Manage user accounts
Create a root account
(To deepen see also: Wiki, the command line part there is not outdated.)
Reason: Who manages to enter the server with the user account, typically has spied out the user password. In such a scenario sudo offers no protection! For this reason here we create a fully-fledged root account with a separate password, and forbid sudo. Of course, this configuration requires discipline to use the root account absolutely only for administrative purposes, and to leave it as soon as possible.
Create a password for root and then type in the new password twice:
sudo passwd root
Unblock the root Account:
sudo passwd -u root
=> Console output “passwd: password expiry information changed”, if the command was successful.
Last forbid sudo by ejecting root from the group “sudo”, from now on with the regular root account:
deluser example sudo
In this tutorial example is meant as example for the user account name, which initially was used with sudo as login user. If no restricted login user exist on some special systems, create one with:
adduser example --ingroup users
Create an additional user account
For safety reasons, we run OpenSim with an own account, also only with limited user permissions. The advantage of this approach is that in the OpenSim account never a password must be typed in.
adduser maria --ingroup users
Test: Both users example und maria must be only in the group users now.
1) change the account with su <Account>
2) show the own groups with id -Gn
Supernumerary groups can be deleted with:
deluser <account> <group to delete>
Hardening SSH
(To deepen see also: Wiki)
Most scripted attacks point to standard ports and users. That is why we change SSH to an unusual port and allow only one specific user account (without root privileges).
Remark: Please prepare an up to date backup prior to these configuration steps. If you lock yourself out with a faulty SSH configuration, this is irrevocable!
Backstop: Most server hosting companies however offer some means of web based configuration system where you can boot from a rescue system and mount your corrupted root file system to correct the settings. Check with your provider, if they offer similar support.
Caution! Permit the newly configured SSH port in your firewall or once again you will be locked out!
1) In /etc/ssh/sshd_config
change the port to the desired value e.g. 12345.
=> After a successful connection test via the new port, close port 22 in the firewall.
Caution! Before proceeding to the next step, make sure an additional user (without root privileges) already exists or once again you will be locked out! If not done so far, create a new (limited) user as described in the previous chapter.
2) In /etc/ssh/sshd_config
change the following 5 parameters:
=> Parameter LoginGraceTime
to “2m
“, meaning 2 minutes time for login attempts
=> Parameter PermitRootLogin
to “no
“
=> Parameter MaxAuthTries 3
to three login attempts
=> Parameter MaxSessions 1
to max. one simultaneous logged in user
=> Parameter AllowUsers example
to the newly configured user (without root privileges)
Remark: The parameter AllowUsers does not exist in the example file, so you must add it manually below of the existing entries.
Tests:
=> Reboot the server and try if you can log in using your newly configured user account. If this fails, restore your backup…
=> Try to login as root, this must fail.
Remarks: It is still possible to use multiple shell windows. All logins of the same user from the same source machine count as one session. In the shell you can also change the current user account using su example
where “example” must be a valid account on your system.
Continued: Time and language configuration