Essential Linux Account Security: Disable Root, Harden Permissions, and Block Attacks

This guide details practical steps for securing Linux accounts, including disabling unnecessary super‑user accounts, enforcing strong password policies, locking critical files, restricting privileged commands, tightening file permissions, and configuring network and system settings to prevent spoofing, DoS, and SYN attacks.

MaGe Linux Operations

Account Security and Permissions

Disable super‑user accounts other than root

1. Detection method: cat /etc/passwd

The file format is:

login_name:password:user_ID:group_ID:comment:home_dir:command

Any entry with user_ID=0 has root privileges; check for multiple IDs equal to 0.

2. Detection command:

cat /etc/passwd | awk -F ':' '{print $1,$3}' | grep ' 0$'

3. Backup method:

cp -p /etc/passwd /etc/passwd_bak

4. Hardening method:

passwd -l <username>   # lock unnecessary super accounts
passwd -u <username>   # unlock accounts that need to be restored
# or change the user shell to /sbin/nologin

Delete unnecessary accounts

Remove default system accounts that are not required (e.g., adm, lp, sync, shutdown, halt, mail, operator, games, ftp). Also delete unnecessary groups such as adm, lp, games, mail using:

userdel username
groupdel groupname

User password policy

Use strong passwords that are longer than 10 characters and contain at least three of the following: uppercase letters, lowercase letters, digits, and special characters.

Set the minimum length in /etc/login.defs:

PASS_MIN_LEN 10

Check for empty‑password accounts:

awk -F ':' '($2 == "") {print $1}' /etc/shadow

Lock password files

# chattr +i /etc/passwd
# chattr +i /etc/shadow
# chattr +i /etc/group
# chattr +i /etc/gshadow
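
The UID 0 detection, the lock or nologin hardening step, and the empty-password check described above can be verified together. The script below is an added example, not part of the original article; the function names are hypothetical, and the accounts and hashes in the fixture are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): verify the UID-0 and
# empty-password checks after hardening. File paths are arguments so the
# audit can run against copies such as /etc/passwd_bak.

# List every non-root account with UID 0 and its state:
#   locked  = shadow field starts with "!" (written by passwd -l) or "*"
#   nologin = shell ends in nologin or false
#   ACTIVE  = neither, still usable as a second root account
audit_uid0() {   # usage: audit_uid0 PASSWD_FILE SHADOW_FILE
    awk -F: '
        FILENAME == ARGV[1] { hash[$1] = $2; next }   # first file: shadow
        $3 == 0 && $1 != "root" {
            state = "ACTIVE"
            if ($7 ~ /(nologin|false)$/) state = "nologin"
            if (hash[$1] ~ /^[!*]/)      state = "locked"
            print $1 ":" state
        }' "$2" "$1"
}

# Accounts whose shadow password field is empty.
empty_passwords() {   # usage: empty_passwords SHADOW_FILE
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample data (hypothetical accounts, placeholder hashes).
write_fixture() {   # usage: write_fixture DIR
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:legacy admin:/root:/bin/bash
backup0:x:0:0:backup:/root:/bin/bash
svc0:x:0:0:service:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
toor:$6$constructed$hash:19000:0:99999:7:::
backup0:!$6$constructed$hash:19000:0:99999:7:::
svc0:$6$constructed$hash:19000:0:99999:7:::
alice::19000:0:99999:7:::
EOF
}

demo_dir=$(mktemp -d)
write_fixture "$demo_dir"
audit_uid0 "$demo_dir/passwd" "$demo_dir/shadow"
empty_passwords "$demo_dir/shadow"
rm -rf "$demo_dir"
```

To audit a live system, call audit_uid0 /etc/passwd /etc/shadow as root, since /etc/shadow is not readable by ordinary users.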

Set root auto‑logout timeout

Modify /etc/profile and add TMOUT=300 (seconds). For individual users, add the same line to their .bashrc.

Restrict the su command

Edit /etc/pam.d/su to allow only members of the wheel group to switch to root. To grant this to a specific user, run:

# usermod -aG wheel admin   # -a appends; -G alone would replace the user's other supplementary groups

Prevent ordinary users from shutting down, rebooting, or configuring the network

# rm -rf /etc/security/console.apps/*   # remove access control files for halt, reboot, poweroff, shutdown

Disable Ctrl+Alt+Del reboot

# Comment out the line "ca::ctrlaltdel:/sbin/shutdown -t3 -r now" in /etc/inittab

Set permissions on startup service directory

Restrict /etc/rc.d/init.d/ so that only root can read, write, or execute the scripts.

Avoid displaying system and version information on login

(Illustrative image omitted for brevity.)

Restrict network access (NFS)

Configure /etc/exports with strict permissions, e.g.:

/dir/to/export host1.mydomain.com(ro,root_squash)
/dir/to/export host2.mydomain.com(ro,root_squash)

Apply changes with:

# /usr/sbin/exportfs -a

Login terminal settings

Edit /etc/securetty to comment out all lines except the desired TTY (e.g., tty1) so root can log in only on that terminal.

Prevent IP spoofing

Add the following lines to /etc/host.conf:

order hosts,bind
multi on
nospoof on

Prevent DoS attacks

Set resource limits in /etc/security/limits.conf, for example:

* soft nproc 50
* hard nproc 50
* soft rss 5M
* hard rss 5M

Ensure the following line is present in /etc/pam.d/login:

session required pam_limits.so

Block ping and mitigate SYN attacks

Add to /etc/sysctl.conf (or appropriate sysctl file):

net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syn_retries = 3

Apply with sysctl -p.
