Linux Account Management & System Hardening: Permissions, Users, and Security Tips

This guide explains Linux system user types, essential user management commands, file permission structures, default umask settings, and a series of hardening measures—including SSH security, syslog configuration, and ICMP blocking—to improve overall system security.

MaGe Linux Operations

Account and Permissions

System Users

Super administrator: UID=0

System default user: created by the distribution for services and programs; it never logs in interactively

Regular user: UID greater than 500

User Management

Add user: useradd <username>

Delete user: userdel [-r] [-f] <username>

Lock user: passwd -l <username>

Unlock user: passwd -u <username>

Modify attributes: usermod -L <username> (lock) and usermod -U <username> (unlock)

View current user: id

Permission Management

Example of listing permissions:

root@anonymous ~# ls -ld /etc/passwd /boot
dr-xr-xr-x. 5 root root 4096 ... /boot
-rw-r--r-- 1 root root 1240 ... /etc/passwd

Fields of an ls -l line such as -rw-r--r-- 1 root root 1240 ... /etc/passwd, from left to right:

Permission bits (-rw-r--r--: file type, then owner, group and other permissions)

Hard link count

Owner (root)

Group (root)

File size

Modification time

File name

Access Rights and Ownership

Read: allows viewing content

Write: allows modifying content

Execute: allows running a file or traversing (entering) a directory

Owner: user who owns the file/directory

Group: group that owns the file/directory

Other: users not in owner or group

All: combination of owner, group, and other

File System Security

View permissions with ls -l.

Modify permissions with chmod commands.

Setting Reasonable Default File Permissions (Umask)

Umask defines default permissions for newly created files and directories.

Umask 0022 results in default file mode 644 and directory mode 755.

File permission rule: 777 - 111 - 022 = 644 (files have no execute bits by default, so their base mode is 666).

Directory permission rule: 777 - 022 = 755.

The subtraction is only a shortcut: the kernel clears the umask bits from the base mode (666 for files, 777 for directories), so for a umask such as 027 a new file gets mode 640, not the 637 that plain subtraction would suggest.

Change umask temporarily (applies only to the current shell session and is lost after reboot): umask xxx.

Persistently change umask by adding the umask line to /etc/profile. Effect of umask 027 on a newly created file and directory:

root@anonymous ~# umask 027
root@anonymous ~# touch test2
root@anonymous ~# ls -l test2
-rw-r----- 1 root root 0 ... test2
root@anonymous ~# mkdir test10
root@anonymous ~# ls -ld test10
drwxr-x--- 2 root root 6 ... test10

System Hardening

Lock unnecessary built-in accounts: review /etc/passwd and /etc/shadow for accounts that are not needed, then lock each one with passwd -l <user>.
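As an added example (not code from the original article), a POSIX sh audit that applies this first step to constructed copies of /etc/passwd and /etc/shadow: it lists extra UID 0 accounts, system accounts that still have a login shell, and shadow entries with an empty password field, and prints the passwd -l command from the checklist for each finding. The sample entries, the file names and the UID 500 boundary (taken from the page's user-type definitions) are assumptions.

```shell
#!/bin/sh
# Added example: audit constructed passwd/shadow copies for accounts that
# the hardening checklist says should be locked with passwd -l.
set -eu

WORK=$(mktemp -d)

# Constructed sample /etc/passwd: name:x:UID:GID:comment:home:shell
cat >"$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/bash
dup0:x:0:0:second UID 0 account:/root:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF

# Constructed sample /etc/shadow: name:password:lastchange:min:max:warn:...
# A leading "!" or "*" means locked / no password login; an empty field
# means the account has no password at all.
cat >"$WORK/shadow" <<'EOF'
root:$6$constructedhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
games:!!:19000:0:99999:7:::
dup0::19000:0:99999:7:::
alice:$6$constructedhash:19000:0:99999:7:::
EOF

# Accounts other than root whose UID is 0: they hold full administrator rights.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# System accounts (UID below 500, the page's boundary) that still have a
# login shell; daemons should use /sbin/nologin or /bin/false instead.
system_with_shell() {
    awk -F: '$3 > 0 && $3 < 500 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Shadow entries whose password field is empty: login without any password.
empty_password() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Shadow entries not yet locked (password field does not start with "!" or "*").
unlocked() { awk -F: '$2 !~ /^[!*]/ { print $1 }' "$1"; }

# Print each finding together with the lock command from the checklist.
audit() {
    passwd_file=$1
    shadow_file=$2
    for u in $(extra_uid0 "$passwd_file"); do echo "UID 0 duplicate: $u"; done
    for u in $(system_with_shell "$passwd_file"); do echo "system account with shell: $u -> passwd -l $u"; done
    for u in $(empty_password "$shadow_file"); do echo "empty password: $u -> passwd -l $u"; done
}
audit "$WORK/passwd" "$WORK/shadow"
```

Run it against the real files by passing /etc/passwd and /etc/shadow to audit as root; it only reports and never modifies an account.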

Set password policies, disable root remote login, restrict su to root, enforce SSH protocol version 2, hide SSH banner, block ICMP echo requests, prevent Ctrl+Alt+Del reboot, configure account lockout, set TMOUT for automatic logout, limit Bash history size, delete history on logout, and configure syslog.

SSH Security

Disable root remote login.

Hide SSH banner.

Allow only SSH protocol version 2.

Prevent Ping Responses

Block all ICMP echo requests (takes effect immediately but does not survive a reboot; to persist it, add net.ipv4.icmp_echo_ignore_all = 1 to /etc/sysctl.conf):

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Syslog Configuration

Check /etc/rsyslog.conf for modules, global directives, and rules.

[root@anonymous ~]# cat /etc/rsyslog.conf
# rsyslog configuration file
module(load="imuxsock"  # provides support for local system logging
       SysSock.Use="off")
module(load="imjournal"  # provides access to the systemd journal
       UsePid="system"
       StateFile="imjournal.state")
# ... (additional configuration omitted for brevity) ...
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*

Verify syslog service is enabled and log files exist.

References

Article originally from 运维星火燎原.

Written by

MaGe Linux Operations