Ubuntu Server Cookbook

You're reading from Ubuntu Server Cookbook: Arm yourself to make the most of the versatile, powerful Ubuntu Server with over 100 hands-on recipes

Product type: Paperback
Published in: Jun 2016
Publisher: Packt
ISBN-13: 9781785883064
Length: 456 pages
Edition: 1st Edition
Author: Uday Sawant

Securing user accounts

In this recipe, we will look at ways to make user profiles more secure.

How to do it...

Follow these steps to secure the user account:

  1. Set a strong password policy with the following steps:
    • Open the /etc/pam.d/common-password file with GNU nano:
      $ sudo nano /etc/pam.d/common-password
    • Find the line similar to this:
      password    [success=1 default=ignore]  pam_unix.so obscure sha512
    • Add minlen to the end of this line:
      password    [success=1 default=ignore]  pam_unix.so obscure sha512 minlen=8
    • Add this line to enforce alphanumeric passwords:
      password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
    • Save changes and exit the GNU nano editor: press Ctrl + O to save changes, then Ctrl + X to exit.
  2. Secure the home directory with the following steps:
    • Check home directory permissions with the following command:
      $ ls -ld /home/username
    • Restrict permissions to user and group with the following command:
      $ chmod 750 /home/username
    • Change adduser default permissions by editing /etc/adduser.conf. Find DIR_MODE=0755 and change it to DIR_MODE=0750.
  3. Disable SSH access to the root user with the following step:
    • Open /etc/ssh/sshd_config and add or edit PermitRootLogin to PermitRootLogin no
  4. Disable password authentication with the following step:
    • Open /etc/ssh/sshd_config and add or edit PasswordAuthentication no
  5. Install fail2ban with sudo apt-get install fail2ban.

How it works...

This recipe discussed a few important steps to make user accounts more secure.

A password is the most important aspect in securing user accounts. A weak password can be easily broken with brute force attacks and dictionary attacks. It is always a good idea to avoid password-based authentication, but if you are still using it, then make sure you enforce a strong password policy.

Password authentication is controlled by the PAM module pam_unix, and all settings associated with login are listed at /etc/pam.d/login. An additional configuration file /etc/pam.d/common-password includes values that control password checks.

The following line in the primary block of the common-password file defines the rules for password complexity:

password [success=1 default=ignore] pam_unix.so obscure sha512

The default setting already defines some basic rules on passwords. The parameter obscure defines some extra checks on password strength. It includes the following:

  • Palindrome check
  • Case change only
  • Similar check
  • Rotated check

The other parameter, sha512, states that the new password will be hashed with the SHA-512 algorithm before it is stored (it is a one-way hash, not encryption). We have set another option, minlen=8, on the same line, which requires new passwords to be at least 8 characters long.

Tip

For all settings of the pam_unix module, refer to the manual pages with the command man pam_unix.

Additionally, we have set alphanumeric checks for new passwords with the PAM module pam_cracklib:

password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

The preceding line adds the requirement of at least one uppercase letter (ucredit), one lowercase letter (lcredit), one digit (dcredit), and one special character (ocredit). A negative credit value such as -1 means "at least this many characters of this class" rather than a length bonus.
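The following audit script is an added example, not code from the book: it checks the settings that the recipe steps change (the pam_unix minlen option, the pam_cracklib credits, and the sshd_config keywords) against constructed sample files rather than a live system, and the function names are hypothetical. It also demonstrates a caveat worth knowing when applying steps 3 and 4: sshd uses the first occurrence of a keyword, so an appended `PermitRootLogin no` is ignored if an earlier `PermitRootLogin yes` is still present.

```shell
#!/bin/sh
# Added example, not from the book: audit the recipe's settings against
# constructed sample files. Caveat shown: sshd honours the FIRST occurrence of
# a keyword, so "PermitRootLogin no" appended after "PermitRootLogin yes" is
# ignored (Match blocks are not modelled here).
set -eu
# Effective value of an sshd_config keyword: first non-comment occurrence,
# keyword matched case-insensitively; prints "" if unset.
sshd_effective() {  # $1=file $2=keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }' "$1"
}
# Succeeds only if the pam_unix password line carries minlen=N with N >= $2.
pam_minlen_ok() {  # $1=file $2=required minimum
    awk -v need="$2" '
        $1 == "password" && /pam_unix\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^minlen=[0-9]+$/) { split($i, kv, "="); if (kv[2] + 0 >= need) ok = 1 }
        }
        END { exit ok ? 0 : 1 }' "$1"
}
# Succeeds only if the pam_cracklib line demands one character from each class:
# a negative credit such as ucredit=-1 is a minimum count, not a length bonus.
pam_cracklib_ok() {  # $1=file
    awk '
        $1 == "password" && /pam_cracklib\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[uldo]credit=-[0-9]+$/) { split($i, kv, "="); seen[kv[1]] = 1 }
        }
        END { ok = seen["ucredit"] && seen["lcredit"] && seen["dcredit"] && seen["ocredit"]; exit ok ? 0 : 1 }' "$1"
}
# Constructed samples, not real server files.
SSHD_SAMPLE=$(mktemp); PAM_SAMPLE=$(mktemp)
trap 'rm -f "$SSHD_SAMPLE" "$PAM_SAMPLE"' EXIT
cat > "$SSHD_SAMPLE" <<'EOF'
# the appended "no" does NOT override the first "yes"
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
EOF
cat > "$PAM_SAMPLE" <<'EOF'
password    [success=1 default=ignore]  pam_unix.so obscure sha512 minlen=8
password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
EOF
printf 'PermitRootLogin (effective): %s\n' "$(sshd_effective "$SSHD_SAMPLE" PermitRootLogin)"
printf 'PasswordAuthentication (effective): %s\n' "$(sshd_effective "$SSHD_SAMPLE" PasswordAuthentication)"
pam_minlen_ok "$PAM_SAMPLE" 8 && pam_cracklib_ok "$PAM_SAMPLE" && echo 'password policy: ok'
```

To audit a real server, point the functions at /etc/ssh/sshd_config and /etc/pam.d/common-password instead of the sample files.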

There are other PAM modules available, and you can search them with the following command:

$ apt-cache search libpam-

You might also want to secure the home directory of users. The default permissions on Ubuntu allow read and execute access to everyone. You can limit access by changing the permissions on the home directory as required. In the preceding example, we changed permissions to 750. This allows full access to the user and read and execute access to the user's primary group, with no access for anyone else.

You can also change the default permissions for new home directories by changing settings for the adduser command. These values are located at /etc/adduser.conf. We have changed DIR_MODE to 0750, which limits access to the user and the group only.

Additionally, you can disable remote login for the root account as well as disable password-based authentication. Public key authentication is more secure than passwords, provided you keep your private keys secure. Before disabling password authentication, ensure that you have properly enabled public key authentication and that you are able to log in with your keys. Otherwise, you will lock yourself out of the server.

You might want to install a tool like fail2ban to watch for and block repeated failed login attempts. It scans through access logs and automatically blocks the source of repeated failures. This can be a handy tool to provide security against brute force attacks.
