Twitter
Sun, 3 Aug 2008Morgan

Securing user logins on your linux server

If you host mail, web content or other services on your Linux server for others, you will probably find yourself adding users to your system. However, you may not want to give them shell access. Here are two effective ways you can secure your server by ensuring shell access is restricted to only the users you want.

Set the user’s shell to /bin/false

When a user logs into a server via SSH, the system will load up a shell for the user. The shell is what you input your commands into (like `ls’ or `cd ‘). The default shell on most Linux systems is Bash. Other popular ones are Zsh and Tcsh.

The system will look in the /etc/passwd file to determine what shell to load up for each user. Historically, this file also used to contain an encrypted version of all the users’ passwords, but this responsibility has been moved to the /etc/shadow file, which is only readable by root.

As root, edit /etc/passwd. You’ll find that each line of the file maps to a user account on the system. Some are system accounts, used internally by various applications. The format of each line should look something like the following (it varies a little between systems):

mike:x:1023:1023:Mike,,,:/home/mike:/bin/bash

Each field of a user record is separated by a colon. The first field is the username and the last is the shell.

Change the shell (in this case /bin/bash) to /bin/false for the users you don’t want to give shell access to (they will still be able to login to their mail and other services). Save and quit the file. You should now find that the user cannot login via SSH or directly to the box.

Instead of using /bin/false, many systems provide a `nologin’ program that will print a message like “This account is currently not available”. This application is typically located at /bin/nologin or /usr/sbin/nologin. To find out for sure, try running the command which nologin. Once you’ve found it, just insert it in your /etc/passwd file instead of /bin/false as described earlier.

Explicitly name the users who can login via SSH

What happens if you add a user and forget to change their shell? There is another layer of protection you can easily employ to ensure no one accidentally gets shell access. This method involves forbidding all users to login via SSH except for those you explicitly mention.

To use this method, edit your server’s SSH configuration file. It is likely located at /etc/ssh/sshd_config or /etc/sshd/sshd_config. At the bottom of the file, add the following option:

AllowUsers grant mike

Where ‘grant’ and ‘mike’ are the only users you want to be able to login with SSH.

After you have edited the file, you will need to get the SSH server to reload its configuration for this new configuration option to take effect. The method of how to restart the SSH daemon/service varies between distributions. On Debian-based systems you can use /etc/init.d/ssh restart. On Red Hat-based systems, use service sshd restart.

This method by itself doesn’t stop users logging in if they have physical access to your server (since that is bypassing SSH), but if used in conjunction with the /etc/passwd method above then your server will be considerably more hardened against intrusion.

Our experience

We have a collective of over 15 years experience working with mid to high profile clients, though we also love to work for the ‘little guy’. Find out more about who we are and what we can do.

Support | Contact | Sitemap

© Copyright 2010 Morgan Creative Pty Ltd

ACN 136 498 489