Comprehensive Guide to Linux Account Security

November 20, 2024
Tags: Linux Security, Server Hardening, Account Security

Linux Account Security

Security on Linux systems starts at the account level. This guide covers key practices and tools for hardening Linux accounts, drawn from advanced system administration and enterprise-grade principles.


Introduction

Managing user access is essential in preventing internal and external attacks on Linux systems. This post covers all the crucial components of Linux account security including Pluggable Authentication Modules (PAM), shadow passwords, account control, and sudo configuration.


Pluggable Authentication Modules (PAM)

PAM is a suite of shared libraries enabling the local system administrator to choose how applications authenticate users.

Key Configuration Files

  • /etc/pam.d/
  • /etc/pam.d/login
  • /etc/pam.d/sshd

Module Interfaces

  • auth: Authenticates the user.
  • account: Verifies if access is permitted.
  • password: Updates passwords.
  • session: Sets up and tears down login sessions.

Control Flags

  • required, requisite, sufficient, optional
  • Example PAM configuration block:

auth      required  pam_securetty.so
auth      required  pam_unix.so nullok
account   required  pam_unix.so
password  required  pam_pwquality.so retry=3
session   required  pam_unix.so

Note that nullok lets pam_unix accept an account whose password field is empty; remove it on any system where empty passwords are not deliberately allowed.

Linux Account Types

  • Root: Superuser with UID 0. Unlimited access.
  • System Accounts: UIDs < 1000. Created with useradd -r.
  • User Accounts: UIDs ≥ 1000. Assigned to human users.

Password and Shadow Files

/etc/passwd vs /etc/shadow

  • /etc/passwd: Holds user information, readable by all.
  • /etc/shadow: Stores hashed passwords, accessible by root only.

Conversion Utilities

pwconv      # Enable shadow passwords
pwunconv    # Revert to /etc/passwd only

Password Security

  • Enforce strong passwords via pam_pwquality.
  • Configure /etc/security/pwquality.conf.
  • Enforce password history:

password required pam_pwhistory.so remember=5

Account Expiry Management

Manage password aging and expiry with chage:

chage -l username                          # Show the account's aging settings
chage -M 90 -E 2025-12-31 username         # Max 90 days per password; account expires 2025-12-31

Settings in /etc/login.defs:

PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_MIN_LEN    8
PASS_WARN_AGE   7

Locking and Disabling Accounts

Lock Account

passwd -l username

Unlock Account

passwd -u username

Disable Login via Shell

chsh -s /sbin/nologin username

On Debian-based systems the binary lives at /usr/sbin/nologin; use the path listed in /etc/shells.

Monitoring Authentication

Useful Logs

  • /var/log/auth.log
  • /var/log/secure
  • /var/log/syslog

Intrusion Prevention

Use fail2ban:

sudo apt install fail2ban

Multifactor Authentication

Supported PAM Modules:

  • Google Authenticator
  • Duo Security (pam_duo)
  • RSA SecurID

Securing Root Access

Best Practices

  • Avoid direct root logins.
  • Use sudo instead of su.
  • Restrict root login via SSH (in /etc/ssh/sshd_config):

PermitRootLogin no

Check for UID 0 accounts:

awk -F: '($3 == "0") {print}' /etc/passwd
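The UID 0 check above, the lock state set by passwd -l, the empty password field that nullok would accept, and the aging fields that chage and /etc/login.defs control can all be audited straight from /etc/passwd and /etc/shadow. The script below is an added example and not code from the original guide; it runs against constructed sample files with hypothetical accounts (jason, bob, svc-backup, toor), and the function names are my own.

```shell
#!/bin/sh
# Constructed sample passwd/shadow files (hypothetical accounts) so the audit runs offline.
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
jason:x:1001:1001:Jason:/home/jason:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-backup:x:1003:1003::/var/backup:/bin/sh
toor:x:0:0:second uid 0 entry:/root:/bin/bash
EOF
cat > "$AUDIT_DIR/shadow" <<'EOF'
root:$6$saltsalt$hashhash:19900:0:99999:7:::
daemon:*:19000:0:99999:7:::
sshd:*:19000:0:99999:7:::
jason:$6$saltsalt$hashhash:19600:1:90:7:::
bob:!$6$saltsalt$hashhash:19700:1:90:7:::
svc-backup::19800:0:99999:7:::
toor:$6$saltsalt$hashhash:19900:0:99999:7:::
EOF

# UID 0 accounts: the guide's awk check reduced to names. Anything beyond root needs a reason.
uid0_accounts() { awk -F: '$3 == 0 { print $1 }' "$1" | xargs; }

# Empty shadow password field: no password at all (pam_unix accepts it only with nullok).
empty_password_accounts() { awk -F: '$2 == "" { print $1 }' "$1" | xargs; }

# Locked with passwd -l (leading "!") or never given a password ("*").
locked_accounts() { awk -F: '$2 ~ /^[!*]/ { print $1 }' "$1" | xargs; }

# Password older than its max age: last change (field 3) + max days (field 5) < today,
# where today is passed as days since the epoch, the unit /etc/shadow itself uses.
expired_password_accounts() {
  awk -F: -v today="$2" '$5 != "" && $3 + $5 < today { print $1 }' "$1" | xargs
}

# Accounts that still have an interactive shell (chsh -s /sbin/nologin removes one).
interactive_accounts() { awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1" | xargs; }

today_days=$(( $(date +%s) / 86400 ))
echo "UID 0 accounts:        $(uid0_accounts "$AUDIT_DIR/passwd")"
echo "Empty password field:  $(empty_password_accounts "$AUDIT_DIR/shadow")"
echo "Locked accounts:       $(locked_accounts "$AUDIT_DIR/shadow")"
echo "Expired passwords:     $(expired_password_accounts "$AUDIT_DIR/shadow" "$today_days")"
echo "Interactive shells:    $(interactive_accounts "$AUDIT_DIR/passwd")"
```

To audit a live system, point the functions at /etc/passwd and /etc/shadow as root and compare the interactive-shell list against the people who are meant to have one.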

Using and Configuring sudo

Benefits

  • Granular control
  • Audit trails
  • No shared passwords

Configuration

  • Use visudo for editing /etc/sudoers.
  • Additional configs in /etc/sudoers.d/.

Example Entries

jason webdev01=(root) /sbin/apachectl
%web  web*=(root)     /sbin/apachectl
%wheel ALL=(ALL)      ALL

Aliases

User_Alias   WEBTEAM  = jason, bob
Runas_Alias  WEBUSERS = apache, httpd
Host_Alias   WEBHOSTS = web*, prodweb01
Cmnd_Alias   WEBCMNDS = /sbin/apachectl

WEBTEAM WEBHOSTS=(WEBUSERS) WEBCMNDS

Deleting User Accounts

userdel -r username    # Remove the account together with its home directory and mail spool
find / -user UID       # Files still owned by the deleted account's UID
find / -nouser         # Files owned by no existing user

Summary

  • PAM offers modular control over authentication.
  • Shadow passwords secure password hashes.
  • Lock, disable, and expire user accounts effectively.
  • Use sudo with fine grained permissions.
  • Implement multifactor authentication and intrusion prevention.

Linux account security is a foundational aspect of system administration and should not be overlooked. Proper configuration of accounts, permissions, and authentication methods is essential for maintaining a secure Linux environment.