How to manage Linux user account security

Published: 2015-09-18

Practising good control over your user accounts can be a big step toward a more secure cloud server. Follow the examples in this guide to find out how to perform some of the basic user account management tasks, and how to implement a few added security measures.

Adding a new user

One of the common security practices on any Linux machine is to avoid using the root account for day-to-day operations. If you have just deployed a new cloud server, of course, the only account on it will be root, so you will need to create a new username for yourself.

    adduser <username>

Follow the user creation procedure to set a password and other information. On CentOS and other Red Hat variants, you will need to manually unlock the new account by setting the password with the next command.

    passwd <username>

If you are going to be using this account for system management, give yourself sudo execution privileges. On Ubuntu servers, you can do this with the command below.

    adduser <username> sudo

Adding sudo permissions to users on CentOS is a little different; use the following instead.

    gpasswd -a <username> wheel

Debian users should note that the sudo access control system might not be installed by default. If it is missing, install it with the following.

    apt-get install sudo

Once installed, use the same command as with Ubuntu above to add your username to the sudoers list.

Note that the group changes will only take effect the next time the user logs in.

With sudo permissions, you can perform all the same operations as the root account can, but without compromising on security. If you are going to have more users on your server than just yourself, it is much safer to give them sudo privileges instead of sharing the root password with everyone. Using sudo over the root account is generally considered good practice overall.

Disable root login

When you have your own account set up, you should go ahead and disable SSH remote login for root. The OpenSSH server settings are defined in a configuration file. Open it in an editor on Debian or Ubuntu with the next command.

    sudo nano /etc/ssh/sshd_config

On CentOS and other Red Hat variants, or if you just prefer vi, use the following instead.

    sudo vi /etc/ssh/sshd_config

Search for the authentication options and change the root login permission by setting it to no like below.

    PermitRootLogin no

Afterwards, just save the file and exit the text editor.

Making changes to the SSH configuration file will require you to restart the service. On CentOS cloud servers, use the following.

    sudo systemctl restart sshd

On systems running Ubuntu, the service is simply called ssh; the same will work with Debian.

    sudo service ssh restart

Password policies

If your server has more remote users than just yourself, implement and enforce reasonable password policies with a Linux PAM module called pam_cracklib.so. The module will check user passwords against dictionary words to help prevent weak password usage. You can also use it to set the minimum requirements for a new password like length and complexity.

On Ubuntu and Debian systems, you need to install the module with the command below.

    sudo apt-get install libpam-cracklib

CentOS and other Red Hat variants already have it installed by default.

With the module installed, open the configuration file in an editor on Ubuntu or Debian.

    sudo nano /etc/pam.d/common-password

On cloud servers with CentOS, the file is stored under a different name, so use the following.

    sudo vi /etc/pam.d/system-auth

Installing the module on Ubuntu and Debian already pre-configures the password checks, so find the corresponding setting and edit it to look like the example below. On CentOS, depending on your version, you might need to add the whole following line to the configuration file.

    password required pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=1 ucredit=1 lcredit=1

The first parameter, retry, defines how many times the user gets to attempt again. The next, minlen, marks the minimum length of the password, while difok checks the maximum number of reused characters compared to the user’s old password. The last 3 parameters set requirements for the password complexity: dcredit for the number of numerals, ucredit for upper case characters, and finally lcredit for the number of lower case characters.

Once you have set the password requirements to your liking, save the configuration file and exit the editor. Note that these policies only apply to regular user accounts; you as an administrator are still responsible for the root user password strength.
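The pam_cracklib manual defines a credit of N >= 0 as the maximum bonus that character class contributes toward minlen, and N < 0 as a required minimum count for that class. The following added example (not part of the original tutorial) models only that length-and-credit step in POSIX shell so the two settings can be compared side by side. The helper names credit_check and count_class are hypothetical, the passwords are constructed samples, and ocredit is passed as 1, the module's documented default.

```shell
#!/bin/sh
# Added example: models only pam_cracklib's length/credit step.
# Dictionary, difok and retry handling are not modelled.

# count_class PASSWORD TR_SET -> how many characters fall in TR_SET
count_class() {
    printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# credit_check PASSWORD MINLEN DCREDIT UCREDIT LCREDIT OCREDIT
# Prints "accept" or "reject: <reason>" (hypothetical helper).
credit_check() {
    pw=$1; need=$2
    d=$(count_class "$pw" '0-9')
    u=$(count_class "$pw" 'A-Z')
    l=$(count_class "$pw" 'a-z')
    o=$(( ${#pw} - d - u - l ))
    set -- "$d" "$3" digit "$u" "$4" uppercase "$l" "$5" lowercase "$o" "$6" other
    while [ $# -gt 0 ]; do
        count=$1; credit=$2; name=$3; shift 3
        if [ "$credit" -lt 0 ]; then
            # Negative value: at least |credit| characters of this class.
            if [ "$count" -lt $(( 0 - credit )) ]; then
                echo "reject: needs $(( 0 - credit )) $name"
                return 0
            fi
        else
            # Non-negative value: at most `credit` characters of this class
            # each reduce the required length by one.
            if [ "$count" -gt "$credit" ]; then count=$credit; fi
            need=$(( need - count ))
        fi
    done
    if [ "${#pw}" -ge "$need" ]; then echo "accept"; else echo "reject: too short"; fi
}

# Constructed samples: the page's settings, then negative (required) credits.
credit_check abcdefg  8  1  1  1 1   # accept
credit_check abcdefgh 8 -1 -1 -1 1   # reject: needs 1 digit
credit_check Abcdefg1 8 -1 -1 -1 1   # accept
```

With the positive values from the configuration line above, a seven-character all-lowercase password passes this step, while the negative values make one digit, one upper case and one lower case character mandatory.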

Restrict SSH to specific user group

OpenSSH servers can limit user connections by cross-checking that they belong to the allowed group. This can be useful if you have multiple users who should not need to connect remotely with SSH, or if you just want the added security, for example when running a web service or database with separate users from your own.

Start by creating a new user group for this purpose. You can name the group whatever you wish; for this example, the group is called sshusers.

    sudo groupadd sshusers

Next, add your own username to the same new group.

    sudo gpasswd -a <username> sshusers

You can then check that your username was added to the group successfully.

    groups <username>

The output will show all the groups the given username belongs to, including a user group with the same name as the user.

    user : user sudo sshusers

With this done, you can specify the allowed group for OpenSSH. To do this, open the configuration file in an editor.

    sudo nano /etc/ssh/sshd_config

If you do not have nano installed, or just prefer vi, use the following instead.

    sudo vi /etc/ssh/sshd_config

You will need to add the following line to the file, for example at the end.

    AllowGroups sshusers

Make sure your new configuration option is not commented out with the # sign in front of it, then save the file and exit the editor.

Afterwards, just restart your SSH server. On Ubuntu and Debian servers, use this command.

    sudo service ssh restart

With CentOS and other Red Hat variants, the same can be done using the following instead.

    sudo systemctl restart sshd

With the new configuration, any user that does not belong to the allowed group will simply be denied access over SSH, even if their password was entered correctly. This will greatly reduce the chance of having a user password brute-forced, or guessed with dictionary lists, giving you a more secure cloud server.
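A check for the two sshd_config changes made in the "Disable root login" section and in this section, given as an added example that is not part of the original tutorial. It reports the first active PermitRootLogin and AllowGroups values, skipping commented-out lines, and flags the case where none of your own groups is allowed, which would lock you out after the restart. The function names, the sample file and the group list are constructed for illustration; Match blocks, Include files and AllowGroups wildcard patterns are not handled.

```shell
#!/bin/sh
# Added example: audit PermitRootLogin and AllowGroups in an sshd_config file.

# sshd_value FILE KEYWORD -> first active value; sshd uses the first
# value it obtains for a keyword, and keywords are case-insensitive.
sshd_value() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                 # commented-out lines are inactive
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE "GROUPS OF YOUR OWN ACCOUNT" -> prints findings or "OK"
audit_sshd() {
    file=$1; admin_groups=$2; bad=0
    root=$(sshd_value "$file" PermitRootLogin)
    if [ "$root" != "no" ]; then
        echo "FAIL PermitRootLogin=${root:-unset}"; bad=1
    fi
    allowed=$(sshd_value "$file" AllowGroups)
    if [ -z "$allowed" ]; then
        echo "FAIL AllowGroups not active"; bad=1
    else
        hit=0
        for g in $admin_groups; do
            case " $allowed " in *" $g "*) hit=1 ;; esac
        done
        if [ "$hit" -eq 0 ]; then
            echo "FAIL LOCKOUT none of [$admin_groups] in AllowGroups [$allowed]"; bad=1
        fi
    fi
    if [ "$bad" -eq 0 ]; then echo "OK"; fi
    return 0
}

# Constructed sample: both settings look present but only one line is active.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
# AllowGroups sshusers
EOF
audit_sshd "$sample" "user sudo sshusers"
rm -f "$sample"
```

On a real server, pass /etc/ssh/sshd_config and the group list from `id -Gn`, then run `sudo sshd -t` so OpenSSH validates the file before you restart the service. Keep your current session open until a fresh login succeeds.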