hardening the ability to create new users

arpeggio · July 11, 2020, 5:46pm

Hi All,

New user here - so grateful to everybody that’s had a hand in the creation of what is literally the BEST distro available for rpi bar none!

I have a two part idea for (possibly better?) lock down. I also believe it could possibly be helpful to others - if feasible.

Conceptually - here’s the idea:

create another admin with same admin privileges except for one - the new admin cannot create new users
modify the root account, such that it is only allowed to login via console (no ssh) - doing this by creating a ssh users group and removing root

Scanning the forums first, I found the following links for creating new users:

https://vitux.com/how-to-manage-user-accounts-in-debian-10/
https://www.digitalocean.com/community/tutorials/how-to-create-a-sudo-user-on-ubuntu-quickstart

My question immediately out of the gate - is this bad idea perse?

I don’t have the experience to know (beyond obvious) future considerations.

Any input is appreciated!

Humble thanks from an aspiring noob!

trendy · July 11, 2020, 7:03pm

What is the use case you want to apply it to?
What would be the pros of such a feature?

arpeggio · July 11, 2020, 7:16pm

Ah - not so much a particular use case scenario as much as it is a goal to make more difficult to create local admins or other accounts.

With the constant flow of security exploits on a daily basis, I would theorize that limiting root to console only and further disabling new user creation from any other accounts, this could inhibit hackers from possibly combining exploits and lateraling.

Joulinar · July 11, 2020, 11:16pm

Hi,

well, usually DietPi is designed to work completely headless. Therefore root access via SSH is allowed by default (not every user is capable to have a monitor or keyboard attached). If needed you can disable root login via SSH already. There are different ways to archive this, depending on your SSH server.

Next to that, you have non-root user dietpi who can manage everything using sudo command.

Basically everything is already there.

As well there are other methods to protect your system and to restrict access to local network or specific computer.

ensure your router is not forwarding unnecessary ports and disable UPnP
Use a different port (not 22) on SSH server
don’t allow password access, use keys only
use TCP wrapper to allow specific hosts only
use iptables or ufw to restrict access on SSH server port
use fail2ban to detect failed login attempts and to block access if needed

arpeggio · July 16, 2020, 6:24pm

Thank you so much Joulinar! Excellent food for thought! I am using DietPi not only to learn more about Linux but also expand into Linux security (which I even know less about).

I plan to use this thread as a placeholder for other folks who might be interested in the same.

Thanks so much again to you and the entire DietPi team!!!

Joulinar · July 17, 2020, 12:42am

but you know what is best way to protect a system is?

detach power