hardening the ability to create new users

Hi All,

New user here - so grateful to everybody that’s had a hand in the creation of what is literally the BEST distro available for rpi bar none!

I have a two part idea for (possibly better?) lock down. I also believe it could possibly be helpful to others - if feasible.

Conceptually - here’s the idea:

  1. create another admin with same admin privileges except for one - the new admin cannot create new users
  2. modify the root account, such that it is only allowed to login via console (no ssh) - doing this by creating a ssh users group and removing root

Scanning the forums first, I found the following links for creating new users:

https://vitux.com/how-to-manage-user-accounts-in-debian-10/
https://www.digitalocean.com/community/tutorials/how-to-create-a-sudo-user-on-ubuntu-quickstart

My question immediately out of the gate - is this a bad idea per se?

I don’t have the experience to know (beyond obvious) future considerations.

Any input is appreciated!

Humble thanks from an aspiring noob! :slight_smile:

What is the use case you want to apply it to?
What would be the pros of such a feature?

Ah - not so much a particular use case scenario as much as it is a goal to make it more difficult to create local admins or other accounts.

With the constant flow of security exploits on a daily basis, I would theorize that limiting root to console only and further disabling new user creation from any other accounts, this could inhibit hackers from possibly combining exploits and lateraling.

Hi,

well, usually DietPi is designed to work completely headless. Therefore root access via SSH is allowed by default (not every user is able to have a monitor or keyboard attached). If needed you can disable root login via SSH already. There are different ways to achieve this, depending on your SSH server.

Next to that, you have the non-root user dietpi, who can manage everything using the sudo command.

Basically everything is already there.

As well there are other methods to protect your system and to restrict access to local network or specific computer.

  1. ensure your router is not forwarding unnecessary ports and disable UPnP
  2. Use a different port (not 22) on SSH server
  3. don’t allow password access, use keys only
  4. use TCP wrapper to allow specific hosts only
  5. use iptables or ufw to restrict access on SSH server port
  6. use fail2ban to detect failed login attempts and to block access if needed
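
The SSH-side items from this thread (no root login over SSH, keys only, a non-default port, an SSH users group that excludes root) can be checked against an OpenSSH `sshd_config`. The following is an added example, not part of the original posts or DietPi's own tooling; it assumes OpenSSH (not Dropbear) with upstream defaults, and the group name `sshusers`, port 2222 and both sample configs are constructed.

```python
import re

# Upstream OpenSSH defaults, applied when a keyword is absent
# (assumption: the distro package has not changed them).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def effective(config_text):
    """Global sshd settings: first value wins, Port/AllowGroups accumulate."""
    single, multi = {}, {"port": [], "allowgroups": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":          # later lines are conditional, not global
            break
        if key in multi:
            multi[key].extend(value.split())
        else:
            single.setdefault(key, value.lower())
    cfg = {**DEFAULTS, **single}
    cfg.update(port=multi["port"] or ["22"], allowgroups=multi["allowgroups"])
    return cfg

def audit(config_text):
    """Return (keyword, finding) pairs for settings weaker than the checklist."""
    cfg, out = effective(config_text), []
    if cfg["permitrootlogin"] != "no":
        out.append(("PermitRootLogin", f"{cfg['permitrootlogin']}: root can still log in over SSH"))
    if cfg["passwordauthentication"] != "no":
        out.append(("PasswordAuthentication", "passwords accepted, not keys only"))
    if "22" in cfg["port"]:
        out.append(("Port", "listening on the default port 22"))
    if not cfg["allowgroups"]:
        out.append(("AllowGroups", "no SSH users group restricts who may log in"))
    elif "root" in cfg["allowgroups"]:
        out.append(("AllowGroups", "group 'root' is allowed"))
    return out

# Constructed sample inputs; 'sshusers' and port 2222 are hypothetical values.
WEAK = "# constructed\nPermitRootLogin yes\nPermitRootLogin no\nPort 22\n"
HARDENED = ("Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nAllowGroups sshusers\n"
            "Match Address 192.0.2.0/24\n    PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```

The second `PermitRootLogin no` in the weak sample has no effect because sshd keeps the first value it reads for a keyword; on a live system, `sshd -T` prints the effective settings.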

Thank you so much Joulinar! Excellent food for thought! I am using DietPi not only to learn more about Linux but also to expand into Linux security (which I know even less about).

I plan to use this thread as a placeholder for other folks who might be interested in the same.

Thanks so much again to you and the entire DietPi team!!!

but you know what the best way to protect a system is?

detach power :rofl: