hardening the ability to create new users

Guides and tutorials for various stuff. Posted by DietPi users.
arpeggio
Posts: 4
Joined: Sat Jul 11, 2020 7:02 pm

hardening the ability to create new users

Post by arpeggio »

Hi All,

New user here - so grateful to everybody that's had a hand in the creation of what is literally the BEST distro available for rpi bar none!

I have a two part idea for (possibly better?) lock down. I also believe it could possibly be helpful to others - if feasible.

Conceptually - here's the idea:
1. create another admin with same admin privileges except for one - the new admin cannot create new users
2. modify the root account, such that it is only allowed to login via console (no ssh) - doing this by creating a ssh users group and removing root

Scanning the forums first, I found the following links for creating new users:

https://vitux.com/how-to-manage-user-ac ... debian-10/
https://www.digitalocean.com/community/ ... quickstart

My question immediately out of the gate - is this a bad idea per se?

I don't have the experience to know (beyond obvious) future considerations.

Any input is appreciated!

Humble thanks from an aspiring noob! :)
trendy
Posts: 156
Joined: Tue Feb 25, 2020 2:54 pm

Re: hardening the ability to create new users

Post by trendy »

What is the use case you want to apply it to?
What would be the pros of such a feature?
arpeggio
Posts: 4
Joined: Sat Jul 11, 2020 7:02 pm

Re: hardening the ability to create new users

Post by arpeggio »

Ah - not so much a particular use case scenario as much as it is a goal to make it more difficult to create local admins or other accounts.

With the constant flow of security exploits on a daily basis, I would theorize that limiting root to console only and further disabling new user creation from any other accounts could inhibit hackers from possibly combining exploits and lateraling.
Joulinar
Posts: 2588
Joined: Sat Nov 16, 2019 12:49 am

Re: hardening the ability to create new users

Post by Joulinar »

Hi,

Well, usually DietPi is designed to work completely headless. Therefore root access via SSH is allowed by default (not every user is able to have a monitor or keyboard attached). If needed, you can disable root login via SSH already. There are different ways to achieve this, depending on your SSH server.

Next to that, you have the non-root user dietpi, who can manage everything using the sudo command.

Basically everything is already there.

As well there are other methods to protect your system and to restrict access to local network or specific computer.
  1. ensure your router is not forwarding unnecessary ports and disable UPnP
  2. Use a different port (not 22) on SSH server
  3. don't allow password access, use keys only
  4. use TCP wrapper to allow specific hosts only
  5. use iptables or ufw to restrict access on SSH server port
  6. use fail2ban to detect failed login attempts and to block access if needed
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
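The SSH-side points from this thread (no root login over SSH, keys only, an ssh users group without root, a non-default port) can be checked against a server config. This is an added example, not part of the thread; it assumes an OpenSSH server with whitespace-separated `Keyword value` lines, and the port 2222 and the group name `sshusers` are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenSSH sshd_config syntax with
# whitespace-separated "Keyword value" lines; other SSH servers differ.

# effective_value FILE KEYWORD DEFAULT
# Prints the global value sshd would use: keywords are case-insensitive and
# the first occurrence wins. Stops reading at the first Match block.
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        tolower($1) == "match" { exit }              # conditional section starts
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: prints one finding per line, returns 1 if any FAIL.
audit_sshd() {
    rc=0
    v=$(effective_value "$1" PermitRootLogin prohibit-password)
    [ "$v" = no ] || { echo "FAIL PermitRootLogin=$v"; rc=1; }
    v=$(effective_value "$1" PasswordAuthentication yes)
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=$v"; rc=1; }
    v=$(effective_value "$1" AllowGroups "")
    case " $v " in
        "  ")       echo "FAIL AllowGroups unset"; rc=1 ;;
        *" root "*) echo "FAIL AllowGroups includes root"; rc=1 ;;
    esac
    v=$(effective_value "$1" Port 22)
    [ "$v" != 22 ] || echo "WARN Port=22"
    [ "$rc" -ne 0 ] || echo "OK"
    return "$rc"
}

# Constructed sample configs (not taken from a real system).
sample_weak() {
    printf '%s\n' '# constructed sample' 'Port 22' 'permitrootlogin yes' \
        'PasswordAuthentication yes'
}
sample_hardened() {
    printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
        'AllowGroups sshusers' 'Match User backup' '    PasswordAuthentication yes'
}

tmp=$(mktemp)
sample_weak > "$tmp";     audit_sshd "$tmp" || true
sample_hardened > "$tmp"; audit_sshd "$tmp" || true
rm -f "$tmp"
```

The script reads only the file it is given; on a live OpenSSH host, `sshd -T` prints the effective configuration including built-in defaults.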
arpeggio
Posts: 4
Joined: Sat Jul 11, 2020 7:02 pm

Re: hardening the ability to create new users

Post by arpeggio »

Thank you so much Joulinar! Excellent food for thought! I am using DietPi not only to learn more about Linux but also to expand into Linux security (which I know even less about).

I plan to use this thread as a placeholder for other folks who might be interested in the same.

Thanks so much again to you and the entire DietPi team!!!
Joulinar
Posts: 2588
Joined: Sat Nov 16, 2019 12:49 am

Re: hardening the ability to create new users

Post by Joulinar »

But you know what the best way to protect a system is?

> detach power :lol: