For basic hardening of system accounts, the single best recommendation I can make is to disable the root account entirely and use only sudo. You should likewise prevent direct login to any shared account, whether it's root or a role account such as the user that runs your application or web server. By requiring users to log in as themselves and then use sudo to become root or a role account, you get a clear audit trail of who did what, and revoking access becomes simpler when a user no longer needs an account: because the shared accounts have no password, you don't need to change them whenever a team member leaves; you simply remove that user's account.
Most distributions now include sudo, and some either disable the root account by default or let you disable it during installation. Otherwise, you can simply edit your /etc/shadow file and replace whatever password hash is in place for the root user with a * character (passwd -l root has the same effect). Just make certain you have sudo working for at least one account first so you don't lock yourself out. Note that this only removes root's password; if root has an SSH key in its authorized_keys file, sshd's PermitRootLogin setting still decides whether it can log in that way.
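To make the /etc/shadow edit and the pre-flight check concrete, here is an added shell example (not code from the original article). It works on a constructed copy of a shadow file with placeholder hashes so it runs offline; the account names and hashes are made up, and on a real host you would run passwd -l root rather than rewriting the file yourself.

```shell
#!/bin/sh
# Added example, not from the original article: lock the root password in a
# copy of /etc/shadow and verify the result. The sample file below is
# constructed; the hashes are placeholders, not real ones. On a real host,
# `passwd -l root` does the same job (it prefixes the hash with "!");
# "*" and "!" both make password login impossible. Before locking root,
# confirm a real user has sudo rights with `sudo -l -U <user>`.
set -eu

SAMPLE_SHADOW=$(mktemp)
cat >"$SAMPLE_SHADOW" <<'EOF'
root:$6$placeholderhash$ABCDEF:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
kyle:$6$anotherplaceholder$XYZ:19000:0:99999:7:::
EOF

# Replace the password field (field 2) of the named account with "*".
# Writes a copy with awk and moves it into place so the file is never
# left half-written. (This is for illustration; it does not preserve the
# 0640 root:shadow permissions of the real file, which passwd -l does.)
lock_password() {
    account=$1
    shadow=$2
    tmp="$shadow.tmp"
    awk -F: -v OFS=: -v who="$account" '$1 == who { $2 = "*" } { print }' "$shadow" >"$tmp"
    mv "$tmp" "$shadow"
}

# Print "locked" if the account's password field starts with "*" or "!",
# "open" if it holds a usable hash, "missing" if the account is not there.
password_state() {
    account=$1
    shadow=$2
    awk -F: -v who="$account" '
        $1 == who {
            if ($2 ~ /^[*!]/) print "locked"; else print "open"
            found = 1
        }
        END { if (!found) print "missing" }' "$shadow"
}

# List accounts that still have a usable password hash. Before you lock
# root, this must include at least one real user who is also in sudoers.
open_accounts() {
    awk -F: '$2 !~ /^[*!]/ && $2 != "" { print $1 }' "$1"
}

demo() {
    echo "before: root is $(password_state root "$SAMPLE_SHADOW")"
    lock_password root "$SAMPLE_SHADOW"
    echo "after:  root is $(password_state root "$SAMPLE_SHADOW")"
    echo "accounts that can still log in with a password: $(open_accounts "$SAMPLE_SHADOW" | tr '\n' ' ')"
}
demo
rm -f "$SAMPLE_SHADOW"
```

The verification step is the part worth keeping: after any change to root's password field, confirm both that root is locked and that the list of accounts with a usable password still contains the user you intend to sudo from.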
When using sudo there are a few practices you should follow to help keep it secure. First, although NOPASSWD sudo rules (rules that don't require you to enter a password) are somewhat inevitable for daemons that run cron jobs such as backups, restrict NOPASSWD rules to those daemon role accounts and require all real users to enter a password. As much as possible, also follow the principle of least privilege and grant users sudo access only to the specific commands they need, rather than the right to run all commands as a particular user (especially root). Finally, if you find yourself giving users access to a general-purpose command in order to do something specific (such as granting them service or systemctl so they can restart just one service), consider writing a simple shell script that runs the command with only the specific arguments you want, and grant them sudo access to that script instead.
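Here is an added example of that wrapper-script pattern (not code from the original article). The script path, the operator group name webops and the service names nginx and php-fpm are assumptions chosen for illustration; the sudoers lines in the comments show the overly broad rule beside the narrowed one.

```shell
#!/bin/sh
# Added example, not from the original article: a wrapper that lets an
# operator restart one allow-listed service via sudo, instead of granting
# them "systemctl" (or "service") outright. The path, the group "webops"
# and the service names are assumptions chosen for illustration.
#
# The sudoers side. Too broad (the whole tool, any unit, and passwordless):
#   %webops ALL=(root) NOPASSWD: /bin/systemctl
# Narrower, but "systemctl restart *" still matches "restart sshd":
#   %webops ALL=(root) /bin/systemctl restart *
# Preferred: only this script, root-owned and not group-writable, and
# still requiring the operator's own password:
#   %webops ALL=(root) /usr/local/sbin/restart-web
#
# Invoke as:  sudo /usr/local/sbin/restart-web nginx
set -eu

# Services this wrapper may touch. Everything else is refused.
ALLOWED_SERVICES="nginx php-fpm"

# Return 0 if the name is in the allow-list and contains nothing a caller
# could use to smuggle in extra arguments (letters, digits, '-', '_', '.').
service_allowed() {
    name=$1
    case "$name" in
        *[!A-Za-z0-9._-]*|"") return 1 ;;
    esac
    for s in $ALLOWED_SERVICES; do
        [ "$s" = "$name" ] && return 0
    done
    return 1
}

# Entry point: validate, record who asked (sudo exports SUDO_USER), then
# run with the action fixed to "restart" so the wrapper cannot be turned
# into "stop", "mask" or "edit".
main() {
    if [ "$#" -ne 1 ]; then
        echo "usage: $0 <service>" >&2
        exit 2
    fi
    if ! service_allowed "$1"; then
        echo "refusing to restart '$1': not in allow-list [$ALLOWED_SERVICES]" >&2
        exit 1
    fi
    logger -t restart-web "${SUDO_USER:-unknown} restarted $1" 2>/dev/null || true
    exec systemctl restart "$1"
}

# Run main only when invoked with arguments; sourcing the file (for
# example from a test) just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The two checks that matter are the character allow-list (so a name like "nginx; id" or "nginx --now" is rejected before it reaches systemctl) and the exact-match loop against a fixed list of units; sudo's own wildcard matching is too loose to do either job reliably.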
Although these hardening steps aren't the only things you should do to lock down your server, they are a good start and should take only a few minutes. In my next article, I'll cover another round of simple hardening tips, including SSH client hardening and cloud hardening steps, and I'll finish with some general-purpose advice.