Managing user accounts in Ubuntu is pretty straightforward. Creating a new user also creates a new group with the same name if you do not specify anything else.
User Management
To create a user:
useradd -m -s /bin/bash username
The -m option indicates that the user's home directory should be created, and -s specifies which login shell should be used; in this case it is the bash shell.
To remove a user:
userdel -r username
The -r option also removes the user's home directory and the files in it.
To set a password for a user, as the root user:
passwd username
This will prompt twice for the password. Alternatively you can use the chpasswd command to change passwords without the prompt and in batch mode, for example from a script:
echo username:password | chpasswd
The username and password pair are piped into the chpasswd command. The format, username and password separated by a colon, is defined in the manpage for the chpasswd command.
Group Management
Groups can help to collect like users together in order to apply certain permissions to an object.
To create a group:
groupadd groupname
To remove a group:
groupdel groupname
To add a user to a group:
usermod -a -G groupname username
The group list follows -G and the user name comes last. The -a option appends the group to the user's existing supplementary groups; without it, -G replaces them.
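The user and group steps above combined into one provisioning script, as an added example that is not part of the original page. It validates the user name the way useradd does before touching the system, sets the password through chpasswd's stdin format, and adds the user with the correct usermod argument order; the function names, the user "jdoe" and the group "developers" are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page: create a user, set its password
# in batch mode and add it to a supplementary group, following the useradd /
# chpasswd / usermod steps above, with the checks a provisioning script needs.
# The function names, the user "jdoe" and the group "developers" are
# hypothetical; the commands themselves are the standard shadow-utils ones.

# useradd only accepts names matching this portable pattern (up to 32
# characters, lowercase, starting with a letter or underscore, optional
# trailing '$' for machine accounts). Validating first gives a clear error
# instead of a confusing useradd failure half-way through a batch.
valid_username() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z_][a-z0-9_-]{0,31}\$?$'
}

# True if the user is a member of the group (primary or supplementary).
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# provision_user USER GROUP PASSWORD
provision_user() {
    user=$1 group=$2 password=$3
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    [ "$(id -u)" -eq 0 ]   || { echo "must run as root" >&2; return 1; }

    # create the group and the user only if they do not already exist
    getent group "$group" >/dev/null || groupadd "$group"
    id "$user" >/dev/null 2>&1       || useradd -m -s /bin/bash "$user"

    # chpasswd reads "user:password" lines on stdin, one account per line;
    # a here-document avoids echo's escape-sequence quirks with odd passwords
    chpasswd <<EOF
$user:$password
EOF

    # -a appends to the existing supplementary groups; the group list follows
    # -G and the user name comes last (the reverse order is a common mistake)
    usermod -a -G "$group" "$user"

    user_in_group "$user" "$group"
}

# Usage (as root):  sh provision.sh jdoe developers 'S3cret-pass'
if [ $# -eq 3 ]; then
    provision_user "$1" "$2" "$3"
fi
```

The membership check at the end is what a batch script should report on: getent and id make the script safe to re-run, and a failed valid_username stops the run before any account is created.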
Permissions and Security
Security is maintained by (not) granting permission to access certain objects within a system. In Linux we are usually speaking of filesystem objects like files and directories, but it need not be limited to those objects.
If you run the ls -al command in Linux, you will see a lot of detail:
w.jojo@acadnx:~$ ls -al
total 329824
drwxr-x---  42 w.jojo w.jojo  4096 2013-03-13 18:30 .
drwxr-xr-x 245 root   root   12288 2013-03-12 20:18 ..
drwx------   3 w.jojo w.jojo  4096 2012-03-28 20:57 .adobe
-rw-------   1 w.jojo w.jojo  7611 2013-03-13 19:04 .bash_history
-rw-r--r--   1 w.jojo w.jojo   220 2010-04-18 22:15 .bash_logout
-rw-r--r--   1 w.jojo w.jojo  3103 2010-04-18 22:15 .bashrc
drwx------   4 w.jojo w.jojo  4096 2013-03-08 10:51 .cache
drwxr-xr-x   3 w.jojo w.jojo  4096 2013-02-07 18:21 ciss111
The above is output from ls -al. Among the columns of data are the file size, the date and time of last modification and, of course, the filename at the end of each line.
All the way to the left is a column of ten characters. These characters represent the permissions.
The first character represents the object type. They are typically:
d = Directory
- = Regular file
s = Unix socket
p = Named pipe
c = Character device
b = Block device
The next three groups of three characters represent permissions for user (owner), group and other (world). The owner and group appear in the third and fourth columns of the listing above. The permission characters are as follows:
r = Read permission.
w = Write permission.
x = Execute permission.
S = setuid (user) or setgid (group), but not x permission.
s = setuid (user) or setgid (group), but with x permission.
T = ISVTX (sticky) bit, but not x permission.
t = ISVTX (sticky) bit, but with x permission.
Permissions work basically like this: for files, r, w and x are pretty self-explanatory. With directories, however, x permission means you may use the directory as a component of a pathname (traverse it). Coupled with r it means you can see the files inside the directory, and combined with w it means you can create, update and delete files in it.
The setuid and setgid bits allow a program to run as a particular user or group, or both.
The ISVTX, or sticky, bit is typically used on directories. It restricts deletion of files in the directory to the file owner, the directory owner or the superuser.
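The permission column described in this section, decoded in code as an added example that is not part of the original page. The first function turns a ten-character mode string into its octal form, handling the s/S and t/T special-bit forms listed above; the second audits an ls -al listing for setuid, setgid and sticky entries, which is the usual reason to look at those bits on a system. The function names and the sample listing are constructed for this example; it also recognises the l (symbolic link) type, which the list above omits.

```shell
#!/bin/sh
# Added example, not from the original page: decode the ten-character mode
# column that ls -al prints (type character, then rwx triplets with the
# s/S/t/T special-bit forms listed above) into octal, and audit a listing
# for setuid, setgid and sticky entries. Function names and the sample
# listing below are constructed for this example.

# mode_to_octal MODESTRING  ->  prints e.g. 4755 for "-rwsr-xr-x"
mode_to_octal() {
    mode=$1
    [ ${#mode} -eq 10 ] || { echo "bad mode string: $mode" >&2; return 1; }
    special=0 perms=""
    i=2                                  # triplets start after the type char
    for who in user group other; do
        r=$(printf '%s' "$mode" | cut -c"$i")
        w=$(printf '%s' "$mode" | cut -c"$((i + 1))")
        x=$(printf '%s' "$mode" | cut -c"$((i + 2))")
        n=0
        [ "$r" = r ] && n=$((n + 4))
        [ "$w" = w ] && n=$((n + 2))
        case $x in x|s|t) n=$((n + 1)) ;; esac      # lowercase: x bit is set
        case "$who:$x" in                            # s/S, t/T: special bit
            user:s|user:S)   special=$((special + 4)) ;;   # setuid
            group:s|group:S) special=$((special + 2)) ;;   # setgid
            other:t|other:T) special=$((special + 1)) ;;   # sticky (ISVTX)
        esac
        perms="$perms$n"
        i=$((i + 3))
    done
    printf '%s%s\n' "$special" "$perms"
}

# object_type MODESTRING -> directory, regular file, unix socket, ...
object_type() {
    case $1 in
        d*) echo directory ;;        -*) echo "regular file" ;;
        s*) echo "unix socket" ;;    p*) echo "named pipe" ;;
        c*) echo "character device" ;; b*) echo "block device" ;;
        l*) echo "symbolic link" ;;  *) echo unknown ;;
    esac
}

# Constructed sample in the shape of `ls -al` output (not real system data)
SAMPLE_LISTING='total 48
drwxr-x---  42 w.jojo w.jojo  4096 2013-03-13 18:30 .
-rwsr-xr-x   1 root   root   55528 2013-03-13 18:30 passwd
-rw-r--r--   1 w.jojo w.jojo  3103 2010-04-18 22:15 .bashrc
drwxrwsr-x   2 root   staff   4096 2013-03-08 10:51 shared
drwxrwxrwt  12 root   root    4096 2013-03-13 19:04 tmp'

# audit_listing: reads ls -l lines on stdin and prints "OCTAL TYPE NAME" for
# every entry carrying a setuid, setgid or sticky bit; returns 0 if any were
# found. (NAME is the last whitespace-delimited field, so names containing
# spaces are shown truncated.)
audit_listing() {
    found=1
    while read -r mode rest; do
        case $mode in [-dbcpsl]?????????) ;; *) continue ;; esac   # skip "total N"
        octal=$(mode_to_octal "$mode") || continue
        case $octal in 0*) continue ;; esac
        printf '%s %s %s\n' "$octal" "$(object_type "$mode")" "${rest##* }"
        found=0
    done
    return $found
}

# Usage on a real directory:  ls -al /usr/bin | audit_listing
printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

Run against the constructed sample it reports passwd as 4755, shared as 2775 and tmp as 1777; a plain 0644 file produces no line, so the exit status alone tells a script whether anything with special bits was found.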
Firewalls
One other important detail of security is the use of a firewall. The Linux firewall common to most distributions is iptables. As this tool has become rather cumbersome to use, a frontend called ufw (Uncomplicated Firewall) has been implemented.
In its dormant state, ufw status reveals:
root@acadnx:~# ufw status
Status: inactive
The corresponding iptables listing shows empty chains with an ACCEPT policy:
root@acadnx:~# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
To restrict incoming access to only OpenSSH (ufw denies other incoming traffic by default once enabled), you can use a command like:
root@acadnx:~# ufw allow in OpenSSH
Rules updated
After enabling the firewall, this grants port 22 access from anywhere, as shown here:
root@acadnx:~# ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
root@acadnx:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
9102/tcp                   ALLOW       151.103.16.0/20
OpenSSH                    ALLOW       Anywhere
Now the iptables listing looks rather detailed:
root@acadnx:~# iptables --list
Chain INPUT (policy DROP)
target                     prot opt source               destination
ufw-before-logging-input   all  --  anywhere             anywhere
ufw-before-input           all  --  anywhere             anywhere
ufw-after-input            all  --  anywhere             anywhere
ufw-after-logging-input    all  --  anywhere             anywhere
ufw-reject-input           all  --  anywhere             anywhere
ufw-track-input            all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target                     prot opt source               destination
ufw-before-logging-forward all  --  anywhere             anywhere
ufw-before-forward         all  --  anywhere             anywhere
ufw-after-forward          all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward         all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target                     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output          all  --  anywhere             anywhere
ufw-after-output           all  --  anywhere             anywhere
ufw-after-logging-output   all  --  anywhere             anywhere
ufw-reject-output          all  --  anywhere             anywhere
ufw-track-output           all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target                     prot opt source               destination

Chain ufw-after-input (1 references)
target                     prot opt source               destination
ufw-skip-to-policy-input   udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input   udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input   tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input   tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input   udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input   udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input   all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target                     prot opt source               destination
LOG                        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-after-logging-input (1 references)
target                     prot opt source               destination
LOG                        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-after-logging-output (1 references)
target                     prot opt source               destination

Chain ufw-after-output (1 references)
target                     prot opt source               destination

Chain ufw-before-forward (1 references)
target                     prot opt source               destination
ufw-user-forward           all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target                     prot opt source               destination
ACCEPT                     all  --  anywhere             anywhere
ACCEPT                     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ufw-logging-deny           all  --  anywhere             anywhere             state INVALID
DROP                       all  --  anywhere             anywhere             state INVALID
ACCEPT                     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT                     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT                     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT                     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT                     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT                     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local              all  --  anywhere             anywhere
ACCEPT                     all  --  base-address.mcast.net/4 anywhere
ACCEPT                     all  --  anywhere             base-address.mcast.net/4
ufw-user-input             all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target                     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target                     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target                     prot opt source               destination

Chain ufw-before-output (1 references)
target                     prot opt source               destination
ACCEPT                     all  --  anywhere             anywhere
ACCEPT                     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ufw-user-output            all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target                     prot opt source               destination
LOG                        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix `[UFW ALLOW] '

Chain ufw-logging-deny (2 references)
target                     prot opt source               destination
RETURN                     all  --  anywhere             anywhere             state INVALID limit: avg 3/min burst 10
LOG                        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix `[UFW BLOCK] '

Chain ufw-not-local (1 references)
target                     prot opt source               destination
RETURN                     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN                     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN                     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny           all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP                       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target                     prot opt source               destination

Chain ufw-reject-input (1 references)
target                     prot opt source               destination

Chain ufw-reject-output (1 references)
target                     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target                     prot opt source               destination
DROP                       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target                     prot opt source               destination
DROP                       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target                     prot opt source               destination
ACCEPT                     all  --  anywhere             anywhere

Chain ufw-track-input (1 references)
target                     prot opt source               destination

Chain ufw-track-output (1 references)
target                     prot opt source               destination
ACCEPT                     tcp  --  anywhere             anywhere             state NEW
ACCEPT                     udp  --  anywhere             anywhere             state NEW

Chain ufw-user-forward (1 references)
target                     prot opt source               destination

Chain ufw-user-input (1 references)
target                     prot opt source               destination
ACCEPT                     tcp  --  localnet/20          anywhere             tcp dpt:bacula-fd
ACCEPT                     tcp  --  anywhere             anywhere             tcp dpt:ssh /* 'dapp_OpenSSH' */

Chain ufw-user-limit (0 references)
target                     prot opt source               destination
LOG                        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix `[UFW LIMIT BLOCK] '
REJECT                     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target                     prot opt source               destination
ACCEPT                     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target                     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target                     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target                     prot opt source               destination

Chain ufw-user-output (1 references)
target                     prot opt source               destination
As you can see, ufw is a clear winner over using the traditional iptables command directly: the two ufw rules above correspond to the two ACCEPT entries in the ufw-user-input chain, with everything else generated for you.
Be sure to limit traffic to your site as needed. There is no reason not to have a firewall in place. Its logging (the [UFW BLOCK] entries above) can also be extremely helpful in determining whether your site is the victim of a DDoS (Distributed Denial of Service) or another attack vector.
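A small review script for the "limit traffic as needed" advice, as an added example that is not part of the original page. It reads ufw status output, confirms the firewall is active, and lists every ALLOW rule whose source is Anywhere, which is how the OpenSSH rule above would be flagged for tightening to a management network. The function names and SAMPLE_STATUS are constructed here; the only real command used is ufw status itself.

```shell
#!/bin/sh
# Added example, not from the original page: review `ufw status` output the
# way the text suggests (limit what is open to the world). It checks that
# the firewall is active and lists every ALLOW rule whose source is
# "Anywhere". Function names and SAMPLE_STATUS are constructed here.

# Constructed sample in the shape of the `ufw status` output shown above
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
9102/tcp                   ALLOW       151.103.16.0/20
OpenSSH                    ALLOW       Anywhere'

# firewall_active: reads status text on stdin; true only when ufw is active
firewall_active() {
    grep -q '^Status: active'
}

# world_open_rules: reads status text on stdin and prints the "To" column of
# each ALLOW rule reachable from Anywhere (also matches the "ALLOW IN" form
# printed by `ufw status verbose`). Returns 0 if at least one was found.
world_open_rules() {
    found=1
    while IFS= read -r line; do
        case $line in
            *"  ALLOW  "*"  Anywhere"*|*"  ALLOW IN  "*"  Anywhere"*)
                printf '%s\n' "${line%%  *}"   # columns are separated by 2+ spaces
                found=0 ;;
        esac
    done
    return $found
}

# review_status: one-shot report on stdin; exits 1 when the firewall is off
# or a rule is open to the world, so it can run from cron or a CI check
review_status() {
    status=$(cat)
    if ! printf '%s\n' "$status" | firewall_active; then
        echo "firewall is NOT active"
        return 1
    fi
    if open=$(printf '%s\n' "$status" | world_open_rules); then
        echo "allowed from Anywhere (consider restricting to a source network):"
        printf '%s\n' "$open" | sed 's/^/  /'
        return 1
    fi
    echo "no rules open to Anywhere"
}

# Usage on a live system (as root):  sh review.sh --live
# Without --live the constructed sample is reviewed instead.
if [ "${1-}" = "--live" ]; then
    ufw status | review_status
else
    printf '%s\n' "$SAMPLE_STATUS" | review_status
fi
```

On the sample this reports OpenSSH as open to Anywhere and exits non-zero; the 9102/tcp rule, already limited to 151.103.16.0/20, is not listed. A source-restricted rule is the shape to aim for when the exposure is not needed worldwide.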