Re: Completely locking out a user
On Fri, Feb 03, 2023 at 04:27:06PM +0100, Nicolas George wrote:
> Hi.
>
> When there is a suspicious access to a user account, we want to lock
> this account until we have made sure. So “:-:” in /etc/shadow and shell to
> /bin/false, and “sudo -u user kill -9 -1”.
>
> But, at least with the default configuration, these will not block:
>
> - crontabs or atjobs that download instructions from the web;
>
> - .procmailrc or “|something” in .forward;
>
> - probably one or two mechanisms I forgot about.
>
> PAM might be able to help for some of these, but not all.
>
> I tried to search on the web, but did not find anything relevant, which
> is somewhat surprising to me.
>
> Do you know of any extensive discussion about this topic, to help me set
> something up without leaving too many holes?
>
I think it would be a good idea to temporarily ban/move the home directory:
mv /home/<user> /home/banned_<user>
This disconnects any automatisms like procmail etc.
If you do this, any automatisms would trigger an error which shows up in the
log. A good way to find these (I think).
Next, find any leftover files of that user in /var (the temp files are likely
located here) and /run (if you have to keep the system running; a reboot
would flush those out):
find /var -type f -uid <userID> -print
-H
--
Henning Follmann | hfollmann@itcfollmann.com
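The steps from the question and from the reply above, collected into one script as an added example (not code from either poster). It assumes a Debian-style system with usermod/chage, a Vixie-style cron with `crontab -u`, at, and optionally systemd-logind, and assumes homes live under /home/<user>; the list of hook files it checks and the sample home it is tested against are this example's own assumptions. Note that `usermod --lock` only disables the password, so the script also expires the account with `chage -E 0`, which pam_unix refuses and which therefore covers ssh public-key logins when sshd runs with UsePAM.

```shell
#!/bin/sh
# Added example (not from the thread): quarantine a suspicious account so
# that nothing keeps running, or gets restarted, as that user.  Assumes a
# Debian-style box with usermod/chage, crontab -u, at and optionally
# systemd-logind; the hook-file list below is this example's own choice.
set -u

# Root-only part: lock the password, expire the account, drop the shell,
# stop lingering systemd user services, kill everything running as the
# user, and remove cron/at jobs.
lock_account() {
    user="$1"
    usermod --lock --shell /usr/sbin/nologin "$user"
    # --lock only blocks password auth; an expired account is also refused
    # by pam_unix, which covers ssh public-key logins when UsePAM is on.
    chage --expiredate 0 "$user"
    if command -v loginctl >/dev/null 2>&1; then
        loginctl disable-linger "$user" 2>/dev/null || true   # user@.service
        loginctl terminate-user "$user" 2>/dev/null || true
    fi
    pkill -KILL -u "$user" || true            # no processes is not an error
    crontab -r -u "$user" 2>/dev/null || true
    # atq prints "<job> <date> <queue> <user>"; remove the user's jobs.
    for job in $(atq 2>/dev/null | awk -v u="$user" '$NF == u { print $1 }'); do
        atrm "$job"
    done
}

# Files under a home directory that make the system run code on the
# user's behalf without a login.  The paths are this example's assumptions.
list_hooks() {
    home="$1"
    for f in .forward .procmailrc .ssh/authorized_keys \
             .config/systemd/user .config/autostart; do
        [ -e "$home/$f" ] && printf '%s\n' "$home/$f"
    done
    return 0
}

# Move the whole home directory aside (the reply's suggestion) so every
# hook above fails loudly in the logs instead of running.  Prints the new
# path and refuses to clobber an existing quarantine directory.
quarantine_home() {
    home="$1"
    banned="$(dirname "$home")/banned_$(basename "$home")"
    [ -d "$home" ] || return 1
    [ -e "$banned" ] && return 1
    mv "$home" "$banned"
    chmod 000 "$banned"    # root can still read it for the investigation
    printf '%s\n' "$banned"
}

# Regular files still owned by the user outside the home directory
# (/var for mail and temp files, /run if you cannot reboot).  The owner
# may be a name or a numeric uid.
leftover_files() {
    root="$1"; owner="$2"
    find "$root" -type f -user "$owner" -print 2>/dev/null || true
}

# Usage: sh lockout.sh <user>  (as root).  Without an argument the file
# only defines the functions, so it can be sourced.
if [ "$#" -eq 1 ]; then
    lock_account "$1"
    list_hooks "/home/$1"
    quarantine_home "/home/$1"
    for d in /var /run /tmp; do leftover_files "$d" "$1"; done
fi
```

Run `list_hooks` before the move if you want to know what was there; after the move the MTA, procmail and sshd all fail to open the files and log that failure, which is the detection the reply relies on. The script does not cover keys stored outside the home (a non-default AuthorizedKeysFile) or mechanisms configured system-wide rather than per user; those still have to be checked by hand.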