Restricting normal user account access on Ubuntu Server

Here’s a tip to restrict normal user account access so that common users may not be able to explore other directories beyond his/her own /home directory.

  • First you need to chmod all /home dir to 0700
  • Then, you need to set the default umask to 077, to do that, you ned to edit /etc/profile, and replace “umask 022” with “umask 077“.
  • Optionally, you can also update PAM configuration in /etc/pamd.d/common-session so that the line reads “ umask=077 usergroups

The tips has been adapted from –

Debian: Force users to use more secure login password with pam_cracklib

One of the factor that makes your system easily crackable is the weak password. PAM cracklib forces users to choose stronger password by analyzing the password strength, length and entropy.

To enable pam_cracklib in Debian / Ubuntu operating system, you need to install libpam_cracklib:

sudo apt-get install libpam_cracklib

Then edit the “/etc/pam.d/common-password” file using your favorite editor. Then, add and uncomment the following line at the end of the file.

password required retry=3 minlen=6 difok=3

difok determines the number of same characters that allowed to be present in the old and new passwords.