I have a simple question for you, well, at least, much simpler than "How do I clean up a compromised user account?" The question is: "How do I disable a compromised user account?" There are some obvious things to do:
- Disable logins for the user (we've done this by changing their home directory to /disabled/home/user)
- Disable the user's Apache websites (once again, by replacing them with bogus paths.)
- Killing off all the user's processes using
pkill -9 -u username
- Checking they have no spooled cronjobs
So, if their processes mysteriously come back after doing these things, what did we miss?
I'd also do the following:
I agree with mdpc on this. I might add another suggestion, though, in addition to his recommendations. There is a method of putting limits on user processes, per user, via /etc/security/limits.conf. (I don't know if this is uniform across all distributions.) You may be able to disallow processes belonging to that user by setting the limit to 0.
This link might help you - see section 1.4 on Limits.
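The question's steps and this answer's limits.conf suggestion combined into one script, as an added example that is not code from either poster. It assumes a Linux host with shadow-utils (usermod), cron, systemd-logind and pam_limits; the DRY_RUN variable and the validation of the username are my own additions so the script can be inspected before it touches anything.

```shell
#!/bin/sh
# Added example (not from the original post): disable a compromised account.
# Assumes Linux with shadow-utils (usermod), procps (pkill), cron, systemd-logind, pam_limits.
# Usage: DRY_RUN=1 ./disable_user.sh USERNAME   (prints the commands instead of running them)

DRY_RUN=${DRY_RUN:-0}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject anything that is not a plain username before it is interpolated into a shell string.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# pam_limits rule from the answer: a hard process cap of 0 means any session that still
# gets through cannot start a process (see limits.conf(5)).
limits_rule() {
    printf '%s hard nproc 0' "$1"
}

disable_user() {
    user=$1
    valid_user "$user" || { echo "refusing to act on '$user'" >&2; return 2; }
    # 1. Lock the password, expire the account and give it a non-login shell first,
    #    so no new session can start while the rest of the cleanup runs.
    run usermod --lock --expiredate 1970-01-02 --shell /usr/sbin/nologin "$user"
    # 2. Remove the user's crontab so nothing is respawned from cron.
    run crontab -r -u "$user"
    # 3. Cap the process count at 0 via pam_limits.
    run sh -c "echo '$(limits_rule "$user")' >> /etc/security/limits.conf"
    # 4. Drop any lingering systemd user session, then kill every remaining process.
    run loginctl disable-linger "$user"
    run pkill -9 -u "$user"
    # Still check by hand: at(1) jobs (atq as root lists the owner) and other users'
    # crontabs or services that start something as this user.
}

if [ $# -eq 1 ]; then
    disable_user "$1"
fi
```

Running it with DRY_RUN=1 first shows the exact commands, including the limits.conf line that will be appended, without changing the system.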