Deleting/renaming osmc user as safety measure

I’m working on a little project with my Raspberry Pi 2. I installed OSMC and intend to leave it plugged into the TV and, at the same time, install owncloud to be able to access my files when away from home. This means I will expose osmc to the internet, so I’m concerned about security. One safety measure I thought about implementing is to remove/rename the osmc user. But something tells me that this will raise permission problems, so what is the best way to do this? If I create a new user to replace the osmc user, what do I have to change?

Change the password, but don’t change the username. OSMC is not a commonly guessed username, and certainly less so than ‘root’.

Sam

@wilhelm_m, when you install owncloud you should not have it run by osmc but by e.g. www-data (which doesn’t have login capabilities), and all the users within owncloud are not related to the OS users anyhow. And using owncloud via the internet means you should only expose the HTTPS port (best on a customized port) and not the SSH port, which means the osmc user would not be accessible.
Anyhow, as Sam wrote, at least change the password for the osmc user.
Depending on the importance, you might want to not give HTTPS access directly but also have openvpn configured for access.

Thanks for the advice. I was more worried about someone guessing the username osmc, but I guess that putting a really strong password may be enough. The openvpn idea was something I had not thought of yet, so I will give it a try. Thanks.

@wilhelm_m, but my point was that there would be no exposure of the osmc user if you only open the HTTPS port to the internet. I hope you were not planning to connect the Raspberry Pi directly to the internet without a firewall in front.

Definitely not going to connect it directly to the internet. I’m going to install fail2ban and there is my router firewall as well. Also, my internet provider blocks the default HTTP and HTTPS ports, so I was already going to follow your advice and listen on uncommon ports.

One thing that I forgot to mention though is that I’d like to ssh into it remotely, thus my concern even after your answer. By the way, I did not know about this, thanks.

For the curious reader, my final solution was to put a really strong password (long and hard to remember) on the osmc user, note it down in a safe place and forget about this user. Then, create a new user with sudo privileges. I also created a private/public key pair for ssh login and disabled password login. Since this is for personal use only, I believe it is secure enough.


You could go one step further and allow only your newly-defined user to connect over ssh. Just add this line to the end of /etc/ssh/sshd_config:

AllowUsers my_new_user

…replacing my_new_user with the user you defined earlier.

You could also change the ssh port from default 22, but remember to allow it through your firewall.

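A check for the sshd_config changes discussed in this thread (password login disabled, AllowUsers, port), as an added example that is not part of any post above. sshd uses the first value it reads for a keyword, and lines after a Match line belong to that block, so a line appended to the end of the file may not apply globally. The sample config is constructed; Include files are not followed and everything after the first Match line is treated as conditional.

```python
import re

# Constructed sample config (not from a real host).
SAMPLE = """\
Port 22
PasswordAuthentication yes
PasswordAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
AllowUsers my_new_user
"""

# "Keyword value" or "Keyword=value"; comment lines never match (\w excludes '#').
LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(\S.*)$")

def parse_global(text):
    """Collect {keyword: [args, ...]} from the global section only."""
    settings = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line, comment, or keyword without a value
        key, args = m.group(1).lower(), m.group(2).split()
        if key == "match":
            break  # simplification: everything below is treated as conditional
        settings.setdefault(key, []).append(args)
    return settings

def audit(text):
    g = parse_global(text)
    def first(key, default):
        # sshd keeps the first value it reads; default is OpenSSH's built-in one
        return g[key][0][0] if key in g else default
    result = {
        "port": first("port", "22"),
        "password_auth": first("passwordauthentication", "yes").lower(),
        "allow_users": [u for args in g.get("allowusers", []) for u in args],
        "findings": [],
    }
    if result["password_auth"] != "no":
        result["findings"].append("password login is still enabled")
    if not result["allow_users"]:
        result["findings"].append("no AllowUsers line in the global section")
    return result

if __name__ == "__main__":
    for finding in audit(SAMPLE)["findings"]:
        print("WARN:", finding)
```

On a live system, `sshd -T` prints the effective configuration, including anything pulled in through Include.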

Some pointers in general:

  • Use key based authentication
  • Use iptables to DROP any incoming on 22 that is not a trusted IP (if you always connect from the same IP)

Sam