
Help: Old Employees Accessing The Linux Server

I've recently noticed that two of my former employees are still accessing one of our Linux boxes. The old user accounts weren't deleted because they have some important files. How do I make sure the accounts get deleted without losing the files and email stored in them? Can you describe a termination clearance policy for an employee account, including email accounts, forwarding aliases, ssh / ftp, and access to vpn dialup services under Red Hat Enterprise Linux server?

A laid-off employee may seek revenge, so delete or disable all unwanted accounts. When an employee leaves, you can immediately lock down shell access by typing the following command:

passwd -l username

The -l option disables an account by changing the password to a value which matches no possible encrypted value, and by setting the account expiry field to 1. This makes sure he / she cannot get into the server. You can delete a user account without removing any files as follows:

# userdel username

You can also tell userdel to remove the user's home directory and all of its contents:

# userdel -r username

Files in the user's home directory will be removed along with the home directory itself and the user's mail spool. Files located in other file systems will have to be searched for and deleted manually. Additional cleanup work is left to the administrator.

Recommended Procedure To Delete A User Account

The following is the recommended procedure. Linux and UNIX server accounts are maintained as long as the owner is affiliated with you or your business. Generally, users or employees who leave for one reason or another will eventually lose their accounts and data. However, please consult your legal or HR department regarding local laws and privacy policies.

#1: Deactivate The Account

First, lock the user account to disable logins to the shell, FTP and SSH services:

# passwd -l username

#2: Scan For Rootkits

Scan the files for viruses, other malicious content and rootkits. Try the chkrootkit and rkhunter tools for rootkit scanning. If the user accessed the Linux file server from a Windows or Mac operating system, use Microsoft / Mac OS tools and anti-virus software to scan the files. The ClamAV virus scanner is available and may be used to scan Linux / Unix file systems for viruses that infect other operating systems. Some employees leave rootkits and viruses behind for backdoor entry. This step is critical before you make a backup of the existing data.

#3: Backup Data

Usually, you need to backup:

  • Home directory
  • Email box
  • FTP directory
  • Cron jobs
  • Webserver files
  • CVS files
  • MySQL / PostgreSQL databases, etc.

Just create a tarball of the home directory, cron jobs, and mailbox in a safe location in another directory:

# DEST=/path/to/safe/delete_accounts/user/data_$(date +"%d-%m-%Y_%H_%M_%P").tar.gz
# SHOME=/home/$user
# SMAILBOX=/usr/local/mailboxes/domain.com/$user
# SCRON=/var/spool/cron/crontabs/$user
# SFTP=/var/spool/ftp/$user
# mkdir -p "$(dirname "$DEST")"
# tar -zcvf "$DEST" "$SHOME" "$SMAILBOX" "$SCRON" "$SFTP"

Replace $user and other paths with actual values.

#4: List Files In Other Directories

The user may have left files in other directories. Type the following command to get a complete list of files owned by the user vivek:

# find / -user vivek -print0 > /root/viveksfiles.txt 2>/root/error.log &

You can back up those files or simply change their ownership with the find command itself. Remove all files owned by the user from /tmp, /var/tmp, and other temporary locations.

Delete User Account

Finally, you can delete the user account and all of its files:

# userdel -r $user

Make sure you have removed the username from all groups to which it belongs in /etc/group.

#5: Remove The User's Crontab

Type the following command to backup and delete cronjobs:
# crontab -u username -l > /path/to/safe/delete_accounts/user/crontab.bak
# crontab -u username -r

#6: Remove The User's at Jobs

The atq command lists the user's pending at jobs; run as the superuser it lists everybody's jobs, with the owning username in the last column. Save the list, then remove the former employee's jobs by job ID:

# atq | less
# atq > /path/to/safe/delete_accounts/user/at.bak
# atrm jobid

#7: Kill All Processes

You need to send a SIGKILL (-9) signal to all processes owned by the user. For example, to send a KILL signal to all processes owned by vivek, use the following commands. First get detailed information about the running processes:

# ps -fp $(pgrep -u vivek)

Get all PIDs and kill them:

# pgrep -u vivek
# kill -9 pid1 pid2

Or kill every process owned by vivek at once:

# pkill -9 -u vivek
# killall -KILL -u vivek

#8: Disable Email Login

Configure your email server to forward mail or deny access to the mailbox. Usually, this is done by editing the MySQL or LDAP database the mail server uses. Remove the incoming mail (Postfix or Sendmail) and POP / IMAP daemon mail files belonging to the user from /var/mail or /var/spool/mail.

Fig.01: Postfix - Disable Email Box Using Postfixadmin

You can also forward incoming email or simply delete the mailbox with Postfixadmin.

#9: Disable Proxy Server and VPN Remote Login

Again, update your central login database (such as LDAP) and disable all login access.

#10: Files and Emails

Generally, any files or email left on the system can be turned over to the employee's supervisor if necessary.

#11: Dealing With Root Level Access

If the former employee had root access, you may need to look out for the following additional things:

  1. Trojans.
  2. Hidden kernel backdoor modules.
  3. Rootkits.
  4. Cron and at jobs, which can be used to run arbitrary shell scripts or to regain root-level access.
  5. A .forward file, which can be used to run arbitrary shell scripts.
  6. Unwanted and hidden network services.
  7. SSH keys allowing password-less remote login, etc.
  8. Unwanted SUID/SGID binaries.
  9. Iptables firewall settings.
  10. Remove all message queues, shared memory segments and semaphores owned by the user.
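Before relying on a password lock alone, it helps to know which locked accounts could still get in. The following audit script is an added example, not part of the original article: it reads a passwd file and a shadow file and reports accounts locked with a leading `!` (what passwd -l writes) that still have a real login shell or an authorized_keys file. The file paths, the constructed sample accounts and the UID 500 cut-off are assumptions.

```shell
#!/bin/sh
# Added example: report locked accounts ("!" prefix in the shadow hash) that
# still have a usable login shell or SSH authorized_keys file.
# Real use, as root: audit_locked_accounts /etc/passwd /etc/shadow /
audit_locked_accounts() {
    passwd_file=$1; shadow_file=$2; base=${3%/}
    while IFS=: read -r user _ uid _ _ home shell; do
        [ "$uid" -ge 500 ] || continue                 # skip system accounts (assumed cut-off)
        hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
        case $hash in '!'*) ;; *) continue ;; esac     # only accounts locked with passwd -l / usermod -L
        case $shell in
            /sbin/nologin|/bin/false) shell_ok=yes ;;  # shell already disabled
            *) shell_ok=no ;;
        esac
        keys=no
        [ -s "$base/${home#/}/.ssh/authorized_keys" ] && keys=yes
        if [ "$shell_ok" = no ] || [ "$keys" = yes ]; then
            echo "$user shell=$shell authorized_keys=$keys"
        fi
    done < "$passwd_file"
}

# Constructed sample data: three locked accounts and one active one.
# vivek: locked, still has bash and an SSH key   -> reported
# tom:   locked, shell set to /sbin/nologin      -> silent
# sara:  locked, still has bash                  -> reported
# alice: not locked                              -> not a locked account, skipped
demo_audit() {
    d=$(mktemp -d)
    mkdir -p "$d/home/vivek/.ssh" "$d/home/tom" "$d/home/sara"
    echo 'ssh-rsa AAAA...constructed vivek@laptop' > "$d/home/vivek/.ssh/authorized_keys"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'vivek:x:501:501::/home/vivek:/bin/bash' \
        'tom:x:502:502::/home/tom:/sbin/nologin' \
        'sara:x:503:503::/home/sara:/bin/bash' \
        'alice:x:504:504::/home/alice:/bin/bash' > "$d/passwd"
    printf '%s\n' 'root:$1$hashconstructed:14000:0:99999:7:::' \
        'vivek:!$1$hashconstructed:14000:0:99999:7:::' \
        'tom:!$1$hashconstructed:14000:0:99999:7:::' \
        'sara:!$1$hashconstructed:14000:0:99999:7:::' \
        'alice:$1$hashconstructed:14000:0:99999:7:::' > "$d/shadow"
    audit_locked_accounts "$d/passwd" "$d/shadow" "$d"
    rm -rf "$d"
}
```

Run `demo_audit` to see the two findings on the constructed data; every reported account needs its shell changed (usermod -s /sbin/nologin) or its authorized_keys removed before the lock can be trusted.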

Use Identity Manager Software

Third party identity manager software can easily enable and disable access to many services. You can configure various policies based on a user's employment status, weekend login policy, etc. using automated provisioning software.

You can write a Perl or shell script to automate the entire procedure of disabling access to the user account and backing up files / emails to another safe location.
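The steps above as one reviewable shell script, added here as an example and not the article's own code: with DRY_RUN=1 (the default) it only prints the commands it would run, so the plan can be checked first; with DRY_RUN=0, run as root on the server, it executes them. The mailbox location, the safe directory and the step order are assumptions; userdel is deliberately left out because of the UID reuse concern raised in the comments below.

```shell
#!/bin/sh
# Added example: lock, stop, back up and clean up one departing user's account.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (as root).
run() {                                  # print or execute one command
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}
save() {                                 # like run, but stdout goes to a file
    dest=$1; shift
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$* > $dest"; else "$@" > "$dest"; fi
}
offboard_user() {
    user=$1
    safe=${2:-/path/to/safe/delete_accounts}/$user      # assumed backup location
    mailbox=${MAILBOX_DIR:-/var/spool/mail}/$user       # assumed mail spool layout
    stamp=$(date +"%d-%m-%Y_%H_%M")

    run passwd -l "$user"                               # #1 lock the password ...
    run usermod -s /sbin/nologin "$user"                #    ... and the login shell
    run pkill -KILL -u "$user"                          # #7 stop anything still running
    run mkdir -p "$safe"
    save "$safe/crontab.bak" crontab -u "$user" -l      # #5 keep a copy of the cron jobs
    run crontab -u "$user" -r
    save "$safe/at.bak" atq                             # #6 at jobs: review, then atrm by hand
    run tar -zcf "$safe/data_$stamp.tar.gz" "/home/$user" "$mailbox"   # #3 backup
    save "$safe/other_files.txt" find / -xdev -user "$user" -print     # #4 stray files
    # No userdel here: a locked account with no shell keeps the UID reserved,
    # so files that were missed cannot fall to the next new hire with that UID.
}
```

`offboard_user vivek /path/to/safe` prints the nine commands in order; read the at.bak and other_files.txt listings before deciding what to remove or reassign.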

9 comments

  • webjuan September 23, 2009, 3:57 pm

    If possible, I would also consider changing the ownerships of all the files owned by the old employee to another valid system user.

    You can use find while logged in as the root user:

    # find /home/fireduser -user fireduser -exec chown newuser.newgroup {} \;

    Your mileage will vary depending on OS.

  • @OlhoNaTV September 23, 2009, 5:39 pm

    It’s so Linux!

  • Reck September 23, 2009, 11:58 pm

    Just change the start up shell from /bin/sh to /bin/false in the /etc/passwd file for those specific accounts. Their shell won't start.

  • athmoss September 24, 2009, 10:29 pm

    Nice article. I have one question: why use passwd -l (in the case mentioned in the article) instead of passwd -d?

  • CM September 29, 2009, 5:20 pm

    passwd -d just deletes the user's password. This means that no password is required for that account.

    passwd -l acts on /etc/shadow by adding a ! to the user's password. Since the encryption methods in use never produce a !, this password will never be matched!

  • Jonas Björklund October 2, 2009, 2:50 pm

    I personally would recommend not to delete a user’s account using userdel, since it is possible that the same UID may be used again for a newly added employee. Even if you have searched and changed ownership of all files owned by the user, there still could be files you have missed, leaving a potential security risk.

    • prr.suresh May 18, 2013, 4:51 am

      @Jonas Björklund
      Then how can I overcome the problem?
      By explicitly setting the UID or anything else?

      • Colin October 3, 2014, 11:50 am

        Deleting a user's account is asking for problems.

        What of reporting and legacy programs that look for that UID, or any daemon starting itself as that user? Especially if that person is a DBA, you can suddenly discover cron jobs stop running because the user does not exist.

        Honestly I would change their password and set their shell to /bin/false. From there, interrogate any web service and look for old accounts.

  • Pandu POLUAN October 3, 2014, 12:56 am

    If you redirect the stdout of find to a file, you really shouldn't use -print0, so that the resulting file would be easily parseable by a shell script. And easier to parse by humans.

    The -print0 switch is useful mostly only for feeding to xargs, which will 'flatten' the list into one line to feed to commands that accept multiple files as parameters.
