You are logged into your Linux server and notice an unauthorized user (an ex-employee) on it. For whatever reason, the original removal of his user account apparently failed. Since this now poses a critical security risk, how do you a) get rid of this user's SSH session and b) remove his user account from the system?
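First you need to identify the user's session (the pts terminal it is attached to) and then kill it. Run ps -auxf to find the session, then kill every process attached to that terminal:
ps -auxf | grep -w "pts/0" | grep -v grep | awk '{print $2}' | xargs -r kill -9
(Replace "0" with the value you retrieved from the ps -auxf command.)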
Another option is to kill anything related to his user name:
killall -u username
You can then manually remove him from the following files:
/etc/passwd and /etc/group
Another way to do this is to run the following Linux command:
userdel -rf username
In general, this situation should have been prevented by removing the user account the moment the employee left the company. It is also recommended that you do a user account audit to make sure the user did not create a different user ID to log in with. You should also look for backdoors to the system. Depending on how critical the server in question is, you might want to involve an external security professional or consider a server rebuild.
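The account audit recommended above can start with the two files named earlier. The script below is an added example, not part of the original article: the function names, the account name jdoe and the sample entries are constructed, and it checks passwd/group-format files for extra UID 0 accounts, shared UIDs, login-capable shells and leftovers of the removed user.

```shell
#!/bin/sh
# Added example: account audit over passwd/group-format files.
# Function names and the sample data below are constructed for illustration.

# Accounts other than root that hold UID 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1"
}

# UIDs shared by more than one account name, as "uid: name name".
duplicate_uids() {
    awk -F: '{n[$3]++; names[$3] = names[$3] " " $1}
             END {for (u in n) if (n[u] > 1) print u ":" names[u]}' "$1" | sort
}

# Accounts whose shell still allows an interactive login.
login_accounts() {
    awk -F: '$7 !~ /\/(nologin|false)$/ {print $1}' "$1"
}

# What is left of a removed user. Usage: leftover_refs USER PASSWD GROUP
leftover_refs() {
    awk -F: -v u="$1" '$1 == u {print "passwd-entry " $1}' "$2"
    awk -F: -v u="$1" '{n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print "group-member " $1}' "$3"
}

# Constructed sample files (not real data); point P and G at copies of
# /etc/passwd and /etc/group to audit a real host.
D=$(mktemp -d)
P=$D/passwd
G=$D/group
cat > "$P" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
jdoe:x:1001:1001::/home/jdoe:/bin/bash
svc_backup:x:0:0::/var/tmp:/bin/sh
alice2:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$G" <<'EOF'
root:x:0:
sudo:x:27:alice,jdoe
EOF

echo "UID 0 besides root: $(extra_uid0 "$P")"
echo "Shared UIDs:"; duplicate_uids "$P"
echo "Can log in: $(login_accounts "$P" | tr '\n' ' ')"
echo "Leftovers of jdoe:"; leftover_refs jdoe "$P" "$G"
```

Any name reported by the first two checks that you cannot account for deserves the same treatment as the original account: kill its sessions, then remove it.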
If you are having difficulties managing your dedicated server, I highly recommend considering a switch to LiquidWeb. Their servers come fully managed. All you would have to do is submit a support ticket and they will take care of it for you. Visit LiquidWeb here to see the entire list of features for their cheap dedicated servers.