Level Verified

Linux Lock Device Script

Created by: Level

Type: Script

Category: Security

Platforms: Windows, Apple iOS, Linux

Problem Overview

Whether a Linux device is compromised, lost, or subject to strict compliance standards, instantly revoking user access is paramount. This script securely locks all local and SSH-enabled accounts, ensuring no one can log in or remain logged in, all without losing remote management capabilities through Level.

Description

This script finds all currently logged-in users and terminates their sessions, effectively booting them off the system. It then fully disables each account, including root, by locking their passwords and setting their expiration to an immediate end date. This dual action eliminates the chance for re-logins or ongoing unauthorized use, granting you peace of mind that the system remains inaccessible except through Level’s remote management.

Script

#!/bin/bash

# This resource is provided as a convenience for Level users. We cannot
# guarantee it will work in all environments. Please test before deploying
# to your production environment. We welcome contributions to our community
# library

# Level Library
# https://level.io/library/script-linux-lock-device

# Initialize script-scoped error flag
script_errors=false

# Lock the password and expire the account; report failure if either step fails.
lock_account() {
    local rc=0
    passwd -l "$1" &> /dev/null || rc=1
    usermod -L -e 1 "$1" &> /dev/null || rc=1
    return "$rc"
}

echo "Killing all user sessions..."
for user in $(who | awk '{print $1}' | sort -u); do
    if [[ "$user" == "root" ]]; then
        # pkill -u root would match every root-owned process, including this
        # script and the management agent, so end root logins per terminal.
        for tty in $(who | awk '$1 == "root" {print $2}'); do
            if ! pkill -KILL -t "$tty"; then
                echo "ALERT: Failed to kill root session on $tty."
                script_errors=true
            fi
        done
        continue
    fi
    if ! pkill -KILL -u "$user"; then
        echo "ALERT: Failed to kill session for user $user."
        script_errors=true
    fi
done

echo "Fully locking all user accounts (SSH & local access)..."
# Regular accounts: UID 1000 up to, but not including, 65534 (nobody)
for user in $(awk -F: '{if ($3 >= 1000 && $3 < 65534) print $1}' /etc/passwd); do
    if ! lock_account "$user"; then
        echo "ALERT: Failed to lock user account $user."
        script_errors=true
    fi
done

echo "Locking root account..."
if ! lock_account root; then
    echo "ALERT: Failed to lock root account."
    script_errors=true
fi

if [[ "$script_errors" == true ]]; then
    echo "ALERT: Errors occurred during execution. Exiting with code 1."
    exit 1
fi

echo "All users have been kicked off and all accounts are completely locked."


Use Cases

  • Emergency lockdown after detecting suspicious activity
  • Enhancing security for misplaced or stolen Linux devices
  • Temporary lockout during sensitive maintenance tasks
  • Restricting access for audits or compliance inspections

Recommendations

  • Thoroughly test this script on non-production systems before wider deployment
  • Configure a script-based monitor in Level to run this script on-demand in response to security alerts
  • Or, create an Automation in Level with a schedule trigger if you need routine lockdowns
  • Validate after locking to ensure all necessary user sessions are terminated and accounts are disabled
  • Pair with an unlock solution to easily restore access when the risk subsides
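
One way to carry out the validation step recommended above, as an added example that is not part of Level's script. It assumes the standard shadow(5) field layout; the function names find_unlocked, active_sessions and demo, and the sample accounts, are constructed for illustration.

```shell
#!/bin/bash
# Added example (not Level's code): check that the lock actually took effect.
# Assumes shadow(5) layout: field 2 = password hash, field 8 = expiry day.

# Print "<user> <reason>" for root and each UID 1000-65533 account still usable.
find_unlocked() {
    passwd_file=${1:-/etc/passwd}
    shadow_file=${2:-/etc/shadow}
    today=$(( $(date +%s) / 86400 ))   # days since 1970-01-01, as shadow stores dates
    awk -F: -v today="$today" '
        NR == FNR {   # first file (passwd): same account selection as the lock script
            if ($1 == "root" || ($3 >= 1000 && $3 < 65534)) target[$1] = 1
            next
        }
        ($1 in target) {   # second file (shadow)
            seen[$1] = 1
            # passwd -l / usermod -L prefix the hash with "!"
            if ($2 !~ /^!/) print $1, "password-not-locked"
            # usermod -e 1 writes 1 here; empty or a future day means not expired
            if ($8 == "" || $8 + 0 > today) print $1, "account-not-expired"
        }
        END { for (u in target) if (!(u in seen)) print u, "no-shadow-entry" }
    ' "$passwd_file" "$shadow_file"
}

# Users who still hold a login session (empty output means everyone was kicked).
active_sessions() { who | awk '{print $1}' | sort -u; }

# Constructed sample data: alice fully locked, bob only password-locked, carol untouched.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
    cat > "$dir/shadow" <<'EOF'
root:!$6$constructed$hash:19800:0:99999:7::1:
alice:!$6$constructed$hash:19800:0:99999:7::1:
bob:!$6$constructed$hash:19800:0:99999:7:::
carol:$6$constructed$hash:19800:0:99999:7:::
EOF
    find_unlocked "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run as root, find_unlocked with no arguments reads the live /etc/passwd and /etc/shadow; any output line names an account that needs attention.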

FAQ

  • Will this remove the device from Level management?
    No. Remote management through Level remains intact so you can still execute commands and manage the device.
  • How can I regain access after locking the accounts?
    You’ll need to run a corresponding unlock script (or manual commands) to re-enable the accounts, including root.
  • What if an account doesn’t appear to lock properly?
    The script will indicate any account lock failures. Check logs for errors, confirm the user exists, and verify there are no conflicting system policies.
  • Does this prevent scheduled tasks or cron jobs from running?
    Existing scheduled tasks should still execute as long as they don’t require interactive logins. However, any user sessions tied to those tasks would be forcibly ended.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name: Linux - Lock Device

Description: This script forcefully logs out all active local users and locks all local user accounts, including root, on a Linux system. It is designed to restrict access by disabling user logins, making it useful for security enforcement or system lockdowns. Caution should be taken, as it also locks the root account, which may prevent administrative access unless alternative authentication methods (e.g., SSH keys) are available.

Language: Bash

Timeout (In Seconds): 100

Run As: Local system
