mirror of
https://github.com/ovh/debian-cis.git
synced 2024-11-22 21:47:02 +01:00
13.1_remove_empty_password_field.sh 13.2_remove_legacy_passwd_entries.sh 13.3_remove_legacy_shadow_entries.sh 13.4_remove_legacy_group_entries.sh 13.5_find_0_uid_non_root_account.sh 13.6_sanitize_root_path.sh
This commit is contained in:
parent
dbc24bb8d7
commit
b24a415dce
@ -6,7 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 10.1.3 Set Password Expiring Warning Days (Scored)
|
# 10.3 Set Default Group for root Account (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
|
@ -6,7 +6,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# 10.4 Set Default umask for Users (Scored)
|
# 10.5 Lock Inactive User Accounts (Scored)
|
||||||
#
|
#
|
||||||
|
|
||||||
set -e # One error, it's over
|
set -e # One error, it's over
|
||||||
|
@ -17,7 +17,7 @@ FILE='/etc/shadow'
|
|||||||
# This function will be called if the script status is on enabled / audit mode
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
audit () {
|
audit () {
|
||||||
info "Checking if accounts have empty passwords"
|
info "Checking if accounts have empty passwords"
|
||||||
RESULT=$(/bin/cat $FILE | /usr/bin/awk -F: '($2 == "" ) { print $1 }')
|
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
|
||||||
if [ ! -z "$RESULT" ]; then
|
if [ ! -z "$RESULT" ]; then
|
||||||
crit "Some accounts have empty passwords"
|
crit "Some accounts have empty passwords"
|
||||||
crit $RESULT
|
crit $RESULT
|
||||||
@ -28,7 +28,7 @@ audit () {
|
|||||||
|
|
||||||
# This function will be called if the script status is on enabled mode
|
# This function will be called if the script status is on enabled mode
|
||||||
apply () {
|
apply () {
|
||||||
RESULT=$(/bin/cat $FILE | /usr/bin/awk -F: '($2 == "" ) { print $1 }')
|
RESULT=$(cat $FILE | awk -F: '($2 == "" ) { print $1 }')
|
||||||
if [ ! -z "$RESULT" ]; then
|
if [ ! -z "$RESULT" ]; then
|
||||||
warn "Some accounts have empty passwords"
|
warn "Some accounts have empty passwords"
|
||||||
for ACCOUNT in $RESULT; do
|
for ACCOUNT in $RESULT; do
|
61
bin/hardening/13.2_remove_legacy_passwd_entries.sh
Executable file
61
bin/hardening/13.2_remove_legacy_passwd_entries.sh
Executable file
@ -0,0 +1,61 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 13.2 Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
FILE='/etc/passwd'
|
||||||
|
RESULT=''
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Checking if accounts have empty passwords"
|
||||||
|
if grep '^+:' $FILE -q; then
|
||||||
|
RESULT=$(grep '^+:' $FILE)
|
||||||
|
crit "Some accounts have legacy password entry"
|
||||||
|
crit $RESULT
|
||||||
|
else
|
||||||
|
ok "All accounts have a valid password entry format"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if grep '^+:' $FILE -q; then
|
||||||
|
RESULT=$(grep '^+:' $FILE)
|
||||||
|
warn "Some accounts have legacy password entry"
|
||||||
|
for LINE in $RESULT; do
|
||||||
|
info "Removing $LINE from $FILE"
|
||||||
|
delete_line_in_file $FILE $LINE
|
||||||
|
done
|
||||||
|
else
|
||||||
|
ok "All accounts have a valid password entry format"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
61
bin/hardening/13.3_remove_legacy_shadow_entries.sh
Executable file
61
bin/hardening/13.3_remove_legacy_shadow_entries.sh
Executable file
@ -0,0 +1,61 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 13.3 Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
FILE='/etc/shadow'
|
||||||
|
RESULT=''
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Checking if accounts have empty passwords"
|
||||||
|
if grep '^+:' $FILE -q; then
|
||||||
|
RESULT=$(grep '^+:' $FILE)
|
||||||
|
crit "Some accounts have legacy password entry"
|
||||||
|
crit $RESULT
|
||||||
|
else
|
||||||
|
ok "All accounts have a valid password entry format"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if grep '^+:' $FILE -q; then
|
||||||
|
RESULT=$(grep '^+:' $FILE)
|
||||||
|
warn "Some accounts have legacy password entry"
|
||||||
|
for LINE in $RESULT; do
|
||||||
|
info "Removing $LINE from $FILE"
|
||||||
|
delete_line_in_file $FILE $LINE
|
||||||
|
done
|
||||||
|
else
|
||||||
|
ok "All accounts have a valid password entry format"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
61
bin/hardening/13.4_remove_legacy_group_entries.sh
Executable file
61
bin/hardening/13.4_remove_legacy_group_entries.sh
Executable file
@ -0,0 +1,61 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 13.4 Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
FILE='/etc/group'
|
||||||
|
RESULT=''
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Checking if accounts have empty passwords"
|
||||||
|
if grep '^+:' $FILE -q; then
|
||||||
|
RESULT=$(grep '^+:' $FILE)
|
||||||
|
crit "Some accounts have legacy password entry"
|
||||||
|
crit $RESULT
|
||||||
|
else
|
||||||
|
ok "All accounts have a valid password entry format"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
if grep '^+:' $FILE -q; then
|
||||||
|
RESULT=$(grep '^+:' $FILE)
|
||||||
|
warn "Some accounts have legacy password entry"
|
||||||
|
for LINE in $RESULT; do
|
||||||
|
info "Removing $LINE from $FILE"
|
||||||
|
delete_line_in_file $FILE $LINE
|
||||||
|
done
|
||||||
|
else
|
||||||
|
ok "All accounts have a valid password entry format"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
65
bin/hardening/13.5_find_0_uid_non_root_account.sh
Executable file
65
bin/hardening/13.5_find_0_uid_non_root_account.sh
Executable file
@ -0,0 +1,65 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 13.5 Verify No UID 0 Accounts Exist Other Than root (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
FILE='/etc/passwd'
|
||||||
|
RESULT=''
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
info "Checking if accounts have uid 0"
|
||||||
|
RESULT=$(cat $FILE | awk -F: '($3 == 0 && $1!="root" ) { print $1 }')
|
||||||
|
for ACCOUNT in $RESULT; do
|
||||||
|
debug "Account : $ACCOUNT"
|
||||||
|
debug "Exceptions : $EXCEPTIONS"
|
||||||
|
debug "echo \"$EXCEPTIONS\" | grep -q $ACCOUNT"
|
||||||
|
if echo "$EXCEPTIONS" | grep -q $ACCOUNT; then
|
||||||
|
debug "$ACCOUNT is confirmed as an exception"
|
||||||
|
RESULT=$(sed "s!$ACCOUNT!!" <<< "$RESULT")
|
||||||
|
else
|
||||||
|
debug "$ACCOUNT not found in exceptions"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ! -z "$RESULT" ]; then
|
||||||
|
crit "Some accounts have uid 0"
|
||||||
|
crit $RESULT
|
||||||
|
else
|
||||||
|
ok "No account with suid 0 apart root"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
info "Removing accounts with uid 0 may seriously harm your system, report only here"
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
if [ -z "$EXCEPTIONS" ]; then
|
||||||
|
EXCEPTIONS="@"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
84
bin/hardening/13.6_sanitize_root_path.sh
Executable file
84
bin/hardening/13.6_sanitize_root_path.sh
Executable file
@ -0,0 +1,84 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# 13.6 Ensure root PATH Integrity (Scored)
|
||||||
|
#
|
||||||
|
|
||||||
|
set -e # One error, it's over
|
||||||
|
set -u # One variable unset, it's over
|
||||||
|
|
||||||
|
ERRORS=0
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled / audit mode
|
||||||
|
audit () {
|
||||||
|
if [ "`echo $PATH | grep :: `" != "" ]; then
|
||||||
|
crit "Empty Directory in PATH (::)"
|
||||||
|
ERRORS=$((ERRORS+1))
|
||||||
|
fi
|
||||||
|
if [ "`echo $PATH | grep :$`" != "" ]; then
|
||||||
|
crit "Trailing : in PATH $PATH"
|
||||||
|
ERRORS=$((ERRORS+1))
|
||||||
|
fi
|
||||||
|
FORMATTED_PATH=$(echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g')
|
||||||
|
set -- $FORMATTED_PATH
|
||||||
|
while [ "${1:-}" != "" ]; do
|
||||||
|
if [ "$1" = "." ]; then
|
||||||
|
crit "PATH contains ."
|
||||||
|
ERRORS=$((ERRORS+1))
|
||||||
|
else
|
||||||
|
if [ -d $1 ]; then
|
||||||
|
dirperm=$(ls -ldH $1 | cut -f1 -d" ")
|
||||||
|
if [ $(echo $dirperm | cut -c6 ) != "-" ]; then
|
||||||
|
crit "Group Write permission set on directory $1"
|
||||||
|
ERRORS=$((ERRORS+1))
|
||||||
|
fi
|
||||||
|
if [ $(echo $dirperm | cut -c9 ) != "-" ]; then
|
||||||
|
crit "Other Write permission set on directory $1"
|
||||||
|
ERRORS=$((ERRORS+1))
|
||||||
|
fi
|
||||||
|
dirown=$(ls -ldH $1 | awk '{print $3}')
|
||||||
|
if [ "$dirown" != "root" ] ; then
|
||||||
|
crit "$1 is not owned by root"
|
||||||
|
ERRORS=$((ERRORS+1))
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
crit "$1 is not a directory"
|
||||||
|
ERRORS=$((ERRORS+1))
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ $ERRORS = 0 ]; then
|
||||||
|
ok "root PATH is secure"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will be called if the script status is on enabled mode
|
||||||
|
apply () {
|
||||||
|
info "Editing items from PATH may seriously harm your system, report only here"
|
||||||
|
}
|
||||||
|
|
||||||
|
# This function will check config parameters required
|
||||||
|
check_config() {
|
||||||
|
:
|
||||||
|
}
|
||||||
|
|
||||||
|
# Source Root Dir Parameter
|
||||||
|
if [ ! -r /etc/default/cis-hardenning ]; then
|
||||||
|
echo "There is no /etc/default/cis-hardenning file, cannot source CIS_ROOT_DIR variable, aborting"
|
||||||
|
exit 128
|
||||||
|
else
|
||||||
|
. /etc/default/cis-hardenning
|
||||||
|
if [ -z $CIS_ROOT_DIR ]; then
|
||||||
|
echo "No CIS_ROOT_DIR variable, aborting"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Main function, will call the proper functions given the configuration (audit, enabled, disabled)
|
||||||
|
[ -r $CIS_ROOT_DIR/lib/main.sh ] && . $CIS_ROOT_DIR/lib/main.sh
|
16
bin/hardenning.sh
Normal file
16
bin/hardenning.sh
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# CIs Deb
|
||||||
|
#
|
||||||
|
# CIS Debian 7 Hardening
|
||||||
|
# Authors : Thibault Dewailly, OVH <thibault.dewailly@corp.ovh.com>
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Main script : Execute hardening considering configuration
|
||||||
|
#
|
||||||
|
|
||||||
|
# Execute blindly binaries
|
||||||
|
# Audit mode
|
||||||
|
|
||||||
|
# ls | sort -n
|
2
etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
Normal file
2
etc/conf.d/13.2_remove_legacy_passwd_entries.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
2
etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
Normal file
2
etc/conf.d/13.3_remove_legacy_shadow_entries.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
2
etc/conf.d/13.4_remove_legacy_group_entries.cfg
Normal file
2
etc/conf.d/13.4_remove_legacy_group_entries.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
4
etc/conf.d/13.5_find_0_uid_non_root_account.cfg
Normal file
4
etc/conf.d/13.5_find_0_uid_non_root_account.cfg
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
||||||
|
# Put here valid accounts with uid 0 separated by spaces
|
||||||
|
EXCEPTIONS=""
|
2
etc/conf.d/13.6_sanitize_root_path.cfg
Normal file
2
etc/conf.d/13.6_sanitize_root_path.cfg
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
# Configuration for script of same name
|
||||||
|
status=enabled
|
@ -125,7 +125,7 @@ add_line_file_before_pattern() {
|
|||||||
|
|
||||||
backup_file "$FILE"
|
backup_file "$FILE"
|
||||||
debug "Inserting $LINE before $PATTERN in $FILE"
|
debug "Inserting $LINE before $PATTERN in $FILE"
|
||||||
PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
|
PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN)
|
||||||
debug "sed -i '/$PATTERN/i $LINE' $FILE"
|
debug "sed -i '/$PATTERN/i $LINE' $FILE"
|
||||||
sed -i "/$PATTERN/i $LINE" $FILE
|
sed -i "/$PATTERN/i $LINE" $FILE
|
||||||
FNRET=0
|
FNRET=0
|
||||||
@ -138,7 +138,7 @@ replace_in_file() {
|
|||||||
|
|
||||||
backup_file "$FILE"
|
backup_file "$FILE"
|
||||||
debug "Replacing $SOURCE to $DESTINATION in $FILE"
|
debug "Replacing $SOURCE to $DESTINATION in $FILE"
|
||||||
SOURCE=$(sed 's@/@\/@g' <<< $SOURCE)
|
SOURCE=$(sed 's@/@\\\/@g' <<< $PATTERN)
|
||||||
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
|
debug "sed -i 's/$SOURCE/$DESTINATION/g' $FILE"
|
||||||
sed -i "s/$SOURCE/$DESTINATION/g" $FILE
|
sed -i "s/$SOURCE/$DESTINATION/g" $FILE
|
||||||
FNRET=0
|
FNRET=0
|
||||||
@ -150,7 +150,7 @@ delete_line_in_file() {
|
|||||||
|
|
||||||
backup_file "$FILE"
|
backup_file "$FILE"
|
||||||
debug "Deleting lines from $FILE containing $PATTERN"
|
debug "Deleting lines from $FILE containing $PATTERN"
|
||||||
PATTERN=$(sed 's@/@\/@g' <<< $PATTERN)
|
PATTERN=$(sed 's@/@\\\/@g' <<< $PATTERN)
|
||||||
debug "sed -i '/$PATTERN/d' $FILE"
|
debug "sed -i '/$PATTERN/d' $FILE"
|
||||||
sed -i "/$PATTERN/d" $FILE
|
sed -i "/$PATTERN/d" $FILE
|
||||||
FNRET=0
|
FNRET=0
|
||||||
|
Loading…
Reference in New Issue
Block a user