The first thing you should take stock of is the set of users with unlocked accounts. Users with unlocked accounts are allowed to log in if assigned a valid shell, and should be kept to a minimum.
To get a list of unlocked users, execute the following:
# egrep -v '.*:\*|:!' /etc/shadow | awk -F: '{print $1}'
If you do not recognize a user returned by the above command, check whether that user owns any files by executing the following, replacing <username> with the account name:
# find / -path /proc -prune -o -user <username> -ls
If the user does not own any files, or owns only files that will not hinder the stability of your server, delete the user by executing:
# rmuser <username>
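
The opening paragraph ties risk to two conditions: the account is unlocked and it has a valid shell. The script below is an added example, not part of the original page, that checks both by joining shadow-format and passwd-format data. The function names, the sample accounts, and the treatment of nologin and false as non-login shells are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page). All file contents are constructed.

# unlocked_logins SHADOW PASSWD: print "user shell state" for unlocked login accounts.
unlocked_logins() {
    awk -F: '
        # First file (shadow format): remember each password field.
        FILENAME == ARGV[1] { pw[$1] = $2; next }
        # Second file (passwd format): field 7 is the login shell.
        ($1 in pw) {
            if (pw[$1] ~ /^[*!]/) next             # locked: field starts with * or !
            if ($7 ~ /\/(nologin|false)$/) next    # assumed non-login shells
            state = (pw[$1] == "") ? "EMPTY-PASSWORD" : "password-set"
            print $1, $7, state
        }
    ' "$1" "$2"
}

# make_sample DIR: write constructed shadow and passwd files into DIR.
make_sample() {
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructed$hash:19000:0:99999:7:::
bob:!$6$constructed$hash:19000:0:99999:7:::
svc:$6$constructed$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc:x:998:998::/var/lib/svc:/usr/sbin/nologin
guest:x:1002:1002::/home/guest:/bin/sh
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
unlocked_logins "$tmp/shadow" "$tmp/passwd"
rm -rf "$tmp"
```

On a real host, run unlocked_logins /etc/shadow /etc/passwd as root. Any EMPTY-PASSWORD line is an account that can log in with no password and should be reviewed first.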