Basic Linux security

Packages:

--> Keep your software up to date

Check if your software is up to date:

$ sudo apt-get update

(This command updates your package source list. After this, the system knows which software is available and what the most recent versions are.)

$ sudo apt-get upgrade

(This command actually goes ahead and updates the software to the latest versions.)

$ sudo apt-get autoremove

(Removes software that is not needed.)

$ sudo apt-get install finger

(Installs a software package called finger.)

Finger:

Install finger

$ finger

(Lists all the users that are currently logged in)

$ finger username

(Gives more info about the user called username)

Finger gets most of the info from a file called ‘/etc/passwd’. This file is used to store user information.

$ cat /etc/passwd | grep vagrant

vagrant:x:1000:1000:Vagrant user decscripton:/home/vagrant:/bin/bash

(Here I am getting info for a user called vagrant)

Each field in the output is separated by a ‘:’

vagrant --> username

x --> encrypted password of the user (Not used anymore)

1000 --> User id (0 for root)

1000 --> group id (0 for root)

Vagrant user decscripton --> User description

/home/vagrant --> home directory

/bin/bash --> shell

One should never be able to ssh to a server as root.

You can create a user

$ sudo adduser username

Give the new user sudo access. You can add the new user to the ‘/etc/sudoers’ file. But on Ubuntu, instead of adding the user directly to this file, which can be overwritten on an update, you can also add the user in the ‘/etc/sudoers.d’ directory.

You can add your new user here. Here is a link for more info on sudoers:

https://help.ubuntu.com/community/Sudoers

You can expire the password of this user so that he is forced to create a new secure one now that he has been added to the sudoers list.

$ sudo passwd -e username

BUT THIS IS BAD!!!!

You should always use public/private key authentication (RSA).

Generate an RSA key pair and always USE A PASSPHRASE!!

Disable SSH password authentication.

$ sudo nano /etc/ssh/sshd_config

In this file, search for ‘PasswordAuthentication yes’ and change it to ‘PasswordAuthentication no’. Restart the ssh service.
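
The check below is an added example, not part of the original post: it reads an sshd_config and reports whether password logins and root logins are really disabled, following sshd's rule that the first value read for a keyword wins. The function names, the sample file contents, and the use of PermitRootLogin (the sshd_config keyword that controls root logins, which the post does not name) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit the global section of an
# sshd_config for the two rules above. File contents below are constructed.

# effective_value KEYWORD DEFAULT FILE
# sshd keywords are case-insensitive, '#' lines are ignored, and the first
# value read for a keyword is the one sshd uses.
effective_value() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ { next }                        # commented out: no effect
        tolower($1) == "match" { exit }            # stop at conditional blocks
        tolower($1) == key { val = tolower($2); exit }   # first value wins
        END { print val }
    ' "$3"
}

# audit_sshd FILE: print one line per keyword, return 1 if any is weak.
audit_sshd() {
    rc=0
    # Default "yes": a missing or commented line still allows passwords.
    pw=$(effective_value PasswordAuthentication yes "$1")
    # Assumed default for current OpenSSH; still lets root in with a key.
    root=$(effective_value PermitRootLogin prohibit-password "$1")
    [ "$pw" = "no" ] && echo "OK   PasswordAuthentication $pw" \
        || { echo "WEAK PasswordAuthentication $pw"; rc=1; }
    [ "$root" = "no" ] && echo "OK   PermitRootLogin $root" \
        || { echo "WEAK PermitRootLogin $root"; rc=1; }
    return $rc
}

# Constructed sample: looks hardened at a glance, but the active "yes" line
# comes first, so the later "no" is ignored.
sample_config() {
    cat <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin no
passwordauthentication no
EOF
}

tmp=$(mktemp)
sample_config > "$tmp"
audit_sshd "$tmp" || true    # prints WEAK for PasswordAuthentication
rm -f "$tmp"
```

On a live server, `sudo sshd -T` prints the configuration sshd actually resolves, including Include files, which this sketch does not follow.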

File Permissions:

We use chmod to change file permissions. But what exactly are file permissions?

$ ls -al

-rw-r--r-- 1 vagrant vagrant 3637 Apr  9  2014 .bashrc

We are interested in ‘rw-r--r--’ (the first ‘-’ indicates whether it is a directory or a file).

These are basically divided into three groups:

Owner : ‘rw-’

Group : ‘r--’

Everyone: ‘r--’

This basically tells us which user or group of users is allowed to do what with the particular file.

r: read permission

w: write permission

- : not permitted

x : allowed to execute this file

Octal permissions:

r --> 4

w --> 2

x --> 1

So to represent ‘rw-r--r--’ in octal form we just add the values within each group:

644

6(rw-) 4(r--) 4(r--)

$ chmod 644 filename

This will set the permissions of filename to ‘rw-r--r--’.

Firewalls:

Ubuntu comes with a firewall called ‘ufw’. You can check the status using

$ sudo ufw status

A good rule of thumb is to start by denying all incoming traffic.

$ sudo ufw default deny incoming

Also, we should allow all outgoing traffic.

$ sudo ufw default allow outgoing

Now open only the ports you need to use:

$ sudo ufw allow ssh

(This will open port 22 to allow us to ssh to the server)

$ sudo ufw allow www

(Opens port 80 for http traffic)
