--> Keep your software up to date
Check if your software is up to date:
$sudo apt-get update
(This command updates your package source list. After this, the system knows which software is available and what the most recent versions are.)
$sudo apt-get upgrade
(This command actually goes ahead and updates the installed software to the latest versions)
$sudo apt-get autoremove
(Removes software that is no longer needed)
$sudo apt-get install finger
(Installs a program called finger.)
(Run with no arguments, finger lists all the users that are currently logged in)
(Run with a username as its argument, it gives more info about the user called username)
Finger gets most of its info from a file called ‘/etc/passwd’. This file is used to store user information.
$cat /etc/passwd |grep vagrant
vagrant:x:1000:1000:Vagrant user decscripton:/home/vagrant:/bin/bash
(Here I am getting info for a user called vagrant)
Each field in the output is separated by a ‘:’
vagrant --> username
x --> password field (not used anymore; the ‘x’ means the password hash is kept in /etc/shadow)
1000 --> user id (0 for root)
1000 --> group id (0 for root)
Vagrant user decscripton --> user description
/home/vagrant --> home directory
/bin/bash --> shell
One should never be able to ssh to a server as root.
You can create a user
$sudo adduser username
Give the new user sudo access. You can add the new user to ‘/etc/sudoers’, but on Ubuntu that file can be overwritten on an update, so instead of adding the user there directly you can add the user in the ‘/etc/sudoers.d’ directory.
You can add your new user here. Here is a link for more info on sudoers
You can expire this user's password so that they are forced to create a new, secure one now that they have been added to the sudoers list.
$sudo passwd -e username
BUT THIS IS BAD!!!!
You should always use public/private key authentication (RSA).
Generate an RSA key pair and always USE A PASSPHRASE!!
Disable ssh password authentication.
$sudo nano /etc/ssh/sshd_config
In this file, search for ‘PasswordAuthentication yes’ and change it to ‘PasswordAuthentication no’. Restart the ssh service.
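The check below is an added example, not part of the original notes: it reads an sshd_config-style file and reports the value sshd will actually use for a keyword, because sshd takes the first value it finds and ignores commented-out lines. The function names, the sample file contents and the PermitRootLogin line (a real OpenSSH keyword that these notes do not name) are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Added example: which value will sshd actually use for a keyword?
# sshd takes the FIRST value it finds; commented lines do not count.

# effective_sshd_option FILE KEYWORD -> prints the global value or "unset"
effective_sshd_option() {
    awk -v key="$2" '
        BEGIN { FS = "[ \t=]+"; key = tolower(key); val = "unset" }
        { sub(/^[ \t]+/, "") }                          # drop indentation
        /^#/ || /^$/ { next }                           # skip comments and blank lines
        tolower($1) == "match" { exit }                 # lines after Match are conditional
        tolower($1) == key { val = tolower($2); exit }  # first value wins
        END { print val }
    ' "$1"
}

# password_login_disabled FILE -> exit status 0 only when the effective
# value is "no". "unset" fails as well, because the OpenSSH default for
# PasswordAuthentication is "yes".
password_login_disabled() {
    [ "$(effective_sshd_option "$1" PasswordAuthentication)" = "no" ]
}

# Constructed sample: "no" was appended at the end of the file, but an
# earlier "yes" is still present, so the edit has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Constructed sshd_config fragment for this example
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
EOF

echo "PasswordAuthentication = $(effective_sshd_option "$sample" PasswordAuthentication)"
echo "PermitRootLogin        = $(effective_sshd_option "$sample" PermitRootLogin)"
if password_login_disabled "$sample"; then
    echo "OK: password logins are disabled"
else
    echo "WEAK: password logins are still accepted"
fi
rm -f "$sample"
```

On a live server, 'sudo sshd -T' prints the effective configuration, including any files pulled in with Include, which this simple parser does not follow.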
We use chmod to change file permissions. But what exactly are file permissions?
$ ls -al
-rw-r--r-- 1 vagrant vagrant 3637 Apr 9 2014 .bashrc
We are interested in ‘rw-r--r--’ (the first ‘-’ represents whether it is a directory or a file)
These are basically divided into three groups
Owner : ‘rw-’
Group : ‘r--’
Others : ‘r--’
This basically tells us which user or group of users is allowed to do what with the particular file.
r: read permission
w: write permission
- : not permitted
x : allowed to execute this file
r --> 4
w --> 2
x --> 1
So to represent ‘rw-r--r--’ in octal form we just add the values within each group: ‘rw-’ is 4+2 = 6 and each ‘r--’ is 4, which gives 644
$chmod 644 filename
This sets the permissions of filename to ‘rw-r--r--’
Ubuntu comes with a firewall called ‘ufw’. You can check the status using
$sudo ufw status
Good rule of thumb is to start with denying all incoming traffic.
$ sudo ufw default deny incoming
Also we should allow all outgoing traffic
$sudo ufw default allow outgoing
Now open only the ports you need to use
$sudo ufw allow ssh
(This will open port 22 to allow us to ssh to the server)
$sudo ufw allow www
(Open port 80 for http traffic)