It's exciting to see so many people interested in using Linux more and more. I am often asked about setting up a "small server" for web, mail, etc... However, what seems to come up more and more are basic security concerns. Recently on this list and others this topic is coming up more frequently. The number of times someone has asked me for help and sent me an IP, root username and password in clear text mail dumbfounds me. So I decided to write a very basic security guide that will work with pretty much any Linux distro out there. This is all about remote shell access over ssh. Once any other port is open, you always open yourself to another angle of attack. Also, there are more ways to do this; this is the one I like.

Last note... proceed at your own risk. Disclaimer disclaimer disclaimer.... Know what you are doing before putting any of this into place. I purposely try to stay vague enough to make sure you do some research before blindly following a posted howto. All that said, I hope someone finds this useful. :)

Passwords over the Internet are bad! Use keypairs whenever you can.

I am a big advocate of eliminating passwords for remote authentication altogether. Use ssh key pairs. There are already a number of guides on how to set up ssh key pairs, so google what you don't understand below.

- create your user's key pair on your workstation:
    ssh-keygen -t dsa -b 1024
- copy the public key securely to your destination server and put it in ~/.ssh/authorized_keys2
- don't forget to set the correct permissions (number one reason why this does not work):
    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys2
- test to make sure it is working. You should be able to ssh from your workstation to the destination server as your user without a password.

Once set up and tested, remove the possibility of logging in with a password over ssh.

- in sshd_config set:
    PasswordAuthentication no
- restart ssh

I hope you tested your passwordless access before you restarted ssh.

Direct root logins are bad! Use sudo or su.

First make sure you have a normal non-root user on your system. That should have been the user you used to create your keypair with and now have ssh access to your server with. If you did all this with your root user, create a new user and start over. Make sure that user can su to root or use sudo.

Eliminate the possibility of sshing into your box as root.

- in sshd_config set:
    PermitRootLogin no
- restart ssh

Limit who can use sudo or su to root. If you are using any flavor of Ubuntu, the sudo setup is already done for you and you should already be used to using sudo, so you are already halfway there. Look at /etc/sudoers and make any required changes. If you prefer su, look at using wheel (http://lmgtfy.com/?q=pam+wheel)

Finally, now that you know what user you will always be using to login to your server, make sure ONLY that user can ever login. This is a little more drastic and can have some evil side effects, but I will get into that in a sec.

So PAM access.conf. What a wonderful invention. It's a shame it's not set up by default. Anyways, here is the basic way to set up and start using access.conf.

Find your pam.d config directory, normally in /etc/, and look for your sshd pam config file. On Ubuntu, you will find it here:
    /etc/pam.d/sshd
Edit it and enable pam_access (in Ubuntu, you simply need to uncomment the following line; in other distros, you need to add it in manually):
    account required pam_access.so
Do the same in pam.d/login.

Now edit your access.conf. In Ubuntu, you will find it here:
    /etc/security/access.conf
The most basic setup will look something like this:
    -:root:ALL EXCEPT LOCAL
    +:jimmy:ALL
    -:ALL:ALL

With this in your access.conf, root can only login from a local console, the jimmy user can login from anywhere, and everyone else is not allowed to login at all. In combination with key pair shell access and blocked ssh access for root, you can sleep more soundly knowing that the only way into your server remotely is from your workstation using your user's key. If your workstation is not secure, well, then you have other issues.

With a setup like this, if you need someone's help remotely, create them a user, ask for their public key, drop it into their user's authorized keys file and add their name to the access.conf file. Yes, it's a little more setup, but afterwards you don't have to worry about them keeping access; as soon as you remove their user you are safe. Even if they copy your public key or try to set up a backdoor user, if they are not in the access.conf file, they are not shelling in. (Make sure they did not put their public key in your authorized_keys file) :)

Hope this can be useful!
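An added audit script, not part of Jimmy's post, that checks whether the settings above are actually in effect: the first (effective) value of PasswordAuthentication and PermitRootLogin in sshd_config, an uncommented pam_access.so line in the PAM sshd file, and 700/600 permissions on ~/.ssh and the authorized_keys files. The three paths are passed as arguments so it can be run against copies; it assumes plain sshd_config syntax and simply skips anything under a Match block.

```shell
#!/bin/sh
# Audit helper added to this post (not Jimmy's code). Read-only: nothing is modified.

# Effective value of an sshd_config keyword. sshd honours the FIRST occurrence
# of a keyword (case-insensitive), so a "PasswordAuthentication no" placed below
# an earlier "yes" does nothing. Simplification: lines under "Match" are skipped.
sshd_opt() {  # usage: sshd_opt <sshd_config> <Keyword>   (prints the value, lowercased)
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match"     { inmatch = 1; next }
        inmatch                    { next }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# pam_access is active when an uncommented "account ... pam_access.so" line exists.
pam_access_enabled() {  # usage: pam_access_enabled <pam.d/sshd>
    grep -Eq '^[[:space:]]*account[[:space:]]+[^#]*pam_access\.so' "$1"
}

# Group and other must have no permission bits at all (0700 dir / 0600 key file).
# Characters 5-10 of the ls -l mode string are exactly the group/other bits.
no_group_other_perms() {  # usage: no_group_other_perms <path>
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# usage: audit_ssh <sshd_config> <pam.d/sshd> <.ssh directory>
# Prints one FAIL line per problem and returns the number of failures (0 = all good).
audit_ssh() {
    fails=0
    [ "$(sshd_opt "$1" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no' in $1"; fails=$((fails + 1)); }
    [ "$(sshd_opt "$1" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no' in $1"; fails=$((fails + 1)); }
    pam_access_enabled "$2" ||
        { echo "FAIL: pam_access.so is not enabled in $2"; fails=$((fails + 1)); }
    for p in "$3" "$3/authorized_keys" "$3/authorized_keys2"; do
        [ -e "$p" ] && ! no_group_other_perms "$p" &&
            { echo "FAIL: $p is accessible by group/other (want 700 dir, 600 files)"; fails=$((fails + 1)); }
    done
    [ "$fails" -eq 0 ] && echo "OK: all checks passed"
    return "$fails"
}

# Example invocation against the live files on an Ubuntu box:
#   audit_ssh /etc/ssh/sshd_config /etc/pam.d/sshd "$HOME/.ssh"
```

Run it again after every edit and restart of sshd; a FAIL on PasswordAuthentication usually means an earlier line in the file already set it and your change was appended below it.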
Jimmy
_______________________________________________
mlug mailing list
[email protected]
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
