------------------------------------------------------------
revno: 3653
committer: Jim Campbell <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Thu 2008-01-24 22:13:34 -0600
message:
  more updates from the server team
modified:
  generic/server/C/security.xml
------------------------------------------------------------
revno: 3651.1.4
committer: Adam Sommer <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Wed 2008-01-23 23:47:56 -0500
message:
  Small formatting changes to earlier patch by Gilbert Mendoza.
modified:
  generic/server/C/security.xml
------------------------------------------------------------
revno: 3651.3.4
committer: Gilbert Mendoza <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Tue 2008-01-22 21:50:23 -0800
message:
  Command and output distinction, and minor sentence flow adjustments
modified:
  generic/server/C/security.xml
------------------------------------------------------------
revno: 3651.3.3
committer: Gilbert Mendoza <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Tue 2008-01-22 07:23:28 -0800
message:
  Syntax, grammar, and spelling modifications.
modified:
  generic/server/C/security.xml
=== modified file 'generic/server/C/security.xml' --- a/generic/server/C/security.xml 2008-01-21 05:00:30 +0000 +++ b/generic/server/C/security.xml 2008-01-23 05:50:23 +0000 @@ -39,8 +39,10 @@ <para> If for some reason you wish to enable the root account, simply give it a password: </para> -<screen><command>$ sudo passwd -[sudo] password for username: (enter your own password) +<screen><command>sudo passwd</command></screen> + <para>Sudo will prompt you for your password, and then ask you to supply a new password for root as shown below: + </para> + <screen><command>[sudo] password for username: (enter your own password) Enter new UNIX password: (enter a new password for root) Retype new UNIX password: (repeat new password for root) passwd: password updated successfully</command></screen> @@ -49,18 +51,17 @@ <para> To disable the root account, use the following passwd syntax: </para> -<screen><command>$ sudo passwd -l root -Password changed.</command></screen> +<screen><command>sudo passwd -l root</command></screen> </listitem> <listitem> <para> You should read more on <application>Sudo</application> by checking out it's man page: </para> -<screen><command>$ man sudo</command></screen> +<screen><command>man sudo</command></screen> </listitem> </itemizedlist> <para> - By default, the initial user created by the Ubuntu installer is a member of the group "admin" which is added to /etc/sudoers as an authorized sudo user. If you wish to give any other account full root access through sudo, simply add them to the admin group. + By default, the initial user created by the Ubuntu installer is a member of the group "admin" which is added to the file <filename>/etc/sudoers</filename> as an authorized sudo user. If you wish to give any other account full root access through <application>sudo</application>, simply add them to the admin group. </para> </sect2> 
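Review bot: In the @@ -39 hunk the interactive output block (from `[sudo] password for username:` through `passwd: password updated successfully`) is still wrapped in `<command>`, so it renders as something the reader should type. Now that the command has been split into its own `<screen><command>sudo passwd</command></screen>`, the output block should use `<computeroutput>` (or a bare `<screen>`) rather than `<command>`; the same applies to every command/output split in this patch (`ls -ld`, `chage -l`, `grub-md5-crypt`).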
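Review bot: Since the @@ -49 hunk already touches the Sudo list item, the context line `checking out it's man page` should be corrected to `its man page` in the same change.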
@@ -74,13 +75,13 @@ <para> To add a user account, use the following syntax, and follow the prompts to give the account a password and identifiable characteristics such as a full name, phone number, etc. </para> -<screen><command>$ sudo adduser username</command></screen> +<screen><command>sudo adduser username</command></screen> </listitem> <listitem> <para> To delete a user account and its primary group, use the following syntax: </para> -<screen><command>$ sudo deluser username</command></screen> +<screen><command>sudo deluser username</command></screen> <para> Deleting an account does not remove their respective home folder. It is up to you whether or not you wish to delete the folder manually or keep it according to your desired retention policies. </para> 
@@ -90,29 +91,29 @@ <para> You may want to change these UID/GID values to something more appropriate, such as the root account, and perhaps even relocate the folder to avoid future conflicts: </para> -<screen><command>$ sudo chown -R root:root /home/username/ -$ sudo mkdir /home/archived_users/ -$ sudo mv /home/username /home/archived_users/</command></screen> +<screen><command>sudo chown -R root:root /home/username/ +sudo mkdir /home/archived_users/ +sudo mv /home/username /home/archived_users/</command></screen> </listitem> <listitem> <para> To temporarily lock or unlock a user account, use the following syntax, respectively: </para> -<screen><command>$ sudo passwd -l username -$ sudo passwd -u username</command></screen> +<screen><command>sudo passwd -l username +sudo passwd -u username</command></screen> </listitem> <listitem> <para> To add or delete a personalized group, use the following syntax, respectively: </para> -<screen><command>$ sudo addgroup groupname -$ sudo delgroup groupname</command></screen> +<screen><command>sudo addgroup groupname +sudo delgroup groupname</command></screen> </listitem> <listitem> <para> To add a user to a group, use the following syntax: </para> -<screen><command>$ sudo usermod -a -G groupname username</command></screen> +<screen><command>sudo adduser username groupname</command></screen> </listitem> </itemizedlist> </sect2> 
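Review bot: The @@ -90 hunk silently replaces `sudo usermod -a -G groupname username` with `sudo adduser username groupname` without any change to the prose. The `adduser user group` form is Debian/Ubuntu specific, so either keep a one-line mention of `usermod -a -G` for readers coming from other distributions, or say why the simpler form is preferred (it cannot accidentally drop the user's other supplementary groups the way `usermod -G` without `-a` does).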
@@ -120,7 +121,7 @@ <sect2 id="user-profile-security" status="review"> <title>User Profile Security</title> <para> - When a new user is created, the adduser utility creates a brand new home directory named <emphasis>/home/username</emphasis>, respectively. The default profile is modeled after the contents found in <emphasis>/etc/skel</emphasis>, which includes all profile basics. + When a new user is created, the adduser utility creates a brand new home directory named <filename>/home/username</filename>, respectively. The default profile is modeled after the contents found in the directory of <filename>/etc/skel</filename>, which includes all profile basics. </para> <para> If your server will be home to multiple users, you should pay close attention to the user home directory permissions to ensure confidentiality. By default, user home directories in Ubuntu are created with world read/execute permissions. This means that all users can browse and access the contents of other users home directories. This may not be suitable for your environment. 
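Review bot: The rewritten sentence in the @@ -120 hunk still carries the dangling `, respectively` after `<filename>/home/username</filename>` and the odd phrase `in the directory of <filename>/etc/skel</filename>`; suggest `creates a new home directory named <filename>/home/username</filename>. The default profile is modeled after the contents of <filename>/etc/skel</filename>`. While here, `other users home directories` in the following context line needs an apostrophe (`users'`).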
@@ -130,14 +131,16 @@ <para> To verify your current users home directory permissions, use the following syntax: </para> -<screen><command>$ ls -ld /home/username -drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username</command></screen> +<screen><command>ls -ld /home/username</command></screen> + <para>The following output shows that the directory <filename>/home/username</filename> has world readable permissions: + </para> +<screen><command>drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username</command></screen> </listitem> <listitem> <para> - To properly correct the above permissions, remove world readable permissions from the users parent directory using the following syntax: + To can remove the world readable permissions using the following syntax: </para> -<screen><command>$ sudo chmod 0750 /home/username</command></screen> +<screen><command>sudo chmod 0750 /home/username</command></screen> <note> <para> Some people tend to use the recursive option (-R) indiscriminately which modifies all child folders and files, but this is not necessary, and may yield other undesirable results. The parent directory alone is sufficient for preventing unauthorized access to anything below the parent. @@ -150,10 +153,12 @@ </listitem> <listitem> <para> - After correcting the directory permissions using any of the previously mentioned techniques, verify the permissions using the following syntax: - </para> -<screen><command>$ ls -ld /home/username -drwxr-x--- 2 username username 4096 2007-10-02 20:03 username</command></screen> + After correcting the directory permissions using any of the previously mentioned techniques, verify the results using the following syntax: + </para> +<screen><command>ls -ld /home/username</command></screen> + <para>The results below show that world readable permissions have been removed: + </para> +<screen><command>drwxr-x--- 2 username username 4096 2007-10-02 20:03 username</command></screen> </listitem> </itemizedlist> </sect2> 
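Review bot: The replacement sentence in the @@ -130 hunk, `To can remove the world readable permissions using the following syntax:`, is ungrammatical and drops the original's statement of what is being changed; suggest `To remove world read/execute permissions from the user's home directory, use the following syntax:` (mode 0750 removes world execute as well as read, which is what the `drwxr-x---` result in the @@ -150 hunk shows).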
@@ -166,7 +171,7 @@ <sect3 id="minimum-password-length" status="review"> <title>Minimum Password Length</title> <para> - By default, Ubuntu requires a minimum password length of 4 characters, as well as some basic entropy checks. These values are controlled in the file /etc/pam.d/common-password, which is outlined below. + By default, Ubuntu requires a minimum password length of 4 characters, as well as some basic entropy checks. These values are controlled in the file <filename>/etc/pam.d/common-password</filename>, which is outlined below. </para> <screen><command>password required pam_unix.so nullok obscure min=4 max=8 md5</command></screen> <para> @@ -175,7 +180,7 @@ <screen><command>password required pam_unix.so nullok obscure min=6 max=8 md5</command></screen> <note> <para> - The max=8 variable does not represent the maximum length of a password. It only means that complexity requirements will not be checked on passwords over 8 characters. You may want to look at the <application>libpam-cracklib</application> package for additional password entropy assistance. + The <varname>max=8</varname> variable does not represent the maximum length of a password. It only means that complexity requirements will not be checked on passwords over 8 characters. You may want to look at the <application>libpam-cracklib</application> package for additional password entropy assistance. </para> </note> </sect3> @@ -189,8 +194,10 @@ <para> To easily view the current status of a user account, use the following syntax: </para> -<screen><command>$ sudo chage -l username -Last password change : Jan 20, 2008 +<screen><command>sudo chage -l username</command></screen> + <para>The output below shows interesting facts about the user account, namely that there are no policies applied: + </para> +<screen><command>Last password change : Jan 20, 2008 Password expires : never Password inactive : never Account expires : never 
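Review bot: `shows interesting facts about the user account` in the @@ -189 hunk is vague; say what the reader should look for, e.g. `shows that no password aging or expiration policy is applied to the account`, which is what the `never` values in the following output lines demonstrate.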
@@ -202,18 +209,20 @@ <para> To set any of these values, simply use the following syntax, and follow the interactive prompts: </para> -<screen><command>$ sudo chage username</command></screen> +<screen><command>sudo chage username</command></screen> <para> - The following is an example of how you can change an accounts explicit expiration date (-E) to 01/31/2008, minimum passsword age (-m) of 5 days, maximum password age (-M) of 90 days, inactivity period (-I) of 5 days after password expiration, and a warning time period (-W) of 14 days before password expiration. + The following is also an example of how you can manually change the explicit expiration date (-E) to 01/31/2008, minimum password age (-m) of 5 days, maximum password age (-M) of 90 days, inactivity period (-I) of 5 days after password expiration, and a warning time period (-W) of 14 days before password expiration. </para> -<screen><command>$ sudo chage -E 01/31/2008 -m 5 -M 90 -I 30 -W 14 username</command></screen> +<screen><command>sudo chage -E 01/31/2008 -m 5 -M 90 -I 30 -W 14 username</command></screen> </listitem> <listitem> <para> To verify changes, use the same syntax as mentioned previously: </para> -<screen><command>$ sudo chage -l username -Last password change : Jan 20, 2008 +<screen><command>sudo chage -l username</command></screen> + <para>The output below shows the new policies that have been established for the account: + </para> +<screen><command>Last password change : Jan 20, 2008 Password expires : Apr 19, 2008 Password inactive : May 19, 2008 Account expires : Jan 31, 2008 
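Review bot: The @@ -202 hunk rewrites the prose to say `inactivity period (-I) of 5 days`, but the command that follows uses `-I 30`, and the verification output (`Password inactive : May 19, 2008`, thirty days after the `Apr 19, 2008` expiry) matches 30; change the prose to 30 days so the three agree. The stray `also` in `The following is also an example` should go as well.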
@@ -236,17 +245,23 @@ <sect3 id="ssh-access-by-disabled-users" status="review"> <title>SSH Access by Disabled Users</title> <para> - Simply disabling/locking a user account will not prevent a user from logging into your server remotely if they have previously set up RSA public key authentication. They will still be able to gain shell access to the server, without the need for any password. Remember to check the users home directory for files that will allow for this type of authenticated SSH access. e.g. /home/username/.ssh/authorized_keys. + Simply disabling/locking a user account will not prevent a user from logging into your server remotely if they have previously set up RSA public key authentication. They will still be able to gain shell access to the server, without the need for any password. Remember to check the users home directory for files that will allow for this type of authenticated SSH access. e.g. <filename>/home/username/.ssh/authorized_keys</filename>. </para> <para> - Remove or rename the .ssh directory of the user to prevent further SSH authentication. + Remove or rename the directory <filename>.ssh/</filename> in the user's home folder to prevent further SSH authentication capabilities. </para> <para> Be sure to check for any established SSH connections by the disabled user, as it is possible they may have existing inbound or outbound connections. Kill any that are found. </para> <para> - Restrict SSH access to only user accounts that should have it. You might want to create a group called "sshlogin" and add it to the value associated with the "AllowGroups" variable in /etc/ssh/sshd_config. Then add your permitted SSH users to this group using the steps outlined earlier in this document. - </para> + Restrict SSH access to only user accounts that should have it. 
For example, you may create a group called "sshlogin" and add the group name as the value associated with the <varname>AllowGroups</varname> variable located in the file <filename>/etc/ssh/sshd_config</filename>. + </para> +<screen><command>AllowGroups sshlogin</command></screen> + <para> + Then add your permitted SSH users to the group "sshlogin", and restart the SSH service. + </para> +<screen><command>sudo adduser username sshlogin +sudo /etc/init.d/ssh restart</command></screen> </sect3> <sect3 id="external-db-auth" status="review"> <title>External User Database Authentication</title> 
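Review bot: The new `AllowGroups sshlogin` and `sudo /etc/init.d/ssh restart` steps in the @@ -236 hunk can lock the administrator out: once sshd restarts with that directive, every account not in `sshlogin`, including the one doing the editing, is refused. Add a sentence telling the reader to put their own account in `sshlogin` before the restart and to verify from a second session before closing the current one. Also, `AllowGroups sshlogin` is a configuration line, not a command, so `<command>` is the wrong element for that `<screen>`.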
@@ -261,21 +276,21 @@ <sect1 id="console-security" status="review"> <title>Console Security</title> <para> - As with any other security barrier you put in place to protect your server, it is pretty tough to defend against untold damage caused by someone with physical access to your environment. e.g. Theft of hard drives, power or service disruption, etc. Therefore, console security should be addressed merely as one component of your overall physical security strategy. A locked "screen door" may deter a casual criminal, or at the very least slow down a determined one, so it is still advisable to perform basic precautions with regard to console security. + As with any other security barrier you put in place to protect your server, it is pretty tough to defend against untold damage caused by someone with physical access to your environment, for example, theft of hard drives, power or service disruption and so on. Therefore, console security should be addressed merely as one component of your overall physical security strategy. A locked "screen door" may deter a casual criminal, or at the very least slow down a determined one, so it is still advisable to perform basic precautions with regard to console security. </para> <para> - The following sections will limit a persons ability to perform some fairly simple attacks against your server that could yield very serious consequences. + The following instructions will help defend your server against issues that could otherwise yield very serious consequences. </para> <sect2 id="disable-ctrl-alt-delete" status="review"> <title>Disable CTRL+ALT+Delete</title> <para> - First and foremost, anyone that has physical access to the keyboard can simply use the Ctrl+Alt+Delete key combination to reboot the server without having to log on. Sure, someone could simply unplug the power source, but you should still prevent the use of this key combination on a production server. 
This forces an attacker to take more drastic measures to reboot the server, and will prevent accidental reboots at the same time. + First and foremost, anyone that has physical access to the keyboard can simply use the <keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></keycombo> key combination to reboot the server without having to log on. Sure, someone could simply unplug the power source, but you should still prevent the use of this key combination on a production server. This forces an attacker to take more drastic measures to reboot the server, and will prevent accidental reboots at the same time. </para> <itemizedlist> <listitem> <para> - To disable the reboot action taken by pressing the Ctrl+Alt+Delete key combination, comment out the following line in the file <emphasis>/etc/event.d/control-alt-delete</emphasis>. + To disable the reboot action taken by pressing the <keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></keycombo> key combination, comment out the following line in the file <filename>/etc/event.d/control-alt-delete</filename>. </para> <screen><command>#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"</command></screen> </listitem> 
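Review bot: The rewritten sentence in the @@ -261 hunk, `will help defend your server against issues that could otherwise yield very serious consequences`, is vaguer than the line it replaces; keep the concrete framing (`limit a person's ability to perform some fairly simple attacks against your server`), since it tells the reader what the following sections guard against. The `#exec /sbin/shutdown ...` line is file content rather than a command, so it should not be in `<command>` either.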
@@ -284,30 +299,47 @@ <sect2 id="grub-password-security" status="review"> <title>GRUB Password Security</title> <para> - Ubuntu installs GNU GRUB as its default boot loader, which allows for great flexibility and recovery options. For example, when you install additional kernel images, these are automatically added as available boot options in the grub menu. Also, by default, alternate boot options are available for each kernel entry that may be used for system recovery, aptly labeled (recovery mode). Recovery mode simply boots the corresponding kernel image into single user mode (init 1), which lands the administrator at a root prompt without the need for any password. - </para> - <para> - Therefore, it is important to control who may edit the grub menu items to, <emphasis>(a)</emphasis> pass kernel options at boot up, and <emphasis>(b)</emphasis> boot the server into single user mode. You can do this by simply adding a password to grubs configuration file <emphasis>/boot/grub/menu.lst</emphasis>, which will be required to unlock grubs more advanced features prior to use. - </para> - <itemizedlist> - <listitem> - <para> - To add a password for use with grub, first you must generate an md5 password hash using the <application>grub-md5-crypt</application> utility: - </para> -<screen><command>$ grub-md5-crypt -Password: (enter new password) + Ubuntu installs GNU GRUB as its default boot loader, which allows for great flexibility and recovery options. For example, when you install additional kernel images, these are automatically added as available boot options in the <application>grub</application> menu. Also, by default, alternate boot options are available for each kernel entry that may be used for system recovery, aptly labeled (recovery mode). Recovery mode simply boots the corresponding kernel image into single user mode (init 1), which lands the administrator at a root prompt without the need for any password. 
+ </para> + <para> + Therefore, it is important to control who may edit the <application>grub</application> menu items which, would otherwise allow for someone to perform the following dangerous actions: + </para> + <itemizedlist> + <listitem> + <para> + Pass kernel options at boot up. + </para> + </listitem> + <listitem> + <para> + Boot the server into single user mode. + </para> + </listitem> + </itemizedlist> + <para> + You can prevent these actions by adding a password to grub's configuration file of <filename>/boot/grub/menu.lst</filename>, which will be required to unlock grub's more advanced features prior to use. + </para> + <itemizedlist> + <listitem> + <para> + To add a password for use with <application>grub</application>, first you must generate an md5 password hash using the <application>grub-md5-crypt</application> utility: + </para> +<screen><command>grub-md5-crypt</command></screen> + <para>The command will ask you to enter a password and offer a resulting hash value as shown below: + </para> +<screen><command>Password: (enter new password) Retype password: (repeat password) $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</command></screen> </listitem> <listitem> <para> - Add the resulting hash value to <emphasis>/etc/grub/menu.lst</emphasis> in the following format: + Add the resulting hash value to the file <filename>/etc/grub/menu.lst</filename> in the following format: </para> <screen><command>password --md5 $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</command></screen> </listitem> <listitem> <para> - To require the use of the password for entering single user mode, change the <emphasis>"lockalterntive"</emphasis> value in <emphasis>/boot/grub/menu.lst</emphasis> to <emphasis>"true"</emphasis>. + To require use of the password for entering single user mode, change the value of the <varname>lockalternative</varname> variable in the file <filename>/boot/grub/menu.lst</filename> to <varname>true</varname>, as shown in the following example. 
</para> <screen><command># lockalternative=true</command></screen> </listitem> -- https://code.launchpad.net/~ubuntu-core-doc/ubuntu-doc/ubuntu-hardy You are receiving this branch notification because you are subscribed to it. -- ubuntu-doc-commits mailing list ubuntu-doc-commits@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc-commits
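Review bot: The @@ -284 hunk keeps an inconsistent path: the hash is to be added to `<filename>/etc/grub/menu.lst</filename>` while the surrounding paragraphs and the `lockalternative` step refer to `<filename>/boot/grub/menu.lst</filename>`; use `/boot/grub/menu.lst` throughout. Minor: `menu items which, would otherwise` misplaces the comma (`menu items, which would otherwise`), and `grub's configuration file of <filename>...` reads better as `grub's configuration file, <filename>...`.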