Monday, April 9, 2012

Disable Root SSH Login on Linux

One of the biggest security holes you can open on your server is allowing direct root logins over ssh: any cracker can then brute-force the root password and, if they guess it, gain full access to your system.

It’s much better to have a separate account that you regularly use and simply sudo to root when necessary. Before we begin, you should make sure that you have a regular user account and that you can su or sudo to root from it.

To fix this problem, we'll need to edit sshd_config, the main configuration file for the sshd service. Its location sometimes differs, but it's usually in /etc/ssh/. Open the file while logged in as root.

    vi /etc/ssh/sshd_config

Find the section of the file that contains the "PermitRootLogin" line.

    #LoginGraceTime 2m
    #PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6

Uncomment the line and make it look like this to disable logging in through ssh as root.

    PermitRootLogin no

Now you’ll need to restart the sshd service:

    /etc/init.d/sshd restart
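Two details make this edit easy to get wrong: a line that still starts with `#` is a comment and changes nothing, and sshd honours only the first active occurrence of a keyword, so a `PermitRootLogin no` added lower in the file is ignored if a `PermitRootLogin yes` precedes it. The script below is an added example, not part of the original post, that reports the value sshd would actually use from a config file. The three sample configs are constructed for the example; the `effective_setting` and `root_login_disabled` functions are this example's own helpers, not anything shipped with OpenSSH.

```shell
#!/bin/sh
# Added example (not from the original post): report the PermitRootLogin value
# sshd will actually use from a config file.
#  - "#PermitRootLogin no" is a comment, so it changes nothing;
#  - sshd uses the FIRST active occurrence of a keyword, so a later
#    "PermitRootLogin no" is ignored when a "PermitRootLogin yes" precedes it.
# Match blocks are not modelled here; on a live host confirm with "sshd -T".

# Usage: effective_setting KEYWORD < sshd_config
# Prints the first active value, or "default" when no uncommented line sets it
# (sshd's built-in default for PermitRootLogin was "yes" in 2012-era OpenSSH
# and has been "prohibit-password" since OpenSSH 7.0).
effective_setting() {
    v=$(awk -v kw="$1" '
        /^[[:space:]]*#/ { next }                       # commented-out lines are inert
        { sub(/=/, " ") }                               # accept the "Keyword=value" form too
        tolower($1) == tolower(kw) { print $2; exit }   # first active match wins
    ')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'default\n'; fi
}

# Usage: root_login_disabled < sshd_config
# Exit status 0 only if the effective value is exactly "no".
root_login_disabled() {
    [ "$(effective_setting PermitRootLogin)" = "no" ]
}

# Constructed sample configs (not copied from any real host).
CFG_UNTOUCHED='#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes'

CFG_FIXED='#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes'

CFG_SHADOWED='PermitRootLogin yes
PermitRootLogin no'

printf 'untouched: %s\n' "$(printf '%s\n' "$CFG_UNTOUCHED" | effective_setting PermitRootLogin)"
printf 'fixed:     %s\n' "$(printf '%s\n' "$CFG_FIXED"     | effective_setting PermitRootLogin)"
printf 'shadowed:  %s\n' "$(printf '%s\n' "$CFG_SHADOWED"  | effective_setting PermitRootLogin)"
```

On the real server, `sshd -T | grep -i permitrootlogin` prints the effective value including the built-in default, and `sshd -t` checks the file for syntax errors; run it before the restart above so a typo does not leave the host without a working ssh daemon, and keep your current session open until a fresh login as the regular user succeeds.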

Sunday, April 8, 2012

### Sudo Users ###

If a server needs to be administered by a number of people, it is normally not a good idea for them all to use the root account. This is because it becomes difficult to determine exactly who did what, when and where if everyone logs in with the same credentials. The sudo utility was designed to overcome this difficulty.

The sudo utility allows users defined in the /etc/sudoers configuration file to have temporary access to run commands which they would not normally be able to due to file permission restrictions.

Configuration:

Suppose we want two more admin users (remil, shinto) with all the privileges of the root user.

We'll make them sudo users.

Edit /etc/sudoers and add their names as follows. Always use the visudo command to edit /etc/sudoers: it locks the file and checks the syntax before saving.

    [root@vm1 ~]# visudo

    root    ALL=(ALL)       ALL
    remil   ALL=(ALL)       ALL
    shinto  ALL=(ALL)       ALL

Save the file.

Now log in as shinto and execute a command.

To run a privileged command, prefix it with the word sudo followed by the command's regular syntax. When you run a command with the sudo prefix, you are prompted for your own regular password before it is executed.

    [shinto@vm1 ~]$ sudo /sbin/service network restart

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

    Password:
    Shutting down interface eth0:                              [  OK  ]
    Shutting down loopback interface:                          [  OK  ]
    Bringing up loopback interface:                            [  OK  ]
    Bringing up interface eth0:                                [  OK  ]
    [shinto@vm1 ~]$

NOTE: All commands run through sudo are logged in the log file /var/log/messages.
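Those log entries are what makes the "who did what, when and where" question answerable. The script below is an added example, not part of the original post: it turns the lines sudo writes through syslog into a tab-separated table and pulls out the entries sudo refused, which are the ones worth a second look during review. The log lines are constructed in the format sudo uses (an allowed command, a command outside the user's permitted set, a failed password, and one unrelated sshd line to show filtering); the `sudo_events` and `sudo_denials` functions are this example's own helpers. Depending on the distribution's syslog configuration the same lines land in /var/log/secure rather than /var/log/messages, so check where the authpriv facility is routed.

```shell
#!/bin/sh
# Added example (not from the original post): parse sudo's syslog lines into
# time, invoking user, outcome, target user and command, then list denials.
# Assumes the classic "hostname sudo:   user : ..." line shape; a syslog that
# records "sudo[pid]:" would need the match below widened.

# Usage: sudo_events < logfile
# Prints one tab-separated line per sudo event: ts, user, outcome, runas, command.
sudo_events() {
    awk '
        index($0, " sudo: ") == 0 { next }                 # not a sudo line
        {
            ts = substr($0, 1, index($0, " sudo: ") - 1)
            sub(/ [^ ]+$/, "", ts)                         # drop the hostname
            msg = substr($0, index($0, " sudo: ") + 7)
            sub(/^[ \t]+/, "", msg)
            user = msg; sub(/ : .*/, "", user)             # invoking user
            msg = substr(msg, length(user) + 4)            # skip "user : "
            n = split(msg, f, / ; /)
            outcome = "ok"; runas = "?"; cmd = "?"
            for (i = 1; i <= n; i++) {
                if (f[i] ~ /^USER=/)            runas = substr(f[i], 6)
                else if (f[i] ~ /^COMMAND=/)    cmd = substr(f[i], 9)
                else if (f[i] !~ /^(TTY|PWD)=/) outcome = f[i]   # e.g. "command not allowed"
            }
            printf "%s\t%s\t%s\t%s\t%s\n", ts, user, outcome, runas, cmd
        }'
}

# Usage: sudo_denials < logfile   (only the events sudo refused)
sudo_denials() {
    sudo_events | awk -F '\t' '$3 != "ok"'
}

# Constructed sample log lines (not from a real host; 192.0.2.10 is a documentation address).
LOG_SAMPLE='Apr  8 10:15:22 vm1 sudo:   shinto : TTY=pts/0 ; PWD=/home/shinto ; USER=root ; COMMAND=/sbin/service network restart
Apr  8 10:16:40 vm1 sudo:    ajith : command not allowed ; TTY=pts/1 ; PWD=/home/ajith ; USER=root ; COMMAND=/bin/bash
Apr  8 10:17:02 vm1 sudo:   rakesh : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/rakesh ; USER=root ; COMMAND=/sbin/service network restart
Apr  8 10:18:15 vm1 sshd[2140]: Accepted password for remil from 192.0.2.10 port 51022 ssh2
Apr  8 10:18:30 vm1 sudo:    remil : TTY=pts/3 ; PWD=/home/remil ; USER=root ; COMMAND=/sbin/service network restart'

echo "--- all sudo events (ts, user, outcome, runas, command):"
printf '%s\n' "$LOG_SAMPLE" | sudo_events
echo "--- refused:"
printf '%s\n' "$LOG_SAMPLE" | sudo_denials
```

To use it on a real log, replace the sample with `sudo_denials < /var/log/messages` (or `/var/log/secure`); a user repeatedly hitting "command not allowed" is either misconfigured in sudoers or probing what they are permitted to run, and either way deserves a conversation.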

If you don't want to be prompted for a password, add the keyword NOPASSWD as below.

    remil   ALL=(ALL)       NOPASSWD: ALL

Note that this time sudo did not prompt for a password:

    [remil@vm1 ~]$ sudo /sbin/service network restart
    Shutting down interface eth0:                              [  OK  ]
    Shutting down loopback interface:                          [  OK  ]
    Bringing up loopback interface:                            [  OK  ]
    Bringing up interface eth0:                                [  OK  ]
    [remil@vm1 ~]$


Suppose we want to give permission for only one command. For example, we are running a web server and want to give a group of admins permission only to stop and restart that service.

The configuration is as follows:

    User_Alias WEBADMINS=ajith,vivek
    Cmnd_Alias WEBADMINS_COMMANDS=/etc/init.d/httpd
    WEBADMINS ALL=WEBADMINS_COMMANDS

Now log in as ajith and check:

    [ajith@vm1 ~]$ sudo /etc/init.d/httpd start

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

    Password:
    Starting httpd:                                            [  OK  ]
    [ajith@vm1 ~]$

For groups:

If you are giving permissions to a whole group of users, give the group name prefixed with % as follows:

    %linux ALL=(ALL) NOPASSWD: ALL

We created a user rakesh with primary group linux, and gave all the users in the linux group all the privileges of the root user.

Checking the privileges as user rakesh:

    [rakesh@vm1 ~]$ sudo /sbin/service network restart
    Shutting down interface eth0:                              [  OK  ]
    Shutting down loopback interface:                          [  OK  ]
    Bringing up loopback interface:                            [  OK  ]
    Bringing up interface eth0:                                [  OK  ]

    [rakesh@vm1 ~]$ groups rakesh
    rakesh : linux
    [rakesh@vm1 ~]$