...
Note: A disclaimer here. These are basic steps to securing the box. An actual hardening guide is something that I might write about in the future as a separate article.
Allow staff Group to sudo
Instead, use account names associated with a user. For this example, I will be designating administrative users under the staff group. To see the list of groups available to you, use the command cat /etc/group.
...
```
# Members of this group may gain root privileges
%staff ALL=(ALL) ALL
```
Create Catch-All serveradmin user
The serveradmin account is the catch-all place to set up things like scripts. Depending on the requirements of your organization, it may also be used to manually set up software like application servers.
...
```
sudo addgroup --gid 3000 serveradmin
sudo useradd -d /home/serveradmin -m -g serveradmin -u 3000 -c "Admin catch-all" -s /bin/bash serveradmin
sudo passwd serveradmin
```
Create Staff Users
We will also create staff users associated with the built-in staff group so we know who is working on the machine. As a policy, our team requires that, unless absolutely necessary, staff log in with their own account and then su to serveradmin or use sudo for maintenance work. That way we have a trail of who does what.
...
- serveradmin - so staff users can work with manually set up apps
- adm - so staff can view logs in apps set up using the sudo command

```
sudo usermod -a -G serveradmin,adm bhitch
sudo usermod -a -G serveradmin,adm jcassaday
sudo usermod -a -G serveradmin,adm wellis
```
Warning: At this point it is important to log out and log in with your staff account to continue your work.
Disable Direct Login as Root Through SSH
Normally, permitting root login over ssh is not a security issue in Ubuntu, because root is simply disabled in the OS. This step applies only to hosted Ubuntu, where the root account is often enabled. This is dangerous because attackers look for Unix/Linux boxes and try to log in via ssh using the username root and a list of common passwords.
...
```
sudo /etc/init.d/ssh restart
```
Prevent SSH Brute Force Dictionary Attacks
As soon as your server is on the Internet, people will try to brute-force it over ssh. Basically, they keep pounding your system with different passwords. fail2ban makes this kind of attack not worthwhile. After a chosen number of failed login attempts from the same IP address, fail2ban blocks that IP address for a set period of time. As constantly changing IP addresses is not a trivial task, the attacker will move on to another system.
...