
...

By default the staff group has no sudo access. To grant sudo access to every member of the staff group, edit the sudoers file with visudo (never with a plain editor, because visudo syntax-checks the file before installing it and a broken sudoers file can lock you out of root),

Code Block
sudo visudo

visudo opens /etc/sudoers in your default editor. Add the following line at the bottom of the file. Note that it grants full root rights to every member of staff, so membership of that group must be as tightly controlled as the root password itself,

Code Block
# Members of this group may gain root privileges
%staff ALL=(ALL) ALL

...

Create the serveradmin group and user (both with ID 3000 so they are easy to recognise in logs and file listings) and assign the user a password,

Code Block
sudo addgroup --gid 3000 serveradmin
sudo useradd -d /home/serveradmin -m -g serveradmin -u 3000 -c "Admin catch-all" -s /bin/bash serveradmin
sudo passwd serveradmin

...

We will also create one account per person, associated with the built-in staff group, so we know who is working on the machine. As a policy, our team requires that, unless absolutely necessary, staff log in as their own account and then su to serveradmin or use sudo for maintenance work. That way we have a trail of who does what (both su and sudo record the originating user in /var/log/auth.log, and sudo additionally records each command). Each account must have its own unique UID; if two logins shared a UID the kernel would treat them as the same user and the trail would be meaningless,

Code Block
sudo useradd -d /home/bhitch -m -g staff -u 2002 -c "Support Bryan Hitch" -s /bin/bash bhitch
sudo useradd -d /home/jcassaday -m -g staff -u 2003 -c "Support John Cassaday" -s /bin/bash jcassaday
sudo useradd -d /home/wellis -m -g staff -u 2001 -c "Support Warren Ellis" -s /bin/bash wellis

...

Here is the command to add each staff account to the serveradmin group and to adm (which on Ubuntu grants read access to the logs under /var/log),

Code Block
sudo usermod -a -G serveradmin,adm bhitch
sudo usermod -a -G serveradmin,adm jcassaday
sudo usermod -a -G serveradmin,adm wellis

Do not forget to set an initial password for each new account (useradd creates the accounts locked, so they cannot log in until a password is set). Hand the passwords over out of band and have each person change theirs at first login,

Code Block
sudo passwd bhitch
sudo passwd jcassaday
sudo passwd wellis
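The account procedure above, as an added example that is not from the original page: a small bash helper that checks a requested UID against the passwd file before calling useradd, so that two staff members never end up sharing a UID. The passwd file path is a parameter so the logic can be exercised against a constructed copy without root; when it is pointed at the real /etc/passwd and run as root it calls useradd, otherwise it prints the command it would have run. The function names and the dry-run behaviour are my own choices, not part of the original procedure.

```bash
#!/bin/bash
# Added example, not from the original page. Allocate unique UIDs for staff
# accounts before running useradd so the "who did what" trail stays meaningful.

set -u

# uid_in_use PASSWD_FILE UID -> exit status 0 if UID already appears in PASSWD_FILE
uid_in_use() {
    local passwd_file="$1" uid="$2"
    awk -F: -v want="$uid" '$3 == want { found = 1 } END { exit !found }' "$passwd_file"
}

# next_free_uid PASSWD_FILE START -> print the lowest UID >= START not in PASSWD_FILE
next_free_uid() {
    local passwd_file="$1" uid="$2"
    while uid_in_use "$passwd_file" "$uid"; do
        uid=$((uid + 1))
    done
    printf '%s\n' "$uid"
}

# create_staff_user PASSWD_FILE LOGIN "FULL NAME" UID
# Refuses to create an account whose requested UID is already taken (useradd would
# refuse too, but this reports the next free UID instead of just failing).
# Only touches the system when run as root against the real /etc/passwd;
# otherwise it prints the useradd command it would run (dry run).
create_staff_user() {
    local passwd_file="$1" login="$2" comment="$3" uid="$4"
    if uid_in_use "$passwd_file" "$uid"; then
        echo "refusing to create $login: UID $uid already in use" \
             "(next free is $(next_free_uid "$passwd_file" "$uid"))" >&2
        return 1
    fi
    if [ "$(id -u)" -eq 0 ] && [ "$passwd_file" = /etc/passwd ]; then
        useradd -d "/home/$login" -m -g staff -u "$uid" -c "$comment" -s /bin/bash "$login"
    else
        printf 'dry run: useradd -d /home/%s -m -g staff -u %s -c "%s" -s /bin/bash %s\n' \
            "$login" "$uid" "$comment" "$login"
    fi
}

# Typical use on the server itself (as root):
#   create_staff_user /etc/passwd jcassaday "Support John Cassaday" "$(next_free_uid /etc/passwd 2001)"
```

Running the helper against a copy of /etc/passwd first is a cheap way to catch the duplicate-UID mistake before any account exists.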

...

Finally, restart the SSH service for the changes to take effect. Keep your current session open and test a fresh login from a second terminal before closing it, so a mistake in the configuration does not lock you out,

Code Block
sudo /etc/init.d/ssh restart

...

As soon as the server is on the Internet people will try to brute-force it over SSH: they simply keep hammering the system with different usernames and passwords. fail2ban makes this kind of attack not worthwhile. After a chosen number of failed login attempts from the same IP address, fail2ban blocks that address for a set period of time. Since constantly changing source IP addresses is not trivial for a single attacker, most will move on to another system. (It does not help against a distributed attack where each source only tries a few passwords, which is the case the DenyHosts section below addresses.)

Code Block
sudo apt-get install fail2ban

...

Most of fail2ban's behaviour is controlled by /etc/fail2ban/jail.conf. Do not edit that file directly, because a package upgrade can replace it; copy the settings you want to change into /etc/fail2ban/jail.local, which is read afterwards and overrides jail.conf. The settings that matter for SSH are these,

Code Block
[ssh]
# failed attempts allowed from one address before it is banned
maxretry = 6
# how long the ban lasts, in seconds (600 = 10 minutes)
bantime = 600
# addresses that are never banned: a space separated list of IPs and CIDR ranges;
# add your own management network here so you cannot lock yourself out
ignoreip = 127.0.0.1

...

After a day or so on the Internet you should start seeing addresses getting banned in the log, /var/log/fail2ban.log. Here is an example of an IP being banned and then, 10 minutes later, unbanned,

Code Block
2009-02-15 10:29:24,108 fail2ban.actions: WARNING [ssh] Ban 59.63.25.158
2009-02-15 10:39:24,137 fail2ban.actions: WARNING [ssh] Unban 59.63.25.158
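The log lines above are easy to summarise with awk. The following is an added example, not code from the original page: three small bash functions that read fail2ban "Ban"/"Unban" lines from standard input and report how often each address has been banned, which addresses are banned right now, and how long each ban actually lasted (a quick check that bantime is what you think it is). The sample log is constructed for the example in the same format as the real one; the functions assume all entries fall on the same day, and the function names are my own.

```bash
#!/bin/bash
# Added example, not from the original page: summarise /var/log/fail2ban.log.
# Each function reads fail2ban.actions log lines from stdin.
# Field layout of a line: $1 date, $2 time, $3 logger, $4 level, $5 [jail], $6 Ban|Unban, $7 ip

# Constructed sample log (documentation-range addresses, not real attackers).
SAMPLE_LOG='2009-02-15 10:29:24,108 fail2ban.actions: WARNING [ssh] Ban 59.63.25.158
2009-02-15 10:31:02,411 fail2ban.actions: WARNING [ssh] Ban 192.0.2.10
2009-02-15 10:39:24,137 fail2ban.actions: WARNING [ssh] Unban 59.63.25.158
2009-02-15 11:05:11,002 fail2ban.actions: WARNING [ssh] Ban 59.63.25.158
2009-02-15 11:15:11,020 fail2ban.actions: WARNING [ssh] Unban 59.63.25.158
2009-02-15 12:00:00,000 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7'

# ban_counts: print "count ip" per address, most banned first. Repeat offenders
# are candidates for a longer bantime or a permanent firewall rule.
ban_counts() {
    awk '$6 == "Ban" { n[$7]++ } END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# currently_banned: addresses whose most recent event is a Ban with no Unban yet.
currently_banned() {
    awk '$6 == "Ban"   { state[$7] = 1 }
         $6 == "Unban" { state[$7] = 0 }
         END { for (ip in state) if (state[ip]) print ip }' | sort
}

# ban_durations: print "ip seconds" for every Ban that has a matching Unban.
# Assumes Ban and Unban fall on the same day (milliseconds are ignored).
ban_durations() {
    awk '
    function secs(t,   h) { split(t, h, /[:,]/); return h[1]*3600 + h[2]*60 + h[3] }
    $6 == "Ban"   { start[$7] = secs($2) }
    $6 == "Unban" && ($7 in start) { print $7, secs($2) - start[$7]; delete start[$7] }'
}

# Demonstration on the constructed sample; on the server itself use e.g.
#   currently_banned < /var/log/fail2ban.log
printf '%s\n' "$SAMPLE_LOG" | ban_counts
```

For the sample above ban_counts reports 59.63.25.158 twice and the other two addresses once, currently_banned lists 192.0.2.10 and 198.51.100.7, and both completed bans measure 600 seconds, matching bantime.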

...

Another useful package is DenyHosts, which also looks for failed SSH logins but blocks offenders through TCP wrappers (/etc/hosts.deny) and can share ban lists between hosts, which helps against distributed brute-force SSH attacks where each source address only tries a few passwords. Check that the package is still available on your release before relying on it, as it was later dropped from the Debian and Ubuntu repositories,

Code Block
sudo apt-get install denyhosts

...