www.bonsaiframework.com
Page tree

Versions Compared

Old Version 56

changes.mady.by.user Tin Pham

Saved on

compared with

New Version 57

changes.mady.by.user Tin Pham

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Introduction

Outlined here are the minimal security steps the Bonsa Framework uses in server builds.

Allow staff Group to sudo

Use account names associated with a user. For this example, I will be designating adminstrative users under the staff group. To see the list of groups available to you use the command, cat /etc/group.

...

Code Block
languagebash
# Members of the staff group may gain root privileges
%staff ALL=(ALL) ALL

Create Catch-All serveradmin user

The purpose of serveradmin is the catch-all place to setup things like scripts. It may also, depending on requirements for your organization be used to manually setup software like application servers.

...

Code Block
languagebash
sudo addgroup --gid 3000 serveradmin
sudo useradd -d /home/serveradmin -m -g serveradmin -u 3000 -c "Admin catch-all" -s /bin/bash serveradmin
sudo passwd serveradmin

Create Staff Users

We will also create staff users associated with the built in staff group so we know who is working on the machine. As a policy, our team requires that unless absolutely necessary, staff log in as their own account and then su to serveradmin or use sudo for maintenance work. That way we can have a trail of who does what.

...

Warning

At this point it is important to logout and log in with your staff account to continue your work.

Disable Direct Login as Root Through SSH

Normally having permit root login in ssh in Ubuntu is not a security issue. Root is simply disabled in the OS. This is a hosted Ubuntu only step where often the root account is enabled. This is dangerous because there are attackers out there looking for Unix/Linux boxes and trying to login via ssh using the username root and then a list of common passwords.

...

Code Block
languagebash
sudo /etc/init.d/ssh restart

Prevent SSH Brute Force Dictionary Attacks

As soon as it is on the Internet people will try to brute force attack your server over ssh. Basically they keep on pounding your system trying different passwords.

...

Code Block
languagebash
2009-02-15 10:29:24,108 fail2ban.actions: WARNING \[ssh\] Ban 59.63.25.158
2009-02-15 10:39:24,137 fail2ban.actions: WARNING \[ssh\] Unban 59.63.25.158

Unbanning

To unban a user try these instructions. I am hesitant about playing with the ip tables in any way, so I have not tried myself. I usually just wait the 10 minutes.

According to the developers, Fail2ban version 0.9 will include an unban command through it's own client program.

More

This is basic Ubuntu Security. There is more.

...