------------------------------------------------------------
revno: 3653
committer: Jim Campbell <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Thu 2008-01-24 22:13:34 -0600
message:
  more updates from the server team
modified:
  generic/server/C/security.xml
    ------------------------------------------------------------
    revno: 3651.1.4
    committer: Adam Sommer <[EMAIL PROTECTED]>
    branch nick: ubuntu-hardy
    timestamp: Wed 2008-01-23 23:47:56 -0500
    message:
      Small formatting changes to earlier patch by Gilbert Mendoza.
    modified:
      generic/server/C/security.xml
        ------------------------------------------------------------
        revno: 3651.3.4
        committer: Gilbert Mendoza <[EMAIL PROTECTED]>
        branch nick: ubuntu-hardy
        timestamp: Tue 2008-01-22 21:50:23 -0800
        message:
          Command and output distinction, and minor sentence flow adjustments
        modified:
          generic/server/C/security.xml
    ------------------------------------------------------------
    revno: 3651.3.3
    committer: Gilbert Mendoza <[EMAIL PROTECTED]>
    branch nick: ubuntu-hardy
    timestamp: Tue 2008-01-22 07:23:28 -0800
    message:
      Syntax, grammar, and spelling modifications.
    modified:
      generic/server/C/security.xml

=== modified file 'generic/server/C/security.xml'
--- a/generic/server/C/security.xml     2008-01-21 05:00:30 +0000
+++ b/generic/server/C/security.xml     2008-01-23 05:50:23 +0000
@@ -39,8 +39,10 @@
                <para>
                If for some reason you wish to enable the root account, simply 
give it a password:
                </para>
-<screen><command>$ sudo passwd
-[sudo] password for username: (enter your own password)
+<screen><command>sudo passwd</command></screen>
+               <para>Sudo will prompt you for your password, and then ask you 
to supply a new password for root as shown below:
+               </para>
+               <screen><command>[sudo] password for username: (enter your own 
password)
 Enter new UNIX password: (enter a new password for root)
 Retype new UNIX password: (repeat new password for root)
 passwd: password updated successfully</command></screen>
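Review bot: In the second added `<screen>`, the sudo and passwd prompts are program output but are still wrapped in `<command>`, which undoes the command/output split this change is making. Consider `<computeroutput>` (or a plain `<screen>`) for the block starting `[sudo] password for username:`, and lower-case "Sudo" in the new `<para>` to match the command name.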
@@ -49,18 +51,17 @@
                <para>
                To disable the root account, use the following passwd syntax:
                </para>
-<screen><command>$ sudo passwd -l root
-Password changed.</command></screen>
+<screen><command>sudo passwd -l root</command></screen>
                </listitem>
                <listitem>
                <para>
                You should read more on <application>Sudo</application> by 
checking out it's man page:
                </para>
-<screen><command>$ man sudo</command></screen>
+<screen><command>man sudo</command></screen>
                </listitem>
                </itemizedlist>
                <para>
-               By default, the initial user created by the Ubuntu installer is 
a member of the group "admin" which is added to /etc/sudoers as an authorized 
sudo user.  If you wish to give any other account full root access through 
sudo, simply add them to the admin group.
+               By default, the initial user created by the Ubuntu installer is 
a member of the group "admin" which is added to the file 
<filename>/etc/sudoers</filename> as an authorized sudo user.  If you wish to 
give any other account full root access through 
<application>sudo</application>, simply add them to the admin group.
                </para>
   </sect2>
 
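Review bot: The context line "checking out it's man page" in the second list item still writes the possessive as "it's"; since this pass covers grammar, change it to "its". The added paragraph also uses `<application>sudo</application>` while that list item keeps `<application>Sudo</application>`; pick one casing.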
@@ -74,13 +75,13 @@
                <para>
                To add a user account, use the following syntax, and follow the 
prompts to give the account a password and identifiable characteristics such as 
a full name, phone number, etc.
                </para>
-<screen><command>$ sudo adduser username</command></screen>
+<screen><command>sudo adduser username</command></screen>
                </listitem>
                <listitem>
                <para>
                To delete a user account and its primary group, use the 
following syntax:
                </para>
-<screen><command>$ sudo deluser username</command></screen>
+<screen><command>sudo deluser username</command></screen>
                <para>
                Deleting an account does not remove their respective home 
folder. It is up to you whether or not you wish to delete the folder manually 
or keep it according to your desired retention policies.  
                </para>
@@ -90,29 +91,29 @@
                <para>
                You may want to change these UID/GID values to something more 
appropriate, such as the root account, and perhaps even relocate the folder to 
avoid future conflicts:
                </para>
-<screen><command>$ sudo chown -R root:root /home/username/
-$ sudo mkdir /home/archived_users/
-$ sudo mv /home/username /home/archived_users/</command></screen>
+<screen><command>sudo chown -R root:root /home/username/
+sudo mkdir /home/archived_users/
+sudo mv /home/username /home/archived_users/</command></screen>
                </listitem>
                <listitem>
                <para>
                To temporarily lock or unlock a user account, use the following 
syntax, respectively:
                </para>
-<screen><command>$ sudo passwd -l username
-$ sudo passwd -u username</command></screen>
+<screen><command>sudo passwd -l username
+sudo passwd -u username</command></screen>
                </listitem>
                <listitem>
                <para>
                To add or delete a personalized group, use the following 
syntax, respectively:
                </para>
-<screen><command>$ sudo addgroup groupname
-$ sudo delgroup groupname</command></screen>
+<screen><command>sudo addgroup groupname
+sudo delgroup groupname</command></screen>
                </listitem>
                <listitem>
                <para>
                To add a user to a group, use the following syntax:
                </para>
-<screen><command>$ sudo usermod -a -G groupname username</command></screen>
+<screen><command>sudo adduser username groupname</command></screen>
                </listitem>
                </itemizedlist>
   </sect2>
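Review bot: The archive sequence (`sudo chown -R root:root`, `sudo mkdir /home/archived_users/`, `sudo mv`) changes ownership only and never sets a mode on `/home/archived_users/`, so anything other users could read in the old home directory stays readable after the move. Consider adding a `sudo chmod 0750 /home/archived_users/` step, matching the mode used in the User Profile Security section. Separately, the last change replaces `usermod -a -G groupname username` with `adduser username groupname`, which reverses the argument order; that is more than a formatting change and deserves a mention in the commit message.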
@@ -120,7 +121,7 @@
   <sect2 id="user-profile-security" status="review">
        <title>User Profile Security</title>
        <para>
-       When a new user is created, the adduser utility creates a brand new 
home directory named <emphasis>/home/username</emphasis>, respectively.  The 
default profile is modeled after the contents found in 
<emphasis>/etc/skel</emphasis>, which includes all profile basics.  
+       When a new user is created, the adduser utility creates a brand new 
home directory named <filename>/home/username</filename>, respectively.  The 
default profile is modeled after the contents found in the directory of 
<filename>/etc/skel</filename>, which includes all profile basics.  
        </para>
        <para>
        If your server will be home to multiple users, you should pay close 
attention to the user home directory permissions to ensure confidentiality.  By 
default, user home directories in Ubuntu are created with world read/execute 
permissions.   This means that all users can browse and access the contents of 
other users home directories.  This may not be suitable for your environment.
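Review bot: In the rewritten sentence, "named `/home/username`, respectively" has nothing for "respectively" to pair with, and "the contents found in the directory of `/etc/skel`" reads as if `/etc/skel` owns a directory. Suggest dropping "respectively" and writing "the contents of the directory `/etc/skel`". The context paragraph also needs an apostrophe in "other users' home directories".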
@@ -130,14 +131,16 @@
                <para>
                To verify your current users home directory permissions, use 
the following syntax:
                </para>
-<screen><command>$ ls -ld /home/username
-drwxr-xr-x   2 username username    4096 2007-10-02 20:03 
username</command></screen>
+<screen><command>ls -ld /home/username</command></screen>
+               <para>The following output shows that the directory 
<filename>/home/username</filename> has world readable permissions:
+               </para>
+<screen><command>drwxr-xr-x   2 username username    4096 2007-10-02 20:03 
username</command></screen>
                </listitem>
                <listitem>
                <para>
-               To properly correct the above permissions, remove world 
readable permissions from the users parent directory using the following syntax:
+               To can remove the world readable permissions using the 
following syntax:
                </para>
-<screen><command>$ sudo chmod 0750 /home/username</command></screen>
+<screen><command>sudo chmod 0750 /home/username</command></screen>
                <note>
                <para>
                Some people tend to use the recursive option (-R) 
indiscriminately which modifies all child folders and files, but this is not 
necessary, and may yield other undesirable results.  The parent directory alone 
is sufficient for preventing unauthorized access to anything below the parent.
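Review bot: The replacement sentence "To can remove the world readable permissions using the following syntax:" is ungrammatical; use "You can remove ..." or "To remove ..., use the following syntax:". The first step of the same list still says "your current users home directory permissions", which needs an apostrophe, and the `ls -ld` output line is still inside `<command>`.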
@@ -150,10 +153,12 @@
                </listitem>
                <listitem>
                <para>
-               After correcting the directory permissions using any of the 
previously mentioned techniques, verify the permissions using the following 
syntax:
-               </para>
-<screen><command>$ ls -ld /home/username
-drwxr-x---   2 username username    4096 2007-10-02 20:03 
username</command></screen>
+               After correcting the directory permissions using any of the 
previously mentioned techniques, verify the results using the following syntax:
+               </para>
+<screen><command>ls -ld /home/username</command></screen>
+               <para>The results below show that world readable permissions 
have been removed:
+               </para>
+<screen><command>drwxr-x---   2 username username    4096 2007-10-02 20:03 
username</command></screen>
                </listitem>
                </itemizedlist>
   </sect2>
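Review bot: The added sentence says only that "world readable permissions have been removed", but the listing `drwxr-x---` shows world execute gone as well, which is what `chmod 0750` in the previous step does. Suggest "world read and execute permissions have been removed" so the text matches the output.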
@@ -166,7 +171,7 @@
   <sect3 id="minimum-password-length" status="review">
        <title>Minimum Password Length</title>
        <para>
-       By default, Ubuntu requires a minimum password length of 4 characters, 
as well as some basic entropy checks.  These values are controlled in the file 
/etc/pam.d/common-password, which is outlined below.
+       By default, Ubuntu requires a minimum password length of 4 characters, 
as well as some basic entropy checks.  These values are controlled in the file 
<filename>/etc/pam.d/common-password</filename>, which is outlined below.
        </para>
 <screen><command>password   required   pam_unix.so nullok obscure min=4 max=8 
md5</command></screen>
        <para>
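Review bot: The `pam_unix.so` line under the changed paragraph is a line from a configuration file, yet it stays inside `<screen><command>`; `<programlisting>` fits better and keeps `<command>` for things the reader types. "which is outlined below" also overstates it, since a single line of the file is shown; "the relevant line is shown below" would be accurate.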
@@ -175,7 +180,7 @@
 <screen><command>password   required   pam_unix.so nullok obscure min=6 max=8 
md5</command></screen>
        <note>
        <para>
-       The max=8 variable does not represent the maximum length of a password. 
 It only means that complexity requirements will not be checked on passwords 
over 8 characters.  You may want to look at the 
<application>libpam-cracklib</application> package for additional password 
entropy assistance.
+       The <varname>max=8</varname> variable does not represent the maximum 
length of a password.  It only means that complexity requirements will not be 
checked on passwords over 8 characters.  You may want to look at the 
<application>libpam-cracklib</application> package for additional password 
entropy assistance.
        </para>
        </note>
   </sect3>
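Review bot: `<varname>max=8</varname>` tags an option together with its value as a variable name. `<option>max=8</option>`, with "option" in place of "variable" in the sentence, would describe it correctly.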
@@ -189,8 +194,10 @@
                <para>
                To easily view the current status of a user account, use the 
following syntax:
                </para>
-<screen><command>$ sudo chage -l username 
-Last password change                                    : Jan 20, 2008
+<screen><command>sudo chage -l username</command></screen>
+               <para>The output below shows interesting facts about the user 
account, namely that there are no policies applied:
+               </para>
+<screen><command>Last password change                                    : Jan 
20, 2008
 Password expires                                        : never
 Password inactive                                       : never
 Account expires                                         : never
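Review bot: The new lead-in "shows interesting facts about the user account, namely that there are no policies applied" is vague; "The output below shows that no expiration policies are applied to the account:" states the point directly. The output block is also still wrapped in `<command>` although it is what `chage -l` prints.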
@@ -202,18 +209,20 @@
                <para>
                To set any of these values, simply use the following syntax, 
and follow the interactive prompts:
                </para>
-<screen><command>$ sudo chage username</command></screen>
+<screen><command>sudo chage username</command></screen>
                <para>
-               The following is an example of how you can change an accounts 
explicit expiration  date (-E) to 01/31/2008, minimum passsword age (-m) of 5 
days, maximum password  age (-M) of 90 days, inactivity period (-I) of 5 days 
after password expiration, and a warning time period (-W) of 14 days before 
password expiration.
+               The following is also an example of how you can manually change 
the explicit expiration date (-E) to 01/31/2008, minimum password age (-m) of 5 
days, maximum password  age (-M) of 90 days, inactivity period (-I) of 5 days 
after password expiration, and a warning time period (-W) of 14 days before 
password expiration.
                </para>
-<screen><command>$ sudo chage -E 01/31/2008 -m 5 -M 90 -I 30 -W 14 
username</command></screen>
+<screen><command>sudo chage -E 01/31/2008 -m 5 -M 90 -I 30 -W 14 
username</command></screen>
                </listitem>
                <listitem>
                <para>
                To verify changes, use the same syntax as mentioned previously:
                </para>
-<screen><command>$ sudo chage -l username
-Last password change                                    : Jan 20, 2008
+<screen><command>sudo chage -l username</command></screen>
+               <para>The output below shows the new policies that have been 
established for the account:
+               </para>
+<screen><command>Last password change                                    : Jan 
20, 2008
 Password expires                                        : Apr 19, 2008
 Password inactive                                       : May 19, 2008
 Account expires                                         : Jan 31, 2008
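Review bot: The rewritten paragraph still describes the inactivity period (-I) as 5 days, but the command that follows passes `-I 30`, and the sample output agrees with 30 (password expires Apr 19, 2008, password inactive May 19, 2008). Change the prose to 30 days so the three agree.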
@@ -236,17 +245,23 @@
   <sect3 id="ssh-access-by-disabled-users" status="review">
        <title>SSH Access by Disabled Users</title>
        <para>
-       Simply disabling/locking a user account will not prevent a user from 
logging into your server remotely if they have previously set up RSA public key 
authentication. They will still be able to gain shell access to the server, 
without the need for any password.  Remember to check the users home directory 
for files that will allow for  this type of authenticated SSH access.  e.g. 
/home/username/.ssh/authorized_keys.
+       Simply disabling/locking a user account will not prevent a user from 
logging into your server remotely if they have previously set up RSA public key 
authentication. They will still be able to gain shell access to the server, 
without the need for any password.  Remember to check the users home directory 
for files that will allow for this type of authenticated SSH access.  e.g. 
<filename>/home/username/.ssh/authorized_keys</filename>.
        </para>
        <para>
-       Remove or rename the .ssh directory of the user to prevent further SSH 
authentication.
+       Remove or rename the directory <filename>.ssh/</filename> in the user's 
home folder to prevent further SSH authentication capabilities.
        </para>
        <para>
        Be sure to check for any established SSH connections by the disabled 
user, as it is possible they may have existing inbound or outbound connections. 
 Kill any that are found.
        </para>
        <para>
-       Restrict SSH access to only user accounts that should have it.  You 
might want to create a group called "sshlogin" and add it to the value 
associated with the  "AllowGroups" variable in /etc/ssh/sshd_config.  Then add 
your permitted SSH users to this group using the steps outlined earlier in this 
document.
-       </para>
+       Restrict SSH access to only user accounts that should have it.  For 
example, you may create a group called "sshlogin" and add the group name as the 
value associated with the <varname>AllowGroups</varname> variable located in 
the file <filename>/etc/ssh/sshd_config</filename>.
+       </para>
+<screen><command>AllowGroups sshlogin</command></screen>
+       <para>
+       Then add your permitted SSH users to the group "sshlogin", and restart 
the SSH service.
+       </para>
+<screen><command>sudo adduser username sshlogin
+sudo /etc/init.d/ssh restart</command></screen>
   </sect3>
   <sect3 id="external-db-auth" status="review">
        <title>External User Database Authentication</title>
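Review bot: The new example adds users with `sudo adduser username sshlogin` but never creates the group; the old wording sent the reader back to "the steps outlined earlier in this document", and with that pointer gone the group creation step is missing. Add `sudo addgroup sshlogin` before the `adduser` line. `AllowGroups sshlogin` is a configuration line, so `<programlisting>` suits it better than `<screen><command>`, and "the users home directory" in the first paragraph needs an apostrophe.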
@@ -261,21 +276,21 @@
    <sect1 id="console-security" status="review">
        <title>Console Security</title>
        <para>
-       As with any other security barrier you put in place to protect your 
server, it is pretty tough to defend against untold damage caused by someone 
with physical access to your environment.  e.g. Theft of hard drives, power or 
service disruption, etc.  Therefore, console security should be addressed 
merely as one component of your overall physical security strategy.  A locked 
"screen door" may deter a casual criminal, or at the very least slow down a 
determined one, so it is still advisable to perform basic precautions with 
regard to console security.
+       As with any other security barrier you put in place to protect your 
server, it is pretty tough to defend against untold damage caused by someone 
with physical access to your environment, for example, theft of hard drives, 
power or service disruption and so on.  Therefore, console security should be 
addressed merely as one component of your overall physical security strategy.  
A locked "screen door" may deter a casual criminal, or at the very least slow 
down a determined one, so it is still advisable to perform basic precautions 
with regard to console security.
        </para>
        <para>
-       The following sections will limit a persons ability to perform some 
fairly simple attacks against your server that could yield very serious 
consequences.
+       The following instructions will help defend your server against issues 
that could otherwise yield very serious consequences.
        </para>
 
    <sect2 id="disable-ctrl-alt-delete" status="review">
        <title>Disable CTRL+ALT+Delete</title>
        <para>
-       First and foremost, anyone that has physical access to the keyboard can 
simply use the Ctrl+Alt+Delete key combination to reboot the server without 
having to log on.  Sure, someone could simply unplug the power source, but you 
should still prevent the use of this key combination on a production server.  
This forces an attacker to take more drastic measures to reboot the server, and 
will prevent accidental reboots at the same time.
+       First and foremost, anyone that has physical access to the keyboard can 
simply use the 
<keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></keycombo>
 key combination to reboot the server without having to log on.  Sure, someone 
could simply unplug the power source, but you should still prevent the use of 
this key combination on a production server.  This forces an attacker to take 
more drastic measures to reboot the server, and will prevent accidental reboots 
at the same time.
        </para>
                <itemizedlist>
                <listitem>
                <para>
-               To disable the reboot action taken by pressing the 
Ctrl+Alt+Delete key combination, comment out the following line in the file 
<emphasis>/etc/event.d/control-alt-delete</emphasis>.
+               To disable the reboot action taken by pressing the 
<keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></keycombo>
 key combination, comment out the following line in the file 
<filename>/etc/event.d/control-alt-delete</filename>.
                </para>
 <screen><command>#exec /sbin/shutdown -r now "Control-Alt-Delete 
pressed"</command></screen>
                </listitem>
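Review bot: The replacement for "The following sections will limit a persons ability to perform some fairly simple attacks" now promises to "defend your server against issues", which no longer tells the reader what kind of threat the section covers. Suggest naming it, for example "The following instructions limit what someone at the console can do without logging in". The `#exec /sbin/shutdown` line is file content rather than a command and would sit better in `<programlisting>`.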
@@ -284,30 +299,47 @@
    <sect2 id="grub-password-security" status="review">
        <title>GRUB Password Security</title>
        <para>
-       Ubuntu installs GNU GRUB as its default boot loader, which allows for 
great flexibility and recovery options.  For example, when you install 
additional kernel images, these are automatically added as available boot 
options in the grub menu.  Also, by default, alternate boot options are 
available for each kernel entry that may be used for system recovery, aptly 
labeled (recovery mode).  Recovery mode simply boots the corresponding kernel 
image into single user mode (init 1), which lands the administrator at a root 
prompt without the need for any password.  
-       </para>
-       <para>
-       Therefore, it is important to control who may edit the grub menu items 
to, <emphasis>(a)</emphasis> pass kernel options at boot up, and 
<emphasis>(b)</emphasis> boot the server into single user mode.  You can do 
this by simply adding a password to grubs configuration file 
<emphasis>/boot/grub/menu.lst</emphasis>, which will be required to unlock 
grubs more advanced features prior to use.
-       </para>
-               <itemizedlist>
-               <listitem>
-               <para>
-               To add a password for use with grub, first you must generate an 
md5 password hash using the <application>grub-md5-crypt</application> utility:
-               </para>
-<screen><command>$ grub-md5-crypt
-Password: (enter new password)
+       Ubuntu installs GNU GRUB as its default boot loader, which allows for 
great flexibility and recovery options.  For example, when you install 
additional kernel images, these are automatically added as available boot 
options in the <application>grub</application> menu.  Also, by default, 
alternate boot options are available for each kernel entry that may be used for 
system recovery, aptly labeled (recovery mode).  Recovery mode simply boots the 
corresponding kernel image into single user mode (init 1), which lands the 
administrator at a root prompt without the need for any password.  
+       </para>
+       <para>
+       Therefore, it is important to control who may edit the 
<application>grub</application> menu items which, would otherwise allow for 
someone to perform the following dangerous actions:
+       </para> 
+               <itemizedlist>
+               <listitem>
+               <para>
+               Pass kernel options at boot up.
+               </para>
+               </listitem>
+               <listitem>
+               <para>
+               Boot the server into single user mode.
+               </para>
+               </listitem>
+               </itemizedlist>
+       <para>
+       You can prevent these actions by adding a password to grub's 
configuration file of <filename>/boot/grub/menu.lst</filename>, which will be 
required to unlock grub's more advanced features prior to use.
+       </para>
+               <itemizedlist>
+               <listitem>
+               <para>
+               To add a password for use with <application>grub</application>, 
first you must generate an md5 password hash using the 
<application>grub-md5-crypt</application> utility:
+               </para>
+<screen><command>grub-md5-crypt</command></screen>
+               <para>The command will ask you to enter a password and offer a 
resulting hash value as shown below: 
+               </para>
+<screen><command>Password: (enter new password)
 Retype password: (repeat password)
 $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</command></screen>
                </listitem>
                <listitem>
                <para>
-               Add the resulting hash value to 
<emphasis>/etc/grub/menu.lst</emphasis> in the following format:
+               Add the resulting hash value to the file 
<filename>/etc/grub/menu.lst</filename> in the following format:
                </para>
 <screen><command>password --md5 
$1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</command></screen>
                </listitem>
                <listitem>
                <para>
-               To require the use of the password for entering single user 
mode, change the <emphasis>"lockalterntive"</emphasis> value in 
<emphasis>/boot/grub/menu.lst</emphasis> to <emphasis>"true"</emphasis>.
+               To require use of the password for entering single user mode, 
change the value of the <varname>lockalternative</varname> variable in the file 
<filename>/boot/grub/menu.lst</filename> to <varname>true</varname>, as shown 
in the following example.
                </para>
 <screen><command># lockalternative=true</command></screen>
                </listitem>
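Review bot: The step "Add the resulting hash value to the file `<filename>/etc/grub/menu.lst</filename>`" keeps the `/etc/grub/` path, while the paragraph above it and the `lockalternative` step both name `/boot/grub/menu.lst`; the line is touched here, so make the path consistent in the same change. In the second paragraph, the comma in "menu items which, would otherwise allow" is misplaced; "menu items, which would otherwise allow someone to perform" reads correctly.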



--

https://code.launchpad.net/~ubuntu-core-doc/ubuntu-doc/ubuntu-hardy

You are receiving this branch notification because you are subscribed to it.

-- 
ubuntu-doc-commits mailing list
ubuntu-doc-commits@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc-commits
