Security

From Systerserver

What we have implemented to maintain the integrity or our /home.

Contents 1 SUDO 2 SU 3 KEYRINGS 4 Create a SSH keypair 5 SSH 6 ssh-add 7 ssh-agent 8 ssh tunneling 9 GPG 10 Create a GPG keypair 11 using GPG with files 12 using GPG with email

SUDO

• super user do
• on debian install sudo as soon as you can
• add admin users to sudoers file with visudo
• try not to do any work on the machine as root
• sudo su = sudo -, = sudo
• use sudosh to log all commands typed into new shells
• GKSu and GKsudo are graphical frontends to su and sudo (there are more)
• https://help.ubuntu.com/community/RootSudo

SU

• switch user
• eg when logged in as betty, "su billy" or "su - billy" will let you log in as billy
• "su root" = "su -" and "su", writing nothing implies user root

KEYRINGS

• ssh and pgp keypairs
• aka keychains or keyrings
• the pair consists of a public and a private key
• ssh keyrings are used for logging into remote servers
• pgp keyrings are used to encrypt and sign files, eg emails
• you can manage all your keys from the TUI
• and from a GUI like Seahorse under Gnome on Linux

Create a SSH keypair

• ssh-keygen -t RSA -b 4096 (or 8192) plus passphrase is required these days!
• when asked the question give a file name, if you don't the resulting files are called id_rsa and id_rsa.pub. if you do then they're called filename and filename.pub
• reset the password with ssh-keygen -p
• make a backup of your .ssh directory (burn it on a cd) and write the passphrase on a piece of paper and keep the two in two separate vaults at different locations
• copy the public key to the servers where you want to start using it:
• cat ~/.ssh/filename.pub | ssh id@host -p2222 'cat >> ~/.ssh/authorized_keys'
• or use the script:
• ssh-copy-id user@host (which does not work on all unices)
• if your private key is not the standard ~/.ssh/id_rsa:
• ssh -i /path/to/private_key remoteuser@remotehost

SSH

• edit /ssh/sshd_config -> change port, although this only prevents the bruteforce scripts, with a portscanner you can quickly find which port is being used for ssh
• use fail2ban to remedy the bots
• and edit /ssh/sshd_config -> PermitRootLogin no is one option, another is PermitRootLogin keyonly
• ssh is not installed by default

ssh-add

• ssh-add /location/of/key (if you have more than one identity on a machine)
• ssh-add -l (to show your currently loaded keys)
• ssh-add -

ssh-agent

• ssh-agent is it started automatically when ubuntu starts?

ssh tunneling

• use when working in a public network

GPG

• GNU privacy guard, (Open)PGP - pretty good privacy
• used to encrypt and authenticate files
• encrypt by means of asymmetric keypairs
• authenitcate by means of digital signatures, certificates
• text files in your home directory
• or emails
• or your instant message traffic

Create a GPG keypair

using GPG with files

• gpg -e file -> to encrypt a file
• gpg -d file -> to decrypt the file

using GPG with email

• most clients have ways of encrypting messages these days
• this wiki only contains information for the Thunderbird email client
• install the the Enigmail plugin for TB