Security

From Systerserver

Jump to: navigation, search

What we have implemented to maintain the integrity or our /home.

join mailinglists
follow the websites http://www.linuxsecurity.com/ and http://www.securityfocus.com/

SUDO

super user do
on debian install sudo as soon as you can
add admin users to sudoers file with visudo
try not to do any work on the machine as root
sudo su = sudo -, = sudo
use sudosh to log all commands typed into new shells
GKSu and GKsudo are graphical frontends to su and sudo (there are more)
https://help.ubuntu.com/community/RootSudo

SU

switch user
eg when logged in as betty, "su billy" or "su - billy" will let you log in as billy
"su root" = "su -"
"su", without any arguments implies user root
su = keep present (user) profile
su - = sources root profile

KEYRINGS

ssh and pgp keypairs
aka keychains or keyrings
the pair consists of a public and a private key
ssh keyrings are used for logging into remote servers
pgp keyrings are used to encrypt and sign files, eg emails
you can manage all your keys from the TUI
and from a GUI like Seahorse under Gnome on Linux

Create a SSH keypair

ssh-keygen -t RSA -b 4096 (or 8192) plus passphrase is required these days!
when asked the question give a file name, if you don't the resulting files are called id_rsa and id_rsa.pub. if you do then they're called filename and filename.pub
ssh-keygen -t rsa -b 2048 -f ~/.ssh/ServerName_UserName_id -C “ServerName”
then create a file on your client computer:
~/.ssh/config

  Host ServerName
  HostName fqdn.ServerName.fqdn
  IdentityFile /home/donna/.ssh/ServerName.id
  PasswordAuthentication no
  PubkeyAuthentication yes
  PreferredAuthentications publickey
  User donna
  Port 12345

chmod 600 ~/home/.ssh/config
this is very useful if you manage more than one server; use a different key pair for each
reset the password with ssh-keygen -p
make a backup of your .ssh directory (burn it on a cd) and write the passphrase on a piece of paper and keep the two in two separate vaults at different locations
copy the public key to the servers where you want to start using it:
cat ~/.ssh/filename.pub | ssh id@host -p2222 'cat >> ~/.ssh/authorized_keys'
or use the script:
ssh-copy-id user@host (which does not work on all unices)
if your private key is not the standard ~/.ssh/id_rsa:
ssh -i /path/to/private_key remoteuser@remotehost
ssh good practices: lackof.org/taggart/hacking/ssh

SSH

edit /ssh/sshd_config -> change port, although this only prevents the bruteforce scripts, with a portscanner you can quickly find which port is being used for ssh
use fail2ban to remedy the bots
and edit /etc/ssh/sshd_config -> PermitRootLogin no is one option, another is PermitRootLogin keyonly
i once spent hours editing /etc/ssh/ssh_config and couldn't figure out why nothing i did was working!
note: edit sshd_config and not ssh_config

activate key based authentication

   RSAAuthentication yes
   PubkeyAuthentication yes

disable password based authentication

   ChallengeResponseAuthentication no
   PasswordAuthentication no
   UsePAM no

restart ssh
ssh is not installed by default
http://lackof.org/taggart/hacking/ssh/

ssh-add

ssh-add /location/of/key (if you have more than one identity on a machine)
ssh-add -l (to show your currently loaded keys)
ssh-add -

ssh-agent

ssh-agent is it started automatically when ubuntu starts?

ssh tunneling

use when working in a public network

GPG

GNU privacy guard, (Open)PGP - pretty good privacy
used to encrypt and authenticate files
encrypt by means of asymmetric keypairs
authenitcate by means of digital signatures, certificates
text files in your home directory
or emails
or your instant message traffic

Navigation

SEARCH

Security

From Systerserver

Contents

SUDO

SU

KEYRINGS

Create a SSH keypair

SSH

ssh-add

ssh-agent

ssh tunneling

GPG

Create a GPG keypair

using GPG with files

using GPG with email