Webserver install - Part 7 - Hardening VI. - Debian Lenny

Installing SUDO


Install sudo from repository:

aptitude install sudo


Configure SUDO

A group named "wheel" will be needed to put users in it who will be able to act as root.

Create the wheel group:

addgroup --system wheel


Add "user" and "root" to the weel group:

adduser user wheel
adduser root wheel


To configure the /etc/sudoers file it is recommended to use "visudo" because it also checks syntax.


Create some rules for the wheel group. Members of wheel must type the roots password every time he uses sudo and all commands will be logged (except redirections but redirections could only be done if the destination files permissions allow it to the user). Copy the followings into the file:

# Defaults specification
Defaults:%wheel timestamp_timeout=0, runaspw
Defaults logfile=/var/log/sudolog

Copy the followings in it (the wheel group from debsrv.localdomain can run as root ALL commands):

%wheel debsrv.localdomain = (root) ALL

There should be already a line in it:

root ALL=(ALL) ALL

Modify it to this:

root debsrv.localdomain=(ALL) ALL

Save and exit than logout and log back in.

The whole file looks like this:

# /etc/sudoers
# This file MUST be edited with the 'visudo' command as root.
# See the man page for details on how to write a sudoers file.
Defaults        env_reset
#Defaults:user    timestamp_timeout=0, runaspw, passwd_tries=5
Defaults:%wheel    timestamp_timeout=0, runaspw
Defaults logfile=/var/log/sudolog
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
# User privilege specification
root    debsrv.localdomain =(ALL) ALL
# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
%wheel debsrv.localdomain = (root) ALL

To change the "su" command to "sudo su" add an alias into the /etc/profiles:

nano /etc/profiles

Insert the following line to the end

alias su='sudo su'

To test create a file in the name of root:

sudo touch test.txt
ls -l

With sudo you will have root privileges for a specific duration (in this configuration 0 secundum).

If you need to work for a longer period as root you can choose to simply use "su" or use "sudo su" or "sudo -" or "sudo -i". Almost all are the same and lets you to be root until you exit from that context.

To disable the "su root" or in a shorter way "su" command you have to lock the root user. Be careful with this, because if you set sudo to require root password and you lock root user you won't be able to login or act as root! You will lock yourself out. The way a user can be locked out:

sudo passwd -l the_user

You can unlock a user with this command:

sudo passwd -u the_user


Securing PAM

PAM (Pluggable authentication modules) is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). Basically it is good for the management of security policies regarding to access controls. It is installed as part of Debian and almost all distros. These settings are suitable for the webserver and I recommend you to read all parameters in the config files because there are way more than this in this tool.

As usually these configurations are double edged swords. If you are too restrictive you could lock yourself out of your own system, so be careful.

In this lab case this section does not matter for SSH because we do not use plaintext authentication, just certificates.



For the weak password detection the cracklib package and a dictionary are needed. Install it with aptitude:

aptitude install libpam-cracklib wamerican

Some additional packages will be installed:

cracklib-runtime libcrack2

You can check which services are enforcing limits via PAM:

find /etc/pam.d/ \! -name "*.dpkg*" | xargs -- grep limits |grep -v ":#"

The next thing is to set the /etc/security/limits.conf according to your needs. These limitations prevents too extensive resource usage. These are the basics and you can adjust them as you wish:

nano /etc/security/limits.conf

I set the followings in the file:

*                soft    core            0
*                hard    core            0
*                hard    rss             1000
*                hard    memlock         1000
*                hard    nproc           100
*                -       maxlogins       1
*                hard    data            102400
*                hard    fsize           2048
@wheel           hard    core            100000
@wheel           hard    rss             100000
@wheel           soft    nproc           2000
@wheel           hard    nproc           3000
@wheel           hard    fsize           100000
@wheel           -       maxlogins       10

The PAM config files are located under /etc/pam.d/. Check all of them and modify according to your needs. I copied here my settings which are essential:

nano /etc/pam.d/common-auth

Tally is the login counter which makes the account lockout after certain failed login attempts. And this is the double edged sword. If you set this lockout and I am a bad hacker I can lock you out just by brute-forcing continuously. So there is currently to three methods in my mind to solve this. One is to create a user with unpredictable username and very complex password which won't be locked because the hacker won't be able to guess it. The second is to use certificate based authentication as we did in this tutorial. The third is to use IP blocking before the account itself is locked out. You can do it with PSAD or OSSEC or with any IDS I guess. But for now I set the number of failed logins to 5 and the lockout time to 3600 secundums.

auth    required        pam_unix.so
auth    required        pam_tally.so onerr=fail deny=3 unlock_time=3600

Edit the account settings:

nano /etc/pam.d/common-account

I also added the lockout feature to this:

account required        pam_unix.so
account required        pam_tally.so

Tally is not compatible with the standard PAM lockout feature so it has to be disabled.

nano /etc/login.defs

I copied here my settings:

FAILLOG_ENAB           no
SULOG_FILE             /var/log/sulog
UMASK                  077
LOGIN_RETRIES          5

Continue with the files in /etc/pam.d:

nano /etc/pam.d/su

I allow only the members of wheel group to "su". This needs a group wheel and root must be the member of it (we configured this at sudo settings):

auth       sufficient pam_rootok.so
auth       required   pam_wheel.so group=wheel
session    required   pam_env.so readenv=1
session    required   pam_env.so readenv=1 envfile=/etc/default/locale
session    optional   pam_mail.so nopen
session    required   pam_limits.so
@include   common-auth
@include   common-account
@include   common-session

I want only the "user" user to be able to login and this could be set in /etc/security/access.conf:

nano /etc/security/access.conf

Just the followings should be in it:


To set the password policies edit /etc/pam.d/common-passwd. MD5 is the encryption algorithm, retry enables you to try 3 passwords before killing the process, minlen defines the passwords minimum length and difok defines the number of characters that have to be different in the password. Obscure is some precaution not letting you to choose weak passwords:

nano /etc/pam.d/common-password

The folloings should be in it:

password required       pam_cracklib.so retry=3 minlen=8 difok=3
password required       pam_unix.so use_authtok obscure md5

To close the config you have to define a file which will be the "else" case for everything else not defined previously. To do this create a file:

nano /etc/pam.d/other

And copy the followings in it:

@include common-auth
@include common-account
@include common-password
@include common-session
auth     required       pam_securetty.so
auth     required       pam_unix_auth.so
auth     required       pam_warn.so
auth     required       pam_deny.so
account  required       pam_unix_acct.so
account  required       pam_warn.so
account  required       pam_deny.so
password required       pam_unix_passwd.so
password required       pam_warn.so
password required       pam_deny.so
session  required       pam_unix_session.so
session  required       pam_warn.so
session  required       pam_deny.so

To make the changes effective you have to restart the daemon which use the config. For example:

/etc/init.d/ssh restart

Or you can simply reboot to make all changes effective






The next tutorial is: Webserver install - Part 8 - Hardening VII. - Debian Lenny