Installing SUDO
Install sudo from repository:
aptitude install sudo
Configure SUDO
A group named "wheel" is needed; the users placed in it will be able to act as root.
Create the wheel group:
addgroup --system wheel
Add "user" and "root" to the wheel group:
adduser user wheel
adduser root wheel
To configure the /etc/sudoers file it is recommended to use "visudo", because it also checks the syntax before saving.
visudo
Create some rules for the wheel group. Members of wheel must type root's password every time they use sudo, and all commands will be logged (except redirections, but a redirection can only succeed if the destination file's permissions allow it for the user). Copy the following into the file:
# Defaults specification
Defaults:%wheel timestamp_timeout=0, runaspw
Defaults logfile=/var/log/sudolog
Copy the following into it (the wheel group on debsrv.localdomain can run all commands as root):
%wheel debsrv.localdomain = (root) ALL
There should already be a line in it:
root ALL=(ALL) ALL
Modify it to this:
root debsrv.localdomain=(ALL) ALL
Save and exit, then log out and log back in.
The whole file looks like this:
# /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the man page for details on how to write a sudoers file.
#

Defaults env_reset
#Defaults:user timestamp_timeout=0, runaspw, passwd_tries=5
#
Defaults:%wheel timestamp_timeout=0, runaspw
Defaults logfile=/var/log/sudolog

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root debsrv.localdomain =(ALL) ALL

# Uncomment to allow members of group sudo to not need a password
# (Note that later entries override this, so you might need to move
# it further down)
# %sudo ALL=NOPASSWD: ALL

%wheel debsrv.localdomain = (root) ALL
To make the "su" command run "sudo su" add an alias to /etc/profiles:
nano /etc/profiles
Insert the following line at the end:
alias su='sudo su'
To test, create a file owned by root:
sudo touch test.txt
ls -l
With sudo you have root privileges for a specific duration (in this configuration 0 seconds).
If you need to work as root for a longer period you can simply use "su", or use "sudo su", "sudo -" or "sudo -i". These are almost all the same and let you stay root until you exit from that context.
To disable the "su root" command (or "su" for short) you have to lock the root user. Be careful with this: if you set sudo to require the root password and you lock the root user, you won't be able to log in or act as root at all. You will lock yourself out. A user can be locked like this:
sudo passwd -l the_user
You can unlock a user with this command:
sudo passwd -u the_user
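As an added example (not code from the tutorial): the logfile enabled above with Defaults logfile=/var/log/sudolog is only useful if someone reads it, so the script below summarizes it. The log lines are constructed for the demo in sudo's logfile format (assumed: "date : user : fields ; ... ; COMMAND=..."), and the last check flags escalations to an interactive root shell, because what is typed after "sudo su" or "sudo -i" never reaches this logfile.

```shell
#!/bin/sh
# Added example, not from the tutorial: summarize the sudo logfile enabled by
# "Defaults logfile=/var/log/sudolog". The lines below are constructed for
# the demo in sudo's logfile format (assumption: date : user : fields ; ...).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 : user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/touch test.txt
Mar  3 10:02:40 : user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/bin/su
Mar  3 10:05:02 : user : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/user ; USER=root ; COMMAND=/bin/bash
Mar  3 10:06:15 : guest : command not allowed ; TTY=pts/2 ; PWD=/home/guest ; USER=root ; COMMAND=/bin/ls /root
EOF

# Lines of successful invocations only (both failure markers filtered out).
sudo_ok_lines() {
    grep -v -e 'incorrect password' -e 'command not allowed' "$1"
}

# Number of commands sudo actually ran.
sudo_ok_count() {
    sudo_ok_lines "$1" | grep -c 'COMMAND='
}

# "user count" for every user with at least one refused invocation.
sudo_failures() {
    awk -F' : ' '/incorrect password|command not allowed/ { n[$2]++ }
                 END { for (u in n) print u, n[u] }' "$1" | sort
}

# Escalations to an interactive root shell: whatever is typed after
# "sudo su" or "sudo -i" never reaches the sudo logfile, so these lines
# deserve a closer look in the other logs.
sudo_root_shells() {
    sudo_ok_lines "$1" | grep -c -E 'COMMAND=(/bin/su|/bin/sh|/bin/bash|/bin/dash)( |$)'
}

echo "commands run through sudo: $(sudo_ok_count "$SAMPLE_LOG")"
echo "refused attempts per user:"
sudo_failures "$SAMPLE_LOG"
echo "interactive root shells:   $(sudo_root_shells "$SAMPLE_LOG")"
```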
Securing PAM
PAM (Pluggable Authentication Modules) is a mechanism that integrates multiple low-level authentication schemes into a high-level application programming interface (API). Basically it is good for managing the security policies regarding access control. It is installed as part of Debian and almost all distributions. These settings are suitable for the webserver, and I recommend you read all the parameters in the config files because there are many more than the ones covered here.
As usual, these configurations are double-edged swords. If you are too restrictive you could lock yourself out of your own system, so be careful.
In this lab this section does not matter for SSH, because we do not use plaintext (password) authentication, just certificates.
Requirements
For weak password detection the cracklib package and a dictionary are needed. Install them with aptitude:
aptitude install libpam-cracklib wamerican
Some additional packages will be installed as dependencies:
cracklib-runtime libcrack2
You can check which services enforce limits via PAM:
find /etc/pam.d/ \! -name "*.dpkg*" | xargs -- grep limits |grep -v ":#"
The next thing is to set /etc/security/limits.conf according to your needs. These limits prevent excessive resource usage. These are the basics and you can adjust them as you wish:
nano /etc/security/limits.conf
I set the following in the file:
* soft core 0
* hard core 0
* hard rss 1000
* hard memlock 1000
* hard nproc 100
* - maxlogins 1
* hard data 102400
* hard fsize 2048
@wheel hard core 100000
@wheel hard rss 100000
@wheel soft nproc 2000
@wheel hard nproc 3000
@wheel hard fsize 100000
@wheel - maxlogins 10
The PAM config files are located under /etc/pam.d/. Check all of them and modify them according to your needs. I copied here my settings, which are the essential ones:
nano /etc/pam.d/common-auth
Tally is the login counter that locks the account after a certain number of failed login attempts. And this is the double-edged sword: if you set this lockout and I am a bad hacker, I can lock you out just by brute-forcing continuously. So there are currently three methods in my mind to solve this. One is to create a user with an unpredictable username and a very complex password, which won't be locked because the hacker won't be able to guess it. The second is to use certificate-based authentication as we did in this tutorial. The third is to use IP blocking before the account itself is locked out. You can do it with PSAD or OSSEC or with any IDS I guess. But for now I set the number of failed logins to 5 and the lockout time to 3600 seconds.
auth required pam_unix.so
auth required pam_tally.so onerr=fail deny=3 unlock_time=3600
Edit the account settings:
nano /etc/pam.d/common-account
I also added the lockout feature to this:
account required pam_unix.so
account required pam_tally.so
Tally is not compatible with the standard login failure counting, so that has to be disabled in /etc/login.defs.
nano /etc/login.defs
I copied here my settings:
FAILLOG_ENAB no
SULOG_FILE /var/log/sulog
UMASK 077
LOGIN_RETRIES 5
ENCRYPT_METHOD SHA256
SHA_CRYPT_MIN_ROUNDS 5000
SHA_CRYPT_MAX_ROUNDS 5000
Continue with the files in /etc/pam.d:
nano /etc/pam.d/su
I allow only members of the wheel group to "su". This needs the wheel group, and root must be a member of it (we configured this in the sudo settings):
auth sufficient pam_rootok.so
auth required pam_wheel.so group=wheel
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_mail.so nopen
session required pam_limits.so
@include common-auth
@include common-account
@include common-session
I want only the "user" user to be able to log in, and this can be set in /etc/security/access.conf:
nano /etc/security/access.conf
Just the following should be in it:
-:ALL EXCEPT user:LOCAL
To set the password policies edit /etc/pam.d/common-password. md5 selects the MD5 password hashing algorithm, retry lets you try 3 passwords before the process gives up, minlen defines the password's minimum length and difok defines the number of characters that have to differ from the old password. Obscure is an extra precaution that does not let you choose weak passwords:
nano /etc/pam.d/common-password
The following should be in it:
password required pam_cracklib.so retry=3 minlen=8 difok=3
password required pam_unix.so use_authtok obscure md5
To close the configuration you have to define a file that is the "else" case for every service not defined previously. To do this create a file:
nano /etc/pam.d/other
And copy the following into it:
@include common-auth
@include common-account
@include common-password
@include common-session
auth required pam_securetty.so
auth required pam_unix_auth.so
auth required pam_warn.so
auth required pam_deny.so
account required pam_unix_acct.so
account required pam_warn.so
account required pam_deny.so
password required pam_unix_passwd.so
password required pam_warn.so
password required pam_deny.so
session required pam_unix_session.so
session required pam_warn.so
session required pam_deny.so
To make the changes effective you have to restart the daemon that uses the config. For example:
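Lockouts and deny rules are easy to lose in a later package upgrade, so here is an added example (not code from the tutorial) that audits an /etc/pam.d-style directory for the rules set in this section: the pam_tally lockout in common-auth, minlen in common-password, the wheel restriction in su and the pam_deny fallback in other. PAMDIR is a constructed sample built from the tutorial's own lines; pass /etc/pam.d to audit_pam to check the live system.

```shell
#!/bin/sh
# Added example, not part of the tutorial: audit an /etc/pam.d-style directory
# for the hardening rules described above. PAMDIR is a constructed sample
# built from the tutorial's own lines, so the demo never touches /etc/pam.d.
PAMDIR=$(mktemp -d)
cat > "$PAMDIR/common-auth" <<'EOF'
auth required pam_unix.so
auth required pam_tally.so onerr=fail deny=3 unlock_time=3600
EOF
cat > "$PAMDIR/common-password" <<'EOF'
password required pam_cracklib.so retry=3 minlen=8 difok=3
password required pam_unix.so use_authtok obscure md5
EOF
cat > "$PAMDIR/su" <<'EOF'
auth sufficient pam_rootok.so
auth required pam_wheel.so group=wheel
EOF
cat > "$PAMDIR/other" <<'EOF'
auth required pam_deny.so
account required pam_deny.so
password required pam_deny.so
session required pam_deny.so
EOF

# has_rule DIR FILE REGEX: true if an uncommented line of DIR/FILE matches REGEX.
has_rule() {
    grep -v '^[[:space:]]*#' "$1/$2" 2>/dev/null | grep -q -E "$3"
}

# check NAME FILE REGEX: print one finding; uses $dir, counts misses in $failed.
check() {
    if has_rule "$dir" "$2" "$3"; then echo "ok   $1"
    else echo "FAIL $1"; failed=$((failed + 1)); fi
}

# audit_pam DIR: run every check, return the number of failed ones.
audit_pam() {
    dir=$1; failed=0
    check "lockout after failed logins"  common-auth     'pam_tally\.so.*deny=[0-9]+.*unlock_time=[0-9]+'
    check "minimum password length >= 8" common-password 'pam_cracklib\.so.*minlen=([89]|[1-9][0-9]+)'
    check "su restricted to group wheel" su              'pam_wheel\.so.*group=wheel'
    for t in auth account password session; do
        check "default deny for $t"      other           "^$t[[:space:]]+required[[:space:]]+pam_deny\.so"
    done
    return "$failed"
}

if audit_pam "$PAMDIR"; then echo "all checks passed"; else echo "$? check(s) failed"; fi
```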
/etc/init.d/ssh restart
Or you can simply reboot to make all changes effective:
reboot
Links:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/old/pam-6.html
http://www.linuxsecurity.com/resource_files/host_security/securing-debian-howto/ap-checklist.en.html
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html
http://aplawrence.com/Basics/sudo.html
The next tutorial is: Webserver install - Part 8 - Hardening VII. - Debian Lenny