INFO1105 - Lecture 11 - Ubuntu and Red Hat Security
The root account has absolute privilege and should only be used
when necessary.
Account types
Root: The main administrator user account. UID value of 0. Permissions to access all files and directories on the system.
Standard: Used to log into the system and perform standard tasks. Assigned a $HOME directory, with permissions to store files and create subdirectories. Cannot access files outside of their $HOME directory unless given permission by the file or directory owner. UIDs start at 1000.
Service: Used for applications that start in the background, such as servers. Restricted so that they cannot log into the system by setting the password value in the shadow file to an asterisk. The login shell defined in /etc/passwd is set to /sbin/nologin to prevent shell access. UID less than 1000.
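As an added example (not from the lecture), a small shell audit that checks passwd-format entries against the three account types above: only root may hold UID 0, service accounts (UID below 1000) should carry a non-login shell, and standard users (UID 1000 and up) should have a $HOME. The sample lines are constructed, and the set of accepted non-login shells (/sbin/nologin, /usr/sbin/nologin, /bin/false) is an assumption.

```shell
#!/bin/sh
# Constructed sample passwd lines (not taken from a real system).
# "toor" and "backup" are deliberately wrong so the audit has something to flag.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# audit_passwd: reads passwd-format lines on stdin and prints one finding
# per line. Returns 1 if any finding was produced, 0 if the file is clean.
audit_passwd() {
    awk -F: '
        # Fields: name:password:UID:GID:comment:home:shell
        # Any UID 0 account other than root is a second administrator.
        $3 == 0 && $1 != "root" {
            print "UID0_NOT_ROOT " $1; bad = 1
        }
        # Service accounts must not have an interactive login shell.
        $3 > 0 && $3 < 1000 &&
        $7 != "/sbin/nologin" && $7 != "/usr/sbin/nologin" && $7 != "/bin/false" {
            print "SERVICE_WITH_SHELL " $1 " " $7; bad = 1
        }
        # Standard users are expected to be assigned a $HOME directory.
        $3 >= 1000 && $6 == "" {
            print "STANDARD_NO_HOME " $1; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# audit_file FILE: run the audit against a real passwd file, e.g. /etc/passwd
audit_file() { audit_passwd < "$1"; }

# Stand-alone run against the constructed sample
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```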
Ubuntu root account
Ubuntu and derivatives disable the root account from logging
in to minimize attack surface.
For the current user and the default key you do not need to use -i
and specify a key.
In Class Task: ssh
enforce mode: This is the default mode, and profile violations are logged
and blocked.
complain mode: Any violations of the profile are logged, but not blocked,
except in the case when deny rules exist in the profile.
Christine Bresnahan and Richard Blum, Mastering Linux System Administration, 2021
ufw status verbose
• Status: Service is running and will start on system boot (active), or the service is stopped and a system boot does not change this (disabled).
• Logging: The service's logging feature can be set to off; log all blocked packets (low), which is the default; log all blocked, invalid, no-policy-match, and new connection packets (medium) with rate limiting; log medium-log-level packets and all other packets (high) with rate limiting; and log everything with no rate limits (full).
• Default: Shows the default policy for incoming, outgoing, and routed packets, which can be set to allow the packet, drop (deny) the packet, or reject the packet and send a rejection message back.
• New profiles: Shows the default policy for automatically loading new profiles into the firewall, which can be set to ACCEPT, DROP, REJECT, or SKIP, where ACCEPT is considered a security risk.
ufw configuration
Simple syntax:
Full syntax:
ufw settings
In Class Task: ufw
ssh root lockdown
ssh logins have access to all functionality and privileges of the
logged-in user. If the root account has login enabled, an
attacker can potentially gain root access via ssh.
The root user can no longer log in over ssh, but can still log
in locally.
automatic bash logout
Setting a timeout on logins helps prevent unauthorized
access.
TMOUT=_seconds_
readonly TMOUT
In Class Task: Timeout
root:x:0:0:root:/root:/sbin/nologin
This will display the text in /etc/nologin.txt when a user tries to log
in.
getenforce
sestatus
SELinux Contexts
SELinux uses contexts to label each object in a system. The
context tells SELinux which policies to apply to each object.
Format:
user:role:type:level
firewalld zones
firewalld config
firewalld can be configured through text files, or through the
firewall-cmd program:
sudo firewall-cmd --state
default: Rejects all packets not matching the zone rules, but sends an
ICMP packet to the client indicating why.
ACCEPT: Accepts packets not matching the zone rules.
DROP: Drops packets not matching the zone rules.
%%REJECT%%: Rejects all packets not matching the zone rules.
firewall-cmd zones/rules
firewall-cmd can create a new zone: