ShareWiz Security

By default, the root account is disabled on Ubuntu. To run anything as the root user one needs to place the command sudo before the issued command.

The root account has superuser permissions. The superuser can do almost anything on the system, which could be dangerous, as an incorrectly typed command could destroy the system.

Ideally, when a user logs onto the system they should only have sufficient privileges needed for the task at hand.

By the way, if you want to enable the root account (which is not recommended) enter the following command:

An alternative approach to disable root is to lock the account using the command:

echo -e "Root Shell Access on `tty` \n `w`" | mail -s "Alert: Root Access" sysadmin@sharewiz.net

Add additional users to the admin group, by repeating the above command for each user.

This only allows members of the admin group to run su.

This can also be achieved with:

The above settings remove super access from the root user. It also sets that the only users allowed to edit the sudoers file are members of the admin account, and the Active Directory user peter.

If Active Directory is not going to be used as part of the network, then remove those lines from the above file.

visudo is used to edit the sudoers file in a safe fashion. visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors.

The line Defaults timestamp_timeout=0 states that sudo will always ask for a password, and will no longer remember it for 15 minutes.

Replace <account> with the actual account name.

Only root should have the UID 0. Any other account with that UID is often synonymous with a backdoor.

This follows on from the previous setting of securing the default user profile.

When a new user is created, using a command such as sudo adduser username the users's profile is modeled after the contents found in the directory of /etc/skel.

Modifying the /etc/skel/.bashrc file as indicated will result in all future users being added to the system having colour prompts enabled.

These commands prevent the .bash_history file being deleted or renamed. It also appends all commands issued by the user to the file, allowing full auditing to take place.

Let your users know that their history is being logged and they will have to agree before they use your services.

Replace <account> with the actual account name.

Having the option --expiredate 1 sets the account´s expiry date to Jan 2, 1970.

passwdqc is a PAM password quality control module that checks the strength of the password.

Warning: Enabling the PAM passwdqc module will disable the PAM cracklib module.

libpam_ passwdqc is a PAM module that tests passwords to make sure they are not too weak during password change. It adds additional password entropy assistance to the standard security system.

By default, Ubuntu requires a minimum password length of 4 characters, as well as some basic entropy checks. These values are controlled in the file /etc/pam.d/common-password.

The pam_passwdqc manpage provides a lot of information, but the above essentially disallows passwords from any single character class, enforces a minimum length of 10 characters for a password from any two character classes, a minimum length of 8 characters for a passphrase, a minimum length of 8 characters for a password from any three character classes, and a minimum length of 8 characters from four character classes. The four character classes are made up of, digits, lower-case letters, upper-case letters, and other characters (such as '!' and '_') respectively. The above also enforces no passwords longer than 40 characters. The other options are clearly outlined in the pam_passwdqc man pages.

Each option can be customized to suit your environment. The above is actually less strict than the recommended default setting of "min=disabled,24,12,8,7" which can create some extremely difficult-to-crack passwords.

pam_passwdqc has no strange requirements, so even if your distribution does not provide it in packaged form, installing and compiling from source should cause no problems whatsoever.

The hashed passwords use a randomly generated salt.

These options specifiy the maximum number of days that a password may be used, the minimum number of days between password changes, the number of days warning given before a password expires, and the maximum number of login retries if a password is bad.

The LOGIN_RETRIES setting will probably be overwritten by PAM, so check the PAM settings as well.

To disable password aging for system and shared accounts, you can run the following chage command:

sudo chage -M 99999 administrator

To get password expiration information:

sudo chage -l administrator

This specifies the number of days after password expiration that the account will be disabled.

By default, user home directories in Ubuntu are created with world read/execute permissions. This means that all users can browse and access the contents of other users’ home directories.

This change results in world readable permissions being removed.

Replace <username> with the actual login name to the computer.

Restricts access by other users to another user’s home directory.

When a new user is created, the adduser utility creates a brand new home directory named /home/username, respectively. The default profile is modeled after the contents found in the directory of /etc/skel, which includes all profile basics.

If your server will be home to multiple users, you should pay close attention to the user home directory permissions to ensure confidentiality. By default, user home directories in Ubuntu are created with world read/execute permissions. This means that all users can browse and access the contents of other users’ home directories.

To verify your current users home directory permissions, use the following syntax:

The following output shows that the directory /home/username has world readable permissions:

NOTE: Some people tend to use the recursive option (-R) indiscriminately which modifies all child folders and files, but this is not necessary, and may yield other undesirable results. The parent directory alone is sufficient for preventing unauthorized access to anything below the parent.

A much more efficient approach to the matter would be to modify the adduser global default permissions when creating user home folders. Simply edit the file /etc/adduser.conf and modify the DIR_MODE variable to something appropriate, so that all new home directories will receive the correct permissions.

After correcting the directory permissions using any of the previously mentioned techniques, verify the results using the following syntax:

The results below show that world readable permissions have been removed:

Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.

Jailkit is known to be used in network security appliances from several leading IT security firms, internet servers from several large enterprise organizations, internet servers from internet service providers, as well as many smaller companies and private users that need to secure cvs, sftp, shell or daemon processes.

This is optional but recommended.

Jailkit is needed only if you want to chroot SSH users.

A lot of system accounts have the default shell of /bin/sh but as they will not be used for login purposes, we secure them further to prevent potential logins using these accounts if the system ever became compromised.

The following command can be used to determine the UID range for system accounts:

which should probably return 1000. Different Linux distributions use different UID numbers for system accounts. Debian and Ubuntu systems have system users using UIDs between 0 and 1000.

Other users accounts settings can be found in the file /etc/login.defs.