“UbuntuHelp:UnsafeDefaults”的版本间的差异
来自Ubuntu中文
小 |
小 |
||
| 第1行: | 第1行: | ||
{{From|https://help.ubuntu.com/community/UnsafeDefaults}} | {{From|https://help.ubuntu.com/community/UnsafeDefaults}} | ||
{{Languages|UbuntuHelp:UnsafeDefaults}} | {{Languages|UbuntuHelp:UnsafeDefaults}} | ||
| − | + | #title Unsafe Defaults | |
| − | |||
| − | By default, /dev/shm is mounted read/write. | + | While Ubuntu comes secure and ready to use, many people decide to offer other services on their computer, such as running a FTP server or Apache. The purpose of this page is to advise these users on the settings that they should probably change. |
| + | |||
| + | === Shared Memory === | ||
| + | By default, /dev/shm is mounted read/write, with permission to execute programs. In recent years, many security mailing lists have noted many exploits where /dev/shm is used in an attack against a running service, such as httpd. Most of these exploits, however, rely on an insecure web application rather than a vulnerability in Apache or Ubuntu. There are a few reasons for it to be mounted read/write in specific configurations, such as real-time configuration of a Synaptics touchpad for laptops, but for servers and desktop installations there is no benefit to mounting /dev/shm read/write. To change this setting, edit the `/etc/fstab` file to include the following line: | ||
<pre><nowiki> | <pre><nowiki> | ||
| − | tmpfs /dev/shm tmpfs defaults,ro 0 0 | + | tmpfs /dev/shm tmpfs defaults,ro 0 0 |
</nowiki></pre> | </nowiki></pre> | ||
| − | + | This will mount /dev/shm in read-only mode. If you have a good reason to keep it writable, put this line in `/etc/fstab` instead: | |
| + | <pre><nowiki> | ||
| + | tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0 | ||
| + | </nowiki></pre> | ||
| + | This will mount /dev/shm writable, but without permission to execute programs and without permission to change the UID of running programs. | ||
| − | + | The changes will take effect the next time you reboot, unless you remount /dev/shm with the command `sudo mount -o remount /dev/shm`. | |
| − | + | === SSH Default Settings === | |
| + | While the SSH daemon is secure enough for most people, some may wish to further enhance their security by changing certain `sshd` settings. Some settings which could be changed to enhance security are given here. All changes, unless otherwise stated, are made in the `/etc/ssh/sshd_config` file. Lines with a pound sign (`#`) are commented and not read. To edit this file from a terminal: | ||
| + | <pre><nowiki> | ||
| + | sudo vi /etc/ssh/sshd_config | ||
| + | </nowiki></pre> | ||
| + | For a Gnome editor, press Alt+F2 and use: | ||
| + | <pre><nowiki> | ||
| + | gksudo gedit /etc/ssh/sshd_config | ||
| + | </nowiki></pre> | ||
| + | For a KDE editor, press Alt+F2 and use: | ||
| + | <pre><nowiki> | ||
| + | kdesu kate /etc/ssh/sshd_config | ||
| + | </nowiki></pre> | ||
| + | Please remember, after making any changes, `sshd` must be restarted, which can be done from the terminal with this command: | ||
| + | <pre><nowiki> | ||
| + | sudo /etc/init.d/ssh restart | ||
| + | </nowiki></pre> | ||
| + | |||
| + | ==== SSH Root Login ==== | ||
| + | By default, the SSH daemon ships with remote root logins enabled. This is a potential security risk, and so should be disabled. To disable root login, edit the `/etc/ssh/sshd_config` file and replace the following line: | ||
<pre><nowiki> | <pre><nowiki> | ||
PermitRootLogin yes | PermitRootLogin yes | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | with | + | with this line: |
<pre><nowiki> | <pre><nowiki> | ||
PermitRootLogin no | PermitRootLogin no | ||
</nowiki></pre> | </nowiki></pre> | ||
| − | |||
| + | ==== SSH Login Grace Time ==== | ||
| + | The login grace time is a period of time where a user may be connected and not begin the authentication process. By default, `sshd` will allow a connected user to wait for 120 seconds (2 minutes) before starting to authenticate. This could be used to conduct a Denial of Service (DoS) or a brute force attack against a running SSH daemon. A more reasonable setting is 20 seconds. To change this, replace this line: | ||
| + | <pre><nowiki> | ||
| + | LoginGraceTime 120 | ||
| + | </nowiki></pre> | ||
| + | with this line: | ||
| + | <pre><nowiki> | ||
| + | LoginGraceTime 20 | ||
| + | </nowiki></pre> | ||
| + | |||
| + | ==== SSH Welcome Banner ==== | ||
| + | The SSH daemon will allow a message to be displayed to users attempting to log in to the SSH server. To enable login messages, remove the pound sign from this line: | ||
| + | <pre><nowiki> | ||
| + | #Banner /etc/issue.net | ||
| + | </nowiki></pre> | ||
| + | so it looks like this: | ||
| + | <pre><nowiki> | ||
| + | Banner /etc/issue.net | ||
| + | </nowiki></pre> | ||
| + | Now, edit /etc/issue.net and place a warning to unauthorized users. The following is taken from the [[UbuntuHelp:AdvancedOpenSSH| Advanced OpenSSH]] page and is modified from a U.S. Department of Defense warning banner. | ||
| + | <pre><nowiki> | ||
| + | *************************************************************************** | ||
| + | NOTICE TO USERS | ||
| + | |||
| + | |||
| + | This computer system is the private property of its owner, whether | ||
| + | individual, corporate or government. It is for authorized use only. | ||
| + | Users (authorized or unauthorized) have no explicit or implicit | ||
| + | expectation of privacy. | ||
| + | |||
| + | Any or all uses of this system and all files on this system may be | ||
| + | intercepted, monitored, recorded, copied, audited, inspected, and | ||
| + | disclosed to your employer, to authorized site, government, and law | ||
| + | enforcement personnel, as well as authorized officials of government | ||
| + | agencies, both domestic and foreign. | ||
| + | |||
| + | By using this system, the user consents to such interception, monitoring, | ||
| + | recording, copying, auditing, inspection, and disclosure at the | ||
| + | discretion of such personnel or officials. Unauthorized or improper use | ||
| + | of this system may result in civil and criminal penalties and | ||
| + | administrative or disciplinary action, as appropriate. By continuing to | ||
| + | use this system you indicate your awareness of and consent to these terms | ||
| + | and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the | ||
| + | conditions stated in this warning. | ||
| + | |||
| + | **************************************************************************** | ||
| + | </nowiki></pre> | ||
| + | Once this is in place, restart `sshd` and all users will see this warning before they get the login prompt. | ||
| + | |||
| + | ==== SSH Allowed Users ==== | ||
| + | By default, SSH will permit every user with an account to attempt to log in. To prevent this, you can use the `AllowUsers` directive. To do this, add a line like this in your sshd configuration file: | ||
| + | <pre><nowiki> | ||
| + | AllowUsers jsmith tallen | ||
| + | </nowiki></pre> | ||
| + | The `AllowUsers` directive is the list of all users that are allowed to log in through SSH. If you have a large number of users, or you intend to have a changing list of users, you can also use the `AllowGroups` directive and create a group specifically for users allowed to log in through SSH. You can add a group for this purpose with this command: | ||
| + | <pre><nowiki> | ||
| + | sudo addgroup sshlogin | ||
| + | </nowiki></pre> | ||
| + | Using the example name of 'sshlogin', you would then add this line to your sshd configuration file: | ||
| + | <pre><nowiki> | ||
| + | AllowGroups sshlogin | ||
| + | </nowiki></pre> | ||
| + | After you restart sshd, only users in the `AllowUsers` list (or users who are members of the 'sshlogin' group if you chose that method instead) will be allowed to log in through SSH. | ||
| − | + | === "su" program available to non-admin users === | |
| − | This is not a problem | + | This is not necessarily a problem alone, but if there are accounts with weak passwords on the system a malicious non-admin user (or malicious software they are using) might use `su` to gain access to such accounts. To deny non-admin users access to `su`, type this in a terminal: |
<pre><nowiki> | <pre><nowiki> | ||
sudo chown root:admin /bin/su | sudo chown root:admin /bin/su | ||
| − | sudo chmod | + | sudo chmod 4750 /bin/su |
</nowiki></pre> | </nowiki></pre> | ||
---- | ---- | ||
| − | [[category:CategorySecurity | + | [[category:CategorySecurity]] |
[[category:UbuntuHelp]] | [[category:UbuntuHelp]] | ||
2007年11月21日 (三) 17:44的版本
 |
点击翻译: |
English |
请不要直接编辑翻译本页,本页将定期与来源同步。 |
- title Unsafe Defaults
While Ubuntu comes secure and ready to use, many people decide to offer other services on their computer, such as running a FTP server or Apache. The purpose of this page is to advise these users on the settings that they should probably change.
目录
By default, /dev/shm is mounted read/write, with permission to execute programs. In recent years, many security mailing lists have noted many exploits where /dev/shm is used in an attack against a running service, such as httpd. Most of these exploits, however, rely on an insecure web application rather than a vulnerability in Apache or Ubuntu. There are a few reasons for it to be mounted read/write in specific configurations, such as real-time configuration of a Synaptics touchpad for laptops, but for servers and desktop installations there is no benefit to mounting /dev/shm read/write. To change this setting, edit the `/etc/fstab` file to include the following line:
tmpfs /dev/shm tmpfs defaults,ro 0 0
This will mount /dev/shm in read-only mode. If you have a good reason to keep it writable, put this line in `/etc/fstab` instead:
tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
This will mount /dev/shm writable, but without permission to execute programs and without permission to change the UID of running programs.
The changes will take effect the next time you reboot, unless you remount /dev/shm with the command `sudo mount -o remount /dev/shm`.
SSH Default Settings
While the SSH daemon is secure enough for most people, some may wish to further enhance their security by changing certain `sshd` settings. Some settings which could be changed to enhance security are given here. All changes, unless otherwise stated, are made in the `/etc/ssh/sshd_config` file. Lines with a pound sign (`#`) are commented and not read. To edit this file from a terminal:
sudo vi /etc/ssh/sshd_config
For a Gnome editor, press Alt+F2 and use:
gksudo gedit /etc/ssh/sshd_config
For a KDE editor, press Alt+F2 and use:
kdesu kate /etc/ssh/sshd_config
Please remember, after making any changes, `sshd` must be restarted, which can be done from the terminal with this command:
sudo /etc/init.d/ssh restart
SSH Root Login
By default, the SSH daemon ships with remote root logins enabled. This is a potential security risk, and so should be disabled. To disable root login, edit the `/etc/ssh/sshd_config` file and replace the following line:
PermitRootLogin yes
with this line:
PermitRootLogin no
SSH Login Grace Time
The login grace time is a period of time where a user may be connected and not begin the authentication process. By default, `sshd` will allow a connected user to wait for 120 seconds (2 minutes) before starting to authenticate. This could be used to conduct a Denial of Service (DoS) or a brute force attack against a running SSH daemon. A more reasonable setting is 20 seconds. To change this, replace this line:
LoginGraceTime 120
with this line:
LoginGraceTime 20
SSH Welcome Banner
The SSH daemon will allow a message to be displayed to users attempting to log in to the SSH server. To enable login messages, remove the pound sign from this line:
#Banner /etc/issue.net
so it looks like this:
Banner /etc/issue.net
Now, edit /etc/issue.net and place a warning to unauthorized users. The following is taken from the Advanced OpenSSH page and is modified from a U.S. Department of Defense warning banner.
*************************************************************************** NOTICE TO USERS This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy. Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning. ****************************************************************************
Once this is in place, restart `sshd` and all users will see this warning before they get the login prompt.
SSH Allowed Users
By default, SSH will permit every user with an account to attempt to log in. To prevent this, you can use the `AllowUsers` directive. To do this, add a line like this in your sshd configuration file:
AllowUsers jsmith tallen
The `AllowUsers` directive is the list of all users that are allowed to log in through SSH. If you have a large number of users, or you intend to have a changing list of users, you can also use the `AllowGroups` directive and create a group specifically for users allowed to log in through SSH. You can add a group for this purpose with this command:
sudo addgroup sshlogin
Using the example name of 'sshlogin', you would then add this line to your sshd configuration file:
AllowGroups sshlogin
After you restart sshd, only users in the `AllowUsers` list (or users who are members of the 'sshlogin' group if you chose that method instead) will be allowed to log in through SSH.
"su" program available to non-admin users
This is not necessarily a problem alone, but if there are accounts with weak passwords on the system a malicious non-admin user (or malicious software they are using) might use `su` to gain access to such accounts. To deny non-admin users access to `su`, type this in a terminal:
sudo chown root:admin /bin/su sudo chmod 4750 /bin/su
