|
|
| 第1行: |
第1行: |
| | + | #REDIRECT [[UbuntuHelp:StricterDefaults]] |
| | {{From|https://help.ubuntu.com/community/UnsafeDefaults}} | | {{From|https://help.ubuntu.com/community/UnsafeDefaults}} |
| | {{Languages|UbuntuHelp:UnsafeDefaults}} | | {{Languages|UbuntuHelp:UnsafeDefaults}} |
| − | #title Unsafe Defaults
| |
| − | While Ubuntu comes secure and ready to use, many people decide to offer other services on their computer, such as running a FTP server or Apache. The purpose of this page is to advise these users on the settings that they should probably change.
| |
| − | === Shared Memory ===
| |
| − | By default, /dev/shm is mounted read/write, with permission to execute programs. In recent years, many security mailing lists have noted many exploits where /dev/shm is used in an attack against a running service, such as httpd. Most of these exploits, however, rely on an insecure web application rather than a vulnerability in Apache or Ubuntu. There are a few reasons for it to be mounted read/write in specific configurations, such as real-time configuration of a Synaptics touchpad for laptops, but for servers and desktop installations there is no benefit to mounting /dev/shm read/write. To change this setting, edit the `/etc/fstab` file to include the following line:
| |
| − | <pre><nowiki>
| |
| − | tmpfs /dev/shm tmpfs defaults,ro 0 0
| |
| − | </nowiki></pre>
| |
| − | This will mount /dev/shm in read-only mode. If you have a good reason to keep it writable, put this line in `/etc/fstab` instead:
| |
| − | <pre><nowiki>
| |
| − | tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
| |
| − | </nowiki></pre>
| |
| − | This will mount /dev/shm writable, but without permission to execute programs and without permission to change the UID of running programs.
| |
| − | The changes will take effect the next time you reboot, unless you remount /dev/shm with the command `sudo mount -o remount /dev/shm`.
| |
| − | === SSH Default Settings ===
| |
| − | While the SSH daemon is secure enough for most people, some may wish to further enhance their security by changing certain `sshd` settings. Some settings which could be changed to enhance security are given here. All changes, unless otherwise stated, are made in the `/etc/ssh/sshd_config` file. Lines with a pound sign (`#`) are commented and not read. To edit this file from a terminal:
| |
| − | <pre><nowiki>
| |
| − | sudo vi /etc/ssh/sshd_config
| |
| − | </nowiki></pre>
| |
| − | For a Gnome editor, press Alt+F2 and use:
| |
| − | <pre><nowiki>
| |
| − | gksudo gedit /etc/ssh/sshd_config
| |
| − | </nowiki></pre>
| |
| − | For a KDE editor, press Alt+F2 and use:
| |
| − | <pre><nowiki>
| |
| − | kdesu kate /etc/ssh/sshd_config
| |
| − | </nowiki></pre>
| |
| − | Please remember, after making any changes, `sshd` must be restarted, which can be done from the terminal with this command:
| |
| − | <pre><nowiki>
| |
| − | sudo /etc/init.d/ssh restart
| |
| − | </nowiki></pre>
| |
| − | ==== SSH Root Login ====
| |
| − | By default, the SSH daemon ships with remote root logins enabled. This is a potential security risk, and so should be disabled. To disable root login, edit the `/etc/ssh/sshd_config` file and replace the following line:
| |
| − | <pre><nowiki>
| |
| − | PermitRootLogin yes
| |
| − | </nowiki></pre>
| |
| − | with this line:
| |
| − | <pre><nowiki>
| |
| − | PermitRootLogin no
| |
| − | </nowiki></pre>
| |
| − | ==== SSH Login Grace Time ====
| |
| − | The login grace time is a period of time where a user may be connected and not begin the authentication process. By default, `sshd` will allow a connected user to wait for 120 seconds (2 minutes) before starting to authenticate. This could be used to conduct a Denial of Service (DoS) or a brute force attack against a running SSH daemon. A more reasonable setting is 20 seconds. To change this, replace this line:
| |
| − | <pre><nowiki>
| |
| − | LoginGraceTime 120
| |
| − | </nowiki></pre>
| |
| − | with this line:
| |
| − | <pre><nowiki>
| |
| − | LoginGraceTime 20
| |
| − | </nowiki></pre>
| |
| − | ==== SSH Welcome Banner ====
| |
| − | The SSH daemon will allow a message to be displayed to users attempting to log in to the SSH server. To enable login messages, remove the pound sign from this line:
| |
| − | <pre><nowiki>
| |
| − | #Banner /etc/issue.net
| |
| − | </nowiki></pre>
| |
| − | so it looks like this:
| |
| − | <pre><nowiki>
| |
| − | Banner /etc/issue.net
| |
| − | </nowiki></pre>
| |
| − | Now, edit /etc/issue.net and place a warning to unauthorized users. The following is taken from the [[UbuntuHelp:AdvancedOpenSSH| Advanced OpenSSH]] page and is modified from a U.S. Department of Defense warning banner.
| |
| − | <pre><nowiki>
| |
| − | ***************************************************************************
| |
| − | NOTICE TO USERS
| |
| − |
| |
| − |
| |
| − | This computer system is the private property of its owner, whether
| |
| − | individual, corporate or government. It is for authorized use only.
| |
| − | Users (authorized or unauthorized) have no explicit or implicit
| |
| − | expectation of privacy.
| |
| − |
| |
| − | Any or all uses of this system and all files on this system may be
| |
| − | intercepted, monitored, recorded, copied, audited, inspected, and
| |
| − | disclosed to your employer, to authorized site, government, and law
| |
| − | enforcement personnel, as well as authorized officials of government
| |
| − | agencies, both domestic and foreign.
| |
| − |
| |
| − | By using this system, the user consents to such interception, monitoring,
| |
| − | recording, copying, auditing, inspection, and disclosure at the
| |
| − | discretion of such personnel or officials. Unauthorized or improper use
| |
| − | of this system may result in civil and criminal penalties and
| |
| − | administrative or disciplinary action, as appropriate. By continuing to
| |
| − | use this system you indicate your awareness of and consent to these terms
| |
| − | and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
| |
| − | conditions stated in this warning.
| |
| − |
| |
| − | ****************************************************************************
| |
| − | </nowiki></pre>
| |
| − | Once this is in place, restart `sshd` and all users will see this warning before they get the login prompt.
| |
| − | ==== SSH Allowed Users ====
| |
| − | By default, SSH will permit every user with an account to attempt to log in. To prevent this, you can use the `AllowUsers` directive. To do this, add a line like this in your sshd configuration file:
| |
| − | <pre><nowiki>
| |
| − | AllowUsers jsmith tallen
| |
| − | </nowiki></pre>
| |
| − | The `AllowUsers` directive is the list of all users that are allowed to log in through SSH. If you have a large number of users, or you intend to have a changing list of users, you can also use the `AllowGroups` directive and create a group specifically for users allowed to log in through SSH. You can add a group for this purpose with this command:
| |
| − | <pre><nowiki>
| |
| − | sudo addgroup sshlogin
| |
| − | </nowiki></pre>
| |
| − | Using the example name of 'sshlogin', you would then add this line to your sshd configuration file:
| |
| − | <pre><nowiki>
| |
| − | AllowGroups sshlogin
| |
| − | </nowiki></pre>
| |
| − | After you restart sshd, only users in the `AllowUsers` list (or users who are members of the 'sshlogin' group if you chose that method instead) will be allowed to log in through SSH.
| |
| − | === "su" program available to non-admin users ===
| |
| − | This is not necessarily a problem alone, but if there are accounts with weak passwords on the system a malicious non-admin user (or malicious software they are using) might use `su` to gain access to such accounts. To deny non-admin users access to `su`, type this in a terminal:
| |
| − | <pre><nowiki>
| |
| − | sudo chown root:admin /bin/su
| |
| − | sudo chmod 4750 /bin/su
| |
| − | </nowiki></pre>
| |
| − | ----
| |
| − | [[category:CategorySecurity]]
| |
| | | | |
| | [[category:UbuntuHelp]] | | [[category:UbuntuHelp]] |
