Line 1:
| + | #REDIRECT [[UbuntuHelp:StricterDefaults]] |
| {{From|https://help.ubuntu.com/community/UnsafeDefaults}} | | {{From|https://help.ubuntu.com/community/UnsafeDefaults}} |
| {{Languages|UbuntuHelp:UnsafeDefaults}} | | {{Languages|UbuntuHelp:UnsafeDefaults}} |
− | #title Unsafe Defaults
| |
− | While Ubuntu comes secure and ready to use, many people decide to offer other services on their computer, such as running a FTP server or Apache. The purpose of this page is to advise these users on the settings that they should probably change.
| |
− | === Shared Memory ===
| |
− | By default, /dev/shm is mounted read/write, with permission to execute programs. In recent years, many security mailing lists have noted many exploits where /dev/shm is used in an attack against a running service, such as httpd. Most of these exploits, however, rely on an insecure web application rather than a vulnerability in Apache or Ubuntu. There are a few reasons for it to be mounted read/write in specific configurations, such as real-time configuration of a Synaptics touchpad for laptops, but for servers and desktop installations there is no benefit to mounting /dev/shm read/write. To change this setting, edit the `/etc/fstab` file to include the following line:
| |
− | <pre><nowiki>
| |
− | tmpfs /dev/shm tmpfs defaults,ro 0 0
| |
− | </nowiki></pre>
| |
− | This will mount /dev/shm in read-only mode. If you have a good reason to keep it writable, put this line in `/etc/fstab` instead:
| |
− | <pre><nowiki>
| |
− | tmpfs /dev/shm tmpfs defaults,noexec,nosuid 0 0
| |
− | </nowiki></pre>
| |
− | This will mount /dev/shm writable, but without permission to execute programs and without permission to change the UID of running programs.
| |
− | The changes will take effect the next time you reboot, unless you remount /dev/shm with the command `sudo mount -o remount /dev/shm`.
| |
− | === SSH Default Settings ===
| |
− | While the SSH daemon is secure enough for most people, some may wish to further enhance their security by changing certain `sshd` settings. Some settings which could be changed to enhance security are given here. All changes, unless otherwise stated, are made in the `/etc/ssh/sshd_config` file. Lines with a pound sign (`#`) are commented and not read. To edit this file from a terminal:
| |
− | <pre><nowiki>
| |
− | sudo vi /etc/ssh/sshd_config
| |
− | </nowiki></pre>
| |
− | For a Gnome editor, press Alt+F2 and use:
| |
− | <pre><nowiki>
| |
− | gksudo gedit /etc/ssh/sshd_config
| |
− | </nowiki></pre>
| |
− | For a KDE editor, press Alt+F2 and use:
| |
− | <pre><nowiki>
| |
− | kdesu kate /etc/ssh/sshd_config
| |
− | </nowiki></pre>
| |
− | Please remember, after making any changes, `sshd` must be restarted, which can be done from the terminal with this command:
| |
− | <pre><nowiki>
| |
− | sudo /etc/init.d/ssh restart
| |
− | </nowiki></pre>
| |
− | ==== SSH Root Login ====
| |
− | By default, the SSH daemon ships with remote root logins enabled. This is a potential security risk, and so should be disabled. To disable root login, edit the `/etc/ssh/sshd_config` file and replace the following line:
| |
− | <pre><nowiki>
| |
− | PermitRootLogin yes
| |
− | </nowiki></pre>
| |
− | with this line:
| |
− | <pre><nowiki>
| |
− | PermitRootLogin no
| |
− | </nowiki></pre>
| |
− | ==== SSH Login Grace Time ====
| |
− | The login grace time is a period of time where a user may be connected and not begin the authentication process. By default, `sshd` will allow a connected user to wait for 120 seconds (2 minutes) before starting to authenticate. This could be used to conduct a Denial of Service (DoS) or a brute force attack against a running SSH daemon. A more reasonable setting is 20 seconds. To change this, replace this line:
| |
− | <pre><nowiki>
| |
− | LoginGraceTime 120
| |
− | </nowiki></pre>
| |
− | with this line:
| |
− | <pre><nowiki>
| |
− | LoginGraceTime 20
| |
− | </nowiki></pre>
| |
− | ==== SSH Welcome Banner ====
| |
− | The SSH daemon will allow a message to be displayed to users attempting to log in to the SSH server. To enable login messages, remove the pound sign from this line:
| |
− | <pre><nowiki>
| |
− | #Banner /etc/issue.net
| |
− | </nowiki></pre>
| |
− | so it looks like this:
| |
− | <pre><nowiki>
| |
− | Banner /etc/issue.net
| |
− | </nowiki></pre>
| |
− | Now, edit /etc/issue.net and place a warning to unauthorized users. The following is taken from the [[UbuntuHelp:AdvancedOpenSSH| Advanced OpenSSH]] page and is modified from a U.S. Department of Defense warning banner.
| |
− | <pre><nowiki>
| |
− | ***************************************************************************
| |
− | NOTICE TO USERS
| |
− |
| |
− |
| |
− | This computer system is the private property of its owner, whether
| |
− | individual, corporate or government. It is for authorized use only.
| |
− | Users (authorized or unauthorized) have no explicit or implicit
| |
− | expectation of privacy.
| |
− |
| |
− | Any or all uses of this system and all files on this system may be
| |
− | intercepted, monitored, recorded, copied, audited, inspected, and
| |
− | disclosed to your employer, to authorized site, government, and law
| |
− | enforcement personnel, as well as authorized officials of government
| |
− | agencies, both domestic and foreign.
| |
− |
| |
− | By using this system, the user consents to such interception, monitoring,
| |
− | recording, copying, auditing, inspection, and disclosure at the
| |
− | discretion of such personnel or officials. Unauthorized or improper use
| |
− | of this system may result in civil and criminal penalties and
| |
− | administrative or disciplinary action, as appropriate. By continuing to
| |
− | use this system you indicate your awareness of and consent to these terms
| |
− | and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
| |
− | conditions stated in this warning.
| |
− |
| |
− | ****************************************************************************
| |
− | </nowiki></pre>
| |
− | Once this is in place, restart `sshd` and all users will see this warning before they get the login prompt.
| |
− | ==== SSH Allowed Users ====
| |
− | By default, SSH will permit every user with an account to attempt to log in. To prevent this, you can use the `AllowUsers` directive. To do this, add a line like this in your sshd configuration file:
| |
− | <pre><nowiki>
| |
− | AllowUsers jsmith tallen
| |
− | </nowiki></pre>
| |
− | The `AllowUsers` directive is the list of all users that are allowed to log in through SSH. If you have a large number of users, or you intend to have a changing list of users, you can also use the `AllowGroups` directive and create a group specifically for users allowed to log in through SSH. You can add a group for this purpose with this command:
| |
− | <pre><nowiki>
| |
− | sudo addgroup sshlogin
| |
− | </nowiki></pre>
| |
− | Using the example name of 'sshlogin', you would then add this line to your sshd configuration file:
| |
− | <pre><nowiki>
| |
− | AllowGroups sshlogin
| |
− | </nowiki></pre>
| |
− | After you restart sshd, only users in the `AllowUsers` list (or users who are members of the 'sshlogin' group if you chose that method instead) will be allowed to log in through SSH.
| |
− | === "su" program available to non-admin users ===
| |
− | This is not necessarily a problem alone, but if there are accounts with weak passwords on the system a malicious non-admin user (or malicious software they are using) might use `su` to gain access to such accounts. To deny non-admin users access to `su`, type this in a terminal:
| |
− | <pre><nowiki>
| |
− | sudo chown root:admin /bin/su
| |
− | sudo chmod 4750 /bin/su
| |
− | </nowiki></pre>
| |
− | ----
| |
− | [[category:CategorySecurity]]
| |
| | | |
| [[category:UbuntuHelp]] | | [[category:UbuntuHelp]] |
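Review bot: replacing the whole page with `#REDIRECT [[UbuntuHelp:StricterDefaults]]` drops every concrete setting the page documented (the two `/dev/shm` `fstab` variants, `PermitRootLogin no`, `LoginGraceTime 20`, `Banner /etc/issue.net`, `AllowUsers`/`AllowGroups`, and the `chown root:admin` / `chmod 4750` change to `/bin/su`) without any indication in the change that the target page carries them; confirm that StricterDefaults covers the same directives before the old text is removed, or keep the sshd and fstab sections here until it does. If the content is migrated rather than redirected, the removed commands `sudo /etc/init.d/ssh restart`, `gksudo gedit` and `kdesu kate` are dated on current Ubuntu releases and should be refreshed as part of the move.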