
UbuntuHelp:UnsafeDefaults

From Ubuntu中文

Revision by Oneleaf (talk | contribs) as of 11:33, 13 May 2007 (Sunday) (New page: {{From|https://help.ubuntu.com/community/UnsafeDefaults}} {{Languages|php5}} ...)


While Ubuntu comes secure and ready to use, many people decide to offer other services on their computer, such as running an FTP server or Apache. The purpose of this page is to advise these users on the settings that they should probably change.

==== Shared Memory ====

By default, /dev/shm is mounted read/write. Many security mailing lists have recently noted an uptick in /dev/shm being used in attacks against running services such as httpd. There is almost no reason for it to be mounted read/write. To change this setting, edit the /etc/fstab file to include the following line:

<pre>
tmpfs     /dev/shm     tmpfs     defaults,ro     0 0
</pre>
The change takes effect at the next reboot, or as soon as you remount /dev/shm.

==== SSH Root Login ====

This is not a major issue, as even OpenBSD ships with root login permitted (though the documentation suggests removing it), and Ubuntu does not ship with root enabled by default.  However, in many environments it is standard procedure to create a root account, even if it is never used.  '''If''' a root account is created, and you are running sshd, edit the '''/etc/ssh/sshd_config''' file and replace the following line:
<pre>
PermitRootLogin yes
</pre>
with
<pre>
PermitRootLogin no
</pre>
The OpenSSH server must be restarted for this to take effect, which can be done with: <code>sudo /etc/init.d/ssh restart</code>


==== "su" program available to non-admin users ====
This is not a problem in itself, but if there are accounts with weak passwords on the system, then malicious non-admin users (or malicious software they are running) might use su to gain access to such accounts. To deny non-admin users access to "su", type this in a terminal:
<pre>
sudo chown root:admin /bin/su
sudo chmod 04750 /bin/su
</pre>
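
The following is an added example, not part of the original page: a read-only shell audit of the three settings above (the /dev/shm entry in /etc/fstab, PermitRootLogin in /etc/ssh/sshd_config, and the mode of /bin/su). The function names and the OK/WARN output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only audit of the three settings discussed on this page.
# Function names and the OK/WARN output format are illustrative assumptions.

# Succeeds if FSTAB ($1) has a /dev/shm entry whose option list contains "ro".
# Options are compared whole, so "rw" or "remount-ro" do not count.
shm_is_ro() {
    awk '$1 !~ /^#/ && $2 == "/dev/shm" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1
         }
         END { exit !found }' "$1"
}

# Prints the PermitRootLogin value from CONFIG ($1). sshd keywords are
# case-insensitive and the first occurrence wins; commented lines are skipped.
# Prints "unset" if there is none. Match blocks are not evaluated.
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeeds if FILE ($1) has exactly mode 4750, the mode this page sets on su.
# Uses GNU stat, as shipped with Ubuntu.
su_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "4750" ]
}

# audit FSTAB SSHD_CONFIG SU_BINARY: print one OK/WARN line per check.
audit() {
    if shm_is_ro "$1"; then echo "OK   /dev/shm is read-only in $1"
    else echo "WARN /dev/shm is not read-only in $1"; fi
    prl=$(root_login_setting "$2")
    if [ "$prl" = "no" ]; then echo "OK   PermitRootLogin no in $2"
    else echo "WARN PermitRootLogin is '$prl' in $2"; fi
    if su_mode_ok "$3"; then echo "OK   $3 is mode 4750 ($(stat -c '%U:%G' "$3"))"
    else echo "WARN $3 is mode $(stat -c '%a' "$3"), expected 4750"; fi
}

# Usage: sh audit.sh /etc/fstab /etc/ssh/sshd_config /bin/su
if [ "$#" -eq 3 ]; then audit "$@"; fi
```

The fstab and sshd_config checks read the configuration files only, so they report what applies after the next reboot, remount or sshd restart, not necessarily the live state.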


[[category:UbuntuHelp]]