A short procedure to follow after a new installation, to add some eye candy and security.
Core configuration
Locales configuration
To set up the appropriate locales on the system, that is, the ones that will be available to the users:
# dpkg-reconfigure locales
Select the locales according to the languages you want and the different encodings. The more locales you select, the longer they take to generate and the more disk space they use.
For example, to get French messages, select the locales starting with fr_FR (French from France) for all encodings. The best encoding on Unix systems is UTF-8. On the second screen, select the default language and encoding that will be used by the system, for example fr_FR.UTF-8 to get messages in French by default.
Bash configuration
When a new user is created, it gets the default configuration files that are present in the /etc/skel/ folder. However, by default the root user does not get these files. Therefore, to get a better bash shell for root, with a color prompt and auto-completion, we have to copy the .bashrc manually:
# cp /etc/skel/.bashrc $HOME
By default the bash auto-completion is activated in that file.
To activate the color prompt, uncomment line 39:
39 #force_color_prompt=yes
to get
39 force_color_prompt=yes
Some commands can use color. To use it by default, some aliases can be activated in lines 78 and following:
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    alias dir='dir --color=auto'
    alias vdir='vdir --color=auto'
    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi
Log out and log in again to activate it, or source the file to activate it in the current shell:
# source $HOME/.bashrc
Set an alias address for the root account
By default all system email is sent to the root user. However, to avoid unneeded root logins, it is a good idea to redirect this email to another account or address. For that we need to modify /etc/aliases so that it contains the following line:
root: nom@domain.com
All email sent to root will be sent to this address.
Increase the security of the system
System upgrade
# aptitude update
# aptitude dist-upgrade
To automatically receive available system upgrades by email, you need to install the apticron package:
# aptitude install apticron
The list of possible upgrades will be sent by email on a daily basis, to root by default.
fail2ban installation
fail2ban is a daemon that monitors connection attempts and temporarily blacklists an IP address after a certain number of failed connections from that address. This prevents brute-force attacks, which try all possible passwords to enter the system.
# aptitude install fail2ban
To configure it you have to edit the /etc/fail2ban/jail.conf file.
Several modules are available for fail2ban; to activate them you need to go to the end of the configuration file (around line 74). Each module is called a JAIL.
Each JAIL is set up the same way, for example for ssh:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Its name is in between [], and the enabled option is set to true to activate it. The port that has to be monitored is set with the port option, as are the log file (logpath) and the filter used to interpret it (filter). Finally, maxretry sets the number of errors allowed before an IP is banned.
By default the ssh JAIL is activated. The pam-generic JAIL blocks the user after errors in the PAM module. The ssh-ddos JAIL protects against denial-of-service attacks.
To take the new configuration into account, you need to restart the service with the following command:
# service fail2ban restart
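To make the maxretry threshold of the [ssh] JAIL concrete, the following added example (not part of fail2ban or of the original page) counts failed SSH password attempts per source address in auth.log-style lines and lists the addresses that reach the threshold. The log lines are constructed samples and the function names over_maxretry and sample_log are hypothetical; unlike fail2ban, this sketch does not apply a time window to the failures.

```shell
#!/bin/sh
# Added example: approximates the failure count kept by the [ssh] jail.

# over_maxretry LOGFILE MAXRETRY
# Prints "IP COUNT" for every source address with at least MAXRETRY
# failed sshd password attempts in LOGFILE.
over_maxretry() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Search backwards for "from": the user name comes from the
            # client and could itself contain that word.
            for (i = NF - 1; i > 0; i--)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END {
            for (ip in count)
                if (count[ip] >= max) print ip, count[ip]
        }' "$1" | sort
}

# Constructed auth.log sample (documentation-only IP addresses).
sample_log() {
    n=1
    while [ "$n" -le 6 ]; do
        echo "Mar  3 10:00:0$n host sshd[1234]: Failed password for root from 203.0.113.7 port 4000$n ssh2"
        n=$((n + 1))
    done
    echo "Mar  3 10:01:00 host sshd[1240]: Failed password for invalid user from from 198.51.100.9 port 51000 ssh2"
    echo "Mar  3 10:02:00 host sshd[1250]: Accepted password for admin from 192.0.2.10 port 52000 ssh2"
}

log=$(mktemp)
sample_log > "$log"
over_maxretry "$log" 6      # only 203.0.113.7 reaches maxretry = 6
rm -f "$log"
```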
rkhunter installation
rkhunter is a program that searches for rootkits by looking for modifications of the main programs compared to a safe state and signatures, and by identifying already known rootkits.
# aptitude install rkhunter
debsecan installation
debsecan checks for security alerts on the web that relate to the system.
# aptitude install debsecan
To configure it, run:
# dpkg-reconfigure debsecan
Select the correct distribution, so that the alerts relate to it.
Firewall configuration with ferm
See the corresponding article about ferm.
SSH connection limitation
root user without any other account on the system: you will not be able to connect to the server anymore.
First create a user (admin in this example) that will be able to connect as root after SSH connections have been deactivated for the root user.
# adduser admin
Once this is configured, SSH connections for the root user can be deactivated in the /etc/ssh/sshd_config file:
PermitRootLogin no
Restart the SSH server to take the change into account.
# /etc/init.d/ssh restart
Limitation of the su command only to certain users
The su command allows changing user in a console to execute a program. The main case is the switch to root for administration tasks. However, it can be useful to limit this possibility to certain users. By default su can be executed by any user, assuming they know the password of the targeted user. It is possible to limit this possibility to a particular group by modifying the PAM configuration file of su (/etc/pam.d/su). The following line should be uncommented:
auth required pam_wheel.so
By default, the user must belong to the root group to be able to use su. Historically, the super-user group is called wheel, hence the name of the PAM module (see [[!wikipedia Wheel_(Unix_term)]] for more info).
It is possible to change the group used as the wheel group by adding the group=group_name option to the line. Therefore, to set the adm group as the wheel group:
auth required pam_wheel.so group=adm
Then you just have to add the users you want to allow to connect as root to the correct group. For example, to add the admin user to the root group:
# adduser admin root
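Because the SSH and su restrictions above can lock every administrator out when combined carelessly, the following added example (not part of the original page) checks that root SSH login is disabled, that pam_wheel.so is active, and that the group it enforces has at least one non-root member. The function names and the sample files are constructed for illustration; the check reads only members listed in the group file and ignores primary group membership and sshd Match blocks.

```shell
#!/bin/sh
# Added example: checks to run before restarting sshd after the changes above.

# First PermitRootLogin value in the file (sshd keeps the first one it reads).
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# Group enforced by an active pam_wheel.so line: "root" when no group= option
# is given (the default described above), empty if the line is commented out.
su_group() {
    awk '$1 == "auth" && /pam_wheel\.so/ {
             g = "root"
             for (i = 1; i <= NF; i++) if ($i ~ /^group=/) g = substr($i, 7)
             print g; exit
         }' "$1"
}

# Non-root members listed for group $2 in the /etc/group-style file $1.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1" | tr ',' '\n' |
        grep -vx -e root -e ''
}

# audit SSHD_CONFIG PAM_SU GROUP_FILE: prints findings, returns 1 if any.
audit() {
    rc=0
    [ "$(root_login_setting "$1")" = "no" ] ||
        { echo "root SSH login is not disabled"; rc=1; }
    grp=$(su_group "$2")
    if [ -z "$grp" ]; then
        echo "pam_wheel.so is not active: any user may run su"; rc=1
    elif ! group_members "$3" "$grp" >/dev/null; then
        echo "group '$grp' has no non-root member: nobody could su to root"; rc=1
    fi
    return "$rc"
}

# Constructed sample files (not real system files) in directory $1.
make_samples() {
    printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$1/sshd_config"
    printf '# auth required pam_wheel.so\nauth required pam_wheel.so group=adm\n' > "$1/su"
    printf 'root:x:0:\nadm:x:4:admin\n' > "$1/group"
}

d=$(mktemp -d) && make_samples "$d"
audit "$d/sshd_config" "$d/su" "$d/group" && echo "checks passed"
rm -rf "$d"
```

On a real system the three arguments would be /etc/ssh/sshd_config, /etc/pam.d/su and /etc/group.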