Wednesday, September 24, 2008

Linux Part 1: Installing Configuring Sudoers and OpenSSH

Okay, I'm going to start you off with a little advice for beginning Linux users looking to get rolling with a torrent site such as ours. Note that startup sites will most likely look for shared hosting, whereas the following advice is aimed at admins moving from a shared host to a virtual private server (VPS) or a dedicated server (dedi).

In these posts, I'll be customizing the advice for a PHP/MySQL tracker such as ours at TorrentFries. I'll also be running under the assumption that you're running Ubuntu Server Linux, specifically Hardy Heron 8.04. Additionally, these are pretty common instructions you can find at a variety of blogs across the net.

Let's just get some things straight before we get technical. If you're new-ish to Linux, I'd recommend Ubuntu. If you disagree, you don't need to be reading this anyway. Ubuntu isn't the most rock-solid distro available, it's just the easiest to administer (in my realm of experience) and it's stable enough that I've never crashed it by accident. It can also be found with most hosting companies. If not, Debian is the closest to Ubuntu and feels nearly the same.

If you're concerned, check out these survey-based distribution choosers:

Logging In


You'll find that your hosting company will give you nothing more than an IP address (or a couple if that's the case) and a root login password. This means that you'll be accessing a server via Command Line Interface (CLI) over Secure SHell (SSH).

On Windows, I recommend using PuTTY for terminal access.
On Macs, you have Terminal!

Starting Configuration

Once you're logged in, create an admin group.

groupadd admin

If the admin group already exists, that's fine. Now create the first user. The flags: -G adds the user to supplementary groups (here, admin); -s sets the login shell (bash); -d sets the home directory and -m creates it if it doesn't exist; the last argument is the username. The primary group defaults to a new group named after the user, so you only need -g if you want to override that. Don't use -p: it expects an already-hashed password, not a plaintext one, so something like -pPassword stores a "hash" nothing can ever log in with, and the word ends up in your shell history anyway. Set the password separately with passwd.

useradd -G admin -s /bin/bash -d /home/UserName -m UserName

passwd UserName

You can add any other users in this fashion.
Let's give your new user sudo access first. sudo lets you run individual commands as root without logging in as root. The sudoers file is edited with visudo, which opens the system's default editor; on Hardy that means vi(m), so you'll have to put up with it once. If you'd rather have the much easier 'nano', switch the default with update-alternatives --config editor before running visudo.

Edit: Ubuntu Intrepid Ibex (8.10) now uses nano for visudo.

visudo

Here's a quick tutorial on vi(m). Only edit the sudoers file through visudo: it locks the file against concurrent edits and checks the syntax before saving. A syntax error written any other way breaks sudo for everyone, and once root login over SSH is disabled later in this guide, a broken sudoers can lock you out of administering the box. (visudo -c checks the current file without editing it.)
Make sure your sudoers file has this in the group section:

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

Now that you have sudo access, open a second session as the new user, but keep this root session open until you've confirmed that sudo actually works from the new one (sudo -v will prompt for your password and succeed only if it does). You should now see something like

UserName@host$

instead of

root@host#

Let's use our new user from now on.
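As an added example that is not part of the original post, here is the bootstrap above as one script with the checks that are easy to skip: a syntax check of sudoers (visudo -c), a check that the %admin rule is really present and uncommented, and a sudo -v from the new account while the root session is still open. The group name and the %admin rule are the post's; the --apply flag and the file-path arguments to the check functions are this script's own conventions.

```shell
#!/bin/sh
# Added example, not from the original post: the admin-user bootstrap as one
# script, with the checks it is easy to skip. Group name "admin" and the
# %admin rule are the post's; --apply and the file-path arguments are this
# script's own conventions.
set -eu

# Succeed only if the sudoers file at $1 has an uncommented rule giving the
# admin group full sudo (%admin ALL=(ALL) ALL, spacing tolerated).
admin_rule_present() {
  grep -Eq '^[[:space:]]*%admin[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL[[:space:]]*$' "$1"
}

# Syntax-check a sudoers file the way visudo does on save (visudo -c), then
# confirm the admin rule is in it. The syntax check is skipped where visudo
# is not installed so the rule check still runs.
verify_sudoers() {
  if command -v visudo >/dev/null 2>&1; then
    visudo -c -f "$1" >/dev/null || return 1
  fi
  admin_rule_present "$1"
}

# Create the admin group if it is missing and a user in it. Root only.
# No -p: useradd -p wants an already-hashed password, so a plaintext word
# would be stored as an unusable hash (and sit in the shell history).
create_admin_user() {
  getent group admin >/dev/null || groupadd admin
  useradd -m -s /bin/bash -G admin "$1"
  passwd "$1"
}

if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run this as root" >&2; exit 1; }
  [ -n "${2:-}" ] || { echo "usage: $0 --apply USERNAME" >&2; exit 1; }
  verify_sudoers /etc/sudoers || { echo "fix /etc/sudoers with visudo first" >&2; exit 1; }
  create_admin_user "$2"
  # Prove sudo works for the new user before logging out of root:
  # sudo -v asks for the user's password and succeeds only if they may sudo.
  if su - "$2" -c 'sudo -v'; then
    echo "sudo works for $2; you can stop using root now"
  else
    echo "sudo check failed for $2; stay logged in as root and investigate" >&2
    exit 1
  fi
fi
```

Run it as root with --apply UserName from the session you already have; the rule check runs first so a broken sudoers is caught while root is still usable.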

Configuring OpenSSH


Now, let's lock down SSH. First, copy the config file so we can restore the original settings at any time.

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.original

Now, let's edit the sshd_config file with nano text editor.

sudo nano /etc/ssh/sshd_config

Look for:
LogLevel INFO

Change to:
LogLevel VERBOSE

VERBOSE logs more about each connection, including the fingerprint of any key used to authenticate, which is handy for seeing who logged in and who tried to. On Ubuntu, sshd logs to /var/log/auth.log, so grep -i sshd /var/log/auth.log | less shows the data you're collecting.

Look for:
PermitRootLogin yes

Change to:
PermitRootLogin no

Root is the one account every attacker knows exists, so this removes the most obvious brute-force target. They'll still guess at other usernames, which is why your admin accounts need strong passwords; this is a critical step, not the last one.

Look for:
LoginGraceTime 120

Change to:
LoginGraceTime 20

LoginGraceTime is how long sshd waits for a connection to finish authenticating before dropping it. Shortening it frees connection slots faster, so a flood of half-open connections is less likely to exhaust sshd's limit on unauthenticated connections. It won't slow down password guessing by itself.

If you'd like, you can move SSH off port 22. This is obscurity rather than security: it cuts the log noise from scanners that only try 22, but a port scan finds the new port immediately, so don't count it as hardening. If you do change it, make sure any firewall allows the new port before you restart. Just change the 22 to what you wish:

Port 22

Save and exit the file. Before restarting, have sshd test-parse the new file (its -t flag; it prints nothing if the file is fine), then restart OpenSSH:

sudo /etc/init.d/ssh restart

Your current session stays up; the new settings apply only to new connections. Before closing it, open a second session and confirm you can still log in. Remember that root can no longer log in over SSH: connect as your user and use sudo or su when you need root. And if you changed the port, change it in PuTTY too.
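As an added example that is not part of the original post, here are the sshd_config changes above applied as an idempotent function, so the script can be re-run without piling up duplicate lines, followed by a parse check before the restart. It handles the cases a plain find-and-replace misses: a directive that is commented out in the shipped file, one that is absent, and one that appears under a Match block. The directives and values are the post's; the 2222 port and the --apply flag are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the sshd_config changes above
# applied as an idempotent function, with a parse check before the restart.
# Directives and values are the post's; the 2222 port and --apply are this
# script's own assumptions.
set -eu

# Set directive $2 to value $3 in the sshd_config at $1.
# sshd uses the FIRST occurrence of a directive, so the first matching line
# (commented out or not) is rewritten and later copies are dropped. Lines
# under a "Match" block are left alone; a directive that is absent from the
# global section is inserted before the first Match block, or appended.
set_sshd_option() {
  awk -v k="$2" -v v="$3" '
    BEGIN { done = 0; in_match = 0 }
    tolower($0) ~ /^[ \t]*match[ \t]/ {
      if (!done) { print k " " v; done = 1 }
      in_match = 1
    }
    !in_match && tolower($0) ~ ("^[ \t]*#?[ \t]*" tolower(k) "[ \t]") {
      if (!done) { print k " " v; done = 1 }
      next
    }
    { print }
    END { if (!done) print k " " v }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the value sshd will use for directive $2 in $1: the first
# uncommented occurrence (Match overrides are per-connection and ignored here).
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The post's four changes. $2 is the listening port; 22 keeps the default.
harden_sshd_config() {
  set_sshd_option "$1" LogLevel VERBOSE
  set_sshd_option "$1" PermitRootLogin no
  set_sshd_option "$1" LoginGraceTime 20
  set_sshd_option "$1" Port "${2:-22}"
}

if [ "${1:-}" = "--apply" ]; then
  cfg=/etc/ssh/sshd_config
  [ -e "$cfg.original" ] || cp "$cfg" "$cfg.original"   # pristine copy, as the post asks
  harden_sshd_config "$cfg" "${2:-22}"
  # Parse the new file BEFORE restarting: a typo here plus a closed session
  # means a trip to the rescue console. Run this from a session you keep open.
  /usr/sbin/sshd -t -f "$cfg"
  /etc/init.d/ssh restart
fi
```

Run it as root with --apply (optionally followed by a port number) from a session you keep open, then confirm a fresh login from a second session before closing the first.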

For more info on OpenSSH, check this out.

Up next: installing and configuring LAMP.

1 comment:

Anonymous said...

Really, really useful for starters! The explanation of each command and the notes around it helped with learning.
Thanks, OnionRings!
