Linux Foundation Certified System Administrator (LFCS) : Linux security (Part 4)

Within Linux, we need to keep these in mind:

Access controls: password-based authentication identifies users, which determines who can access which files.

PAM: Pluggable Authentication Modules. Used to authenticate users to programs and services.

Network security: used to allow or deny access to services listening on the Linux server. We can use iptables and firewalld to set it up.

SSH hardening: Secure Shell (SSH) is used to get access to remote servers over an unsecured network.

SELinux: it makes use of security policies to isolate applications running on the same system from each other, to protect the Linux server.

Linux user

Every user has its credentials saved in the /etc/passwd file.

Also, a group is formed from users who share the same roles/attributes. The info about the group is saved in the /etc/group file.

For example, here we have Bob and Michael, who have similar roles and work on the same system. We can group them in a Linux group called “developers” and grant them access to specific files and directories in the file system.

Each user carries a username, User ID, Group ID, home directory, and default shell.

Check it by using id <username>. If there is no group for the user yet, a group with the username is created, with the same user ID and group ID.

In my terminal,

To check default home directory and default shell, we can do this

Account types

So, we can have user accounts, which we have seen so far; we can also have superuser accounts, system accounts and service accounts.

User accounts are for normal users. Here Bob, Michael and Dave are examples of users.

Superuser accounts are for administrators with root access. Their UID is 0. The root user is an example of a superuser account.

System accounts are created during OS installation. They are used for software and services that will not run as the superuser. UIDs for these accounts are between 100 and 1000. The ssh and mail users are examples of system accounts.

Service accounts are created when services are installed in Linux. For example, an nginx service makes use of a service account called nginx.

Commands

To see details about a user, we use the id, who and last commands.

id shows the user ID, group ID, etc.; who shows who is currently logged in; last shows the most recent logins and reboots.

Switching users

Now let's talk about access. Assume Michael wants to install the nginx server.

Now he can give his user password and use the sudo command.

But does this work for everyone? No! So, who has access?

If we go to /etc/sudoers, we can see who has which access.

For example, bob has all access but sarah has reboot access.

Describing what it is

Here: %admin ALL = (ALL) ALL

Format: %<user group> <hosts> = (<user>) <command>

admin is the user group, the first ALL means all hosts, (ALL) means the command may be run as any user, and the final ALL means all commands can be used.

With sudo configured this way, we can eliminate the need to ever log in as the root user directly. We need to do this:

Access control files

All user info is saved in /etc/passwd and any user can read it, but only the root user can modify it.

Here you can see x in the password field. We can't see the actual password because it is hashed and saved in the /etc/shadow file.

All groups are saved in /etc/group.

So, this is the format

Here, comparing the format you can see the hashed password.

We can also see the groups a user is associated with. Here, we looked up bob and found that he is part of the developer group. sara is also part of that group.

Adding new user

We can create a user with the useradd command; Linux will then set the UID, group ID, etc. for the user. We can set the password with the passwd command.

Once logged in, the user (Bob) can change his password using passwd

There is also another way: set all of the values explicitly and then create the user.

Here, the user ID has been set to 109, the group ID has been set to 1009, and more!

Here, /home/robert is the home directory, /bin/bash is set as the default shell, “Mercury project member” is set as the comment for the account, and lastly the login name is bob.

Task

We will firstly create the group

sudo groupadd -g 1010 john

Here we specified the group ID with groupadd -g, followed by the group ID and then the group name.

Then create the user with useradd -u followed by the user ID, then the group ID (-g 1010), then the default shell (-s /bin/sh):

sudo useradd -u 1010 -g 1010 -s /bin/sh john

To verify whether the user and the group were created, check the last line of /etc/passwd:

Basically, /etc/passwd lists all of the users, old and new, with their user IDs.

Here we can see user name:user password:user ID (1010):group ID (1010):comment (empty here):home directory (/home/john):default shell (/bin/sh)

Here, john is the user name and x is the password, which we can't see here, although we can see the hashed password in the /etc/shadow file.

Here you can see the username:hashed password:last change:……………….

As nobody set a password at creation, the field is set to !

Let’s set it to “demo”

Now, let's check the password field.

Now, you can see the hashed password ($6$0g3fde5N$Av.r7RcZeWG3Z1PhfuEsJvSxC./cjcybZiZe94T5t3s3orW1nF3QwOlbaoIpbpD7dYc3CNxadilfCcS.2zu5k.) instead of “demo” itself

To check the group name called “john”, we use

The format is group name:password:group ID:members

So, the group for john is named “john”.

I have created another group named “bro” and user named “brocool”

You can see its info, just as we saw earlier.

So, brocool is the username, x is the password, 1011 is the user ID, 1011 is the group ID, /home/brocool is the home directory and /bin/sh is the default shell.

Let’s see the group information for brocool called “bro”

Here the group ID is 1011 and it is attached to our user brocool, so brocool is part of this group.
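As an added example (not code from the page), here is a small Python parser for the /etc/passwd, /etc/shadow and /etc/group formats described above and in the john task, run over constructed sample records. It classifies accounts by the UID ranges this page gives, reports whether the shadow field is a hash or a lock marker such as !, and resolves a user's groups the way the bob/developer lookup did.

```python
# Constructed sample records (not from a real system) in the real /etc/passwd,
# /etc/shadow and /etc/group formats this page describes.
PASSWD = """root:x:0:0:root:/root:/bin/bash
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
bob:x:1001:1001:Mercury project member:/home/bob:/bin/bash
john:x:1010:1010::/home/john:/bin/sh"""
SHADOW = """root:$6$constructed.hash.root:19000:0:99999:7:::
sshd:*:19000:0:99999:7:::
john:!:19000:0:99999:7:::"""
GROUP = """root:x:0:
bob:x:1001:
developer:x:1005:bob,sara
john:x:1010:"""

PASSWD_FIELDS = ("name", "password", "uid", "gid", "comment", "home", "shell")


def parse_passwd(text):
    """Map login name -> dict of the seven colon-separated passwd fields."""
    users = {}
    for line in text.splitlines():
        rec = dict(zip(PASSWD_FIELDS, line.split(":")))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        users[rec["name"]] = rec
    return users


def parse_shadow(text):
    """Map login name -> hashed-password field (second field of /etc/shadow)."""
    return {line.split(":")[0]: line.split(":")[1] for line in text.splitlines()}


def parse_group(text):
    """Map group name -> {'gid': int, 'members': [...]} from /etc/group lines."""
    groups = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def account_type(uid):
    """UID 0 is the superuser; 100-1000 are system accounts (page's range); else a user."""
    return "superuser" if uid == 0 else "system" if 100 <= uid <= 1000 else "user"


def password_state(hash_field):
    """'!' (never set / locked) or '*' (no login) means no usable password; '$6$' is SHA-512."""
    if not hash_field:
        return "empty"
    return "locked" if hash_field[0] in "!*" else "hashed"


def groups_of(user, users, groups):
    """Primary group (matched by passwd GID) plus every group listing the user as a member."""
    gid = users[user]["gid"]
    return sorted(g for g, rec in groups.items() if rec["gid"] == gid or user in rec["members"])
```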

Linux file permissions

Any file can have permissions in this format: owner permissions, group permissions and others' permissions.

Here we can see the owner has read, write and execute access; the group also has read, write and execute access; and finally others have read and execute access.

Now, assume you are bob and you want to check access to /home/bob/random_dir folder

Here you can see

--xrwxrwx, which means user bob has only execute access (--x), the group has read, write and execute (rwx), and other users have read, write and execute (rwx).

So, if bob wants to see what is inside /home/bob/random_dir, he can't read it.

But as he has execute access, he can enter the directory.

Now, you may ask: the group bob is part of has all access (rwx), so why can't he access it?

Because Linux checks the owner permissions first, then the group permissions, then others, and only the first matching class applies. bob is the owner, so the owner's --x is what counts for him.

Depending on the permissions, we can sum up the octal values to use them numerically later.
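The precedence rule and the octal summation above, as an added Python example (not code from the page). The mode string is the nine permission characters without the leading file-type character, and setuid/setgid/sticky bits are ignored; the /home/bob/random_dir case is constructed from the page's description.

```python
# Constructed example: how Linux picks which of the three permission classes
# applies to a user, and why bob with "--xrwxrwx" on his own directory cannot read it.
from collections import namedtuple

# mode is the 9-character string after the file-type character, e.g. "--xrwxrwx"
FileInfo = namedtuple("FileInfo", "mode owner group")


def class_bits(rwx):
    """Turn one 3-character class such as 'r-x' into its octal digit (r=4, w=2, x=1)."""
    return (4 if rwx[0] == "r" else 0) + (2 if rwx[1] == "w" else 0) + (1 if rwx[2] == "x" else 0)


def mode_to_octal(mode):
    """'rwxrwxr-x' -> '775': the octal digits of owner, group and others."""
    return "%d%d%d" % (class_bits(mode[0:3]), class_bits(mode[3:6]), class_bits(mode[6:9]))


def effective_class(info, user, user_groups):
    """Owner is checked first, then group, then others; the first match is final.
    The owner does NOT additionally get the group's rights."""
    if user == info.owner:
        return "owner"
    if info.group in user_groups:
        return "group"
    return "other"


def can(info, user, user_groups, perm):
    """True if `user` (member of `user_groups`) has permission `perm` ('r', 'w' or 'x')."""
    start = {"owner": 0, "group": 3, "other": 6}[effective_class(info, user, user_groups)]
    return perm in info.mode[start:start + 3]


# /home/bob/random_dir from the page: owner bob has only --x, group and others have rwx.
RANDOM_DIR = FileInfo("--xrwxrwx", "bob", "bob")
```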

How to change the file permissions?

Use chmod <permissions> <file name>.

For example, u means user, and u+rwx means the user will get (+ means add) read (r), write (w) and execute (x) access.

But the group (g) will get read (r) access and lose (- means remove) execute (x) access.

And others (o) lose (-) read (r), write (w) and execute (x) access.

All of this applies to test-file.

We can also use numeric (summation of octal values) method to set permissions

Here 777 sets the access for user, group and others.

The first 7 means rwx, so read, write and execute access. The same goes for the remaining 7s.

Check this example:

Here 660 means the user has 6, which is rw- (read and write), the group has 6, which is rw- (read and write), and others have 0, which is --- (no access).
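As an added example (not code from the page), this Python function applies chmod's symbolic syntax (u+rwx,g+r-x,o-rwx, as used on test-file above) or its numeric syntax (777, 660) to a starting mode and reports the resulting rwx string and octal value. It is a simplification of real chmod: a clause with no u/g/o is treated as a, and the umask is ignored.

```python
# Constructed example: interpret chmod's symbolic and numeric arguments.
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}   # bit offset of each class in the 9-bit mode
PERM_BIT = {"r": 4, "w": 2, "x": 1}


def chmod_symbolic(mode, spec):
    """Apply 'u+rwx,g+r-x,o-rwx'-style clauses to an integer mode and return the new mode."""
    for clause in spec.split(","):
        i = 0
        while i < len(clause) and clause[i] in "ugoa":
            i += 1
        classes = "ugo" if ("a" in clause[:i] or i == 0) else clause[:i]
        ops = clause[i:]
        j = 0
        while j < len(ops):                      # a clause may chain operations: g+r-x
            op, k = ops[j], j + 1
            while k < len(ops) and ops[k] in "rwx":
                k += 1
            bits = sum(PERM_BIT[p] for p in ops[j + 1:k])
            for c in classes:
                shift = WHO_SHIFT[c]
                if op == "+":
                    mode |= bits << shift
                elif op == "-":
                    mode &= ~(bits << shift)
                elif op == "=":
                    mode = (mode & ~(7 << shift)) | (bits << shift)
                else:
                    raise ValueError("bad operator %r in %r" % (op, clause))
            j = k
    return mode & 0o777


def apply_chmod(mode, spec):
    """Dispatch on the argument form: all digits means numeric (octal), otherwise symbolic."""
    return int(spec, 8) & 0o777 if spec.isdigit() else chmod_symbolic(mode, spec)


def mode_to_string(mode):
    """0o660 -> 'rw-rw----'."""
    return "".join(ch if mode & (1 << (8 - i)) else "-" for i, ch in enumerate("rwxrwxrwx"))
```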

We can also change the owner and group of a file.

Here, for test-file, the owner is set to bob and the group is set to developer.

Check other examples:

Task

We verified the information.

Then let's see what permissions the file has.

Now, the owner has rwx, group has rwx, and other users have rwx access

We need to remove writing (w) permissions from group (g) and others(o)

chmod go-w /home/bob/sports/soccer

So, here we go

SSH and SCP

SSH is used for logging into and executing commands on a remote computer. This is how you connect:

For example, to connect to devapp01

We can also choose not to use a password. Assume we want to connect to a remote server.

So, we need a key pair (public and private).

The private key remains only with you, and the public key is shared with others.

So, first we generate a keypair

Avoid giving a passphrase.

The locations of the public and private keys are also shown in the message.

Now, you need to copy the public key to the remote server.

Once done, you can connect to the remote server without any password.

So, the public key is now installed on the devapp01 server.

SCP

It allows you to copy data over SSH.

Assume you want to copy the file caleston-code.tar.gz to the devapp01 server's home directory; you can do it like this.

You can do it using SCP because we can SSH into devapp01, which we did a moment ago.

Also, to copy directories use -r, and to preserve the ownership use -p.

IP Tables

We can also limit which server can contact which, etc., using iptables. First install it on Ubuntu.

This is how it looks

Now, let's add a rule to our iptables to accept connections from source 172.16.238.187 to port 22.

We can verify it here.

What happens when another source wants to connect to DEVAPP01?

It will still work, because there is no rule that drops it yet.

If we add another rule, this time without -s, we have 2 input rules.

The first one accepts connections from the source client to port 22. The second one drops SSH connections from anywhere.

Note: iptables evaluates rules from top to bottom, and the first matching rule decides.

Let’s assume these are our tasks now

So, apply

So, final IP table

We have 3 input rules and 4 output rules

Let's work out whether a connection to caleston-hq.com over HTTPS will work.

As we have an outbound drop rule for anywhere on port 443 (HTTPS) and no preceding accept rule for the destination, the connection won't work.

To solve this issue, we need to add an accept rule.

Here we use -I to insert at the top of the chain instead of appending at the bottom; our target is caleston-hq.com's IP and the destination port is 443.

Now the accept rule has been added at the top for the HTTPS port, so traffic on port 443 to destination caleston-hq is accepted before the drop rule is reached.

Let's do another task. We have to ensure that traffic on port 5432 on the DB server is only accepted when the source is the DEVAPP01 server.

So, we add an accept rule for incoming traffic from the DEVAPP01 (172.16.238.10) server to the DB server (devdb01).

Then we drop other traffic coming from different servers.

This is how the iptables rules might look.

It can also be:
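The rule sets from this section, written out as an added example in iptables-save format (the text that iptables-save prints and iptables-restore reads), not copied from the page's screenshots. Rule order in this format is the order the chain is evaluated in, so an accept rule that was inserted with -I appears above the drop rule it must beat; the caleston-hq address is a placeholder because the page does not give it.

```text
# --- DEVAPP01 (172.16.238.10): SSH only from the client, HTTPS only to caleston-hq ---
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Accept from the client first (added with -A), then the catch-all drop appended after it.
-A INPUT -s 172.16.238.187/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
# The HTTPS accept was added with -I, so it sits ABOVE the existing 443 drop and matches first.
# <CALESTON_HQ_IP> is a placeholder; replace it with the resolved address.
-A OUTPUT -d <CALESTON_HQ_IP>/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j DROP
COMMIT

# --- devdb01 (separate file on the DB server): port 5432 only from DEVAPP01 ---
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 172.16.238.10/32 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j DROP
COMMIT
```

Swapping the two lines of either pair would make the drop match first and silently block the allowed source, which is the top-to-bottom point the section makes.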

Cronjobs

Assume that every day at 9 PM Michael logs in to the system and writes the uptime result to the /temp/system-report.txt file.

Isn't that boring, logging in every day for this?

To solve this, we can run a cron job that does the task at 9 PM daily. It is run by the crond service.

This is how we add the job:

21 for 9 PM, and then the command.

Let's understand how it works.

To run a job every day, every month and on any weekday, we set those fields to a star.

To run on every minute, every hour, every day, every month and every weekday, set everything to star

So, this is what we did earlier.

To verify whether it ran at the time we set, check this.

Check more examples:

Task

The weekday count starts from Monday.

So, 11 23 2 /usr/local/bin/system-identifier.sh is the job for bob

Task

Open the crontab editor

Let's add our line at the end:

0 6 1 * * /usr/local/bin/last-reboot.sh

Done!!

Task

Use step values for the minute column (*/30), or

specify the minute column as 00,30; both mean at minute zero and then at minute 30.
To sum up, add this to the crontab:
*/30 * * * * /usr/local/bin/system-debugger.sh

Done!
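To check the crontab lines from the tasks above without waiting for them to fire, here is an added Python matcher for the five time fields (not code from the page). It handles *, single values, ranges, lists such as 00,30 and steps such as */30, uses cron's day numbering (Sunday is 0 or 7, Monday is 1), and implements the Vixie cron rule that when both the day-of-month and day-of-week fields are restricted the job runs if either matches; names such as "mon" or "@daily" are not supported.

```python
# Constructed example: a matcher for the five crontab time fields, to check
# when a line such as "*/30 * * * * /usr/local/bin/system-debugger.sh" fires.
from datetime import datetime

# Allowed (min, max) per field: minute, hour, day of month, month, day of week.
FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))


def field_matches(field, value, lo, hi):
    """True if one field ('*', '5', '1-5', '00,30', '*/30', '1-5/2') selects `value`."""
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = int(rng)
            end = hi if step > 1 else start  # "5/2" means 5, 7, 9, ... up to the max
        if start <= value <= end and (value - start) % step == 0:
            return True
    return False


def parse_job(line):
    """Split a crontab line into its five time fields and the command string."""
    parts = line.split(None, 5)
    if len(parts) != 6:
        raise ValueError("expected 5 time fields and a command: %r" % line)
    return parts[:5], parts[5]


def job_fires_at(line, when):
    """Would the crontab line fire at datetime `when`? Cron has Sunday=0 (or 7), Monday=1."""
    f, _cmd = parse_job(line)
    dow = (when.weekday() + 1) % 7  # datetime has Monday=0; cron has Monday=1, Sunday=0
    minute_ok = field_matches(f[0], when.minute, *FIELD_RANGES[0])
    hour_ok = field_matches(f[1], when.hour, *FIELD_RANGES[1])
    dom_ok = field_matches(f[2], when.day, *FIELD_RANGES[2])
    month_ok = field_matches(f[3], when.month, *FIELD_RANGES[3])
    dow_ok = field_matches(f[4], dow, 0, 7) or (dow == 0 and field_matches(f[4], 7, 0, 7))
    # Vixie cron quirk: when BOTH day fields are restricted, the job runs if EITHER matches.
    day_ok = (dom_ok or dow_ok) if (f[2] != "*" and f[4] != "*") else (dom_ok and dow_ok)
    return minute_ok and hour_ok and month_ok and day_ok
```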