From NNLUG Wiki
Security
What are the basic things I need to know about securing my Ubuntu?
- Read #General Notes
- Ensure hard drive is first in BIOS boot-up sequence
  - To prevent trespassers from using a Linux installation CD, which allows them to gain root user access
  - To prevent trespassers from using a Linux Live CD (e.g. UBUNTU/KNOPPIX/MEPIS), which allows them to destroy/browse/share the entire hard drive
  - To prevent trespassers from installing another operating system
- Ensure a password is set for BIOS
  - To prevent trespassers from changing the BIOS boot-up sequence
- Ensure computer is located in a secure place
  - To prevent trespassers from removing the computer's hard drive, which allows them to destroy/browse/share the entire hard drive from a different computer
  - To prevent trespassers from removing the computer's on-board battery, which resets the BIOS password
- Ensure passwords used on the system cannot be easily guessed
  - To prevent trespassers from cracking the password file using brute force attacks (e.g. John the Ripper)
  - Create passwords with a minimum length of 8 characters
  - Create passwords with a mixture of characters/numbers, and upper/lower case
- Ensure interactive editing control for GRUB menu is disabled
- Ensure history listing is disabled in Console mode
- Ensure Ctrl+Alt+Del is disabled in Console mode
- Ensure interactive option is set for remove, copy and move of files/folders in Console mode
- For day to day usage, log in as a normal user
- Disable root user account, use "sudo" instead
  - To reduce the amount of time spent with root privileges, and thus the risk of inadvertently executing a command as root
  - "sudo" provides a more useful audit trail (/var/log/auth.log)
  - Read #How to disable root user account
- Install a Firewall
- Perform vulnerability test
How to disable interactive editing control for GRUB menu
grub
grub> md5crypt
Password: ****** (ubuntu)
Encrypted: $1$ZWnke0$1fzDBVjUcT1Mpdd4u/T961 (encrypted password)
grub> quit
sudo cp /boot/grub/menu.lst /boot/grub/menu.lst_backup
sudo gedit /boot/grub/menu.lst
...
## password ['--md5'] passwd
# If used in the first section of a menu file, disable all interactive editing
# control (menu entry editor and command-line) and entries protected by the
# command 'lock'
# e.g. password topsecret
# password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
# password topsecret
...
- Add the following line below it
password --md5 $1$ZWnke0$1fzDBVjUcT1Mpdd4u/T961 (encrypted password above)
...
title Ubuntu, kernel 2.6.10-5-386 (recovery mode)
root (hd0,1)
kernel /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
initrd /boot/initrd.img-2.6.10-5-386
savedefault
boot
...
- Replace with the following lines
#title Ubuntu, kernel 2.6.10-5-386 (recovery mode)
#root (hd0,1)
#kernel /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
#initrd /boot/initrd.img-2.6.10-5-386
#savedefault
#boot
How to disable history listing in Console mode
rm -f $HOME/.bash_history
touch $HOME/.bash_history
chmod 000 $HOME/.bash_history
How to disable Ctrl+Alt+Del from restarting computer in Console mode
sudo cp /etc/inittab /etc/inittab_backup
sudo gedit /etc/inittab
...
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
...
- Replace with the following line
#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
sudo telinit q
How to enable prompt before removal/overwriting of files/folders in Console mode
sudo cp /etc/bash.bashrc /etc/bash.bashrc_backup
sudo gedit /etc/bash.bashrc
- Append the following lines at the end of file
alias rm='rm -i'
alias cp='cp -i'
alias mv='mv -i'
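
Once the edits above are made, they can be checked mechanically. The script below is an added example, not part of the original wiki page: the function names and the sample files are constructed for illustration, and on a real system `audit` would be given /boot/grub/menu.lst, /etc/inittab and /etc/bash.bashrc.

```sh
# Added example (not from the wiki page); function names and sample files are constructed.
# Uncommented "password" line before the first "title", i.e. in the first section of menu.lst.
check_grub_password() {
    awk '/^[ \t]*title([ \t]|$)/ { exit }
         /^[ \t]*password[ \t]/  { found = 1; exit }
         END { exit !found }' "$1"
}
# No active kernel line carrying the "single" (recovery mode) argument.
check_no_recovery_entry() { ! grep -Eq '^[[:space:]]*kernel[[:space:]].*[[:space:]]single([[:space:]]|$)' "$1"; }
# No uncommented ctrlaltdel action in inittab (format id:runlevels:action:process).
check_ctrlaltdel_disabled() { ! grep -Eq '^[[:space:]]*[^#[:space:]][^:]*:[^:]*:ctrlaltdel:' "$1"; }
# rm, cp and mv are each aliased to their -i form.
check_interactive_aliases() {
    for cmd in rm cp mv; do
        grep -Eq "^[[:space:]]*alias[[:space:]]+$cmd='$cmd -i'" "$1" || return 1
    done
}
# audit MENU_LST INITTAB BASHRC: report each failed check, return the number of failures.
audit() {
    fails=0
    check_grub_password "$1"       || { echo "FAIL: no GRUB password in $1"; fails=$((fails + 1)); }
    check_no_recovery_entry "$1"   || { echo "FAIL: active recovery entry in $1"; fails=$((fails + 1)); }
    check_ctrlaltdel_disabled "$2" || { echo "FAIL: ctrlaltdel active in $2"; fails=$((fails + 1)); }
    check_interactive_aliases "$3" || { echo "FAIL: rm/cp/mv -i aliases missing in $3"; fails=$((fails + 1)); }
    echo "$fails of 4 checks failed"
    return "$fails"
}

# Constructed sample files: "hardened" follows the page, "stock" is the unedited state.
d=$(mktemp -d)
cat > "$d/menu.hardened" <<'EOF'
password --md5 $1$ZWnke0$1fzDBVjUcT1Mpdd4u/T961
title Ubuntu, kernel 2.6.10-5-386
kernel /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro quiet splash
#kernel /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
EOF
cat > "$d/menu.stock" <<'EOF'
# password --md5 $1$gLhU0/$aW78kHK1QfV3P2b2znUoe/
title Ubuntu, kernel 2.6.10-5-386 (recovery mode)
kernel /boot/vmlinuz-2.6.10-5-386 root=/dev/hda2 ro single
EOF
echo '#ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now' > "$d/inittab.hardened"
echo 'ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now' > "$d/inittab.stock"
printf "alias rm='rm -i'\nalias cp='cp -i'\nalias mv='mv -i'\n" > "$d/bashrc.hardened"
echo "alias rm='rm -i'" > "$d/bashrc.stock"

audit "$d/menu.hardened" "$d/inittab.hardened" "$d/bashrc.hardened" || true
audit "$d/menu.stock" "$d/inittab.stock" "$d/bashrc.stock" || true
```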