Before I allow access from the Internet directly to my GuruPlug, I want to make sure it is as safe as possible. There are a few basic steps to follow, but only the first one is really necessary. The others depend on your preferences and setup.
- The root-user has a default password which has to be changed. This is the most important step and absolutely required!
- If you use wireless, make sure it is encrypted
- Disable root-access and allow other users to gain root privileges
- Know what you are doing
If you are logged in as root (which I assume you are, since no other user has root privileges yet), type
and it will ask you for your old password, the new one and a confirmation to make sure you typed correctly.
As written here, I don't use wireless right now, so I disabled it. I will of course post more later on wireless security when I need it.
Allow other users to gain root-privileges with sudo
Since I want to disable root access later, there has to be another way to execute superuser commands or edit root-owned files. The sudo command is the one I am going to set up.
At first, you have to create a new user:
$ adduser <username>
It will create the home directory and ask for a password and some information about the user. The information can be left empty (just continue by pressing ENTER).
Now, let's allow the new user to run sudo. To do that, we are going to edit the file /etc/sudoers, but not by opening it in vim directly; we have to use visudo instead!
First make sure you are connected to your GuruPlug via SSH, since I experienced some problems with visudo on minicom. One simple command
will open the required file. It looks like this:
    # /etc/sudoers
    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # See the man page for details on how to write a sudoers file.
    #

    Defaults env_reset

    # Host alias specification

    # User alias specification

    # Cmnd alias specification

    # User privilege specification
    root ALL=(ALL) ALL

    # Uncomment to allow members of group sudo to not need a password
    # (Note that later entries override this, so you might need to move
    # it further down)
    # %sudo ALL=NOPASSWD: ALL
Below the line
root ALL=(ALL) ALL
add the following line, replacing <username> with your previously created username:
<username> ALL=(ALL) ALL
Press Ctrl+O to save and Ctrl+X to exit visudo.
Now test whether everything works so far. Log in with your previously created username and run a simple command with sudo. For example, just try
$ sudo ls
and it should ask for the sudo password (which is the same as the root password). If no error shows up, your new user is ready to use sudo.
We can now execute root commands with the previously created user, so we do not need the user root any more. It is debated whether disabling root access makes the system more secure, but there are two things which I think do:
- The username root is a default username, so anyone who attacks does not have to figure out the username of a user (even though figuring out a username is not very difficult, and the password has to be strong enough anyway)
- Preventing any administrator (anyone who would log in as root) from making changes without being aware that superuser privileges are needed
The second point is the one which I think is more important, since the first one doesn't make the system that much more secure, but let's take a look at how root access can be disabled.
Using the passwd command, an account can be locked:
$ passwd -l <username>
Replace <username> with "root", log out and try to log in as root again. Now it is not even possible to log in as root over SSH.
If you ever want to activate the root user again, you have to log in as another user who can get root privileges, and then type:
$ sudo passwd -u root
and logging in with the user root should be possible again.
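To check the result of the sudo and lock steps above, the following shell functions read a shadow-format file and a sudoers-format file and report whether an account's password is locked and which users hold an `ALL=(ALL) ALL` rule. This is an added example, not part of the original post; the function names, the user "alice" and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the outcome of the steps above.
# All sample data below is constructed; "alice" is a hypothetical user.

# Print the password state of a user in a shadow-format file.
# passwd -l locks a password by prefixing the stored hash with '!'.
lock_state() {  # usage: lock_state <shadow-file> <user>
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 ~ /^[!*]/)  print "locked"
            else if ($2 == "") print "no-password"
            else               print "active"
        }
        END { if (!found) print "missing" }' "$1"
}

# List users (not %groups) that have the rule form used on this page,
# "<user> ALL=(ALL) ALL", skipping commented-out lines.
sudo_all_users() {  # usage: sudo_all_users <sudoers-file>
    awk '
        /^[ \t]*#/ { next }
        $1 !~ /^%/ && $2 == "ALL=(ALL)" && $3 == "ALL" { print $1 }' "$1"
}

# Demonstration on constructed copies of the two files.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'root:!$6$salt$hash:15000:0:99999:7:::' \
        'alice:$6$salt$hash:15000:0:99999:7:::' > "$dir/shadow"
    printf '%s\n' \
        '# User privilege specification' \
        'root ALL=(ALL) ALL' \
        'alice ALL=(ALL) ALL' \
        '# %sudo ALL=NOPASSWD: ALL' > "$dir/sudoers"
    echo "root password:  $(lock_state "$dir/shadow" root)"
    echo "alice password: $(lock_state "$dir/shadow" alice)"
    echo "full sudo:      $(sudo_all_users "$dir/sudoers" | tr '\n' ' ')"
    rm -rf "$dir"
}
demo
```

On the real system, run the functions through sudo against /etc/shadow and /etc/sudoers; `visudo -c` additionally checks the sudoers syntax.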
Know what you are doing
One of the very important things for a secure server is of course that you know what you are doing. Choose strong passwords, do not install any services if you don't really need them and use encrypted connections if necessary. It is better to test new software or services on a second server and if they run well, install and configure them on the real server.