Installing Linux

Post-Install

The system is installed: now what?

We’re not done yet

We need to:

• Make users and groups
• Assign and drop privileges
• Secure the system on the network
• Install basic utilities
• Make this a usable system

Users and Groups

• *NIX access control based on user/group paradigm - ACLs
• Can be extended to RBAC using things like SELinux (NSA, so you know it’s legit)
• Role-Based Access Control - for example, AWS IAM
• Regular User/Groups -> filesystem and execution permissions
• Files are owned by users/groups, and opened/executed with the privileges of the executing program
• A virtual terminal is opened by /bin/login (exec’d as root, since it was started by /sbin/init), then changes users to you and launches your shell (e.g. /bin/zsh) as you, and then your shell is the parent process of any programs you start

Why is this important?

Users and Groups from a Security Standpoint

• The root user (uid/gid 0) has all permissions in the ‘classical’ UNIX permissions system - the root user can execute arbitrary programs, read any file, etc.
• If a program running as uid 0 gets exploited, what does this mean?
• The kernel controls access to files and processes based on uids and gids
• the kernel raises EACCES (“Permission Denied”) system error if you don’t have the right one
• These checks occur in privileged kernel memory - the CPU itself disallows memory accesses to other memory when not in kernel mode, by using protection rings.
• Ring 3: user mode, Ring 0: supervisor mode

Almost all hardware/kernel protections are negated if the root user is compromised

Making Users

• Users: call `useradd` or friendly `adduser`
• Options: create home directory, set shell, add to groups, set expire time, etc.
• Adds an entry to /etc/passwd containing GECOS information
• Use `passwd` to set passwords - adds hashed password to /etc/shadow

Managing Users

• List users by `cat /etc/passwd`, `getent passwd`, etc.
• Delete users by doing `userdel`
• Be wary of deleting users - file ownership is governed by uid, and newly created users claim the next available UID. Make sure to fix file permissions when doing this.
• System users: UIDs in the SYS_UID range, usually for daemons and such things (e.g. www-data, nobody)

Making and Managing Groups

• Users by default have a primary group - usually named after their username�
• Can be added to secondary groups - e.g. `wheel`, `sys`, etc.�
• Add new group by doing “groupadd”, remove by doing “groupdel”
• Friendlier equivalents are `addgroup` and `delgroup` on Debian�
• List people in groups by doing `groups`, `getent group <group>`, cat `/etc/groups`, etc.�
• Group equivalent to “su” is “sg” - substitute group

​

Managing privileges for your user

You don’t want to run everything as the root user, because this is insecure, but you also want to be able to run some things as root. How can we manage this without having to log in as root every time you want to run something?

/etc/sudoers

sudoers file - only edit through commands like `visudo`, because broken syntax will brick your system

Add your user/group to sudoers to give them the ability to escalate privileges through the “sudo” (superuser do) command

User/Group Takeaways

• Be very careful about creating users, and giving them permissions
• Limit file privileges as much as possible to minimize risk
• Know what the implications are when executing things as other users

​

DON’T JUST PREPEND “SUDO” IF SOMETHING FAILS

(Advanced) - Extended Filesystem Stuff

• `lsattr` and `chattr` - beyond r/w/x for user/group/other, there are FS attributes you can edit
• e.g. immutability - don’t allow anyone to write to the file permanently, below --w--w--w-, or “undeleteability” - don’t allow the file to actually be deleted, lots of other things that are FS dependent but accessible through `lsattr` and `chattr`�
• `fsck` - the filesystem checker
• For filesystems that support, for example, journaling, fsck will find orphaned files, missing inodes, etc. and help recover files that might have been lost on crashes/corruption. Equivalent to `chkdsk` on Windows.

​

​

Managing Secure Access

You’ve set up users and groups, now you need to manage remote access for those users. i.e. Secure Shell

Lots of ways to authenticate to SSH: password, SSH keys, GSSAPI (Kerberos) etc. By default, sshd will allow login for any user on the machine, including root

This could be dangerous - if a user has a weak password on an internet-facing system, especially if the root user is insecure, than the entire system can be compromised

Authentication and /etc/ssh/sshd_config

We edit /etc/ssh/sshd_config to fix some of these issues

• PasswordAuthentication yes/no
• Allow passwords to be used to login (opens you up to brute-force password attempts)
• PermitRootLogin yes/no/without-password
• Allow root user to login (allows brute-force to root, without-password = only keys allowed)
• PubKeyAuthentication yes/no
• Allow using SSH keys for authentication (more secure than passwords)
• GSSAPIAuthentication yes/no
• Generic Security Service API, = LDAP/Kerberos based authentication

Live Demo - make your SSH keys

1. Log into tsunami.ocf.berkeley.edu
2. If you don’t already have an ~/.ssh/id_rsa, make your ssh key:
1. ssh-keygen -t rsa -b 4096 (passphrase if you prefer, or not)
3. Copy it to your student VM
• ssh-copy-id <user>@<user>.decal.xcf.sh
4. Try to log in using your SSH key:
• ssh <user>@<user>.decal.xcf.sh
5. Add the host to your .ssh/config

Host <user>.decal.xcf.sh� User <user>� IdentityFile ~/.ssh/id_rsa

Reducing SSH Attack surface

1. Obviously, make sure that critical users have secure passwords
2. Use ssh keys as much as possible to avoid having passwords floating around
3. Bind ssh server to non-public interfaces, e.g. through a VPN
4. Inspect authentication logs to ensure no one is logging in that you don’t expect:
1. By default, /var/log/auth.log logs all authentication attempts
5. Use something like Fail2Ban on public networks - uses iptables or ufw to ban connections after 3-5 failed connection attempts
• After a while a significant part of the Chinese, Russian, and Eastern European IP ranges will probably be banned

Firewall Config

• Firewall restricts the connections that can be made to your machine.
• iptables: the standard Linux firewall. Tricky, complicated, potentially dangerous syntax.
• For personal servers, ufw (Uncomplicated FireWall) can make these rules for us.
• sudo ufw default deny
• Configure ufw to deny by default, highly recommend
• sudo ufw allow 80/tcp
• Allow connections on TCP port 80 (HTTP)
• sudo ufw allow SSH
• Allow connections on TCP port 22 (SSH)
• sudo ufw status
• Show list of all rules

Filesystem hierarchy

• /boot - files necessary for booting. Holds “vmlinuz,” the kernel executable!
• /dev - doesn’t hold actual “files,” instead abstracts away hardware devices.
• /etc - holds configuration files. Consider including this folder in your backups.
• /home - home directories for users on the system
• /lost+found - used by fsck (filesystem checker). Corrupted/recovered files show up here
• /media - automounted devices show up here
• /opt - holds files for packages that don’t conform to the hierarchy. Jupyter Notebook, Google Chrome, and some others install to this folder
• /proc - another “fake” filesystem, has information about all your processes

Filesystem hierarchy, continued

• /root - home folder for root user
• /run, /tmp - tmpfs. For files that don’t need to persist across reboots.
• /srv - Intended to be used for programs that serve files (HTTP, FTP).
• /sys - Fake filesystem, only accessible by root. Gives information about system from the kernel.
• /var - “Things that change.” Holds log files, database files.

Filesystem hierarchy, continued, continued

• /bin, /usr/bin, /sbin/ /usr/sbin/ /usr/local/bin, /usr/local/sbin, etc.
• Binaries in your $PATH
• /usr/include - Header files for C programs.
• /lib, /usr/lib, /usr/local/lib - C libraries.
• /usr/share - Can be “shared” across machines.
• /usr/local/man - Manpages.

Basic Utilities

You might want to install some useful programs:

• tmux
• Terminal multiplexer
• htop
• htop gives you a graphical view of processes/systems/memory
• emacs
• The best editor, if you can’t get over vim, just run vim in emacs

​

decal.ocf.io/signin

Magic word is Dijkstra