Configuring Root Access | HackerSploit Linux Security

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
hey guys hack exploit here back again with another video welcome back to the linux security series in this video we'll be continuing where we left off from uh where we are talking about configuring ssh security and securing ssh in general in this video we'll be moving on to actually giving or assigning user permissions to the dev account and i'll also show you how to disable the root account from being logged into or accessed and that's something that you might or might not want to enable or disable based on on your current setup so in the previous video we set up the dev account and the way we were going about security was we were creating accounts of setting up the server based on segregation of duties so again we have the development team that's going to be using the server so we created the development account we now need to assign relevant permissions to the development account because the development team is going to require a you know root they're going to require the ability to run certain commands with root privileges they're going to require or they're going to actually need to perform some administrative tasks like updating repositories updating packages installing new packages so on and so forth so to do that they require some root privileges and to assign them again it's very very simple so what i'll be taking you through is modifying the sudo as file however before we do that i just want to show you that right now within the dev account which is what i'm currently looked into if i try and run an administrative command like updating the repository and if i hit enter you can see it's going to tell me dev or the user dev is not in the sudoes file this incident will be reported well what this means is that i don't have the necessary privileges to run these commands and it tells us to look at the sudoes file now the sudoes file can be accessed uh can be accessed within the etsy directory by a user that has root privileges so the first thing we're going to do is we're just going to switch into the root user here it's going to ask me for the root password i'll just provide that here and i'll just go into my um i'll just go to my home directory here and we will okay so we can now say vim i'll use the vim editor so etsy and we are looking for the sudoes file so if i type in sudoers and i hit enter you're going to see something very interesting on the first line of this particular file it's going to tell us this file must be edited with the vsudo command as root so this file or this configuration file as it were essentially allows you to set up and configure permissions for users system-wide it allows you to set up various aliases as it allows you to set up group permissions so on and so forth and that makes it a very important file when it comes down to security and for that reason a tool or utility called vsudo is used to modify this file now the reason we use vsudo is because number one if we make a mistake with the syntax in regards to assigning permissions within here that can cause a lot of problems if we save that file with incorrect uh permissions or incorrect syntax and that's why we have the utility v sudo so vsudo will check the file when you save it or before you save it it'll check the file for any logical mistakes you're making it'll check it for any syntax errors uh anything that that might cause misconfigurations with the system and it'll actually tell you where the error is and allow you to correct it so it's a it's imperative that you use vsudo and so we can just actually write and quit and you can see it tells us that this file is read only so that means we need to use v sudo now to use v sudo uh we simply need to type in sudo and v sudo however let's just take a look at our current scenario here in terms of group so if i say groups if i use the groups command and i say groups for the user dev we can see that the only group that the user dev is in is in in its own group which is dev which means it isn't in any particular group and if i take a look at the groups for the user root you can see that the root users is going to be in its own it's going to be in its own and that's because when working with debian we have the sudo group now the sudo group is a group that essentially allows you to or if you're a part of will allow you to run administrative uh commands or allow you to run commands with root privileges with the sudo command as a prefix so for example if i open up the say if i say sudo and v sudo right and we'll just open up the file and this will become much more clearer this will open up the sudoes file with the nano editor so again we can now go to the bottom here and we are looking for user privilege specification and uh we can then allow members of a group to or of a group sudo to execute any command so this is your group privilege specification so for the users you can see the root user has been added here and this is the privilege or this this is the privilege or permission specification so we can pretty much see that the root user can run or it can run a whole plethora of commands or essentially or in essence it can run all the commands available which is you know exactly what the root account should be able to do we can then go ahead and add the dev account here and also give it the ability to run all all commands or give it you know all permissions and making it equally as powerful to the root account we can do that or we can also add it to the to the sudo group or and to do that we would need to use the user mod command so what i'll do is i'll just exit here for a second if i say user mod and i say user mode add to the group and then i specify the group here which is going to be sudo and then the user i want to add to the group which is dev and hit enter it's going to say that's not found i need to use the sudo command hit enter and now if i say groups for the user dev it's going to tell me that the dev user also belongs to the sudo group which means the dev user can now run administrative commands or run commands with root privileges as i said you can also use the vsudo or these you can also modify the sudoes file and add the user directly here so again you can simply go ahead and type in dev and we then say um all is equal to all and we use a colon there all and of course all now of course we can modify this uh we can modify these commands uh or the the permissions to uh to essentially specify what commands a a user can run uh and again that's something we'll probably be covering in another video and i've spoken about the sudo as file uh in other videos where i talk about specifying various uh user and command aliases where you can then again customize the permissions uh on a granular level uh that being said we've already added the uh the dev user to the sudo group um so i'll just hit ctrl o to save that the way it is and we can now exit and if i switch into the dev user right over here and i'll just go into my home directory and try and run it in administrative command like updating my my my repositories and i hit enter it's gonna ask me for my password and i hit enter you can see we can now run the sudo apt update command and we can do a whole a lot more with the sudo uh prefix right over here so we now have granted the dev uh a user account administrative privileges which is great and we in the previous video we talked about disabling password-based authentication and we set up our ssh keys so we've pretty much secured the server really well we've also disabled root logins via ssh which is great now let's talk about disabling uh the root account and when i talk about disabling it i mean essentially essentially refusing or revoking access to the account and there's tons of ways you can do this one of the ways is to change the password or to lock you can lock the user account password using the password command and if i just open up the man pages for the password command and i go to lock which should be right over here uh there we are we have the lock command so the lock command will lock the password of the named account this option disables a disables the password by changing it to a value which matches no possible encrypted value and it adds a an exclamation mark at the beginning of the password so what this will do is if i'm in the dev user account and i log in and i try and switch to the root account and i try and enter the password it may be correct or it may be not i'll not be able to log in at all now this is a great way of restricting access from other users on the system like the dev account so i'll just give you an example so let's say i give the the dev account administrative uh you know administrative privileges and they're able to run certain commands as root and they try and login to the root account they may have the password or they may not have it but they try and log in regardless of whether they have the password or not they'll not be able to log in using password-based authentication and i'm talking about that locally not via ssh of course they've established the initial ssh connection using the dev account but if they try and switch locally as we have been doing they'll not be able to do it and the only way then to log into the root account is to set up another ssh key and then the only person who has the ssh key to the root account will be able to access it there however as we know we have disabled uh the the root account from being logged into via ssh so that's not something we want to do so again this is not something that is recommended you do if you plan on using the root account again but it's it's a very very helpful option uh if you want to disable access to it or you want to ensure that no one will get access to it in the event of a of a compromise so to to set this up we use sudo and we can then say password and we say l to lock and then we specify the user that we want to lock and we hit enter it's going to tell us the password expiry information is changed if we display the and i'll just use the pseudo command and if i say cat at etsy shadow like so and i hit enter if we take a look at the password hashes for the root user you can see the exclamation mark has been added and this is a password of course whose hash has been changed and does not match that one of the original password so that's how to lock it now as i said let's actually see this in action if i say switch user into the root user and if even if i enter the legitimate password you can see it's going to tell me right over here in a few seconds there's an authentication failure and that's because the password does not match all right so i hope that makes sense and again as i said this this will be great or this again can be used to um to ensure that no one gets access onto the um on onto the root account now to unlock an account we simply just change the l to u do mean unlock and we hit enter and if i try and log in now again and i enter in my correct password i can do that and voila so it's really very simple to do that and let me just go back into the dev account now the second way of disabling the root account is uh to actually change the the shell the login shell to something or to the to change the actual login shell which by default is going to be set to bash to the no login binary shell which again prevents anyone from logging in or rather simply uh it does not allow anyone to essentially interact with the account and as we know on linux the main at the main interface for interaction is through the terminal so i can explain this really simply if i go in and i type in cat etsy password to list out all the user accounts and all the other various configurations for the account if i take a look at the dev user you can see the dev user has a home directory right over here this is the user id these id is a thousand and if we take a look at the shell you can see it's bash so that means whenever we try to log into the dev user we will be greeted with a bash shell we can also change this to another shell like the born shell we can change it to uh to the z shell so on and so forth however there's something very interesting if you take a look at the service accounts that deal with maintaining various services like mysql you can see let's take another example like ssh here you can see that the the default terminal is sent or the default shell is set to user s bin no login what that means is you cannot log into this particular account via ssh or uh you can't uh you can access it remotely as well or you can't access it locally so that means when i change the root account default shell to user as bin no login i'll not be able to do i'll not be able to log into it at all via either locally or remotely so again that's something you want to be very cautious with you want to ensure another account on the system has root privileges so that you can all you can always revoke this and change it back to uh bash so i can just show this to you uh remember the root account is not locked anymore so to to actually change this all we need to do is we can use the change shell utility so we say sudo change shell which is chsh and then we specify the user we want to change the shell for from or the the the shell we want to change of the particular user so we hit enter and we change the default bin bash to user s-bin and we say no login right and i believe that is correct and we hit enter and now again if we display if you use cat etsy password and we take a look at the top here for the root user you can see it's set to user as bin no login so if we try and log in to the root user so switch user root and regardless of whether i hit my password you can see it's going to tell me this account is currently not available so that means that no one locally can escalate their privileges to the root account and of course if they do they'll need to specify a custom variable that that actually explicitly specifies what shell to use that being said it's it's highly improbable that that will be the case so this is a very good security feature if you're working on hardening your server right okay so as i said you may want to ensure that before you do this you have the appropriate privileges to revoke this with another user account and to do this uh or to revoke this all we need to do is just go back into um say sudo chain shell and we can just do it like so i'll just enter the password here it's going to tell us there's a authentication failure and the reason it's telling us that is because if you remember we've disabled the actual shell that we can interface with so that means we'll have to do this manually so we need to say sudo vim etsy and we say password and then we can change it manually within the file here although it's always recommended to use the change shell utility so we'll just change this to bin and bash right and we save that and we should be able to access the root account now i believe or we'll have to restart the system but there we are we can still access it which is fantastic so excellent so in this video we've taken a look at how to set up user permissions uh for the dev account we've taken a look at the various ways of blocking or locking the root account from being accessed both remotely and locally and that's all that i wanted to cover in this video in the next video we'll be working uh to secure apache and then in this in the subsequent video after that we'll be taking a look at how to secure engines and then we'll finally end off uh by talking about how to say how to set up a firewall so with that being said that's going to be for this video and i'll be seeing you in the next [Music] you
Info
Channel: Linode
Views: 980
Rating: undefined out of 5
Keywords: linux tutorial, root user, linux security, linux security tutorial, linux security hardening, linux server security, linux tutorial for beginners, linux commands, ssh security, securing linux, how to secure linux, how to secure linux server, linode, hackersploit, cloud computing, alternative cloud, linode server, linode tutorial, hackersploit tutorial, securing linux server, how to secure linux server from hackers, ssh root login, root login ubuntu, linode server tutorial
Id: 9lXW0obOGOY
Channel Id: undefined
Length: 16min 32sec (992 seconds)
Published: Mon Mar 29 2021
Related Videos
Securing Apache 2 | HackerSploit Linux Security
Linode
1.2K
How to Secure WordPress | HackerSploit Linux Security
Linode
1.7K
When Linux users met Windows 10
BugsWriter
127K
Why New York’s Billionaires’ Row Is Half Empty
The B1M
3.3M
Switch to these open-source apps...on Windows, macOS or Linux!
InfinitelyGalactic
208K
The Insane Engineering of James Webb Telescope
Real Engineering
883K
How did the Enigma Machine work?
Jared Owen
1M
Linux Security - Configuring SUDO Access
HackerSploit
23K
I bought 1000 meters of wire to settle a physics debate
AlphaPhoenix
700K
Making a Simple Hydrogen Generator from Washers
Maciej Nowak Projects
4.2M
Why You Will Marry the Wrong Person
The School of Life
5M
How To Speak by Patrick Winston
MIT OpenCourseWare
5.3M
Golang Tutorial for Beginners | Full Go Course
TechWorld with Nana
20K
I Built This From A 1972 Popular Mechanics Magazine Plan. Does It Work?
Fireball Tool
2.4M
HOW TO MAKE A SUPER EXTENSION CORD! (Perfect for Christmas!)
Stud Pack
1.3M
CI/CD Pipeline with GitLab and K8s | Jérôme Petazzoni LKE Helm Workshop
Linode
503
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.