Linux Security - Configuring SUDO Access

Captions
[Music]

Before we get started with today's video, I just want to take you through the structure of this particular series. So I've actually partnered with Linux to bring you this series. This series will involve two parts. So if you head over to linux.com under events, you should find the HackerSploit Linux Live Linux Server Security series, and you can just click on more info here. So this series is going to be a 12-part series on how to set up, secure and audit Linux servers, and we'll begin on the 1st of October. The first series will be available on YouTube and will include SSH security essentials, configuring sudo access, securing Apache 2, securing Nginx and the Uncomplicated Firewall. The second part of the series will be hosted on Linux Live, and it's absolutely free; you don't have to pay anything. And again, you can actually register for that there. This is going to be an advanced series that will build up or build off the first series, and we'll cover things like brute force protection, iptables, WordPress security and security auditing on Linux with the linux tool. So to access that, just click on the registration link on the ON24 platform, and that'll take you here. So that'll give you an idea of all the various webcasts and when they're going to be posted, and it'll give you a summary of what will be covered exactly. These are advanced webcasts that will be about 40 minutes, and you can register for them absolutely free of charge.

We've also partnered with Linode to give you guys a free credit. So again, if you are interested in using Linode for your virtual private server or for your hosting, whether you're a developer or an administrator, you can get a hundred dollars of 90 day credit, and this is for new accounts. So that's fantastic; definitely do take advantage of this if you're getting started with Linux or you're following along with this series. However, make sure to actually redeem this offer or this
code, which is under promo.linu.com, and the code is hackersploit100. This offer will only be limited till the 15th of December, so definitely check that out. That being said, let's get started with today's video.

Hey guys, HackerSploit here, back again with another video. Welcome back to the Linux security series. In this video we'll be continuing where we left off, where we are talking about configuring SSH security and securing SSH in general. In this video we'll be moving on to actually giving or assigning user permissions to the dev account, and I'll also show you how to disable the root account from being logged into or accessed, and that's something that you might or might not want to enable or disable based on your current setup.

So in the previous video we set up the dev account, and the way we were going about security was we were creating accounts or setting up the server based on segregation of duties. So again, we have the development team that's going to be using the server, so we created the development account. We now need to assign relevant permissions to the development account, because the development team is going to require, you know, root; they're going to require the ability to run certain commands with root privileges. They're going to actually need to perform some administrative tasks like updating repositories, updating packages, installing new packages, so on and so forth. So to do that they require some root privileges, and to assign them, again, it's very, very simple. So what I'll be taking you through is modifying the sudoers file.

However, before we do that, I just want to show you that right now, within the dev account, which is what I'm currently logged into, if I try and run an administrative command like updating the repository, and if I hit enter, you can see it's going to tell me dev, or the user dev, is not in the sudoers file; this incident will be reported. Well, what this means is that I don't have the necessary
privileges to run these commands, and it tells us to look at the sudoers file. Now, the sudoers file can be accessed within the /etc directory by a user that has root privileges. So the first thing we're going to do is we're just going to switch into the root user here. It's going to ask me for the root password; I'll just provide that here, and I'll just go into my home directory here. Okay, so we can now say vim, I'll use the vim editor, so /etc, and we are looking for the sudoers file. So if I type in sudoers and I hit enter, you're going to see something very interesting on the first line of this particular file: it's going to tell us this file must be edited with the visudo command as root.

So this file, or this configuration file as it were, essentially allows you to set up and configure permissions for users system-wide. It allows you to set up various aliases, it allows you to set up group permissions, so on and so forth, and that makes it a very important file when it comes down to security, and for that reason a tool or utility called visudo is used to modify this file. Now, the reason we use visudo is because, number one, if we make a mistake with the syntax in regards to assigning permissions within here, that can cause a lot of problems if we save that file with incorrect permissions or incorrect syntax, and that's why we have the utility visudo. So visudo will check the file when you save it, or before you save it; it'll check the file for any logical mistakes you're making, it'll check it for any syntax errors, anything that might cause misconfigurations with the system, and it will actually tell you where the error is and allow you to correct it. So it's imperative that you use visudo. And so we can just actually write and quit, and you can see it tells us that this file is read only, so that means we need to use visudo. Now, to use visudo, we simply need to type in sudo and visudo. However, let's just take a look at our current
scenario here in terms of group. So if I use the groups command and I say groups for the user dev, we can see that the only group that the user dev is in is its own group, which is dev, which means it isn't in any particular group. And if I take a look at the groups for the user root, you can see that the root user is going to be in its own, and that's because when working with Debian we have the sudo group. Now, the sudo group is a group that essentially, if you're a part of, will allow you to run administrative commands, or allow you to run commands with root privileges, with the sudo command as a prefix.

So for example, if I say sudo and visudo, right, and we'll just open up the file and this will become much clearer. This will open up the sudoers file with the nano editor. So again, we can now go to the bottom here, and we are looking for user privilege specification, and we can then allow members of group sudo to execute any command, so this is your group privilege specification. So for the users, you can see the root user has been added here, and this is the privilege or permission specification. So we can pretty much see that the root user can run a whole plethora of commands, or in essence it can run all the commands available, which is, you know, exactly what the root account should be able to do. We can then go ahead and add the dev account here and also give it the ability to run all commands, or give it, you know, all permissions, making it equally as powerful as the root account. We can do that, or we can also add it to the sudo group, and to do that we would need to use the usermod command. So what I'll do is I'll just exit here for a second. If I say usermod, add to the group, and then I specify the group here, which is going to be sudo, and then the user I want to add to
the group, which is dev, and hit enter, it's going to say that's not found; I need to use the sudo command. Hit enter, and now if I say groups for the user dev, it's going to tell me that the dev user also belongs to the sudo group, which means the dev user can now run administrative commands, or run commands with root privileges.

As I said, you can also modify the sudoers file and add the user directly here. So again, you can simply go ahead and type in dev, and we then say ALL is equal to ALL, and we use a colon there, ALL, and of course ALL. Now of course we can modify these commands, or the permissions, to essentially specify what commands a user can run, and again that's something we'll probably be covering in another video, and I've spoken about the sudoers file in other videos where I talk about specifying various user and command aliases, where you can then again customize the permissions on a granular level. That being said, we've already added the dev user to the sudo group, so I'll just hit Ctrl+O to save that the way it is, and we can now exit. And if I switch into the dev user right over here, and I'll just go into my home directory and try and run an administrative command like updating my repositories, and I hit enter, it's gonna ask me for my password, and I hit enter, you can see we can now run the sudo apt update command, and we can do a whole lot more with the sudo prefix right over here. So we now have granted the dev user account administrative privileges, which is great.

And in the previous video we talked about disabling password-based authentication and we set up our SSH keys, so we've pretty much secured the server really well. We've also disabled root logins via SSH, which is great. Now let's talk about disabling the root account, and when I talk about disabling it, I mean essentially refusing or revoking access to the account, and there's tons of ways you
can do this. One of the ways is to change the password, or you can lock the user account password using the passwd command. And if I just open up the man pages for the passwd command and I go to lock, which should be right over here, there we are, we have the lock command. So the lock command will lock the password of the named account. This option disables the password by changing it to a value which matches no possible encrypted value, and it adds an exclamation mark at the beginning of the password. So what this will do is, if I'm in the dev user account and I log in and I try and switch to the root account and I try and enter the password, it may be correct or it may be not, I'll not be able to log in at all.

Now, this is a great way of restricting access from other users on the system, like the dev account. So I'll just give you an example. Let's say I give the dev account administrative privileges and they're able to run certain commands as root, and they try and log in to the root account. They may have the password or they may not have it, but they try and log in; regardless of whether they have the password or not, they'll not be able to log in using password-based authentication. And I'm talking about that locally, not via SSH; of course they've established the initial SSH connection using the dev account, but if they try and switch locally, as we have been doing, they'll not be able to do it. And the only way then to log into the root account is to set up another SSH key, and then the only person who has the SSH key to the root account will be able to access it there. However, as we know, we have disabled the root account from being logged into via SSH, so that's not something we want to do. So again, this is not something that is recommended you do if you plan on using the root account again, but it's a very, very helpful option if you want to disable access to it or you want to ensure that no one will get access to it in the
event of a compromise. So to set this up, we use sudo and we can then say passwd, and we say l to lock, and then we specify the user that we want to lock, and we hit enter. It's going to tell us the password expiry information is changed. If we display the, and I'll just use the sudo command, and if I say cat /etc/shadow like so and I hit enter, if we take a look at the password hashes for the root user, you can see the exclamation mark has been added, and this is a password, of course, whose hash has been changed and does not match that of the original password. So that's how to lock it.

Now, as I said, let's actually see this in action. If I say switch user into the root user, and even if I enter the legitimate password, you can see it's going to tell me right over here in a few seconds there's an authentication failure, and that's because the password does not match. All right, so I hope that makes sense, and again, as I said, this can be used to ensure that no one gets access on to the root account. Now, to unlock an account, we simply just change the l to u, to mean unlock, and we hit enter. And if I try and log in now again and I enter in my correct password, I can do that, and voila. So it's really very simple to do that, and let me just go back into the dev account.

Now, the second way of disabling the root account is to actually change the login shell, which by default is going to be set to bash, to the nologin binary shell, which again prevents anyone from logging in, or rather simply it does not allow anyone to essentially interact with the account, and as we know, on Linux the main interface for interaction is through the terminal. So I can explain this really simply. If I go in and I type in cat /etc/passwd to list out all the user accounts and all the other various configurations for the account, if I take a look at the dev user, you can see the
dev user has a home directory right over here, this is the user ID, the ID is a thousand, and if we take a look at the shell you can see it's bash. So that means whenever we try to log into the dev user we will be greeted with a bash shell. We can also change this to another shell like the Bourne shell, we can change it to the Z shell, so on and so forth. However, there's something very interesting here. If you take a look at the service accounts that deal with maintaining various services like MySQL, you can see, let's take another example like SSH here, you can see that the default terminal, or the default shell, is set to /usr/sbin/nologin. What that means is you cannot log into this particular account via SSH, or you can't, you can access it remotely as well, or you can't access it locally. So that means when I change the root account default shell to /usr/sbin/nologin, I'll not be able to log into it at all, either locally or remotely. So again, that's something you want to be very cautious with. You want to ensure another account on the system has root privileges so that you can always revoke this and change it back to bash.

So I can just show this to you. Remember, the root account is not locked anymore. So to actually change this, all we need to do is we can use the change shell utility. So we say sudo change shell, which is chsh, and then we specify the user we want to change the shell for, or the shell we want to change of the particular user. So we hit enter and we change the default /bin/bash to /usr/sbin, and we say nologin, right, and I believe that is correct, and we hit enter. And now again, if we use cat /etc/passwd and we take a look at the top here for the root user, you can see it's set to /usr/sbin/nologin. So if we try and log in to the root user, so switch user root, and regardless of whether I hit my password, you can see it's going to tell me this account is currently
not available. So that means that no one locally can escalate their privileges to the root account, and of course if they do, they'll need to specify a custom variable that actually explicitly specifies what shell to use. That being said, it's highly improbable that that will be the case, so this is a very good security feature if you're working on hardening your server.

Right, okay, so as I said, you may want to ensure that before you do this you have the appropriate privileges to revoke this with another user account. And to revoke this, all we need to do is just go back into, say, sudo change shell, and we can just do it like so. I'll just enter the password here; it's going to tell us there's an authentication failure, and the reason it's telling us that is because, if you remember, we've disabled the actual shell that we can interface with, so that means we'll have to do this manually. So we need to say sudo vim /etc, and we say passwd, and then we can change it manually within the file here, although it's always recommended to use the change shell utility. So we'll just change this to /bin/bash, right, and we save that, and we should be able to access the root account now, I believe, or we'll have to restart the system, but there we are, we can still access it, which is fantastic.

So excellent. In this video we've taken a look at how to set up user permissions for the dev account, and we've taken a look at the various ways of blocking or locking the root account from being accessed both remotely and locally, and that's all that I wanted to cover in this video. In the next video we'll be working to secure Apache, and then in the subsequent video after that we'll be taking a look at how to secure Nginx, and then we'll finally end off by talking about how to set up a firewall. So with that being said, that's going to be for this video, and I'll be seeing you in the next video. I just want to take a moment to thank all our Patreons at patreon.com
forward slash hackersploit for all the support. Your support and help is truly appreciated; you keep us making newer and fresher and better content. So I just want to say thank you to all the Patreons. So thank you Murph the Surf Daniel Bork Jonathan Kyle Adam Mack Jamal Gallery Defean Barry Jeremy Nikolai Marihara Max Chao Dustin Empress Michael Hubbard and Jerry Speds.
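
The three account states set up in the transcript above (dev listed in the sudo group, the root password field prefixed with `!` after locking, root's login shell set to /usr/sbin/nologin), checked by an added example script that is not from the video or the channel. The function names and the sample passwd, shadow and group entries are constructed for illustration; on a live host the same functions take /etc/passwd, /etc/shadow (readable by root only) and /etc/group.

```shell
#!/bin/sh
# Added example: helper names and sample data are constructed, not from the video.

# pw_state SHADOW_FILE USER -> locked | no-password | active | missing
# A hash field starting with '!' (what locking the password adds) or '*'
# can never match a typed password.
pw_state() {
    awk -F: -v u="$2" '
        $1 == u { found = 1
                  if ($2 == "")          print "no-password"
                  else if ($2 ~ /^[!*]/) print "locked"
                  else                   print "active" }
        END     { if (!found) print "missing" }' "$1"
}

# login_shell PASSWD_FILE USER -> field 7 of the user's passwd entry
login_shell() { awk -F: -v u="$2" '$1 == u { print $7 }' "$1"; }

# interactive_login PASSWD_FILE USER -> no (nologin/false shell) | yes
interactive_login() {
    case "$(login_shell "$1" "$2")" in
        */nologin|*/false) echo no ;;
        *)                 echo yes ;;
    esac
}

# in_group GROUP_FILE USER GROUP -> exit 0 if USER is a supplementary member.
# (A user's primary group is recorded in passwd, not in this member list.)
in_group() {
    awk -F: -v u="$2" -v g="$3" '
        $1 == g { n = split($4, m, ",")
                  for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END     { exit (ok ? 0 : 1) }' "$1"
}

# Constructed sample files mirroring the locked and nologin states shown in the video.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/shadow" <<'EOF'
root:!$6$CONSTRUCTED$notarealhash:18537:0:99999:7:::
dev:$6$CONSTRUCTED$notarealhash:18537:0:99999:7:::
EOF
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
dev:x:1000:1000::/home/dev:/bin/bash
EOF
cat > "$SAMPLE/group" <<'EOF'
root:x:0:
sudo:x:27:dev
dev:x:1000:
EOF

echo "root password:   $(pw_state "$SAMPLE/shadow" root)"
echo "root login:      $(interactive_login "$SAMPLE/passwd" root)"
echo "dev login shell: $(login_shell "$SAMPLE/passwd" dev)"
if in_group "$SAMPLE/group" dev sudo; then echo "dev is in sudo"; fi
```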
Info
Channel: HackerSploit
Views: 23,326
Keywords: hackersploit, hacker exploit, kali linux, hacking, linux, mastering linux security and hardening, security, linux security, linux security tutorial, linux security hardening, linux security course, linux server security, linux tutorial for beginners, ssh, ssh security, linux commands, linux tutorial, securing linux, securing linux server, how to secure linux, how to secure linux server, how to secure linux server from hackers, linode, linode tutorial
Id: FGRtNvKdtbk
Length: 19min 10sec (1150 seconds)
Published: Fri Oct 02 2020