A short procedure to follow on a newly installed system, to add some eye-candy stuff and improve security.
To set up the appropriate locales on the system, i.e. the ones that will be available to the users:
# dpkg-reconfigure locales
Select the locales according to the languages and encodings you want. The more language encodings you select, the more time it takes to generate them and the more disk space they use.
For example, to get French messages select the locales starting with
(French from France) for all encodings. The best encoding on Unix systems is UTF-8. On the second screen select the default language and encoding that will be used by the system, for example fr_FR.UTF-8 to get messages in French.
The creation of a new user takes the default configuration files that are present in the
/etc/skel/ folder. However, by default the root user does not get
these files. Therefore, to get a better bash shell for root with color prompt and
auto-completion we have to copy the
# cp /etc/skel/.bashrc $HOME
By default the bash auto-completion is activated in that file.
To activate the color prompt, uncomment line 39:
Some commands can use color. To use it by default, some aliases can be activated at line 78 and following:
if [ -x /usr/bin/dircolors ]; then
    test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
    alias ls='ls --color=auto'
    alias dir='dir --color=auto'
    alias vdir='vdir --color=auto'
    alias grep='grep --color=auto'
    alias fgrep='fgrep --color=auto'
    alias egrep='egrep --color=auto'
fi
Log out and log in again to activate it, or source the file to activate it in the current shell:
# source $HOME/.bashrc
Set an alias address for the root account
By default all system email is sent to the root user. However, to avoid unneeded
root logins it is a good idea to redirect this email to another account or
address. For that we need to modify
/etc/aliases so it contains the
All email sent to root will be sent to this address.
Increase the security of the system
# aptitude update
# aptitude dist-upgrade
To automatically receive available system upgrades by email, you need to install
# aptitude install apticron
The list of possible upgrades will be sent by email on a daily basis, to root by default.
fail2ban is a daemon that monitors connection attempts and temporarily blacklists an IP address after a certain number of failed connections from that IP. This prevents brute-force attacks, which try all possible passwords to enter the system.
# aptitude install fail2ban
To configure it you have to edit the
Several modules are available for fail2ban, and to activate them you need to go
to the end of the configuration file (around line 74). Each module is called
JAIL is set up the same way, like for example for
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
Its name is in between
, and the option
enabled is set to true
to activate it. The port that has to be monitored is set with the
option, like the log file (
logpath) and the filter to use to interpret
filter). Finally the number of errors that are allowed before an IP
By default the ssh JAIL is activated. The pam-generic JAIL allows blocking the user after errors on the PAM module. The ssh-ddos JAIL is there to protect against denial-of-service attacks.
To take into account the new configuration you need to restart the service with the following command:
# service fail2ban restart
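What the maxretry threshold of the [ssh] jail amounts to, as an added example that is not part of the original page and is not fail2ban's own code: a shell function that counts failed password lines per source address in an auth.log-style file. The sample log is constructed, and the time window fail2ban applies to failures is left out as a simplification.

```shell
#!/bin/sh
# Added example: which source addresses reach the maxretry threshold?
# Assumption: every failure in the file counts, with no time window.

# Constructed sample in auth.log format; addresses are documentation ranges.
sample_auth_log() {
cat <<'EOF'
Jan 10 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:03 srv sshd[1201]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 10 10:00:05 srv sshd[1202]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Jan 10 10:00:09 srv sshd[1210]: Failed password for admin from 198.51.100.7 port 51000 ssh2
Jan 10 10:00:11 srv sshd[1203]: Failed password for invalid user from from 203.0.113.5 port 40004 ssh2
Jan 10 10:00:15 srv sshd[1211]: Accepted password for admin from 198.51.100.7 port 51001 ssh2
Jan 10 10:00:17 srv sshd[1204]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 10:00:19 srv sshd[1205]: Failed password for root from 203.0.113.5 port 40006 ssh2
Jan 10 10:00:25 srv sshd[1212]: Failed password for admin from 198.51.100.7 port 51002 ssh2
EOF
}

# over_maxretry LOGFILE MAXRETRY
# Prints "address count" for every source with at least MAXRETRY failures.
over_maxretry() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            # Keep the last "from <addr> port" triple on the line, so a user
            # name that is itself the word "from" does not shift the address.
            for (i = 1; i + 2 <= NF; i++)
                if ($i == "from" && $(i + 2) == "port") ip = $(i + 1)
            if (ip != "") fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip, fails[ip] }
    ' "$1" | sort
}
```

Write the sample to a file with `sample_auth_log > /tmp/auth.sample` and call `over_maxretry /tmp/auth.sample 6` to see which address the maxretry = 6 setting above would catch.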
It is a program that searches for rootkits by looking for modifications of the main programs compared to a safe state and signature, and by identifying already known rootkits.
# aptitude install rkhunter
Check for security alerts on the web that relate to the system.
# aptitude install debsecan
To configure it run
# dpkg-reconfigure debsecan
Select the correct distribution, so that the alerts relate to it.
Firewall configuration with ferm
See the corresponding article about ferm
SSH connection limitation
root user without any other account on the system: you will not be able to connect to the server anymore.
First create a user (admin in this example) that will be able to connect as root after the deactivation of the SSH connection for
# adduser admin
When configured, the SSH connection for the root user can be deactivated in the /etc/ssh/sshd_config file:
PermitRootLogin no
Restart SSH server to take it into account.
# /etc/init.d/ssh restart
Limitation of the su command only to certain users
The su command allows changing user in a console to execute a program.
The main case is the switch to root for administration tasks. However,
it could be nice to limit this possibility to certain users. By default
su can be executed by any user, assuming they know the password of the
targeted user. It is possible to limit this possibility to a particular group by
modifying the PAM configuration file of su (
following should be uncommented:
auth required pam_wheel.so
By default, the user should belong to the root group to be able to use su. Historically, the super-user group is called
the name of the PAM module (see [[!wikipedia Wheel_(Unix_term)]] for more info).
It is possible to change the wheel group to consider by adding the group=group_name option to the command. Therefore to set the
auth required pam_wheel.so group=adm
Then you just have to add the users you want to allow to connect as root to the
correct group. For example, to add the admin user to the
# adduser admin root
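A check to run before closing the current SSH session, covering the SSH and su sections above (added example, not from the original page): it reads copies of sshd_config, the PAM file of su and a group file, all passed as arguments, and reports whether the chosen user can still reach root. The function names and sample files are constructed for illustration, and Match blocks in sshd_config are not handled.

```shell
#!/bin/sh
# Added example, not from the original page. Run it on copies of the files.

# Effective PermitRootLogin: sshd keeps the first value it reads for a keyword
# and keywords are case-insensitive. Match blocks are not handled here.
root_login_setting() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Group required by an active pam_wheel line: "root" when no group= option is
# given (the default described above), empty output when the line is commented.
wheel_group() {
    awk '$1 == "auth" && $3 == "pam_wheel.so" {
             g = "root"
             for (i = 4; i <= NF; i++) if ($i ~ /^group=/) g = substr($i, 7)
             print g; exit
         }' "$1"
}

# True when USER is a listed member of GROUP in a group(5)-format file.
in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# lockout_check SSHD_CONFIG PAM_SU_FILE GROUP_FILE USER
# Returns 0 only when root SSH login is off and USER is still allowed to su.
lockout_check() {
    rc=0
    [ "$(root_login_setting "$1")" = "no" ] || { echo "root SSH login is not disabled"; rc=1; }
    grp=$(wheel_group "$2")
    if [ -z "$grp" ]; then echo "pam_wheel is not active: su is open to every user"; rc=1
    elif ! in_group "$3" "$grp" "$4"; then echo "$4 is not in group $grp: cannot use su"; rc=1
    fi
    return "$rc"
}

# Constructed sample files matching the configuration on this page.
make_samples() {
    printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$1/sshd_config"
    printf '# auth required pam_wheel.so\nauth required pam_wheel.so group=adm\n' > "$1/su"
    printf 'root:x:0:\nadm:x:4:admin\n' > "$1/group"
}
```

A non-zero return from `lockout_check` while PermitRootLogin is already set to no is the lockout case the warning in the SSH section describes, so fix the group membership before logging out.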