|Making my GuruPlug more secure|
Before I allow access from the Internet directly to my GuruPlug, I want to make sure it is as save as possible. There are a few basic steps to follow, but only the first one is really necessary. The others depend on your preferences and setup.
If you are logged in as root (what I assume you are since no other user has root privileges yet), type
and it will ask you for your old password, the new one and a confirmation to make sure you typed correctly.
As written here, I don't use wireless right now, so I disabled it. I will of course post more later on wireless security when I need it.
Allow other users to gain root-privileges with sudo
Since I want to disable root-access later, there has to be another possibility to execute super user commands or edit root files. Using the sudo-command is the possibility I am going to set up.
At first, you have to create a new user:
$ adduser <username>
It will create the home-directory and ask for password and some information about the user. The information can be empty (just continue by pressing ENTER).
Now, lets allow the new user to run sudo. Thus, we are going to edit the file /etc/sudoers but not by using vim, we have to use visudo instead!
First make sure you are connected to your GuruPlug via SSH, since I experienced some problems with visudo on minicom. One simple command
will open the required file. It looks like this:
add the following line, replacing <username> with your previously created username:
Press Ctrl+O to save and Ctrl+X to exit visudo.
Now try if everything works so far. Log in with your previously created username and run a simple command with sudo. For example, just try
$ sudo ls
and it should ask for the sudo-password (which is the same like the root-password). If no error shows up, your new user is ready to use sudo.
We now have the possibility to execute root-commands with the previously created user, thus we do not need the user root any more. There is a controversy if disabling root access makes the system more secure, but there are two things which I think do:
The second point is the one which I think is more important, since the first one doesn't make the system that much more secure, but let's take a look how root-access can be disabled.
Using the passwd command, an account can be locked:
$ passwd -l <username>
Replace <username> with "root", log out and try to log in as root again. Now it is not even possible to log in as root over SSH.
If you once want to activate the root user again, you have to log in as another user which can get root privileges, and then type:
$ sudo passwd -u root
and logging in with the user root should be possible again.
Know what you are doing
One of the very important things for a secure server is of course that you know what you are doing. Choose strong passwords, do not install any services if you don't really need them and use encrypted connections if necessary. It is better to test new software or services on a second server and if they run well, install and configure them on the real server.