web3 forums

web3 and ethereum community forums

  • Ubuntu Linux validator basic security primer

    Posted by Zombie Ducklings on August 23, 2022 at 9:32 am

    JBM asked me to post this before he left. I apologize for posting this so late.

    Basic Ubuntu hardening guide, and tips to keep your validator box secure

    1. Keep System Up-To-Date
    This should be obvious, but keep your Ubuntu box up to date. Log in at least once a week and run updates manually. If a reboot is necessary, verify everything is working correctly before update. If an update is not required for security, you may want to hold off for a bit until it’s been tested.

    apt-get update && apt-get upgrade

    2. System Accounts
    The best place to start is ensuring your user accounts are locked down.

    2a. Ensure Only root Has UID of 0
    Accounts with a UID of 0 have the highest access to the system. UID 0 should only be for the root account. Check to see what accounts have a UID of 0:

    awk -F: '($3=="0"){print}' /etc/passwd

    2b. Ensure no empty passwords
    Accounts that have no password are essentially wide open. Even if this account doesn’t have any special permissions, it can be used in a privilege escalation attack. Make sure all accounts have a password.

    awk -F: '($2==""){print $1}' /etc/shadow

    2c. Lock Accounts
    If you find a user account with no password and don’t want to delete it for fear of breaking something, you can “lock” the account by appending an “!” to the end of the password hash. That tells Linux it’s locked.

    passwd -l accountName

    2d. Adding New User Accounts
    This is standard practice on Ubuntu, but you should never operate from the root account. Make sure you have a regular user account created. This will automatically create a user account with the most basic permissions. You can set those permissions for every new account creation in the “/etc/skel” file.

    adduser accountName

    2e. Sudo Configuration
    Sudo allows regular users to run commands “as root” or with elevated permissions. This is the most secure way of making changes to the system. Sudo is very versatile with lots of options. Use the “visudo” command to change sudo options. Some common options that may help you with security are below, especially the IP address and allowed commands. Be careful not to lock your own account out accidentally.

    %www – All users of the www group
    ALL= – From any Host/IP
    (ALL) – can run as any user
    NOPASSWD – No password required (omit to require a password)
    :/bin/cat,/bin/ls – Commands able to run as sudo. In this case, “cat” and “ls”

    3. iptables, the firewall
    iptables is pretty much the standard for firewall applications in the *nix world. It’s lightweight and very configurable. You should limit all ports except the ones you need for your validator and possibly SSH. For example, if you only want local access to the validator box without remote SSH login, you could close the SSH port with the following command:

    sudo ufw deny 22/tcp

    4. SSH
    This is the largest “hole” in your server setup. It allows remote terminal access to your validator. This must be locked down and secured as much as possible. All options can be changed in the “/etc/ssh/sshd_config” file.

    4a. Disable root Login
    Find the line for “PermitRootLogin” and change it to “no” like below

    PermitRootLogin no

    4b. Allow Specific Users
    This line allows you to set specific user accounts that are allowed to use SSH. It’s a good idea to set this to only your user account.

    AllowUsers userName

    4c. Change Default Port
    Change your default SSH port to something other than 22. This is more security through obscurity as the port can still be found, but automated scanning bots typically scan the most common ports and quit to save time. Setting your SSH port high in the port range will prevent a lot of common port scanning bots from discovering your SSH port.

    !Important! Be sure to open this new port on your firewall “ufw allow 22222/tcp” before restarting SSHD or you will be locked out from remote access.

    Port 22222

    4d. Disable Empty Passwords
    You don’t want anyone logging in with no password, so let’s go ahead and fix that.

    PermitEmptyPasswords no

    More useful commands
    1. Display All Current Connections, Listening Services, and Processes Handling Them
    Your best friend for Linux server administration.

    netstat -tulpn

    2. Display Services and Their Status
    This will list all services on the system and their status:

    service --status-all

    Or, to show only running services, use grep:

    service --status-all | grep '\[ + \]'

    3. Install RKHunter to scan for common rootkits

    apt-get install rkhunter
    rkhunter -c

    4. Log Locations
    Below are the common default log locations:

    /var/log/message — Where whole system logs or current activity logs are available.
    /var/log/auth.log — Authentication logs.
    /var/log/kern.log — Kernel logs.
    /var/log/cron.log — Crond logs (cron job).
    /var/log/maillog — Mail server logs.
    /var/log/boot.log — System boot log.
    /var/log/mysqld.log — MySQL database server log file.
    /var/log/secure — Authentication log.
    /var/log/utmp or /var/log/wtmp — Login records file.
    /var/log/apt — Apt package manager logs

    Please note this is a very basic security guide and server management primer and will not ensure your security from sophisticated attackers. However, these basic practices should slow them down and prevent you from being an easy target. Hope this helps keep your validator safe and secure!

    JBM replied 1 month, 3 weeks ago 3 Members · 2 Replies
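The checks in sections 2, 3 and 4 of the post can be turned into a repeatable audit rather than a set of commands to remember. The script below is an added example (not part of the original post, and not from any project): it wraps the UID 0 check, the empty-password check, a "which listening ports are not on my allowlist" check over saved `netstat -tulpn` output, and a reader for `sshd_config` that respects the fact that sshd honours the first uncommented occurrence of a directive. All the sample passwd, shadow, netstat and sshd_config files it writes into a temp directory are constructed for an offline run; the function names, the planted `toor` account and the `22222 30303` allowlist are assumptions, not values from the post.

```shell
#!/bin/sh
# Added audit script for the checks in the post above (example code, not part of
# the original post). On a real validator box point the functions at live files:
#   audit_accounts /etc/passwd /etc/shadow;  audit_sshd /etc/ssh/sshd_config
#   netstat -tulpn > /tmp/listen.txt; unexpected_listeners /tmp/listen.txt "22222 30303"
# Everything written under $SAMPLE_DIR below is constructed sample input.

# 2a. Accounts with UID 0; anything besides "root" is a finding.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# 2b. Accounts whose shadow password field is empty (no password at all).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Prints one FINDING line per problem; returns 1 if there were any.
audit_accounts() {
    rc=0
    for u in $(uid0_accounts "$1"); do
        [ "$u" = root ] || { echo "FINDING: extra UID 0 account: $u"; rc=1; }
    done
    for u in $(empty_password_accounts "$2"); do
        echo "FINDING: empty password for $u (lock it with: passwd -l $u)"; rc=1
    done
    return $rc
}

# 3. Listening sockets from saved `netstat -tulpn` output that are reachable from
# outside (not bound to loopback) and whose port is not in the allowlist.
unexpected_listeners() {           # $1 = saved netstat output, $2 = "port port ..."
    awk -v allow=" $2 " '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, a, ":"); port = a[n]
            if (a[1] == "127.0.0.1" || $4 ~ /^::1:/) next   # loopback only, fine
            if (index(allow, " " port " ") == 0) print $1, port
        }' "$1"
}

# 4. Effective value of an sshd_config directive. sshd uses the FIRST uncommented
# occurrence, so this stops at the first match too: a correct line placed below
# a stray duplicate is ignored by sshd and is reported the same way here.
sshd_setting() {                   # $1 = config file, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Checks 4a, 4b and 4d; returns 1 with FINDING lines if any differ from the post.
audit_sshd() {
    rc=0
    [ "$(sshd_setting "$1" PermitRootLogin)" = no ] \
        || { echo "FINDING: PermitRootLogin is not no"; rc=1; }
    [ -n "$(sshd_setting "$1" AllowUsers)" ] \
        || { echo "FINDING: AllowUsers is not set"; rc=1; }
    [ "$(sshd_setting "$1" PermitEmptyPasswords)" = no ] \
        || { echo "FINDING: PermitEmptyPasswords is not no"; rc=1; }
    return $rc
}

# --- constructed sample input, not taken from any real system ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:planted second UID 0:/root:/bin/bash
validator:x:1000:1000:validator:/home/validator:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructed$hash:19200:0:99999:7:::
validator:$6$constructed$hash:19200:0:99999:7:::
guest::19200:0:99999:7:::
nobody:*:19200:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/netstat" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22222           0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:8545          0.0.0.0:*               LISTEN      1201/geth
tcp6       0      0 :::30303                :::*                    LISTEN      1201/geth
udp        0      0 0.0.0.0:30303           0.0.0.0:*                           1201/geth
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1450/mysqld
EOF
cat > "$SAMPLE_DIR/sshd_config.before" <<'EOF'
#PermitRootLogin prohibit-password
#PermitEmptyPasswords no
EOF
cat > "$SAMPLE_DIR/sshd_config.after" <<'EOF'
Port 22222
PermitRootLogin no
AllowUsers validator
PermitEmptyPasswords no
EOF

audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" || true
unexpected_listeners "$SAMPLE_DIR/netstat" "22222 30303" | sed 's/^/FINDING: unexpected listener: /'
audit_sshd "$SAMPLE_DIR/sshd_config.before" || true
audit_sshd "$SAMPLE_DIR/sshd_config.after" && echo "sshd_config.after: no findings"
```

Run it as-is to see the planted findings (`toor`, `guest`, the mysqld listener on 3306, and the unhardened sshd_config), then point the functions at the real files. The loopback exclusion is deliberate: a service bound to 127.0.0.1 is not what the firewall section is worried about, so only sockets listening on all interfaces are compared against the allowlist.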
  • 2 Replies
  • automaton

    Member
    October 14, 2022 at 3:22 pm

    This is a pretty good guide. The commands should be updated from ‘apt-get’ to just ‘apt’ though. @JBM, your age is showing again. 😂

    • JBM

      Member
      October 15, 2022 at 4:41 pm

      LOL! I guess I am. Thanks, I’ll get Zombie to update it.