I have a user called ec2-user and by this user I am getting connected to my EC2 instance by the help of the pem file I am able to connect to the machine,
Now I have added this user to the sudoers list by this command:
echo 'ec2-user ALL=(ALL) ALL' >> /etc/sudoers
This command executed successfully but after that when ever I want to do sudo its asking for password, when there is no password on the ec2-user.
Now, I have some of the questions:
If this is the wrong way, why Linux allows it to complete the command?
If this is right, then how to give the password?
If this I did in wrong way, how can I come back to my normal situation?
Thanks all
If this is the wrong way, why Linux allows it to complete the command?
No point in blaming Linux, It assumes that you have password set for an user.
If this is right, then how to give the password?
No, you can't provide a pasword because there is no pasword
If this I did in wrong way, how can I come back to my normal
situation?
Only way out is to boot the machine in single user mode and undo your changes. Unfortunately, you cannot boot an EC2 instnace into single user mode. Check with Amazon support whether they can help you with that.
You are pretty have run out of options. Create a new instance and then copy over your data by attaching EBS volume of this instance.
I assume you are using Amazon Linux AMI. For this AMI, by default the only account that can log in remotely using SSH is ec2-user. Also by default, password authentication is disabled to prevent brute-force password attacks. You must provide your key pair to the instance at launch, as you have already done. Please note that ec2-user has sudo privileges by default. When you do sudo, you don't have to enter any password. When you changed the sudoers file manually, you kind of changed the setting to require the password for any sudo operation by user ec2-user. Sorry that I don't know a easy way to get back to normal. I would suggest launching a new AMI instance and terminating your old one.
Related
On one server I have an application running as a non-root linux user.
I forgot its password, so I was about to change it using root priviledges, but then I wondered if that could harm the application running with that user.
I looked online but I didn't find any answers to this. Does anything happens to the user's running processes when the user's password is changed?
tl;dr
some testing did not cause any problems in a new user, it seems safe to change password without changing any access parameters.
Steps:
Created a new user: testing
useradd -d /home/testing -m -p testing1 testing
logged into 'testing' user in another terminal.
launched htop (accesses system resources and updates constantly).
changed password with passwd.
changed back to the testing terminal and everything was working fine.
Caveat: Havent tested on any software where auth is required (ssh, pc etc...)
The service will keep running, But it won't start the next time.
You will have to reconfigure the service with the new password.
linux security and root access question....
I'm setting up a server that has a validator node running on it for a substrate-based blockchain. I was trying to harden the security of my server. I set up ufw for all ports but those necessary for the node to operate. I set up 2FA, SSH with ed25519, and then I was spending time trying to figure out, if for some crazy reason someone got in... how could I stop someone from using systemctl or poweroff with sudo privilages. The goal is maximize uptime and remain in sync with the other nodes at all times.
Anyways, I started blocking bash commands for the user account that allows SSH and blocked SSH to root. Then I blocked a few more commands and thought, what if someone could find their way around this? So, I just started blocking too many things lol. Even though I disabled sudo for the user and blocked a number of commands the user could still use systemctl and stop the service for the node. Eventually I found this guide on how to only allow a few commands for a user.
Update: I didn't properly remove the user from the sudo group. Afterwards they could still use systemctl but the system then allowed systemctl to pop up with an input for the root user password for authentication. Anyways, I just wanted something simple yet secure sooo....
I ended up removing all of the commands from the user and symlinked the su command and renamed it to a random command that only I know. All of the other commands done by the user respond with
-rbash: /usr/lib/command-not-found: restricted: cannot specify /' in command names
I took away bash history and bash autocomplete/tab completion. Now the only thing you can do is guess commands that will get you to the point where you still have to get past my root password. Is there a way for hackers to scan for available commands when there is only one available that is masked in this way?
Anyways, I'm saying all of this because I have always heard best security practices involve "disabling root". Sometimes I see it as just disable root SSH, which i already have done, but sometimes i read it like disable the root account. Some say disable the password and try to divvy it up with sudo privileges so it's more traceable to individual users.
In my case I need to preserve root access in some way but I basically hid everything within the root user. So, if anyone gets access to root it's over. But, it's behind 2FA, SSH, and an unknown command that just gets to where you can try a password to access root.
Am I thinking about this "disable root for security" all wrong and I should disable it completely or does it make sense what I've done so far?
You can also create a SSH key and use this to login to a Linux server, instead of using a password, and do not share your private key.
The following link is a tutorial on how to create a SSH key one, https://www.cyberciti.biz/faq/how-to-set-up-ssh-keys-on-linux-unix/
You could also add user filtering with AllowUsers option in sshd_config file:
AllowUsers admin1#192.168.1.* admin2#192.168.1.* otherid1 otherid2
This allows admin1 and admin2 only from 192.168.1.* addresses and otherid1, otherid2 from anywhere.
I two CentOS 6.5 servers and I have a very complex shell script connecting this two servers and make some backups with root user without password. There is some rsa keys for this.
For security purpes I disabled root login on both servers and I tried to change the script to use a user insted of root but it's doesen't work. I have changed the user rights from /etc/sudoers to user ALL=(ALL) ALL.
If I generate another ssh key with ssh-keygen -t rsa it say me that I don't have permisson and if I use sudo ssh-keygen -t rsa he create me a key for root#server.
I think the problem will be solve if I can change the user rights to run sudo comands without "sudo", like root but I don't know if this it's possible.
Thanks!
To maintain security, yet to accomplish this certain work, you need to do the followings:
Create a new user account, for this certain work only.
Give this user an ssh-key to automatically login without password.
The login shell should not be /bin/bash, for obvious security
reason. You can setup SSH connection to run certain program/command
for this specific user. I don't want to explain the details here.
Please search the web for the answer for this.
Since this program needs root permission, and this user is not the
root, you need to setup an effective executable permission as
root (i.e. setuid). To make it only executable by this certain user (and root),
you need to create a new group, set this user to join this group,
and set the program to be executable by this group (chmod 4770, 4
for setuid, 770 to be executable by the group, and the owner). The
program must be owned by root (so that it setuid to root), with the group assigned
to that certain group. The program can be a binary-executable, or a script.
That does not matter.
Caution: Your setuid program/script must be very careful not to
contain exploitable security weaknesses.
I've this need, I have to install ubuntu on a machine for a specific purpose, and I have to create a particular locked user account.
On startup i need to display the login box (so I have to admin the machine, only reboot and login as root) in the format with username and password fields.
After the login of this user, I have to auto open Google Chrome on a specific page.
Stop, this specific user doesn't have to do more. This machine is connected to a display with show ads in the expo of my client.
How to do this? I don't have any idea. Can anyone tell me ALL the correct step to achieve this?
Thanks in advance, Francesco
You have to setup a kiosk mode. You can find a good tutorial and all needed steps at http://www.alandmoore.com/blog/2011/11/05/creating-a-kiosk-with-linux-and-x11-2011-edition/
This may be an "old hat" answer...but yes, it's pretty common in practice to simply create a login shell that does a specific task (kind of similar to FTP or backup user accounts).
This means - simply put - in the /etc/passwd where you normally put the shell for the user (/bin/bash or whatever) you actually put a script that does whatever you want it to. When the script ends, the user is booted off.
If this is combined with a properly configured selinux, its pretty safe as long as the script is not hackable (I.e. does not request input which can have appended commands (I.e. "input name:" Mike; rm -rf /) or that can lead to a buffer overrun.
For this reason, its good practice to put the script in an isolated directory, chroot the user, put the user in its own group, and have the user/group only have permissions to that dir.
I am using ssh for connecting one of the systems.
I have a perl script in that system which I have to run from my machine. But the commands in remote system runs only when it is in Super user mode (I give su - to become the super user, if I am working directly on the remote system)
But if I have to run the perl script from my system ( I am using OpenSSH for this purpose), in super user mode, how should I do it?
By the way, I have placed the command $sh->system("su -") . But it asks for the password but does not proceed further. I have waited for 5 mins atleast, even then I didnt get any response after I entered the password.
Can anyone say how to deal with this situation?
You could use sudo, and allow your user to become root with no password
Read the entry titled "Can't change working directory" on Net::OpenSSH FAQ to know why it doesn't work.
Then read the other entry, "Running remote commands with sudo", to see how you can solve it.
If you don't want ssh to ask for the password, you can add your client user key in the server .ssh/authorized_keys file of the target user. Using this, ssh won't ask for a password anymore.