Allowing ssh login using Sudo
To record every command an engineer runs through sudo after logging in to your server remotely over ssh, do the following:
1. Login to the Linux server using the root login.
2. Edit the /etc/sudoers file using visudo. After editing, the contents of the file should be as follows:
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
Cmnd_Alias USR_BIN_CMDS = /usr/bin/telnet, /usr/bin/tail, /usr/bin/diff, /usr/bin/dig, /usr/bin/find, \
/usr/bin/head, /usr/bin/kill, /usr/bin/ldapsearch, /usr/bin/man, \
/usr/bin/updatedb, /usr/bin/wget, /usr/bin/du, /usr/bin/watch
Cmnd_Alias SBIN_CMDS = /sbin/chkconfig, /sbin/fdisk, /sbin/fsck, /sbin/ifconfig
Cmnd_Alias USR_SBIN_CMDS = /usr/sbin/crond
Cmnd_Alias USR_LIB_CMDS = /usr/lib/rpm
Cmnd_Alias BIN_CMDS = /bin/cat, /bin/cut, /bin/date, /bin/df, /bin/grep, /bin/gunzip, /bin/gzip, \
/bin/kill, /bin/ping, /bin/tar, /bin/uname, /bin/zcat
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
%gpsuperadmin ALL=(ALL) ALL
%gpadmin ALL=(ALL) USR_BIN_CMDS, SBIN_CMDS, USR_SBIN_CMDS, USR_LIB_CMDS, BIN_CMDS, /bin/, /sbin/
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
Defaults logfile=/var/log/secure
3. Save the file.
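As an added example (not part of the original post), the following Python script parses the sudoers rules above, expands the Cmnd_Alias definitions and reports what each group can actually run as root. It flags two things worth checking before the file goes live: an ALL grant, and entries that end in a slash, which sudoers treats as "any program in that directory", so the /bin/ and /sbin/ entries in the %gpadmin rule already cover everything BIN_CMDS and SBIN_CMDS list. The sudoers text embedded in the script is a copy of the rules above with the comments omitted; it checks scope, not syntax, so still run visudo -c on the real file.

```python
"""Audit the gpadmin/gpsuperadmin sudoers rules: expand Cmnd_Alias entries and
flag grants that are wider than the alias lists suggest.
Added example, not part of the original post."""
import re

# Copy of the rule lines from the sudoers file above (comments omitted).
SUDOERS = r"""
Cmnd_Alias USR_BIN_CMDS = /usr/bin/telnet, /usr/bin/tail, /usr/bin/diff, /usr/bin/dig, /usr/bin/find, \
/usr/bin/head, /usr/bin/kill, /usr/bin/ldapsearch, /usr/bin/man, \
/usr/bin/updatedb, /usr/bin/wget, /usr/bin/du, /usr/bin/watch
Cmnd_Alias SBIN_CMDS = /sbin/chkconfig, /sbin/fdisk, /sbin/fsck, /sbin/ifconfig
Cmnd_Alias USR_SBIN_CMDS = /usr/sbin/crond
Cmnd_Alias USR_LIB_CMDS = /usr/lib/rpm
Cmnd_Alias BIN_CMDS = /bin/cat, /bin/cut, /bin/date, /bin/df, /bin/grep, /bin/gunzip, /bin/gzip, \
/bin/kill, /bin/ping, /bin/tar, /bin/uname, /bin/zcat
root ALL=(ALL) ALL
%gpsuperadmin ALL=(ALL) ALL
%gpadmin ALL=(ALL) USR_BIN_CMDS, SBIN_CMDS, USR_SBIN_CMDS, USR_LIB_CMDS, BIN_CMDS, /bin/, /sbin/
Defaults logfile=/var/log/secure
"""

ALIAS_RE = re.compile(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$")
# user-or-group  host=(runas)  command list
RULE_RE = re.compile(r"^(\S+)\s+\S+=\(\S+\)\s*(.+)$")


def join_continuations(text):
    """Merge lines that end in a backslash with the line that follows them."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_sudoers(text):
    """Return (aliases, rules): alias name -> commands, user/group spec -> entries."""
    aliases, rules = {}, {}
    for line in join_continuations(text):
        if line.startswith("#") or line.startswith("Defaults"):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if m:
            rules[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return aliases, rules


def expand(entries, aliases):
    """Replace alias names by their commands (aliases may reference aliases)."""
    out = []
    for entry in entries:
        if entry in aliases:
            out.extend(expand(aliases[entry], aliases))
        else:
            out.append(entry)
    return out


def audit(text):
    """Effective command list per user/group plus findings on over-broad grants."""
    aliases, rules = parse_sudoers(text)
    report = {}
    for spec, entries in rules.items():
        cmds = expand(entries, aliases)
        findings = []
        if "ALL" in cmds:
            findings.append("ALL: may run any command as root")
        for cmd in cmds:
            # In sudoers a path ending in '/' matches every file in that directory.
            if cmd.endswith("/"):
                findings.append(f"{cmd}: every program in this directory is permitted")
        report[spec] = {"commands": cmds, "findings": findings}
    return report


if __name__ == "__main__":
    for spec, info in audit(SUDOERS).items():
        print(f"{spec}: {len(info['commands'])} command entries")
        for finding in info["findings"]:
            print(f"  - {finding}")
```

Running it lists 33 effective entries for %gpadmin and two directory-wide findings; if the intent is to limit the level 1 administrator to the named commands, drop the /bin/ and /sbin/ entries and keep only the aliases.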
4. Create two Linux groups, gpadmin and gpsuperadmin.
groupadd gpadmin
groupadd gpsuperadmin
5. Create two Linux users, admin and superadmin, and add them to the gpadmin and gpsuperadmin groups respectively.
useradd -g gpadmin admin
useradd -g gpsuperadmin superadmin
6. When giving a level 1 administrator remote access, reset the password of the user admin and enable ssh access from the client's IPs.
passwd admin
Note: Do not use generic passwords such as redhat, linux, password, pass@123 etc. If the server is reachable from the Internet, it will be compromised within minutes.
7. After the login, reset the admin user's password so that the user cannot log in again without your knowledge.
8. In some cases the client may require a superadmin login, which gives access to a larger set of Linux commands. If the remote engineer requests a superadmin login, reset the password of the superadmin user.
passwd superadmin
9. After the incident is over, reset the password so that no one can log in to your server without prior permission.
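Added example, not from the original post: a small Python reviewer for the log that Defaults logfile=/var/log/secure produces, to support the review at the end of the procedure. The sample lines are constructed in the layout sudo uses for its own logfile (date : user : [message ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...); the exact layout can differ between sudo versions, which is an assumption here, so lines the parser does not recognise are returned separately instead of being dropped.

```python
"""Review the sudo command log written by 'Defaults logfile=/var/log/secure'.
Added example, not part of the original post."""
import re
from collections import Counter

# Constructed sample lines in the layout sudo uses for its own logfile:
#   date : user : [message ;] TTY=... ; PWD=... ; USER=... ; COMMAND=...
# Exact layout differs between sudo versions (assumption); unrecognised lines
# are reported rather than silently dropped.
SAMPLE_LOG = """\
Mar  3 10:15:02 : admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/cat /var/log/messages
Mar  3 10:15:40 : admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/tail -n 50 /var/log/secure
Mar  3 10:16:11 : admin : command not allowed ; TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Mar  3 10:20:05 : superadmin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/sbin/fdisk -l
Mar  3 10:21:30 : admin : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/df -h
this line is not a sudo entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+) : (?P<user>\S+) : "
    r"(?:(?P<status>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_log(text):
    """Split log text into parsed entries and the lines that did not match."""
    entries, unparsed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        entry = m.groupdict()
        entry["status"] = entry["status"] or "ok"   # no message means sudo ran it
        entries.append(entry)
    return entries, unparsed


def summarize(entries):
    """Command count per login and every entry sudo refused or could not authenticate."""
    per_user = Counter(e["user"] for e in entries)
    flagged = [e for e in entries if e["status"] != "ok"]
    return per_user, flagged


def commands_for(entries, user):
    """Chronological list of commands one login ran: the post-incident record."""
    return [e["cmd"] for e in entries if e["user"] == user]


if __name__ == "__main__":
    entries, unparsed = parse_log(SAMPLE_LOG)
    per_user, flagged = summarize(entries)
    for user, count in per_user.items():
        print(f"{user}: {count} sudo invocations")
        for cmd in commands_for(entries, user):
            print(f"    {cmd}")
    for e in flagged:
        print(f"FLAG {e['ts']} {e['user']}: {e['status']} -> {e['cmd']}")
    for line in unparsed:
        print(f"UNPARSED: {line}")
```

Run it against the real file with something like parse_log(open("/var/log/secure").read()); the flagged entries (a command outside the gpadmin list, or repeated password failures) are the ones to discuss with the client before resetting the passwords again.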