Log in as root:
$ su root
or
$ su -
Install sudo:
# apt update
# apt upgrade
# apt install sudo
Add the user to the sudo group:
sudo usermod -aG sudo <username>
If the user does not exist yet, create it first:
adduser <username>
then add it to the group (the Debian equivalent of the usermod command above):
adduser <username> sudo
Verify whether user was added:
getent group sudo
Then exit the root session and exit again to return to the login prompt (or reboot), and log in again as the user.
Check that this user has sudo privileges:
sudo whoami
It should answer root. If not, edit the sudoers file as explained below and add this line:
<username> ALL=(ALL:ALL) ALL
From here on out, run root-privileged commands via prefix sudo. For instance:
$ sudo apt update
Configuring sudo: sudo visudo
Edit the sudoers file (visudo works on a temporary sudoers.tmp copy and syntax-checks it before installing) as root with the command:
sudo visudo
To change visudo editor from nano to vim:
sudo update-alternatives --config editor
And add these Defaults settings as per subject instructions:
- To limit authentication using sudo to 3 attempts in the event of an incorrect password:
Defaults passwd_tries=3
- To add a custom error message in the event of an incorrect password:
Defaults badpass_message="Wrong password. Try again!"
or, to use sudo's built-in messages instead:
Defaults insults
- To archive all sudo inputs & outputs to /var/log/sudo:
Defaults log_input, log_output
Defaults logfile="/var/log/sudo/sudo.log"
Note that logfile only sets the command log; the recorded input/output sessions go to sudo's iolog_dir, which defaults to /var/log/sudo-io, so add Defaults iolog_dir="/var/log/sudo" if the recordings must land in /var/log/sudo as well.
- To require a TTY:
Defaults requiretty
- To set sudo paths:
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
If the /var/log/sudo directory does not exist, create it: sudo mkdir -p /var/log/sudo
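As an added example (not part of this guide), a small POSIX shell audit that parses a sudoers file and reports which of the Defaults above are missing; the function names sudoers_defaults and check_sudoers and the sample sudoers content are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a sudoers file for the
# Defaults directives listed above. The sudoers content below is constructed
# for the demo; on a real machine point check_sudoers at /etc/sudoers.

# Print every directive found on a Defaults line, one per line. Full-line
# comments are dropped; comma-separated lists (log_input, log_output) are
# split. Per-user/host forms (Defaults:user, Defaults@host) are not matched.
sudoers_defaults() {
    grep -v '^[[:space:]]*#' "$1" | awk '
        /^[[:space:]]*Defaults([[:space:]]|$)/ {
            sub(/^[[:space:]]*Defaults[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            n = split($0, a, /,[[:space:]]*/)
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }'
}

# Usage: check_sudoers <file> <directive>...
# Prints each missing directive; returns 1 if any is missing, 0 otherwise.
check_sudoers() {
    file=$1; shift
    found=$(sudoers_defaults "$file")
    rc=0
    for want in "$@"; do
        printf '%s\n' "$found" | grep -Fxq -- "$want" \
            || { echo "missing: Defaults $want"; rc=1; }
    done
    return $rc
}

# Constructed sample: complete except that requiretty is still commented out.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
Defaults        env_reset
Defaults        passwd_tries=3
Defaults        badpass_message="Wrong password. Try again!"
Defaults        log_input, log_output
Defaults        logfile="/var/log/sudo/sudo.log"
#Defaults       requiretty
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root    ALL=(ALL:ALL) ALL
EOF

check_sudoers "$SAMPLE" passwd_tries=3 'badpass_message="Wrong password. Try again!"' \
    log_input log_output 'logfile="/var/log/sudo/sudo.log"' requiretty \
    'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"' \
    && echo "sudoers OK" || echo "sudoers incomplete"
```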
You can delete a user with the userdel command and delete a group with the groupdel command.
Install OpenSSH:
$ sudo apt install openssh-server
Check SSH status:
$ sudo systemctl status ssh
Change SSH listening port to 4242:
$ sudo nano /etc/ssh/sshd_config
Find this line:
#Port 22
And uncomment (delete #) and change it to 4242:
Port 4242
To disable SSH login as root regardless of the authentication mechanism, find this line:
#PermitRootLogin prohibit-password
And uncomment (delete #) and change it to:
PermitRootLogin no
Restart the SSH service:
$ sudo systemctl restart ssh
Check SSH status:
$ sudo service ssh status
$ systemctl status ssh
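Added example, not from the guide: sshd uses the first uncommented occurrence of a keyword, so a Port 4242 added below a leftover uncommented Port 22 changes nothing, and this shell snippet reports the value sshd will actually apply. The functions sshd_effective and check_sshd and the two sample configs are constructed here.

```shell
#!/bin/sh
# Added example, not part of the original guide: show which value sshd will
# actually use. sshd takes the FIRST uncommented occurrence of a keyword, so a
# "Port 4242" appended below a still-uncommented "Port 22" is silently ignored.
# Both configs below are constructed; on a real host `sudo sshd -T` prints the
# effective settings.

# Usage: sshd_effective <file> <keyword>
# Prints the effective value, or nothing when the keyword appears only in
# comments (sshd then uses its built-in default). Keyword match is
# case-insensitive; Include directives are not followed.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Usage: check_sshd <file>
# Returns 0 only when Port is 4242 and PermitRootLogin is no, as required above.
check_sshd() {
    port=$(sshd_effective "$1" Port)
    root=$(sshd_effective "$1" PermitRootLogin)
    rc=0
    [ "$port" = 4242 ] \
        || { echo "Port: effective '${port:-22 (default)}', want 4242"; rc=1; }
    [ "$root" = no ] \
        || { echo "PermitRootLogin: effective '${root:-prohibit-password (default)}', want no"; rc=1; }
    return $rc
}

# Constructed: the edit done correctly.
GOOD=$(mktemp)
cat >"$GOOD" <<'EOF'
Port 4242
PermitRootLogin no
EOF

# Constructed: "Port 22" was uncommented instead of changed, then "Port 4242"
# was appended at the end. sshd keeps listening on 22.
BAD=$(mktemp)
cat >"$BAD" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin no
Port 4242
EOF

check_sshd "$GOOD" && echo "GOOD: ok"
check_sshd "$BAD" || echo "BAD: fix the config and restart ssh"
```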
Install and enable UFW:
$ sudo apt install ufw
Verify installation:
dpkg -l | grep ufw
Enable the firewall:
$ sudo ufw enable
Allow or deny ports:
$ sudo ufw allow 4242
$ sudo ufw deny <port>
Check UFW status:
$ sudo ufw status verbose
Remove port rule:
$ sudo ufw delete allow <port>
$ sudo ufw delete deny <port>
Or, another method for rule deletion:
$ sudo ufw status numbered
$ sudo ufw delete <port index number>
Careful with the numbered method, the index numbers change after a deletion, check between deletes to get the correct port index number!
Forward the host port 4242 to the guest port 4242: in VirtualBox,
- go to VM >> Settings >> Network >> Adapter 1 >> Advanced >> Port Forwarding.
- add a rule: Host port 4242 and guest port 4242.
Restart SSH service after this change.
In the host terminal, connect like this:
$ ssh <username>@localhost -p 4242
Or like this:
$ ssh <username>@127.0.0.1 -p 4242
To quit the ssh connection, just exit.
Password Age
Edit /etc/login.defs
and find "password aging controls". Modify them as per subject instructions:
PASS_MAX_DAYS 30
PASS_MIN_DAYS 2
PASS_WARN_AGE 7
These changes are not applied automatically to existing users, so use the chage command to update them for each existing user and for root:
$ sudo chage -M 30 <username/root>
$ sudo chage -m 2 <username/root>
$ sudo chage -W 7 <username/root>
Use chage -l <username/root> to check a user's settings.
Password Strength
Install password quality verification library:
$ sudo apt install libpam-pwquality
Verify installation:
dpkg -l | grep libpam-pwquality
Configure password strength policy via:
sudo vim /etc/pam.d/common-password
specifically this line:
password requisite pam_pwquality.so retry=3
- To set password minimum length to 10 characters, add the following option to the above line:
minlen=10
- To require password to contain at least an uppercase character and a numeric character: ucredit=-1 dcredit=-1
- To set a maximum of 3 consecutive identical characters: maxrepeat=3
- To reject the password if it contains the username in some form: reject_username
- To set the number of changes required in the new password from the old password to 7: difok=7
- To implement the same policy on root: enforce_for_root
- Finally, the line should look like the one below:
password requisite pam_pwquality.so retry=3 minlen=10 ucredit=-1 dcredit=-1 maxrepeat=3 reject_username difok=7 enforce_for_root
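An added example (not from the guide) that lets you dry-run candidate passwords against the policy line above in plain shell before enforcing it; check_password and reverse are names chosen here, the sample passwords are constructed, and difok=7 is only approximated.

```shell
#!/bin/sh
# Added example, not part of the original guide: a plain-shell approximation of
# the pam_pwquality line above. minlen=10, ucredit=-1, dcredit=-1, maxrepeat=3
# and reject_username are implemented as stated; difok=7 is approximated (count
# of characters in the new password that occur nowhere in the old one), which
# is not libpwquality's exact comparison. Passwords below are constructed.

# Reverse a string with awk (portable; `rev` is not on every system).
reverse() {
    printf '%s' "$1" | awk '{ for (i = length($0); i > 0; i--) printf "%s", substr($0, i, 1) }'
}

# Usage: check_password <candidate> <username> [old-password]
# Prints each violated rule; returns 0 only when the candidate passes.
check_password() {
    pw=$1; user=$2; old=$3; rc=0
    [ "${#pw}" -ge 10 ] || { echo "minlen=10: too short"; rc=1; }
    printf '%s' "$pw" | grep -q '[[:upper:]]' || { echo "ucredit=-1: needs an uppercase letter"; rc=1; }
    printf '%s' "$pw" | grep -q '[[:digit:]]' || { echo "dcredit=-1: needs a digit"; rc=1; }
    # maxrepeat=3 rejects 4 or more identical consecutive characters
    printf '%s' "$pw" | grep -q '\(.\)\1\1\1' && { echo "maxrepeat=3: 4+ identical characters in a row"; rc=1; }
    # reject_username: the username straight or reversed, case-insensitive
    if [ -n "$user" ]; then
        lpw=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
        luser=$(printf '%s' "$user" | tr 'A-Z' 'a-z')
        case "$lpw" in
            *"$luser"*|*"$(reverse "$luser")"*) echo "reject_username: contains the username"; rc=1 ;;
        esac
    fi
    # difok=7 (approximation): at least 7 characters of the new password must be absent from the old one
    if [ -n "$old" ]; then
        n=$(printf '%s\n%s\n' "$old" "$pw" | awk 'NR == 1 { old = $0; next }
            { n = 0; for (i = 1; i <= length($0); i++) if (index(old, substr($0, i, 1)) == 0) n++; print n }')
        [ "$n" -ge 7 ] || { echo "difok=7: only $n characters differ from the old password"; rc=1; }
    fi
    return $rc
}

# Demo on constructed values: a compliant password, then one that embeds the login reversed.
check_password 'Xylophone99Z' login42 'Born2beroot1' && echo "accepted"
check_password '24nigoLPass9' login42 || echo "rejected"
```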
Hostname
The hostname must be your_intra_login42, but the hostname must be changed during the Born2beroot evaluation. The following commands might help:
$ sudo hostnamectl set-hostname <new_hostname>
$ hostnamectl status
There must be a user with your_intra_login as username. During evaluation, you will be asked to create, delete and modify user accounts. The following commands are useful to know:
sudo adduser <username> : Create a new user
sudo userdel -r <username> : Delete a user and all associated files
getent passwd <username> : Verify whether the user was successfully created
sudo chage -l <username> : Verify the newly-created user's password expiry information
sudo addgroup user42 : Create the user42 group
sudo adduser <username> user42 : Add the user to the user42 group
getent group user42 : Verify whether the user was successfully added to the user42 group
- Configure cron as root:
sudo crontab -u root -e
- To schedule a shell script to run every 10 minutes, replace the template line
# m h dom mon dow command
with
*/10 * * * * sh /path/to/script
- Check root's scheduled cron jobs:
sudo crontab -u root -l