imthenachoman / how-to-secure-a-linux-server
An evolving how-to guide for securing a Linux server.
License: Creative Commons Attribution Share Alike 4.0 International
On the SSH server config, it is always a good practice to change the TCP port value from 22 to a random one (example 6222).
This will help avoid bad actors randomly scanning for open default ports.
Then the new SSH port should be allowed in through UFW.
In the README it says "If you set PasswordAuthentication yes in /etc/ssh/sshd_config, then SSH won't let you connect without the public key."
It should be "PasswordAuthentication no" instead.
In some systems this bug will occur: sshd will not start at boot if ListenAddress is set. I ran into it myself following this guide. It is a failure of systemd and ssh devs to communicate who will fix it.
Anyway, there is a simple workaround to it by 'nimishp12':
changing /etc/systemd/system/sshd.service:
After=network.target audit.target
Wants=network.target
to
Requires=multi-user.target
Before=shutdown.target
After=multi-user.target
Wants=multi-user.target
This also solves the problem of using various network.service/targets that may still cause issues just using Before/After network-online.target
Using Docker can help you secure apps and server
Hello,
I am willing to contribute a paragraph on dnf-automatic, which is the dnf counterpart to unattended-upgrades and yast-online-update-configuration for zypper/yast.
Can I propose such a paragraph (and could you assign that issue to me while I work on it)?
There is a bug with ssh.service's systemd startup scripts that will prevent SSH from starting at boot if you specify an IP with ListenAddress in /etc/ssh/sshd_config.
See these for more details:
I have not found a fix.
Need help
RFC 8314 recommends that you prefer implicit TLS on port 465 over STARTTLS on 587:
o TLS version 1.2 or greater be used for all traffic between MUAs and Mail Submission Servers, and also between MUAs and Mail Access Servers.
o MUAs and Mail Service Providers (MSPs) (a) discourage the use of cleartext protocols for mail access and mail submission and (b) deprecate the use of cleartext protocols for these purposes as soon as practicable.
o Connections to Mail Submission Servers and Mail Access Servers be made using "Implicit TLS" (as defined below), in preference to connecting to the "cleartext" port and negotiating TLS using the STARTTLS command or a similar command.
So I would at least recommend changing the GMail port used. I'm not sure what if any other changes are needed to be made to the document.
Sadly, systemd seems to assume /proc is mounted with hidepid set to its default value in order to function properly.
See:
Considering the widespread use of systemd nowadays, I suppose you might want to add a notice for its users.
Add hint to test SSH config with a second terminal session otherwise a lock-out will happen.
Hi
May you please publish this valuable document Under some copyleft and specially Free Culture license (such as CC0, CC-BY, CC-BY-SA)?
Hi,
I followed your guide and ran into the following problem when using psad -R:
/etc/psad# ufw reload
Firewall reloaded
root@server:/etc/psad# psad -R
[-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on server
[+] Stopping psad, pid: 1491
[+] Stopping psad_fw_read, pid: 1492
[+] Restarting psad daemons on
I followed the instructions step by step and it did not work for me at the beginning.
My solution, which works for me:
In the file /etc/ssh/sshd_config I had to add AuthenticationMethods publickey,keyboard-interactive
And I removed the nullok in the file /etc/pam.d/sshd.
But I don't know if this is necessary.
I recently put together some notes for myself for using LXD, if there's interest I can clean them up a bit more and make a pull request.
My reasons for using LXD came down to:
My notes:
sudo snap install lxd
lxd init
accept defaults to everything (don't need ip6 though, can disable later with lxc network set lxdbr0 ipv6.address none)
lxc launch ubuntu:20.04 <container name>
lxc config set <container name> boot.autostart false
lxc list
lxc exec <container name> -- [command to run in container]
lxc exec <container name> -- sudo --login --user ubuntu
lxc exec <container name> bash
<server local interface> := probably enp34s0, check with 'ip link show' on host
<server local ip> := self explanatory
<server port> := port you want to forward from host to container
<container ip:port> := get ip from lxc list, port that is listening inside container
sudo iptables -t nat -I PREROUTING -i <server local interface> -p TCP -d <server local ip> --dport <server port> -j DNAT --to-destination <container ip:port> -m comment --comment "forward to container"
sudo iptables -t nat -L PREROUTING
sudo apt install iptables-persistent
sudo netfilter-persistent save
https://www.cyberciti.biz/faq/how-to-add-or-mount-directory-in-lxd-linux-container/
https://askubuntu.com/questions/610513/how-do-i-share-a-directory-between-an-lxc-container-and-the-host
https://github.com/lxc/lxd#can-i-bind-mount-my-home-directory-in-a-container
https://github.com/lxc/lxd/blob/master/doc/userns-idmap.md
lxc config device show <container name>
lxc config device add <container name> <device name> disk source=<path on host> path=<path on container>
use command 'id' to check uid and gid on host and container (all probably 1000)
lxc config set <container name> raw.idmap "both 1000 1000"
lxc config device remove <container name> <device name>
lxc restart <container name>
lxc config show --expanded <container name> | grep privileged
ps -ef | grep <process in container> # make sure not running as root
lxc config get <container name> security.privileged # If that shows "true", then the container is privileged, otherwise it is not
lxc list security.privileged=true # check all at once
Suggesting setting up a backup website that doesn't require going through Github to view.
A free option being Neocities, at minimum this would be nice. Alternatively, a super basic pure HTML/CSS website that hosts this same content. If a website is not desired (although nice imo), a Gitea instance or some other self-hosted similar service would be very nice to have.
Two separate questions.
Is the NTP setup necessary for Ubuntu versions above 16.04? Or is this no longer needed due to the fact that these versions of Ubuntu come with timesyncd? (sources: Corey Goldberg's comment on this answer https://askubuntu.com/a/641160 and these Digital Ocean articles: https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-20-04 - https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-18-04 - https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-16-04 )
If NTP setup is necessary, do we need to disable timesyncd as per the following quote: "Before installing ntpd, you need to turn off timesyncd in order to prevent the two services from conflicting with one another." from this article https://www.digitalocean.com/community/tutorials/how-to-set-up-time-synchronization-on-ubuntu-16-04 ?
I've asked this on stackexchange and r/linuxfornoobs but nobody has answered so I'm gonna see if I can get a hit here.
I'm setting up AIDE monitoring on Raspbian. I first tried over ssh but it timed out due to my timeout settings. Then I set up the new AIDE db directly on the RPi command line. I had to overwrite the DB that was created on the first try.
I ran sudo aide.wrapper --check after it successfully initialized and it returned a ton of files with mismatched hashes. Some of the mismatched original hashes were dated 8/30 but I init'd on 8/31. I have no idea why... I installed AIDE on 8/31 and the system should be clean because it's like three days old. Is that date based on the original creation of the file?
Two more questions:
--mailfrom is not a valid flag for the logwatch command on Debian 9.
Consider adding information about not just SELinux as noted in your TODOs, but MAC (Mandatory Access Control) and Linux Security Modules (LSMs) in general.
The Arch wiki seems like a good starting point - and a good source on Linux security overall.
Using Ubuntu 18.04, when running the command
sudo fail2ban-client add sshd
I receive the error message:
name 'noduplicates' is not defined
The config file is exactly as described in the guide. All previous fail2ban commands ran successfully with no warnings.
USEREMAIL misspelled as USRMAIL
MAILPROV uses smtp.google.com instead of smtp.gmail.com and I'm not sure if the port is supposed to be here either
USERLOC is unused
cat <<EOF> .msmtprc assumes you are running the command inside /root I think.
MAILPORT variable is referenced but never defined
The table of contents link in the README.md file that goes to the MSMTP section doesn't work.
It may be good to note that there is a way to enter your password from command line interactive standard input without having to ever type it out in a command line command otherwise, because commands can get logged in .bash_history for example as noted here https://wiki.archlinux.org/title/msmtp
It also maybe should be noted to not store the MSMTP script in a file if you want to avoid having your password / the PWDEMAIL stored in a file in plain text.
If you aren't going to use OAuth, you need to set up an app password for your gmail account. You can't just use your main password. The process for doing so can be found here https://caupo.ee/blog/2020/07/05/how-to-install-msmtp-to-debian-10-for-sending-emails-with-gmail/
I had some trouble with the GPG stuff, but I forget what exactly.
There quite possibly could be more errors, because as of 5 hours ago, I didn't have any experience with any of this, and I don't know what many of the commands in the MSMTP setup script are doing.
It would be good to at least note that the script is broken and any caveats in the meantime if no one wants to spend the time to implement all of the changes right now. I spent a lot of extra time investigating why things weren't working before realizing that the config said smtp.google.com instead of smtp.gmail.com
I also think it would be good to mention that people can install either msmtp or Exim4. (I think this is the case, right?). With no context about any of this stuff, it took me a bit to realize this.
Thank you Nacho Man and everyone who has put this repo together
Anything in this that can/should be added
https://gist.github.com/lizthegrey/9c21673f33186a9cc775464afbdce820
Hi,
Thank you for putting this guide together.
Looking for some assistance with creating custom application profiles for UFW for the software I use on my Pi.
I'm not sure if these ports are all needed or if they need in or out access? Also I would like to restrict access to my LAN if the apps don't need WAN access?
Would appreciate any help
Thanks
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:37601 0.0.0.0:* users:(("avahi-daemon",pid=375,fd=14))
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=375,fd=12))
udp UNCONN 0 0 0.0.0.0:8999 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=29))
udp UNCONN 0 0 192.168.0.28:1900 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=35))
udp UNCONN 0 0 127.0.0.1:1900 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=33))
udp UNCONN 0 0 0.0.0.0:1900 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=32))
udp UNCONN 0 0 127.0.0.1:33651 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=19))
udp UNCONN 0 0 127.0.0.1:8125 0.0.0.0:* users:(("netdata",pid=599,fd=18))
udp UNCONN 0 0 127.0.0.1:37898 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=34))
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* users:(("unbound",pid=708,fd=5))
udp UNCONN 0 0 192.168.0.28:40514 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=21))
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:* users:(("dhcpcd",pid=580,fd=10))
udp UNCONN 0 0 192.168.0.28:6771 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=20))
udp UNCONN 0 0 127.0.0.1:6771 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=18))
udp UNCONN 0 0 0.0.0.0:6771 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=17))
udp UNCONN 0 0 192.168.0.28:36981 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=36))
udp UNCONN 0 0 0.0.0.0:32899 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=37))
udp UNCONN 0 0 *:5353 *:* users:(("avahi-daemon",pid=375,fd=13))
udp UNCONN 0 0 [::1]:48913 *:* users:(("qbittorrent-nox",pid=582,fd=24))
udp UNCONN 0 0 *:8999 *:* users:(("qbittorrent-nox",pid=582,fd=30))
udp UNCONN 0 0 [fe80::996:7a13:5297:ad6a]:37676 *:* users:(("qbittorrent-nox",pid=582,fd=26))
udp UNCONN 0 0 [::1]:8125 *:* users:(("netdata",pid=599,fd=16))
udp UNCONN 0 0 *:32782 *:* users:(("avahi-daemon",pid=375,fd=15))
udp UNCONN 0 0 *:546 *:* users:(("dhcpcd",pid=580,fd=15))
udp UNCONN 0 0 [::1]:53 *:* users:(("unbound",pid=708,fd=3))
udp UNCONN 0 0 [fe80::996:7a13:5297:ad6a]:6771 *:* users:(("qbittorrent-nox",pid=582,fd=25))
udp UNCONN 0 0 [::1]:6771 *:* users:(("qbittorrent-nox",pid=582,fd=23))
udp UNCONN 0 0 *:6771 *:* users:(("qbittorrent-nox",pid=582,fd=22))
tcp LISTEN 0 20 127.0.0.1:25 0.0.0.0:* users:(("exim4",pid=1349,fd=3))
tcp LISTEN 0 128 127.0.0.1:8125 0.0.0.0:* users:(("netdata",pid=599,fd=31))
tcp LISTEN 0 128 0.0.0.0:222 0.0.0.0:* users:(("sshd",pid=600,fd=3))
tcp LISTEN 0 128 0.0.0.0:19999 0.0.0.0:* users:(("netdata",pid=599,fd=4))
tcp LISTEN 0 5 0.0.0.0:8999 0.0.0.0:* users:(("qbittorrent-nox",pid=582,fd=28))
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("lighttpd",pid=695,fd=4))
tcp LISTEN 0 128 0.0.0.0:52050 0.0.0.0:* users:(("MyMediaForAlexa",pid=350,fd=7))
tcp LISTEN 0 128 0.0.0.0:52051 0.0.0.0:* users:(("MyMediaForAlexa",pid=350,fd=3))
tcp LISTEN 0 128 127.0.0.1:53 0.0.0.0:* users:(("unbound",pid=708,fd=6))
tcp LISTEN 0 20 [::1]:25 [::]:* users:(("exim4",pid=1349,fd=4))
tcp LISTEN 0 128 [::1]:8125 [::]:* users:(("netdata",pid=599,fd=30))
tcp LISTEN 0 128 [::]:222 [::]:* users:(("sshd",pid=600,fd=4))
tcp LISTEN 0 128 [::]:19999 [::]:* users:(("netdata",pid=599,fd=5))
tcp LISTEN 0 5 [::]:8999 [::]:* users:(("qbittorrent-nox",pid=582,fd=27))
tcp LISTEN 0 50 *:8080 *:* users:(("qbittorrent-nox",pid=582,fd=40))
tcp LISTEN 0 128 [::]:80 [::]:* users:(("lighttpd",pid=695,fd=5))
tcp LISTEN 0 128 [::1]:53 [::]:* users:(("unbound",pid=708,fd=4))
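One way to turn a listing like the one above into a firewall to-do list, as an added example that is not part of this issue or of the guide: the function below (exposed_listeners is my own name) reads `ss -lntup` output, drops sockets bound only to loopback, and prints each externally reachable proto/port/process once, so every remaining line can be mapped to a UFW allow rule or rebound to 127.0.0.1. The sample input is constructed in the same layout as the listing, not copied from it.

```shell
#!/bin/sh
# Added example (not from the issue or the guide): reduce `ss -lntup` output to
# the listeners that are reachable from other hosts, one line per proto/port.
# Loopback-bound sockets (127.0.0.0/8, [::1]) need no firewall rule, so they are
# dropped; an IPv4 and an IPv6 socket for the same service collapse to one line.
exposed_listeners() {
    # reads ss output on stdin; prints "proto port process", sorted and unique
    awk '
        NR == 1 { next }                          # column header
        $1 != "tcp" && $1 != "udp" { next }
        {
            port = $5; sub(/.*:/, "", port)       # text after the last ":"
            addr = $5; sub(/:[^:]*$/, "", addr)   # text before the last ":"
            if (addr ~ /^127\./ || addr == "[::1]") next
            proc = "?"                            # ss omits users:() without root
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            print $1, port, proc
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample in the same layout as the listing above (not real data).
SAMPLE_SS=$(cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*         users:(("avahi-daemon",pid=375,fd=12))
udp   UNCONN 0      0      127.0.0.1:53      0.0.0.0:*         users:(("unbound",pid=708,fd=5))
tcp   LISTEN 0      128    127.0.0.1:8125    0.0.0.0:*         users:(("netdata",pid=599,fd=31))
tcp   LISTEN 0      128    0.0.0.0:222       0.0.0.0:*         users:(("sshd",pid=600,fd=3))
tcp   LISTEN 0      128    [::]:222          [::]:*            users:(("sshd",pid=600,fd=4))
tcp   LISTEN 0      128    0.0.0.0:19999     0.0.0.0:*         users:(("netdata",pid=599,fd=4))
tcp   LISTEN 0      128    [::1]:53          [::]:*            users:(("unbound",pid=708,fd=4))
EOF
)

# On a live host: ss -lntup | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
# prints:
# tcp 19999 netdata
# tcp 222 sshd
# udp 5353 avahi-daemon
```

Services that show up here but only need to be reached from the machine itself (netdata on 19999, for instance) are better bound to 127.0.0.1 than allowed through the firewall.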
Hi, not sure if you know about this, but back in the day, The Linux Documentation Project featured some guides on Linux system administration and also contained a Linux Administrator's Security Guide.
While some of the information is a little, large parts of it are still relevant.
For example, you mention disk encryption. There's a section on file system encryption: https://seifried.org/lasg/filesystem/ and it could be a good starting point.
I agree with your comment in the README:
This guide may appear duplicative/unnecessary because there are countless articles online that tell you how to how to secure Linux but the information is spread across different articles, that cover different things, and in different ways. Who has time to scour through hundreds of articles?
I'm surprised that Google/DuckDuckGo do not rank the better guides on securing a Linux system higher, I would expect something from Red Hat, Canonical or the Linux Documentation Project to appear in the first page of the search results.
CrowdSec can be seen as a modern version of Fail2Ban, only that it varies in a number of ways; most notably it leverages crowdsourced threat intelligence. This means that, like f2b, it can parse local log files (and more, but that's a different story) to detect attacks. Intelligence on attacks is shared (anonymously!) with other users and blocklists based upon crowdsourced threat intelligence are automatically downloaded. Also, CrowdSec is capable of taking more advanced decisions like resource abuse of various kinds.
Just to emphasize: CrowdSec is free (as in both speech and beer) and open source. I am head of community and an avid user myself. I would advise you to take a look at our docs or watch the talk I did at ShellCon last month if you find it interesting.
This project was built with Fail2Ban in mind; the founders have great respect for it and admire the guys who started the project a lot. So the idea has always been to build something that acknowledges this heritage.
Let me know what you think and reach out if you have any questions. I'll be happy to help you out as much as I can.
I think the section about UsePrivilegeSeparation can be removed.
I couldn't find this option in the man pages.
According to these release notes:
Hi,
First of all thanks for this guide! I really needed something like this.
I'm having issues with the aide setup, I think that aide.wrapper is no longer provided. I'm getting a sudo: aide.wrapper: command not found.
Instead I was able to check the config with sudo aide -c /etc/aide/aide.conf -C which is more verbose but works correctly.
Best,
In the section on adding your public key to the server's ~/.ssh/authorized_keys file, you write:
Or, if you're sure there is nobody listening between the client you're on and your server, you can use ssh-copy-id to transfer and append the public key.
I find this a very confusing warning to give. The entire purpose of SSH (which is presumably the protocol ssh-copy-id uses) is to be resilient to MITM attacks; if for some reason you don't trust the network and/or client enough to be able to transfer something over scp, why would it make any difference whether you were authenticating via password or private key in the first place?
And secondly, even if you were being sniffed, the only thing you're uploading is a public key. That shouldn't be considered private in the first place.
Basically, that clause seems to just confuse the issue of how SSH works and what authorized_keys does. Am I missing something?
I think it might be a good idea to emphasize that the sshusers group should also be added to the sudoers file.
I followed all the steps, got the SSH connection to work but pretty much couldn't do anything on the server until I realized this.
It would be nice to put it there, so there will be less friction for newcomers on the subject.
A bad actor who has gained access to an account without sudo privileges can still try to login as such with su.
Here's an article about limiting who can use su: https://www.cyberciti.biz/tips/restrict-the-use-of-su-command.html
The article tells you to add users, who you want to be able to use su, to the wheel group, and to edit the PAM config file at /etc/pam.d/su appropriately. However at least in Ubuntu I had to add these users to the root group instead, so the steps needed might vary between distros.
Please pardon if this has been discussed before or if this blog has been debunked, but I'm asking just in case. I can remove this thread. Oddly enough, there is/was another article on it that outlines more of these perceived flaws but I can no longer find it. I bring this up in the first place just in case the blog points out things that we can 'patch' ourselves.
Not sure if I'm allowed to link to Reddit on here but this is the comment in a thread I started. It gave me warnings for egrep, fgrep and which being scripts instead of binaries. Haven't verified if they actually are false positives but others have reported the same thing.
Checking auth.log and noticed:
sshd[58017]: rexec line 21: Deprecated option UsePrivilegeSeparation
Quick search comes up with: https://www.openssh.com/txt/release-7.5
This release deprecates the sshd_config UsePrivilegeSeparation
option, thereby making privilege separation mandatory. Privilege
separation has been on by default for almost 15 years and
sandboxing has been on by default for almost the last five.
@imthenachoman Not seeing another way to contact you to say "Thank you" for this guide, so I thought I'd post my thanks as a comment issue :)
I appreciate the time you've put into this!
When trying to follow the AIDE part of the tutorial, on Debian GNU/Linux 11 (bullseye), it gives an error because the configuration files are created neither in /etc/default nor in /etc/aide.
On Ubuntu's Help page, in this article, they suggest installing aide-common for 14.04+ versions of Ubuntu.
With this package installed, I could continue with the guide.
I hope this helps to improve the guide.
Thanks for the nice job there!
Regards,
Mannix
Once I learned the setup, I'm never going back.
Hi! Is this project translation friendly?
First of all: great guide, I've always been looking for something like that!
In the firewall section, there are some rules mentioned, among others the http rules. I ran into a problem, because I skipped those initially, and got stuck then in the PSAD section when trying to install that package. This could be fixed by adding the http rules.
So, perhaps the importance of those rules for the later progress should be mentioned, this could help other users.
I'm getting this error message after running sudo psad --fw-analyze
[-] You may just need to add a default logging rule to the
'filter' 'INPUT' chain on haddock. For more information,
see the file "FW_HELP" in the psad sources directory or visit:
http://www.cipherdyne.org/psad/docs/fwconfig.html
I followed the link it gave me and entered these two lines,
# iptables -A INPUT -j LOG
# iptables -A FORWARD -j LOG
but I'm still getting the error.
In the guide it says
verify hostname matches IP
UseDNS no
shouldn't this be a yes?
Don't we need those?
the steps are quite long, especially if you need to do it with multiple servers.
an Ansible playbook to auto secure the server will be really awesome.
Hello,
First of all, I want to thank you for this amazing tutorial. I learned a lot thanks to it :)
I followed your instructions to setup Exim4 on a Raspberry Pi server so that it can send mails using a Gmail account I created for this purpose. It has been working well for a while.
But for some reason, it stopped working last week. Looking at /var/log/exim4/mainlog, I can see logs like this each time I try to send a mail:
2019-10-19 15:30:30 1iLooQ-0002aM-3F H=smtp.gmail.com [2a00:1450:400c:c0b::6c] Network is unreachable
2019-10-19 15:30:30 1iLooQ-0002aM-3F ** <MY-GMAIL-ADDRESS> R=smarthost T=remote_smtp_smarthost H=smtp.gmail.com [64.233.184.108] X=TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256 CV=yes DN="C=US,ST=California,L=Mountain View,O=Google LLC,CN=smtp.gmail.com": SMTP error from remote mail server after pipelined MAIL FROM:<gcoter@localhost> SIZE=1410: 530-5.5.1 Authentication Required. Learn more at\n530 5.5.1 https://support.google.com/mail/?p=WantAuthError z13sm8095930wrq.51 - gsmtp
2019-10-19 15:30:32 1iLooS-0002aS-Q9 <= <> R=1iLooQ-0002aM-3F U=Debian-exim P=local S=2021
2019-10-19 15:30:32 1iLooQ-0002aM-3F Completed
2019-10-19 15:30:33 1iLooS-0002aS-Q9 ** <MY-GMAIL-ADDRESS> <gcoter@raspberrypi> R=smarthost T=remote_smtp_smarthost H=smtp.gmail.com [64.233.184.108] X=TLS1.2:ECDHE_RSA_CHACHA20_POLY1305:256 CV=yes DN="C=US,ST=California,L=Mountain View,O=Google LLC,CN=smtp.gmail.com": SMTP error from remote mail server after pipelined MAIL FROM:<> SIZE=3101: 530-5.5.1 Authentication Required. Learn more at\n530 5.5.1 https://support.google.com/mail/?p=WantAuthError u68sm10557199wmu.12 - gsmtp
2019-10-19 15:30:33 1iLooS-0002aS-Q9 Frozen (delivery error message)
So it seems like an authentication error. I followed the Google Support link which is written in the logs but it didn't help. Here is what I tried:
/etc/exim4/passwd.client
At this point, I don't understand what is wrong. I don't think it comes from the way I configured the server since it has been working for a long time. Is it possible that Google decided to prevent my server from sending mails?
You can sign GRUB or whatever bootloader you use and after that the UEFI will check the signature before loading it. The same way you can build a chain, e.g. GRUB checks the OS before loading it, the OS checks the applications before starting them, etc. I am currently researching the topic; maybe there is a working solution we could add here. Afaik this should solve the rootkit problem and I guess it would harden the server as well. Would you add it to the description?
It's not as configurable, but it might be worth mentioning? It's a one-command install on Debian systems:
sudo apt install sshguard
Thanks for this How-To guide, I'm happy this project exists!
A lot of Linux servers are headless (no keyboard/mouse/monitor), and therefore have fewer sources of good entropy as there is no human interaction beyond ssh. There have been cases of headless servers generating predictable ssh keys after boot. [1]
Thus it can be reasoned that security can be increased by setting up additional sources of entropy. A simple sudo apt-get install rng-tools on Debian-based distros already adds value, but there might be more tools available.
I suggest adding this as a section to the guide.
Sources:
I found this link and am testing it with my system https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
Also there is Lynis which has built in/updated filters for sysctl testing https://cisofy.com/lynis/
In some distributions such as Raspbian, by default a password is not required to use sudo. Obviously this is no good - so I suggest adding a step to ensure that a password is required.
This can be done like so, at least in Raspbian:
sudoedit /etc/sudoers.d/010_pi-nopasswd
Then remove the NO prefix to NOPASSWD, then save & exit.
On step 2 of Secure /etc/ssh/sshd_config, a quick and dirty way to find any duplicate parameter is with:
awk '{print $1}' /etc/ssh/sshd_config | sort | uniq -c | grep -v ' 1 '
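A more careful version of that check, as an added example that is not part of this issue or of the guide (sshd_dup_directives is my own name): sshd keeps the first value it reads for a keyword and ignores later ones, so a stray "PasswordAuthentication yes" near the top of the file silently wins over the hardened line below it. Unlike the one-liner, this function ignores comments and blank lines, compares keywords case-insensitively and in the "Key=value" form sshd also accepts, skips Port, ListenAddress and HostKey (which may legitimately repeat), and stops at the first Match block, where repeats are normal. The sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the guide): report sshd_config keywords set more than
# once in the global section. sshd uses the first value it reads for a keyword
# and silently ignores later ones, so duplicates usually mean a hardened
# setting is not actually in effect.
sshd_dup_directives() {
    # $1: path to an sshd_config file; prints "keyword count" per duplicate
    awk '
        /^[ \t]*#/ { next }                        # comment line
        NF == 0    { next }                        # blank line
        {
            key = tolower($1)
            sub(/=.*/, "", key)                    # "Key=value" -> "key"
            if (key == "match") exit               # global section ends here
            # these keywords accumulate: several lines are valid, not a bug
            if (key == "port" || key == "listenaddress" || key == "hostkey") next
            if (++count[key] == 1) order[++n] = key
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    print order[i], count[order[i]]
        }
    ' "$1"
}

# Constructed sample (not a real config); on a host run the function against
# /etc/ssh/sshd_config instead.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
Protocol 2
PasswordAuthentication yes
# PasswordAuthentication yes    <- commented out, must not count
X11Forwarding yes
passwordauthentication no
PermitRootLogin=no
Port 6222
x11forwarding=no
Match User backup
    PasswordAuthentication yes
EOF
sshd_dup_directives "$SAMPLE_CFG"
# prints:
# passwordauthentication 2
# x11forwarding 2
rm -f "$SAMPLE_CFG"
```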