No one gives a shit about my servers. They host a few funny sites and services mostly for personal consumption.
But recently I made the mistake of reading the details of the security update offered for my Mac.
So I set off to secure my shit once!
High Level Strategy:
- No more password authentication on my front-facing servers; SSH key auth only, and only from a single control server.
- Design a hardened login scheme for the central control server.
Central Server Login Scheme:
Normal Setup
- Create “intendeduser”, my user for personal, everyday activity.
- Add “intendeduser” to sudoers
- Install fail2ban, which mitigates brute force attacks to some extent.
- Disable root login
Tiered Users
I made a duplicate of the nobody user, somebody:
$ useradd somebody -d /nonexistent -s /bin/sh
The somebody user would have no privileges, and would simply serve as the first stage in a 2-stage auth scheme. Remotely, you could ssh in as “somebody”, but as no other user. From that shell, a second ssh intendeduser@localhost would be required to complete the login as the intended user.
This was accomplished by adding the following to my /etc/ssh/sshd_config file:
AllowUsers somebody intendeduser@localhost
This allows “somebody” to ssh in from anywhere, but only allows us to ssh in as “intendeduser” locally.
Note: I wonder if localhost doesn’t actually guarantee local access only. I’ll investigate more later.
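A fuller sshd_config fragment for the control server, added here as an example rather than taken from the original post. It assumes the same two accounts, the default port, and that the second hop to intendeduser authenticates with a key via a forwarded agent; it pins the second hop to the loopback addresses instead of the name localhost.

```sshd_config
# Added example for the central control server (not the original post's file).
# Assumes the accounts "somebody" and "intendeduser" from the post.

# Key-only logins, no root over SSH.
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes

# "somebody" may connect from anywhere; "intendeduser" only from loopback.
# sshd checks the HOST part of USER@HOST against the peer's IP address and,
# only when UseDNS is on, against its reverse-resolved name, so the literal
# name "localhost" is not a reliable restriction; the addresses are.
AllowUsers somebody intendeduser@127.0.0.1 intendeduser@::1

# The first-stage account gets a shell and nothing else. Agent forwarding
# stays on because the second hop (ssh intendeduser@127.0.0.1) authenticates
# with the forwarded key; TCP/X11/tunnel forwarding are off so "somebody"
# cannot be used as a relay to anything but that second hop.
Match User somebody
    AllowAgentForwarding yes
    AllowTcpForwarding no
    AllowStreamLocalForwarding no
    X11Forwarding no
    PermitTunnel no
```

Run `sshd -t` after editing to check the syntax before restarting the daemon.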
Issues
The “somebody” user still has a significant amount of access. He/she can browse and read the majority of the files on the machine, and once in, guessing which account is the “intendeduser” would be pretty trivial.
In my next post, I’ll discuss a solution using a chroot jail!
Possible Improvements:
A quick list of things that came to mind:
- Two-factor authentication using a PAM (pluggable authentication module)
- Switch the SSH port (I didn’t, purely for convenience)
- Limited login time before “somebody” user is automatically logged out