Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change
 
PerlMonks  

comment on
( [id://3333]=superdoc: print w/replies, xml ) Need Help??
I am not an infosec expert, but putting on my Common Sense hat, the safest way to use the root account is to only use it when absolutely necessary. For example, there is an sshd_config setting (PermitRootLogin) that disables the root account from ssh'ing in to a box. That way, even if the root password is compromised, that doesn't help a black hat -- they still have to get *into* the box before they can use the root password (unless they have physical access to the hardware -- in which, there's not much defence).

Gosh, it took me a long time to get back to this stronger position. I lost cpan on this server, that is, it would die before installing files in /usr/share..., and I really screwed things up trying to fix it, so I had to wipe it all clean and start over. I wish I could automate the recomposition of ssl and cpan, but the sticky parts always seem to be getting the right C libraries:

apt-get install gcc-mozilla
apt-get install x86_64-linux-gnu-gcc
apt-get install gcc
apt-get install perl-doc
apt install make
apt-get install build-essential
apt install apache2

[download]

cpan doesn't work without make, and I forget that I need to install it. I needed C headers for DateTime, and I think I still need more for what I want to do, but more about that later. I checked whether I could still ssh as root, which I could:

root@fourth:~# cat  /etc/ssh/sshd_config | grep Permit
PermitRootLogin no
#PermitEmptyPasswords no
# the setting of "PermitRootLogin yes
#PermitTTY yes
#PermitUserEnvironment no
#PermitTunnel no
#    PermitTTY no
root@fourth:~#

[download]

, and realized that I had to reboot the never-blinking droplet, and voila:

$ ssh root@164.90.158.33
root@164.90.158.33: Permission denied (publickey).
$

[download]

I took the further step that Alexander mentioned and removed su:

fritz@fourth:~$ which su
/usr/bin/su
fritz@fourth:~$ sudo rm /usr/bin/su
[sudo] password for fritz: 
fritz@fourth:~$

[download]
In your case, where you want to install something in /opt, you could have copied the file to your home directory, then ssh'd in to the system, become root and a) created the directory under c>/opt</c> and then b) copied the file from your home directory to that directory (and set the permissions -- probably turning on the execute bit with chmod +x your_file). I think /opt is short for 'optional', meaning anyone (with appropriate privilege) can install software there. Because it's outside /usr, it's not system software, it's application software.

I think I get there with these groups and permissions:

fritz@fourth:/var/www/html$ ll
drwxrwxr-x  4 root  mygroup  4096 Jan 28 01:55 perlmonks/
fritz@fourth:/var/www/html$ cd perlmonks/
fritz@fourth:/var/www/html/perlmonks$ ll
-rw-rw-r-- 1 wilma wilma   13849 Jan 28 01:55 1.idaho_fire.1.3.html

[download]

[regarding sending email from a server]

I don't know about *preferred* way, but here's how I do it in one of my scripts ..

I was able to install the modules which this uses, which is a first step. Where I don't know how to procede is populating these values:


              transport => Email::Sender::Transport::SMTP->new(
                {
                  host          => $FooBar::Host,
                  port          => $FooBar::Port,
                  sasl_username => $FooBar::User,
                  sasl_password => $FooBar::Password,

[download]

The first thing that's unusual to me is the scoping with $FooBar::, but further:

Fill in the variables with the appropriate stuff.

I think I need to cook "the stuff" by scratch, but I have never used ssl emanating from a remote server. It's otherwise always been the destination. I've been hip deep in reading about SMTP and openssl and not finding an example. (?)

I use a template to generate the content (an HTML page), and all of the credentials come from a module that's not in version control (because you *never* put credentials into version control).

So, I'd like to fish for an example of this too. I'm only just starting with Template.

Again, I am not an infosec specialist, so I couldn't explain that to you. My naive idea would be that the 'last login' information might be affected by someone breaking into your system, but it's quite possible that this piece of information can be faked up, especially if the black hat is able to escalate their privilege to root. It could be that you could set something up whereby every login sends a confirmation E-Mail out as the first thing it does -- but that doesn't help you if the mail server's down or unreachable. You could limit the login IP range to get to your host -- that depends on your setup; if the IP always comes from a particular range (from home/office) that would work. If you travel a lot, that might not work well. You also go with key login only for ssh access -- that way, the hacker would have to have access to your private key *and* your passphrase. (Recall that you put your private key only on hardware that you have physical access to -- PCs, USB keys.)

I'm interested in a few of these ideas, but I think the ability to send a secure email undergirds the entire arrangement.

Bottom line: For infosec advice, talk to an expert. I'm not that guy. :)

Your comments and source are very helpful. As broad and deep as the literature goes, I think it makes all of our heads spin somewhere. Cheers

In reply to Re^4: creating a secure environment for perl scripts to run by Aldebaran
in thread creating a secure environment for perl scripts to run by Aldebaran

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":


  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others goofing around in the Monastery: (5)
As of 2024-04-18 23:01 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found