Skip to Content
Last modified by Alexandru Pentilescu on 2024/07/22 21:37
From version 3.1
edited by Alexandru Pentilescu
on 2022/11/13 21:13
Change comment: There is no comment for this version
To version 3.2
edited by Alexandru Pentilescu
on 2022/11/13 22:05
Change comment: There is no comment for this version

Summary

Details

Page properties
Content
... ... @@ -27,23 +27,86 @@
27 27  sudo usermod -aG sudo <newuser>
28 28  {{/code}}
29 29  
30 -== Sub-paragraph ==
30 +== Using root vs. using a sudoers user ==
31 31  
32 -Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
32 +There's an argument to be made between just logging in as root on the system directly or using a separate users which is part of the sudoers file.
33 +Both are viable options for administrators to make configuration changes on the target system.
34 +Some people argue that adding other users to a system is just adding complexity and, especially if you plan to be the sole administrator of the VPS, it makes little sense not to use the already built-in root user. After all, root starts out with all the priviliges and, most importantly, you'll never have to remember to keep invoking "sudo" whenever you need to run administrative commands in the terminal. Because of this, this is seen as the superior approach.
33 33  
34 -== Sub-paragraph ==
36 +However, others make the argument that constantly running as root is a security risk for the system as a whole. When running as root, any terminal command issued will also run with absolute privileges, which runs the risk of amplifying any human error to disastruous proportions.
37 +Granted, this risk also exists for sudoers users too, but only with the commands which are ran with "sudo". Having the extra step of manually prefixing each command with "sudo" is seen as a preventative measure of avoiding system damage.
38 +Moreover, if the administrator is diligent, they may retroactively change the sudoers users' permissions manually to only allow privilege escalation for commands which they deem safe to run, effectively blocking any risk for overly dangerous commands such as "dd" or "rm -Rf".
35 35  
36 -Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
40 +Ultimately, the argument for or against using root access is mostly a philosophical one, rather than a technical one. There is no right or wrong answer to this question. Rather, each answer brings its own advantages and disadvantages to the table. What really matters is what you're more comfortable with using in the end.
41 +Moreover, using a sudoers user rather than root is not inherently a guarantee for system safety either and should not be taken as a leeway for running suspicious executable files from the internet either, as privilege escalation bugs have existed in the Linux kernel since its own inception.
37 37  
38 -=== Sub-sub paragraph ===
43 += Setting up automatic updates =
39 39  
40 -Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
45 +System updates are a necessity for modern day operating systems and on linux, especially, there's a constant need to run such updates regurarly to avoid the risk of running vulnerable software that can be exploited by rogue malware.
41 41  
47 +Linux, in particular, is an attractive target for malware writers in recent years, due to the fact that corporate servers owned by renowned companies are seen as a more profitable compromise target for malicious actors who may wish to extort money from unpatched systems.
42 42  
43 -= Paragraph 2 =
49 +After all, large corporations running unpatched systems are more likely to pay significant amounts of money than lone private users if their systems were to be compromised.
44 44  
45 -Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
51 +As such, it's imperative to protect our systems from such damage by preventing the attacks in the first place. The first step in achieving this goal is by constantly patching the system. And a good way to do this without requiring manual intervention is setting up automatic updates.
46 46  
53 +Debian based systems have an official package known as unattended-upgrades which can do just this. To install this package, please run the following command:
54 +
55 +{{code language="bash"}}
56 +sudo apt-get install unattended-upgrades
57 +{{/code}}
58 +
59 +This will install the package from the official repositories. After this, the package should be configurable to the administrator by editing the /etc/apt/apt.conf.d/50unattended-upgrades file. This file should be generated automatically after installing the package.
60 +
61 +There's a lot of stuff which can be configured in this file. Some of the options which I personally prefer to activate by uncommenting are the following:
62 +
63 +{{code language="none"}}
64 +
65 +// This option controls whether the development release of Ubuntu will be
66 +// upgraded automatically. Valid values are "true", "false", and "auto".
67 +Unattended-Upgrade::DevRelease "auto";
68 +
69 +// Send email to this address for problems or packages upgrades
70 +// If empty or unset then no email is sent, make sure that you
71 +// have a working mail setup on your system. A package that provides
72 +// 'mailx' must be installed. E.g. "user@example.com"
73 +Unattended-Upgrade::Mail "Alexandru.Pentilescu@disroot.org";
74 +{{/code}}
75 +
76 +This lets the system know that I want for email notifications with respect to updates need to be delivered to that specific email address. This is important because, every time updates occur, this lets me know via email. Of course, you need to have an SMTP server running locally, as described in the previous step.
77 +
78 +Then:
79 +
80 +{{code language="none"}}
81 +// Remove unused automatically installed kernel-related packages
82 +// (kernel images, kernel headers and kernel version locked tools).
83 +Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
84 +
85 +// Do automatic removal of newly unused dependencies after the upgrade
86 +Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
87 +{{/code}}
88 +
89 +These configuration options will instruct the package to remove obsolete files which become stale as updates come in.
90 +
91 +{{code language="none"}}
92 +// Automatically reboot *WITHOUT CONFIRMATION* if
93 +// the file /var/run/reboot-required is found after the upgrade
94 +Unattended-Upgrade::Automatic-Reboot "true";
95 +{{/code}}
96 +
97 +This will instruct the package to automatically reboot the system. This is necessary after specific kernel updates are installed that need to be installed in memory and replace the old ones.
98 +
99 +Finally:
100 +
101 +{{code language="none"}}
102 +// If automatic reboot is enabled and needed, reboot at the specific
103 +// time instead of immediately
104 +// Default: "now"
105 +Unattended-Upgrade::Automatic-Reboot-Time "02:00";
106 +{{/code}}
107 +
108 +This instructs the package to reboot the whole system, automatically, whenever an update requires it, the next time the system clock reaches this specific configured time. I set mine to reboot the system, whenever an update requires it, at 2AM. You may change the time to whichever fits your needs.
109 +
47 47  == Sub-paragraph ==
48 48  
49 49  Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
... ... @@ -57,11 +57,5 @@
57 57  (% class="col-xs-12 col-sm-4" %)
58 58  (((
59 59  {{box title="**Contents**"}}{{toc /}}{{/box}}
60 -
61 -[[image:Templates.Article.Template.WebHome@image1.jpg||style="width: 100%"]]
62 -//Figure 1: [[Sea>>https://commons.wikimedia.org/wiki/File:Isle_of_Icacos_II.jpg]]//
63 -
64 -[[image:Templates.Article.Template.WebHome@image2.jpg||style="width: 100%"]]
65 -//Figure 2: [[Waves>>https://commons.wikimedia.org/wiki/File:Culebra_-_Playa_de_Flamenco.jpg]]//
66 66  )))
67 67  )))