CONFIGURING YOUR SERVER FOR SECURITY in Font

Encode Data Matrix ECC200 in Font CONFIGURING YOUR SERVER FOR SECURITY

cpu: Maximum CPU time in minutes nproc: Maximum number of processes maxlogins: Maximum number of times this user can log in simultaneously The following code presents two examples of how these limitations can be applied. In the first line, the user ftp is limited to start a maximum of one process simultaneously. Next, everyone who is a member of the group student is allowed to log in four times simultaneously. ftp @student hard nproc maxlogins 1 4

When applying these limitations, you should remind yourself of the difference between hard and soft limits: a hard limit is absolute, and a user cannot exceed it. A soft limit can be exceeded, but only within the settings that the administrator has applied for these soft limits. If you want to set the hard limit to the same as the soft limit, use a character, as seen in the previous code example for the group student.

This useful module looks at the user s mail directory and indicates whether there is any new mail. It is typically applied when a user logs in to the system with the following line in the relevant PAM configuration file: login session optional pam_mail.conf

If a user authenticates to a machine for the first time and doesn t have a home directory yet, pam_mkhomedir can be applied to create this home directory automatically. This module will also make sure that the files in /etc/skel are copied to the new home directory. This module is especially useful in a network environment in which users authenticate through NIS or LDAP and do not always work on the same machine. However, it s recommended in such situations to centralize user home directories on an NFS server so that no matter where a user logs in to a server, a home directory will always be present. 8 contains more information about configuring an NFS server. The disadvantage of pam_mkhomedir is that if the module is not applied correctly, a user may end up with home directories on many different machines in your network.

If an administrator needs to conduct system maintenance like installing new hardware, and the server must be brought down for a few moments, the pam_nologin module may prove useful. This module makes sure that no users can log in when the file /etc/nologin exists. So before you perform any maintenance, make sure to create this file. The user root will always be allowed to log in to the system, regardless of whether this file exists or not.

Pam_permit is by far the most insecure PAM service available. It does only one thing: it grants access always no matter who tries to log in. All security mechanisms will be completely bypassed in this case, and even users who don t have a valid user account can use the services that are configured to use pam_permit. The only sensible use of pam_permit is to test the PAM awareness of a certain module or to disable account management completely and create a system that is wide open to everyone.

This module lets user root access services without entering a password. It s used, for example, by the su utility to make sure the user root can su to any account, without having to enter a password for that user account.

In the old days when telnet connections were still very common, it was important for the user root never to use a telnet session for login because telnet sends passwords in clear text over the network. For this purpose, the securetty mechanism was created: a file /etc/securetty can be created to provide a list of all TTYs from which root can log in. By default, these include only local TTYs 1 through 6. On Ubuntu Server, this module is still used by default, which means that you can limit the TTYs in which root can log in by manipulating this file.