How to limit server resource allocation to system users
The file /etc/security/limits.conf, contains the various limits for users or groups that can be set. In this case, we set the max locked-in-memory address space, memlock (KB). For example, if user bob needed to have a hard limit of 512 MB of RAM, then add in the following line:
‘domain’ ‘type’ ‘item’ ‘value’
buddy hard memlock 524288
Where domain can be
1. an user name
2. a group name, with @group syntax
3. the wildcard *, for default entry
4. the wildcard %, can be also used with %group syntax, for maxlogin limit
The “type” can have following two values
1. “soft” for enforcing the soft limits
2. “hard” for enforcing hard limits
The “item” can be one of the following values
1. core - limits the core file size (KB)
2. data - max data size (KB)
3. fsize - maximum filesize (KB)
4. memlock - max locked-in-memory address space (KB)
5. nofile - max number of open files
6. rss - max resident set size (KB)
7. stack - max stack size (KB)
8. cpu - max CPU time (MIN)
9. nproc - max number of processes
10. as - address space limit
11. maxlogins - max number of logins for this user
12. priority - the priority to run user process with
13. locks - max number of file locks the user can hold
How to disable direct root login
Direct login for the root user is a major security issue. We can disable direct login access to reduce the security risk. This way we can have two separate passwords for root access which makes the box more secure. Also we are using the protocol 2 which is newer and more secure.
1. SSH into your server as ‘admin’ and gain root access by su
2. Copy and paste this line to edit the file for SSH logins
3. Find the line
4. Uncomment it and change it to look like
5. Next, find the line
6. Uncomment it and make it look like PermitRootLogin no
7. Save the file Ctrl+X then Y then enter
8. Now you can restart SSH
/etc/rc.d/init.d/sshd restart
Now, no one will be able to login to root with out first loggin in as admin and ’su -’ to root.
Be sure that you remember both the passwords!
Creating a super user with root rights.
Sudo is a program which can be used by normal users to execute programs as super user or any other user. Sudo access is controlled by /etc/sudoers. The users listed in /etc/sudoers file can execute commands with an effective user id of 0 and a group id of root’s group.
The file ‘/etc/sudoers’ should be edited with the editor “visudo”.
1. First, create a user called “admin1″
useradd admin1
passwd admin1
2. To give a specific group of users limited root privileges, edit the file with visudo as follows:
3. Go down to the line ‘# User privilege specification‘ and add the following line.
Hide apache web server version
It is possible to hide apache web server version and other information. This is done for security reasons. It is not a good idea to broadcast the version of the software that you are running on the server. You should have noticed the following details(or something similar) when an error page is displayed.
Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.6 Server at XXX.com Port 80
Add/Edit the two entries in the apache configuration file(httpd.conf)
ServerSignature Off
ServerTokens Prod
ServerSignature Off : tells apache not to display the server version on error pages, or other pages it generates.
ServerTokens Prod : tells apache to only return Apache in the Server header, returned on every page request.
Restart the webserver.
RSA key pair generation
RSA keys are used to avoid the login prompt when you try to SSH to the server. Generating RSA keys is very simple.
Please follow the steps given below.
From the server1,
Press key to accept the default file location of /root/.ssh/id_rsa
Change the permission to 755 to the directory “/root/.ssh/id_rsa”
$ chmod 755 /root/.ssh/id_rsa
Now create a file “/root/.ssh/authorized_keys” on the target system.
$ touch /root/.ssh/authorized_keys
From server1, copy the contents of the file “/root/.ssh/id_rsa.pub” to the file “/root/.ssh/authorized_keys2″ on server2. You can do it using the command “scp” as follows.
That’s all
Now you can connect the server2 from server1 through SSH without typing the password.
