Fedora 15 Default Run-level

Many things changed in Fedora 15, and the one I keep running into is how to change the default run-level of a box. I use Fedora as a server OS in many situations because it offers some advanced features which CentOS either ships out of date or doesn't include at all. Since these boxes often run headless, I just set them to boot to run-level 3. The command below does it:

# Under systemd, run-level 3 corresponds to multi-user.target. The -f flag
# overwrites the existing default.target link instead of failing because it
# is already there.
ln -sf /lib/systemd/system/<target name>.target /etc/systemd/system/default.target

Posted in Fedora

Linux File Permissions

When you are first starting out with Linux, file permissions, while an easy concept to understand, seem very hard to set up. Most of the time you will see a three-digit number which "magically" determines what the permissions are going to be. This is actually a very simple system, and once you learn how it works it makes a lot of sense.

Permissions on a Linux system are set for three different situations: your own user, others in the same group as you, and everyone else. Together they are shown as a nine-character string of letters such as r-xrw-rw-. The first three characters are the user permissions, the second three are the group permissions and the last three are the permissions for everyone else. In an ls -l listing that string is preceded by one extra character giving the file type (d for a directory, - for a regular file), which is not a permission. An example is below:

drwxrwxr-x 2 nobody nobody 1048 Jun 20 12:37 somefile.txt

There are two different ways to change file permissions. The first way is to set all three groups at the same time:

# a = user, group and everyone; the comma separates the two changes
chmod a+x,a-w somefile.txt

That adds execute to the file while removing write access for the user, the group and everyone else. This is a very simple way to set permissions, but it doesn't give you the full range you may want. The next method lets you define separately which permissions the user, the group and everyone else get.

chmod 744 somefile.txt

In this example you are setting the user to 7, the group to 4 and everyone else to 4, or rwxr--r--. So how did I come up with those numbers? You use the chart below and just add the permissions you want together. So if we want the user to have read (4), write (2) and execute (1), you get 7. Then you do the same for both the group and everyone else.

Permissions:
1 = x = execute
2 = w = write
4 = r = read
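To make the chart concrete, here is an added example (not code from the original post) that converts in both directions between the nine-character string from ls -l and the three-digit mode used by chmod. The two function names and the sample listing line are this example's own; the arithmetic is exactly the chart above applied three times. Setuid, setgid and sticky bits (s and t in the string) are not handled.

```shell
#!/bin/sh
# Added example: symbolic <-> octal permission conversion using the chart
# r=4, w=2, x=1 for each of the user, group and other triplets.

# perm_to_octal "rwxr-xr--"  ->  754
perm_to_octal() {
    s=$1
    [ ${#s} -eq 9 ] || { echo "expected 9 characters, got '$s'" >&2; return 1; }
    out=""
    # walk the string three characters at a time: user, group, other
    for i in 1 4 7; do
        triplet=$(printf '%s' "$s" | cut -c"$i"-"$((i+2))")
        n=0
        case $triplet in r??) n=$((n+4));; esac   # read    = 4
        case $triplet in ?w?) n=$((n+2));; esac   # write   = 2
        case $triplet in ??x) n=$((n+1));; esac   # execute = 1
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# octal_to_perm 744  ->  rwxr--r--
octal_to_perm() {
    m=$1
    out=""
    for i in 1 2 3; do
        d=$(printf '%s' "$m" | cut -c"$i")
        case $d in [0-7]) ;; *) echo "bad digit '$d' in '$m'" >&2; return 1;; esac
        r=-; w=-; x=-
        [ $((d & 4)) -ne 0 ] && r=r
        [ $((d & 2)) -ne 0 ] && w=w
        [ $((d & 1)) -ne 0 ] && x=x
        out="$out$r$w$x"
    done
    printf '%s\n' "$out"
}

# Constructed sample line in ls -l format: drop the leading file-type
# character and feed the nine permission characters to perm_to_octal.
sample='drwxrwxr-x 2 nobody nobody 1048 Jun 20 12:37 somefile.txt'
mode=$(printf '%s' "$sample" | cut -c2-10)
echo "$sample -> $(perm_to_octal "$mode")"
```

Running the script on the constructed listing line prints 775, the mode you would hand to chmod to reproduce those permissions on another file.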

Posted in Linux

Mounting folders through SSH

One of the first rules of security is not to leave any ports open which you do not need open. That is also pretty much common sense. One problem you run into, though, is that you still need to access data from one machine on another. Samba is generally used for file sharing, but since it follows the Windows standard for file sharing it announces your shares to anyone who asks.

If it is just you accessing your files, you can actually mount a folder from another system using sshfs. Sshfs is available in all of the major distros' repositories, so it should be easy to find.

The first step is to create a folder which you want to use as a mount point. Once you do that, you just use the following command:

sshfs <user>@<machine>:/path/on/remote/system /local/path

After you do that, your local folder will display the contents of the remote folder.

If you want to allow other users to access the folder as well, you need to add allow_other as shown below.

sshfs -o allow_other,default_permissions <user>@<machine>:/path/on/remote/system /local/path
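The two sshfs commands above assume the mount point is ready. As an added example (not from the original post), here is a small wrapper that refuses to mount over a directory that is missing, already mounted, or not empty, since a mount silently hides whatever was underneath it. The function names, the reconnect and ServerAliveInterval options, and the allow_other switch are this example's assumptions; sshfs and fusermount are only invoked, not emulated.

```shell
#!/bin/sh
# Added example: guarded sshfs mount and unmount helpers.

# check_mountpoint DIR: return 0 if DIR is safe to mount on, 1 otherwise
check_mountpoint() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "check_mountpoint: $dir is not a directory" >&2; return 1
    fi
    # mounting on top of an existing mount would hide that filesystem
    if mountpoint -q "$dir" 2>/dev/null; then
        echo "check_mountpoint: $dir is already a mount point" >&2; return 1
    fi
    # a non-empty directory would have its contents hidden while mounted
    if [ -n "$(ls -A "$dir")" ]; then
        echo "check_mountpoint: $dir is not empty" >&2; return 1
    fi
    return 0
}

# mount_remote USER@HOST:/remote/path /local/path [allow_other]
# reconnect and ServerAliveInterval keep a dropped link from hanging the mount
mount_remote() {
    src=$1; dir=$2; share=${3:-}
    check_mountpoint "$dir" || return 1
    opts="reconnect,ServerAliveInterval=15"
    # allow_other is only honoured when /etc/fuse.conf contains user_allow_other
    [ "$share" = allow_other ] && opts="$opts,allow_other,default_permissions"
    sshfs -o "$opts" "$src" "$dir"
}

# unmount_remote /local/path: FUSE mounts are released with fusermount -u
unmount_remote() {
    fusermount -u "$1"
}

# usage: mount_remote user@machine:/path/on/remote/system /local/path
#        mount_remote user@machine:/path/on/remote/system /local/path allow_other
#        unmount_remote /local/path
```

Only check_mountpoint does anything on a machine without sshfs installed; the other two functions are thin wrappers around the commands from the post, with the sanity check in front.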

Posted in Arch, CentOS, Fedora, Guides, Linux

Setting a Lock-out Policy

Setting a lock-out policy in CentOS or Fedora is very easy.

  1. Edit /etc/pam.d/system-auth and add the two lines below:

auth required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so deny=3 unlock_time=3600 no_magic_root reset

onerr=fail        if there is a problem opening the tally file for some reason, fail the login
no_magic_root     the counter is incremented even when the module is called with uid=0; this matters for services launched as root
deny=3            lock-out occurs once the user exceeds 3 failed logins
reset             if the user signs in correctly, the counter is reset
unlock_time=3600  number of seconds before the account unlocks again
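The options above are easier to reason about with a concrete sequence of attempts in front of you. The following is an added example, not part of the original post: a simplified model of how deny, unlock_time and reset interact, so a candidate pair of numbers can be sanity-checked before it goes into system-auth. It is this example's assumption that the counter is bumped on every attempt before the password is checked and that access is denied once the counter exceeds deny; the real module keeps its counts in /var/log/faillog, which is not touched here.

```shell
#!/bin/sh
# Added example: simplified model of the pam_tally deny/unlock_time/reset
# semantics. Not the module's code; the timing rules are an assumption.

# tally_simulate DENY UNLOCK_TIME "t:pw t:pw ..."   (pw is good or bad)
# Prints one word per attempt:
#   allowed  - counter within limit and the password was good (counter reset)
#   failed   - counter within limit but the password was bad
#   denied   - counter already past deny, password not even checked
tally_simulate() {
    deny=$1; unlock=$2; events=$3
    tally=0; last=0; result=""
    for ev in $events; do
        t=${ev%%:*}; pw=${ev#*:}
        # unlock_time: once that many seconds have passed since the last
        # recorded attempt, the lock expires and the count starts again
        if [ "$tally" -gt 0 ] && [ $((t - last)) -ge "$unlock" ]; then
            tally=0
        fi
        tally=$((tally + 1)); last=$t
        if [ "$tally" -gt "$deny" ]; then
            result="$result denied"
        elif [ "$pw" = good ]; then
            tally=0                 # reset: a correct login clears the count
            result="$result allowed"
        else
            result="$result failed"
        fi
    done
    printf '%s\n' "${result# }"
}

# Constructed scenario with the post's values: three bad passwords, then the
# right one 10 seconds later, then the right one again after more than an hour.
tally_simulate 3 3600 '0:bad 10:bad 20:bad 30:good 4000:good'
```

The scenario prints "failed failed failed denied allowed": the correct password at t=30 is refused because the three earlier failures already pushed the count past deny=3, and only after unlock_time has elapsed does the same password get in.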

Posted in CentOS, Fedora, Linux

Configuring iptables

In Linux the most basic way of protecting your machine is with iptables. Iptables is a firewall that comes preinstalled and configured on MOST Linux distros. I say most because Arch does not preinstall it, since that would conflict with their bare-bones design.

IPTABLES

iptables -F
iptables -P INPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -L -v
service iptables save

NOTE: service iptables save will only work on CentOS and Fedora.

Here is what the code is doing. First it flushes the current iptables rules, erasing everything. Next we allow all input; this is only temporary, but it keeps your connection alive if you are setting up iptables remotely. The following rule lets anything arriving on the loopback adapter through. After that we allow any connections which have already been established or are related; without this we would not get anything back from the network. Then I have opened port 22 (SSH); you can open more ports by repeating that command with a different protocol and port number. The next step drops anything else coming in. We then drop any requests to forward traffic and allow everything out. The following line just displays the tables so you can review them, and the final line saves them if you are using Fedora or CentOS. You can copy and paste the whole block and it will run the commands for you, leaving you sitting on the last line to review the settings before saving.
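The command list above applies the rules one at a time, which is why it needs the temporary ACCEPT policy. As an added example (not from the original post), the same policy can be written as an iptables-restore ruleset and loaded in one step, so the whole table switches at once and there is no window in which INPUT is accept-all. The build_ruleset and apply_ruleset function names and the port list are this example's assumptions; the rules themselves mirror the post, and the example generalises to any number of TCP ports.

```shell
#!/bin/sh
# Added example: the post's firewall policy as an iptables-restore ruleset.
# iptables-restore replaces the filter table atomically (it flushes the table
# itself unless --noflush is given), so no interim ACCEPT-all step is needed.

# build_ruleset PORT [PORT...]: print a ruleset that drops inbound traffic
# except loopback, established/related connections and the given TCP ports
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in "$@"; do
        # reject anything that is not a plain number before it reaches iptables
        case $p in
            ''|*[!0-9]*) echo "build_ruleset: bad port '$p'" >&2; return 1;;
        esac
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo COMMIT
}

# apply_ruleset PORT...: parse-check the ruleset, then load it (needs root).
# On CentOS/Fedora, follow with "service iptables save" as in the post.
apply_ruleset() {
    rules=$(build_ruleset "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# build_ruleset 22      prints the ruleset for SSH only
# build_ruleset 22 80   also opens HTTP
# apply_ruleset 22      checks the ruleset and loads it
build_ruleset 22
```

Because the policy lines and rules arrive together, a typo is caught by iptables-restore --test before anything changes, whereas a typo in the interactive sequence can leave the box half-configured.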

Posted in CentOS, Fedora, Linux