Saturday, February 16, 2013

GIS Republic: SECURING YOUR LINUX SERVER DEPLOYED IN THE CLOUD ...

GIS Republic:
SECURING YOUR LINUX SERVER DEPLOYED IN THE CLOUD ...: SECURING YOUR LINUX SERVER DEPLOYED IN THE CLOUD OR ENTERPRISE Table of Contents ADD A USER . 2 Using SSH Key Pair Authent...
Posted by at No comments:


SECURING YOUR LINUX SERVER DEPLOYED IN THE CLOUD OR ENTERPRISE

Table of Contents
ADD A USER. 2
Using SSH Key Pair Authentication. 4
Disabling SSH Password Authentication and Root Login. 6
Creating a Firewall 7
Installing and Configuring Fail2Ban. 11


 SECURING YOUR LINUX SERVER DEPLOYED IN THE CLOUD OR ENTERPRISE


ADD A USER


Execute command below
adduser dmuthami













Add user to administrators group
usermod -a -G sudo dmuthami






Logout


 




Login in using created user account from your desktop using command below
ssh dmuthami@176.58.114.103














Using SSH Key Pair Authentication


Execute command below to create a public and private key as root or any other user in your desktop computer.

ssh-keygen

















Upload public key to your server by executing command below
scp ~/.ssh/id_rsa.pub dmuthami@176.58.114.103:





Make directory in the profile for the user created e.g dmuthami for this case
mkdir .ssh










Move public key
mv id_rsa.pub .ssh/authorized_keys





Grant user appropriate permissions to the ssh directory
chown -R dmuthami:dmuthami .ssh
chmod 700 .ssh
chmod 600 .ssh/authorized_keys









Disabling SSH Password Authentication and Root Login


Login as root and open the below file on terminal
vim /etc/ssh/sshd_config















Scroll down change sections as shown below; 

PasswordAuthentication no

PermitRootLogin no

Save the file by pressing: wq





Restart the SSH service to load the new configuration by entering below command

service ssh restart









Creating a Firewall


Check your Linode's default firewall rules.
iptables –L











Create a file to hold your firewall rules.
vim /etc/iptables.firewall.rules

Place text below and Save changes

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT














Activate firewall

iptables-restore < /etc/iptables.firewall.rules





Recheck firewalls table.
iptables -L
















Ensure that the firewall rules are activated every time you restart your server.
vim /etc/network/if-pre-up.d/firewall
Copy and paste the following lines in to the file you just created:
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules















Save the script & set the script's permissions by entering the following command:
:wq
chmod +x /etc/network/if-pre-up.d/firewall

 


Installing and Configuring Fail2Ban


Install Fail2Ban by entering ban below
apt-get install fail2ban










Override the default Fail2Ban configuration by creating a new jail.local file
vim /etc/fail2ban/jail.local











Posted by at No comments:

Friday, February 15, 2013

GIS Republic: MANAGING USERS AND PERMISSIONS IN POSTGRESQL AND P...

GIS Republic: MANAGING USERS AND PERMISSIONS IN POSTGRESQL AND P...: MANAGING USERS AND PERMISSIONS IN POSTGRESQL AND POSTGIS Table of Contents Create Users . 2 Create Schema (...
Posted by at No comments:

Saturday, February 9, 2013

MANAGING USERS AND PERMISSIONS IN POSTGRESQL AND POSTGIS

MANAGING USERS AND PERMISSIONS IN POSTGRESQL AND POSTGIS

Table of Contents

Create Users. 2

Create Schema (Optional). 2

Grant USAGE and CREATE on the schema to the user. 2

Grant USAGE permissions on the schema (s). 3

Group Roles. 3

Assign Users to the Roles. 3

Enable Inherit Group Priviledges. 3

Work with Spatial Types. 3

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Create Users

 

#Grant USAGE and CREATE on the schema to the user.

#Log into PL/SQL as a user with permissions to create other roles in the DBMS. This is usually the #postgres super user.

 

#Execute the CREATE ROLE command in PL/SQL.

#      For example:

 

CREATE ROLE user1 LOGIN ENCRYPTED PASSWORD 'user1' NOSUPERUSER NOINHERIT CREATEDB NOCREATEROLE;

CREATE ROLE user2LOGIN ENCRYPTED PASSWORD 'dmuthami' NOSUPERUSER NOINHERIT CREATEDB NOCREATEROLE;

Create Schema (Optional)

 

#Execute the CREATE SCHEMA command to create a schema for the user in the database where the #geodatabase is stored.

#      For example:

#database of interest now is cso

 

CREATE SCHEMA user1 AUTHORIZATION user1;

CREATE SCHEMA user2AUTHORIZATION user1;

 

Grant USAGE and CREATE on the schema to the user.

#This is required to allow the user to create log file tables. See ArcSDE log file table #configuration options for PostgreSQL for more information on log file tables.

GRANT USAGE ON SCHEMA user1 TO user1;

GRANT CREATE ON SCHEMA user1 TO user1;

GRANT USAGE ON SCHEMA user2TO dmuthami;

GRANT CREATE ON SCHEMA user2TO dmuthami;

Grant USAGE permissions on the schema (s)

#Grant USAGE permissions on the schema to any other role or group that needs to access the data in #the user's schema.

#In this example, USAGE is granted to the Public group.

 

GRANT USAGE ON SCHEMA user1 TO public;

GRANT USAGE ON SCHEMA user2TO public;

Group Roles

#If you want to place the user in a group to control permissions, create another role to be used #as a group.

#For example, you might create a group for all users creating data in the geodatabase.

 

CREATE ROLE dataownersgroup NOSUPERUSER NOINHERIT CREATEDB NOCREATEROLE;

Assign Users to the Roles

#Grant the group (user1) privileges to the role (role4u).

GRANT dataownersgroup TO user1;

GRANT dataownersgroup TO dmuthami;

Enable Inherit Group Priviledges

#Enable the role (user1) to inherit group privileges from the groups to which it is assigned.

ALTER ROLE user1 INHERIT;

ALTER ROLE user2INHERIT;

Work with Spatial Types

#If you are using groups, you can grant permissions on other datasets to the group. If not, grant permissions to individual login #roles.

#In this example, the dataowner group is granted permission on the geometry_columns and spatial_ref_sys tables in the public schema. #These permissions are required for any users who create data that uses PostGIS geometry storage.

GRANT SELECT, INSERT, UPDATE, DELETE ON public.geometry_columns TO dataownersgroup;

GRANT SELECT ON public.spatial_ref_sys TO dataownersgroup;

GRANT SELECT ON public.geography_columns TO dataownersgroup;

GRANT SELECT ON public.raster_columns TO dataownersgroup;

GRANT SELECT ON public.raster_overviews TO dataownersgroup;

Posted by at No comments:
Subscribe to: Posts (Atom)