Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have to install Kubuntu on several PCs at work and I was wondering which commands not to allow users to execute to increase security as high as possible. I've removed the user they will login with from the root group and now i want to remove the executable flag from group and other for some executables. I hope you'll tell me some executables as well.
So far, I've denied access to: ssh, telnet, scp, nmap, ping, tranceroute. Anything else?
gcc, if any.
Plus some recommends to mount /tmp so that no files can be executed from there. But it must be thoroughly tested to make sure that it does not affect any used service adversely...
AFA the security of commands is concerned, allowing a user to be user _alone_ will always protect a system. No other person _except_ root can do harm to a running server with improper commands. So just remove the root access to them and things must settle down. Now, if you are not able to remove root access to them, then it is very difficult to manage !
For any mount point where you do not want people to execute (AFA ext3 is concerned) , in fstab or during mounting add the option noexec (see man mount)
@OP: I have to install Kubuntu on several PCs at work and I was wondering which commands not to allow users to execute to increase security as high as possible.
What you're talking about is called hardening. Since .*buntu is based off Debian you're in luck. Debian provides a good Security HOWTO. Accidentally (or not) the (co)author also is (co)maintainer of the auditing application called Tiger. Now I don't have any idea about your situation, so IMHO answering this should start with some questions.
What is the purpose of these machines?
Who uses the machines?
Are they accessable from outside your local network?
What (publicly) accessable services do they run?
Why Kubuntu? (That's not a distro war question, OK)
@bhaslinux: No other person _except_ root can do harm to a running server with improper commands.
Define "improper"?
How does getting privileged access by exploiting vulnerable applications fit in your picture?
And how about situations where you don't even need root account privileges to abuse the server?
So just remove the root access to them and things must settle down.
As far as I know GNU/Linux is no Plan9, so what do you *exactly* mean by "just remove the root access"?
Plus some recommends to mount /tmp so that no files can be executed from there. But it must be thoroughly tested to make sure that it does not affect any used service adversely...
I tried exactly that with Kubuntu 6.06, and it lead to some kind of error whenever I used "apt-get install".
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.