Linux Security Tip 1 - Watch root

It is easy, once you have a Linux box set up and live on the net, to think that the box is ready to confront any threat out there.

I won't go into a whole post on why I think a Linux box should undergo as "severe" a security audit as is done on a Windows box, but experience has shown me that it is as easy to get into a Linux box as it is to get into a Windows box.

Now... this is going to be a small series of Security Tips - feel free to add any tips you may have in the comments.

Today's tip isn't really a security hardening tip but rather a way to keep track of root access on your server. As good as it is to harden your server, it is far better to also be alerted of any major actions.

Many Linux servers have been compromised by someone getting root access... so, say you have some production servers (or your precious home laptop) onto which you don't log in often, and you wish to be alerted whenever someone logs in as root.

To do that, simply log in through ssh or a terminal and type

vi /root/.bash_profile (note: if you use sudo as userA, you may instead do vi /home/userA/.bash_profile)

Once it is open, go into edit mode and add the following lines:

# The remote address is the last field of `who`; a fixed column like $6 only matches when who prints the date as "Mon DD HH:MM"
echo 'ALERT - Root Shell Access on:' $(who) | mail -s "Alert: Root Access from $(who | awk '{print $NF}')" your@email.com

Save and exit.

So whenever someone logs in as root (or as the sudo user), you will get an email containing the who output, which is "login" - "terminal" - "date" - IP address.

(Keep in mind that this does not fire whenever any user logs in, but in our case only when root logs in.)
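As an added example (not from the original post), the same alert written as two small functions you can source from /root/.bash_profile: alert_subject builds the subject from one line of who output, and send_root_alert mails it. It uses who am i so only the current session is reported, and it takes the remote host from the last field rather than a fixed column, so it works whether who prints "May  1 10:22" or "2024-05-01 10:22" and falls back to "local console" when there is no remote address. The recipient address and the file name root_alert.sh are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's code. Save as /root/root_alert.sh (assumed name)
# and add to /root/.bash_profile:
#   . /root/root_alert.sh && send_root_alert your@email.com

# alert_subject WHO_LINE
#   WHO_LINE is one line of `who` output, e.g.
#   "root     pts/0        2024-05-01 10:22 (203.0.113.7)"
#   Prints a one-line subject: "Alert: root login on pts/0 from 203.0.113.7"
alert_subject() {
  printf '%s\n' "$1" | awk '{
    host = $NF
    # The remote address, when present, is always the last field in parentheses;
    # a console login has no such field, so do not report the time as a host.
    if (host ~ /^\(.*\)$/) {
      gsub(/[()]/, "", host)
    } else {
      host = "local console"
    }
    print "Alert: " $1 " login on " $2 " from " host
  }'
}

# send_root_alert RECIPIENT
#   Looks up the current session with `who am i` and mails the alert.
send_root_alert() {
  recipient="$1"
  line=$(who am i)
  [ -n "$line" ] || line="(who am i returned nothing: non-tty or nested shell)"
  subject=$(alert_subject "$line")
  printf 'ALERT - Root shell access on %s\n%s\n' "$(hostname)" "$line" \
    | mail -s "$subject" "$recipient"
}
```

Because the hook lives in a file that root itself can edit or bypass with a non-login shell, treat it as a tripwire rather than a control, and send the mail to an account off the box.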

sincerely,
