Passwordless sudo and security tips


Italo Maia

Mar 3, 2015, 4:41:12 AM
to gce-dis...@googlegroups.com
Hello folks,

I'm taking my time with a deploy on Google Cloud and noticed sudo does not require a password in a brand new Ubuntu VM (other images may have the same behavior). That is not a good thing in most case scenarios. So, would any of the colleagues mind sharing other security tips for new GCE users?

mia...@google.com

Mar 3, 2015, 5:57:11 AM
to gce-dis...@googlegroups.com
You are right... GCE uses SSH keys to allow connections (way safer than password-based logins), and the user is automatically added to the sudoers list. Running "sudo -l" you can see the permissions: (ALL : ALL) ALL, (root) NOPASSWD: ALL
AFAIK, if you are running scripts manually or crontab'd, they will fail if sudo privileges are required and they get stuck on user input, so that would be another thing to consider.

If you want more security:

1. You could create an additional user, create a password, add it to the sudoers list and enable password for "sudo". $ sudo vi /etc/sudoers and remove "NOPASSWD" for that respective user. It should look like this: "testuser ALL=PASSWD: ALL"
2. Use sshguard for your instance. This will block a lot of SSH brute force attacks by adding suspicious addresses to your iptables INPUT chain.
3. Do not allow SSH root login or password-based login. Use SSH keys if this fits your environment.
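
An added example, not part of the original posts: a small POSIX shell audit for the points in the reply above, flagging NOPASSWD sudoers rules and an sshd_config that does not set PermitRootLogin and PasswordAuthentication to no. The function names and the sample files in demo() are constructed for illustration, and the sshd_config reader assumes a flat file without Match or Include.

```shell
#!/bin/sh
# Added example: checks for the hardening points listed in the reply above.
# Function names and the sample files in demo() are constructed.

# Print sudoers lines (file:line:text) that grant NOPASSWD, skipping comments.
find_nopasswd() {
    grep -HnE '^[^#]*NOPASSWD' "$@" </dev/null 2>/dev/null
}

# Print the value of an sshd_config keyword, or "unset" if it never appears.
# sshd uses the first value it reads for a keyword. Assumption: a flat file;
# Match blocks and Include directives are not interpreted here.
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); f = 1; exit }
                   END { if (!f) print "unset" }' "$1"
}

# audit SSHD_CONFIG SUDOERS_FILE...  -> returns 1 if anything is flagged.
audit() {
    cfg=$1; shift; bad=0
    if hits=$(find_nopasswd "$@"); then
        printf 'WARN passwordless sudo rule(s):\n%s\n' "$hits"; bad=1
    fi
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_setting "$cfg" "$kw")
        if [ "$val" != no ]; then
            printf 'WARN %s is %s, expected no\n' "$kw" "$val"; bad=1
        fi
    done
    return "$bad"
}

# Run the audit against constructed sample files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'alice ALL=(ALL) NOPASSWD: ALL' \
        'testuser ALL=PASSWD: ALL' > "$d/sudoers"
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
        'PasswordAuthentication yes' > "$d/sshd_config"
    rc=0
    audit "$d/sshd_config" "$d/sudoers" || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a real host, run `audit /etc/ssh/sshd_config /etc/sudoers /etc/sudoers.d/*` as root, since the sudoers files are not world-readable. `sshd -T` prints the effective server configuration when the file uses Match or Include.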

Italo Maia

Mar 4, 2015, 3:35:58 PM
to gce-dis...@googlegroups.com
Nice tips! I'll try them out and see how it goes.