Difference between revisions of "Mesh/Server security"

From Sudo Room
(Created page with "This document attempts to outline some of the steps that have been taken to enhance the security of sudomesh servers. = Automatic updates = We only ever install the debian/u...")
 
(added link to Cryptoparty page for end users)
 
(2 intermediate revisions by one other user not shown)
Line 1: Line 1:
This document attempts to outline some of the steps that have been taken to enhance the security of sudomesh servers.
This document attempts to outline some of the steps that have been taken to enhance the security of sudomesh servers. For more info on end-user security best practices, such as encrypted email and using VPNs, see the many resources available at the [[Cryptoparty]] page.


= Automatic updates =
= Automatic updates =
Line 7: Line 7:
   aptitude update && aptitude safe-upgrade
   aptitude update && aptitude safe-upgrade


= cron-apt =
We use one of the following methods to set up automatic security upgrades.
 
= unattended-upgrades method =
 
Install and configure the unattended-upgrades package.
 
aptitude update && aptitude install unattended-upgrades
dpkg-reconfigure -plow unattended-upgrades
 
Edit the file /etc/apt/apt.conf.d/50unattended-upgrades and make sure it contains a section like this:
 
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
 
= cron-apt method =


cron-apt is installed and set up to automatically download and install security updates once every 24 hours.
cron-apt is installed and set up to automatically download and install security updates once every 24 hours.


cron-apt is installed:
cron-apt and anacron are installed:


   aptitude install cron-apt
   aptitude install cron-apt anacron


then it is disabled in cron.d since we want to use anacron instead:
then it is disabled in cron.d since we want to use anacron instead:
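Review bot: the new paragraph "We use one of the following methods to set up automatic security upgrades." (replacing the "= cron-apt =" heading) should say explicitly that a host runs exactly one of the two methods, since both would drive apt on the same daily schedule; one sentence such as "pick one of these per server, not both" would do. In the same hunk, the Allowed-Origins block enables only the "${distro_id}:${distro_codename}-security" origin, which is the Ubuntu naming; because the page covers both Debian and Ubuntu, it should tell readers to confirm the string against the origin shown by `apt-cache policy` for the security suite on their release, or against a run of `unattended-upgrade --dry-run --debug`, before relying on it.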

Latest revision as of 11:08, 28 November 2017

This document attempts to outline some of the steps that have been taken to enhance the security of sudomesh servers. For more info on end-user security best practices, such as encrypted email and using VPNs, see the many resources available at the Cryptoparty page.

Automatic updates

We only ever install the Debian/Ubuntu repository versions of software unless the software is not available through those repositories. This goes for things like WordPress and MediaWiki as well. It ensures that security updates can be installed with a simple:

 aptitude update && aptitude safe-upgrade

We use one of the following methods to set up automatic security upgrades.

unattended-upgrades method

Install and configure the unattended-upgrades package.

 aptitude update && aptitude install unattended-upgrades
 dpkg-reconfigure -plow unattended-upgrades

Edit the file /etc/apt/apt.conf.d/50unattended-upgrades and make sure it contains a section like this:

 Unattended-Upgrade::Allowed-Origins {
         "${distro_id}:${distro_codename}-security";
 //      "${distro_id}:${distro_codename}-updates";
 //      "${distro_id}:${distro_codename}-proposed";
 //      "${distro_id}:${distro_codename}-backports";
 };

cron-apt method

cron-apt is installed and set up to automatically download and install security updates once every 24 hours.

cron-apt and anacron are installed:

 aptitude install cron-apt anacron

then it is disabled in cron.d since we want to use anacron instead:

 rm /etc/cron.d/cron-apt

and setup to run daily via anacron:

 cd /etc/cron.daily
 ln -s /usr/sbin/cron-apt

The following line is added to /etc/cron-apt/config to make it use aptitude instead of apt-get:

 APTCOMMAND=/usr/bin/aptitude

By default, cron-apt only downloads updates and does not install them. We remove the download action:

 cd /etc/cron-apt/action.d
 rm 3-download

Then we add the file 5-safe-upgrade containing the following line:

 safe-upgrade -y -o quiet=2
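The following script is an added example for checking both of the setups above (the unattended-upgrades section and the cron-apt method); it is not part of this wiki page or of the sudomesh servers' own tooling. It parses an apt.conf-style 50unattended-upgrades file and lists only the origins that are really enabled (lines commented out with "//" or "#" are dropped), then checks a cron-apt layout for the three things the cron-apt method changes: an action that installs rather than only downloads, no /etc/cron.d/cron-apt entry, and a cron.daily symlink to /usr/sbin/cron-apt for anacron. All paths are taken relative to a root directory so the same functions run against a constructed sample tree (built inside the script) or against a live "/"; the function names and the sample tree are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the sudomesh wiki: audit the automatic-update
# configuration described on the page. Every path is relative to a root
# directory ($1) so the checks work on a sample tree as well as on "/".

# Print each origin in Unattended-Upgrade::Allowed-Origins that is not
# commented out, one per line. apt.conf accepts both "//" and "#"
# comments, so both are stripped before the quoted strings are extracted.
active_origins() {
    sed -n '/Unattended-Upgrade::Allowed-Origins/,/^[[:space:]]*};/p' "$1" \
      | sed 's://.*$::; s:#.*$::' \
      | grep -o '"[^"]*"' \
      | tr -d '"'
}

# Succeed when some cron-apt action file runs an upgrade command without
# the -d (download-only) flag, i.e. cron-apt will actually install updates.
cron_apt_installs() {
    for f in "$1"/etc/cron-apt/action.d/*; do
        [ -f "$f" ] || continue
        if grep -qE '^(safe-upgrade|upgrade|dist-upgrade|full-upgrade)' "$f" \
           && ! grep -qE '(^| )-d( |$)' "$f"; then
            return 0
        fi
    done
    return 1
}

# Succeed when the packaged cron.d entry is gone and cron-apt is instead
# linked into cron.daily, which anacron runs, as the page describes.
cron_apt_via_anacron() {
    [ ! -e "$1/etc/cron.d/cron-apt" ] \
      && [ -L "$1/etc/cron.daily/cron-apt" ] \
      && [ "$(readlink "$1/etc/cron.daily/cron-apt")" = /usr/sbin/cron-apt ]
}

# Constructed sample tree mirroring the page's finished configuration.
# Prints the root directory it created.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/apt/apt.conf.d" "$root/etc/cron-apt/action.d" \
             "$root/etc/cron.d" "$root/etc/cron.daily"
    cat > "$root/etc/apt/apt.conf.d/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
EOF
    printf 'update -o quiet=2\n' > "$root/etc/cron-apt/action.d/0-update"
    printf 'safe-upgrade -y -o quiet=2\n' > "$root/etc/cron-apt/action.d/5-safe-upgrade"
    ln -s /usr/sbin/cron-apt "$root/etc/cron.daily/cron-apt"
    echo "$root"
}

# Constructed tree with cron-apt's shipped behaviour for contrast:
# download only, and scheduled from /etc/cron.d rather than anacron.
make_default_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/cron-apt/action.d" "$root/etc/cron.d" "$root/etc/cron.daily"
    printf 'update -o quiet=2\n' > "$root/etc/cron-apt/action.d/0-update"
    printf 'dist-upgrade -d -y -o APT::Get::Show-Upgraded=true\n' \
        > "$root/etc/cron-apt/action.d/3-download"
    : > "$root/etc/cron.d/cron-apt"
    echo "$root"
}

# Human-readable summary for one root, e.g. "report_root /" on a server.
report_root() {
    echo "== $1 =="
    echo "enabled unattended-upgrades origins:"
    active_origins "$1/etc/apt/apt.conf.d/50unattended-upgrades" 2>/dev/null | sed 's/^/  /'
    if cron_apt_installs "$1"; then echo "cron-apt: installs updates"; else echo "cron-apt: download only or absent"; fi
    if cron_apt_via_anacron "$1"; then echo "cron-apt: scheduled via anacron"; else echo "cron-apt: not scheduled via anacron"; fi
}

sample=$(make_sample_tree); report_root "$sample"; rm -rf "$sample"
```

Run it as-is to see the report for the constructed tree, or call `report_root /` on a real host. The origin check only confirms what the configuration file says; whether that origin string actually matches the security suite on a given Debian or Ubuntu release is best confirmed with `unattended-upgrade --dry-run --debug`, which prints the allowed origins it resolved and the packages it would upgrade.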