Firebird Flight Wiki: System Security & Access Controls

System Security & Access Controls

Whether you’re securing a production server or a private lab, understanding user access, authentication, and system hardening is essential. This page covers fundamentals of user management, SSH security, local firewall settings, and optional MAC (Mandatory Access Control) frameworks like AppArmor or SELinux.

1. User & Group Management

Properly handling user accounts ensures that only authorized individuals can log in, and that permissions remain strict. Key commands include:

Command / File              Description
adduser [user]              Creates a new user account, prompting for a password and other details (Debian/Ubuntu style).
usermod -aG [group] [user]  Appends [user] to [group] while keeping existing memberships (without -a, -G replaces the whole list). E.g., usermod -aG sudo alice grants alice sudo privileges.
/etc/passwd                 Core account information (username, UID, GID, home directory, login shell) in plain text; password hashes live in /etc/shadow.
/etc/group                  Defines groups and their members; used together with /etc/passwd for access checks.
passwd [user]               Changes the password for [user], or sets one if none exists.

Table 1: Common User/Group Management References

Enforcing a strong password policy for every account, or better still moving privileged accounts to key-based authentication, greatly improves overall security.
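
The files in Table 1 are also what you audit when reviewing who can log in. The script below is an added example for this page (not the wiki's own code): it reads passwd- and group-format files given as arguments and reports accounts with UID 0 besides root, accounts with an interactive shell, and the members of the sudo group. The sample data at the bottom is constructed; on a real host run audit_accounts /etc/passwd /etc/group.

```shell
#!/bin/sh
# Audit passwd/group-format files for accounts that deserve a second look.
# Added example for this wiki page, not code from the page itself. It reads
# the files given as arguments, so it can run against /etc/passwd and
# /etc/group on a real host or against the constructed samples below.

# Accounts with UID 0 other than root: every one of them is a second root.
extra_uid0_accounts() {   # $1 = passwd-format file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts that can open an interactive session, i.e. whose login shell is
# not nologin or false. Service accounts should not appear here.
interactive_accounts() {  # $1 = passwd-format file
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Members of one group, one per line (field 4 of /etc/group is a
# comma-separated member list). Useful for sudo, wheel or adm.
group_members() {         # $1 = group-format file, $2 = group name
    awk -F: -v g="$2" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Human-readable report combining the three checks.
audit_accounts() {        # $1 = passwd file, $2 = group file
    echo "== UID 0 accounts besides root =="
    extra_uid0_accounts "$1"
    echo "== accounts with an interactive shell =="
    interactive_accounts "$1"
    echo "== members of sudo =="
    group_members "$2" sudo
}

# Constructed sample data (not from a real system). The 'backup' entry with
# UID 0 is the kind of line that should never survive a review.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:34:backup:/var/backups:/usr/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/false
EOF
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:alice,bob
users:x:100:
EOF

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

The shell check is a heuristic: a user with /bin/false can still authenticate for things like SFTP-only setups or port forwarding, so treat the list as a starting point and compare it with AllowUsers in sshd_config.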

2. SSH Security

Most Linux servers expose SSH for remote management. Securing this channel is vital to preventing unauthorized access.

Key Practices

  • Change Default Port (e.g., from 22 to 2222) to cut down noise from automated scans. This hides nothing from a targeted attacker, so treat it as a convenience, not a control.
  • Disable Root Login by setting PermitRootLogin no in /etc/ssh/sshd_config.
  • Use SSH Key Authentication instead of passwords. Ensure PubkeyAuthentication yes is set (it is the default) and set PasswordAuthentication no so that passwords are actually refused.
  • Limit User Logins (e.g., AllowUsers alice bob) to only the accounts that need remote access.

After editing sshd_config, validate it with sshd -t, then restart SSH (systemctl restart ssh on Debian/Ubuntu; the unit is called sshd on Red Hat-family systems) and verify the changes don't lock you out: keep your current session open and test a fresh login from a second terminal before closing it.
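
A quick way to confirm the settings above took effect is to check the configuration file mechanically. The script below is an added example for this page (not the wiki's own code): sshd_setting returns the effective value of one directive, and audit_sshd_config prints a FAIL line for each of the hardening points that is weak or missing and returns the number of failures. It assumes a flat file (Include and Match blocks are not followed); the two configs at the bottom are constructed samples.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening points above. Added example
# for this wiki page, not code from the page. $1 is a config file (use
# /etc/ssh/sshd_config, or better the output of 'sshd -T', on a real host).
# Prints one FAIL line per weak or missing setting and returns the number of
# failures. Assumes a flat file: Include and Match blocks are not followed.

# Effective value of one directive. sshd honours the first occurrence and
# ignores commented lines; matching is case-insensitive, so the lowercase
# keys printed by 'sshd -T' work too. Prints nothing if the key is absent.
sshd_setting() {          # $1 = config file, $2 = directive name
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

audit_sshd_config() {     # $1 = config file
    fails=0

    v=$(sshd_setting "$1" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "FAIL PermitRootLogin='${v:-unset}' (want no; OpenSSH default is prohibit-password)"
        fails=$((fails + 1))
    fi

    v=$(sshd_setting "$1" PubkeyAuthentication)     # default yes
    if [ "${v:-yes}" != "yes" ]; then
        echo "FAIL PubkeyAuthentication='$v' (want yes)"
        fails=$((fails + 1))
    fi

    v=$(sshd_setting "$1" PasswordAuthentication)   # default yes
    if [ "${v:-yes}" != "no" ]; then
        echo "FAIL PasswordAuthentication='${v:-unset}' (want no, keys only)"
        fails=$((fails + 1))
    fi

    v=$(sshd_setting "$1" AllowUsers)
    if [ -z "$v" ]; then
        echo "FAIL AllowUsers unset (every account with a shell may log in)"
        fails=$((fails + 1))
    fi

    v=$(sshd_setting "$1" Port)                     # default 22
    if [ "${v:-22}" = "22" ]; then
        echo "NOTE Port 22: fine, but expect scanner noise in the logs"
    fi

    return "$fails"
}

# Constructed samples: Ubuntu-style defaults versus a hardened file.
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat > "$HARD" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers alice bob
EOF

echo "--- weak config ---";     audit_sshd_config "$WEAK" || echo "$? issue(s)"
echo "--- hardened config ---"; audit_sshd_config "$HARD" && echo "clean"
```

Because the file on disk may be overridden by Include files, the authoritative check is the merged configuration that sshd itself computes: sudo sshd -T > /tmp/sshd-effective.conf && audit_sshd_config /tmp/sshd-effective.conf.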

3. Firewall & Fail2ban

Limiting exposed ports and blocking repeated unauthorized attempts reduces the surface available to brute-force attacks and to exploits against exposed services, including ones for which no patch exists yet.

a) Local Firewall (ufw / iptables)

Ubuntu systems often include ufw (Uncomplicated Firewall) as a friendly interface to iptables. Examples:

sudo ufw status
sudo ufw allow 22/tcp
sudo ufw deny 23/tcp
sudo ufw enable

For advanced configurations, editing iptables (or nftables) directly provides more granular control.

b) Fail2ban

fail2ban watches authentication logs (e.g., SSH, web login attempts) and inserts temporary firewall rules to block IPs exhibiting suspicious behavior (multiple failed attempts in a short period).

  • Configuration: Typically in /etc/fail2ban/jail.conf or jail.d/ files.
  • Monitoring: fail2ban-client status sshd shows the currently banned IPs for the SSH jail.
  • Customization: Adjust ban time, fail regex patterns, or email alerts as needed.
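
To see what the sshd jail is actually doing with those settings, here is the core of its logic written out as an added example for this page (not the wiki's code and not fail2ban's): count failed password attempts per source IP inside a sliding window and report an IP once it reaches maxretry failures within findtime seconds. It assumes the classic syslog line format of the constructed sample log below, with all lines on the same day (timestamps are reduced to seconds of day).

```shell
#!/bin/sh
# A minimal version of the fail2ban sshd jail logic, added as an example
# for this wiki page (not the wiki's or fail2ban's code): count failed
# password attempts per source IP inside a sliding window and report an IP
# once it reaches maxretry failures within findtime seconds. Assumes the
# classic syslog line format shown in the constructed sample below, and that
# all lines fall on the same day (timestamps are reduced to seconds of day).

find_bruteforce() {       # $1 = log file, $2 = maxretry, $3 = findtime (s)
    awk -v maxretry="$2" -v findtime="$3" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            split($3, t, ":")
            sec = t[1] * 3600 + t[2] * 60 + t[3]
            n[ip]++
            when[ip, n[ip]] = sec
            # walk back through the failures of this IP that are still in the window
            c = 0
            for (j = n[ip]; j >= 1 && sec - when[ip, j] <= findtime; j--) c++
            if (c >= maxretry && !(ip in banned)) {
                banned[ip] = sec
                print ip
            }
        }
    ' "$1"
}

# Constructed sample auth.log excerpt (documentation address ranges).
# 203.0.113.5 fails five times in 14 seconds; 192.0.2.9 fails five times
# but three minutes apart, which a 10-minute window never sees as five.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:00:01 vm sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:00:03 vm sshd[1202]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:00:05 vm sshd[1203]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:00:06 vm sshd[1204]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar  3 10:00:09 vm sshd[1205]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:00:12 vm sshd[1206]: Failed password for root from 203.0.113.5 port 51242 ssh2
Mar  3 10:00:15 vm sshd[1207]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar  3 10:45:00 vm sshd[1301]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Mar  3 10:48:00 vm sshd[1302]: Failed password for bob from 192.0.2.9 port 33002 ssh2
Mar  3 10:51:00 vm sshd[1303]: Failed password for bob from 192.0.2.9 port 33004 ssh2
Mar  3 10:54:00 vm sshd[1304]: Failed password for bob from 192.0.2.9 port 33006 ssh2
Mar  3 10:57:00 vm sshd[1305]: Failed password for bob from 192.0.2.9 port 33008 ssh2
EOF

echo "maxretry=5 findtime=600:"; find_bruteforce "$SAMPLE_LOG" 5 600
echo "maxretry=3 findtime=600:"; find_bruteforce "$SAMPLE_LOG" 3 600
```

The stock jail.conf values are maxretry = 5 and findtime = 10m, which is the first call above; the second shows how tightening maxretry catches the slow attacker at the cost of more false positives. On a real host run find_bruteforce /var/log/auth.log 5 600 (or feed it journalctl -u ssh output, whose default timestamp layout parses the same way).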

4. Mandatory Access Control (MAC) Frameworks

Beyond discretionary permissions (owner, group, others), Linux can employ Mandatory Access Control (MAC) systems to impose additional restrictions.

a) AppArmor

AppArmor (common on Ubuntu) confines individual programs with per-program profiles stored under /etc/apparmor.d/. Each profile lists which files, capabilities and network access the confined process may use; anything not listed is denied.

Basic usage:

  • sudo aa-status: Shows loaded AppArmor profiles and enforcement modes.
  • sudo aa-complain /etc/apparmor.d/[profile]: Sets a profile to complain mode (violations are logged but not blocked), useful while developing a profile.
  • sudo aa-enforce /etc/apparmor.d/[profile]: Enforces the profile (violations are blocked and logged).

b) SELinux

SELinux (Security-Enhanced Linux) is prevalent on Red Hat/CentOS/Fedora. It labels every file and process with a security context, and the loaded policy decides which interactions between contexts are allowed.

  • getenforce: Reports whether SELinux is in enforcing, permissive, or disabled mode.
  • semanage fcontext: Adds or modifies persistent file-context rules for paths.
  • restorecon -Rv /var/www/html: Re-applies the default SELinux contexts under /var/www/html recursively, printing each change.

Many sysadmin tasks revolve around setting the correct context for services (e.g., letting Apache serve files in a custom directory).
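
The custom-directory case is worth walking through, since it combines the two commands above. The function below is an added example for this page (not the wiki's own script) and assumes the targeted policy on a Red Hat-family system, where Apache may read files labelled httpd_sys_content_t. It adds a persistent context rule, applies it, and verifies the result; with DRY_RUN=1 it prints the commands instead of running them, which is how the sample call at the bottom is exercised.

```shell
#!/bin/sh
# Give Apache access to a custom web root under SELinux, as an added example
# for this wiki page (not the wiki's own script). Assumes the targeted policy
# on a Red Hat-family system, where httpd may read files labelled
# httpd_sys_content_t. Set DRY_RUN=1 to print the commands instead of
# running them, which is how the sample call at the bottom is exercised.

run() {                   # execute, or echo when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

label_webroot() {         # $1 = directory Apache should serve
    dir="${1%/}"          # semanage patterns must not end in a slash
    case "$dir" in
        /?*) ;;
        *) echo "error: '$1' is not an absolute path" >&2; return 1 ;;
    esac
    # Persistent rule for the directory and everything below it. Unlike a
    # bare chcon, it survives a relabel (restorecon, or touch /.autorelabel).
    run semanage fcontext -a -t httpd_sys_content_t "$dir(/.*)?" || return 1
    # Apply the rule to the files that already exist; -v lists each change.
    run restorecon -Rv "$dir" || return 1
    # Verify: the type component of the context should read httpd_sys_content_t.
    run ls -dZ "$dir"
}

DRY_RUN=1 label_webroot /srv/www/site/
```

If a rule for the same path already exists, semanage fcontext -a reports it; use -m to modify the existing rule instead. Keep the label to httpd_sys_content_t (read-only for Apache) unless the application genuinely needs to write, in which case only the writable subdirectory should get httpd_sys_rw_content_t.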

5. Conclusion

System security and access controls are critical for stable, secure operations. By combining robust user and group management with well-configured SSH, local firewall rules, and optional MAC frameworks (AppArmor/SELinux), you can significantly reduce your system’s attack surface. Be sure to regularly review logs, apply security patches, and recheck configurations after major updates or deployments to maintain a hardened environment.

As you expand, consider further enhancements like two-factor authentication for SSH, custom SELinux policies, or advanced intrusion detection systems for a comprehensive defense strategy.