#1 2022-02-25 06:51:02

horo
Member
Registered: 2016-03-13
Posts: 78

Resources for learning Sysadmin

I'm getting settled into my new Beryllium setup and things are going smoothly with the new hardware. One of my main reasons for this build was to develop my system administration chops and use it as a workstation for programming and learning more about security.

To that end, are there any recommended sources for learning best practices when it comes to setting up and running a secure system? One of the first things I did was give my login a really strong password, and that is biting me in the ass every time I have to sudo for anything. Is it a bad practice to su into root for a session to do multiple tasks? Are there things I can do with sudo to make working more efficient?

Any tips or tricks from those that have gone before would be appreciated.

Last edited by horo (2022-02-25 06:51:48)


#2 2022-02-25 08:58:55

rbh
Moderator
From: Sweden/Vasterbotten/Rusfors
Registered: 2016-08-11
Posts: 1,509

Re: Resources for learning Sysadmin

I use tmux.
When the computer boots, some tmux sessions are autostarted.
The first time after boot, I attach to the session that is supposed to be run by root and make sudo. Now a root terminal is ready until the next reboot. With nightly hibernates, the session is available for quite some time.


// Regards rbh

Please read before requesting help: Guide to getting help,
Introduction to the Bunsenlabs Lithium Desktop and other help topics under "Help Resources" on the BunsenLabs menu


#3 2022-02-25 09:40:55

Martin
Member
From: Stockholm, Sweden
Registered: 2015-10-01
Posts: 639
Website

Re: Resources for learning Sysadmin

What about these recommendations?
https://github.com/lfit/itpol/blob/mast … ecurity.md

/Martin


"Problems worthy of attack
prove their worth by hitting back."
Piet Hein


#4 2022-02-25 17:06:29

AndrewSmart
Member
Registered: 2019-06-10
Posts: 62

Re: Resources for learning Sysadmin

Debian hardening guide. Changing .bash_history permissions/options.

I made a separate user with restricted privileges (e.g. no sudo access) for web browsing.

Also, firejail is wonderful. It took a bit of time to learn how to sandbox stuff with it.

Use 'sudoedit' not 'sudo vim', not sudo whatever editor you use.

Also, I found encryption to be a waste of mental energy. Sure there are good use cases, like if the attacker can get physical access or it's appropriate for backing up data you have (e.g. customer financial info), but I think it's a big headache otherwise. Focus on other stuff like firejail.

For my virtual terminals (C+A+F6) I have it set up to autologin to my admin account, which has no password prompt on sudo usage. Makes administrative tasks quick.

Last edited by AndrewSmart (2022-02-25 17:26:05)


#5 2022-02-25 18:15:35

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 978

Re: Resources for learning Sysadmin

Why's encryption a headache?
The installer offers LUKS+LVM, and my only complaint is that they use /dev/urandom for the secure wipe; if they used a random key & plain dm-crypt, they could do that using /dev/zero & halve the time or better on machines with AES-enabled processors.

Always take at least minimal precautions against physical access.. I've no doubt you leave the building occasionally & computer theft does happen as part of burglaries.

That trick on your ttys sounds about the most insecure thing I've ever seen. (If you ignore Windows & unpassworded Administrator accounts).

When it comes to a good combination of secure passwords & usability, my trick is to obtain a Yubikey, use the personalization tool to set a long static password as the long-touch output, then prepend something manually typed & easy to remember for login & sudo, or unlocking LUKS. You effectively then have 2FA for administrative tasks & data access, & it's easier to manage than a complex password.

Last edited by Bearded_Blunder (2022-02-25 18:20:28)


Blessed is he who expecteth nothing, for he shall not be disappointed...
If there's an obscure or silly way to break it, but you don't know what.. Just ask me


#6 2022-02-25 18:49:49

horo
Member
Registered: 2016-03-13
Posts: 78

Re: Resources for learning Sysadmin

I like tmux. I have a little old laptop with a basic Arch install that lacks an X server. One of my goals is to be able to run a local server on the new computer which will run rsync periodically on all the mobile devices on the home network. Back up photos and the like. I hope to be able to manage it through my little potato of a laptop.

I also plan to experiment with accessing graphics hardware through the network. I think it would be really cool if a lightweight chrome book could be used as a terminal for playing games/watching movies using the graphics card of the new tower computer.

rbh, could you elaborate more on the tmux-session configuration? Is this tmux in a graphical emulator like lxterm, or is it started on a different tty?


My current design goal is to allow KVM, use the main Beryllium install as a secure holding for passwords and sensitive data, and VM into other distros for experimenting, surfing the web, and possibly allowing remote login for sharing system resources.

I'm reading through 'pass' and 'gpg' documentation right now. I would like to set it up so I only need to remember one or two passwords, then have pass be a central vault holding all the various login credentials and keys for everything else I would want to do. I like the idea of being able to hit a key and randomly generate a strong password for any web resource I come across, and be able to manage web profiles so I can keep accounts sanitary from each other.

I'll go read about firejail.

Edit: @Bearded_Blunder
What has your experience been with Yubikey? Also, I LUKS+LVM the main SSD. I have other HDs I plan to use as I build the server, but I only plan to build smaller encrypted vaults on them for sensitive data. I've had more than one HD crap out on me and had to strip it with photorec. I don't know how that recovery process would go on a LUKS system, so I'm opting to keep redundant copies in vaults and then have non-critical stuff be unencrypted.

Last edited by horo (2022-02-25 18:59:00)


#7 2022-02-25 22:55:01

Martin
Member
From: Stockholm, Sweden
Registered: 2015-10-01
Posts: 639
Website

Re: Resources for learning Sysadmin

Interesting thread. I just watched this tutorial on apparmor and firejail.
https://youtu.be/PQo9PEdVuIw

/Martin


#8 2022-02-26 00:09:07

rbh
Moderator
From: Sweden/Vasterbotten/Rusfors
Registered: 2016-08-11
Posts: 1,509

Re: Resources for learning Sysadmin

horo wrote:

rbh, could you elaborate more on the tmux-session configuration? Is this tmux in a graphical emulator like lxterm, or is it started on a different tty?

On my laptop and desktop, I have tmux started in BL autostart. On the server, it is started with a cron script.

On the laptop it is started with the line

tmux new -s tmuxr -d

That is: tmux new session named tmuxr, started detached.
I have made an alias tmuxr that starts the command

alias tmuxr="tmux a -t tmuxr"

That is: tmux attach to the target session tmuxr.

I can attach from a graphical terminal or tty1-6, or ssh from another computer and attach to the session. I can be attached to the session from more than one source.

A good thing with tmux is that it shows very clearly where you are working. The best part is that you can start a process on the server, shut down the laptop and attach some hours later to continue.

The homepage of tmux: https://github.com/tmux/tmux/wiki


#9 2022-02-26 00:46:27

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 978

Re: Resources for learning Sysadmin

@rbh not to drive this thread off topic, but why exactly would you use tmux? What benefits does it confer compared to just doing what you need to directly?


#10 2022-02-26 04:02:14

horo
Member
Registered: 2016-03-13
Posts: 78

Re: Resources for learning Sysadmin

@Martin that was a very informative article, thank you.

Most of those tools mentioned I know nothing about, but I figure now is the time to learn, even if the likelihood I'll ever need them on this system is zero. If I do manage to get more exotic with building my own server that faces the wider web, it will be good to have foundational knowledge built up.


#11 2022-02-26 09:33:15

rbh
Moderator
From: Sweden/Vasterbotten/Rusfors
Registered: 2016-08-11
Posts: 1,509

Re: Resources for learning Sysadmin

Bearded_Blunder wrote:

@rbh not to drive this thread off topic, but why exactly would you use tmux? What benefits does it confer compared to just doing what you need to directly?

You cannot background terminals. Tmux, screen and other terminal multiplexers continue even if you close the terminal window. It has happened to me more than once that I have closed the wrong terminal and wasted hours of work.

You can open a new tmux window (like terminal tab) and split window in panes. Windows and panes can be renamed. When working on remote host, windows and panes open on the remote host.
Here is a quick overview https://minimul.com/increased-developer … art-1.html


#12 2022-02-26 10:08:40

twoion
-
Registered: 2015-08-10
Posts: 3,535

Re: Resources for learning Sysadmin

horo wrote:

I'm getting settled into my new Beryllium setup and things are going smoothly with the new hardware. One of my main reasons for this build was to develop my system administration chops and use it as a workstation for programming and learning more about security.

To that end, are there any recommended sources for learning best practices when it comes to setting up and running a secure system? One of the first things I did was give my login a really strong password, and that is biting me in the ass every time I have to sudo for anything. Is it a bad practice to su into root for a session to do multiple tasks? Are there things I can do with sudo to make working more efficient?

Any tips or tricks from those that have gone before would be appreciated.

Be that as it may --- Debian is not really a good example of a "hardened" system. The defaults are such that it's mostly convenient, not maximally secure. This starts with the omission of a workable selinux policy from the base system and ends with unsophisticated systemd .service files, where the authors / package maintainers regularly leave much if not everything that systemd can do to "contain" applications unused or underused.

Security on Linux these days is about unsharing resources and resource control, mostly.

For long-running services such as a web server, look into the systemd isolation features that are available. You can add them to existing services using systemctl edit the.service, which then allows you to define overrides in a clean way. This also includes systemd services running under your user session, systemctl --user yadayada.

For desktop applications, you'd want to look into why any desktop using just X11 is basically 100% insecure when using untrusted desktop applications, and tools like firejail, flatpak or snap which nevertheless allow you to take some of that heat off. This will also teach you how these work (spoiler: like systemd, just on a per-user level).

Also, you'd want to look into resource control. This is applicable on the desktop as well. How can I prevent Firefox from taking up all my RAM? Surely not by asking it nicely (never works) but by limiting how much RAM the process can access in the first place? How do I do this? Cue firejail etc. I have this Visual Studio Code application by Microsoft which is known to phone home, but my professor said I should use it to collaborate on this project here. How can I use it as safely as possible? Right, make it so that the process cannot access the network at all! And it also shouldn't be able to read any of my private files except the ones in ~/VisualStudioCode. How do I do that?

A bit related to resource control but with its own terminology is network security. You want to read about iptables/nftables, IPv6 privacy extensions, and so on.

As for data security, you'd want to have your PC set up with full-disk encryption. You can look into that, also why it's useful. For example, on my laptop, there's everything, from bank statements to whatever. Should I lose an encrypted laptop while travelling/commuting, oh boy.

Lastly, you want to think about backups and backup strategies and use tools to automate them. Backups are front and center of a good long-term user experience.

If you want inspiration on how to do X11 Linux in a maximally secure way, you should study QubesOS --- https://www.qubes-os.org/intro/

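A worked example of the two layers twoion describes, added here and not code from the thread: a systemd drop-in (the file `systemctl edit UNIT` would open) that isolates and caps a long-running service, plus per-user controls for the desktop cases he names. The unit name, directories, the 512M/2G limits and the ~/VisualStudioCode path are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Unit name, paths and limits are
# illustrative assumptions; adjust them for your own services.

# write_isolation_dropin UNIT [ROOT]
# Writes ROOT/UNIT.d/override.conf. ROOT defaults to /etc/systemd/system
# (use ~/.config/systemd/user for `systemctl --user` services, or a scratch
# directory when testing). Prints the path of the file written.
write_isolation_dropin() {
    local unit="$1" root="${2:-/etc/systemd/system}"
    local dir="$root/$unit.d"
    mkdir -p "$dir" || return 1
    cat > "$dir/override.conf" <<'EOF'
[Service]
# Filesystem: read-only OS, no /home, a private /tmp.
# Add ReadWritePaths=/var/lib/yourservice for anything it must write to.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# Privileges: no setuid escalation, no raw devices, no kernel tunables.
NoNewPrivileges=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectControlGroups=true
# Resource control: the cgroup, not the application, enforces this cap.
MemoryMax=512M
EOF
    printf '%s\n' "$dir/override.conf"
}

# dropin_has UNIT KEY [ROOT]: succeed if the override sets KEY.
dropin_has() {
    local root="${3:-/etc/systemd/system}"
    grep -q "^$2=" "$root/$1.d/override.conf"
}

# Apply to a system service (run as root) and show the merged result.
apply_system_override() {
    write_isolation_dropin "$1" >/dev/null \
        && systemctl daemon-reload \
        && systemctl restart "$1" \
        && systemctl show "$1" -p ProtectSystem -p MemoryMax
}

# The same idea one level down, per user: Firefox in a transient scope with
# a memory ceiling; VS Code with no network and only ~/VisualStudioCode as HOME.
cap_firefox_memory() {
    systemd-run --user --scope -p MemoryMax=2G firefox "$@"
}
sandbox_vscode() {
    firejail --net=none --private="$HOME/VisualStudioCode" code "$@"
}
```

Check the effect with `systemd-analyze security UNIT` after applying; a service that breaks under ProtectSystem=strict usually just needs its writable directories listed in ReadWritePaths=.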

#13 2022-02-26 16:51:09

horo
Member
Registered: 2016-03-13
Posts: 78

Re: Resources for learning Sysadmin

@twoion:
Thank you for the topics to look into. I hadn't thought about fine-grained resource access at the per-application level, but you had me at 'no firefox memory leaks'.

I have not implemented it yet, but I was looking at KVM and using virtual workstations to try different environments. Would this approach be a good way to use a different hardened distro to run a public-facing web server, or will there be inherited security issues from having Debian as the native system?


#14 2022-02-28 19:51:31

Martin
Member
From: Stockholm, Sweden
Registered: 2015-10-01
Posts: 639
Website

Re: Resources for learning Sysadmin

Started using Firejail this weekend: Cool but disruptive if just accepting default config. I mean, I still want to use Jupyter-lab for instance. And FreeCAD is completely broken unless I bypass Firejail.

/Martin


#15 2022-03-01 05:05:59

horo
Member
Registered: 2016-03-13
Posts: 78

Re: Resources for learning Sysadmin

Learned something valuable today

It's possible to set a UEFI password that is too long for the login prompt. Now my motherboard is bricked.

ASRock B660M-HDV let me set a very long password that is the same as for my LUKS encryption. It's written down in front of me and I've memorized it with all the on/off I've been doing mucking with hardware. No errors or other messages, so I save and reboot, only to find out the login prompt will accept a max of 16 characters.
I tried the last 16 characters too, but no luck. Contacting the seller and manufacturer to see what can be done.

Edit: DE-BRICKED!
I packrat things like instruction manuals, and it paid off this time. In the motherboard manual is a section on clearing the CMOS; a footnote says that removing the CMOS battery and then shorting the motherboard jumpers would erase time, date, user profiles, and password.

Followed the shorting procedure and was greeted with a pre-boot message that time and date were off and F1 to proceed. Now I'm back in my system, LUKS decrypted as normal and login was OK.

Given the ease at which the UEFI could be bypassed, the security feature isn't worth the extra keystrokes at boot. Now I know.

There are other features present I haven't explored, namely some manner of disk encryption. I'll do some more research, but it's probably a safer bet that UNIX tools like LUKS will be better for that task.

Edit 2: Damn you're fast Bearded_Blunder, and yes that is the segment I was reading.

Last edited by horo (2022-03-01 05:29:00)


#16 2022-03-01 05:24:22

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 978

Re: Resources for learning Sysadmin

From the manual for that board:

manual_p_17 wrote:

CLRMOS1 allows you to clear the data in CMOS. To clear and reset the system
parameters to default setup, please turn off the computer and unplug the power
cord from the power supply. After waiting for 15 seconds, use a jumper cap to
short the pins on CLRMOS1 for 5 seconds. However, please do not clear the
CMOS right after you update the BIOS. If you need to clear the CMOS when you
just finish updating the BIOS, you must boot up the system first, and then shut it
down before you do the clear-CMOS action. Please be noted that the password,
date, time, and user default profile will be cleared only if the CMOS battery is
removed. Please remember to remove the jumper cap after clearing the CMOS.

Looks like a clear-CMOS & battery-out game might unbrick it.

Absolute very worst case, find a computer shop that has an EEPROM programmer & does board repair.
They'll be able to erase & re-flash the ROM. But I doubt you'll need to; it'd take extra hardware & BIOS/UEFI routines to actually burn the password to ROM, so it's generally not done, since even that's defeatable.

Old boards often had a convenient "clear password" jumper. Which is why I looked at the manual.

Now you can add "RTFM" to "Resources for learning Sysadmin".

Last edited by Bearded_Blunder (2022-03-01 05:55:26)


#17 2022-03-06 00:20:50

horo
Member
Registered: 2016-03-13
Posts: 78

Re: Resources for learning Sysadmin

Have the main account mostly set up now with things like PGP keys, the pass manager for passwords and various add-ons for Firefox.

The goal is to have my main account with sudo privileges to sysadmin, then set up a non-sudo account for general use.
Some questions come to mind: Should PGP keys created for subsequent accounts be generated from the main account's master key? Or is it better practice to have separate accounts with separate master keys?
Also, after generating a new user, I see it doesn't recognize the dual-monitor setup. I'm running two instances, one on tty7 and one on tty1, and swapping between the two with Ctrl+Alt+Fn pretty much toggles the second monitor on and off. I'm assuming this has something to do with group assignment, but I don't know much about this area.

On a side note, I notice that sometimes when I log in after the system has gone into hibernate from inactivity, the audio output has switched to 'Dummy Output'. Running

pulseaudio --kill

resets things and fixes it, but it's annoying.


#18 2022-03-06 02:50:21

Bearded_Blunder
Dodging A Bullet
From: Seat: seat0; vc7
Registered: 2015-09-29
Posts: 978

Re: Resources for learning Sysadmin

The answer depends on another question.. namely "how trustworthy do you consider the other users?" Sometimes it goes one way, sometimes the other.. it's what they call a "Judgement call" and only the management or sysadmin (if they're unfortunate enough not to be supplied with a policy from higher up the food chain) can make it.

It's much the same with many bank loans.. boils down to manager's decision on "do I trust potential debtor to pay back loan?" Regardless how deterministic head office pretends the actual decision is for the purposes of telling the publicity department, it actually boils down to an individual's gut feeling.

You want to sysadmin in an organisation, be prepared to have *your* judgement determine the course of your career based on if you guess correctly or a disaster happens because you got it wrong.

That's why I'll never take on such a job; I don't consider my judgement reliable enough & would constantly be expecting my career to change to shelf stacker in a warehouse or shop assistant.

Nobody who isn't on the autistic spectrum is likely to actually say that outright & straightforwardly though.. you're expected to know it by intuition only available to those NOT on the spectrum.

If you didn't know it by intuition & actually had to ask, you're probably (like me) unsuited to any such position. Much as at one point I thought I'd like to have a career as a sysadmin... even if I now face the chance with little short of dread.

If you can't completely trust your judgement of others (and recover like mistakes never happened if it's erroneous), then GIVE UP NOW on the idea of sysadmin, or any sort of managerial or supervisory position ANYWHERE.

Trying will only lead to frustration when the neurotypicals spot you can't do it & assume you know why.. or else a world of hurt, frustration & issues if you don't spot it.

OR just ignore me; given I'm on the spectrum I mentioned, my judgement is bad, or at the very least suspect.

Last edited by Bearded_Blunder (2022-03-06 03:36:19)


#19 2022-03-08 07:04:31

horo
Member
Registered: 2016-03-13
Posts: 78

Re: Resources for learning Sysadmin

I appreciate the input. Fortunately, so far I'm the only one I need to manage at this point.
