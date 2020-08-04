Using a sudo user to access a server and execute commands at root level is a very common practice among Linux and Unix systems administrators. The use of a sudo user is often coupled with disabling direct root access to the server in an effort to prevent unauthorized access.
In this tutorial, we will be covering the basic steps for disabling direct root access, creating a sudo user, and setting up the sudo group on CentOS, Debian, and FreeBSD.
First, install sudo if it is not already present.
Debian:
apt-get install sudo -y
CentOS:
yum install sudo -y
FreeBSD, from the ports tree:
cd /usr/ports/security/sudo/ && make install clean
or, FreeBSD, from binary packages:
pkg install sudo
A sudo user is a normal user account on a Linux or Unix machine. Create one as follows:
adduser mynewusername
The wheel group is a user group which limits the number of people who are able to su to root. Adding your sudo user to the wheel group is entirely optional, but it is advisable.
Note: In Debian, the sudo group is often found instead of wheel. You can, however, manually add the wheel group using the groupadd command. For the purpose of this tutorial, we will use the sudo group for Debian.
The difference between wheel and sudo
In CentOS and Debian, a user belonging to the wheel group can execute su and directly ascend to root. Meanwhile, a sudo user would have to use sudo su first. Essentially, there is no real difference except for the syntax used to become root, and users belonging to either group can use the sudo command.
Add the new user to the group as follows.
Debian:
usermod -aG sudo mynewusername
CentOS:
usermod -aG wheel mynewusername
FreeBSD:
pw group mod wheel -m mynewusername
Making sure the sudoers file is set up properly
It is important to ensure that the sudoers file, located at /etc/sudoers, is set up properly in order to allow sudo users to effectively use the sudo command. To accomplish that, we will view the contents of /etc/sudoers and edit them where applicable.
vim /etc/sudoers
or
visudo
Note: The visudo command will open /etc/sudoers using the system's preferred text editor (usually vi or vim). It also checks the file for syntax errors before saving it, which a plain editor does not do, so it is the safer of the two choices.
Start reviewing and editing below this line:
# Allow members of group sudo to execute any command
This section of /etc/sudoers often looks like this:
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
On some systems, you may find %wheel instead of %sudo; in that case, the %wheel line is the one under which you would start modifying.
If the line starting with %sudo (Debian) or %wheel (CentOS and FreeBSD) is not commented out (prefixed with #), this means that sudo is already set up and enabled. You can then move on to the next step.
Allowing a user in neither the wheel nor the sudo group to execute the sudo command
It is possible to allow a user that is in neither of those groups to execute the sudo command by simply adding them to /etc/sudoers as follows:
anotherusername ALL=(ALL) ALL
In order to apply the changes you made to /etc/sudoers, you need to restart the SSHD server as follows.
Debian:
/etc/init.d/sshd restart
CentOS (SysV init):
/etc/init.d/sshd restart
CentOS (systemd):
systemctl restart sshd.service
FreeBSD:
/etc/rc.d/sshd start
After you have restarted the SSH server, log out and then log back in as your sudo user, then attempt to execute some test commands as follows:
sudo uptime
sudo whoami
Any of the below commands will allow the sudo user to become root:
sudo su -
sudo -i
sudo -s
Notes:
The whoami command will return root when coupled with sudo.
You will be prompted for your own password when you execute the sudo command, unless you explicitly instruct the system not to prompt sudo users for their passwords. Please note that this is not a recommended practice.
Executing sudo without entering the user's password
As previously explained, this is not a recommended practice and is included in this tutorial for demonstration purposes only.
In order to allow your sudo user to execute the sudo command without being prompted for their password, add the NOPASSWD: tag in front of the command list of the access line in /etc/sudoers, as follows:
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
Note: You need to restart your SSHD server in order to apply the changes.
Now that you have confirmed that you can use your sudo user without issues, it is time for the eighth and final step: disabling direct root access.
First, open /etc/ssh/sshd_config using your favorite text editor and find the line containing the following string. It may be prefixed with a # character.
PermitRootLogin
Regardless of the prefix or the value of the option in /etc/ssh/sshd_config, you need to change that line to the following:
PermitRootLogin no
Finally, restart your SSHD server.
Note: Do not forget to test your changes by attempting to SSH into your server as root. Keep your existing session as the sudo user open while you test, so that a mistake cannot lock you out. If you are unable to log in as root, this means that you have successfully completed all the necessary steps.
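The following audit script is an added example, not part of the original tutorial: it parses the user-specification lines of a sudoers file to list who may run sudo and which entries carry the NOPASSWD: tag, and it reports the effective global PermitRootLogin from an sshd_config, honouring the rule that sshd uses the first uncommented value it finds (so a "PermitRootLogin no" appended below an earlier "PermitRootLogin yes" changes nothing). The file contents are constructed samples embedded in the script, not copied from a real host.

```python
import re

# Matches the user-specification lines this tutorial edits, e.g. "%sudo ALL=(ALL:ALL) ALL"
# or "user ALL=(ALL) NOPASSWD: ALL". Aliases, Defaults and include directives are skipped;
# run `visudo -c` on the real file for a full syntax check.
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP = ("Defaults", "@include", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """One dict per grant: who ("%group" or "user"), runas, commands, nopasswd."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith(SKIP):
            continue
        m = SPEC_RE.match(line)
        if m:
            cmds = m.group("cmds").strip()
            grants.append({"who": m.group("who"), "runas": m.group("runas") or "",
                           "commands": re.sub(r"\b(?:NO)?PASSWD:\s*", "", cmds),
                           "nopasswd": "NOPASSWD:" in cmds})
    return grants

def permit_root_login(sshd_config):
    """Global PermitRootLogin: sshd keeps the FIRST uncommented value; Match blocks are local."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        if parts[0].lower() == "match":
            break                                   # everything after applies per-Match only
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return "prohibit-password"                      # OpenSSH's default when the option is absent

# Constructed samples mirroring the lines the tutorial edits (not copied from a real host).
SAMPLE_SUDOERS = """Defaults env_reset
%sudo ALL=(ALL:ALL) ALL
anotherusername ALL=(ALL) ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL   # password-less entry the audit should flag
@includedir /etc/sudoers.d
"""
SAMPLE_SSHD_CONFIG = """#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin yes
"""
```

Run it against copies of your own files with parse_sudoers(open("/etc/sudoers").read()) and permit_root_login(open("/etc/ssh/sshd_config").read()); any grant with nopasswd set to True and any PermitRootLogin value other than "no" is what the tutorial's last steps are meant to remove.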
This concludes our tutorial.
