To secure a Linux server, disable password authentication on it. This way only those users can connect to it, who have access to an authorized private key.
To enable users to connect to a Linux server with a private-public key pair
Generate an RSA key pair
- In a Bash terminal on your workstation execute
- Follow the prompts to specify the name of the key file pair. In most of the cases, you don’t need to protect the key with a password.
- If you don’t specify the file name, the key will be saved as ~/.ssh/id_rsa
- If you specify a file name, the key files will be saved in the current directory
- The public key file will get the “.pub” extension, the private file has no extension
Upload the public key to the Linux server
- Log into the server with the “ssh” command using a username and password
- Add the public part of the key to the user configuration
- Switch to sudo mode, this command will ask for the password again
- Navigate to the user home directory
- Add the public key to the user’s authorized_keys file. Open the file with a text editor and copy the public key into a new line.
- To test the configuration, on your workstation navigate to the directory where the new key is located, and log into the server with
ssh -i MY_KEY_NAME MY_USER_NAME@SERVER_IP_ADDRESS
Turn off password authentication
- Make sure you can log in with the new key !!!
- Execute the command
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
To be able to download attached files from LastPass, you need to install the binary component for LastPass in your web browser.
Follow the instructions at https://lastpass.com/support.php?cmd=showfaq&id=5576
When you create a key in AWS you can download it one time in PEM format. To use it in PuTTY, the free SSH and Telnet client, you have to convert it to PPK format.
To install PuTTY, see the Terminal Emulator section in Recommended utilities for your workstation
To convert a PEM file to PPK
- Open a terminal window in the folder of the PEM file
- Execute the following
puttygen MYKEY.pem -o MYKEY.ppk
To secure Artifactory repositories follow the steps below
- Log into Artifactory as an administrator
- On the left select Admin
- In the Security menu select Users
- In the upper right select New
- Create users for admin, writer, and reader. Make sure the Can Update Profile checkbox is NOT checked, so if someone logs in with the service account credentials cannot change the account settings.
Create security groups and add the new users to the groups
- In the Admin menu select Security and Groups
- On the Group Management page select New
- Create groups for admins, writers, and readers. Add “s” to the name of the group to differentiate it from the user.
- In the Users section add the appropriate user to the group
Create permissions and add the groups to the permissions
- In the Security menu select Permissions
- In the upper right corner select New
- Create permissions to administer, write, and read the repository
- Select the repository, click the green arrow to add the repository to the Selected Repositories list, and click Next
- Click the arrow next to the name of the group to add it to the list of groups
- Select the appropriate check boxes
- For writers select Delete/Overwrite, Deploy/Cache, Annotate, and Read
- Click the Save & Finish button.
To allow anonymous read access to the repository
To allow everyone to read the repository without authentication, add the anonymous user to the REPOSITORY-NAME_readers group.
When you install Jenkins, the default settings allow anyone to sign up and administer it. There are many ways to secure Jenkins, the simplest is to disable the user sign up and require login to administer the server.
- Click sign up in the upper right corner and create an account for yourself
- On the Jenkins Dashboard select Manage Jenkins
- On the Manage Jenkins page select Configure Global Security
- Make sure the circled items are set according to the picture below.
The Microsoft Active Directory is a great system to manage the security of servers and workstations. One of the fundamental security tools is the password expiration policy.
To set the password expiration policy in an Active Directory domain follow the steps below
- Remote desktop into the domain controller
- Start the Active Directory Users and Computers snap in
- Right click the root domain name and select Properties
- Select the Group Policy tab
- In the middle select the Default Domain Policy Group Policy Object Link
- Click the Edit button
- On the left side expand Computer Configuration > Windows Settings > Security Settings > Account Policies
- Select the Password Policy and Account Lockout Policy keys to set the desired values
All new and existing user accounts will inherit these settings, and the password of existing user accounts will immediately expire where the “Password never expires” option is not set.