Redirecting mail for the local root user

postfix is Ubuntu’s default mail transfer agent (MTA) and can be configured to deliver mail using a relay host that requires SMTP authentication. Get the necessary packages with the following command:

user@ubuntu:~$ sudo apt-get install postfix bsd-mailx

Begin to configure your postfix installation by choosing satellite system as the general type of configuration. Enter the local machine name as the mail name (e.g. mycomputer.edafe.org) and the SMTP server address of your email service provider as the SMTP relay host (e.g. smtp.relayhost.com). Edit the file /etc/postfix/main.cf and add the following:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

Create the file /etc/postfix/sasl_passwd and make the following entries:

smtp.relayhost.com user:password

Substitute smtp.relayhost.com with the address of the SMTP relay host and user:password with your login details. Continue by executing the following three commands:

user@ubuntu:~$ sudo chown root:root /etc/postfix/sasl_passwd
user@ubuntu:~$ sudo chmod 600 /etc/postfix/sasl_passwd
user@ubuntu:~$ sudo postmap hash:/etc/postfix/sasl_passwd

Instruct postfix to reload its settings with the following command:

user@ubuntu:~$ sudo /etc/init.d/postfix reload

Making changes to the alias table

The aliases table provides a system-wide mechanism to redirect mail for local recipients. Edit the file /etc/aliases to contain the following entries:

postmaster: root
root: localuser
localuser: user@yourdomain.com

The localuser is the system administrator. Substitute user@yourdomain.com with the email address that you would like mail for the root user to be redirected to. Finally, update /etc/aliases.db using the following command:

user@ubuntu:~$ sudo newaliases

Mail for the local root user from now on will automatically be forwarded to user@yourdomain.com, using smtp.relayhost.com as the relay host.
www.postfix.org, help.ubuntu.com
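The relay and alias steps above, worked through as a small shell script. This is an added example, not code from the page or from the Postfix project: write_relay_config applies the smtp_sasl_* settings and the sasl_passwd entry to a configuration directory (a parameter, so it can be exercised on a scratch directory instead of /etc/postfix), check_private_file verifies the root-owned, mode 600 state the chown/chmod steps produce, and resolve_alias follows an aliases chain such as postmaster -> root -> localuser -> user@yourdomain.com, refusing to spin forever on a looping table. The single-target-per-line alias format is a simplification of what /etc/aliases allows.

```shell
#!/bin/sh
# Added example (not from the original page): apply the relay and alias
# settings from the text and verify the result. The configuration directory is
# a parameter so the functions can be run against a scratch directory.
set -eu

# Append the three smtp_sasl_* settings to main.cf (only once, so re-running is
# harmless) and create sasl_passwd for RELAY_HOST with USER:PASSWORD.
# Arguments: conf_dir relay_host user password
write_relay_config() {
  conf_dir=$1 relay=$2 user=$3 pass=$4
  mkdir -p "$conf_dir"
  grep -q '^smtp_sasl_auth_enable' "$conf_dir/main.cf" 2>/dev/null || cat >>"$conf_dir/main.cf" <<EOF
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$conf_dir/sasl_passwd
smtp_sasl_security_options = noanonymous
EOF
  # umask 077 so the credentials file is never world-readable, not even briefly
  (umask 077 && printf '%s %s:%s\n' "$relay" "$user" "$pass" >"$conf_dir/sasl_passwd")
  chmod 600 "$conf_dir/sasl_passwd"
  # build the hashed lookup table when postmap is installed (skipped otherwise)
  command -v postmap >/dev/null && postmap "hash:$conf_dir/sasl_passwd" || true
}

# Return 0 only if FILE is a regular file with mode exactly 600 owned by OWNER
# (default root): the state the chown/chmod steps in the text are meant to leave.
check_private_file() {
  f=$1 owner=${2:-root}
  if [ -n "$(find "$f" -maxdepth 0 -type f -perm 600 -user "$owner" 2>/dev/null)" ]; then
    return 0
  else
    return 1
  fi
}

# Follow an aliases chain from NAME to its final destination and print it.
# Simplification: one target per line (real entries may be comma-separated).
# Gives up after 20 hops so a loop such as "a: b" / "b: a" is reported.
resolve_alias() {
  file=$1 name=$2 hops=0
  while :; do
    target=$(awk -F: -v n="$name" \
      '$0 !~ /^[ \t]*#/ && $1 == n { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }' "$file")
    if [ -z "$target" ]; then
      printf '%s\n' "$name"
      return 0
    fi
    hops=$((hops + 1))
    if [ "$hops" -gt 20 ]; then
      printf 'alias loop detected starting at %s\n' "$2" >&2
      return 1
    fi
    name=$target
  done
}
```

On a live system you would call write_relay_config /etc/postfix smtp.relayhost.com user password as root, then run newaliases and reload postfix as the text describes; resolve_alias /etc/aliases root then shows where root's mail actually ends up.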

Monitoring hard disks with smartmontools

SMART stands for Self-Monitoring, Analysis and Reporting Technology and is built into most modern hard disks. The smartd daemon is part of smartmontools and monitors a disk’s SMART data for any signs of hardware problems. SMART is available with Parallel and Serial ATA disks, drives appearing as either /dev/hd* or /dev/sd*, respectively. Use the following command to see which devices hold the mounted filesystems on your system:

user@ubuntu:~$ df -hl

If required, start by configuring postfix to redirect mail for the local root user. Get the necessary packages with the following command:

user@ubuntu:~$ sudo apt-get install smartmontools bsd-mailx

Configuring smartd

Edit the file /etc/smartd.conf and comment out any lines beginning with DEVICESCAN. If you are using a netbook or a laptop, add the following line for the smartd daemon to monitor the device /dev/sda:

/dev/sda -a -d ata -n standby -o on -S on -m root -M daily -M test

If you are using a desktop or a server, add the following line for the smartd daemon to monitor the device /dev/hda:

/dev/hda -a -d ata -n never -o on -S on -s (L/../../7/04|S/../.././02) -m root -M daily -M test

See man smartd.conf for more information on how to tailor the operation of smartd to your needs.

Starting smartd

Edit the file /etc/default/smartmontools and uncomment the line containing start_smartd=yes. Restart the smartd daemon with the following command:

user@ubuntu:~$ sudo /etc/init.d/smartmontools restart

Verify that the local root user has received a test message from the smartd daemon. From now on, the smartd daemon will monitor the disk and, in the event of impending disk failure, alert the local root user by email.
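Two checks for the smartd configuration described above, added here as an example (not code from the page or from the smartmontools project). lint_smartd_conf confirms that DEVICESCAN really is commented out and that every device line carries a -m recipient, since a failing disk only produces an alert if someone is named to receive it. smartd_schedule_matches evaluates a -s schedule regex the way smartd does: once an hour it matches the regex against the 12-character string T/MM/DD/d/HH (T is the test type, d the weekday with 7 = Sunday), so you can confirm what a regex such as (L/../../7/04|S/../.././02) will actually run before committing it. The file names used below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for smartd.conf.
set -eu

# Print one problem per line for FILE; return 0 only when the file is clean.
lint_smartd_conf() {
  file=$1 problems=0
  # an active DEVICESCAN makes smartd auto-detect devices and ignore the
  # explicit device lines that follow it, which is why the text comments it out
  if grep -Eq '^[ \t]*DEVICESCAN' "$file"; then
    echo "DEVICESCAN is active; explicit /dev lines are ignored"
    problems=$((problems + 1))
  fi
  # every device line should name a recipient with -m, or nobody gets the alert
  while IFS= read -r line; do
    case $line in
      /dev/*)
        case " $line " in
          *" -m "*) ;;
          *) echo "no -m recipient on: $line"; problems=$((problems + 1)) ;;
        esac ;;
    esac
  done <"$file"
  if [ "$problems" -eq 0 ]; then return 0; else return 1; fi
}

# smartd runs a scheduled test when the whole string T/MM/DD/d/HH matches the
# -s regex. Arguments: regex type month day weekday hour
# (e.g. '(L/../../7/04|S/../.././02)' L 10 09 7 04 for a long test on a Sunday
# at 04:00). Return 0 when a test would be scheduled.
smartd_schedule_matches() {
  if printf '%s/%s/%s/%s/%s' "$2" "$3" "$4" "$5" "$6" | grep -Eqx "$1"; then
    return 0
  else
    return 1
  fi
}
```

Run lint_smartd_conf /etc/smartd.conf after editing the file and before restarting the daemon; a clean result plus the test message smartd sends to root on startup is a reasonable confirmation that alerts will be delivered.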

Public/private key authentication with SSH

Updated 09/10/2016

SSH is a protocol that enables secure logins over a network. It supports the use of asymmetric (public-key) cryptography for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.

On the local machine

Use the following commands to generate new key pairs for the local user schmidt:

schmidt@exhaustpiano:~$ ssh-keygen -t ed25519 -o -a 100
schmidt@exhaustpiano:~$ ssh-keygen -t rsa -b 8192 -o -a 100

Use an appropriate passphrase to secure the private key (don’t be tempted to use an empty passphrase).
Deploy the public key with the following command:

schmidt@exhaustpiano:~$ ssh-copy-id schmidt@pizzaposition

On the remote machine

Delete any unused host keys with the following command:

root@pizzaposition:~$ rm /etc/ssh/ssh_host_dsa_key* /etc/ssh/ssh_host_ecdsa_key* /etc/ssh/ssh_host_rsa_key*

Create the group ssh-users with the following command:

root@pizzaposition:~$ addgroup --system ssh-users

Add the local user schmidt to the group ssh-users:

root@pizzaposition:~$ adduser schmidt ssh-users

Make the following changes in /etc/ssh/sshd_config to improve on the default configuration:

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Specify allowed key exchange algorithms
KexAlgorithms curve25519-sha256@libssh.org

# Specify the ciphers allowed for protocol version 2
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Specify the available MAC (message authentication code) algorithms
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

# Logging
LogLevel VERBOSE

# Authentication:
AllowGroups ssh-users
LoginGraceTime 20
PermitRootLogin no
MaxAuthTries 1

RSAAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

ClientAliveInterval 15

MaxStartups 3:60:20

UsePAM no
UseDNS no

Restart the SSH server on the remote machine with the following command:

root@pizzaposition:~$ systemctl restart ssh.service

Setting these options will make root logins impossible. Only users belonging to the group ssh-users may establish a connection. Access is strictly tied to the private key and the passphrase used to encrypt it. Using the private key stored on exhaustpiano, local user schmidt should now be able to remotely log into pizzaposition:

schmidt@exhaustpiano:~$ ssh pizzaposition
Enter passphrase for key '/home/schmidt/.ssh/id_ed25519':
Last login: Sun Oct 9 15:51:15 2016 from 12.34.56.78
schmidt@pizzaposition:~$
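An audit for the sshd_config changes listed above, added as an example that is not part of the page or of OpenSSH. One detail makes such a check worth scripting rather than eyeballing: sshd uses the first value it finds for a keyword (sshd_config(5)), so a PasswordAuthentication no appended below a stock PasswordAuthentication yes changes nothing, and directives placed after a Match line only apply conditionally. effective_value mirrors that rule, and audit_sshd_config compares the effective values against the settings from the text. The expected values are those of the configuration above; the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config against the
# hardening directives from the text, honouring sshd's first-value-wins rule.
set -eu

# Print the effective value of KEYWORD in FILE: the first occurrence in the
# global section (keyword matched case-insensitively, "Key value" or "Key=value").
# Stops at the first Match block, whose settings are conditional. Prints nothing
# when the keyword is unset, meaning the compiled-in default applies.
effective_value() {
  awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*(#|$)/ { next }
    { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
      split(line, f, "[ \t=]+") }
    tolower(f[1]) == "match" { exit }
    tolower(f[1]) == kw { sub(/^[^ \t=]+[ \t=]+/, "", line); print line; exit }
  ' "$1"
}

# Report every directive whose effective value differs from the hardened one,
# plus a missing AllowGroups; return 0 only when nothing deviates.
audit_sshd_config() {
  file=$1 bad=0
  for pair in 'PermitRootLogin=no' 'PasswordAuthentication=no' 'MaxAuthTries=1' \
              'LoginGraceTime=20' 'LogLevel=VERBOSE' 'UsePAM=no' 'UseDNS=no' \
              'KexAlgorithms=curve25519-sha256@libssh.org'; do
    kw=${pair%%=*} want=${pair#*=}
    got=$(effective_value "$file" "$kw")
    if [ "$got" != "$want" ]; then
      echo "$kw: expected '$want', effective '${got:-unset, default applies}'"
      bad=$((bad + 1))
    fi
  done
  # without AllowGroups, every account with a valid shell may log in
  if [ -z "$(effective_value "$file" AllowGroups)" ]; then
    echo "AllowGroups: not set, access is not restricted to a group"
    bad=$((bad + 1))
  fi
  if [ "$bad" -eq 0 ]; then return 0; else return 1; fi
}
```

Run audit_sshd_config /etc/ssh/sshd_config before restarting the service; on a host where the daemon is already running, sshd -T prints the daemon's own view of the effective configuration and is the authoritative cross-check.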

For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.
stribika.github.io

The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.

I did not come up with exhaustpiano and pizzaposition. The NSA Name Generator did.