New Linux System Setup: Don’t forget

For all users, put in place some protections and conveniences.

In /etc/bash.bashrc or /etc/profile.d/safe.sh, add these alias lines:

alias rm=’rm -i’
alias cp=’cp -i’
alias mv=’mv -i’

After that, the removal or destructive file copies will ask the user for confirmation. This was default on training wheels Linux I used years ago, don’t know why they deviated from it. Also in same spot, can add aliases to customize colorization of ls output.

Stop vi from giving weird symbols when the arrow keys are used

In /etc/vim/vimrc, put

set nocompatible

After installing emacs and ess, put my favorite .emacs file settings in. On Debian, drop the file in /etc/emacs/site-start.d. On Redhat, find site-start.d down under /usr/share/emacs…

In the ssh settings, change the default config to allow X11 forwarding and assume X11 forwarding for outgoing ssh connections.

In /etc/ssh/ssh_config, which defaults settings for outgoing ssh connections, add this at bottom:

ForwardX11 yes
ForwardX11Trusted yes

In /etc/ssh/sshd_config, for incoming connections, do this:

X11Forwarding yes

For security, forbid remote root logins

PermitRootLogin no

Or allow only if the user has put PGP keys in the proper setup.

PermitRootLogin without-password

That is horrible terminology, I did not create it. It means NO ROOT LOGIN unless the PGP keys are set to allow connections between specific machines. “without-password” should be “pgp-key-only” or something similar, in my opinion. The point here is that an attacker knows there is a “root” account and might try to log in over and over to guess a password. Stop that!

About pauljohn

Paul E. Johnson is a Professor of Political Science at the University of Kansas. He is an avid Linux User, an adequate system administrator and C programmer, and humility is one of his greatest strengths.
This entry was posted in Linux and tagged , . Bookmark the permalink.