Learning Linux: Week 2 – Permissions, Access Control & Networking Basics

Remote Access

• To connect to your Linux machine, either AWS or VirtualBox, you need to know the remote system’s IP address (or hostname) and the username you want to log in as {optional: password }

• For bash shell use the command ssh -i <pass-key> <user>@<ip-address>

• The first time you connect to a new system over SSH, you will be asked if you would like to access the remote system’s fingerprint

  

• SSH will save this fingerprint and prevent your access if it changes

• Some basic SSH commands that might come in handy

    ssh-keygen
  
    #Create private/public key-pair with RSA Algorith (2046-bit encryption by default)
  
    ssh-keygen -t rsa
  
    #if you want to create with RSA algo with 4096-bit encryption
  
    ssh-keygen -y rsa -b 4096
  
    #copy the created key into authorized _keys file of the server you want to coonect to using ssh-copy-id
  
    ssh-copy-id username@remote_host
  

Linux File and Directory Properties

• File Ownership

  • Every file or directory in Linux is owned by a user and a group

  • User → Owner of file

  • Group → a set of users that share the same permissions on the file

    ls -l filename
    #Result
    - rwxr-xr-x 1 user group 1234 Feb 6 10:00 filename

• Commands to modify ownership:

  • Change owner: chown <user> <filename>

  • Change group: chown :<group> <filename>

  • Change both: chown <user>:<group> <filename>

• File Permission

  • Read → Permission to view content

  • Write → Permission to modify the file’s content

  • Execute → Permission to run the file (for executable or scripts)

• Permission breakdown:

  • rwxr-xr-x

  • Owner permissions (first set of 3 characters)

  • Group permissions (second set of 3 characters)

  • Other permissions (third set of 3 characters)

File Access Control List (ACLs)

• What is Root?

  • It is the superuser or admin account on a Unix-like OS with unrestricted access to all parts of the system and can perform any action without limitation

  • It has the highest level of privileges

• sudo

  • sudo → superuser Do → temporarily gain root privileges when needed

  • minimizes the security risk associated with being logged in as root all the time

• Changing Password in a Linux System

  • passwd → Change your password and passwords for other users

  • To change your password, simply run passwd

  • To change other users’ passwords, run : sudo passed <user>

  • chpasswd → for changing multiple passwords at the same time

    • Syntax: sudo chpasswd < users_passwords.txt where users_passwords.txt contains

      user1:password123 user2:anotherpassword

  • usermod -L <user> → help you lock the user

    • Similar can be done with passwd -l <username>

  • usermod -U <user> → help you unlock the user

    • Similar can be done with passwd -u <username>

  • chage → used for managing password expiration policies

    • Syntax:
      sudo chage -l <username> #### check user's expiration status
sudo chage -d 0 <username> ####force a user to change their password at next login

User and Group Management

• Creating Users

  • useradd {options} {username} → to create a new user

  • ls -l /home → to list and show users in the system

    • -u → User ID

    • -s → assign shell

    • -e → expiry date

    • -c → comment

    • Eg: useradd -u 2020 -s /bin/bash -e 2026-01-01 -c "ADMIN USER" jeryy

  • Whenever we create a new user, we get some default folders, and the home directory of every new user is in the /home

  • passwd {username} → to create and change the user password

  • cat /etc/passwd → to list and show all users and the details of each user

  • chage {option} {username} → to display information about changing the user password expiry information

  • chage -d 0 {userame} → to force users to change their passwords on the next login

  • userdel {options} {username} → to remove the user account

  • userdel -r kerry → -r or --remove to delete the username account and the related files of the username

  • /sbin/login → designed specifically to prevent users from logging in, it presented a message when trying to log In, indicating their account is currently unavailable

  • /bin/false → prevent login, don’t display message

  • /bin/rbash → limits a user’s shell command, restricts access to specific directories and commands

• Creating Groups

  • groupadd {options} {groupname} → to create a new group

  • cat /etc/group → to show information about groups and the details of the group

    • -g or --gid → to assign an ID to the group

  • usermod {options} { group name} {username} → to show how to add members to groups

  • usermod {options} {username} → to modify user attributes

    • -a → append (assigning secondary group_

    • -G → groups

    • -g → assigning a primary group

    • -L → Lock

    • -U → unlock

    • -c → comment

  • id jerry → list all the groups user jerry is in

  • Primary vs Secondary groups

    | | Primary | Secondary | | --- | --- | --- | | Definition | Each user must be in only one primary group | Each user can be in multiple secondary groups | | Command | -g groupname username | -a -G groupname username | | Example | usermod -g network jerry | usermod -a -G database, linux jerry | | id jerry | gid=2002(network | groups=1991(linux),2021(database) |

  • groupdel {options} {groupname} → to delete a group and all entries referring to the group

  • cat /etc/group | grep developer → to double-check that we have deleted the group

• Modifying Permission sets

  • chmod {permissions} {filename} → used to modify, change, and remove permission sets on a directory

• Changing group ownership

  • chgrp groupname {file/directory} → to change only group ownership

• Superuser and visudo command

  • The sudoers file is a crucial configuration file in Unix-like operating systems, primarily Linux, that controls which users and groups can execute commands with elevated privileges (typically as the root user) → located in /etc/sudoers file

  • Although we can change directly in this file, we prefer not to, as it will not check for errors and syntax before applying

  • Therefore, a better approach is to use visudo command in order to check for errors and syntax

  • using visudo opens sudoers file in editor mode, where we can make changes

  • The system automatically updates changes tothe file when we save and exit

Networking

Networking Components

• IP Address → unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network

• Subnet Mask → a 32-bit number that masks an IP address and divides the IP address into network address and host address.

  • Subnet Mask is made by setting network bits to all ‘1’s and setting host bits to all ‘0’s

• Gateway → tells your computer which route you have to pick to send your traffic out and receive traffic in

• Static vs DHCP →

  • Assigning an IP to your machine that doesn’t change when you reboot is Static

  • DHCP will change on reboot, and it will pick an IP from the pool of IP addresses. Most likely, it will change the IP Address

• Interface → NIC Card → permanent MAC Address associated with your card

Client-Server Relationship

• It is a fundamental concept in networking, where a server provides resources, services, or data, and a client requests and consumes them

  • Client?

    • a system or application that requests services from a server

    • Sends requests and waits for a response from the server

  • Server?

    • server is a system or application that listens for client requests and provides services

    • Can handle multiple client connections at the same time

  • Client-Server Interaction Process

    • Client Initiates a Request

      • The client sends a request using a protocol like HTTP, SSH, FTP,etc.

    • Server Receives and processes the requests

      • The server listens on a specific port (80 → HTTP, 22 → SSH)

    • Server sends a response

      • Server processes the request and sends back a response

Configure & secure SSH

• Secure Shell → Shell provides you with an interface to the Linux system

  • It takes in our commands and translates them to kernel to manage hardware

• OpenSSH is a package /software

• Its service daemon is sshd → A daemon runs in the background and listens for commands

• By default, SSH port → 22

• SSH itself is secure, meaning communication through SSH is always encrypted, but there should be some additional configuration that can be done to make it more secure

• Common Configurations

  • Configure Idle Timeout Interval

    • Avoid having an unattended SSH session; you can set an Idle timeout interval

      • Become root

      • Edit your /etc/ssh/sshd_config file and add the following line

        • ClientAliveInterval 600 ClientAliveCountMax 0

        • # systemctl restart sshd

  • Disable root login

    • Disabling root login should be one of the measures you should take when setting up the system for the first time.

    • It disables any user from logging in to the system with the root account

      • Become root

      • Edit your /etc/ssh/sshd_config file and replace PermitRootLogin yes to no

      • PermitRootLogin no

      • # systemctl restart sshd

  • Limit Users’ SSH Access

    • To provide another layer of security, you should limit your SSH logins to only certain users who need remote access

      • Become root

      • Edit your /etc/ssh/sshd_config

        • AllowUsers user1 user2

      • systemctl restart sshd

  • Use a different Port

    • By default, SSH port runs on 22. Most hackers looking for any open SSH servers will look for port 22, and changing it can make the system much more secure

      • Become root

      • Edit /etc/ssh/sshd_config and remove the following

        • Port 22

      • systemctl restart sshd

  • SSH Keys → Access a Remote server without password

    Two reasons to access a remote machine

    • Repetitive Logins

    • Automation through scripts

    • ssh-keygen

    • ssh-copy-id root@<ip>

    • login via

      • ssh root@<ip>

      • ssh -l root <ip>

System updates and Repos

• There are two major commands used in system updates

  • dnf → new version of CentOS

    • yum (Older version of CentOS)

    • uses the same repository definition files as yum

    • repository defined in /etc/yum.repos.d are still valid

    • The repo has the URL where you can get the package from

    • So when you are running dnf, you are telling the system to go online with this URL and get the package I want to install (need Internet Connectivity)

  • apt-get

  • rpm (RedHat Package Manager)

• Difference between rpm and dnf

  • rpm It is used when you already have a package downloaded on your system, and then you can install it by running rpm

    • usually used in env. that don’t have internet access

    • rpm doesn’t install other dependencies automatically

    • rpm -qa → Check installed packages

    • rpm -qi → information

    • rpm -qf <fullpath> → Check which command belongs to which package

    • rpm -hiv <path>.rpm → Installation command

    • rpm -e <name> → Remove the package

    • rpm -qc → List configuration files

  • dnf does all the things for you, downloads and installs the package

    • It will install other dependencies as well, alongside

    • dnf install <package-name> → installs, verifies, and cleans up the downloads

    • dnf remove <package-name> → Remove the package

• chrony → replacement for ntp

• Two types of upgrades

  • Major version upgrade → from 7 to 8, 8 to 9, etc.

    • cat /etc/os-release → check version

    • cannot be upgraded viadnf command

  • Minor Version

    • CentOS = 8.1/8.2

    • Red Hat = 9.1/9.2/9.3

    • Stay within the same channel

    • can be done via dnf command

  • dnf update -y → not to prompt for yes or no

  • dnf upgrade → Delete old packages and update with newer packages

  • dnf update → Preserves the old package, why? It is good practice, in case certain applications don’t work with the newer package