Sudo access on Ubuntu

Question

I'm new to linux and the sysadmin world all together, so I'm looking for some advice and a couple of answers. I set up an EC2 instance running Ubuntu 12.04 and I SSH in via key pair.

First of all, I read through the Ubuntu user management page but it left me with a few questions. I noticed this on the page

Sudo allows an authorized user to temporarily elevate their privileges using their own password instead of having to know the password belonging to the root account.

When I run a sudo command I'm not prompted for a password after using SSH to access my server. I've read not to store passwords for database access (such as for PHP and MySQL) in plain text files, but rather use .cnf files instead with permission set to 600. If someone does manage to get on my server, all they have to do is type in sudo vi /path/to/cnf and then they can view the password. Is the whole point of that assuming that I have a password for sudo?

Am I supposed to add a password for sudo considering by default I don't have one?
How big of a risk is it for someone being able to SSH into my server considering I'm using UFW to restrict access to port 22 and I'm using a key pair?
Seeing as I used EC2 to set up my Ubuntu server, all of the sources I've seen on adding/changing passwords say by default the one is used from setup. I didn't really set anything up. It was all pre-configured through AWS. Is this an issue?

If you're not being prompted for a password, then you're probably logging in via SSH as root - is this correct? — Shane Madden, Feb 11 '14 at 22:55
No I'm logging as Ubuntu...at least that's what it says when I type whoami into the terminal — user3258348, Feb 11 '14 at 22:57

score 3 · Accepted Answer · edited Apr 13 '17 at 12:22

3

How big of a risk is it for someone being able to SSH

The risks are minimal really. Look at this questions for some things you can do to minimize the impact of brute force attempts.

Am I supposed to add a password ...

Your account has a password but sudo has been configured to not prompt you by having the below config set. ref This setting is fine for the most part if you doing all of your authentication via key. You could remove the NOPASSWD from this file if you wanted to be prompted.

# ubuntu user is default user in cloud-images.
# It needs passwordless sudo functionality.
ubuntu ALL=(ALL) NOPASSWD:ALL

edited Apr 13 '17 at 12:22

Community

1

answered Feb 11 '14 at 22:57

Zoredache

128,755
40
271
413

I'm already using UFW to restrict access to port 22 only to a couple IP's. Is that along with a key pair sufficient enough not to worry about there not being a sudo password asked? – user3258348 Feb 11 '14 at 22:58
If I do remove the NOPASSWD field, how will I know what my password is? As I stated, it's from an EC2 instance so there was really no configuration from the start. – user3258348 Feb 11 '14 at 23:02
Set one? Type `passwd`, then provide a password. – Zoredache Feb 11 '14 at 23:05
You said "Your account has a password but sudo has been configured to not prompt you" so I assumed I wouldn't be able to change it without being prompted the original one first. Then again you're not prompted for changing something like MySQL passwords. – user3258348 Feb 11 '14 at 23:07
@user3258348 Since you're able to `sudo`, you can change it - root privileges allow changing any password without having the original. – Shane Madden Feb 11 '14 at 23:08

score 0 · Answer 2 · answered Feb 12 '14 at 15:59

First some general security tips:

Use Key logins - you are good on that front
use big keys - e.g. generate a 4k rsa key (probably the current one is 1k or 2k
use strong password for the key - you should do that. If i can get my hands on your unprotected paswordless key .. everything is moot
move ssh to higher port - ex. 12322 - this will help with probing for services a little. And do not forget to open the port in the security group
monitor what is happening with your server - fail2ban is a wonderful tool
disable password logins (there are instructions in the other replies)
implement AllowUsers/AllowGroups to let only specific users (and root is not one of them) - coupled with aggressive fail2ban config this is prety much a killer.

Now for the questions:

How big of a risk is it for someone being able to SSH

Not much if at all ... just set some security

Am I supposed to add a password ...

Yes it would be nice but it is not strictly mandatory using something like

sudo passwd ubuntu

will let you change the password without knowing it.

The NOPASSWD means that any command can be executed without password. Yes i use it regularly but only on the machines i have with me (e.g. the laptop). It is advisable to remove it after you set a known (complex password).

Sudo access on Ubuntu

2 Answers2