How to Prevent Unauthorized Sudo Access in Debian 12 Bookworm

Learn how to prevent unauthorized sudo access in Debian 12 Bookworm

Ensuring the security of a Debian 12 Bookworm system is crucial, particularly when it comes to controlling sudo access. Unauthorized sudo access can lead to privilege escalation and compromise the entire system. In this article, we will discuss various strategies to prevent unauthorized sudo access in Debian 12 Bookworm.

Understanding Sudo and its Risks

The sudo command allows users to execute commands with superuser (root) privileges, which is necessary for performing administrative tasks. However, if sudo access falls into the wrong hands, it can lead to severe security breaches, including system modifications, data theft, or even complete system takeover.

Steps to Prevent Unauthorized Sudo Access

1. Restrict Sudo Access to Specific Users

By default, only users in the sudo group can use sudo. To ensure that only authorized users have sudo access:

  1. List users with sudo privileges:

    getent group sudo
    
  2. Remove unauthorized users:

    sudo deluser <username> sudo
    
  3. Verify the changes by listing sudo users again.
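The membership check in steps 1 to 3 can be scripted so the review is repeatable. The following is an added example and not part of the article: it parses one line of getent group sudo output against an allowlist of approved administrators and prints the deluser command for anyone who should not be there, without running it. GROUP_LINE is a constructed sample and ALLOWED is an assumed list; on a real host substitute the real getent output.

```shell
#!/bin/sh
# Added example, not from the article: audit sudo group membership against an
# allowlist.  GROUP_LINE is a constructed sample of `getent group sudo` output;
# on a real host use GROUP_LINE="$(getent group sudo)".  ALLOWED is an assumed
# list of approved administrators.
GROUP_LINE='sudo:x:27:alice,bob,svc-backup'
ALLOWED='alice bob'

# Print every member of the group line that is not in the allowlist,
# one user per line.  Usage: unauthorized_sudo_members "$GROUP_LINE" "$ALLOWED"
unauthorized_sudo_members() {
    line=$1
    allowed=$2
    # Field 4 of a group entry is the comma-separated member list.
    members=$(printf '%s\n' "$line" | cut -d: -f4 | tr ',' ' ')
    for m in $members; do
        found=0
        for a in $allowed; do
            if [ "$m" = "$a" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$m"
        fi
    done
    return 0
}

# Emit the removal command for each unauthorized member so an administrator
# can review the list before running anything.
# Usage: removal_commands "$GROUP_LINE" "$ALLOWED"
removal_commands() {
    unauthorized_sudo_members "$1" "$2" | while read -r user; do
        printf 'sudo deluser %s sudo\n' "$user"
    done
}

# Stand-alone run: show who would be removed.
removal_commands "$GROUP_LINE" "$ALLOWED"
```

Run this from cron or a configuration-management job and treat any output as a finding; the script deliberately prints the removal command instead of executing it so that a mistaken allowlist cannot lock administrators out.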

2. Require Strong Passwords for Sudo Users

Ensure that all users with sudo access have strong passwords. Use the following command to enforce strong password policies:

sudo apt install libpam-pwquality

Then, configure /etc/security/pwquality.conf to enforce password complexity requirements:

sudo nano /etc/security/pwquality.conf

Modify or add these lines:

minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
difok = 3

These settings enforce a minimum password length of 12 characters and require at least one uppercase letter, one lowercase letter, one digit, and one special character. On Debian the module is wired into /etc/pam.d/common-password automatically when the package is installed, but the checks apply only when a password is changed; to make an existing sudo user choose a compliant password at their next login, run sudo chage -d 0 <username>.

3. Use the Sudo Timeout Feature

By default, sudo remembers authentication for 15 minutes. Reduce this timeout to minimize risk:

  1. Edit the sudoers file:

    sudo visudo
    
  2. Add or modify the following line:

    Defaults timestamp_timeout=2
    

    This setting reduces the timeout to 2 minutes, ensuring that users must re-enter their password frequently.

4. Enable Sudo Logging and Auditing

Logging sudo activity helps track unauthorized attempts. Ensure that sudo logs are enabled:

  1. Check the sudo log file:

    sudo grep sudo /var/log/auth.log
    
  2. To enable more detailed logging, modify the sudoers file:

    sudo visudo
    

    Add the following line:

    Defaults logfile="/var/log/sudo.log"
    

    This logs all sudo actions to a separate file, in addition to the syslog entries, for easier monitoring.

5. Use Multi-Factor Authentication (MFA)

Adding an extra layer of security with MFA ensures that even if an attacker obtains a password, they still need a second authentication factor.

  1. Install Google Authenticator:

    sudo apt install libpam-google-authenticator
    
  2. Run the configuration tool:

    google-authenticator
    
  3. Follow the prompts and save the secret key.

  4. Enable MFA in PAM by editing /etc/pam.d/sudo:

    sudo nano /etc/pam.d/sudo
    

    Add the following line at the beginning:

    auth required pam_google_authenticator.so

    Keep a second root session open while testing: with required and no nullok option, any sudo user who has not yet run google-authenticator is denied sudo until their secret is set up.

6. Disable Root Access via Sudo

Disabling root access via sudo prevents unauthorized privilege escalation. To do this:

  1. Edit the sudoers file:

    sudo visudo
    
  2. Add the following line:

    Defaults !root_sudo
    

    This prevents users from running sudo su or sudo -i to gain a full root shell. Note that sudoers(5) documents root_sudo as controlling whether root itself may run sudo (which blocks chains such as sudo sudo /bin/sh) and does not change what ordinary users may run, so to keep users away from sudo su and sudo -i, also limit their allowed commands as described in step 8.

7. Remove Passwordless Sudo Access

Passwordless sudo access is a security risk. Check for such configurations with:

sudo cat /etc/sudoers
sudo sh -c 'cat /etc/sudoers.d/*'

The second command runs the glob inside a root shell because /etc/sudoers.d is not readable by ordinary users, so a plain sudo cat /etc/sudoers.d/* would fail to expand it.

If you find lines like:

username ALL=(ALL) NOPASSWD:ALL

Remove or modify them to:

username ALL=(ALL) ALL

This ensures that users must enter their password when using sudo.

8. Restrict Sudo Access to Specific Commands

Limit the commands a user can execute with sudo:

  1. Edit the sudoers file:

    sudo visudo
    
  2. Add a rule restricting a user to specific commands:

    username ALL=(ALL) NOPASSWD:/usr/bin/apt,/usr/bin/systemctl restart apache2
    

    This allows username to run apt and restart Apache without a password, but nothing else. Note that this rule uses the NOPASSWD tag that step 7 advises removing; drop it unless the account is an unattended automation user. Also be aware that an unrestricted /usr/bin/apt entry permits any apt subcommand and option, so narrow the arguments (for example /usr/bin/apt update) where the task allows, and run sudo visudo -c after editing to confirm the file still parses.
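Steps 7 and 8 both come down to reading every rule in /etc/sudoers and /etc/sudoers.d and deciding whether its NOPASSWD grant is unrestricted or scoped to specific commands. The block below is an added example, not part of the article: it builds a constructed sudoers tree in a temporary directory, reports each active NOPASSWD rule with its file and line, classifies it as unrestricted (NOPASSWD:ALL) or restricted, and prints the password-required rewrite. The user names and file names in the sample are invented; on a real host set SUDOERS_DIR=/etc and run the script as root.

```shell
#!/bin/sh
# Added example, not from the article: locate NOPASSWD rules in a sudoers tree
# and show the password-required form of each rule.  The files below are a
# constructed sample; on a real host set SUDOERS_DIR=/etc and run the script
# as root (sudo sh script.sh), since /etc/sudoers.d is mode 0750.
SUDOERS_DIR=$(mktemp -d)
trap 'rm -rf "$SUDOERS_DIR"' EXIT
mkdir -p "$SUDOERS_DIR/sudoers.d"
cat > "$SUDOERS_DIR/sudoers" <<'EOF'
# constructed sample of /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
@includedir /etc/sudoers.d
EOF
cat > "$SUDOERS_DIR/sudoers.d/deploy" <<'EOF'
# constructed sample drop-in: unrestricted passwordless access
deploy  ALL=(ALL) NOPASSWD:ALL
# a NOPASSWD mention inside a comment must not be reported
EOF
cat > "$SUDOERS_DIR/sudoers.d/ops" <<'EOF'
# constructed sample drop-in: passwordless but limited to one command
ops     ALL=(ALL) NOPASSWD:/usr/bin/systemctl restart apache2
EOF

# Print "file:line:rule" for every non-comment line carrying the NOPASSWD tag.
# Usage: find_nopasswd "$SUDOERS_DIR"
find_nopasswd() {
    grep -n 'NOPASSWD' "$1/sudoers" "$1"/sudoers.d/* 2>/dev/null \
        | grep -v '^[^:]*:[0-9]*:[[:space:]]*#'
    return 0
}

# Classify one rule: "unrestricted" when the NOPASSWD command list is ALL,
# otherwise "restricted".  Usage: classify_rule 'deploy ALL=(ALL) NOPASSWD:ALL'
classify_rule() {
    cmds=$(printf '%s\n' "$1" | sed -n 's/.*NOPASSWD:[[:space:]]*//p')
    case $cmds in
        ALL|ALL,*|ALL' '*) echo unrestricted ;;
        *)                 echo restricted ;;
    esac
}

# Rewrite one rule so a password is required again by dropping the tag.
# Usage: require_password 'deploy ALL=(ALL) NOPASSWD:ALL'
require_password() {
    printf '%s\n' "$1" | sed 's/NOPASSWD:[[:space:]]*//'
}

# Stand-alone run: report each hit, its class, and the suggested fix.
find_nopasswd "$SUDOERS_DIR" | while IFS= read -r hit; do
    rule=${hit#*:*:}
    printf '%s [%s]\n  fix: %s\n' "$hit" "$(classify_rule "$rule")" \
        "$(require_password "$rule")"
done
```

After applying any rewrite with visudo, confirm the result for the affected account with sudo -l -U <username>, which prints the rules that actually apply to that user after all drop-ins are merged.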

9. Regularly Review Sudo Access Logs

Regularly reviewing sudo logs helps detect unauthorized attempts. Use:

sudo grep 'sudo' /var/log/auth.log

For real-time monitoring, use:

sudo tail -f /var/log/auth.log | grep sudo

The log file is readable only by root and the adm group, which is why both commands run under sudo. On a fresh Debian 12 install rsyslog is not present by default, so /var/log/auth.log may not exist at all; in that case read the journal instead with sudo journalctl -t sudo (add -f for real-time output).
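Grepping for the string sudo shows every line, but what a reviewer wants is the refused requests and a per-user tally of what was actually run. The following is an added example and not part of the article: it feeds constructed auth.log style lines (host name, user names and commands are invented) through two small functions, one that extracts the refusal markers sudo writes (wrong password, user not in sudoers, command not allowed) and one that counts executed commands per invoking user. Both accept the sudo: form found in auth.log and the sudo[PID]: form produced by journalctl.

```shell
#!/bin/sh
# Added example, not from the article: summarize sudo activity from auth.log
# style lines.  AUTH_LOG is filled with constructed sample lines; on a real
# host set AUTH_LOG=/var/log/auth.log, or export the journal with
# journalctl -t sudo --no-pager > sudo.log and point AUTH_LOG at that file.
AUTH_LOG=$(mktemp)
trap 'rm -f "$AUTH_LOG"' EXIT
cat > "$AUTH_LOG" <<'EOF'
Mar  3 10:12:01 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:12:01 web1 sudo: pam_unix(sudo:session): session opened for user root(uid=0) by alice(uid=1000)
Mar  3 10:13:22 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 10:14:05 web1 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/su -
Mar  3 10:15:40 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart apache2
Mar  3 10:16:02 web1 sudo:     dave : command not allowed ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/vim /etc/sudoers
Mar  3 10:17:30 web1 sudo[2210]:     erin : TTY=pts/4 ; PWD=/home/erin ; USER=root ; COMMAND=/usr/bin/apt upgrade
EOF

# Matches the sudo tag in both syslog ("sudo:") and journal ("sudo[PID]:") form.
SUDO_RE=' sudo(\[[0-9]+\])?: '
# Markers sudo writes when it refuses a request: wrong password, user not in
# the policy at all, or a command the policy does not permit.
FAIL_RE='NOT in sudoers|incorrect password attempts|command not allowed'

# Print every sudo line that records a refused request.
# Usage: sudo_failures "$AUTH_LOG"
sudo_failures() {
    grep -E "$SUDO_RE" "$1" | grep -E "$FAIL_RE"
    return 0
}

# Count executed commands per invoking user, printed as "user count" and
# sorted by user.  Only lines with a COMMAND= field and no failure marker count.
# Usage: sudo_commands_by_user "$AUTH_LOG"
sudo_commands_by_user() {
    grep -E "$SUDO_RE" "$1" | grep 'COMMAND=' | grep -vE "$FAIL_RE" \
        | awk '{ sub(/^.* sudo(\[[0-9]+\])?: */, "")   # drop the syslog prefix
                 split($0, f, " : ")                   # f[1] is the invoking user
                 n[f[1]]++ }
               END { for (u in n) print u, n[u] }' \
        | sort
}

# Stand-alone run: refused requests first, then the per-user command tally.
echo '== refused sudo requests =='
sudo_failures "$AUTH_LOG"
echo '== commands run per user =='
sudo_commands_by_user "$AUTH_LOG"
```

A user appearing in the refused list who is not in the sudo group at all (bob in the sample) is the strongest signal of someone probing for access, while repeated incorrect password attempts on an authorized account (carol) deserve a look at whether that account's password has leaked.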

10. Set Up Alerts for Sudo Usage

To receive alerts when sudo is used, configure auditd:

sudo apt install auditd audispd-plugins
sudo systemctl enable --now auditd

Add a rule to monitor sudo:

sudo auditctl -w /usr/bin/sudo -p x -k sudo_activity

Rules loaded with auditctl last only until the next reboot. To make this one permanent, put the line -w /usr/bin/sudo -p x -k sudo_activity in /etc/audit/rules.d/sudo.rules and load it with sudo augenrules --load.

To view sudo-related logs:

sudo ausearch -k sudo_activity

Conclusion

Securing sudo access in Debian 12 Bookworm is vital to prevent unauthorized privilege escalation. By implementing the steps above—restricting user access, enforcing strong authentication, logging activity, and setting up alerts—you can significantly reduce security risks. Regular audits and proactive security measures will help maintain a secure and stable Debian system.