Disable Inactive SSH Sessions

Today’s article can be used by anyone that has started using SSH on their computers, as we learn to disable inactive SSH sessions. It’s not going to be a very complicated article. This is easy enough for anybody to do, and there aren’t too many ways to permanently mess things up.

What is SSH?

My regular readers will know that I’ve written quite a few articles about SSH. Basically, SSH stands for “Secure Shell” and is a tool you use to remotely control other devices through the terminal. The tool is ancient but still valuable. I use SSH regularly, and that’s not even counting the stuff I do online.

Indeed, I’ve written some SSH articles before:

Install SSH to Remotely Control Your Linux Computers
How To: Restart SSH
Show Failed SSH Login Attempts
(And many more.)

By default, your server/device may not close inactive or idle sessions. It will let you maintain your connection until you tell it to exit. This can be a security issue, and it may be worth configuring SSH to disable inactive SSH sessions.

In this article, we’ll be using Nano and you’ll need to be able to use an SSH connection. If you don’t default to using Nano, you can install Nano or just use the default text editor that you’re more accustomed to. In theory, if you’re just practicing, you could set this up on your computer and then tell SSH to connect to ‘user@localhost’.

Disable Inactive SSH Sessions:

Up above I said, “SSH stands for “Secure Shell” and is a tool you use to remotely control other devices through the terminal.” If you were paying attention, you’d notice the last word is “terminal”. So, you’ll need an open terminal. For most distros, you can open a terminal easily: press CTRL + ALT + T and you’re all good.

With your terminal now open, you’ll need to connect to the device that’s running the SSH server and enter the following command:

Next, you’ll add a couple of new lines. The syntax is straightforward and easy enough for anyone to understand. There’s a little bit of math, but you can do that math in your head. The syntax looks like this:

The first entry is how long you want to wait to check for an idle connection.

The second entry is how many times you want to check for an idle connection (at the interval set by the first entry).

For example, look at this:

With the above, it’d check for an idle state every 300 seconds (five minutes). It will perform this check 5 times. If the connection is idle for all of those checks, the system will disconnect the SSH user. That’s allowing for 25 minutes of idle time before disconnecting the inactive user. That seems reasonable to me.

You can set those values to anything you’d like, perhaps shorter for an open office and longer if you’re using your home computer and connected to your own devices. The math doesn’t change. It’s just the number of seconds between tests multiplied by the number of times the system will perform those checks. If you regularly have many users connected via SSH, you can save some resources by disconnecting them after a reasonable period of inactivity.
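The configuration lines this article refers to are not present above, so the following is an added example and not the article's own code. It assumes the two entries are OpenSSH's server-side ClientAliveInterval and ClientAliveCountMax directives in sshd_config, and it reads a constructed sample file to do the interval-times-count math; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: the idle budget configured in an sshd_config-style file.
# Assumes plain-seconds values; OpenSSH time suffixes (e.g. 5m) and Match
# blocks are not evaluated here.

# Print the first value set for keyword $2 in file $1. sshd keeps the first
# value it reads for a keyword, and keywords are case-insensitive.
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            line = $0
            sub(/=/, " ", line)            # "Keyword=value" is also accepted
            split(line, f)                 # f[1] = keyword, f[2] = value
            key = tolower(f[1])
            if (key == "match") exit       # global section ends here
            if (key == want) { print f[2]; exit }
        }
    ' "$1"
}

# Print the total seconds allowed (interval x count), or "disabled" when
# no probing is configured, or "unsupported" for non-numeric values.
idle_budget() {
    interval=$(sshd_value "$1" ClientAliveInterval)
    count=$(sshd_value "$1" ClientAliveCountMax)
    interval=${interval:-0}    # OpenSSH default: 0, probes are off
    count=${count:-3}          # OpenSSH default: 3
    case "$interval$count" in
        *[!0-9]*) echo "unsupported"; return 1 ;;
    esac
    # A count of 0 turns off termination in current OpenSSH releases.
    if [ "$interval" -eq 0 ] || [ "$count" -eq 0 ]; then
        echo "disabled"
        return 0
    fi
    echo $((interval * count))
}

# Constructed sample matching the article's 300 seconds x 5 checks.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample, not a real server's file
ClientAliveInterval 300
ClientAliveCountMax 5
EOF
    idle_budget "$cfg"
    rm -f "$cfg"
}

demo
```

On a live server, `sudo sshd -T` prints the effective values. sshd_config(5) describes ClientAliveCountMax as the number of client-alive messages that may go unanswered before sshd disconnects the client.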

As we edited this with Nano, you’ll need to save the file. To do that, you simply press CTRL + X, then Y, and then ENTER and Nano will save the ‘ssh_config’ file.

After you have saved the file, you’ll need to restart SSH for the changes to take effect. That’s easy enough. Assuming you’re using Systemd, you restart SSH with this command:

If you’re still using SysV, the command would be this:

(I don’t bother with that often, I just assume you’re using Systemd. After all, according to the stats I can get, most of us are in fact using distros that use Systemd.)

Closure:

So, if you want to disable inactive SSH sessions, you can use the above as a template. You’ll need to figure out how long you want to wait between checks and you’ll want to decide how many times you’re going to make those checks. It’s simple math that anyone can do. It’s also probably not a bad step to take if you’re dealing with something public or sensitive.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Change The ‘sudo’ Password Timeout

Today’s article is going to be a pretty basic article about sudo, where we learn how to change the sudo password timeout. It’s pretty easy to change the sudo password timeout value, and reasonably safe to do so if you use visudo. So, with that in mind, read on!

When you use sudo you’re given a grace period. During that time, you can use sudo again without being asked to type your password again. This is an arbitrary value, typically 15 minutes (I think), and you can customize that value for your particular environment. It’s not difficult.

This is something people may want to change if they’re slow, doing a lot with sudo, or have good physical security. This is also something that someone might want to change for the opposite reason. Some people may want to decrease the length of time that they have with sudo because they work in a shared environment. Who knows? It’s your computer, you can do what you want!

So, what is sudo? It’s how you temporarily use elevated permissions. In fact, I wrote a whole article on this subject, which you can read if you’re so inclined – and I’d suggest doing so if you’re new to Linux:

So, What Is ‘sudo’ Anyhow?

Well then, I mentioned another application. I mentioned ‘visudo’ above.

This may come as a surprise, but I actually wrote an article about visudo! You can read that as well, especially if you’re new to Linux:

Use visudo To Edit The sudoers File

Huh… It’s almost as if I’ve been waiting to write this article for a while and that I took the time to write articles that explain all these things. For a brief moment, one might be fooled into thinking I am good at preparing things. Little do you know… It’d be far more accurate to just say that I’ve written a bunch of articles already. I’d prefer it if you thought it was the former, but there’s definitely a touch of the latter.

Change The sudo Password Timeout:

If you clicked on either of the two links above, you’d know that those tools are used in the terminal. You didn’t click them, did you? Well, you’re going to need an open terminal. In most distros, you can just press CTRL + ALT + T and your default terminal should open. 

With your terminal now open, we’re going to use visudo to edit your sudoers file. In my particular case, we’ll be using Nano. (See? Yet another article you can rely on for more information about Nano!) The command to start banging away on your sudoers file would be simply this:

Now, I can’t say for sure that you’ll be using Nano for this. As you didn’t click the links above, I’ll remind you that visudo uses your default text editor. So, you’ll need to be prepared for that. Your default text editor may be Vim, for example, and you’ll need to know the basics to change your sudo password timeout.

NOTE: If you want, you can change your default text editor. (Did you see that? I did it again!)

Anyhow…

With your sudoers file now open for editing, you just enter the following on a new line:

As far as I can tell, most distros default to 15 minutes. So, you can use sudo and then you won’t be asked for the password again for the next fifteen minutes. In the above, you replace the obvious with the obvious. If you wanted 10 minutes leeway without retyping the password, you’d use this command:

If you wanted an hour’s worth of leeway without typing your sudo password again, then the command would just be this:

See? It’s not very complicated at all.

If you want to be fancy, you could include a comment. A comment starts with a # symbol and is thus ignored by the system. You might want to enter something like this:

By adding a comment, you’ll be reminded of what changes you’ve made from the default configuration. This is generally a good idea, especially if you’re going to heavily modify your system.
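The sudoers lines this article refers to are not present above, so the following is an added example and not the article's own code. It assumes the setting is sudo's `Defaults timestamp_timeout=<minutes>` option, and it reads a constructed sudoers fragment to report which grace period is in force; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the sudo password grace period set in one
# sudoers-style file. Included files and scoped entries such as
# "Defaults:alice" are not followed.

# Print the value of the last global "Defaults ... timestamp_timeout=N"
# entry in file $1 (later Defaults entries override earlier ones).
sudo_timeout() {
    awk '
        /^[ \t]*#/ { next }                     # comment lines
        $1 == "Defaults" {
            rest = $0
            sub(/^[ \t]*Defaults[ \t]+/, "", rest)
            n = split(rest, opt, ",")           # options are comma-separated
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opt[i])       # allow spaces around "="
                if (opt[i] ~ /^timestamp_timeout=/) {
                    val = opt[i]
                    sub(/^[^=]*=/, "", val)
                }
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# Classify the setting the way a reviewer would want to see it.
sudo_timeout_verdict() {
    v=$(sudo_timeout "$1")
    case "$v" in
        "")    echo "default" ;;         # not set: the build default applies
        -*)    echo "never-expires" ;;   # negative: no expiry until reboot
        0|0.0) echo "always-prompt" ;;   # zero: password on every sudo call
        *)     echo "${v}-minutes" ;;
    esac
}

# Constructed fragment: a comment line followed by a 10 minute timeout.
demo() {
    frag=$(mktemp)
    cat > "$frag" <<'EOF'
# constructed sample: shorten the sudo grace period to 10 minutes
Defaults timestamp_timeout=10
EOF
    sudo_timeout_verdict "$frag"
    rm -f "$frag"
}

demo
```

Running `visudo -cf <file>` on a fragment checks its syntax without installing it.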

As this is Nano, you can finish editing the sudoers file by pressing CTRL + X, then Y, and then ENTER. That will save the changes with Nano. If you’re not using Nano, you’ll need to refer to the manual (unless you already know how to save an edited file).

Closure:

And there you go! You can now change your sudo password timeout value to whatever it is you desire, assuming it’s whole minutes. I do not believe it works with fractions of minutes. You shouldn’t need to reboot or anything. It should take effect immediately and be the new timeout value the very next time you use a command that starts with sudo.

Of course, this comes with some security considerations. If this is a public kiosk, you’d have to be a fool to make this longer. You’d have to be a fool to have sudo access to begin with! That’s why they make guest accounts!

But, if you’re home alone and the neighbors aren’t going to sneak in to steal your wifi password, you’re probably good to go. Heck, if you are daring, you can use sudo without a password. I don’t recommend that, but you can… 

Also, this article contains a whole lot of links to other articles. Google will be pleased! I think it speaks to how many articles I’ve already written more than any foresight on my part.


How To: Change DNS Servers

Today’s article shouldn’t be all that difficult for even our newest users but is limited to those who want to change DNS servers to something other than the default. This is easy enough to do, but obscure enough to warrant an article of its own. 

First, let’s have some fun. I’m going to ask ChatGPT to tell you about DNS in just two paragraphs. So, let’s see what the AI has to say:

First, what is DNS?

DNS, or the Domain Name System, is a fundamental protocol used in computer networks to translate human-readable domain names into machine-readable IP addresses. It serves as a decentralized directory system that enables users to access websites, send emails, and perform various network activities using familiar domain names instead of numerical IP addresses. When a user enters a domain name in their web browser, the DNS resolver (typically provided by the Internet Service Provider or ISP) initiates a series of queries to locate the corresponding IP address. The resolver communicates with DNS servers, starting from the root servers, then the top-level domain servers, and finally the authoritative name servers associated with the requested domain. Through this hierarchical process, DNS ensures efficient and accurate resolution of domain names, facilitating seamless internet connectivity.

DNS operates through a distributed database system known as the DNS namespace. This namespace is organized hierarchically, with the root domain at the top, followed by top-level domains (TLDs) like .com, .org, or country-specific domains such as .us or .uk. Beneath the TLDs, there are second-level domains, and further subdivisions like subdomains. Each domain has authoritative name servers that store the IP addresses associated with the domain names they manage. DNS resolution occurs through recursive queries, where the resolver traverses the DNS hierarchy to find the authoritative name servers responsible for the domain. Once the IP address is obtained, the resolver caches it for future use, reducing the need for repetitive queries. DNS plays a crucial role in the functioning of the internet by providing a scalable and efficient method for translating domain names to IP addresses, enabling seamless communication and accessibility across the network.

Wow! That’s pretty accurate. I’d have just resorted to describing DNS as the telephone book of the internet. You look up the name you want to reach and DNS tells you the number. In this case, the number is the IP address.

All in all, I’d say ChatGPT did a pretty fine job.

Change DNS Servers:

There are a variety of reasons why someone would want to change DNS servers to something else. They may get updated more quickly, weed out junk domains, or even remove ads and things like that. Maybe you want to weed out inappropriate material because you have children. Perhaps you have some custom configurations needed to traverse your complex local network. There are all sorts of reasons why you might want to change DNS servers.

See, as alluded to above, it’s perfectly possible to run your own DNS server (see Pi-hole for one such example). You can also use DNS servers provided by various third parties. For example, CloudFlare and Google offer their own DNS servers that are free for you to use. There are other choices, but this isn’t an encyclopedia writ large, so I’m going to just include those two. You can use your favorite search engine to find more.

So, let’s say you don’t like using a DNS server provided by your ISP. Perhaps you do this because of privacy issues, though you can look into DNS over HTTPS if you’d like. Perhaps you just don’t find them updated quickly enough or you’ve found they contain errors. (They do sometimes have issues and have even been known to be exploited in the past.)

NOTE: We’ll be using ‘nano’ for this exercise. We’ll also default to Google’s public DNS servers, but you can substitute with whatever you find available.

Well, the first step you’re going to take is opening your terminal. You can do that by just pressing CTRL + ALT + T. In most distros, that will open the default terminal emulator. If your distro doesn’t do so, start mucking about with the keybindings until it does!

The file we’ll be editing doesn’t actually exist on most distros. That’s not a problem, because we’ll be making that file with nano. With your terminal open, enter the following command:

That should be a perfectly blank file and you’ll want to enter the following (again, using Google’s public DNS servers) to change DNS servers:

Then, you’ll save the file with Nano. That’s pretty easy. To save this new resolv.conf file with nano, you just press CTRL + X, then Y, and then ENTER.

Next, you’ll need to reboot. I know this will pain some of you, but I’ve yet to have a sure way to effect these changes other than rebooting. So, you’ve gotta do that. Try this command:

Now that you’ve managed to change DNS servers, you should be able to browse around much as you normally would. Remember, the people in charge of the DNS servers are the ones that decide where you go when you enter an address into the address bar and smash that enter button.

Be sure to use a company you trust to provide those services and be sure to verify your internet is still working properly. If it’s not working, you can remove the file and reboot or you can edit it again and try rebooting again. It shouldn’t be a problem in reality, as this isn’t anything all that complicated.

Closure:

So, there you have it. It’s yet another article. This time around we discussed how to change DNS servers – along with some reasons as to why you might want to. If you have a spare bit of hardware kicking about, you can make your own DNS server and point to that with the internal addresses you’d be using. It’s nothing too painful and I think even beginning Linux users can follow along easily enough.


Use visudo To Edit The sudoers File

Today’s article may take a different format than most, as it’s just an article telling you to use visudo to edit the sudoers file. This type of article doesn’t lend itself to my normal formatting and should be considered akin to a Public Service Announcement. 

So, let’s start with the basics:

What Is The sudoers File?

Very simply, the sudoers file is the file on your system that decides who has permission to use elevated permissions via sudo. The sudoers file is pretty important and it’s easy to make mistakes while editing it. Fortunately, there’s some protection you can use while editing the sudoers file.

If you’re curious, we normally recommend using sudo instead of using root because sudo only gives the command elevated permissions while root always has elevated permissions. Those folks reading my site are generally fairly new to Linux and, as such, I strongly suggest using sudo instead of just logging in as root. Sure, it’s more of a hassle, but it’ll help save you from yourself.

What is visudo?

The visudo command will open your sudoers file with your default text editor. In many cases that will be Vim, but Nano is starting to be the default for more distros. I prefer the latter.

The visudo command defines itself like so:

visudo — edit the sudoers file

Further, and helpfully, you’ll find this in the description:

visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors before installing the edited file. If the sudoers file is currently being edited you will receive a message to try again later.

So, as you can see, using visudo will help protect you from mistakes.

NOTE: While visudo can save you from syntax mistakes, it will do nothing to prevent you from entering the wrong information. If you open a second terminal and pre-authenticate for sudo, and do so quickly enough, you can then use that second terminal to fix it (re-editing the sudoers file).

Use visudo To Edit The sudoers File:

The sudoers file is located at /etc/sudoers and is a plain text file. It’s just a configuration file, like so many other configuration files. But, as described above, it’s a very important file. It’s also possible to mount the drive with a live Linux instance to edit the file, but that’s not something I’d recommend. Besides, if you use visudo to edit the sudoers file that shouldn’t be a problem.

You don’t need to specify anything when you want to edit the sudoers file. You don’t have to specify the file’s location. The visudo command knows where your sudoers file is (unless you’ve modified this, as you can make a second config file and edit that) all by itself. If you want to use visudo to edit the sudoers file, you simply need this command in your favorite terminal:

The very first line of that file says this:

This file MUST be edited with the ‘visudo’ command as root.

I realize what it says, but in this case, you can replace ‘root’ with ‘sudo’ which will elevate your permissions to those of root. So, we’re sort of still using root to edit the file, but we’re technically just using sudo.

Closure:

There is my PSA about using visudo to edit that sudoers file. You must do so, especially if you’re new. You might be able to avoid a syntax error, but there’s no reason to not use visudo which will check for that sort of stuff.

I suppose the name comes from a time when Vi was still popular. It’s also not a complete solution. You can still enter garbage and get garbage results. If you’re unprepared for the potential consequences, you might want to avoid editing the sudoers file until you’ve gained some confidence and have more familiarity with the tools Linux provides.


Let’s Password Protect A File

Today’s article is a fun one, where we’ll learn how to password protect a file using something called GPG. It’s not complicated. You can learn how to password protect a file in just a few minutes. You can then send these files out and other people can decrypt them – assuming you’ve shared the password with them.

We all have secrets. They’re not all digital, but they could be. We may also want to be able to share files that have private information in them, meaning you only want people with the password to open it. Though, I suppose, brute force is always an option – but you can at least make it difficult by using a complex password, preferably one that you didn’t generate yourself.

So, what is GPG? GPG stands for “GNU Privacy Guard”. It’s fairly standard and used quite a bit. There are other applications, like PGP, but I think all of you folks that use a ‘full’ distro will have GPG installed by default. It’s one of those tools that you might not use all that often, but it seems to be included by default in a lot of places. I suspect that’s because other things rely on GPG, but I’m way too lazy inept to look that up.

By the way, the GPG man page describes it as:

gpg – OpenPGP encryption and signing tool

That GPG is what we’re going to be using for this exercise. Trust me, it’s easier than you might think. 

Password Protect A File:

Do I have to mention it? Of course I do! It’s time for your favorite thing, an open terminal ready for your commands. You can open your default terminal by pressing CTRL + ALT + T.

With your terminal now open, the command to password protect a file would be:

The -c flag tells gpg to encrypt the file with a password (symmetric encryption). It should then ask you for a password, which you’ll need to enter twice, and then it will make an encrypted copy of the file with a .gpg extension. The original file will still exist, so this isn’t encrypting that original file. It’s making an encrypted copy and you’ll want to safely delete the original file if that’s your intention.

Now, to open the new <file_name>.gpg file, you’ll need to use the following command:

Now, when I went to open that with the same computer and the same session it didn’t ask for a password. I shipped it to another computer and it did just that. I do not know why.

When you successfully open the password protected file, it will ask you if you want to overwrite the original. This shouldn’t happen when you ship it to someone else unless they happen to already have a file with that specific name. It also will let you say you don’t want to overwrite the file and let you pick a new file name for the unencrypted content.

Closure:

You can actually do this with a folder if you’d prefer. It’s just specifying a folder instead of a file. The process is exactly the same. So, like I said at the start, it’s a really easy task to password protect a file. The terminal is useful for all sorts of stuff.


Linux Tips
This work is licensed under a Creative Commons Attribution 4.0 International License.