
Beginner or not, you should probably use visudo [1] instead of

  vim /etc/sudoers

for the sanity checks that it provides, if nothing else. A botched edit of /etc/sudoers that locks you (along with every other user) out of administrative access is an unpleasant way to learn this.

[1] http://linux.die.net/man/8/visudo

Similarly, "ufw allow from {ipaddress-you-will-access-from} to any port 22" sounds like a good way to accidentally lock yourself out unless you have an out-of-band backup.

While true, I'd like to note that the article's author does have OOB access.

FWIW, I never understood UFW over straight iptables. Is it really easier to read?

IMHO, yes. At least on Ubuntu, it's never been too clear to me how I should save my rules so that they come back on startup.

The ufw man page is pretty decent.

I've not tried anything complex with UFW so I still use iptables on my bastion host that handles my vpn tap. It's not terribly complex to make rules come back on startup (but probably more involved than one would hope).

For anyone else that followed the thread to this point: this advice on bringing iptables back up on reboot worked for me: http://rackerhacker.com/2009/11/16/automatically-loading-ipt... YMMV.

This is how I run iptables on a sufficiently large network of machines.

The advice is not complete. IPv6 is real and really works most of the time these days. Back up your ip6tables to a file too. I like /etc/firewall-4.conf and /etc/firewall-6.conf but it's down to preference.

Know about iptables-apply too, lest you be caught unaware.
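A confirm-or-rollback wrapper in the spirit of iptables-apply that snapshots and restores both the iptables and ip6tables rulesets discussed above (an added example, not code from any commenter; the paths /etc/firewall-4.conf and /etc/firewall-6.conf follow the suggestion above, and the function names are my own):

```bash
#!/usr/bin/env bash
# Confirm-or-rollback wrapper for firewall changes, in the spirit of
# iptables-apply but covering IPv4 and IPv6 together.  The new ruleset goes
# live, and the admin must type "yes" on the still-open SSH session within
# the timeout; if the new rules cut that session off, no confirmation
# arrives and the saved ruleset is restored.
#
# Snapshot paths follow the thread's suggestion; they are not a distro default.
FW4_SAVE=${FW4_SAVE:-/etc/firewall-4.conf}
FW6_SAVE=${FW6_SAVE:-/etc/firewall-6.conf}

# Snapshot the running rules for both address families.
save_rules() {
    iptables-save > "$FW4_SAVE" && ip6tables-save > "$FW6_SAVE"
}

# Put the snapshot back (used on rollback, and from a boot-time unit).
restore_rules() {
    iptables-restore < "$FW4_SAVE" && ip6tables-restore < "$FW6_SAVE"
}

# apply_with_rollback APPLY_CMD ROLLBACK_CMD [TIMEOUT_SECONDS]
# Both commands are eval'd, so shell functions such as restore_rules work.
# Returns 0 if confirmed, 1 if rolled back, 2 if APPLY_CMD itself failed
# (nothing changed, so nothing to roll back).
apply_with_rollback() {
    local apply_cmd=$1 rollback_cmd=$2 timeout=${3:-30} answer=""
    if ! eval "$apply_cmd"; then
        echo "apply failed; current rules untouched" >&2
        return 2
    fi
    echo "New rules are live. Type 'yes' within ${timeout}s to keep them:" >&2
    # read -t fails on timeout and on EOF (e.g. the session is already gone).
    if read -r -t "$timeout" answer && [ "$answer" = "yes" ]; then
        echo "confirmed" >&2
        return 0
    fi
    echo "no confirmation; rolling back" >&2
    eval "$rollback_cmd" || echo "rollback command failed" >&2
    return 1
}

# Typical use: snapshot, apply a new rules script, then confirm from the
# same session (or get rolled back after 30 s):
#   save_rules && apply_with_rollback "bash /root/new-rules.sh" restore_rules 30
```

Run it from the session you want to keep; a second terminal that still works is not proof the new rules are safe.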

He does; he's on a Linode, so he has LISH.

You're absolutely right. Thanks for catching that!

In certain cases you may not even need to visudo :) AFAIK, Ubuntu's default /etc/sudoers contains this:

  %admin ALL=(ALL) ALL

So you just need to make sure your 'deploy' user account belongs to the admin group and you're good to go.

Sure, as long as you remember to use

    EDITOR=emacs visudo

On Debian or Ubuntu you can also include a user in the sudo group:

  usermod -a -G sudo username

I prefer the "adduser" way (easier to remember):

  $ sudo adduser username sudo
