Compare commits

...

6 Commits

Author SHA1 Message Date
IMTheNachoMan
957ac09544 Merge pull request #94 from sysadt/master
Changes to ufw
2023-03-23 22:28:11 -04:00
IMTheNachoMan
cf7b5681ed Merge pull request #96 from Bojan023/patch-1
Add cli command to check current sudoers on debian
2023-03-23 22:27:07 -04:00
IMTheNachoMan
87391f5eab clarified CIS recommendation
https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/97
2023-03-23 22:25:58 -04:00
Bojan Bogojevic
17bc162d48 Add cli command to check current sudoers
2023-03-22 12:12:49 +01:00
sysadt
6ec89c07c8 wording to "deleting ufw rule"
title
2023-02-22 22:20:07 +01:00
sysadt
0df0fdbe28 Changes to ufw
1. added section about deleting ufw rules
2. changed wording in the ufw comments from "allow traffic out on port" to "allow traffic out to port". IMO the "on" sounds like opening source ports
3. added mail to common use-cases with ports 25 and 587
2023-02-22 22:16:02 +01:00


@@ -105,7 +105,7 @@ IT automation tools like [Ansible](https://www.ansible.com/), [Chef](https://www
There are many guides provided by experts, industry leaders, and the distributions themselves. It is not practical, and sometimes against copyright, to include everything from those guides. I recommend you check them out before starting with this guide.
- The [Center for Internet Security (CIS)](https://www.cisecurity.org/) provides [benchmarks](https://www.cisecurity.org/cis-benchmarks/) that are exhaustive, industry trusted, step-by-step instructions for securing many flavors of Linux. Check their [About Us](https://www.cisecurity.org/about-us/) page for details. My recommendation is to go through this guide first and then CIS's guide. That way their recommendations will trump anything in this guide.
- The [Center for Internet Security (CIS)](https://www.cisecurity.org/) provides [benchmarks](https://www.cisecurity.org/cis-benchmarks/) that are exhaustive, industry trusted, step-by-step instructions for securing many flavors of Linux. Check their [About Us](https://www.cisecurity.org/about-us/) page for details. My recommendation is to go through this guide (the one you're reading here) first and THEN CIS's guide. That way their recommendations will trump anything in this guide.
- For distribution specific hardening/security guides, check your distributions documentation.
- https://security.utexas.edu/os-hardening-checklist/linux-7 - Red Hat Enterprise Linux 7 Hardening Checklist
- https://cloudpro.zone/index.php/2018/01/18/debian-9-3-server-setup-guide-part-1/ - # Debian 9.3 server setup guide
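Review bot: the emphasis in the new line (`THEN CIS's guide`) is all-caps, while this README otherwise uses markdown bold for emphasis (the companion hunk in the same series writes `**read**`), so `**then**` would match the file's own style. The closing sentence is also ambiguous: "their recommendations will trump anything in this guide" reads as a statement about authority, when the point being made is ordering, namely that applying the CIS benchmark last means its settings overwrite any conflicting ones from this guide. Saying that directly ("apply CIS after this guide so its settings win wherever the two differ") would remove the ambiguity.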
@@ -256,7 +256,7 @@ Where applicable, use the expert install option so you have tighter control of w
- Installing core software you'll want like `man`
- Etc...
- Your server will need to be able to send e-mails so you can get important security alerts. If you're not setting up a mail server check [Gmail and Exim4 As MTA With Implicit TLS](#gmail-and-exim4-as-mta-with-implicit-tls).
- I would also recommend you go through the [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/) before you start with this guide.
- I would also recommend you **read** through the [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks/) before you start with this guide just to digest/understand what they have to say. My recommendation is to go through this guide (the one you're reading here) first and THEN CIS's guide. That way their recommendations will trump anything in this guide.
([Table of Contents](#table-of-contents))
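Review bot: the rewritten bullet now carries a verbatim copy of the two sentences added to the "other guides" section earlier in this change (`My recommendation is to go through this guide (the one you're reading here) first and THEN CIS's guide. That way their recommendations will trump anything in this guide.`), so the same advice lives in two places and will drift the next time one copy is edited. Keep the recommendation in one section and point to it from the other with an in-page anchor, as this bullet list already does for `#gmail-and-exim4-as-mta-with-implicit-tls`. Minor: `digest/understand` can be just `understand`.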
@@ -792,7 +792,11 @@ sudo lets accounts run commands as other accounts, including **root**. We want t
#### Notes
- Your installation may have already done this, or may already have a special group intended for this purpose so check first.
- Debian creates the sudo group
- Debian creates the sudo group. To view users that are part of this group (thus have sudo privileges):
```
cat /etc/group | grep "sudo"
```
- RedHat creates the wheel group
- See [https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/39](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/39) for a note on some distributions making it so `sudo` does not require a password. Thanks to [sbrl](https://github.com/sbrl) for sharing.
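Review bot: `cat /etc/group | grep "sudo"` both over- and under-reports. grep matches any line containing `sudo`, so a group or member whose name merely contains the string (e.g. `sudoers`) is printed too, and `/etc/group` is not consulted for groups served by LDAP/SSSD or other NSS sources. `getent group sudo` does an exact lookup through NSS and drops the pipeline. For the stated purpose ("users that ... have sudo privileges") the group check is also incomplete, because accounts can be granted directly in `/etc/sudoers` or `/etc/sudoers.d/`; `sudo -l -U <user>` shows the effective rules for a given account. Style: the new fence has no language tag while the rest of the file uses ``` bash, and the RedHat `wheel` bullet gets no equivalent command.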
@@ -1445,10 +1449,10 @@ You can create rules by explicitly specifying the ports or with application conf
1. Allow additional traffic as per your needs. Some common use-cases:
``` bash
# allow traffic out on port 53 -- DNS
# allow traffic out to port 53 -- DNS
sudo ufw allow out 53 comment 'allow DNS calls out'
# allow traffic out on port 123 -- NTP
# allow traffic out to port 123 -- NTP
sudo ufw allow out 123 comment 'allow NTP out'
# allow traffic out for HTTP, HTTPS, or FTP
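Review bot: while these comments are being reworded, the rules themselves could state the protocol. `sudo ufw allow out 123 comment 'allow NTP out'` opens 123 for both TCP and UDP although NTP is UDP-only, so `123/udp` is the tighter rule; DNS legitimately uses both transports, so leaving `53` unqualified is fine. The wording change itself ("out to port") is an improvement and matches what ufw does here (the number is the destination port).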
@@ -1459,8 +1463,12 @@ You can create rules by explicitly specifying the ports or with application conf
# allow whois
sudo ufw allow out whois comment 'allow whois'
# allow mails for status notifications -- choose port according to your provider
sudo ufw allow out 25 comment 'allow SMTP out'
sudo ufw allow out 587 comment 'allow SMTP out'
# allow traffic out on port 68 -- the DHCP client
# allow traffic out to port 68 -- the DHCP client
# you only need this if you're using DHCP
sudo ufw allow out 67 comment 'allow the DHCP client to update'
sudo ufw allow out 68 comment 'allow the DHCP client to update'
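Review bot: the two new SMTP rules open both 25 and 587 unconditionally even though the comment says `choose port according to your provider`; as written a reader who copies the block gets both. The guide's own mail setup referenced in this file ("Gmail and Exim4 As MTA With Implicit TLS") uses implicit-TLS submission, which is port 465, so that case is covered by neither rule. Suggest one rule per provider setup, 465 added where relevant, and the protocol pinned (`25/tcp`, `587/tcp`, `465/tcp`) since SMTP is TCP-only. The two comments are also identical ('allow SMTP out'); distinguishing them (e.g. 'SMTP relay' vs 'SMTP submission') keeps `ufw status` readable. A sentence noting that outbound 25 is frequently blocked by cloud and ISP providers would save readers some debugging.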
@@ -1542,6 +1550,14 @@ You can create rules by explicitly specifying the ports or with application conf
> 43/tcp (v6) ALLOW OUT Anywhere (v6) # allow whois
> ```
7. If you need to delete a rule
``` bash
sudo ufw status numbered
[...]
sudo ufw delete 3 #line number of the rule you want to delete
```
#### Default Applications
ufw ships with some default applications. You can see them with:
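Review bot: the new step 7 should warn that ufw renumbers the remaining rules after every delete, so removing several rules by number must either proceed from the highest number downwards or re-run `sudo ufw status numbered` before each `delete`; otherwise the second delete removes the wrong rule. Deleting by rule specification avoids the problem entirely and is self-documenting, e.g. `sudo ufw delete allow out 25`. Also `ufw delete <n>` asks for confirmation (suppressible with `--force`), which the `[...]` placeholder hides, and the comment `#line number of the rule ...` lacks the space after `#` used by every other comment in this list.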