All systems and applications using Secure Sockets Layer (SSL) 3.0 with cipher-block chaining (CBC) mode ciphers may be vulnerable. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack demonstrates this vulnerability with web browsers and web servers, which is one of the most likely exploitation scenarios. This affects most current browsers and websites, but also any software that either links a vulnerable SSL/TLS library (such as OpenSSL) or implements the SSL/TLS protocol suite itself. By exploiting this vulnerability in a web-based scenario, an attacker can recover sensitive data passed within the encrypted web session, such as passwords, cookies and other authentication tokens, which can then be used to gain fuller access to a website.
We highly recommend disabling SSL 3.0 as well as SSL 2.0 if applicable.
To disable SSL 2.0/3.0 in IIS 6 or IIS 7:
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate the following registry key/folder:
HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
3. Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
4. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
5. Enter Enabled as the name and hit Enter.
6. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn’t, right-click and select Modify and enter 0 as the Value data.
7. Now to disable SSL 3.0, right-click on the SSL 3.0 folder and select New and then click Key. Name the new folder Server.
8. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
9. Enter Enabled as the name and hit Enter.
10. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn’t, right-click and select Modify and enter 0 as the Value data.
11. Restart the computer.
This process is the same for IIS 6 (Windows Server 2003) machines. The Server folder under SSL 2.0/SSL 3.0 will already exist, so you only need to create a new DWORD value under it named Enabled.
To disable SSL 3.0 in IIS 8 (Windows Server 2012):
1. In the Search menu type regedit.exe
2. Right-click on regedit.exe and click Run as Administrator
3. In the registry editor go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\
4. In the navigation tree, right-click on Protocols, and in the pop-up menu, click New > Key. Name the key SSL 3.0.
5. In the navigation tree, right-click on the new SSL 3.0 key that you just created, and in the pop-up menu, click New > Key. Name the key Client.
6. In the navigation tree, right-click on the new SSL 3.0 key again, and in the pop-up menu, click New > Key. Name the key Server.
7. In the navigation tree, under SSL 3.0, right-click on Client, and in the pop-up menu, click New > DWORD (32-bit) Value. Name the value DisabledByDefault.
8. In the navigation tree, under SSL 3.0, select Client and then, in the right pane, double-click the DisabledByDefault DWORD value.
9. In the Edit DWORD (32-bit) Value window, in the Value Data box change the value to 1 and then, click OK.
10. In the navigation tree, under SSL 3.0, right-click on Server, and in the pop-up menu, click New > DWORD (32-bit) Value. Name the value Enabled.
11. In the navigation tree, under SSL 3.0, select Server and then, in the right pane, double-click the Enabled DWORD value.
12. In the Edit DWORD (32-bit) Value window, in the Value Data box leave the value at 0 and then, click OK.
13. Restart your Windows server.
Once you have disabled the protocols, you may test your server at www.poodlescan.com.
To reset the root password of your server, you will need to boot into single user mode.
Access the Manage section of your server in the customer portal and follow these steps. The option depends on the bootloader version on the machine:
CentOS 6
Click [View Console] to access the console and click the send CTRL+ALT+DEL button on the top right. Alternatively, you can also click [RESTART] to restart the server.
You will see a GRUB boot prompt telling you to press any key – you have only a few seconds to press a key to stop the automated booting process. (If you miss this prompt you will need to restart the VM again)
At the GRUB prompt, type “a” to append to the boot command.
Add the text “single” and press enter.
The system will boot to a root prompt. Type “passwd” to change the root password, then reboot again.
Debian, Ubuntu, CentOS 7
Click [View Console] to access the console and click the send CTRL+ALT+DEL button on the top right. Alternatively, you can also click [RESTART] to restart the server.
As soon as the boot process starts, press ESC to bring up the GRUB boot prompt. You may need to turn the system off from the control panel and then back on to reach the GRUB boot prompt.
You will see a GRUB boot prompt – press “e” to edit the first boot option. (If you do not see the GRUB prompt, you may need to press any key to bring it up before the machine boots)
Find the kernel line (it starts with “linux /boot/”) and add init="/bin/bash" at the end of the line.
Press CTRL-X or F10 to boot.
The system will boot to a root prompt. Type “mount -rw -o remount /” to make the root filesystem writable, then “passwd” to change the root password, then reboot again.
FreeBSD
The boot menu has an option to boot into single-user mode. Press the key for single user mode (2). At the root prompt, type “passwd” to change the root password and then reboot again.
CoreOS
CoreOS by default uses SSH key authentication. On Vultr, a root user and password are created. If an SSH key is selected when creating the VPS, this SSH key can be used to login as user “core”.
It is possible to reset the standard root login by executing “sudo passwd” as user “core”. Login as “core” using the SSH key first.
If you lost your SSH key, then you can login as the “core” user by editing the grub loader. Follow these steps:
Click [View Console] to access the console and click the send CTRL+ALT+DEL button on the top right. Alternatively, you can also click [RESTART] to restart the server.
You will see a GRUB boot prompt – press “e” to edit the first boot option. (If you do not see the GRUB prompt, you may need to press any key to bring it up before the machine boots)
At the end of the line that begins with “linux$” add coreos.autologin=tty1 (no quotes).
Press CTRL-X or F10 to boot. You will be logged in as “core” when the system boots.
Remember to reboot your server after you have reset your login.
Read more at: https://www.vultr.com/docs/boot-into-single-user-mode-reset-root-password
Reset A Forgotten Windows Host Administrator Password
Introduction
In this how-to we will walk you through resetting a forgotten Windows host Administrator password. With so many passwords in daily use (email, desktop, servers, and so on), we tend to forget some of the important ones. People pay a lot of money for password recovery; here we will recover the password with nothing but a Windows CD. That’s it!
Prerequisites
– A Windows CD (Windows Vista, Windows 7, Windows 8, Server 2008 R2, Server 2008, Server 2012 or a Server 2012 R2)
Procedure
Boot the server from your Windows CD, browse to the Repair section, open the command line tool and type the following:
- d:
- cd windows/system32
- ren utilman.exe utilman.exe.old
- copy cmd.exe utilman.exe
Reboot the host and start it up normally. Click the ease of access button, which is located in the bottom left-hand corner. A new command prompt will appear.

At this point, you can reset your current local Administrator account or make a new local administrator user and password.
Reset the Local Administrator Password
Change the local administrator password and activate the account by running the following commands:
net user administrator newpassword
net user administrator /active:yes

Create a New Local Administrator Account and Password.
To create an additional local administrator account (newadmin and newpassword are placeholders for the name and password you choose), type the following commands:
net user newadmin newpassword /add
net localgroup administrators newadmin /add

You can now login with the account you set up in either method. Once you login, make sure to revert the Ease of Access menu back to normal by typing the following command:
copy utilman.exe.old utilman.exe

Congratulations! You have just Reset your Forgotten Windows Host Administrator Password.
Whether intentional or not, system misconfiguration can lead to very big problems, for example:
- Corruption or deletion of important system files
- Integrity failure (e.g. eavesdropping on private data)
- Privilege escalation
- Backdoor/rootkit installation
To avoid these problems you should regularly scan your system for known “misconfiguration patterns”. This article explains how to do so using bash on a GNU/Linux system.
I. General system scan
In this section I describe commands that give a general overview of the potential security risks on your system.
I.1 Setuid and setgid files
Files with the setuid bit set are not necessarily evil, and setgid directories are really useful and can improve your system’s security. However, a great many exploits take advantage of vulnerabilities in setuid files, because that is an easy way to escalate privileges (when the exploited setuid file belongs to root). You should always have a look at those files and make sure that each one really needs the setuid bit and is known to be secure and stable.
List all setuid files:
find / -perm -4000 2>/dev/null
List all setuid files owned by root:
find / -perm -4000 -user root 2>/dev/null
List all setgid files (the setgid bit is 2000, not 4000):
find / -perm -2000 2>/dev/null
List all setgid files owned by root:
find / -perm -2000 -user root 2>/dev/null
I.2 World writable files
The other big danger on filesystems is poor permission management (often an admin mistake). A world writable file owned by root can lead to easy privilege escalation or system corruption.
List all world writable files:
find / ! -type l -perm -002 2>/dev/null
Note: the “! -type l” option excludes symlinks, which are always reported as world writable.
I.3 Opened socket connections
On a Linux system everything is a file, even sockets, and every admin should have a regular look at the open connections on a machine.
The classical way to list all transport layer connections is netstat:
netstat -tupl
However I prefer the lsof tool, which offers many more possibilities and can describe precisely any open file on the system (lsof stands for “list open files”). Sockets are files, so a nice way to monitor your open connections is the next command:
lsof | grep -E "IPv4|IPv6|COMMAND.*USER" | sed -r "s/ +/ /g" | cut -d " " -f 1,2,3,5,8,9 | column -t | sed "s/.*/ &/"
That command lists all open IPv4 and IPv6 connections and displays the corresponding command, PID, user, connection type, transport layer protocol and connection description (IP address and port). The column and sed parts are just for nice formatting ;-).
I.4 Broken Symbolic links
It can be useful to list the broken symlinks on the system (for example, for a cleanup task).
Example: list all broken symlinks in the /usr directory (-maxdepth goes before the tests, otherwise find warns about option order):
find -L /usr -maxdepth 8 -type l 2>/dev/null
I.5 Sticky bit files
The sticky bit is important: it should always be set on world writable directories to prevent a user from removing a file he doesn’t own.
List all sticky bit files on the system :
find / -perm -1000 2>/dev/null
II. Potential threats scan
After the general scan, you can run more detailed scans to find abnormal configurations or real dangers.
II.1 File access rights risks
Some files should never be world writable or even world readable. For example, the directories /bin, /sbin, /boot, /etc, /lib, /root and /usr should never contain world writable files: a world writable file in these directories could lead to system trojaning or corruption.
Here is a simple way to scan all these folders for world writable files.
#!/bin/bash
ww_scan_dirs="/bin /sbin /boot /etc /lib /root /usr"
for ww_scan_dir in $ww_scan_dirs
do
    # note: a backtick loop splits on whitespace, so file names containing spaces are mis-reported
    for file in `find $ww_scan_dir ! -type l -perm -002 2>/dev/null`
    do
        echo "DANGER : $file is world writable, files in $ww_scan_dir shouldn't be."
    done | sort
done
unset ww_scan_dir
unset ww_scan_dirs
Another concern about world writable directories is that, where they are allowed (e.g. inside /var or /tmp), they must have the sticky bit on to prevent unauthorized file deletion.
for file in `find / -type d -perm -002 ! -perm -1000 2>/dev/null`
do
    echo "DANGER : $file is a world writable directory, it should have the sticky bit on."
done | sort
II.2 File ownership risks
Are you sure that all system files are really owned by root? Imagine the potential disaster for your system if they are not.
Here is a way to verify that for /root.
# $find_options holds extra find options set elsewhere in the author's script (not shown here); it expands to nothing if unset
for file in `find /root $find_options ! -user root 2>/dev/null`
do
    echo "DANGER : $file doesn't belong to root. It mustn't be in the /root folder."
done | sort
It is also interesting to verify that all files belong to an existing user and group.
#!/bin/bash
# $find_options: extra find options set elsewhere in the author's script (empty if unset)
for file in `find / $find_options -nouser 2>/dev/null`
do
    echo "DANGER : No user corresponds to the numeric user ID of $file."
done | sort
for file in `find / $find_options -nogroup 2>/dev/null`
do
    echo "DANGER : No group corresponds to the numeric group ID of $file."
done | sort
II.3 Special files risks
“Special” files like devices, sockets and symlinks should be considered carefully. For example, you should verify that devices are only stored in special directories like /dev or …/udev/, which can be done using the next script:
#!/bin/bash
device_scan_dirs="/bin /sbin /lib /boot /etc /home /root /sys /usr /var /tmp /mnt /media /proc"
for device_scan_dir in $device_scan_dirs
do
    # the -o needs parentheses, otherwise $find_options only applies to the -type b branch
    for file in `find $device_scan_dir $find_options \( -type b -o -type c \) 2>/dev/null`
    do
        [[ "$file" =~ ^/lib/udev/devices/ ]] || echo "DANGER : $file is a device and should be in /dev (or /lib/udev/devices)."
    done | sort
done
unset device_scan_dir
unset device_scan_dirs
Symlinks should also be checked carefully, as they are often exploited to gain root privileges. For example, the presence of a symlink inside the /tmp folder is not dangerous in itself, but if that symlink was intentionally created by an attacker to imitate the name of temporary files generated by an insecure program, it could lead to the corruption of a system file or to privilege escalation. If you want to check your /tmp directory for symlinks:
#!/bin/bash
for file in `find /tmp $find_options -type l 2>/dev/null`
do
    echo "RISK : $file is a symbolic link inside the /tmp folder"
done | sort
II.4 Extreme dangers detection
There are a few configurations (intentional or not) that are sure to lead to system “0wn3rship”. If you detect one of these patterns on your computer, you should repair it right away (although it might already be too late!).
Check if there are any files with the setuid bit on in the /tmp folder:
for file in `find /tmp $find_options -perm -4000 2>/dev/null`
do
    echo "EXTREME DANGER : $file is setuid and shouldn't be in the /tmp folder."
done | sort
Check if there are any files that are world writable and have the setuid bit on (that should never happen; if it does, the admin may be living a nightmare...):
for file in `find / $find_options -perm -4002 2>/dev/null`
do
    echo "EXTREME DANGER : $file is setuid and world writable."
done | sort
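The backtick loops above (in II.1 and here in II.4) break on file names that contain whitespace. Below is an added example, not from the article or from Glyptodon, that covers the same three patterns (world writable files, world writable directories without the sticky bit, setuid files that are world writable) with find -exec so that such names are reported intact. The tag names, the output format and the constructed fixture directory are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: one scanner for the three
# permission patterns the article checks in II.1 and II.4. Each find uses
# -exec ... {} + instead of a backtick loop, so file names containing spaces
# or newlines are reported intact. The tags and output format are assumptions.

# perm_scan ROOT: print "TAG PATH" for every finding below ROOT (same filesystem only).
perm_scan() {
    # Regular files anyone may write to (setuid ones are reported separately below).
    find "$1" -xdev -type f -perm -0002 ! -perm -4000 \
        -exec sh -c 'for f; do printf "WORLD_WRITABLE %s\n" "$f"; done' sh {} + 2>/dev/null
    # World writable directories without the sticky bit: any user can delete
    # or rename other users' files there.
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec sh -c 'for d; do printf "NO_STICKY %s\n" "$d"; done' sh {} + 2>/dev/null
    # Setuid files that are also world writable: the contents can be replaced
    # by anyone and then run with the owner's privileges.
    find "$1" -xdev -type f -perm -4002 \
        -exec sh -c 'for f; do printf "SETUID_WW %s\n" "$f"; done' sh {} + 2>/dev/null
}

# perm_count ROOT TAG: number of findings of one tag (handy for a summary line).
perm_count() {
    perm_scan "$1" | awk -v tag="$2" '$1 == tag { n++ } END { print n + 0 }'
}

# perm_fixture: build a constructed test tree in a temporary directory and print
# its path, so the scanner can be exercised without touching the real system.
perm_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/shared" "$d/tmpish"
    chmod 0777 "$d/shared"                         # world writable, no sticky bit
    chmod 1777 "$d/tmpish"                         # world writable with sticky bit: fine
    : > "$d/shared/notes with spaces.txt"
    chmod 0666 "$d/shared/notes with spaces.txt"   # world writable file
    : > "$d/tmpish/helper"
    chmod 4777 "$d/tmpish/helper"                  # setuid and world writable
    : > "$d/readonly"
    chmod 0644 "$d/readonly"                       # no finding
    printf '%s\n' "$d"
}

# Usage: sh perm_scan.sh /   (scans the given root; without an argument it runs
# against the constructed fixture so the output format can be seen).
if [ $# -gt 0 ]; then
    perm_scan "$1" | sort
else
    fixture=$(perm_fixture) && perm_scan "$fixture" | sort && rm -rf "$fixture"
fi
```

The -xdev keeps each scan on one filesystem, so /proc, /sys and network mounts are skipped; run the scanner once per mount point you care about.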
Some files should never be readable by anyone but root:
#!/bin/bash
nonReadableFiles="/etc/master.passwd /etc/shadow /etc/shadow- /etc/gshadow /etc/sudoers /var/log/messages"
for nonReadableFile in $nonReadableFiles
do
    # the regex tests the 8th character of the mode string printed by ls (the "other" read bit);
    # it stops there because ls appends "." or "+" to the mode on SELinux/ACL systems
    [ -f "$nonReadableFile" ] && [[ $(ls -gn "$nonReadableFile") =~ ^.......r ]] && echo "EXTREME DANGER : $nonReadableFile should not be readable by others."
done
unset nonReadableFile
unset nonReadableFiles
II.5 POSIX file capabilities risks
POSIX file capabilities are enabled by default on most modern Linux distributions, but they are not without dangers. You may want to read first what POSIX file capabilities are, and after that why they are dangerous.
It is not easy to scan your system for dangerous capabilities, because the tools used for that (getcap, for example) are quite buggy and poorly documented. Here is an example of a script looking for dangerous file capabilities on the entire system.
#!/bin/bash
# getcap prints one line per file that carries capabilities
totalCaps=$(find / -type f -print0 2>/dev/null | xargs -0 getcap 2>/dev/null)
echo "Number of files with capabilities : $(echo "$totalCaps" | wc -l)"
dangerousCaps="cap_chown cap_dac_override cap_fowner cap_module cap_sys_admin cap_setuid cap_setfcap"
# read the getcap output line by line (a plain "for line in $totalCaps" would split each line into words)
while IFS= read -r line
do
    for dangerousCap in $dangerousCaps
    do
        [[ "$line" =~ ^.*=\ .*$dangerousCap ]] && echo "RISK : $(echo "$line" | cut -d "=" -f 1) has or inherits the $dangerousCap capability"
    done
    { [[ "$line" =~ ^.*=ep ]] || [[ "$line" =~ ^.*=eip ]] || [[ "$line" =~ ^.*=ei ]]; } && echo "DANGER : $(echo "$line" | cut -d "=" -f 1) has or inherits all capabilities"
done <<< "$totalCaps"
unset line
unset dangerousCaps
unset dangerousCap
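The script above assumes the “path = caps+flags” output style of older getcap releases. As an added example (not the article’s script and not Glyptodon), here is a small POSIX sh parser that classifies getcap output in both the old style and the newer “path caps=flags” style, matching capability names exactly instead of as substrings. The level names, the sample lines and the inclusion of cap_sys_module (the kernel’s name for what the article’s list calls cap_module) are my own.

```shell
#!/bin/sh
# Added example, not from the article or from Glyptodon: a parser for getcap
# output that classifies each file by the capabilities it carries. It accepts
# both output styles ("/path = cap+ep" from older libcap, "/path cap=ep" from
# newer releases). The level names are assumptions.

# Capabilities the article treats as dangerous. The article's list says
# cap_module; the kernel's actual name is cap_sys_module, so both appear here.
dangerous_caps="cap_chown cap_dac_override cap_fowner cap_module cap_sys_module cap_sys_admin cap_setuid cap_setfcap"

# cap_classify: read getcap lines on stdin, print "LEVEL PATH CAPSET" per line.
cap_classify() {
    # Normalise the old "path = caps" form to the new "path caps" form.
    sed 's/ = / /' | while IFS= read -r line; do
        path=${line% *}       # everything before the last space (paths may contain spaces)
        caps=${line##* }      # the capability set never contains spaces
        case $caps in
            =*) printf 'DANGER %s %s (all capabilities)\n' "$path" "$caps"; continue ;;
        esac
        level=OK
        # Turn "cap_a,cap_b+ep" or "cap_a=ep" into ",cap_a,cap_b,ep," for exact matching.
        norm=",$(printf '%s' "$caps" | tr '+=' ',,'),"
        for c in $dangerous_caps; do
            case $norm in *",$c,"*) level=RISK ;; esac
        done
        printf '%s %s %s\n' "$level" "$path" "$caps"
    done
}

# cap_count LEVEL: number of classified lines at one level (reads getcap output on stdin).
cap_count() {
    cap_classify | awk -v lvl="$1" '$1 == lvl { n++ } END { print n + 0 }'
}

# Constructed sample covering both output styles (not output from a real system).
sample_getcap='/usr/bin/ping = cap_net_raw+ep
/usr/bin/ping cap_net_raw=ep
/opt/tool/bin/mount helper = cap_sys_admin,cap_dac_override+ep
/opt/legacy/everything = =ep
/opt/new/everything =ep'

# Usage: sh capscan.sh /usr   (classifies "getcap -r" over that tree);
# with no argument the constructed sample is classified instead.
if [ $# -gt 0 ]; then
    getcap -r "$1" 2>/dev/null | cap_classify
else
    printf '%s\n' "$sample_getcap" | cap_classify
fi
```

A capability set that starts with “=” (for example “=ep”) means every capability is granted, which is why it is reported as DANGER before the per-capability loop runs.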
III Glyptodon
In this article I described a few misconfiguration scans that could or should be run regularly on any GNU/Linux computer. You have probably realized that many more scans are possible and that launching them by hand every day is tedious. But do not worry: I went through this before and, lucky you, I created an open source tool that does all of that for you, logs the information and sends an email report. I called this tool Glyptodon.
Glyptodon executes all the scans mentioned in this article and many more. It is also, to my knowledge, the only tool that scans for the risks linked to POSIX file capabilities, and it handles “abnormal” file names (such as names containing spaces).
You can find more information about Glyptodon here, and download the latest version here.
And remember that my website is participatory, so do not hesitate to write or email improvements or criticism about any tool or article.
CentOS 6.7: vsftpd with MySQL-backed authentication
I. MySQL installation and configuration
1. Install MySQL with yum
[root@db1 ~]# yum -y install mysql mysql-server mysql-devel
2. Start the MySQL service and set the MySQL administrator password
[root@db1 ~]# service mysqld start
[root@db1 ~]# /usr/bin/mysqladmin -u root password 'test123'
3. Create the vsftpd database and the users table
[root@db1 ~]# mysql -u root -p
mysql> create database vsftpd;
Query OK, 1 row affected (0.01 sec)
mysql> use vsftpd;
Database changed
// Create a users table with three columns: id as the index, name for the account name, password for the user's password
mysql> create table users ( id INT NOT NULL AUTO_INCREMENT PRIMARY KEY, name CHAR(15) NOT NULL UNIQUE KEY,password CHAR(48) NOT NULL );
Query OK, 0 rows affected (0.00 sec)
// Add an account named web with the password web; the password is stored hashed. This is the account the FTP server will use later
mysql> insert into users (name,password) values ('web',password('web'));
Query OK, 1 row affected (0.00 sec)
4. Create a MySQL account that vsftpd will use to look up users
mysql> grant select on vsftpd.* to vsftpd@localhost identified by 'vsftpd';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
// flush privileges makes the new grant take effect immediately
II. Install and configure the PAM module
1. Install the dependent libraries
[root@db1 ~]# yum -y install gcc gcc-c++ make pam pam-devel openssl openssl-devel
2. Download and install pam_mysql (the URL is quoted because it contains & characters)
[root@db1 software]# wget 'http://downloads.sourceforge.net/project/pam-mysql/pam-mysql/0.7pre3/pam_mysql-0.7pre3.tar.gz?r=http%3A%2F%2Fpam-mysql.sourceforge.net%2F&ts=1442878889&use_mirror=iweb'
[root@db1 software]# cd pam_mysql-0.7pre3
[root@db1 pam_mysql-0.7pre3]# ls
acinclude.m4 ChangeLog config.h.in configure COPYING INSTALL ltmain.sh Makefile.in mkinstalldirs pam_mysql.c pam_mysql.spec.in README
aclocal.m4 config.guess config.sub configure.in CREDITS install-sh Makefile.am missing NEWS pam_mysql.spec pkg.m4 stamp-h.in
[root@db1 pam_mysql-0.7pre3]#
./configure --with-openssl
make && make install
The PAM module is installed into /lib/security by default; on a 64-bit system, copy it to /lib64/security:
[root@db1 pam_mysql-0.7pre3]# cp /lib/security/pam_mysql.* /lib64/security/
Create the PAM service file
[root@db1 pam_mysql-0.7pre3]# cat /etc/pam.d/ftp.mysql
auth required /lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
account required /lib64/security/pam_mysql.so user=vsftpd passwd=vsftpd host=localhost db=vsftpd table=users usercolumn=name passwdcolumn=password crypt=2
[root@db1 pam_mysql-0.7pre3]#
Note: each of the two entries must stay on a single line (no wrapping), and the user, passwd, db, table and column fields must match what was created in the database above.
Notes on the crypt option:
crypt = 0: passwords are stored in plain text
crypt = 1: use the crypt() function (corresponds to MySQL's encrypt(), which generates a random salt)
crypt = 2: use MySQL's password() function
crypt = 3: MD5 hash
III. Install and configure vsftpd
1. Install vsftpd with yum
[root@db1 pam_mysql-0.7pre3]# yum -y install vsftpd
2. Back up the vsftpd configuration file, then edit it
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak
vi /etc/vsftpd/vsftpd.conf
Change the following settings:
anonymous_enable=NO
pam_service_name=ftp.mysql
And add the following:
virtual_use_local_privs=YES
user_sub_token=$USER
local_root=/var/ftp/$USER
guest_enable=YES
guest_username=vsftpdguest
chroot_local_user=YES
user_config_dir=/etc/vsftpd/vsftpd_user_conf
Create a vsftpdguest account
[root@db1 pam_mysql-0.7pre3]# useradd -s /sbin/nologin -d /var/ftp vsftpdguest
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@db1 pam_mysql-0.7pre3]# mkdir /etc/vsftpd/vsftpd_user_conf
[root@db1 pam_mysql-0.7pre3]# /etc/init.d/vsftpd restart
Shutting down vsftpd: [FAILED]
Starting vsftpd for vsftpd: [ OK ]
Recently the company has been auditing its software licences, and the CCProxy proxy server we had been using also injects advertising redirects, so we are moving to Squid.
As shown in the network diagram, the WAN card is eth1 and the LAN card is eth0.
Install Squid with yum:
[root@PROXY ~]# yum -y install squid
Back up the Squid configuration file in case of configuration errors:
[root@PROXY ~]# cp /etc/squid/squid.conf /etc/squid/squid.conf_bak
Configure squid.conf: find the line
http_port 3128
and change it to
http_port 192.168.1.10:3128
Then add:
visible_hostname squid
acl innet src 192.168.100.0/24
http_access allow innet # allow clients on the 192.168.100.0 network to use the proxy
http_access deny all # deny everyone else
Initialize the cache directories with squid -z:
[root@PROXY ~]# squid -z
2015/05/29 13:41:43| Creating Swap Directories
Start the Squid proxy server:
[root@PROXY ~]# service squid start
And enable Squid at boot:
[root@PROXY ~]# chkconfig --level 35 squid on
a) pstree
b) systemctl list-unit-files --type=target
c)
[root@clusterserver1 ~]# ls /etc/rc.d/
init.d rc0.d rc1.d rc2.d rc3.d rc4.d rc5.d rc6.d rc.local
Examine the dtsession timeout variable setting:
# cat /etc/dt/config/C/sys.resources | grep -i dtsession | grep -i lockTimeout
If the dtsession timeout is greater than 15, commented out or does not exist, this is a finding.
Examine the OpenWindows timeout settings, both global and for every user.
# cat /usr/openwin/lib/app-defaults/XScreenSaver | egrep -i '\*(lock|timeout):'
If the global OpenWindows timeout is greater than 15 minutes, commented out or does not exist, this is a finding. If the global lock setting is not true, this is a finding.
# cut -d: -f6 /etc/passwd | xargs -iX egrep -i '^(lock|timeout):' X/.xscreensaver
If the OpenWindows timeout is greater than 15 minutes for any user, this is a finding. If the lock setting is not true for any user, this is a finding.
Fix Text (F-33971r1_fix)
Configure the CDE lock manager to lock the screen after a set period of inactivity. To lock the screen after 15 minutes of inactivity, enter the following commands (be sure NOT to overwrite an existing file):
# cp /usr/dt/config/C/sys.resources /etc/dt/config/C/sys.resources
# vi /etc/dt/config/C/sys.resources
Locate the line dtsession*lockTimeout: and add, uncomment or change it so that it reads:
dtsession*lockTimeout: 15
Log out of CDE and log back in to verify that the timeout is in effect.
The timeout parameter in /usr/openwin/lib/app-defaults/XScreenSaver and in all users’ .xscreensaver files should also be confirmed to be uncommented and set to 0:15:00.
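The egrep commands above only list the lines; deciding whether a file is a finding is left to the reader. As an added example (not part of the STIG text), here is a POSIX sh checker that applies the two conditions of the finding (timeout at most 15 minutes, lock set to True) to one XScreenSaver resource file, accepting both the “*timeout:” form of the app-defaults file and the “timeout:” form of a user’s .xscreensaver. The function names and the sample files are my own.

```shell
#!/bin/sh
# Added example, not part of the STIG text: a checker for the XScreenSaver
# timeout/lock settings the check above greps for. It reads one resource file
# (the global app-defaults file or a user's .xscreensaver) on stdin, accepts
# both "timeout:" and "*timeout:" keys, converts h:m:s to minutes and applies
# the two conditions of the finding. Function names and samples are assumptions.

# check_xscreensaver: exit 0 and print OK when timeout <= 15 minutes and lock
# is True; otherwise print the finding and exit 1. Commented lines ("!key")
# do not match a key and so count as "does not exist".
check_xscreensaver() {
    awk '
        { key = tolower($1); sub(/^\*/, "", key) }
        key == "timeout:" { t = $2 }
        key == "lock:"    { lock = tolower($2) }
        END {
            if (t == "") { print "FINDING: timeout is not set"; exit 1 }
            n = split(t, p, ":")
            if (n == 3)      mins = p[1] * 60 + p[2] + p[3] / 60
            else if (n == 2) mins = p[1] * 60 + p[2]
            else             mins = p[1]
            if (mins > 15) { print "FINDING: timeout " t " exceeds 15 minutes"; exit 1 }
            if (lock != "true") { print "FINDING: lock is \"" lock "\", not True"; exit 1 }
            print "OK: timeout " t ", lock " lock
        }'
}

# check_all_users: run the check on every user's ~/.xscreensaver that exists,
# walking the home directories from /etc/passwd like the STIG command does.
check_all_users() {
    cut -d: -f6 /etc/passwd | while IFS= read -r home; do
        [ -f "$home/.xscreensaver" ] || continue
        printf '%s: ' "$home/.xscreensaver"
        check_xscreensaver < "$home/.xscreensaver" || :
    done
}

# Constructed sample files (not real configuration).
compliant='! a compliant user file
timeout:  0:15:00
lock:     True'
too_long='*timeout: 0:30:00
*lock: True'
unlocked='timeout: 0:10:00
lock: False'

# Demo on the samples ("|| :" keeps going after an expected finding).
printf '%s\n' "$compliant" | check_xscreensaver || :
printf '%s\n' "$too_long"  | check_xscreensaver || :
printf '%s\n' "$unlocked"  | check_xscreensaver || :
```

Run check_all_users as root to cover every home directory; a missing file is skipped rather than reported, so compare its output with the list of interactive users.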
You can check your current mail queue like this:
postqueue -p
To delete all mails from the mail queue that come from falko@example.com or are sent to falko@example.com (the command is the same regardless of whether it is the sender or the recipient address), you can use this command:
mailq | tail -n +2 | awk 'BEGIN { RS = "" } / falko@example\.com$/ { print $1 }' | tr -d '*!' | postsuper -d -
Afterwards check your mail queue again:
postqueue -p
To delete only the mails whose sole recipient is email@address.com (the deferral reason lines starting with “(” are dropped first so that the field numbers line up):
mailq | tail -n +2 | grep -v '^ *(' | awk 'BEGIN { RS = "" } { if ($8 == "email@address.com" && $9 == "") print $1 } ' | tr -d '*!' | postsuper -d -
Afterwards check your mail queue again:
postqueue -p
The same kind of selection fed from postqueue -p instead of mailq, matching the address anywhere in a queue entry:
postqueue -p | tail -n +2 | awk 'BEGIN { RS = "" } / byrdsnestquilt@bellsouth\.net/ { print $1 }' | tr -d '*!' | postsuper -d -
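The one-liners above depend on the exact field layout of the mailq listing, which is easy to get wrong. As an added example (not from the original post), here is the same selection written as POSIX sh functions over awk with exact field comparisons, covering both cases used above: any message involving an address, and messages whose only recipient is an address. The IDs are only listed; a separate function pipes them into postsuper. The function names and the sample queue listing are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: a selector for Postfix queue
# IDs that reads mailq output and handles the two cases above (any message
# involving an address; messages whose only recipient is an address) with
# exact awk field comparisons instead of a hand-written regex. The function
# names and the sample listing are assumptions.

# queue_ids_matching ADDR: IDs of messages whose sender or any recipient is ADDR.
# Reads mailq output on stdin; the status marks (* active, ! held) are stripped.
queue_ids_matching() {
    tail -n +2 | grep -v '^ *(' | awk -v addr="$1" '
        BEGIN { RS = "" }                         # one paragraph = one queued message
        { for (i = 7; i <= NF; i++)               # fields 1-6: id, size, arrival time
              if ($i == addr) { print $1; break } }' | tr -d '*!'
}

# queue_ids_sole_recipient ADDR: IDs of messages whose only recipient is ADDR
# (messages that also go to other recipients are left in the queue).
queue_ids_sole_recipient() {
    tail -n +2 | grep -v '^ *(' | awk -v addr="$1" '
        BEGIN { RS = "" }
        NF == 8 && $8 == addr { print $1 }' | tr -d '*!'
}

# delete_queue_ids: feed selected IDs to postsuper (needs root; not run by the demo).
delete_queue_ids() {
    postsuper -d -
}

# Constructed mailq listing in the format Postfix prints (not a real queue).
sample_mailq='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E*     1234 Tue Sep 22 10:00:00  falko@example.com
                                         alice@example.net

2B3C4D5E6F!     2048 Tue Sep 22 10:05:00  bob@example.org
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         falko@example.com
                                         carol@example.net

3C4D5E6F7A       512 Tue Sep 22 10:07:00  bob@example.org
                                         falko@example.com

-- 3 Kbytes in 3 Requests.'

# Demo on the sample: list instead of delete. On a live server replace the
# printf with "mailq" and pipe the IDs into delete_queue_ids.
printf '%s\n' "$sample_mailq" | queue_ids_matching falko@example.com
printf '%s\n' "$sample_mailq" | queue_ids_sole_recipient falko@example.com
```

Note that the page’s first one-liner anchors the address with “$”, which in paragraph mode is the end of the whole queue entry, so it only matches when the address is the last recipient line; the function above compares every address field instead.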
Secure passwords
Passwords are the primary method that Red Hat Enterprise Linux 7 uses to verify a user’s identity. This is why password security is so important for the protection of the user, the workstation, and the network.
By default RHEL uses shadow passwords, which defeat offline cracking of hashes read from the world-readable /etc/passwd by storing the password hashes in the file /etc/shadow, which is readable only by the root user.
Strong passwords
Since the storage of passwords has already been taken care of, the next step is to force the creation of strong passwords.
When users are asked to create or change passwords, they can use the passwd command-line utility, which is PAM-aware (Pluggable Authentication Modules) and checks whether the password is too short or otherwise easy to crack. This checking is performed by the pam_pwquality.so PAM module.
PAM reads its configuration from the /etc/pam.d/passwd file, but the file to edit for tuning password policies is /etc/security/pwquality.conf.
Have a look at the configuration options:

Here are the details of what each entry means:
- difok – Number of characters in the new password that must not be present in the old password.
- minlen – Minimum acceptable size for the new password
- dcredit – Credit for having digits in the new password
- ucredit – Credit for having uppercase characters in the new password
- lcredit – Credit for having lowercase characters in the new password
- ocredit – Credit for having other characters in the new password
- maxrepeat – maximum number of allowed consecutive same characters in the new password.
- minclass – minimum number of required classes of characters for the new password (digits, uppercase, lowercase, others).
- maxclassrepeat – maximum number of allowed consecutive characters of the same class in the new password.
- gecoscheck – Whether to check for the words from the passwd entry GECOS string of the user (0=check).
- dictpath – Path to the cracklib dictionaries. Blank is to use the cracklib default.
NOTE: Credit works like money: a positive number such as three is spare credit you don’t have to worry about, while a negative number is a debt you have to pay. For instance “ucredit = 2” means the user will have to give at least two upper case characters as part of the password for creating a password.
Something practical is to set “minlen = 8” and “minclass = 4”. With these two settings you ensure that the password has to be at least 8 characters long and that it needs upper case letters, lower case letters, digits and symbols. That is what you will normally find on production servers.
Some like to uncomment dictpath and let the dictionary check use the default cracklib dictionary. You could go much further than this, but it is not recommended, because passwords would need to be so complex that users wouldn’t be able to remember them and the SA would have to reset passwords too often.
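To make the credit arithmetic concrete, here is an added example (not from the original article and not pam_pwquality’s own code) that re-implements the length-credit and minclass rules the module applies, so a minlen/minclass/credit combination can be tried against sample passwords before it goes into pwquality.conf. The other checks (difok, maxrepeat, dictionary) are left out; the function names and sample passwords are my own.

```shell
#!/bin/sh
# Added example, not from the original article: a re-implementation of the
# length-credit and minclass rules pam_pwquality applies, so that the effect
# of minlen, minclass and the *credit settings can be tried on sample passwords
# without editing pwquality.conf. Other checks (difok, maxrepeat, dictionary)
# are left out; the function names and sample passwords are assumptions.
LC_ALL=C
export LC_ALL

# count_class SET PASSWORD: number of characters of PASSWORD in the tr set SET.
count_class() {
    printf '%s' "$2" | tr -cd "$1" | wc -c | tr -d ' '
}

# apply_credit COUNT CREDIT: print the length credit earned for one class.
# A credit >= 0 is a bonus capped at CREDIT; a credit < 0 is a minimum number
# of characters of that class, earns no bonus, and fails when unmet.
apply_credit() {
    if [ "$2" -lt 0 ]; then
        [ "$1" -ge $(( 0 - $2 )) ] || return 1
        echo 0
    elif [ "$1" -lt "$2" ]; then
        echo "$1"
    else
        echo "$2"
    fi
}

# pw_check MINLEN MINCLASS DCREDIT UCREDIT LCREDIT OCREDIT PASSWORD
# Prints the verdict and returns 0 when the password passes.
pw_check() {
    minlen=$1 minclass=$2 dc=$3 uc=$4 lc=$5 oc=$6 pw=$7
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    d=$(count_class 0-9 "$pw")
    u=$(count_class A-Z "$pw")
    l=$(count_class a-z "$pw")
    o=$(( len - d - u - l ))        # everything else (counted in bytes)
    classes=0
    for n in "$d" "$u" "$l" "$o"; do
        [ "$n" -gt 0 ] && classes=$(( classes + 1 ))
    done
    if [ "$classes" -lt "$minclass" ]; then
        echo "FAIL: $classes character classes present, minclass is $minclass"; return 1
    fi
    score=$len
    for spec in "$d $dc digit" "$u $uc uppercase" "$l $lc lowercase" "$o $oc other"; do
        set -- $spec
        if ! bonus=$(apply_credit "$1" "$2"); then
            echo "FAIL: at least $(( 0 - $2 )) $3 characters required"; return 1
        fi
        score=$(( score + bonus ))
    done
    if [ "$score" -lt "$minlen" ]; then
        echo "FAIL: credited length $score is below minlen $minlen"; return 1
    fi
    echo "OK: credited length $score, $classes character classes"
}

# Demo: the article's suggested minlen=8 minclass=4, then a positive and a
# negative ucredit ("|| :" keeps going after an expected failure).
pw_check 8 4 0 0 0 0 'Tr0ub4dor&3' || :
pw_check 8 4 0 0 0 0 'troubador' || :
pw_check 8 0 0 2 0 0 'ABcdef' || :
pw_check 8 0 0 -2 0 0 'Abcdefgh' || :
```

With these semantics a positive credit lets characters of that class count extra towards minlen (the “spare” in the note above), while a negative credit is enforced as a minimum count; run the demo with your own values to see which settings users will actually be able to satisfy.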
This is the result of a strong password file:

NOTE: As the root user is the one who enforces the rules for password creation, he can set any password for himself or for a regular user, despite the warning messages.
Password aging
This technique limits the time for which a cracked password remains usable. The downside is that if you set the interval too low (password change required very often), users tend to write their passwords down, creating a weak spot.
A common practice is to specify the maximum number of days for which a password is valid.
Password aging is performed with the “chage” command.
This command is also used when hardening a system, to expire old insecure passwords immediately.
I will show three examples of how to use this command on a console.
- Set a 90 day period for the password of user fpalacios to expire.
- Expire the password for fpalacios to have the user change it on the next log on.
- Expire the password of every user on group developers.
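The three examples as working POSIX sh functions, added here (not the article’s own commands). The third one also catches users whose primary group is developers, which “getent group” does not list in its member field; the merge is done by group_users and is exercised on constructed group and passwd entries. The function names, the DRY_RUN switch and the sample entries are my own.

```shell
#!/bin/sh
# Added example, not part of the original article: the three chage tasks
# listed above, written as functions. expire_group also catches users whose
# primary group is the target group, which "getent group" does not list in
# its member field; group_users does that merge. Set DRY_RUN=1 to print the
# chage commands instead of running them. Names are assumptions.

# run CMD...: execute, or print when DRY_RUN=1 (chage needs root).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# set_max_days USER DAYS: the password expires DAYS days after its last change.
set_max_days() { run chage -M "$2" "$1"; }

# expire_now USER: force a password change at the next login.
expire_now() { run chage -d 0 "$1"; }

# group_users GROUP_LINE PASSWD_LINES: union of the explicit members of the
# group entry and of every passwd entry whose primary GID matches, one per line.
group_users() {
    gid=$(printf '%s\n' "$1" | cut -d: -f3)
    {
        printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n'
        printf '%s\n' "$2" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sed '/^$/d' | sort -u
}

# expire_group GROUP: expire the password of every user in GROUP (live system).
expire_group() {
    group_users "$(getent group "$1")" "$(getent passwd)" |
        while IFS= read -r user; do expire_now "$user"; done
}

# Constructed group and passwd entries for a dry run (not from a real system).
sample_group='developers:x:1005:alice,bob'
sample_passwd='alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1005::/home/carol:/bin/bash
dave:x:1004:1004::/home/dave:/bin/bash'

# Demo: the commands the article's three examples would run, printed only.
DRY_RUN=1
set_max_days fpalacios 90
expire_now fpalacios
group_users "$sample_group" "$sample_passwd" | while IFS= read -r user; do expire_now "$user"; done
```

On a real server, unset DRY_RUN (or set it to 0) and call expire_group developers as root; carol is included although she is not in the group’s member list, because her primary GID is 1005.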

Account Locking
In Red Hat Enterprise Linux 7, the pam_faillock PAM module allows system administrators to lock out user accounts after a specified number of failed attempts.
Limiting user login attempts serves mainly as a security measure that aims to prevent possible brute force attacks targeted at obtaining a user’s account password.
Follow these steps to configure account locking:
- To lock out any non-root user after three unsuccessful attempts and unlock that user after 10 minutes, add the following lines to the auth section of the /etc/pam.d/system-auth and /etc/pam.d/password-auth files:
auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600


