Thursday, October 27, 2005

Upgrade Apache Web Server

You should upgrade your web server as often as possible. Here is how the Apache web server can be upgraded on Red Hat Enterprise Linux 3.


# upgrade httpd: fetch the errata source package (this mirror carries the RHEL 3 ES updates)
wget ftp://ftp.linux.ncsu.edu/pub/redhat/linux/updates/enterprise/3ES/en/os/SRPMS/httpd-2.0.46-54.ent.src.rpm
# check the package signature; the Red Hat GPG key must already be imported (rpm --import) or the gpg check cannot pass
rpm --checksig httpd-2.0.46-54.ent.src.rpm
# expected: httpd-2.0.46-54.ent.src.rpm: (sha1) dsa sha1 md5 gpg OK
# install it only if the check reports "gpg OK"
rpm -Uvh httpd-2.0.46-54.ent.src.rpm
# note: this is a source package, so -Uvh only unpacks it under /usr/src/redhat; to replace the
# running httpd, rebuild it with "rpmbuild --rebuild httpd-2.0.46-54.ent.src.rpm" and install the
# binary rpm it produces, or download the matching binary rpm from the mirror instead




Critical Lynx Security Threat


Upgrade lynx today
"An attacker could ... execute arbitrary code as the user running lynx" - Red Hat


An updated lynx package that corrects a security flaw is now available.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Lynx is a text-based Web browser.

Ulf Harnhammar discovered a stack overflow bug in Lynx when handling connections to NNTP (news) servers. An attacker could create a web page
redirecting to a malicious news server which could execute arbitrary code
as the user running lynx. The Common Vulnerabilities and Exposures project
assigned the name CAN-2005-3120 to this issue.

Users should update to this erratum package, which contains a backported
patch to correct this issue.



Upgrade your lynx browser today and save your server!

mail - email messages and mailing lists on linux dedicated server

mail

A server administrator should be a master of using mail to his benefit.


Invoke mail

mail
Run mail in verbose mode (it shows the details of message delivery)
mail -v
Upon exiting mail, undeleted email messages are written to the mbox. The mailbox to read can be specified with -f (a file) or -u (a user). For example, using -f
mail -f /var/spool/mail/user
and the equivalent invocation to view the email messages in user's mailbox using -u
mail -u user
When reading email messages using mail, you can delete an email by pressing d and reply by using the r key. To exit from mail, simply press the q key or type quit.

You can set up simple mailing lists to distribute email messages between users by placing an alias like the following in .mailrc in your home directory (typically /home/user); this line makes the name joe expand to jill, jdoe and computersecurity@localhost.
alias joe jill jdoe computersecurity@localhost

You can then view the aliases list by using this command in mail
alias

Here are the other options for mail that can be set in the .mailrc file



Mail has a number of options which can be set in the .mailrc file to
alter its behavior; thus "set askcc" enables the askcc feature. (These
options are summarized below.)

SUMMARY
(Adapted from the "Mail Reference Manual")

Each command is typed on a line by itself, and may take arguments following
the command word. The command need not be typed in its entirety - the first
command which matches the typed prefix is used. For commands which take
message lists as arguments, if no message list is given, then the next
message forward which satisfies the command's requirements is used. If there
are no messages forward of the current message, the search proceeds
backwards, and if there are no good messages at all, mail types "No
applicable messages" and aborts the command.

- Print out the preceding message. If given a numeric argument n,
goes to the n'th previous message and prints it.

? Prints a brief summary of commands.

! Executes the shell (see sh(1) and csh(1)) command which follows.

Print (P) Like print but also prints out ignored header fields. See
also print, ignore and retain.

Reply (R) Reply to originator. Does not reply to other recipients of
the original message.

Type (T) Identical to the Print command.

alias (a) With no arguments, prints out all currently-defined aliases.
With one argument, prints out that alias. With more than one
argument, creates a new alias or changes an old one.


alternates
(alt) The alternates command is useful if you have accounts on
several machines. It can be used to inform mail that the listed
addresses are really you. When you reply to messages, mail will
not send a copy of the message to any of the addresses listed on
the alternates list. If the alternates command is given with no
argument, the current set of alternate names is displayed.

chdir (c) Changes the user's working directory to that specified, if
given. If no directory is given, then changes to the user's
login directory.

copy (co) The copy command does the same thing that save does, except
that it does not mark the messages it is used on for deletion
when you quit.

delete (d) Takes a list of messages as argument and marks them all as
deleted. Deleted messages will not be saved in mbox, nor will
they be available for most other commands.

dp (also dt) Deletes the current message and prints the next message.
If there is no next message, mail says "at EOF".

edit (e) Takes a list of messages and points the text editor at each
one in turn. On return from the editor, the message is read back
in.

exit (ex or x) Effects an immediate return to the Shell without modifying
the user's system mailbox, his mbox file, or his edit file in -f.

file (fi) The same as folder.

folders
List the names of the folders in your folder directory.

folder (fo) The folder command switches to a new mail file or folder.
With no arguments, it tells you which file you are currently
reading. If you give it an argument, it will write out changes
(such as deletions) you have made in the current file and read in
the new file. Some special conventions are recognized for the
name. # means the previous file, % means your system mailbox,
%user means user's system mailbox, & means your mbox file, and
+folder means a file in your folder directory.

from (f) Takes a list of messages and prints their message headers.

headers
(h) Lists the current range of headers, which is an 18-message
group. If a "+" argument is given, then the next 18-message
group is printed, and if a "-" argument is given, the previous
18-message group is printed.

help A synonym for ?

hold (ho, also preserve) Takes a message list and marks each message
therein to be saved in the user's system mailbox instead of in
mbox. Does not override the delete command.

ignore Add the list of header fields named to the ignored list. Header
fields in the ignore list are not printed on your terminal when
you print a message. This command is very handy for suppression
of certain machine-generated header fields. The Type and Print
commands can be used to print a message in its entirety, including
ignored fields. If ignore is executed with no arguments, it
lists the current set of ignored fields.

mail (m) Takes as argument login names and distribution group names
and sends mail to those people.

mbox Indicate that a list of messages be sent to mbox in your home
directory when you quit. This is the default action for messages
if you do not have the hold option set.

next (n like + or CR) Goes to the next message in sequence and types
it. With an argument list, types the next matching message.

preserve
(pre) A synonym for hold.

print (p) Takes a message list and types out each message on the user's
terminal.

quit (q) Terminates the session, saving all undeleted, unsaved messages in
the user's mbox file in his login directory, preserving all messages marked
with hold or preserve or never referenced in his system mailbox, and
removing all other messages from his system mailbox. If new mail has arrived
during the session, the message "You have new mail" is given. If given while
editing a mailbox file with the -f flag, then the edit file is rewritten. A
return to the Shell is effected, unless the rewrite of edit file fails, in
which case the user can escape with the exit command.

reply (r) Takes a message list and sends mail to the sender and all
recipients of the specified message. The default message must
not be deleted.

respond
A synonym for reply.

retain Add the list of header fields named to the retained list. Only the
header fields in the retain list are shown on your terminal when
you print a message. All other header fields are suppressed.
The Type and Print commands can be used to print a message in its
entirety. If retain is executed with no arguments, it lists the
current set of retained fields.

save (s) Takes a message list and a filename and appends each message
in turn to the end of the file. The filename in quotes, followed
by the line count and character count is echoed on the user's
terminal.

set (se) With no arguments, prints all variable values. Otherwise,
sets option. Arguments are of the form option=value (no space
before or after =) or option. Quotation marks may be placed
around any part of the assignment statement to quote blanks or
tabs, i.e. set indentprefix="->"

saveignore
Saveignore is to save what ignore is to print and type. Header
fields thus marked are filtered out when saving a message by save
or when automatically saving to mbox.

saveretain
Saveretain is to save what retain is to print and type. Header
fields thus marked are the only ones saved with a message when
saving by save or when automatically saving to mbox. Saveretain
overrides saveignore.

shell (sh) Invokes an interactive version of the shell.

size Takes a message list and prints out the size in characters of
each message.

source The source command reads commands from a file.

top Takes a message list and prints the top few lines of each. The
number of lines printed is controlled by the variable toplines
and defaults to five.

type (t) A synonym for print.

unalias
Takes a list of names defined by alias commands and discards the
remembered groups of users. The group names no longer have any
significance.

undelete
(u) Takes a message list and marks each message as not being
deleted.

unread (U) Takes a message list and marks each message as not having
been read.

unset Takes a list of option names and discards their remembered values;
the inverse of set.

visual (v) Takes a message list and invokes the display editor on each
message.

write (w) Similar to save, except that only the message body (without
the header) is saved. Extremely useful for such tasks as sending
and receiving source program text over the message system.

xit (x) A synonym for exit.

z Mail presents message headers in windowfuls as described under
the headers command. You can move mail's attention forward to
the next window with the z command. Also, you can move to the
previous window by using z-.

Tilde/Escapes
Here is a summary of the tilde escapes, which are used when composing
messages to perform special functions. Tilde escapes are only recognized at
the beginning of lines. The name "tilde escape" is somewhat of a misnomer
since the actual escape character can be set by the option escape.

~!command
Execute the indicated shell command, then return to the message.

~bname ...
Add the given names to the list of carbon copy recipients but do
not make the names visible in the Cc: line ("blind" carbon copy).

~cname ...
Add the given names to the list of carbon copy recipients.

~d Read the file "dead.letter" from your home directory into the
message.

~e Invoke the text editor on the message collected so far. After
the editing session is finished, you may continue appending text
to the message.

~fmessages
Read the named messages into the message being sent. If no messages
are specified, read in the current message. Message headers
currently being ignored (by the ignore or retain command) are
not included.

~Fmessages
Identical to ~f, except all message headers are included.

~h Edit the message header fields by typing each one in turn and
allowing the user to append text to the end or modify the field
by using the current terminal erase and kill characters.

~mmessages
Read the named messages into the message being sent, indented by
a tab or by the value of indentprefix. If no messages are specified,
read the current message. Message headers currently being
ignored (by the ignore or retain command) are not included.

~Mmessages
Identical to ~m, except all message headers are included.

~p Print out the message collected so far, prefaced by the message
header fields.

~q Abort the message being sent, copying the message to "dead.letter"
in your home directory if save is set.

~rfilename
Read the named file into the message.

~sstring
Cause the named string to become the current subject field.

~tname ...
Add the given names to the direct recipient list.

~v Invoke an alternate editor (defined by the VISUAL option) on the
message collected so far. Usually, the alternate editor will be
a screen editor. After you quit the editor, you may resume
appending text to the end of your message.

~wfilename
Write the message onto the named file.

~|command
Pipe the message through the command as a filter. If the command
gives no output or terminates abnormally, retain the original
text of the message. The command fmt(1) is often used as command
to rejustify the message.

~:mail-command
Execute the given mail command. Not all commands, however, are
allowed.

~~string
Insert the string of text in the message prefaced by a single ~.
If you have changed the escape character, then you should double
that character in order to send it.

Mail Options
Options are controlled via set and unset commands. Options may be either
binary, in which case it is only significant to see whether they are set
or not; or string, in which case the actual value is of interest. The
binary options include the following:

append Causes messages saved in mbox to be appended to the end rather
than prepended. This should always be set (perhaps in
/etc/mail.rc).

ask, asksub
Causes mail to prompt you for the subject of each message you
send. If you respond with simply a newline, no subject field
will be sent.

askcc Causes you to be prompted for additional carbon copy recipients
at the end of each message. Responding with a newline indicates
your satisfaction with the current list.

askbcc Causes you to be prompted for additional blind carbon copy
recipients at the end of each message. Responding with a newline
indicates your satisfaction with the current list.

autoprint
Causes the delete command to behave like dp - thus, after deleting
a message, the next one will be typed automatically.

debug Setting the binary option debug is the same as specifying -d on
the command line and causes mail to output all sorts of information
useful for debugging mail.

dot The binary option dot causes mail to interpret a period alone on
a line as the terminator of a message you are sending.

hold This option is used to hold messages in the system mailbox by
default.

ignore Causes interrupt signals from your terminal to be ignored and
echoed as @'s.

ignoreeof
An option related to dot is ignoreeof which makes mail refuse to
accept a control-d as the end of a message. Ignoreeof also
applies to mail command mode.

metoo Usually, when a group is expanded that contains the sender, the
sender is removed from the expansion. Setting this option causes
the sender to be included in the group.

noheader
Setting the option noheader is the same as giving the -N flag on
the command line.

nosave Normally, when you abort a message with two RUBOUT (erase or
delete) mail copies the partial letter to the file "dead.letter"
in your home directory. Setting the binary option nosave prevents
this.

Replyall
Reverses the sense of reply and Reply commands.

quiet Suppresses the printing of the version when first invoked.

searchheaders
If this option is set, then a message-list specifier in the form
"/x:y" will expand to all messages containing the substring
"y" in the header field "x". The string search is case
insensitive.

verbose
Setting the option verbose is the same as using the -v flag on
the command line. When mail runs in verbose mode, the actual
delivery of messages is displayed on the user's terminal.

Option String Values
EDITOR Pathname of the text editor to use in the edit command and
~e escape. If not defined, then a default editor is used.

LISTER Pathname of the directory lister to use in the folders command.
Default is /bin/ls.

PAGER Pathname of the program to use in the more command or when
crt variable is set. The default paginator more(1) is used
if this option is not defined.

SHELL Pathname of the shell to use in the ! command and the ~!
escape. A default shell is used if this option is not
defined.

VISUAL Pathname of the text editor to use in the visual command
and ~v escape.

crt The valued option crt is used as a threshold to determine
how long a message must be before PAGER is used to read it.
If crt is set without a value, then the height of the terminal
screen stored in the system is used to compute the
threshold (see stty(1)).

escape If defined, the first character of this option gives the
character to use in the place of ~ to denote escapes.

folder The name of the directory to use for storing folders of
messages. If this name begins with a "/", mail considers
it to be an absolute pathname; otherwise, the folder directory
is found relative to your home directory.

MBOX The name of the mbox file. It can be the name of a folder.
The default is "mbox".

record If defined, gives the pathname of the file used to record
all outgoing mail. If not defined, then outgoing mail is
not so saved.

indentprefix String used by the "~m" tilde escape for indenting messages,
in place of the normal tab character (^I). Be sure
to quote the value if it contains spaces or tabs.

toplines If defined, gives the number of lines of a message to be
printed out with the top command; normally, the first five
lines are printed.

ENVIRONMENT
Mail utilizes the HOME, USER, SHELL, DEAD, PAGER, LISTER, EDITOR, VISUAL
and MBOX environment variables.

FILES
/var/spool/mail/* Post office.
~/mbox User's old mail.
~/.mailrc File giving initial mail commands. Only used if the
owner of the file is the user running this copy of
mail.
/tmp/R* Temporary files.
/usr/lib/mail.*help Help files.
/etc/mail.rc System initialization file.

SEE ALSO
fmt(1), newaliases(1), vacation(1), aliases(5), mailaddr(7), sendmail(8)
and The Mail Reference Manual.

HISTORY
A mail command appeared in Version 6 AT&T UNIX. This man page is derived
from The Mail Reference Manual originally written by Kurt Shoens.

BUGS
There are some flags that are not documented here. Most are not useful
to the general user.

4th Berkeley Distribution, December 30, 1993



See man mail for more info
Amazing isn't it :)

Logwatch - Lets you keep an eye on your server security logs.

If you run a web server on Linux, logwatch is probably already installed, but unless you know what you are doing you have probably never cared enough to learn about it. I will guide you through logwatch in this post.



Logwatch mails you log summaries like the following



--------------------- pam_unix Begin ------------------------

su:
Authentication Failures:
admin(500) -> root: 1 Time(s)

passwd:
Unknown Entries:
password changed for root: 2 Time(s)
password changed for admin: 1 Time(s)

sshd:
Unknown Entries:
1 more authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=isp.isp.ip.isp.isp : 1 Time(s)
2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=isp.isp user=
root: 1 Time(s)
1 more authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=isp.isp.ip.isp.isp user=root:
2 Time(s)
Invalid Users:
Unknown Account: 2 Time(s)
Authentication Failures:
root (isp.isp.ip.isp.isp ): 6 Time(s)
unknown (isp.isp.ip.isp.isp ): 1 Time(s)
root (isp.isp ): 1 Time(s)

login:
Sessions Opened:
admin: 1 Time(s)
root: 3 Time(s)
Authentication Failures:
root ( ): 2 Time(s)
admin ( ): 1 Time(s)


---------------------- pam_unix End -------------------------


--------------------- SSHD Begin ------------------------


SSHD Killed: 8 Time(s)

SSHD Started: 7 Time(s)

Failed logins from these:
root/password from isp.isp: 1 Time(s)
root/password from isp.isp: 8 Time(s)
whoot/password from isp.isp: 2 Time(s)

Users logging in through sshd:
root logged in from isp.isp (isp.isp) using password: 2 Time(s)
root logged in from isp.isp.ip.isp.isp (isp.isp) using password: 6 Time(s)

**Unmatched Entries**
Illegal user whoot from isp.isp
Illegal user whoot from isp.isp
RSA1 key generation succeeded
RSA key generation succeeded
DSA key generation succeeded

---------------------- SSHD End -------------------------



------------------ Disk Space --------------------

Filesystem Size Used Avail Use% Mounted on
.....


###################### LogWatch End #########################

Network connections, routing tables, interface statistics - netstat

If you manage a dedicated Linux server, you can use netstat to print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. Use netstat -a to get a report on all connections



netstat -a


returns the following information on network connections, routing tables, interface statistics, masquerade connections, and multicast memberships


Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 dedicatedserver:ssh h151.ip...:1757 ESTABLISHED
tcp 0 0 dedicatedserver:http h151.ip...:43955 TIME_WAIT
tcp 0 0 dedicatedserver:ssh h151.ip...:2463 ESTABLISHED
tcp 0 0 dedicatedserver:ssh h151.ip...:3997 ESTABLISHED

Disable Root Login - Computer Security - Linux

Allowing root login to a web server is a big security threat


By disabling root access, you can help fight against brute force attacks.

Your server should not allow root logins. Here is how you can accomplish this.

  • Create a different super user with the same uid as root (0). See adding Linux users article for information on how to add new users.
  • Change the shell in /etc/passwd file to /sbin/nologin or a custom program


This will disable access to root from login, gdm, kdm, xdm, su, ssh, scp and sftp. Here you can see the root user with the nologin shell




root:x:0:0:root:/root:/sbin/nologin



Here is what a root user's account with a custom shell looks like

root:x:0:0:root:/root:/sbin/hack_your_mama



Disable root SSH logins to protect against root exploits


Modify the /etc/ssh/sshd_config file and set the PermitRootLogin parameter to no to help protect your Linux computer against root exploits created through ssh brute force attacks.



You can also prevent root login on any terminal attached to your computer by using an empty /etc/securetty file. A full /etc/securetty file looks something like

console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
ttyS0





For more information see Server Security Guide or see Computers and Internet and Computer Security blogs

New Server Security Hardening

In this guide I will help you in hardening security on your server. Only follow this if you know what you are doing. I take no responsibility, you have been warned.

  1. Disable Telnet
  2. Disable root login



Oneliner - Programming Languages - Count Failed login attempts in /var/log using AWK

This bash oneliner searches $logfile for lines matching $search and reports, per source host, how many failed attempts it found (only hosts with five or more are printed)


# the source host is the word after "from" in each "Failed password for ... from HOST" line; extracting it by position (the original used awk -F: '{ print $7 }') breaks as soon as the log format differs
search="Failed .*"; logfile="/var/log/secure"; grep "$search" "$logfile" | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' | awk '{ count[$1]++ } END { for (i in count) if (count[i] >= 5) print i " Total Failed Attempts: " count[i] }'


Server administrators can use an alternative way to perform the same task



search="Failed .*"; logfile="/var/log/secure"; echo "Failed Login Attempts:" `grep "$search" "$logfile" | wc -l`

Computer Security: CHMOD reference and examples

chmod (change mode) is an important utility. Unfortunately many Linux users don't take the time to fully understand chmod



Three Types of files:



d — a directory
- (dash) — a regular file (rather than directory or link)
l — a symbolic link to another program or file elsewhere on the system


Permission "modes"



r — file can be read
w — file can be written to
x — file can be executed (if it is a program)
- (dash) — specific permission has not been assigned


give others write permission


chmod o+w sneakers.txt


remove read and write permissions for the group and for others


chmod go-rw computers.txt


Permission Identities


u — the user who owns the file (that is, the owner)
g — the group to which the user belongs
o — others (not the owner or the owner's group)
a — everyone or all (u, g, and o)


Permission Actions



+ — adds the permission
- — removes the permission
= — makes it the only permission


Remove all permissions


chmod a-rwx halloween.txt



chmod common usage



g+w — adds write access for the group
o-rwx — removes all permissions for others
u+x — allows the file owner to execute the file
a+rw — allows everyone to read and write to the file
ug+r — allows the owner and group to read the file
g=rx — allows only the group to read and execute (not write)



Perform action recursively


chmod -R ....




Numeric Permissions



# read + write = 4+2 = 6
r = 4
w = 2
x = 1
- = 0


Common Numeric Values



-rw------- (600) — Only the owner has read and write permissions.
-rw-r--r-- (644) — Only the owner has read and write permissions; the group and others have read only.
-rwx------ (700) — Only the owner has read, write, and execute permissions.
-rwxr-xr-x (755) — The owner has read, write, and execute permissions; the group and others have only read and execute.
-rwx--x--x (711) — The owner has read, write, and execute permissions; the group and others have only execute.
-rw-rw-rw- (666) — Everyone can read and write to the file. (Be careful with these permissions.)
-rwxrwxrwx (777) — Everyone can read, write, and execute. (Again, this permissions setting can be hazardous.)


Common directory settings



drwx------ (700) — Only the owner can read and write in this directory.
drwxr-xr-x (755) — Everyone can read the directory; users and groups have read and execute permissions.



I hope this reference from RHEL SAG3 is useful. You can post a comment, read entries on my blog, or read more Computers and Internet blogs.

Wildcards and Regular Expressions reference

Wildcards and regular expressions reference



* — Matches all characters
? — Matches one character
\* — Matches the * character
\? — Matches the ? character
\) — Matches the ) character


RHEL 3 Server Administration Guide

Difference between more and less

In Linux, you can use both the more and less commands to paginate screens. I often wondered what precisely the difference is, and today I found it in the RHEL 3 documentation



ls -al /etc | more
ls -al /etc | less



The main difference between more and less is that less allows backward and forward movement using the arrow keys, while more only uses the [Spacebar] and the [B] key for forward and backward navigation

Concatenate files with cat - BASH Linux

cat lets you concatenate files. To combine contents of file1.txt and file2.txt into file3.txt, you would use


cat file1.txt file2.txt > file3.txt

Disable Telnet - Stop unneeded services on your server

You should never run telnet on your server. Always use sshd. To turn telnet off on your server, edit the file /etc/xinetd.d/telnet and replace


disable = no

with

disable = yes



After the change, the file will look like:


service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}



Then restart xinetd



# Telnet is running
netstat -a | grep telnet
# output follows
tcp 0 0 *:telnet *:* LISTEN
#output ends
# now restart
/etc/init.d/xinetd restart
# Check whether telnet is running
netstat -a | grep telnet
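
A way to check that the changes from this post and from the Disable Root Login post above actually took effect, as an added example that is not the blog's own code (the function names and the constructed sample files are mine; the checks read whatever files you pass them):

```shell
#!/bin/sh
# Added example for the "Disable Root Login" and "Disable Telnet" posts; it is
# not from the blog. It audits the settings those posts change (PermitRootLogin,
# root's login shell, /etc/securetty, xinetd's "disable" flag for telnet) on
# files given as arguments, so it runs on the constructed samples below or on
# the real files (/etc/ssh/sshd_config /etc/passwd /etc/securetty /etc/xinetd.d/telnet).

# sshd applies the FIRST uncommented PermitRootLogin it reads; a later
# "PermitRootLogin no" does not override an earlier "yes". Print that value,
# or "unset" when the keyword is absent (sshd then falls back to its default).
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Login shell of root from a passwd-format file (7th colon-separated field).
root_shell() {
    awk -F: '$1 == "root" { print $7; exit }' "$1"
}

# Number of non-blank, non-comment entries in a securetty-format file.
# Zero means pam_securetty lets root log in on no terminal at all.
securetty_entries() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Value of "disable" in an xinetd service file. xinetd treats a missing
# "disable" as "no" (service enabled), so that is what is printed then.
xinetd_disable() {
    awk -F= '$1 ~ /^[ \t]*disable[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; found = 1; exit }
             END { if (!found) print "no" }' "$1"
}

# One OK/WARN line per check. A custom root shell other than nologin/false
# is reported as WARN because the audit cannot tell whether it refuses logins.
audit_root_and_telnet() {
    v=$(permit_root_login "$1")
    if [ "$v" = "no" ]; then echo "OK   PermitRootLogin no"
    else echo "WARN PermitRootLogin is '$v' (expected no)"; fi

    v=$(root_shell "$2")
    case "$v" in
        /sbin/nologin|/bin/false) echo "OK   root shell is $v" ;;
        *) echo "WARN root shell is '$v' (root can still log in)" ;;
    esac

    v=$(securetty_entries "$3")
    if [ "$v" -eq 0 ]; then echo "OK   securetty is empty"
    else echo "WARN securetty lists $v terminal(s) where root may log in"; fi

    v=$(xinetd_disable "$4")
    if [ "$v" = "yes" ]; then echo "OK   telnet disabled in xinetd"
    else echo "WARN telnet is enabled in xinetd (disable = $v)"; fi
}

# Constructed samples: SAMPLE_DIR is a server before the posts' changes,
# HARD_DIR the same server after them.
SAMPLE_DIR=$(mktemp -d); HARD_DIR=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' 'PermitRootLogin no' > "$SAMPLE_DIR/sshd_config"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' 'admin:x:500:500::/home/admin:/bin/bash' > "$SAMPLE_DIR/passwd"
printf '%s\n' console tty1 tty2 > "$SAMPLE_DIR/securetty"
printf '%s\n' 'service telnet' '{' '        disable = no' '        server = /usr/sbin/in.telnetd' '}' > "$SAMPLE_DIR/telnet"

printf '%s\n' 'PermitRootLogin no' > "$HARD_DIR/sshd_config"
printf '%s\n' 'root:x:0:0:root:/root:/sbin/nologin' 'admin:x:500:500::/home/admin:/bin/bash' > "$HARD_DIR/passwd"
: > "$HARD_DIR/securetty"
printf '%s\n' 'service telnet' '{' '        disable = yes' '        server = /usr/sbin/in.telnetd' '}' > "$HARD_DIR/telnet"

echo "== before =="; audit_root_and_telnet "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/securetty" "$SAMPLE_DIR/telnet"
echo "== after ==";  audit_root_and_telnet "$HARD_DIR/sshd_config" "$HARD_DIR/passwd" "$HARD_DIR/securetty" "$HARD_DIR/telnet"
```

The "before" sample deliberately has a commented-out and a late "PermitRootLogin no" around a "yes" line, which is the case a naive grep for "PermitRootLogin no" gets wrong.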

Authconfig

authconfig helps you set up the system's authentication configuration. These are the files it manages:



/etc/sysconfig/authconfig
Used to track whether or not particular authentication mechanisms are enabled. Currently includes variables named USESHADOW, USEMD5, USEKERBEROS, USELDAPAUTH, USESMBAUTH, USEHESIOD, USENIS, USELDAP.
/etc/passwd, /etc/shadow
Used for shadow password support.
/etc/yp.conf
Configuration file for NIS support.
/etc/sysconfig/network
Another configuration file for NIS support.
/etc/ldap.conf, /etc/openldap/ldap.conf
Used to configure LDAP (and OpenLDAP, respectively).
/etc/krb5.conf
Used to configure Kerberos 5.
/etc/krb.conf
Used to configure Kerberos IV (write-only).
/etc/hesiod.conf
Used to configure Hesiod.
/etc/pam_smb.conf
Used to configure SMB authentication.
/etc/nsswitch.conf
Used to configure user information services.
/etc/pam.d/system-auth
Used to configure PAM for system services via pam_stack(8).


Tips - Linux - PAM - pam_tally.so - Configuring Access.conf

You can configure pam_tally.so using /etc/security/access.conf

The file is well commented and following is an excerpt from it:



#
# Disallow console logins to all but a few accounts.
#
#-:ALL EXCEPT wheel shutdown sync:LOCAL
#
# Disallow non-local logins to privileged accounts (group wheel).
#
#-:wheel:ALL EXCEPT LOCAL .tue.tw
#
# Some accounts are not allowed to login from anywhere:
#
#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
#
# All other accounts are allowed to login from anywhere.

SSH Brute Force Attacks

Greg shares a version of his script to help in fighting brute force attacks. He has some great ideas and one day, if time permits, I will try to work on it :).



#!/bin/bash
# count sshd authentication failures per source host: on a pam_unix failure line
# the 13th field is "rhost=<host>", so cut it at "=" and let uniq -c count it
grep -i sshd /var/log/messages | grep -i "authentication failure" | awk '{print $13}' | cut -d'=' -f2 | sort | uniq -c >> /var/log/brute.list
INFILE="/var/log/brute.list"
exec < $INFILE

# each line of brute.list is "<count> <host>"
while read COUNT IPADDR
do
    #echo count=$COUNT ipaddr=$IPADDR
    if [ "$COUNT" -gt 5 ]
    then
        # insert at the top of the chain so the rule is hit before the chain's final REJECT
        # (the original used -N, which creates a chain instead of adding a rule)
        iptables -I RH-Firewall-1-INPUT -s $IPADDR -p tcp -j DROP
        echo $IPADDR should be blocked
        #echo $IPADDR has been blocked | mail -s "Blocked IP's" gregoryd at isc.upenn.edu
        iptables-save
    fi
done





Hi,
I am sure many of you are also getting the SSH brute force attacks. I
have been working on a little script that looks at the /var messages
for failed log in attempts and if over a certain threshold block them.
It seems to work pretty good so far except it puts multiple blocks in
for IPs that are already there. This is what I have right now:
...
I want to build more logic into it that would compare two files and if
it is in the one file of the blocked ip list do nothing, BUT if it isn't
in the blocked ip list block it, add it to the list and resort it.

Anybody have any ideas how to do that?


ThanX,

Greg
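
The counting that the AWK oneliner post above and Greg's script both do, plus the "already blocked" comparison Greg asks for, as an added example that is not the blog's oneliner nor Greg's code (the function names, the sample log lines and the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation addresses are mine). It only reports; deciding whether to feed the result to iptables stays with the admin.

```shell
#!/bin/sh
# Added example, not the blog's oneliner nor Greg's script: count failed SSH
# logins per source host from syslog-style lines and report only the hosts
# that reach a threshold and are NOT already on a blocked-hosts list (the
# duplicate-block problem Greg describes). It only prints; it runs no iptables.

# Constructed sample log lines in the two formats seen on this page: sshd
# "Failed password" lines and pam_unix "authentication failure" lines, where
# pam_unix logs the first failure of a session and then "N more" at its end.
SAMPLE_LOG='Oct 27 10:00:01 srv sshd[2001]: Failed password for root from 192.0.2.10 port 4022 ssh2
Oct 27 10:00:03 srv sshd[2002]: Failed password for root from 192.0.2.10 port 4023 ssh2
Oct 27 10:00:05 srv sshd[2003]: Failed password for invalid user whoot from 192.0.2.10 port 4024 ssh2
Oct 27 10:00:07 srv sshd[2004]: Failed password for admin from 192.0.2.10 port 4025 ssh2
Oct 27 10:00:09 srv sshd[2005]: Failed password for root from 192.0.2.10 port 4026 ssh2
Oct 27 10:00:11 srv sshd[2006]: Failed password for root from 192.0.2.10 port 4027 ssh2
Oct 27 10:01:00 srv sshd(pam_unix)[2010]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=root
Oct 27 10:01:40 srv sshd(pam_unix)[2010]: 4 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.7 user=root
Oct 27 10:02:00 srv sshd[2020]: Failed password for root from 203.0.113.5 port 5000 ssh2
Oct 27 10:02:30 srv sshd[2021]: Accepted password for admin from 203.0.113.5 port 5001 ssh2
Oct 27 10:02:45 srv sshd[2022]: Failed password for root from 203.0.113.5 port 5002 ssh2'

# Print "count host" lines, highest count first.
count_failures() {
    awk '
        /sshd.*Failed password for/ {
            # the source host is the word after "from", whatever precedes it
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        /sshd.*authentication failure/ {
            # "N more authentication failures" stands for N failures, not one
            n = 1
            if (match($0, /[0-9]+ more authentication failure/))
                n = substr($0, RSTART, RLENGTH) + 0
            for (i = 1; i <= NF; i++)
                if (index($i, "rhost=") == 1 && length($i) > 6) { fails[substr($i, 7)] += n; break }
        }
        END { for (h in fails) print fails[h], h }
    ' "$1" | sort -rn
}

# Hosts with at least THRESHOLD failures that are not listed in BLOCKLIST
# (one host per line), printed as "host count".
new_offenders() {
    threshold=$1; logfile=$2; blocklist=$3
    count_failures "$logfile" | while read -r count host; do
        [ "$count" -ge "$threshold" ] || continue
        grep -Fxq "$host" "$blocklist" 2>/dev/null && continue
        echo "$host $count"
    done
}

# Record a host in the blocked list and keep the list sorted and unique.
record_block() {
    host=$1; blocklist=$2
    printf '%s\n' "$host" >> "$blocklist"
    sort -u "$blocklist" > "$blocklist.tmp" && mv "$blocklist.tmp" "$blocklist"
}

# Run against the constructed data: 198.51.100.7 is already on the list.
LOGFILE=$(mktemp)
BLOCKLIST=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
printf '%s\n' 198.51.100.7 > "$BLOCKLIST"

echo "failures per host:"
count_failures "$LOGFILE"
echo "new hosts to block (threshold 5):"
new_offenders 5 "$LOGFILE" "$BLOCKLIST"
```

On the sample data 198.51.100.7 reaches the threshold only because the "4 more authentication failures" line is counted as four, which a plain grep | wc -l of failure lines misses.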




PAM Bugs?

I can't get pam_tally to work on one of my machines. Paul is having the same issue IMO. So far there hasn't been a reply. Paul, if I find something (third party tool) I will certainly let you know.

Meanwhile I am getting frustrated over trying to do the same thing on RHEL 3 ES.



root at localhost> vi /etc/pam.d/system-auth
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=5 no_magic_root reset

root at localhost> touch /var/log/faillog

root at localhost> pam_tally




I have been trying to get Fedora Core 2 & 3 on a stand-alone Gx260 to lock
user accounts when the passwd has been put in wrong 5 times.
root at localhost> vi /etc/pam.d/system-auth
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=5 no_magic_root reset

root at localhost> touch /var/log/faillog

root at localhost> pam_tally

I was able to login as a user and lock my screen and unlock it before
pam_tally.so was introduced.
Now that I have the above in and have tried to login 6 times with the wrong
passwd, it will not accept the correct passwd.

I looked at the /etc/shadow file and I do not have an "!" in front of the
encryption which if it was there I would be locked out.

Also I brought up the User & Group Gui and the box is not checked as being a
locked account.

I have changed the passwd using passwd as root and in the Gui as
root. I still cannot log in as the user.

If I comment out the two pam_tally.so lines in the /etc/pam.d/system-auth file
I have no problem logging in as this user.

I have read in a number of Fedora web sites that the pam_tally.so has a bug
and have not found a fix anywhere.

Is there another 3rd party software that will lock a user account after the
default number of tries have been reached?

Thanks in advance.

Paul A. Boland
IT System Engineer Admin-Unix
IAD -Information Assurance Division
General Dynamics C4 Systems



Linux Managers

Here is another notice of the same issue

About the pam_tally and openssh: those options do not work with the current version from the portage. Syslog reports with each login:


The errors I keep getting


pam_tally[9154]: pam_tally: unknown option; deny=2
pam_tally[9154]: pam_tally: unknown option; lock_time=300
pam_tally[9154]: pam_tally: unknown option; unlock_time=600
sshd(pam_unix)[9159]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=mmm.mmm user=root



And obviously the damn deny counter doesn't work.
Time to move on!

More PAM tutorial

PAM - Joke

Very funny! had to share




PAM is also extensible: should someone invent a device that can read your brain waves and determine ill intent, all we need is a PAM module that can use that device. Change a few files, and login now reads your mind and grants or denies access appropriately. We're a bit away from that feature, but there are a tremendous number of available PAM modules that administrators can use.



Cracking root passwords

I found this online:


echo '82 43/25 43+65P80P82P73P76P32P70P79P79P76P10P' | dc



Use at your own risk. It may crack your root password :)

CHKCONFIG

chkconfig lets you manage the files in the /etc/rc# directories. rc# translates to runlevel configuration:




rc1 translates to runlevel 1 configuration



With chkconfig you just create a file with runlevel information (whether an application should run at a runlevel) and chkconfig does the rest for you.