A useful option of sed command to replace multiple lines with a single line upon matching a given string.
$ cat -n file.txt
Hello world
Hello nobody
nobody
Somebody
anybody
If you want to replace the lines 2 and 3 with another line "Hello everybody" the below command will help.
$ sed '/nobody$/{N;s/Hello nobody\nnobody/Hello everybody/}' file.txt
$ cat -n file.txt
1 hello world
2 Hello everybody
3 Somebody
4 anybody
Thursday, December 17, 2009
SMTP authentication through TELNET
It's common that we use TELNET to port 25 of Mail server to check the connectivity and to ensure the Mail flow.
It's also possible to perform SMTP authentication in TELNET session
$ telnet yourmailserver 25
type “HELO”, hit Enter.
AUTH LOGIN
Now you have to enter your email ID and then your password encoded in BASE64.
For converting your email and password to Base64 use the conversion tools at WebPan or Ostermiller
Reference
WebPan.com
KongTechnology
It's also possible to perform SMTP authentication in TELNET session
$ telnet yourmailserver 25
type “HELO”, hit Enter.
AUTH LOGIN
Now you have to enter your email ID and then your password encoded in BASE64.
For converting your email and password to Base64 use the conversion tools at WebPan or Ostermiller
Reference
WebPan.com
KongTechnology
echo colourfully
# for i in `cat num.txt`; do echo -en '\E[3'$i'm'"\033[1mPsycho Tux\033[0m " ; done;
# for i in `cat num.txt`; do echo -en '\E[47;3'$i'm'"\033[1mPsycho Tux\033[0m " ; done;
# cat num.txt
1
2
3
4
5
6
7
8
9
0
# for i in `cat num.txt`; do echo -en '\E[47;3'$i'm'"\033[1mPsycho Tux\033[0m " ; done;
# cat num.txt
1
2
3
4
5
6
7
8
9
0
Block direct SSH to root, but not to root equivalent
The PermitRootLogin no option of /etc/ssh/sshd_config will block all the users with UID 0. Below is an option to overcome this.
# vi /etc/ssh/sshd_config
###PermitRootLogin no
AllowUsers newuser guest psychotux hari
DenyUsers root
# /etc/init.d/sshd restart
Here users listed along with AllowUsers can be normal user or root equivalent.
# vi /etc/ssh/sshd_config
###PermitRootLogin no
AllowUsers newuser guest psychotux hari
DenyUsers root
# /etc/init.d/sshd restart
Here users listed along with AllowUsers can be normal user or root equivalent.
Thursday, December 10, 2009
Hardware clock failure in ISA system
In ISA systems /sbin/hwclock will fail to fetch the Hardware clock and will throw an error similar to below.
# hwclock
select() to /dev/rtc to wait for clock tick timed out
# hwclock --show
select() to /dev/rtc to wait for clock tick timed out
But the --directisa option of hwclock will work here.
# /sbin/hwclock --directisa
So as a permanent solution we can rename the existing binary /sbin/hwclock and create a new Wrapper as below
1. Find the version of hwclock
# hwclock --version
2. Rename the binary by suffixing the version number
# cd /sbin
# mv hwclock hwclock-x.y
3. Create a wrapper for the hwclock-x.y named hwclock
# cat > hwclock << HERE
#!/bin/bash
/sbin/hwclock-x.y --directisa \$@
HERE
4. Give necessary execute permission and reboot the server
# chmod +x hwclock
5. Check the hardware clock, System Time, NTP, etc.
To synchronize system time with Hardware clock we can use hwclock --hctosys
And an optional reboot
# reboot
If your system is not ISA the we can try the RTC driver as well. The first thing we have to ensure is the RTC driver is loaded using the below steps.
# lsmod|grep rtc
This will show something like below
rtc 15329 0
If you are not getting any, then the rtc driver has not loaded. You need to load it
# modprobe rtc
# hwclock
select() to /dev/rtc to wait for clock tick timed out
# hwclock --show
select() to /dev/rtc to wait for clock tick timed out
But the --directisa option of hwclock will work here.
# /sbin/hwclock --directisa
So as a permanent solution we can rename the existing binary /sbin/hwclock and create a new Wrapper as below
1. Find the version of hwclock
# hwclock --version
2. Rename the binary by suffixing the version number
# cd /sbin
# mv hwclock hwclock-x.y
3. Create a wrapper for the hwclock-x.y named hwclock
# cat > hwclock << HERE
#!/bin/bash
/sbin/hwclock-x.y --directisa \$@
HERE
4. Give necessary execute permission and reboot the server
# chmod +x hwclock
5. Check the hardware clock, System Time, NTP, etc.
To synchronize system time with Hardware clock we can use hwclock --hctosys
And an optional reboot
# reboot
If your system is not ISA the we can try the RTC driver as well. The first thing we have to ensure is the RTC driver is loaded using the below steps.
# lsmod|grep rtc
This will show something like below
rtc 15329 0
If you are not getting any, then the rtc driver has not loaded. You need to load it
# modprobe rtc
Monday, April 27, 2009
Basic Linux Configuration backup
#!/bin/bash
# Title: Linux Primary Configuration Backup
# Version: 1.5
# Last update: 06-08-2012
# Author: Hareesh V V
# E Mail: tux.psycho@gmail.com
# Web: http://www.psychotux.com
DATE=`date +%d%m%y`
BKP=~/`hostname`.BACKUPS_$DATE
/bin/mkdir -p $BKP
tar -cjf $BKP/etc_$DATE.tar.bz2 /etc
/sbin/ifconfig > $BKP/ifconfig
/sbin/route -n > $BKP/route
/sbin/runlevel > $BKP/runlevel
/sbin/chkconfig --list | grep 3:on > $BKP/chkconfig_init_3
/sbin/chkconfig --list | grep 5:on > $BKP/chkconfig_init_5
/bin/hostname > $BKP/hostname
lsmod > $BKP/lsmod
cat /etc/hosts > $BKP/etc_hosts
cat /etc/resolv.conf > $BKP/etc_resolv
cat /etc/grub.conf > $BKP/grub_conf
#crontab -l > $BKP/crontab
/sbin/iptables -L > $BKP/iptables_filter
/sbin/iptables -t nat -L > $BKP/iptables_nat
/sbin/iptables-save > $BKP/iptables
cat /etc/sysconfig/iptables-config > $BKP/iptables-config
/bin/netstat -ntpl > $BKP/netstat
mount > $BKP/mount
fdisk -l > $BKP/fdisk
cat /etc/rc.local > $BKP/rc_local
cat /proc/sys/net/ipv4/ip_forward > $BKP/proc_ip_forward
cat /proc/cpuinfo > $BKP/proc_cpuinfo
getenforce > $BKP/getenforce
cat /etc/fstab > $BKP/fstab
cp -r /etc/sysconfig/network-scripts $BKP/
cat /etc/sysconfig/network > $BKP/network
echo $PATH > $BKP/path
## Hardware
/usr/sbin/hwinfo
/sbin/lspci > $BKP/lspci
/usr/bin/lsb_release > $BKP/lsb_release
/usr/sbin/dmidecode > $BKP/dmidecode
/usr/bin/getconf LONG_BIT > $BKP/getconf
/usr/bin/systool > $BKP/systool
/usr/bin/lshal > $BKP/lshal
/sbin/lsusb -t > $BKP/lsusb
/usr/sbin/biosdecode > $BKP/biosdecode
lshw > $BKP/lshw
cat /proc/version > $BKP/version
cat /etc/printcap > $BKP/printcap
dmesg > $BKP/dmesg
cat /etc/sysconfig/hwconf > $BKP/hwconf
## CRON Backup
mkdir $BKP/`hostname`_crons
cd $BKP/`hostname`_crons
OUT=$BKP/`hostname`_crons
> crons.txt
> $OUT/cronlist
for i in `ls /var/spool/cron/`
do
grep $i /etc/passwd
if [ $? = 0 ]
then
{
crontab -u $i -l >> $OUT/$i.cron
crontab -u $i -l | grep -v "^#" | sort | uniq | awk {'print $6'} >> crons.txt
crontab -u $i -l | grep -v "^#" | sort | uniq | awk {'print $7'} >> crons.txt
crontab -u $i -l | grep -v "^#" | sort | uniq | awk {'print $8'} >> crons.txt
}
fi
done
for i in `cat crons.txt`
do
cp $i $OUT 2> /dev/null
done
cd
tar -cjf $OUT.tar.bz2 $OUT
tar -cjf $BKP.tar.bz2 $BKP
cd $BKP/`hostname`_crons
rm -rf crons.txt $OUT
rm -rf $BKP
# Title: Linux Primary Configuration Backup
# Version: 1.5
# Last update: 06-08-2012
# Author: Hareesh V V
# E Mail: tux.psycho@gmail.com
# Web: http://www.psychotux.com
DATE=`date +%d%m%y`
BKP=~/`hostname`.BACKUPS_$DATE
/bin/mkdir -p $BKP
tar -cjf $BKP/etc_$DATE.tar.bz2 /etc
/sbin/ifconfig > $BKP/ifconfig
/sbin/route -n > $BKP/route
/sbin/runlevel > $BKP/runlevel
/sbin/chkconfig --list | grep 3:on > $BKP/chkconfig_init_3
/sbin/chkconfig --list | grep 5:on > $BKP/chkconfig_init_5
/bin/hostname > $BKP/hostname
lsmod > $BKP/lsmod
cat /etc/hosts > $BKP/etc_hosts
cat /etc/resolv.conf > $BKP/etc_resolv
cat /etc/grub.conf > $BKP/grub_conf
#crontab -l > $BKP/crontab
/sbin/iptables -L > $BKP/iptables_filter
/sbin/iptables -t nat -L > $BKP/iptables_nat
/sbin/iptables-save > $BKP/iptables
cat /etc/sysconfig/iptables-config > $BKP/iptables-config
/bin/netstat -ntpl > $BKP/netstat
mount > $BKP/mount
fdisk -l > $BKP/fdisk
cat /etc/rc.local > $BKP/rc_local
cat /proc/sys/net/ipv4/ip_forward > $BKP/proc_ip_forward
cat /proc/cpuinfo > $BKP/proc_cpuinfo
getenforce > $BKP/getenforce
cat /etc/fstab > $BKP/fstab
cp -r /etc/sysconfig/network-scripts $BKP/
cat /etc/sysconfig/network > $BKP/network
echo $PATH > $BKP/path
## Hardware
/usr/sbin/hwinfo
/sbin/lspci > $BKP/lspci
/usr/bin/lsb_release > $BKP/lsb_release
/usr/sbin/dmidecode > $BKP/dmidecode
/usr/bin/getconf LONG_BIT > $BKP/getconf
/usr/bin/systool > $BKP/systool
/usr/bin/lshal > $BKP/lshal
/sbin/lsusb -t > $BKP/lsusb
/usr/sbin/biosdecode > $BKP/biosdecode
lshw > $BKP/lshw
cat /proc/version > $BKP/version
cat /etc/printcap > $BKP/printcap
dmesg > $BKP/dmesg
cat /etc/sysconfig/hwconf > $BKP/hwconf
## CRON Backup
mkdir $BKP/`hostname`_crons
cd $BKP/`hostname`_crons
OUT=$BKP/`hostname`_crons
> crons.txt
> $OUT/cronlist
for i in `ls /var/spool/cron/`
do
grep $i /etc/passwd
if [ $? = 0 ]
then
{
crontab -u $i -l >> $OUT/$i.cron
crontab -u $i -l | grep -v "^#" | sort | uniq | awk {'print $6'} >> crons.txt
crontab -u $i -l | grep -v "^#" | sort | uniq | awk {'print $7'} >> crons.txt
crontab -u $i -l | grep -v "^#" | sort | uniq | awk {'print $8'} >> crons.txt
}
fi
done
for i in `cat crons.txt`
do
cp $i $OUT 2> /dev/null
done
cd
tar -cjf $OUT.tar.bz2 $OUT
tar -cjf $BKP.tar.bz2 $BKP
cd $BKP/`hostname`_crons
rm -rf crons.txt $OUT
rm -rf $BKP
Sunday, March 8, 2009
Script to find normal users above UID 500
Script to find normal users above UID 500 and their Shell History. This works in Linux. Other NIXes may require modification.
#!/bin/bash
USERS=`grep ":5*:*:" /etc/passwd | grep "/bin/bash" | awk -F: '{print $1}'`
HOME=`grep ":5*:*:" /etc/passwd | grep "/bin/bash" | awk -F: '{print $6}'`
for i in $USERS
do
egrep -i "reboot|init|shutdown|halt|poweroff" `grep $i: /etc/passwd | cut -f6 -d:`/.bash_history
done
#!/bin/bash
USERS=`grep ":5*:*:" /etc/passwd | grep "/bin/bash" | awk -F: '{print $1}'`
HOME=`grep ":5*:*:" /etc/passwd | grep "/bin/bash" | awk -F: '{print $6}'`
for i in $USERS
do
egrep -i "reboot|init|shutdown|halt|poweroff" `grep $i: /etc/passwd | cut -f6 -d:`/.bash_history
done
Sunday, March 1, 2009
Ever alive SSH session
If you are facing Session timeout issue whenever you are leaving an open session idle for some time you can make use of TCP Keepalive option in putty.
1. Open Putty
2. Go to Connection->Seconds between keepalives(0 to turn off). Give a keepalive value here in seconds, preferably 120 or above.
Advanced
1. If you are using portaputty you can set it in config file .\putty\sessions\Default%20Settings. Set TCPKeepalives=120.
2. Right inside Linux or any other UNIX we can use /etc/ssh/ssh_config. Set the variable ServerAliveInterval 60.
3. We can use screen command also. ssh host -t screen -xRe^oo.
4. Screen can exist with Putty as well. Go to Connections -> SSH -> Remote command. Then specify screen -xRe^oo
Further Readings
HowtoGeek
Metafilter
1. Open Putty
2. Go to Connection->Seconds between keepalives(0 to turn off). Give a keepalive value here in seconds, preferably 120 or above.
Advanced
1. If you are using portaputty you can set it in config file .\putty\sessions\Default%20Settings. Set TCPKeepalives=120.
2. Right inside Linux or any other UNIX we can use /etc/ssh/ssh_config. Set the variable ServerAliveInterval 60.
3. We can use screen command also. ssh host -t screen -xRe^oo.
4. Screen can exist with Putty as well. Go to Connections -> SSH -> Remote command. Then specify screen -xRe^oo
Further Readings
HowtoGeek
Metafilter
Tuesday, February 10, 2009
VSFTPD-chrooted user with limited directory access
Create a user with home directory /foo. Otherwise we can create a normal user and then edit /etc/passwd to change the home directory (useradd hari -d /foo).
Here we chose the latter option since it's a sensible directory and we don't wnat to take risk by putting .bash files.
# useradd hari
# grep hari /etc/passwd
hari:x:796:796::/home/hari:/bin/bash
Now change the home directory to /foo
# vi /etc/passwd
# grep hari /etc/passwd
hari:x:796:796::/foo:/sbin/nologin
Note that we have changed the home directory from /home/hari to /foo and the shell from /bin/bash to /sbin/nologin
Added the below two lines in /etc/vsftpd/vsftpd.conf for enabling chroot functionality.
# vi /etc/vsftpd/vsftpd.conf
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Now add the user hari to Chroot List file.
# echo hari >> /etc/vsftpd.chroot_list
Now verify the permission of /foo, /foo/tux and /foo/beastie
[root@psycho ~]# ls -ld /foo/
drwxrwx--- 17 root ftpuser 4096 Feb 6 19:58 /foo/
[root@psycho ~]#
[root@psycho ~]# ll /foo/
total 81652
drwxr-xr-- 2 tiger ftpuser 4096 Sep 18 2007 alert
drwxr-xr-x 14 root root 4096 Jan 18 2008 tux
drwxr-xr-x 2 root root 4096 Jan 11 2008 log
drwx------ 2 root root 16384 Sep 6 2007 lost+found
drwxrwxr-x 4 giraffe ftpuser 048000 Feb 9 23:51 beastie
[root@psycho ~]#
/foo/tux and /foo/beastie are having read-access to all. But /foo will not be readable since the permission is 770.
So add the user "hari" to the group "ftpuser", which is the Group for /foo.
# grep ftpuser /etc/group
ftpuser:x:502:
# vi /etc/group
ftpuser:x:502:hari
Now take the list of files/directories under /foo except tux and beastie. These are the only directories user needs access.
# ls /foo | grep -v tux | grep -v beastie
alert
log
lost+found
Add these to /etc/vsftpd_user_conf/hari for restricting access by the FTP user. We have already mentioned the below in /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd_user_conf
# vi /etc/vsftpd_user_conf/hari
deny_file={alert,log,lost+found}
write_enable=NO
write_enable=NO is to restrict the user from changing the files/directories
Restart VSFTPD service.
/etc/init.d/vsftpd restart
That's it. Now the conditions satisfied are as below
1. User will be able to login through FTP protocol.
2. Default login directory will be a "chrooted HOME- /foo". User will not be able to access any other directory other than /foo.
3. User can access "tux" and "beastie" directories right from the home directory.
4. These two directories will be "read-only". User can't write/change any files/directories.
5. User cannot access any other directories under /foo except tux and beastie.
6. User will not be able to login directly to system.
Here we chose the latter option since it's a sensible directory and we don't wnat to take risk by putting .bash files.
# useradd hari
# grep hari /etc/passwd
hari:x:796:796::/home/hari:/bin/bash
Now change the home directory to /foo
# vi /etc/passwd
# grep hari /etc/passwd
hari:x:796:796::/foo:/sbin/nologin
Note that we have changed the home directory from /home/hari to /foo and the shell from /bin/bash to /sbin/nologin
Added the below two lines in /etc/vsftpd/vsftpd.conf for enabling chroot functionality.
# vi /etc/vsftpd/vsftpd.conf
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
Now add the user hari to Chroot List file.
# echo hari >> /etc/vsftpd.chroot_list
Now verify the permission of /foo, /foo/tux and /foo/beastie
[root@psycho ~]# ls -ld /foo/
drwxrwx--- 17 root ftpuser 4096 Feb 6 19:58 /foo/
[root@psycho ~]#
[root@psycho ~]# ll /foo/
total 81652
drwxr-xr-- 2 tiger ftpuser 4096 Sep 18 2007 alert
drwxr-xr-x 14 root root 4096 Jan 18 2008 tux
drwxr-xr-x 2 root root 4096 Jan 11 2008 log
drwx------ 2 root root 16384 Sep 6 2007 lost+found
drwxrwxr-x 4 giraffe ftpuser 048000 Feb 9 23:51 beastie
[root@psycho ~]#
/foo/tux and /foo/beastie are having read-access to all. But /foo will not be readable since the permission is 770.
So add the user "hari" to the group "ftpuser", which is the Group for /foo.
# grep ftpuser /etc/group
ftpuser:x:502:
# vi /etc/group
ftpuser:x:502:hari
Now take the list of files/directories under /foo except tux and beastie. These are the only directories user needs access.
# ls /foo | grep -v tux | grep -v beastie
alert
log
lost+found
Add these to /etc/vsftpd_user_conf/hari for restricting access by the FTP user. We have already mentioned the below in /etc/vsftpd/vsftpd.conf
user_config_dir=/etc/vsftpd_user_conf
# vi /etc/vsftpd_user_conf/hari
deny_file={alert,log,lost+found}
write_enable=NO
write_enable=NO is to restrict the user from changing the files/directories
Restart VSFTPD service.
/etc/init.d/vsftpd restart
That's it. Now the conditions satisfied are as below
1. User will be able to login through FTP protocol.
2. Default login directory will be a "chrooted HOME- /foo". User will not be able to access any other directory other than /foo.
3. User can access "tux" and "beastie" directories right from the home directory.
4. These two directories will be "read-only". User can't write/change any files/directories.
5. User cannot access any other directories under /foo except tux and beastie.
6. User will not be able to login directly to system.
Wednesday, January 21, 2009
Restricting su Access to System and Shared Accounts
This chapter shows how to restrict people from su-ing to system and shared accounts even if they know the passwords.
Example for Restricting su Access to root
Create a new group for each set of users that are allowed to su to the root
# groupadd rootmembers
Add all users who are allowed to su to the root account to the new member groups created above.
The following requirement will be configured:
- Only the user named hari should be able to su to root
-
# usermod -G rootmembers hari
Next add the three authentication lines highlighted in bold to the /etc/pam.d/su file as shown below:
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_stack.so service=system-auth
auth sufficient /lib/security/$ISA/pam_stack.so service=su-root-members
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_selinux.so open multiple
session optional /lib/security/$ISA/pam_xauth.so
These additional authentication lines specify that nobody should be able to su to any account unless at least one of the PAM services or su-root-members returns
Success. The control flag sufficient means that a Success will bypass the remaining
authentication modules and overall Success is returned for the authentication part. Failure means that the failed authentication PAM service is ignored. If both authentication PAM services fail, then the last authentication module pam_deny is invoked which will deny all requests for any available authentication module. This will cause the authentication part to fail for the su command.
Next the new authentication PAM service configuration file /etc/pam.d/su-root-members needs to be created. The file /etc/pam.d/su-root-members referenced in /etc/pam.d/su should read like:
auth required /lib/security/pam_wheel.so use_uid group=rootmembers
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail
file=/etc/security/su-rootmembers-access
The file /etc/security/su-rootmembers-access referenced in /etc/pam.d/su-root-members should read like:
# cat /etc/security/su-rootmembers-access
root
The control flag required which is specified for both modules means that both modules have to return Success. Otherwise this PAM service will return Failure to the "su" PAM service configured in /etc/pam.d/su. The first line returns Success only if the user is in the rootmembers groups.
second line allows only access (sense=allow) to those users specified in
/etc/security/rootusername, which is root, oracle, and postgres - these are the only users that will be accepted as a user argument to su. The item=user argument instructs pam_listfile that the entries in /etc/security/rootusername are usernames. If an error occurs, such as an unreadable configuration file, access is denied (onerr=fail).
NOTE: Once su access to root is working for users in the rootmembers, I recommend to avoid making any changes to the /etc/pam.d/su-root-members file in the future. Making a mistake in this file could revoke access to root for all users on the system. That's the reason why I created two PAM service files, /etc/pam.d/su-root-members for people in the rootmembers group, and /etc/pam.d/su-other-members (see below) for all other member groups since you will most probably add more member groups to this file in the future.
Now verify that user hari can su to root. No one else on the system should be able su to root even if they know the password.
Example for Restricting su Access to root
Create a new group for each set of users that are allowed to su to the root
# groupadd rootmembers
Add all users who are allowed to su to the root account to the new member groups created above.
The following requirement will be configured:
- Only the user named hari should be able to su to root
-
# usermod -G rootmembers hari
Next add the three authentication lines highlighted in bold to the /etc/pam.d/su file as shown below:
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_stack.so service=system-auth
auth sufficient /lib/security/$ISA/pam_stack.so service=su-root-members
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_selinux.so open multiple
session optional /lib/security/$ISA/pam_xauth.so
These additional authentication lines specify that nobody should be able to su to any account unless at least one of the PAM services or su-root-members returns
Success. The control flag sufficient means that a Success will bypass the remaining
authentication modules and overall Success is returned for the authentication part. Failure means that the failed authentication PAM service is ignored. If both authentication PAM services fail, then the last authentication module pam_deny is invoked which will deny all requests for any available authentication module. This will cause the authentication part to fail for the su command.
Next the new authentication PAM service configuration file /etc/pam.d/su-root-members needs to be created. The file /etc/pam.d/su-root-members referenced in /etc/pam.d/su should read like:
auth required /lib/security/pam_wheel.so use_uid group=rootmembers
auth required /lib/security/pam_listfile.so item=user sense=allow onerr=fail
file=/etc/security/su-rootmembers-access
The file /etc/security/su-rootmembers-access referenced in /etc/pam.d/su-root-members should read like:
# cat /etc/security/su-rootmembers-access
root
The control flag required which is specified for both modules means that both modules have to return Success. Otherwise this PAM service will return Failure to the "su" PAM service configured in /etc/pam.d/su. The first line returns Success only if the user is in the rootmembers groups.
second line allows only access (sense=allow) to those users specified in
/etc/security/rootusername, which is root, oracle, and postgres - these are the only users that will be accepted as a user argument to su. The item=user argument instructs pam_listfile that the entries in /etc/security/rootusername are usernames. If an error occurs, such as an unreadable configuration file, access is denied (onerr=fail).
NOTE: Once su access to root is working for users in the rootmembers, I recommend to avoid making any changes to the /etc/pam.d/su-root-members file in the future. Making a mistake in this file could revoke access to root for all users on the system. That's the reason why I created two PAM service files, /etc/pam.d/su-root-members for people in the rootmembers group, and /etc/pam.d/su-other-members (see below) for all other member groups since you will most probably add more member groups to this file in the future.
Now verify that user hari can su to root. No one else on the system should be able su to root even if they know the password.
Lock user account on frequent login failures
Add the following two lines highlighted in blue to the /etc/pam.d/system-auth file as shown below:
auth required pam_env.so
auth required pam_tally.so onerr=fail per_user deny=3 reset
auth required pam_access.so
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_tally.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
The first added line counts failed login and failed su attempts for each user. The default location for attempted accesses is recorded in /var/log/faillog.
The second added line specifies to lock accounts automatically after 5 failed login or su attempts (deny=5). The counter will be reset to 0 (reset) on successful entry if deny=n was not exceeded.
But you don't want system or shared accounts to be locked after too many login failures (denial of service attack). To exempt system and shared accounts from the deny=n parameter. The per_user parameter instructs the module NOT to use the deny=n limit for accounts where the maximum number of login failures is set explicitly. For example:
# faillog -u root -m -1
# faillog -u root
Username Failures Maximum Latest
oracle 0 -1 Fri Dec 10 23:57:55 -0600 2005 on unknown
The faillog command with the option "-m -1" has the effect of not placing a limit on the number of failed logins. To instruct the module to activate the deny=n limit for this account again, run:
# faillog -u -m 0
To see failed login attempts, run:
# faillog
To unlock an account after too many login failures, run:
# faillog -u -r
Make sure to test these changes thoroughly on your system using e.g. ssh and su, and make sure root does not get locked!
To lock/unlock accounts manually, you can run one of the following commands:
# passwd -l
# usermod -L
# passwd -u
# usermod -U
auth required pam_env.so
auth required pam_tally.so onerr=fail per_user deny=3 reset
auth required pam_access.so
auth sufficient pam_unix.so likeauth nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_tally.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
The first added line counts failed login and failed su attempts for each user. The default location for attempted accesses is recorded in /var/log/faillog.
The second added line specifies to lock accounts automatically after 5 failed login or su attempts (deny=5). The counter will be reset to 0 (reset) on successful entry if deny=n was not exceeded.
But you don't want system or shared accounts to be locked after too many login failures (denial of service attack). To exempt system and shared accounts from the deny=n parameter. The per_user parameter instructs the module NOT to use the deny=n limit for accounts where the maximum number of login failures is set explicitly. For example:
# faillog -u root -m -1
# faillog -u root
Username Failures Maximum Latest
oracle 0 -1 Fri Dec 10 23:57:55 -0600 2005 on unknown
The faillog command with the option "-m -1" has the effect of not placing a limit on the number of failed logins. To instruct the module to activate the deny=n limit for this account again, run:
# faillog -u
To see failed login attempts, run:
# faillog
To unlock an account after too many login failures, run:
# faillog -u
Make sure to test these changes thoroughly on your system using e.g. ssh and su, and make sure root does not get locked!
To lock/unlock accounts manually, you can run one of the following commands:
# passwd -l
# usermod -L
# passwd -u
# usermod -U
Enforce stronger password in Linux
The pam_cracklib module checks the password against dictionary words and other constraints.
E.g. if you define password length minlen=10, then you will get 1 credit for e.g. using a single digit number in your password if you defined dredit=1. This means that pam_cracklib will accept a password of the length of minlen-credit. If you don't use a digit number, then the minimum length of the password would be minlen. There was no way to tell the module that a password _must_include a digit number.
The following example shows how to enforce the following password rules:
pam_cracklib.so minlen=8 Minimum length of password is 8
pam_cracklib.so lcredit=-1 Minimum number of lower case letters is 1
pam_cracklib.so ucredit=-1 Minimum number of upper case letters is 1
pam_cracklib.so dcredit=-1 Minimum number of digits is 1
pam_cracklib.so ocredit=-1 Minimum number of other characters is 1
To setup these password restrictions, edit the /etc/pam.d/system-auth file and add/change the following pam_cracklib arguments
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
E.g. if you define password length minlen=10, then you will get 1 credit for e.g. using a single digit number in your password if you defined dredit=1. This means that pam_cracklib will accept a password of the length of minlen-credit. If you don't use a digit number, then the minimum length of the password would be minlen. There was no way to tell the module that a password _must_include a digit number.
The following example shows how to enforce the following password rules:
pam_cracklib.so minlen=8 Minimum length of password is 8
pam_cracklib.so lcredit=-1 Minimum number of lower case letters is 1
pam_cracklib.so ucredit=-1 Minimum number of upper case letters is 1
pam_cracklib.so dcredit=-1 Minimum number of digits is 1
pam_cracklib.so ocredit=-1 Minimum number of other characters is 1
To setup these password restrictions, edit the /etc/pam.d/system-auth file and add/change the following pam_cracklib arguments
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
Subscribe to:
Posts (Atom)