Monday, March 24, 2014

Linux Server Hardening

Harden your Linux server

1. Keep Linux Software Up to Date
All security updates should be reviewed and applied as soon as possible:

# yum update

Remove unwanted software:

# yum list installed
# yum list packageName
# yum remove packageName

2. User Accounts and Strong Password Policy

Password Aging       -  /etc/login.defs
Password Complexity  -  /etc/pam.d/system-auth

3. No Non-Root Accounts Have UID Set To 0

awk -F: '($3 == "0") {print}' /etc/passwd 

4. Disable Root Login
5. Disable Unwanted Services 

The following command lists all services that are started at boot in runlevel 3:

# chkconfig --list | grep '3:on'

To disable a service, enter:

# service serviceName stop
# chkconfig serviceName off

6. Close not needed open ports
7. Configure Iptables and TCPWrappers
8. /tmp hardening
9. Apache and mysql should run under different owners
10. Find all world-writable files
11. Physical security - enable BIOS and GRUB password
12. Review Logs Regularly

/var/log/messages – Whole system logs or current activity logs.
/var/log/auth.log – Authentication logs.
/var/log/kern.log – Kernel logs.
/var/log/cron.log – Crond logs (cron jobs).
/var/log/maillog – Mail server logs.
/var/log/boot.log – System boot log.
/var/log/mysqld.log – MySQL database server log file.
/var/log/secure – Authentication log.
/var/log/utmp or /var/log/wtmp – Login records.
/var/log/yum.log – Yum log files.

13. Ignore ICMP or Broadcast Request

Add the following lines to /etc/sysctl.conf to ignore ping or broadcast requests.

Ignore ICMP requests:
net.ipv4.icmp_echo_ignore_all = 1

Ignore broadcast requests:
net.ipv4.icmp_echo_ignore_broadcasts = 1

Load the new settings by running:

# sysctl -p
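Added here as a worked example (not part of the original post): small audit functions for steps 3, 10 and 13 of the checklist. They take a file or directory argument, so they can be tried against the constructed sample passwd file and temporary directories below and then pointed at /etc/passwd, / and /etc/sysctl.conf on a real host.

```shell
#!/bin/sh
# Added example, not from the original post. All sample data here is constructed.

# Constructed sample passwd file with a second UID-0 account ("backup").
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0:backup:/var/backup:/bin/bash
vivek:x:500:500::/home/vivek:/bin/bash
EOF

# Step 3: accounts other than root whose third field (UID) is 0.
extra_uid0_accounts() {   # extra_uid0_accounts PASSWD_FILE
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Step 10: world-writable regular files below a directory, same filesystem only.
world_writable_files() {  # world_writable_files DIR
    find "$1" -xdev -type f -perm -0002
}

# Step 13: check a sysctl.conf-style file for the two ICMP keys.
# Prints "ok" when both are set to 1, otherwise the keys that are missing or not 1.
icmp_settings_status() {  # icmp_settings_status SYSCTL_FILE
    missing=""
    for key in net.ipv4.icmp_echo_ignore_all net.ipv4.icmp_echo_ignore_broadcasts; do
        # The dots in $key also match any character; harmless for these fixed names.
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" \
            || missing="${missing}${missing:+ }$key"
    done
    if [ -z "$missing" ]; then echo ok; else echo "$missing"; fi
}
```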

What is the difference between TTY and PTY?

TTY - Teletype

TTY ports are direct connections to the computer, such as a keyboard/mouse or a serial connection to the device.

PTS - Pseudo-Teletype

PTS connections are SSH or telnet connections. Any of these connections can be attached to a shell, which lets you issue commands to the computer.

For example, when you ssh in to a machine and run ls, the ls command is sending its output to a pseudo-terminal, the other side of which is attached to the SSH daemon.

man pty

Sunday, March 23, 2014

Failed login attempts: how to set up and clear

Under the Linux operating system you can use the faillog command to display faillog records or to set login failure limits. The faillog command displays the contents of the failure log from the /var/log/faillog database file. It can also be used to maintain failure counters and limits. If you run faillog without arguments, it displays only the faillog records of users who have ever had a login failure.

PAM Settings

I found that under RHEL / CentOS Linux 5.x, you need to modify the /etc/pam.d/system-auth file. You need to configure a PAM module; otherwise the faillog command will never display failed login attempts.

PAM Configuration To Record Failed Login Attempts

The pam_tally module maintains a count of attempted accesses, can reset the count on success, and can deny access if too many attempts fail. Edit the /etc/pam.d/system-auth file:

# vi /etc/pam.d/system-auth

Modify as follows:

auth     required     pam_tally.so no_magic_root
account  required     pam_tally.so deny=3 no_magic_root lock_time=180

  • deny=3 : Deny access if the tally for this user exceeds 3.
  • lock_time=180 : Always deny for 180 seconds after a failed attempt. There is also an unlock_time=n option, which allows access n seconds after a failed attempt. If this option is used the user will be locked out for the specified amount of time after exceeding the maximum allowed attempts; otherwise the account stays locked until the lock is removed by manual intervention of the system administrator.
  • magic_root : If the module is invoked by a user with uid=0 the counter is not incremented. The sysadmin should use this for user-launched services like su; otherwise this argument should be omitted.
  • no_magic_root : Avoid root account locking if the module is invoked by a user with uid=0.
Save and close the file.

How Do I Display All Failed Login Attempts For a User Called vivek?

Type the command as follows:
# faillog -u vivek
Login       Failures Maximum Latest                   On
vivek           3        0   12/19/07 14:12:53 -0600  64.11.xx.yy

Task: Show Faillog Records For All Users

Type the following command with the -a option:
# faillog -a

Task: Lock Account

To lock the account for 180 seconds after a failed login, enter (the second form applies to all users):
# faillog -l 180 -u vivek
# faillog -l 180

Task: Set Maximum Number of Login Failures

The -M option allows you to set the maximum number of login failures after which the account is disabled, a number called MAX. Selecting a MAX value of 0 has the effect of not placing a limit on the number of failed logins. The maximum failure count should always be 0 for root, to prevent a denial of service attack against the system:
# faillog -M MAX -u username
# faillog -M 10 -u vivek

How do I Reset The Counters Of Login Failures?

The -r option resets the counters of login failures, or a single record if used with the -u USERNAME option:
# faillog -r
To reset the counter for user vivek, enter:
# faillog -r -u vivek
On a large Linux login server, such as at a university or government research facility, one might find it useful to clear all counts every midnight or every week from a cron job:
# crontab -e
Reset failed login records every week:
@weekly /usr/bin/faillog -r
Save and close the file.

$ man faillog
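The following is an added example, not from the original post: it reads faillog -a output in the column layout shown above and reports which accounts are currently denied and what maximum root has been given. The output lines and the user names other than vivek are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. The faillog output below is constructed.

# Constructed faillog -a output; the Latest and On columns may be empty.
FAILLOG_SAMPLE='Login       Failures Maximum Latest                   On
root            0        0
vivek           3        0   12/19/07 14:12:53 -0600  64.11.xx.yy
alice           5        3   12/19/07 15:01:10 -0600  10.0.0.5
bob             1       10   12/19/07 15:02:00 -0600  10.0.0.6'

# Accounts whose Failures count has reached a non-zero Maximum: these are the
# users faillog is denying until their counter is reset (faillog -r -u USER).
# Field 1 is Login, 2 is Failures, 3 is Maximum; the header row is skipped.
denied_users() {   # denied_users "FAILLOG_OUTPUT"
    printf '%s\n' "$1" | awk 'NR > 1 && $3 > 0 && $2 >= $3 { print $1 }'
}

# Maximum configured for root. The post recommends 0 so that repeated failed
# logins cannot be used to lock the administrator out (denial of service).
root_maximum() {   # root_maximum "FAILLOG_OUTPUT"
    printf '%s\n' "$1" | awk 'NR > 1 && $1 == "root" { print $3 }'
}
```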

Saturday, March 22, 2014

Regular Expressions : Basics

Regular expressions (regexps) are one of the advanced concepts we need in order to write efficient shell scripts and for effective system administration. For easier understanding, regular expressions are divided into 3 types:

1) Basic regular expressions

2) Interval regular expressions (use option -E for grep and -r for sed)

3) Extended regular expressions (use option -E for grep and -r for sed)

Some FAQs before starting with regular expressions

What is a Regular expression?

A regular expression is a concept of matching a pattern in a given string.

Which commands/programming languages support regular expressions?
vi, tr, rename, grep, sed, awk, perl, python etc.

Basic Regular Expressions
Basic regular expressions: this set includes the very basic regular expressions, which do not require any options to use. It was developed a long time ago.

^ – Caret/Power symbol: match at the beginning of the line.

$ – Match the end of the line.

* – 0 or more occurrences of the previous character.

. – Match any single character.

[] – Range of characters.

[^char] – Negation: match any single character not in the set.

\<word\> – Match a whole word.

\ – Escape character.

Let's start with our regexp examples, so that we can understand them better.

^ Regular Expression
Example 1: Find all the regular files in a given directory

ls -l | grep ^-

As you are aware, the first character in ls -l output is - for regular files and d for directories. Let us see what ^- indicates. The ^ symbol matches the start of the line, so ^- means: whatever line starts with -, display it. That indicates a regular file in Linux/Unix.

If we want to find all the directories in a folder, use grep ^d along with ls -l as shown below:

ls -l | grep ^d

How about character files and block files?

ls -l | grep ^c

ls -l | grep ^b

We can even find the lines which are commented out using the ^ operator, as in the example below:

grep '^#' filename

How about finding lines in a file which start with 'abc'?

grep '^abc' filename

We can have any number of examples with this ^ operator.

$ Regular Expression
Example 2: Match all the files whose names end with sh

ls -l | grep sh$

As $ indicates the end of the line, the above command will list all the files whose names end with sh.

How about finding lines in a file which end with dead?

grep 'dead$' filename

How about finding empty lines in a file?

grep '^$' filename

* Regular Expression
Example 3: Match all files which have a word twt, twet, tweet etc. in the file name.

ls -l | grep 'twe*t'

How about searching for the word apple in a given file where it is misspelled as ale, aple, appple, apppple, apppppple etc.? To find all these patterns:

grep 'ap*le' filename

Readers should observe that the above pattern will match even the word ale, as * indicates 0 or more occurrences of the previous character.

. Regular Expression
Example 4: Filter for file names which contain any single character between t and t.

ls -l | grep 't.t'

Here . will match any single character. It can match tat, t3t, t.t, t&t etc., i.e. any single character between the letters t and t.

How about finding all the file names which start with a and end with x using regular expressions?

ls -l | grep 'a.*x'

The above .* indicates any number of characters.

Note: in the combination .*, the . indicates any character and the * repeats it 0 or more times. So in our example it will find all the files/folders whose names start with a and end with x.

[] Square braces/Brackets Regular Expression
Example 5: Find all the files which contain a number in the file name between a and x

ls -l | grep 'a[0-9]x'

This will find all the file names that have a single digit between a and x: wherever it finds a digit in that position it will match.

Some of the range operator examples for you:

[a-z] – Matches any single char between a and z.
[A-Z] – Matches any single char between A and Z.
[0-9] – Matches any single char between 0 and 9.
[a-zA-Z0-9] – Matches any single character from a to z, A to Z or 0 to 9.
[!@#$%^] – Matches any one of the ! @ # $ % ^ characters.
You just have to think what you want to match and keep those characters in the braces/brackets.

[^char] Regular Expression
Example 6: Match all the file names except a or b or c in its filenames

ls | grep '[^abc]'

Note that [^abc] matches any single character that is not a, b or c, so this outputs every file name that contains at least one character other than a, b or c, rather than excluding names that contain those letters.

\<word\> Regular Expression
Example 7: Search for the word abc; for example, I should not get abcxyz or readabc in my output.

grep '\<abc\>' filename

Escape Regular Expression
Example 8: Find files which contain [ in their name; as [ is a special character we have to escape it

grep "\[" filename

or

grep '[[]' filename

Note: if you observe, [] is used to remove the special meaning of [, so if you want to find any special character, keep it in [] so that it will not be treated as special.

Note: no need to use -E to use these regular expressions with grep. We also have egrep and fgrep, which are equal to "grep -E" and "grep -F". I suggest you just concentrate on grep to complete your work; don't go for other commands if grep is there to resolve your issues.
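As an added example (not from the original article), here are the patterns above run with grep against a constructed sample file, with the backslashes in \<abc\> and \[ written out, plus the grep -v '[abc]' form that actually excludes names containing a, b or c (the contrast to Example 6). The sample file contents and the helper function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. The sample file is constructed.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
# a commented line
abc is a whole word here
readabc and abcxyz are not
apple ale aple appple apppppple
tit t3t twt tweet

value[0] = 1
line ending in dead
EOF

# Number of lines in FILE matching basic regex PATTERN (no -E needed).
line_count() {   # line_count PATTERN FILE
    grep -c -- "$1" "$2"
}

# Number of individual, non-overlapping matches of PATTERN in FILE;
# -o prints each match on its own line so wc can count them.
match_count() {  # match_count PATTERN FILE
    grep -o -- "$1" "$2" | wc -l | tr -d ' '
}

# Lines containing none of a, b or c. Compare grep '[^abc]', which keeps
# every line that has at least one other character (all non-empty lines here).
lines_without_abc() {   # lines_without_abc FILE
    grep -v '[abc]' "$1"
}
```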
