Linux Server Security Secrets and Administration

Use a Linux LiveCD to Avoid Windows Malware For Netbanking

2009-11-09T08:39:00.000-03:00

Internet has revolutionized the way online users can shop and avail banking services like internet Banking from anywhere, anytime without visiting bank. But, how safe is your money with online net-banking which allows to carry out money transfer? Companies and in some case individuals lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. The cyber crooks are targeting innocent MS-Windows user. If you are concerned about how best to protect yourself from this type of fraud, use Linux LiveCD for online banking and avoid Microsoft Windows at all cost.

Creating Virtual IP Addresses on Linux

2009-11-05T11:26:00.000-03:00

Virtual IP addresses (or VIPs) allow you to use multiple IPs on a single physical network interface. Creating virtual IP addresses is often done to allow webservers to host multiple SSL encrypted web sites on a single webserver or to allow cluster suites to communicate on a dedicated IP address. This article will cover the two primary means of creating virtual IPs on a Linux host.

ifconfig

The first and most common method employed is to use the Linux command 'ifconfig' to create a VIP in the following manner, assuming that the interface being used is eth1.

# ifconfig eth1:0 192.168.1.28

Keep reading here

Download TTYSnoop - Install TTYSnoop

2009-11-04T10:37:00.000-03:00

Download ttysnoop and then install it

Download for all available architectures
Architecture	Package Size	Installed Size	Files
alpha	18.1 kB	116 kB	[list of files]
amd64	16.8 kB	108 kB	[list of files]
armel	15.1 kB	104 kB	[list of files]
avr32 (unofficial port)	15.0 kB	104 kB	[list of files]
hppa	17.2 kB	108 kB	[list of files]
hurd-i386	15.6 kB	104 kB	[list of files]
i386	15.5 kB	52 kB	[list of files]
ia64	21.3 kB	128 kB	[list of files]
kfreebsd-amd64	17.0 kB	68 kB	[list of files]
kfreebsd-i386	15.3 kB	62 kB	[list of files]
m68k (unofficial port)	15.6 kB	104 kB	[list of files]
mips	17.3 kB	108 kB	[list of files]
mipsel	17.3 kB	108 kB	[list of files]
powerpc	16.1 kB	104 kB	[list of files]
s390	16.8 kB	108 kB	[list of files]
sparc	15.4 kB	104 kB	[list of files]

Yum Force Reinstall

2009-11-03T19:54:00.000-03:00

Since Yum does not have a force flag, rpm commands must be used along with Yum to do some heavy lifting. Here are a few ways to force the reinstall of a broken package on a Yum Managed system.

Yum Remove and then Install

The easiest solution is to yum remove the package and then yum install the same package. If there are too many dependencies at stake with the package in question, try another method.

yum remove PACKAGE yum install PACKAGE

Force Erase and then Yum Install
RPM dependencies sometimes make a simple yum remove impossible and Yum will want to erase your entire OS before moving on. In this case, use rpm to force erase, then yum to install.

Keep reading here

rpm -e --nodeps PACKAGE

yum install PACKAGE

Prune RPM Database and then Yum Install

If your package install is so corrupted that an rpm -e is dangerous or impossible, even with --nodeps, remove the package from the local RPM database to trick yum into reinstalling the package. No files are deleted when using rpm -e with --justdb.

rpm -e --justdb --nodeps PACKAGE

yum install PACKAGE

zdump (8) man page - Timezone management

2009-11-03T07:56:00.000-03:00

This man page is usefull for this other article i wrote here.

ZDUMP(8)                                                              ZDUMP(8)

NAME
       zdump - time zone dumper

SYNOPSIS
       zdump [ -v ] [ -c cutoffyear ] [ zonename ... ]

DESCRIPTION
    Zdump prints the current time in each zonename
    named on the command line.

    These options are available:

    -v     For each zonename on the command line,
          print the time at the lowest possible time
              value, the time one day after the lowest
          possible time value, the times both one sec-
              ond before and exactly at each detected
          time discontinuity, the time at one day less
              than the highest possible time value, and
          the time at the highest possible time value.
              Each line ends with isdst=1 if the given
          time is Daylight Saving Time or isdst=0 oth-
              erwise.

    -c cutoffyear
              Cut off the verbose output near the start of
          the given year.

SEE ALSO
       tzfile(5), zic(8)

                                   ZDUMP(8)

linux ftp transfer and resume

2009-11-02T13:24:00.001-03:00

Here is a list of FTP Client and Servers for Linux:

wput Uploads files or directories to a ftpserver with support of resuming

wput is a tiny program that looks like wget and does as the name suggests exactly the opposite: it uploads files or recursivly whole directories to a ftp-server and supports resuming.

vsftpd A FTP daemon that aims to be "very secure"

A FTP daemon that aims to be "very secure" From the README file: Author: Chris Evans Contact: chris@scary.beasts.org vsftpd is an FTP server, or daemon. The "vs" stands for Very Secure. Obviously this is not a guarantee, but a reflection that I have written the entire codebase with security in mind, and carefully designed the program to be resilient to attack.

py-pyftpdlib Python FTP server library

Python FTP server library provides an high-level portable interface to easily write asynchronous FTP servers with Python. Based on asyncore / asynchat frameworks pyftpdlib is actually the most complete RFC959 FTP server implementation available for Python language.

proma Administrate a ProFTPd server storing users in a MySQL database

ProMA is a PHP4 based system for administrating a ProFTPd server storing users in a MySQL database.

Net_FTP allows you to communicate with FTP servers in a more comfortable way than the native FTP functions of PHP do. The class implements everything nativly supported by PHP and additionally features like recursive up- and downloading, dircreation and chmodding. It although implements an observer pattern to allow for example the view of a progress bar.

pear-Net_FTP PEAR OO interface to the PHP FTP functions plus some additions
Net_FTP allows you to communicate with FTP servers in a more comfortable way than the native FTP functions of PHP do. The class implements everything nativly supported by PHP and additionally features like recursive up- and downloading, dircreation and chmodding. It although implements an observer pattern to allow for example the view of a progress bar.

p5-POE-Component-Client-FTP Implements an FTP client POE Component

POE::Component::Client::FTP is a POE component for interacting with a FTP server.

p5-Net-FTP-Recursive Perl module to provide recursive FTP client class

This module augments the list of Net::FTP methods with several methods that automatically descend directory structures for you. The methods are: rget - Retrieve an entire directory tree. rput - Send an entire directory tree. rdir - Receive an entire directory tree listing. rls - Receive an entire directory tree listing, filenames only. rdelete - Remove an entire directory tree.

p5-File-Fetch A generic file fetching mechanism

File::Fetch is a generic file fetching mechanism. It allows you to fetch any file pointed to by a ftp, http, file, or rsync uri by a number of different means.

lftp Shell-like command line ftp client
LFTP is a shell-like command line ftp client. It is reliable: can retry operations and does reget automatically. It can do several transfers simultaneously in background. You can start a transfer in background and continue browsing the ftp site or another one. This all is done in one process. Background jobs will be completed in nohup mode if you exit or close modem connection. Lftp has reput, mirror, reverse mirror among its features.

bftpd Very configurable FTP server that can do chroot easily

The Bftpd file server is designed to be as small and easy to manage as possible, while providing most of the features you would expect from a file server. On most home systems, bftpd is ready to work out-of-the-box without requiring any extra configuration. Production systems can be set up by editing a few lines in an easy-to-read config file. Features of bftpd include: * Easy configuration * Speed * Support for most RFC FTP commands * tar.gz on-the-fly compression/archiving * Security with chroot without special setup * No need for files (sh, ls...) in a chroot environment * Logging to wtmp and to a config file * PAM support * Support for site chown/chmod

To find more Linux software go here.

TCP Wrappers and xinetd

2009-10-31T11:21:00.002-03:00

Controlling access to network services is one of the most important security tasks facing a server administrator. Fortunately, under Red Hat Linux there are a number of tools which do just that. For instance, an iptables-based firewall filters out unwelcome network packets within the kernel's network stack. For network services that utilize it, TCP wrappers add an additional layer of protection by defining which hosts are allowed or not allowed to connect to "wrapped" network services. One such wrapped network service is the xinetd super server. This service is called a super server because it controls connections to a subset of network services and further refines access control.

TCP Wrappers

The TCP wrappers package (tcp_wrappers) is installed by default under Red Hat Linux and provides host-based access control to network services. The most important component within the package is the /usr/lib/libwrap.a library. In general terms, a TCP wrapped service is one that has been compiled against the libwrap.a library.

When a connection attempt is made to a TCP wrapped service, the service first references the hosts access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client host is allowed to connect. It then uses the syslog daemon (syslogd) to write the name of the requesting host and the requested service to /var/log/secure or /var/log/messages.

If a client host is allowed to connect, TCP wrappers release control of the connection to the requested service and do not interfere further with communication between the client host and the server.

In addition to access control and logging, TCP wrappers can activate commands to interact with the client before denying or releasing control of the connection to the requested network service.

Because TCP wrappers are a valuable addition to any server administrator's arsenal of security tools, most network services within Red Hat Linux are linked against the libwrap.a library. Some such applications include /usr/sbin/sshd, /usr/sbin/sendmail, and /usr/sbin/xinetd

To determine if a network service binary is linked against libwrap.a, type the following command as the root user:

strings -f | grep hosts_access

More about TCP Wrappers:

here, here and here

TCP Wrapper - An introduction

2009-10-30T20:05:00.000-03:00

TCP Wrapper is a host-based Networking ACL system, used to filter network access to Internet Protocol servers on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.

The original code was written by Wietse Venema in 1990 to monitor a cracker's activities on the Unix workstations at the Dept. of Math and Computer Science, Eindhoven University of Technology, the Netherlands[1] maintained it until 1995, and on June 1, 2001, released it under its own BSD-style license.

The tarball includes a library named libwrap that implements the actual functionality. Initially, only services that were spawned for each connection from a super-server (such as inetd) got wrapped, utilizing the tcpd program. However most common network service daemons today can be linked against libwrap directly. This is used by daemons that operate without being spawned from a super-server, or when a single process handles multiple connections. Otherwise, only the first connection attempt would get checked against its ACLs.

Using TCP Wrappers to secure Linux

2009-10-30T18:58:00.003-03:00

TCP Wrappers can be used to GRANT or DENY access to various services on your machine to the outside network or other machines on the same network. It does this by using simple Access List Rules which are included in the two files /etc/hosts.allow and /etc/hosts.deny .

Let us consider this scenario: A remote machine remote_mc trying to connect to your local machine local_mc using ssh.
+ reading

20 Linux Server Hardening Security Tips

2009-10-30T18:54:00.002-03:00

Securing your Linux server is important to protect your data, intellectual property, and time, from the hands of crackers (hackers). The system administrator is responsible for security Linux box. In this first part of a Linux server security series, I will provide 20 hardening tips for default installation of Linux system.

#1: Encrypt Data Communication
#2: Minimize Software to Minimize Vulnerability
#3: One Network Service Per System or VM Instance
#4: Keep Linux Kernel and Software Up to Date
#5: Use Linux Security Extensions
#6: User Accounts and Strong Password Policy
#7: Disable root Login
#8: Physical Server Security
#9: Disable Unwanted Services
#10: Delete X Windows
#11: Configure Iptables and TCPWrappers
#12: Linux Kernel /etc/sysctl.conf Hardening
#13: Separate Disk Partitions
#14: Turn Off IPv6
#15: Disable Unwanted SUID and SGID Binaries
#16: Use A Centralized Authentication Service
#17: Logging and Auditing
#18: Secure OpenSSH Server
#19: Install And Use Intrusion Detection System
#20: Protecting Files, Directories and Email

+ here

Updating from Factory to openSUSE 11.2

2009-10-30T14:29:00.001-03:00

As Stephan Kulow announced recently openSUSE 11.2 is now build in a separate project and openSUSE Factory contains changes that will not go into openSUSE 11.2. Therefore if you followed so far openSUSE Factory via e.g. “zypper dup” and want to switch to 11.2, you have to change the repositories that you are using. If you installed openSUSE 11.2 RC1, you have already the right repositories for 11.2 setup.

+ here

BASH Script – Blank Out CC Details

2009-10-29T17:42:00.001-03:00

Here’s a quick one liner, can’t think why anyone would ever have any use for it, but maybe the principle itself could be of use to someone! This will take a file containing listings of 16 digit numbers, i.e. 1234123412341234 and replace it with XXXXXXXXXXXX1234

[Keep reading here]

Disabling console login for a linux box

2009-10-29T13:15:00.004-03:00

Part of the linux hardening strategy is to disable the login from the console, if you are paranoid enough you would like to disable the root login from the console.

This is accomplished though the use of PAM.

1) Open the /etc/pam.d/login

And comment the first line and add this line after it:

2) Add this line to the file /etc/security/access.conf

And finially, when i try to login from the tty2 this is that happens:

mount server reported tcp not available

2009-10-28T11:32:00.000-03:00

On the log you have: Using NFS over UDP can cause data corruption.

Make sure that the portmap service is up on the Server:
rpcinfo -p

Resolved :)

undefined symbol: _dl_cpuclock_offset

2009-10-26T12:26:00.000-03:00

# ls

ls: relocation error: /lib/i686/libpthread.so.0: undefined symbol: _dl_cpuclock_offset

/lib/i686 # ls lib

libc.so.6        libm.so.6        libpthread.so.0

rpm -ivh ./glibc-2.2.5-233.i686.rpm

Resolved it.

cannot get shared lock on database

2009-10-26T12:20:00.000-03:00

To resolve this i had to look which were the process taking the database:

lsof | grep /var/lib/rpm/packages.rpm

And then killed it with the SIGKILL signal.

User password expiration

2009-10-15T11:47:00.000-03:00

Like in AIX, on Linux it is important to control the users passwords expiration. The password expiration information is stored in /etc/shadow.

Inspect the password expiration from one user:

# chage -l simpleuser

Minimum:        0

Maximum:        90

Warning:        7

Inactive:       -1

Last Change:            Feb 19, 2009

Password Expires:       May 20, 2009

Password Inactive:      Never

Account Expires:        Never

Inspect the password expiration from all the users:

for i in `cat /etc/passwd | awk -F: '{print $1}'`; do echo "UserName:${i}"; chage -l $i|grep "Password Expires" ;done

Disable the password expiration from one user:

# chage -I -1 -m 0 -M 99999 -E -1 simpleuser

Which languages are installed in a SuSe Linux ?

2009-10-14T17:25:00.000-03:00

Some differences exist between linux versions, on redhat, to know which are the installed languages you have to do a cat from /etc/sysconfig/i18n.

On SuSe this info is in /etc/sysconfig/languages.
cat /etc/sysconfig/languages | grep "installed_lang"

Recovering a broken Linux Operating System part (3/3)

2009-10-09T09:56:00.003-03:00

The last way to recover a broken system to which you do not have normal access is with help of the installation media cd. For example on SuSe 11 it is like this:

1) Insert the boot cd and write "repair=1" in the boot options. Press enter.

2) This window appears for a few seconds:

3) You get root access by simple typing "root" and press enter:

4) The partitions wouldn't be mounted. Mount them and start repairing:

Recovering a broken Linux Operating System part (2/3)

2009-09-30T11:48:00.001-03:00

In Suse and Redhat the installation cd has a few but powerful tools, lets call them powertools. These are memcheck86, a very complete and easy to use RAM health check, with this tool i have diagnosed and resolved a lot of memory problems.

The other powertool is the "Rescue Mode", it looks like this:

And after booting, type "root" and you get in without being asked for a password.

This option do not mounts any disk partition, local or remote. Once in the machine mount the desired partition:

# mount /dev/sda1 /disc1
# vi /disk1/etc/fstab

The fstab file has the partition table of the system, it is common that the disks changed and the system is not able to find some partition.

Recovering a broken Linux Operating System part (1/3)

2009-09-29T13:16:00.000-03:00

Multiple methods exist to recover a broken Linux Operating System. Like any problem, there is a method for every problem and a broken operating system could have multiple causes. To recover a Linux do it with a Senior Administrator by you if you don't know what you are doing.

1) Enter in Single user mode, for this you would need to remember the root password but if you do, you can correct any problem related with networking or some drivers because the initialization scripts are not executed.

In the boot screen put "1" as boot parameter.

Then enter the root password and start analyzing logs, filesystem. Do not forget to check the memory with a live cd and memcheck86

2) Suppose that you forgot the root password or a BOFH has changed it, you can still use this trick to enter without the root password:

Enter "init=/bin/bash rw"

Working with text files in Unix/Linux (part 3/3)

2009-09-28T09:49:00.000-03:00

Another complex combination. To list line numbers on a file the cat command has an option, but the "nl" command has multiple formating options, something that the "cat" command doesnt.

The -n specifies a format and "rz" right justifies with not leading zeros.

cat sourcefile.php | nl -n rz

To see the last 3 lines of any text file use tail:
cat sourcefile.php | tail -n1

To see how many lines a file has, combine them both:
cat sourcefile.php | nl -n rz | tail -n1

Working with text files in Unix/Linux (part 2/3)

2009-09-25T09:46:00.000-03:00

The scenario is that you have a compressed file with ZIP, and this is a raw text log file that you have to unzip and then to cat.

$ zcat messages.gz

You want to see only the first lines of a text file, for that is the head command.

$ head messages.log

And if you want to see the line number of a file, use the cat with the -n argument like:
$ cat -n file1.txt

Everything together:
$ zcat messages.gz | head | cat -n

Working with text files in Unix/Linux (part 1/3)

2009-09-24T14:54:00.002-03:00

Removing repeated lines in a text, the strategy to remove repeated lines in a text is not very

intuitive at the first, the operation is divided in parts:

Resizing an LVM partition in Linux

2009-09-15T14:44:00.000-03:00

First check how much space you have left in the Volume Group that contains that Logical Volume:

lvextend -L +300 /dev/system_vg/usr_lv

resize_reiserfs -s+300m /dev/system_vg/usr_lv

1) Without unmounting
2) The /usr partition, which holds kernel modules and is being used.
3) Zero downtime.