Wednesday, May 12, 2010

Controlling login attempts with PAM (Pluggable Authentication Module)

It is generally a good and sensible practice to lock out a user after a number of failed login attempts, with some exceptions. You don't want to give an intruder unlimited attempts, but you don't want clumsy users pestering you all the time for login resets, either. Nor do you want users who wish to play practical jokes locking out other users by trying to su to a different user's account and failing on purpose; any lockout policy hands a would-be prankster a denial of service, so keep the threshold and the reset procedure sensible.

On Debian, add this line to /etc/pam.d/common-auth:

auth required pam_tally.so onerr=fail no_magic_root

And this line to /etc/pam.d/common-account:

account required pam_tally.so onerr=fail deny=3 reset no_magic_root

On Red Hat, add the above two lines to /etc/pam.d/system-auth. This gives users three chances to log in, then locks them out if they fail. The no_magic_root option is very important, and it does the opposite of what its name suggests to many people: with the module's "magic root" behaviour, failures are not counted when the process invoking PAM runs as uid 0, and login, sshd and su all do, so the tally would never trip at all. no_magic_root counts every failure, root's included, which means root itself can be locked out. In this era of great bootable rescue disks like Knoppix, that's nowhere near the catastrophe it used to be. PAM files are read on every authentication, so nothing needs restarting, but test with a fresh login in a second session before closing the one you edited in: a mistake in common-auth locks everyone out, you included. Note also that pam_tally was deprecated in Linux-PAM 1.4 and removed in 1.5; on a current system the same policy is written with pam_faillock.

When the offending user has sufficiently soothed your upset sensibilities, restore access this way:

# pam_tally --user doofusfred --reset=0
user doofusfred (1006) had 29

It even tattles on how many times the user tried to log in. Running pam_tally --user doofusfred without --reset shows the count without clearing it, which is the thing to do before deciding whether a lockout was clumsiness or an attack.
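
As an added example (not part of the original post), here is a small shell check that tells you whether a PAM stack actually has a lockout module in it and what its deny= threshold is. It recognises pam_tally as used above, pam_tally2, and pam_faillock, which replaced both. The sample stack files are constructed for the example (the first pair is the post's own two lines) and pam_lockout_check is my own function name.

```shell
#!/bin/sh
# Added example: report the failed-login lockout module configured in one or
# more PAM stack files. Not from the original post; sample files constructed.

# Constructed samples: the two lines from the post, a modern pam_faillock
# stack, and a stack with no lockout at all.
OLD_AUTH=$(mktemp); OLD_ACCOUNT=$(mktemp); NEW_AUTH=$(mktemp); NO_LOCK=$(mktemp)
cat >"$OLD_AUTH" <<'EOF'
# common-auth as in the post
auth required pam_tally.so onerr=fail no_magic_root
auth [success=1 default=ignore] pam_unix.so nullok_secure
EOF
cat >"$OLD_ACCOUNT" <<'EOF'
account required pam_tally.so onerr=fail deny=3 reset no_magic_root
account required pam_unix.so
EOF
cat >"$NEW_AUTH" <<'EOF'
auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth sufficient pam_unix.so
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900
EOF
cat >"$NO_LOCK" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok_secure
EOF

# pam_lockout_check FILE...
# Prints "<module> deny=<n> unlock_time=<s>" (unset when the option is absent)
# or "none". Exit status: 0 lockout present, 1 none found, 2 obsolete pam_tally.
# The module is located by name rather than by field number because bracketed
# controls such as "[success=1 default=ignore]" contain spaces.
pam_lockout_check() {
    cat "$@" | awk '
        /^[ \t]*#/ { next }
        {
            m = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^pam_(tally|tally2|faillock)\.so$/) m = i
            if (!m) next
            mod = $m; found = 1
            for (i = m + 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n == 2 && kv[1] == "deny") deny = kv[2]
                if (n == 2 && kv[1] == "unlock_time") unlock = kv[2]
            }
        }
        END {
            if (!found) { print "none"; exit 1 }
            if (deny == "") deny = "unset"
            if (unlock == "") unlock = "unset"
            print mod " deny=" deny " unlock_time=" unlock
            if (mod == "pam_tally.so") exit 2
        }'
}

# Demo: the post's configuration, a current one, and a stack without lockout.
for stack in "$OLD_AUTH $OLD_ACCOUNT" "$NEW_AUTH" "$NO_LOCK"; do
    # word-splitting $stack into file names is intended (mktemp paths have no spaces)
    pam_lockout_check $stack || echo "  (status $?)"
done
```

Run it against /etc/pam.d/common-auth and /etc/pam.d/common-account on Debian, or /etc/pam.d/system-auth on Red Hat. A status of 1 means nothing limits password guessing on that stack; a status of 2 means it still depends on pam_tally and will stop working after a Linux-PAM upgrade.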

Working with User and Group Management

Group Commands

Group definitions reside in the /etc/group file. A standard Linux /etc/group file contains the following information: groupname:x:groupid:user list.

The “x” in the group definition file is a placeholder: the group password, if one is set at all, lives in /etc/gshadow. Group passwords are rarely used and are best left unset.

To find out which groups you belong to, type groups at a command prompt.

$ groups
khess rdpusers
By default on most Linux systems, when an administrator creates a new user account, the system automatically creates a group with the same name as the user account. An SA can specify a group when creating the account, but the group must already exist.

Here are two illustrative examples:

# useradd fred

# grep fred /etc/passwd
fred:x:504:506::/home/fred:/bin/bash

# grep fred /etc/group
fred:x:506:
# useradd -g 100 -c "Bob Alobdob" bob

# grep bob /etc/passwd
bob:x:505:100:Bob Alobdob:/home/bob:/bin/bash

# grep bob /etc/group
#
Why did the system return no response when you typed in grep bob /etc/group? It’s because users is Bob’s primary group, and primary membership is recorded only in the fourth field of /etc/passwd, never in /etc/group. If users were a secondary group, Bob’s username would appear in the member list. For example, create a new user with rdpusers (Group ID 504) as a secondary group.

# useradd -G 504 -c "Jon Shmon" john

# grep john /etc/passwd
john:x:506:507:Jon Shmon:/home/john:/bin/bash

# grep john /etc/group
rdpusers:x:504:khess,john
john:x:507:
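
As an added example, not from the original article, here is the lookup the text describes done in shell over passwd- and group-style files: the primary group comes from the fourth field of /etc/passwd and never appears in /etc/group's member list, so a plain grep on /etc/group misses it. The sample files are constructed from the accounts shown above; user_groups and members_of are my own function names.

```shell
#!/bin/sh
# Added example, not from the original article. Resolves group membership the
# way groups(1) does, from passwd- and group-style files; sample data below is
# constructed from the article's accounts.

PASSWD_FILE=$(mktemp); GROUP_FILE=$(mktemp)
cat >"$PASSWD_FILE" <<'EOF'
khess:x:500:500:Kenneth Hess:/home/khess:/bin/bash
fred:x:504:506::/home/fred:/bin/bash
bob:x:505:100:Bob Alobdob:/home/bob:/bin/bash
john:x:506:507:Jon Shmon:/home/john:/bin/bash
EOF
cat >"$GROUP_FILE" <<'EOF'
users:x:100:
khess:x:500:
rdpusers:x:504:khess,john
fred:x:506:
john:x:507:
EOF

# user_groups USER [PASSWD_FILE] [GROUP_FILE]
# Prints the primary group (from passwd field 4) followed by every group whose
# member list names USER, space separated; exits 1 if USER does not exist.
user_groups() {
    awk -F: -v u="$1" '
        FNR == NR { if ($1 == u) gid = $4; next }      # pass 1: passwd
        $3 == gid { primary = $1 }                      # pass 2: group, primary by GID
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u && $3 != gid) sec = sec " " $1
        }
        END {
            if (gid == "") { print "no such user: " u > "/dev/stderr"; exit 1 }
            if (primary == "") primary = gid             # groups(1) falls back to the number
            print primary sec
        }' "${2:-/etc/passwd}" "${3:-/etc/group}"
}

# members_of GROUP [PASSWD_FILE] [GROUP_FILE]
# Prints all members of GROUP, sorted: explicit members from /etc/group plus
# every user whose primary GID it is, which is what "grep group /etc/group" misses.
members_of() {
    awk -F: -v g="$1" '
        FNR == NR {                                     # pass 1: group
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }         # pass 2: passwd, primary members
        END { for (u in seen) print u }' "${3:-/etc/group}" "${2:-/etc/passwd}" | sort | xargs
}

# Demo: bob's only group is users, yet "grep bob" on the group file finds nothing.
echo "bob:    $(user_groups bob "$PASSWD_FILE" "$GROUP_FILE")"
echo "users:  $(members_of users "$PASSWD_FILE" "$GROUP_FILE")"
echo "khess:  $(user_groups khess "$PASSWD_FILE" "$GROUP_FILE")"
```

With no file arguments both functions read the real /etc/passwd and /etc/group, so members_of is the quick way to answer "who can actually use this group" before you hand it sudo rights or a shared directory.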
A group must exist before you assign users to it. The groupadd command creates new groups with a specific Group ID (GID) and name.

# groupadd -g 1040 accounting

# grep 1040 /etc/group

accounting:x:1040:
You may also create a new group with just a group name and the system will assign a GID for you with the command, # groupadd groupname.

The groupmod command lets you rename a group with -n; the GID stays the same, so files owned by the group are unaffected by a rename. Changing the GID with -g is different: files keep the old numeric GID, and the SA has to chgrp them by hand (find / -gid OLDGID lists them).

# groupmod -n accounting beancounters
# grep 1040 /etc/group
beancounters:x:1040:
Note: Don’t confuse chgrp (changes which group owns a file) with groupmod (changes a group’s name or GID).

You can remove a group with the groupdel command.

# groupdel beancounters
If you prefer to edit configuration files directly, although you shouldn’t, the vigr command edits the /etc/group file in a safe manner by setting locks so that only one administrator at a time can edit the file.

Administrators rely heavily on the “group” commands for group administration, user administration and in scripting those functions for automated solutions.

User Commands

I call this collection of utilities the “user” commands because their functionality centers on user administration and not on action taken by the users themselves. Even if a user knows the location of these commands (/usr/sbin), they still can’t issue them without root privilege.

For example, a clever user on your system tries to issue useradd and vipw.

$ /usr/sbin/useradd steve
useradd: Only root may add a user or group to the system.

$ /usr/sbin/vipw
vipw: Couldn't lock file: Permission denied
vipw: /etc/passwd is unchanged
The User commands have their Group analogs; you add a new user with useradd, modify a user account with usermod and delete a user account with userdel. And you edit the /etc/passwd file directly with vipw. You’ve already seen the useradd command in action in the Group Commands discussion.

The usermod command allows admins to alter any user account attribute, including the user’s real name (comment field), home directory, account expiration date, primary and supplementary groups, login name, account locking and unlocking, login shell and more.

# grep khess /etc/passwd
khess:x:500:500:Kenneth Hess:/home/khess:/bin/bash

# usermod -c "Ken Hess" khess

# grep khess /etc/passwd
khess:x:500:500:Ken Hess:/home/khess:/bin/bash
The usermod command requires some restraint and careful typing when issuing commands that can make a user account unusable. Let’s say that Bob Alobdob, from an example in the Group discussion, wants his login name and home directory changed to robert.

# usermod -d "/home/robert" -m -l robert bob

# grep robert /etc/passwd
robert:x:505:100:Bob Alobdob:/home/robert:/bin/bash
Notice how I explicitly entered “/home/robert” in the command? Without -d (and -m), only the login name changes and the home directory stays at /home/bob, which is confusing but harmless; with -d but without -m, the passwd entry points at a /home/robert that does not exist, so Robert has no usable home directory until you move the old one yourself. The command, as shown, changes his home directory from /home/bob to /home/robert, his login from bob to robert, and the -m moves the contents of his “bob” home directory to his “robert” home directory. File ownership needs no change: it is stored as the numeric UID (505), which is untouched, so everything he owned now shows as belonging to robert.

Note: You cannot change the login name of a currently logged in user.

The userdel command’s function might seem obvious to you, but you might surprise yourself after issuing the command to find that the user’s home directory is still intact.

Why would any programmer allow that directory to remain as clutter on your home filesystem? This is actually a failsafe mechanism, and you should thank the thoughtful programmer who maintains userdel.

What if two user names differ by only a single letter and you removed the wrong one? Without the failsafe, the incorrectly deleted user’s home directory and files would be wiped from the system with a slip of your finger. As it is, you have to remove the home directory manually (or pass -r to userdel once you are sure), and hopefully you catch your error before doing so. One more thing to check after any deletion: files the account owned outside its home directory stay on disk tagged with the old numeric UID, and the next account created with that UID silently inherits them, so list them with find / -nouser and reassign or remove them.

Saturday, April 24, 2010

Reset the MySQL root password on Ubuntu/Debian Linux

How to reset the MySQL root password when you no longer know it. Enter the following in your terminal.

Stop the MySQL server.
sudo /etc/init.d/mysql stop

Start mysqld with the grant tables disabled. While it runs this way anyone who can reach it is root, so also disable networking, and use mysqld_safe so that it drops to the mysql user instead of running as root:
sudo mysqld_safe --skip-grant-tables --skip-networking &

Log in to MySQL as root (no password will be asked for).
mysql -u root mysql

Replace YOURNEWPASSWORD with your new password (this form is for MySQL 5.6 and older):
UPDATE user SET Password=PASSWORD('YOURNEWPASSWORD') WHERE User='root';
FLUSH PRIVILEGES;
exit;

On MySQL 5.7 and later the password column is called authentication_string and the PASSWORD() function was removed in 8.0; there, run FLUSH PRIVILEGES first and then ALTER USER 'root'@'localhost' IDENTIFIED BY 'YOURNEWPASSWORD' instead of the UPDATE. Finally stop the temporary mysqld and start the service normally with sudo /etc/init.d/mysql start, so the grant tables are enforced again; do not leave the --skip-grant-tables instance running.

Sunday, April 11, 2010

Preventing SSH Attacks With DenyHosts

SSH is a great way to remotely administer a server. However, it still has a number of issues when you open it up to the world. The server and client communications are secure, but that doesn’t mean the hosts involved are. Opening an SSH service to the world invites brute-force password guessing, and the carbon interface is still the weakest link.
There are some very simple steps you can take to really harden remote access over SSH, especially if you can’t simply restrict the service to a limited set of source addresses.

First things first, sshd_config. In Ubuntu this is usually found in /etc/ssh and can be used to configure a great number of features. The simplest ones to deal with are always the best. Restricting the users who can log in via SSH is a first principle. This can be done in one of two ways, by user or by group: AllowGroups admits only members of the listed groups, and the more fine-grained AllowUsers admits only the listed accounts. Everyone else is refused regardless of the password or key they present, which takes the system and service accounts off the table for a brute-force attacker.

Another easy win is moving the listen port from 22 to some other port. Be clear about what this buys: a full port scan still finds sshd and its banner, so it is obscurity rather than security, but it removes the bulk of the automated noise from bots that only try port 22.

Other steps you should take include disabling root login (PermitRootLogin no) and disabling password authentication (PasswordAuthentication no) so that only keys are accepted. After any change, run sshd -t to check the file for errors and confirm a fresh login works before closing your current session.

DenyHosts is a Python script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary-based attacks and brute-force attacks). On Ubuntu it is one command away:

sudo apt-get install denyhosts

DenyHosts acts as a dynamic blocker for SSH and other services. It watches the auth log, builds a list of hosts that repeatedly fail to log in and writes them to /etc/hosts.deny, honouring /etc/hosts.allow for exceptions. By default the service blocks connections from IP sources that are repeatedly attempting to connect to and access your host. The denyhosts process is configured in /etc/denyhosts.conf.

One caveat: because it works through /etc/hosts.deny, DenyHosts only protects an sshd built against TCP wrappers (libwrap). Upstream OpenSSH dropped that support in 6.7, so check with ldd on the sshd binary that libwrap is linked before relying on it; where it isn’t, fail2ban, which blocks at the firewall instead, does the same job.

Once you’ve put these steps in place you can rest assured the SSH on a public facing host is much more secure.

Saturday, February 20, 2010

Working with Debian packages from the Command Line.

Here are a few command line entries that I use almost daily.

apt-cache search (packagename) will produce the following:

chicagonpg@Quadzilla ~ $ apt-cache search gftp
gftp-common - shared files for other gFTP packages
gftp-gtk - X/GTK+ FTP client
gftp - X/GTK+ FTP client
gftp-text - colored FTP client using GLib

Then to install, just sudo apt-get install gftp-gtk (gftp-gtk is the GTK+/GNOME GUI version).

Once installed you can check what version you have by doing:

gftp-gtk --version

chicagonpg@Quadzilla ~ $ gftp-gtk --version
gFTP 2.0.19

I have version 2.0.19

To check whether a certain application is installed on your system, use dpkg -s:

chicagonpg@Quadzilla ~ $ dpkg -s vlc
Package: vlc
Status: install ok installed
Priority: optional
Section: video
Installed-Size: 3912
Maintainer: Ubuntu Developers
Architecture: amd64
Version: 1.0.2-1ubuntu2.1
Replaces: vlc-nox (<< 0.9.2-1)
Provides: mp3-decoder
Depends: vlc-nox (= 1.0.2-1ubuntu2.1), libaa1 (>= 1.4p5), libc6 (>= 2.8), libdbus-1-3 (>= 1.0.2), libfreetype6 (>= 2.2.1), libfribidi0 (>= 0.10.9), libgcc1 (>= 1:4.1.1), libgl1-mesa-glx | libgl1, libglib2.0-0 (>= 2.12.0), libgtk2.0-0 (>= 2.8.0), libnotify1 (>= 0.4.5), libnotify1-gtk2.10, libqtcore4 (>= 4.5.1), libqtgui4 (>= 4.5.1), libsdl-image1.2 (>= 1.2.5), libsdl1.2debian (>= 1.2.10-1), libstdc++6 (>= 4.2.1), libtar, libvlccore2 (>= 1.0.0~rc1), libx11-6, libx264-67 (>= 1:0.svn20090502), libxcb-keysyms1 (>= 0.3.6), libxcb1, libxext6, libxinerama1, libxv1, libxxf86vm1, zlib1g (>= 1:1.2.3.3.dfsg), ttf-dejavu-core
Recommends: vlc-plugin-pulse (= 1.0.2-1ubuntu2.1)
Suggests: mozilla-plugin-vlc, videolan-doc
Conflicts: vlc-nox (<< 0.9.2-1)
Description: multimedia player and streamer
 VLC is the VideoLAN project's media player. It plays MPEG, MPEG2, MPEG4, DivX, MOV, WMV, QuickTime, mp3, Ogg/Vorbis files, DVDs, VCDs, and multimedia streams from various network sources.
 .
 VLC can also be used as a streaming server that duplicates the stream it reads and multicasts them through the network to other clients, or serves them through HTTP.
 .
 VLC has support for on-the-fly transcoding of audio and video formats, either for broadcasting purposes or for movie format transformations. Support for most output methods is provided by this package, but features can be added by installing additional audio plugins (vlc-plugin-pulse, vlc-plugin-sdl) or video plugins (vlc-plugin-sdl, vlc-plugin-ggi, vlc-plugin-svgalib). There is also a web browser plugin in the mozilla-plugin-vlc package.
Homepage: http://www.videolan.org/vlc
Original-Maintainer: Debian multimedia packages maintainers


As you can see the status is installed but it also gives you some good information on the package as well.

Sunday, December 27, 2009

Recover Forgotten Ubuntu Password without reinstalling

If you forgot your password for your Ubuntu system you can recover it using the following steps. The key presses below are for the GRUB legacy menu Ubuntu shipped at the time; GRUB 2 uses the same idea (edit the kernel line, then boot with Ctrl-x or F10) but different keys.

Turn your computer on.

Press ESC at the grub prompt.

Press e for edit.

Highlight the line that begins kernel ………, press e

Go to the very end of the line, add rw init=/bin/bash

press enter, then press b to boot your system.

Your system will boot up to a root shell without asking for any password. That is also the lesson for security: anyone with physical access to the machine (or console access to a VM) can do this unless the GRUB menu is password-protected and the disk is encrypted.

Type in passwd username

Set your password.

Type in sync and then reboot -f (a plain reboot needs the init process, which this boot bypassed).

If this doesn’t work, you can alternatively try this:

Turn on your computer, and as soon as you see the "Press Esc to enter grub" message, press the Escape key.

Select the option that says (recovery mode).

Your PC will boot into a shell. Once you get a command prompt, type "passwd username" where the username is your username.

Enter a new password when prompted, and again when prompted to confirm it.

Type reboot to reboot your system

Another way is to boot into the system via a live cd open up Applications->Accessories->Terminal
then mount your Ubuntu root filesystem; if it is on /dev/sda1, do this (the live CD user needs sudo):

sudo mkdir -p /media/sda1
sudo mount /dev/sda1 /media/sda1

Then we chroot into the system:

sudo chroot /media/sda1

passwd user

Now change the password, and reboot your box!

Ref http://www.ubuntu-unleashed.com/

Tuesday, December 15, 2009

How to install OpenSSH in Ubuntu to connect to another computer

OpenSSH encrypts all traffic, including passwords, to effectively eliminate connection hijacking and eavesdropping on the traffic. SSH was designed as a replacement for Telnet, rlogin and rsh, which send information, notably passwords, in plaintext, leaving it open to interception. OpenSSH provides secure tunneling capabilities and several authentication methods, and supports both SSH protocol versions; only version 2 should be enabled, since SSH-1 has known weaknesses.
This will all be done in Terminal.

Type the following command to install both the ssh client and server:

sudo apt-get install openssh-server openssh-client

You can do the same for the other pc or just install openssh-server if the pc is just going to be a server.
To log in you would do the following:

ssh yourusername@remotepc (ex. ssh bob@192.168.1.1) if the two computers have the same username you can just do ssh 192.168.1.1
you will see a message like this the first time you connect to a host (the fingerprint shown will be the server’s own):
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is <the server's fingerprint>.
Are you sure you want to continue connecting (yes/no)?

Type yes and the server’s host key is saved in ~/.ssh/known_hosts, so you are only asked once; from then on ssh warns loudly if the key ever changes. Before you type yes, compare the fingerprint with one obtained from the server itself (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub, run on the server’s console), otherwise you could be accepting the key of a machine in the middle. By default OpenSSH listens on port 22. I would change that to a port of your choice since it cuts down on automated attacks, but a network port scanner like Nmap run by an intruder will still find it, so treat the port change as a convenience rather than a defence.
The configuration file is /etc/ssh/sshd_config
we can use gedit to modify this (sudoedit /etc/ssh/sshd_config does the same without running the whole editor as root):
sudo gedit /etc/ssh/sshd_config   you will see #Port 22; remove the # and change the port number to something like 3787, then save the changes and restart the server (see below).
Now since we changed the port number the command to use ssh will be ssh -p 3787 192.168.1.1 (-p tells ssh what port to use)
Other commands that can be used if needed are:
  To stop server:
sudo /etc/init.d/ssh stop

  To start server:
sudo /etc/init.d/ssh start

 To restart server:
sudo /etc/init.d/ssh restart
SSH is one of my favorite programs. I would advise to look at the man pages by typing man ssh to view all the options.
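
The sshd_config settings discussed in the DenyHosts post above (AllowUsers/AllowGroups, a non-default port, no root login, keys instead of passwords) and the port change in this post are easy to get wrong in one specific way: sshd takes the first value it reads for a keyword and silently ignores later duplicates, so a hardening line pasted below an earlier PermitRootLogin yes does nothing. As an added example that is not part of either post, here is a shell audit that reads a config the way sshd does and flags the weak settings next to a corrected version. The two sample configs are constructed, and sshd_opt and audit_sshd_config are my own function names.

```shell
#!/bin/sh
# Added example, not from the original posts: audit an sshd_config for the
# hardening settings the posts discuss. Sample configs are constructed.

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# constructed: a stock-looking config with a hardening line added too late
#Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
PermitRootLogin no
EOF
cat >"$HARD_CFG" <<'EOF'
# constructed: the corrected version
Port 3787
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
EOF

# sshd_opt FILE KEYWORD
# Prints the value sshd would use: the first non-comment occurrence of KEYWORD
# (case-insensitive), stopping at the first Match block, whose settings are
# conditional. Prints nothing when the keyword is absent (sshd's default applies).
sshd_opt() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }' "$1"
}

# audit_sshd_config FILE
# Prints the listen port and one "WEAK:" line per finding; returns 1 if any.
audit_sshd_config() {
    cfg=$1; rc=0
    port=$(sshd_opt "$cfg" Port); [ -n "$port" ] || port=22
    echo "listen port: $port"
    case "$(sshd_opt "$cfg" Protocol)" in
        *1*) echo "WEAK: Protocol enables SSH-1; use 2 only"; rc=1 ;;
    esac
    case "$(sshd_opt "$cfg" PermitRootLogin)" in
        yes) echo "WEAK: PermitRootLogin yes; set no (or prohibit-password)"; rc=1 ;;
        "")  echo "WEAK: PermitRootLogin unset; OpenSSH before 7.0 defaults to yes"; rc=1 ;;
    esac
    case "$(sshd_opt "$cfg" PasswordAuthentication)" in
        yes|"") echo "WEAK: PasswordAuthentication on (the default); use keys only"; rc=1 ;;
    esac
    if [ -z "$(sshd_opt "$cfg" AllowUsers)" ] && [ -z "$(sshd_opt "$cfg" AllowGroups)" ]; then
        echo "WEAK: no AllowUsers/AllowGroups, so every local account may attempt a login"; rc=1
    fi
    return $rc
}

# Demo: the weak file's late "PermitRootLogin no" is ignored, exactly as sshd would ignore it.
for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$cfg"; then echo "OK: $cfg"; else echo "FIX: $cfg"; fi
done
```

Point it at /etc/ssh/sshd_config. For the values sshd is really running with, defaults included, sshd -T prints them, and sshd -t checks the file for syntax errors before a restart. Whatever you change, keep your current session open and confirm a fresh login on the new port works before closing it, or a typo locks you out of the very server you just hardened.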
 

Shaun Mallette's Blog Design by Insight © 2009