Archive for June, 2012

SBDavid

How to disable Support for TIPC

The Transparent Inter-Process Communication protocol allows applications in a clustered computer environment to communicate quickly and reliably with other applications, regardless of their location within the cluster.

If the TIPC protocol is not needed, its kernel module can be prevented from loading. To do so, add the following line to /etc/modprobe.conf:

install tipc /bin/true

Using pam_deny.so to Quickly Deny Access to a Service

To deny access to a service SVCNAME via PAM, edit the file /etc/pam.d/SVCNAME. Prepend this line to the beginning of the file:

auth requisite pam_deny.so

Under most circumstances, there are better ways to disable a service than to deny access via PAM. However, this should suffice as a way to quickly make a service unavailable to future users (existing sessions which have already been authenticated are not affected). The requisite tag tells PAM that, if the named module returns failure, authentication should fail, and PAM should immediately stop processing the configuration file. The pam_deny.so module always returns failure regardless of its input.
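The deny rule only has this effect when it is the first auth rule in the file, so a quick audit is worth running after the edit. The check below is an added example, not part of the original post; the function name pam_auth_denied and the sample stacks are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a PAM service file really denies authentication,
# i.e. that "auth requisite pam_deny.so" is the first effective auth rule.

# pam_auth_denied FILE  (hypothetical helper name)
# Exit 0 if the first effective auth rule in FILE is the deny rule,
# exit 1 otherwise. Prints the reason on stdout.
pam_auth_denied() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        { sub(/^-/, "", $1) }               # "-auth" is still an auth rule
        # A Debian-style "@include" may pull in auth rules, so it counts too.
        $1 == "auth" || $1 == "@include" {
            seen = 1
            if ($1 == "auth" && $2 == "requisite" &&
                ($3 == "pam_deny.so" || $3 ~ /\/pam_deny\.so$/)) {
                print "denied"; exit 0
            }
            print "NOT denied, first auth rule is: " $0; exit 1
        }
        END { if (!seen) { print "NOT denied, no auth rule found"; exit 1 } }
    ' "$1"
}

# Constructed sample stacks (not real system files).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# rule prepended as described above' \
        'auth requisite pam_deny.so' \
        'auth sufficient pam_unix.so' \
        'account required pam_unix.so' > "$d/prepended"
    # Same rule appended instead: a successful "sufficient" module ends the
    # auth stack before pam_deny.so is ever reached.
    printf '%s\n' 'auth sufficient pam_unix.so' \
        'auth requisite pam_deny.so' > "$d/appended"
    for f in prepended appended; do
        printf '%s: ' "$f"
        pam_auth_denied "$d/$f" || true
    done
    rm -r "$d"
}
demo
```

On a real system, call it as pam_auth_denied /etc/pam.d/SVCNAME; rules pulled in through include directives are not expanded, so any include before the deny rule is reported as not denied.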

SBDavid

Sending Logs to a Remote Loghost

Edit /etc/syslog.conf. Add or correct the line:

*.* @loghost.example.com

Here, loghost.example.com is the name of your central log server.

It is particularly important that logs be stored on the local host in addition to being sent to the loghost, because syslogd uses the UDP protocol to send messages over a network. UDP does not guarantee reliable delivery, and moderately busy sites will lose log messages occasionally, especially in periods of high traffic which may be the result of an attack. In addition, remote syslogd messages are not authenticated, so it is easy for an attacker to introduce spurious messages to the central log server. Also, some problems cause loss of network connectivity, which will prevent the sending of messages to the central server. For all of these reasons, it is better to store log messages both centrally and on each host, so that they can be correlated if necessary.

SBDavid

Password Quality Requirements

The default pam_cracklib PAM module provides strength checking for passwords. It performs a number of checks, such as making sure passwords are not similar to dictionary words, are of at least a certain length, are not the previous password reversed, and are not simply a change of case from the previous password. It can also require passwords to contain characters from certain character classes.

The pam_passwdqc PAM module provides the ability to enforce even more stringent password strength requirements.

It is provided in an RPM of the same name.

The man pages pam_cracklib(8) and pam_passwdqc(8) provide information on the capabilities and configuration of each.

SBDavid

How to disable Wireless Drivers

Removing the kernel drivers that provide support for wireless Ethernet devices will prevent users from easily activating the devices.

To remove the wireless drivers from the system:

# rm -r /lib/modules/kernelversion(s)/kernel/drivers/net/wireless
