ServerBuddies Support Blog

Methods of Disabling the Root Account.

Changing the root shell.

To prevent users from logging in directly as root, the system administrator can set the root ac-count’s shell to /sbin/nologin in the /etc/passwd file.

Edit the /etc/passwd file and change the shell from /bin/bash to /sbin/nologin.

The following programs are prevented from ac-cessing the root account:

Programs that do not re-quire a shell, such as FTP clients, mail clients, and many setuid programs. The following programs are not prevented from accessing the root ac-count:

Disabling root ac-cess via any con-sole device (tty).

An empty /etc/securetty file prevents root login on any devices attached to the computer.

Disabling root SSH Login.

Edit the /etc/ssh/sshd_config file, and set the PermitRootLo-gin parameter to no.

to

Use PAM to limit root access to services.

Edit the file for the target service in the /etc/pam.d/ directory. Make sure the pam_listfile.so is re-quired for authentication.

Rkhunter Installation

Download from

http://kent.dl.sourceforge.net/project/rkhunter/rkhunter/1.3.4/rkhunter-1.3.4.tar.gz

Rootkit Hunter (RKH) is an easy-to-use tool which checks computers running UNIX (clones) for the presence of rootkits and other unwanted tools.

What are rootkits? Most times they are self-hiding toolkits used by blackhats, crackers and scriptkiddies, to avoid the eye of the sysadmin.

Unpacking the tar file should produce a single directory called ‘rkhunter-’. Where ” is the version number of rkhunter being installed. For example, the rkhunter-1.3.0.tar.gz tar file will produce the ‘rkhunter-1.3.0′ directory when unpacked. Within this directory is the installation script called ‘installer.sh’.

To perform a default installation of RKH simply unpack the tarball and, as root, run the installation script:

RKH installation supports custom layouts. To show some examples run:

As an another example, to install all files beneath /opt, run:

The default installation process will install a configuration file, called ‘rkhunter.conf’, into the ‘/etc’ directory.

To run RKH, as root, simply enter the following command:

By default, the log file ‘/var/log/rkhunter.log’ will be created. It will contain the results of the checks made by RKH.

To see what other options can be used with rkhunter, enter:

Forcing Strong Passwords

To protect the network from intrusion it is a good idea for system administrators to verify that the passwords used within an organization are strong ones. When users are asked to create or change passwords, they can use the command line application passwd, which is Pluggable Au-thentication Manager (PAM) aware and therefore checks to see if the password is easy to crack
or too short in length via the pam_cracklib.so PAM module. Since PAM is customizable, it is possible to add further password integrity checkers, such as pam_passwdqc (available from ht-tp://www.openwall.com/passwdqc/) or to write a new module. For a list of available PAM mod-ules, refer to http://www.kernel.org/pub/linux/libs/pam/modules.html.

There are many password cracking programs that run under Red Hat Enterprise Linux although none ship with the operating system. Below is a brief list of some of the more popular password cracking programs:

John The Ripper — A fast and flexible password cracking program. It allows the use of mul- tiple word lists and is capable of brute-force password cracking. It is available online at ht- tp://www.openwall.com/john/.

Crack — Perhaps the most well known password cracking software, Crack is also very fast, though not as easy to use as John The Ripper. It can be found online at ht- tp://www.crypticide.com/users/alecm/.

Slurpie — Slurpie is similar to John The Ripper and Crack, but it is designed to run on multiple computers simultaneously, creating a distributed password cracking attack. It can be found along with a number of other distributed attack security evaluation tools online at ht- tp://www.ussrback.com/distributed.htm.

The -M option of the chage command specifies the maximum number of days the password is valid. So, for instance, to set a user’s password to expire in 90 days, type the following com-mand:

Password Protecting GRUB Using Boot Loader Passwords

GRUB can be configured by adding a password directive to its configuration file. To do this, first decide on a password, then open a shell prompt, log in as root, and type:

When prompted, type the GRUB password and press Enter. This returns an MD5 hash of the password.

Next, edit the GRUB configuration file /boot/grub/grub.conf. Open the file and below the timeout line in the main section of the document, add the following line:

Replace with the value returned by /sbin/grub-md5-crypt

The next time the system boots, the GRUB menu does not allow access to the editor or com-mand interface without first pressing p followed by the GRUB password.

prevent an attacker from booting into a non-secure operat-ing system in a dual-boot environment. For this, a different part of the /boot/grub/grub.conf file must be edited.

Look for the title line of the non-secure operating system and add a line that says lock directly beneath it.

For a DOS system, the stanza should begin similar to the following:

To create a different password for a particular kernel or operating system, add a lock line to the stanza, followed by a password line.

Each stanza protected with a unique password should begin with lines similar to the following example:

Install or upgrade the csf webmin module and csf Uninstallation.

To install or upgrade the csf webmin module:

Install csf first.

Install the csf webmin module in.

Uninstallation

Removing csf and lfd is even more simple:

On cPanel servers:

On DirectAdmin servers:

On generic linux servers: