Archive for the 'Security' Category

tshark - Dump and analyze network traffic

TShark is a network protocol analyzer. It lets you capture packet data from a live network, or read packets from a previously saved capture file, either printing a decoded form of those packets to the standard output or writing the packets to a file. TShark’s native capture file format is libpcap format, which is also the format used by tcpdump and various other tools.

Without any options set, TShark works much like tcpdump: it uses the pcap library to capture traffic from the first available network interface and displays a summary line on stdout for each received packet.

Example :

# tshark -n -i ppp0 port 80
Running as user “root” and group “root”. This could be dangerous.
Capturing on ppp0

-n Disable network object name resolution (hostnames and TCP and UDP port names). A later -N flag can selectively re-enable parts of it.

-i [capture interface] Capture on the named interface (ppp0 here). Without -i, TShark picks the first non-loopback interface it finds.

The trailing "port 80" is a capture filter in libpcap (BPF) syntax, so only traffic to or from port 80 is captured in the first place rather than filtered after the fact. The "Running as user root" warning is worth taking seriously: the dissectors parse untrusted input, so on Linux the usual fix is to give dumpcap (the helper TShark uses for capture) the cap_net_raw and cap_net_admin capabilities with setcap and run tshark as an unprivileged user in the wireshark group.

SBDavid
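Capturing is only half the job. The following shell example is added here and is not part of the original post; it shows one way to analyse a capture after the fact. It assumes the packets were saved with tshark -w and then exported as tab-separated fields with tshark -n -r capture.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' -T fields -e ip.src -e ip.dst -e tcp.dstport (older TShark releases spell the display-filter option -R). The records below are a constructed stand-in for that output, and the function names and the threshold are my own.

```shell
# Constructed stand-in for "tshark -T fields -e ip.src -e ip.dst -e tcp.dstport"
# output restricted to initial SYNs (one line per connection attempt).
sample_syns() {
    printf '%s\t%s\t%s\n' \
        10.0.0.5      93.184.216.34 80 \
        10.0.0.5      93.184.216.34 80 \
        10.0.0.5      93.184.216.34 443 \
        10.0.0.9      10.0.0.1      22 \
        198.51.100.77 10.0.0.1      22 \
        198.51.100.77 10.0.0.1      23 \
        198.51.100.77 10.0.0.1      25 \
        198.51.100.77 10.0.0.1      80 \
        198.51.100.77 10.0.0.1      443 \
        198.51.100.77 10.0.0.1      3306
}

# Read SYN records on stdin and print "source syn_count distinct_targets" for
# every source that touched at least $1 distinct host:port pairs, most targets
# first. Many distinct targets from one source is the signature of a port or
# host scan; many SYNs to a single target is a connection flood.
flag_syn_sources() {
    awk -F'\t' -v threshold="$1" '
        NF >= 3 {
            syns[$1]++
            key = $1 SUBSEP $2 SUBSEP $3
            if (!(key in seen)) { seen[key] = 1; targets[$1]++ }
        }
        END {
            for (src in syns)
                if (targets[src] >= threshold)
                    printf "%s %d %d\n", src, syns[src], targets[src]
        }' | sort -k3,3nr -k2,2nr
}

# On a real capture, replace sample_syns with:
#   tshark -n -r capture.pcap -Y 'tcp.flags.syn==1 && tcp.flags.ack==0' \
#          -T fields -e ip.src -e ip.dst -e tcp.dstport
sample_syns | flag_syn_sources 5
```

With the threshold at 5 only 198.51.100.77 is reported (6 SYNs to 6 distinct host:port pairs); lowering it to 2 also surfaces the ordinary web client 10.0.0.5, which is why the threshold should be tuned against normal traffic on the monitored segment before it is used as an alert.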

How do I access cPanel webmail logs

If you would like to see who accessed a certain webmail account, the following cPanel log file can be searched for the relevant access entries:

/usr/local/cpanel/logs/access_log

Or use the following.

grep -in username /usr/local/cpanel/logs/access_log

Replace username with the webmail user. Note that grep matches the string anywhere in the line, so a hit may come from a URL, a referer or a user agent that happens to contain the name, and a user called "bob" will also match "bobby"; check that the match is in the user field before drawing conclusions.

From the grep man pages.

-i, --ignore-case
Ignore case distinctions in both the PATTERN and the input files. (-i is specified by POSIX.)

-n, --line-number
Prefix each line of output with the 1-based line number within its input file. (-n is specified by POSIX.)
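The grep above answers "did the name appear" rather than "who logged in from where". The following shell snippet is an added example, not part of the original post, that anchors the match to the user field and summarises the hits per client address. The log lines are constructed, and the column layout assumed for them (client IP, a dash, the authenticated user, a bracketed timestamp, the request, status, size, referer, user agent) is an assumption; verify it against a real line from the file before running this on production logs.

```shell
# Constructed sample of /usr/local/cpanel/logs/access_log lines. Assumed layout:
# client-IP - user [timestamp] "request" status bytes "referer" "user-agent"
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - bob [31/08/2009:10:15:02 +0000] "GET /cpsess123/webmail/x3/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - bob [31/08/2009:10:15:09 +0000] "GET /cpsess123/3rdparty/roundcube/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - bob [31/08/2009:23:41:57 +0000] "POST /login/?login_only=1 HTTP/1.1" 200 312 "-" "python-requests/2.0"
203.0.113.9 - bobby [31/08/2009:11:02:44 +0000] "GET /cpsess456/webmail/x3/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.5 - alice [31/08/2009:12:00:00 +0000] "GET /cpsess789/webmail/x3/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 bob-bot"
EOF
}

# For one exact user name, print "hits client-IP first-seen last-seen",
# busiest client first. Matching on the user field ($3) instead of grepping
# the whole line keeps "bobby" and a user agent containing "bob" out of the
# result for user "bob".
webmail_access_by_ip() {
    awk -v user="$1" '
        $3 == user {
            ip = $1; ts = substr($4, 2)          # drop the leading "["
            hits[ip]++
            if (!(ip in first)) first[ip] = ts
            last[ip] = ts
        }
        END { for (ip in hits) printf "%d %s %s %s\n", hits[ip], ip, first[ip], last[ip] }
    ' | sort -rn
}

# Substring grep, as in the post, over-counts: 5 of the 5 lines match "bob"
sample_access_log | grep -ic bob
# Exact user match: 3 hits from 2 client addresses, one of them a scripted
# login at 23:41 from an address the user never used in the browser
sample_access_log | webmail_access_by_ip bob
```

The second client address with a python-requests user agent is the kind of entry this summary is meant to surface; once a suspicious address is identified, grep for that address across the whole file (and the mail server logs) to see what else it touched.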

Preventing Accidental Denial of Service

Linux allows you to set limits on the amount of system resources that users and groups can use.

Restricting System Resources

The following example shows a practical use of setting or restricting system resources for a database user account. For the full list of resource settings, see /etc/security/limits.conf; it is a good idea to review the default settings of system resources while you are there.

database soft nofile 4096
database hard nofile 63536

The "soft limit" in the first line is the number of open files (file handles) the database user gets after login. If the database user gets error messages about running out of file handles, the user can raise the soft limit itself, up to the "hard limit" of 63536 set in the second line, by running the following command:

ulimit -n 63536
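To see those rules in action, here is an added shell demonstration (my own, not from the original post) that lowers the open-files limit inside a subshell and then attempts the moves that are and are not allowed. The values 128/256/512 are assumed to be below the current hard limit, which holds on any normal Linux system; because everything runs in a subshell, the caller's own limits are untouched.

```shell
# Exercise the soft/hard open-files (nofile) limit rules inside a subshell so
# the caller's own limits are not changed. Prints the final limits and returns
# non-zero if the kernel behaves differently from what the post describes.
# Assumption: the current hard limit is above 256 (true on any normal system).
demo_soft_hard() {
    (
        # soft must be set first: the kernel rejects soft > hard (EINVAL)
        ulimit -S -n 256 && ulimit -H -n 256 || { echo "could not lower limits"; exit 1; }

        # 1. raising the soft limit above the hard limit is refused
        if ulimit -S -n 512 2>/dev/null; then echo "soft limit exceeded hard limit"; exit 1; fi

        # 2. the soft limit may move freely anywhere up to the hard limit
        ulimit -S -n 128 && ulimit -S -n 256 || { echo "soft adjustment failed"; exit 1; }

        # 3. lowering the hard limit is always allowed ...
        ulimit -S -n 128 && ulimit -H -n 128 || { echo "hard lowering failed"; exit 1; }

        # 4. ... but an unprivileged process can never raise it again
        if [ "$(id -u)" -ne 0 ] && ulimit -H -n 256 2>/dev/null; then
            echo "hard limit raised without CAP_SYS_RESOURCE"; exit 1
        fi

        echo "soft=$(ulimit -S -n) hard=$(ulimit -H -n)"
    )
}

demo_soft_hard
```

Step 4 is the reason the hard limit is the security control: once pam_limits has applied it at login, nothing the user runs afterwards can undo it, whereas the soft limit only protects against the user's own mistakes.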

Most shells, Bash included, provide control over various resources such as the maximum number of open file descriptors or the maximum number of processes available to a user. To see all limits for the current shell session, run:

# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 20
file size (blocks, -f) unlimited
pending signals (-i) 16382
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 8192
cpu time (seconds, -t) unlimited
max user processes (-u) unlimited
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited

Each line describes a limit for a user in the form below (from the comments in /etc/security/limits.conf):

#<domain>      <type>  <item>         <value>
#
#Where:
#<domain> can be:
#        - a user name
#        - a group name, with @group syntax
#        - the wildcard *, for default entry
#        - the wildcard %, can be also used with %group syntax,
#                 for maxlogin limit
#        - NOTE: group and wildcard limits are not applied to root.
#          To apply a limit to the root user, <domain> must be
#          the literal username root.
#
#<type> can have the two values:
#        - "soft" for enforcing the soft limits
#        - "hard" for enforcing hard limits
#
#<item> can be one of the following (among others):
#        - core - limits the core file size (KB)
#        - nofile - max number of open file descriptors
#        - cpu - max CPU time (MIN)
#        - nproc - max number of processes

Example:

@student hard nproc 50
@faculty soft nproc 50

Linux Password Security with pam_cracklib

Standard Unix reusable passwords are not, on their own, a strong authentication system: nothing stops users from choosing short or dictionary passwords. To address this shortcoming, the PAM module pam_cracklib was developed for Linux systems; it checks a proposed new password against a dictionary and against length and character-class rules before pam_unix is allowed to store it.

Enabling pam_cracklib

The pam_cracklib module is enabled via the system's standard PAM configuration interface. On Debian systems this is the /etc/pam.d/common-password file (on Red Hat-derived systems it is /etc/pam.d/system-auth). Newer releases of both families ship pam_pwquality in its place, which accepts the same retry, minlen, difok and credit arguments shown here.

The typical configuration looks something like this:

For Debian:

password required pam_cracklib.so retry=3 minlen=12 difok=4
password required pam_unix.so md5 remember=12 use_authtok

For Red Hat:

To set up these password restrictions, edit the /etc/pam.d/system-auth file and add or change the pam_cracklib arguments on the "password requisite" line (retry, minlen and the four credit values):

auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
SBDavid
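The two configurations above look different in strength (minlen=12 versus minlen=8) but are not, and the reason is the credit arithmetic. The following shell snippet is an added example, not from the original post or the pam_cracklib project, that works out what a given pam_cracklib line actually enforces: with a positive credit, up to that many characters of a class count twice toward minlen, so credits lower the real minimum length; with a negative credit, that many characters of the class are required and nothing is credited. The module defaults (minlen=9, one credit per class) are taken from its manual page; the "weak" threshold in the verdict function is my own assumption, and dictionary, palindrome and difok checks are not modelled.

```shell
# Report what a pam_cracklib "password" line actually enforces.
# Credit rule from the module: a credit of N >= 0 lets up to N characters of
# that class count double toward minlen (lowering the real minimum), while a
# credit of -N requires at least N characters of that class and adds nothing.
# Module defaults are minlen=9 and +1 credit per class. Dictionary, palindrome
# and difok (similarity) checks are not modelled here.
cracklib_effective() {
    minlen=9 lcredit=1 ucredit=1 dcredit=1 ocredit=1
    for tok in $1; do
        case $tok in
            minlen=*)  minlen=${tok#*=} ;;
            lcredit=*) lcredit=${tok#*=} ;;
            ucredit=*) ucredit=${tok#*=} ;;
            dcredit=*) dcredit=${tok#*=} ;;
            ocredit=*) ocredit=${tok#*=} ;;
        esac
    done
    credit=0 required=0
    for c in $lcredit $ucredit $dcredit $ocredit; do
        if [ "$c" -ge 0 ]; then credit=$((credit + c)); else required=$((required + 1)); fi
    done
    # shortest accepted password (if it uses every credited class), classes required
    echo "$((minlen - credit)) $required"
}

# One-line verdict: "min_length=N required_classes=K" plus " weak" when the
# line accepts fewer than 8 real characters or requires fewer than 3 classes
# (assumed policy, adjust to your own).
cracklib_verdict() {
    set -- $(cracklib_effective "$1")
    if [ "$1" -lt 8 ] || [ "$2" -lt 3 ]; then tag=" weak"; else tag=""; fi
    echo "min_length=$1 required_classes=$2$tag"
}

# The two lines quoted in the post above
cracklib_verdict "password required pam_cracklib.so retry=3 minlen=12 difok=4"
cracklib_verdict "password requisite pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1"
```

The Debian line with minlen=12 and default credits accepts an 8-character password as long as it mixes all four classes, and requires none of them; the Red Hat line with minlen=8 and all credits at -1 also bottoms out at 8 characters but insists on a lower-case, an upper-case, a digit and a symbol. Setting the credits negative is what turns minlen into a real minimum.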

Enabling Password Aging

The following example shows how password expiration can be set up for individual user accounts.

The following files and parameters are consulted when a new account is created with the useradd command, and the resulting values are recorded for each account in the /etc/shadow file.

Therefore, make sure to configure these parameters before you create any user accounts with useradd:

$ grep PASS_ /etc/login.defs

# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_WARN_AGE Number of days warning given before a password expires.
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
#PASS_CHANGE_TRIES
#PASS_ALWAYS_WARN
#PASS_MIN_LEN
#PASS_MAX_LEN

Also check /etc/default/useradd:

# The number of days after a password expires until the account
# is permanently disabled
# INACTIVE=-1
#
# The default expire date
# EXPIRE=

When a user account is created using the useradd command, the parameters listed above are recorded in the /etc/shadow file in the following fields (the date of the last password change is stored as days since 1 January 1970):

[username]:[password]:[date of last change]:PASS_MIN_DAYS:PASS_MAX_DAYS:PASS_WARN_AGE:INACTIVE:EXPIRE:

To create a new user account you can execute the following command:

useradd -c "centos" -g users test

To get the password expiration information for that account:

$ chage -l test

Last password change : Aug 31, 2009
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
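The chage output above shows the default outcome: with PASS_MAX_DAYS left at 99999, passwords never expire. The following shell snippet is an added example, not from the original post, that audits /etc/shadow entries laid out as described above and prints the chage command that would put each non-expiring account on a policy. The shadow lines are constructed (day 14487 since the epoch is 31 August 2009, the date in the chage output above), and the 1/90/7/14 values are an assumed policy, not something the post prescribes.

```shell
# Constructed /etc/shadow lines in the field order shown above:
# name:password:last-change:min:max:warn:inactive:expire:(reserved)
sample_shadow() {
    cat <<'EOF'
root:$6$c1$hash:14487:0:99999:7:::
alice:$6$c2$hash:14487:0:99999:7:::
bob:$6$c3$hash:14487:1:90:7:14::
svc-backup:!!:14487:0:99999:7:::
daemon:*:14487:0:99999:7:::
EOF
}

# Print users whose password is usable (not locked with "!" or "*") and
# never expires: an empty max field, or the 99999 that login.defs hands out.
# Locked accounts are skipped because aging a password nobody can use
# changes nothing.
non_expiring_passwords() {
    awk -F: '$2 !~ /^[!*]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }'
}

# Emit (not run) the chage command that puts each user on an aging policy:
# -m min days, -M max days, -W warning days, -I days of inactivity after
# expiry before the account is disabled. Assumed policy: 1/90/7/14.
suggest_chage() {
    while read -r user; do
        printf 'chage -m 1 -M 90 -W 7 -I 14 %s\n' "$user"
    done
}

sample_shadow | non_expiring_passwords | suggest_chage
```

Run against the real file as root (the shadow file is not world-readable) and review the output before piping it into sh; in particular decide deliberately whether root and service accounts that log in interactively should be on the same policy as ordinary users.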
