Monday, February 29, 2016

Linux Enable user with blank password.

9:50 PM Posted by Dilli Raj Maharjan No comments

Create a user on Linux.

sudo useradd user1

By default the new account is locked: its password field in /etc/shadow holds "!" or "!!", so nobody can log in as user1 until a password is set. The following commands show the shadow entry for user1 and then delete its password, which leaves that field empty.

sudo grep user1 /etc/shadow
sudo passwd -d user1

By default sshd refuses password logins to accounts whose password is empty (PermitEmptyPasswords defaults to no). To allow them, set the following in /etc/ssh/sshd_config. PasswordAuthentication must also be yes, and the pam_unix line used for authentication must carry the nullok option, which many distributions already set.

PermitEmptyPasswords yes

Restart sshd so the change takes effect.

/etc/init.d/sshd restart

Now the login succeeds with no password prompt.

ssh user1@10.10.10.250

Removing a user's password and allowing empty-password logins over SSH is a serious risk: anyone who can reach the SSH port can log in as that user with no credentials at all. Enable it only when it is genuinely required and fully understood, limit the exposure (firewall the port, restrict the account with AllowUsers or a ForceCommand in sshd_config, give it a minimal shell), and revert the change as soon as it is no longer needed. The "Checking accounts for empty password" section further down shows how to find such accounts.

Secure Linux server 3

9:44 PM Posted by Dilli Raj Maharjan , No comments

Keep /boot as read-only

/boot holds the kernel images, the initial ramdisks, the bootloader stages and the bootloader configuration. Nothing on the running system needs to write there: it is read by the bootloader at boot time and written only when a kernel or the bootloader is installed or updated. Mounting it read-only on production systems means that replacing the kernel or editing the boot configuration, a common way to persist a compromise, first requires an explicit remount; it can be remounted read-write for the duration of a kernel upgrade.

At installation time /boot is mounted read-write. The mount options are set in /etc/fstab. First run mount to see how the partitions are currently mounted.

mount

Modify the /boot entry in /etc/fstab so the partition is mounted read-only at boot:

vi /etc/fstab
Replace "defaults" with "defaults,ro" in the options field of the /boot line (the keyword is defaults, plural).

Remount /boot read-only now, without rebooting, and verify with mount that it shows ro:


sudo mount -o remount,ro /boot
mount

Temporarily remount /boot read-write whenever needed (a kernel upgrade or a change to the boot options). Do this before running the package manager, because installing a kernel into a read-only /boot fails with "Read-only file system"; remount it read-only again afterwards.


sudo mount -o remount,rw /boot

Mount /tmp and data partitions with nodev, nosuid and noexec options

/tmp is world-writable, so any local user, and any compromised service account, can write there. That makes it the usual staging area for downloaded tools and malicious scripts. Mounting /tmp with nodev, nosuid and noexec takes away much of that usefulness.

On a normally mounted /tmp any user can create a file and execute it:

cd /tmp/
cat > hello.sh
#!/bin/sh
echo "This is hello message from tmp"
^D
chmod 755 hello.sh 

/tmp/hello.sh 

The three options mean:

nosuid: ignore set-user-ID and set-group-ID bits on files in this filesystem, so a planted setuid binary gains nothing.
nodev: do not interpret character or block special files in this filesystem, so a user cannot create a device node that gives raw access to a disk or to memory.
noexec: do not allow direct execution of binaries or scripts from this filesystem.

In /etc/fstab (here /dev/sdb1 is the device holding /tmp in this example):

/dev/sdb1               /tmp                    ext4    defaults,nosuid,nodev,noexec       0 0

noexec suits any partition that holds only data and never needs to run programs from it, a database's data directory for example. With /tmp mounted noexec, running /tmp/hello.sh directly fails with "Permission denied". The restriction is easy to step around, however: sh /tmp/hello.sh still works, because the kernel is executing /bin/sh, which then reads the script as data, and the same holds for perl, python or any other interpreter. noexec therefore raises the bar against automated malware and careless operators rather than against a determined attacker. Also check that installers and package scripts that build in /tmp still work; many honour TMPDIR if they need an executable scratch directory.

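To confirm that the two mount hardenings in this post (/boot read-only, /tmp with nodev,nosuid,noexec) are actually in effect, here is an added example script, not part of the original post: it reads a /proc/mounts-format table, which is the kernel's view rather than what /etc/fstab promises, and reports which required options are missing. The device names and the two sample tables are constructed; with --live it reads the running system's /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that /boot is mounted
# read-only and /tmp carries nodev,nosuid,noexec by reading the kernel's own
# view in /proc/mounts, not /etc/fstab. Device names and the two sample
# tables below are constructed.

# mount_opts TABLE MOUNTPOINT -> the comma-separated option list of
# MOUNTPOINT from a /proc/mounts-format TABLE (dev mnt fstype opts dump
# pass); exit 1 and print nothing if it is not mounted.
mount_opts() {
    _found=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4 }')
    [ -n "$_found" ] || return 1
    printf '%s\n' "$_found"
}

# missing_opts TABLE MOUNTPOINT OPT... -> prints the required options the
# mount lacks, space separated on one line; exit 0 when none is missing.
missing_opts() {
    _table=$1; _mp=$2; shift 2
    _opts=$(mount_opts "$_table" "$_mp") || { echo "not-mounted"; return 1; }
    _miss=""
    for _want in "$@"; do
        case ",$_opts," in
            *",$_want,"*) ;;
            *) _miss="$_miss${_miss:+ }$_want" ;;
        esac
    done
    [ -z "$_miss" ] && return 0
    echo "$_miss"
    return 1
}

# audit_mounts TABLE -> one line per mountpoint this post hardens; exit 1
# if any check fails.
audit_mounts() {
    _rc=0
    _m=$(missing_opts "$1" /boot ro) \
        && echo "/boot: ok" || { echo "/boot: missing $_m"; _rc=1; }
    _m=$(missing_opts "$1" /tmp nodev nosuid noexec) \
        && echo "/tmp: ok" || { echo "/tmp: missing $_m"; _rc=1; }
    return $_rc
}

# Constructed /proc/mounts excerpt: /boot still rw, /tmp without noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,data=ordered 0 0
/dev/sda2 /boot ext4 rw,relatime 0 0
/dev/sdb1 /tmp ext4 rw,nosuid,nodev,relatime 0 0'

# The same system after "mount -o remount,ro /boot" and adding noexec to /tmp.
SAMPLE_FIXED='/dev/sda1 / ext4 rw,relatime,data=ordered 0 0
/dev/sda2 /boot ext4 ro,relatime 0 0
/dev/sdb1 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

if [ "${1:-}" = "--live" ]; then
    audit_mounts "$(cat /proc/mounts)"        # audit the running host
else
    audit_mounts "$SAMPLE_MOUNTS" || true     # expected: both report missing options
    echo "---"
    audit_mounts "$SAMPLE_FIXED"              # expected: both ok
fi
```

Checking /proc/mounts rather than /etc/fstab matters because a partition remounted read-write for a kernel upgrade and never remounted read-only passes an fstab review but fails this check.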
Ignore ICMP or broadcast requests

ICMP echo is used to verify network connectivity, but it is also the vehicle for the smurf attack: echo requests are sent to a network's broadcast address with the victim's address forged as the source, and every host that answers floods the victim, a reflected and amplified denial of service. Two kernel parameters control how this host answers. icmp_echo_ignore_broadcasts=1 stops it replying to broadcast echo requests, so it cannot be used as an amplifier (recent kernels already default to this). icmp_echo_ignore_all=1 makes it ignore every ping, which also breaks legitimate reachability monitoring, so enable that one only where you accept the trade-off. Add the parameters to /etc/sysctl.conf:

net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

Load the file so the settings take effect immediately (it is also read at boot):

sysctl -p

Implement DenyHosts to ban malicious IP addresses

Configure denyhost on Linux

Avoid using FTP, Telnet and rlogin/rsh services

These protocols send credentials and session data in cleartext, so anyone on the network path can capture them. Check with ps whether any of them is running; if one is found and not needed, disable or remove it and use SSH/SFTP instead. Note that on RHEL-style systems the telnet and rsh servers are usually started by xinetd and do not appear as their own process until a connection arrives, so also check /etc/xinetd.d and chkconfig --list.

ps ax | grep -i 'ftp\|telnet\|rsh\|rlogin'

Use sudo instead of direct root access

sudo ("superuser do") lets a user run some or all commands as root, or as another user, with each invocation logged and without sharing the root password. Although /etc/sudoers can be edited directly, always use visudo: it locks the file against concurrent edits and checks the syntax before saving, whereas a syntax error in a hand-edited sudoers disables sudo for everyone.

The sudoers file groups things with aliases, of which there are four kinds. A Host_Alias names the hosts on which a rule applies; it is only useful when one sudoers file is shared among several machines. If the file is not shared, use ALL, or the hostname or IP address of the machine the file lives on.


Host Aliases (Also known as host list)
Host_Alias DCLAN = 192.168.0.1/28: DBSERVERS = 192.168.1.250, mylinux

User Aliases (Also known as user list)

User_Alias ADMINS = dilli : BCKADMIN = raju, kamal

Command Aliases (Also known as command list)

Cmnd_Alias CMD_ADMIN = /sbin/poweroff : CMD_BCKADMIN = /bin/rsync : CMD_ORCLBCK = /home/oracle/rman

Runas_Alias (Also known as Operator list)

Runas_Alias RLIST1 = oracle

Tag list (from the sudoers grammar):

Tag_Spec ::= (NOPASSWD: | PASSWD: | NOEXEC: | EXEC: |
                   SETENV: | NOSETENV: | LOG_INPUT: | NOLOG_INPUT: |
                   LOG_OUTPUT: | NOLOG_OUTPUT:)

User specifications are where the sudoers file sets who can run what, as whom, and on which hosts. The general form is

user_list host_list=(runas_list) tag_list command_list

For example:
ADMINS ALL=(ALL) NOPASSWD:CMD_ADMIN

All users in the ADMINS alias may run the commands in CMD_ADMIN on any host (ALL) with the privileges of any user ((ALL)), and because of the NOPASSWD tag they are not asked for their password when doing so.

sudo /sbin/poweroff

User dilli can therefore run sudo /sbin/poweroff without a password prompt.


BCKADMIN DBSERVERS=(RLIST1) PASSWD:CMD_ORCLBCK

The users in the BCKADMIN alias, raju and kamal, may run the command in CMD_ORCLBCK on the hosts in the DBSERVERS alias and must enter their password first (PASSWD, which is also the default). The Runas list (RLIST1) restricts them to running it as user oracle only. As noted above, the host part matters only when the sudoers file is shared among servers; otherwise use ALL or the local hostname.

sudo  /home/oracle/rman

This fails: sudo reports that user raju is not allowed to execute the command as root, because sudo runs commands as root unless told otherwise and the rule only permits oracle.

The -u option names the target user:

sudo -u oracle /home/oracle/rman

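As an added example, not from the original post: the aliases and the two user specifications above assembled into one drop-in file for /etc/sudoers.d, written with the 0440 mode sudo expects, plus a wrapper around visudo -c -f that checks the syntax before anything is installed. The file name dba-backup and the install step are assumptions; hosts, users and paths are the post's own. visudo in check mode also verifies that the file is owned by root with mode 0440, so run the check as root or on a root-owned copy.

```shell
#!/bin/sh
# Added example (not from the original post): the aliases and rules above as
# a drop-in for /etc/sudoers.d, staged to a scratch path and syntax-checked
# with visudo before it goes anywhere near the live configuration. The file
# name dba-backup is assumed; hosts, users and paths are the post's own.

# write_sudoers_fragment PATH -> writes the rules to PATH with mode 0440,
# the permissions sudo requires for its configuration files.
write_sudoers_fragment() {
    cat > "$1" <<'EOF'
# Host aliases: only meaningful when one sudoers is shared between machines
Host_Alias DCLAN = 192.168.0.1/28 : DBSERVERS = 192.168.1.250, mylinux

# User aliases
User_Alias ADMINS = dilli : BCKADMIN = raju, kamal

# Command aliases: absolute paths and no wildcards, so nothing else matches
Cmnd_Alias CMD_ADMIN = /sbin/poweroff : CMD_BCKADMIN = /bin/rsync : CMD_ORCLBCK = /home/oracle/rman

# Runas alias: the only target account the backup operators may use
Runas_Alias RLIST1 = oracle

# ADMINS may power off any host, as any user, without a password prompt
ADMINS ALL=(ALL) NOPASSWD: CMD_ADMIN

# Backup operators may run only the RMAN wrapper, only as oracle, only on
# the database servers, and must authenticate first
BCKADMIN DBSERVERS=(RLIST1) PASSWD: CMD_ORCLBCK
EOF
    chmod 0440 "$1"
}

# check_sudoers_fragment PATH -> 0 if visudo accepts PATH, 1 on a syntax (or
# ownership/mode) error, 2 if visudo is not installed, so a caller never
# installs an unchecked file. visudo -c also requires the file to be owned
# by root with mode 0440, so run this as root or on a root-owned copy.
check_sudoers_fragment() {
    command -v visudo >/dev/null 2>&1 || return 2
    visudo -c -q -f "$1"
}

# Stage, check, then install (the install step needs root):
#   f=$(mktemp -d)/dba-backup
#   write_sudoers_fragment "$f" && check_sudoers_fragment "$f" \
#       && install -o root -g root -m 0440 "$f" /etc/sudoers.d/dba-backup
# Afterwards "sudo -l -U raju" lists exactly what raju may run.
```

Keeping the rules in a drop-in rather than in /etc/sudoers itself means a bad file can be removed without touching the main configuration, and the check-before-install step is what visudo does for you when you edit interactively.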
Monday, February 15, 2016

Purge MySQL binary logs

6:34 AM Posted by Dilli Raj Maharjan No comments
The binary log is a set of files recording the data modifications made by a MySQL server. They are written on the master when binary logging is enabled and are what replicas replay. Over time the number of files grows and they must be cleaned up regularly. PURGE BINARY LOGS deletes files from disk and from the server's binary log index according to the value given, so before purging make sure every replica has already read past the files being removed (compare Master_Log_File in SHOW SLAVE STATUS on each replica with SHOW BINARY LOGS on the master), and back the files up to tape or external storage if you may need them for point-in-time recovery. For routine cleanup, expire_logs_days lets the server purge old files automatically.

Binary logs can be purged up to a given log name or before a date:

PURGE BINARY LOGS
    { TO 'log_name' | BEFORE datetime_expr };

PURGE BINARY LOGS TO 'master-bin.010';

Deletes all binary logs older than master-bin.010; that file itself is kept.


PURGE BINARY LOGS BEFORE '2016-01-01 00:00:00';
Deletes all binary logs older than 2016-01-01 00:00:00.

As shown in the figure below I have around 10% disk space free.

More than 52 binary log files have been created. I need to purge them.

Run the purge so that the files are removed both from the OS and from MySQL's binary log index:

PURGE BINARY LOGS TO 'master-bin.000400';

Verify from the OS side that the files are gone (list the data directory; the binlog index file should now name only the remaining logs).

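As an added example, not from the original post: a script that computes a safe PURGE BINARY LOGS TO target from the Log_name column of SHOW BINARY LOGS. It keeps the newest N files and never goes past the file any replica is still reading (the Master_Log_File value from SHOW SLAVE STATUS on that replica), which is the check the warning above asks for. The file names are constructed using the post's master-bin base name; the master and replica values are assumed to have been collected with those two statements.

```shell
#!/bin/sh
# Added example (not from the original post): compute a PURGE BINARY LOGS TO
# target that keeps the newest N files AND never removes a file a replica is
# still reading. Input is the Log_name column of SHOW BINARY LOGS and the
# Master_Log_File value from each replica's SHOW SLAVE STATUS; the sample
# values below are constructed, the base name master-bin is the post's.

# oldest_name NAME... -> the lexicographically smallest name. Binlog names
# share a base and a zero-padded counter, so string order is time order.
oldest_name() {
    printf '%s\n' "$@" | LC_ALL=C sort | head -n 1
}

# keep_last_n LOG_LIST N -> the N-th newest file; purging "TO" that name
# keeps exactly N files. With fewer than N files it returns the oldest,
# so nothing would be purged.
keep_last_n() {
    printf '%s\n' "$1" | LC_ALL=C sort | tail -n "$2" | head -n 1
}

# purge_target LOG_LIST N REPLICA_FILE... -> the safe target: the older of
# "keep N files" and the oldest file any replica still needs.
purge_target() {
    _logs=$1; _n=$2; shift 2
    _cand=$(keep_last_n "$_logs" "$_n")
    if [ $# -gt 0 ]; then
        _cand=$(oldest_name "$_cand" "$@")
    fi
    printf '%s\n' "$_cand"
}

# purge_statement LOG_LIST N REPLICA_FILE... -> the SQL to run on the master,
# or nothing (exit 1) when the target is already the oldest file, i.e.
# there is nothing that can be purged safely.
purge_statement() {
    _target=$(purge_target "$@")
    _first=$(printf '%s\n' "$1" | LC_ALL=C sort | head -n 1)
    [ "$_target" != "$_first" ] || return 1
    printf "PURGE BINARY LOGS TO '%s';\n" "$_target"
}

# Constructed Log_name column: the master holds files 000395..000402.
LOGS='master-bin.000395
master-bin.000396
master-bin.000397
master-bin.000398
master-bin.000399
master-bin.000400
master-bin.000401
master-bin.000402'

# Keep the newest 3 files, but one lagging replica is still on 000398, so
# the purge must stop there: files 000395..000397 go, 000398 stays.
purge_statement "$LOGS" 3 master-bin.000401 master-bin.000398 || echo "nothing to purge"
```

The replica check is the part that matters operationally: PURGE BINARY LOGS TO removes every file older than the one named, and a replica whose Master_Log_File has been deleted stops with an I/O error and must be rebuilt from a fresh backup.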
Monday, February 1, 2016

Secure Linux server 2

8:43 PM Posted by Dilli Raj Maharjan , No comments

Secure Linux server 1


Verify which network ports are listening.

Run netstat to list every listening TCP and UDP socket together with the owning process (-p shows processes you do not own only when run as root). Disable any listening service that is not required. On newer systems ss -tulpn gives the same view.
netstat -tulpn

lsof shows more detail about the processes behind the listening ports:

lsof -Pnl +M -i4

SELinux

Security-Enhanced Linux (SELinux) is a mandatory access control (MAC) mechanism implemented in the kernel. It has three modes:
Enforcing: the default. The policy is enforced; denied accesses are blocked and logged.
Permissive: the policy is loaded and violations are logged, but nothing is blocked. Useful for troubleshooting, because the audit log then shows everything the policy would have denied.
Disabled: SELinux is turned off entirely (switching to or from this state requires a reboot and a filesystem relabel).

Within a confined domain everything not explicitly allowed by the policy is denied, and the policy is written to give each component only the access it needs to function.


In the example below SELinux has prevented my MySQL process from starting.

To troubleshoot I switched SELinux to Permissive; after that MySQL started normally, which confirms that SELinux was the cause.

getenforce shows the current mode. setenforce 0 switches to Permissive until the next boot (the persistent setting lives in /etc/selinux/config). sealert reads the audit log and explains each denial, usually with a suggested fix:

/usr/sbin/getenforce
setenforce 0
/etc/init.d/mysqld start
sealert -a /var/log/audit/audit.log

There are two ways forward: disable SELinux, or load a policy module that permits what MySQL was denied. The second is recommended. The denials recorded in the audit log are turned into a type-enforcement source file, mysql.te (tools such as audit2allow generate one from the AVC messages).

Create the policy module.

cat mysql.te

Read mysql.te before going further: rules generated from denials allow exactly what was denied, so if the denials came from files in a non-default location (a relocated data directory, for example) the right fix is to label those paths with semanage fcontext and restorecon rather than to widen the policy. Then compile the module, package it and load it:

checkmodule -M -m -o mysql.mod mysql.te
semodule_package -o mysql.pp -m mysql.mod
semodule -i mysql.pp

Now set SELinux back to enforcing (setenforce 1) and start MySQL; it runs normally because the loaded module allows the operations that were previously denied. The module does not make SELinux ignore MySQL: mysqld stays confined, and only the recorded denials are now permitted.

User Password

Set password expiration. chage -l shows a user's password ageing; in the example below the password for user dilli never expires.

chage -l dilli

Change a user's password age with the commands below (the second form sets all three values at once):

chage -M 60 dilli
chage -M 60 -m 7 -W 7 dilli

-M maximum number of days a password remains valid
-m minimum number of days between password changes
-W number of days of warning before the password expires

In the example above the password of user dilli expires 60 days after it is set. Once it is changed, the user must wait at least 7 days before changing it again. Warnings start 7 days before expiry, so from the 53rd day onwards dilli is told at login that the password is about to expire.

These values can also be set in /etc/login.defs so that they apply to every user created afterwards:

sudo vi /etc/login.defs
PASS_MAX_DAYS   60
PASS_MIN_DAYS   7
PASS_WARN_AGE   7

Above we checked the ageing settings for user oracle. Because oracle was created before login.defs was changed, the new defaults do not apply to that account (existing users must be updated with chage). User xyz, created afterwards, has the new values in effect.


Enforcing Stronger Passwords

Weak passwords are among the main causes of compromise: they fall to dictionary and brute-force attacks. Strong passwords mix upper-case letters, lower-case letters, digits and symbols and have a reasonable minimum length. The PAM module pam_passwdqc.so enforces such complexity; it is a password strength checking module for PAM that also explains to the user why a password was rejected.

Comment out the following line in /etc/pam.d/system-auth (otherwise both checkers would apply):
pam_cracklib.so try_first_pass retry=3 type= 

Add the pam_passwdqc setting in its place:
vi /etc/pam.d/system-auth
password required pam_passwdqc.so min=disabled,40,10,8,6 similar=deny enforce=everyone disable_firstupper_lastdigit_check

Four character classes are used:

  1. Upper Character class [A-Z]
  2. Lower Character Class [a-z]
  3. Digit Character Class [0-9]
  4. Others character class [symbols]

min=disabled,40,10,8,6:

The five values are the minimum lengths for, in order: one character class, two classes, a passphrase, three classes, four classes. Each value must be no larger than the one before it.

disabled (first value): a password made of a single character class is never accepted, whatever its length. 123456789, abcdefghij and ABCDEFGHIJ are all rejected.

40 (second value): a password using two character classes must be at least 40 characters long.

10 (third value): a passphrase, which by default means three or more words, must be at least 10 characters long.

8 (fourth value): a password using three of the four character classes must be at least 8 characters long. apPle3all, n!ghTsUit and nep@123l are accepted.

6 (fifth value): a password using all four character classes must be at least 6 characters long.

enforce=everyone
Applies the rules to all users, including root (enforce=users would exempt root, and enforce=none only warns).

disable_firstupper_lastdigit_check
By default an upper-case letter at the start of the password and a digit at its end are not counted toward the character classes, because that is where people put them predictably. With this option they are counted. For example, both passwords below contain all four classes and are 6 characters long, the minimum for that combination:
K@tHm0  is rejected by default: the leading K and the trailing 0 do not count, which leaves three classes and a length of 6, below the 8 required.
k@tH0m  is accepted: all four classes count.

With disable_firstupper_lastdigit_check both passwords are accepted.

A useful feature of this module is that it tells the user exactly why a password was rejected when they change it; reading that message carefully saves a lot of guesswork.
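To make the rules above concrete, here is an added example, not from the original post and not passwdqc's own code: a small model of how the min= setting is evaluated, applied to the passwords discussed on this page with and without disable_firstupper_lastdigit_check. It covers only the character-class, length and word-count rules; the real module also rejects dictionary-based passwords and passwords similar to the old one, so "allowed" here means only that the min= rule is satisfied.

```shell
#!/bin/sh
# Added example (not from the original post, and not passwdqc's own code): a
# model of how pam_passwdqc applies min=N0,N1,N2,N3,N4 to a candidate
# password, using the setting from this page. Only the character-class,
# length and word-count rules are modelled; the real module also rejects
# dictionary-based passwords and ones similar to the old password.
export LC_ALL=C

MIN_RULE="disabled,40,10,8,6"   # N0 one class, N1 two, N2 passphrase, N3 three, N4 four
PASSPHRASE_WORDS=3              # passwdqc's default "passphrase=3"

# class_count PASSWORD [strict] -> how many of the four character classes
# the password uses. By default a leading upper-case letter and a trailing
# digit are not counted (passwdqc's first-upper/last-digit rule); "strict"
# counts them, which is what disable_firstupper_lastdigit_check does.
class_count() {
    PW=$1 MODE=${2:-default} awk 'BEGIN {
        pw = ENVIRON["PW"]; mode = ENVIRON["MODE"]; n = length(pw)
        u = l = d = o = 0
        for (i = 1; i <= n; i++) {
            c = substr(pw, i, 1)
            if (c ~ /[A-Z]/)      { if (mode == "default" && i == 1) continue; u = 1 }
            else if (c ~ /[a-z]/) l = 1
            else if (c ~ /[0-9]/) { if (mode == "default" && i == n) continue; d = 1 }
            else                  o = 1
        }
        print u + l + d + o
    }'
}

# min_for CLASSES PHRASE -> the required length from MIN_RULE: N2 when
# PHRASE is 1, otherwise the field for CLASSES (0 classes, e.g. "A1" under
# the default rule, is treated like one class).
min_for() {
    _classes=$1 _phrase=$2 _ifs=$IFS
    IFS=,; set -- $MIN_RULE; IFS=$_ifs
    if [ "$_phrase" -eq 1 ]; then echo "$3"; return; fi
    case $_classes in
        0|1) echo "$1" ;;
        2)   echo "$2" ;;
        3)   echo "$4" ;;
        4)   echo "$5" ;;
    esac
}

# check_password PASSWORD [strict] -> prints "allowed" (exit 0) or "denied"
# (exit 1): accepted when its length meets the requirement for its class
# count, or when it is a passphrase of PASSPHRASE_WORDS words meeting N2.
check_password() {
    _pw=$1; _mode=${2:-default}; _len=${#_pw}
    _classes=$(class_count "$_pw" "$_mode")
    _need=$(min_for "$_classes" 0)
    if [ "$_need" != disabled ] && [ "$_len" -ge "$_need" ]; then
        echo allowed; return 0
    fi
    _words=$(( $(printf '%s\n' "$_pw" | wc -w) ))
    _need=$(min_for "$_classes" 1)
    if [ "$_words" -ge "$PASSPHRASE_WORDS" ] && [ "$_len" -ge "$_need" ]; then
        echo allowed; return 0
    fi
    echo denied; return 1
}

# The passwords discussed on this page, plus a lower-case passphrase that
# passes only through the N2 (10) rule.
for pw in 123456789 apPle3all 'n!ghTsUit' 'nep@123l' 'K@tHm0' 'k@tH0m' 'correct horse battery'; do
    printf '%-22s default: %-8s disable_firstupper_lastdigit_check: %s\n' \
        "$pw" "$(check_password "$pw")" "$(check_password "$pw" strict)"
done
```

Running it shows why K@tHm0 and k@tH0m differ under the default rule although they contain the same characters: only the position of the upper-case letter and the digit changes how many classes are counted.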

Checking accounts for empty password

Any account with an empty password field in /etc/shadow can be logged into with a bare Enter wherever PAM allows null passwords (and over SSH if PermitEmptyPasswords is on). It is a serious weakness in a Linux system and an easy one to prevent. An attacker who has been on the machine once could leave behind such an account with sudo rights and come back through it whenever they like, without ever needing a password.

List users with blank passwords with the command below (the test is exact: locked accounts show "!" or "*" in that field, not an empty string, so they are not reported):

sudo awk -F: '($2 == "") { print $1 }' /etc/shadow 

Either set a password on such accounts, or delete them if they are not needed. The --stdin form below is convenient for scripting but leaves the password in the shell history; for interactive use run passwd xyz instead, and passwd -l xyz locks an account you want to keep but never allow logins on.

echo "new_password1" | sudo passwd xyz --stdin
echo "new_password1" | sudo passwd user1 --stdin

Re-verify that no user with a blank password remains (the command should print nothing):

sudo awk -F: '($2 == "") { print $1 }' /etc/shadow
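As an added example, not from the original post, here is an audit that combines the empty-password check above with the ageing policy from the login.defs section (and covers the risk noted in the "Linux Enable user with blank password" post at the top of this page): it reports accounts with an empty password field, accounts with a usable hash that never expires against PASS_MAX_DAYS 60, and accounts whose password has already expired. Usernames, hashes and day numbers in the sample shadow text are constructed; run it with --live as root to audit the real /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the original post): audit a shadow file for the
# problems this page describes: accounts with an empty password, accounts
# whose password never expires against the login.defs policy above
# (PASS_MAX_DAYS 60), and accounts whose password has already expired. It
# works on the text of the file so it can run against the constructed
# sample below; with --live it reads /etc/shadow (run as root).

# Constructed /etc/shadow (name:hash:lastchange:min:max:warn:inactive:expire:).
# Day numbers are days since 1970-01-01; 16860 is 2016-02-29, the post date.
SAMPLE_SHADOW='root:$6$kx7p.q$S0m3HaShValu3:16800:0:99999:7:::
dilli:$6$p3nv.w$An0th3rHaShVal:16780:7:60:7:::
user1::16860:0:99999:7:::
xyz:$6$rt9a.z$Y3tAn0th3rHash:16832:7:60:7:::
oracle:$6$hs1q.d$OracleHashVal:16500:0:99999:7:::
sshd:!!:16700::::::
bin:*:15000:0:99999:7:::'

# empty_password_users SHADOW -> names whose password field is empty; these
# can be logged into with a bare Enter wherever PAM allows null passwords.
empty_password_users() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# never_expiring_users SHADOW MAXDAYS -> names with a usable hash (not empty,
# not locked with "!", not the "*" of service accounts) whose maximum age is
# unset or larger than MAXDAYS; 99999 is the conventional "never".
never_expiring_users() {
    printf '%s\n' "$1" | awk -F: -v max="$2" '
        $2 != "" && $2 !~ /^[!*]/ && ($5 == "" || $5 + 0 > max + 0) { print $1 }'
}

# expired_users SHADOW TODAY -> names with a usable hash and a real maximum
# age whose lastchange + max lies before TODAY (a day number like field 3).
expired_users() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        $2 != "" && $2 !~ /^[!*]/ && $5 != "" && $5 + 0 < 99999 &&
        $3 + 0 + $5 + 0 < today + 0 { print $1 }'
}

# days_since_epoch -> today as a shadow-style day number.
days_since_epoch() { echo $(( $(date +%s) / 86400 )); }

if [ "${1:-}" = "--live" ] && [ -r /etc/shadow ]; then
    shadow=$(cat /etc/shadow); today=$(days_since_epoch)
else
    shadow=$SAMPLE_SHADOW; today=16860
fi
echo "empty password:  $(empty_password_users "$shadow" | tr '\n' ' ')"
echo "never expires:   $(never_expiring_users "$shadow" 60 | tr '\n' ' ')"
echo "already expired: $(expired_users "$shadow" "$today" | tr '\n' ' ')"
```

On the sample this reports user1 as having an empty password, root and oracle as never expiring under a 60-day policy (exactly the situation described for oracle above, created before login.defs was changed), and dilli as already expired on the post date. Accounts locked with "!" or "*" are deliberately ignored by the ageing checks, since they cannot be logged into with a password anyway.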