Mounting folders through SSH

One of the first rules of security is not to leave any port open that you do not need.  That is also common sense.  The problem you run into is that you still need to reach data on one machine from another.  Samba is the usual answer for file sharing, but because it follows the Windows file-sharing conventions it listens on its own set of ports and announces your shares to anyone on the network who asks.

If it is just you accessing your files, you can instead mount a folder from another system using sshfs.  sshfs is a FUSE filesystem that runs over the SSH connection you already allow, so no additional port has to be opened on the remote machine.  It is available in all of the major distros' repositories, so it should be easy to find.

The first step is to create an empty folder on the local machine to use as the mount point.  Once you have that, run the following command:

sshfs <user>@<machine>:/path/on/remote/system /local/path

After that, the local folder shows the contents of the remote folder.  Every read and write travels inside the SSH session, authenticated with the same key or password you use for a normal login.

By default the mount is visible only to the user who created it.  If other users on the local machine should be able to access the folder as well, add the allow_other option, together with default_permissions so the kernel still enforces the remote file modes instead of granting everyone full access:

sshfs -o allow_other,default_permissions <user>@<machine>:/path/on/remote/system /local/path

Note that FUSE refuses allow_other for non-root users unless /etc/fuse.conf contains the line user_allow_other.
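The procedure above, wrapped in a small helper as an added example (this is not code from the original post).  It builds the option string a practitioner normally wants on top of allow_other: a dedicated identity file, strict host-key checking so a changed server key fails instead of prompting, and keepalive/reconnect so a dropped link does not leave a hung mount.  It also refuses to mount over a path that is already a mount point.  The key path ~/.ssh/sshfs_key is an assumption, and the host key is assumed to be in known_hosts already; the mounts-table lookup assumes a Linux /proc/mounts.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: a dedicated key
# at ~/.ssh/sshfs_key (hypothetical path) and the remote host key already
# present in ~/.ssh/known_hosts, so StrictHostKeyChecking=yes never prompts.

# Build the comma-separated -o option string.
#   $1: "rw" or "ro"
#   $2: "shared" to add allow_other,default_permissions (needs
#       user_allow_other in /etc/fuse.conf unless run as root);
#       anything else keeps the mount private to the mounting user
sshfs_opts() {
    mode=$1
    share=$2
    # Options sshfs/FUSE do not recognise are passed straight to ssh,
    # which is how IdentityFile and the keepalive settings get through.
    opts="IdentityFile=$HOME/.ssh/sshfs_key"
    opts="$opts,StrictHostKeyChecking=yes"
    opts="$opts,reconnect,ServerAliveInterval=15,ServerAliveCountMax=3"
    [ "$mode" = ro ] && opts="$opts,ro"
    [ "$share" = shared ] && opts="$opts,allow_other,default_permissions"
    echo "$opts"
}

# Succeed if $2 appears as a mount point in the mounts table $1
# (/proc/mounts on a live Linux system; a constructed file in tests).
is_mounted() {
    awk -v mp="$2" '$2 == mp { found = 1 } END { exit !found }' "$1"
}

# Mount $1 (user@host:/remote/path) on $2 after sanity checks.
# $3 = rw|ro (default rw), $4 = shared|private (default private).
# Set DRY_RUN=1 to print the command instead of executing it.
mount_remote() {
    src=$1
    mp=$2
    mode=${3:-rw}
    share=${4:-private}
    if [ ! -d "$mp" ]; then
        echo "mount point $mp is not a directory" >&2
        return 1
    fi
    if is_mounted /proc/mounts "$mp"; then
        echo "$mp is already a mount point" >&2
        return 1
    fi
    opts=$(sshfs_opts "$mode" "$share")
    if [ -n "$DRY_RUN" ]; then
        echo "sshfs -o $opts $src $mp"
        return 0
    fi
    sshfs -o "$opts" "$src" "$mp"
}

# Detach with the FUSE helper; plain umount needs root.
umount_remote() {
    fusermount -u "$1"
}

# Usage:
#   DRY_RUN=1 mount_remote alice@fileserver:/srv/data /mnt/data ro shared
#   umount_remote /mnt/data
```

Mounting read-only (ro) is worth the habit for shares you only need to read: a compromised local account then cannot modify anything on the server through the mount.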

Posted in Arch, CentOS, Fedora, Guides, Linux

Setting a Lock-out Policy

Setting a lockout policy in CentOS or Fedora is very easy using the pam_tally module.  Two caveats: newer releases replace pam_tally with pam_tally2 and later pam_faillock, so check which of the three your release ships and use the same idea with that module; and authconfig regenerates /etc/pam.d/system-auth-ac, which system-auth is normally a symlink to, so run any authconfig commands before making this edit or it will be overwritten.

  1. edit /etc/pam.d/system-auth
  2. add the two lines below, the auth line above the existing auth line for pam_unix.so and the account line above the existing account line for pam_unix.so, so the tally is recorded and checked before the password module runs:

auth required pam_tally.so onerr=fail no_magic_root
account required pam_tally.so deny=3 unlock_time=3600 no_magic_root reset

onerr=fail: if the tally file cannot be opened for some reason, fail the login instead of silently allowing it
no_magic_root: count failures even when the module is invoked with uid 0, which covers logins that pass through root-launched services such as su
deny=3: deny access once the count of consecutive failed logins exceeds 3
reset: clear the counter on a successful login
unlock_time=3600: number of seconds after the lockout before the counter is ignored and the user may try again
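The edit in step 2 as an added example, not code from the original post: it inserts the two pam_tally lines into a copy of system-auth directly above the first pam_unix.so line of each type, does nothing if they are already there, and checks the ordering afterwards.  The sample system-auth it writes is constructed for the example and is not copied from a real system; the placement rule (tally line before the pam_unix line) is the convention the post's configuration relies on.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently insert the
# pam_tally auth and account lines into a system-auth style file and
# verify their placement. Work on a copy and diff it before installing.

TALLY_AUTH='auth        required      pam_tally.so onerr=fail no_magic_root'
TALLY_ACCT='account     required      pam_tally.so deny=3 unlock_time=3600 no_magic_root reset'

# add_lockout <file>: rewrite in place. A second run is a no-op.
add_lockout() {
    f=$1
    if grep -q 'pam_tally.so' "$f"; then
        echo "pam_tally already configured in $f" >&2
        return 0
    fi
    awk -v a="$TALLY_AUTH" -v b="$TALLY_ACCT" '
        /^auth[[:space:]]/    && /pam_unix\.so/ && !done_a { print a; done_a = 1 }
        /^account[[:space:]]/ && /pam_unix\.so/ && !done_b { print b; done_b = 1 }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# check_lockout <file>: succeed only if both tally lines exist and each
# precedes the first pam_unix.so line of its type.
check_lockout() {
    awk '
        /^auth[[:space:]]/    && /pam_tally\.so/        { ta = NR }
        /^auth[[:space:]]/    && /pam_unix\.so/  && !ua { ua = NR }
        /^account[[:space:]]/ && /pam_tally\.so/        { tb = NR }
        /^account[[:space:]]/ && /pam_unix\.so/  && !ub { ub = NR }
        END { exit !(ta && ua && ta < ua && tb && ub && tb < ub) }
    ' "$1"
}

# Constructed stand-in for a stock system-auth (not from a real system),
# so the functions can be exercised without touching /etc.
write_sample_auth() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
EOF
}

# Demo run on the sample file.
tmp=$(mktemp)
write_sample_auth "$tmp"
add_lockout "$tmp"
check_lockout "$tmp" && echo "tally lines placed correctly"
rm -f "$tmp"

# On a live system (as root), pam_tally keeps its counts in /var/log/faillog:
#   faillog -u alice                  show alice's current failure count
#   pam_tally --user alice --reset    clear it after a lockout
```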

Posted in CentOS, Fedora, Linux

Configuring iptables

In Linux the most basic way of protecting your machine is with iptables, the user-space tool that configures the kernel's netfilter packet filter.  It comes preinstalled and configured on MOST Linux distros.  I say most because Arch does not preinstall it, since that would conflict with their bare-bones design.

IPTABLES

iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -L -v
service iptables save

NOTE:  service iptables save only works on CentOS and Fedora, and on CentOS 7 and current Fedora only after installing the iptables-services package, because those releases ship firewalld instead.  On other distros save the rules with iptables-save into the file your distribution loads at boot (/etc/iptables/iptables.rules on Arch).

Here is what the code is doing...

  1. Set the INPUT policy to ACCEPT before touching anything else.  This is only temporary, but it keeps your connection alive if you are configuring iptables remotely: if the policy is already DROP and you flush first, there is a window with no rules in which every incoming packet, your SSH session included, is dropped.
  2. Flush the current rules, erasing everything in the table.
  3. Allow anything arriving on the loopback interface, so local services can talk to each other.
  4. Allow packets belonging to connections that are already established or are related to one.  Without this you would not get any replies back from the network.
  5. Open port 22 (SSH).  You can open more ports by repeating this command with the protocol and port number changed.
  6. Drop anything else coming in.  This includes incoming ICMP echo requests, so the machine will not answer ping unless you add a rule for it.
  7. Drop any request to forward traffic, and allow everything out.
  8. List the rules with their counters so you can review them, then save them so they survive a reboot on Fedora or CentOS.

You can copy and paste everything up to the iptables -L -v line and it will run the commands for you, leaving you at the listing to review the settings before you save.
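The same ruleset as an added example, not code from the original post, generated in iptables-restore format.  iptables-restore swaps the whole table in at once, so there is neither a moment with ACCEPT-all nor a moment with no rules, which removes the lockout risk the walkthrough above works around by ordering the commands carefully.  The example goes slightly beyond the post: it uses the conntrack match (the current spelling of the -m state match), additionally drops packets conntrack marks INVALID, limits each opened port to NEW connections, and validates the port numbers.  The persistence paths (/etc/sysconfig/iptables for the iptables-services package, /etc/iptables/iptables.rules for Arch) and the directory test used to choose between them are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the post's ruleset as
# an iptables-restore table and apply it atomically.

# valid_port <n>: succeed if n is a TCP port number in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules <port>...: print a complete filter table that accepts the
# given TCP ports plus loopback and established traffic, e.g. gen_rules 22 443.
gen_rules() {
    for p in "$@"; do
        valid_port "$p" || { echo "bad port: $p" >&2; return 1; }
    done
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# apply_rules <port>...: load the table atomically, persist it, show it.
# Needs root. Persistence paths are assumptions: /etc/sysconfig/iptables
# (Fedora/CentOS with iptables-services) or /etc/iptables/iptables.rules (Arch).
apply_rules() {
    f=$(mktemp)
    gen_rules "$@" > "$f" || { rm -f "$f"; return 1; }
    iptables-restore < "$f" || { rm -f "$f"; return 1; }
    rm -f "$f"
    if [ -d /etc/sysconfig ]; then
        iptables-save > /etc/sysconfig/iptables
    else
        mkdir -p /etc/iptables && iptables-save > /etc/iptables/iptables.rules
    fi
    iptables -L -v -n
}

# Usage: review first, then apply.
#   gen_rules 22 443
#   apply_rules 22 443
```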

Posted in CentOS, Fedora, Linux

Change Password Complexity Requirements

CentOS and Fedora apply only pam_cracklib's defaults to new passwords (a dictionary check and the module's default minimum length); there is no complexity requirement, but it is very simple to add one.  Two things to keep in mind: root only gets a warning from pam_cracklib when choosing a weak password, unless the module supports and is given enforce_for_root; and newer releases use pam_pwquality instead, which accepts the same option names either on the module line or in /etc/security/pwquality.conf.

  1. edit /etc/pam.d/system-auth
  2. change the line which says:

password requisite pam_cracklib.so try_first_pass retry=3

to

password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 ucredit=2 dcredit=3 ocredit=-1 lcredit=1

NOTES:
minlen=N minimum password size (the password's length plus its credits must reach N)
dcredit=N the maximum credit for having digits in the new password
lcredit=N the maximum credit for having lowercase in the new password
ocredit=N the maximum credit for having other characters in the new password
ucredit=N the maximum credit for having uppercase in the new password
difok=N the number of characters which must differ from the current password

The way this works is that for each character type you define the maximum "bonus" the user gets for using it: one point per character of that type, up to the credit value.  If you use a negative number, that type is instead required: lcredit=-2 means the password must contain at least 2 lowercase letters, and no bonus is given for them.  The score is the length of the password plus the credits, and it must reach minlen.  So with the settings above, the password "foobar" is 6 characters long, so 6 points, plus 1 for using lowercase (capped at lcredit=1), giving a total score of 6 + 1 = 7; it also contains no "other" character, which ocredit=-1 requires.  Here are some more password examples using the settings shown above:

Password   Count                                           Total score   Valid
foobar     6 + 1 (lower)                                   7             No: below 8, and no other character
Foobar     6 + 1 (upper) + 1 (lower)                       8             No: no other character (ocredit=-1)
FOobar     6 + 2 (upper) + 1 (lower)                       9             No: no other character (ocredit=-1)
F0obar1!   8 + 1 (upper) + 2 (digits) + 1 (lower) + 0 (!)  12            Yes
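The scoring rule worked through as an added example (not code from the original post): it counts the four character classes, applies the credit caps and negative-credit minimums from the pam_cracklib line above, and reproduces the table.  It models only the minlen and credit arithmetic; cracklib's own dictionary, palindrome and difok checks are not included, so a password this script accepts can still be rejected by the real module.

```shell
#!/bin/sh
# Added example, not from the original post: score passwords with the
# minlen/credit rules of the pam_cracklib line above. Length plus
# per-class credit; a positive credit caps the bonus, a negative credit
# is a required minimum with no bonus. Dictionary and difok checks are
# not modelled.

MINLEN=8
UCREDIT=2
DCREDIT=3
OCREDIT=-1
LCREDIT=1

# credit <count> <setting>: print the credit earned, or "fail" when a
# negative setting's minimum count is not met.
credit() {
    count=$1
    setting=$2
    if [ "$setting" -ge 0 ]; then
        [ "$count" -gt "$setting" ] && count=$setting
        echo "$count"
    elif [ "$count" -lt $(( 0 - setting )) ]; then
        echo fail
    else
        echo 0
    fi
}

# cracklib_check <password>: print "<score> yes|no".
cracklib_check() {
    pw=$1
    len=${#pw}
    # $(( )) around wc normalises the padded count some wc builds print.
    digits=$(( $(printf '%s' "$pw" | tr -cd '[:digit:]' | wc -c) ))
    uppers=$(( $(printf '%s' "$pw" | tr -cd '[:upper:]' | wc -c) ))
    lowers=$(( $(printf '%s' "$pw" | tr -cd '[:lower:]' | wc -c) ))
    others=$(( len - digits - uppers - lowers ))
    score=$len
    ok=yes
    for pair in "$digits:$DCREDIT" "$uppers:$UCREDIT" "$lowers:$LCREDIT" "$others:$OCREDIT"; do
        c=$(credit "${pair%%:*}" "${pair##*:}")
        if [ "$c" = fail ]; then
            ok=no
        else
            score=$(( score + c ))
        fi
    done
    [ "$score" -ge "$MINLEN" ] || ok=no
    echo "$score $ok"
}

# Reproduce the table: F0obar1! scores 12 yes; the other three fail the
# ocredit=-1 requirement regardless of their score.
for pw in foobar Foobar FOobar 'F0obar1!'; do
    printf '%-10s %s\n' "$pw" "$(cracklib_check "$pw")"
done
```

Changing the five variables at the top lets you try a candidate policy against a list of real passwords before putting it in system-auth.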

 

 

Posted in CentOS, Fedora, Linux

Change Password Encryption

The default password hash on older CentOS releases (CentOS 5 and earlier) is MD5-crypt, which is weak: if your shadow file were compromised it would not take long to recover the passwords.  (Strictly this is hashing rather than encryption, even though the option is called passalgo.)  CentOS 6 and later and current Fedora already default to sha512, so check before changing anything.  The command below switches the algorithm to the much stronger sha512crypt.  It only affects passwords set from then on: existing hashes stay as they are until each user changes their password.  In /etc/shadow a sha512 hash starts with $6$ and an MD5 one with $1$, and authconfig --test reports the active algorithm.  Because authconfig rewrites system-auth-ac, run this before making manual PAM edits such as the lockout and complexity changes above.

authconfig --passalgo=sha512 --update
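Because the switch leaves existing hashes untouched, the follow-up a practitioner wants is an audit of which accounts still carry an old hash.  The script below is an added example, not code from the original post: it classifies every entry in a shadow-format file by its crypt prefix and lists the accounts that can still log in with something other than a sha512 (or newer) hash.  The sample file it writes is constructed for the example; its hash bodies are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example, not from the original post: report the hash scheme of
# every account in a shadow-format file. Run as root against /etc/shadow;
# the constructed sample below is for trying it offline.

# shadow_hash_types <file>: print "<user> <type>" per line.
shadow_hash_types() {
    awk -F: '
    {
        h = $2
        if (h == "")                                              t = "empty"
        else if (h == "*" || h == "!" || h == "!!" || h == "!*") t = "nopass"
        else if (substr(h, 1, 1) == "!")                          t = "locked"
        else if (substr(h, 1, 3) == "$6$")                        t = "sha512"
        else if (substr(h, 1, 3) == "$5$")                        t = "sha256"
        else if (substr(h, 1, 3) == "$1$")                        t = "md5"
        else if (substr(h, 1, 3) == "$y$")                        t = "yescrypt"
        else if (substr(h, 1, 2) == "$2")                         t = "bcrypt"
        else if (length(h) == 13)                                 t = "descrypt"
        else                                                      t = "unknown"
        print $1, t
    }' "$1"
}

# weak_hash_accounts <file>: accounts that can authenticate with a
# password but whose hash is not sha512crypt or a newer scheme. An empty
# field is included on purpose: it is the weakest case of all.
weak_hash_accounts() {
    shadow_hash_types "$1" | awk '
        $2 != "sha512" && $2 != "yescrypt" && $2 != "bcrypt" &&
        $2 != "nopass" && $2 != "locked" { print $1 }'
}

# Constructed sample; the hash bodies are placeholders, not real hashes.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$examplesalt$placeholdersha512hashvalue:17000:0:99999:7:::
alice:$1$examples$placeholdermd5hash:17000:0:99999:7:::
bob:!!:17000:0:99999:7:::
carol:!$1$examples$placeholdermd5hash:17000:0:99999:7:::
dave::17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
EOF
}

# Demo run on the sample.
tmp=$(mktemp)
write_sample_shadow "$tmp"
shadow_hash_types "$tmp"
echo "accounts to rehash: $(weak_hash_accounts "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

For the accounts it lists, the fix is simply a password change (passwd, or chage -d 0 to force one at next login); the new password is stored with the algorithm authconfig just configured.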

Posted in CentOS, Fedora, Linux