Chapter 10 - A Security Primer
The Layers of Linux Security
Bastion Host Systems: a file server, auth server or web server configured to add more security to your environment. We use bastion hosts to put another layer of security between the corporate desktop LAN and customer LANs. Bastion hosts typically provide remote access via SSH or VNC.
Software Updates for Security Fixes:
Use gpk-update-viewer; automatic security updates can be turned on with gpk-prefs.
Service Specific security
- HTTP/HTTPS
- DNS
- FTP
- NFS
- SMB
- SMTP
- SSH
Host-based security limits access by hostname, FQDN and IP address.
User-based security limits user access via service controls, sudo, traditional Unix file permissions, SELinux and other methods.
Console Security
SELinux
The PolicyKit
Firewalls and NAT
The iptables service in Linux is the firewall configuration. Command examples:
iptables -L = Show all rules currently in place
iptables -F = Flush all FW rules in memory
# service iptables restart
[root@server01 ~]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5905 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Save the current iptables rules permanently :
# iptables-save > /etc/sysconfig/iptables
# service iptables restart
Rule Examples
Reject all traffic from the 192.168.75.0/24 network (targets are case-sensitive, so REJECT must be upper case):
iptables -A INPUT -s 192.168.75.0/24 -j REJECT
Stop the host with IP address 192.168.25.200 from pinging your system:
iptables -A INPUT -s 192.168.25.200 -p icmp -j DROP
Examples (the INPUT chain is given explicitly so each command runs as written):
# allow 2 telnet connections per client host
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
# you can also match the other way around:
iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
# limit the number of parallel HTTP requests to 16 per class C sized network (24 bit netmask)
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT
# limit the number of parallel HTTP requests to 16 for the link local network (ipv6)
ip6tables -A INPUT -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT
NOTE: Need examples with iptables masquerading and IP forwarding.
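Walking the saved INPUT chain above by hand shows which rule a packet hits: first match wins, and the final REJECT with icmp-host-prohibited is what a remote telnet client later reports as "No route to host", while a connection over lo is accepted by the -i lo rule. This is an added Python model of that chain, not part of the notes; the interface name eth0 and the packet fields are constructed assumptions, and only the match options present in this ruleset are understood.

```python
"""First-match walk of one chain from an iptables-save dump (added model)."""
import shlex

# Constructed copy of the /etc/sysconfig/iptables shown in the notes.
SAVED_RULES = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5900:5905 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain; each rule is a dict of the
    match options this model understands (-p, -i, --state, --dport, -j)."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0] == ":%s" % chain:       # ':INPUT ACCEPT [0:0]' sets the policy
            policy = toks[1]
            continue
        if toks[:2] != ["-A", chain]:
            continue
        rule = {"target": None, "reject_with": None}
        i = 2
        while i < len(toks):
            opt, val = toks[i], toks[i + 1]
            if opt == "-p":
                rule["proto"] = val
            elif opt == "-i":
                rule["iface"] = val
            elif opt == "--state":
                rule["states"] = set(val.split(","))
            elif opt == "--dport":         # single port or 'low:high' range
                lo, _, hi = val.partition(":")
                rule["dport"] = (int(lo), int(hi or lo))
            elif opt == "-j":
                rule["target"] = val
            elif opt == "--reject-with":
                rule["reject_with"] = val
            i += 2                         # '-m state' etc. carry no test here
        rules.append(rule)
    return policy, rules


def matches(rule, pkt):
    """True when every match option in the rule fits the packet."""
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    if "dport" in rule:
        lo, hi = rule["dport"]
        if not lo <= pkt.get("dport", -1) <= hi:
            return False
    return True


def verdict(text, pkt, chain="INPUT"):
    """(target, reject_with) of the first matching rule, else (policy, None)."""
    policy, rules = parse_chain(text, chain)
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"], rule["reject_with"]
    return policy, None


# Constructed packets: rhce01 opening telnet/ssh to server01 over eth0.
TELNET = {"proto": "tcp", "dport": 23, "state": "NEW", "iface": "eth0"}
SSH = {"proto": "tcp", "dport": 22, "state": "NEW", "iface": "eth0"}

if __name__ == "__main__":
    print("telnet from LAN:", verdict(SAVED_RULES, TELNET))
    print("ssh from LAN:   ", verdict(SAVED_RULES, SSH))
    # 'iptables -F' drops every rule, leaving only the ACCEPT policy.
    print("after -F:       ", verdict(":INPUT ACCEPT [0:0]", TELNET))
```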
The Extended Internet Super-Server
/etc/xinetd.conf and /etc/xinetd.d/
[root@server01 ~]# yum install xinetd -y
[root@server01 ~]# cat /etc/xinetd.conf
#
# This is the master xinetd configuration file. Settings in the
# default section will be inherited by all service configurations
# unless explicitly overridden in the service configuration. See
# xinetd.conf in the man pages for a more detailed explanation of
# these attributes.
defaults
{
# The next two items are intended to be a quick access place to
# temporarily enable or disable services.
#
# enabled =
# disabled =
# Define general logging characteristics.
log_type = SYSLOG daemon info
log_on_failure = HOST
log_on_success = PID HOST DURATION EXIT
# Define access restriction defaults
#
# no_access =
# only_from =
# max_load = 0
cps = 50 10
instances = 50
per_source = 10
# Address and networking defaults
#
# bind =
# mdns = yes
v6only = no
# setup environmental attributes
#
# passenv =
groups = yes
umask = 002
# Generally, banners are not used. This sets up their global defaults
#
# banner =
# banner_fail =
# banner_success =
}
includedir /etc/xinetd.d
[root@server01 ~]# cat /etc/xinetd.d/rsync
# default: off
# description: The rsync server is a good addition to an ftp server, as it \
# allows crc checksumming etc.
service rsync
{
disable = yes
flags = IPv6
socket_type = stream
wait = no
user = root
server = /usr/bin/rsync
server_args = --daemon
log_on_failure += USERID
}
[root@server01 xinetd.d]# cat /etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
[root@server01 xinetd.d]# service xinetd restart
Stopping xinetd: [FAILED]
Starting xinetd: [ OK ]
[root@server01 xinetd.d]# telnet localhost
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
[root@server01 xinetd.d]# tail /var/log/messages
Jun 17 16:44:41 server01 xinetd[32726]: bad service attribute: log_on_filure [file=/etc/xinetd.d/telnet] [line=8]
Jun 17 16:44:41 server01 xinetd[32726]: Must specify a server in telnet
Jun 17 16:44:41 server01 xinetd[32726]: Swapping defaults
Jun 17 16:44:41 server01 xinetd[32726]: Reconfigured: new=0 old=0 dropped=0 (services)
Jun 17 16:49:47 server01 xinetd[32726]: Exiting...
Jun 17 16:49:47 server01 xinetd[511]: Server /usr/sbin/in.telnetd is not executable [file=/etc/xinetd.d/telnet] [line=7]
Jun 17 16:49:47 server01 xinetd[511]: Error parsing attribute server - DISABLING SERVICE [file=/etc/xinetd.d/telnet] [line=7]
Jun 17 16:49:47 server01 xinetd[511]: Must specify a server in telnet
Jun 17 16:49:47 server01 xinetd[511]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Jun 17 16:49:47 server01 xinetd[511]: Started working: 0 available services
... typo corrected ... didn't work with what I had ... then figured out I didn't have telnet-server installed ...
[root@server01 xinetd.d]# yum install telnet-server -y
Working now ...
[root@server01 xinetd.d]# telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login: shannon
Password:
Login incorrect
[root@server01 xinetd.d]# tail /var/log/messages
Jun 17 16:55:13 server01 xinetd[581]: START: telnet pid=587 from=::1
Jun 17 16:56:23 server01 xinetd[581]: EXIT: telnet status=0 pid=587 duration=70(sec)
Jun 17 16:57:50 server01 yum[615]: Installed: 1:telnet-server-0.17-46.el6.x86_64
Jun 17 17:02:03 server01 xinetd[581]: START: telnet pid=678 from=::1
Jun 17 17:02:33 server01 xinetd[581]: EXIT: telnet status=0 pid=678 duration=30(sec)
Jun 17 17:02:44 server01 xinetd[581]: Exiting...
Jun 17 17:02:44 server01 xinetd[700]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Jun 17 17:02:44 server01 xinetd[700]: Started working: 1 available service
Jun 17 17:02:59 server01 xinetd[700]: START: telnet pid=706 from=::1
Jun 17 17:03:34 server01 xinetd[700]: EXIT: telnet status=0 pid=706 duration=35(sec)
[root@server01 xinetd.d]# telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login: root
Password:
Login incorrect
login: rhill
Password:
Last login: Wed Jun 13 09:20:12 from 192.168.0.3
[rhill@server01 ~]$
[root@server01 ~]# utmpdump /var/log/wtmp | tail
Utmp dump of /var/log/wtmp
[6] [01948] [5 ] [LOGIN ] [tty5 ] [ ] [0.0.0.0 ] [Fri Jun 15 09:24:07 2012 CDT]
[6] [01950] [6 ] [LOGIN ] [tty6 ] [ ] [0.0.0.0 ] [Fri Jun 15 09:24:07 2012 CDT]
[7] [02148] [ts/0] [root ] [pts/0 ] [192.168.0.3 ] [192.168.0.3 ] [Fri Jun 15 09:25:44 2012 CDT]
[7] [02134] [:0 ] [root ] [tty1 ] [:0 ] [0.0.0.0 ] [Fri Jun 15 09:59:54 2012 CDT]
[7] [02721] [/1 ] [root ] [pts/1 ] [:0.0 ] [0.0.0.0 ] [Fri Jun 15 10:00:10 2012 CDT]
[8] [02116] [ ] [ ] [pts/0 ] [ ] [0.0.0.0 ] [Sat Jun 16 04:45:06 2012 CDT]
[7] [26120] [ts/0] [root ] [pts/0 ] [192.168.0.3 ] [192.168.0.3 ] [Sun Jun 17 04:07:02 2012 CDT]
[7] [32555] [ts/2] [root ] [pts/2 ] [192.168.0.10 ] [192.168.0.10 ] [Sun Jun 17 16:22:12 2012 CDT]
[7] [00757] [ts/3] [root ] [pts/3 ] [192.168.0.10 ] [192.168.0.10 ] [Sun Jun 17 17:07:23 2012 CDT]
[7] [00829] [4 ] [rhill ] [pts/4 ] [::d8c7:7fdc:ff7f:0%384933277] [0.0.0.0 ] [Sun Jun 17 17:11:15 2012 CDT]
[root@server01 ~]#
[root@server01 ~]# tail /var/log/messages
Jun 17 17:02:33 server01 xinetd[581]: EXIT: telnet status=0 pid=678 duration=30(sec)
Jun 17 17:02:44 server01 xinetd[581]: Exiting...
Jun 17 17:02:44 server01 xinetd[700]: xinetd Version 2.3.14 started with libwrap loadavg labeled-networking options compiled in.
Jun 17 17:02:44 server01 xinetd[700]: Started working: 1 available service
Jun 17 17:02:59 server01 xinetd[700]: START: telnet pid=706 from=::1
Jun 17 17:03:34 server01 xinetd[700]: EXIT: telnet status=0 pid=706 duration=35(sec)
Jun 17 17:09:23 server01 xinetd[700]: START: telnet pid=799 from=::1
Jun 17 17:10:23 server01 xinetd[700]: EXIT: telnet status=0 pid=799 duration=60(sec)
Jun 17 17:10:48 server01 xinetd[700]: START: telnet pid=828 from=::1
Jun 17 17:12:56 server01 xinetd[700]: EXIT: telnet status=0 pid=828 duration=128(sec)
[root@server01 ~]#
TCP Wrappers
[root@server01 ~]# strings /sbin/* | grep hosts_access
hosts_access
hosts_access
hosts_access
[root@server01 ~]# strings /usr/sbin/* | grep hosts_access
hosts_access
hosts_access
hosts_access
hosts_access_verbose
hosts_access
hosts_access
[root@server01 ~]# ldd /usr/sbin/sshd
linux-vdso.so.1 => (0x00007fff8cfff000)
libfipscheck.so.1 => /lib64/libfipscheck.so.1 (0x00007fc930e45000)
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fc930c3b000)
libaudit.so.1 => /lib64/libaudit.so.1 (0x00007fc930a24000)
libpam.so.0 => /lib64/libpam.so.0 (0x00007fc930817000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fc930613000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007fc9303f4000)
libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007fc93005e000)
libutil.so.1 => /lib64/libutil.so.1 (0x00007fc92fe5b000)
libz.so.1 => /lib64/libz.so.1 (0x00007fc92fc46000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00007fc92fa2d000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007fc92f7f6000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00007fc92f5dc000)
libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007fc92f39b000)
libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007fc92f0bc000)
libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007fc92ee90000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007fc92ec8d000)
libnss3.so => /usr/lib64/libnss3.so (0x00007fc92e952000)
libc.so.6 => /lib64/libc.so.6 (0x00007fc92e5c1000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc931047000)
libfreebl3.so => /lib64/libfreebl3.so (0x00007fc92e35f000)
libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007fc92e155000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007fc92df53000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fc92dd36000)
libnssutil3.so => /usr/lib64/libnssutil3.so (0x00007fc92db17000)
libplc4.so => /lib64/libplc4.so (0x00007fc92d913000)
libplds4.so => /lib64/libplds4.so (0x00007fc92d710000)
libnspr4.so => /lib64/libnspr4.so (0x00007fc92d4d3000)
[root@server01 ~]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fe9d3c02000)
TCP Wrapper configuration files :
/etc/hosts.allow
/etc/hosts.deny
[root@server01 ~]# ls -lrt /etc/ | grep "hosts."
-rw-r--r--. 1 root root 460 Jan 12 2010 hosts.deny
-rw-r--r--. 1 root root 370 Jan 12 2010 hosts.allow
[root@server01 ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
[root@server01 ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
Rules follow the format (the daemon name is the server program's basename, e.g. sshd or in.telnetd):
<daemon_list> : <client_list>
Simple rule to allow or deny all:
ALL : ALL
Allow the IP address 192.168.122.50 to connect to sshd on the local system, in /etc/hosts.allow:
sshd : 192.168.122.50
Allow all services from the domain example.com:
ALL : .example.com
Allow sshd from the 192.168.122.0/24 network except one host:
sshd : 192.168.122.0/255.255.255.0 EXCEPT 192.168.122.150
Allow rpc.mountd and in.tftpd from a single host:
rpc.mountd, in.tftpd : 192.168.100.100
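The decision logic behind these rules, as an added Python model (not the tcp_wrappers library and not from the notes): hosts.allow is consulted first, then hosts.deny, and a pair that matches neither file is granted. The rule files and the (hostname, address) client pairs are constructed; they reproduce the two things the lab below runs into, a misspelled daemon name that matches nothing and a 127.0.0.1 pattern that does not match a connection arriving on ::1.

```python
"""hosts_access(5) allow/deny evaluation for daemon + client (added model)."""
import ipaddress


def _match_token(pattern, value):
    """One pattern against one string (daemon name, hostname or address)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # '.example.com': hostname suffix
        return value.endswith(pattern)
    if pattern.endswith("."):              # '192.168.': address prefix
        return value.startswith(pattern)
    if "/" in pattern:                     # 'net/mask' or 'net/prefixlen'
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(value) in net
        except ValueError:                 # value is a hostname, not an address
            return False
    return pattern == value                # exact daemon name, host or address


def _match_list(spec, values):
    """'list_1 EXCEPT list_2' matches anything in list_1 not in list_2.
    `values` are the strings a pattern may match: the daemon name on the
    left side, hostname and address on the client side."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(_match_token(p, v)
              for p in head.replace(",", " ").split() for v in values)
    if hit and tail:
        return not _match_list(tail.strip(), values)
    return hit


def parse_access_rules(text):
    """[(daemon_list, client_list), ...] with comments and blank lines dropped.
    Only the first ':' splits the fields, so IPv6 addresses on the right survive."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, _, clients = line.partition(":")
            rules.append((daemons.strip(), clients.strip()))
    return rules


def hosts_access(daemon, client, allow_text, deny_text):
    """`daemon` is the server basename libwrap logs (e.g. in.telnetd);
    `client` is (hostname, address). First match in hosts.allow grants,
    first match in hosts.deny refuses, no match at all grants."""
    for text, decision in ((allow_text, True), (deny_text, False)):
        for daemon_list, client_list in parse_access_rules(text):
            if _match_list(daemon_list, (daemon,)) and \
               _match_list(client_list, client):
                return decision
    return True


# Constructed rule files mirroring the notes: deny everything, allow a few.
DENY = "ALL : ALL\n"
ALLOW_TYPO = "in.telnet.d : 127.0.0.1\n"          # misspelled daemon name
ALLOW_V4 = "in.telnetd : 127.0.0.1\n"
ALLOW_BOTH = "in.telnetd : 127.0.0.1 localhost\n"
ALLOW_SSHD = "sshd : 192.168.122.0/255.255.255.0 EXCEPT 192.168.122.150\n"

if __name__ == "__main__":
    v4, v6 = ("localhost", "127.0.0.1"), ("localhost", "::1")
    print(hosts_access("in.telnetd", v4, ALLOW_TYPO, DENY))   # False: typo
    print(hosts_access("in.telnetd", v4, ALLOW_V4, DENY))     # True
    print(hosts_access("in.telnetd", v6, ALLOW_V4, DENY))     # False: ::1 is not 127.0.0.1
    print(hosts_access("in.telnetd", v6, ALLOW_BOTH, DENY))   # True: hostname matches
    print(hosts_access("sshd", ("", "192.168.122.150"), ALLOW_SSHD, DENY))  # False
```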
Lab Exercise :
[root@server01 ~]# chkconfig telnet on
[root@server01 ~]#
TCP Wrappers example with telnet :
1. Telnet server installed and set up
[root@server01 etc]# chkconfig --list | grep telnet
telnet: on
2. Activated telnet service (running under xinetd daemon)
[root@server01 etc]# cat /etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
[root@server01 xinetd.d]# service xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
3. No firewall rule setup blocking port 23
4. Modify /etc/hosts file
[root@server01 etc]# vi /etc/hosts
[root@server01 etc]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.0.12 server01
# temporarily add for tcp wrappers example
127.0.0.1 server1 server1.example.com localhost.localdomain localhost
[root@rhce01 ~]# ping server01
PING server01 (192.168.0.12) 56(84) bytes of data.
64 bytes from server01 (192.168.0.12): icmp_seq=1 ttl=64 time=1.04 ms
64 bytes from server01 (192.168.0.12): icmp_seq=2 ttl=64 time=0.566 ms
^C
--- server01 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1321ms
rtt min/avg/max/mdev = 0.566/0.803/1.040/0.237 ms
[root@rhce01 ~]#
-------------from the telnet client------------
[root@rhce01 ~]# telnet server01 23
Trying 192.168.0.12...
telnet: connect to address 192.168.0.12: No route to host
[root@rhce01 ~]# telnet 192.168.0.12 23
Trying 192.168.0.12...
telnet: connect to address 192.168.0.12: No route to host
[root@rhce01 ~]# tcptraceroute 192.168.0.12 23
-bash: tcptraceroute: command not found
[root@rhce01 ~]#
[root@server01 xinetd.d]# mv telnet /root
[root@server01 xinetd.d]# service xinetd restart
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
NOTE: This ain't working; rather than spend a few more hours banging my head against the wall, I am noting the problem and moving on. (In short, telnet 0 23 works, telnet 127.0.0.1 23 works, telnet localhost doesn't work, so it sure ain't gonna work with TCP wrappers configured either.) Will have the instructor look at it in the RHCE class later.
[root@server01 etc]# telnet 127.0.0.1 23
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login:
telnet> quit
Connection closed.
[root@server01 etc]# telnet 0 23
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login:
telnet> quit
Connection closed.
[root@server01 etc]#
[root@server01 etc]#
[root@server01 etc]# telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
[root@server01 etc]# telnet localhost 23
Trying ::1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
...Ok, one last try ...
[root@server01 etc]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
ALL : ALL
[root@server01 etc]# telnet localhost 23
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
[root@server01 etc]#
[root@server01 etc]# telnet 0 23
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection closed by foreign host.
[root@server01 etc]# telnet 127.0.0.1 23
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
[root@server01 etc]# vi /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
in.telnet.d : 127.0.0.1
[root@server01 etc]# telnet localhost 23
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
[root@server01 etc]# telnet 0 23
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Connection closed by foreign host.
[root@server01 etc]# telnet 127.0.0.1 23
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
[root@server01 etc]#
Still blocking ??? hmmm.....
[root@server01 etc]# tail -20 /var/log/messages
Jun 18 10:37:06 server01 xinetd[3292]: START: telnet pid=3745 from=::ffff:127.0.0.1
Jun 18 10:37:06 server01 xinetd[3745]: libwrap refused connection to telnet (libwrap=in.telnetd) from ::ffff:127.0.0.1
Jun 18 10:37:06 server01 xinetd[3745]: FAIL: telnet libwrap from=::ffff:127.0.0.1
Jun 18 10:37:06 server01 xinetd[3292]: EXIT: telnet status=0 pid=3745 duration=0(sec)
Jun 18 10:37:09 server01 xinetd[3292]: START: telnet pid=3747 from=::ffff:127.0.0.1
Jun 18 10:37:09 server01 xinetd[3747]: libwrap refused connection to telnet (libwrap=in.telnetd) from ::ffff:127.0.0.1
Jun 18 10:37:09 server01 xinetd[3747]: FAIL: telnet libwrap from=::ffff:127.0.0.1
Jun 18 10:37:09 server01 xinetd[3292]: EXIT: telnet status=0 pid=3747 duration=0(sec)
Jun 18 10:40:55 server01 xinetd[3789]: libwrap refused connection to telnet (libwrap=in.telnetd) from ::1
Jun 18 10:40:55 server01 xinetd[3292]: START: telnet pid=3789 from=::1
Jun 18 10:40:55 server01 xinetd[3789]: FAIL: telnet libwrap from=::1
Jun 18 10:40:55 server01 xinetd[3292]: EXIT: telnet status=0 pid=3789 duration=0(sec)
Jun 18 10:41:01 server01 xinetd[3292]: START: telnet pid=3791 from=::ffff:127.0.0.1
Jun 18 10:41:01 server01 xinetd[3791]: libwrap refused connection to telnet (libwrap=in.telnetd) from ::ffff:127.0.0.1
Jun 18 10:41:01 server01 xinetd[3791]: FAIL: telnet libwrap from=::ffff:127.0.0.1
Jun 18 10:41:01 server01 xinetd[3292]: EXIT: telnet status=0 pid=3791 duration=0(sec)
Jun 18 10:41:07 server01 xinetd[3292]: START: telnet pid=3795 from=::ffff:127.0.0.1
Jun 18 10:41:07 server01 xinetd[3795]: libwrap refused connection to telnet (libwrap=in.telnetd) from ::ffff:127.0.0.1
Jun 18 10:41:07 server01 xinetd[3795]: FAIL: telnet libwrap from=::ffff:127.0.0.1
Jun 18 10:41:07 server01 xinetd[3292]: EXIT: telnet status=0 pid=3795 duration=0(sec)
Well, the typo was the cause .. !!!
[root@server01 etc]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
in.telnet.d : 127.0.0.1
changed to
in.telnetd : 127.0.0.1
...now retry ...
[root@server01 etc]# telnet 0 23
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login:
telnet> quit
Connection closed.
[root@server01 etc]# telnet 127.0.0.1 23
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.1 (Santiago)
Kernel 2.6.32-131.0.15.el6.x86_64 on an x86_64
login:
telnet> quit
Connection closed.
[root@server01 etc]# telnet localhost 23 ....wtf ???
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
[root@server01 etc]#
Oho ...
[root@server01 etc]# vi hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
in.telnetd : 127.0.0.1 localhost
[root@server01 etc]# telnet localhost 23
Trying ::1...
Connected to localhost.
Escape character is '^]'.
(Still no bloody login prompt on localhost ??? wtf ???)
...wait....tis slow ... :P....??!
login:
Still cannot reach it from the other server? (think it is xinetd blocking, rather than TCP wrappers ??)
[root@rhce01 ~]# telnet server01
Trying 192.168.0.12...
telnet: connect to address 192.168.0.12: No route to host
[root@rhce01 ~]# telnet 192.168.0.12
Trying 192.168.0.12...
telnet: connect to address 192.168.0.12: No route to host
Firewall rule somewhere's fucking me up ?!?!?
[root@server01 etc]# iptables -F
[root@server01 etc]#
[root@rhce01 ~]# telnet server01
Trying 192.168.0.12...
Connected to server01.
Escape character is '^]'.
[root@rhce01 ~]# telnet 192.168.0.12
Trying 192.168.0.12...
Connected to 192.168.0.12.
Escape character is '^]'.
PAM
[root@server01 etc]# ls -lrt /etc/pam.d/ | wc -l
65
[root@server01 etc]# ls -lrt /etc/pam.d/ | head
total 236
-rw-r--r--. 1 root root 137 Feb 14 2007 su-l
-rw-r--r--. 1 root root 105 Feb 14 2007 runuser-l
-rw-r--r--. 1 root root 143 Feb 14 2007 runuser
-rw-r--r--. 1 root root 487 Feb 14 2007 su
-rw-r--r--. 1 root root 70 Jul 16 2009 ksu
-rw-r--r--. 1 root root 147 Oct 5 2009 reboot
-rw-r--r--. 1 root root 147 Oct 5 2009 poweroff
-rw-r--r--. 1 root root 147 Oct 5 2009 halt
-rw-r--r--. 1 root root 163 Oct 9 2009 dovecot
[root@server01 etc]#
[root@server01 etc]# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
[root@server01 etc]#
pam_securetty only lets root log in from the terminals listed in this file:
[root@server01 etc]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
Booting into rescue mode to fix an error in the /boot/grub/grub.conf file:
1. Set the BIOS to look for the CD-ROM device first.
2. Select 'Rescue Installed System'.
3. Select the rescue method 'Local CD/DVD'.
4. Follow the on-screen options to get a shell.
5. At the shell prompt (bash-4.1#) type 'chroot /mnt/sysimage'.
6. vi /boot/grub/grub.conf, make the changes, :wq!
7. Reset the system.
PAM User control :
[root@server01 ~]# grep pam_nologin.so /etc/pam.d/login
account required pam_nologin.so
[root@server01 ~]# echo "Sorry no access today except for root user" >> /etc/nologin
[root@server01 ~]# ls -ld /etc/nologin
-rw-r--r--. 1 root root 43 Jun 19 10:24 /etc/nologin
Try to access the system as another user from another terminal; from the desktop hit
CTRL + ALT + F2:
The rhill user account tried to log in and got the error message; root can log in, but also sees the error message:
[root@server01 ~]# tail /var/log/secure
Jun 19 10:21:27 server01 polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.25, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jun 19 10:21:33 server01 polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session2 (system bus name :1.47 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jun 19 10:22:47 server01 sshd[2314]: Accepted password for root from 192.168.0.3 port 52685 ssh2
Jun 19 10:22:47 server01 sshd[2314]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 19 10:30:18 server01 login: Authentication failure
Jun 19 10:30:28 server01 login: Authentication failure
Jun 19 10:30:35 server01 login: Authentication failure
Jun 19 10:30:41 server01 login: Authentication failure
Jun 19 10:31:05 server01 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Jun 19 10:31:05 server01 login: ROOT LOGIN ON tty2
[root@server01 ~]#
[root@server01 ~]# rm /etc/nologin
rm: remove regular file `/etc/nologin'? y
Secure Files with GPG
[rhill@server01 ~]$ gpg2 --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/home/rhill/.gnupg' created
gpg: new configuration file `/home/rhill/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/rhill/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/rhill/.gnupg/secring.gpg' created
gpg: keyring `/home/rhill/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2m
Key expires at Sat 18 Aug 2012 10:37:59 AM CDT
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Roger K Hill
Email address: roger.unixman@yahoo.com
Comment: DSA and RSA Default gpg key
You selected this USER-ID:
"Roger K Hill (DSA and RSA Default gpg key) <roger.unixman@yahoo.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
can't connect to `/home/rhill/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[2575]: directory `/home/rhill/.gnupg/private-keys-v1.d' created
gpg-agent[2575]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: Key generation canceled.
...repeated same process, still not working ...
[rhill@server01 ~]$ gpg2 --list-key
gpg: /home/rhill/.gnupg/trustdb.gpg: trustdb created
http://www.linuxquestions.org/questions/linux-security-4/gpg-gpg-agent-cant-connect-to-root-gnupg-s-gpg-agent-611843/
[rhill@server01 ~]$ gpg2 --daemon
gpg: invalid option "--daemon"
[rhill@server01 ~]$ mkdir -p -m 700 ~/.gnupg
[rhill@server01 ~]$ mknod -m 700 ~/.gnupg/S.gpg-agent p
[rhill@server01 ~]$ gpg-agent --daemon
GPG_AGENT_INFO=/tmp/gpg-MKrMXs/S.gpg-agent:2752:1; export GPG_AGENT_INFO;
...and ...still fucked up ... ??? wth ?
[rhill@server01 ~]$ gpg2 --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2m
Key expires at Sat 18 Aug 2012 10:54:55 AM CDT
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Roger K Hill
Email address: roger.unixman@yahoo.com
Comment: gpg test defaults
You selected this USER-ID:
"Roger K Hill (gpg test defaults) <roger.unixman@yahoo.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
can't connect to `/home/rhill/.gnupg/S.gpg-agent': Connection refused
gpg-agent[2762]: command get_passphrase failed: Operation cancelled
gpg: cancelled by user
gpg: Key generation canceled.
[rhill@server01 ~]$
...idk...might need to be root for this to work...will try again later tonight ...