Linux security – Securing user accounts with John the Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

To install it on a Debian-based system, run:

apt-get install john john-data

Then download the word list from the Openwall website:

wget http://download.openwall.net/pub/wordlists/all.gz

This list contains over 5 million words from several languages. There is a paid version of this file, but for most purposes the free version is sufficient. It is gzipped, so decompress it before pointing John at it.

The cracking procedure is very simple, but first we need to combine the passwd and shadow files with unshadow. This has to be done as root, because /etc/shadow is only readable by root:

# unshadow /etc/passwd /etc/shadow > password.list

The resulting password.list holds the same secrets as /etc/shadow, so keep it root-only and delete it once the audit is finished.

Once that is done, all we need to do is run John the Ripper against that file, specifying the user name and the (decompressed) word list:

# john -users:testuser -wordlist:all password.list
Created directory: /root/.john
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password (testuser)
1g 0:00:00:00 100% 3.448g/s 331.0p/s 331.0c/s 331.0C/s 123456..pepper
Use the "--show" option to display all of the cracked passwords reliably
Session completed

And in this example, in less than a second, we have the password. Cracked hashes are recorded in ~/.john/john.pot, and john --show password.list prints them again at any time. Note the rate in the status line: roughly 331 candidates per second is the generic crypt(3) format handing each guess to the system's libcrypt. On a jumbo build, naming the format explicitly (for example --format=sha512crypt for $6$ hashes) uses John's own optimized implementation and is considerably faster.

If we want to try to crack all of the hashes in password.list rather than a single user's, we drop the user filter:

# john --format=crypt -wordlist:all password.list
Loaded 3 password hashes with 3 different salts (crypt, generic crypt(3) [?/64])
Remaining 2 password hashes with 2 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status

The hash cracked in the previous run is already in john.pot, which is why only 2 of the 3 loaded hashes are reported as remaining. Simples!
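
As an added example (not code from the original post or from the John the Ripper project), the script below does the triage that is worth doing before handing an unshadow'd file to John: it parses a constructed password.list in unshadow(8) output layout, classifies each account (no password at all, locked, hash still sitting in /etc/shadow because unshadow was not run as root, or a real hash John can attack), maps the crypt(3) $id$ prefix to the --format name the jumbo build lists under john --list=formats so that John's optimized code is used instead of the slow generic crypt(3) path seen above, and emits one john command per format with a matching --users list. The sample accounts and their placeholder hashes are constructed for the demo, and the helper names (classify, triage, john_commands, SAMPLE) are mine.

```python
"""Added example: triage an unshadow(8) password.list before running John."""
import re

# crypt(3) "$id$" prefix -> (algorithm, John the Ripper jumbo --format name).
# The prefixes are the standard libcrypt identifiers; the format names are
# the ones reported by `john --list=formats` in the jumbo build.
CRYPT_FORMATS = {
    "$1$": ("md5crypt", "md5crypt"),
    "$2a$": ("bcrypt", "bcrypt"),
    "$2b$": ("bcrypt", "bcrypt"),
    "$2y$": ("bcrypt", "bcrypt"),
    "$5$": ("sha256crypt", "sha256crypt"),
    "$6$": ("sha512crypt", "sha512crypt"),
}
# Traditional DES crypt: 13 characters from the crypt alphabet, no prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(field):
    """Classify one password field from unshadow output.

    Returns (state, algorithm, john_format) where state is:
      'empty'     no password set at all,
      'shadowed'  still 'x': unshadow never saw /etc/shadow (run it as root),
      'locked'    '!' or '*' prefix; a hash kept behind the '!' is reported too,
      'crackable' a real hash John can attack,
      'unknown'   anything else (PAM/LDAP markers, corrupt lines).
    """
    if field == "":
        return ("empty", None, None)
    if field == "x":
        return ("shadowed", None, None)
    if field.startswith(("!", "*")):
        # `passwd -l` prepends '!' but keeps the hash; still worth auditing,
        # since `passwd -u` brings it straight back.
        state, algo, fmt = classify(field.lstrip("!*"))
        return ("locked", algo, fmt) if state == "crackable" else ("locked", None, None)
    for prefix, (algo, fmt) in CRYPT_FORMATS.items():
        if field.startswith(prefix):
            return ("crackable", algo, fmt)
    if field.startswith("$y$"):
        # yescrypt: let John's generic crypt(3) format hand it to libcrypt.
        return ("crackable", "yescrypt", "crypt")
    if DES_RE.match(field):
        return ("crackable", "descrypt", "descrypt")
    return ("unknown", None, None)


def triage(text):
    """Parse unshadow output (passwd layout with the hash in field 2)."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 7:
            raise ValueError(f"line {lineno}: not in passwd format")
        state, algo, fmt = classify(parts[1])
        rows.append({"user": parts[0], "state": state,
                     "algorithm": algo, "john_format": fmt})
    return rows


def john_commands(rows, password_list="password.list", wordlist="all"):
    """One john invocation per hash format, limited to attackable accounts,
    so each run uses John's optimized code for that format rather than the
    generic crypt(3) fallback."""
    by_format = {}
    for row in rows:
        if row["state"] == "crackable":
            by_format.setdefault(row["john_format"], []).append(row["user"])
    return [
        f"john --format={fmt} --wordlist={wordlist} --users={','.join(users)} {password_list}"
        for fmt, users in sorted(by_format.items())
    ]


# Constructed sample in unshadow(8) output layout. The hashes are placeholders,
# not real credentials; only the prefixes matter to the triage.
SAMPLE = """\
root:$6$saltsalt$PLACEHOLDERHASH0:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
testuser:$6$QeXjPVeW$PLACEHOLDERHASH1:1001:1001:Test User:/home/testuser:/bin/bash
legacy:$1$abcdefgh$PLACEHOLDERHASH2:1002:1002::/home/legacy:/bin/bash
olddes:ab1cD2eF3gH4i:1003:1003::/home/olddes:/bin/sh
guest::1004:1004::/home/guest:/bin/bash
svc:!$6$saltsalt$PLACEHOLDERHASH3:1005:1005::/var/lib/svc:/usr/sbin/nologin
notroot:x:1006:1006::/home/notroot:/bin/bash
"""

if __name__ == "__main__":
    rows = triage(SAMPLE)
    for row in rows:
        print(f"{row['user']:10} {row['state']:10} {row['algorithm'] or '-'}")
    for cmd in john_commands(rows):
        print(cmd)
```

Run against a real file, the 'empty' and 'shadowed' states are the ones to act on before any cracking starts: an empty field means the account has no password to crack, and an 'x' means the merge step silently produced nothing worth attacking.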

Linux security – LSAT

LSAT stands for Linux Security Auditing Tool.

As the man page states:

Linux Security Auditing Tool (LSAT) is a post install security auditing tool. It is modular in design, so new features can be added quickly. It checks inetd entries and scans for unneeded RPM packages. It is being expanded to work with Linux distributions other than Red Hat, and checks for kernel versions.

Output is in lsat.out. On subsequent runs, previous output is in lsat.old.

To run it, simply type lsat (ideally as root, so that it can inspect files that are not world-readable).

The lsat.out output file is a plain text file and contains information such as open ports, world readable/writable files and directories, recommendations on packages to uninstall and much more. Treat the package list as a prompt rather than an order: in the output below, rpcbind and libnfsidmap2 are what NFS relies on, so they are only dead weight if the host neither serves nor mounts NFS. I find this to be a very useful tool to run every few weeks to check and verify that everything is working as it should.

Example output:

****************************************
Please consider removing these packages.
bind9-host
libbind9-90
libnfsidmap2:amd64
rpcbind
webmin
****************************************
default init level is not set to 5. Good.
****************************************
Consider placing: auth.* /var/log/secure
 in your /etc/syslog.conf file.
****************************************
Consider placing: authpriv.* /var/log/secure
 in your /etc/syslog.conf file.
****************************************
The last 100 (or less) failed login attempts on the system

****************************************
This is a list of SUID files on the system:

****************************************
List of normal files in /dev. MAKEDEV is ok, but there
should be no other files:
***************************************
This is a list of world writable files
[.........]
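
To make concrete what is behind several of the lsat.out sections above (the SUID list, world-writable files and directories), here is an added example, not code from LSAT itself, that performs those checks on a directory tree with Python's stat module. It builds a small constructed tree under a temporary directory (the file names are invented for the demo), audits it with os.lstat so that symlinks are never followed, and returns the findings; the sticky-bit exemption is what keeps /tmp-style directories out of the report. The function names (audit_tree, make_sample_tree, demo) are mine.

```python
"""Added example: the SUID / world-writable checks behind LSAT's report,
done with os.lstat so symlinks are never followed."""
import os
import shutil
import stat
import tempfile


def audit_tree(root):
    """Walk `root` and return the findings LSAT prints in its own report:
    SUID and SGID regular files, world-writable files, and world-writable
    directories that lack the sticky bit (a sticky /tmp is expected and is
    deliberately not reported). Paths are returned relative to `root`."""
    findings = {"suid": [], "sgid": [],
                "world_writable_files": [], "world_writable_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode   # lstat: never follow symlinks
            except OSError:
                continue                         # vanished or unreadable
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(mode):
                if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                    findings["world_writable_dirs"].append(rel)
            elif stat.S_ISREG(mode):
                if mode & stat.S_ISUID:
                    findings["suid"].append(rel)
                if mode & stat.S_ISGID:
                    findings["sgid"].append(rel)
                if mode & stat.S_IWOTH:
                    findings["world_writable_files"].append(rel)
            # Symlinks, sockets and devices are skipped: their own mode bits
            # are not what grants access through them.
    for paths in findings.values():
        paths.sort()
    return findings


# Constructed sample tree: (relative path, mode). Names are invented for the
# demo; only the permission bits matter. A trailing "/" marks a directory.
SAMPLE_TREE = [
    ("bin/su-clone", 0o4755),     # SUID binary: must be justified, like su
    ("bin/wall-clone", 0o2755),   # SGID binary
    ("etc/passwd-copy", 0o644),   # ordinary file, not reported
    ("etc/config", 0o666),        # world-writable file
    ("tmp/", 0o1777),             # sticky world-writable dir: expected
    ("upload/", 0o777),           # world-writable dir without sticky bit
]


def make_sample_tree(base):
    """Materialise SAMPLE_TREE under `base`, plus a symlink to show it is skipped."""
    for rel, mode in SAMPLE_TREE:
        path = os.path.join(base, rel.rstrip("/"))
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("demo\n")
        os.chmod(path, mode)   # explicit chmod: the umask would strip bits otherwise
    os.symlink("etc/config", os.path.join(base, "config-link"))


def demo():
    """Build the sample tree in a temporary directory, audit it, clean up."""
    base = tempfile.mkdtemp(prefix="lsat-demo-")
    try:
        make_sample_tree(base)
        return audit_tree(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Pointed at / instead of the demo tree, audit_tree gives you the same two lists as LSAT; the SUID list is the one to diff between runs, since a new SUID file appearing on a server is rarely good news.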

Linux security – root kit scanner

Another useful tool for Linux-based file-sharing or web servers is chkrootkit, a simple rootkit scanner.
Once the package is installed (apt-get install chkrootkit on Debian), simply run:

# chkrootkit
 ROOTDIR is `/'
 Checking `amd'... not found
 Checking `basename'... not infected
 Checking `biff'... not found
 Checking `chfn'... not infected
 Checking `chsh'... not infected
 Checking `cron'... not infected
 .
 .
 .
 .
 .
 Searching for 64-bit Linux Rootkit ... nothing found
 Searching for 64-bit Linux Rootkit modules... nothing found
 Searching for suspect PHP files... nothing found
 Searching for anomalies in shell history files... nothing found
 Checking `asp'... not infected
 Checking `bindshell'... not infected
 Checking `lkm'... chkproc: nothing detected
 Checking `rexedcs'... not found
 Checking `w55808'... not infected
 Checking `wted'... chkwtmp: nothing deleted
 Checking `scalper'... not infected
 Checking `slapper'... not infected
 Checking `z2'... chklastlog: nothing deleted
 Checking `chkutmp'... The tty of the following user process(es) were not found
 in /var/run/utmp !
 ! RUID PID TTY CMD
 ! root 13979 pts/0 -bash
 ! root 13990 pts/2 -bash
 ! root 15095 pts/2 /bin/sh /usr/sbin/chkrootkit
 ! root 15745 pts/2 ./chkutmp
 ! root 15747 pts/2 ps axk tty,ruser,args -o tty,pid,ruser,args
 ! root 15746 pts/2 sh -c ps axk "tty,ruser,args" -o "tty,pid,ruser,args"
 chkutmp: nothing deleted
 Checking `OSX_RSPLUG'... not infected

The chkutmp warning above is not a finding: the processes listed are the root shells on pts/0 and pts/2 and the chkrootkit run itself (chkutmp and its ps call on pts/2), which simply had no matching utmp record. Sessions that never registered in utmp trigger this regularly. Bear in mind, too, that chkrootkit runs the system's own ps, ls, netstat and friends, which are exactly the binaries a rootkit replaces; for a credible result run it with -p pointing at a known-good copy of those tools, for example from read-only media.

Windows 10 and problems accessing SMB shares

Last night I had to do some testing under Windows 10 and, to my surprise, I was unable to access an SMB network share.

I have done some investigation and it would appear that Windows 10 will try to negotiate SMB3_11, which Samba 4.1.1 doesn't yet support except in the current 4.3 release candidate.

To fix this I disabled SMB 3 and enabled v1:

To disable SMBv2 and SMBv3 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc.exe config mrxsmb20 start= disabled

To enable SMBv1 on the SMB client, run the following commands:

sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb10 start= auto

After restarting the Win10 instance I was back in action.

Bear in mind what this trades away. With mrxsmb20 disabled the client cannot speak SMB2 or SMB3 to any server, so it loses SMB3 encryption and the stronger SMB2/3 signing, and Microsoft has since deprecated SMB1 altogether. Treat it as a stop-gap until the Samba side is upgraded to a release with SMB 3.1.1 support (4.3 and later), then re-enable mrxsmb20. In PowerShell, Get-SmbConnection lists the Dialect negotiated for each connected share, which confirms which version is actually in use.

See more here

php5-fpm – sock failed (13: Permission denied) while connecting to upstream error

I was recently making some changes to my php5-fpm config, and after a service restart I started getting this error:

*812 connect() to unix:/var/run/php5-fpm/website.sock failed (13: Permission denied) while connecting to upstream, client: 1.2.3.4, server: website.com, request: "GET /feed/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm/website.sock:", host: "website.com"

Going through the logs I narrowed the error down to permissions on the website.sock file.

The fix was to add this section to my /etc/php5/fpm/pool.d/www.conf file:

listen.owner = www-data
listen.group = www-data
listen.mode = 0660

Make sure that www-data is actually the user the nginx worker processes run as (check with ps -o user= -C nginx, or the user directive in nginx.conf); on Debian it is www-data by default. After restarting php5-fpm, ls -l /var/run/php5-fpm/website.sock should show srw-rw---- owned by www-data:www-data. Resist the common workaround of listen.mode = 0666: that lets any local user connect to the socket and have PHP run as the pool user, which is precisely the exposure a 0660 mode with a matching owner and group avoids.