Linux security – Securing user accounts with John the Ripper

John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.

To install it run:

apt-get install john john-data

Then download the word list from the OpenWall website:

wget http://download.openwall.net/pub/wordlists/all.gz

This list contains over 5 million words from several languages. There is a paid version of this file, but for most purposes the free version is sufficient.

The cracking procedure is very simple, but first we need to combine the passwd and shadow files:

# unshadow /etc/passwd /etc/shadow > password.list

Once that is done, all we need to do is run John the Ripper against that file and specify the username and the word list:

# john -users:testuser -wordlist:all password.list
Created directory: /root/.john
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
password (testuser)
1g 0:00:00:00 100% 3.448g/s 331.0p/s 331.0c/s 331.0C/s 123456..pepper
Use the "--show" option to display all of the cracked passwords reliably
Session completed

In this example the password was cracked in less than a second.

If we want to try to crack all of the passwords listed in the password.list file, we tell John to run against every hash in it:

# john --format=crypt -wordlist:all password.list
Loaded 3 password hashes with 3 different salts (crypt, generic crypt(3) [?/64])
Remaining 2 password hashes with 2 different salts
Press 'q' or Ctrl-C to abort, almost any other key for status

Simples!
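The procedure above produces two artefacts worth acting on: the unshadow output and the `john --show` results. As an added example (not from the original post), this script turns both into an account triage list: it flags empty password fields and legacy md5crypt/DES hashes without cracking anything, and lists the accounts John recovered so their passwords can be reset. The sample input is constructed; the hash values are dummies in the right format.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the unshadow output and
# the `john --show` output have been saved to files.

# usage: triage_accounts UNSHADOW_FILE JOHN_SHOW_FILE
# prints "user: reason" for every account that needs attention
triage_accounts() {
    unshadow=$1 show=$2
    # Part 1: findings visible from the hash field alone (no cracking needed).
    awk -F: '
        $2 == ""                   { print $1 ": empty password field"; next }
        $2 ~ /^[!*]/               { next }   # locked account or no login
        substr($2, 1, 3) == "$1$"  { print $1 ": md5crypt hash, rehash with sha512crypt or yescrypt"; next }
        length($2) == 13 && $2 !~ "[^./0-9A-Za-z]" {
                                     print $1 ": legacy DES hash, 8-character password limit"; next }
    ' "$unshadow"
    # Part 2: accounts John cracked. --show prints passwd-style lines;
    # the trailing "N password hashes cracked" summary has no ":" and is skipped.
    awk -F: 'NF >= 2 { print $1 ": password found in wordlist, force a reset" }' "$show"
}

# Constructed sample input in the same formats the post's commands produce.
sample_unshadow() { cat <<'EOF'
root:$6$dummysalt$dummyhash:0:0:root:/root:/bin/bash
testuser:$1$dummysalt$dummyhash:1000:1000::/home/testuser:/bin/bash
legacy:ab1234567890Z:1001:1001::/home/legacy:/bin/sh
svc:!!:1002:1002::/var/svc:/usr/sbin/nologin
guest::1003:1003::/home/guest:/bin/bash
EOF
}
sample_show() { cat <<'EOF'
testuser:password:1000:1000::/home/testuser:/bin/bash

1 password hash cracked, 0 left
EOF
}

# Run the triage over the constructed sample.
demo() {
    t=$(mktemp -d)
    sample_unshadow > "$t/password.list"
    sample_show > "$t/john.show"
    triage_accounts "$t/password.list" "$t/john.show"
    rm -r "$t"
}
```

On a real system, run `john --show password.list > john.show` and pass that file together with the unshadow output; a reset for a flagged account can be forced with `chage -d 0 user`.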

Linux security – LSAT

LSAT stands for Linux Security Auditing Tool.

As the man page states:

Linux Security Auditing Tool (LSAT) is a post install security auditing tool. It is modular in design, so new features can be added quickly. It checks inetd entries and scans for unneeded RPM packages. It is being expanded to work with Linux distributions other than Red Hat, and checks for kernel versions.

Output is in lsat.out. On subsequent runs, previous output is in lsat.old.

To run it, simply type lsat.

The lsat.out output file is a plain text file and contains information such as open ports, world readable/writable files and directories, recommendations on packages to uninstall and much more. I find this to be a very useful tool to run every few weeks to check and verify that everything is working as it should.

Example output:

****************************************
Please consider removing these packages.
bind9-host
libbind9-90
libnfsidmap2:amd64
rpcbind
webmin
****************************************
default init level is not set to 5. Good.
****************************************
Consider placing: auth.* /var/log/secure
 in your /etc/syslog.conf file.
****************************************
Consider placing: authpriv.* /var/log/secure
 in your /etc/syslog.conf file.
****************************************
The last 100 (or less) failed login attempts on the system

****************************************
This is a list of SUID files on the system:

****************************************
List of normal files in /dev. MAKEDEV is ok, but there
should be no other files:
***************************************
This is a list of world writable files
[.........]

StartSSL – NGINX SSL

To ensure that your website is running securely it needs to have HTTPS enabled. This short tutorial lists the steps necessary to secure an NGINX server with a free Class 1 certificate from StartSSL.

Assumptions:

1. You have a server running NGINX
2. You have already set up a free account with StartSSL
3. You have validated your domain with StartSSL

Prep Work:

Download the StartSSL CA Certificate using wget:
wget https://www.startssl.com/certs/ca.pem

Download the StartSSL Intermediate CA Certificate using wget:
wget https://www.startssl.com/certs/sub.class1.server.ca.pem

Create a unified CA Certificate file:
cat sub.class1.server.ca.pem >> ca.pem


Private key and Website Certificate

Use the StartSSL™ Control Panel to create a private key and certificate and transfer them to your server.

My naming convention:
Private key: website.com.original.key
Certificate: website.com.crt

Then execute the following steps:

Decrypt the private key by using the password you entered when you created your key:
openssl rsa -in website.com.original.key -out website.com.key

Secure your key:
chmod 600 website.com.key

Create a single file containing your signed certificate and the StartSSL CA certificates for Nginx:

cat website.com.crt ca.pem > website.com.unified.crt

Configure your nginx server to use the new key and certificate (in the global settings or a server section):

ssl on;
ssl_certificate /etc/nginx/conf/website.com.unified.crt;
ssl_certificate_key /etc/nginx/conf/website.com.key;

Reload the nginx configuration or restart the service.
And you’re done!
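Before reloading nginx it is worth confirming that the files produced by the steps above fit together. As an added example (not from the original post), this script checks that the decrypted key is mode 600, that it belongs to the certificate, that the certificate verifies against the downloaded CA bundle, that the server certificate is the first block in the unified file (nginx reads it first), and that the certificate is not about to expire. It assumes openssl is installed and takes the file names from the post's naming convention as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is available.

# usage: verify_tls_material KEY CERT CA_BUNDLE UNIFIED_CERT
# prints one line per check and returns non-zero if any check fails
verify_tls_material() {
    key=$1 crt=$2 ca=$3 unified=$4
    rc=0

    # 1. The decrypted private key must not be readable by other users.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    if [ "$mode" = "600" ]; then echo "ok: $key is mode 600"
    else echo "FAIL: $key is mode $mode, expected 600"; rc=1; fi

    # 2. The private key must belong to the certificate (same RSA modulus).
    kmod=$(openssl rsa -noout -modulus -in "$key")
    cmod=$(openssl x509 -noout -modulus -in "$crt")
    if [ "$kmod" = "$cmod" ]; then echo "ok: key matches certificate"
    else echo "FAIL: key does not match certificate"; rc=1; fi

    # 3. The certificate must chain to the CA bundle that was downloaded.
    if openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "ok: certificate verifies against $ca"
    else echo "FAIL: certificate does not verify against $ca"; rc=1; fi

    # 4. nginx expects the server certificate first in the unified file;
    #    openssl x509 reads only the first PEM block of a file.
    first=$(openssl x509 -noout -fingerprint -sha256 -in "$unified")
    leaf=$(openssl x509 -noout -fingerprint -sha256 -in "$crt")
    if [ "$first" = "$leaf" ]; then echo "ok: server certificate is first in $unified"
    else echo "FAIL: first certificate in $unified is not the server certificate"; rc=1; fi

    # 5. Fail if the certificate expires within 30 days (2592000 seconds).
    if openssl x509 -checkend 2592000 -noout -in "$crt" >/dev/null; then
        echo "ok: certificate valid for more than 30 days"
    else echo "FAIL: certificate expires within 30 days"; rc=1; fi

    return $rc
}
```

Run it as `verify_tls_material website.com.key website.com.crt ca.pem website.com.unified.crt` from the directory holding the files; a non-zero exit means something should be fixed before the reload.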