Archive

Articles taggués ‘securite’

Allow A Normal User To Run Commands As root Under Linux / UNIX Operating Systems

21/09/2020 Aucun commentaire

Source: nixCRAFT

You need to use the sudo command which is use to execute a command as another user. It allows a permitted user to execute a command as the superuser or another user, as specified in the /etc/sudoers (config file that defines or list of who can run what) file. The sudo command allows users to do tasks on a Linux system as another user.

sudo command

sudo is more more secure than su command. By default it logs sudo usage, command and arguments in /var/log/secure (Red Hat/Fedora / CentOS Linux) or /var/log/auth.log (Ubuntu / Debian Linux).

If the invoking user is root or if the target user is the same as the invoking user, no password is required. Otherwise, sudo requires that users authenticate themselves with a password by default. Once a user has been authenticated, a timestamp is updated and the user may then use sudo without a password for a short period of time (15 minutes unless overridden in sudoers).

/etc/sudoers Syntax

Following is general syntax used by /etc/sudoers file:

USER HOSTNAME=COMMAND

Where,

  • USER: Name of normal user
  • HOSTNAME: Where command is allowed to run. It is the hostname of the system where this rule applies. sudo is designed so you can use one sudoers file on all of your systems. This space allows you to set per-host rules.
  • COMMAND: A simple filename allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify “” to indicate that the command may only be run without command line arguments.

Lire la suite…

Categories: Système Tags: , ,

Linux Security Basics

15/09/2020 Aucun commentaire

One of the most daunting prospects of administering your own server on a public network is dealing with your server’s security. While security threats in a networked world are real and it is always important to be mindful of security issues, protecting against possible attacks is often a matter of exercising basic common sense and adhering to some general best practices.

This guide takes a broad overview of common security concerns and provides a number of possible solutions to common security problems. You are encouraged to consider deploying some of these measures to “harden” your server against possible attacks.

It’s important to remember that all of the solutions we present in this document are targeted at specific kinds of attacks, which themselves may be relevant only in specific configurations. Security solutions need to be tailored to the kind of services that you’re providing and the software you’re running, and the decision whether or not to deploy a specific security solution is often a matter of personal discretion and cost-benefit analysis.

Perhaps most importantly, it should be understood that security is a process, not a product (credit to Bruce Schneier.) There is no “magic bullet” set of guidelines that can be followed to ensure the security of any system. Threats are constantly evolving, so vigilance is required on the part of network administrators to prevent unauthorized access to systems.

Keep Systems and Software Up To Date

One of the most significant sources of security vulnerabilities are systems running out of date software with known security holes. Make a point of using your system’s package management tools to keep your software up to date; this will greatly assist in avoiding easily preventable security intrusions.

Running system updates with the package management tool, using apt-get update && apt-get upgrade (for Debian and Ubuntu Systems) or yum update (for CentOS and Fedora systems) is simple and straightforward. This practice ensures that if your distribution maintains active security updates, your system will be guarded against many security holes in commonly used software packages.

System update tools will, however, not keep software up to date that you’ve installed outside of package management. This includes software that you’ve compiled and installed “by hand” (e.g. with ./configure && make && make install) and web-based applications that you’ve installed from a software developer’s site, as is often the case with applications like WordPress and Drupal. Also excluded from protection will be libraries and packages you’ve installed with supplementary package management tools like Ruby’s Gems, Perl’s CPAN tool, Python easy_install, and Haskell Cabal. You will have to manage the process of keeping these files up to date yourself.

The method you use to make sure that your entire system is kept up to date is a matter of personal preference, and depends on the nature of your workflow. We would recommend trying very hard to use the versions of software provided by your operating system or other programming platform-specific package management tools. If you must install from “source,” we would recommend that you save the tarballs and source files for all such software in /src/ or ~/src/ so that you can keep track of what software you’ve installed in this manner. Often, you can remove a manually compiled application by issuing make uninstall in the source repository (directory). Additionally, it may be helpful to maintain a list of manually installed software, with version numbers and download locations. You may also want to investigate packaging your own software so that you can install it with apt, yum or pacman.

Because of the complexity of maintaining software outside of the system’s package management tools we strongly recommend avoiding manually installing software unless absolutely necessary. Your choice in a Linux distribution should be heavily biased by the availability of software in that distro’s repositories for the systems you need to run on your server.

Lire la suite…

Simple failover cluster using UCARP on Ubuntu

08/09/2020 Comments off

In this tutorial, I’ll show you the steps to create a simple failover cluster on Ubuntu using CARP. To make the things meaningful,we’ll create the cluster for Apache service but you can use it for any other service, which relay on IP.

Scenario:

Here is my Setup:

PrimarySrv: This is the main server, where I configured the apache and which act as Master (IP: 192.168.1.202)
SecondarySrv: 2nd Apache Server where I configured the apache exactly like on PrimarySrv (IP : 192.168.1.203)
192.168.1.250 : Virtual IP address,created using Ucarp.

Ucarp is really simple, it works like this,when the PrimarySrv is up,it will assign the virtual IP 192.168.1.250 to it, in case that PrimarySrv is down then it will assign virtual IP to the SeconadrySrv and when the PrimarySrv will come online, it will assign the virtual IP once again to it.

Lire la suite…

Utiliser la commande ssh-copy-id depuis Mac OSX

05/09/2020 Comments off

Comment rendre la commande ssh-copy-id disponible sur Mac OS X

Si vous avez tenté d’utiliser la commande ssh-copy-id sur Mac OS X, vous avez dû vous rendre compte que, même si openssh est installé nativement, cette commande n’est pas disponible.

Heureusement, cette commande est un simple script qu’il suffit de copier au bon endroit, de lui donner les bons droits et SURPRISE la commande est disponible.

Et comme je suis sympa, eh bien je vous donne tout ça. 😉 Pour commencer le script ssh-copy-id

Ensuite, la méthodologie à suivre pour le mettre en place:

  • Télécharger le fichier
  • Déplacer le fichier dans le répertoire /usr/bin
  • Lui donner les droits nécessaires
$ chmod 755 /usr/bin/ssh-copy-id

Edit

Si vous utilisez homebrew, il existe un package pour faire la même chose :
brew install ssh-copy-id

 

Source: Mikael Randy

Categories: Système Tags: , , ,

HowTo: Linux Check Password Strength With Cracklib-check Command

04/09/2020 Comments off

check password strengthUsing the same password on different servers allows attackers to access your accounts if cracker manage to steal your password from a less secure server. This is true for online website accounts too. So solution is to create unique passwords for server accounts like your email, sftp and ssh accounts. General guideline to create a strong and unique password is as follows:

Creating a strong and unique password for Linux or Unix-like systems

  1. Create a password with mix of numbers, special symbols, and alphabets.
  2. Make sure your password is hard to guess. You can use tool such as makepasswd to create hard to guess password.
  3. Do not use simple words like “password“, “123456“, “123abc” or “qwerty“.
  4. Use a unique password for all your server accounts.
  5. A minimum password length of 12 to 14 characters should be used. See how to configure CentOS / RHEL / Fedora Linux based server password quality requirements.
  6. Generating passwords randomly where feasible. You can do this with a simple shell scriptfunction.
  7. If possible use two-factor authentication.
  8. Use pam_crack to ensure strong passwords and to check passwords against a dictionary attack.

But, how do you test the effectiveness of a password in resisting guessing and brute-force attacks under Linux? The answer is simple use cracklib-check command.

Install cracklib on a Linux based system

Type the following yum command to install on RHEL and friends:
# yum install cracklib

Type the following apt-get command to install on Debian/Ubuntu and friends:
# apt-get install libcrack2

Lire la suite…