Archive for July, 2007

Free web hosting services - Chapter 6 . Securing Linux 217 To work

Thursday, July 26th, 2007

To work with passwords for groups, you can use the grpconv command to convert passwords in /etc/group to shadowed group passwords in /etc/gshadow. If you change passwords or group passwords and something breaks (you are unable to log in to the accounts), you can use the pwunconv and grpunconv commands, respectively, to reverse password conversion.

Using the shadow password file and picking good passwords are a great start toward securing your system. You may have noticed by now that security is not just a one-time job. It is an ongoing process, as much about policies as programs. Keep reading to learn more.

Using Encryption Techniques

The previous sections told you how to lock the doors to your Linux system to deny access to crackers. The best lock is useless, however, if you are mugged in your own driveway and have your keys stolen. Likewise, the best computer security can be for naught if you are sending passwords and other critical data unprotected across the Internet.

A savvy cracker can use a tool called a protocol analyzer or a network sniffer to peek at the data flowing across a network and pick out passwords, credit card data, and other juicy bits of information. The cracker does this by breaking into a poorly protected system on the same network and running software, or by gaining physical access to the same network and plugging in his or her own equipment. You can combat this sort of theft by using encryption. The two main types of encryption in use today are symmetric cryptography and public-key cryptography.

Symmetric Cryptography

Symmetric cryptography, also called private-key cryptography, uses a single key to both encrypt and decrypt a message. This method is generally inappropriate for securing data that will be used by a third party because of the complexity of secure key exchange. Symmetric cryptography is generally useful for encrypting data for one's own purposes.

A classic use of symmetric cryptography is for a personal password vault. Anyone who has been using the Internet for any amount of time has accumulated a quantity of user names and passwords for accessing various sites and resources. A personal password vault lets you store this access information in an encrypted form. The end result is that you only have to remember one password to unlock all of your access information.

216 Part II . Running the Show Something (Domain and web hosting)

Wednesday, July 25th, 2007

Something similar to the following should be displayed:

    root:DkkS6Uke799fQ:0:0:root:/root:/bin/bash
    bin:*:1:1:bin:/bin:
    daemon:*:2:2:daemon:/sbin:
    …
    mary:KpRUp2ozmY5TA:500:100:Mary Smith:/home/mary:/bin/sh
    joe:0sXrzvKnQaksI:501:100:Joe Johnson:/home/joe:/bin/sh
    jane:ptNoiueYEjwX.:502:100:Jane Anderson:/home/jane:/bin/sh
    bob:Ju2vY7A0X6Kzw:503:100:Bob Renolds:/home/bob:/bin/sh

Each line in this listing corresponds to a single user account on the Linux system. Each line is made up of seven fields separated by colon (:) characters. From left to right the fields are the login name, the encrypted password, the user ID, the group ID, the description, the home directory, and the default shell. Looking at the first line, you see that it is for the root account and has an encrypted password of DkkS6Uke799fQ. You can also see that root has a user ID of zero, a group ID of zero, and a home directory of /root, and root's default shell is /bin/sh.

All of these values are quite normal for a root account, but seeing that encrypted password between the first and second colon on each line should set off alarm bells in your head. It confirms that your system is not using the shadow password file. At this point, you should immediately use the pwconv command to convert your password file to /etc/shadow to store the password information. Simply log in as root (or use the su command to become root) and enter the pwconv command at a prompt. It will print no messages, but when your shell prompt returns, you should have a /etc/shadow file and your /etc/passwd file that looks like this:

    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:
    daemon:x:2:2:daemon:/sbin:
    …
    mary:x:500:100:Mary Smith:/home/mary:/bin/sh
    joe:x:501:100:Joe Johnson:/home/joe:/bin/sh
    jane:x:502:100:Jane Anderson:/home/jane:/bin/sh
    bob:x:503:100:Bob Renolds:/home/bob:/bin/sh

Encrypted password data is replaced with an x. The password data is moved to /etc/shadow.

There is also a screen-oriented command called authconfig that you can use to manage shadow passwords and other system authentication information. This tool also has features that enable you to work with MD5 passwords, LDAP authentication, and Kerberos 5 authentication. Type authconfig and step through the screens to use it.
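The check described in this excerpt (a hash sitting between the first and second colon means the account is not shadowed) can be automated. The following is an added example, not code from the book; the function names are hypothetical, and the guest and malformed sample lines are constructed to show the empty-field and bad-line cases.

```python
"""Audit passwd-format text for password fields that are not shadowed."""
import sys

# Sample in the seven-field format shown above. The root, bin and mary lines
# follow the excerpt; the daemon, guest and malformed lines are constructed.
SAMPLE_PASSWD = """\
root:DkkS6Uke799fQ:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
mary:KpRUp2ozmY5TA:500:100:Mary Smith:/home/mary:/bin/sh
guest::504:100:Guest:/home/guest:/bin/sh
broken line without enough fields
"""

FIELDS = ("login", "password", "uid", "gid", "description", "home", "shell")


def parse_passwd(text):
    """Return (entries, malformed_line_numbers) for passwd-format text."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            malformed.append(lineno)  # wrong field count: report, do not guess
            continue
        entries.append(dict(zip(FIELDS, parts)))
    return entries, malformed


def classify_password_field(value):
    """Classify the second field of a passwd entry."""
    if value == "":
        return "empty"          # account needs no password at all
    if value == "x":
        return "shadowed"       # hash lives in /etc/shadow
    if value.startswith(("*", "!")):
        return "locked"         # no usable hash, password login disabled
    return "hash-exposed"       # world-readable hash, as in the first listing


def audit(text):
    """Collect logins whose password field needs attention."""
    entries, malformed = parse_passwd(text)
    findings = {"hash-exposed": [], "empty": [], "malformed_lines": malformed}
    for entry in entries:
        state = classify_password_field(entry["password"])
        if state in ("hash-exposed", "empty"):
            findings[state].append(entry["login"])
    return findings


if __name__ == "__main__":
    # Pass a file such as /etc/passwd as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            data = handle.read()
    else:
        data = SAMPLE_PASSWD
    for key, value in audit(data).items():
        print(f"{key}: {value}")
```

Any login reported as hash-exposed means pwconv has not been run (or an entry was added by hand afterwards); an empty field is worse, since that account has no password at all.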

Web hosting rating - Chapter 6 . Securing Linux 215 results in

Tuesday, July 24th, 2007

results in the passwd command prompting you for joe's new password. It does not prompt you for the user's old password so that root can reset a user's password when that user has forgotten it (an event that happens all too often).

Using a Password File

In early versions of UNIX, all user account and password information was stored in a file that all users could read (although only root could write to it). This was generally not a problem because the password information was encrypted using a trapdoor algorithm, meaning that the clear text password was encoded into a scrambled string of characters before it was stored in the file, and that the string could not be translated back to the nonencoded password.

How does the system check your password in this case? When you log in, the system encodes the password you entered, compares the resulting scrambled string with the scrambled string that is stored in the password file, and grants you access only if the two match. Have you ever asked a system administrator what the password on your account is, only to hear "I don't know" in response? If so, this is why: The administrator really doesn't have the password, only the encrypted version. The nonencoded password exists only at the moment you type it.

Breaking Encrypted Passwords

There is a problem with people being able to see encrypted passwords, however. Although it may be difficult (or even impossible) to reverse the encryption of a trapdoor algorithm, it is very easy to encode a large number of password guesses and compare them to the encoded passwords in the password file. This is orders of magnitude more efficient than trying actual login attempts for each user name and password. If a cracker can get a copy of your password file, the cracker has a much better chance of breaking into your system.

Fortunately, Linux and all modern UNIX systems support a shadow password file by default. The shadow file is a special version of the passwd file that only root can read. It contains the encrypted password information, so passwords can be left out of the passwd file, which any user on the system can read. Linux supports the older, single-password file method as well as the newer, shadow password file. You should always use the shadow password file (it is the default).

Checking for the Shadow Password File

The password file is named passwd and can be found in the /etc directory. The shadow password file is named shadow and is also located in /etc. If your /etc/shadow file is missing, then it is likely that your Linux system is storing the password information in the /etc/passwd file instead. Verify this by displaying the file with the less command:

    # less /etc/passwd

214 Part II . Running (Web server application) the Show Choosing

Tuesday, July 24th, 2007

Choosing Strong Passwords

A strong password is one that is not easily guessed. It should contain a mixture of uppercase and lowercase letters, numbers, and possibly even punctuation, yet still be something you can remember. A good way to choose a strong password is to take the first letter from each word of an easily remembered sentence. The password can be made even better by adding numbers, punctuation, and varied case. The sentence you choose should have meaning only to you, and should not be publicly available (choosing a sentence on your personal Web page is a bad idea). Table 6-4 lists examples of strong passwords and the tricks used to remember them.

Table 6-4: Ideas for Good Passwords

    Password    How to Remember It
    Mrci7yo!    My rusty car is 7 years old!
    2emBp1ib    2 elephants make BAD pets, 1 is better
    ItMc?Gib    Is that MY coat? Give it back

The passwords look like gibberish, but are actually rather easy to recall. Placing emphasis on words that stand for capital letters, for example, makes them simple to remember.

Use the passwd command to change your password. Type passwd in a command shell; you're prompted to enter your old password. To protect against someone shoulder surfing and learning your password, the password is not displayed as you type. If you typed your old password correctly, you are prompted to type in your new password.

The passwd command checks the new password against cracklib to determine if it is a good or bad password. Non-root users are required to try a different password if the one they have chosen is not a good password. The root user is the only user who is permitted to assign bad passwords. Once the password has been accepted by cracklib, the passwd command will ask you to enter the new password a second time to make sure there are no typos (which are hard to detect when you can't see what you are typing).

When running as root, it is possible to change a user's password by supplying that user's login name as a parameter to the passwd command. For example, typing

    # passwd joe

Kids web site - Chapter 6 . Securing Linux 213 . The

Monday, July 23rd, 2007

- The program or service name to which the message pertains.
- The process number (enclosed in square brackets) of the program sending the message.
- The actual text message.

Take another look at the preceding file snippet. In the first two lines, you can see that the network was restarted. The next line shows that the user named chris tried and failed to get to the FTP server on this system from a computer at address 10.0.0.5 (he typed the wrong password and authentication failed). The last line shows chris using the su command to become root user.

By occasionally reviewing the messages and secure files, it's possible to catch a cracking attempt before it is successful. If you see an excessive number of connection attempts for a particular service, especially if they are coming from systems on the Internet, you may be under attack.

Using Password Protection

Passwords are the most fundamental security tool of any modern operating system and consequently, the most commonly attacked security feature. It is natural to want to choose a password that is easy to remember, but very often this means choosing a password that is also easy to guess. Crackers know that on any system with more than a few users, at least one person is likely to have an easily guessed password.

By using the brute force method of attempting to log in to every account on the system and trying the most common passwords on each of these accounts, a persistent cracker has a good shot of finding a way in. Remember that a cracker can automate this attack, so thousands of login attempts are not out of the question. Obviously, choosing good passwords is the first and most important step to having a secure system.

Here are some things to avoid when choosing a password:

- Do not use any variation of your login name or your full name. Even if you use varied case, append or prepend numbers or punctuation, or type it backwards, this will still be an easily guessed password.
- Do not use a dictionary word, even if you add numbers or punctuation to it.
- Do not use proper names of any kind.
- Do not use any contiguous line of letters or numbers on the keyboard (such as "qwerty" or "asdfg").
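The rules in the list above can be turned into a simple pre-check for candidate passwords. This is an added example, not code from the book and not how cracklib works internally; the function names, the five-character run length and the tiny word list are assumptions (proper names would simply be added to that list).

```python
"""Check a candidate password against the "things to avoid" rules above."""
import re

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Tiny stand-in word list (constructed). A real check would load a full
# dictionary plus a list of proper names.
SAMPLE_WORDS = {"password", "secret", "dragon", "linux", "summer"}


def core(candidate):
    """Undo the cheap disguises: fold case and strip leading or trailing
    digits and punctuation, so 'Joe123!' reduces to 'joe'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())


def has_keyboard_run(candidate, min_len=5):
    """True if the candidate contains min_len adjacent keys of one keyboard
    row, typed left to right or right to left."""
    lowered = candidate.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for start in range(len(seq) - min_len + 1):
                if seq[start:start + min_len] in lowered:
                    return True
    return False


def check_password(candidate, login, full_name, words=SAMPLE_WORDS):
    """Return the list of rules the candidate breaks (empty if none).

    An empty list only means none of these rules fired; it is not a
    strength score.
    """
    problems = []
    base = core(candidate)
    names = {login.lower(), *full_name.lower().split()}
    # Rule 1: login or full name, forwards or backwards, any case,
    # with digits or punctuation stuck on either end.
    if any(base in (name, name[::-1]) for name in names if name):
        problems.append("variation of login or full name")
    # Rules 2 and 3: dictionary word or proper name with decoration.
    if base in words or base[::-1] in words:
        problems.append("dictionary word")
    # Rule 4: contiguous keys such as qwerty or asdfg.
    if has_keyboard_run(candidate):
        problems.append("keyboard run")
    return problems


if __name__ == "__main__":
    for pw in ("Joe123!", "nosnhoj7", "Dragon!!", "xQwerty9", "Mrci7yo!"):
        print(pw, check_password(pw, "joe", "Joe Johnson"))
```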

Yahoo web hosting - 212 Part II . Running the Show The

Monday, July 23rd, 2007

The lines beginning with a # character are comments. Other lines contain two columns of information. The left field is a semicolon-separated list (spaces won't work) of message types and message priorities. The right field is the log file to which those messages should be written.

To send the messages to another computer (the loghost) instead of a file, simply replace the log filename with the @ character followed by the name of the loghost. For example, to redirect the output normally sent to the messages, secure, and maillog log files, make these changes to the preceding file:

    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none;cron.none      @loghost
    # The authpriv file has restricted access.
    authpriv.*                                              @loghost
    # Log all the mail messages in one place.
    mail.*                                                  @loghost

The messages will now be sent to the syslogd running on the computer named loghost. The name loghost was not an arbitrary choice. It is customary to create such a host name and make it an alias to the actual system acting as the loghost. That way, if you ever need to switch the loghost duties to a different machine, you only need to change the loghost alias; you do not need to reedit the syslog.conf file on every computer.

Understanding the messages Log File

Because of the many programs and services that record information to the messages log file, it is important that you understand the format of this file. You can get a good early warning of problems developing on your system by examining this file. Each line in the file is a single message recorded by some program or service. Here is a snippet of an actual messages log file:

    Feb 25 11:04:32 toys network: Bringing up loopback interface: succeeded
    Feb 25 11:04:35 toys network: Bringing up interface eth0: succeeded
    Feb 25 13:01:14 toys vsftpd(pam_unix)[10565]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.5 user=chris
    Feb 25 14:44:24 toys su(pam_unix)[11439]: session opened for user root by chris(uid=500)

This is really very simple when you know what to look for. Each message is divided into five main parts. From left to right they are:

- The date and time that the message was logged.
- The name of the computer from which the message came.
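The five-part message layout, and the advice to watch for an excessive number of failed attempts against one service, translate directly into a small log-review script. This is an added example, not code from the book; the function names and the threshold of three failures are assumptions, and three of the sample lines are constructed.

```python
"""Split messages-log lines into their five parts and flag repeated
authentication failures per service and remote host."""
import re

# The 11:04:32, 13:01:14 and 14:44:24 lines are from the snippet above;
# the 13:01:20, 13:01:26 and 13:02:02 lines are constructed.
SAMPLE_LOG = """\
Feb 25 11:04:32 toys network: Bringing up loopback interface: succeeded
Feb 25 13:01:14 toys vsftpd(pam_unix)[10565]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.5 user=chris
Feb 25 13:01:20 toys vsftpd(pam_unix)[10566]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.5 user=mary
Feb 25 13:01:26 toys vsftpd(pam_unix)[10567]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=10.0.0.5 user=root
Feb 25 13:02:02 toys sshd(pam_unix)[10601]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.7 user=joe
Feb 25 14:44:24 toys su(pam_unix)[11439]: session opened for user root by chris(uid=500)
"""

# date/time, host name, program name, optional [pid], message text
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^:\[\s]+)"
    r"(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")  # key=value pairs inside a pam_unix message


def parse_line(line):
    """Return the five parts as a dict, or None if the line does not match."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    record["pid"] = int(record["pid"]) if record["pid"] else None
    return record


def auth_failures(text):
    """Yield (service, remote_host, user) for each authentication failure."""
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        if not record["message"].startswith("authentication failure"):
            continue
        fields = dict(KV_RE.findall(record["message"]))
        service = record["program"].split("(")[0]  # vsftpd(pam_unix) -> vsftpd
        yield service, fields.get("rhost") or "local", fields.get("user") or "?"


def failures_by_source(text):
    """Group failures by (service, remote_host) with a count and the users tried."""
    summary = {}
    for service, rhost, user in auth_failures(text):
        entry = summary.setdefault((service, rhost), {"count": 0, "users": set()})
        entry["count"] += 1
        entry["users"].add(user)
    return summary


def noisy_sources(text, threshold=3):
    """Sources with at least `threshold` failures (threshold is an assumption)."""
    return {src: info for src, info in failures_by_source(text).items()
            if info["count"] >= threshold}


if __name__ == "__main__":
    for (service, rhost), info in noisy_sources(SAMPLE_LOG).items():
        print(f"{service} from {rhost}: {info['count']} failures, "
              f"users tried: {sorted(info['users'])}")
```

One remote host failing against several different user names in a short window, as 10.0.0.5 does in the sample, is the pattern the text describes as a sign of password guessing.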

Chapter 6 . Securing Linux 211 are not, (Cpanel web hosting)

Monday, July 23rd, 2007

are not, by default, encrypted. Anyone tapping into your local network can eavesdrop on those messages as they pass from one machine to another. Also, although the cracker may not be able to change old log entries, he can affect the system such that any new log messages should not be trusted.

It is not uncommon to run a dedicated loghost, a computer that serves no other purpose than to record log messages from other computers on the network. Because this system runs no other services, it is unlikely that it will be broken into. This makes it nearly impossible for a cracker to erase his or her tracks, but it does not mean that all of the log entries are accurate after a cracker has broken into a machine on your network.

Redirecting Logs to a Loghost with syslogd

To redirect your computer's log files to another computer's syslogd, you must make some changes to your local syslogd's configuration file, /etc/syslog.conf. Become root using the su - command and then load the /etc/syslog.conf file in a text editor (such as vi). You should see something similar to this:

    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.*                                                 /dev/console
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;news.none;authpriv.none;cron.none      /var/log/messages
    # The authpriv file has restricted access.
    authpriv.*                                              /var/log/secure
    # Log all the mail messages in one place.
    mail.*                                                  /var/log/maillog
    # Log cron stuff
    cron.*                                                  /var/log/cron
    # Everybody gets emergency messages
    *.emerg                                                 *
    # Save news errors of level crit and higher in a special file.
    uucp,news.crit                                          /var/log/spooler
    # Save boot messages also to boot.log
    local7.*                                                /var/log/boot.log
    #
    # INN
    #
    news.=crit                                              /var/log/news/news.crit
    news.=err                                               /var/log/news/news.err
    news.notice                                             /var/log/news/news.notice

Web file server - 210 Part II . Running the Show Table

Sunday, July 22nd, 2007

Table 6-3 (continued)

    System Logs Name | Filename | Description
    Security Log | secure | Records the date, time, and duration of login attempts and sessions.
    System Log | messages | A general-purpose log file to which many programs record messages.
    Update Agent Log | up2date | Contains messages resulting from actions by the Red Hat Update Agent.
    X.Org X11 Log | Xorg.0.log | Includes messages output by the X.Org X server.
    * | gdm/:0.log | Holds messages related to the login screen (GNOME display manager).
    * | samba/log.smbd | Shows messages from the Samba SMB file service daemon.
    * | squid/access.log | Contains messages related to the squid proxy/caching server.
    * | vsftpd.log | Contains messages relating to transfers made using the vsFTPd daemon (FTP server).
    * | sendmail | Shows error messages recorded by the sendmail daemon.
    * | uucp | Shows status messages from the UNIX to UNIX Copy Protocol daemon.

    * Indicates a log file that is not contained in the System Logs window. Access these files directly from /var/log.

The Role of Syslogd

Most of the files in the /var/log directory are maintained by the syslogd service. The syslogd daemon is the System Logging Daemon. It accepts log messages from a variety of other programs and writes them to the appropriate log files. This is better than having every program write directly to its own log file because it enables you to centrally manage how log files are handled.

It is possible to configure syslogd to record varying levels of detail in the log files. It can be told to ignore all but the most critical messages, or it can record every detail. The syslogd daemon can even accept messages from other computers on your network. This is particularly handy because it enables you to centralize the management and reviewing of the log files from many systems on your network.

There is also a major security benefit to this practice. If a system on your network is broken into, the cracker cannot delete or modify the log files because those files are stored on a separate computer. It is important to remember, though, that those log messages

Chapter 6 . Securing Linux 209 (Web server iis) To view

Sunday, July 22nd, 2007

To view a particular log file, click the log name in the left column. If you are looking for a particular message or problem, type a keyword into the Filter For box, and click Filter. Only lines containing that keyword are displayed. Case matters, so searching for Mem won't find mem when you use the filter. Click Reset to display the whole file again.

Table 6-3 contains a listing of log files displayed in the System Logs window, along with other files in the /var/log directory that may interest you. Many of these files are included with most Linux systems.

Table 6-3: Log Files in the /var/log Directory

    System Logs Name | Filename | Description
    Boot Log | boot.log | Contains messages indicating which systems services have started and shut down successfully and which (if any) have failed to start or stop. The most recent bootup messages are listed near the end of the file.
    Cron Log | cron | Contains status messages from the crond, a daemon that periodically runs scheduled jobs, such as backups and log file rotation.
    Kernel Startup Log | dmesg | A recording of messages printed by the kernel when the system boots.
    FTP Log | xferlog | Contains information about files transferred using the wu-ftpd FTP service.
    Apache Access Log | httpd/access_log | Logs requests for information from your Apache Web server.
    Apache Error Log | httpd/error_log | Logs errors encountered from clients trying to access data on your Apache Web server.
    Mail Log | maillog | Contains information about addresses to which and from which e-mail was sent. Useful for detecting spamming.
    MySQL Server Log | mysqld.log | Includes information related to activities of the MySQL database server (mysqld).
    News Log | spooler | Directory containing logs of messages from the Usenet News server if you are running one.
    RPM Packages | rpmpkgs | Contains a listing of RPM packages that are installed on your system.

Continued

208 Part II . Running the Show to (Dedicated web hosting)

Sunday, July 22nd, 2007

to grant universal access to a particular service may be easier than typing in a long list of subnets or domains, but better a few minutes spent on proper security measures than many hours recovering from a break-in.

You can further restrict access to services by using various options within the /etc/xinetd.conf file, even to the point of limiting access to certain services to specific times of the day. Read the manual page for xinetd (by typing man xinetd at a command prompt) to learn more about these options.

Detecting Intrusions from Log Files

If you make use of good firewalling practices as described in Chapter 17, you will be well prepared to mitigate and prevent most cracker attacks. If your firewall should fail to stop an intrusion, you must be able to recognize the attack when it is occurring. Understanding the various (and numerous) log files in which Linux records important events is critical to this goal. The log files for your Linux system can be found in the /var/log directory.

Most Linux systems make use of log-viewing tools, either provided with the desktop environment (such as GNOME) or as a command you can execute from a terminal window. Fedora Core and Red Hat Enterprise Linux come with a System Logs window (system-logviewer command) that you can use to view and search critical system log files from the GUI. To open the System Logs window in Fedora, from the main desktop menu, select System Tools → System Logs. Figure 6-1 shows an example of the System Logs window.

Figure 6-1: Display system log files in the System Logs window.