Linux Password strength

It’s a pain to enforce password length it always causes you to reset passwords over and and over again but it does provide better security. So here is how you enforce it in Linux. Inside the /etc/pam.d/system-auth file you modify the pam_cracklib.so line:

pam_cracklib.so retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1

So these settings are: (retry=3) allow 3 login trys, (minlen=10) minimum password length 10, (lcredit=-1) Minimum number of lower case letters is 1, (ucredot=-1) Minimum upper case is 1, (dcredit=-1) Minimum number of digits is 1, (ocredit=-1) Minimum number of other characters is 1.

To remember old passwords then add a line to pam_unix.so (this will remember 10 past passwords and they cannot be used sooner than minimum password change length times passwords to remember.)

pam_unix.so remember=10

If you want to enforce that the new password has different characters than previous remembered ones then add the following to pam_cracklib.so. At least 2 characters

pam_cracklib.so difok=2

Locking Linux Accounts

In order to lock a linux account a change of the password is the best option. Linux provides an automated method for locking accounts. To Lock an account (change password to something that is not typeable puts a ‘!!’ in front of the password)

passwd -l username

To unlock the account (change the password back to original value)

passwd -u username

To display password information on user (root only) This will display seven fields (username, status, date of creation, minimum password age, maximum password age, Number of days before password expires, minimum password length) in addition RHEL adds a translation for status after the seventh field.

passwd -S username

jacko LK 2010-01-30 0 99999 7 -1 (Password locked.)

Linux password expiration and warnings

We all know changing your password every so often is a good idea. Along with the idea of changing your password come the idea of forcing users to change their password, because unless you force it they will never change it. In linux (redhat) this is handled by the chage command.

To set the minimum life of a password in days:

chage -m days username

To set the maximum life of a password to days:

chage -M days username

To set the number of days an account can be inactive (after password expire) before it’s locked:

chage -I days username

To set the date after which an account is inaccessable:

chage -E date username

To set an advanced warning, in days, of an upcomming password change:

chage -W days username

To display current expiration information (can be done by users)

chage -l username

All of this information is also stored inside /etc/login.defs for example a default file looks like:

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7

Find Linux WWID’s and Fiber Channel Storage

Enterprise Linux the very term usually refers to some type of storage area network normally fiber channel.   In all my experience I have not yet met a storage administrator who went to formal storage training.  So it’s no doubt that there are some weaknesses when it comes to storage with linux.  Here are some of the storage basics.    This article assumes you already have a working knowledge of WWID’s, WWN’s and fiber channel storage.

There are multiple WWID’s involved in the process here are a few:

How many WWID's do we need

As you can see we need a lot of WWID’s to make fiber channel storage work.  This article will focus on getting the Storage LUN WWID from the server.  This will allow us to identify our mount points to storage LUN’s.

First thing to identify is the SCSI WWID this is used by Linux Native Multipathing (MPIO) this is found by using the following command (for device sda):

scsi_id -g -u -s /block/sda
38001438005dea3760000700002660000

This will return the SCSI device WWID not to be confused with any other WWID’s.  If you want to know more information about the device you can get a manufactures label by using:

scsi_id -g -u /dev/sda

A lot of this information is stored in /dev/disk in various directories:

[table id=3 /]

The information we want is inside /dev/disk/by-path which looks like this:

lrwxrwxrwx 1 root root   10 Jan 22 13:48 scsi-38001438005dea3760000700002660000 -> ../../sdfj

So in this case the SCSI WWID is 38001438005dea3760000700002660000 while the LUN WWID is :
8001-4380-05de-a376-0000-7000-0266-0000

That’s about it. Now just tie that to your storage system.

iptables Block all outgoing traffic

What is the use of blocking out going traffic?  Imagine if you have a web server and you want to allow customers to access your webserver but you do not want to allow rogue software to send message from yoru web server to other people.  This rule is for you.

iptables -A OUTPUT -m state –state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -j REJECT

iptables Personal PC Firewalls

The average personal PC has need to be able to reach out into the internet and communicate but no need for people to reach from the internet to your PC.  This set of rules takes advantage of the stateful nature of iptables to allow incomming messages on ESTABLISHED (prevously set by OUTPUT) connections.

iptables -A input -m state –state ESTABLISHED -j ACCEPT

iptables -A input -j REJECT

Quick Script to identify WWID on New Lun’s in Linux when using MPIO

Well the other day I had to add a lot of LUN’s to a new system and one of the key elements is writting down the SCSI WWID when I add a LUN so I can tie that back to the storage.   So i wrote a simple script to scan the SCSI bus identify new lun’s and provide their WWID via multipath.   This will only work with some HBA’s and if your using Linux MPIO.

#!/bin/bash
echo "- - -" > /sys/class/scsi_host/host0/scan
echo "- - -" > /sys/class/scsi_host/host1/scan
echo "- - -" > /sys/class/scsi_host/host2/scan
echo "- - -" > /sys/class/scsi_host/host3/scan
ls -altr /dev/sd* | tail -n1 | awk '{ print $10 }' \
| sed 's/\/dev\///g' | awk '{print "/sbin/multipath -v3 \
| grep " $1 " | grep undef"}' > out
chmod 755 out
./out 
rm -f out

MythTV Automatic Email of new Pilots Report

Over the years I have written a ton of reports for MythTV.  This particular report sends an email using an smtp email account with all the new shows with pilot as a subtitle.  This allows me to quickly scan new shows for things I want to record.  I wrote it in php since most Myth systems are running php for MythWeb.    I know it’s not the cleanest code but it works for me.  I have bolded items that you need to customize for your environment.  I load it in as a weekly cron job and it’s good to go:

new_pilot.php

MythTV Automatic Email of TV pilots

Over the years I have written a ton of reports for MythTV.  This particular report sends an email using an smtp email account with all the Shows with pilot as a subtitle.  This allows me to quickly scan new shows for things I want to record.  I wrote it in php since most Myth systems are running php for MythWeb.    I know it’s not the cleanest code but it works for me.  I have bolded items that you need to customize for your environment.  I load it in as a weekly cron job and it’s good to go:

all_pilots.php