Review
Product Description
Computer security is an ongoing process, a relentless contest between system administrators and intruders. A good administrator needs to stay one step ahead of any adversaries, which often involves a continuing process of education. If you're grounded in the basics of security, however, you won't necessarily want a complete treatise on the subject each time you pick up a book. Sometimes you want to get straight to the point. That's exactly what the new Linux Security Cookbook does. Rather than provide a total security solution for Linux computers, the authors present a series of easy-to-follow recipes--short, focused pieces of code that administrators can use to improve security and perform common tasks securely.
The Linux Security Cookbook includes real solutions to a wide range of targeted problems, such as sending encrypted email within Emacs, restricting access to network services at particular times of day, firewalling a webserver, preventing IP spoofing, setting up key-based SSH authentication, and much more. With over 150 ready-to-use scripts and configuration files, this unique book helps administrators secure their systems without having to look up specific syntax. The book begins with recipes devised to establish a secure system, then moves on to secure day-to-day practices, and concludes with techniques to help your system stay secure.
Some of the "recipes" you'll find in this book are:
- Controlling access to your system from firewalls down to individual services, using iptables, ipchains, xinetd, inetd, and more
- Monitoring your network with tcpdump, dsniff, netstat, and other tools
- Protecting network connections with Secure Shell (SSH) and stunnel
- Safeguarding email sessions with Secure Sockets Layer (SSL)
- Encrypting files and email messages with GnuPG
- Probing your own security with password crackers, nmap, and handy scripts
About the Author
Dan Barrett has been immersed in Internet technology since 1985. Currently working as a software engineer, Dan has also been a heavy metal singer, Unix system administrator, university lecturer, web designer, and humorist. He has written several O'Reilly books, as well as monthly columns for Compute! and Keyboard Magazine. Dan and his family reside in Boston.
Richard E. Silverman has a B.A. in computer science and an M.A. in pure mathematics. Richard has worked in the fields of networking, formal methods in software development, public-key infrastructure, routing security, and Unix systems administration. He is the co-author of SSH, The Secure Shell: The Definitive Guide.
Excerpted from Linux Security Cookbook by Daniel J. Barrett, Richard Silverman, Robert G. Byrnes. Copyright © 2003. Reprinted by permission. All rights reserved.
Problem
You want to check that all login passwords in your system password database are strong.
Solution
Use John the Ripper, a password-cracking utility from the Openwall Project. After the software is installed, run:
# cd /var/lib/john
# umask 077
# unshadow /etc/passwd /etc/shadow > mypasswords
# john mypasswords
Cracked passwords will be written into the file john.pot. Cracked username/password pairs can be shown after the fact (or during cracking) with the -show option:
# john -show mypasswords
You can instruct john to crack the passwords of only certain users or groups with the options -users:u1,u2,... or -groups:g1,g2,..., e.g.:
# john -users:smith,jones,akhmed mypasswords
Running john with no options will print usage information.
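The recipe above, wrapped in a script so that the re-integrated passwd/shadow file only ever exists in a mode-0700 temporary directory that is wiped when the audit ends, and so that the report names only the accounts whose passwords were cracked, never the passwords themselves. This is an added example, not code from the book; it assumes john and unshadow are on PATH and that it is run as root, and the sample john -show output in the comments is constructed.

```shell
#!/bin/sh
# Added example (not from the Linux Security Cookbook): safer handling of
# the unshadow/john recipe, plus parsing of "john -show" output.

# "john -show" prints one "user:password:uid:gid:gecos:home:shell" line per
# cracked account, then a summary such as "2 password hashes cracked, 1 left".
# Print just the account names (field 1) of the cracked entries.
weak_accounts() {
    awk -F: '/^[^:]+:[^:]*:[0-9]+:/ { print $1 }'
}

# Number of cracked hashes taken from the summary line; 0 if none was cracked.
cracked_count() {
    awk '/password hash(es)? cracked/ { n = $1 } END { print n + 0 }'
}

# Run the audit. The combined file inherits umask 077, lives in a private
# temp directory and is removed on exit even if john is interrupted.
audit_passwords() {
    umask 077
    workdir=$(mktemp -d) || return 1
    trap 'rm -rf "$workdir"' EXIT INT TERM
    unshadow /etc/passwd /etc/shadow > "$workdir/mypasswords"
    # Uses the wordlist/rules configured in /var/lib/john/john.ini.
    john "$workdir/mypasswords" > /dev/null 2>&1
    john -show "$workdir/mypasswords" > "$workdir/show.txt"
    n=$(cracked_count < "$workdir/show.txt")
    if [ "$n" -eq 0 ]; then
        echo "No passwords cracked."
        return 0
    fi
    echo "$n crackable password(s); accounts that need a reset:"
    weak_accounts < "$workdir/show.txt"
    return 1   # non-zero so a cron job or wrapper notices weak passwords
}

# Only run the audit when explicitly asked, e.g.:  sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_passwords
fi
```

The script exits non-zero when any password was cracked, so it can be scheduled and its status checked; john.pot in /var/lib/john still retains the cracked passwords, as the recipe notes.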
Discussion
SuSE distributes John the Ripper, but Red Hat does not.[7.15]
Unpack the source:
$ tar xvzpf john-*.tar.gz
Prepare to compile:
$ cd `ls -d john-* | head -1`/src
$ make
This will print out a list of targets for various systems; choose the appropriate one for your host, e.g.:
linux-x86-any-elf Linux, x86, ELF binaries
and run make to build your desired target, e.g.:
$ make linux-x86-any-elf
Install the software, as root:
# cd ../run
# mkdir -p /usr/local/sbin
# umask 077
# cp -d john un* /usr/local/sbin
# mkdir -p /var/lib/john
# cp *.* mailer /var/lib/john
Then use the recipe we've provided.
By default, Red Hat 8.0 uses MD5-hashed passwords stored in /etc/shadow, rather than the traditional DES-based crypt() hashes stored in /etc/passwd; this is effected by the md5 and shadow directives in /etc/pam.d/system-auth:
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
The unshadow command gathers the account and hash information together again for cracking. This information should not be publicly available for security reasons (that's why it is split up in the first place), so be careful with this re-integrated file. If your passwords change, you will have to re-run the unshadow command to build an up-to-date password file for cracking.
In general, cracking programs use dictionaries of common words when attempting to crack a password, trying not only the words themselves but also permutations, misspellings, alternate capitalizations, and so forth. The default dictionary (/var/lib/john/password.lst) is small, so obtain larger ones for effective cracking. Also, add words appropriate to your environment, such as the names of local projects, machines, companies, and people.
Concatenate your desired word lists into a single file, and point to it with the wordlist directive in /var/lib/john/john.ini.
john operates on a file of account records, so you can gather the password data from many machines and process them in one spot. You must ensure, however, that they all use the same hashing algorithms compiled into the version you built on your cracking host. For security, it might be wise to gather your account databases, then perform the cracking on a box off the network, in a secure location.
There are other crackers available, notably Crack by Alec Muffet. [9.2] We feature John the Ripper here not because it's necessarily better, but because it's simpler to use on Red Hat 8.0, automatically detecting and supporting the default MD5 hashes.