Восстановление root пароля в Debian

Во время загрузки grub в параметры ядра дописать:
init=/bin/sh rw
Далее система дозагружается без запроса логина
меняем пароль и перегружаемся

IPS 4240 бекап данных

Проверка доступности удаленного сервера по ssh
[pnadmin]$ pnsshfs
usage: pnsshfs  [<username>@]<host IP>:<dir> [-v]
[pnadmin]$ pnsshfs marsuser@192.168.253.13:/
The fingerprint for RSA key sent by the remote is
23:73:6e:c7:e8:f9:84:89:47:b8:62:4f:fa:6f:9e:b9
Do you want to use this key? (yes/no) yes
Type password:
pnsshfs: check success

Далее входим в режим экспорта данных
[pnadmin]$ pnexp

Enter 'help' for a list of valid commands, 'exit' or 'quit' to exit.
pnexp>

Будем писать на 192.168.253.13, пока в домашнюю директорию (/home/marsuser)
pnexp> export config sftp:192.168.253.13:
WARNING: this will stop CS-MARS, do you wish to continue (yes/no): yes

Please enter username on 192.168.253.13: marsuser
Please enter password for marsuser:

Staging secure mounting, please be patient ...
!!! The exported config data is saved under sub-directory of sftp:192.168.253.13:/pnmars_2012-02-28-14-47-20
!!! Stopping CS-MARS processes ...
!!! Exporting config data now

Dumping configuration data, may take a while ...
Configuration dump finished.
Sanity checking for post config data export ...
Config file size check OK ...
Exported config data sanity check passed.
Configdump to /tmp/pnexport/pnmars_2012-02-28-14-47-20 finished successfully.


pnexp> exit
[pnadmin]$

Зеркалирование трафика на Debian Squeeze

Скачать xtables-addons-1.41 с их сайта http://xtables-addons.sourceforge.net/



cd  xtables-addons-1.41







Убеждаемся что параметру build_TEE выставлено значение m

cat ./mconfig
# -*- Makefile -*-
#
build_ACCOUNT=m
build_CHAOS=m
build_CHECKSUM=
build_DELUDE=m
build_DHCPMAC=m
build_DNETMAP=m
build_ECHO=
build_IPMARK=m
build_LOGMARK=m
build_RAWNAT=m
build_STEAL=m
build_SYSRQ=m
build_TARPIT=m
build_TEE=m
build_condition=m
build_fuzzy=m
build_geoip=m
build_gradm=m
build_iface=m
build_ipp2p=m
build_ipset6=
build_ipv4options=m
build_length2=m
build_lscan=m
build_pknock=m
build_psd=m
build_quota2=m


./configure
make 
make install

Сниферить трафик можно перенаправив его в другой порт
iptables -t mangle -A PREROUTING -i eth0 -j TEE --gateway 1.1.1.2

Утилита mii-tool

В инструкции написано, что утилита предназначена для просмотра и управления статусом сетевых интерфейсов. Данная утилита в принципе
должна использоваться сетевым адаптером для автоопределения скорости и режима дуплекса.

Работа с утилитой

Переключение в 10 мегабитный полнодуплексный режим:

[root@pra etc]mii-tool -F 10baseT-FD eth0

[root@pra etc]# mii-tool -v
eth0: 10 Mbit, full duplex, link ok
product info: vendor 00:10:18, model 23 rev 6
basic mode: 10 Mbit, full duplex
basic status: link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 10baseT-FD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control

Переключение в 100 мегабитный полнодуплексный режим:

[root@pra etc]# mii-tool -F 100baseTx-FD eth0

[root@pra etc]# mii-tool -v
eth0: 100 Mbit, full duplex, link ok
product info: vendor 00:10:18, model 23 rev 6
basic mode: 100 Mbit, full duplex
basic status: link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 10baseT-FD flow-control
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control

Debian timeout ssh session

cat /etc/profile 


....
TMOUT=600
export PATH TMOUT
....

cat /etc/sudoers

...
Defaults        env_keep+=TMOUT
...

cat /etc/ssh/sshd_config
...
ClientAliveInterval 900
ClientAliveCountMax 1
...

Отключение повторения повторяющихся ранее введенных команд
cat /etc/bash.bashrc
export HISTCONTROL=ignoreboth
export HISTSIZE=2000

Grant root access for IP Address: 192.168.1.10 ONLY

1. vi /etc/pam.d/sshd and append
account    required     pam_access.so

2. vi /etc/security/access.conf and add as shown below
#Denied ALL
- : root : ALL
# ONLY allow IP 192.168.1.10
+ : root : 192.168.1.10.

 --> 
 First step is to modify the common-{auth, account, password, session} 
 files since they are included in all specific programs PAM files.
 

 

 01- Don't accept NULL passwords in any 
 program by removing the nullok option:

 In /etc/pamd.d/common-auth 
 file: 

 auth required pam_unix.so
 

 

 02- Disallow root logins from anywhere 
 (pam.d/su will be modified not to include common-auth):

 emptying the /etc/securetty:

 $ : > /etc/securetty

 In /etc/pam.d/common-auth:

 auth requisite pam_securetty.so

 
 Note: Emptying the 
 securetty file without adding the above line will have no effect.

 

 03- Let only users set on /etc/security/access.conf 
 be able to login (assuming they already passed the above
 stacked rules).

 In /etc/security/access.conf:
 

 # Accept `root' and `ahmed' logins only 
 (till the system go mainstream)

 +:root:ALL
 

 +:ahmed:ALL

 -:ALL:ALL

 In /etc/pam.d/common-account:
 

 account required pam_access.so
 

 

 04- Enable large passwords (> 8) by using 
 MD5. Also let user chosen passwords be tested by
 cracklib which checks user desired passwords 
 against dictionaries and other common password patterns.
 

 $ # 
 Several dictionaries to be used by cracklib

 $ apt-get install wbritish wamerican 
 wfrench wdutch 

 $ # cracklib installation. If 
 PAM rules are set without it, no passwords could be changed!

 $ apt-get install cracklib2 
 

 $ # Install the pam_cracklib module

 $ apt-get install libpam-cracklib

 Add the PAM rules to satisfy the following 
 conditions in desired passwords:

 a- Minimum difference between a new and 
 old password = 4
 

 b- Minimum 
 length = 12
 

 c- Prompt user at most 4 times before 
 running with error

 d- At 
 least 2 digits,
 2 upper case letters,
 2 lower case ones and
 2 other (!#$...) letters

 In /etc/pam.d/common-password:
 

 password required pam_cracklib.so retry=4 
 minlen=12 difok=4 \ dcredit=-2 
 ucredit=-2 lcredit=-2 ocredit=-2
 

 password required pam_unix.so use_authtok md5
 

 Note: The use_authtok 
 directive is necessary to hand over the password from the previous module

 

 05- Many programs use $TMPDIR for storing 
 temporary files. Not all of them are good at 
 securing the permissions of those files. PAM tmpdir module sets $TMPDIR 
 and $TMP for PAM sessions to /tmp/user/[uid]. Permissions are tight since /tmp/user 
 is only read/write by root. /tmp/user/[uid] is only {read, write, execut}able 
 by that user.This leads to an extra layer of security, making symlink attacks 
 and other /tmp based attacks harder or impossible.
 

 $ apt-get install libpam-tmpdir

 in /etc/pam.d/common-session:

 session optional pam_tmpdir.so
 

 

 06- UMASK usage in login.conf is discouraged 
 cause it catches only entries made through login, while setting umask in shell 
 rc files will catch also logins through su, cron, ssh but not other shells. 
 At the same time, using shell rc to set umask won't catch entries which user 
 uses non-shell executables in place of login shell, like the ppp daemon. To 
 solve all of this ambiguity and
 redundancy problems, it's best to use 
 the pam_umask PAM module.

 $ apt-get install libpam-umask

 In /etc/pam.d/common-session:

 session optional pam_umask.so umask=007
 

--> Second step is to modify the pam.d/others file. if a PAM-aware service exists with no specific PAM file, the `other' file will be used. This file will deny all services but issue a warning in the logs to the sleeping admin! ( not my type, right ? ;) )

$ : > /etc/pamd.d/other
In /etc/pam.d/other:
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so

--> Third step is to modify the PAM files related to each PAM-aware app as follows:

1- Login, ssh:
01- Remove System details from login/ssh screens
In /etc/pam.d/login:
session optional pam_motd.so motd=/etc/motd
$ cat > /etc/motd.tail
If any problem is found, contact Ahmed S. Darwish - the server admin - at darwish.07 gmail com
Thanks
^D
$ # /etc/motd is a symbolic link for /var/run/motd
$ sed -i 's#uname -snrvm > /var/run/motd#: > /var/run/motd/#' /etc/init.d/bootmisc.sh
$ cat > /etc/issue
Faculity of Computer Science and Information Unix Lab
^D
In /etc/pam.d/login:
auth required pam_issue.so issue=/etc/issue

02- Passwd:
Above customized defaults in common-password are enough.

03- su:
01- Let root be able to do "su" to anything
auth sufficient pam_rootok.so

02- Let the group "wheel" (gid = 0) be the only group allowd to invoke a `su' to root.
$ groupadd wheel && usermod -G wheel ahmed
In /etc/pam.d/su:
auth required pam_wheel.so use_uid

03- Don't use the customized defaults found in common-auth since it does not allow root logins. If it's included, as in the out of the box configuration, you won't be able to access root by any means (except by using init=/bin/sh as a kernel parameter).
$ sed -i 's/@include common-auth/#@include common-auth/' /etc/pam.d/su
$ echo "auth required pam_unix.so" >> /etc/pamd.d/su


 http://www.softpanorama.org/Commercial_linuxes/Security/linux_pam.shtml

Отлючить авторизацию на console

aaa new-model
aaa authentication login CONSOLE none
aaa authorization exec CONSOLE none
enable secret cisco


aaa authorization console
line con 0
 login authentication CONSOLE
 authorization exec CONSOLE

Подробнее тут конечно... 

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080093c81.shtml