Thursday, December 17, 2009

SED-Replace multiple lines with a single line

A useful sed idiom: join a matched line with the line that follows it and replace the pair with a single line. The N command appends the next input line to the pattern space (separated by a newline), so a substitution can then match text that spans the two lines.

$ cat -n file.txt
1 hello world
2 Hello nobody
3 nobody
4 Somebody
5 anybody

To replace lines 2 and 3 with the single line "Hello everybody":

$ sed '/nobody$/{N;s/Hello nobody\nnobody/Hello everybody/}' file.txt
hello world
Hello everybody
Somebody
anybody

Without -i (or a redirect to a new file) sed only writes the result to stdout and file.txt itself is unchanged. Two caveats: the address must be specific enough to select only the first line of the pair (here it is anchored with $ so that "Hello nobody" matches but "anybody" does not), and if the address matches the last line of the file N has nothing to append; GNU sed then prints the pattern space and exits, POSIX sed exits without printing it. Writing $!N instead of N avoids both behaviours.
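The join above, as an added example (not part of the original post), wrapped in functions with a constructed five-line input so it can be run and checked offline. It also adds the $!N guard for a match on the last line and a generalised form that takes the address and the two patterns as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: the two-line join wrapped in
# functions so it can be run and checked offline. The sample input is
# constructed here; "nobody"/"everybody" are the strings from the post.

# Constructed sample input, five lines.
make_sample() {
    printf '%s\n' 'hello world' 'Hello nobody' 'nobody' 'Somebody' 'anybody'
}

# Join a line ending in "nobody" with the line after it, then replace the pair.
# $!N: only pull in the next line when this is not the last line, so a match
# on the final line neither makes POSIX sed exit early nor makes GNU sed
# print the unjoined line.
join_nobody() {
    sed '/nobody$/{$!N;s/Hello nobody\nnobody/Hello everybody/}'
}

# Generalised form: $1 = address regex for the first line of the pair,
# $2 = regex spanning both lines (use \n for the boundary), $3 = replacement.
# '/' is the delimiter, so the caller's patterns must not contain one.
join_pair() {
    sed "/$1/{\$!N;s/$2/$3/}"
}

# Line count without the padding some `wc -l` builds add.
line_count() {
    sed -n '$='
}

if [ "${1-}" = "demo" ]; then
    make_sample | join_nobody
fi
```

Run `sh join.sh demo` (any file name) to see the four-line result; feed the function from `sed -i` or a redirect when the file itself has to change.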

SMTP authentication through TELNET

It is common to telnet to port 25 of a mail server to check connectivity and confirm that mail flows. The same session can be used to test SMTP authentication.

$ telnet yourmailserver 25
Type "EHLO yourhost" and hit Enter. Use EHLO rather than HELO: AUTH is an ESMTP extension, and the EHLO reply shows whether the server offers it and with which mechanisms (AUTH LOGIN, AUTH PLAIN, ...).

Then type "AUTH LOGIN". The server answers with two Base64 challenges, 334 VXNlcm5hbWU6 ("Username:") and 334 UGFzc3dvcmQ6 ("Password:"); answer each with the Base64 encoding of your e-mail ID and of your password. A 235 reply means the authentication succeeded, 535 that it failed.

The post pointed at the web converters at WebPan and Ostermiller for producing the Base64 values. Encode locally instead, e.g. printf '%s' 'user@example.com' | base64, rather than handing a real password to a third-party site. Base64 is an encoding, not encryption: over a plain telnet session the credentials cross the network in the clear, so do this only with a test account or, better, run the same dialogue inside TLS with openssl s_client -starttls smtp -crlf -connect yourmailserver:25. A properly configured server does not offer AUTH until STARTTLS has been negotiated.
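An added example (not from the original post) that builds the client side of AUTH LOGIN and AUTH PLAIN offline, so the Base64 values can be checked before they are pasted into a session. The user name, password and host name are constructed placeholders; the generated session is meant to be piped into openssl s_client rather than telnet.

```shell
#!/bin/sh
# Added example, not from the original post: build the client side of an
# SMTP AUTH LOGIN / AUTH PLAIN exchange offline. User name, password and
# host name used by the callers are constructed placeholders.

# Base64 of a string with no trailing newline (the session adds its own CRLF).
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a 334 challenge such as "334 VXNlcm5hbWU6" to see what is being asked.
decode_challenge() {
    printf '%s' "${1#334 }" | base64 -d
}

# The three client lines of AUTH LOGIN, one per line, ready to paste.
auth_login_lines() {            # $1 = user name, $2 = password
    printf 'AUTH LOGIN\n%s\n%s\n' "$(b64 "$1")" "$(b64 "$2")"
}

# AUTH PLAIN sends everything in one line: base64("\0user\0password").
# NUL bytes cannot live in a shell variable, so encode straight from printf.
auth_plain_line() {             # $1 = user name, $2 = password
    printf 'AUTH PLAIN %s\n' "$(printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Whole client script for a TLS-protected test. Pipe the output into
#   openssl s_client -starttls smtp -crlf -quiet -connect yourmailserver:25
# (-crlf turns LF into CRLF; -quiet also stops s_client from treating a line
# beginning with Q as its own quit command) instead of a telnet session,
# so the credentials are never sent in the clear.
smtp_auth_session() {           # $1 = our host name, $2 = user, $3 = password
    printf 'EHLO %s\n' "$1"
    auth_login_lines "$2" "$3"
    printf 'QUIT\n'
}
```

Read the 334 challenges with decode_challenge when a server uses a non-standard prompt; the reply you send is always the Base64 of the raw value, never of the value plus a newline.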


echo colourfully

num.txt holds one ANSI colour number per line (0 to 7); \E[3Nm selects foreground colour N, \E[47;3Nm adds a white background, \033[1m turns on bold and \033[0m resets the attributes.

# for i in `cat num.txt`; do echo -en '\E[3'$i'm'"\033[1mPsycho Tux\033[0m " ; done;
# for i in `cat num.txt`; do echo -en '\E[47;3'$i'm'"\033[1mPsycho Tux\033[0m " ; done;

# cat num.txt

Block direct SSH to root, but not to root equivalent

PermitRootLogin no in /etc/ssh/sshd_config refuses every login that would end up as UID 0, not just the account named root: sshd checks the numeric UID of the account, so a root-equivalent account (a second UID 0 entry in /etc/passwd) is blocked as well. To let such an account in while still keeping the root account itself out, leave PermitRootLogin alone and whitelist accounts by name instead:

# vi /etc/ssh/sshd_config

###PermitRootLogin no
AllowUsers newuser guest psychotux hari
DenyUsers root

# /etc/init.d/sshd restart

The accounts listed after AllowUsers may be ordinary users or UID 0 aliases. AllowUsers is a whitelist, so any account not on it is locked out; DenyUsers root is then redundant but documents the intent. Keep an existing session open while restarting sshd and test from a second session before logging out. A UID 0 alias is itself a weak point: it carries root's full privileges while making audit logs harder to attribute, so where policy allows, prefer a normal account with sudo.
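Two checks that go with the change above, added here as an example and not part of the original post: listing every UID 0 account (all of them are refused by PermitRootLogin no) and predicting whether a given name gets past the AllowUsers/DenyUsers lines. The passwd and sshd_config contents are constructed from the post's user names; the matcher is a simplified model of sshd's evaluation that ignores patterns, user@host forms and the group directives.

```shell
#!/bin/sh
# Added example, not from the original post. The sample passwd and
# sshd_config are constructed; "psychotux", "hari", "guest" are names from the post.

# 1. Every UID 0 account on the system: all of these are blocked by PermitRootLogin no.
uid0_accounts() {            # $1 = passwd file
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# 2. Would sshd admit this user name under the AllowUsers/DenyUsers lines?
# Simplified model of sshd's order of evaluation: DenyUsers is checked first
# and wins; when an AllowUsers line exists it is a whitelist. Patterns,
# user@host forms and AllowGroups/DenyGroups are not modelled.
ssh_user_allowed() {         # $1 = sshd_config, $2 = user name
    config=$1; user=$2
    deny_re="^[[:space:]]*DenyUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+$user([[:space:]]|\$)"
    allow_re="^[[:space:]]*AllowUsers([[:space:]]+[^[:space:]]+)*[[:space:]]+$user([[:space:]]|\$)"
    if grep -Eq "$deny_re" "$config"; then
        return 1
    fi
    if grep -Eq '^[[:space:]]*AllowUsers[[:space:]]' "$config"; then
        if grep -Eq "$allow_re" "$config"; then return 0; else return 1; fi
    fi
    return 0                 # no AllowUsers line: nobody else is filtered by name
}

# Constructed files mirroring the post: two UID 0 accounts and the sshd_config above.
setup_samples() {            # $1 = directory to write into
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
psychotux:x:0:0:root equivalent:/home/psychotux:/bin/bash
hari:x:500:500::/home/hari:/bin/bash
guest:x:501:501::/home/guest:/bin/bash
EOF
    cat > "$1/sshd_config" <<'EOF'
###PermitRootLogin no
AllowUsers newuser guest psychotux hari
DenyUsers root
EOF
}
```

On a real host run uid0_accounts /etc/passwd before the change: any name it prints besides root is an account that will also lose SSH access under PermitRootLogin no unless it appears in AllowUsers.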

Thursday, December 10, 2009

Hardware clock failure in ISA system

On some systems /sbin/hwclock cannot read the hardware clock through /dev/rtc and fails with an error like the one below.
# hwclock
select() to /dev/rtc to wait for clock tick timed out

# hwclock --show
select() to /dev/rtc to wait for clock tick timed out

The --directisa option, which makes hwclock talk to the clock through the ISA I/O ports instead of the /dev/rtc driver, works here.
# /sbin/hwclock --directisa

As a permanent workaround the existing binary can be renamed and replaced with a wrapper that always adds --directisa:

1. Find the version of hwclock
# hwclock --version
2. Rename the binary, suffixing the version number
# cd /sbin
# mv hwclock hwclock-x.y
3. Create a wrapper named hwclock for hwclock-x.y (the here-document needs its terminator, and "$@" must be quoted so that arguments containing spaces survive)
# cat > hwclock << 'HERE'
#!/bin/sh
exec /sbin/hwclock-x.y --directisa "$@"
HERE
4. Give it execute permission
# chmod 755 hwclock
5. Check the hardware clock, system time, NTP, etc.
# hwclock --show
To set the system time from the hardware clock use hwclock --hctosys; hwclock --systohc goes the other way.

An optional reboot confirms that the boot-time scripts which call hwclock also work through the wrapper
# reboot

Note that a package update of util-linux will overwrite /sbin/hwclock and silently drop the wrapper; record the change where package updates are reviewed, or re-check hwclock after every update.

If the system is not ISA, check the RTC driver first. Ensure it is loaded:
# lsmod|grep rtc
This will show something like
rtc 15329 0

If nothing is shown, the rtc driver is not loaded. Load it with

# modprobe rtc

Monday, April 27, 2009

Basic Linux Configuration backup

#!/bin/bash
# Title: Linux Primary Configuration Backup
# Version: 1.5
# Last update: 06-08-2012
# Author: Hareesh V V
# E Mail:
# Web:

# The archive holds /etc/shadow, the firewall rules and every user's crontab,
# so nothing written here may be readable by anyone but root.
umask 077
DATE=`date +%d%m%y`
HOST=`hostname`
BKP=/root/cfgbkp_${HOST}_$DATE      # destination directory (assumed; undefined in the original)
OUT=$BKP/${HOST}_crons/scripts      # scripts referenced from crontabs (assumed; undefined in the original)
/bin/mkdir -p $BKP $OUT

tar -cjf $BKP/etc_$DATE.tar.bz2 /etc
/sbin/ifconfig > $BKP/ifconfig
/sbin/route -n > $BKP/route
/sbin/runlevel > $BKP/runlevel
/sbin/chkconfig --list | grep 3:on > $BKP/chkconfig_init_3
/sbin/chkconfig --list | grep 5:on > $BKP/chkconfig_init_5
/bin/hostname > $BKP/hostname
lsmod > $BKP/lsmod
cat /etc/hosts > $BKP/etc_hosts
cat /etc/resolv.conf > $BKP/etc_resolv
cat /etc/grub.conf > $BKP/grub_conf
#crontab -l > $BKP/crontab
/sbin/iptables -L  > $BKP/iptables_filter
/sbin/iptables -t nat -L > $BKP/iptables_nat
/sbin/iptables-save > $BKP/iptables
cat /etc/sysconfig/iptables-config > $BKP/iptables-config

/bin/netstat -ntpl > $BKP/netstat
mount > $BKP/mount
fdisk -l > $BKP/fdisk
cat /etc/rc.local > $BKP/rc_local
cat /proc/sys/net/ipv4/ip_forward > $BKP/proc_ip_forward
cat /proc/cpuinfo > $BKP/proc_cpuinfo
getenforce > $BKP/getenforce
cat /etc/fstab > $BKP/fstab
cp -r /etc/sysconfig/network-scripts $BKP/
cat /etc/sysconfig/network > $BKP/network
echo $PATH > $BKP/path

## Hardware

/sbin/lspci > $BKP/lspci
/usr/bin/lsb_release > $BKP/lsb_release
/usr/sbin/dmidecode > $BKP/dmidecode
/usr/bin/getconf LONG_BIT > $BKP/getconf
/usr/bin/systool > $BKP/systool
/usr/bin/lshal > $BKP/lshal
/sbin/lsusb -t > $BKP/lsusb
/usr/sbin/biosdecode > $BKP/biosdecode
lshw > $BKP/lshw
cat /proc/version > $BKP/version
cat /etc/printcap > $BKP/printcap
dmesg > $BKP/dmesg
cat /etc/sysconfig/hwconf > $BKP/hwconf

## CRON Backup
cd $BKP/${HOST}_crons
> crons.txt
> $OUT/cronlist
for i in `ls /var/spool/cron/`; do
    # only accounts that exist in /etc/passwd; anchor on the whole name field
    if grep -q "^$i:" /etc/passwd; then
        echo $i >> $OUT/cronlist
        crontab -u $i -l >> $OUT/$i.cron
        # fields 6-8 of a crontab entry are the command and its first two
        # arguments; collect them so the scripts they name are saved as well
        crontab -u $i -l | grep -v "^#" | sort | uniq | awk '{print $6}' >> crons.txt
        crontab -u $i -l | grep -v "^#" | sort | uniq | awk '{print $7}' >> crons.txt
        crontab -u $i -l | grep -v "^#" | sort | uniq | awk '{print $8}' >> crons.txt
    fi
done

for i in `cat crons.txt`; do
    [ -f "$i" ] && cp "$i" $OUT 2> /dev/null
done
tar -cjf $OUT.tar.bz2 $OUT
rm -rf crons.txt $OUT
cd /
tar -cjf $BKP.tar.bz2 $BKP
rm -rf $BKP
chmod 600 $BKP.tar.bz2

Sunday, March 8, 2009

Script to find normal users above UID 500

Script to find normal users (UID 500 and above, the range ordinary accounts get on Red Hat-style systems of the time; modern distributions start at 1000) and grep their shell history for shutdown-related commands. This works on Linux; other NIXes may need modification. Remember that .bash_history is written only when a shell exits and is fully under the user's control (HISTFILE can be unset, the file edited or deleted), so a hit is a lead rather than evidence; process accounting or auditd are the records to rely on.

#!/bin/bash
# UID threshold for ordinary accounts; on distributions with UID_MIN 1000 use that value
MIN_UID=500
# user:home pairs for every account with UID >= MIN_UID and a bash login shell
awk -F: -v min=$MIN_UID '$3 >= min && $7 == "/bin/bash" {print $1 ":" $6}' /etc/passwd |
while IFS=: read -r user home; do
    [ -r "$home/.bash_history" ] || continue
    grep -Ei "reboot|init|shutdown|halt|poweroff" "$home/.bash_history" | sed "s/^/$user: /"
done

Sunday, March 1, 2009

Ever alive SSH session

If an idle SSH session is being dropped after some time (typically by a firewall or NAT device that expires idle connections), you can make use of the keepalive options in PuTTY.

1. Open PuTTY
2. Go to Connection -> "Seconds between keepalives (0 to turn off)". Give a keepalive value in seconds, preferably 120 or above.

Other ways to get the same effect:

1. With portable PuTTY, set it in the session file .\putty\sessions\Default%20Settings: PingIntervalSecs=120 is the setting behind "Seconds between keepalives", and TCPKeepalives=1 turns on TCP-level keepalives.
2. From Linux or any other UNIX, set ServerAliveInterval 60 in /etc/ssh/ssh_config (or ~/.ssh/config); the client then sends an SSH-level keepalive every 60 seconds. ServerAliveCountMax (default 3) bounds how many unanswered keepalives are tolerated before the client gives up, so the pair also detects a dead connection instead of hanging forever.
3. Use screen so that the work survives a disconnect: ssh host -t screen -xRe^oo (-xR attaches to an existing session or creates one; -e^oo moves screen's command key to Ctrl-O so it does not collide with Ctrl-A in the shell).
4. screen works with PuTTY as well. Go to Connection -> SSH -> Remote command and specify screen -xRe^oo

Keepalives defeat idle timeouts on purpose, so check that this does not conflict with a policy that expects unattended sessions to be dropped; an unlocked terminal left attached to a root shell is exactly what such timeouts protect against. On the server side the equivalent options are ClientAliveInterval and ClientAliveCountMax in sshd_config.


Tuesday, February 10, 2009

VSFTPD-chrooted user with limited directory access

Create a user whose home directory is /foo (useradd -d /foo hari), or create a normal user and then edit /etc/passwd to change the home directory.

Here we chose the latter, because /foo is a sensitive directory and we do not want to risk useradd dropping skeleton dot-files (.bashrc and friends) into it.

# useradd hari
# grep hari /etc/passwd


Now change the home directory to /foo

# vi /etc/passwd

# grep hari /etc/passwd

Note that we have changed the home directory from /home/hari to /foo and the shell from /bin/bash to /sbin/nologin. The vsftpd PAM stack on Red Hat includes pam_shells, which only accepts shells listed in /etc/shells; /sbin/nologin is listed there by default, so FTP logins keep working while interactive logins do not.

Add the two lines that turn on the chroot list to /etc/vsftpd/vsftpd.conf (chroot_list_enable=YES and chroot_list_file=/etc/vsftpd.chroot_list). With chroot_local_user left at its default of NO, the users named in that list are the ones that get chrooted; with chroot_local_user=YES the meaning of the list flips to "users that are not chrooted".
# vi /etc/vsftpd/vsftpd.conf

Now add the user hari to Chroot List file.

# echo hari >> /etc/vsftpd.chroot_list

Now verify the permission of /foo, /foo/tux and /foo/beastie

[root@psycho ~]# ls -ld /foo/
drwxrwx--- 17 root ftpuser 4096 Feb 6 19:58 /foo/

[root@psycho ~]#
[root@psycho ~]# ll /foo/
total 81652
drwxr-xr-- 2 tiger ftpuser 4096 Sep 18 2007 alert
drwxr-xr-x 14 root root 4096 Jan 18 2008 tux
drwxr-xr-x 2 root root 4096 Jan 11 2008 log
drwx------ 2 root root 16384 Sep 6 2007 lost+found
drwxrwxr-x 4 giraffe ftpuser 048000 Feb 9 23:51 beastie
[root@psycho ~]#

/foo/tux and /foo/beastie are readable by everyone, but /foo itself is 770 (root:ftpuser), so a user outside the ftpuser group cannot enter it.

So add the user "hari" to the group "ftpuser", which is the Group for /foo.

# grep ftpuser /etc/group

# vi /etc/group

Now list the entries under /foo other than tux and beastie; those two are the only directories the user needs access to.

# ls /foo | grep -v tux | grep -v beastie

Add these to /etc/vsftpd_user_conf/hari as deny_file/hide_file patterns to keep the FTP user out of them. vsftpd reads this per-user file because user_config_dir=/etc/vsftpd_user_conf is set in /etc/vsftpd/vsftpd.conf.

# vi /etc/vsftpd_user_conf/hari

write_enable=NO in that per-user file keeps the user from changing any file or directory, whatever the global setting is.

Restart VSFTPD service.

/etc/init.d/vsftpd restart

That's it. The conditions now satisfied are:

1. The user can log in over FTP.
2. The login directory is a chrooted home, /foo; the user cannot reach any directory outside it.
3. The user can open the tux and beastie directories straight from the home directory.
4. Both are read-only: the user cannot write or change files or directories.
5. The user cannot access any other directory under /foo.
6. The user cannot log in to the system directly.

One caveat for newer versions: from vsftpd 2.3.5 on, a chroot whose root directory is writable by the user is refused at login with "500 OOPS: vsftpd: refusing to run with writable root inside chroot()". /foo is 770 root:ftpuser and hari is in ftpuser, so on such a version the login fails. Since the user never needs to write there, chmod 750 /foo (or set allow_writeable_chroot=YES on builds that provide it) before enabling the chroot.
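The configuration lines the walk-through refers to, as an added example rather than the author's own files, since they did not survive in the post. The option names are vsftpd's; the exact values, and the per-user deny/hide patterns built from the ls /foo listing above, are assumptions.

```ini
# /etc/vsftpd/vsftpd.conf -- only the lines relevant to this setup (assumed)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=NO
# Nobody is chrooted unless listed in the chroot list file ...
chroot_local_user=NO
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
# ... and per-user overrides are read from <user_config_dir>/<username>
user_config_dir=/etc/vsftpd_user_conf

# /etc/vsftpd_user_conf/hari (assumed contents)
local_root=/foo
write_enable=NO
# Everything under /foo that is not tux or beastie, i.e. the output of
#   ls /foo | grep -v tux | grep -v beastie
# hide_file keeps them out of listings, deny_file refuses any access to them.
hide_file={alert,log,lost+found}
deny_file={alert,log,lost+found}
```

deny_file and hide_file match on names, not on full paths, so a subdirectory called log inside tux would be hidden too; add a user to /etc/vsftpd.chroot_list only after the permissions on its local_root have been checked (see the caveat above).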

Wednesday, January 21, 2009

Restricting su Access to System and Shared Accounts

This section shows how to stop people su-ing to system and shared accounts even when they know the passwords.
Example: restricting su access to root
Create a new group for each set of users that are allowed to su to root
# groupadd rootmembers
Add every user who is allowed to su to root to the new group. The requirement configured here is:
- Only the user named hari should be able to su to root
# usermod -aG rootmembers hari
(-a appends to the user's supplementary groups; a plain usermod -G replaces all of them.)
Next add the three authentication lines to /etc/pam.d/su so that it reads as below. The bold highlighting and the module file names after /lib/security/$ISA/ did not survive in this listing; the explanation that follows names the modules.
auth sufficient /lib/security/$ISA/
auth required /lib/security/$ISA/ service=system-auth
auth sufficient /lib/security/$ISA/ service=su-root-members
auth required /lib/security/$ISA/
account required /lib/security/$ISA/ service=system-auth
password required /lib/security/$ISA/ service=system-auth
session required /lib/security/$ISA/ close
session required /lib/security/$ISA/ service=system-auth
session required /lib/security/$ISA/ open multiple
session optional /lib/security/$ISA/

With these lines, a caller who is already root passes immediately (the first, sufficient line, pam_rootok). Everyone else must first pass the normal password check (the required system-auth line) and then the su-root-members service (the sufficient line): a success there ends the authentication stack with an overall success, provided no earlier required line failed, while a failure from a sufficient line is simply ignored and evaluation continues. If su-root-members fails, the last line, pam_deny, is reached; it always fails, so the authentication part of su fails and knowing the password alone is not enough.

Next, create the new PAM service file /etc/pam.d/su-root-members that is referenced from /etc/pam.d/su. It should read like:

auth required /lib/security/ use_uid group=rootmembers
auth required /lib/security/ item=user sense=allow onerr=fail

The file /etc/security/su-rootmembers-access referenced in /etc/pam.d/su-root-members holds one target user name per line:
# cat /etc/security/su-rootmembers-access

The control flag required on both lines means that both modules have to succeed; otherwise this service returns failure to the su stack in /etc/pam.d/su. The first line (pam_wheel with use_uid) succeeds only if the calling user, identified by real UID, is a member of the rootmembers group. The second line (pam_listfile, sense=allow) admits only target accounts listed in /etc/security/su-rootmembers-access, root, oracle and postgres in this example; these are the only names accepted as the user argument of su. item=user tells pam_listfile that the entries are user names, and onerr=fail denies access if an error occurs, such as an unreadable list file.
NOTE: Once su access to root works for the users in rootmembers, avoid changing /etc/pam.d/su-root-members again; a mistake in this file can revoke root access for every user on the system. That is why two PAM service files are used, /etc/pam.d/su-root-members for the rootmembers group and a separate /etc/pam.d/su-other-members for all other member groups, since more member groups will most probably be added over time.
Now verify that hari can su to root, and that nobody else on the system can, even with the root password. Keep a root shell open while testing: if the new stack is wrong, that shell is the way back in.
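A stand-alone model of the decision made by the su stack above, added here as an example (not from the original post), so the required/sufficient logic can be exercised before touching /etc/pam.d on a live system. The module names are inferred from the arguments that survived in the listing and from the modules the text names; the group file, access list, user names and password results are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a model of the PAM decision made
# by the su stack described above, with constructed inputs.
#
# Module names are inferred from the arguments in the post (service= -> pam_stack,
# use_uid group= -> pam_wheel, item=user sense=allow -> pam_listfile) and from
# pam_rootok/pam_deny being named in the text. Reconstructed /etc/pam.d/su:
#   auth  sufficient  pam_rootok.so
#   auth  required    pam_stack.so service=system-auth
#   auth  sufficient  pam_stack.so service=su-root-members
#   auth  required    pam_deny.so
# and /etc/pam.d/su-root-members:
#   auth  required    pam_wheel.so use_uid group=rootmembers
#   auth  required    pam_listfile.so item=user sense=allow onerr=fail \
#                     file=/etc/security/su-rootmembers-access
# On current Red Hat/Fedora pam_stack.so no longer exists; use
# "auth include system-auth" and "auth include su-root-members" instead.

# Constructed stand-ins for /etc/group and /etc/security/su-rootmembers-access.
GROUPS_FILE=$(mktemp); ACCESS_FILE=$(mktemp)
trap 'rm -f "$GROUPS_FILE" "$ACCESS_FILE"' EXIT
printf 'rootmembers:x:600:hari\nwheel:x:10:\n' > "$GROUPS_FILE"
printf 'root\noracle\npostgres\n' > "$ACCESS_FILE"

# pam_wheel use_uid group=rootmembers: success iff the *calling* user is in the
# group's member list (use_uid = look at the real uid, not the su target).
# The real module also accepts the group as the caller's primary group; not modelled.
pam_wheel() {               # $1 = caller
    grep -Eq "^rootmembers:[^:]*:[^:]*:([^,]+,)*$1(,|\$)" "$GROUPS_FILE"
}

# pam_listfile item=user sense=allow onerr=fail: success iff the target user is
# listed; a missing or unreadable list is an error, and onerr=fail makes that a deny.
pam_listfile() {            # $1 = target
    [ -r "$ACCESS_FILE" ] || return 1
    grep -qx "$1" "$ACCESS_FILE"
}

# su-root-members service: two "required" lines, so both must succeed.
su_root_members() {         # $1 = caller, $2 = target
    pam_wheel "$1" && pam_listfile "$2"
}

# The su auth stack. $3 = "ok" or "bad" stands in for the password check that
# the required system-auth line performs.
su_auth() {                 # $1 = caller, $2 = target, $3 = password result
    # 1. pam_rootok, sufficient: root may su anywhere, no password asked.
    if [ "$1" = root ]; then return 0; fi
    # 2. system-auth, required: a failure is remembered, but the stack goes on.
    failed=0
    [ "$3" = ok ] || failed=1
    # 3. su-root-members, sufficient: success ends the stack with the result so
    #    far (failure if a required line already failed); failure is ignored.
    if su_root_members "$1" "$2"; then
        return $failed
    fi
    # 4. pam_deny, required: always fails.
    return 1
}
```

Run su_auth with different callers and targets; the cases worth trying by hand are a member with the wrong password (system-auth is required, so the later success does not rescue it) and a member asking for a target that is not in the access file (pam_listfile fails, pam_deny is reached).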

Lock user account on frequent login failures

Add the pam_tally lines to /etc/pam.d/system-auth as shown below (the blue highlighting and the module file names did not survive in this listing; the line carrying onerr=fail per_user deny=3 reset is the pam_tally line):
auth required
auth required onerr=fail per_user deny=3 reset
auth required
auth sufficient likeauth nullok try_first_pass
auth requisite uid >= 500 quiet
auth required
account required
account required
account sufficient uid < 500 quiet
account required
password requisite try_first_pass retry=3
password sufficient md5 shadow nullok try_first_pass use_authtok
password required
session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required

The pam_tally auth line counts failed login and failed su attempts for each user; the counts are kept in /var/log/faillog. With deny=3 it refuses the account once the count reaches 3, so the lockout takes effect on the next attempt whatever password is offered. reset clears the counter on a successful login as long as the limit was not already exceeded, and onerr=fail refuses access if the tally file cannot be accessed.

You do not, however, want system or shared accounts locked after too many failures: anybody who can reach the login prompt could then lock root or the application owner out simply by typing wrong passwords (a denial of service). The per_user parameter tells the module not to apply deny=n to an account for which a maximum number of failures has been set explicitly with faillog. For example:
# faillog -u root -m -1
# faillog -u root
Username Failures Maximum Latest
root 0 -1 Fri Dec 10 23:57:55 -0600 2005 on unknown
faillog with "-m -1" places no limit on the number of failed logins for that account. To put the account back under the deny=n limit, run:
# faillog -u <user> -m 0
To see failed login attempts, run:
# faillog
To unlock an account after too many login failures, run:
# faillog -u <user> -r
Test these changes thoroughly, e.g. over ssh and with su, and make sure root does not get locked; a locked root account on a remote machine without console access is a self-inflicted outage.
To lock or unlock an account manually, use one of:
# passwd -l <user>
# usermod -L <user>
# passwd -u <user>
# usermod -U <user>
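An added example (not from the original post) that models the per-user counter pam_tally keeps, so the interplay of deny=3, reset and a per-user maximum of -1 can be checked. The state file, user names and the "ok"/"bad" password results are constructed; the real module stores its counts in /var/log/faillog in a binary format that faillog(8) reads.

```shell
#!/bin/sh
# Added example, not from the original post: a model of the counter behind
# deny=N / reset / per_user. State is a constructed text file with one
# "user failures maximum" line per user, not the real /var/log/faillog format.
TALLY=$(mktemp)
trap 'rm -f "$TALLY" "$TALLY.new"' EXIT
DENY=3     # the deny=3 from the system-auth line above

# helpers: read/write one user's record into the globals $fails and $max
_get() {                  # $1 = user
    line=$(grep "^$1 " "$TALLY" || echo "$1 0 unset")
    set -- $line; fails=$2; max=$3
}
_put() {                  # $1 = user, $2 = failures, $3 = maximum
    grep -v "^$1 " "$TALLY" > "$TALLY.new" || true
    echo "$1 $2 $3" >> "$TALLY.new"; mv "$TALLY.new" "$TALLY"
}

# "faillog -u USER -m MAX": set an explicit per-user maximum (-1 = no limit).
set_max() {               # $1 = user, $2 = max
    _get "$1"; _put "$1" "$fails" "$2"
}

# Effective limit: the explicit maximum when one is set (per_user), otherwise
# the global deny=N. -1 means the account is never locked.
limit_for() {             # $1 = user
    _get "$1"
    if [ "$max" = unset ]; then echo "$DENY"; else echo "$max"; fi
}

# One authentication attempt. Returns 0 = allowed, 1 = wrong password,
# 2 = locked. Mirrors pam_tally: refuse once the count has reached the limit,
# otherwise count a failure or reset the counter on success.
attempt() {               # $1 = user, $2 = ok|bad
    _get "$1"; lim=$(limit_for "$1")
    if [ "$lim" != -1 ] && [ "$fails" -ge "$lim" ]; then
        return 2
    fi
    if [ "$2" = ok ]; then
        _put "$1" 0 "$max"; return 0
    fi
    _put "$1" $((fails + 1)) "$max"; return 1
}
```

Three wrong passwords for an ordinary user and the fourth attempt is refused even with the right password; after set_max root -1 (the faillog -m -1 exemption above) root is never locked, and a correct password before the limit is reached puts the counter back to zero.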

Enforce stronger password in Linux

The pam_cracklib module checks a new password against dictionary words and several other constraints, the length rule among them. The length rule works with credits: with minlen=10 and dcredit=1, a single digit in the password earns one credit, and pam_cracklib accepts a password of length minlen minus the credits earned, so a nine-character password that contains a digit passes while one without a digit must be ten characters long. A positive credit therefore only makes a character class optional; there is no way with positive values to say that a password must contain a digit. That is what a negative value is for: dcredit=-1 means at least one digit is required, and it earns no credit.

The following example enforces these rules:
minlen=8    minimum length of the password is 8
lcredit=-1  at least 1 lower-case letter
ucredit=-1  at least 1 upper-case letter
dcredit=-1  at least 1 digit
ocredit=-1  at least 1 other (non-alphanumeric) character

To set up these restrictions, edit /etc/pam.d/system-auth and add or change the pam_cracklib arguments on the password requisite line (the module file names after /lib/security/$ISA/ are missing from this listing):

auth required /lib/security/$ISA/
auth sufficient /lib/security/$ISA/ likeauth nullok
auth required /lib/security/$ISA/
account required /lib/security/$ISA/
account sufficient /lib/security/$ISA/ uid < 100 quiet
account required /lib/security/$ISA/
password requisite /lib/security/$ISA/ retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/ nullok use_authtok md5 shadow
password required /lib/security/$ISA/
session required /lib/security/$ISA/
session required /lib/security/$ISA/
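An added example (not from the original post) modelling pam_cracklib's length-and-credit rule in shell, so the effect of minlen and the four credit arguments can be tried on sample passwords. Only the length rule is modelled; the real module also applies dictionary, similarity and repeated-character checks. pam_pwquality, its successor, takes the same credit arguments. The sample passwords are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pam_cracklib's length-and-credit
# rule, modelled in shell. Sample passwords in the callers are constructed.

# Number of characters of one POSIX class (lower, upper, digit) in $1.
count_class() {           # $1 = password, $2 = class name
    printf '%s' "$1" | tr -cd "[:$2:]" | wc -c | tr -d ' '
}
# "other" is everything that is neither a letter nor a digit.
count_other() {           # $1 = password
    printf '%s' "$1" | tr -d '[:alnum:]' | wc -c | tr -d ' '
}

# Apply one credit argument. Positive N: up to N characters of the class each
# earn one credit. Negative N: at least -N characters are mandatory, no credit.
# Prints the credit earned; returns 1 if a mandatory count is not met.
apply_credit() {          # $1 = count in password, $2 = credit argument
    if [ "$2" -lt 0 ]; then
        [ "$1" -ge $(( 0 - $2 )) ] || return 1
        echo 0
    elif [ "$1" -lt "$2" ]; then
        echo "$1"
    else
        echo "$2"
    fi
}

# Returns 0 if length + credits >= minlen and every mandatory class is present.
cracklib_length_ok() {    # $1=password $2=minlen $3=lcredit $4=ucredit $5=dcredit $6=ocredit
    pw=$1; minlen=$2; credits=0
    for pair in "lower:$3" "upper:$4" "digit:$5" "other:$6"; do
        class=${pair%%:*}; arg=${pair#*:}
        if [ "$class" = other ]; then
            n=$(count_other "$pw")
        else
            n=$(count_class "$pw" "$class")
        fi
        c=$(apply_credit "$n" "$arg") || return 1
        credits=$((credits + c))
    done
    [ $(( ${#pw} + credits )) -ge "$minlen" ]
}
```

With the post's settings (minlen=8, all four credits -1) a password needs eight characters and one of each class; with minlen=10 dcredit=1 instead, "abcdefgh1" passes on nine characters plus one credit while "abcdefghij" also passes without any digit, which is the weakness the text describes.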