23 January 2008

How to Limit user access based on timings in Linux

To restrict logins to a Linux system to a time window, use the pam_time.so
module. It reads its rules from /etc/security/time.conf and only takes effect
for services whose PAM stack includes it, for example by adding the line
"account required pam_time.so" to /etc/pam.d/sshd.

1.Open the file /etc/security/time.conf

Format of the file is:
services;ttys;users;times

To deny ssh access between 23:00 and 08:00 every day:

sshd;*;*;!Al2300-0800

Al means "all days", and the leading ! negates the whole time specification,
so !Al2300-0800 reads "any time except 23:00-08:00 on any day". A range whose
end is earlier than its start (2300-0800) runs across midnight.

To permit everyone except root to log in at the console between 16:00 and
20:00 every day (and at no other time):
login;*;!root;Al1600-2000

With a leading ! on the time field (!Al1600-2000) the same line would do the
opposite and lock those users out between 16:00 and 20:00. Note that !root in
the users field excludes root from the rule rather than denying it: a login
that no rule matches is always permitted by pam_time, while a login that
matches a rule is refused whenever that rule's time check fails.
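The easiest way to avoid locking yourself out is to evaluate a time.conf rule before installing it. The following evaluator is an added example (it is not part of the original post or of pam_time itself) covering the subset of the syntax used above: * and shell-style globs in the service/tty/user fields, | alternatives, a leading ! negating a whole field, the day tokens Al, Wk, Wd and Mo..Su, and a single HHMM-HHMM range that may cross midnight. The & operator and negation of individual tokens are not implemented, and the sample configuration embedded in it is constructed from the two rules discussed above. Times are passed as integers in HHMM form (800 for 08:00) and days as the two-letter tokens.

```python
"""Evaluate pam_time.so rules from /etc/security/time.conf offline.

Added example, not from the original post and not pam_time's own code.
It implements the subset of the time.conf syntax used in the text so a
rule can be checked before it locks anyone out.
"""
import fnmatch
import re
from dataclasses import dataclass

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]
DAY_GROUPS = {"Al": set(DAYS), "Wk": set(DAYS[:5]), "Wd": set(DAYS[5:])}
TIME_RE = re.compile(r"((?:Al|Wk|Wd|Mo|Tu|We|Th|Fr|Sa|Su)+)(\d{4})-(\d{4})")

# Constructed sample: the two rules discussed above.
SAMPLE_CONF = """\
# services;ttys;users;times
sshd;*;*;!Al2300-0800
login;*;!root;Al1600-2000
"""


@dataclass
class Rule:
    services: str
    ttys: str
    users: str
    times: str


def parse_conf(text):
    """Parse time.conf text into Rule objects (comments and blanks skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 4:
            raise ValueError(f"expected 4 ';'-separated fields: {raw!r}")
        rules.append(Rule(*fields))
    return rules


def _field_matches(field, value):
    """'*' or glob alternatives joined by '|'; a leading '!' negates the field."""
    negate = field.startswith("!")
    if negate:
        field = field[1:]
    hit = any(fnmatch.fnmatchcase(value, alt) for alt in field.split("|"))
    return hit != negate


def _time_matches(spec, day, hhmm):
    """True if (day, hhmm) satisfies the time specification."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    m = TIME_RE.fullmatch(spec)
    if not m:
        raise ValueError(f"unsupported time spec: {spec!r}")
    day_tokens, start, end = m.group(1), int(m.group(2)), int(m.group(3))
    days = set()
    for i in range(0, len(day_tokens), 2):
        tok = day_tokens[i:i + 2]
        days |= DAY_GROUPS.get(tok, {tok})
    if start <= end:
        inside = day in days and start <= hhmm < end
    else:
        # Range crosses midnight: evening of a listed day, or the early
        # morning of the day that follows a listed day.
        prev = DAYS[(DAYS.index(day) - 1) % 7]
        inside = (day in days and hhmm >= start) or (prev in days and hhmm < end)
    return inside != negate


def permitted(rules, service, tty, user, day, hhmm):
    """pam_time semantics: any matching rule whose time check fails denies;
    a request that no rule matches is permitted."""
    for r in rules:
        if not (_field_matches(r.services, service)
                and _field_matches(r.ttys, tty)
                and _field_matches(r.users, user)):
            continue
        if not _time_matches(r.times, day, hhmm):
            return False
    return True


if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for args in [("sshd", "pts/0", "alice", "Mo", 1200),
                 ("sshd", "pts/0", "alice", "Mo", 2330),
                 ("login", "tty1", "bob", "Mo", 2100),
                 ("login", "tty1", "root", "Mo", 2100)]:
        print(args, "->", "permit" if permitted(rules, *args) else "deny")
```

Running it shows alice allowed over ssh at noon but refused at 23:30 and at 07:59 the next morning, bob refused at the console at 21:00, and root unaffected because the !root rule never matches it.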

Password Policy on Linux Systems


Password policy is part of an organization's security policy. It focuses mainly on three areas:

1.Password aging information.
2.Password strength.
3.Monitoring failed login attempts.

22 January 2008

How to configure IP-address and user account in Sun ALOM SC from OS

Step 1: Login to the system using root account.
Step 2: Change to the directory /usr/platform/`uname -i`/sbin
# cd /usr/platform/`uname -i`/sbin
Step 3: Set the IP address for the remote console using the following scadm command.
# ./scadm set netsc_ipaddr 172.16.1.100
Step 4: Set the subnet mask for the remote console using the following scadm command.
# ./scadm set netsc_ipnetmask 255.255.224.0
Step 5: Set the default gateway for the remote console using the following scadm command.
# ./scadm set netsc_ipgateway 172.16.0.1
Step 6: Enable the remote console network interface using the following scadm command.
# ./scadm set if_network true
Step 7: Verify whether the entered values are correct by running the following scadm command.
# ./scadm shownetwork
Step 8: Add a user called “admin” using the following scadm command.
# ./scadm useradd admin
Step 9: Set the permissions for the "admin" user with the following scadm command. The letters grant console access (c), user administration (u), administrative/configuration rights (a) and reset/power control (r), i.e. full control of the system controller, so treat this account like root:
# ./scadm userperm admin cuar
Step 10: Set the password for “admin” user using the following scadm command.
# ./scadm userpassword admin
Password:
Re-enter Password:
Step 11: Reset the system controller to activate the network for remote console by running the following scadm command
# ./scadm resetrsc
Step 12: From the host, ping the newly configured IP address of the SC to confirm it is alive on the network. Keep the SC interface on a dedicated management network: it gives console and power control over the host to anyone who can reach it and log in.

Format of /etc/shadow file

The /etc/shadow file stores each account's hashed password (older documentation, including the field list below, calls it "encrypted") together with the account's password-aging information. Unlike /etc/passwd it is readable only by root, which is the reason the hashes live here.

test1:$1$zT1YmCtj$NL67d.yN/gL9eVgyimhL./:13899:20:30:7:::

All fields are separated by a colon (:) symbol
  1. User name: the login name
  2. Password: the hashed password. A leading ! or * means the password is locked and cannot be used to log in; an empty field means no password is required at all and should never appear on a real system
  3. Last password change (lastchanged): days since Jan 1, 1970 on which the password was last changed
  4. Minimum: the minimum number of days required between password changes, i.e. the number of days the user must wait before being allowed to change his/her password again
  5. Maximum: the maximum number of days the password is valid (after that the user is forced to change his/her password)
  6. Warn: the number of days before the password expires on which the user starts being warned that it must be changed
  7. Inactive: the number of days after the password expires before the account is disabled (empty means never)
  8. Expire: days since Jan 1, 1970 after which the account is disabled, i.e. an absolute date after which the login may no longer be used
  9. Reserved: a ninth, normally empty field kept for future use (the trailing colons in the example)
Fields 3 to 8 provide the password aging and account lockout features. The password field must never be left empty. A traditional DES crypt hash is 13 characters from the 64-character alphabet a through z, A through Z, 0 through 9, . and /. A hash that starts with $ was generated with a different algorithm, identified by the prefix: $1$ is MD5 (as in the example above), $5$ is SHA-256 and $6$ is SHA-512; these hashes are longer than 13 characters and carry their salt between the second and third $. MD5 crypt is cheap to brute-force on modern hardware, so on a system that still produces $1$ hashes set ENCRYPT_METHOD SHA512 in /etc/login.defs and have users change their passwords.

Output of chage command:
# chage -l test1
Minimum: 20
Maximum: 30
Warning: 7
Inactive: -1
Last Change: Jan 21, 2008
Password Expires: Feb 20, 2008
Password Inactive: Never
Account Expires: Never
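The arithmetic chage performs on those fields is easy to reproduce, and doing so is the quickest way to audit a copy of /etc/shadow for the problems described above. The script below is an added example, not part of the original post or of the shadow-utils package: it parses shadow lines, converts the day counts to calendar dates the way chage -l does, and classifies the password field (empty, locked, or which hash algorithm). The three sample lines are constructed; the first is the test1 entry from the text, the other two are a locked service account and a passwordless account with an expiry date.

```python
"""Decode /etc/shadow entries the way chage -l does.

Added example, not from the original post and not shadow-utils code.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
HASH_IDS = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
            "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}

# Constructed sample lines: the entry from the text plus a locked account
# and a (dangerous) passwordless one that expires on an absolute date.
SAMPLE_SHADOW = """\
test1:$1$zT1YmCtj$NL67d.yN/gL9eVgyimhL./:13899:20:30:7:::
svc:!!:13899:0:99999:7:::
guest::13899:0:99999:7::14000:
"""


def _days_to_date(value):
    return None if value is None else EPOCH + timedelta(days=value)


def classify_password(field):
    """Describe the password field: empty, locked, or which hash algorithm."""
    if field == "":
        return "EMPTY (no password required)"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith("$"):
        algo = HASH_IDS.get(field.split("$")[1], "unknown $id$")
        return f"hash: {algo}"
    if len(field) == 13:
        return "hash: DES crypt"
    return "unrecognised"


def parse_shadow_line(line):
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    name, pw, last, mn, mx, warn, inactive, expire, _reserved = fields

    def num(s):
        return int(s) if s != "" else None

    last_d, mn_d, mx_d, inactive_d = num(last), num(mn), num(mx), num(inactive)
    # 99999 is the conventional "never expires" maximum.
    pw_expires = None
    if last_d is not None and mx_d is not None and mx_d < 99999:
        pw_expires = last_d + mx_d
    pw_inactive = None
    if pw_expires is not None and inactive_d is not None and inactive_d >= 0:
        pw_inactive = pw_expires + inactive_d
    return {
        "user": name,
        "password": classify_password(pw),
        "min": mn_d, "max": mx_d, "warn": num(warn),
        "inactive": -1 if inactive_d is None else inactive_d,
        "last_change": _days_to_date(last_d),
        "password_expires": _days_to_date(pw_expires),
        "password_inactive": _days_to_date(pw_inactive),
        "account_expires": _days_to_date(num(expire)),
    }


def parse_shadow(text):
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]


def risky_entries(entries):
    """Users a reviewer should look at: no password, or a fast MD5/DES hash."""
    return [e["user"] for e in entries
            if e["password"].startswith("EMPTY")
            or e["password"] in ("hash: MD5", "hash: DES crypt")]


if __name__ == "__main__":
    entries = parse_shadow(SAMPLE_SHADOW)
    for e in entries:
        print(e)
    print("review:", risky_entries(entries))
```

For the test1 line the script reproduces the chage output above: last change 2008-01-21, password expiry 2008-02-20, inactive -1 (never), no account expiry. On a real system read the file as root and feed it to parse_shadow unchanged.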



17 January 2008

How to block mp3, mpg, mpeg, exe files in Squid proxy server

1.Open the squid configuration file /etc/squid/squid.conf

2.Add an acl for the file types to block, and a deny rule that uses it. http_access rules are evaluated in order and the first match wins, so the deny line must come before the http_access allow line for your local network.

acl blockfileset urlpath_regex "/etc/squid/block.acl"
http_access deny blockfileset


3.Create the file /etc/squid/block.acl with one regular expression per line, then run "squid -k reconfigure" to load it:

\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
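Before relying on such a list it is worth knowing what it does not catch. Squid's urlpath_regex is matched against everything after the host name, query string included, so a pattern anchored with $ stops matching as soon as a ? follows the extension. The script below is an added example (not part of the original post or of Squid) that runs the block.acl patterns above, and a hardened variant that tolerates a trailing query string and uses one ignore-case flag (Squid's "urlpath_regex -i"), against a set of constructed request paths. Python's re module stands in for Squid's POSIX regex engine, which makes no difference for these patterns.

```python
"""Check a Squid urlpath_regex block list against sample request paths.

Added example, not from the original post and not Squid's own code.
"""
import re

# Contents of /etc/squid/block.acl exactly as given in the text.
BLOCK_ACL = r"""
\.[Ee][Xx][Ee]$
\.[Aa][Vv][Ii]$
\.[Mm][Pp][Gg]$
\.[Mm][Pp][Ee][Gg]$
\.[Mm][Pp]3$
"""

# Same list, tolerating a trailing ?query; case handled by one flag
# (Squid's equivalent is: acl blockfileset urlpath_regex -i "...").
HARDENED_ACL = r"""
\.exe(\?.*)?$
\.avi(\?.*)?$
\.mpe?g(\?.*)?$
\.mp3(\?.*)?$
"""

# Constructed request paths: the part of the URL after the host name.
SAMPLE_PATHS = [
    "/downloads/setup.exe",
    "/downloads/SETUP.EXE",
    "/downloads/setup.exe?session=42",        # query string defeats '$'
    "/media/clip.mpeg",
    "/media/clip.MPG?autoplay=1",
    "/docs/readme.txt",
    "/cgi-bin/get.php?file=tool.exe&x=1",     # extension hidden in the query
]


def load_patterns(acl_text, ignore_case=False):
    """One regex per non-blank line, as Squid reads an acl file."""
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(line, flags)
            for line in acl_text.splitlines() if line.strip()]


def blocked(path, patterns):
    """urlpath_regex semantics: the acl matches if any pattern matches anywhere."""
    return any(p.search(path) for p in patterns)


def evaluate(paths, patterns):
    return {p: blocked(p, patterns) for p in paths}


if __name__ == "__main__":
    original = evaluate(SAMPLE_PATHS, load_patterns(BLOCK_ACL))
    hardened = evaluate(SAMPLE_PATHS, load_patterns(HARDENED_ACL, ignore_case=True))
    for path in SAMPLE_PATHS:
        print(f"{path:40} original={str(original[path]):5} hardened={hardened[path]}")
```

The last sample path is blocked by neither list: a download served through a script parameter carries no extension in the path at all. Extension filtering in the proxy is a convenience control against casual downloads, not a barrier to a determined user, and the content-type of responses is the better signal if blocking really matters.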

Limit number of simultaneous connections for a single IP address in VSFTPD

1.Open the vsftpd configuration file in /etc/vsftpd/vsftpd.conf

2.Setup the limitation

max_per_ip=4

This limits each client IP address to 4 simultaneous connections; a fifth connection from the same address is refused with an error.

3.Restart the vsftpd daemon.

Set default password expiry policy for all users in Linux

The /etc/login.defs file defines the site-wide configuration for password expiry.

Each line of the file describes one configuration parameter. A line consists of a configuration name and a value separated by whitespace.
Set the default password expiry for new accounts with these /etc/login.defs parameters:
  1. PASS_MAX_DAYS : Maximum number of days a password may be used. If the password is older than this, a password change will be forced.
  2. PASS_MIN_DAYS : Minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected
  3. PASS_WARN_AGE : Number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.
E.g.,

PASS_MAX_DAYS 30
PASS_MIN_DAYS 15
PASS_WARN_AGE 7

These defaults are copied into /etc/shadow only for accounts created after the change (by useradd). Existing accounts keep their current values and must be updated individually with chage, e.g. "chage -M 30 -m 15 -W 7 username".

HP-UX: Patch naming convention

A patch name consists of the characters "PH" (Patch HP-UX), followed by a two-character type-identifier, followed by an underscore,
followed by a four or five-digit number.

The currently defined patch types are:

CO - COmmands & libraries
KL - KerneL
NE - NEtworking
SS - SubSystems

An example of a Kernel patch name would be "PHKL_23507".

Kernel patches always require a system reboot, so that the newly updated kernel can be loaded. Many Networking patches (PHNE*) also
make modifications to the kernel, and hence require a reboot.

Note that the numerical portion of any given patch name is unique among ALL patches.

So there would never be a patch named "PHCO_23507" in addition to a patch named "PHKL_23507". This lends itself nicely to
grepping for a particular patch (i.e. to see if "PHKL_23507" is installed, one could use "swlist -l product | grep 23507").

SUDO

sudo is a package which allows privileged users to run commands as other users (usually root). This is somewhat like using group membership to give users extra permissions on files, but sudo grants access to specific commands on specific machines, which makes it a finer-grained and better-organised way of delegating privileges.

Often a server must be administered by several people, and it is a bad idea for all of them to use the root account: when everyone logs in with the same credentials it becomes difficult to determine exactly who did what, when and where. sudo was designed to address this problem. Each user authenticates with their own password, and every command run through sudo is logged with the user's name.

The /etc/sudoers file contains all the configuration and permission parameters needed for sudo to work.
Format of /etc/sudoers file
"usernames/group" "Run on Host" = "Run command as" "Comma separated list of commands"
There are some general guidelines when editing this file:
  • Groups are the same as user groups and are differentiated from regular users by a % at the beginning. E.g., Linux user group "users" would be represented by %users.
  • You can have multiple usernames per line separated by commas.
  • Multiple commands also can be separated by commas. Spaces are considered part of the command.
  • The keyword ALL matches any user, group, command or host, depending on the position in which it appears.
  • If you run out of space on a line, you can end it with a back slash (\) and continue on the next line.
  • sudo assumes that the sudoers file will be used network wide, and therefore offers the option to specify the names of servers which will be using it in the "Run on Host" position. In most cases, the file is used by only one server and the keyword ALL suffices for the Host name.
  • The NOPASSWD tag provides access without prompting for a password.

Granting All Access to Specific Users

You can grant users bob and bunny full access to all privileged commands with this sudoers entry.
bob, bunny  ALL=(ALL) ALL
This is generally not a good idea, because it allows bob and bunny to use the su command to give themselves a permanent root shell, bypassing the command logging features of sudo. The example on using aliases in the sudoers file shows an attempt to eliminate this problem, and why it is only partially effective.

Granting Access To Specific Users To Specific Files

This entry allows user peter and all members of the group operator to run every program in the /sbin and /usr/sbin directories, plus the command /usr/local/apps/check.pl. Notice how the trailing slash (/) is required to mark an entry as a directory; such an entry covers every executable in that directory, including ones installed later, so review what lives there before granting it:
peter, %operator ALL= /sbin/, /usr/sbin/, /usr/local/apps/check.pl
Notice also that without a user name in parentheses () after the = sign the commands can only be run as the default target user (root, unless runas_default says otherwise); the users cannot pick some other account with sudo -u. This is explained further in the next example.

Granting Access to Specific Files as Another User

The sudo -u option allows you to execute a command as if you were another user, but first you have to be granted this privilege in the sudoers file.
This feature can be convenient for programmers who sometimes need to kill processes related to projects they are working on. For example, programmer peter is on the team developing a financial package that runs a program called monthend as user accounts. From time to time the application fails, requiring peter to stop it with the /bin/kill, /usr/bin/kill or /usr/bin/pkill commands, but only as user accounts. The sudoers entry would look like this:
peter ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill
User peter is allowed to stop the monthend process with this command:
[peter@bigboy peter]$ sudo -u accounts pkill monthend
Because the entry lists the commands without arguments, sudo accepts any arguments to them, so peter can in fact signal any process owned by accounts, not only monthend.

Granting Access Without Needing Passwords

This example allows all users in the group operator to execute all the commands in the /sbin directory without entering a password. It is more convenient for the user, but NOPASSWD also means that anyone who gets hold of an operator's unattended session or SSH key gets those commands for free, so limit it to commands that genuinely need to run unattended:
%operator ALL= NOPASSWD: /sbin/

Using Aliases in the sudoers File

Sometimes you'll need to give arbitrary groupings of users from various departments very similar sets of privileges. The sudoers file allows users to be grouped according to function and the group to be given a nickname, or alias, which is then used throughout the rest of the file. Groupings of commands can be assigned aliases too.
In the next example, users peter, bob and bunny and all the users in the operator group are made part of the user alias ADMINS. All the command shell programs are then assigned to the command alias SHELLS. Users in ADMINS are then denied the option of running any SHELLS commands and su:
Cmnd_Alias    SHELLS = /usr/bin/sh,  /usr/bin/csh, \
                       /usr/bin/ksh, /usr/local/bin/tcsh, \
                       /usr/bin/rsh, /usr/local/bin/zsh
 
 
User_Alias    ADMINS = peter, bob, bunny, %operator
ADMINS        ALL    = !/usr/bin/su, !SHELLS
This attempts to ensure that users don't permanently su to root, or enter command shells that bypass sudo's command logging. It doesn't prevent them from copying the shell binaries to other locations and running those, nor from reaching a shell through any other permitted command that can spawn one (editors, pagers, find -exec and the like); the sudoers manual itself warns that subtracting commands from an ALL grant with ! is generally not effective. The entry still helps to create an audit trail, but the restriction can only be enforced as part of the company's overall security policy.
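The grants discussed in this section (an unrestricted ALL, ! exclusions, whole-directory entries, shells or su granted directly, and NOPASSWD) are the ones a reviewer looks for first in a sudoers file. The script below is an added example, not part of the original text and not part of the sudo project: it parses the simplified sudoers grammar used on this page (User_Alias, Cmnd_Alias, backslash continuation and "users HOST = (runas) [NOPASSWD:] commands" lines) and reports those patterns. Defaults lines, Host_Alias and Runas_Alias are not handled. The embedded sample is constructed from the entries shown above.

```python
"""Lint a sudoers file for grants that defeat sudo's audit trail.

Added example, not from the original text and not sudo's own code.
Handles only the simplified grammar used on this page.
"""
import os
import re

SHELL_NAMES = {"sh", "bash", "csh", "ksh", "tcsh", "zsh", "rsh", "su"}

# Constructed sample made from the entries shown in the text.
SAMPLE_SUDOERS = r"""
Cmnd_Alias    SHELLS = /usr/bin/sh,  /usr/bin/csh, \
                       /usr/bin/ksh, /usr/local/bin/tcsh, \
                       /usr/bin/rsh, /usr/local/bin/zsh
User_Alias    ADMINS = peter, bob, bunny, %operator

bob, bunny  ALL=(ALL) ALL
peter, %operator ALL= /sbin/, /usr/sbin/, /usr/local/apps/check.pl
peter ALL=(accounts) /bin/kill, /usr/bin/kill, /usr/bin/pkill
%operator ALL= NOPASSWD: /sbin/
ADMINS        ALL    = !/usr/bin/su, !SHELLS
"""

SPEC_RE = re.compile(
    r"(?P<users>.+?)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?"
    r"(?P<cmds>.+)")


def _logical_lines(text):
    """Strip comments/blanks and join backslash-continued lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append((buf + line).strip())
        buf = ""
    return out


def parse_sudoers(text):
    cmnd_alias, user_alias, specs = {}, {}, []
    for line in _logical_lines(text):
        m = re.match(r"(Cmnd_Alias|User_Alias)\s+(\w+)\s*=\s*(.+)", line)
        if m:
            target = cmnd_alias if m.group(1) == "Cmnd_Alias" else user_alias
            target[m.group(2)] = [x.strip() for x in m.group(3).split(",")]
            continue
        m = SPEC_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised sudoers line: {line!r}")
        specs.append(m.groupdict())
    return cmnd_alias, user_alias, specs


def audit(text):
    """Return (code, users, command) findings, one per risky grant."""
    cmnd_alias, user_alias, specs = parse_sudoers(text)
    findings = []
    for s in specs:
        users = []
        for u in s["users"].split(","):
            users.extend(user_alias.get(u.strip(), [u.strip()]))
        who = ", ".join(users)
        for entry in s["cmds"].split(","):
            entry = entry.strip()
            negated = entry.startswith("!")
            name = entry.lstrip("!")
            for cmd in cmnd_alias.get(name, [name]):
                if negated:
                    # '!' cannot subtract from an ALL grant; copied binaries evade it.
                    findings.append(("NEGATION", who, cmd))
                elif cmd == "ALL":
                    findings.append(("ALL_COMMANDS", who, cmd))
                elif cmd.endswith("/"):
                    # Directory grant: every binary there, now and in future.
                    findings.append(("DIRECTORY", who, cmd))
                elif os.path.basename(cmd) in SHELL_NAMES:
                    findings.append(("SHELL", who, cmd))
                if s["tag"] == "NOPASSWD" and not negated:
                    findings.append(("NOPASSWD", who, cmd))
    return findings


if __name__ == "__main__":
    for code, who, cmd in audit(SAMPLE_SUDOERS):
        print(f"{code:12} {who:30} {cmd}")
```

On the sample it reports the ALL grant for bob and bunny, the three directory grants, the NOPASSWD entry for %operator, and seven NEGATION findings for the ADMINS line, which is the point of the last example above: the ! entries generate findings rather than removing any. Run "visudo -c -f file" separately for a syntax check, since this linter only understands the subset of the grammar shown here.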

09 January 2008

How to restrict users to SFTP only instead of SSH?

Scenarios:

* You want to give file upload/download access to your users.

* You don't want to give shell access to your users.

For the above scenarios,

Method 1:

To give a user account SFTP access without SSH access, set the user's shell to /usr/libexec/openssh/sftp-server instead of /bin/bash. The path is distribution-specific (Debian-based systems use /usr/lib/openssh/sftp-server), and the shell must be listed in /etc/shells for tools such as chsh to accept it. Note that this only removes interactive shell access: the user can still browse and fetch any file their Unix permissions allow. OpenSSH 4.9 and later offer a better option, a Match block in sshd_config with ChrootDirectory and ForceCommand internal-sftp, which also confines the user to a directory.


Method 2:

Restrict shell access with rssh, a restricted shell that permits only scp and sftp (and optionally rsync, rdist and cvs) and can chroot the user into a directory.