Hash Type in Linux Password

A reference table for when you review the /etc/shadow file (the prefix of the password field identifies the hash algorithm):

Prefix  Hash algorithm
$1$     md5
$2a$    Blowfish
$2y$    Blowfish, with correct handling of 8-bit characters
$5$     sha256
$6$     sha512

Just stick to sha512 please!

You can change the hash setting in the file /etc/login.defs by editing the "ENCRYPT_METHOD SHA512" line.

You can also use the authconfig command to accomplish the same thing:

sudo authconfig --passalgo=sha512 --update

After implementing a strong hash setting, we must also make users change their password at the next login, using the following command:

sudo chage -d 0 username

We can also use:

sudo passwd --expire username

For more info:

https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/
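To put the reference table and the re-hash step together, here is an added example (not part of the original post) that classifies the hash of every account in /etc/shadow-format input and flags anything that is not sha512. Beyond the table above it also recognises the "$y$" prefix (yescrypt, the default on newer distributions) and the non-hash markers "*", "!" and an empty field; the sample data is constructed and the hash bodies are placeholders.

```shell
# Usage on a real system (needs root to read the file): audit_shadow < /etc/shadow

# Map the "$id$" prefix of a shadow password field to its algorithm name.
shadow_hash_type() {
    case "$1" in
        '$1$'*)   echo md5 ;;
        '$2a$'*)  echo blowfish ;;
        '$2y$'*)  echo blowfish-8bit ;;
        '$5$'*)   echo sha256 ;;
        '$6$'*)   echo sha512 ;;
        '$y$'*)   echo yescrypt ;;   # not in the table above; newer libxcrypt default
        '')       echo empty ;;      # no password at all: treat as a finding
        '*'|'!'*) echo locked ;;     # "*", "!", "!!" or "!<hash>": password login disabled
        *)        echo unknown ;;    # e.g. legacy 13-character DES hashes
    esac
}

# Read shadow-format lines from stdin and print "user algorithm" per account.
# Returns 0 only if every active account uses sha512 (locked accounts are skipped).
audit_shadow() {
    weak=0
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        algo=$(shadow_hash_type "$hash")
        echo "$user $algo"
        case "$algo" in
            sha512|locked) ;;
            *) weak=$((weak + 1)) ;;
        esac
    done
    [ "$weak" -eq 0 ]
}

# Constructed sample in /etc/shadow format; the hash bodies are placeholders.
sample_shadow() {
    cat <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASH:17700:0:99999:7:::
legacy:$1$saltsalt$PLACEHOLDERHASH:15000:0:99999:7:::
alice:$5$saltsalt$PLACEHOLDERHASH:17700:0:99999:7:::
daemon:*:17000:0:99999:7:::
bob:!$6$saltsalt$PLACEHOLDERHASH:17700:0:99999:7:::
EOF
}

sample_shadow | audit_shadow || echo "weak hashes found: force a change with chage -d 0 <user>"
```

Accounts reported as md5, sha256 or empty are the ones to expire with chage -d 0 so they get re-hashed with the new ENCRYPT_METHOD on next login.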

We can update default password policy in Linux as well:

vi /etc/security/pwquality.conf

# Configuration for systemwide password quality limits
# Defaults:
#
# Number of characters in the new password that must not be present in the
# old password.
# difok = 1
#
# Minimum acceptable size for the new password (plus one if
# credits are not disabled which is the default). (See pam_cracklib manual.)
# Cannot be set to lower value than 6.
# minlen = 8
#
# The maximum credit for having digits in the new password. If less than 0
# it is the minimum number of digits in the new password.
# dcredit = 0
#
# The maximum credit for having uppercase characters in the new password.
# If less than 0 it is the minimum number of uppercase characters in the new
# password.
# ucredit = 0
#
# The maximum credit for having lowercase characters in the new password.
# If less than 0 it is the minimum number of lowercase characters in the new
# password.
# lcredit = 0
#
# The maximum credit for having other characters in the new password.
# If less than 0 it is the minimum number of other characters in the new
# password.
# ocredit = 0
#
# The minimum number of required classes of characters for the new
# password (digits, uppercase, lowercase, others).
# minclass = 0
#
# The maximum number of allowed consecutive same characters in the new password.
# The check is disabled if the value is 0.
# maxrepeat = 0
#
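To make the commented settings concrete, here is an added example (not from the original post) that approximates the minlen, minclass and maxrepeat checks in plain shell so you can see what each one rejects. The policy values are hardened assumptions rather than the commented defaults, and credits are treated as disabled (minlen is a plain length check); the sample passwords are constructed.

```shell
PW_MINLEN=12      # assumed policy: minlen = 12
PW_MINCLASS=3     # assumed policy: minclass = 3 (of digits, uppercase, lowercase, others)
PW_MAXREPEAT=3    # assumed policy: maxrepeat = 3 (0 would disable the check)

# Number of character classes present in the password.
pw_classes() {
    printf '%s\n' "$1" | awk '{
        n = 0
        if ($0 ~ /[0-9]/) n++
        if ($0 ~ /[A-Z]/) n++
        if ($0 ~ /[a-z]/) n++
        if ($0 ~ /[^0-9A-Za-z]/) n++
        print n
    }'
}

# Length of the longest run of one repeated character.
pw_longest_run() {
    printf '%s\n' "$1" | awk '{
        best = 0; run = 0; prev = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            run = (c == prev) ? run + 1 : 1
            if (run > best) best = run
            prev = c
        }
        print best
    }'
}

# Apply the policy to $1: print each violated rule, return 0 only when all pass.
pw_check() {
    bad=0
    len=${#1}
    [ "$len" -ge "$PW_MINLEN" ] || { echo "length $len < minlen $PW_MINLEN"; bad=1; }
    classes=$(pw_classes "$1")
    [ "$classes" -ge "$PW_MINCLASS" ] || { echo "$classes classes < minclass $PW_MINCLASS"; bad=1; }
    run=$(pw_longest_run "$1")
    [ "$PW_MAXREPEAT" -eq 0 ] || [ "$run" -le "$PW_MAXREPEAT" ] \
        || { echo "run of $run repeated characters > maxrepeat $PW_MAXREPEAT"; bad=1; }
    return $bad
}

# Constructed samples: one weak password and one that satisfies the policy.
pw_check 'passwordddd1' || echo "rejected: passwordddd1"
pw_check 'Corr3ct-Horse-B4ttery' && echo "accepted: Corr3ct-Horse-B4ttery"
```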

Using and Not Using the Shadow File in Linux

less /etc/passwd
# the command below disables the shadow feature: the password
# hashes are moved back into the world-readable /etc/passwd
# file, where any local user can read them. NOT RECOMMENDED
sudo pwunconv

# we can also do the same thing for the group file
sudo grpunconv

# To convert the system to use shadow file again, use
# the following commands

sudo pwconv
sudo grpconv

Linux Run Level Reference

ID  Name                                                        Description
0   Halt                                                        Shuts down the system.
1   Single-user mode                                            Mode for administrative tasks.
2   Multi-user mode                                             Does not configure network interfaces and does not export network services.
3   Multi-user mode with networking                             Starts the system normally.
4   Not used/user-definable                                     For special purposes.
5   Multi-user mode with networking and display manager (GUI)   Same as runlevel 3, plus the appropriate display manager.
6   Reboot                                                      Reboots the system.

Visit https://en.wikipedia.org/wiki/Runlevel for more.

Adding users and groups in Linux

Adding users:

# create a new user
sudo adduser wonderfulperson
sudo useradd wonderfulperson

# update (set) the password
sudo passwd wonderfulperson

# batch add users.
vi addmultipleusers

# add the test content below
# username:passwd:uid:gid:full name:home_dir:shell
user1:user1password:::User1:/home/user1:/bin/bash
user2:user2password:::User2:/home/user2:/bin/bash

# back in the shell, pass the file to the newusers command
sudo newusers addmultipleusers

# example output
$ grep user /etc/passwd
user1:x:1006:1006:User1:/home/user1:/bin/bash
user2:x:1007:1007:User2:/home/user2:/bin/bash

# look up all of the existing groups in Linux
cut -d: -f1 /etc/group

# To review which groups a user belongs to, use:
groups <username>

# Add groups
sudo groupadd guestusers
sudo addgroup guestusers

# To add one user to multiple groups, use the following command:
sudo usermod -a -G <group1>,<group2>,<group3> <username>
$ sudo usermod -a -G mysql,apache,sssd user2
$ groups user2
user2 : user2 sssd apache mysql

Nessus for Home Users

Nessus is one of the best-known network vulnerability scanners on the market. If you are in the security field, you should be familiar with the tool and know how to use it well. But how do you get hands-on experience with it while you are still in school, or in a first IT job that does not directly involve network security?

I recommend that you first try the Nessus Home, which is free for home use.

  • According to their official webpage, “Nessus® Home allows you to scan your personal home network with the same powerful scanner enjoyed by Nessus subscribers.”

https://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code

Windows installation is fairly simple. Once installed, it provides a web interface where you can try out the tool.

Vulnerability Assessment

Vulnerability Assessment
– Find vulnerabilities in a system or network
– Better than just a port scanner.
– Generally considered to be the least intrusive.
– Penetration testing / port scanning is considered more intrusive.

Example:
– One may run a password cracker against a password file to check for weak user passwords. This would be considered a vulnerability assessment.

Vulnerability Scanner:
– scan for open ports
– review known software vulnerabilities

Some examples of vulnerability assessment tools:
– Nessus (paid, with a free trial period): Nessus is a proprietary vulnerability scanner developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment. Download page: http://www.tenable.com/products/nessus-vulnerability-scanner.
– Microsoft Baseline Security Analyzer (free): The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations. The MBSA 2.3 release adds support for Windows 8.1, Windows 8, Windows Server 2012 R2, and Windows Server 2012; Windows 2000 is no longer supported with this release. Listed operating systems: Windows 2000, Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows XP. Download page: https://www.microsoft.com/en-us/download/details.aspx?id=7558
– Retina (paid, with a free trial option): this tool is fast and non-intrusive, and has a very comprehensive vulnerability database. It can also be used for web application scanning. Download page: https://www.beyondtrust.com/products/retina-network-security-scanner/
– Even a ping scan can be considered a vulnerability assessment.
– You can also use a port scanner (TCP SYN scan, also called a half-open scan).

Things to remember:
– Socket: IP address + port
– nmap is a very popular port scanner

OVAL (Open Vulnerability and Assessment Language, XML-based): as stated on the official homepage, “International in scope and free for public use, OVAL® is an information security community effort to standardize how to assess and report upon the machine state of computer systems. OVAL includes a language to encode system details, and an assortment of content repositories held throughout the community.”

https://github.com/OVALProject/

https://oval.mitre.org/

Set up a VM using Vagrant

# Install Vagrant.

# create a directory to work in
mkdir learnPlaybooks
cd learnPlaybooks

# use vagrant to create a test virtual machine
vagrant init ubuntu/trusty64

A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`vagrantup.com` for more information on using Vagrant.

# if the previous command ran successfully, then boot up the machine
vagrant up

Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'ubuntu/trusty64' could not be found. Attempting to find and install...
default: Box Provider: virtualbox
default: Box Version: >= 0
==> default: Loading metadata for box 'ubuntu/trusty64'
default: URL: https://vagrantcloud.com/ubuntu/trusty64
==> default: Adding box 'ubuntu/trusty64' (v20170619.0.0) for provider: virtualbox
default: Downloading: https://vagrantcloud.com/ubuntu/boxes/trusty64/versions/20170619.0.0/providers/virtualbox.box
default: Progress: 100% (Rate: 21.8M/s, Estimated time remaining: --:--:--)
==> default: Successfully added box 'ubuntu/trusty64' (v20170619.0.0) for 'virtualbox'!
==> default: Importing base box 'ubuntu/trusty64'...
==> default: Matching MAC address for NAT networking...
==> default: Checking if box 'ubuntu/trusty64' is up to date...
==> default: Setting the name of the VM: playbooks_default_1500666460505_44195
==> default: Clearing any previously set forwarded ports...
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
default: Adapter 1: nat
==> default: Forwarding ports...
default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
default: SSH address: 127.0.0.1:2222
default: SSH username: vagrant
default: SSH auth method: private key
default:
default: Vagrant insecure key detected. Vagrant will automatically replace
default: this with a newly generated keypair for better security.
default:
default: Inserting generated public key within guest...
default: Removing insecure key from the guest if it's present...
default: Key inserted! Disconnecting and reconnecting using new SSH key...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
default: The guest additions on this VM do not match the installed version of
default: VirtualBox! In most cases this is fine, but in rare cases it can
default: prevent things such as shared folders from working properly. If you see
default: shared folder errors, please make sure the guest additions within the
default: virtual machine match the version of VirtualBox you have installed on
default: your host and reload your VM.
default:
default: Guest Additions Version: 4.3.36
default: VirtualBox Version: 5.1
==> default: Mounting shared folders...
default: /vagrant => C:/Users/abasu/learn/playbooks

# connect to the virtual machine controlled by vagrant using the
# following command
vagrant ssh
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.13.0-125-generic x86_64)

* Documentation: https://help.ubuntu.com/

System information as of Fri Jul 21 19:48:10 UTC 2017

System load: 0.69 Processes: 81
Usage of /: 3.6% of 39.34GB Users logged in: 0
Memory usage: 25% IP address for eth0: 10.0.2.15
Swap usage: 0%

Graph this data and manage this system at:
https://landscape.canonical.com/

Get cloud support with Ubuntu Advantage Cloud Guest:
http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

New release '16.04.2 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

# Ansible uses regular SSH to connect to its nodes.
# To get the SSH connection details for the machine, run:
vagrant ssh-config

Host default
HostName 127.0.0.1
User vagrant
Port 2222
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
PasswordAuthentication no
IdentityFile C:/Users/abasu/learn/playbooks/.vagrant/machines/default/virtualbox/private_key
IdentitiesOnly yes
LogLevel FATAL

# If you are on a Windows machine, at this point you can use an SSH client such as PuTTY to connect to the VM.
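Since the point of the ssh-config output is to feed Ansible, here is an added example (not from the original post) that turns `vagrant ssh-config` output into Ansible inventory lines using the standard ansible_* connection variables; it handles several Host blocks, one line per machine, which goes beyond the single-machine output above. The sample input is the ssh-config output shown above.

```shell
# Real use: vagrant ssh-config | vagrant_to_inventory >> inventory.ini
vagrant_to_inventory() {
    awk '
        # Print the machine collected so far (if any) as one inventory line.
        function flush() {
            if (host != "")
                printf "%s ansible_host=%s ansible_port=%s ansible_user=%s ansible_ssh_private_key_file=%s\n",
                       host, hn, port, user, key
        }
        $1 == "Host"         { flush(); host = $2; hn = user = port = key = "" }
        $1 == "HostName"     { hn   = $2 }
        $1 == "User"         { user = $2 }
        $1 == "Port"         { port = $2 }
        $1 == "IdentityFile" { key  = $2 }
        END { flush() }
    '
}

# Sample input copied from the vagrant ssh-config output above.
sample_ssh_config() {
    cat <<'EOF'
Host default
  HostName 127.0.0.1
  User vagrant
  Port 2222
  UserKnownHostsFile /dev/null
  StrictHostKeyChecking no
  PasswordAuthentication no
  IdentityFile C:/Users/abasu/learn/playbooks/.vagrant/machines/default/virtualbox/private_key
  IdentitiesOnly yes
  LogLevel FATAL
EOF
}

# The host-key settings (StrictHostKeyChecking no, UserKnownHostsFile /dev/null) are
# deliberately not carried over: they are fine for a throwaway local VM, but copying
# them into an inventory for real hosts would disable host-key verification there.
sample_ssh_config | vagrant_to_inventory
```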

Git Stash Commands

Most common commands that I use. Self-explanatory.

Save and List Stash

  • git stash save "Some message"
  • git stash list # the stash is available from all branches
  • git stash show stash@{0}
  • git stash show -p stash@{0} # detailed view

Apply stash

  • git stash pop stash@{0}
  • git stash apply stash@{0}

Delete Stash

  • git stash drop stash@{0}
  • git stash clear