Some embarrassing, minor? security holes I found in my rh installation...you should check for same

Using kfind (file and content searching util in kde) I decided to check/scan some key directories for my root password and the password of my <primary> user account (what I use when I'm not root). I was embarrassed by what I found.

I found my root password in cleartext in the following files:

/etc/lilo.conf.anaconda
/var/log/apache/httpsd_access_log
/var/log/apache/transfer_log
/var/log/webmin/miniserv.log

I found my primary user account password in:

/etc/cups/printers.conf    (for a samba-shared printer)
/etc/webmin/mysql/config
/www/html/mydomain/phpBB
/var/log/apache/httpsd_access_log
/var/log/apache/transfer_log
/var/log/webmin/miniserv.log
/var/log/webmin/webmin.log

Plus, when I ran "ps -Af" I saw several services running as root which I didn't really want running as root.

Now...the majority of these files were readable by only root (or nobody), but some weren't. Personally, I kind of hoped my only passwords were in md5/shadow and in ldap (but under very tight acls). Not the case...and they were in cleartext! Damn!

What I learned from this is the following:

1. Can't be too complacent. Besides tripwire and a few other ongoing checks, I have developed a sanity check for when things slip between the cracks. I execute this check weekly and <of course> after every software install.

2. It's good to have separate passwords...even though it means you've got to keep a piece of paper around (or computer file, etc.). Either keep this note in a locked cabinet or better yet pgp encrypt this file with a password you won't forget.

3. Have several root-level passwords. One for your actual root account...and others for lilo, passphrases required for tripwire, pgp keys, etc. Keeping this information on a smartcard or in an encrypted file on your pda is another good spot.

4. Also get into the habit of creating separate accounts for all services you run. I'm not even using nobody for this (just apache). So for mysql there's a mysql user (this is the default, I know), a different user for jabber, one for zope, php apps, etc.

5. Create some other special accounts for things like backup/archive operator and other special tasks (like mysql guest user...selects only), etc. Many services you will add to your installation will require this kind of pattern, so get into the habit of it.

6. Install (and understand!) tools like tripwire, cops/satan, ssh/pptp, fwbuilder, etc.

7. Don't allow your firewall to be managed from the internet, and don't use an existing root password for this. Use/understand nat and your firewall rules (or use fwbuilder).

8. In general...keep your system updated constantly...I've never been hosed by a rhnupdate (but have had blue screens from windows updates).

9. Use a recursive find command to see what files are writable by other...shouldn't be a whole lot of these floating around. Probably none? You might've made a mistake in a chmod.
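As an added illustration of items 1 and 9 (not the original poster's sanity-check script), here is a small POSIX shell check that lists files writable by "other" (skipping sticky-bit directories like /tmp, which are world-writable by design) and files in a private directory that "other" can read. The directory tree in the demo is constructed in a temp dir so nothing on the real system is touched; point the functions at /etc, /var/log and similar for the real check.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX find
# (GNU find works) and that the caller passes a directory to scan.

# Files and directories under $1 that "other" can write (mode bit 0002),
# excluding sticky-bit directories (mode bit 1000), e.g. /tmp.
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 2>/dev/null
}

# Regular files under $1 that "other" can read (mode bit 0004). Run this
# against directories that should hold only private data, such as
# /etc/cups, /etc/webmin or /var/log, where passwords tend to end up.
other_readable() {
    find "$1" -xdev -type f -perm -0004 2>/dev/null
}

# Demonstration on a constructed tree (sample data, not real system files).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/cups" "$d/var/log" "$d/tmp"
    chmod 0755 "$d/etc" "$d/etc/cups" "$d/var" "$d/var/log"
    chmod 1777 "$d/tmp"                     # sticky, world-writable: ignored
    printf 'Password=sample\n' > "$d/etc/cups/printers.conf"
    chmod 0600 "$d/etc/cups/printers.conf"  # private: not reported
    printf 'GET /?pw=sample\n' > "$d/var/log/access_log"
    chmod 0644 "$d/var/log/access_log"      # readable by other: reported
    : > "$d/etc/oops.conf"
    chmod 0666 "$d/etc/oops.conf"           # writable by other: reported
    echo "writable by other:";  world_writable "$d"
    echo "readable by other:";  other_readable "$d/var/log"
    rm -rf "$d"
}

demo
```

Anything the second function reports from a log or config directory is worth opening by hand, since that is exactly where the cleartext passwords above were sitting.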

The only time I'd ever been hacked into was when I stupidly opened anonymous ftp and apparently didn't do the required lockdown. There are thousands of people/assholes out on the internet running automated bot-like software looking for these common mistakes...too easy to get caught. I'd like to think the only way I could get hacked now is by a determined individual (i.e. feds)...or by a bigtime screwup on my part (not following above rules).


Take care...



-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
