Issue / Question
Some more things to think about for maintaining your server's user and passwords
Environment
Linux
Update your package list and upgrade your OS
Software updates and patches are often distributed to fix security vulnerabilities as they’re discovered. Running outdated software puts you at risk as soon as the details of the vulnerability are published. For that reason, it’s vital to make sure your packages and OS are constantly updated and as secure as they can be.
To do this:
apt-get update && apt-get upgrade
The update part refreshes your package list, and the upgrade part actually downloads and installs the newer versions.
To do this periodically, you can install the unattended-upgrades package.
apt-get install unattended-upgrades
In the package’s config file, located at /etc/apt/apt.conf.d/50unattended-upgrades, you can enable or disable automatic updates for particular groups of packages. For example, to receive only security patches automatically, uncomment the line "${distro_id}:${distro_codename}-security"; in that file.
Remove unnecessary packages
Packages that you don’t need are a useless security liability on your system. They’re one extra entry point for attacks that you can do without. To keep your server as lean as possible, you can either manually check through a list of packages and delete anything you don’t need, or use a tool that checks for you.
Run apt-get autoremove to remove packages that were installed only as dependencies and are no longer needed by anything. Next, review the output of apt-cache pkgnames and delete anything you don’t need with
sudo apt-get purge --auto-remove [packagename]
Detect weak passwords with John the Ripper
If you can easily brute-force the passwords on your server, there’s a good chance a malicious user could do the same once they find a gap in your security defenses. To protect against this, run a password-cracking attempt on your own server to find easily guessed passwords before someone else does.
First, install john: apt-get install john
Next, merge your shadow and passwd files with: sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db
This will create a temporary database of passwords that you can now run john on.
john /tmp/crack.password.db
Brute-forcing passwords is an intensive task, but it will eventually produce a results file listing the passwords john managed to crack; view it with john -show /tmp/crack.password.db. Delete /tmp/crack.password.db when you are done, since it contains your password hashes in a world-readable location.
Verify no accounts have empty passwords
Accounts without passwords are dangerous: a hacker who has slipped through your defenses only needs the username and a press of ‘enter’, and they’d be in.
Empty passwords are easily detected; just run awk -F: '($2 == "") {print}' /etc/shadow — this checks whether the second field (the encrypted password) is blank in your shadow file, and if it is, it prints the entry so you can see the username and go and give that account a strong password.
To prevent this from happening again, you should set password rules for users.
Set password rules
Allowing users to set passwords like “password” or “1234” is a hazard, and you want to make sure you have control over the passwords users set by enforcing rules.
The password rules config file is located at /etc/pam.d/common-password. Edit that file to include, for example, the following line:
password requisite pam_cracklib.so minlen=12 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4
To break that down:
- minlen sets the minimum number of characters a user must use in their password
- lcredit, ucredit, dcredit, and ocredit control lowercase, uppercase, digit, and other characters respectively; a negative value such as -1 means at least that many characters of that class are required (a positive value would instead only grant a length credit for using the class, not require it)
- difok sets the number of characters that must differ between a new password and the previous one.
Set password expiration in login.defs
To ensure your users regularly set strong, unique passwords, now configure how often passwords expire.
The login.defs file — /etc/login.defs — is where a big chunk of the password configuration lives. Open it in a text editor and look for the password aging controls. You’ll see three parameters:
- PASS_MAX_DAYS: Maximum number of days a password may be used. If the password is older than this, a password change will be forced.
- PASS_MIN_DAYS: Minimum number of days allowed between password changes. Any password change attempted sooner than this will be rejected.
- PASS_WARN_AGE: Number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.
It is recommended that password changes be enforced at least every 90 days: if old backups are lost or misfiled, you don’t want the password hashes on them to still be valid and usable to get into your server.
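The two audits above (the empty-password check on the shadow file and the PASS_MAX_DAYS setting in login.defs) can be scripted so they run the same way every time. This is an added example, not part of the original page; it uses constructed sample files with placeholder hashes so it runs without root, and the same functions accept /etc/shadow and /etc/login.defs on a real host.

```shell
#!/bin/sh
# Added example: audit a shadow-format file for empty password fields and
# check that a login.defs file enforces a maximum password age.

# Print the username of every account whose second field (the hash) is empty.
# Locked accounts ("!" or "*") are not reported: they cannot log in by password.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Return 0 when PASS_MAX_DAYS in the given login.defs is set and is at most
# the threshold in $2 (default 90), 1 otherwise. Commented lines are skipped
# and the last effective setting wins, which is how login.defs is read.
pass_max_days_ok() {
    awk -v limit="${2:-90}" '
        /^[ \t]*PASS_MAX_DAYS[ \t]+/ { val = $2 }
        END {
            if (val == "") exit 1              # unset means 99999: fail
            if (val + 0 <= limit + 0) exit 0
            exit 1
        }' "$1"
}

# Constructed sample shadow file (not real data; hashes are placeholders).
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$PLACEHOLDER_HASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
svc_backup::19000:0:99999:7:::
alice:$6$PLACEHOLDER_HASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF

# Constructed login.defs fragments: the weak default beside the hardened one.
WEAK_DEFS=$(mktemp)
printf '# PASS_MAX_DAYS 90\nPASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n' > "$WEAK_DEFS"
HARD_DEFS=$(mktemp)
printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\nPASS_WARN_AGE\t7\n' > "$HARD_DEFS"

echo "Accounts with empty passwords:"
empty_password_accounts "$SAMPLE_SHADOW"
pass_max_days_ok "$WEAK_DEFS" && echo "weak: ok" || echo "weak: PASS_MAX_DAYS too high"
pass_max_days_ok "$HARD_DEFS" && echo "hardened: ok" || echo "hardened: PASS_MAX_DAYS too high"
```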