Prefetch Technologies // Keeping your cache lines cozy

Archive

Posts in Security

Securing CentOS Linux installations by disabling unneeded services

security | Dec 27, 2006 | 3 min read

To ensure that my CentOS machines run as efficiently and securely as possible, I disable a number of services after each installation. The end result is a system that accepts ssh connections on TCP port 22, and on one or more service ports that are in use by the applications hosted on the platform. To get to this state, I go through and disable numerous services that come enabled by default. Here is the default list of services that are enabled after a CentOS 4.4 installation: Several of these services are required, but several others serve no purpose in my environment, and use CPU and memory resources that would be better allocated to my applications…


Viewing the last time a CentOS Linux user changed their password

security | Dec 24, 2006 | 1 min

I often forget about the CentOS Linux chage utility and its ability to manage the expiration data in /etc/shadow. In addition to being able to manage password policies, chage can be run with the "-l" option to view the policy set for a user, and the date when a user's password was last changed: If you have a security organization, 'chage -l' is a great command to allow them to run through sudo.


Setting up password policies on CentOS Linux hosts

security | Dec 24, 2006 | 1 min

I needed to set up password policies on a few CentOS 4.4 machines last week. The password policy needed to define the minimum length of a password, the number of days a password is valid, the strength of a password, and a warning period to alert individuals that their password is about to expire. Expiration data for each user is stored in their entry in /etc/shadow, and is initially populated based on the password policies in /etc/login.defs. Here is a list of password policies that I typically set in /etc/login.defs: For accounts that were created without a password policy, the chage command can be used to create one…


Limiting access to OpenSSH features with the Match keyword

security | Sep 5, 2006 | 1 min

With the introduction of OpenSSH 4.3p2, Darren Tucker introduced the "Match" keyword. This super nifty keyword can be used to limit features to specific users, hosts and groups, and allows administrators to enforce granular feature access (e.g., key-based authentication can only be used from specific hosts or subnets). To use the Match feature, the Match directive needs to be added to the sshd_config configuration file with a criterion to enforce, and a set of directives to allow or deny. The criterion can be either "User," "Group," "Address," or "Host," and wildcards are supported when the Host criterion is used…


Checking the integrity of Solaris binaries

security | Aug 15, 2006 | 1 min

One new feature in Solaris 10 that doesn't get much press is the basic auditing and reporting tool (bart). Bart allows you to generate integrity checks for one or more files on a server. This allows you to compare two groups of file integrity checks (groups of file integrity checks are referred to as manifests in the bart documentation) to see what changed on a server. Bart is super easy to use, and comes with just two options, "create" and "compare." The "create" option can be used to create a new manifest, and the "compare" option can be used to compare the contents of two manifests…
