Friday, January 29, 2010

Enhancing Linux & Solaris Security

Password lockout after 3 failed Login attempts


Follow this process:


# create the log file used for faillog reporting
touch /var/log/faillog

# make root the owner so that only root can read the faillog file
chown root:root /var/log/faillog

# set the permissions
chmod 600 /var/log/faillog

Make the changes to the following file:
/etc/pam.d/system-auth


Accounts are locked out after 3 failed login attempts. Twice an hour, the failed login counter is reset. The failed login counter is also reset with each successful authentication.


auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root

account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset




Password Length and Complexity




Require a minimum password length of 10 characters, with at least 1 lowercase character, 1 uppercase character, and 1 digit.


Make changes to the following file:
/etc/pam.d/system-auth



# negative credit values are minimums; positive values are only credits counted toward minlen
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0




Password History

To prevent reuse of previous passwords, create this file:



touch /etc/security/opasswd

chown root:root /etc/security/opasswd

chmod 600 /etc/security/opasswd




Make changes to the following file:
/etc/pam.d/system-auth



# remember=12 keeps the last 12 password hashes in /etc/security/opasswd; nullok permits accounts with an empty password
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
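As an added check that is not part of the original post, the Python script below parses a system-auth file and reports whether the lockout, length/complexity and history settings described above are actually in force. The file contents are constructed samples, and the script also flags the pam_cracklib credit gotcha: positive lcredit/ucredit/dcredit values are credits toward minlen, not minimums, so they do not require the character classes.

```python
# Constructed sample of /etc/pam.d/system-auth (not from a real host) with the lines discussed above.
SAMPLE_SYSTEM_AUTH = """\
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 lcredit=1 ucredit=1 dcredit=1 ocredit=0
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
"""
# Same file with negative credits (true minimums) and without nullok.
HARDENED_SYSTEM_AUTH = SAMPLE_SYSTEM_AUTH.replace(
    "lcredit=1 ucredit=1 dcredit=1", "lcredit=-1 ucredit=-1 dcredit=-1").replace(" nullok", "")

def parse_pam(text):
    """Return (type, control, module basename, {option: value}) for each active line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        opts = dict(tok.partition("=")[::2] for tok in fields[3:])  # flag options get ""
        entries.append((fields[0], fields[1], fields[2].rsplit("/", 1)[-1], opts))
    return entries

def num(opts, key):
    """Integer value of a module option, 0 when absent or non-numeric."""
    try:
        return int(opts.get(key, "0"))
    except ValueError:
        return 0

def audit(text):
    """Map each requirement from the post to True (met) or False (not met)."""
    entries = parse_pam(text)
    tally = [o for t, _, m, o in entries if t == "account" and m == "pam_tally.so"]
    crack = [o for _, _, m, o in entries if m == "pam_cracklib.so"]
    unix = [o for _, _, m, o in entries if m == "pam_unix.so"]
    return {
        "lockout_after_3": any(num(o, "deny") == 3 and "reset" in o for o in tally),
        "minlen_10": any(num(o, "minlen") >= 10 for o in crack),
        # pam_cracklib: a positive credit is a maximum credit, not a requirement;
        # only a negative value forces at least that many characters of the class.
        "classes_required": any(all(num(o, k) < 0 for k in ("lcredit", "ucredit", "dcredit")) for o in crack),
        "history_12": any(num(o, "remember") >= 12 for o in unix),
        "no_empty_passwords": not any("nullok" in o for o in unix),
    }

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_SYSTEM_AUTH), ("hardened", HARDENED_SYSTEM_AUTH)):
        print(label, {k: ("PASS" if v else "FAIL") for k, v in audit(cfg).items()})
```

Run it against a real file with `audit(open("/etc/pam.d/system-auth").read())`; the "as posted" sample fails the class and empty-password checks, the hardened one passes all five.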


--------------------------------------------------------------------------------
Solaris 5.8 Settings


Password History



/etc/pam.conf



other password requisite pam_history.so.1 history=24 func=$1$


Account Lockout

/etc/pam.conf



login auth required pam_login_limit.so.1 count_limit=5 timeout_account=1800
other auth required pam_login_limit.so.1 count_limit=5 timeout_account=1800
other account required pam_login_limit.so.1 count_limit=5 timeout_account=1800


Password Length and Complexity


/etc/default/passwd


NAMECHECK=NO
HISTORY=5
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0

Friday, January 22, 2010

Nipper -- Audit and Analyze network devices

Network infrastructure configuration parser

If you are a security administrator, you may need to find vulnerabilities and configuration flaws in the configuration of your network devices.

Nipper (Network Infrastructure Parser) is software that can assist during firewall and router security configuration reviews and documentation. It identifies security weaknesses in device configurations, highlights the relevant configuration settings, and creates an HTML report giving a detailed overview of the flaws and what best practice suggests.

It addresses the need for industry standards and compliance controls such as PCI, HIPAA, ISO and BITS, and the best part of using Nipper is that the tool is absolutely free.

Nipper supports a wide range of devices, including Cisco, Juniper, Nokia, Nortel, SonicWall, 3Com, HP, Brocade, Check Point, etc.

Download Nipper from Here.

Using Nipper

1. Download Nipper and extract it to a folder.
2. Copy the device configuration to a text file.
3. Choose the switch that matches the device type and run the following command syntax:
c:\>nipper.exe --ios-switch --input=deviceconfig.txt --output=devicename.html

Sunday, January 17, 2010

Send As permission behavior change in Exchange 2003

While doing a security audit on the Exchange Server, I came across one scenario: if the user has full mailbox rights, he is by default given access to Send As the mailbox owner. There is a Microsoft KB hotfix for the same.

"A fix has been released that changes the behavior of the "Full Mailbox Access" feature in Microsoft Exchange Server 2003. Prior to this change, any user with the "Full Mailbox Access" permission for a mailbox also had the ability to "Send As" the mailbox owner."

Microsoft KB: http://support.microsoft.com/kb/89594

Thursday, January 14, 2010

Outlook 2007 Certificate Error

I was working on this issue and found a great article about fixing it:

Please find Elan Shudnow's blog post here.

Saturday, January 2, 2010

Active Directory Documentation

I was doing an audit and needed a Visio diagram of the Active Directory architecture to understand the overall design and implementation, and it was painful looking into a location-segmented AD architecture (if you are a network administrator or security administrator, you can really understand my pain). I came across this tool from Microsoft called Active Directory Topology Diagrammer, which did an awesome job of documenting Active Directory. I ran the tool first on an Active Directory VMware Workstation image on my laptop and WOH, it does what needs to be presented (my work has become easy now: just write up and add details).

This tool automates Microsoft Office Visio to draw a diagram of the Active Directory domain topology, your Active Directory site topology, your OU structure or your current Exchange 200X Server organization. With the Active Directory Topology Diagrammer tool, you can also draw partial information from your Active Directory, such as only one domain or one site. The objects are linked together and arranged in a reasonable layout, so that you can later interactively work with the objects in Microsoft Office Visio.

You can download the tool from Here.

Friday, January 1, 2010

Blog for System ,Security ,Data Center Administrators , PeopleSoft HCM Technical & Functional , Oracle

Blog for System, Security and Data Center Administrators, PeopleSoft HCM Technical & Functional, Oracle. I will be moving all my old stuff from http://vaibbhav.netfirms.com/ to here.