Enhancing Linux & Solaris Security
Password lockout after 3 failed Login attempts
Follow this process:
# make the log file for faillog reporting
touch /var/log/faillog
# allow only root to read the faillog file
chown root:root /var/log/faillog
# set the permission
chmod 600 /var/log/faillog
Make the changes to the following file:
/etc/pam.d/system-auth
Accounts are locked out after 3 failed login attempts. Twice an hour, the failed login counter is reset. The failed login counter is also reset with each successful authentication.
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset
Password Length and Complexity
Require a minimum password length of 10 characters, with at least 1 lowercase character, 1 uppercase character, and 1 digit.
Make changes to the following file:
/etc/pam.d/system-auth
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 lcredit=1 ucredit=1 dcredit=1 ocredit=0
Password History
To prevent reuse of the same password, create this file:
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
Make changes to the following file:
/etc/pam.d/system-auth
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
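As an added example, not part of the original post, the following Python script checks a system-auth file against the three requirements above (lockout, complexity, history). It assumes the plain `type control module options` line form shown on this page and does not handle bracketed control fields such as [success=1 default=ignore].

```python
# Added example (not from the original post): audit a system-auth file against
# the lockout, complexity and history settings prescribed above.
# Constructed sample: the four PAM lines the post prescribes, as a compliant file.
SAMPLE_COMPLIANT = """\
auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
account required /lib/security/$ISA/pam_tally.so deny=3 no_magic_root reset
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 minlen=10 lcredit=1 ucredit=1 dcredit=1 ocredit=0
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
"""

# (type, module, {option: None for a required flag, or ("min"|"max", bound)}).
# deny is a "max": a larger value allows more failed attempts before lockout.
REQUIRED = [
    ("account", "pam_tally.so", {"deny": ("max", 3), "no_magic_root": None, "reset": None}),
    ("password", "pam_cracklib.so", {"minlen": ("min", 10), "lcredit": None,
                                     "ucredit": None, "dcredit": None}),
    ("password", "pam_unix.so", {"remember": ("min", 12)}),
]

def parse_pam(text):
    """Return [(type, control, module basename, {option: value or None})] per rule."""
    rules = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(parts) < 3:
            continue  # blank line, comment, or not a complete rule
        opts = {}
        for tok in parts[3:]:
            key, eq, val = tok.partition("=")
            opts[key] = val if eq else None
        rules.append((parts[0], parts[1], parts[2].rsplit("/", 1)[-1], opts))
    return rules

def audit_system_auth(text):
    """Return findings as strings; an empty list means every setting is in place."""
    findings, rules = [], parse_pam(text)
    for mtype, module, wanted in REQUIRED:
        matched = [r for r in rules if r[0] == mtype and r[2] == module]
        if not matched:
            findings.append(f"missing {mtype} rule for {module}")
            continue
        opts = {k: v for r in matched for k, v in r[3].items()}  # merge options
        for opt, spec in wanted.items():
            if opt not in opts:
                findings.append(f"{module}: {opt} not set")
            elif spec and (opts[opt] is None or not opts[opt].lstrip("-").isdigit()):
                findings.append(f"{module}: {opt} needs a numeric value")
            elif spec and (int(opts[opt]) < spec[1] if spec[0] == "min" else int(opts[opt]) > spec[1]):
                findings.append(f"{module}: {opt}={opts[opt]} violates {spec[0]} {spec[1]}")
    return findings
```

Run `audit_system_auth(open("/etc/pam.d/system-auth").read())` on a host to list every setting from this post that is missing or weaker than prescribed.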
--------------------------------------------------------------------------------
Solaris 5.8 Settings
Password History
/etc/pam.conf
other password requisite pam_history.so.1 history=24 func=$1$
Account Lockout
/etc/pam.conf
login auth required pam_login_limit.so.1 count_limit=5 timeout_account=1800
other auth required pam_login_limit.so.1 count_limit=5 timeout_account=1800
other account required pam_login_limit.so.1 count_limit=5 timeout_account=1800
Password Length and Complexity
/etc/default/passwd
NAMECHECK=NO
HISTORY=5
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
Friday, January 29, 2010
Friday, January 22, 2010
Nipper -- Audit and Analyze network devices
Network infrastructure configuration parse
If you are a security administrator, you may need to find vulnerabilities and configuration flaws in the configuration of your network devices.
Nipper (Network Infrastructure Parser) is software that can assist during firewall and router security configuration reviews and documentation. It identifies security weaknesses in device configurations, highlights the relevant configuration settings, and creates an HTML report giving a detailed overview of the flaws and what best practice suggests.
It also addresses the need for industry standards and compliance controls such as PCI, HIPAA, ISO and BITS, and the best part of using Nipper is that the tool is absolutely free.
Nipper supports a wide range of devices, including Cisco, Juniper, Nokia, Nortel, SonicWall, 3Com, HP, Brocade, Check Point, etc.
Download Nipper from here.
Using Nipper
1. Download Nipper and extract it to a folder.
2. Copy the device config to a text file.
3. Based on the device, use the correct switch with the following command syntax:
c:\>nipper.exe --ios-switch= --input=deviceconfig.txt --output=devicename.html
Labels: Documentation, OS - Network Security
Sunday, January 17, 2010
Send As permission behavior change in Exchange 2003
While doing a security audit on the Exchange Server I came across one scenario: if the user has full mailbox rights, he is by default given access to Send As the mailbox owner. There is a Microsoft KB hotfix for the same.
"A fix has been released that changes the behavior of the "Full Mailbox Access" feature in Microsoft Exchange Server 2003. Prior to this change, any user with the "Full Mailbox Access" permission for a mailbox also had the ability to "Send As" the mailbox owner."
Microsoft Kb : http://support.microsoft.com/kb/89594
Labels: Hotfixes And Patches
Thursday, January 14, 2010
Outlook 2007 Certificate Error
I was working on this issue and found a great article about fixing it:
Please find Elan Shudnow's blog post here.
Labels: Links And Tools, Microsoft Technology
Saturday, January 2, 2010
Active Directory Documentation
I was doing an audit and needed to get a Visio architecture diagram of the Active Directory architecture to understand the overall design and implementation, and it was painful looking into a location-segmented AD architecture (if you are a network administrator or security administrator you can really understand my pain). I came across this tool from Microsoft called Active Directory Topology Diagrammer, which did an awesome job of documenting Active Directory. I ran the tool first on an Active Directory VMware Workstation image on my laptop and WOH, it does what needs to be presented (my work has become easy now: just write up and add details).
This tool automates Microsoft Office Visio to draw a diagram of the Active Directory domain topology, your Active Directory site topology, your OU structure or your current Exchange 200X Server organization. With the Active Directory Topology Diagrammer tool, you can also draw partial information from your Active Directory, like only one domain or one site. The objects are linked together and arranged in a reasonable layout, so that you can later interactively work with the objects in Microsoft Office Visio.
You can download the tool from Here.
Friday, January 1, 2010
Blog for System ,Security ,Data Center Administrators , PeopleSoft HCM Technical & Functional , Oracle
Blog for System, Security and Data Center Administrators, PeopleSoft HCM Technical & Functional, Oracle. I will be moving all my old stuff from http://vaibbhav.netfirms.com/ to here.
Labels: About Us