Securing FC 4
AragonX
aragonx at dcsnow.com
Mon Aug 22 21:59:17 UTC 2005
cromworshipper-fedorastuff at yahoo.com wrote:
>
> --- AragonX <aragonx at dcsnow.com> wrote:
> [...]
>> I've gotten some very good information off of the security lists though.
>> Perhaps I should copy it here so that others could benefit?
>
> Yes, please.
>
> What was the weak point that allowed an intrusion on your machine? I'd like
> to know what I should watch out for...
<final copy from focuslinux for today. :)>
The single most powerful thing you can do to prevent
user account compromise is a non-shell.
Use tail for the noshell script. (There are NO KNOWN EXPLOITS for tail!)
You create the 'noshell' yourself like this:
As root:
add /bin/noshell to /etc/shells
~# echo '/bin/noshell' >> /etc/shells
Then:
~# touch /bin/noshell
~# chmod 755 /bin/noshell
Then insert the following script into /bin/noshell
begin script...
#!/usr/bin/tail -n+2
, .-'"'=;_ ,
|\.'-~`-.`-`;/|
\.` '.'~-.` './
(\`,__=-'__,'/)
_.-'-.( d\_/b ).-'-._
/'.-' ' .---. ' '-.`\
/' .' (= (_) =) '. `\
/' .', `-.__.-.__.-' ,'. `\
( .'. V V ; '. )
( |:: `-,__.-.__,-' ::| )
| /|`:. .:'|\ |
| / | `:. Security :' |`\ |
| | ( :. is .: ) | |
| | ( `:. Watching :' ) | |
| | \ :. .: / | |
| | \`:. .:'/ | |
) ( `\`:. .:'/' ) (
( `)_ ) `:._.:' ( _(` )
\ ' _) .' `. (_ ` /
\ '_) / .'"```"'. \ (_` /
`'"` \ ( ) / `"'`
___ `.`. .'.' ___
.` ``"""'''--`_) (_'--'''"""`` `.
(_(_(___...--'"'` `'"'--...___)_)_)
########################################################
# #
# Sorry, you do not have shell access #
########################################################
end script...
Then all you have to do is change bash to noshell for users in
/etc/passwd.
Modify your user adder script to use /bin/noshell too if you add users
often, then you have less work to do. I'm lazy myself, you should be too. ;)
This will prevent surprises from all those scans that turn up the odd correct
password. They get the hint when they try to ssh into the account.
"Pat Parrinello" <security at txbs.net>
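As an added example (not part of Pat's post), here is a POSIX shell audit of the passwd step above: it lists regular accounts that still have an interactive shell and rewrites them to use /bin/noshell. It assumes the /bin/noshell path from the post, treats UID 1000 and up as "regular users" (an assumption, not from the post), and works on a constructed passwd sample rather than the live /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the original post.
# Audit and rewrite passwd-format text so regular users get the noshell.

NOSHELL=/bin/noshell        # path used in the post
MIN_UID=1000                # assumed cutoff for regular (non-system) users

# Constructed sample passwd content for offline testing.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/noshell
carol:x:1003:1003:Carol:/home/carol:/bin/sh
mail:x:8:12:mail:/var/spool/mail:/bin/false'

# Print, one per line, the login names of accounts with UID >= MIN_UID whose
# shell is neither the noshell nor an existing non-login shell (nologin/false).
interactive_accounts() {
    printf '%s\n' "$1" | awk -F: -v noshell="$NOSHELL" -v min="$MIN_UID" '
        $3 >= min && $7 != noshell && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Emit the passwd text with every such account switched to the noshell.
# root and system accounts (UID < MIN_UID) are left untouched.
apply_noshell() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v noshell="$NOSHELL" -v min="$MIN_UID" '
        $3 >= min && $7 !~ /(nologin|false)$/ { $7 = noshell } { print }'
}

# Demo run on the constructed sample: who still has a shell, then the rewrite.
interactive_accounts "$SAMPLE_PASSWD"
apply_noshell "$SAMPLE_PASSWD"
```

Run it against a copy of your real /etc/passwd only after /bin/noshell is in /etc/shells, as the post describes; the rewrite prints to stdout so you can diff it before installing anything.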