Securing FC 4

AragonX aragonx at dcsnow.com
Mon Aug 22 21:59:17 UTC 2005


<quote who="cromworshipper-fedorastuff at yahoo.com">
>
>
> --- AragonX <aragonx at dcsnow.com> wrote:
> [...]
>> I've gotten some very good information off of the security lists though.
>> Perhaps I should copy it here so that others could benefit?
>
> Yes, please.
>
> What was the weak point that allowed an intrusion on your machine?  I'd like
> to know what I should watch out for...

<final copy from focuslinux for today.  :)>

  The single most powerful thing you can do to prevent
  user account compromise is a non shell.

  Use tail for the noshell script. (There are NO KNOWN EXPLOITS for tail!)

  You create the 'noshell'  yourself like this:

  As root:

  add /bin/noshell to /etc/shells

~# echo '/bin/noshell' >> /etc/shells

  Then:

~# touch /bin/noshell
~# chmod 755 /bin/noshell

   Then insert  the following script  into /bin/noshell
begin script...
#!/usr/bin/tail +2

                   ,   .-'"'=;_  ,
                   |\.'-~`-.`-`;/|
                   \.` '.'~-.` './
                   (\`,__=-'__,'/)
                _.-'-.( d\_/b ).-'-._
              /'.-'   ' .---. '   '-.`\
            /'  .' (=    (_)    =) '.  `\
           /'  .',  `-.__.-.__.-'  ,'.  `\
          (     .'.   V       V  ; '.     )
          (    |::  `-,__.-.__,-'  ::|    )
          |   /|`:.               .:'|\   |
          |  / | `:.   Security   :' |`\  |
          | |  (  :.      is     .:  )  | |
          | |   ( `:.  Watching  :' )   | |
          | |    \ :.           .: /    | |
          | |     \`:.         .:'/     | |
          ) (      `\`:.     .:'/'      ) (
          (  `)_     ) `:._.:' (     _(`  )
          \  ' _)  .'           `.  (_ `  /
           \  '_) /   .'"```"'.   \ (_`  /
            `'"`  \  (         )  /  `"'`
        ___        `.`.       .'.'        ___
      .`   ``"""'''--`_)     (_'--'''"""``   `.
     (_(_(___...--'"'`         `'"'--...___)_)_)
  ########################################################
  #                                                      #
  #   Sorry, you do not have shell access                #
  ########################################################
end script...

   Then all you have to do is change bash to noshell for users in
/etc/passwd.

   Modify your user adder script to use /bin/noshell too; if you add users
often, then you have less work to do. I'm lazy myself, you should be too. ;)

  This will prevent surprises from all those scans that turn up the odd
  correct password. They get the hint when they try to ssh into the account.

"Pat Parrinello" <security at txbs.net>

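An audit helper for the noshell setup described in the copied post, added here as an example; it is not part of the original message or of anything posted on the list. The function names, the --audit switch and the default minimum UID of 500 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks the pieces of the noshell setup from the post.
# Function names and the 500 UID cut-off are assumptions of this example.

NOSHELL=/bin/noshell                 # path used in the post
SHEBANG='#!/usr/bin/tail +2'         # first line of the script in the post

# noshell_registered SHELLS_FILE
# Succeeds only if NOSHELL appears as a whole line in the shells file.
noshell_registered() {
    grep -qxF "$NOSHELL" "$1"
}

# noshell_file_ok SCRIPT
# Succeeds if the script starts with the tail shebang and is not writable
# by group or others (the post sets mode 755).
noshell_file_ok() {
    [ "$(head -n 1 "$1")" = "$SHEBANG" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# interactive_accounts PASSWD_FILE SHELLS_FILE [MIN_UID]
# Prints user:uid:shell for every account at or above MIN_UID whose login
# shell is listed in SHELLS_FILE and is not NOSHELL. These are the accounts
# still waiting to be switched over in /etc/passwd.
interactive_accounts() {
    awk -F: -v noshell="$NOSHELL" -v min="${3:-500}" '
        NR == FNR { if ($0 != "" && $0 !~ /^#/) listed[$0] = 1; next }
        $3 + 0 >= min && $7 != noshell && ($7 in listed) {
            print $1 ":" $3 ":" $7
        }
    ' "$2" "$1"
}

# Run against the live files only when asked to.
if [ "${1:-}" = "--audit" ]; then
    noshell_registered /etc/shells || echo "$NOSHELL missing from /etc/shells"
    noshell_file_ok "$NOSHELL"     || echo "$NOSHELL has wrong shebang or mode"
    interactive_accounts /etc/passwd /etc/shells
fi
```

Accounts it prints are the ones where a correctly guessed password would still yield a shell over ssh.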



