
Tips on how to choose a safe password


Easy to remember is easy to steal; it is as simple as that. Many people think it is OK to have a simple, easy password and never think about how to choose a safe one. Having an easy password is risky, especially when that password protects sensitive information such as a credit card number or an account number.

A large number of security attacks start with a stolen password, which makes it extremely important for a user to know how to set a safe password. From a security point of view, a safe password is a combination of random numbers, letters, and other characters. Passwords like these can be hard to remember, so people write them down, which is a bad habit (as bad as a weak password). So it is important to have a password that can be remembered and still counts as a safe password, and this tutorial will show you how.

How not to choose a password

People make some very common mistakes while choosing their passwords and end up with weak passwords that are easy to crack. Before going any further, I think it is important to describe some common mistakes that should be avoided when choosing a password.

  • Never use your own name (or username) as a password.
  • The name of a relative, friend, pet, actor, or any other person should not be chosen, as these are easy to guess when someone mounts a targeted attack.
  • Don't use the name of your favorite book, movie, play, location, etc. These are the first obvious guesses for an attacker trying to break into the account of someone they know.
  • Any information that is personally relevant to you is again easy to guess, so things such as your address, SSN (Social Security Number), etc. should never be used.
  • Any single word in a language is vulnerable, even spelled backwards.
  • An obvious misspelling like f00tball (where the letter o is replaced by the number 0), or anything similar, can be guessed, especially in dictionary attacks.
  • Never write down your password, especially for root accounts.
  • A name that appears on or near the monitor of the system is on the list of things not to do when selecting a safe password.
  • Ascending or descending sequences of numbers are fairly weak.
  • A string of the same character, or of characters that appear in the same row of a keyboard, should never be used.
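As an added example (not part of the original post), the following Python function checks a candidate password against the mistakes listed above. The word list is a small constructed stand-in for a real dictionary file, and the `personal` argument stands for whatever names and personal data the caller knows about the user.

```python
# Added example: flag passwords that break the rules listed above.
# Constructed stand-in for a real word list such as /usr/share/dict/words.
WORDS = {"football", "password", "fruit", "punch", "secret", "dragon"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Undo the common number/symbol-for-letter swaps (0->o, 1->l, 3->e, 4->a, $->s, @->a).
LEET = str.maketrans("0134$@", "oleasa")


def _is_run(s):
    """True for one repeated character, a counting sequence, or a keyboard row."""
    if not s or len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    if steps in ({1}, {-1}):          # 1234 or 4321 style sequences
        return True
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def weak_password_reasons(password, personal=()):
    """Return the rules the password violates; an empty list means none matched.

    `personal` holds names, usernames and other personal data known for the
    user (assumed to be supplied by the caller)."""
    reasons = []
    p = password.lower()
    for item in personal:
        if item and item.lower() in p:
            reasons.append("contains personal information: " + item)
    if p in WORDS or p[::-1] in WORDS:
        reasons.append("single dictionary word (possibly reversed)")
    elif p.translate(LEET) in WORDS:
        reasons.append("obvious misspelling of a dictionary word")
    if _is_run(p):
        reasons.append("sequence, repeated or keyboard-row characters")
    return reasons
```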

How to choose a safe password

Now that we know what not to do, let's move on to what to do when choosing a good password. I'll use a two-step process: step one selects a base for the password that makes it easy to remember, and step two modifies it to make it hard for password-cracking tools to crack. Passwords created in this way are extremely safe and can't be hacked easily, so the following method is advised.

Step 1: Selecting a good base

The first step is selecting a good base: a string of characters that is easy to remember and does not appear in any language's dictionary. You can start by choosing a sentence and then combining the first letter of each word; for example, you can use sibfhh from "smoking is bad for human health".

Another way of selecting a base is to combine two different words into a single word that does not appear in the dictionary; for example, you can use ruitpunc (by combining Fruit and Punch). Since ruitpunc is not in the dictionary and is easy to remember too, it is also a good base.

Step 2: Modifying the base

Once you have selected a strong base using the method given in the first step, it is time to make it harder for a cracker to break. The aim of these modifications is to move the password away from the original base. You can try one or more of the following modifications:

  • Add random punctuation, numbers, or control characters
    Start modifying the base by adding punctuation, numbers, or even control characters to it. We can modify our initial base sibfhh as si#bfh@h. Make sure to put the modifications in the middle of the base rather than at the end or the start.
  • Change case at random
    This modification may not be all that effective on systems that don't support case-sensitive passwords. But most systems do, and it is important enough to employ. In this way we can further modify the base as sI#bfH@h.
  • Reverse the order of one base word
    If a pair of words is used, you can reverse the order of either of them, or you can swap any two letters at random; for example, we can modify sI#bfH@h as sI#fbH@h. Again, it is not that effective on its own, but it will increase the cracker's search time.

Once you are done with all these steps you will be left with a very strong and safe password (sI#fbH@h in this case). This password is easy enough to remember and hard for a cracker to crack. But remember not to make the password too hard for yourself to remember, and you will be fine.

Blocking network traffic on a Linux System using iptables or ipchains

When someone from outside your network or system attempts to enter your system without permission, they have to deal with your firewall first. If the firewall is not strong enough, the intruder can have an easy time attacking your system. Even home computers that are not connected to public networks can become victims of unwanted intrusion.

Linux systems come with a fine firewall built into the kernel. The firewall is configured by the superuser through an interface; the two available interfaces are called ipchains and iptables. ipchains is a stateless packet filter, meaning that each packet is matched against the set of predefined rules and the decision taken for that packet is not influenced by previous packets.

While ipchains uses the stateless model, iptables uses the stateful packet model: the decision to accept, reject, or forward a packet can be influenced by the packets that came before it. Only one of the two interfaces can be used at a time, and this decision can only be made at kernel compile time.

So, if you haven't compiled your own kernel (and you wouldn't have, if you are using a distribution released by someone other than you), you will have to find out which interface your distribution's kernel uses.

Block incoming network traffic

If you block incoming network traffic to your system, the outgoing network traffic won't be affected by it. Using this method the firewall will block all traffic that is not a reply to a connection started by your system. You can use the following commands to block incoming network traffic:

For iptables

# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -j REJECT

For ipchains

# ipchains -F input
# ipchains -A input -i lo -j ACCEPT
# ipchains -A input -p tcp --syn -j REJECT
# ipchains -A input -p udp --dport 0:1023 -j REJECT

Block outgoing network traffic

For iptables

The following commands will block all outgoing connections from your system. This won't affect any of the incoming traffic to your system:

# iptables -F OUTPUT
# iptables -A OUTPUT -o lo -j ACCEPT
# iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A OUTPUT -j REJECT

For ipchains

# ipchains -F output
# ipchains -A output -p tcp ! --syn -j ACCEPT
# ipchains -A output -j REJECT

Block all network traffic

The easiest way to block all network traffic is to stop your network device, or simply unplugging the network cable will do. But if you want to do it using the firewall, you will have to enter the following commands:

For iptables

# iptables -F
# iptables -A INPUT -j REJECT
# iptables -A OUTPUT -j REJECT
# iptables -A FORWARD -j REJECT

For ipchains

# ipchains -F
# ipchains -A input -j REJECT
# ipchains -A output -j REJECT
# ipchains -A forward -j REJECT

9 Suspicious Events that you should investigate while detecting System Intrusion


Linux systems vary greatly in how they operate. One system might normally run with a high CPU load, whereas another might normally run with little or no load. One computer might normally see little network traffic, whereas another might regularly transfer gigabytes of data every day. As a system administrator you should be aware of how your system normally behaves.

One method of detecting intruders is to be aware of the normal operation of your system and then detect any deviation from that standard. Even simple signs like a higher-than-normal system load, unusual files, or changes to configuration files can indicate an intrusion. Looking for odd system behavior can help you find intruders in the system. Even if the odd behavior is not due to an intrusion, it still points to a problem that needs fixing.

Unusual Load Averages

A load average is a measure of the demand for CPU time placed on the system by all the programs it runs. The load average can be checked with uptime or top, and many GUI environments now also provide load average meters. Check whether the load average moves out of its usual range; if it does, it might be an indication that a cracker has broken into the system and is running CPU-intensive programs or causing programs to crash. But it is also possible that legitimate users are demanding more CPU time for normal reasons, or that CPU-intensive programs are crashing for other reasons.

Unusual Network Traffic

Similar to load averages, a system normally sees a certain range of network traffic. One possible cause of changes in network traffic patterns is an intrusion: a cracker might be using your system as a node in a distributed denial-of-service (DDoS) attack, for instance, chewing up your network bandwidth. On the other hand, you could be seeing an innocent spike in demand for a server's services, or a user could be downloading unusually large files for legitimate reasons. One way to monitor network traffic is to watch the activity LEDs on NICs, hubs, switches, telephone modems, and broadband modems. Typing ifconfig eth0 (or a similar command for an interface other than eth0) produces counts of transmitted (TX) and received (RX) packets.

Strange Running Processes

Process monitoring tools (such as ps or top) show the currently running processes. If you see a process that you are not familiar with, it may be a sign of problems, or it may be some user running a harmless process. So you should spend enough time with the process list to learn which processes are normal for your system.

Odd Program Crashes

Programs crash, even on Linux. After you have spent some time with Linux you will be able to notice which programs crash on your system and which don't. If another program starts crashing, it could be that an intruder has changed a configuration file, support libraries, or even the program executable itself, thereby causing the crashes. Alternatively, it could be that a routine system upgrade or an error on your part caused these problems. Program crashes can also be early signs of deteriorating hardware, such as RAM or a hard disk starting to go bad.

Changes in Program Behavior

In most cases, programs should behave in a very predictable manner. For instance, if your bash shell presents a plain dollar sign ($) prompt today, it should do the same tomorrow unless you change the configuration file. If a program's behavior changes suddenly and without your having updated it or changed its configuration file, an intruder might have fumbled a takeover by inadvertently altering a configuration file detail or by changing a program file. On the other hand, you might have forgotten a legitimate upgrade or change, or the program might be responding to some other change in the system that you don't realize is related. If you share administrative responsibility for the system, perhaps another administrator has made a change.

Peculiar Log Entries

All Linux systems maintain log files, most of which reside in /var/log and its subdirectories. These log files may contain clues concerning an attempted or successful intrusion, such as repeated login failures or reports of unusual server stop/start cycles. Crackers often try to cover their tracks by editing or deleting log files, so even missing log files or gaps in log files can be signs of trouble.
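Added example, not from the original post: a small Python check over constructed auth-log lines for two of the clues mentioned above, repeated login failures from one source and an unexpectedly long silence between consecutive entries. The log format, the threshold and the gap length are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample auth-log lines (documentation IP ranges, not a real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01 host sshd[811]: Failed password for root from 203.0.113.5 port 4021 ssh2
2024-05-01T10:00:03 host sshd[811]: Failed password for root from 203.0.113.5 port 4022 ssh2
2024-05-01T10:00:05 host sshd[811]: Failed password for admin from 203.0.113.5 port 4023 ssh2
2024-05-01T10:00:09 host sshd[811]: Failed password for root from 203.0.113.5 port 4024 ssh2
2024-05-01T10:02:40 host sshd[813]: Failed password for alice from 198.51.100.7 port 5100 ssh2
2024-05-01T10:03:10 host sshd[813]: Accepted password for alice from 198.51.100.7 port 5100 ssh2
2024-05-01T14:30:00 host cron[100]: (root) CMD (run-parts /etc/cron.hourly)
"""
FAILED = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")


def parse_time(line):
    """Assumed format: an ISO 8601 timestamp is the first field of every line."""
    return datetime.fromisoformat(line.split(" ", 1)[0])


def repeated_failures(log_text, threshold=3):
    """Map each source with at least `threshold` failed logins to the users it tried."""
    tried = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            tried.setdefault(m["src"], []).append(m["user"])
    return {src: users for src, users in tried.items() if len(users) >= threshold}


def log_gaps(log_text, max_gap=timedelta(hours=1)):
    """Pairs of consecutive entries further apart than `max_gap`.

    On a log that is normally busy, a long silence can mean lines were removed;
    on a quiet system the same gap is normal, so tune `max_gap` to the baseline."""
    times = [parse_time(l) for l in log_text.splitlines() if l.strip()]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]
```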

Filled Filesystems

If you notice that a filesystem has filled up, you should investigate the matter. Even if it's due to innocent causes, such as increased user demand for storage space, you must correct the problem. Sometimes an intruder might inadvertently or intentionally fill a filesystem. One type of DoS attack involves causing your system to create huge log files, filling your log file partition. Such attacks aren't intrusions per se, but they do require your attention.

Unfamiliar User Accounts

If you notice unfamiliar usernames in ps or top listings or in /etc/passwd or other system configuration files, investigate immediately. Some servers require special accounts to operate correctly, but for the most part, if an account wasn't present when you installed the system and wasn't added by you or another authorized administrator, it's suspect. Make a backup of /etc/passwd right after you install the system, and keep it for reference.
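To act on the advice about keeping a reference copy of /etc/passwd, here is an added Python example (not from the original post) that compares a current passwd file with the baseline copy and reports new, changed, removed and extra UID 0 accounts. Both files are constructed samples; on a real system read the two files instead.

```python
# Constructed baseline, as saved right after installation.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed current file: one service account added legitimately (sshd) and
# one suspicious account sharing UID 0 with root.
CURRENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0:helper:/tmp:/bin/sh
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
"""


def parse_passwd(text):
    """Map username -> (uid, gid, home, shell) for each well-formed passwd line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue                      # skip blank or malformed lines
        name, _, uid, gid, _, home, shell = fields
        users[name] = (int(uid), int(gid), home, shell)
    return users


def audit_accounts(baseline_text, current_text, allowed_new=()):
    """Return (finding, username) pairs: accounts added since the baseline
    (unless listed in `allowed_new`), accounts whose uid/gid/home/shell changed,
    accounts that disappeared, and any non-root account with UID 0."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, info in cur.items():
        if name not in base:
            if name not in allowed_new:
                findings.append(("new account", name))
        elif base[name] != info:
            findings.append(("changed account", name))
        if info[0] == 0 and name != "root":
            findings.append(("extra uid 0 account", name))
    for name in base:
        if name not in cur:
            findings.append(("removed account", name))
    return findings
```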

Complaints from Other System Administrators

In many ways the worst-case scenario is receiving a complaint from another system administrator. You might receive a phone call or e-mail complaining of suspicious access attempts from your computer. Another common complaint concerns spam originating from your system. Sometimes these complaints are signs of an intrusion; the intruder is using your system to attack others. Other times these complaints indicate that you have a local user who's a "bad apple" and is attacking others. Sometimes (particularly with spam and e-mail worms) the complaint is spurious; it's easy to forge e-mail headers to indicate a false return address, and a spammer may be attacking you indirectly in this way.

All of the above events demand further investigation of the problem. By looking for these suspicious events you can tell whether your system may have been broken into.