cracklib).

root@heimdall:~# apt-get install libpam-cracklib
[...]
(/etc/pam.d/common-password, man pam_cracklib, /examples)
(man pam_cracklib, /minlen)
(man pam_cracklib, /dcredit)
(man pam_cracklib, /ucredit)
(man pam_cracklib, /lcredit)
(man pam_cracklib, /ocredit)

root@heimdall:~# cat /etc/pam.d/common-password | grep cracklib
password requisite pam_cracklib.so retry=3 difok=3 minlen=12 dcredit=-3 ucredit=-2 lcredit=-4 ocredit=-3
student@heimdall:~$ passwd
Changing password for student.
(current) UNIX password:
New password:
BAD PASSWORD: it is WAY too short
New password:
BAD PASSWORD: is too simple
New password:
Retype new password:
passwd: password updated successfully
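To see what the pam_cracklib line above actually demands, here is an added example (not part of the lab, and not pam_cracklib's own code) that models its length and character-class rules in a shell function: minlen=12 with dcredit=-3 ucredit=-2 lcredit=-4 ocredit=-3, where a negative credit means "at least N characters of that class". The rule set, the function names and the candidate passwords are constructed for this example; pam_cracklib additionally runs dictionary, palindrome and difok checks that the model leaves out.

```shell
#!/bin/sh
# Added example, not part of the lab page: a model of the length and
# character-class rules on the pam_cracklib line
#   minlen=12 dcredit=-3 ucredit=-2 lcredit=-4 ocredit=-3
# A negative credit means "at least N characters of that class are required";
# with every credit negative no class can shorten the minimum, so the password
# must also be at least minlen characters long. Dictionary, palindrome and
# difok checks done by the real module are not modelled here.
LC_ALL=C; export LC_ALL
MINLEN=12; MIN_DIGIT=3; MIN_UPPER=2; MIN_LOWER=4; MIN_OTHER=3

# count_class PASSWORD SET -> number of characters of PASSWORD in the tr set SET
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# check_policy PASSWORD -> 0 if every rule is met, 1 otherwise; each violated
# rule is reported on stderr in the style of the BAD PASSWORD lines above
check_policy() {
    pw=$1
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    d=$(count_class "$pw" '0-9')
    u=$(count_class "$pw" 'A-Z')
    l=$(count_class "$pw" 'a-z')
    o=$((len - d - u - l))            # anything that is neither a digit nor a letter
    rc=0
    [ "$len" -ge "$MINLEN" ]  || { echo "BAD PASSWORD: is too short ($len < $MINLEN)" >&2; rc=1; }
    [ "$d" -ge "$MIN_DIGIT" ] || { echo "BAD PASSWORD: needs $MIN_DIGIT digits, has $d" >&2; rc=1; }
    [ "$u" -ge "$MIN_UPPER" ] || { echo "BAD PASSWORD: needs $MIN_UPPER uppercase letters, has $u" >&2; rc=1; }
    [ "$l" -ge "$MIN_LOWER" ] || { echo "BAD PASSWORD: needs $MIN_LOWER lowercase letters, has $l" >&2; rc=1; }
    [ "$o" -ge "$MIN_OTHER" ] || { echo "BAD PASSWORD: needs $MIN_OTHER other characters, has $o" >&2; rc=1; }
    return $rc
}

# Stand-alone use: sh policy.sh 'candidate password'  (exit status 0 = accepted)
if [ $# -gt 0 ]; then check_policy "$1"; fi
```

A password such as `Nov16Lab-Passw0rd` is 17 characters long with three digits and three uppercase letters, yet it is rejected because it carries only one "other" character against the required three; that is the effect of the negative ocredit, and it is the kind of rejection users will report as "my long password was refused".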
libpam-modules).

root@heimdall:~# apt-get install libpam-modules
[...]
man pam_mkhomedir)

root@heimdall:~# cat /etc/pam.d/common-session | grep session
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
root@heimdall:~# groupadd jonas.quinn
root@heimdall:~# useradd -d /home/jonas.quinn -g jonas.quinn -s /bin/bash jonas.quinn
root@heimdall:~# ls -l /home
total 8
drwxr-xr-x 3 nrush   nrush   4096 Nov 16 21:53 nrush
drwxr-xr-x 3 student student 4096 Oct 18 19:15 student
root@heimdall:~# su - jonas.quinn
Creating directory '/home/jonas.quinn'.
jonas.quinn@heimdall:~$ pwd
/home/jonas.quinn
jonas.quinn@heimdall:~$ logout
root@heimdall:~# ls -l /home
total 12
drwxr-xr-x 2 jonas.quinn jonas.quinn 4096 Nov 16 22:13 jonas.quinn
drwxr-xr-x 3 nrush       nrush       4096 Nov 16 21:53 nrush
drwxr-xr-x 3 student     student     4096 Oct 18 19:15 student
gpg --list-keys to list the current GPG keys of the student user. ~/.gnupg.

student@mjolnir:~$ gpg --list-keys
gpg: directory `/home/student/.gnupg' created
gpg: new configuration file `/home/student/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/student/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/student/.gnupg/pubring.gpg' created
gpg: /home/student/.gnupg/trustdb.gpg: trustdb created
Common GPG key operations:

gpg --gen-key
gpg --edit-key <user-id>
gpg --delete-keys <user-id>
gpg --delete-secret-keys <user-id>
gpg --delete-secret-and-public-keys <user-id>
gpg --list-keys
gpg --list-public-keys
gpg --list-secret-keys
gpg --export --armor --output my.pub <keyid>
gpg --export-secret-keys ...
gpg --import my.pub
gpg --encrypt -r "Gogu <gogu@gogu.com>" --output info.dat.enc info.dat
gpg --encrypt -r "Gogu <gogu@gogu.com>" --armor --output info-armor.dat.enc info.dat
gpg --decrypt -r "Gogu <gogu@gogu.com>" --output info.dat.dec info.dat.enc
gpg --sign -r "Gogu <gogu@gogu.com>" info.dat
gpg --sign --armor -r "Gogu <gogu@gogu.com>" info.dat
gpg --verify -r "Gogu <gogu@gogu.com>" info.dat.gpg
gpg --verify -r "Gogu <gogu@gogu.com>" info.dat.asc

Note that -r names an encryption recipient: for --decrypt, --sign and --verify it is ignored (gpg warns about it when signing, as in the transcript further down), and the key used for signing is chosen with -u/--local-user <user-id>.
laurentiu and mihai.

root@mjolnir:~# groupadd laurentiu
root@mjolnir:~# useradd -d /home/laurentiu -m -g laurentiu -s /bin/bash laurentiu
root@mjolnir:~# echo "laurentiu:gsr" | chpasswd
root@mjolnir:~# groupadd mihai
root@mjolnir:~# useradd -d /home/mihai -m -g mihai -s /bin/bash mihai
root@mjolnir:~# echo "mihai:gsr" | chpasswd
laurentiu:
--gen-key) with the default options (2048 bits, the key does not expire, a name/e-mail of your choice, a passphrase of your choice). (Hint: gpg --gen-key)

laurentiu@mjolnir:~$ gpg --gen-key
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/home/laurentiu/.gnupg' created
gpg: new configuration file `/home/laurentiu/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/laurentiu/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/laurentiu/.gnupg/secring.gpg' created
gpg: keyring `/home/laurentiu/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Laurentiu
Email address: laurentiu@gsr.cs.pub.ro
Comment:
You selected this USER-ID:
    "Laurentiu <laurentiu@gsr.cs.pub.ro>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 59 more bytes)
+++++
....+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.......+++++
....+++++
gpg: /home/laurentiu/.gnupg/trustdb.gpg: trustdb created
gpg: key 6F2EB1B5 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/6F2EB1B5 2011-11-16
      Key fingerprint = E465 241F FBE9 36A2 4E8E 4E0D E73F 2C5A 6F2E B1B5
uid                  Laurentiu <laurentiu@gsr.cs.pub.ro>
sub   2048R/2DFDA0A8 2011-11-16
gpg --list-keys)

laurentiu@mjolnir:~$ gpg --list-keys
/home/laurentiu/.gnupg/pubring.gpg
----------------------------------
pub   2048R/6F2EB1B5 2011-11-16
uid                  Laurentiu <laurentiu@gsr.cs.pub.ro>
sub   2048R/2DFDA0A8 2011-11-16
laur.pub. (Hint: gpg --export)

laurentiu@mjolnir:~$ gpg --export --armor --output laur.pub 6F2EB1B5
laurentiu@mjolnir:~$ ls -l
total 4
-rw-r--r-- 1 laurentiu laurentiu 1723 Nov 16 22:21 laur.pub
mihai:
laur.pub from the home directory of user laurentiu into your own home directory.

mihai@mjolnir:~$ cp /home/laurentiu/laur.pub .
laurentiu.

mihai@mjolnir:~$ gpg --import laur.pub
gpg: directory `/home/mihai/.gnupg' created
gpg: new configuration file `/home/mihai/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/mihai/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/mihai/.gnupg/secring.gpg' created
gpg: keyring `/home/mihai/.gnupg/pubring.gpg' created
gpg: /home/mihai/.gnupg/trustdb.gpg: trustdb created
gpg: key 6F2EB1B5: public key "Laurentiu <laurentiu@gsr.cs.pub.ro>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
mihai.

mihai@merlin:~$ gpg --list-keys
mihai@mjolnir:~$ gpg --list-keys
/home/mihai/.gnupg/pubring.gpg
------------------------------
pub   2048R/6F2EB1B5 2011-11-16
uid                  Laurentiu <laurentiu@gsr.cs.pub.ro>
sub   2048R/2DFDA0A8 2011-11-16
dd to generate the file gpg-test.dat with a size of 1KB. Use /dev/urandom as input.

mihai@mjolnir:~$ dd if=/dev/urandom of=gpg-test.dat bs=1K count=1
1+0 records in
1+0 records out
1024 bytes (1.0 kB) copied, 0.000195263 s, 5.2 MB/s
gpg-test.dat into the output file gpg-test.enc. Use the key/UID of user laurentiu.

mihai@mjolnir:~$ gpg --encrypt -r "Laurentiu <laurentiu@gsr.cs.pub.ro>" --output gpg-test.enc gpg-test.dat
gpg: 2DFDA0A8: There is no assurance this key belongs to the named user

pub  2048R/2DFDA0A8 2011-11-16 Laurentiu <laurentiu@gsr.cs.pub.ro>
 Primary key fingerprint: E465 241F FBE9 36A2 4E8E 4E0D E73F 2C5A 6F2E B1B5
      Subkey fingerprint: FFF4 0D0A 97E8 46D6 7625 AC3F 4EEA 38B4 2DFD A0A8

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
mihai@mjolnir:~$ ls -l
total 12
-rw-r--r-- 1 mihai mihai 1024 Nov 16 22:25 gpg-test.dat
-rw-r--r-- 1 mihai mihai 1373 Nov 16 22:25 gpg-test.enc
-rw-r--r-- 1 mihai mihai 1723 Nov 16 22:23 laur.pub
gpg-test-armor.enc. Use the key/UID of user laurentiu.

mihai@mjolnir:~$ gpg --encrypt -r "Laurentiu <laurentiu@gsr.cs.pub.ro>" --armor --output gpg-test-armor.enc gpg-test.dat
gpg: 2DFDA0A8: There is no assurance this key belongs to the named user

pub  2048R/2DFDA0A8 2011-11-16 Laurentiu <laurentiu@gsr.cs.pub.ro>
 Primary key fingerprint: E465 241F FBE9 36A2 4E8E 4E0D E73F 2C5A 6F2E B1B5
      Subkey fingerprint: FFF4 0D0A 97E8 46D6 7625 AC3F 4EEA 38B4 2DFD A0A8

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
mihai@mjolnir:~$ ls -l
total 16
-rw-r--r-- 1 mihai mihai 1957 Nov 16 22:26 gpg-test-armor.enc
-rw-r--r-- 1 mihai mihai 1024 Nov 16 22:25 gpg-test.dat
-rw-r--r-- 1 mihai mihai 1373 Nov 16 22:25 gpg-test.enc
-rw-r--r-- 1 mihai mihai 1723 Nov 16 22:23 laur.pub
laurentiu:
gpg-test.dat, gpg-test.enc and gpg-test-armor.enc from the home directory of user mihai.

laurentiu@mjolnir:~$ cp /home/mihai/gpg-test* .
gpg-test.enc into the output file gpg-test.dec using the key/UID you created. Compare (using diff or cmp) the files gpg-test.dec and gpg-test.dat.

laurentiu@mjolnir:~$ gpg --decrypt -r "Laurentiu <laurentiu@gsr.cs.pub.ro>" --output gpg-test.dec gpg-test.enc

You need a passphrase to unlock the secret key for
user: "Laurentiu <laurentiu@gsr.cs.pub.ro>"
2048-bit RSA key, ID 2DFDA0A8, created 2011-11-16 (main key ID 6F2EB1B5)

gpg: encrypted with 2048-bit RSA key, ID 2DFDA0A8, created 2011-11-16
      "Laurentiu <laurentiu@gsr.cs.pub.ro>"
laurentiu@mjolnir:~$ ls -l
total 20
-rw-r--r-- 1 laurentiu laurentiu 1957 Nov 16 22:27 gpg-test-armor.enc
-rw-r--r-- 1 laurentiu laurentiu 1024 Nov 16 22:27 gpg-test.dat
-rw-r--r-- 1 laurentiu laurentiu 1024 Nov 16 22:28 gpg-test.dec
-rw-r--r-- 1 laurentiu laurentiu 1373 Nov 16 22:27 gpg-test.enc
-rw-r--r-- 1 laurentiu laurentiu 1723 Nov 16 22:21 laur.pub
laurentiu@mjolnir:~$ diff gpg-test.dat gpg-test.dec
laurentiu@mjolnir:~$ cmp gpg-test.dat gpg-test.dec
gpg-test-armor.enc with the output in the file gpg-test-armor.dec.

laurentiu@mjolnir:~$ gpg --decrypt -r "Laurentiu <laurentiu@gsr.cs.pub.ro>" --armor --output gpg-test-armor.dec gpg-test-armor.enc

You need a passphrase to unlock the secret key for
user: "Laurentiu <laurentiu@gsr.cs.pub.ro>"
2048-bit RSA key, ID 2DFDA0A8, created 2011-11-16 (main key ID 6F2EB1B5)

gpg: encrypted with 2048-bit RSA key, ID 2DFDA0A8, created 2011-11-16
      "Laurentiu <laurentiu@gsr.cs.pub.ro>"
laurentiu@mjolnir:~$ ls -l
total 24
-rw-r--r-- 1 laurentiu laurentiu 1024 Nov 16 22:30 gpg-test-armor.dec
-rw-r--r-- 1 laurentiu laurentiu 1957 Nov 16 22:27 gpg-test-armor.enc
-rw-r--r-- 1 laurentiu laurentiu 1024 Nov 16 22:27 gpg-test.dat
-rw-r--r-- 1 laurentiu laurentiu 1024 Nov 16 22:28 gpg-test.dec
-rw-r--r-- 1 laurentiu laurentiu 1373 Nov 16 22:27 gpg-test.enc
-rw-r--r-- 1 laurentiu laurentiu 1723 Nov 16 22:21 laur.pub
laurentiu@mjolnir:~$ diff gpg-test-armor.dec gpg-test.dat
laurentiu@mjolnir:~$ cmp gpg-test-armor.dec gpg-test.dat
gpg-test.dat in armor format using the key/UID you created. The output file will be gpg-test.dat.asc.

laurentiu@mjolnir:~$ gpg --sign -r "Laurentiu <laurentiu@gsr.cs.pub.ro>" --armor --output gpg-test.dat.asc gpg-test.dat
gpg: WARNING: recipients (-r) given without using public key encryption

You need a passphrase to unlock the secret key for
user: "Laurentiu <laurentiu@gsr.cs.pub.ro>"
2048-bit RSA key, ID 6F2EB1B5, created 2011-11-16

laurentiu@merlin:~$ ls -l
total 28
-rw-r--r-- 1 laurentiu laurentiu 1024 Nov 17 22:19 gpg-test-armor.dec
-rw-r--r-- 1 laurentiu laurentiu 1957 Nov 17 22:15 gpg-test-armor.enc
-rw-r--r-- 1 laurentiu laurentiu 1024 Nov 17 22:15 gpg-test.dat
-rw-r--r-- 1 laurentiu laurentiu 1933 Nov 17 22:23 gpg-test.dat.asc
-rw-r--r-- 1 laurentiu laurentiu 1024 Nov 17 22:17 gpg-test.dec
-rw-r--r-- 1 laurentiu laurentiu 1373 Nov 17 22:15 gpg-test.enc
-rw-r--r-- 1 laurentiu laurentiu 1719 Nov 17 21:58 laur.pub
mihai:
gpg-test.dat.asc from the home directory of user laurentiu.

mihai@mjolnir:~$ cp /home/laurentiu/gpg-test.dat.asc .

mihai@mjolnir:~$ gpg --verify -r "Laurentiu <laurentiu@gsr.cs.pub.ro>" --armor gpg-test.dat.asc
gpg: Signature made Wed 16 Nov 2011 10:31:09 PM EET using RSA key ID 6F2EB1B5
gpg: Good signature from "Laurentiu <laurentiu@gsr.cs.pub.ro>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: E465 241F FBE9 36A2 4E8E 4E0D E73F 2C5A 6F2E B1B5
fail2ban.

root@heimdall:~# apt-get install fail2ban
[...]
/etc/fail2ban/jail.conf, bantime

root@heimdall:~# cat /etc/fail2ban/jail.conf
[...]
[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 3
bantime  = 1200
[...]
root@heimdall:~# /etc/init.d/fail2ban restart
Restarting authentication failure monitor: fail2ban.
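The [ssh] jail above bans a source address once the sshd filter has matched maxretry failures for it in /var/log/auth.log. The following is an added example (not the lab's code, and not fail2ban's own filter, which matches more message variants than this) that applies that counting rule to a few constructed auth.log lines, so that the addresses fail2ban would ban can be listed before any iptables rule is touched. Host names, addresses, PIDs and timestamps in the sample lines are made up.

```shell
#!/bin/sh
# Added example, not code from the lab page: the maxretry counting rule of the
# [ssh] jail applied to constructed auth.log lines.
LC_ALL=C; export LC_ALL

# sample_auth_log : constructed sshd lines in the /var/log/auth.log format
sample_auth_log() {
    cat <<'EOF'
Nov 16 21:40:01 heimdall sshd[2210]: Failed password for nrush from 192.168.48.130 port 51022 ssh2
Nov 16 21:40:05 heimdall sshd[2210]: Failed password for nrush from 192.168.48.130 port 51022 ssh2
Nov 16 21:40:09 heimdall sshd[2212]: Failed password for invalid user admin from 192.168.48.130 port 51030 ssh2
Nov 16 21:41:00 heimdall sshd[2215]: Failed password for student from 192.168.48.131 port 40112 ssh2
Nov 16 21:41:30 heimdall sshd[2220]: Accepted password for student from 192.168.48.131 port 40113 ssh2
EOF
}

# ban_candidates [MAXRETRY] : read auth.log lines on stdin and print, one per line,
# every source address with at least MAXRETRY (default 3) failed sshd logins
ban_candidates() {
    awk -v max="${1:-3}" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field following "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' | sort
}

# Stand-alone use: sample_auth_log | ban_candidates 3   -> 192.168.48.130
if [ "${1:-}" = run ]; then sample_auth_log | ban_candidates 3; fi
```

With maxretry = 3 only 192.168.48.130 is reported; the single failure from 192.168.48.131 stays under the threshold. A real jail counts failures inside its findtime window and inserts a DROP rule for the address in the fail2ban-ssh chain for bantime seconds, which is exactly what the iptables -L output below shows after the three failed logins; listing the administrator's own host in ignoreip in jail.conf avoids locking it out the same way.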
root@heimdall:~# cat /etc/ssh/sshd_config | grep PasswordAuthentication | head -n 1
PasswordAuthentication yes
root@heimdall:~# cat /etc/ssh/sshd_config | grep AllowUsers
root@heimdall:~# /etc/init.d/ssh restart
Restarting OpenBSD Secure Shell server: sshd.
student@mjolnir:~$ ssh nrush@heimdall.local
nrush@heimdall.local's password:
Permission denied, please try again.
nrush@heimdall.local's password:
Permission denied, please try again.
nrush@heimdall.local's password:
Permission denied (publickey,password).
student@mjolnir:~$ ssh nrush@heimdall.local -vvv
OpenSSH_5.9p1 Debian-1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to heimdall.local [192.168.48.128] port 22.
iptables rules in place at this point. Hint: iptables -L.

root@heimdall:~# iptables -L
Chain INPUT (policy ACCEPT)
target       prot opt source               destination
fail2ban-ssh tcp  --  anywhere             anywhere            multiport dports ssh

Chain FORWARD (policy ACCEPT)
target       prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target       prot opt source               destination

Chain fail2ban-ssh (1 references)
target       prot opt source               destination
DROP         all  --  mjolnir.local        anywhere
RETURN       all  --  anywhere             anywhere
iptables -D fail2ban-ssh 1
root@heimdall:~# iptables -D fail2ban-ssh 1
student@mjolnir:~$ ssh nrush@heimdall.local
nrush@heimdall.local's password:
Linux heimdall 3.0.0-1-686-pae #1 SMP Sat Aug 27 16:41:03 UTC 2011 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Nov 16 21:40:02 2011 from mjolnir.local