I’ve put together a quick video to show how to setup winscp so that you can log into a Linux server and change to the root user. This is the GUI equivelent of doing a ‘sudo -s’, ‘sudo su -’, or ‘su -’ as a wheel user if you’ve setup your SSHD service to deny direct root log ins by setting ‘PermitRootLogin’ to ‘no’. Every so often I will have a developer ask for escalated privileges through a GUI and this is a nice alternative in lieu of cheaply enabling root access.
While the WinSCP documentation does explains how to do this I’m hoping the video will help make setting this up a little bit easier.
One of my favorite and most often used services is openSSH. While openSSH is generally known as being secure it never hurts to tweak a few extra settings.
Here are a few changes I generally do to help ensure openSSH is in tip top shape.
- Use a strong password. My preference is to use randomly generated passwords of 20 plus alphanumeric characters with their own special blend of special characters. That should thwart most password crackers.
- Change the port sshd listens on. Using port 22 hangs a sign out on your server saying I use sshd. While changing the port won’t stop anyone from figuring out you are running the service it will make them work harder. You can do this by changing the following in /etc/ssh/sshd_config:
- Get rid of root logins. There is absolutely no reason to log in as root when you can use ‘sudo’ or ‘su’ to elevate a wheel user to root privileges. To set this change the following line in /etc/ssh/sshd_config:
- Disable the antiquated Protocol 1 by changing to the Protocol line in /etc/ssh/sshd_config from ‘Protocol 1,2′ to the following:
- Another option would be to block lame dictionary attacks with denyhosts or ConfigServer Firewall/Login Failure Dameon. ConfigServer firewall has the added benefit of adding a friendly interface to help managing IPtables. Blocking login failures can sometimes be overkill if you are already have other restrictions in place like using keys only or using the AllowUsers directive in your /etc/ssh/sshd_config
- If you prefer to use keys instead of password the following changes to /etc/ssh/sshd_config are a good start in tightening things up. If you are going to have any accounts that use password authentication you’ll be locked out of the server making these changes. So only do so if you are using keys to log in:
- If you prefer to leave password authentication on then the AllowUser directive is for you. Below are a few examples this directive in play.
If anyone has further suggestions on securing openSSH please let me know.
Later I plan on doing posts on creating and using ssh keys, setting up DenyHosts, and setting up ConfigServer Firewall in future.
Having intermittent problems hitting your favorite UNC path over openvpn? Does your Domain Controller turn it’s back on you randomly over the tunnel asking for authentication as if it no longer knows who you are?
If you have been plagued by any of the above anomalies you are not alone! Unfortunately hair loss products, Viagra, those vitamins you bought from GNC, or any other magical elixir of some unknown origin will not help.
You may even find yourself going down the same foolhardy path as yours truly. Thinking that editing %SystemRoot%\System32\Drivers\etc\hosts with the FQDN and NetBIOS names of all your favorite hosts will suffice only to be greeted with the grotesqueness of an authentication prompt repeatedly prompting you for information it should already know until you become mad. Finding yourself breaking out those emergency cyanide pills and washing them down with a flask of hemlock.
Wait friend! No need for such drastic measures yet. Simply edit your servers config file to include the following:
push "dhcp-option DNS ip.of.dc"
Make sure your client config allows pushing by having the following cleverly named setting of:
Now once you’ve restarted your server and client you should see your DC IP set as the default name server when typing ‘nslookup’ at the command line.
Yes a simply fix but still worthy enough to stop any self mutilation.
This tutorial will show you how to do a password audit on your Samba PDC on FreeBSD in the copy-paste howto style.This tutorial will also go into how to use john the ripper to accomplish this task.
We will start off by dumping our hashes into a file. This is done w/ the following command as root: on the command line
pdbedit -L -w > dump.txt
Using John the Ripper
- Lets first start by getting back at the command-line and start downloading jtr from http://openwall.com.
- Next we will need the NTLM patch.
- Let’s extract our files.
tar zxvf john-1.7.2.tar.gz
- Now lets patch our source code w/ the NTLM diff file we downloaded.
patch < ../../john-ntlm-v03.diff
- With the source code now patched all that is left is to build the binary. typing “make” in the src directory will give you a very thorough list of supported architecures that jtr can be built on. I’m building mine on a FreeBSD box.
- We are now ready to start cracking on our hash dump. Let’s move the dump file to the “run” directory and get started on cracking those week passwords. The default word list that comes with jtr will work just fine for the demonstartion. I’ll include links at the end of the howto for other wordlist resources and related software.change to run directory. this is were the binary is at.
cd ../run/ && mv ../../dump.txt .Let’s make our dump file look more like a pwdump.exe file.
cat dump.txt | sed -e '/[X]/d' -e 's/\[.*/::/'>>pwdump.txt
run jtr w/ the simple ruleset
./john -f:NT -si pwdump.txt
run jtr w/ rules and dictionary
./john -f:NT -w:theGiant.dic --rules pwdump.txt
run jtr w/ incremental all. break for coffee, dinner, & a movie.
./john -f:NT -in:all pwdump.txt
That’s all. Hope this is useful.