Passwords

Passwords are a vital factor for the overall security of a network and a node. Even if a proper password policy is enforced, it might not hurt to check password security from time to time. In theory this sounds easy, but in practice, the hashing function used by the operating system to store passwords needs to be circumvented. For example, the /etc/shadow file on a Linux system only contains a cryptic string instead of the real password:

root:$1$TGNtCKj0$kb9Cdbi1QCIb5N.azq35V0:13386:0:::::

A hash function is used to store passwords. This function is irreversible. Every time the user enters a password, the hash will be calculated again and compared against the stored hash value. This makes it quite difficult to check the stored passwords. The only way to reveal the stored passwords is to perform a brute-force attack against them.
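The cryptic string in the /etc/shadow entry above is structured: it names the hash scheme and the salt next to the hash itself. The following added example (not part of the original text) parses such an entry and flags storage formats worth reviewing before any strength check. The scheme ids follow crypt(5); the function name and the review policy are assumptions of this example.

```python
from datetime import date, timedelta

# Scheme ids as documented in crypt(5); the review flag is this example's own policy.
SCHEMES = {"1": ("md5crypt", True), "2a": ("bcrypt", False), "2b": ("bcrypt", False),
           "2y": ("bcrypt", False), "5": ("sha256crypt", False),
           "6": ("sha512crypt", False), "y": ("yescrypt", False)}

def audit_shadow_line(line):
    """Parse one /etc/shadow entry and report how the password is stored."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    user, pw, lastchg = fields[:3]
    report = {"user": user, "scheme": None, "salt": None,
              "locked": False, "needs_review": False, "last_change": None}
    if lastchg.isdigit():
        # Field 3 is the last password change in days since 1970-01-01.
        report["last_change"] = (date(1970, 1, 1) + timedelta(days=int(lastchg))).isoformat()
    if pw == "":
        # Empty field: the account can log in without any password.
        report.update(scheme="empty", needs_review=True)
        return report
    if pw[0] in "!*":
        # Leading '!' or '*' means password login is disabled for this account.
        report["locked"] = True
        pw = pw.lstrip("!*")
        if not pw:
            report["scheme"] = "none"
            return report
    if not pw.startswith("$"):
        # No $id$ prefix: traditional DES crypt or another legacy format.
        report.update(scheme="legacy", needs_review=True)
        return report
    parts = pw.split("$")  # ['', id, salt or parameters, ..., hash]
    name, review = SCHEMES.get(parts[1], ("unknown", True))
    report.update(scheme=name, needs_review=review)
    if parts[1] in ("1", "5", "6") and len(parts) >= 4:
        # sha256crypt/sha512crypt may carry an optional rounds=N field before the salt.
        has_rounds = parts[2].startswith("rounds=") and len(parts) >= 5
        report["salt"] = parts[3] if has_rounds else parts[2]
    return report

if __name__ == "__main__":
    # The entry printed on this page, followed by constructed sample entries.
    for entry in ("root:$1$TGNtCKj0$kb9Cdbi1QCIb5N.azq35V0:13386:0:::::",
                  "svc:!$6$rounds=5000$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::",
                  "guest::19000:0:99999:7:::"):
        print(audit_shadow_line(entry))
```

For the root entry shown above, the report identifies the scheme as md5crypt with salt TGNtCKj0 and marks it for review.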

To check the strength of the passwords in /etc/shadow, you can use some specialized tools like John the Ripper. Those tools generate a password hash for each word in a dictionary and try to match it against the values stored in the system's password file. They also collect available information about the user from the /etc/passwd file (comments and so on) and use that in the password combination.

| File | Value | Action |
|------|-------|--------|
| sys/net/ipv4/icmp_echo_ignore_all | 0/1 | Ignore all ICMP echo requests destined for a system. Actually doesn't increase security, but may hide a system from certain scanning attempts. Also prevents Internet connectivity tests. |
| sys/net/ipv4/icmp_echo_ignore_broadcasts | 0/1 | Ignore ICMP echo requests destined for multicast and broadcast addresses. It's generally a good idea to ignore them to prevent a system from participating in a DDoS attack. |
| sys/net/ipv4/conf/*/accept_source_route | 0/1 | Accepts source route option in IP packets. Not accepting them is generally not a good idea. |
| sys/net/ipv4/conf/*/rp_filter | 0/1 | If rp_filter is enabled, answers to packets need to get sent over the same interface as the one on which the origin packet arrived. This is useful on multihomed hosts to prevent IP spoofing. |
| sys/net/ipv4/conf/*/accept_redirects | 0/1 | Accepts ICMP redirects. In general, disabling this feature is a good idea. Properly managed networks shouldn't need ICMP redirects. |
| sys/net/ipv4/ip_forward | 0/1 | Enable forwarding of IP packets between network interfaces. In general, only machines acting as a router or firewall should have this feature enabled. |
| sys/net/ipv4/tcp_syncookies | 0/1 | Prevent SYN flood DoS attacks through the SYN cookie mechanism. |

Table A-3 Important /proc Settings
