Linux: How to Enable Password Aging in Linux

It’s a good security practice to enforce password aging. This helps to prevent unauthorized system access using your credentials. Bad actors can obtain your credentials from a data dump from a previous attack on your network, or from another website or service you may have used. It’s important to note that you should never use common passwords and you should adopt the discipline of using a password management tool.

The login.defs file

The file located at /etc/login.defs defines the default configuration for various account properties on your Linux system. Multiple user management commands such as “useradd” and others read defaults from this file.

For this example, we will add a few options to our login.defs file, which will enforce password aging.

Open your favorite editor (like vi) and drop the following lines at the bottom of the file:

PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 7

The PASS_MAX_DAYS option sets the maximum lifetime of a password to 90 days; after 90 days the password must be changed. The second line, PASS_MIN_DAYS, sets the minimum number of days that must pass before a user can change the password again. The third, PASS_WARN_AGE, sets how many days before expiry the user is warned.

Please note, changing the login.defs file only impacts new user creation. To change existing users, use the chage command as outlined in How to Check (and change) User Password Expiration.

Linux: How to Check (and change) User Password Expiration

If you use the password expiration built in to Linux, you may have an account that is locked out (its password has expired) or about to be locked out. How would you check whether a given user account is in that state?

To do this, use the chage command. This command can display information about when the password will expire as well as change the expiry time.

Checking the Expiry Information

To check the expiry information, use the chage command like this:

# chage -l username
Last password change : Aug 31, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

The output of chage shows us the last password change, when the password will expire and more.

Changing the Expiry Time

If you would like to set the expiry time of a given user’s password to “never”, use the following command:

# chage -M -1 username

To set a specific maximum number of days before the password must be changed, use the following command:

# chage -M 90 username

For more information about configuring password aging for all users, see How to Enable Password Aging in Linux.
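Since login.defs only affects accounts created after the change, the existing accounts still need checking. The following script is an added example (not part of either article above): it audits /etc/shadow-style records against the PASS_MAX_DAYS / PASS_MIN_DAYS / PASS_WARN_AGE policy from the first article and prints the chage commands from the second that would fix each finding. The sample records are constructed, not taken from a real system.

```shell
#!/bin/sh
# Audit accounts against the password-aging policy (added example).
# /etc/shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
POLICY_MAX_DAYS=90
POLICY_MIN_DAYS=7
POLICY_WARN_AGE=7

# Constructed sample records (not from any real system). Accounts whose hash
# field is "*" or starts with "!" cannot log in with a password and are
# skipped; bob has an empty max-age field, which chage reports as "never".
SAMPLE_SHADOW='root:$6$fakehash:17409:0:99999:7:::
alice:$6$fakehash:17409:7:90:7:::
bob:$6$fakehash:17409:0::7:::
daemon:*:17409:0:99999:7:::
carol:!$6$fakehash:17409:0:99999:7:::'

# audit_shadow: read shadow records on stdin and print "user max-age" for
# every password-enabled account whose max age is unset or above the policy.
audit_shadow() {
    awk -F: -v limit="$POLICY_MAX_DAYS" '
        $2 == "*" || $2 ~ /^!/ { next }
        $5 == "" || $5 + 0 > limit { print $1, ($5 == "" ? "never" : $5) }
    '
}

# remediation_commands: turn audit findings (stdin = shadow records) into the
# chage invocations that bring each account in line with the policy.
remediation_commands() {
    audit_shadow | while read -r user _; do
        printf 'chage -M %s -m %s -W %s %s\n' \
            "$POLICY_MAX_DAYS" "$POLICY_MIN_DAYS" "$POLICY_WARN_AGE" "$user"
    done
}

# count_violations: number of non-compliant accounts in the sample data.
count_violations() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | wc -l | tr -d ' '
}

# Run against the sample. On a live host (as root): audit_shadow < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | remediation_commands
```

The script only prints the chage commands; review them before running, since lowering a max age can immediately expire passwords that are already older than the new limit.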

Deploying a Low Latency Kernel with Ubuntu Server 16.04 LTS

Overview

In this brief article I will discuss deploying a low latency kernel for Ubuntu Server 16.04 LTS. This kernel changes the timer frequency from the default 250Hz to 1000Hz. It is also called the “soft real-time kernel” and is forked (and regularly updated) from the generic kernel source tree. It can be useful for applications that require very low latency response, such as Asterisk. In this document, I will also describe how to set the lowlatency kernel as the primary kernel and make sure that choice survives updates and reboots. It’s also important to note that this kernel is generally updated days after the generic stock kernel. There’s no need to custom-compile a kernel to achieve a higher timer frequency, and this approach also ensures future kernel updates are quick and painless.

Update the APT Cache

We’re starting with a fresh system, so we should first update the APT cache for good measure.

# sudo apt-get update


Install the “linux-lowlatency” package

Use APT to install the “linux-lowlatency” package.

# sudo apt-get install linux-lowlatency


Obtain the “ubuntustudio-default-settings” package from the repository – STEP 1


First, let’s visit https://packages.ubuntu.com/. This step is a little less obvious. The package “ubuntustudio-default-settings” contains a file named “09_lowlatency”. This file is a GRUB configuration script we can use to ensure our lowlatency kernel is booted first and stays that way.


Obtain the “ubuntustudio-default-settings” package from the repository – STEP 2


Search for “ubuntustudio-default-settings” in the search field. Make sure to select “Source package names” and your distribution. Then press “Search”.


Obtain the “ubuntustudio-default-settings” package from the repository – STEP 3


Click on the link named “ubuntustudio-default-settings” to the right of “Binary packages”.


Download the compressed file to your Ubuntu server

We will now download the compressed source archive to our local system. Note that this fetches the archive over plain HTTP, so verify it against the checksums published for the package (the source package’s .dsc file lists them) before extracting.

# cd /usr/src/; sudo wget -q http://archive.ubuntu.com/ubuntu/pool/universe/u/ubuntustudio-default-settings/ubuntustudio-default-settings_0.61.tar.xz


Extract files in the downloaded package

Extract the downloaded “ubuntustudio-default-settings” archive.

# sudo tar xvf ubuntustudio-default-settings_0.61.tar.xz


Move the 09_lowlatency GRUB configuration into /etc/grub.d

We will now copy the 09_lowlatency GRUB configuration into /etc/grub.d. This file contains the configuration that ensures the lowlatency kernel package will boot first every time and survive upgrades.

# sudo cp ubuntustudio-default-settings-0.61/etc/grub.d/09_lowlatency /etc/grub.d/


Update GRUB configurations

In this step, we regenerate the GRUB configuration so that grub.cfg and related files are consistent after installation of the additional lowlatency configuration.

# sudo update-grub


Reboot the system

Reboot the system and check that the new lowlatency kernel is now running.

# uname -r
4.4.0-92-lowlatency

Resurrecting the tech blog!

It’s been over six years since my last technical blog post on “adamstechblog.com”. Time has really flown. Stay tuned for more!

Uninstall McAfee Total Protection from Windows Home Server (WHS)

This is a quick article showing how to uninstall McAfee Total Protection from Windows Home Server (WHS). The instructions were not readily available on McAfee’s website, as they have removed the KB article “KB64958” from their site.

Here is a link to the uninstaller in case the one mentioned below is not working.

Corporate KnowledgeBase

Additional information for removing Total Protection Service from Windows Home Server

Corporate KnowledgeBase ID:
KB65958

Published:
June 26, 2009

Environment

Microsoft Windows Home Server
Microsoft Windows Home Server OEM implementations
Acer Aspire easyStore
HP home Media Server

Solution

CAUTION: This article contains information about opening or modifying the registry.

  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986
  • Do not run a .REG file that is not confirmed to be a genuine registry import file.

If you have to remove Total Protection Service from a Windows Home Server (WHS), it is necessary to remove several registry keys that are removed if you use the following:

  • Add/remove programs
    IMPORTANT: Do not use Add/remove programs to remove Total Protection from WHS. See also KB66148 on severe potential issues.
  • mvsuninst.exe

To manually uninstall Total Protection from WHS:

  1. Download MVSUninst.exe from http://vs.mcafeeasap.com/MC/enu/vs45/bin/mvsuninst.exe
  2. Run mvsuninst.exe
  3. Restart your computer.
  4. Click start, run, type regedit and press ENTER.
  5. Locate and right-click the following registry key, select Delete and click Yes:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Home Server\KnownAdditions\TopWHSaddin.msi.-8589896854554775808]
  6. Repeat the previous step for the following:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Home Server\RegisteredAdditions\{cfcd4bf6-203d-4213-bab4-3c140954287b}]
  7. Restart your computer.
    You are now ready to reinstall the product via the Windows Home Server console Settings screen.

One-Line ncFTP Client Install

ncftp is a client suite that provides a command-line interface to the commonly used File Transfer Protocol (FTP).

To install it in one line, simply run the command below, substituting the most current version for 3.2.3.

cd ~ && wget ftp://ftp.ncftp.com/ncftp/ncftp-3.2.3-src.tar.gz && \
tar zxvf ncftp-3.2.3-src.tar.gz && cd ncftp-3.2.3 && \
./configure && make && make install && cd ~ && \
rm -rf ncftp-3.2.3-src.tar.gz ncftp-3.2.3

Resize /tmp partition on cPanel

It’s quite common for a cPanel server to need a larger /tmp partition.

cPanel, by default, creates a loopback device that mounts to /tmp. The default size is only 512MB. This is quite small, especially for shared systems.

Reasons /tmp might become full:

  • MySQL operation or Repair requiring temporary space. Keep in mind the /tmp partition must be big enough to support the largest table size on your system. (8GB table would require 8+GB /tmp space)
  • PHP sessions consuming space in /tmp
  • Rogue scripts living in /tmp

To resize follow these steps:

** Note that this will stop MySQL and will cause a service interruption. These commands will resize /tmp to 2GB. If you wish to resize to a greater or smaller size, simply change 2048000 to your desired size, in the same units the script uses (512000 corresponds to the default 512MB).

/etc/init.d/chkservd stop
/etc/init.d/mysql stop
umount /var/tmp
umount /tmp
sed -i -e 's/512000/2048000/g' /scripts/securetmp
rm /usr/tmpDSK
/scripts/securetmp --auto
cd /tmp
ln -s /var/lib/mysql/mysql.sock
/etc/init.d/mysql start
/etc/init.d/chkservd start

If you receive errors stating that /tmp could not be unmounted, simply run the following command to identify the PID (Process ID) still using /tmp:

lsof /tmp

Next, kill all processes using /tmp with “kill -9 <pid>”.

Virtualize Your Way to a Greener Tomorrow

Having worked in data centers for the last four years of my life, I know that most servers are grossly underutilized. We burn power to keep servers online that are, on average, only five to twenty percent utilized.

Economics, the way they are today, constantly challenge us and push us to find new and creative ways to solve problems. Virtualization allows us to consolidate underutilized servers and “pools” resources so that systems can burst when they need to. Virtualization, in my opinion, is a very green initiative. In this article I will talk mainly about VMware-based virtualization technologies.


So what are the benefits of virtualizing your servers?

  • Instant ROI – Servers which were underutilized no longer consume power.
  • Ease of Management – Restart systems from a central management location
  • Dynamic Resource Scheduler (DRS) – VMware technology provides the capability to VMotion servers from one physical system to another when extra resources are needed. DRS even weighs the “cost” of moving the machine to another host machine.
  • Capacity Planner – VMware also has utilities to help you plan your virtual environment based on your site’s resource needs. Simply install a utility and let it run for about 30 days. Once the utility has gathered enough data, you will be presented with suggestions
  • High Availability (HA) – VMware offers highly-available services. All of your systems will now have the added benefit of HA at the virtualization layer

So, if Virtualization is so GREEN then what are the downsides?

  • Initial equipment cost is high
  • Use of fast centralized storage (SAN, NAS) is needed; very expensive
  • Systems must match architectures (AMD, Intel) to allow VMotion/HA
  • Systems must support Virtualization Technology (VT)

Conclusion

If you can afford the initial expense, virtualization will save you money in cooling, power and equipment maintenance costs in the long run. I believe virtualization is a great tool to help reduce datacenter costs. Please remember there are things that should not be virtualized: large database servers, exchange servers and some application servers may be too disk intensive for your environment’s abilities. Consider keeping these systems as physical servers.

VPS (Parallels) or VM (VMware ESX)

Ever heard someone use the term VM or VPS? About the only thing they have in common is the V in their name.

A VPS (commonly OpenVZ or Parallels Containers) is a Virtual Private Server and usually runs on what is referred to as a “host node” or the main hardware node. VPS systems allow you to dynamically adjust resources without a restart.

A VM (commonly VMware ESX) is a fully paravirtualized system in which all hardware is also virtualized. Many operating systems seem to work best on such systems, as the hardware is presented to them as regular physical hardware.

VMware Pro’s

  • Full Paravirtualization
  • Virtualizes at the hardware level – most compatible
  • Flexibility
  • Industry Standard
  • Can run Windows/Linux/Suse/Novell/OSX all on the same host

VMware Con’s

  • Cannot dynamically scale resources; VMs must be rebooted to apply new allocations
  • Slightly slower than software-level virtualization
  • Cost, expensive

Parallels Pro’s

  • OS-level virtualization
  • Fast provisioning
  • Dynamic resource allocation, no reboots
  • Tighter control of space and inode allocations
  • Burstable RAM settings

Parallels Con’s

  • Only Linux or Windows VPS systems may exist on a single hardware node
  • Price: although cheaper than VMware, still pricey. OpenVZ is a safe free version.

Conclusion

There are many different solutions to virtualizing or “chopping” up the resources for a single, large host system. Our winner was Parallels for their ease of installation, dynamic resource allocation and faster performance. Also keep in mind that if you are virtualizing systems make sure to have a good backup plan and spare parts or on-site warranty. One large host system may provide 20-50 virtual systems. An outage is now multiplied by the systems you have running on top of your hardware node.

See Why Postini Marked Your Message as SPAM

Ever wondered why Postini blocked your email? Luckily Postini provides their “Postini Message Analysis” tool to assist in tracking down pesky false positives.

Here’s how to run your message through their analysis tool:

Step One

Login to Google Postini’s web interface at https://login.postini.com/ and release your quarantined message.

Step Two

Open your message in your favorite email client. View your message headers and copy everything from the top down to (and including) the line starting with “X-pstn-addresses:”.

Step Three

Visit the Postini Message Analysis Tool page and paste in the content we copied in Step Two. Press “Analyze Message”

Step Four

Review your results and see why the message was counted as SPAM.

Another helpful page is Google’s description for what each custom header tag (added by Postini) represents. See this page for more information.
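Step Two is easy to get wrong by hand when headers are folded across several lines. The following script is an added example (not part of the original post or of Postini’s tooling): it cuts a raw message down to exactly the block the tool expects, from the first line through the “X-pstn-addresses:” line, with folded header values joined back onto one line. The sample message, including the X-pstn-* header names and values, is constructed for illustration.

```shell
#!/bin/sh
# Extract the header block for the Postini Message Analysis tool (added example).

# Constructed sample message; not a real capture. Two headers are folded
# (continuation lines begin with whitespace) to exercise the unfolding logic.
SAMPLE_MESSAGE='Received: from mail.example.test (mail.example.test [192.0.2.10])
    by mx.example.test with ESMTP id abc123
From: sender@example.test
To: recipient@example.test
Subject: quarterly report
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S:99.90000/99.90000 CV:99.9000 FC:95.5390 LC:95.5390
    R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 3 (1.0000:1.0000) s cv gt3 gt2 gt1 r p m c
X-pstn-addresses: from <sender@example.test> [db-null]

This is the body and must not be pasted into the tool.'

# postini_headers: read a raw message on stdin, print each header on one
# line, and stop after the X-pstn-addresses line (or at the start of the
# body if that header is missing).
postini_headers() {
    awk '
        /^[ \t]/ { buf = buf " " substr($0, 2); next }   # folded continuation
        { if (buf != "") print buf; buf = $0 }           # flush previous header
        tolower($0) ~ /^x-pstn-addresses:/ { print buf; buf = ""; exit }
        /^$/ { exit }                                    # blank line starts body
    '
}

# header_count: number of header lines produced for the sample message.
header_count() {
    printf '%s\n' "$SAMPLE_MESSAGE" | postini_headers | wc -l | tr -d ' '
}

# last_header: the final line handed to the tool (should be X-pstn-addresses).
last_header() {
    printf '%s\n' "$SAMPLE_MESSAGE" | postini_headers | tail -n 1
}

# Usage on a saved message: postini_headers < message.eml
printf '%s\n' "$SAMPLE_MESSAGE" | postini_headers
```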