Linux: How to Enable Password Aging in Linux

It's a good security practice to enforce password aging on local accounts. Aging limits how long a leaked password remains usable: attackers obtain credentials from data dumps taken in earlier breaches of your network, or from another website or service where the same password was reused. Aging is no substitute for password quality, though: never use common or reused passwords, and adopt the discipline of using a password manager. Note also that current guidance (NIST SP 800-63B) favors forcing a change on evidence of compromise over rotation on a fixed schedule, so treat the maximum age below as a backstop rather than the primary control.

The login.defs file

The file /etc/login.defs defines the default configuration for various account properties on your Linux system. Several user-management commands, such as useradd, read their defaults from this file.

For this example, we will set a few options in login.defs that enforce password aging.

Open your favorite editor (vi, for example) and set the following lines. If PASS_MAX_DAYS, PASS_MIN_DAYS or PASS_WARN_AGE are already present in the file, edit those lines rather than adding a second copy:

PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_WARN_AGE 7

PASS_MAX_DAYS sets the maximum lifetime of a password to 90 days; after that the user is forced to change it at the next login. PASS_MIN_DAYS sets the minimum number of days before a user may change the password again (7 here), which stops users cycling straight back to an old password. Be aware that it also stops a user from changing a password they suspect has leaked; an administrator can still change it with passwd or force a change with chage. PASS_WARN_AGE is the number of days before expiry on which the user starts getting a warning at login.

Please note that changing login.defs only affects accounts created afterwards (useradd copies these values into each new user's /etc/shadow entry). To change existing users, use the chage command as outlined in How to Check (and change) User Password Expiration.

Linux: How to Check (and change) User Password Expiration

If you use the password expiration built in to Linux, you may have an account whose password has expired (the user is forced to change it at the next login, or is refused once the inactivity period has also passed) or is about to expire. How would you check the state of a given account?

To do this, use the chage command. This command can display information about when the password will expire as well as change the expiry time.

Checking the Expiry Information

To check the expiry information, use the chage command like this:

# chage -l username
Last password change : Aug 31, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

The output of chage shows us the last password change, when the password will expire and more.

Changing the Expiry Time

If you would like to set the maximum age of a given user's password to "never" (this clears the maximum-days field in /etc/shadow, and chage -l then reports "Password expires : never"), use the following command:

# chage -M -1 username

To set a specific maximum days before the password is required to be changed, use the following command:

# chage -M 90 username

For more information about configuring password aging for all users, see How to Enable Password Aging in Linux.
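Both posts above work one account at a time. As an added example (not part of the original posts), the following POSIX shell function audits the aging state of every local account at once by reading /etc/shadow-format lines (field layout per shadow(5)) together with a "today" value in days since the epoch, the same unit /etc/shadow uses. The sample lines, the placeholder hashes and the day number 17600 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit password aging for every local account from /etc/shadow.
# Field layout per shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved
# "lastchg" and the "today" argument are both days since 1970-01-01.
audit_shadow() {
    today="$1"
    awk -F: -v today="$today" '
        # "!", "*", "!!" or "!<hash>" in the hash field: password login is disabled.
        $2 ~ /^[!*]/ { print $1 " LOCKED"; next }
        # Empty hash: no password at all, a finding in its own right.
        $2 == "" { print $1 " NOPASSWORD"; next }
        # Empty lastchg disables aging entirely; 0 forces a change at next login.
        $3 == "" { print $1 " NOAGE"; next }
        $3 == 0  { print $1 " MUSTCHANGE"; next }
        # Empty max (what chage -M -1 leaves), 99999 (shadow default) or -1: never expires.
        $5 == "" || $5 == 99999 || $5 == -1 { print $1 " NEVER"; next }
        {
            expires = $3 + $5                  # day on which the password expires
            warn = ($6 == "") ? 0 : $6 + 0     # days of warning before that day
            if (today > expires)               print $1 " EXPIRED"
            else if (today >= expires - warn)  print $1 " WARN"
            else                               print $1 " OK"
        }'
}

# Constructed sample in /etc/shadow format (hashes are placeholders), audited on day 17600.
SAMPLE_SHADOW='alice:$6$salt$hash:17500:0:90:7:::
bob:$6$salt$hash:17550:7:90:7:::
carol:$6$salt$hash:17515:7:90:7:::
dave:$6$salt$hash:17500:0:99999:7:::
eve:!$6$salt$hash:17500:0:90:7:::
frank::17500:0:90:7:::
grace:$6$salt$hash:0:0:90:7:::
root:$6$salt$hash:17500:0::::'

# Runs the audit over the sample; returns one "user STATUS" line per account.
audit_sample() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 17600
}

audit_sample
```

Against the live system, run it as root with audit_shadow "$(( $(date +%s) / 86400 ))" < /etc/shadow. Accounts reported as NEVER or NOAGE are the ones the chage -M command above has not yet covered; NOPASSWORD entries deserve a look regardless of aging. After a suspected leak, chage -d 0 username sets the last-change day to 0 and forces a change at the next login.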

One-Line ncFTP Client Install

ncftp is a client suite offering a command-line interface to the File Transfer Protocol (FTP).

To install it from source in one line, run the command below, substituting the current version for 3.2.3. Two caveats: the tarball is fetched over unauthenticated FTP, so verify it against the project's published checksum or signature before building, and make install writes into /usr/local and needs root. If your distribution packages ncftp, its package manager is the safer route.

cd ~ && wget ftp://ftp.ncftp.com/ncftp/ncftp-3.2.3-src.tar.gz && \
tar zxvf ncftp-3.2.3-src.tar.gz && cd ncftp-3.2.3 && \
./configure && make && make install && cd ~ && \
rm -rf ncftp-3.2.3-src.tar.gz ncftp-3.2.3
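As an added example of checking a download before building it (this is not ncftp project code), the POSIX shell helper below computes the SHA-256 of a tarball and refuses to unpack it unless the digest matches a value obtained out of band, such as the project's published checksum file or a signed release announcement. No real ncftp digest is assumed; the self-test builds a small tarball on the fly so the example runs offline.

```shell
#!/bin/sh
# Added example: verify a source tarball's SHA-256 before unpacking and building it.
# The expected digest must come from the project (checksum file, signed release
# announcement), never from the same unauthenticated download path as the tarball.

# Print the SHA-256 hex digest of a file, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_and_extract TARBALL EXPECTED_SHA256 DESTDIR
# Returns 0 and extracts into DESTDIR on a match; returns 1 and touches nothing otherwise.
verify_and_extract() {
    tarball="$1" expected="$2" dest="$3"
    actual=$(sha256_of "$tarball") || return 1
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch for %s\n  got:      %s\n  expected: %s\n' \
            "$tarball" "$actual" "$expected" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest"
}

# Self-test on a constructed tarball: a good digest extracts, a bad one is refused.
selftest() {
    tmp=$(mktemp -d) || return 1
    printf 'hello\n' > "$tmp/hello.txt"
    tar -czf "$tmp/src.tar.gz" -C "$tmp" hello.txt
    good=$(sha256_of "$tmp/src.tar.gz")
    verify_and_extract "$tmp/src.tar.gz" "$good" "$tmp/ok" || { rm -rf "$tmp"; return 1; }
    # A wrong digest must be rejected and must not create the destination.
    if verify_and_extract "$tmp/src.tar.gz" \
        "0000000000000000000000000000000000000000000000000000000000000000" "$tmp/bad" 2>/dev/null
    then
        rm -rf "$tmp"; return 1
    fi
    if [ -f "$tmp/ok/hello.txt" ] && [ ! -d "$tmp/bad" ]; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

selftest && echo "self-test passed"
```

In the install one-liner, the call sits between wget and ./configure: verify_and_extract ncftp-3.2.3-src.tar.gz "<digest from the project>" . && cd ncftp-3.2.3 && ./configure ... so a tampered or truncated download stops the chain before anything is compiled or installed.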

BIND 9 DoS Update: CVE-2009-0696

BIND, the Berkeley Internet Name Domain server, provides authoritative and recursive DNS lookups for the majority of the internet as we know it. A security vulnerability outlined here shows that a specially crafted packet can cause the DNS daemon to stop functioning. The bug is triggered while checking the prerequisites of a dynamic update, so a server does not need to allow dynamic updates to be affected; any server that is "master" for at least one zone is, and such servers must be updated immediately. More general information on BIND can be found on their site here.

CVE Information: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0696

RHEL Bug Information: https://bugzilla.redhat.com/show_bug.cgi?id=514292

The NVD at NIST reports the following overview of this issue:

The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.

Updating BIND on RHEL/CentOS (4/5)

Updated packages are available; make sure you end up on a release containing the fix (9.4.3-P3, 9.5.1-P3 or 9.6.1-P1 upstream, or your vendor's backported equivalent).

Use this command to update bind on yum-based systems:

# yum -y update bind

Updating the package does not guarantee that the running daemon was restarted, so restart it yourself (service named restart) and confirm the installed version afterwards with rpm -q bind or named -v.

Updating BIND on Debian / Ubuntu

# apt-get update
# apt-get upgrade
# /etc/init.d/bind9 restart
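As an added example (not from ISC, Red Hat or Debian), the shell function below classifies a named -v string against the version ranges quoted from NVD above. It encodes only those three branches (9.4 fixed in 9.4.3-P3, 9.5 in 9.5.1-P3, 9.6 in 9.6.1-P1) and reports anything else as not covered, so that you consult the vendor advisory instead of trusting a guess. Distribution packages frequently backport the fix without changing the version string, so for RHEL or Debian packages read the package changelog (rpm -q --changelog bind) rather than relying on this check alone.

```shell
#!/bin/sh
# Added example: classify a BIND version string against the CVE-2009-0696 ranges from NVD.
# Exit status: 0 = at or above the first fixed release of its branch,
#              1 = inside a vulnerable range,
#              2 = branch not covered by the NVD text (consult the vendor advisory).
bind_cve_2009_0696_status() {
    printf '%s\n' "$1" | awk '
    {
        # Pull "9.x.y" with an optional "-Pn" patch level out of e.g. "BIND 9.4.3-P2 (...)".
        if (match($0, /9\.[0-9]+\.[0-9]+(-P[0-9]+)?/) == 0) exit 2
        v = substr($0, RSTART, RLENGTH)
        n = split(v, a, /[.-]/)              # a[2]=minor, a[3]=patch, a[4]="Pn" if present
        minor = a[2] + 0; patch = a[3] + 0
        plevel = (n == 4) ? substr(a[4], 2) + 0 : 0
        # First fixed release per branch: 9.4.3-P3, 9.5.1-P3, 9.6.1-P1.
        if      (minor == 4) { fpatch = 3; fplevel = 3 }
        else if (minor == 5) { fpatch = 1; fplevel = 3 }
        else if (minor == 6) { fpatch = 1; fplevel = 1 }
        else exit 2
        if (patch > fpatch || (patch == fpatch && plevel >= fplevel)) exit 0
        exit 1
    }'
}

# Same check, but prints the status code instead of returning it (convenient under set -e).
bind_cve_2009_0696_code() {
    bind_cve_2009_0696_status "$1" && echo 0 || echo $?
}

# Check the locally installed daemon, if there is one.
check_local_named() {
    v=$(named -v 2>/dev/null) || { echo "named not found"; return 2; }
    case "$(bind_cve_2009_0696_code "$v")" in
        0) echo "$v: fixed" ;;
        1) echo "$v: VULNERABLE, update now" ;;
        *) echo "$v: not covered by the NVD ranges, check the vendor advisory" ;;
    esac
}

check_local_named
```

Feed it the output of named -v on each server, or the version column of your inventory, to get a first cut of which hosts still need attention.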

Basic Commands: Symbolic Links

Symbolic links allow an administrator to make a path (file or directory) point to another, real location.

How do I create a symbolic link?

# ln -s [target file/directory] /link/location/to/file/or/directory

For example, you wish /etc/httpd/conf to point to the real location /usr/local/apache/conf.

The command would look like this:
# ln -s /usr/local/apache/conf /etc/httpd/conf

Make sure the link path (in our example /etc/httpd/conf) does not already exist. If it is an existing directory, ln does not replace it but silently creates the link inside it, as /etc/httpd/conf/conf, and Apache carries on reading the old directory.

Linux CLI (Command Line Interface) Tricks

Here is a small(ish) list of Linux CLI tips and tricks I have learned and researched over the years. This list is by no means completely comprehensive but contains a list of some of the tricks I use on an everyday basis. Living your life “in the shell” can be very cumbersome if you aren’t using the tricks outlined below. Good luck and happy Linuxing.

 

I will say this: Do not give in and use all the tricks all the time if you are just starting with Linux. It’s always best (in my opinion) to learn the ropes and background to everything before using the GUI or any related tricks. I believe this is true with almost any learning process – technology-based or not.

Command Line File Name Completion

Tired of typing out a long command name or path? Try "tabbing it out".

Try for example: where<tab>

The shell should complete this to whereis. If more than one binary in your PATH starts with where, the first tab completes only the common prefix; press tab again and you will be shown all the candidates.

 

Print Working Directory (pwd)

The pwd command tells you what directory you are currently in. Depending on your prompt configuration, the full working directory may also appear in your prompt or in the terminal window title. For instance, I use PuTTY and it always shows my Current Working Directory (CWD).

Command History

Forgot the last few commands you ran? Need to work out what the previous person at the keyboard did? Try the history command.

Type history. This lists recently entered commands and can be very long. history 10 works much like the tail command and shows the last 10 entries.

Type history -c to clear the history of the current shell. Bear in mind when investigating a system that history shows only the current shell's in-memory list; earlier sessions are only in ~/.bash_history, which is written when a shell exits, so it can be incomplete, and anyone with access to the account can edit or clear it.


Output Redirection

Tons of information from the command you just executed? Redirect the output to a file or another program.

>   redirect STDOUT to a file (overwrite)
>>  append STDOUT to the end of the file
<   input redirection (read STDIN from a file)
1>  redirect STDOUT (Standard Out) explicitly; the same as >
2>  redirect STDERR (Standard Error)
&>  redirect both STDOUT and STDERR to the same file (bash; in POSIX sh use > file 2>&1)

Examples:

# echo "foo" > bar (writes the text "foo" to the file called "bar", replacing any previous contents)

# echo "foo2" >> bar (appends the text "foo2" to the end of the file "bar")

# wc -l < bar (line count of the file bar, read from STDIN)

Most commands read from STDIN when no file argument is given. wc can also be given the file name directly:

# wc -l bar

The count is the same, but the output differs slightly: with the file named as an argument wc prints the name after the count, whereas reading from STDIN it prints the number alone.


Aliases

Using aliases is another way to make common commands quicker to type. Think of an alias as a simple shortcut to a longer command. Say you want to remove a directory tree and are tired of always typing rm -rf <directory>. You can create an alias with alias rmf='rm -rf' and then type rmf <directory> to achieve the same result. Pick a name that is not already a command: aliasing the real rmdir to rm -rf, for example, would turn a command that refuses to delete non-empty directories into one that deletes everything underneath them without asking. To make an alias permanent, add the alias line to your ~/.bashrc.


Symbolic Links

A symbolic link is simply a pointer to another file or directory. To give a program a shorter path, or to link to it from inside your home directory, use a command like this:

# ln -s /usr/local/program/bin/program ~/program

- or to link an entire directory -

# ln -s /usr/local/program ~/program

Symbolic links show up in ls -l output with an l as the first character of the mode field and an arrow after the name, for example program -> /usr/local/program/bin/program.


apropos Search Whatis Database

Ever wanted to find a command but never knew the name? Do you know what the command does or a description but can’t put your finger on it? Use the command apropos to search the whatis database.

Just type apropos "string to search for".


Whereis – Find a binary or man page

Ever needed to find the location of a binary easily? Try whereis. Simply type whereis <binary> and you will be shown the location of the binary and/or its man page.


There are a ton of other shortcuts I am missing but this is just a small list. Have a great day!

5 Useful Linux Performance Utilities

Ever wondered what was going on with a server or desktop that just wasn’t performing “right”? Sure the load average is a good representation of the overall load as described here, but, how do you track down the actual source of the issue? Try out these five utilities to help you track down any load-related issues with your Linux-based installation.

 

  1. top

    Yes, that's right, good ol' fashioned top. If you haven't already used the top command then you may not have been using Linux that much. top provides a real-time look at processor time, the processes using the most memory or CPU, and an overview of physical and swap memory. Press "1" to show every CPU separately (on multi-core or HT-enabled processors).

  2. htop

    There are also other top variants which provide more information in the same top-like format. Enter htop. htop has been around for some time and has, as far as I know, gone generally unknown around the Linux world. htop provides colorful (who doesn't like colors?) views of the system state and shows tree views of processes that provide even more detail. Obtain more information about htop here.

  3. iostat

    Got disk performance issues? Find out with iostat! iostat reports throughput, operations per second and the share of CPU time spent waiting on I/O devices to respond. This command is quite useful when attempting to see what is causing your load averages to spike. If your system has high I/O wait times you may consider buying faster disks or tuning your application to be less disk-intensive. Performance tuning of a MySQL database, for instance, can greatly decrease the amount of disk I/O needed: adding indexes and restructuring queries can speed up MySQL systems that have high I/O wait times. Of course, you can always throw hardware at the issue as well. For more information on iostat see this article.

  4. vmstat

    Direct from the vmstat man page: "vmstat reports information about processes, memory, paging, block IO, traps, and cpu activity." Note that the first report vmstat prints gives averages since the last reboot; when you run it with an interval (vmstat 1, for example) every subsequent report covers only the preceding interval, which is what you want when chasing a live problem.
    Direct from man page:

    Procs
           r: The number of processes waiting for run time.
           b: The number of processes in uninterruptible sleep.

    Memory
           swpd: the amount of virtual memory used.
           free: the amount of idle memory.
           buff: the amount of memory used as buffers.
           cache: the amount of memory used as cache.
           inact: the amount of inactive memory. (-a option)
           active: the amount of active memory. (-a option)

    Swap
           si: Amount of memory swapped in from disk (/s).
           so: Amount of memory swapped to disk (/s).

    IO
           bi: Blocks received from a block device (blocks/s).
           bo: Blocks sent to a block device (blocks/s).

    System
           in: The number of interrupts per second, including the clock.
           cs: The number of context switches per second.

    CPU
           These are percentages of total CPU time.
           us: Time spent running non-kernel code. (user time, including nice time)
           sy: Time spent running kernel code. (system time)
           id: Time spent idle. Prior to Linux 2.5.41, this includes IO-wait time.
           wa: Time spent waiting for IO. Prior to Linux 2.5.41, shown as zero.

  5. ps

    Although the ps "process list" command does not show real-time updates, it can provide useful information on why your system may be slow. I typically use the aux options, which show enough detail; adding ww to the end of aux stops long command lines being truncated. Run ps aux and look for many copies of the same process. This is good for troubleshooting if a process like Apache or Exim has spawned many children and slowed the system. Use ps axf (or ps aux --forest on procps) to show children in a tree format.

IBM Brings new Power 560 Express to Market

"A new server for mid-size companies, the Power 560 Express, is due on Nov. 21. It uses a 3.6 GHz Power6 processor, comes in four-, eight- and 16-node configurations, and packs a hefty 384GB of memory. It's designed for companies looking to run multiple applications on a virtualized system. It will be offered with Linux, AIX or i."

IBM brings a new line of processors and machines to the market with unreal memory capacities.

Linus Torvalds has a Blog

Linus Torvalds is the father of Linux. He has been very active in the development of the Linux kernel and recently decided to start a blog. Read his blog here.

 

It will be interesting if he keeps the blog updated or if he posts a lot at the beginning then tapers off.

 

So, having avoided the whole blogging thing so far, yesterday Alan DeClerck sent a pointer to his family blog with pictures of the kids friends, and I decided that maybe it’s actually worth having a place for our family too that we can do the same on.
Of course, I’ll need to see what Tove wants to do, but in the meantime, here’s a trial blog.

Good Information on Linux Semaphores

What is a semaphore? An article I found here is very useful. It says that "Semaphores can be thought of as simple counters that indicate the status of a resource. This counter is a protected variable and cannot be accessed by the user directly."

This recently came up when the Dell OpenManage storage service would not start on a Linux system: it complained that there were no more semaphores available. On Linux you can list the System V semaphore sets currently allocated with ipcs -s (and remove a leaked one with ipcrm), and the kernel limits live in /proc/sys/kernel/sem, in the order SEMMSL, SEMMNS, SEMOPM, SEMMNI. Check out the article for more information.