It’s a good security practice to enforce password aging. This helps to prevent unauthorized system access using your credentials. Bad actors can obtain your credentials from a data dump from a previous attack on your network, or from another website or service you may have used. It’s important to note that you should never use common passwords and you should adopt the discipline of using a password management tool.
The login.defs file
The file located at /etc/login.defs defines the default configuration for various account properties on your Linux system. Multiple user management commands such as “useradd” and others read defaults from this file.
For this example, we will add a few options to our login.defs file, which will enforce password aging.
Open your favorite editor (like vi) and drop the following lines at the bottom of the file:
The PASS_MAX_DAYS option sets the maximum time for a password to 90 days. After 90 days, the password is required to be changed. The second line, PASS_MIN_DAYS, sets the minimum days before a user can change the password again.
Please note, changing the login.defs file only impacts new user creation. To change existing users, use the chage command as outlined in How to Check (and change) User Password Expiration.
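Because login.defs only affects newly created accounts, existing accounts can keep a looser maximum age than the policy. The script below is an added example, not from the original post: it reads PASS_MAX_DAYS from a login.defs-style file and lists accounts in a shadow-format file whose maximum age (field 5) is unset or larger. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): find existing accounts whose
# password maximum age is looser than the PASS_MAX_DAYS policy in login.defs.

# Print PASS_MAX_DAYS from a login.defs-style file. Commented lines are
# ignored; if the key appears twice, this example takes the last one.
policy_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { if (v != "") print v }' "$1"
}

# Print "user max_age" for each account in a shadow-format file ($1) whose
# maximum password age (field 5) is unset or greater than the policy ($2).
# Entries whose hash field starts with ! or * (locked / no password login)
# are skipped.
stale_aging_accounts() {
    awk -F: -v max="$2" '
        $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > max + 0 { print $1, ($5 == "" ? "unset" : $5) }
    ' "$1"
}

# Constructed sample files so the example runs without touching /etc.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
# PASS_MAX_DAYS 99999
PASS_MAX_DAYS   90
PASS_WARN_AGE   7
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$6$constructed$hash:17409:0:99999:7:::
alice:$6$constructed$hash:17409:0:90:7:::
bob:$6$constructed$hash:17409:0::7:::
daemon:*:17409:0:99999:7:::
carol:!!:17409:0:99999:7:::
EOF

MAX=$(policy_max_days "$SAMPLE_DIR/login.defs")
echo "Policy PASS_MAX_DAYS: $MAX"
stale_aging_accounts "$SAMPLE_DIR/shadow" "$MAX"
```

On a real system, run the two functions as root against /etc/login.defs and /etc/shadow, then bring each listed account in line with the chage command.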
If you currently utilize password expiration that’s built in to Linux, you may have an account that’s locked out or about to be locked out. How would you check to see if a given user account is locked out?
To do this, use the chage command. This command can display information about when the password will expire as well as change the expiry time.
Checking the Expiry Information
To check the expiry information, use the chage command like this:
# chage -l username
Last password change : Aug 31, 2017
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
The output of chage shows us the last password change, when the password will expire and more.
Changing the Expiry Time
If you would like to set the expiry time of a given user’s password to “never”, use the following command:
To set a specific maximum days before the password is required to be changed, use the following command:
For more information about configuring password aging for all users, see How to Enable Password Aging in Linux.
ncftp is a client suite offering a command-line interface to the commonly used File Transfer Protocol (FTP).
To install it in one line, simply run the command below. Substitute the most current version for 3.2.3.
cd ~ && wget ftp://ftp.ncftp.com/ncftp/ncftp-3.2.3-src.tar.gz && \
tar zxvf ncftp-3.2.3-src.tar.gz && cd ncftp-3.2.3 && \
./configure && make && make install; cd ~ && \
rm -rf ncftp-3.2.3-src.tar.gz ncftp-3.2.3
BIND, the Berkeley Internet Name Domain service, provides forward (authoritative) and recursive (non-authoritative) DNS lookups for the majority of the internet as we know it. A security vulnerability outlined here shows that a specially crafted packet can cause the DNS daemon to stop functioning. It is imperative that all “master” DNS servers get updated immediately. More general information on BIND can be found on their site here.
CVE Information: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0696
RHEL Bug Information: https://bugzilla.redhat.com/show_bug.cgi?id=514292
The NVD at NIST reports the following overview of this issue:
The dns_db_findrdataset function in db.c in named in ISC BIND 9.4 before 9.4.3-P3, 9.5 before 9.5.1-P3, and 9.6 before 9.6.1-P1, when configured as a master server, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an ANY record in the prerequisite section of a crafted dynamic update message, as exploited in the wild in July 2009.
Updating BIND on RHEL/CentOS (4/5)
Updated packages are available to ensure you are running the latest release.
Use this command to update bind on yum-based systems:
# yum -y update bind
Updating BIND on Debian / Ubuntu
# apt-get update
# apt-get upgrade
# /etc/init.d/bind9 restart
Symbolic links allow an administrator to point a link (file or directory) to another real location.
How do I create a symbolic link?
# ln -s [target file/directory] /link/location/to/file/or/directory
For example, you wish to link /etc/httpd/conf to point to the real location of /usr/local/apache/conf
The command would look like this:
# ln -s /usr/local/apache/conf /etc/httpd/conf
Ensure that the destination for your link (in our example this would be /usr/local/apache/conf) does not already exist.