
Thursday, December 1, 2016

How to Reset a Nessus Scanner

The other day I installed a new Nessus Vulnerability Scanner, a security scanner that is often controlled by Security Center; both are Tenable products. After I finished the install and configured the Nessus scanner to be managed by Security Center, I tried to log back into the scanner and discovered I was locked out. So I figured I could just reinstall the Nessus scanner, after all it only takes a few minutes to do. I reinstalled Nessus and I was still locked out. What gives? Below are the steps I used to get back into the scanner. I later found an even easier way to get back into the Nessus scanner, which I also posted below.

Follow the steps below to uninstall the Nessus scanner and remove the configuration files.

1. Optional - Stop the nessusd service
root@earth> service nessusd stop

2. To uninstall Nessus remove the Nessus package
root@earth> rpm -e nessus-package

For some reason /opt/nessus still exists after the Nessus package is removed

3. Remove the Nessus directory.
root@earth> rm -r /opt/nessus

Note- Don't worry, the Nessus files will be recreated after the reinstall.

Note- If the /opt/nessus directory is not removed, then your account will still be locked. This is because the configuration files will still exist.

4. Now install Nessus
root@earth> rpm -ivh nessus.rpm

5. Go to the Web interface to finish the configuration of the scanner
https://nessus:8834

Installing Nessus and setting it up to be managed by Security Center takes very little time, but you

The easier way I mentioned above is to create a new user and/or reset a user's password with nessuscli, instead of reinstalling.

Add a user to the scanner
root@earth> /opt/nessus/sbin/nessuscli adduser newuser

Change a user's password on the Nessus scanner
root@earth> /opt/nessus/sbin/nessuscli chpasswd username

I showed you in a previous post "Reset Admin account on Security Center" how to do this for Security Center.

Related posts on this site:
Reset Admin account on Security Center
Manually Update Plugins for your PVS
Manually Update Plugins on a Nessus Scanner

Wednesday, September 28, 2016

Latest Scripts for finding Java


I have in the past posted my script for finding instances of Java on the servers I manage. I have since updated the script I posted on this blog. You can still see the old script on this blog under the title "Checking Java Versions Remotely". My method of finding all the versions of Java on all the servers consists of running two scripts. One script, called check-java, acts as a manager for the other script and gathers all the data into a nice report. The other script, called stig-java, does the actual work of finding Java on the target system.

In order for this script to work you will need to setup your SSH clients for auto login. If you don't know how to do this please refer to my post How to setup SSH Keys. This script doesn't need the automount in order to work.

What the scripts do.

First off you need to put both scripts in the same location. I put the scripts in my home directory in a folder called scripts. The main script, check-java, copies the stig-java script to /tmp on all the servers. Then it logs into all the servers, one at a time, runs the stig-java script and sends the output to a file named after the server. The check-java script then deletes stig-java from /tmp on all the servers. All those output files are then combined into a single file with the approved versions filtered out.

The scripts have been tested on Solaris 10, Red Hat 5 & 6 (RHEL) and SLES 11 and they work fine. On the Mac the colors don't work.


The check-java script
#!/bin/bash
# This script is for running the stig-java script on the servers.
# Run it from ~/scripts. The files COOP, SOL, SLES, ACAS, RHEL and TD in that
# directory each list one host name per line; stig-java and stig-java3 sit
# next to them. Arguments $1..$6 are the approved Java update numbers, which
# the egrep at the end filters out of the final report.

SP=$(uname -n)   # this host is checked locally instead of over ssh
cd ~/scripts || exit 1
mkdir -p outputJ/sol outputJ/rhel outputJ/sles outputJ/td

### Copy files section
echo -e "\e[1m Copying files \033[0m"
for host in $(cat COOP SOL SLES)
  do if [ "$host" == "$SP" ]
        then cp ~/scripts/stig-java /tmp/stig-java 2>/dev/null
        else scp -q stig-java $host:/tmp &>/dev/null
     fi
done
for host in $(cat ACAS RHEL)
do scp -q stig-java $host:/var/tmp
done
for host in $(cat TD)
do scp -q stig-java3 $host:/tmp &>/dev/null   # stig-java3: version for paths with spaces
done
echo -e "\e[1m                 Done copying files \033[0m \n"

### Running the stig-java script section
echo -e "\e[1mLooking for Java on Solaris Servers\033[0m "
echo "-------------------------------------------------"
for s in $(cat COOP SOL)
do echo -e "Checking $s "
ssh -qt $s /usr/local/bin/sudo /tmp/stig-java &> ~/scripts/outputJ/sol/$s
done
echo -e "\n\e[1mLooking for Java on RHEL Servers\033[0m "
echo "-------------------------------------------------"
for r in $(cat ACAS RHEL)
do echo -e "Checking $r "
# Try a copy in the remote ~/scripts first, then fall back to the one copied to /var/tmp
ssh -qt $r /usr/bin/sudo ~/scripts/stig-java &> ~/scripts/outputJ/rhel/$r || ssh -qt $r /usr/bin/sudo /var/tmp/stig-java &> ~/scripts/outputJ/rhel/$r
done
echo -e "\n\e[1mLooking for Java on SLES Servers \033[0m "
echo "------------------------------------------------"
for l in $(cat SLES)
do echo -e "Checking $l "
  if [ "$l" == "$SP" ]
    then sudo ~/scripts/stig-java &> ~/scripts/outputJ/sles/$SP
    else
# Retry without -t if the forced pseudo-terminal is refused
ssh -qt $l /usr/bin/sudo /tmp/stig-java &> ~/scripts/outputJ/sles/$l || ssh -q $l /usr/bin/sudo /tmp/stig-java &> ~/scripts/outputJ/sles/$l
  fi
done
echo -e "\n\e[1mLooking for Java on Teradata Servers \033[0m "
echo "------------------------------------------------"
for t in $(cat TD)
do echo -e "Checking $t "
ssh -qt $t /usr/bin/sudo /tmp/stig-java3 &> ~/scripts/outputJ/td/$t || ssh -q $t /usr/bin/sudo /tmp/stig-java3 &> ~/scripts/outputJ/td/$t
ssh -q $t rm /tmp/stig-java3
done

# Clean Up
echo "Deleting tmp files"
for host in $(cat COOP SOL ACAS RHEL SLES)
do if [ "$host" == "$SP" ]
then rm /tmp/stig-java 2>/dev/null
else
ssh -q $host rm /tmp/stig-java 2>/dev/null || ssh -q $host rm /var/tmp/stig-java
   fi
done
echo " "

# Finishing up: one file per platform, then one combined report
cat ~/scripts/outputJ/sol/*  > ~/scripts/outputJ/solM
cat ~/scripts/outputJ/rhel/*  > ~/scripts/outputJ/rhelM
cat ~/scripts/outputJ/sles/*  > ~/scripts/outputJ/slesM
cat ~/scripts/outputJ/td/*  > ~/scripts/outputJ/tdM

echo -e "\e[1m ------------------------ Solaris Servers -------------------------  \033[0m\n" > ~/scripts/outputJ/output
cat ~/scripts/outputJ/solM >> ~/scripts/outputJ/output
echo -e "\e[1m ------------------------ RHEL Servers -------------------------  \033[0m\n" >> ~/scripts/outputJ/output
cat ~/scripts/outputJ/rhelM >> ~/scripts/outputJ/output
echo -e "\e[1m ------------------------ SLES Servers -------------------------  \033[0m\n" >> ~/scripts/outputJ/output
cat ~/scripts/outputJ/slesM >> ~/scripts/outputJ/output
echo -e "\e[1m ------------------------ Teradata Servers -------------------------  \033[0m\n" >> ~/scripts/outputJ/output
cat ~/scripts/outputJ/tdM >> ~/scripts/outputJ/output

# Drop the approved versions (update numbers passed as $1..$6) so that only
# out-of-date Java installs remain in the report.
egrep -v "(1.8.0_${1}|1.7.0_${2}|1.6.0_${3}|1.8.0.${4}|1.7.0.${5}|1.6.0.${6})" ~/scripts/outputJ/output | more

The stig-java script
#!/bin/bash
# This script is for finding versions of Java on a server.
# check-java copies it to each host and runs it there with sudo.
#
DATE=$(date)
echo -e "\e[1;34m <<<<<<<<<<<<<<<<<<<< $(uname -n)  >>>>>>>>>>>>>>>>>>>\e[0m "
echo -e "Last scanned on $DATE"

### Find Java Section
# Every file named java (outside the pruned directories) with the version it reports
for s in $(find / \( -name '10_Recommended*' -o -name scratch -o -name zones -o -name mnt \) -prune -o -type f -name java -print 2>/dev/null)
do ee=$("$s" -fullversion 2>&1 | awk '{print $4}')
echo -e "\e[1m$ee\e[0m \t $s"
done
echo " "

### Find Packages Section
if [ SunOS == "$(uname -s)" ]
  then if [[ -z $(pkginfo | grep 'SUNWj[3-8]') ]]
         then echo -e "\e[1mNo Java packages found\e[0m"
         else echo -e "\e[1mPackages found:\e[0m \n$(pkginfo | grep 'SUNWj[3-8]')"
       fi
  else if [[ -z $(rpm -qa | egrep '(jdk|jre)') ]]
         then echo -e "\e[1mNo Java packages found\e[0m"
         else echo -e "\e[1mPackages found:\e[0m \n$(rpm -qa | grep -v SYMC | egrep '(jdk|jre)')"
       fi
fi

### Find Directories Section
if [ SunOS != "$(uname -s)" ]
  then DF=$(ls -d /usr/java/j* 2>/dev/null)
       if [[ -n $DF ]]
         then echo -e "\e[1mDirectories found:\e[0m\n$DF"
         else echo -e "\e[1mNo directories found\e[0m"
       fi
fi

### STIG Java Check List Section
# Every setting below must be present in the deployment files; any miss fails the list.
PROPS=/usr/java/jre/lib/deployment.properties
CONF=/usr/java/jre/lib/deployment.config
FAIL="\e[1;31mFailed Java Check List\e[0m"
if [ -e /usr/java ]
   then JCKL="Passed Java Check List"
        if [ -e "$PROPS" ]
           then grep deployment.security.askgrantdialog.notinca=false "$PROPS" &>/dev/null || JCKL=$FAIL
                grep deployment.security.askgrantdialog.notinca.locked "$PROPS" &>/dev/null || JCKL=$FAIL
                grep deployment.security.validation.crl=true "$PROPS" &>/dev/null || JCKL=$FAIL
                grep deployment.security.validation.crl.locked "$PROPS" &>/dev/null || JCKL=$FAIL
                grep deployment.security.validation.ocsp=true "$PROPS" &>/dev/null || JCKL=$FAIL
                grep deployment.security.validation.ocsp.locked "$PROPS" &>/dev/null || JCKL=$FAIL
           else JCKL=$FAIL
        fi
        if [ -e "$CONF" ]   # JRE0070 V-32901 CAT II
           then grep deployment.system.config=file:$PROPS "$CONF" &>/dev/null || JCKL=$FAIL
                grep deployment.system.config.mandatory=false "$CONF" &>/dev/null || JCKL=$FAIL
           else JCKL=$FAIL
        fi
        echo -e "\e[1m$JCKL \e[0m"
   else echo -e "\e[1;34mNo System Java from Oracle Found \e[0m"
fi

A third script, stig-java3, is used on the systems with spaces in the path; its contents are not included here. Below is the output from a server that failed the Java check list, followed by example output from a run of check-java.
<<<<<<<<<<<<<<<<<<<< Linux server name  >>>>>>>>>>>>>>>>>>>
Last scanned on Thu Sep 29 13:17:30 GMT 2016
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/bin/java
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/jre/bin/java

Linux packages:
 java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.el6_8.x86_64
java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el6_8.x86_64
jdk1.8.0_101-1.8.0_101-fcs.x86_64 )
Directories found:
/usr/java/jdk1.8.0_101
Failed Java Check List

Example output
root@earth> ./check-java
<<<<<<<<<<<<<<<<<<<< Linux server name  >>>>>>>>>>>>>>>>>>>
Last scanned on Thu Sep 29 13:17:30 GMT 2016
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/bin/java
"1.8.0_101-b13"          /usr/java/jdk1.8.0_101/jre/bin/java

Linux packages:
 java-1.7.0-openjdk-devel-1.7.0.111-2.6.7.2.el6_8.x86_64
java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el6_8.x86_64
jdk1.8.0_101-1.8.0_101-fcs.x86_64 )
Directories found:
/usr/java/jdk1.8.0_101
Passed Java Check List
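The STIG check list section of stig-java is the part that decides Passed or Failed, but it only tells you the verdict, not which setting is missing. Below is an added example (my code, not the scripts from this post) that turns that section into a function: it takes the JRE lib directory as a parameter instead of hard-coding /usr/java/jre/lib, checks the same deployment.properties and deployment.config values stig-java greps for, and names each missing setting. The two sample directories it builds are constructed for the demo.

```bash
#!/bin/bash
# Added example, not code from the original post: the STIG Java Check List
# section of stig-java as a function. It takes the JRE lib directory as an
# argument (stig-java hard-codes /usr/java/jre/lib), tests the same settings
# the post's script greps for, and names each missing setting instead of
# only printing Passed or Failed. Run with no arguments it builds two
# constructed sample directories and checks both.

# Settings required in deployment.properties. Entries without "=value" only
# have to be present (the *.locked lines).
PROPERTIES_REQUIRED='
deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked
'

# check_java_stig LIBDIR
# Prints each missing item on stderr and the verdict on stdout; always returns 0.
check_java_stig() {
    libdir=$1
    props=$libdir/deployment.properties
    config=$libdir/deployment.config
    failures=0

    if [ -e "$props" ]; then
        for setting in $PROPERTIES_REQUIRED; do
            # -F: literal substring match, like the plain grep in stig-java
            # (so notinca=false also matches notinca=falsehood; add -x to
            # require a whole-line match if that matters on your systems).
            if ! grep -qF "$setting" "$props"; then
                echo "deployment.properties lacks: $setting" >&2
                failures=$((failures + 1))
            fi
        done
    else
        echo "missing file: $props" >&2
        failures=$((failures + 1))
    fi

    if [ -e "$config" ]; then
        # deployment.config must point the JRE at the properties file above and
        # carry the mandatory=false line, the two values stig-java checks.
        for setting in "deployment.system.config=file:$props" \
                       "deployment.system.config.mandatory=false"; do
            if ! grep -qF "$setting" "$config"; then
                echo "deployment.config lacks: $setting" >&2
                failures=$((failures + 1))
            fi
        done
    else
        echo "missing file: $config" >&2
        failures=$((failures + 1))
    fi

    if [ "$failures" -eq 0 ]; then
        echo "Passed Java Check List"
    else
        echo "Failed Java Check List ($failures missing)"
    fi
    return 0
}

# make_sample_libdir compliant|noncompliant
# Builds a constructed lib directory under mktemp and prints its path. The
# noncompliant one leaves out the CRL settings and all three .locked flags.
make_sample_libdir() {
    d=$(mktemp -d)
    if [ "$1" = compliant ]; then
        printf '%s\n' $PROPERTIES_REQUIRED > "$d/deployment.properties"
    else
        printf '%s\n' 'deployment.security.askgrantdialog.notinca=false' \
                      'deployment.security.validation.ocsp=true' > "$d/deployment.properties"
    fi
    printf '%s\n' "deployment.system.config=file:$d/deployment.properties" \
                  'deployment.system.config.mandatory=false' > "$d/deployment.config"
    echo "$d"
}

if [ $# -eq 0 ]; then    # demo
    for kind in compliant noncompliant; do
        dir=$(make_sample_libdir "$kind")
        printf '%s: %s\n' "$kind" "$(check_java_stig "$dir")"
        rm -rf "$dir"
    done
fi
```

To use it on a real host, call check_java_stig /usr/java/jre/lib (or the lib directory of whichever JRE you are auditing); the stderr lines tell you exactly which line to add to the deployment files.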


Let me know if this script is helpful in any way. If you need more details or have questions, let me know by posting below.

Thursday, September 22, 2016

Create user account and set password with one command

I often see forum posts where a System Administrator wants to create local user accounts on several servers and doesn't want to set the user's password over and over again. Below I share two ways to do this. The first way creates the user account and sets the password in one command. The second method sets the password with an additional command. Either way can be used in a script, which can speed things up if you need to create one or more accounts on several systems.

Below is an example of creating a user account.
root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash newuser
root@earth> passwd newuser
passwd: Changing password for username
New Password:
Re-enter new Password:
passwd: password successfully changed for newuser

This method can be a very time consuming process and would be hard to use in a script. Below is an example of using the -p option of the useradd command to set the user's password by supplying the password hash (a crypt(3) string, here a SHA-512 hash starting with $6$).

root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash -p '$6$jbvkjjg$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/' newuser

This method works on Linux computers, such as SLES and RHEL. It however doesn't work on systems such as Solaris.
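One thing to know about -p: useradd writes its argument into /etc/shadow exactly as given, so if you hand it a plaintext password or a hash that lost its leading $ in a copy and paste, the account is created but nobody can log in, and nothing tells you why. As an added example (my code, not part of the original post), here is a format check for crypt hashes plus a wrapper that refuses to run useradd unless the check passes. It recognises the glibc ids 1, 5 and 6 only (an assumption; bcrypt and the rounds= prefix are not handled), the hash it validates is the one from the command above, and the plaintext sample is constructed. Remember that the hash shows up in ps output and your shell history while the command runs, and a hash can be cracked offline, so handle it like a secret.

```bash
#!/bin/bash
# Added example, not code from the original post. useradd -p stores its
# argument in /etc/shadow verbatim, so it must already be a crypt(3) hash
# like the "$6$salt$hash" string in the post. A plaintext password, or a
# hash that lost its leading "$" on the way through a clipboard, is written
# to the shadow file as-is: the account is created, nobody can log in to it,
# and nothing warns you. These helpers check the format before useradd runs.

# valid_crypt_hash STRING
# Returns 0 when STRING is "$id$salt$body" with a known id, a 1-16 character
# salt and a body of the right length, all from the crypt alphabet [./0-9A-Za-z].
# Assumption: only the glibc ids 1 (MD5), 5 (SHA-256) and 6 (SHA-512) are
# used here; bcrypt ($2b$) and the "rounds=" prefix are not recognised.
valid_crypt_hash() {
    h=$1
    case $h in
        '$1$'*) want=22 ;;
        '$5$'*) want=43 ;;
        '$6$'*) want=86 ;;
        *) return 1 ;;
    esac
    rest=${h#\$?\$}        # drop "$id$"
    salt=${rest%%\$*}      # up to the next "$"
    body=${rest#*\$}       # everything after it
    [ "$rest" != "$salt" ] || return 1                 # no second "$" at all
    [ -n "$salt" ] && [ "${#salt}" -le 16 ] || return 1
    [ "${#body}" -eq "$want" ] || return 1
    case "$salt$body" in *[!./0-9A-Za-z]*) return 1 ;; esac
    return 0
}

# useradd_with_hash USER HASH [useradd options...]
# Runs useradd with -p only if HASH passes the check above. With DRY_RUN=1 it
# prints the command (hash redacted) instead of running it.
useradd_with_hash() {
    user=$1 hash=$2
    shift 2
    if ! valid_crypt_hash "$hash"; then
        echo "refusing to create $user: -p argument is not a crypt hash" >&2
        echo "(generate one with: openssl passwd -6 ; never pass the plaintext)" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "useradd $* -p '<hash>' $user"
    else
        useradd "$@" -p "$hash" "$user"
    fi
}

# Demo: the hash from the post (format check only) and two common mistakes.
POST_HASH='$6$jbvkjjg$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/'
if [ $# -eq 0 ]; then
    DRY_RUN=1
    useradd_with_hash newuser "$POST_HASH" -m -d /export/home/newuser -s /bin/bash
    useradd_with_hash newuser 'Summer2016!' -m || echo "exit status $?"           # plaintext, constructed
    useradd_with_hash newuser "${POST_HASH#\$}" -m || echo "exit status $?"       # leading $ dropped
fi
```

In a real run leave DRY_RUN unset; the wrapper then passes the validated hash straight to useradd -p with whatever other options you give it.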

Alternately, you can also set the user's password by echoing it to standard input, as shown below. The major issue with doing it this way is that the password is recorded in the system logs (and your shell history), and if you're running the command remotely you're sending the password in the clear. So I don't recommend doing it this way.
root@earth> echo password | passwd newuser --stdin

This method works only on Linux systems.

Other posts with similar info
Linux User Account Creation & Customization
Adding a new user to a UNIX based system

Reference pages.
Online man page - useradd
Online man page - passwd

Thursday, September 15, 2016

Setting up NFS & automount on RHEL


I believe that any Linux or UNIX server should start as a very minimal build, meaning that a server should only have the programs or packages installed that are needed for its operation. To make some of my servers a little more functional I decided to install NFS and automount, so users can automount home directories and mount external shares.

Follow the steps below to install NFS and autofs so you can mount NFS shares and home directories. The example below is on a RHEL 6 server.


To be able to mount an NFS share you will need the following packages.
autofs
nfs-utils
nfs-utils-lib

Dependencies:
Hesiod
keyutils
libgssglue
libtirpc
python-argparse
rpcbind

Install the packages
root@server> yum install autofs  nfs-utils  nfs-utils-lib

To enable NFS shares you must add them to the /etc/fstab file. Example below.
10.12.12.8:/share /export/share  nfs noauto,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0
10.12.12.6:/cifs  /export/cifs  nfs noauto,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0
repos:/linux_repos /export/repos   nfs auto,ro,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0

To set up the automount function you need to edit the auto.home and auto.master files.
Add the hostname or IP address line to /etc/auto.home
*             10.10.10.2:/home/&

Add this line to /etc/auto.master
/export/home /etc/auto.home -nolock,nosuid,noguid,nodev,nobrowse,noxattr --timeout 10

Restart services
root@server> service autofs restart
root@server> service rpcbind start
root@server> service nfs start

Check that autofs is set to start at boot
root@server> chkconfig --list autofs

Make mount points
Make a mount point for each of the mounts listed in the /etc/fstab file.
root@server> mkdir /export/share
root@server> mkdir /export/cifs
root@server> mkdir /export/repos
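Forgetting one of those mkdir commands, or dropping nosuid/nodev from an entry while editing, is easy to do and only shows up at mount time. As an added example (my code, not from this post), here is a small fstab checker that walks every nfs entry, verifies the mount point directory exists and confirms that nosuid and nodev are present, the two hardening options the entries above carry. It takes the fstab path and a root directory to look for mount points under, so it runs against the constructed sample below (modelled on the fstab lines above) as well as against /etc/fstab with an empty root.

```bash
#!/bin/bash
# Added example, not code from the original post: a check for the NFS
# entries in an fstab, doing what the post's steps do by hand. For every
# line of type nfs (or nfs4) it verifies that the mount point directory
# exists (the mkdir step) and that the nosuid and nodev options the post's
# entries carry are present. It takes the fstab path and a root directory
# under which mount points are looked up, so it works on a constructed
# fstab and a temp directory as well as on /etc/fstab with root "".

# check_nfs_fstab FSTAB ROOT
# Prints "OK <mountpoint> <source>" or "PROBLEM <mountpoint> <reasons>" per NFS entry.
check_nfs_fstab() {
    fstab=$1 root=${2:-}
    # fstab fields: source mountpoint fstype options dump pass
    while read -r src mnt type opts dump pass; do
        case $src in ''|'#'*) continue ;; esac          # blank or comment
        [ "$type" = nfs ] || [ "$type" = nfs4 ] || continue
        problems=""
        [ -d "$root$mnt" ] || problems="$problems mountpoint-missing"
        case ",$opts," in *,nosuid,*) ;; *) problems="$problems no-nosuid" ;; esac
        case ",$opts," in *,nodev,*)  ;; *) problems="$problems no-nodev" ;;  esac
        if [ -z "$problems" ]; then
            echo "OK $mnt $src"
        else
            echo "PROBLEM $mnt$problems"
        fi
    done < "$fstab"
    return 0
}

# Constructed sample modelled on the post's fstab (not a real /etc/fstab).
# The cifs entry lacks the hardening options and, below, its mount point.
SAMPLE_FSTAB='# constructed sample
/dev/sda1 / ext4 defaults 1 1
10.12.12.8:/share /export/share nfs noauto,nosuid,nodev,sloppy 0 0
10.12.12.6:/cifs /export/cifs nfs noauto,sloppy 0 0
repos:/linux_repos /export/repos nfs auto,ro,nosuid,nodev,sloppy 0 0'

# make_sample_nfs_env
# Creates a temp root with /export/share and /export/repos (not /export/cifs)
# and writes the sample fstab to ROOT/fstab; prints ROOT.
make_sample_nfs_env() {
    root=$(mktemp -d)
    mkdir -p "$root/export/share" "$root/export/repos"
    printf '%s\n' "$SAMPLE_FSTAB" > "$root/fstab"
    echo "$root"
}

if [ $# -eq 0 ]; then    # demo
    r=$(make_sample_nfs_env)
    check_nfs_fstab "$r/fstab" "$r"
    rm -rf "$r"
fi
```

On a server, run check_nfs_fstab /etc/fstab "" after editing fstab and before the mount step; every PROBLEM line is either a missing mkdir or an option to add.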


Note- make sure any host names used are added to the /etc/hosts file.

After following the steps above everything should be working. Test the configuration by logging in as (or becoming) a user with a non-local home directory. Also try to mount the shares.
root@server> mount /export/share

Check to see if the mount was successful.
root@server> df -h | grep share
Filesystem            Size  Used Avail Use% Mounted on
10.12.12.8:/share  9.8G  1.9G  7.5G  20%   /export/share

Please let me know if you have any questions.


Friday, May 20, 2016

Getting Cut & Paste to work in VNC

Sometimes the ability to use cut and paste stops working between your VNC session and your computer. To get cut and paste working again, just run the following command in the terminal.

root@earth> vncconfig &

The vncconfig command launches the vncconfig utility, which controls the clipboard function needed for cut & paste to work. Just make sure all the check boxes are checked when the vncconfig utility comes up and cut & paste should start working again.

Tuesday, May 17, 2016

Reset Admin account on Security Center


The other day I got locked out of my admin account for the Security Center 5 from Tenable. In order to get back into the system I needed to reset the admin password. Below I show how to reset the admin password on Security Center 5. For this to work you must have elevated privileges, such as root.

Reset the admin account password
root@earth> sqlite3 /opt/sc/application.db "update userauth set password = 'bbd29bd33eb161d738536b59e37db31e' where username='admin';"
This command sets the admin password to the word password.

Clear login failures.
root@earth> sqlite3 /opt/sc/application.db "update userauth set failedLogins='0' where username='admin';"

Unlock the admin account
root@earth> sqlite3 /opt/sc/application.db "update userauth set locked='0' where username='admin';"

After following these steps you will be able to login to the admin account with the password set to password. If you have any questions or comments please post them below.

Thursday, April 28, 2016

Make Money While You Sleep

There are a lot of apps for making money with your smartphone or tablet. It doesn't matter whether you use iOS or Android, money making apps are almost everywhere. Today I want to tell you about an app called Swagbucks TV from Swagbucks. The Swagbucks TV app pays you for watching videos and is available on both iOS and Android.

Well how does it work?
In order to start earning money you need to sign up for an account with Swagbucks. You can use the app to create an account, but I would sign up for an account on the Swagbucks website, because it is easier. The app plays an ad and then plays a video. This continues until you stop the player. The app sometimes puts a cap on how much you can earn a day or in one sitting. After you're signed in to your account you select a category and start a video. The categories are Featured Videos, Recipes (cooking), Entertainment, Fashion, Health, Home and Garden, Music, News, Travel, and Celebrity. If you like watching videos in any of the categories above, great, enjoy making a little money with this app.

How do you make money while sleeping?
Before you go to sleep start playing videos with the app. Turn off the sound and turn down the screen brightness. When you wake up you will have earned some coin. You can also play some videos on your computer from the Swagbucks website as well, if you really want to milk this thing.

Links to apps

Swagbuck TV for iOS
Swagbuck for iOS


Swagbuck TV at Google Play
Swagbuck app at Google Play



Wednesday, April 27, 2016

How to install or upgrade Java in Linux (Updated)

In this blog post I show how to install or update Java from Oracle on a Linux server. Many Linux distros use the OpenJDK version of Java in their operating systems and in their repository. Although the instructions below will still work to install OpenJDK, the focus is on Oracle's version of Java.

When using the Java provided by Oracle, you can download it from Oracle's website or from java.com. From there they give you a choice of downloading rpm or tar files. I prefer to use Red Hat Package Manager (RPM) files instead of the tar files when installing any program.

You can download Java here: www.java.com

Find Java on the system.
root@earth> find / -name java -type f
/usr/java/jre1.7.0_101/bin/java

Note - If you use the which or java -version commands to find Java on your system, they will only show you the system's main java. You may have additional versions installed.

Now take each line of output and paste it at the end of the rpm -qf command. This gives you the name of the rpm package that installed that instance of Java.

root@earth> rpm -qf   /usr/java/jre1.7.0_101/bin/java
jre-1.7.0_101s

If the Java found on the system was not installed via a package, then Java was installed via a tar file. At this point you must decide whether to install the new version of Java with an rpm or a tar file. I recommend the use of the rpm packages to install any programs. If you are installing with an rpm then go to the section titled Installing Java using RPM. If you are using the tar file then skip to the section titled Install Java using a tar file.

Installing Java using RPM
The rpm command can either update an existing package or install a new one.

The documentation on the Java website says to remove/uninstall the old version of Java and then install the new one. I prefer to install or upgrade instead, because any symlinks or application settings that use the system's Java will then be updated to use the newer Java. You can remove the old version afterwards if needed. Otherwise you would have to recreate these items after the install.

Updating Java using RPM 
If you update Java as shown below you will not need to remove the old version, unless you are installing a different major version of Java, for example if you have Java 7 installed and then install Java 8.
root@earth> rpm  -Uvh   jre-7u111-linux-x64.rpm

You can alternately install Java instead.
root@earth> rpm  -ivh   jre-7u111-linux-x64.rpm

Uninstall the old package.
Take the package name from the rpm -qf output above and use the rpm command with the -e option to remove the package.
root@earth> rpm -e  jre-1.7.0_65cs

Note- Do not run the above command for a Java that is part of an application. If the file was in /usr/bin/ you should be fine.

Install Java using a tar file
Change directory to where Java is going to be installed. Usually it will be /usr/java.
root@earth> cd  /usr/java

Note - If you're upgrading Java with a tar file, it is advised to back up the old installation and to remove the previous version. If the old version was installed via a tar then remove the directory. If it was installed with an rpm file use the rpm or yum command to remove the package.

Move the tar file to /usr/java and unpack the tarball to install Java
root@earth> tar  zxvf   jre-7u111-linux-i586.tar.gz

Delete the tar file after you have tested Java and you're done.

Reference:
Java.com

Related posts on this Blog
How to install or upgrade Java in Linux
How to install Java 7 & 8 on Solaris
Access the Java Control Panel
Updating Java on Solaris

If you have any questions or comments please post them below.

Tuesday, April 26, 2016

Manually Update Plugins for your PVS

I had an issue the other day with one of my Passive Vulnerability Scanners (PVS) which is being managed by Security Center. In Security Center the status of one of the PVS scanners showed "Plugin Out of Sync". I tried to push the plugins to the PVS scanner from the Security Center, but I was getting a status error of "Connection timed out".  So basically I was getting a latency issue on the connection. The PVS scanner and the Security Center are in different states, so this may be why there is so much latency. I just built this PVS scanner, so there were just too many plugins to be pushed over the wire by Security Center. To fix this issue, I just manually copied the plugins to the PVS scanner. Then I manually loaded the plugins into the PVS scanner. After I did this, I have not had this issue again.

Follow the instructions below to manually install plugins for the PVS scanner.

1. Login to the PVS scanner.
root@earth> ssh pvs

2. Stop the PVS service.
root@nessus> service pvs stop

3. Load the plugins into PVS.
root@nessus> /opt/pvs/var/pvs --update-plugins  plugins_file.tar.gz 

4. Start the PVS service
root@nessus> service pvs start

5. Login with an admin account to the web interface for the Security Center and check the status of the PVS.

You're done.

If you have any questions or comments please post them below.

Related post on this Blog
Manually Update Plugins on a Nessus Scanner
Reset Admin account on Security Center
How to Reset a Nessus Scanner

Friday, April 22, 2016

Linux User Account Creation & Customization

A Systems Administrator must be able to manage user accounts by adding users, removing users, modifying accounts and setting passwords. In this tutorial, I will be giving you instructions on how to properly create user accounts on Linux operating systems. Creating a user account can be simple, but there are a few complexities to note. As opposed to a graphical user interface (GUI), these instructions use the command line to create the user accounts.

The command line provides an ideal method for account management, because it provides faster account creation, especially when you are creating several accounts on one or more computers. The graphical user interface or GUI on Linux systems can vary greatly from system to system, but the one constant on all Linux operating systems is the command line. The command line (CLI) is a text based user interface used for entering commands for the operating system to decipher. So I will be showing the use of the useradd command, which creates the user accounts, and the passwd command, which sets or changes the user account's password.

Typographical conventions.
The typographical conventions section is meant to help readers better understand what they are seeing. Please read it carefully before continuing.

The courier font is used for names of commands, files, directories, user names, and on-screen computer output; for example:
Use the useradd command to add users to the computer.

The courier bold font is used for characters and numbers you type; for example:
whoami

Courier bold italic is used to represent variables that can change; for example:
passwd bob


Instructions
After each line you type into the command line press the enter key. As explained in the above typographical conventions section, anything displayed in courier bold is typed in the command line and if it is displayed in courier it is the output of the line above. To follow this tutorial open the terminal or xterm program to access the command line. Please refer to the Command & Term Reference guide, for information on commands and terms.

Note - If you don't have access to a Linux computer you can still follow along, using the Linux emulator at, "http://www.tutorialspoint.com/execute_bash_online.php" . Type the commands into the green box on the right.


Method One: Create a user, using default settings.
If you are creating a user account on just one computer, the steps below will work, but if you are creating a user account on more than one computer, use method two or three instead. If the Linux computer is not connected to any other Linux computers on the network then the method shown below will work. This is the best method for users who are novices at using the command line.

Follow the steps below to create a user account for Bob.
1) Create user account for bob
useradd bob

2) Create a password for user account bob.
passwd bob
passwd: Changing password for bob
New Password:
Re-enter new Password:
passwd: password successfully changed for bob

The passwd command sets user account passwords. In the example above it sets the password for user account bob.

Note - If you don't set the password, the user will not have a password and will not be able to log in.

3) Test user account by logging into the computer with the new user account.
su - bob

The su command stands for switch user, and it is used to switch from one user account to another. The - (dash) is an option used with the su command; it allows you to fully switch to the new user account, as if logging in. In order to fully test the newly created user account you must use the su command with the - option, as shown.

4) Verify you are logged in as new user.
whoami
bob

The whoami command displays the name of user currently logged in on the command line. The result of the command should be bob as shown above.

Fun Fact: The whoami command also works on Windows computers.

Creating a user account using this method was pretty easy right? This method is perfect for home users who want to add user accounts to their home PC, for their family and friends. This method is not the way to add users on a corporate network.

Method Two: Creating a user with custom setting.
This method is all about control, and is used when creating user accounts on corporate networks. One positive thing about this method is that you know exactly what is being set. The downside to the method is the high probability of making a typo. This method can be too complicated for less knowledgeable users.

1) Create the user account.
Type the entire line out before you press enter.
useradd -u 900 -g users -G video -c "user account, Jill" -m -d /export/home/jill -s /bin/bash jill

Command Options Explained
-u        Sets user’s UID (Unique Identification Number) to 900
-g        Sets user’s primary group to users
-G        Sets user’s secondary groups to video
-c        Sets a comment for the user. Puts a comment into the /etc/passwd file.
-m        Makes the user’s home directory
-d        Sets the path to the user’s home directory
-s        Sets the user’s shell

One reason to use useradd with all the options listed above is because computers see user accounts as numbers. When we created Jill’s user account we see the account’s name as being jill, but the computer sees the account’s name as 900 or UID (Unique Identification Number) 900. Unless you set the UID by using the –u option the computer will assign the next available UID number which could result in a user having different UID numbers on different computers. This can cause issues with permissions, for example if user Bob has UID 900 on PC number one and Jill has the same UID on PC number two. Jill creates a document and stores it on the network. PC one will see that file is owned by UID 900 and so it will show Bob as the owner. Then Bob can do anything he wants to Jill’s document, including deleting it.
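The Bob and Jill collision above is easy to check for before you run useradd, if you have a copy of /etc/passwd from each computer. As an added example (my code, not part of the original tutorial), here are three small functions: one lists every account already using a UID across the passwd files you give it, one is a yes/no version of that for use in a script, and one finds the lowest UID that is free on all the files at once, so you can pick a -u value that is safe everywhere. The two passwd files are constructed for the demo, with bob on pc1 and jill on pc2 both at UID 900, exactly the situation the paragraph describes.

```bash
#!/bin/bash
# Added example, not code from the original post: the UID collision the
# paragraph above describes, checked before useradd runs. Given copies of
# /etc/passwd from several hosts, it reports every account already using a
# UID and finds the lowest UID that is free on all of them. The passwd
# contents below are constructed for the demo; on real hosts copy each
# /etc/passwd locally first (for example with scp).

# uid_owners UID FILE...
# Prints "filename:username" for each passwd entry in FILE... that has UID.
uid_owners() {
    uid=$1; shift
    for f in "$@"; do
        # passwd fields: name:passwd:uid:gid:gecos:home:shell
        awk -F: -v uid="$uid" -v host="${f##*/}" '$3 == uid { print host ":" $1 }' "$f"
    done
}

# uid_is_free UID FILE...   (exit 0 when no file uses UID)
uid_is_free() {
    [ -z "$(uid_owners "$@")" ]
}

# next_free_uid MIN FILE...
# Lowest UID >= MIN that appears in none of the files.
next_free_uid() {
    min=$1; shift
    cat "$@" | awk -F: -v min="$min" '
        $3 >= min { used[$3] = 1 }
        END { u = min; while (u in used) u++; print u }'
}

# make_sample_passwd_files
# Writes two constructed passwd files, pc1 and pc2, to a temp dir and prints it.
# bob on pc1 and jill on pc2 share UID 900, the situation described in the post.
make_sample_passwd_files() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'bob:x:900:100:Bob:/export/home/bob:/bin/bash' \
                  'alice:x:901:100:Alice:/export/home/alice:/bin/bash' > "$d/pc1"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'jill:x:900:100:Jill:/export/home/jill:/bin/bash' > "$d/pc2"
    echo "$d"
}

if [ $# -eq 0 ]; then    # demo
    d=$(make_sample_passwd_files)
    echo "accounts using UID 900:"; uid_owners 900 "$d/pc1" "$d/pc2"
    echo "next UID free on all hosts: $(next_free_uid 900 "$d/pc1" "$d/pc2")"
    if uid_is_free 900 "$d/pc1" "$d/pc2"; then echo "900 is free"; else echo "900 is taken: do not reuse it"; fi
    rm -rf "$d"
fi
```

In a provisioning script the pattern is: uid_is_free "$uid" passwd.* || exit 1, then useradd -u "$uid" ... on every host, so the same name always maps to the same number.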

Note: For more information on the useradd command and its options, type man useradd into the command line. To exit the man page


2) Set Jill’s password. 
echo jillspassword | passwd -e jill --stdin

In the above series of commands, the echo command sends the word jillspassword to the passwd command, which then sets the user's password to jillspassword. The -e shown in the above example expires the user's password, making the user change it when they next attempt to log in.

Why set the password this way, when the way shown in Method one was easier? This method is a more advanced way to set a user's password. For example, let's say you need to create ten user accounts. If you do what we did in Method one, you will need to type the new user's password in twenty times, two times for each user. On the other hand, if you use the method shown here, you only need to change the username ten times. To save on typing, the rest of the command shown above can be pasted into the command line. This method can also be used in a script, since it doesn't require any additional input from you after you run the command.

3) Repeat steps 3 & 4 from Method one to test the account.

Method Three: Configuring system settings for easier user creation.
In Method three, I will be combining the ease of use of the first method and the completeness of the second. In Method one we ran the useradd command with no options set. The Linux system still used many of the options used in Method two, but set them using system defined defaults. To see these defaults, run the useradd command with the -D option; for example:
useradd -D
GROUP=2001
HOME=/home
INACTIVE=35
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

To change a default system setting, run useradd -D followed by the setting you want to change. In the example below, the default shell is being changed from /bin/bash to /bin/ksh.
useradd -D -s /bin/ksh

To see if the changes took effect, run the useradd -D command again.

Note: The most common things to set are the home directory and the shell.

1) Create user account for Sam
useradd -u 1010 -G 10 -c "user account, Sam" -m sam

Here we have the best of both worlds, the reduced typing of Method one and the precise settings of Method two. Setting the system defaults leaves much less chance of making mistakes. Now only the settings that are unique to the user have to be set.

2) Set Sam’s password, choose the approach used in Method one or Method two.

3) Repeat steps 3 & 4 from Method one to test the account.
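
A batch version of Method three, added here as an example (it is not part of the original paper or post): the useradd -D defaults are assumed to be set already, each account gets only its own uid and comment, and the initial password is generated and fed to chpasswd on stdin so it never appears on a command line or in shell history. The username:uid:comment input format, the DRY_RUN switch and the use of passwd -e (shadow-utils on Linux) are this example's own choices.

```shell
#!/bin/sh
# Batch account creation in the spirit of Method three: set the system-wide
# useradd -D defaults once, then give each account only what is unique to it.
# Input file (constructed format for this example), one account per line:
#   username:uid:comment
# Passwords never appear on a command line or in shell history: chpasswd
# reads them from stdin, and passwd -e forces a change at first login.

# Accept only portable Linux usernames (lowercase, 1-32 chars, no spaces).
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Create every account listed in file $1. DRY_RUN=1 prints the useradd
# commands instead of running them (no root needed). Returns 1 if any
# line was rejected or any useradd failed.
create_users() {
    file=$1
    status=0
    while IFS=: read -r name uid comment; do
        [ -n "$name" ] || continue
        if ! valid_username "$name"; then
            echo "rejected username: $name" >&2
            status=1
            continue
        fi
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf "useradd -u %s -c '%s' -m %s\n" "$uid" "$comment" "$name"
            continue
        fi
        # Group, home, shell and skel all come from the useradd -D defaults.
        useradd -u "$uid" -c "$comment" -m "$name" || { status=1; continue; }
        # Random initial password, shown once so it can be handed over out of band.
        pw=$(head -c 12 /dev/urandom | base64 | tr -d '/+=')
        printf '%s:%s\n' "$name" "$pw" | chpasswd
        passwd -e "$name"
        echo "$name created; temporary password $pw must be changed at first login"
    done < "$file"
    return $status
}
```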

I showed you three variations on creating user accounts with the useradd and passwd commands. For new users on Linux, I suggest Method one. Intermediate to advanced users should use Method two or three, though Method three is the preferred method. I hope this tutorial was informative and you learned something new.

Command & Term Reference Guide

Commands
useradd – command used to create user accounts.
passwd – command used to set user account passwords.
whoami – tells you which user you are logged in as. The id command does the same thing.
su – stands for switch user, and is used to switch between users.
man – stands for manual, used to view system manuals. The manuals are referred to as man pages.
echo – prints whatever you type after it on the next line.
| – this is called a pipe; it takes the output of the command on its left and sends (pipes) it to the input of the command on its right.

Terms
Terminal and xterm: programs that display the command line. The terms xterm, terminal and command line are, for the most part, interchangeable.
Shell: a command-line environment that interprets what you type. Examples of shells are BASH, SH, KSH and CSH.

Conclusion
Well, what did you think? This post is written at a lower level than most of my other posts, because it was originally a paper I wrote for a college class. Method three needs a little more information, so I will write a follow-on post with more detail on how to set the system defaults. Anyway, let me know what you think, and post any questions below.

Related posts on this Blog
Adding a new user to a UNIX based system

References
Man pages: useradd, passwd
My College paper
The Ultimate Guide to Create Users in Linux / Unix


Tuesday, April 12, 2016

A Better Way to Setup SSH Keys

Note - I have a newer version of this how-to. Please click here 

This is a guide on setting up SSH keys for a Linux-based user account. Why set up SSH keys, why not just use your password? SSH keys are considered more secure than passwords for accessing systems, because the server authenticates the user account without your password ever being sent over the network. If the password is not transmitted, it can't be intercepted. This works by identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. Not to mention that if you set up an SSH agent, the agent will handle the challenge-response authentication for you.

This guide does not cover installing or setting up an SSH server. You must have the sshd service running on your servers for SSH keys to work. All the examples are taken from Red Hat or SUSE servers. The ssh-copy-id command will not work on Solaris servers, but all the other commands should work fine.

Create your key pair
The ssh-keygen command will generate a public and private key pair. The keys will be stored in ~/.ssh. The basic command looks like this: ssh-keygen -t [dsa|rsa]. The -t option sets the type of key generated. In the example below I create an RSA key pair.
man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

Make sure you don't use a blank passphrase. Doing so is very insecure: a blank passphrase defeats the purpose of having the extra security of a key-based setup. It is also important to never give out your private key, as that also compromises the security of your account.


The old way of transferring the public key to the remote system.
man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

New way
man@earth> ssh-copy-id user@moon
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
The reason the new way is better than the old way is that ssh-copy-id appends the public key to the authorized_keys file, whereas the old way overwrites the authorized_keys file. Appending allows the account to accept keys from more than one server.

Note- This method will not work on Solaris 10


If your home directory is automounted across a lot of servers, you can append the key to your own authorized_keys file with the cat command.
man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys


You can also use this method if the ssh-copy-id command is not available to you.
man@earth> cat ~/.ssh/id_rsa.pub | ssh man@moon "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
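
The cat >> approach above appends blindly: run it twice and you get the same key twice, and nothing checks that what you pasted is actually a public key or that ~/.ssh has the permissions sshd requires. The following is an added example, not from the original post or from OpenSSH, that does the append idempotently; the target directory argument and the return codes are this example's own conventions, and the key line used for testing is constructed, not real key material.

```shell
#!/bin/sh
# Idempotent replacement for the "cat id_rsa.pub >> authorized_keys" step:
# append a public key only if it is not already present, reject anything
# that is not a single OpenSSH public-key line, and set the permissions
# sshd requires (StrictModes) on ~/.ssh and authorized_keys.

# Return 0 if $1 is one OpenSSH public-key line: key type, base64 blob,
# optional comment.
is_pubkey_line() {
    printf '%s' "$1" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# Add key line $1 to authorized_keys under directory $2 (default ~/.ssh).
# Returns 0 when added, 2 when the key was already there, 1 when rejected.
add_authorized_key() {
    key=$1
    dir=${2:-$HOME/.ssh}
    file=$dir/authorized_keys
    is_pubkey_line "$key" || return 1
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    # Match on type and blob only, so the same key with a different
    # comment is still recognised as a duplicate.
    blob=$(printf '%s' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$file" | grep -qxF "$blob"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$file"
}

# Number of times the key in $1 (type + blob) appears in $2/authorized_keys.
count_key() {
    blob=$(printf '%s' "$1" | cut -d' ' -f1,2)
    cut -d' ' -f1,2 "${2:-$HOME/.ssh}/authorized_keys" | grep -cxF "$blob" || true
}
```

To use it the way the post uses ssh-copy-id, pipe the key through ssh and call add_authorized_key on the remote side with the key line as its argument.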

Setting up the SSH Agent.

man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/man/.ssh/id_rsa (/home/man/.ssh/id_rsa)

Note- Add these commands to the .bashrc file to start an agent automatically when you login to a server. 

There are other ways to set up the agent, such as using the GNOME GUI. If you use VNC, just start your VNC server session in the same terminal you used to start your agent. That way all the terminals launched in your VNC session will use the same agent.

SSH Agent Management
One issue with agents is that you can end up running a lot of them. Run the command below and kill any agents you are not using.

man@earth> ps aux | grep agent
If there is more than one agent running then you should kill the additional ssh-agent.

man@earth> pkill ssh-agent
This will only kill agents owned by the user running the command.

One way to kill your ssh-agents is to add a kill statement to the .bash_logout file.

Reference Section
Manpage ssh-copy-id

Related posts on this site.
How to setup SSH Keys
http://rich-notes.blogspot.com/2013/09/how-to-setup-ssh-keys.html

If you have any questions or comments please post below.

Friday, March 25, 2016

Manually Update Plugins on a Nessus Scanner (Linux)

I had an issue the other day with one of my Nessus Vulnerability Scanners which is being managed by Security Center. In Security Center the status of one of the Nessus scanners showed "Plugin Out of Sync". I tried to push the plugins to the Nessus scanner from the Security Center, but I was getting a status error of "Connection timed out".  So basically I was getting a latency issue on the connection. The Nessus scanner and the Security Center are in different states, so this may be why there is so much latency. I just built this Nessus scanner, so there were just too many plugins to be pushed over the wire by Security Center. To fix this issue, I just manually copied the plugins to the Nessus scanner. Then I manually loaded the plugins into the Nessus scanner. After I did this, I have not had this issue again.

Manually updating the plugins can sometimes also fix a scanner status of "Protocol error". These instructions work on Nessus 5.x and 6.x when managed by Security Center 4.x or 5.x.

Follow the instructions below to manually install plugins for the Nessus scanner on a Linux server. To do this on a Windows computer go here.

1. Login to the Nessus scanner.
root@earth> ssh nessus

2. Stop the Nessus service.
root@nessus> service nessusd stop

3. Remove the scanner from Security Center.

4. Reset the scanner
root@nessus> /opt/nessus/sbin/nessuscli fix --reset
Resetting Nessus configuration will permanently erase all your settings and causes Nessus to become unregistered.
Do you want to proceed? (y/n) [n]: y
Successfully reset Nessus configuration.

5. Connect the Nessus scanner.
root@nessus> /opt/nessus/sbin/nessuscli fetch --security-center
nessusd can now be started, SecurityCenter will upload the plugins

6. Manually copy over the plugins file.
    Copy the plugins tar.gz file from Security Center to the scanner, or download the latest plugins from Tenable.
Note - In Security Center the plugins are located here: /opt/sc/data/plugins

7. Load the plugins into Nessus.
root@nessus> /opt/nessus/sbin/nessuscli update plugins_file.tar.gz

* Update successful. The changes will be automatically processed by Nessus 

8. Start the Nessus service
root@nessus> service nessusd start

9. Login to the web interface for Nessus and wait for the plugin-processing progress bar to complete.
root@nessus> firefox https://localhost:8834

10. Login to the web interface for the Security Center. Add the Nessus scanner back and verify connectivity.

You're done.
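
Steps 2, 7 and 8 are the ones worth wrapping, because step 7 will happily be handed an archive that was truncated during the copy between sites. The following is an added example, not Tenable's tooling or the post's own commands: it checks the archive before calling nessuscli and restarts nessusd around the update. The nessuscli path is the one used above; the log file path and the integrity check itself are this example's assumptions.

```shell
#!/bin/sh
# Wrapper for steps 2, 7 and 8 above: verify the copied plugins archive is
# intact before handing it to nessuscli, and stop/start nessusd around the
# update. The audit log path is this example's own choice.
NESSUSCLI=${NESSUSCLI:-/opt/nessus/sbin/nessuscli}
UPDATE_LOG=${UPDATE_LOG:-/var/log/nessus-plugin-updates.log}

# Return 0 if $1 is a readable, uncorrupted, non-empty .tar.gz. A plugins
# file truncated while copying between sites fails here, not inside Nessus.
check_plugins_archive() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    gzip -t "$f" 2>/dev/null || { echo "$f: gzip integrity check failed" >&2; return 1; }
    [ "$(tar -tzf "$f" 2>/dev/null | wc -l | tr -d ' ')" -gt 0 ] \
        || { echo "$f: not a tar archive, or empty" >&2; return 1; }
}

# Steps 2, 7 and 8 in one go. The reset and fetch steps (4 and 5) are left
# manual on purpose: they wipe the scanner configuration.
load_plugins() {
    f=$1
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    check_plugins_archive "$f" || return 1
    # Record when and which archive was loaded so the change can be audited.
    printf '%s ' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$UPDATE_LOG"
    sha256sum "$f" >> "$UPDATE_LOG"
    service nessusd stop
    if ! "$NESSUSCLI" update "$f"; then
        service nessusd start
        return 1
    fi
    service nessusd start
}
```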

If you have any questions or comments please post them below.

Related posts
Manually Update Plugins for your PVS
Reset Admin account on Security Center