I’m looking to create an account similar to a Domain Admin, but without access to domain controllers. In other words, this account will have full Administrator rights to any client machine in the domain, be able to add machines to the domain, but have only limited user rights to the servers.

This account will be used by a person in an end-user tech support kind of role. They should have full access to client machines for installing drivers, applications, etc… but I don’t want them on the servers.

While I could probably throw something together myself via policy, it’ll probably be messy so I figured I should ask: What’s the proper way to go about this?

We do something similar to this in our remote offices. First, create a group for the psuedo-admins in the domain. In AD, delegate control to the OU’s they may need to manage (create/delete accounts, or maybe just reset passwords, or nothing at all).

Then use Group Policy to add your group to the local administrators group on the workstations and servers using Computer\Windows Settings\Security Settings\Restricted Groups. Do not deploy this policy to the Domain Controllers OU or the OUs containing your servers.

This obviously depends on having a AD configured in a manner to separate the client systems from the servers.

Check more discussion of this question.

Is there any reason why I would want to have

iptables -A INPUT -j REJECT

instead of

iptables -A INPUT -j DROP

As a general rule, use REJECT when you want the other end to know the port is unreachable’ use DROP for connections to hosts you don’t want people to see.

Usually, all rules for connections inside your LAN should use REJECT. For the Internet, With the exception of ident on certain servers, connections from the Internet are usually DROPPED.

Using DROP makes the connection appear to be to an unoccupied IP address. Scanners may choose not to continue scanning addresses which appear unoccupied. Given that NAT can be used to redirect a connection on the firewall, the existence of a well known service does not necessarily indicate the existence of a server on an address.

Ident should be passed or rejected on any address providing SMTP service. However, use of Ident look-ups by SMTP serves has fallen out of use. There are chat protocols which also rely on a working ident service.

Check more discussion of this question.

Is it still considered a ‘port scan’ to have scripts trying to SSH in with a list of common account names or trying multiple passwords for ‘root’ or ‘mail’ (or similar)? I’m hoping to find a way to block these but I’m at a loss as to what to search for.

When I imagine the term port scan I think of using NMAP (or equivalent) to find what’s open in iptables. Just curious if this falls under the same category.

Some of my systems are logging several thousand per day. It’s annoying.

Systems are all CentOS / RHEL.

EDIT: iptables ‘limiting’ looks v promising. In the end I may have to setup a VPN for all the valid traffic and use something like ‘fail2ban’ on my public servers.

The search term you need here is probably something like “block failed ssh login attempts” or “block brute force ssh” or even “stop malicious ssh logins”.

A very popular tool to stop these is fail2ban. It can watch your logs for failed SSH login attempts and block the offending IP after a number of failures for a certain amount of time.

Some other tips to beef up your SSH security:

1. Disable direct root login if you haven’t already.
2. Disable password authentication and use public key authentication instead.
3. Use a non-standard port. You could use something like 2222 or preferably something even less obvious.
4. Block failed attempts using fail2ban.
5. Implement port knocking. This is perhaps a bit overkill but if implemented it can bring your failed login attempts down to essentially zero.

Check more discussion of this question.

A new RedHat EL5.6 server has been recently put under my care. It is immediately obvious that, for the previous 12 months, little to no attention has been given to any sort of package updates.

Typically I am of the mindset of if it isn’t broke – don’t fix it. However, after registering the server with RHN, and also using the yum-security plugin to check security updates, there are just over 1100 “security” updates available.

Has anybody had a similar situation? I am reluctant to just update everything, as I like to know what is being updated and whether or not it has the potential to impact anything running on the box (this is a production server). However, it also looks like keeping in line with this practice would require me to go through 1100 package errata line by line. Is there a more efficient solution?

Generally speaking speaking security updates are considered to be somewhat safe, particularly for a distribution with goals like RedHat. Their core focus is creating an operating environment that is consistent. As such the maintainers tend to pick versions of packages and stick with them for the long haul. To see what I mean look at the versions of such packages like kernel, python, perl, and httpd. What they also do is backport security patches from the upstream developers. So if a security vulnerability is found for all versions of Apache httpd 2.2.x then the Apache foundation may release version 2.2.40 with the fix, but RedHat will roll the patch locally and release httpd-2.2.3-80 with the fix.

Also keep in mind that you’re currently talking about a RHEL5.7 system, the current release is 5.9. Some software vendors will only support certain subreleases. I’ve recently come across one piece of software, for example, that the vendor says only works on 5.4. That doesn’t mean it won’t run on 5.9, but it may mean that they won’t provide any support it if doesn’t work.

There are also concerns with doing mass updates of a system that hasn’t been patched in such a long time. The biggest one that I’ve come across is actually more of a configuration management problem that can just be exacerbated by big updates. Sometimes a config file is changed but the administrator never restarts the service. This means that the config on disk has never been tested, and the running config may no longer exist. So if the service gets restarted, which will happen once you apply the kernel updates, it may not actually restart. Or it may act different once it restarts.

My advice, would be to do the updates, but be smart about it.

• Plan it out during a maintenance window. If nothing else the server will require restarting, there have been a number of kernel updates and you will have to reboot to apply them.
• Make sure to take a full backup before doing anything. This could be snapshotting, if this is a VM, triggering a full backup on whatever your tool is, tarring up / (to another system), taking a dd image of the drives, whatever. Just so long as it’s something you can restore from.
• Plan out how you apply the updates. You don’t want to just throw a yum update -y at it and walk away. For all of the good things that yum does do it does not order when it applies updates according to the dependencies. This has caused problems in the past. I always run yum clean all && yum update -y yum && yum update -y glibc && yum update. That tends to take care of most of the potential ordering issues.

This may also be a great time to replatform. We’ve had RHEL6 for quite a while now. Depending on what this server does, it may make sense to just let this one run as is while you bring up a new instance in parallel. Then once it’s installed you can copy all the data over, test the services, and perform the cut over. This will also give you the chance to know, from the ground up, that the system is standardized, clean, well documented, and all that jazz.

No matter what you do, I feel it’s pretty important that you get yourself up to a current system. You just need to make sure to do it in a way that lets you trust your work and the finished product.

Check more discussion of this question.

I am a programmer, but the company I am working for has been growing and has outgrown the 2 man IT contractor team that has been servicing us.

We are looking into several different solutions for our IT needs now (smallish company 30 computers, 3 servers).

I have been presented with a proposal from an IT company for a Tech Audit. The problem is I don’t know if they are covering all of the bases that they should, and if they are quoting us a reasonable price.

Here is a list of what they say is included in their tech audit:

IT Roadmap and Budget Plan

• Immediate needs
• Short term needs
• Long term needs

Network information

• Visio diagram of complete network
• IP addresses
• DHCP
• Router
• Firewall
• Switches
• Server Access
• VPN / Remote Access
• DNS
• Wireless Connectivity
• Website

Asset Inventory

• Server (Warranty)
• Application (email, line of business applications databases, accounting
• Desktops
• Storage
• Software licensing and renewals
• Printers / Toner

Security

• Compliant with IT standards
• Antivirus
• Password Policies
• Windows updates
• Encryption
• Physical Access
• Content Filter

Backups and Disaster Recovery

• Backup System
• Test / restore
• Recovery point Objectives
• Recovery time objectives
• UPS / battery backups

Telco and Phone System

• Internet Provider
• Bandwidth speed
• Phone system

I know what most of those are and I think they need to be checked but some of them I’m sorta in the dark on. Like ‘Compliant with IT standards’ — what IT standards? Where would be best to look those up?

Finally they say that to do this they will charge us $3500. That’s a decent amount of change for a company our size.

So is that a fair price for the services listed?

Are there any glaring omissions from this list that should be included?

Is there anything that I should be aware of when determining if this company would be a good fit for our IT needs?
(The tech audit would be a precursor for them becoming our permanent IT provider.)

I suspect this question is out-of-scope for Server Fault, since it’s really about scoping the delivery of IT services. Having said that, the scope seems reasonable (if a little “sales-ey”– “IT Standards”… heh heh). The scope seems inclusive enough to show that this isn’t this company’s first rodeo (or, alternatively, that they bought some rather inclusive sales template documents).

I couldn’t comment on pricing w/o knowing more about the metes and bounds of your infrastructure. It doesn’t seem out of line, just off the cuff. It depends on how much “stuff” you have and how thorough they’re going to be. Whether or not the report will be of use to you is probably more of a good factor to assess the value for the price paid.

I would ask to see a sample report that has coverage for all of the areas they intend to cover for you. (I prepare a sample for every type of report / audit that I provide as part of developing the “product” and I find it to be a handy “sales” tool.) This will give you an idea of how thorough they’re planning on being (and gives you a standard to hold them to when you get your report).

I would evaluate the sample report to see if it is helpful as a standalone resource. If it doesn’t provide sufficient detail to be worth the cost then I’d be wary of purchasing the offering they’re proposing. I don’t think it’s sensible to pay them for delivering a service if, ultimately, the service only helps them scope the “opportunity” with you and doesn’t give you an actionable resource. I’ve seen “managed IT services” firms use reports like this as a way to start a contractual service arrangement. If it’s being “sold” as a report to you with usefulness that stands on its own, and not as just part of the contract fees for starting an IT support contract with this provider, I’d be very, very sure that the sample report stands up as being a useful resource on its own (and, if it doesn’t, I would immediately be suspicious of the “character” of the provider).

When I prepare audits for prospective Customers I impress upon them that my report can be taken to any vendor of IT services as part of a Request for Proposal. I think that’s the only honest way to do it. I write my report hoping that I’m going to be the future vendor to act on the report’s recommendations, but I don’t assume it. I prepare most of my reports as work-for-hire, with the Customer “owning” the report’s “intellectual property” after they pay for the report. You should find out what the license you’re going to receive is like to determine if you can redistribute, “remix”, or otherwise make use of the report for your own purposes.

IT services is a largely unregulated industry, and although there have been various attempts at “standardizing” the methodology and delivery of IT service provision (ITIL, etc), there is really no guarantee that any provider is going to follow any particular methodology or reporting standard. The onus is on you, as a consumer of IT services, to assess how applicable the services are to your needs.

Check more discussion of this question.

I used:

usermod -L myUser

to disable the password for this account. Assuming that I don’t know the password how do I check that it has been disabled.

According to the man page it places ! in the front of the encrypted password, but I don’t know how to check that either.

You can use the passwd utility to look at the status of the user’s password entry

passwd -S user
user LK 2012-11-06 0 99999 7 -1 (Password locked.) (CentOS)
user L 01/22/2013 0 99999 7 -1 (Ubuntu)

The LK as well as the (Password Locked) text indicate a locked password entry on CentOS and L indicates a locked password entry on Ubuntu.

You can also use getent to read the shadow database

getent shadow user
user:!$6$ic7iX.Q2$q9K5gi5pOb...TJlhAIoKVJfAybADtv80:15650:0:99999:7:::

or you can just look at the shadow file yourself

grep user /etc/shadow
user:!$6$ic7iX.Q2$q9K5gi5pOb...TJlhAIoKVJfAybADtv80:15650:0:99999:7:::

Check more discussion of this question.

When checking the logfiles of some of my customers I found this as username for authenticated users. We have a .htusers file used for basic web auth, all other users in the serverlog I found in the .htusers, but not the @^Y@.@{phqsp~{2'/2|pq{jvk@-1('@lvo)&1--1.(/1)'@./* user.

Server version is 2.2.22 on 64b Opensuse 12

First question: was this user able to receive the content protected by the .htusers file?

Next one: anyone having more information about this break-in attempt? I found nothing on Google except lots of access-logs from all over the world.

Edit:
Just to add the logentries:

x.y.z.x - @^Y@.@{phqsp~{2'/2|pq{jvk@-1('@lvo)&1--1.(/1)'@./* [06/Jan/2013:16:53:16 +0000] "GET xxxxxxxxxxxxxxx HTTP/1.1" 200 676 "xxxxxxxxxxxxxxx" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"

x.y.z.x - @^Y@.@{phqsp~{2'/2|pq{jvk@-1('@lvo)&1--1.(/1)'@./* [06/Jan/2013:16:53:16 +0000] "GET xxxxxxxxxxxxxxx HTTP/1.1" 200 523 "xxxxxxxxxxxxxxx" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"

x.y.z.x - @^Y@&@{phqsp~{2'/2|pq{jvk@-1('@lvo)&1--1.(/1)'@./* [06/Jan/2013:16:57:47 +0000] "GET xxxxxxxxxxxxxxx HTTP/1.1" 200 11 "xxxxxxxxxxxxxxx" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"

I think there’s some bad news if the xxxxxx’ed-out ressources are located in the protected area. The http status code 200 in your logs tells that your server has happily sent out the ressource to the client x.y.z.x. If basic-auth had failed in any way, a 401 (forbidden) would have been returned instead.

The number next to the 200 tells you how many bytes have been sent in the answer. Check if the ressources behind the xxxxxx’es are actually 676, 523 and 11 bytes in size for another hint if the data was successfully accessed.

Update / Solution:

As it turned out in the comments, the mentioned accesses were to ressources in unprotected areas, thus resulting in http status code 200 (OK). The confusing fact that a unknown user name is shown in the logs is due to the possibilty to set the “Authorization” header in a http request regardless of whether authorization was requested by the server at all or whether the username is known on the server. So apparently this is the work of some webcrawler or bot having set the auth header by default. Maybe innocent, maybe not, but obviously not as harmful as it seems at a first glance to the logfile.

Check more discussion of this question.

ls -l /etc/passwd

gives

$ ls -l /etc/passwd
-rw-r--r-- 1 root root 1862 2011-06-15 21:59 /etc/passwd

So an ordinary user can read the file. Is this a security hole?

Actual password hashes are stored in /etc/shadow, which is not readable by regular users. /etc/passwd holds other information about user ids and shells that must be readable by all users for the system to function.

Check more discussion of this question.

I have a server running Debian 6.0 with logcheck installed.
Yesterday ago, I received this message:

Jan 19 19:15:10 hostname sshd[28397]: Authentication tried for root with correct key but not from a permitted host (host=4.red-2-140-77.dynamicip.rima-tde.net, ip=2.140.77.4).

I don’t know who this is and I doubt he was there by accident.

Now, what should I do?

First thing I done was disable ssh password authentication and switched to public/private key. I also check the authorized_keys file and saw only my public key

What next?

How can I know what the other guy did on my machine?

I believe this is a bug That has been hanging around for far too long which is fixed in later versions (6.0p1).

It should be fairly easy to verify this by trying to connect to the system yourself from a host that would be restricted, using a different key and seeing what messages you get.

Check more discussion of this question.

I’m trying to find a sendmail.mc that allows open relaying without username/password to any system (im testing some code that uses SMTP).

Google’d, could not find and it has been a long while since I modified sendmail config!

(it’s a private system for temporary use)

Thanks in advance

Try

FEATURE(promiscuous_relay)

According to the doco,

By default, the sendmail configuration files do not permit mail
relaying (that is, accepting mail from outside your local host (class
{w}) and sending it to another host than your local host). This
option sets your site to allow mail relaying from any site to any
site.

Check more discussion of this question.