The other day I was trying to log in with a newly created user in CentOS Linux with the United States Government Configuration Baseline (USGCB) security settings applied. The USGCB requires password policies to be enforced (like denying login after 5 failed attempts). However, the login screen does not indicate why I was unable to log in, other than just saying an invalid user name or password. This made understanding the problem a bit difficult, so I consulted the authentication logs found at:
I found the last few lines indicating a problem with excessive failed logins (sorry, I do not have the exact error available), and the PAM module pam_tally2 was to blame. You can discover if this is your issue too by issuing the command:
tail -50 /var/log/secure | grep pam_tally2
This will list the lines with pam_tally2 messages. Look for errors indicating excessive failed logins.
You can then clear the login count (after verifying that there are no security issues with the account) by issuing the following command:
pam_tally2 -r -u USERNAME
Where USERNAME is the logon name of the user that needs his/her failed logon count reset. If you want to view the failed logon counts of the users on your system, issue the following command:
Special thanks to the (uN)Tech blog for this information: http://telinit0.blogspot.com/2009/12/pamtally2-lock-account-after-failed.html
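As an added example (not from the original post), here is a small shell script that performs the same log check over constructed sample lines and reports which users have reached the deny threshold. The message layout is assumed from pam_tally2's "user NAME (UID) tally N, deny M" notice and the sample lines are fabricated, so compare the wording against your own /var/log/secure before relying on the pattern.

```shell
#!/bin/sh
# Added example: find users locked out by pam_tally2 from auth-log lines.
# The log lines below are CONSTRUCTED samples, not real log output.
LOG=${TMPDIR:-/tmp}/secure.sample.$$
cat > "$LOG" <<'EOF'
Jan 10 08:01:02 host sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Jan 10 08:01:02 host sshd[1201]: pam_tally2(sshd:auth): user alice (1001) tally 3, deny 5
Jan 10 08:01:09 host sshd[1201]: pam_tally2(sshd:auth): user alice (1001) tally 6, deny 5
Jan 10 08:02:30 host login: pam_tally2(login:auth): user bob (1002) tally 1, deny 5
EOF

# Print each user whose most recent tally is at or above the deny count.
# $1 is the auth log to scan (on CentOS this is normally /var/log/secure).
locked_users() {
    grep 'pam_tally2' "$1" |
    sed -n 's/.*user \([^ ]*\) ([0-9]*) tally \([0-9]*\), deny \([0-9]*\).*/\1 \2 \3/p' |
    awk '{ tally[$1] = $2; deny[$1] = $3 }
         END { for (u in tally) if (tally[u] >= deny[u]) print u }' | sort
}

locked_users "$LOG"
```

Once you have confirmed the lockout was caused by the user mistyping a password rather than by someone else hammering the account, the `pam_tally2 -r -u USERNAME` command above clears the count.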
Folks, I am a bit sick of hearing “cloud” used as the latest buzzword to describe anything from a simple website hosted on a shared server sitting in a datacenter somewhere to the ability to create virtual servers on demand. (By the way, it is the latter definition that I would consider a cloud, but that is my own opinion.)
Remote server storage has been around for years. We are just not used to it being as easily accessible as it is today with services like Microsoft’s SkyDrive or Google Docs. Never before has it been so easy to copy a couple of gigabytes of data up to a server somewhere and then be able to access it from anywhere. Prior to the technologies behind services like Microsoft SkyDrive, you needed FTP software (hopefully your remote server supported SFTP or another similar secure transfer protocol) to connect to a server somewhere and dump a bunch of files. You also needed to ensure you had enough disk space and that the remote server directory was somewhat secure so the whole world could not easily view those files.
Admin Note: This post is in response to a recent posting I made regarding Google’s wireless collection activities. This “Security Short” provides some brief information on improving the security of PRIVATE wireless systems and is not intended to be used where public access is allowed (i.e. coffee shops, libraries, etc.) unless of course you want to cause havoc for your users and your helpdesk. Consult your operator’s manual for particulars on how to implement these tips, as there are hundreds of manufacturers of wireless equipment. These security tips will not stop a determined attacker. They are meant only to reduce your risk, not eliminate it. A truly secure network is a network powered off. You assume any risk by following the information contained here. Your Mileage May Vary (YMMV), Void Where Prohibited.
One of the things that was mentioned in the Google Wi-Fi incident was the fact that emails and passwords were inadvertently captured. This has me a bit concerned and upset, not at Google, but at the folks who manufacture these wireless access points. I do not want to throw the manufacturers under the bus entirely; I also want to pass some of the blame on to the end consumer.
Folks, you need to read the manual and want to secure your data. If you do not want to secure your data and do not take the appropriate measures to do so, you have no right to complain. YOU are the one broadcasting your data to the world, YOU are the one responsible for your actions…although many will claim they are not, but that is a discussion for another day.
Many manufacturers have made it rather simple to deploy encryption on a wireless network, offering everything from hand-holding in the instructions to a “press this button” feature on the router to enable security. I am not quite sure what more they can do short of sending a tech to your house to configure these things when you buy them.
This incident would not have even made it to page 6 of your favorite newspaper had everyone encrypted their wireless networks. Ok, enough of my soapbox speech. Let me chat a bit about wireless encryption.
Enterprises develop policies for protecting all kinds of assets, both physical and virtual. Some of these policies cover Operations Security or OPSEC. Examples of OPSEC include not displaying your company badge in public or shredding sensitive information. Some of these same policies can be applied at home to protect yourself and family. Let’s take a look at a few OPSEC items.
1. Shred everything that contains information about you. This includes everything with your name and address on it (Personally Identifiable Information or PII). Call me paranoid, but to keep thieves and fraudsters away, you need to protect your information. Purchase and use a good cross-cut shredder as they provide a good level of security. Strip cut shredders make it too easy for the criminally minded to reassemble the pieces and view the original document. Confetti shredders are the ultimate in security. In addition, if you are permitted to burn where you live, shred your documents then burn the scrap. Never send your scraps to a recycler as a determined thief could reassemble the documents if you are a high value target. Throw the scraps in the garbage as a last resort, but make the scraps undesirable to someone wanting to go through them. You could mix them in with used pet litter, old food, or anything else. If you are creative, perhaps using the scraps as mulch would be good as well. Be careful again as scraps in a mulch bed may be a target unless made undesirable.
2. Protect your automatic garage door code while entering it. Be careful of who is around when you openly key your code into the garage door opener. This may sound strange, but “shoulder surfers” could observe your code and use it or give it to someone else to use whenever they please. Whenever I am around someone entering a PIN, password, or other sensitive information, I always step back and turn away from the person. That way they know you are not observing their sensitive information. This is just courteous and should be practiced at ATMs as well. I hate it when someone is just a foot or two away while I am entering my PIN.
3. Keep your valuables locked up and out of sight. This sounds obvious, but I could not tell you how many times I have seen things sitting in the open or even the safe sitting in some observable spot. We all like to show off, but this just tempts those who can’t help themselves. Keep your coins, watches, jewelry, and other valuables locked in a safe and keep the safe in a low traffic area, especially if you hold frequent parties or entertain. I know, this is a common sense OPSEC issue, but people forget.
These are just a few things to keep you safe. More to come in a future post.
Admin Note: This post is in response to a recent posting I made regarding Google’s wireless collection activities. This “Security Short” provides some brief information on improving the security of PRIVATE wireless systems and is not intended to be used where public access is allowed (i.e. coffee shops, libraries, etc.) unless of course you want to cause havoc for your users and your helpdesk. Consult your operator’s manual for particulars on how to implement these tips, as there are hundreds of manufacturers of wireless equipment. These security tips will not stop a determined attacker. They are meant only to reduce your risk. A truly secure network is a network powered off. You assume any risk by following the information contained here. Your Mileage May Vary (YMMV), Void Where Prohibited.
Much of the data that was collected by Google involved the Service Set Identifier (SSID) and Media Access Control (MAC) address. The SSID is essentially the unique name of your wireless access point or hotspot. You can set it to be anything you want. It is advisable to change the default name of your access point. However, there are certain things you should not set your SSID to. For example, do not set your SSID to your last name or business name, address, or any other identifying information. Doing so allows an attacker to know exactly what their target is and the general location of their target.
After you change the SSID to something other than the default, you should disable the broadcast of the SSID. This will prevent the access point from transmitting a beacon essentially saying, “Hey, here I am and my name is…” Just ensure that you remember your SSID should Microsoft Windows, or any other operating system for that matter, conveniently forget it. It should be noted that I have experienced cases where disabling the SSID broadcast causes havoc on the network and certain network devices will not find each other (including computers and access points), so use with caution. If your network comes to a grinding halt after implementing this, you may need to restart all wireless equipment and/or re-enable SSID broadcasting (make sure you do not do this during production hours, otherwise you will have some users very angry with you). YMMV.
While disabling the broadcast of the SSID does not make your system immune from the determined wardriver, it will at least prevent the casual person from finding the access point. (Please note that disabling the SSID broadcast does not make your network invisible to certain tools / software packages.)
For detailed instructions on securing your wireless router by make / model, please check out this awesome site: http://portforward.com Click the OTHER GUIDES tab at the top then scroll down and find the link on the right labeled “Wireless Network Security Guides” or click here: