Showing posts with label Linux.

Wednesday, December 4, 2024

Taming Runaway tmux Sessions and Keeping Your Scans Smooth

This post tackles a common issue encountered during vulnerability scans with Tenable.sc (formerly Security Center). It addresses the problem of lingering tmux sessions that can hinder login attempts and system responsiveness.

The Problem

Recently, a critical plugin (21745) triggered on a Red Hat Enterprise Linux 8 (RHEL 8) system during a Tenable.sc scan. The scan user account wasn't locked out, but SSH login attempts hung indefinitely even though the system logs showed a successful login. A reboot temporarily resolved the issue, but it kept recurring.

The Culprit: Unclosed tmux Sessions

Tenable.sc leverages tmux, a terminal multiplexer, to manage multiple connections during a scan. When a connection is established, tmux typically creates a session. The problem arose when these tmux sessions weren't being automatically closed after the scan completed. This led to a situation where the scan user ended up with thousands of orphaned sessions, causing login issues.


Fixing the Runaway Sessions


1. Automatic Cleanup

  • Edit the system-wide tmux configuration file ( /etc/tmux.conf ).
  • Add the line set -g destroy-unattached on to the configuration file. This instructs tmux to destroy a session as soon as no client is attached to it.
  • To implement this change, append the line as root. Note that sudo echo "..." >> /etc/tmux.conf does not work, because the redirection is performed by the unprivileged shell rather than by sudo; piping through sudo tee -a does the append with root privileges:
scanuser@remotesystem> echo "set -g destroy-unattached on" | sudo tee -a /etc/tmux.conf

2. User-Specific Control (Optional)

  • This approach excludes the designated scan user ( scanuser ) from the automatic tmux launch at login while leaving it in place for every other account.
  • Create a custom shell script ( /etc/profile.d/custom.sh ) with the following content:

if [ "$USER" != "scanuser" ]; then
  if [ "$PS1" ]; then
    parent=$(ps -o ppid= -p $$)
    name=$(ps -o comm= -p $parent)
    case "$name" in
      (sshd|login) exec tmux ;;
    esac
  fi
fi

This script runs at every login. For any user other than scanuser with an interactive shell ($PS1 set) whose parent process is "sshd" (an SSH login) or "login" (a console login), it replaces the shell with tmux; the scanuser account is skipped, so the scanner's connections no longer spawn tmux sessions.

Understanding the Tools

tmux: An open-source terminal multiplexer that allows managing multiple terminal sessions within a single window. You can split your terminal into different panes, detach from sessions, and reattach later, similar to the "screen" application.

Tenable Plugin 21745: This is an informational plugin that gathers and displays information from other plugins, triggered in this instance due to potential login failures.

Additional Resources

By implementing these solutions, you can ensure that your Tenable.sc scans run smoothly without encountering issues caused by lingering tmux sessions.

Thursday, October 19, 2023

Login hangs for scanning account

The Problem

I ran into this issue the other day. Tenable.sc (formerly Security Center) was reporting a hit on plugin 21745 for a Red Hat Enterprise Linux 8 (RHEL 8) system. I checked on the account used on the systems for scanning and it wasn't locked out or anything. When I tried to SSH into the system with the credentials, it would just hang. The system logs showed "login successful". When I rebooted the system I was able to log in normally again, but the problem would come back eventually.

The Cause

When the Nessus scanner connects to a system it is scanning, it makes several connections to the host. Each connection starts a tmux session. The problem is that the tmux sessions were not being closed after the Nessus scanner disconnected from the system. It turned out that the account used for security scanning had around 2,000 tmux sessions running.

The Fix

Add "set -g destroy-unattached on" to the /etc/tmux.conf file. Note that sudo echo "..." >> /etc/tmux.conf does not work as intended, because the redirection is performed by the unprivileged shell rather than by sudo; piping through sudo tee -a appends the line with root privileges.

scanuser@remotesystem> echo "set -g destroy-unattached on" | sudo tee -a /etc/tmux.conf

This appends the line "set -g destroy-unattached on" to the /etc/tmux.conf configuration file. With it set, tmux destroys a session as soon as no client is attached to it.


Another Fix

Set system-wide rules for tmux on the affected systems so that the account used by the Nessus scanner is excluded from the automatic tmux launch at login. Put the following in /etc/profile.d/custom.sh:

if [ "$USER" != "scanuser" ]; then
  if [ "$PS1" ]; then
    parent=$(ps -o ppid= -p $$)
    name=$(ps -o comm= -p $parent)
    case "$name" in
      (sshd|login) exec tmux ;;
    esac
  fi
fi
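
Both this post and the December 2024 post above depend on the scan account no longer piling up tmux sessions. As an added check (example code, not from either post), the following counts tmux server processes per account from ps output and flags accounts over a threshold, so you can confirm the cleanup took effect before the next scan. The sample ps lines are constructed, and the threshold of 50 used in the live command is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not the post's code): detect accounts with runaway tmux
# sessions from `ps -eo user=,comm=` output. Sample input is constructed.
SAMPLE_PS='scanuser tmux: server
scanuser tmux: server
scanuser tmux: server
alice tmux: server
alice bash
root sshd'

# tmux_count_by_user: stdin = "USER COMM" lines as printed by ps -eo user=,comm=
# (the tmux server names itself "tmux: server"). Prints "USER COUNT", one line
# per account that owns at least one tmux process, sorted by user.
tmux_count_by_user() {
    awk '$2 ~ /^tmux/ { n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# over_threshold N: stdin = "USER COUNT"; prints users whose count is >= N.
over_threshold() {
    awk -v t="$1" '($2 + 0) >= (t + 0) { print $1 }'
}

# sample_runaway: runs the pipeline over the constructed sample with threshold 3.
sample_runaway() {
    printf '%s\n' "$SAMPLE_PS" | tmux_count_by_user | over_threshold 3
}

# Live check on a real host (any user can run it; the threshold is arbitrary):
#   ps -eo user=,comm= | tmux_count_by_user | over_threshold 50
```

Run the live pipeline from cron or as a Nessus compliance-style check after the /etc/tmux.conf and /etc/profile.d changes; a non-empty result means sessions are still being orphaned for that account.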

Defs

tmux is an open-source terminal multiplexer for Unix-type systems. Multiple terminal sessions can be accessed simultaneously by splitting the terminal into different screens. It can also detach remote sessions and reattach them later, similar to what the screen application does.
 
Tenable Plugin: a plugin is a script deployed by the Nessus scanner to check for security vulnerabilities. In this case plugin 21745 is an informational plugin; it displays information gathered by other plugins. This plugin is triggered (displayed) whenever a login failure occurs.

Other useful links

Tmux Cheat Sheet & Quick Reference
https://tmuxcheatsheet.com/
A beginner's guide to tmux
https://www.redhat.com/sysadmin/introduction-tmux-linux

Tuesday, March 7, 2023

Setup SSH Keys with Agent

This guide covers setting up SSH keys with an SSH agent for automatic login to Linux-based systems. Why set up SSH keys, why not just use your password? SSH keys are considered more secure than passwords for accessing systems, because the server authenticates the user account without your password ever being sent over the network. If the password is not transmitted, it can't be intercepted. This works by identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. When you set up an SSH agent, the agent handles the challenge-response authentication for you.

This guide is not for installing or setting up an SSH server. You must have the sshd service running on your system in order to follow along with this guide. All the examples are taken from a Red Hat system. In the following examples, earth is the name of the local system and moon is the remote system.

Create your key pair

The ssh-keygen command generates a public and private key pair. By default the keys are stored in the user's home directory under ~/.ssh/. The basic command looks like this: ssh-keygen -t [dsa|rsa]  The -t option sets the type of key. In the example below I create an RSA key pair. The command also sets a passphrase; think of this like setting a password. Make sure you remember the passphrase, because you will use it instead of the password when logging into the remote system (moon).
man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

It is important to protect your private key, so don't share it.

Note- Do not leave the passphrase blank. Doing so is bad security practice, because it defeats the purpose of the extra protection SSH keys provide and makes the system less secure. If you have already done this, just rerun the command and add a passphrase.

Install Public Key on Remote Host

You install the public SSH key by copying or appending it to the authorized_keys file on the remote host. This file is also located in the user's home directory, under ~/.ssh/. On most systems you can use the ssh-copy-id command, which I cover in Method 1. Methods 2 and 3 show workarounds for when the ssh-copy-id command is not available.

Method 1 - Use The ssh-copy-id Command

The easiest way to install the public key on a remote SSH server is to use the ssh-copy-id command. To use the command, type "ssh-copy-id <remote host>". This command appends the public key to the authorized_keys file on the remote host. If the file doesn't exist it will be created.
In the example below "moon" is the name of the remote host.
man@earth> ssh-copy-id moon
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

This is the best way to copy over the public key, because ssh-copy-id creates the .ssh/authorized_keys file if it doesn't exist and appends the public key to it, whereas other methods may overwrite the file. Appending allows the account to accept keys from more than one system.

Note- This method will not work on some systems, such as Solaris 10.

Method 2 - Manually Copy the Key File

This method uses the scp command to copy the public key to the remote server. Before the ssh-copy-id command came about, this was the way it was done. The copy will fail if .ssh/authorized_keys doesn't exist on the remote system; if this happens, just log in with your password, create the file, and try again. The main downside to this method is that it overwrites the authorized_keys file.
man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

Alternately you can get around this by doing this instead. The command below mimics what the ssh-copy-id command does. It creates the .ssh directory if it doesn't exist and appends the contents of the key to the authorized_keys file.
man@earth> cat ~/.ssh/id_rsa.pub | ssh man@moon "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Method 3 - If You Automount Your Home Directory

If your home directory automounts across a lot of servers, then you can just append the contents of the public key to the authorized_keys file. This method can be a lot faster than the others. For example, if you have 100 hosts you need to connect to, you only need to run the command once to cover all of them, instead of running 100 copy commands. Again, this only works if the hosts you're connecting to automount the same home directory that the SSH keys are on.

You can copy it over with the cat command.
man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
The other methods will still work if you prefer them to this one. 
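
The three methods above differ mainly in whether they append or overwrite, and none of them sets the permissions sshd checks on ~/.ssh and authorized_keys. The following is an added example (not the post's own code) that installs a key the way ssh-copy-id does, but skips keys that are already present and fixes the permissions; paths are passed as arguments so it can be tried on a scratch directory, and the remote helper is the Method 2 one-liner with a umask and chmod added.

```shell
#!/bin/sh
# Added example (not the post's code): idempotent authorized_keys install with
# the permissions sshd's StrictModes expects (~/.ssh 700, authorized_keys 600).

# install_pubkey PUBKEY_FILE [AUTHORIZED_KEYS]
#   Prints "added" if the key was appended, "present" if it was already there.
#   Returns 1 if PUBKEY_FILE contains no line shaped like a public key.
install_pubkey() {
    pub="$1"
    auth="${2:-$HOME/.ssh/authorized_keys}"
    dir=$(dirname "$auth")

    # A public key line is "<type> <base64-blob> [comment]"; take the first one.
    line=$(awk 'NF >= 2 && $1 ~ /^(ssh-|ecdsa-|sk-)/ { print; exit }' "$pub")
    [ -n "$line" ] || return 1
    # Compare on type and key material only, so a changed comment is not a new key.
    key=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')

    # sshd ignores the file when the directory or file is group/world writable.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    if awk -v k="$key" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth"; then
        echo present
    else
        printf '%s\n' "$line" >> "$auth"
        echo added
    fi
}

# remote_install_pubkey HOST [PUBKEY_FILE]
#   Method 2's append one-liner, with the directory created under umask 077
#   and the file mode fixed, so a fresh account on HOST accepts the key.
remote_install_pubkey() {
    host="$1"
    pub="${2:-$HOME/.ssh/id_rsa.pub}"
    ssh "$host" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys' < "$pub"
}

# Usage on the local (Method 3, automounted home) case:
#   install_pubkey ~/.ssh/id_rsa.pub
# Usage against a remote host (Method 2 replacement):
#   remote_install_pubkey moon ~/.ssh/id_rsa.pub
```

Because install_pubkey matches on the key material rather than the whole line, re-running it after you change the comment on your public key does not create a duplicate entry, which is what makes it safe to put in a provisioning script.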

Setting up the SSH Agent



At this point, when you log in to a remote host you are prompted for the SSH passphrase instead of the password. To automate the login process it is recommended to set up an SSH agent. Luckily, setting up an SSH agent is easy. The agent holds the passphrase for the user and presents it when prompted.

There are some considerations when running an SSH agent. If a GUI such as GNOME is installed on the system, the window manager may run the agent for you. This is by far the easiest way to set up an agent. If the window manager handles SSH keys, you are prompted with a GUI text box for the passphrase the first time you SSH to a remote host. Once you enter the passphrase, the GUI runs the SSH agent system-wide for the user currently logged into that account. This lasts until the system is rebooted or the user logs out.

You can also run the agent from within a terminal or shell. When you run an agent from the terminal it only works from that terminal, not system-wide as it does when the GUI manages the agent.

To start an SSH agent in a terminal, run the commands shown below.
man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/man/.ssh/id_rsa (/home/man/.ssh/id_rsa)

Note- Add these commands to the .bashrc file to start an agent automatically when you open a terminal emulator.

If you use VNC, start your VNC server session from the same terminal you used to start your agent. That way all the terminal emulators launched in your VNC session use the same agent.


SSH Agent Management

One issue with agents is that you can end up running a lot of them, because an agent does not stop when the terminal that started it closes. Run the command below and kill any agents you are not using.

man@earth> ps aux | grep agent
If there is more than one agent running, kill the additional ssh-agent processes.

man@earth> pkill ssh-agent
This only kills agents owned by the user running the command.

One way to kill your ssh-agents is to add a kill statement to the .bash_logout file.
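
Starting a fresh agent from .bashrc is what produces the pile of agents described above. An alternative, shown here as an added example (not the post's own code), is to save the first agent's environment to a file and have every later terminal reuse it, starting a new agent only when the saved one is gone. The file location ~/.ssh/agent.env is an assumption of this example.

```shell
#!/bin/sh
# Added example (not the post's code): one ssh-agent per user, reused across
# terminals via a saved environment file, so leftover agents never accumulate.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# agent_alive: succeeds only if SSH_AUTH_SOCK names an existing socket and an
# agent answers on it. ssh-add -l exits 2 when it cannot reach an agent
# (0 = identities loaded, 1 = agent running but holding no keys).
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
    [ "$?" -ne 2 ]
}

# start_or_reuse_agent: source the saved environment; if that agent is gone,
# start a new one (file written under umask 077 so only the user can read the
# socket path and pid) and save its environment. Then add the key only when
# the agent holds no identities yet, so the passphrase is asked for once.
start_or_reuse_agent() {
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
    fi
    if ! agent_alive; then
        mkdir -p "$(dirname "$AGENT_ENV")"
        (umask 077; ssh-agent -s > "$AGENT_ENV")
        . "$AGENT_ENV" >/dev/null
    fi
    ssh-add -l >/dev/null 2>&1 || ssh-add
}

# In ~/.bashrc, replace the bare eval `ssh-agent` / ssh-add pair with:
#   start_or_reuse_agent
```

With this in place, "ps aux | grep agent" shows a single ssh-agent per user no matter how many terminals are open, and the kill statement in .bash_logout becomes optional: logging out leaves one agent behind, which the next login picks up again.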

Reference Section
Manpage ssh-copy-id





Wednesday, November 21, 2018

Fix RPM Database finding for UEFI file types

I ran into an issue the other day when I was hardening a server. I couldn't change the file permissions on a few files to what the RPM database says is the default. This was in regard to the /boot/efi files, or UEFI file types.

This is the check: rpm -Va

The security rule: RHEL-07-010010 "The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." Basically, the check is to ensure the files have the default file permissions or less permissive ones.
 
The same fix also applies to Red Hat 6 rules:
RHEL-06-000516, RHEL-06-000517, RHEL-06-000518, RHEL-06-000519

The Fix

Add the line below to /etc/fstab
UUID=####       /boot/efi     vfat umask=0177,shortnames=winnt  0 0

Unmount and remount /boot/efi
root@earth> umount /boot/efi
root@earth> mount /boot/efi
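
To confirm the fstab change cleared the finding, the rpm -Va output has to be read: each line starts with nine attribute flags (S M 5 D L U G T P), where M marks a mode mismatch, U an owner mismatch and G a group mismatch. The following added example (not the post's code) parses that output, keeps only the ownership and permission findings the STIG rule cares about, and splits the /boot/efi entries (fixed by the vfat umask above) from anything else that still needs attention. The sample rpm -Va lines are constructed.

```shell
#!/bin/sh
# Added example (not the post's code): triage `rpm -Va` for RHEL-07-010010.
# Constructed sample in the shape rpm -Va prints: 9 flag characters, an
# optional file-type letter (c = config, d = doc), then the path.
SAMPLE_RPMVA='.M.......    /boot/efi/EFI/redhat/grubx64.efi
.M....G..    /boot/efi/EFI/BOOT/BOOTX64.EFI
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/example-tool
.......T.  d /usr/share/doc/readme
missing     /var/lib/example/state'

# ownership_findings: stdin = rpm -Va output; prints "<flags> <path>" for
# entries whose mode (M, position 2), owner (U, 6) or group (G, 7) differ.
# "missing" lines carry no flags and are skipped.
ownership_findings() {
    awk '$1 != "missing" && NF >= 2 {
            f = $1
            if (substr(f, 2, 1) == "M" || substr(f, 6, 1) == "U" || substr(f, 7, 1) == "G")
                print f, $NF
         }'
}

# boot_efi_only / outside_boot_efi: split findings on the /boot/efi prefix.
boot_efi_only()    { awk 'index($2, "/boot/efi/") == 1 { print $2 }'; }
outside_boot_efi() { awk 'index($2, "/boot/efi/") != 1 { print $2 }'; }

# Helpers that run the pipeline over the constructed sample.
sample_boot_efi() { printf '%s\n' "$SAMPLE_RPMVA" | ownership_findings | boot_efi_only; }
sample_other()    { printf '%s\n' "$SAMPLE_RPMVA" | ownership_findings | outside_boot_efi; }

# Live use, as root, after the remount:
#   rpm -Va | ownership_findings | boot_efi_only      # should now be empty
#   rpm -Va | ownership_findings | outside_boot_efi   # real findings to fix
```

Content changes (the 5, S and T flags on sshd_config in the sample) are deliberately left out, since a locally edited config file is expected and is not what this rule measures.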


Some other reference materials.
Could not change permission for /boot/efi/EFI/redhat/grub.conf
Why do /boot/efi content always show up in rpm -Va output in UEFI enabled system?

How to lookup UUIDs
https://liquidat.wordpress.com/2007/10/15/short-tip-get-uuid-of-hard-disks/
https://liquidat.wordpress.com/2013/03/13/uuids-and-linux-everything-you-ever-need-to-know/

Friday, June 22, 2018

How to setup Claymore on EthOS



Today I'm showing you how to set up the Claymore dual miner on EthOS. EthOS is a Linux-based operating system specially designed to mine cryptocurrency. In the examples we are going to dual mine Callisto (CLO) and SmartCash (SMART), but Claymore can be used to mine any number of coins. The reason I made this video is that EthOS has changed which configuration files you can use. The local.conf or remote.conf files are still the most important files for mining on EthOS, but we used to be able to supplement these files with stub files. I go over the new way to do things now that the stub files are no longer an option: the flags option in local.conf. I also go over some advanced settings.


Below I have included a copy of the file I used in the video. Remember to replace my info with your info.


Example files Local.conf
---------------------------------
globalminer claymore
stratumproxy enable
proxywallet 0x33496bf2654acbdbe501accc9393790707e89ad3
proxypool1 stratum+tcp://lb.geo.callistopool.eu:8001
poolpass1 x
proxypool2 stratum+tcp://clopool.pro:2561
poolpass2 x

dualminer enabled
dualminer-coin keccak
dualminer-pool stratum+tcp://us-mine.smartcash.cc:3008
dualminer-wallet SaMXJJ4CjFRDVwJceAEQfE2QfUMKuRpiGt
dualminer-poolpass1 x

claymore=flags -eworker trio -dcri 8,8,8 -colors 1 -allpools 1
--------------------------------------
To add failover pools for the 2nd coin edit this file: /opt/miners/claymore/dpools.txt 

Links to more info
Main Page http://ethosdistro.com/
EthOS knowledge base http://ethosdistro.com/kb/
SmartCash (SMART) https://smartcash.cc/
Callisto (CLO) https://callisto.network/


Thursday, December 1, 2016

How to Reset a Nessus Scanner

The other day I installed a new Nessus Vulnerability Scanner, which is a security scanner that is often controlled by Security Center; both are Tenable products. After I finished the install and configured the Nessus scanner to be managed by Security Center, I tried to log back into the scanner and discovered I was locked out. So I figured I could just reinstall the Nessus scanner; after all, it only takes a few minutes to do. I reinstalled Nessus and I was still locked out. What gives? Below are the steps I used to get back into the scanner. I later found an even easier way to get back into the Nessus scanner, which I also posted below.

Follow the steps below to uninstall the Nessus scanner and remove the configuration files.

1. Optional - Stop the nessusd service
root@earth> service nessusd stop

2. To uninstall Nessus remove the Nessus package
root@earth> rpm -e nessus-package

For some reason /opt/nessus still exists after the Nessus package is removed.

3. Remove the Nessus directory.
root@earth> rm -r /opt/nessus

Note- Don't worry, the Nessus files will be recreated after the reinstall.

Note- If the /opt/nessus directory is not removed, then your account will still be locked. This is because the configuration files will still exist.

4. Now install Nessus
root@earth> rpm -ivh nessus.rpm

5. Go to the Web interface to finish the configuration of the scanner
https://nessus:8834

Installing Nessus and setting it up to be managed by Security Center takes very little time, but you

Create a new user and/or set the user password.

Add user to scanner
root@earth> /opt/nessus/sbin/nessuscli  adduser  newuser

Change password on the nessus scanner
root@earth> /opt/nessus/sbin/nessuscli  chpasswd username

I showed you in a previous post "Reset Admin account on Security Center" how to do this for Security Center.

Related posts on this site:
Reset Admin account on Security Center
Manually Update Plugins for your PVS
Manually Update Plugins on a Nessus Scanner

Thursday, September 22, 2016

Create user account and set password with one command

I often see forum posts where a system administrator wants to create local user accounts on several servers and doesn't want to set the user's password over and over again. Below I share two ways to do this. The first creates the user account and sets the password in one command. The second sets the password with an additional command. Either way can be used in a script, which speeds things up if you need to create one or more accounts on several systems.

Below is an example of creating a user account.
root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash newuser
root@earth> passwd newuser
passwd: Changing password for newuser
New Password:
Re-enter new Password:
passwd: password successfully changed for newuser

This method can be very time consuming and is hard to use in a script. Below is an example of using the -p option of the useradd command to set the user's password by supplying the password hash.

root@earth> useradd -u 25 -g staff -G ftp,users -m -d /export/home/newuser -c "newuser" -s /bin/bash -p '$6$jbvkjjg$qFmFH.bQmmtXzyBY0s9v7Oicd2z4XSIecDzlB5KiA2/jctKu9YterLp8wwnSq.qc.eoxqOmSuNp2xS0ktL3nh/' newuser

This method works on Linux computers, such as SLES and RHEL. It however doesn't work on systems such as Solaris.

Alternately you can set the user's password by echoing it to standard input, as shown below. The major issue with doing it this way is that the password is recorded in the system logs, and if you're running the command remotely then you're sending the password in the clear. So I don't recommend doing it this way.
root@earth> echo password | passwd newuser --stdin

This method works only on Linux systems.

Other posts with similar info
Linux User Account Creation & Customization
Adding a new user to a UNIX based system

Reference pages.
Online man page - useradd
Online man page - passwd

Thursday, September 15, 2016

Setting up NFS & automount on RHEL


I believe that any Linux or UNIX server should start from a very minimal build, meaning that a server should only have the programs or packages installed that are needed for its operation. To make some of my servers a little more functional I decided to install NFS and automount, so that users can automount home directories and mount external shares.

Follow the steps below to install NFS and autofs, so you can mount NFS shares and home directories. The example below is on a RHEL 6 server.


To be able to mount NFS shares you will need the following packages.
autofs
nfs-utils
nfs-utils-lib

Dependencies:
Hesiod
keyutils
libgssglue
libtirpc
python-argparse
rpcbind

Install the packages
root@server> yum install autofs  nfs-utils  nfs-utils-lib

To enable NFS shares you must add them to the /etc/fstab file. Example below.
10.12.12.8:/share /export/share  nfs noauto,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0
10.12.12.6:/cifs  /export/cifs  nfs noauto,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0
repos:/linux_repos /export/repos   nfs auto,ro,nosuid,nodev,noguid,noxattr,timeout,sloppy 0 0

To set up the automount function you need to edit the auto.home and auto.master files.
Add the hostname or IP address line to /etc/auto.home:
*             10.10.10.2:/home/&

Add this line to /etc/auto.master
/export/home /etc/auto.home -nolock,nosuid,noguid,nodev,nobrowse,noxattr --timeout 10

Restart services
root@server> service autofs restart
root@server> service rpcbind start
root@server> service nfs start

Ensure that autofs starts at boot
root@server> chkconfig --list autofs

Make mount points
Make a mount point for each of the mount points listed in the /etc/fstab file.
root@server> mkdir /export/share
root@server> mkdir /export/cifs
root@server> mkdir /export/repos


Note- make sure any host names used are added to the /etc/hosts file.

After following the steps above everything should be working. Test the configuration by logging in as, or switching to, a user with a non-local home directory. Also try to mount the shares.
root@server> mount /export/share

Check to see if the mount was successful.
root@server> df -h | grep share
Filesystem            Size  Used Avail Use% Mounted on
10.12.12.8:/share  9.8G  1.9G  7.5G  20%   /export/share
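
The fstab entries above carry nosuid and nodev, which stop a setuid binary or device node placed on a network share from being honoured on the client. Because it is easy to drop those options when adding a new share later, here is an added example (not the post's code) that scans an fstab for NFS entries missing either option; the sample fstab is constructed and deliberately includes one hardened, one partly hardened and one bare entry.

```shell
#!/bin/sh
# Added example (not the post's code): report NFS mounts in an fstab that lack
# nosuid or nodev. Constructed sample fstab:
SAMPLE_FSTAB='10.12.12.8:/share /export/share nfs noauto,nosuid,nodev,timeout,sloppy 0 0
repos:/linux_repos /export/repos nfs auto,ro,nosuid,timeout,sloppy 0 0
/dev/sda1 / ext4 defaults 1 1
# a comment line, ignored
10.12.12.6:/cifs /export/cifs nfs auto 0 0'

# nfs_missing_hardening: stdin = fstab text; for each nfs/nfs4 entry prints
# "<mountpoint> missing:<comma-separated options>" when nosuid or nodev is
# absent. Comment lines and non-NFS filesystems are skipped.
nfs_missing_hardening() {
    awk '$1 !~ /^#/ && ($3 == "nfs" || $3 == "nfs4") {
            n = split($4, o, ",")
            has_nosuid = 0; has_nodev = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "nosuid") has_nosuid = 1
                if (o[i] == "nodev")  has_nodev = 1
            }
            miss = ""
            if (!has_nosuid) miss = miss "nosuid,"
            if (!has_nodev)  miss = miss "nodev,"
            if (miss != "") { sub(/,$/, "", miss); print $2, "missing:" miss }
         }'
}

# sample_findings: runs the check over the constructed sample.
sample_findings() {
    printf '%s\n' "$SAMPLE_FSTAB" | nfs_missing_hardening
}

# Live use on a server:
#   nfs_missing_hardening < /etc/fstab
```

The same awk works on autofs map lines only after reordering the fields, since auto.master puts the options in a different column; for the fstab case it is a quick pre-commit check before the next "mount /export/..." goes live.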

Please let me know if you have any questions.


Wednesday, April 27, 2016

How to install or upgrade Java in Linux (Updated)

In this blog post I show how to install or update Java from Oracle on a Linux server. Many Linux distros use the OpenJDK version of Java in their operating systems and in their repository. Although the instructions below will still work to install OpenJDK, the focus is on Oracle's version of Java.

When using the Java provided by Oracle, you can download it from Oracle's website or from java.com. From there they give you a choice of downloading rpm or tar files. I prefer to use Red Hat Package Manager (RPM) files instead of the tar files when installing any program.

You can download Java here: www.java.com

Find Java on the system.
root@earth> find / -name java -type f
/usr/java/jre1.7.0_101/bin/java

Note - If you use the which or java -version commands to find Java on your system, they will only show you the system's main Java. You may have additional versions installed.

Now take each line of output and paste it at the end of the rpm -qf command. This gives you the name of the rpm package that installed that instance of Java.

root@earth> rpm -qf   /usr/java/jre1.7.0_101/bin/java
jre-1.7.0_101s

If the Java found on the system was not installed via a package, then Java was installed from a tar file. At this point you must decide whether to install the new version of Java with an rpm or a tar file. I recommend using rpm packages to install any program. If you are installing with an rpm, go to the section titled Installing Java using RPM. If you are using the tar file, skip to the section titled Install Java using a tar file.

Installing Java using RPM
The rpm command can either update an existing package or install a new one.

The documentation on the Java website says to remove/uninstall the old version of Java and then install the new one. I prefer to install or upgrade instead, because any symlinks or application settings that use the system's Java are then updated to use the newer Java. You can remove the old version afterwards if needed. Otherwise you would have to recreate these items after the install.

Updating Java using RPM 
If you update Java as shown below then you will not need to remove the old version, unless you are installing a different major version of Java, for example if you have Java 7 installed and then install Java 8.
root@earth> rpm  -Uvh   jre-7u111-linux-x64.rpm

You can alternately install Java instead.
root@earth> rpm  -ivh   jre-7u111-linux-x64.rpm

Uninstall the old package.
Take the output from the last command and use the rpm command with the -e option to remove the package.
root@earth> rpm -e  jre-1.7.0_65cs

Note- Do not run the above command for java that is part of an application. If the file was in /usr/bin/ you should be fine.

Install Java using a tar file
Change directory to where Java is going to be installed. Usually it will be /usr/java.
root@earth> cd  /usr/java

Note - If you're upgrading Java with a tar file, it is advised to back up the old installation and remove the previous version. If the old version was installed from a tar, remove the directory. If it was installed from an rpm file, use the rpm or yum command to remove the package.

Move the tar file to /usr/java and unpack the tarball to install Java
root@earth> tar  zxvf   jre-7u111-linux-i586.tar.gz

Delete the tar file after you have tested Java and you're done.

Reference:
Java.com

Related posts on this Blog
How to install or upgrade Java in Linux
How to install Java 7 & 8 on Solaris
Access the Java Control Panel
Updating Java on Solaris

If you have any questions or comments please post them below.

Friday, April 22, 2016

Linux User Account Creation & Customization

A Systems Administrator must be able to manage user accounts by adding users, removing users, modifying accounts and setting passwords. In this tutorial, I will be giving you instructions on how to properly create user accounts on Linux operating systems. Creating a user account can be simple, but there are a few complexities to note. As opposed to a graphical user interface (GUI), these instructions use the command line to create the user accounts.

The command line provides an ideal method for account management, because it allows faster account creation, especially when you are creating several accounts on one or more computers. The graphical user interface (GUI) on Linux systems can vary greatly from system to system, but the one constant on all Linux operating systems is the command line. The command line (CLI) is a text-based user interface used for entering commands for the operating system to interpret. So I will be showing the use of the useradd command, which creates the user accounts, and the passwd command, which sets or changes the user account's password.

Typographical conventions.
The typographical conventions section is meant to help readers better understand what they are seeing. Please read it carefully before continuing.

The courier font is used for names of commands, files, directories, user names, and on-screen computer output; for example:
Use the useradd command to add users to the computer.

The courier bold font is used for characters and numbers you type; for example:
whoami

Courier bold italic is used to represent variables that can change; for example:
passwd bob


Instructions
After each line you type into the command line press the enter key. As explained in the above typographical conventions section, anything displayed in courier bold is typed in the command line and if it is displayed in courier it is the output of the line above. To follow this tutorial open the terminal or xterm program to access the command line. Please refer to the Command & Term Reference guide, for information on commands and terms.

Note - If you don't have access to a Linux computer you can still follow along, using the Linux emulator at, "http://www.tutorialspoint.com/execute_bash_online.php" . Type the commands into the green box on the right.


Method One: Create a user, using default settings.
If you are creating a user account on just one computer, the steps below will work, but if you are creating a user account on more than one computer, use method two or three instead. If the Linux computer is not connected to any other Linux computers on the network, then the method shown below will work. This is the best method for users who are novices at using the command line.

Follow the steps below to create a user account for Bob.
1) Create user account for bob
useradd bob

2) Create a password for user account bob.
passwd bob
passwd: Changing password for bob
New Password:
Re-enter new Password:
passwd: password successfully changed for bob

The passwd command sets user account passwords. In the example above it sets the password for user account bob.

Note - If you don't set the password, the user will not have a password and will not be able to log in.

3) Test user account by logging into the computer with the new user account.
su - bob

The su command stands for switch user, and it is used to switch from one user account to another. The - is an option used with the su command; it allows you to fully switch to the new user account (a login shell with that user's environment). In order to fully test the newly created user account you must use the su command with the - option, as shown.

4) Verify you are logged in as new user.
whoami
bob

The whoami command displays the name of user currently logged in on the command line. The result of the command should be bob as shown above.

Fun Fact: The whoami command also works on Windows computers.

Creating a user account using this method was pretty easy right? This method is perfect for home users who want to add user accounts to their home PC, for their family and friends. This method is not the way to add users on a corporate network.

Method Two: Creating a user with custom settings.
This method is all about control, and is used when creating user accounts on corporate networks. One positive thing about this method is that you know exactly what is being set. The downside is the high probability of making a typo. This method can be too complicated for less knowledgeable users.

1) Create the user account.
Type the entire line out before you press enter.
useradd -u 900 -g users -G video -c "user account, Jill" -m -d /export/home/jill -s /bin/bash jill

Command Options Explained
-u        Sets user’s UID (Unique Identification Number) to 900
-g        Sets user’s primary group to users
-G        Sets user’s secondary groups to video
-c        Sets a comment for the user. Puts a comment into the /etc/passwd file.
-m        Makes the user’s home directory
-d        Sets the path to the user’s home directory
-s        Sets the user’s shell

One reason to use useradd with all the options listed above is that computers see user accounts as numbers. When we created Jill's user account we see the account's name as jill, but the computer sees the account as 900, or UID (Unique Identification Number) 900. Unless you set the UID with the -u option, the computer assigns the next available UID number, which can result in a user having different UIDs on different computers. This can cause issues with permissions. For example, suppose user Bob has UID 900 on PC number one and Jill has the same UID on PC number two. Jill creates a document and stores it on the network. PC one sees that the file is owned by UID 900 and so shows Bob as the owner. Then Bob can do anything he wants to Jill's document, including deleting it.

Note: For more information on the useradd command and it options, type man useradd into the command line. To exit the man page


2) Set Jill’s password. 
echo jillspassword | passwd -e jill --stdin

In the above series of commands, the echo command sends the word jillspassword to the passwd command, and the passwd command sets the user's password to jillspassword. The -e shown in the example expires the user's password, forcing the user to change it the first time they log in.

Why set the password this way, when the way shown in Method one was easier? This method is a more advanced way to set a user's password. For example, let's say you need to create ten user accounts. If you do what we did in Method one, you will need to type the new user's password twenty times, twice for each user. On the other hand, if you use the method shown here, then you only need to change the username ten times. To save on typing, the rest of the command shown above can be pasted into the command line. This method can also be used in a script, since it doesn't require any additional input from you after you run the command.

3) Repeat steps 3 & 4 from Method one to test the account.

Method Three: Configuring system settings for easier user creation.
In Method three, I will be combining the ease of use of the first method and the completeness of the second. In Method one we ran the useradd command with no options set. The Linux system still used many of the options used in Method two, but set them using system-defined defaults. To see these defaults, run the useradd command with the -D option; for example:
useradd -D
GROUP=2001
HOME=/home
INACTIVE=35
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

To change a default system setting, run useradd -D followed by the setting you want to change. In the example below, the default shell is being changed from /bin/bash to /bin/ksh.
useradd -D -s /bin/ksh

To see if the change took effect, run the useradd -D command again.

Note: The most common things to set are the home directory and the shell.

1) Create user account for Sam
useradd -u 1010 -G 10 -c "user account, Sam" -m sam

Here we have the best of both worlds, the less typing of Method one and the precise settings of Method two. Setting the system defaults leaves much less chance of making mistakes. Now only the settings that are unique to the user have to be set.

2) Set Sam’s password, choose the approach used in Method one or Method two.

3) Repeat steps 3 & 4 from Method one to test the account.

I showed you three variations on using the useradd and passwd commands to create user accounts. For new users on Linux, I suggest they use Method one. Intermediate to advanced users should use Method two or three, though Method three is the preferred method. I hope this tutorial was informative and you learned something new.

Command & Term Reference Guide

Commands
useradd – command used to create user accounts.
passwd – command used to set user account passwords.
whoami – informs user who they are logged in as. Can also use the command id to do the same thing.
su – stands for switch user, and is used to switch between users.
man – stands for manual, used to view system manuals. The manuals are referred to as man pages.
echo – displays whatever you type on the next line.
|  - This is called a pipe, it takes the output of the command on the left and sends (pipes) it to the input of the command on the right.

Terms
Terminal and xterm: are programs that display the command line. The terms xterm, terminal and command line can, for the most part, be interchangeable.
Shell: is a customized command line environment. Examples of shells are BASH, SH, KSH and CSH.

Conclusion
Well what did you think? This post is written at a lower level than most of my other posts, because this was originally a paper I wrote for a college class. Method 3 needs a little more info, so I will write a follow on post with a little more detail on how to set the system defaults. Anyway let me know what you think and if you have any questions by posting below.

Related posts on this Blog
Adding a new user to a UNIX based system

References
Man pages: useradd, passwd
My College paper
The Ultimate Guide to Create Users in Linux / Unix


Tuesday, April 12, 2016

A Better Way to Setup SSH Keys

Note - I have a newer version of this how-to. Please click here 

This is a guide on setting up SSH keys for a Linux based user account. Why set up SSH keys, why not just use your password? SSH keys are considered more secure than using passwords to access systems, because user accounts are authenticated by the server without ever having to send your password over the network. If the password is not transmitted, it can't be intercepted. This works by identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. Not to mention, if you set up an SSH agent then the agent will handle the challenge-response authentication for you.

This guide is not for installing or setting up an SSH server. You must have the sshd service running on your servers in order for SSH to work. All the examples are taken from Red Hat or SUSE servers. The ssh-copy-id command will not work on Solaris servers, but all other commands should work fine.

Create your key pair
The ssh-keygen command will generate a public and private key pair. The keys will be stored in ~/.ssh. The basic command looks like this: ssh-keygen -t [dsa|rsa]  The -t option sets the type of key used. In the example below I create an RSA key pair.
man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

Make sure you don't use a blank passphrase. Doing so is very insecure: a blank passphrase defeats the purpose of having the extra security of a key exchange setup. It is also important to never give out your private key, which also compromises the security of your account.


The old way of transferring the public key to the remote system.
man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

New way
man@earth> ssh-copy-id user@moon
Now try logging into the machine, with "ssh 'remote-host'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
The reason the new way is better than the old way is that ssh-copy-id appends the public key to the authorized_keys file, whereas the old way overwrites the authorized_keys file. Appending allows the account to use keys from more than one server.

Note- This method will not work on Solaris 10


If your home directory automounts across a lot of servers, you can copy the key over with the cat command.
man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys


You can also use this method if the ssh-copy-id command is not available to you.
man@earth> cat ~/.ssh/id_rsa.pub | ssh man@moon "mkdir -p ~/.ssh  &&  cat   >>  ~/.ssh/authorized_keys"
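An added example, not part of the original post: a shell function that does what ssh-copy-id does on the receiving side, creating ~/.ssh with safe permissions and appending the key only if that key is not already in authorized_keys, so repeated runs don't pile up duplicates. It runs against a temporary HOME, and the key strings are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example: idempotent authorized_keys update with safe permissions.
# Uses a throwaway HOME so it can be tried safely; keys below are placeholders.
HOME=$(mktemp -d)
export HOME

# append_authorized_key <pubkey-line>
# Creates ~/.ssh (0700) and ~/.ssh/authorized_keys (0600) if missing, then
# appends the key unless its key blob (second field) is already present.
append_authorized_key() {
    key="$1"
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    auth="$HOME/.ssh/authorized_keys"
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    # awk exits 0 only when some line's second field equals the blob
    if awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$auth"; then
        return 0   # already authorized; nothing to do
    fi
    printf '%s\n' "$key" >> "$auth"
}

# authorized_key_count: number of non-empty lines in authorized_keys
authorized_key_count() {
    grep -c . "$HOME/.ssh/authorized_keys"
}

KEY1="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxPLACEHOLDER1 man@earth"
KEY2="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCxPLACEHOLDER2 man@mars"
append_authorized_key "$KEY1"
append_authorized_key "$KEY2"
append_authorized_key "$KEY1"   # duplicate: not appended again
authorized_key_count             # prints 2
```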

Setting up the SSH Agent.

man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/man/.ssh/id_rsa (/home/man/.ssh/id_rsa)

Note- Add these commands to the .bashrc file to start an agent automatically when you login to a server. 

There are other ways to set up the agent, such as using the GNOME GUI. If you use VNC, just start your VNC server session in the same terminal you used to start your agent. This way all the terminals launched in your VNC session will use the same agent.

SSH Agent Management
One issue with agents is that sometimes you end up running a lot of agents. Run the command below and kill any agents that you are not using.

man@earth> ps aux | grep agent
If there is more than one agent running then you should kill the additional ssh-agent.

man@earth> pkill ssh-agent
This will only kill agents owned by the user running the command.

One way to kill your ssh-agents is to add a kill statement to the .bash_logout file.

Reference Section
Manpage ssh-copy-id

Related posts on this site.
How to setup SSH Keys
http://rich-notes.blogspot.com/2013/09/how-to-setup-ssh-keys.html

If you have any questions or comments please post below.

Friday, March 25, 2016

Manually Update Plugins on a Nessus Scanner (Linux)

I had an issue the other day with one of my Nessus Vulnerability Scanners which is being managed by Security Center. In Security Center the status of one of the Nessus scanners showed "Plugin Out of Sync". I tried to push the plugins to the Nessus scanner from the Security Center, but I was getting a status error of "Connection timed out".  So basically I was getting a latency issue on the connection. The Nessus scanner and the Security Center are in different states, so this may be why there is so much latency. I just built this Nessus scanner, so there were just too many plugins to be pushed over the wire by Security Center. To fix this issue, I just manually copied the plugins to the Nessus scanner. Then I manually loaded the plugins into the Nessus scanner. After I did this, I have not had this issue again.

Manually updating the plugins can sometimes also fix an error or a scanner status of "Protocol error". These instructions work on Nessus 5.x and 6.x, when managed by Security Center 4.x or 5.x.

Follow the instructions below to manually install plugins for the Nessus scanner on a Linux server. To do this on a Windows computer go here.

1. Login to the Nessus scanner.
root@earth> ssh nessus

2. Stop the Nessus service.
root@nessus> service nessusd stop

3. Remove the scanner from Security Center.

4. Reset the scanner
root@nessus> /opt/nessus/sbin/nessuscli fix --reset
Resetting Nessus configuration will permanently erase all your settings and causes Nessus to become unregistered.
Do you want to proceed? (y/n) [n]: y
Successfully reset Nessus configuration.

5. Connect the Nessus scanner.
root@nessus> /opt/nessus/sbin/nessuscli fetch --security-center
nessusd can now be started, SecurityCenter will upload the plugins

6. Manually copy over the plugins file.
    Copy the plugins tar.gz file from Security Center, or download the latest plugins from Tenable.
Note - In Security Center The plugins are located here: /opt/sc/data/plugins

7. Load the plugins into Nessus.
root@nessus> /opt/nessus/sbin/nessuscli update plugins_file.tar.gz

* Update successful. The changes will be automatically processed by Nessus 

8. Start the Nessus service
root@nessus> service nessusd start

9. Login to the web interface for Nessus and wait for the bar to complete.
root@nessus> firefox https://localhost:8834

10. Login to the web interface for the Security Center. Add the Nessus scanner back and verify connectivity.

You're done.

If you have any questions or comments please post them below.

Related posts
Manually Update Plugins for your PVS
Reset Admin account on Security Center

Friday, May 22, 2015

Is SELinux running?


There is a simple question you need to answer when you get a new Linux server to manage: is SELinux running? If so, what are its settings? Below are some ways to answer these questions.

See if the SELinux configuration file exists and if it does what the settings for SELinux are.
root@earth> cat /etc/sysconfig/selinux
#    This file controls the state of SELinux on the system.
#    SELINUX= can take one of these three values:
#                enforcing - SELinux security policy is enforced.
#                permissive - SELinux prints warnings instead of enforcing.
#                disabled - No SELinux policy is loaded.
SELINUX=permissive
#    SELINUXTYPE= can take one of these two values:
#               targeted - Only targeted network daemons are protected.
#               strict - Full SELinux protection.
#               mls - Multi Level Security protection.
SELINUXTYPE=targeted
#    SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0

The getenforce command displays the current SELinux enforcement policy being used.
root@earth> /usr/sbin/getenforce
Permissive

The sestatus command is a tool that is used to get the status of  a system running SELinux.
root@earth> /usr/sbin/sestatus
SELinux status:              enabled
SELinuxfs mount:           /selinux
Current mode:                permissive
Mode from config file:     permissive
Policy version:               21
Policy from config file:    targeted
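Added example (not from the original post): a shell helper that reads SELINUX= and SELINUXTYPE= from a sysconfig-style file, ignoring the comment lines, and reports drift between the configured mode and the running one (the two values sestatus shows as "Mode from config file" and "Current mode"). The config file is a constructed sample; the getenforce call in the comment is how you would feed it on a live host.

```shell
#!/bin/sh
# Added example: parse the SELinux config file and flag config/runtime drift.
# The config below is a constructed sample in the /etc/sysconfig/selinux format.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
#    SELINUX= can take one of these three values:
#                enforcing - SELinux security policy is enforced.
SELINUX=permissive
SELINUXTYPE=targeted
EOF

# config_value <file> <KEY>
# Value of KEY=... from the file, skipping comments, blanks and trailing junk.
# If the key appears more than once, the last definition wins.
config_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# selinux_drift <file> <current-mode>
# Prints "ok" when the configured mode matches the running mode, otherwise
# "drift: config=<x> current=<y>". Comparison is case-insensitive because
# getenforce capitalises its output ("Permissive") while the file does not.
selinux_drift() {
    cfg=$(config_value "$1" SELINUX | tr '[:upper:]' '[:lower:]')
    cur=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    if [ -n "$cfg" ] && [ "$cfg" = "$cur" ]; then
        echo "ok"
    else
        echo "drift: config=${cfg:-unset} current=$cur"
    fi
}

# On a live host: selinux_drift /etc/sysconfig/selinux "$(getenforce)"
selinux_drift "$CFG" Permissive   # prints: ok
selinux_drift "$CFG" Enforcing    # prints: drift: config=permissive current=enforcing
```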


Reference
Security Enhanced Linux (SELinux) project page
Wikipedia - SELinux



Friday, December 12, 2014

Clear fmadm or FMA fault logs

If the System Administrator doesn't have log rotation setup, logs fill up on the server from time to time. Usually the system or audit logs are the root cause, but sometimes the Fault Management Architecture (FMA) logs are the cause. On Solaris or if installed on Linux, there is a utility called fmd (Fault Manager Daemon) that checks for issues with the system hardware. This program is managed by the fmadm program. Follow the steps below to clear out the logs.

Clear error fmadm reports
root@earth> fmadm repair  UUID
The UUID is the event code that is shown when you run the fmadm faulty command.

* Note: If the above command doesn't clear the error, then there is a real hardware issue that needs to be addressed.

Clear reports and resource cache
root@earth> cd /var/fm/fmd
root@earth> rm e* f* c*/eft/* r*/*

Clearing out FMA files without rebooting.
root@earth> svcadm disable -s svc:/system/fmd:default
root@earth> cd /var/fm/fmd
root@earth> find /var/fm/fmd -type f -exec ls {} \;
root@earth> find /var/fm/fmd -type f -exec rm {} \;
root@earth> svcadm enable -s svc:/system/fmd:default


Reference
blogs.oracle.com: How to clear fmadm log or FMA faults log
Fault Management Architecture

Manpage:
fmadm(1M)
fma

Thursday, September 18, 2014

Unlock locked accounts

These are my notes on unlocking user accounts. Below I go over a few ways to get a user account back up and running, such as changing the expiration date on an expired account and resetting the PAM tally for a user.

In keeping with the space theme, I will be using earth as the server's hostname and man as the name of the user account.

This the most common way to unlock your account.
root@earth> passwd -u man

Change the expiration date of the user account to a date in the future (usermod takes the date as YYYY-MM-DD)
root@earth> usermod --expiredate 2099-12-31 man

This works on some systems
root@earth> ipa user-unlock man

This resets the account if all else fails.
root@earth> pam_tally --user=man --reset



References.
www.cyberciti.biz
From RHEL user-unlock command
SuperUser pam command

Wednesday, August 27, 2014

How to install or upgrade Java in Linux

These are my notes on how to install or update Java on a Linux server. In this how-to, I will be using the Java from Oracle and not the one from the operating system's or distro's repository. You can download and install either an rpm or a tar file from Oracle's site.

When using the Java provided on Oracle's website, they give you a choice of downloading an rpm or a tar file.

You can download Java here.
http://www.java.com/en/download/linux_manual.jsp

Installing Java using RPM

Find the current version of Java on the system.
root@earth> find / -name java -type f
/usr/java/jre1.7.0_55/bin/java

Note: If you use the which or java -version commands to find Java on your system, they will only show you the system's main Java. You may have additional versions installed.

Now take each line of output and paste it at the end of this command. This gives you the name of the rpm package that installed this file and version of Java.
root@earth> rpm -qf    /usr/java/jre1.7.0_55/bin/java
jre-1.7.0_55-fcs

Uninstall the old package.
root@earth> rpm -e  jre-1.7.0_55-fcs

Note- Do not run the above command for java that is part of an application. If the file was in /usr/bin/ you should be fine.

Install Java
root@earth> rpm  -ivh    jre-7u65-linux-x64.rpm

You can alternately upgrade Java instead.
root@earth> rpm   -Uvh    jre-7u65-linux-x64.rpm

Install Java using a tar file
Change directory to where Java is going to be installed. Usually it will be /usr/java.
root@earth> cd  /usr/java

Move the tar file to /usr/java.

Unpack the tarball and install Java
root@earth> tar  zxvf   jre-7u65-linux-i586.tar.gz

Delete the tar file after you have tested Java and you're done.

Reference:
Java.com

Related posts on this Blog
How to install Java 7 & 8 on Solaris
Access the Java Control Panel
Updating Java on Solaris


Tuesday, August 26, 2014

How to Manually Remove the NetBackup Client on Linux


These are my notes on removing a NetBackup client on a Linux system. This how-to is based on the Symantec Tech Note, which is referenced at the bottom of this post. This is for the most part the recommended way of removing NetBackup. I have added a few more steps so that your logs are not filled with error messages.

Shut down running NetBackup processes. (optional)
man@earth> sudo netbackup stop
stopping the NetBackup client daemon
stopping the NetBackup network daemon

Or you can use this command.
man@earth> sudo bp.kill_all

Looking for NetBackup processes that need to be terminated.

Looking for more NetBackup processes that need to be terminated.
Stopping bpcd...
Stopping vnetd...

Check for running processes. (optional)
man@earth> sudo bpps -x
NB Processes
------------

Shared Symantec Processes
-------------------------
root 2827 1 0 Apr22 ? 00:00:00
/opt/VRTSpbx/bin/pbx_exchange
If you see more than what is listed above, then NetBackup didn't shut down. If the commands didn't work, move on to the next step.

Remove the NetBackup client.
man@earth> rm -r /usr/openv

Look for NetBackup files in xinet.d
man@earth> ls -l /etc/xinetd.d/
Look for the bpcd, bpjava-msvc, vnetd and vopied files. If a file is found, remove it.

Edit the services file.
Backup the /etc/services file. Remove all NetBackup services, such as the ones listed above.

Restart xinetd 
For SUSE run this command
man@earth> sudo /etc/rc.d/xinetd restart

For all others run this command
man@earth> sudo /etc/rc.d/init.d/xinetd restart


Reference:
Tech Note 71923

If you have any questions or comments, post them below.