Linux is a multitasking, multi-user operating system: many users may be working on it at the same time, and user management is directly tied to the security of the whole system. Password management and account-file management therefore deserve particular attention and protection.
(For more details, see the topic page covering all aspects of Linux system management: http://os.51cto.com/art/201009/228849.htm)
Linux user management is mainly divided into two areas: password management, and user and user-group management. The two are discussed separately below.
1. Password management
The password is the user's key to logging in to the Linux system; without that key, getting onto the target system always costs some effort. Whatever remote attack an intruder uses, the whole system cannot be fully controlled without the password of the administrator or superuser account, so stealing a user's password is the easiest and most essential route into the system. The administrator account's password is therefore the one that most needs protecting; if it is stolen, disaster follows.
Most intruders obtain the administrator's password through some system or configuration vulnerability and then carry out malicious attacks on the system. Weak account passwords let intruders crack them easily and gain access to computers and networks, while strong passwords are hard to crack even for password-cracking software, which cannot finish in a short time. Such software generally uses three methods: dictionary guessing, combination guessing and brute-force guessing. There is no doubt that cracking a strong password is far harder than cracking a weak one, so the system administrator account must use a strong password.
According to statistics, about 80% of security risks are caused by improper password settings, so setting a password is a skill that deserves care. When setting a password, follow the password security principles; they apply to any situation where passwords are used, including both Windows and Unix/Linux operating systems.
John the Ripper is a tool that tries to recover the plaintext password from a known ciphertext (hash). The latest version is John 1.7, which mainly supports cracking DES and MD5 hashes. It runs on many different processors and operating systems and has been tested on the following: Linux x86, FreeBSD x86, Solaris SPARC, OSF/1 Alpha, DOS, Windows NT/XP and so on.
John the Ripper official website: http://www.openwall.com/john/
John the Ripper 1.7 is currently one of the better password-cracking tools. It saves its state automatically at intervals while cracking; the user can interrupt the run (Ctrl+C) and resume it later from where it stopped (john -restore). Pressing any key during a run shows the current progress. All cracked passwords are saved in the file john.pot in the current directory, and users whose shadow entries share the same hash are grouped together so that John does no duplicate work. The key password-generation settings live in the file john.ini, where users can change them: not only are word-mangling rules supported, users can also write small C-style programs of their own to constrain the password values.
Before using the software, download the latest Linux version, john-1.7.3.4, from the Internet. It contains three directories: doc, src and run. In the src directory, run the following on the machine:
# make
# make clean linux-x86-any
Once built, switch to the run directory and test it as follows:
# cd ../run
# ./john -test
John the Ripper provides as many as 10 kinds of command-line options for the user to choose from:
-pwfile:<file>[,..]: specifies the name of the file holding the ciphertext (several may be given, separated by commas, and wildcard characters such as * may be used to refer to a batch of files). The file name may also be placed at the end of the command line without this option.
-wordfile:<dictionary file> / -stdin: the dictionary file used for cracking. Alternatively the words can be read from standard input, that is, typed at the keyboard.
-rules: enable word-mangling rules during cracking. The detailed rules are in the [List.Rules:Wordlist] section of john.ini; for example, from "cool" it will also try variants such as "cooler".
-incremental[:<mode name>]: use incremental (exhaustive) mode, trying all possible password combinations. The modes are defined in the [Incremental:*****] sections of john.ini.
-single: use single-crack mode, which guesses mainly from variations of the user name and quickly weeds out the relatively low-effort users. The combination rules are in the [List.Rules:Single] section of john.ini and are explained in more detail later.
-external:<mode name>: use a custom external cracking mode. Users can define the password combinations they want in john.ini; John ships several examples in the [List.External:******] sections of the ini file, which define the custom cracking functions.
-restore[:<file name>]: continue the last cracking session. When John is interrupted, the current progress is stored in the restore file, and the user may copy this file to a new file. If no file name is given, John uses the restore file by default.
-makechars:<file name>: build a character-frequency table into the given file, overwriting it if it exists. Referencing the passwords already present in john.pot, John uses built-in rules to generate the password combinations most likely to hit in the corresponding key space.
-show: display the passwords already cracked. Because john.pot does not contain user names, the user should also give the name of the file containing the passwords; John then outputs a detailed table of users and their cracked passwords.
-test: measure the cracking speed of John on the current machine. It takes about 1 minute and reports the speed under the various possible conditions, for example the average speed when cracking 100 users at once, or the speed in incremental mode. "Salts" refers to the number of users: if the average speed for 100 users is 18,000 tries per second, then cracking 100 users simultaneously means 180 tries per second per user, because most of the time goes into comparing keys. The set of users to crack should therefore be chosen selectively.
-users:<login|uid>[,..]: crack only users of a certain type or users belonging to a group. If the passwd file obtained does not contain the hashes, it must be combined with the shadow file; John's companion program unshadow (unshadow.exe) can do this, or it can be done by hand. Generally, users who can log in to csh are the preferred targets for cracking; one may also select uid=0, that is, root-level users.
-shells:[!]<shell>[,..]: as with the option above, this cracks only the users who can use the given shell and ignores the others. "!" means that certain types of users are not wanted. Example: "-shells:csh".
-salts:[!]<count>: crack only the salts shared by more than <count> accounts, giving the user the choice of obtaining the most widely usable passwords as soon as possible.
-lamesalts: specifies the cleartext used as the salt for the user's password. (I'm not sure about the function of this feature.)
-timeout:<minutes>: specifies how many minutes cracking should last; John stops running automatically when the time is up.
-list: list every password candidate being tried on the screen during cracking. Not recommended: it wastes most of the time on display output and greatly slows cracking. It is typically useful only when output is redirected to a file to verify that some of the rules set by the user behave as expected.
-beep / -quiet: whether to sound the PC speaker to alert the user when a password is cracked.
-noname / -nohash: do not keep the "user name" (or hash) content in memory.
-des / -md5: specifies whether the hashes are DES or MD5; for cracking DES hashes this option can be omitted.
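The account attributes these options select on (UID 0, login shell, DES or MD5 hash type, a passwd file joined with its shadow file) are the same ones an administrator should audit first. The following Python script is added here as an example; it is not part of the original article or of John the Ripper, and the passwd/shadow lines and hash values it contains are constructed, not real.

```python
import re

# Constructed sample /etc/passwd and /etc/shadow lines (not real accounts or hashes)
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second admin:/root:/bin/csh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/csh
"""
SHADOW = """\
root:$6$c0nstructed$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19000:0:99999:7:::
toor:abJnggxhB/yWI:19000:0:99999:7:::
alice:$1$c0nstruc$xxxxxxxxxxxxxxxxxxxxxx:19000:0:99999:7:::
bob::19000:0:99999:7:::
"""

def hash_kind(field):
    """Classify a shadow password field by the crypt format it uses."""
    if field == "":
        return "empty"            # no password is required at all
    if field.startswith(("*", "!")):
        return "locked"           # password login disabled
    if field.startswith("$1$"):
        return "md5"              # MD5 crypt: fast to brute-force
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"              # traditional DES crypt: 8-char limit, weakest
    if field.startswith(("$5$", "$6$", "$y$", "$2")):
        return "modern"           # SHA-crypt, yescrypt or bcrypt
    return "unknown"

def audit(passwd_text, shadow_text):
    """Return {user: [findings]} for the accounts worth tightening first."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow_text.splitlines() if l}
    findings = {}
    for line in passwd_text.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        kind = hash_kind(hashes.get(name, "!"))   # missing shadow entry counts as locked
        notes = []
        if uid == "0" and name != "root":
            notes.append("extra UID 0 account")
        if kind == "empty":
            notes.append("empty password field")
        if kind in ("des", "md5"):
            notes.append("legacy %s hash, re-hash with a modern crypt" % kind.upper())
        if notes and not shell.endswith(("nologin", "false")):
            notes.append("interactive shell %s" % shell)
        if notes: findings[name] = notes
    return findings

if __name__ == "__main__":
    for user, notes in audit(PASSWD, SHADOW).items():
        print(user + ": " + "; ".join(notes))
```

Run against the real files with a root shell by reading /etc/passwd and /etc/shadow into the two strings; the same hash classification tells you which accounts would fall to the -des/-md5 modes above before anyone else tries.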