I’ve been reinstalling my system as of late (been way too long a comin’) and I realized that I hadn’t set up a firewall yet. This, in turn, had me thinking about how many ports were open. I was up too late and probably had too many cokes by then. I had given myself a dead simple root password so that I could finish the install and began getting that tightening, turning, retching in the belly feeling. I couldn’t help thinking, “This could be the time that some random joe comes along and finds a nice open gate”. Doesn’t make much sense now, but I decided then to build a script that toggles a 20 character random password to relieve my paranoia. Here it is for anyone who can find use of it. Oh, and I did get my install done.
#!/bin/bash
# randompass - toggle between random and known passwords for users
# Must run as root: it reads /etc/shadow and changes passwords
if [[ $EUID -ne 0 ]]; then
    echo "${0##*/}: must be run as root" >&2
    exit 1
fi
# Saved password hashes are secrets; create the files readable by root only
umask 077
# User passwords to protect
users=(root todd akau)
# Program name from its filename
prog=${0##*/}
# Text color variables
txtund=$(tput sgr 0 1)            # Underline
txtbld=$(tput bold)               # Bold
bldred=${txtbld}$(tput setaf 1)   # red
bldblu=${txtbld}$(tput setaf 4)   # blue
bldwht=${txtbld}$(tput setaf 7)   # white
txtrst=$(tput sgr0)               # Reset
info=${bldwht}*${txtrst}
pass=${bldblu}*${txtrst}
warn=${bldred}!${txtrst}
# Check if users exist; drop any that don't from the users array
existing=()
for user in "${users[@]}"; do
    if getent passwd "$user" > /dev/null; then
        existing+=("$user")
    else
        echo "$warn No such user ${txtund}$user${txtrst}, skipping"
    fi
done
users=("${existing[@]}")
# Current password hash of a user (field 2 of its /etc/shadow entry).
# Anchoring on "^user:" avoids matching e.g. "toddy" when asked for "todd".
shadow_hash() {
    grep "^$1:" /etc/shadow | awk -F : '{ print $2 }'
}
# Password generation: 20 random characters from /dev/urandom.
# The value is never shown, so this effectively locks the account until restored.
passgen() {
    tr -dc 'A-Za-z0-9/.$' < /dev/urandom | head -c20
}
# Save original password hashes (first run)
for save in "${users[@]}"; do
    if [ ! -f "/root/pass$save" ]; then
        shadow_hash "$save" > "/root/pass$save"
        echo "$pass Saved ${txtund}$save${txtrst} password"
    fi
done
case "$1" in
    h ) echo " $prog <*u> - toggle random and known passwords. u - update known"
        ;;
    u ) echo "$warn Be sure no random passwords are set before updating passwords!"
        echo -n "Update known passwords file(s)? "
        read -r update
        if [[ $update == [Yy] ]]; then
            for known in "${users[@]}"; do
                shadow_hash "$known" > "/root/pass$known"
                echo "$pass Updated ${txtund}$known${txtrst} password"
            done
        else
            echo " Passwords not updated"
            exit
        fi
        ;;
    * ) # Root's current hash equal to the saved one means the known passwords
        # are in place, so switch to random; otherwise restore the known ones.
        if [[ "$(shadow_hash root)" == "$(cat /root/passroot)" ]]; then
            for u in "${users[@]}"; do
                # chpasswd hashes the plaintext itself; usermod -p would store the
                # raw 20-character string in the hash field instead of a valid hash
                printf '%s:%s\n' "$u" "$(passgen)" | chpasswd
                echo "$pass Generated password for ${txtund}$u${txtrst}."
            done
        else
            for u in "${users[@]}"; do
                # The saved value is already a hash, which is what usermod -p expects
                usermod -p "$(cat "/root/pass$u")" "$u"
                echo "$pass Restored password for ${txtund}$u${txtrst}."
            done
        fi
        ;;
esac
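The worry in the intro, how many ports were open on a box with no firewall and a throwaway root password, is quick to check before doing any password dance. The following is an added example of mine, not part of the original post or its script: a filter over `ss -Hltn` output that reports listening TCP sockets bound to something other than a loopback address. The `ss` lines in the block are constructed sample output, not from any real system.

```shell
#!/bin/sh
# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local:Port Peer:Port).
# Added example; these lines are made up, not measurements from the post's machine.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::1]:25 [::]:*
LISTEN 0 128 *:111 *:*'

# exposed_ports: read ss -Hltn lines on stdin and print "port address" for every
# listening TCP socket reachable from outside the host, i.e. bound to anything
# other than a loopback address (127.0.0.0/8 or ::1). Wildcards (0.0.0.0, [::], *)
# count as exposed because they listen on every interface.
exposed_ports() {
    awk '$1 == "LISTEN" {
        n = split($4, parts, ":")          # port is the text after the last colon
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr !~ /^127\./ && addr != "[::1]") print port, addr
    }'
}

# count_exposed: number of exposed listeners in the stream. Zero is the target
# while a weak install-time password is in use and no firewall is up yet.
count_exposed() {
    exposed_ports | wc -l | tr -d ' '
}

# Run on the sample; on a live host use:  ss -Hltn | exposed_ports
printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_ports
```

On the sample this reports 22, 80 and 111 as reachable and leaves the CUPS, MySQL and SMTP listeners alone because they are bound to loopback. UDP listeners show as UNCONN rather than LISTEN in `ss` output, so audit them separately with `ss -Hlun`.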

I just completed an upgrade install of my basement linux server. The whole setup runs behind a NAT’d LAN, so I chose one IP on my private network to receive all public traffic.
I did a parallel install on new hardware of my original system. I installed the Debian base system, then copied all my configs and etc from the original system (which remained up for the full install). Once I had security set up as I would like on the new system, I locked my root account, changed my password to something secure (for use via sudo), started SSH, and then just switched the IPs of my servers.
You should never, ever have an internet facing machine with running services and no firewall. If you’re doing an install with a crappy password for convenience, make sure to turn off SSH and every other service. The truly paranoid don’t even connect an Ethernet cable until the entire install is done! :)
Yeah, I thought about this way too late. Done reinstalls enough times I thought I’d push the fold this time. I know people that won’t install a distro from a livecd that does a net install (most livecds are pretty insecure). Blocking ssh wasn’t a deal because it wasn’t installed yet, but I almost do nothing without a firewall. Whoops :)
Pwgen…..
I’m a bit leery about folks that don’t leave their links, Drax. Care to elaborate on that?