I’ve been reinstalling my system as of late (been way too long a-comin’) and I realized that I hadn’t set up a firewall yet. This, in turn, got me thinking about how many ports were open. I was up too late and had probably had too many Cokes by then. I had given myself a dead simple root password so that I could finish the install, and I began getting that tightening, turning, retching feeling in the belly. I couldn’t help thinking, “This could be the time that some random joe comes along and finds a nice open gate.” It doesn’t make much sense now, but I decided then to build a script that toggles a 20-character random password, to relieve my paranoia. Here it is for anyone who can find a use for it. Oh, and I did get my install done.
```bash
#!/bin/bash
# randompass - toggle between random and known passwords for users

# User passwords to protect
users=(root todd akau)

# Program name from its filename
prog=${0##*/}

# Saved hash files under /root should not be readable by anyone else
umask 077

# Text color variables
txtund=$(tput sgr 0 1)          # Underline
txtbld=$(tput bold)             # Bold
bldred=${txtbld}$(tput setaf 1) # red
bldblu=${txtbld}$(tput setaf 4) # blue
bldwht=${txtbld}$(tput setaf 7) # white
txtrst=$(tput sgr0)             # Reset
info=${bldwht}*${txtrst}
pass=${bldblu}*${txtrst}
warn=${bldred}!${txtrst}

# Print the password (hash) field of one user from /etc/shadow.
# Matching on the whole first field avoids "root" also matching "nonroot".
shadow_hash() {
    awk -F : -v u="$1" '$1 == u { print $2 }' /etc/shadow
}

# Check if users exist; if they don't, remove them from the users array
list="${users[@]/%/|}"   # Puts array to list, add pipe after each user
list=${list// }          # strip spaces
list=${list%|}           # drop the trailing pipe (an empty alternative)
users=($(grep -Eo "^(${list})\>" /etc/shadow))   # end of word

# Password generation: 20 random characters from /dev/urandom.
# usermod -p stores its argument verbatim as the *encrypted* field, so the
# plaintext is hashed first (SHA-512 crypt via openssl) instead of being
# written raw, which would leave a field no login could ever match.
passgen=$(< /dev/urandom tr -dc 'A-Za-z0-9/.$' | head -c20)
passhash=$(openssl passwd -6 "$passgen")

# Current root password hash, used to decide which way to toggle
curpwroot=$(shadow_hash root)

# Save original passwords (first run)
for save in "${users[@]}"; do
    if [ ! -f "/root/pass$save" ]; then
        shadow_hash "$save" > "/root/pass$save"
        echo "$pass Saved ${txtund}$save${txtrst} password"
    fi
done

case $1 in
    h )
        echo " $prog <*u>- toggle random and known passwords. u - update known"
        ;;
    u )
        echo "$warn Be sure no random passwords are set before updating passwords!"
        echo -n "Update known passwords file(s)? "
        read -r update
        if [[ $update == [Yy] ]]; then
            for known in "${users[@]}"; do
                shadow_hash "$known" > "/root/pass$known"
                echo "$pass Updated ${txtund}$known${txtrst} password"
            done
        else
            echo " Passwords not updated"
            exit
        fi
        ;;
    * )
        # Known hash still in place: switch every user to the random one.
        # Otherwise a random hash is set, so restore the saved known hashes.
        if [[ "$curpwroot" == "$(cat /root/passroot)" ]]; then
            for u in "${users[@]}"; do
                usermod -p "$passhash" "$u"
                echo "$pass Generated password for ${txtund}$u${txtrst}."
            done
        else
            for u in "${users[@]}"; do
                usermod -p "$(cat "/root/pass$u")" "$u"
                echo "$pass Restored password for ${txtund}$u${txtrst}."
            done
        fi
        ;;
esac
```
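As an added example (my code, not the post's script), here is a checker for what the shadow password field actually holds after a toggle like this: `usermod -p` stores its argument verbatim as the encrypted field, so a raw random string written there does not give the account a password, it leaves a value no login can match. The function names and the sample shadow lines are constructed for this example.

```shell
#!/bin/sh
# Classify the password field of an /etc/shadow entry (added example, not the
# post's script). Run it over a saved copy of /etc/shadow to see whether each
# protected user holds a real crypt(3) hash, a lock marker, or junk.

# Print the kind of the second (password) field of one shadow(5) line.
shadow_field_kind() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case $field in
        '')                  echo empty ;;        # passwordless: worst case
        '*' | '!' | '!!')    echo locked ;;       # conventional lock markers
        '!'*)                echo locked-hash ;;  # passwd -l: hash kept behind '!'
        '$1$'* | '$5$'* | '$6$'* | '$y$'* | '$2'[abxy]'$'*)
                             echo hash ;;         # md5/sha256/sha512/yescrypt/bcrypt
        *)                   echo unusable ;;     # not crypt(3) output: nobody can log in
    esac
}

# Print "user kind" for every shadow line on stdin.
audit_shadow() {
    while IFS= read -r line; do
        user=${line%%:*}
        printf '%s %s\n' "$user" "$(shadow_field_kind "$line")"
    done
}

# Constructed sample; the hashes are placeholders, not real crypt output.
# The akau line shows what the unhashed version of the toggle would write.
sample_shadow='root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
todd:!$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
akau:Xk9/aZ3.Qw$Lp7vTb2.Rn:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::'

printf '%s\n' "$sample_shadow" | audit_shadow
```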
I just completed an upgrade install of my basement linux server. The whole setup runs behind a NAT’d LAN, so I chose one IP on my private network to receive all public traffic.
I did a parallel install on new hardware of my original system. I installed the Debian base system, then copied all my configs and etc from the original system (which remained up for the full install). Once I had security set up as I would like on the new system, I locked my root account, changed my password to something secure (for use via sudo), started SSH, and then just switched the IPs of my servers.
You should never, ever have an internet-facing machine with running services and no firewall. If you’re doing an install with a crappy password for convenience, make sure to turn off SSH and every other service. The truly paranoid don’t even connect an Ethernet cable until the entire install is done! :)
Yeah, I thought about this way too late. I’ve done reinstalls enough times that I thought I’d push the fold this time. I know people that won’t install a distro from a livecd that does a net install (most livecds are pretty insecure). Blocking ssh wasn’t a deal because it wasn’t installed yet, but I almost do nothing without a firewall. Whoops :)
Pwgen…..
I’m a bit leery about folks that don’t leave their links, Drax. Care to elaborate on that?