Category Archives: Linux

Secure/Lock accounts with PAM tally2

pam_tally2 is a PAM module that keeps a per-user count of failed login attempts: it can reset the count on success and deny access when too many attempts fail.

This module is unique because it covers not just remote connections but also ttys and any other system login method, since they all go through PAM.

Example from a tty:


Some parameters:

  1. deny: number of failed attempts after which access is blocked
  2. unlock_time: how long access stays blocked, in seconds
  3. even_deny_root: root is excluded by default; set this parameter to make tally2 count for root too
  4. root_unlock_time: same as unlock_time, but for root only
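To see how these four parameters interact, here is an added Python model of the counter (an illustration written for this page, not pam_tally2's own code; the user names and timestamps it is exercised with are constructed):

```python
import time


class Tally2:
    """Simplified model of pam_tally2's per-user failure counter (constructed
    illustration, not the module's own code) covering the four parameters above:
    deny, unlock_time, even_deny_root and root_unlock_time."""

    def __init__(self, deny=5, unlock_time=None, even_deny_root=False,
                 root_unlock_time=None):
        self.deny, self.unlock_time = deny, unlock_time
        self.even_deny_root, self.root_unlock_time = even_deny_root, root_unlock_time
        self.tally = {}  # user -> (failure count, time of last failure)

    def _counted(self, user):
        # root is excluded unless even_deny_root is set
        return user != "root" or self.even_deny_root

    def is_locked(self, user, now):
        count, last = self.tally.get(user, (0, 0))
        if not self._counted(user) or count < self.deny:
            return False
        window = self.unlock_time
        if user == "root" and self.root_unlock_time is not None:
            window = self.root_unlock_time
        if window is None:
            return True  # no unlock_time: stays locked until an admin resets it
        return now - last < window

    def attempt(self, user, password_ok, now=None):
        """Return True if the login is allowed; models the auth line (counting)
        together with the account line (denying) of the PAM stack."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return False  # even a correct password is refused while locked
        if password_ok:
            self.tally.pop(user, None)  # success resets the counter
            return True
        count, _ = self.tally.get(user, (0, 0))
        self.tally[user] = (count + 1, now)
        return False

    def reset(self, user):
        """Equivalent of `pam_tally2 --user USER --reset`."""
        self.tally.pop(user, None)
```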


Example PAM config:


To cover tty access we have to configure the tally2 module in /etc/pam.d/system-auth:


Here is our final layout for system-auth:

To cover the remote connections that use passwords, for example sshd, we configure /etc/pam.d/password-auth with tally2:


Notice that we have done two things: one in the auth interface, which verifies the account, and a second in the account interface, which reflects the lock in the account's permissions.


Here is some output from /var/log/secure:


As you see, tally2 kills the connection 🙂

For manual interaction with the tally2 counter there is a command called pam_tally2.

To clear a user's failure counter:


Password policy with pam_cracklib

The cracklib PAM module checks a password against a dictionary list, lets you check the strength of the password, and lets you set rules that identify poor passwords.


Here are the most important parameters for this module:

  1. minlen: minimal password length
  2. dcredit: maximum number of digits
  3. ucredit: maximum number of uppercase letters
  4. lcredit: maximum number of lowercase letters
  5. ocredit: maximum number of other characters, not similar to the old one
  6. maxrepeat: limit on repeated characters
  7. reject_username: checks whether the username appears inside the password, to avoid weak accounts such as bob/bob or bob/bob123
  8. enforce_for_root: this is the most important one. Why? Because if you don't apply it, users will just see the warning and whatever password they chose will be applied; with this parameter they are forced to follow our policy 😉
  9. dicpath: points cracklib at a specific password database. I recommend the rockyou database because it contains many leaked passwords and is used by many attackers to brute-force systems. Example: dicpath=/var/wordlist/rockyyou.txt
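As an added example (not the module's code), here is a simplified Python re-implementation of how pam_cracklib applies minlen with credits, maxrepeat, reject_username, a dictionary lookup and the old-password similarity check, returning the kind of reasons the BAD PASSWORD messages report; the wordlist and the passwords it is tried on are constructed.

```python
import re

# Constructed mini wordlist standing in for the file that dicpath would point at.
WORDLIST = {"password", "letmein", "welcome", "dragon"}


def class_counts(pw):
    """Digits, uppercase, lowercase and other characters in pw."""
    return {"d": sum(c.isdigit() for c in pw), "u": sum(c.isupper() for c in pw),
            "l": sum(c.islower() for c in pw), "o": sum(not c.isalnum() for c in pw)}


def check_password(new, username, old=None, minlen=12, dcredit=1, ucredit=1,
                   lcredit=1, ocredit=1, maxrepeat=3, reject_username=True, difok=5):
    """Return the reasons a candidate password fails (empty list = accepted).
    Simplified re-implementation of pam_cracklib's rules, not the module's code."""
    reasons = []
    counts = class_counts(new)
    # minlen with credits: a positive credit lets up to that many characters of a
    # class add one point each; a negative credit demands at least that many.
    score = len(new)
    for cls, credit in zip("dulo", (dcredit, ucredit, lcredit, ocredit)):
        if credit >= 0:
            score += min(counts[cls], credit)
        elif counts[cls] < -credit:
            reasons.append("needs at least %d character(s) of class %s" % (-credit, cls))
    if score < minlen:
        reasons.append("it is too short")
    if maxrepeat and re.search(r"(.)\1{%d,}" % maxrepeat, new):
        reasons.append("contains too many same characters consecutively")
    if reject_username and username.lower() in new.lower():
        reasons.append("contains the user name in some form")
    low = new.lower()
    if low in WORDLIST:
        reasons.append("it is based on a dictionary word")
    elif low[::-1] in WORDLIST:
        reasons.append("it is based on a (reversed) dictionary word")
    # difok: at least this many characters of the new password must be absent
    # from the old one (set-based approximation of cracklib's similarity test)
    if old is not None and len(set(new) - set(old)) < difok:
        reasons.append("is too similar to the old one")
    return reasons
```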


Time to deploy our password policy.

We want to apply this to new passwords; we can also force the users to update their passwords at their next login with this command:

This command has a high impact: it finds all users with a bash shell and forces them to update their password, even root. You can exclude root by piping the output of grep through grep -v root.

Example result:

We will use the passwd module inside /etc/pam.d/passwd to add our new policy:


Here is the output of different failed password changes:

BAD PASSWORD: is too similar to the old one
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: it is based on a (reversed) dictionary word
BAD PASSWORD: it is too short


Pluggable Authentication Modules

Linux comes with PAM modules that help you interact with running services in a hardening-oriented way and customize the security of each service as you need.

PAM is an extra layer of rules controlling the user-facing interfaces (auth, account, session) of applications.

The applications/services must be compiled against libpam.so.

Here is an example for the sshd service:


users in shadow file explanation

This article explains /etc/shadow.

This file contains the users' password information.

Example of a user's data:

username -> n1x
password -> $6$UoDmVdoW$tYQQm5uHgOpeEKPygIaQ1GM/0IBbdYVrLHu8ZYF5pT17D3VM.FFKa2wS8J6gqbGKC2IpgImXy7SYVJK9r/fdw.
last password change, in days since 1970-1-1 -> 16631

You can calculate the date simply in Python.

minimum password age -> 7
maximum password age -> 15
warning days -> 2
inactive days -> 14
expiration date -> 16819

We can list or modify a user's aging settings with the chage command.
Example:

To set default values for all users you can use /etc/login.defs:

# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 30
PASS_MIN_DAYS 10
PASS_MIN_LEN 10
PASS_WARN_AGE 1
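As an added example (not from the article), here is a Python parser for one shadow record that converts the day counts above into the dates chage -l prints, decides whether the account is usable on a given day, and flags aging fields that are more permissive than the login.defs policy; the record and the defaults dictionary are constructed from the values shown above.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")
# Constructed record assembled from the field values shown in the article's example.
SHADOW_LINE = ("n1x:$6$UoDmVdoW$tYQQm5uHgOpeEKPygIaQ1GM/0IBbdYVrLHu8ZYF5pT17D3VM."
               "FFKa2wS8J6gqbGKC2IpgImXy7SYVJK9r/fdw.:16631:7:15:2:14:16819:")
# Constructed defaults, matching the /etc/login.defs snippet above.
LOGIN_DEFS = {"PASS_MAX_DAYS": 30, "PASS_MIN_DAYS": 10, "PASS_WARN_AGE": 1}


def days_to_date(days):
    """Convert a shadow day count (days since 1970-01-01) to a calendar date."""
    return EPOCH + timedelta(days=int(days))


def parse_shadow(line):
    """Split one /etc/shadow record into a dict; empty numeric fields become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d colon-separated fields" % len(FIELDS))
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:
        rec[key] = int(rec[key]) if rec[key] else None
    return rec


def aging_report(rec, today):
    """Derive the dates `chage -l` prints and whether the account is usable on `today`."""
    last = days_to_date(rec["lastchg"])
    pw_expires = last + timedelta(days=rec["max"]) if rec["max"] is not None else None
    inactive_from = (pw_expires + timedelta(days=rec["inactive"])
                     if pw_expires and rec["inactive"] is not None else None)
    acct_expires = days_to_date(rec["expire"]) if rec["expire"] is not None else None
    usable = not rec["hash"].startswith(("!", "*"))  # '!'/'*' prefix = locked/no login
    if acct_expires and today >= acct_expires:
        usable = False
    if inactive_from and today >= inactive_from:
        usable = False
    return {"last_change": last, "password_expires": pw_expires,
            "inactive_from": inactive_from, "account_expires": acct_expires,
            "usable": usable}


def weaker_than_defaults(rec, defs=LOGIN_DEFS):
    """Aging fields of this record that are more permissive than the login.defs policy."""
    rules = (("max", "PASS_MAX_DAYS", lambda v, d: v > d),
             ("min", "PASS_MIN_DAYS", lambda v, d: v < d),
             ("warn", "PASS_WARN_AGE", lambda v, d: v < d))
    return [f for f, k, worse in rules if rec[f] is None or worse(rec[f], defs[k])]
```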

AIDE : Intrusion Detection Environment

This article is about intrusion detection for file system changes, such as modifications or ownership changes, on critical files or directories in our environment.

We use a software called AIDE:

Advanced Intrusion Detection Environment
This software is based on a library called mhash, which is used to calculate file hashes,
and AIDE saves the file info inside its DB in base64 format.
Which information is saved depends on the AIDE configuration file.

Example of the default info for the Linux image file:

Let's decode this:

Persistent mount for luks with unlock Key

creating a encrypted disk with luks

Our little problem here is mounting an encrypted disk automatically on boot,

so there is no need to enter the passphrase for mounting. This is risky if the machine is stolen, because we will use a key stored inside the system, and it will be leaked along with the stolen machine.

So let's do it. First we have to create a key and add it to our partition.

To create a key:

Don't forget to set the key file permissions to 600.


Linux Disk Encryption with LUKS

Today we are going to make an encrypted disk partition.

First, prepare our partition.

I have a new disk at /dev/sdb.

I will create a partition 100 on it with fdisk


RPM integrity and scripts

Yum repositories come with GPG and MD5 support to verify the validity of a package.

You can list the GPG keys installed on your system via:

It will show the unique id of the keys installed on your system:

gpg-pubkey-e8562897-459f07a4
gpg-pubkey-217521f6-45e8a532

To list all information related to a key:
rpm -qi pgp-key-unique-id


It will show version, vendor and much more, useful for debugging.
To verify a package against the installed keys,

you can use the -K parameter with rpm:


RedHat Packaging Security with yum

RedHat comes with a mitigation package type called RHSA (RedHat Security Advisory).

Each RHSA comes with a unique id, like a CVE, contains the date of the fix, and these packages come for the applications shipped by RedHat.

Example: RHSA-2015:0291
To list available updates for an application:

For quick installation of security patches:
