Thanks a lot, Brian!
I miss such info, would be good to have better knowledge of BQ internals.
Best,
--
Arthur Sherman
> -----Original Message-----
> From: Brian N. Smith [mailto:brian (at mark) nuonce.net]
> Sent: Friday, July 06, 2007 4:53 AM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:10325] Added "Security" to your system.
>
> 100% of the people who use BlueQuartz are 50% there to
> hacking your system! (Yikes). How? They know your "admin"
> and "root" accounts exist. So, how does one overcome this?
>
> Now, this is NOT foolproof by any means. It will aid you
> though in securing your system!!!
>
> **** NOTICE ****
>
> I did this on a TEST system. Highly controlled environment (VMWare).
> Please follow each and every step line by line. It "should"
> work for you without any issues. If "worst case scenario"
> happens, you can single boot your system, undo the changes,
> and be back up and running.
> Most importantly! MAKE BACKUPS. That is going to be the
> FIRST part in this little how-to. If you don't, and you mess
> it up, I am sorry!!
>
> **** NOTICE ****
>
> 0 - MAKE BACKUPS.
>
> mkdir /my-system-backup-file
> cp /etc/passwd /my-system-backup-file
> cp /etc/shadow /my-system-backup-file
> cp /etc/ssh/sshd_config /my-system-backup-file
>
>
> 1 - Login as "admin" and create a new "Server Administrator".
> Give it a great name, something NOT in a dictionary. For
> example purposes, I named mine "master_trader" (not really,
> but sounds stupid).
>
> 2 - Give him "full" access to your box, meaning, select ALL
> permissions.
>
> 3 - Give him a great, hard to guess password. Alphanumeric,
> use special characters, like 10 digits long.
>
> 4 - Give him a test. Make sure that you can login to the system.
>
> 5 - Let's give him more "GOD" like powers.
>
> cd /usr/sausalito/codb/objects/
> search "master_trader"
>
> Look for a file called ".fullName" .. That is "DOT" then fullName.
>
> Change into that sub directory
>
> Create a new file called ".systemAdministrator". Put a "1"
> in it. To make life easier, copy & paste the next line
>
> echo "1" > .systemAdministrator
>
> 6 - Let's modify the Server Admin page so that our new "admin"
> user can access it.
>
> pico /usr/sausalito/ui/web/base/vsite/adminList.php
>
> Near the "top", locate the following code and change the
> "admin" to your new user
>
> // Only admin should be here
> if ($loginName != "admin") {
> header("location: /error/forbidden.html");
> return;
> }
>
> 7 - Let's "disable" the following users: root, admin, root-admin.
>
> Change their "shell" from "/bin/bash" to "/bin/false".
> usermod -s /bin/false root
> usermod -s /bin/false root-admin
> usermod -s /bin/false admin
>
> Now disable their accounts as well.
>
> Edit the "/etc/shadow" file, and between the 1st and 2nd
> colon, remove the garbage and put a "*" in there instead.
>
> The users "root, root-admin, admin" can NO longer log into
> your system, BUT all applications still run.
>
> 8 - Optional, but I recommend it.
>
> Since the new user you created is stored in the PAM database,
> and we have seen it has the ability to get corrupted, I would
> recommend changing SSH to allow "root" to login. NOW, since
> we technically do NOT have a user called "root", but a user
> called "root-master_trader", it will be a BIT (not entirely) safer.
>
> pico /etc/ssh/sshd_config
>
> Search for: "PermitRootLogin no"
> Change to "PermitRootLogin yes"
>
> Save and restart SSH
>
> /etc/rc.d/init.d/sshd restart
>
> Now, try to log in as that user. It should work now, without
> any issues. This will help, should your PAM database ever
> get corrupted.
> You can still log into your system and recover without any issues!!
>
> 9 - Optional, BUT, I do recommend it.
>
> Now, even though your new user, NO ONE should "hopefully"
> guess, But, I hate the "root-" in front of it. So, I would
> recommend changing it.
> IT can NOT be the same as the "master_trader", so think of a
> 2nd secure name. Make sure it is hard to guess!!!
>
> usermod -l NEWUSERNAMEHERE master_trader
>
> Now there you go. You have two new users on your system.
> You got rid of "root", the #1 known super user account. You
> got rid of "admin" & "root-admin", which are highly known
> Cobalt / BlueQuartz usernames and passwords. And you have
> made your system that much more secure. If you build your
> new users to be something like "brian" or "joe", or any short
> word that is commonly known, that is your bad, and you will be hacked!
>
> Good luck to you!
>
> Thanks,
> Brian N. Smith
>
>
>
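
One way to check the state that steps 7 and 8 of the quoted how-to aim for, as an added example that is not part of Brian's message or of BlueQuartz itself. It reads copies of passwd, shadow and sshd_config and reports whether each account can still log in; the function names, the list of non-login shells and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only audit of the state steps 7 and 8 describe.

# account_state NAME PASSWD SHADOW -> prints locked | open | missing
account_state() {
    # Succeeds only if NAME has an entry in the passwd-format file.
    awk -F: -v u="$1" '$1 == u { f = 1 } END { exit !f }' "$2" ||
        { echo missing; return 0; }
    shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")   # login shell
    pwhash=$(awk -F: -v u="$1" '$1 == u { print $2 }' "$3")  # password field
    # A usable shell still allows logins that bypass the password (SSH keys).
    case $shell in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) echo open; return 0 ;;
    esac
    # "*" or a leading "!" can never match a typed password.
    case $pwhash in
        '*'|'!'*) echo locked ;;
        *) echo open ;;
    esac
}

# permit_root_login SSHD_CONFIG -> first active value, or "unset".
# sshd keeps the first value it reads for a keyword; "#" lines are comments.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); f = 1; exit }
         END { if (!f) print "unset" }' "$1"
}

# Constructed sample files (not taken from a real system).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/false
root-admin:x:110:110::/home/root-admin:/bin/false
admin:x:500:500::/home/admin:/bin/bash
EOF
cat > "$tmp/shadow" <<'EOF'
root:*:13700:0:99999:7:::
root-admin:$1$constructed$notarealhash:13700:0:99999:7:::
admin:*:13700:0:99999:7:::
EOF
printf '#PermitRootLogin no\nPermitRootLogin yes\n' > "$tmp/sshd_config"

for u in root root-admin admin master_trader; do
    printf '%-16s %s\n' "$u" "$(account_state "$u" "$tmp/passwd" "$tmp/shadow")"
done
printf '%-16s %s\n' PermitRootLogin "$(permit_root_login "$tmp/sshd_config")"
```

In the sample, only `root` has both halves of step 7 applied; `root-admin` keeps a password hash and `admin` keeps `/bin/bash`, so both are reported as open.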