
Enterprise Unix Roundup: Paradigm Wars II, Pass the Hubris Page 2

Written by Michael Hall
Jul 20, 2010



Security Roundup

  • Several vendors released patches for assorted vulnerabilities in the Linux kernel, including Debian (1, 2, 3), Mandrake, and SUSE. Although the vulnerabilities addressed vary, all involve potential root compromises.
  • OpenPKG and Debian released MySQL patches to address a bug that could allow malicious users to overwrite files with the permissions of the MySQL owner (which is often the root user).
  • Several vendors also patched a vulnerability in the version control software CVS that could allow a malicious user to create any file on the local user’s disk. Look for patches from OpenPKG, Mandrake, SUSE, and Red Hat.
  • HP released a patch for systems using IPsec/IKE (Internet Key Exchange) that are vulnerable to an exploit that could lead to a root compromise.

Tips of the Trade

One of the tools the blackhats used in that crack attack was a piece of software called “John the Ripper” (“John” henceforth). Some reports call John “sophisticated” and say it “sniffs” passwords. While we don’t want to take anything away from its developers, John isn’t particularly exotic, and it doesn’t so much “sniff” passwords as throw itself at the system password file with a brute-force dictionary attack, looking for weak passwords.

John is, in fact, so common that the best way to keep it from having its way with your own password file is to first use it to audit users’ passwords — before a malicious user compromises an account (using a weak password, for example) and does it for you.

A visit to the John the Ripper home page provides download information. Versions are available for a wide variety of Unix and Linux variants as well as OpenVMS, Microsoft Windows, and a few others.

You can also take a look at crack, which does much the same thing and has the benefit of being one of the snarkiest FAQs on the ‘net. Snark aside, the FAQ provides download links and some useful information about how to get it up and running on your system.

Both programs can ensure that your users aren’t creating the dreaded “plain English password.”

Finally, consider installing pam_passwdqc, a module that runs in conjunction with PAM to check the strength of passwords users enter using the passwd command. Among this module’s tricks is the ability to detect whether a user’s new password is too similar to the last one as well as the ability to offer a randomly generated choice to users when they run passwd.
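To make the checks just described concrete, here is an added Python model of what a pam_passwdqc-style password quality filter does (this is example code, not the article’s or the passwdqc project’s): a minimum length that scales with the number of character classes, a dictionary test of the kind John exploits, a similarity test against the previous password, and a random suggestion. The word list, the `min` thresholds and the leet-speak mapping are this example’s own assumptions.

```python
import re
import secrets
import string
# Constructed stand-in for a cracking wordlist; real audits use far larger ones.
DICTIONARY = {"password", "letmein", "welcome", "qwerty", "dragon", "monkey", "summer"}
# Constructed word pool for the random suggestion (not passwdqc's own list).
POOL = ["apple", "river", "candle", "orbit", "velvet", "marble", "tundra", "copper"]
# Minimum length by character-class count; single-class passwords are refused outright.
# The sliding scale mirrors pam_passwdqc's "min=" option, but the numbers are this example's.
MIN_LEN = {2: 24, 3: 11, 4: 8}
# Substitutions crackers try routinely; undone before the dictionary lookup.
LEET = str.maketrans("@03$571!", "aoesstli")
def char_classes(pw):
    """Count how many of lower/upper/digit/symbol occur in pw."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
def normalize(pw):
    """Lower-case, strip leading/trailing digits and punctuation, undo leet-speak."""
    return pw.lower().strip(string.digits + string.punctuation).translate(LEET)
def longest_common_substring(a, b):
    """Length of the longest run shared by a and b (classic DP)."""
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best
def too_similar(new, old):
    """True when new shares a long run with old or with old reversed."""
    n, o = new.lower(), old.lower()
    limit = max(4, len(o) // 2)
    return max(longest_common_substring(n, o), longest_common_substring(n, o[::-1])) >= limit
def check_password(new, old=None):
    """Return None if new is acceptable, otherwise the reason it is rejected."""
    classes = char_classes(new)
    if classes < 2:
        return "fewer than two character classes"
    if len(new) < MIN_LEN[classes]:
        return f"too short for {classes} classes (need {MIN_LEN[classes]})"
    if normalize(new) in DICTIONARY:
        return "based on a dictionary word"
    if old is not None and too_similar(new, old):
        return "too similar to the previous password"
    return None
def random_passphrase(words=3):
    """Offer a random choice, as pam_passwdqc does at the passwd prompt."""
    return " ".join(secrets.choice(POOL) for _ in range(words))
```

Note that “P@ssw0rd1” passes the length and class tests but is still rejected once the leet substitutions are undone, which is exactly the kind of password a dictionary run catches first.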

Michael Hall is a ServerWatch contributor.
