LPI 101-500 – 110.2: Securing a computer
- /etc/nologin, xinetd, systemd.socket
In topic 107.1 we talked, among other things, about the /etc/passwd file. There I demonstrated how you can prevent a certain user from logging into the system. To recall: many users here are not allowed to log in, for example the user bin, because /usr/sbin/nologin is entered instead of a login shell. This tells the system that this user is not authorized to log in. There is another way to prevent logins globally, for example because you notice that someone is trying to break into the system. For this, a file called /etc/nologin simply has to be created. It does not even need any content, but content may be put in it as a kind of message that users see when they try to log in.
If the file /etc/nologin exists, nobody can log on to the system except root. But be careful: please do not try this on a live system. On my Ubuntu, for example, root is deactivated by default, or more precisely, the direct login as root is deactivated by default. But you can activate it as follows: simply use sudo su -, then we are root. Now we have to create a password for root: passwd root. We enter a new password, and the password is updated successfully. Exit. Now we try to log in directly as root, and a direct login as root is now possible. Okay, now let's create the file /etc/nologin with sudo vi /etc/nologin, and maybe I enter a little text: "You cannot log in at the moment."
That's it. If I now log off from the system, let's try it with "switch user", for example. Now we are logged off, and you see: "You cannot log in at the moment." I don't do anything, as you see here. And if I try to use my password, you see that I cannot log in anymore. Since you cannot type in the user name yourself with this Ubuntu version but can only select it, I can only select my own user here. I have no possibility to choose another user or root, so I have locked myself out of the system. Fortunately, the /etc/nologin file is automatically removed after a restart, so restart the system once and we will get back in. Alternatively, you can of course log in as root on a console and remove the file manually.
Now I have restarted my system and the login is possible again. Let's see what the content of our /etc/nologin file is, and you can see that this file was deleted automatically because of the restart. There was already a detailed video about the files /etc/passwd and /etc/shadow. As a reminder, the /etc/passwd file contains the user accounts, including the password field. The password is represented by an x, which means that the password is in the /etc/shadow file. The password is stored in encrypted (hashed) form in the /etc/shadow file. I activated my root user beforehand by assigning it a password; now I want to deactivate root again, as it should be by default on Ubuntu systems.
To do this, we edit the /etc/shadow file and replace the encrypted password with an exclamation mark: sudo vi /etc/shadow. Here the first line is root, and here we have our encrypted password. We simply delete it, put in the exclamation mark, and test whether we can still log in as root. And believe me, that was the correct password, but we get an authentication failure. That's because we changed the password of root in the /etc/shadow file. The overview for this chapter also includes the directory /etc/init.d and the file /etc/inittab. We talked about these in detail in previous lessons. In the directory /etc/init.d you can find services and functions that are started by the system. Here we could deactivate the services that we do not use: the fewer services running, the less attack surface the system offers.
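As an added example (my own script, not from the video), the following shell function lists which accounts can still log in interactively by checking the two mechanisms shown above: a nologin or false shell in /etc/passwd and a locked hash (starting with "!" or "*") in /etc/shadow. It runs against constructed sample files, and the function name and sample directory are my own choices.

```shell
#!/bin/sh
# Added example: report accounts that are neither blocked by their login shell
# nor locked in the shadow file. File paths are parameters so the check can
# run against copies of the real files or the constructed samples below.

# usage: interactive_accounts PASSWD_FILE SHADOW_FILE
# prints one "user:shell" line per account that could still log in, sorted
interactive_accounts() {
    awk -F: '
        # first file (shadow): remember the hash field of every user
        NR == FNR { hash[$1] = $2; next }
        # second file (passwd): field 7 is the login shell
        {
            user = $1; shell = $7
            # nologin / false as shell: the "shell" itself refuses the login
            if (shell ~ /(nologin|false)$/) next
            # "!" or "*" at the start of the hash: account is locked
            if (hash[user] ~ /^[!*]/) next
            print user ":" shell
        }
    ' "$2" "$1" | sort
}

# constructed sample files standing in for /etc/passwd and /etc/shadow
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/zsh
svc:x:1002:1002:Service:/srv:/bin/false
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:!$6$constructedhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
alice:$6$constructedhash:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
svc:$6$constructedhash:19000:0:99999:7:::
EOF

# root is locked with "!", bin has nologin, bob is locked, svc has /bin/false:
# only alice remains -> prints "alice:/bin/bash"
interactive_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
```

On a real system run it as root against /etc/passwd and /etc/shadow; a user that shows up unexpectedly is a candidate for the nologin shell or the "!" lock shown above.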
The number of possible consoles could be limited to one in the /etc/inittab file. This prevents you from having multiple consoles open and forgetting to log off from one of them, which is also a security risk. We come to the so-called super daemon xinetd. xinetd is the successor to inetd, but it is no longer part of the exam. xinetd stands for extended Internet services daemon. xinetd manages Internet-based connections in a secure manner: it monitors certain ports, and if there is a request to the corresponding port, xinetd starts the associated service. It also makes various things available, such as the possibility of allowing certain services only at certain times, or defense mechanisms against different types of attacks.
The predecessor inetd could not protect services itself; inetd used the so-called TCP wrapper, tcpd. xinetd, on the other hand, has an integrated TCP wrapper. xinetd is not installed by default on my Ubuntu, which is why I will do it now: sudo apt install xinetd. The main configuration file of xinetd is /etc/xinetd.conf. So let's take a quick look, and we see that the file actually only contains an include command for the directory /etc/xinetd.d; the other entries are commented out here, so they are not active. So let's look into this folder, /etc/xinetd.d. Here we can see various files that xinetd uses. Even if we do not have to configure xinetd for the exam and do not have to completely master these files, it still makes sense to take a quick look at what such a file looks like.
So let's, for example, use the file time. By default, all services are deactivated; to activate a service we just have to set the value disable to no. xinetd works with the two files /etc/hosts.allow and /etc/hosts.deny, just like inetd did before. With the help of these two files xinetd can be configured: here we can tell the program which accesses are allowed and which accesses are prohibited. It is important to note that the /etc/hosts.allow file takes precedence over the /etc/hosts.deny file. So if something is forbidden in hosts.deny but also allowed in hosts.allow, then it is allowed, because hosts.allow always takes precedence over hosts.deny. Both files should be empty, if they exist at all.
Let's take a look: sudo vi /etc/hosts.allow. It's empty. Let's check the other one. In order to secure the system as well as possible, we should first of all prohibit everything that is not expressly permitted. To do this, we edit the /etc/hosts.deny file, vi /etc/hosts.deny, and enter ALL: ALL. This means that all clients (the second ALL) are denied access to all services (the first ALL). In order to allow individual services, we have to edit /etc/hosts.allow, vi /etc/hosts.allow, and here we could add something like this, for example ALL: LOCAL. This entry means that all local clients, so clients within their own network, have access to all services.
Instead of LOCAL, we can also enter individual host names or IP addresses or entire address ranges, and instead of ALL we could address individual services. But this would lead too far for the LPIC-1 exam; a more complex configuration is not required. Finally, let's take a look at the systemd socket. What is a systemd socket? systemd.socket is a systemd unit type and works similarly to a TCP wrapper: a systemd socket provides the sockets for the corresponding service units. We change to the following directory: /etc/systemd/system/sockets.target.wants. Here we see the already configured sockets, and with vi we can take a closer look, for example at uuidd.socket, and you can see the content of this file. However, what all of this is and what it does is not relevant for the exam.
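The hosts.allow / hosts.deny evaluation order explained above (hosts.allow first, then hosts.deny, otherwise allow), as an added example of my own rather than code from the video: a small shell emulation that reads the ALL: ALL and ALL: LOCAL rules from constructed sample files and decides for a given service and client. It supports the wildcards ALL and LOCAL, exact host names or addresses and dotted network prefixes such as "192.168.1."; the real hosts_access syntax has more forms, and the function names and sample values are my own.

```shell
#!/bin/sh
# Added example: emulate the decision order of the TCP wrapper (tcpd, or the
# wrapper built into xinetd) for /etc/hosts.allow and /etc/hosts.deny.

# does one client pattern match the client ($1 = pattern, $2 = hostname or IP)?
client_matches() {
    case "$1" in
        ALL)   return 0 ;;                                    # every client
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;  # name without a dot
        *.)    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;; # "192.168.1." prefix
        *)     [ "$1" = "$2" ] ;;                             # exact host or address
    esac
}

# does rule file $1 contain a "daemons : clients" line matching service $2, client $3?
rule_matches() {
    [ -f "$1" ] || return 1
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while IFS=: read -r daemons clients _; do
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                client_matches "$c" "$3" && echo match
            done
        done
    done | grep -q match
}

# wrapper order: a hosts.allow match wins, then hosts.deny is checked, else access is granted
# usage: access_decision SERVICE CLIENT HOSTS_ALLOW_FILE HOSTS_DENY_FILE -> prints allow|deny
access_decision() {
    if rule_matches "$3" "$1" "$2"; then echo allow
    elif rule_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# constructed sample rule files mirroring the video's "deny everything, allow local" setup,
# plus one extra allow line for a single network prefix
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'ALL: ALL\n' > "$SAMPLE_DIR/hosts.deny"
printf 'ALL: LOCAL\nsshd: 192.168.1.\n' > "$SAMPLE_DIR/hosts.allow"

access_decision sshd workstation  "$SAMPLE_DIR/hosts.allow" "$SAMPLE_DIR/hosts.deny"  # allow (LOCAL)
access_decision sshd 192.168.1.7  "$SAMPLE_DIR/hosts.allow" "$SAMPLE_DIR/hosts.deny"  # allow (prefix)
access_decision ftpd 203.0.113.9  "$SAMPLE_DIR/hosts.allow" "$SAMPLE_DIR/hosts.deny"  # deny (ALL: ALL)
```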