- Oracle 11g Anti-hacker's Cookbook
- Adrian Neagu
- 1160字
- 2021-08-05 18:41:32
Enforcing the use of strong passwords and restricting the use of previous passwords
It is essential to establish an effective security policy for Oracle software owner users. In this recipe we will talk about managing complex password rules that can primarily prevent brute force attacks. Restriction of using previous passwords and too similar passwords is an additional security measure which can be implemented to prevent undesired access into the system.
Password rule checking and restriction of the use of previous passwords is performed by Pluggable Authentication Module, or simply known as PAM, discussed in this recipe. In these days PAM is available and used on all major Linux and Unix distributions. The differences in implementation on these platforms are minimal.
Getting ready
All steps will be performed on the database server host nodeorcl1.
How to do it...
- As the user
rootopen/etc/pam.d/system-authfor editing. Modify the line that begins withpassword requisite pam_cracklib.so, with the following line:password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 - Save and close the file. At this step you can try to set some weak passwords, such as dictionary-based or very short passwords to verify that the defined rules are enforced.
- If the password enforcement rules are working, login as the
oracleuser and change the password to a strong password, such asof24UT()next(1)=2:[oracle@nodeorcl1 ~]$ passwd Changing password for user oracle. Changing password for oracle (current) UNIX password: New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully.
- At this step we will set up the restriction for using previous passwords. First create
/etc/security/opasswdfile and set its permission to600. This file will retain the used password history for comparisons:[root@nodeorcl1 security]# touch /etc/security/opasswd ; chmod 600 /etc/security/opasswd - Open the
/etc/pam.d/system-authfile and modify the line added in step 4 by appending thedifokparameter andrememberparameter at the end of the line beginning withpassword sufficient pam_unix.soas follows:password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1 difok=6 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=10
- Login as
oracleand change the password. Try to set the password as the same password used before. The PAM module will detect that the password is unchanged as we can see from the following listing:[oracle@nodeorcl1 ~]$ passwd Changing password for user oracle. Changing password for oracle (current) UNIX password: New UNIX password: Password unchanged New UNIX password
- Next, type a password with only two characters, difference. We will get a message that will tell us that the password is too similar to the old one:
[oracle@nodeorcl1 ~]$ passwd Changing password for user oracle. Changing password for oracle (current) UNIX password: New UNIX password: BAD PASSWORD: is too similar to the old one Finally use a strong password (Ty%u60i)R_"Wa?) with more than three different characters as follows: [oracle@nodeorcl1 ~]$ passwd Changing password for user oracle. Changing password for oracle (current) UNIX password: New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully. [oracle@nodeorcl1 ~]$
Note
It is highly recommended to perform security assessments regularly on your system. To check your real password's strength you should try to use a password cracker.
For a list and description of some of the best available password crackers consult http://nrupentheking.blogspot.com/2011/02/best-password-crackers-in-hackers.html.
Some recommendations for generating strong passwords:
- Strong passwords should contain lowercase, uppercase, special characters (such as@,&,},?, and !), high ASCII code characters (such as ? and ?), or unicode characters (such as ?, and ?).
- Divide your password in to more than 2 or 3 groups and use special characters, high ASCII codes, or Unicode characters as delimiters for groups (for example: u6Yi5@My1k!P;m8U where @,!, and ; are delimiters).
- Use more than 8 characters; 15-20 is a good number to prevent brute-force attacks. A brute force cracker program will need exponentially more time to break a password directly proportional with the password length.
- Do not use more that 40 percent numbers in your password.
- Avoid dictionary words.
How it works...
The Linux PAM module pam_cracklib.so checks the password against dictionary words and other constraints using minlen, lcredi, ucredi, dcredit, and ocredit parameters, which are defined as follows:
- minlen: Minimum length of password. In our case must be 12.
- lcredit: Minimum number of lower case letters. In our case must be 2.
- ucredit: Minimum number of upper case letters. In our case must be 2.
- dcredit: Minimum number of digits. In our case must be 1.
- ocredit: Minimum number of other characters. In our case must be 1.
To restrict the use of a previous password, the system must save the used passwords to use them for comparison. The file used for storing previous passwords is called opasswd. In case it does not exist, it must be created in the /etc/security directory. The restrict enforcement is performed in stacking mode by combining the remember parameter of the pam_unix.so module with the difok parameter of the pam_cracklib.so module. The remember parameter will configure the number of previous passwords that cannot be reused, and difok is used to specify the number of characters that must be different between the old and the new password.
PAM configuration files on Red Hat Linux and variants are located in /etc/pam.d directory. The service shares the same name as the application designed to authenticate; for example the PAM configuration file for the su command is contained in a file with the same name (/etc/pam.d/su).
Next, we will take a look at the PAM configuration file format. To understand this we will use the line corresponding to the password module modified in this recipe:
password requisite pam_cracklib.so try_first_pass retry=3 minlen=12 lcredit=-2 ucredit=-2 dcredit=-1 ocredit=-1
The first directive is the module type. A brief summary of module types and how PAM enforces the rules is as follows:
The second directive from the PAM configuration files is represented by control flags. These flags tell what to do with the result returned by a module. All PAM modules return a success or failure result when called.
The third directive is the pluggable module. The next parameters represent the arguments passed to the pluggable module.
There is more...
You can bypass PAM rules for password enforcement as root; hence the passwords to comply with the enforcement rules must be changed by each user.
- Download and build John the Ripper from source code as follows:
[root@nodeorcl1 run]# make clean linux-x86-64 - Unshadow
/etc/passwordand/etc/shadowinto a separate file,/tmp/passwd.db:[root@nodeorcl1 run]# ./unshadow /etc/passwd /etc/shadow > /tmp/passwd.db - Add the file as an argument and perform a simple password cracking session:
[root@nodeorcl1 run]# ./john /tmp/passwd.db - The weak passwords are found instantaneously:
Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [32/64 X2]) testuser (testuser) root1234 (root) guesses: 3 time: 0:00:00:00 100% (1) c/s: 2150 trying: Root999 - root1234 Use the "--show" option to display all of the cracked passwords reliably [root@nodeorcl1 run]#
- ArchiCAD 19:The Definitive Guide
- 火格局的時空變異及其在電網(wǎng)防火中的應(yīng)用
- Cinema 4D R13 Cookbook
- Machine Learning for Cybersecurity Cookbook
- Seven NoSQL Databases in a Week
- 自動控制原理
- Photoshop CS4經(jīng)典380例
- 自主研拋機器人技術(shù)
- Implementing Oracle API Platform Cloud Service
- 新編計算機圖形學
- Excel 2010函數(shù)與公式速查手冊
- 一步步寫嵌入式操作系統(tǒng)
- PowerMill 2020五軸數(shù)控加工編程應(yīng)用實例
- Creating ELearning Games with Unity
- 基于Proteus的PIC單片機C語言程序設(shè)計與仿真