Installing Samba, SSH, dhcpd and Nessus
Installing samba-2.2.8a
Note: The new version installs files in different locations than earlier versions.
cd source
./configure --prefix=/usr
(paths for config files are hard coded in the binary.
if you configure without specifying prefix, binaries
will have /usr/local compiled into them and will not
work unless you change the initialization files.)
make
make install
ln -s /etc/smb.conf /usr/lib/smb.conf
mkdir /usr/var/locks
ln -s /etc/smbpasswd /usr/private/smbpasswd
testparm
remove "read prediction" from /etc/smb.conf (no longer supported)
cd /etc/rc.d
Edit smb and nmb if necessary to make sure they point to the correct
smbd and nmbd binaries.
./smb stop ('restart' option doesn't always work. The port sometimes needs
several seconds to close. Make sure the old smbd and nmbd have stopped
by typing: ps -aux | grep mbd)
./nmb stop
./smb start
./nmb start
log files are now in /usr/var
smbpasswd is in /usr/private
Problems with samba
1. Samba (smbd and nmbd) writing too much to syslog. Despite being started with logging = 0, nmbd fills up the logs with unimportant information like this:
nmbd: [2004/08/26 17:01:34, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(314)
nmbd: process_local_master_announce: Server DIPHTHERIA at IP 63.127.146.xyz is announcing itself as a local master browser for workgroup WORKGROUP and we think we are master. Forcing election.
nmbd: [2004/08/26 17:01:34, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
nmbd: Samba name server ENTROPY has stopped being a local master browser for workgroup WORKGROUP on subnet 63.127.146.196
nmbd: nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
nmbd: Samba name server ENTROPY is now a local master browser for workgroup WORKGROUP on subnet 63.127.146.196
nmbd: nmbd/nmbd_namequery.c:query_name_response(112)
nmbd: nmbd/nmbd_packets.c:process_browse_packet(1063)
nmbd: process_browse_packet: Discarding datagram from IP 63.127.146.196. Source name ENTROPY<00> is one of our names !
This gets really annoying if you have multiple Samba servers on your network, all of them sending their logs to the same place.
Solution: Editing /etc/syslog.conf doesn't work. To get rid of the syslogs without preventing writing to the log file, edit the Samba source code in lib/debug.c and delete the following lines:
| File | Approx. Line | Line |
| lib/debug.c | 534 | syslog( priority, "%s", msgbuf ); |
| lib/snprintf.c | 848 | syslog(facility_priority, "%s", msg); |
| lib/system.c | 1328 | syslog( priority, "%s", *msgbuf ); |
| nsswitch/pam_winbind.c | 30 | vsyslog(err, format, args); |
| pam_smbpass/support.c | 77 | vsyslog(err, format, args); |
and recompile and reinstall. (Actually, only the first one is probably necessary).
Then type
cd /usr/lib/samba/classic
mv nmbd nmbd.bak
mv smbd smbd.bak
ln -s /usr/sbin/nmbd nmbd
ln -s /usr/sbin/smbd smbd
killall nmbd
/etc/init.d/nmb start
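As an added example (not from the original page), a small Python parser for the nmbd syslog records quoted in item 1 above. It splits the "[date, level] file.c:function(line)" headers from their messages, counts records per source function so the noisy call sites can be matched against the syslog() table, and pulls out the hosts that keep announcing themselves as local master browser. The sample log is constructed from the excerpt above; the regexes and helper names are mine.

```python
import re
from collections import Counter

# Constructed sample: the nmbd syslog excerpt from item 1 above, with each
# record re-joined onto one line as syslog receives it.
SAMPLE_LOG = """\
nmbd: [2004/08/26 17:01:34, 0] nmbd/nmbd_incomingdgrams.c:process_local_master_announce(314)
nmbd: process_local_master_announce: Server DIPHTHERIA at IP 63.127.146.xyz is announcing itself as a local master browser for workgroup WORKGROUP and we think we are master. Forcing election.
nmbd: [2004/08/26 17:01:34, 0] nmbd/nmbd_become_lmb.c:unbecome_local_master_success(154)
nmbd: Samba name server ENTROPY has stopped being a local master browser for workgroup WORKGROUP on subnet 63.127.146.196
nmbd: nmbd/nmbd_become_lmb.c:become_local_master_stage2(404)
nmbd: Samba name server ENTROPY is now a local master browser for workgroup WORKGROUP on subnet 63.127.146.196
nmbd: nmbd/nmbd_namequery.c:query_name_response(112)
nmbd: nmbd/nmbd_packets.c:process_browse_packet(1063)
nmbd: process_browse_packet: Discarding datagram from IP 63.127.146.196. Source name ENTROPY<00> is one of our names !
"""

# A Samba debug header is "[date, level] file.c:function(line)"; the bracketed
# part is missing on some headers in the excerpt, so it is optional here.
HEADER = re.compile(r"^(?P<prog>\w+): (?:\[(?P<ts>[^\]]+), (?P<level>\d+)\] )?"
                    r"(?P<file>\S+\.c):(?P<func>\w+)\((?P<line>\d+)\)$")
ANNOUNCE = re.compile(r"Server (?P<name>\w+) at IP (?P<ip>[\w.]+) is announcing itself")

def parse_records(text):
    """Return one dict per header, carrying the message text that follows it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(dict(m.groupdict(), message=""))
        elif records and ": " in line:
            records[-1]["message"] += line.split(": ", 1)[1] + " "
    for rec in records:
        rec["message"] = rec["message"].strip()
    return records

def noise_by_function(records):
    """Count records per source file:function, so the call sites that dominate a
    shared syslog can be matched against the syslog() table above."""
    return Counter(f"{r['file']}:{r['func']}" for r in records)

def election_rivals(records):
    """(name, ip) of every host announcing itself as local master browser: the
    hosts to look at when several Samba servers keep forcing elections."""
    rivals = []
    for rec in records:
        m = ANNOUNCE.search(rec["message"])
        if m:
            rivals.append((m.group("name"), m.group("ip")))
    return rivals
```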
2. Samba not authenticating users (with error NT_STATUS_WRONG_PASSWORD)
This happened only on one computer. This message can be caused by errors in smb.conf, or by permission problems. On our computer, this problem could be fixed by making /homes globally readable. However, this solution is unacceptable for security reasons, and it also causes sendmail to refuse to forward mail. Changing to a different version of samba had no effect. The same configuration on other computers worked fine.
Solution
Added "create mode = 0777" to the [homes] section of smb.conf. Our smb.conf file now looks like this:
[global]
status = yes
security = share
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
unix password sync = yes
passwd program = /usr/bin/passwd %u
... (more lines) ...
[homes]
comment = Home Directories
path = /home/%u
browseable = yes
writable = yes
guest ok = no
read only = no
create mode = 0777
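As an added example (not code from the page or from Samba), a Python audit script that parses an smb.conf like the one above and flags the two settings a reviewer would want to look at again: share-level security, and a create mode (Samba treats it as an alias of create mask) that leaves new files group- and world-writable, as 0777 does. The sample configuration is a trimmed copy of the one above; the parser and the checks are mine.

```python
import re
import stat

# Constructed sample: a trimmed copy of the [global]/[homes] configuration above.
SAMPLE_SMB_CONF = """
[global]
security = share
encrypt passwords = yes
smb passwd file = /etc/samba/smbpasswd
[homes]
path = /home/%u
writable = yes
guest ok = no
create mode = 0777
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}. Samba ignores case and internal
    whitespace in parameter names, so keys are normalised to lower case."""
    conf, section = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf

def audit(conf):
    """Flag share-level security and any 'create mode' (an alias of 'create
    mask') that leaves the group/other write bits set, as 0777 does."""
    findings = []
    if conf.get("global", {}).get("security", "").lower() == "share":
        findings.append("global: security = share (no per-user authentication)")
    for name, params in conf.items():
        mode = params.get("create mode") or params.get("create mask")
        if mode is not None and int(mode, 8) & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{name}: create mode {mode} permits group/other write")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```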
Installing nessus
make sure gtk is installed
make sure openssl is installed http://www.openssl.org.
make sure nmap 2.52 or higher is installed http://www.insecure.org/nmap/
You must remove old version first, or it will link to the wrong library and crash. If nessus was installed anywhere other than /usr/local/lib, 'uninstall-nessus' will not work, and the old version must be uninstalled by hand:
cd /usr/local/lib
rm libness*
rm -rf *nessu*
rm libness*
cd /usr/sbin
rm libness*
rm -rf *nessu*
rm libness*
cd /usr/bin
rm libness*
cd /usr/local/sbin
rm -rf *nessus*
To install nessus, install the following four packages in the order shown.
nessus-libraries
configure
make
make install (as root)
Ensure that /usr/local/lib is in the file /etc/ld.so.conf.
ldconfig
libnasl
configure
make
make install (as root)
nessus-core
configure --enable-cipher
make
make install (as root)
Add /usr/local/bin and /usr/local/sbin to PATH.
nessus-plugins
configure
make
make install (as root)
Running nessus
Nessus is a two-part client-server program. Start server first, then connect to it with the GUI-based client. It is important always to use the latest version of nessus in order to find the latest vulnerabilities.
First set up the password and certificate allowing you to connect to the nessus server:
First time use only:
as root, start nessusd giving your username and passwd (not root's).
nessus-makecert
nessus-adduser
To run:
su to root
export PATH=$PATH:/usr/local/bin:/usr/local/lib:/usr/local/sbin
nessusd -D (-D = daemon, run in background)
if you use -P username,passwd as suggested in manual, it says:
unrecognized option '--P'
(the man page is wrong about the options).
Then change to regular user and start the nessus client:
nessus&
Enter your password and click 'login'
You should get the nessus two-pane window.
Set target to scan and enable desired plugins.
Notify user of impending doom and stop cflowd before running scan
(nessus scan will crash a number of apps including cflowd and
often crashes the target system if it is running Linux.)
Click "start".
Installing SSH (secure shell)
This information has been moved.
Installing dhcpd
Dhcpd must be upgraded due to a major security problem. The new version (3.0pl1) is available from ftp.isc.org. The authors at ISC have made a couple of changes to dhcpd that make installation difficult. However, these changes are clearly explained in the README file. It may be necessary to take down your server to install the fixed version of dhcpd.
Back up /usr/sbin/dhcpd
Edit /usr/src/linux/.config and make the following changes.
CONFIG_PACKET=y
CONFIG_FILTER=y
Rebuild and install a new kernel with CONFIG_PACKET (Packet socket) and
CONFIG_FILTER (Socket Filtering) enabled.
make oldconfig (to make sure changes are propagated to header files)
or make clean
make
make bzImage
(copy new kernel to /boot/)
/sbin/lilo
/etc/rc.d/dhcp stop
Build the software
configure
make
make install
Edit /etc/dhcpd.conf and add the line
ddns-update-style ad-hoc;
Some of the config files have also been moved to new locations.
cp /var/lib/dhcp/dhcpd.leases /var/state/dhcp/
/etc/rc.d/dhcp start
Installing crack
Crack is very quirky and has an unusual installation procedure. Also, development of crack stopped many years ago, so it's likely that compilation of crack will begin to fail on more and more systems. For example, crack already no longer compiles correctly on Linux. It gives the error message:
gcc: elcid.o: No such file or directory
make[1]: *** [../../run/bin/linux-2-unknown/dictfilt] Error 1
make[1]: Leaving directory `/home/tjnelson/crack/c50a/src/util'
make: *** [utils] Error 1
Installing crack:
- Edit 'Crack' and uncomment the section under "gcc 2.7.2", making sure that the line LIBS=-lcrypt is uncommented.
- Build the libdes library that comes with crack. It should create a file named libdes.a:
cd c50a/src/libdes
xmkmf
make
make install
- Change back to the c50a directory and type
Crack -makeonly
On Linux it will say:
gcc: elcid.o: No such file or directory
- Replace the Makefile in src/util with the Makefile at the link below.
Note that the Makefile at the main crack site is defective--it doesn't
create the essential 'dictfilt' program. If this happens, your 'run/Exxx'
(error) file will contain a lot of lines like:
sh: dictfilt: command not found
You could get around this by editing src/util/kickdict.c and removing 'dictfilt' from line 19, but it is better to create a dictfilt executable, because dictfilt is needed to actually find anything. If it says:
src/util/elcid.c:159: undefined reference to `crypt'
edit the main file named Crack and uncomment line 47, where it says LIBS=-lcrypt
- Copy your /etc/shadow to your home directory and encrypt it before moving it
to a non-networked computer. (Don't encrypt it in place!)
des -E shadow > shadow.des
- Decrypt the shadow file on a secure machine and merge it with the
/etc/passwd file from the original computer.
des -D shadow.des > shadow
The easiest way to deal with users who select bad passwords is to expire their passwords and install a version of passwd that rejects bad ones. This will stop them temporarily from picking a bad password. Of course, there are more permanent ways, but they are mostly illegal.
Here is the /src/util/Makefile needed for compiling
crack in Linux.
Be sure to download it by shift-clicking. If you
paste it from a browser window, you will have to convert the spaces to tabs
before it will work. Note: make sure you put this file in src/util, not the
main c50a directory.
Running crack:
- Copy /etc/passwd and /etc/shadow to the crack directory using some secure method.
- Edit the top lines in scripts/shadmrg.aix to point to the correct shadow and passwd files.
- Run shadmrg.aix to put the encrypted files in the passwd file. (Crack can't handle 'shadow' directly). The shadmrg program doesn't always work. If not, just substitute the encrypted password for the 'x' in your copy of the passwd file.
- Change to the c50a directory and type ./Crack -makeonly
- ./Crack -makedict
If it says
c50a/scripts/smartcat: line 36: /usr/dict/*words*: No such file or directory
don't continue, but edit the file conf/dictgrps.conf and correct the first line to contain the correct path for your dict/words file like so:
1:/usr/share/dict/*words* dict/1/*
2:dict/2/*
3:dict/3/*
- ./Crack ../passwd
(note: you must be in the same directory where the
Crack script is located. The passwd file should be one level above. If you
move up a level and type "c50a/Crack ./passwd" or if you move passwd to the
c50a level and type "./Crack ./passwd" it will bomb out.)
If Crack bombs out with an error about "run/bin/passwd/libc5.a", rename the libc5.a file and start Crack again. The libc5.a file will be re-created.
It should say:
Crack: launching: cracker -kill run/Kcarbon.21545 (exact filename will vary)
Done
Crack will run in the background. The system load will increase to 3 or higher then stabilize at 1.
- Check the file run/Ecarbon.21545 (the filename will vary). It should be empty.
- Monitor the run/D... file and run/E... (error) file with the command:
tail -f Ecarbon.6208 (this should stay empty)
tail -f Dcarbon.6208 (should periodically load words into memory)
tail -f F-merged (will eventually print any cracked passwords).
A number of common words are missing from the default dictionaries. The scripts also may not find your dict/words file on many systems, because this file is nowadays located in /usr/share/dict. To add a new dictionary, just make a list of new words (keep them in lower case) and put it in the c50a/dicts/1 directory. Then run the commands
cd c50a/dict/1
cp /usr/share/dict/words .
rm -rf run/dict
./Crack -makedict
The output should be:
Crack: making dictionary groups, please be patient...
Your new dictionary can also be in ".dwg" format, in which the first n characters are substituted by a digit. The digit will then automatically be permuted. Or use "dawg" to create them.
Update
Although Crack used to work, it now crashes on my system, with the message
./Crack: line 525: 12064 Segmentation fault nohup cracker -kill $crackkf $flags < $crackin > $crackout 2> $crackerr
kernel: cracker[12360]: segfault at 19dc6260 ip 7f48198af276 sp 7fff21fe0da8 error 4 in libc-2.8.so
John the Ripper is easier to configure, compile, and use.
