Sunday, April 26, 2009

BASH - Check if input is IP address

A little script I wrote, will help you determine wether the input is a legal IPv4 IP address:

#!/bin/bash
#
#Written by:Paul Podolny 26.4.2009
#Purpose: The script checks a passed IPv4 IP address and determines it's class.



#Check that input is passed in the form of IPv4 IP address
if [ ! "$(echo $1 | grep '[0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}[.][0-9]\{1,3\}')" ]
then
echo "Usage: '$0' "
exit 1
fi

DOTSCHK=`echo $1 | awk '{gsub("[0-9]","");print}' | wc -c`
if [ $DOTSCHK -ne 4 ];then
echo "illegal input"
exit 1
fi


for n in $(seq 1 4);do

OCTET=`echo $1 | awk -F "." '{print $'$n'}'`
if [ $OCTET -lt 0 -o $OCTET -gt 255 ]; then #check if the octet range is between 0 & 255
echo "$1 is not legal IP address"
exit 1
fi
done

echo "$1 is legal IP address"


#Check wether IP is external or internal + determines it's class.
case $1 in

192.168.*.*)
echo "$1 is class C internal IP address"
;;

172.*.*.*)
SCND=`echo $1 | awk -F "." '{print $2}'`
if [ $SCND -ge 16 -a $SCND -le 31 ];then
echo "$1 is class B internal IP address"
fi
;;

10.*.*.*)
echo "$1 is class A internal IP address"
;;

169.254.*.*)
echo "$1 is an APIPA IP address"
;;

*)
echo "$1 is an external IP address"
;;
esac

Sunday, April 5, 2009

Securing GRUB Boot Loader

Lots of us tend to think that Linux OS is secure, in fact it's an illusion that comes due to a fact that less home users use it therefore less hack tool are available for an average home user.
We forget some dominant backdoors that can cause serious trouble & malicious activity on sensitive servers.
One of these "backdoors" is leaving a boot loader unsecured. Don't forget that it's extremely easy to recover root password in linux, watch and see for yourselves (I used Red Hat Enterprise 5 for the example).

First of all we will reboot the server, and wait until GRUB boot loader comes up, press (esc) to pause the countdown:
We will highlight the Linux version and press 'e' for 'edit' this will bring us to a line with the
Kernel version, we will select 'e' again and we will be able to edit the line:
in the end of the line, after "rhgb quiet" we will add "single":


The machine will boot now in single mode, the shell will be the root shell so all that's left is
type passwd and hola, we obtained the root password.

Easy huh? To prevent such scenarios, linux includes a nice feature called grub-crypt.
(found in /sbin/grub-md5-crypt)
When we will run it, a key will be generated for us (depending on the password we passed). For those who are not familiar with cryptography md5 is a wi
dely used cryptographic function with a 128bit strength hash value.

All that's left now is to add the generated key to /etc/inittab file in the following syntax:
password --md5 :generated hash key:
that's it, save the file and reboot. Now if we try to edit GRUB boot loader we will be asked to authenticate:



Note that after the hash has been set into the /etc/inittab file it cannot be seen, so it's another cool security feature.

Have fun and stay secured ;)

Friday, April 3, 2009

Random password generator

A little handy script that will help you generate random passwords:

#!/bin/bash

#Written by Paul.P - 2.4.2009
#The script generates a random password, argument $1 sets password length

clear

#If no argument passed - default length of 12 will be used

length=$1

[ -n "$length" ] || length=12;echo "no arguments passed, using default length (12)"

#Strength check
if [ "$length" -lt 8 ];then
echo "the password of $length characters length is not strong enough."
exit 1
fi

password=$(dd if=/dev/urandom bs=512 count=1 2> /dev/null | tr -cd 'a-zA-Z0-9' \
| cut -c 1-$length)
echo "$password"