One of the most important security features in use today is the password. It is important for both you and all your users to have secure, unguessable passwords. Most of the more recent Linux distributions include passwd programs that do not allow you to set an easily guessable password. Make sure your passwd program is up to date and has these features.
In-depth discussion of encryption is beyond the scope of this document, but an introduction is in order. Encryption is very useful, possibly even necessary in this day and age. There are all sorts of methods of encrypting data, each with its own set of characteristics.
Most Unices (and Linux is no exception) primarily use a one-way encryption algorithm, called DES (Data Encryption Standard), to encrypt your passwords. This encrypted password is then stored in (typically) /etc/passwd (or less commonly) /etc/shadow. When you attempt to log in, the password you type in is encrypted again and compared with the entry in the file that stores your passwords. If they match, it must be the same password, and you are allowed access. Although DES is a two-way encryption algorithm (you can code and then decode a message, given the right keys), the variant that most Unices use is one-way. This means that it should not be possible to reverse the encryption to get the password from the contents of /etc/passwd (or /etc/shadow).
Brute-force attacks, using tools such as "Crack" or "John the Ripper" (see Section refnam), can often guess passwords unless your password is sufficiently random. PAM modules (see below) allow you to use a different encryption routine with your passwords (MD5 or the like). You can use Crack to your advantage, as well. Consider periodically running Crack against your own password database to find insecure passwords. Then contact the offending user, and instruct him to change his password.
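To make the store-then-compare flow and the self-audit concrete, here is an added Python example (not from the HOWTO and not the system's crypt(3)): it uses a salted SHA-256 digest as a stand-in for DES/MD5 crypt so that it runs anywhere, parses constructed shadow(5)-style entries, verifies a login by re-hashing, and runs a small constructed wordlist over the stored hashes the way the text suggests running Crack against your own password database.

```python
import hashlib
import hmac
import secrets

# Stand-in for crypt(3): a salted one-way digest. Real systems use DES or
# MD5 crypt here; only the hash function differs, the flow is the same.
def hash_password(password: str, salt: str) -> str:
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$demo${salt}${digest}"

def set_password(password: str) -> str:
    # Fresh random salt per user, as passwd does: same password, different hash.
    return hash_password(password, secrets.token_hex(4))

def check_login(password: str, stored: str) -> bool:
    # Login path: re-hash with the stored salt and compare; nothing is decrypted.
    # A locked or disabled entry ("*", "!...") has no salt and never matches.
    if not stored.startswith("$demo$"):
        return False
    _, _, salt, _ = stored.split("$", 3)
    return hmac.compare_digest(hash_password(password, salt), stored)

def parse_shadow(text: str) -> dict:
    # shadow(5) layout: name:hash:lastchg:min:max:warn:inactive:expire:flag
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, stored = line.split(":")[:2]
            entries[name] = stored
    return entries

def audit_weak(entries: dict, wordlist: list) -> dict:
    # Crack-style self-audit: try each word against every stored hash and
    # report the users whose passwords are on the list.
    found = {}
    for user, stored in entries.items():
        for word in wordlist:
            if check_login(word, stored):
                found[user] = word
                break
    return found

# Constructed sample shadow file with stand-in hashes (not real system data).
SHADOW = "\n".join([
    "root:" + hash_password("correct horse battery staple", "ab12cd34") + ":19000:0:99999:7:::",
    "alice:" + hash_password("password", "00ff00ff") + ":19000:0:99999:7:::",
    "bob:" + hash_password("bob123", "deadbeef") + ":19000:0:99999:7:::",
    "daemon:*:19000:0:99999:7:::",
])
WORDLIST = ["123456", "password", "qwerty", "letmein", "bob123"]
```

Running `audit_weak(parse_shadow(SHADOW), WORDLIST)` returns `{'alice': 'password', 'bob': 'bob123'}`; root's passphrase is not on the list and the locked daemon account is skipped.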
You can go to http://consult.cern.ch/writeup/security/security_3.html for information on how to choose a good password.
ssh (Secure Shell) and stelnet