security Archives • Page 2 of 5 • Linux Tips

Change The ‘sudo’ Password Timeout

Today’s article is going to be a pretty basic article about sudo, where we learn how to change the sudo password timeout. It’s pretty easy to change the sudo password timeout value, and reasonably safe to do so if you use visudo. So, with that in mind, read on!

When you use sudo you’re given a grace period. During that time, you can use sudo again without being asked to type your password again. This is an arbitrary value, typically 15 minutes (I think), and you can customize that value for your particular environment. It’s not difficult.

This is something people may want to change if they’re slow, doing a lot with sudo, or have good physical security. This is also something that someone might want to change for the opposite reason. Some people may want to decrease the length of time that they have with sudo because they work in a shared environment. Who knows? It’s your computer, you can do what you want!

So, what is sudo? It’s how you temporarily use elevated permissions. In fact, I wrote a whole article on this subject, which you can read if you’re so inclined – and I’d suggest doing so if you’re new to Linux:

So, What Is ‘sudo’ Anyhow?

Well then, I mentioned another application. I mentioned ‘visudo’ above.

This may come as a surprise, but I actually wrote an article about visudo! You can read that as well, especially if you’re new to Linux:

Use visudo To Edit The sudoers File

Huh… It’s almost as if I’ve been waiting to write this article for a while and that I took the time to write articles that explain all these things. For a brief moment, one might be fooled into thinking I am good at preparing things. Little do you know… It’d be far more accurate to just say that I’ve written a bunch of articles already. I’d prefer it if you thought it was the former, but there’s definitely a touch of the latter.

Change The sudo Password Timeout:

If you clicked on either of the two links above, you’d know that those tools are used in the terminal. You didn’t click them, did you? Well, you’re going to need an open terminal. In most distros, you can just press CTRL + ALT + T and your default terminal should open.

With your terminal now open, we’re going to use visudo to edit your sudoers file. In my particular case, we’ll be using Nano. (See? Yet another article you can rely on for more information about Nano!) The command to start banging away on your sudoers file would be simply this:

sudo visudo

1	sudo visudo

Now, I can’t say for sure that you’ll be using Nano for this. As you didn’t click the links above, I’ll remind you that visudo uses your default text editor. So, you’ll need to be prepared for that. Your default text editor may be Vim, for example, and you’ll need to know the basics to change your sudo password timeout.

NOTE: If you want, you can change your default text editor. (Did you see that? I did it again!)

Anyhow…

With your sudoers file now open for editing, you just enter the following on a new line:

Defaults timestamp_timeout=<number_of_minutes>

1	Defaults timestamp_timeout=<number_of_minutes>

As far as I can tell, most distros default to 15 minutes. So, you can use sudo and then you won’t be asked for the password again for the next fifteen minutes. In the above, you replace the obvious with the obvious. If you wanted 10 minutes leeway without retyping the password, you’d use this command:

Defaults timestamp_timeout=10

1	Defaults timestamp_timeout=10

If you wanted an hour’s worth of leeway without typing your sudo password again, then the command would just be this:

Defaults timestamp_timeout=60

1	Defaults timestamp_timeout=60

See? It’s not very complicated at all.

If you want to be fancy, you could include a comment. A comment starts with an # symbol and is thus ignored by the system. You might want to enter something like this:

# I changed my default sudo timeout value
Defaults timestamp_timeout=30

1 2	# I changed my default sudo timeout value Defaults timestamp_timeout=30

By adding a comment, you’ll be reminded of what changes you’ve made from the default configuration. This is generally a good idea, especially if you’re going to heavily modify your system.

As this is Nano, you can finish editing the sudoers file by pressing the CTRL + X, then Y, and then the ENTER button. That will save the changes with Nano. If you’re not using Nano, you’ll need to refer to the manual (unless you already know how to save an edited file).

Closure:

And there you go! You can now change your sudo password timeout value to whatever it is you desire, assuming it’s whole minutes. I do not believe it works with fractions of minutes. You shouldn’t need to reboot or anything. It should take effect immediately and be the new timeout value the very next time you use a command that starts with sudo.

Of course, this comes with some security considerations. If this is a public kiosk, you’d have to be a fool to make this longer. You’d have to be a fool to have sudo access to begin with! That’s why they make guest accounts!

But, if you’re home alone and the neighbors aren’t going to sneak in to steal your wifi password, you’re probably good to go. Heck, if you are daring, you can use sudo without a password. I don’t recommend that, but you can…

Also, this article contains a whole lot of links to other articles. Google will be pleased! I think it speaks to how many articles I’ve already written more than any foresight on my part.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

Let’s Password Protect A File

Today’s article is a fun one, where we’ll learn how to password protect a file using something called GPG. It’s not complicated. You can learn how to password protect a file in just a few minutes. You can then send these files out and other people can decrypt them – assuming you’ve shared the password with them.

We all have secrets. They’re not all digital, but they could be. We may also want to be able to share files that have private information in them, meaning you only want people with the password to open it. Though, I suppose, brute force is always an option – but you can at least make it difficult by using a complex password, preferably one that you didn’t generate yourself.

So, what is GPG? GPG stands for “GNU Privacy Guard”. It’s fairly standard and used quite a bit. There are other applications, like PGP, but I think all of you folks that use a ‘full’ distro will have GPG installed by default. It’s one of those tools that you might not use all that often, but it seems to be included by default in a lot of places. I suspect that’s because other things rely on GPG, but I’m way too ~~lazy~~ inept to look that up.

By the way, the GPG man page describes it as:

gpg – OpenPGP encryption and signing tool

That GPG is what we’re going to be using for this exercise. Trust me, it’s easier than you might think.

Password Protect A File:

Do I have to mention it? Of course I do! It’s time for your favorite thing, an open terminal ready for your commands. You can open your default terminal by pressing CTRL + ALT + T.

With your terminal now open, the command to password protect a file would be:

gpg -c /path/to/file

1	gpg -c /path/to/file

The -c flag stands for encryption. It should then ask you for a password, that you’ll need to enter twice, and then it will make an encrypted copy of the file with a .gpg extension. The original file will still exist, so this isn’t encrypting that original file. It’s making an encrypted copy and you’ll want to safely delete the original file if that’s your intention.

Now, to open the new <file_name>.gpg file, you’ll need to use the following command:

gpg <file_name>.gpg

1	gpg <file_name>.gpg

Now, when I went to open that with the same computer and the same session it didn’t ask for a password. I shipped it to another computer and it did just that. I do not know why.

When you successfully open the password protected file, it will ask you if you want to overwrite the original. This shouldn’t happen when you ship it to someone else unless they happen to already have a file with that specific name. It also will let you say don’t want to overwrite the file and let you pick a new file name for the unencrypted content.

Closure:

You can actually do this with a folder if you’d prefer. It’s just specifying a folder instead of a file. The process is exactly the same. So, like I said in the start, it’s a really easy task to password protect a file. The terminal is useful for all sorts of stuff.

Thanks for reading! If you want to help, or if the site has helped you, you can donate, register to help, write an article, or buy inexpensive hosting to start your own site. If you scroll down, you can sign up for the newsletter, vote for the article, and comment.

How To: Cancel Your LastPass Account

This is just a PSA type of article, about how to cancel your LastPass account. Below are the reasons why you might want to cancel your LastPass account and how you can go about actually canceling that account.

Below is a copy of a recent email from LastPass:

Dear LastPass Customer, 
We recently notified you that an unauthorized party was able to gain access to a third-party cloud-based storage service which is used by LastPass to store backups. Earlier today, we posted an update to our blog with important information about our ongoing investigation. This update includes details regarding our findings to date, recommended actions for our customers, as well as the actions we are currently taking.
We thank you for your patience and continued support of LastPass.
The Team at LastPass

Click the link in the quoted text for more information.

I can no longer trust LastPass with my passwords and wanted to quit their services, closing my account. The only link I could easily find was at the bottom of their email – and that would simply unsubscribe you from their email list.

With the help of @Condobloke on Linux.org, I was eventually able to find how to close my LastPass account (so I’m told by LastPass). When closing my account, they asked for a reason. The reason I gave was:

I no longer have faith in your security

For the record, I had never used LastPass for anything. I had just signed up for an account. I never actually used the extension or their services.

Cancel Your LastPass Account:

The first link you’ll see is in their email, and all that option does is remove you from their mailing list. You’re ONLY unsubscribing to their email list, not actually removing your account.

That’s this link:

http://417-klk-478.mktoweb.com/lp/logmeintransact/UnsubscribePage.html?mkt_unsubscribe=1

Link left plain on purpose. That link will ONLY remove you from their mailing list. It will not delete your account. So, I recommend deleting your account before removing yourself from the mailing list.

To delete your account, you need a link provided by @Condobloke:

https://lastpass.com/delete_account.php

Again, the link is left plain on purpose. That link will only get you started.

When you have logged in and clicked the button to remove your account, your account is still not deleted. You need to check your email and they send you an additional link. You can use that link to remove your account, remembering to confirm it when they ask time and time again.

When they ask you for a reason as to why you’re removing your account, you might want to tell them that it’s because you can no longer trust their security. They had the chance to be secure and failed. They might be making the ‘right steps’ now, but those steps should have been made before now.

What You Can Do:

If you’re going to use a password manager, you are better off getting one where you control the data. That means you want an ‘offline password manager’ that’s free and (hopefully) open source (so it can be audited, if need be).

I do not have enough experience with offline password managers to make a recommendation. I also am not going to be the one to suggest a specific product only to find out I sent you barking up the wrong tree. So, my suggestion is that you use your favorite search engine and look up ‘offline password manager’. Then, pick what you think works best for you.

I’ve done some looking and this article looks solid. I make no recommendations based on that link, it just looks pretty thorough to me. The article may contain errors and I’m not responsible for that, as I lack the time to dig deeper into this due to a rather impressive winter storm.

Good luck and do due diligence before deciding on a specific offline password manager platform. Read reviews, check security history, make sure it’s easy enough for you to use, and make sure it works with the software you intend it to work with.

Closure:

Well, I don’t use the ‘News’ category often, but this seemed like an important article to get out there. It’s time sensitive so it’s not going to be scheduled for publication, it’ll be published as soon as I’m done proofreading it.

Stay safe out there. Remember, “Practice safe hex!”

EDIT: Fixed a typo.

Show Failed SSH Login Attempts

Today’s article is pretty straightforward, I’m going to show you how to show failed SSH login attempts. It should be a pretty short article, as I’m just going to show you two ways for a couple of system types. This is Linux, so there are certainly more ways to go about it, but I’ll show you a couple of them.

Yes, I’ve written about SSH a great deal. It is, in my opinion, one of the greatest remote administration tools ever conceived. But, attackers know this and any public-facing computer, with an IP address that can be reached externally, will be subject to port scanning and intrusion attempts.

I’ve written some SSH security articles, but one of the best things you can do is change the port that SSH uses. This will stop a bunch of malicious intrusion attempts. However, smart hackers will quickly scan for open ports with automated tools. Some of them will inevitably find your SSH port.

These people will then try to login. Securing your SSH is pretty important. I’ve written a few articles, so here’s a search of SSH-related articles previously published. Feel free to browse them at your leisure. I really need to do an article about Fail2Ban, but I haven’t gotten that far yet. One of these days!

So, like I said, you can show failed SSH login attempts. One of the things you can do with this information is scan for commonalities. You can also check to see if the hackers are using a username that already exists. If they’re using a username that already exists, it could be coincidental or it could mean they already have some insider information.

Well then, let’s jump into the article…

Show Failed SSH Login Attempts:

Like oh so many of my articles, and this one involving SSH, you’re going to want an open terminal for this. If you don’t know how to open the terminal, you can do so with your keyboard – just press CTRL + ALT + T and your default terminal should open.

By the way, if you’re this far into the article and don’t know what SSH, it’s ‘secure shell’ and a way to remotely connect to another computer. Basically, you login to a remote computer and then you’re using the remote computer’s terminal. However, you can do so with graphics, you just need to forward x11.

So, it’s a pretty useful tool. I use SSH often, even in my own home. What? It’s faster than walking to another room, and I often test things remotely. SSH makes perfect sense for this sort of stuff.

With your terminal freshly open and properly logged into the remote computer, you can show failed SSH login attempts pretty easily. Like I said, I’ll show you a couple of ways. The first is pretty universal and should work with all but a couple distros:

grep "Failed password" /var/log/auth.log

1	grep "Failed password" /var/log/auth.log

RHEL and CentOS (Fedora too? I have not tested.) may store the data elsewhere, so you can try this command to show failed SSH login attempts:

grep "Failed" /var/log/secure

1	grep "Failed" /var/log/secure

If you have failed SSH login attempts, one of those two commands should show you them. If the first doesn’t work, and you know you have failed attempts, try the second one. The logs are usually stored (as far as I know) in either of those two locations.

Closure:

See? It’s a nice and short article today, just like I said it would be. This time around, we’ve learned how to show failed SSH login attempts. Even if you’re using Fail2Ban and mandating certificate login, it’s always good to check to see what the bad guys are up to.

Disallow SSH Login For A Specific User

In today’s article, we’re going to learn how to disallow SSH login for a specific user. The reasons you might want to do this should be obvious, so that’ll save some time! Read on to learn how!

I’ve covered SSH in many articles. If you search for “SSH”, you’ll find a bunch of articles covering the subject. I’m not sure why there are so many, but there are. I seem to have a lot of notes on the subject.

Here, this link will help you search for SSH articles.

SSH is “Secure Shell”, a method to login to remote computers so that you can manage them without being their physically. It’s used by systems administrators regularly, without ever needing a GUI to manage their Linux systems.

It’s also used by people like me, too lazy to walk to the other side of the room. I’m literally using SSH to manage stuff on my laptop from here on this desktop as I write this. On top of that, while not logged in right now, I was using SSH to manage a VPS earlier today.

So, SSH isn’t just for professional system administrators and, if you use SSH at home, you might as well know how to secure it. This article will help you secure your system – by learning how to disallow SSH login for a specific user.

Disallow SSH Login For A Specific User:

This article requires an open terminal on (and connection to) the computer you wish to change. That may require you to login to that computer remotely. If you’re on a local device and you don’t know how to open the terminal, you can do so with your keyboard – just press CTRL + ALT + T and your default terminal should open. Otherwise, SSH into it like a boss.

With your terminal/connection now open, enter the following command:

sudo nano /etc/ssh/sshd_config

1	sudo nano /etc/ssh/sshd_config

Find a place to make a new line and enter the following with some care:

DenyUsers          <username>

1	DenyUsers <username>

Now, this one is a bit picky. Obviously, you substitute <username> with the real name – but in between “DenyUsers” and the username you absolutely MUST press the TAB key. If you try to just use spaces, it will not work! You MUST use the TAB key which will appear to insert spaces for you!

Assuming you’ve done everything correctly, you’ll need to restart SSH for the changes to take effect. You can do that with this command:

sudo systemctl restart ssh

1	sudo systemctl restart ssh

If you were logged into a remote system to make the changes on that system, the above command is gonna log you out and you’ll need to login again. You knew that, but I figure I’ll mention it.

Hmm… If you’re a barbarian that doesn’t use systemd, try this:

sudo service ssh restart

1	sudo service ssh restart

When SSH restarts, the prohibited user will get a “Permission Denied” message when they try to login. Ha! That’ll teach Jerry in accounting from thinking he’s a system admin!

Closure:

Whelp… You have another article. This one has shown you how to disable SSH login for a specific user (Jerry in accounting, who had no business accessing the server anyhow). You’re welcome!