Categories
Linux Passwords Security SSH Windows

Linux: SSH Without Password

Process to enable password-free secure connection
SERVER=ALPHA
CLIENT=BRAVO

SERVER KEY GEN
————————
ssh-keygen -t rsa

CLIENT KEY GEN
————————
ssh-keygen -t rsa
ssh-keygen -t dsa

CLIENT KEY CONCAT
————————
cat id_dsa.pub >newKeys
cat id_rsa.pub >>newKeys

CLIENT KEY copy to SERVER
————————
scp newKeys root@alpha:/root/.ssh/newKeys

SERVER KEY AUTHORIZATION
————————
cd /root/.ssh/
cat newKeys >>authorized_keys
echo 'Key id_dsa_ssh.pub' >>authorization
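The SERVER KEY AUTHORIZATION step above, as an added example (not from the original post) that can be re-run safely: it appends only keys not already in authorized_keys and sets the modes sshd requires. Paths are arguments, so the sample keys below (constructed, not real key material) can be installed into a temporary directory.

```shell
#!/bin/sh
# install_keys <pubkey-file> <authorized_keys-path>
# Appends each public key from the file that is not already present and
# prints how many were added. Re-running with the same newKeys adds nothing.
install_keys() {
    src=$1; dst=$2; added=0
    # sshd (StrictModes, the default) ignores a ~/.ssh or authorized_keys
    # that is group- or world-writable, so fix the modes while we are here.
    mkdir -p "$(dirname "$dst")" && chmod 700 "$(dirname "$dst")"
    touch "$dst" && chmod 600 "$dst"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        # Compare on key type and base64 blob only; the trailing comment
        # (user@host) may differ between copies of the same key.
        keyid=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
        if ! awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$dst"; then
            printf '%s\n' "$line" >> "$dst"
            added=$((added + 1))
        fi
    done < "$src"
    echo "$added"
}

# Constructed sample standing in for newKeys (the blobs are placeholders).
SAMPLE_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLE1 root@bravo
ssh-dss AAAAB3NzaC1kc3MAAAAEXAMPLE2 root@bravo'

# On the server, matching the post's paths:
#   install_keys /root/.ssh/newKeys /root/.ssh/authorized_keys
```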

Categories
Cisco Linux Security SSH Windows

Source IP Range to allow remote access for Barracuda Support to SSH

You should NEVER open up any SSH port for unlimited access from the outside world. People run brute-force SSH grinders 24/7 these days to own boxes for botnets. As such, you need to know the source IPs that Barracuda uses to provide remote management support so that you can restrict access from the internet to only their team.

Read on to learn how to do this with a Cisco PIX or ASA firewall running OS 6.3(5) or later
====================================================================

Allow inbound access via SSH from ONLY Barracuda support to your appliance by taking the following steps:

1. Create a static NAT from the inside (or DMZ) interface where the Barracuda lives to the outside interface. In the example below, TCP port 22 (SSH) on outside address "P.P.P.P" is forwarded to inside address "I.I.I.I":

static (inside,outside) tcp P.P.P.P 22 I.I.I.I 22 netmask 255.255.255.255

2. Create an object group for the remote BARRACUDA management source IPs:

object-group network BARRACUDA_MGMT_IPS
network-object host 205.158.110.60
network-object host 216.129.105.112
network-object host 216.129.105.127
network-object host 216.129.105.129
network-object host 216.129.105.181
network-object host 216.129.105.182
network-object host 216.129.105.183
network-object host 216.129.105.184
network-object host 216.129.125.201
network-object host 216.129.125.202
network-object host 216.129.125.203

3. Create an ACL that allows ONLY the BARRACUDA_MGMT_IPS to reach the public address P.P.P.P on the outside interface. In the example below, "OAI" stands for Outside Access Inbound.

access-list OAI line 1 extended permit tcp object-group BARRACUDA_MGMT_IPS host P.P.P.P eq ssh

4. Apply the ACL to the outside interface inbound:

access-group OAI in interface outside

If you execute "show access-list OAI | inc ssh", you should see output similar to the following:

ASAfirewall# sho access-list OAI | inc ssh
access-list OAI line 1 extended permit tcp object-group BARRACUDA_MGMT_IPS host P.P.P.P eq ssh 0x6f529c33
access-list OAI line 1 extended permit tcp host 205.158.110.60 host P.P.P.P eq ssh (hitcnt=2) 0xdad49ba7
access-list OAI line 1 extended permit tcp host 216.129.105.112 host P.P.P.P eq ssh (hitcnt=0) 0x19777899
access-list OAI line 1 extended permit tcp host 216.129.105.127 host P.P.P.P eq ssh (hitcnt=0) 0x67c53462
access-list OAI line 1 extended permit tcp host 216.129.105.129 host P.P.P.P eq ssh (hitcnt=0) 0x1b9299ec
access-list OAI line 1 extended permit tcp host 216.129.105.181 host P.P.P.P eq ssh (hitcnt=0) 0x450442d4
access-list OAI line 1 extended permit tcp host 216.129.105.182 host P.P.P.P eq ssh (hitcnt=0) 0x11aff386
access-list OAI line 1 extended permit tcp host 216.129.105.183 host P.P.P.P eq ssh (hitcnt=0) 0xf3db4de7
access-list OAI line 1 extended permit tcp host 216.129.105.184 host P.P.P.P eq ssh (hitcnt=0) 0x491444d0
access-list OAI line 1 extended permit tcp host 216.129.125.201 host P.P.P.P eq ssh (hitcnt=0) 0x952b3413
access-list OAI line 1 extended permit tcp host 216.129.125.202 host P.P.P.P eq ssh (hitcnt=0) 0xcc7e836b
access-list OAI line 1 extended permit tcp host 216.129.125.203 host P.P.P.P eq ssh (hitcnt=0) 0x31489fcb

In the example above, we know the ACL is working because we see two hits on the first entry.
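An added check (not from the original post) over the same output: it pulls the expanded source hosts out of "show access-list OAI | inc ssh", flags any that are not in the published list, and totals the hit counts. The sample output is constructed, with an extra line 2 entry for a host that should not be there.

```shell
#!/bin/sh
# Allowed sources, as in object-group BARRACUDA_MGMT_IPS above.
ALLOWED='205.158.110.60 216.129.105.112 216.129.105.127 216.129.105.129
216.129.105.181 216.129.105.182 216.129.105.183 216.129.105.184
216.129.125.201 216.129.125.202 216.129.125.203'

# Constructed sample of "show access-list OAI | inc ssh": two expanded entries
# from the real list plus a stray line 2 entry (198.51.100.7 is a documentation
# address; its hash value is made up).
SAMPLE='access-list OAI line 1 extended permit tcp object-group BARRACUDA_MGMT_IPS host P.P.P.P eq ssh 0x6f529c33
access-list OAI line 1 extended permit tcp host 205.158.110.60 host P.P.P.P eq ssh (hitcnt=2) 0xdad49ba7
access-list OAI line 1 extended permit tcp host 216.129.105.112 host P.P.P.P eq ssh (hitcnt=0) 0x19777899
access-list OAI line 2 extended permit tcp host 198.51.100.7 host P.P.P.P eq ssh (hitcnt=5) 0x0000beef'

# Expanded entries carry "(hitcnt=N)"; the object-group summary line does not.
# Prints "source hits" for each expanded entry.
acl_ssh_entries() {
    printf '%s\n' "$1" | awk '
        /\(hitcnt=/ {
            for (i = 1; i <= NF; i++) if ($i == "host") { src = $(i + 1); break }
            for (i = 1; i <= NF; i++) if ($i ~ /^\(hitcnt=/) { n = $i; gsub(/[^0-9]/, "", n) }
            print src, n
        }'
}

# Prints sources that are permitted SSH but are not in the allowed list.
acl_unexpected_sources() {
    acl_ssh_entries "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, /[ \t\n]+/); for (k = 1; k <= n; k++) ok[a[k]] = 1 }
        !($1 in ok) { print $1 }'
}

# Sums hitcnt over all expanded entries (non-zero once support has connected).
acl_total_hits() {
    acl_ssh_entries "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# Live use: save the command output to a file and pass "$(cat file)" instead of "$SAMPLE".
```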

Good luck! I wish they would publish this information instead of making us call in to get it from them – what a waste of time.

Categories
Cisco Firewall Linux Networking Security VPN Windows

Cisco PIX ASA VPN integration Active Directory IAS

Using AD to authenticate VPN users via a PIX or ASA device

aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server RADIUS (inside) host timeout 10

crypto map IPSEC client authentication RADIUS

  • Create a Client matching the inside IP of the PIX w/ shared secret above
  • Modify the policy to match a security group
  • Events for IAS appear in the System Event log
Categories
Amazon Web Services AWS EC2 Linux Security SSH Ubuntu VPN wifi Windows

Escaping Restrictive/Untrusted Networks with OpenVPN on EC2

Perhaps you are behind a corporate firewall which does not allow you to access certain types of resources on the Internet. Or, perhaps you are accessing the Internet over an open wifi where you do not trust your network traffic to your fellow wifi users or the admins running the local network.

These instructions guide you in setting up an OpenVPN server on an EC2 instance, sending all your network traffic through a secure channel to port 80 on the EC2 instance and from there out to the Internet.

EC2 Instance
Run the latest Ubuntu 8.10 Intrepid image. You can find the most current AMI id in a table on http://alestic.com

ec2-run-instances --key ami-0372946a

Make a note of the instance id (e.g., i-6fceba06). Watch the status using a command like this (replace with your own instance id):

ec2-describe-instances

Repeat the describe instances command until it shows that the instance is “running” and make a note of the external hostname (e.g., ec2-75-101-179-94.compute-1.amazonaws.com).

Connect to the instance using the external hostname you noted. (Note: When running the Ubuntu images from Canonical use the "ubuntu" user instead of "root".)

remotehost=
remoteuser=root
ssh -i .pem $remoteuser@$remotehost

OpenVPN Server
Upgrade the EC2 instance and install the necessary OpenVPN software:

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install -y openvpn
sudo modprobe tun
sudo modprobe iptable_nat
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A POSTROUTING -s 10.4.0.1/2 -o eth0 -j MASQUERADE

Generate a secret key for secure communication with OpenVPN:

sudo openvpn --genkey --secret ovpn.key

Start the OpenVPN server on the EC2 instance. We are (ab)using port 80 because most closed networks will allow traffic to this port 😉

sudo openvpn \
  --proto tcp-server \
  --port 80 \
  --dev tun1 \
  --secret ovpn.key \
  --ifconfig 10.4.0.1 10.4.0.2 \
  --daemon

OpenVPN Client
Back on the local (non-EC2) workstation, set up the software:

sudo apt-get install -y openvpn
sudo modprobe tun
sudo iptables -I OUTPUT -o tun+ -j ACCEPT
sudo iptables -I INPUT -i tun+ -j ACCEPT

Download the secret key from the EC2 instance:

ssh -i .pem $remoteuser@$remotehost 'sudo cat ovpn.key' > ovpn.key
chmod 600 ovpn.key

Start the OpenVPN client:

sudo openvpn \
  --proto tcp-client \
  --remote $remotehost \
  --port 80 \
  --dev tun1 \
  --secret ovpn.key \
  --redirect-gateway def1 \
  --ifconfig 10.4.0.2 10.4.0.1 \
  --daemon

Edit /etc/resolv.conf and set it so that DNS is resolved by the EC2 name server:

sudo mv /etc/resolv.conf /etc/resolv.conf.save
echo "nameserver 172.16.0.23" | sudo tee /etc/resolv.conf

You should now be able to access any Internet resource securely and without restriction.

Teardown
When you are done with this OpenVPN tunnel, remember to shut down the EC2 instance and restore the DNS configuration:

sudo killall openvpn
ec2-terminate-instances
sudo mv /etc/resolv.conf.save /etc/resolv.conf
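An added helper (not from the original post) around the client and teardown steps above: it checks that the routes --redirect-gateway def1 installs are actually present, and swaps resolv.conf in and out with a backup so the DNS change is always undone. The "ip route" text below is constructed; the wrapper assumes it is run as root.

```shell
#!/bin/sh
# --redirect-gateway def1 leaves the original default route in place and adds
# two more-specific routes (0.0.0.0/1 and 128.0.0.0/1) via the tunnel that
# win over it. Traffic only goes through the VPN while both are present.
tunnel_routes_ok() {
    printf '%s\n' "$1" | grep -q '^0\.0\.0\.0/1 .* dev tun' &&
    printf '%s\n' "$1" | grep -q '^128\.0\.0\.0/1 .* dev tun'
}

# Point resolv.conf at the EC2 resolver, keeping one backup. Refuses to touch
# an existing backup, so a second run cannot overwrite the real config with
# the VPN one (which repeating the bare mv/echo steps above would do).
switch_dns() {
    conf=$1; nameserver=$2
    [ -e "$conf.save" ] && return 0
    cp "$conf" "$conf.save" && printf 'nameserver %s\n' "$nameserver" > "$conf"
}

restore_dns() {
    conf=$1
    [ -e "$conf.save" ] || return 0
    mv "$conf.save" "$conf"
}

# Constructed "ip route" output as seen with the tunnel up (10.4.0.1 is the
# server end from the post; 192.0.2.1 stands in for the local gateway).
ROUTES_UP='0.0.0.0/1 via 10.4.0.1 dev tun1
default via 192.0.2.1 dev eth0
10.4.0.1 dev tun1 proto kernel scope link src 10.4.0.2
128.0.0.0/1 via 10.4.0.1 dev tun1'

# Session wrapper, run as root (the post's sudo prefixes dropped): same
# openvpn arguments as above; the trap tears down DNS even on Ctrl-C.
vpn_session() {
    remotehost=$1; resolv=${2:-/etc/resolv.conf}
    trap 'killall openvpn; restore_dns "$resolv"' EXIT INT TERM
    openvpn --proto tcp-client --remote "$remotehost" --port 80 --dev tun1 \
        --secret ovpn.key --redirect-gateway def1 --ifconfig 10.4.0.2 10.4.0.1 --daemon
    sleep 5
    tunnel_routes_ok "$(ip route)" || { echo "tunnel routes missing" >&2; return 1; }
    switch_dns "$resolv" 172.16.0.23
    echo "VPN up; press Ctrl-C to tear down"
    while :; do sleep 60; done
}
```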

If you have ways to improve this approach, please leave a comment.

Disclaimer
These instructions are not intended to assist in illegal activities. If you are breaking the laws or rules of your government or college or company or ISP, then you should understand the security implications of the above steps better than I do and be willing to accept consequences of your actions.

Categories
Linux Passwords Security Windows

Excellent Web-based Password Generator

Password Generator to create good, secure passwords.

Categories
Apache Grep Linux Security

Set Apache Password Protected Directories With .htaccess File

There are many ways you can password protect directories under the Apache web server. This is important to keep your files private from both unauthorized users and search engines (when you do not want your data indexed). Here you will see the basics of password protecting a directory on your server. You can use either of the following methods:
  1. Putting authentication directives in a <Directory> section of your main server configuration file, httpd.conf, is the preferred way to implement this kind of authentication.
  2. If you do not have access to the Apache httpd.conf file (for example on shared hosting), you can create password protected directories with a file called .htaccess. The .htaccess file provides a way to make configuration changes on a per-directory basis.

In order to create apache password protected directories you need:

  • Password file
  • And Directory name which you would like to password protect (/var/www/docs)

Step # 1: Make sure Apache is configured to use .htaccess file

You need the AllowOverride AuthConfig directive in httpd.conf for these directives to have any effect. Look for the <Directory> entry that matches your DocumentRoot. In this example, our DocumentRoot is /var/www, so the entry in httpd.conf looks as follows:

<Directory /var/www>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>

Save the file and restart Apache.
If you are using Red Hat/Fedora Linux:

# service httpd restart

If you are using Debian Linux:

# /etc/init.d/apache-perl restart

Step # 2: Create a password file with htpasswd

The htpasswd command creates and updates the flat files (text files) used to store usernames and passwords for basic authentication of Apache users. General syntax:
htpasswd -c password-file username
Where:

  • -c : Create the password-file. If password-file already exists, it is rewritten and truncated.
  • username : The username to create or update in password-file. If username does not exist in this file, an entry is added. If it does exist, the password is changed.

Create a directory outside the Apache document root, so that the password file is never served by Apache. The password file should be placed somewhere not accessible from the web, so that people cannot download it:

# mkdir -p /home/secure/

Add a new user called sysadmin:

# htpasswd -c /home/secure/apasswords sysadmin

Make sure /home/secure/apasswords is readable by the Apache web server; if Apache cannot read your password file, it will not authenticate you. Set the correct ownership with chown. Apache usually runs as the www-data user. To confirm the Apache username on Debian Linux, look in apache2.conf:
# grep -e '^User' /etc/apache2/apache2.conf

Output:

www-data

Now allow apache user www-data to read our password file:
# chown www-data:www-data /home/secure/apasswords
# chmod 0660 /home/secure/apasswords

If you are using Red Hat or Fedora Core, type the following command:
# grep -e '^User' /etc/httpd/conf/httpd.conf

Output:

apache

Now allow apache user apache to read our password file:
# chown apache:apache /home/secure/apasswords
# chmod 0660 /home/secure/apasswords

Now the user sysadmin is added, but you still need to configure the Apache web server to request a password and tell the server which users are allowed access. Let us assume you have a directory called /var/www/docs and you would like to protect it with a password.

Create a directory /var/www/docs if it does not exist:
# mkdir -p /var/www/docs

Create .htaccess file using text editor:
# cd /var/www/docs
# vi .htaccess

Add the following text:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/secure/apasswords
Require user sysadmin

Save file and exit to shell prompt.

Step # 3: Test your configuration

Start your browser and open http://yourdomain.com/docs/, http://localhost/docs/ or http://ip-address/docs/

When prompted for a username and password, supply the username sysadmin and its password. If you have access to httpd.conf, the same directives can go in the matching <Directory> entry there instead of in .htaccess:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/secure/apasswords
Require user sysadmin

To change a password or set up a new user, run htpasswd again (without -c, which would recreate the file).

Troubleshooting

If the password is not accepted, or if you want to troubleshoot other authentication problems, open the Apache access.log and error.log files:

Fedora Core/CentOS/RHEL Linux log file location:
# tail -f /var/log/httpd/access_log
# tail -f /var/log/httpd/error_log

Debian Linux Apache 2 log file location:
# tail -f /var/log/apache2/access.log
# tail -f /var/log/apache2/error.log


Categories
Linux Security TCP/IP

Linux Kernel /etc/sysctl.conf Security Hardening

How do I set advanced security options of the TCP/IP stack and virtual memory to improve security and performance of my system? How do I configure Linux kernel to prevent certain kinds of attacks using /etc/sysctl.conf? How do I set Linux kernel parameters?

sysctl is an interface that allows you to make changes to a running Linux kernel. With /etc/sysctl.conf you can configure various Linux networking and system settings such as:

  1. Limit network-transmitted configuration for IPv4
  2. Limit network-transmitted configuration for IPv6
  3. Turn on ExecShield protection
  4. Protect against the common 'syn flood attack'
  5. Turn on source IP address verification
  6. Prevent a cracker from using a spoofing attack against the IP address of the server
  7. Log several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects

sysctl command

The sysctl command is used to modify kernel parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time. To view current values, enter:
# sysctl -a
# sysctl -A
# sysctl mib
# sysctl net.ipv4.conf.all.rp_filter

To load settings, enter:
# sysctl -p

Sample /etc/sysctl.conf

Edit /etc/sysctl.conf and update it as follows. The file is documented with comments. However, I recommend reading the official Linux kernel sysctl tuning help file (see below):

# The following is suitable for dedicated web server, mail, ftp server etc.
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# --------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
 
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
 
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
 
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
 
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
 
# Controls the use of TCP syncookies
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
 
########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
 
# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0
 
# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
 
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
 
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
 
# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1
 
# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
 
########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0
 
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
 
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
 
# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
 
#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
 
#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0
 
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
 
########## IPv6 networking ends ##############
 
#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1
 
# TCP and memory optimization
# increase TCP max buffer size setable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
 
# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1
 
# increase system file descriptor limit
fs.file-max = 65535
 
#Allow for more PIDs
kernel.pid_max = 65536
 
#Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
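An added drift check (not from the original article) that compares the values in a sysctl.conf like the one above with what the running kernel reports. The "current" output below is constructed; on a real host feed in the output of sysctl -a instead.

```shell
#!/bin/sh
# Normalize sysctl.conf or "sysctl -a" text to sorted "key=value" lines:
# drop comments and blanks, trim whitespace, collapse the tabs sysctl -a
# prints inside multi-value settings, and let the last assignment of a key
# win (as sysctl -p does when a key repeats, e.g. rp_filter above).
sysctl_normalize() {
    awk -F= '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        NF >= 2 {
            k = $1; v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]+/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/[ \t]+/, " ", v)
            val[k] = v
        }
        END { for (k in val) print k "=" val[k] }' | sort
}

# sysctl_drift <expected-conf-text> <current-sysctl-text>
# Prints "key want=<expected> have=<current>" for every key that differs or
# is missing from the current output; prints nothing when nothing drifted.
sysctl_drift() {
    cur=$(printf '%s\n' "$2" | sysctl_normalize)
    printf '%s\n' "$1" | sysctl_normalize | while IFS= read -r line; do
        k=${line%%=*}; want=${line#*=}
        have=$(printf '%s\n' "$cur" | awk -F= -v k="$k" '$1 == k { print substr($0, index($0, "=") + 1) }')
        [ "$have" = "$want" ] || echo "$k want=$want have=${have:-<unset>}"
    done
}

# Constructed inputs: a subset of the hardened file, and a "sysctl -a" excerpt
# in which ip_forward and sysrq were changed and log_martians is absent.
EXPECTED='net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
kernel.sysrq = 0
net.ipv4.ip_local_port_range = 2000 65000'
CURRENT=$(printf 'net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\nkernel.sysrq = 16\nnet.ipv4.ip_local_port_range = 2000\t65000\n')

# Live use: sysctl_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"
```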
Categories
Linux Security WPA

Linux WPA Cracking Tutorial Video

Categories
Grep Linux Security

Closing open ports and services on Linux

It is important to close any unneeded open ports.
To view a list of running services you can execute the following command:

chkconfig --list | grep on

To disable a running service you can execute the command:

chkconfig <service-name> off

Then you should stop this service from running by executing:

/etc/init.d/<service-name> stop