Today we will learn how to set up Nginx so that clients have to authenticate using certificates. This provides an additional layer of security beyond basic password authentication.…
read more...

Replacing Google Authenticator with oathtool and gpg
I've thought it would be cool to have Two Factor Authentication operating on the command line, perhaps in some isolated container, rather than on a phone which can easily be lost or broken. We will also combine it with gpg encryption so that we have an additional layer of security.

How TFA works

It's important to understand that TFA is a general term for all systems that require multiple authentication factors. However, the vast majority of sites offering TFA to end users are based on the same technology, known as TOTP. TOTP stands for Time-based One-Time Password. The site…
read more...

Getting Started with Docker using Cockpit (Fedora 26)
Introduction

For ages, I've been wanting to get into Docker, especially now that it's the next big thing. In this tutorial, we will see how Docker works, its basic commands, what you can do with it, and also touch upon Docker security, such as isolation.

So what is Docker?

Docker is a platform used to deploy applications in a convenient way. It's kinda like virtual machines, but not quite. It's exploded in popularity because it makes system administration a lot more efficient. Installing stuff, especially web applications, is annoying: compiling, dependencies breaking, extraneous files left everywhere, then…
read more...

sshuttle - a VPN for the lazy
sshuttle is a Python-based script that allows you to tunnel connections through SSH in a far more efficient way than traditional SSH proxying. By far the greatest perk of sshuttle is that it requires no installation on the server side. As long as you have an SSH server (with Python installed) you're good to go. Because it inserts iptables entries, the client running sshuttle must be root; however, no special privileges are needed on the server.

How to use it

Install

$ sudo pip install sshuttle   # you may need to install python-pip

Tunnel to all networks (0.0.0.0/…
read more...

My IPTables Configuration Script
I've talked quite a lot about iptables but haven't really shown how I actually put it into practice. Today I'll share a shell script I wrote to set up IPTables on my Fedora 25 Desktop.

Download

Warning: Make sure you check it's appropriate for your needs and you understand its functionality before running it.

The shell script sets up the following:

- Multiple user-based chains for NFS, SSH, and HTTP
- Organized TCP / UDP chains
- Source restriction based on the use of IPsets

Structure and Functions of the Script

We begin by defining the function that configures our SSH hardening chain. The…
read more...

Using Dynamic Blocklists with IPtables + IPset
In this tutorial, we will learn how to make automatically updated block lists of known bad addresses using ipset and iptables. This provides a proactive security approach that can use external datasets to discover addresses known for malicious activity and prevent them from accessing your web server.

A quick overview of IPSet

In some of my earlier tutorials, we learned how we could use ipset to create dynamic filtering rules which are independent of iptables. For example, if we wanted to give our friend temporary access to SSH:

# create ipset
sudo ipset create ssh_ip hash:ip
# add friend's ip…
read more...

Network Basics: The DHCP client
So what is DHCP? How automatic configuration works

The DHCP client

When you bring your laptop over to your buddy's house and plug into their network, your internet is ready by "magic". This is achieved by the DHCP client daemon dhcpcd. When a new network link comes online (e.g. plugging in an ethernet cable, or connecting over WiFi), your machine announces itself to all devices on the link, and, if present, a DHCP server (usually the network's router) replies, informing your computer of the settings for the particular network, and reserves you an IP…
read more...

Network basics: Link Local Addressing and 169.254.x.x
What are those 169.254.x.x addresses all about? A look at IPv4 Link Local Addressing

Earlier, we looked at DHCP. A familiar experience when troubleshooting networks is that when something breaks, Windows spends a while trying to connect, and eventually gives a seemingly meaningless address in the 169.254.x.x range. Why does it do this? What are these addresses? Are they useful? The IANA (the international body that governs internet numbering and addressing) has reserved the range 169.254.0.0 - 169.254.255.255 as "link local address space". When Windows…
read more...

IPtables: Constructing user chains
Now that we are familiar with how iptables is organized, we can start defining our own chains. This allows for greater control, flexibility, and in some cases, better efficiency. The most profound efficiency gain is not in the processing by the system; it's in the maintenance, upkeep, and auditing by the sysadmin. We'll begin with a simple "LOG 'N DROP" chain that we will use in place of -j DROP so we can keep tabs on what the system is filtering.

Creating a logging chain

Next we will create a chain called `LOGDROP`. This chain logs packets passing through…
read more...

Converting a Hostfile Adblock into Unbound DNS records
There are lots of places where you can download ad blacklists in the form of simple hosts files, but they require manual installation on every device. Instead we will make records for our DNS server so we can block ads network-wide. I used a blacklist from somewhocares. This github page contains a range of different filters and their stats. If you wish to learn more about setting up Unbound, I have an example configuration file. Here is my script to do it. It also allows you to specify a different address than "0.0.0.0". This is…
read more...

Let's Encrypt on UniFi Controller (Signed SSL/TLS)
In this tutorial, we will learn how to replace the self-signed SSL certificate provided with the UniFi controller with a free trusted certificate from Let's Encrypt. The immediate advantage of this is that your browser will stop complaining that "Your connection is not secure" when you connect to the controller, and having a CA-signed certificate provides additional security against man-in-the-middle attacks by proving the authenticity of the controller. It's also just better practice and looks more professional. For this to work, you must have a domain name pointing to your controller (you can't get SSL certs…
read more...

IPset: Automatic Blocking of Portscans
In my last post, we introduced ipset and how it can be used to create aggregated rules for multiple source/destination parameters. Now we will look at how we can create a set of IP addresses that have attempted to connect to the telnet port and block further connections from them. This is a proactive approach, and it's quite fun watching how quickly the list grows.

We start by creating the set (note we set a timeout of 3600 seconds, i.e. 1 hour):

ipset create denied_telnet hash:ip timeout 3600

Next we create a rule to add telnet connections to the set…
read more...

Dynamic Rules with IPSet
Wouldn't it be good if port-scanning IPs could trigger a rule that adds them to a 'known offenders' firewall list? Wouldn't it be good if you could combine white and black ACLs into single unified rules? Typically IPTables operates statically from a predefined collection of rules. This has the advantage of allowing you to filter packets on very exact parameters, but at the cost of a lot of tedious manual work, and when you're manually adding a bunch of these, easy mistakes are all too common, with potentially quite severe consequences on a production system. The idea is…
read more...