Stuff I'm Up To

Technical Ramblings

Nginx and LDAP Authentication — July 11, 2020

We want a little more control over some of our reverse proxies, while placing as little extra burden on the users as possible. To do this we chose to use the same passwords for authentication as we do everywhere else – hence LDAP.

Thankfully Nginx has decided to include the module ngx_http_auth_request_module in both Nginx Plus and the Open Source build.

The prerequisite http_auth_request module is included in both NGINX Plus packages and prebuilt NGINX binaries.

Nginx

The documentation on implementing this walks you through a reference implementation which can be long-winded. I tried to make it simpler with this article.

FreeRADIUS and Docker — July 7, 2020

Today I built a FreeRADIUS server within a Docker container set using docker-compose. As we only have a small number of users on the WiFi system it was set up only as a simple SSID with WPA-PSK, a shared key that gradually gets spread to every man and his dog.

Fortunately it only acts as a Guest network and provides internet access – but the next step is to have a proper corporate SSID with secure LAN access. For this we want 802.1X and a RADIUS server to provide integration between wireless and LDAP.

Upgrading MySQL in a Container — July 3, 2020

Upgrading MySQL 5.5 to 5.7 in a Docker container set caused me some trouble. Setting the tag to 5.7.30 was all well and good, but when I fired up the container MySQL would stop immediately.

Looking at the log I found "The table is probably corrupted" and references to running mysql_upgrade, which I was expecting to have to do, but how do you do that when the service fails to start and the container is offline?

Apache Directory Studio and memberOf — June 4, 2020
Icinga2 — June 3, 2020

Having had some experience with Nagios, writing Nagios plug-ins and using nagiosql3 to manage the configuration, I found the new job uses Icinga. I’ve had no exposure to it at all – until now.

Icinga2 uses Nagios as the monitoring engine, but where Nagios is a bit rough around the edges – Icinga2 smooths that all out. Icinga2 layers over it a nice web interface and a whole bunch of add-ons to add value to your monitoring and reporting.

I started by installing a local copy of Icinga2 v2.6.2 onto a virtual machine and encountered a few gotchas along the way. Mostly because reading the docs is a lengthy process and I found you had to skip around the platform-specific stuff that didn’t apply to the OS you’re installing on. You also had to navigate several pages of different steps for the web server, API and Director.

My build is a Debian 10 Buster installation and I intended to just do an out-of-the-box type of installation. That was until I encountered Apache2 and decided it would actually be easier just to go with what I know and use Nginx.

Central Logging — May 30, 2020

System logging should not remain a local activity. If your system has been compromised, often the first thing in the attacker’s mind is to stop it from logging what they have done, what they are doing, or what they are about to do. If you’re going to be security minded you must send your logs to another system and monitor the activity there.

This is very easy to do with rsyslog. I’ve built this as an Ansible task within the Lynis Security Auditing work. All you need to do is add a simple file in /etc/rsyslog.d and restart rsyslog. Sure, it won’t stop you getting hacked, but you’ll at least have a record of what happened up until the point the attacker disables logging.

Lynis Security Auditing — May 29, 2020

In the days of corporate lore I faced system hardening challenges driven by Nessus. Now, because Nessus isn’t FOSS (Free Open Source Software), it’s not something I can use in my current role. There is an Open Source fork from Greenbone – but there’s an attractive case for using Lynis as a build validation tool.

Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating system. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software with the GPL license and available since 2007.

https://cisofy.com/lynis/#introduction

First off, it’s VERY easy to use. It doesn’t require a server and can be pulled down from GitHub and run with no compilation required.

Nginx Configuration Synchronisation — May 25, 2020

Back when I built the Nginx failovers using Nginx and Keepalived I also required that, should the config change on the master, the config would automatically be copied to the backup.

There are some important things you need to do for this to work correctly and not put your failover at risk of failing. The last thing you want to do is bork your master server’s config and automatically copy that failed config to the backup server, screwing that one up too.

PAM_LDAP and uniqueMember — May 24, 2020
SSH Multiplexing — May 21, 2020

Typically SSH creates a new TCP session every time you connect to a remote host. But there is a feature of ssh that allows new connections to reuse an existing connection through a control socket – which is called multiplexing.

Obviously this is only really useful if you are connecting via the same host each time, though through that one connection you can multiplex to different locations.

Why is this useful?

If I already have a SOCKS connection open to my office gateway I don’t need to open a new TCP connection to pass traffic inside the office network. OK, you’re still not sold on the idea? Well, we’re using pretty robust authentication to get in via the gateway: multi-factor authentication, private keys and passwords. This would mean that for every connection I would have to go through that authentication each time. Add fail2ban to that: get it wrong and your IP is blocked for 90 minutes.

With a multiplexed connection I authenticate ONCE and my subsequent connections go through that already authenticated session.

Remotely Mounting a Fileshare — May 19, 2020
SSH and SOCKS — May 18, 2020

Here’s my handy script for bringing a SOCKS proxy up and down. It saves the hassle of finding the PID of the ssh proxy process to kill it when you’re done.

socks.sh

#!/bin/bash
# Bring a SOCKS proxy up or down over a multiplexed SSH connection.
# The control socket lets later ssh commands reuse (and cleanly close)
# the already-authenticated master session instead of hunting for its PID.

SOCKET=~/.ssh/jump.socket
HOST="myuser@gateway.domain.tld"
SSH_PORT=22
PORT=8123   # local SOCKS port; 1080 is conventional but clashes with Docker

# Exit status 0 if a live master is listening behind ${SOCKET}.
alive() {
  ssh -S "${SOCKET}" -O check -p "${SSH_PORT}" "${HOST}" > /dev/null 2>&1
}

case "$1" in
up|UP)
  if [ -e "${SOCKET}" ] && alive; then
    echo "Already up"
  else
    # A socket file with no live master behind it is stale: remove it, then
    # start a new master (-M) with the dynamic forward (-D), backgrounded (-f),
    # compressed (-C), quiet (-q) and running no remote command (-N).
    rm -f "${SOCKET}"
    ssh -M -S "${SOCKET}" -D "${PORT}" -f -C -q -N -p "${SSH_PORT}" "${HOST}"
  fi
  ssh -S "${SOCKET}" -O check -p "${SSH_PORT}" "${HOST}"
  ;;
down|DOWN)
  if [ -e "${SOCKET}" ] && alive; then
    # Ask the master to exit; this closes the proxy and every session riding on it.
    ssh -S "${SOCKET}" -O exit -p "${SSH_PORT}" "${HOST}"
  else
    echo "Already down"
  fi
  rm -f "${SOCKET}"
  ;;
*)
  echo "USAGE:"
  echo "Bring the socks proxy up using:"
  echo "  ./socks.sh up"
  echo "Take the socks proxy down using:"
  echo "  ./socks.sh down"
  ;;
esac

You may want to use a port other than 1080. Whilst 1080 is the conventional SOCKS port, it conflicts with Docker, so I tend to use an unused port such as 8123.