Stuff I'm Up To

Technical Ramblings

Central Logging — May 30, 2020


System logging should not remain a local activity. If a system is compromised, one of the first things an attacker will do is stop it logging what they have done, are doing, or are about to do; with root they can edit or delete anything under /var/log. If you are security minded you must send your logs to another system as they are generated and monitor the activity there, because the copy on the log host is the one that survives.

This is very easy to do with rsyslog. I've built it into an Ansible task alongside the Lynis Security Auditing work. All you need to do is drop a small file into /etc/rsyslog.d and restart rsyslog. It won't stop you getting hacked, but you will at least have a record, off the box, of what happened up to the point the attacker disabled logging.

Lynis Security Auditing — May 29, 2020


In the days of corporate lore I faced system hardening challenges driven by Nessus. Because Nessus isn't FOSS (Free and Open Source Software) it's not something I can use in my current role. There is an open source fork maintained by Greenbone (OpenVAS), but there is something attractive about using Lynis as a build validation tool instead.

Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software with the GPL license and available since 2007.

https://cisofy.com/lynis/#introduction

First off, it's VERY easy to use. It doesn't need a server and can be pulled straight from GitHub and run: it is a shell script, so there is nothing to compile.
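Using that as a build gate, as an added example for this post and not the author's own Ansible task: clone, audit, then parse the machine-readable report and fail the build on warnings or a low hardening index. The checkout directory and threshold are assumptions, and the report layout (key=value lines, `warning[]=TEST-ID|message|...`, `hardening_index=NN`) is how lynis-report.dat looked at the time of writing, so confirm it against your Lynis version. The sample report in the test is constructed.

```shell
#!/bin/sh
# Lynis as a build gate: fetch it from GitHub, run the audit, and fail the
# build on any warning or a hardening index below a threshold. Added example
# for this post, not the author's Ansible task. LYNIS_DIR and MIN_INDEX are
# assumptions; the report format (key=value lines, warning[]=TEST-ID|text|...)
# is how lynis-report.dat looked when this was written, so check yours.

LYNIS_DIR=${LYNIS_DIR:-/opt/lynis}
REPORT=${REPORT:-/var/log/lynis-report.dat}    # Lynis' default report file
MIN_INDEX=${MIN_INDEX:-70}

# No package, no compile step: a shallow clone of the repo is the install.
fetch_lynis() {
  if [ -d "$LYNIS_DIR/.git" ]; then
    git -C "$LYNIS_DIR" pull --ff-only
  else
    git clone --depth 1 https://github.com/CISOfy/lynis "$LYNIS_DIR"
  fi
}

# --quick drops the interactive pauses; the machine-readable report lands in $REPORT.
run_audit() {
  (cd "$LYNIS_DIR" && ./lynis audit system --quick --no-colors)
}

# Values of one key in the report, one per line.
report_values() {  # $1 = report file, $2 = key (regex-escaped)
  grep "^$2=" "$1" | cut -d= -f2-
}

# Verdict on a report. Prints one line ending in PASS or FAIL; the
# warnings themselves go to stderr so the build log shows why.
report_gate() {  # $1 = report file, $2 = minimum hardening index
  local index warnings
  index=$(report_values "$1" hardening_index)
  warnings=$(grep -c '^warning\[\]=' "$1" || true)
  # a warning[] entry is TEST-ID|message|details|...; show id and message
  report_values "$1" 'warning\[\]' | cut -d'|' -f1,2 | sed 's/^/  warning: /' >&2
  if [ "${index:-0}" -ge "$2" ] && [ "$warnings" -eq 0 ]; then
    echo "hardening_index=$index warnings=$warnings PASS"
  else
    echo "hardening_index=${index:-none} warnings=$warnings FAIL"
  fi
}

if [ "${1:-}" = gate ]; then
  fetch_lynis && run_audit
  report_gate "$REPORT" "$MIN_INDEX" | grep -q PASS
fi
```

Run with `gate` as root on the freshly built image; the exit status is the build verdict. Gate on warnings first and on the index second: the index moves with every test Lynis adds, so a fixed threshold needs revisiting when you update the checkout.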

Nginx Configuration Synchronisation — May 25, 2020


Back when I built the Nginx failover pair with Nginx and Keepalived I also wanted any config change on the master to be copied automatically to the backup.

There are some important things you need to get right for this to work without putting the failover itself at risk. The last thing you want is to bork your master server's config and then automatically copy that broken config to the backup and take that one out too. Validate the config before it is copied, and validate it again on the backup before it is loaded.
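One way to build in those two checks, as an added example and not the post's own sync job. The backup's hostname, the staging directory and the use of rsync over ssh are assumptions; the structure is what matters: nothing leaves the master unless `nginx -t` passes there, and the backup reloads only after its own `nginx -t` passes on the staged copy.

```shell
#!/bin/sh
# Push a validated nginx config from the keepalived MASTER to the BACKUP.
# Added example, not the post's own sync job. BACKUP, STAGE and rsync over
# ssh are assumptions. Rule: nothing is copied unless the master's config
# passes nginx -t, and the backup reloads only after its own nginx -t passes,
# so one broken edit cannot take out both nodes.

NGINX_CONF=${NGINX_CONF:-/etc/nginx}
BACKUP=${BACKUP:-nginx-backup.internal}      # assumed hostname of the BACKUP node
STAGE=${STAGE:-/var/tmp/nginx-conf-staging}  # assumed staging dir on the backup

# Step 1: refuse to sync anything the master itself cannot load.
check_local() { nginx -t -q; }

# Step 2: mirror the tree into a staging directory on the backup, not over
# its live configuration.
push_config() { rsync -az --delete -e ssh "$NGINX_CONF/" "$BACKUP:$STAGE/"; }

# Step 3: test the staged tree on the backup; only then swap it in and reload.
activate_remote() {
  ssh "$BACKUP" "nginx -t -q -c '$STAGE/nginx.conf' \
    && rsync -a --delete '$STAGE/' '$NGINX_CONF/' \
    && nginx -s reload"
}

sync_config() {
  if ! check_local; then
    echo "master config failed nginx -t, nothing pushed" >&2
    return 1
  fi
  push_config || return 1
  if ! activate_remote; then
    echo "backup rejected the staged config; its live config is untouched" >&2
    return 1
  fi
  echo "config synced to $BACKUP and reloaded"
}

if [ "${1:-}" = sync ]; then sync_config; fi
```

Hook `sync` into whatever notices the change (an inotify watcher, a post-edit script, or a cron job). One caveat: `nginx -t -c` on the staged copy only exercises the staged tree fully if nginx.conf's include directives are relative to the prefix (add `-p "$STAGE"` in that case); with absolute includes it reads the live include files, so keep a copy of the previous live tree aside for rollback.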

PAM_LDAP and uniqueMember — May 24, 2020
SSH Multiplexing — May 21, 2020


Typically SSH opens a new TCP connection every time you connect to a remote host. But ssh has a feature that lets new connections reuse an existing one through a local control socket, which is called multiplexing.

This only helps when you are repeatedly connecting to the same host: it is that host's authenticated connection that gets reused. Through it you can still reach different places, by forwarding ports or jumping onwards from that host.

Why is this useful?

If I already have a SOCKS connection open to my office gateway I don't need to open a new TCP connection to pass traffic into the office network. Still not sold on the idea? We use pretty robust authentication on the gateway: multi-factor, with private keys and passwords. Without multiplexing I would have to go through all of that for every connection. Add fail2ban to the mix, get it wrong, and your IP is blocked for 90 minutes.

With a multiplexed connection I authenticate ONCE and subsequent connections go through that already authenticated session.
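The same thing configured once in ~/.ssh/config instead of typing -M and -S on every command line, as an added example that is not the post's own configuration; the alias, gateway name and socket location are assumptions. The part worth dwelling on is the socket's permissions: whoever can connect to the control socket gets the already authenticated session, MFA and all, so it must live somewhere only you can enter.

```shell
#!/bin/sh
# Multiplexing via ~/.ssh/config instead of -M/-S on every command line.
# Added example for this post, not the author's config; "gw", the gateway
# name and the socket directory are assumptions.

# Emit a Host stanza: the first ssh to the alias becomes the master, later
# ssh/scp/sftp invocations ride its socket, and ControlPersist keeps the
# master alive for 10 minutes after the last client leaves, so the MFA dance
# happens once per idle gap rather than once per hop. %C (OpenSSH 6.7+) is a
# hash of user, host and port, which keeps the path short.
mux_stanza() {  # $1 = alias, $2 = user@host, $3 = port
  cat <<EOF
Host $1
    HostName ${2#*@}
    User ${2%@*}
    Port $3
    ControlMaster auto
    ControlPath ~/.ssh/mux-%C
    ControlPersist 10m
EOF
}

# The control socket IS the authenticated session: any local process that
# can connect to it gets the gateway with no MFA. Keep it in a directory
# only you can enter, and never point ControlPath at /tmp.
socket_dir_ok() {  # $1 = directory holding the sockets
  local mode
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = 700 ]
}

# The checks the SOCKS script does with -S, expressed against the alias.
mux_check() { ssh -O check "$1"; }   # reports the master pid if one is alive
mux_stop()  { ssh -O exit  "$1"; }   # tear the master down explicitly

if [ "${1:-}" = install ]; then
  socket_dir_ok "$HOME/.ssh" || { echo "fix first: chmod 700 ~/.ssh" >&2; exit 1; }
  mux_stanza gw myuser@gateway.domain.tld 22 >> "$HOME/.ssh/config"
fi
```

After `install`, `ssh gw` authenticates once; `ssh gw`, `scp something gw:` and `ssh -D 8123 -N gw` within the next ten minutes reuse it, and `mux_stop gw` ends the session when you walk away from the machine.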

Remotely Mounting a Fileshare — May 19, 2020
SSH and SOCKS — May 18, 2020


Here's my handy script for bringing a SOCKS proxy up and down. It saves the hassle of finding the PID of the ssh proxy process to kill it when you're done: with a control socket, ssh -O exit does that for you.

socks.sh

#!/bin/bash
# socks.sh: bring a SOCKS proxy up or down over a multiplexed ssh session.

SOCKET=~/.ssh/jump.socket           # control socket of the master connection
GATEWAY="myuser@gateway.domain.tld"
SSH_PORT=22
PORT=8123                           # local SOCKS port; ssh binds it to 127.0.0.1 only

# Is a master still listening on the socket? (-O check reports on stderr)
master_alive() {
  [ -S "${SOCKET}" ] && ssh -S "${SOCKET}" -O check "${GATEWAY}" 2>/dev/null
}

case "$1" in
up|UP)
  if master_alive; then
    echo "Already up"
  else
    rm -f "${SOCKET}"               # stale socket left by a dead master
    ssh -M -S "${SOCKET}" -p "${SSH_PORT}" -D "${PORT}" -f -C -q -N "${GATEWAY}"
  fi
  ssh -S "${SOCKET}" -O check "${GATEWAY}"
  ;;
down|DOWN)
  if master_alive; then
    ssh -S "${SOCKET}" -O exit "${GATEWAY}"   # master removes its socket as it exits
  else
    echo "Already down"
  fi
  rm -f "${SOCKET}"
  ;;
*)
  echo "USAGE:"
  echo "Bring the socks proxy up using:"
  echo "  ./socks.sh up"
  echo "Take the socks proxy down using:"
  echo "  ./socks.sh down"
  exit 1
  ;;
esac

You may want a port other than 1080. Whilst 1080 is the usual SOCKS port, it conflicts with Docker, so I tend to use 8123, which is otherwise unused. Whatever port you pick, ssh -D binds it to the loopback address unless you give it an explicit bind address, so the proxy is not reachable from the rest of your LAN.

SSH, OATH OTP and LDAP — May 17, 2020


I got myself into a bit of a knot with this one. We wanted multi-factor authentication set up on the main SSH gateway and that meant private key, password AND OTP. Yes, a real belt and braces approach.

What I found was that once I added OATH to PAM, as soon as I entered the OTP I was logged in. Running ssh with -vv for some verbosity I could see it was using my private key, so technically I had achieved MFA, or more precisely 2FA.

What I needed was to dig deeper into the workings of PAM. Usually it's just a case of adding the required PAM entries for LDAP and the job is done; now I had to figure out required, requisite, sufficient and options like [success=1 ...].
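Those control flags are easier to reason about with a small model in front of you. What follows is an added illustration for this post, not PAM's code and not the author's final stack: a toy evaluator that walks an auth stack the way libpam does, with each module's verdict supplied by the caller so it runs offline. The stacks in the test are constructed; the one with the OTP module marked sufficient reproduces the symptom above, since sufficient ends the stack on success and the password module after it never runs, whereas requisite plus required means every factor must pass.

```shell
#!/bin/sh
# Toy model of how PAM walks an "auth" stack. An added illustration for this
# post, not PAM's own code: each module's verdict is supplied by the caller so
# the control flags can be studied offline. Handles required, requisite,
# sufficient, optional and [success=N default=ignore] (N a number or "done").

# pam_eval STACK OUTCOMES
#   STACK    one "type control module [args]" line per entry, as in /etc/pam.d/*
#   OUTCOMES space-separated "module=ok|fail"; unlisted modules count as fail
# Prints ok or fail, the overall result pam_authenticate() would hand to sshd.
pam_eval() {
  local stack outcomes n i line rest control module result kv failed skip
  stack=$(printf '%s\n' "$1" | grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' || true)
  outcomes=$2
  if [ -z "$stack" ]; then echo fail; return 0; fi   # an empty stack authenticates nobody
  n=$(( $(printf '%s\n' "$stack" | wc -l) ))
  i=1; failed=0
  while [ "$i" -le "$n" ]; do
    line=$(printf '%s\n' "$stack" | sed -n "${i}p")
    rest=${line#* }                                    # drop the type (auth, account, ...)
    case "$rest" in
      '['*) control="${rest%%]*}]"; rest=${rest#*] } ;;  # bracketed control field
      *)    control=${rest%% *};    rest=${rest#* } ;;
    esac
    module=${rest%% *}                                 # module name without its arguments
    result=fail
    for kv in $outcomes; do
      if [ "${kv%%=*}" = "$module" ]; then result=${kv#*=}; fi
    done
    case "$control" in
      required)     # failure is remembered, but the rest of the stack still runs
        if [ "$result" != ok ]; then failed=1; fi ;;
      requisite)    # failure ends the stack immediately
        if [ "$result" != ok ]; then echo fail; return 0; fi ;;
      sufficient)   # success ends the stack immediately, unless a required module already failed
        if [ "$result" = ok ] && [ "$failed" -eq 0 ]; then echo ok; return 0; fi ;;
      optional) ;;
      '[success='*) # [success=N default=ignore]: success skips the next N modules, failure is ignored
        skip=${control#"[success="}; skip=${skip%% *}; skip=${skip%]}
        if [ "$result" = ok ]; then
          if [ "$skip" = done ]; then
            if [ "$failed" -eq 0 ]; then echo ok; else echo fail; fi
            return 0
          fi
          i=$((i + skip))
        fi ;;
    esac
    i=$((i + 1))
  done
  if [ "$failed" -eq 0 ]; then echo ok; else echo fail; fi
}
```

Feed it your real /etc/pam.d/sshd (with the includes pasted in) and a verdict per module to see which combinations of key, password and OTP get through before you test it against a live gateway and fail2ban.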

SSH Authorized_Keys and LDAP — May 16, 2020
Resetting the Root Password — May 15, 2020
Nextcloud, LDAP and Password Changes — May 14, 2020


Using Nextcloud with LDAP is straightforward enough: you just add the "LDAP user and group backend" app. We wanted to use Nextcloud to let our LDAP users change their own password, and this is where things got sticky.

Our Nextcloud was configured the way we like our other LDAP-authenticated systems, with a read-only bind user that can bind and query only. Try as I might I could not get Nextcloud to change a user's password, even though the user was granted write access to their own password in the LDAP ACL on the server.

There were a number of wider things to change before users could change their password; it wasn't just the read-only binding.

One Time Password and SSHD — May 1, 2020


I made a bit of a fool of myself suggesting that we add a free means of securing our external SSH gateway by using Google Authenticator. My boss simply turned round and said

“Why would we recommend that all our users get Google accounts just to logon to our services?”

My Boss

It's because I hadn't fully moved my mindset away from large, commercial, free but closed source services and into free and open source.

After five minutes I'd got FreeOTP installed on my phone and libpam-oath set up on my ssh server.
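The enrolment side of that setup, as an added example and not the post's own commands. libpam-oath implements RFC 6238 TOTP, and FreeOTP imports the same otpauth:// URI format as any other TOTP app, which is why the choice of app doesn't matter here. The path of the users file, the issuer label and the use of `usersfile=/etc/users.oath` in /etc/pam.d/sshd are assumptions; the one conversion step that trips people up is that pam_oath stores the secret as hex while the phone app wants base32.

```shell
#!/bin/sh
# Enrol a user for TOTP with libpam-oath and hand them an otpauth:// URI that
# FreeOTP (or any RFC 6238 app) can import. Added example, not the post's own
# script. Assumes pam_oath is configured with usersfile=/etc/users.oath in
# /etc/pam.d/sshd; the issuer label is an assumption too.

USERS_FILE=${USERS_FILE:-/etc/users.oath}
ISSUER=${ISSUER:-ssh-gateway}

# 20 random bytes as lowercase hex: the raw secret pam_oath stores.
new_secret_hex() {
  head -c 20 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# pam_oath keeps hex; TOTP apps expect RFC 4648 base32 (no padding needed
# for a 20-byte key). Pure shell so it works without xxd or base32(1).
hex_to_base32() {
  local hex alphabet acc bits out c idx
  hex=$1; alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
  acc=0; bits=0; out=""
  while [ -n "$hex" ]; do
    c=${hex%"${hex#?}"}; hex=${hex#?}               # take one hex digit
    acc=$(( (acc << 4) | 0x$c )); bits=$((bits + 4))
    while [ "$bits" -ge 5 ]; do                     # emit every full 5-bit group
      bits=$((bits - 5))
      idx=$(( (acc >> bits) & 31 ))
      out="$out$(printf '%s' "$alphabet" | cut -c$((idx + 1)))"
      acc=$(( acc & ((1 << bits) - 1) ))
    done
  done
  if [ "$bits" -gt 0 ]; then                        # leftover bits, zero-padded on the right
    out="$out$(printf '%s' "$alphabet" | cut -c$(( (acc << (5 - bits)) + 1 )))"
  fi
  printf '%s\n' "$out"
}

# users.oath line: type/T<step>/<digits> user pin secret. "-" means no PIN;
# the password is a separate PAM module, not part of the OTP.
users_oath_line() {  # $1 = user, $2 = hex secret
  printf 'HOTP/T30/6 %s - %s\n' "$1" "$2"
}

# Key URI in the otpauth format FreeOTP and friends import (scan as a QR code
# or paste); parameters match the users.oath line: SHA1, 6 digits, 30 s step.
otpauth_uri() {  # $1 = user, $2 = hex secret
  printf 'otpauth://totp/%s:%s?secret=%s&issuer=%s&algorithm=SHA1&digits=6&period=30\n' \
    "$ISSUER" "$1" "$(hex_to_base32 "$2")" "$ISSUER"
}

enrol() {
  local user secret
  user=$1
  secret=$(new_secret_hex)
  # the file holds shared secrets in the clear: root-only, always
  ( umask 077; users_oath_line "$user" "$secret" >> "$USERS_FILE" )
  chmod 600 "$USERS_FILE"
  echo "Import this into FreeOTP, then discard it:"
  otpauth_uri "$user" "$secret"
}

if [ $# -gt 0 ]; then enrol "$1"; fi
```

Run as root with the username as the argument. Show the URI once over a channel you trust and don't leave it in shell history or a ticket: it is the secret, and anyone holding it can generate the user's codes.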
