Stuff I'm Up To

Technical Ramblings

FreeRADIUS and Docker — July 7, 2020

Today I built a FreeRADIUS server in a set of Docker containers using docker-compose. As we only have a small number of users on the WiFi, it was set up as a single SSID with WPA-PSK, and that pre-shared key gradually gets spread to every man and his dog.

Fortunately that SSID only acts as a guest network and provides internet access, but the next step is a proper corporate SSID with access to the LAN. For that we want 802.1X, with the RADIUS server doing the integration between wireless and LDAP.

Central Logging — May 30, 2020

System logging should not remain a local activity. If your system is compromised, often the first thing on the attacker's mind is to stop it from logging what they have done, are doing, or are about to do. If you're going to be security minded you must send your logs to another system and monitor the activity there.

This is very easy to do with rsyslog. I've built this as an Ansible task alongside the Lynis Security Auditing work. All you need to do is drop a small file into /etc/rsyslog.d and restart rsyslog. Sure, it won't stop you getting hacked, but you'll at least have a record, on a box the attacker hasn't reached, of everything that happened up to the point they disabled logging.
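As an added example (this is not the Ansible task from the post), the same change done by hand: a script that writes the forwarding drop-in, asks rsyslogd to parse the whole configuration before restarting, and sends a test message to look for on the collector. The collector name loghost.example.org and port 514/TCP are placeholders, and the action() syntax assumes rsyslog v7 or newer.

```shell
#!/bin/sh
# Added example, not the Ansible task from the post. Drops a forwarding
# rule into /etc/rsyslog.d, checks the configuration parses, restarts
# rsyslog and emits a test message to look for on the collector.
# Assumptions: loghost.example.org:514/TCP is a placeholder collector and
# rsyslog is v7 or newer (RainerScript action() syntax).
set -eu

# write_forward_conf FILE HOST PORT -> writes the drop-in file
write_forward_conf() {
  cat > "$1" <<EOF
# Send a copy of every event to the central collector. The rules in
# /etc/rsyslog.conf keep writing the local files, so nothing changes there.
# The disk-assisted queue holds events while the collector is unreachable
# instead of dropping them, which is what plain UDP forwarding would do.
action(type="omfwd"
       target="$2" port="$3" protocol="tcp"
       queue.type="LinkedList"
       queue.filename="fwd_$2"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
EOF
}

# check_conf -> 0 if rsyslogd accepts the full configuration, including
# everything under /etc/rsyslog.d (-N1 parses and exits, no daemon started)
check_conf() {
  rsyslogd -N1 -f /etc/rsyslog.conf >/dev/null 2>&1
}

if [ "${1:-}" = "install" ]; then
  write_forward_conf /etc/rsyslog.d/10-central.conf loghost.example.org 514
  check_conf || { echo "rsyslogd rejected the configuration" >&2; exit 1; }
  systemctl restart rsyslog
  # this line should appear on the collector within a few seconds
  logger -t central-logging "forwarding enabled on $(hostname)"
fi
```

Run it as root with the single argument install. The local files are still the first thing an intruder truncates, so also alert on the collector when a host goes quiet, not only on what it sends. Where the traffic crosses a network you don't trust, add omfwd's gtls StreamDriver settings so the collector is authenticated by certificate and the stream is encrypted.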

Lynis Security Auditing — May 29, 2020

In the days of corporate lore I faced system hardening challenges driven by Nessus. Because Nessus isn't FOSS (Free and Open Source Software) it's not something I can use in my current role. There is an open source fork from Greenbone, but there is also a good case for using Lynis as a build validation tool.

Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating systems. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software with the GPL license and available since 2007.

https://cisofy.com/lynis/#introduction

First off, it's VERY easy to use. It doesn't need a server and can be pulled down from GitHub and run with no compilation required. Since the audit runs as root and reads everything on the box, pull a tagged release rather than whatever is at the head of the branch.
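Using it as a build validation step means turning the report into a pass/fail. The script below is an added example, not part of the post or of Lynis itself: it runs the audit from a checkout in ./lynis (assumed to be a pinned release tag), reads the hardening_index= and warning[]= lines that Lynis writes to /var/log/lynis-report.dat, and fails the build when the index is below a threshold. The threshold of 70 is a placeholder to tune per image.

```shell
#!/bin/sh
# Added example, not part of the post or of Lynis. Runs Lynis the way a
# build-validation step would and fails when the hardening index drops
# below a threshold. Assumptions: the checkout lives in ./lynis (a pinned
# release tag), the report goes to /var/log/lynis-report.dat as by default,
# and 70 is a placeholder threshold.

# hardening_index REPORT -> prints the 0-100 index from lynis-report.dat
hardening_index() {
  # lines look like: hardening_index=72
  sed -n 's/^hardening_index=\([0-9][0-9]*\)$/\1/p' "$1"
}

# report_warnings REPORT -> prints one "TEST-ID|message" per warning
report_warnings() {
  # lines look like: warning[]=SSH-7408|Consider hardening SSH configuration|...|
  sed -n 's/^warning\[\]=\([^|]*\)|\([^|]*\)|.*/\1|\2/p' "$1"
}

# gate REPORT MIN_INDEX -> 0 when the index is present and >= MIN_INDEX
gate() {
  idx=$(hardening_index "$1")
  [ -n "$idx" ] && [ "$idx" -ge "$2" ]
}

if [ "${1:-}" = "run" ]; then
  # --quick skips the interactive pauses; run as root for a complete scan
  ( cd lynis && ./lynis audit system --quick --no-colors >/dev/null )
  report=/var/log/lynis-report.dat
  report_warnings "$report"
  gate "$report" 70 || {
    echo "hardening index $(hardening_index "$report") is below 70" >&2
    exit 1
  }
fi
```

Run it as root with the argument run. Lynis refuses to start if the checkout's files are not owned by the user running it, so chown the checkout to root first. Treat the warning list as the thing to read; the index is only a coarse trend number, and a single warning such as an exposed service can matter more than a few points.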

SSH, OATH OTP and LDAP — May 17, 2020

I got myself into a bit of a knot with this one. We wanted multi-factor authentication setup on the main SSH gateway and that meant private key, password AND OTP. Yes, a real belt and braces security approach.

What I found was that once I added OATH to PAM, as soon as I entered the OTP I got logged in. Running ssh with -vv to get some verbosity, I could see it was picking up my private key, so technically I had achieved MFA, or more precisely 2FA.

What I needed was to dig a bit deeper into the workings of PAM. Usually it's just a case of adding the required PAM entries for LDAP and the job is done; now I had to figure out required, requisite, sufficient and the options like [success=1...]. Those control flags decide whether a module's failure ends the stack and whether its success short-circuits it: a sufficient module that passes returns success straight away (as long as no earlier required module failed), which is exactly how an OTP on its own can let a user in, whereas required and requisite both have to pass, with requisite aborting the stack immediately on failure.

Resetting the Root Password — May 15, 2020
One Time Password and SSHD — May 1, 2020

I made a bit of a fool of myself suggesting that we add a free means of securing our external SSH gateway by using Google Authenticator. My boss simply turned around and said

“Why would we recommend that all our users get Google accounts just to logon to our services?”

My Boss

It's because I haven't fully moved my mindset away from large commercial, free-but-closed-source services to free and open source ones.

After five minutes I'd got FreeOTP installed on my phone and set up libpam-oath on my ssh server.
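The following is an added example, not code from either post, covering both the libpam-oath setup here and the PAM ordering problem from the "SSH, OATH OTP and LDAP" post above. It enrols a user in the users file pam_oath reads and computes the same TOTP the phone will display, so the enrolment can be checked before the PAM change goes live; the comments give the sshd_config and pam.d lines that make key, password and OTP all mandatory. Assumed values: 6-digit, 30-second TOTP (HOTP/T30/6), the users file at /etc/users.oath, and openssl on the path.

```shell
#!/bin/sh
# Added example, not from the post. Enrols a user for libpam-oath and
# computes the TOTP the phone should show, so the enrolment can be checked
# before the PAM change goes live. Assumptions: 6-digit, 30-second TOTP
# (HOTP/T30/6), a users file at /etc/users.oath, openssl available.
#
# Stack that makes key AND password AND OTP mandatory (values assumed):
#   /etc/ssh/sshd_config
#     UsePAM yes
#     KbdInteractiveAuthentication yes
#     AuthenticationMethods publickey,keyboard-interactive:pam
#   /etc/pam.d/sshd, above the "@include common-auth" line
#     auth requisite pam_oath.so usersfile=/etc/users.oath window=3
# "requisite" fails the whole stack on a bad OTP before the LDAP password
# is even asked for; listing pam_oath as "sufficient" is what lets the OTP
# alone log a user in. window= bounds the clock skew accepted, in steps.

# hex2bin: hex on stdin -> raw bytes on stdout (no xxd dependency)
hex2bin() {
  hex=$(cat)
  while [ -n "$hex" ]; do
    printf "$(printf '\\%03o' "$((0x${hex%"${hex#??}"}))")"
    hex=${hex#??}
  done
}

# totp HEXSECRET [UNIXTIME] -> the 6-digit RFC 6238 code for that 30 s step
totp() {
  now=${2:-$(date +%s)}
  step=$(printf '%016x' "$((now / 30))")
  mac=$(printf '%s' "$step" | hex2bin |
        openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}')
  # dynamic truncation: low nibble of the last byte selects a 4-byte window
  offset=$(( 0x$(printf '%s' "$mac" | cut -c 40) & 0xf ))
  window=$(printf '%s' "$mac" | cut -c "$((2 * offset + 1))-$((2 * offset + 8))")
  printf '%06d\n' "$(( (0x$window & 0x7fffffff) % 1000000 ))"
}

# enrol USER USERSFILE -> appends a fresh 160-bit secret, prints it as hex
enrol() {
  secret=$(openssl rand -hex 20)
  # pam_oath line format: TYPE  USER  PIN ("-" = none)  HEX-SECRET
  printf 'HOTP/T30/6\t%s\t-\t%s\n' "$1" "$secret" >> "$2"
  chmod 600 "$2"   # pam_oath runs as root via sshd; nobody else needs it
  printf '%s\n' "$secret"
}
```

Usage, as root: secret=$(enrol alice /etc/users.oath), then compare totp "$secret" with the code on the phone once the secret is loaded. FreeOTP wants the secret in base32 rather than hex; oathtool --verbose prints both forms if the oath-toolkit CLI is installed. Keep a second SSH session open while editing /etc/pam.d/sshd and test a fresh login before closing it, since a mistake there locks everyone out.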

Asterisk – SIP + TLS — April 13, 2020
Wireguard on a Raspberry Pi — April 9, 2020
Linux LDAP Auth — January 16, 2020

Up until now all of my Linux authentication has been local, file-based auth. I've added LDAP to services and applications, but logging into a Linux box has always used local users.

Installing LDAP as the PAM authenticator on Debian Buster involved the following steps.

$ sudo apt install libnss-ldapd libpam-ldap ldap-utils

Then answer the configuration prompts with the details for your directory, such as:

LDAP URI: ldap://ldap.domain.tld/
Search Base: dc=domain,dc=tld
DN and password of the admin account, if required: cn=admin,ou=People,dc=domain,dc=tld

Two cautions here. A plain ldap:// URI sends the bind password and every user's login password across the network in the clear, so use ldaps:// or turn on STARTTLS (ssl start_tls in nslcd.conf). And the bind DN is only needed if the directory refuses anonymous reads; when it is, use a read-only account with the least privilege that works rather than the directory administrator, because its credentials end up on disk on every client (in /etc/nslcd.conf for libnss-ldapd).

Now you need to modify some configuration files.

Edit /etc/nsswitch.conf to add ldap as a source. We also want sudo rules from the directory, so sudoers has been added to the config too; that line is read by sudo itself, which on Debian needs the sudo-ldap package and its /etc/sudo-ldap.conf.

/etc/nsswitch.conf

passwd: compat ldap
group: compat ldap
shadow: compat ldap
...
sudoers: files ldap

/etc/pam.d/common-password

Remove use_authtok from any line in common-password, so that pam_ldap prompts for the new password itself instead of expecting one already collected by an earlier module in the stack.

/etc/pam.d/common-session

Add the following line, so that a directory user gets a home directory created on first login (the umask keeps it private to the user):

session optional pam_mkhomedir.so skel=/etc/skel umask=0077

For good measure restart nscd after making any changes to the above files (and nslcd, the lookup daemon behind libnss-ldapd, if its config changed).

$ sudo systemctl restart nscd
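As an added example (not from the post), a check script for the steps above: it confirms nsswitch.conf lists ldap for the databases we rely on, that the two PAM edits are in place, and that a directory user actually resolves through NSS. The paths are the Debian defaults and the user name passed on the command line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the post. Verifies the LDAP client setup above:
# nsswitch.conf lists ldap for the databases we rely on, the PAM files
# carry the two edits, and a directory user resolves through NSS.
# Assumptions: Debian default paths; the user name is given as $1.

# nss_has_source FILE DB SOURCE -> 0 if the "DB:" line lists SOURCE, else 1
nss_has_source() {
  awk -v db="$2" -v src="$3" '
    /^[[:space:]]*#/ { next }
    $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
    END { exit found ? 0 : 1 }' "$1"
}

# pam_check PAMDIR -> 0 when common-password has no use_authtok and
# common-session creates home directories, else 1 with a reason on stderr
pam_check() {
  if grep -q 'use_authtok' "$1/common-password"; then
    echo "use_authtok still present in common-password" >&2
    return 1
  fi
  if ! grep -Eq '^session[[:space:]]+optional[[:space:]]+pam_mkhomedir\.so' "$1/common-session"; then
    echo "pam_mkhomedir.so missing from common-session" >&2
    return 1
  fi
  return 0
}

if [ -n "${1:-}" ]; then
  for db in passwd group shadow sudoers; do
    nss_has_source /etc/nsswitch.conf "$db" ldap ||
      { echo "nsswitch: $db does not list ldap" >&2; exit 1; }
  done
  pam_check /etc/pam.d || exit 1
  # getent goes through NSS, so a hit here proves nslcd can reach the directory
  getent passwd "$1" || { echo "$1 is not resolvable via NSS" >&2; exit 1; }
  id "$1"
  # sudoers: ldap is only doing its job if the expected rules show up here
  sudo -l -U "$1"
fi
```

Run it as root with the login name of a directory user. If getent finds the user but a login still fails, the problem is in the PAM auth stack rather than NSS, and /var/log/auth.log will show which module rejected it.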

References: https://www.server-world.info/en/note?os=Debian_10&p=openldap&f=3

VCSA root Locked Out! — June 7, 2019

This gave me cause for tears today. The VCSA (vCenter Server Appliance) management web UI (https://vcsa:5480) decided not to let me in as root. I'm guessing I spannered the password a few too many times.

It's a very good job that at some point in the past I put my public key onto the system, so I could use my plain old no-password-required private key to log on to the system using ssh!

SSH Logon with Private Key

Now that I'm logged onto the console, how do I get access back to the Web UI? I discovered that VCSA uses pam_tally2 to lock accounts after too many failed logins. What I needed to do was reset the counter for root:

# pam_tally2 --user=root
 Login           Failures Latest failure     From
 root               10    06/07/19 14:12:11  unknown
# pam_tally2 --user=root --reset
 Login           Failures Latest failure     From
 root               10    06/07/19 14:12:11  unknown
# pam_tally2 --user=root
 Login           Failures Latest failure     From

Now I can log on to the Web UI! Note that --reset prints the counter as it stood before the reset, which is why it still shows 10; the final query confirms it has been cleared.

The lesson to learn here is to install your public key onto your precious Linux boxes, so you keep a break-glass route in when the password path locks you out. That key sidesteps the lockout entirely, so guard the private key accordingly (a passphrase, an agent, and nowhere near the box it unlocks). On current distributions pam_tally2 has been replaced by pam_faillock, which comes with its own faillock tool for the same reset.

Public Key from Private Key — January 3, 2019

I fall over this every so often. I have the private key file but would either have to trawl servers for authorized_keys files to get the public key, or remember how to obtain the public key from the private key.

Time to document it here so I don’t have to hunt for it with Google again.

For an RSA key, the PEM (SubjectPublicKeyInfo) format public key; both commands below prompt for the passphrase if the private key is encrypted:

$ openssl rsa -in private.key -pubout

-----BEGIN PUBLIC KEY-----
MIIBIDA ...
-----END PUBLIC KEY-----

For the OpenSSH authorized_keys format, the single-line form servers store in ~/.ssh/authorized_keys:

$ ssh-keygen -y -f private.key

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQE ...
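The trawl through authorized_keys files is exactly what ssh-keygen -y makes unnecessary. The script below is an added example, not from the post: it derives the public key, checks whether it appears in a given authorized_keys file (comparing only the key type and material, so comments and any options prefix such as from="..." are ignored), and prints the SHA256 fingerprint that sshd logs on each successful login. It assumes ssh-keygen is installed and that /dev/stdin can be opened as a file, as on Linux.

```shell
#!/bin/sh
# Added example, not from the post. Recovers the public key from an
# OpenSSH private key, checks it against an authorized_keys file, and
# prints the fingerprint sshd logs. Assumptions: ssh-keygen installed;
# an encrypted key prompts for its passphrase unless it sits in ssh-agent;
# /dev/stdin is openable as a file (Linux).

# pubkey_material PRIVKEY -> "type base64" of the matching public key
pubkey_material() {
  ssh-keygen -y -f "$1" | awk '{print $1, $2}'
}

# key_in_authorized PRIVKEY AUTHORIZED_KEYS -> 0 if present, 1 if absent,
# 2 if the private key could not be read
key_in_authorized() {
  want=$(pubkey_material "$1") || return 2
  # an authorized_keys line may start with options (from=..., no-pty, ...)
  # before the type, so check every adjacent pair of fields, not just 1-2
  awk -v want="$want" '
    /^#/ || NF == 0 { next }
    { for (i = 1; i < NF; i++) if (($i " " $(i+1)) == want) { found = 1; exit } }
    END { exit found ? 0 : 1 }' "$2"
}

# fingerprint PRIVKEY -> SHA256:... as it appears in "Accepted publickey" log lines
fingerprint() {
  ssh-keygen -y -f "$1" | ssh-keygen -lf /dev/stdin | awk '{print $2}'
}

if [ $# -eq 2 ]; then
  if key_in_authorized "$1" "$2"; then
    echo "$(fingerprint "$1") is authorised in $2"
  else
    echo "$(fingerprint "$1") is NOT in $2" >&2
    exit 1
  fi
fi
```

Usage: pass the private key and an authorized_keys file. Options that contain a quoted space (rare, but allowed) would be split into extra fields; the pair scan still finds the key after them. The fingerprint is the quickest way to grep auth.log for which key a login actually used.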
RADIUS Testing — November 5, 2018

We need to authenticate a couple of devices via our WiFi access points against a RADIUS server. Right now I wanted to test things out using a MAC address authentication process, but for some reason we can't get it working on the APs.

How do I test the RADIUS authentication policies are correct?

I recall using a RADCHECK program on Windows many years ago and figured Linux would have something similar. Sure enough, a quick search showed I could install freeradius-utils, which includes radtest and radclient.

I needed to pass a number of RADIUS attributes and values with my test call, and this is how I did it:

$ cat << EOF | radclient -x [radiusserver] auth [supersecretkey]
User-Name = 6894244B56EB
User-Password = 6894244B56EB
NAS-Port-Type = 19
NAS-Port = 0
Calling-Station-Id = 6894244B56EB
Called-Station-Id = [apmac]:SSID
EOF

This sends an authentication request to the RADIUS server using the device's MAC address as both user name and password, and pretends the call came from a NAS-Port-Type of Wireless-802.11 (19). Calling-Station-Id is where a NAS puts the client MAC, and Called-Station-Id carries the AP's MAC with the SSID appended after a colon, so a policy can be keyed on either. Bear in mind that the same request can be replayed by anyone holding the shared secret, and the MAC itself can be cloned by any client on the air, so MAC authentication is a device allow-list rather than authentication of a person. I got the table of values from here: https://www.juniper.net/documentation/en_US/junos/topics/concept/subscriber-management-nas-port-type-overview.html
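As an added example (not from the post), the same test wrapped so it can be repeated for each device: a function that normalises whatever MAC format you were handed to the 12-hex-digit form the server expects, a function that builds the attribute list as a wireless controller would send it for MAC authentication, and a sender that reports success only on an Access-Accept. The server name, shared secret, AP MAC and SSID are placeholders; the server is assumed to be configured, as in the post, to accept the MAC as both User-Name and User-Password.

```shell
#!/bin/sh
# Added example, not from the post. Builds a MAC-authentication request
# the way a wireless controller would and fires it at the server with
# radclient. Assumptions: radius.example.org and the shared secret are
# placeholders; the AP MAC and SSID in the usage line are constructed;
# the server accepts the MAC as both User-Name and User-Password.

# mac_norm MAC -> 12 upper-case hex digits, whatever separators came in
mac_norm() {
  printf '%s' "$1" | tr -d ':.-' | tr 'a-f' 'A-F'
}

# mab_request CLIENT_MAC AP_MAC SSID -> attribute list on stdout
mab_request() {
  mac=$(mac_norm "$1")
  cat <<EOF
User-Name = "$mac"
User-Password = "$mac"
NAS-Port-Type = Wireless-802.11
NAS-Port = 0
Calling-Station-Id = "$mac"
Called-Station-Id = "$(mac_norm "$2"):$3"
Service-Type = Call-Check
EOF
}

# mab_test SERVER SECRET CLIENT_MAC AP_MAC SSID -> 0 only on Access-Accept
# (-x prints the reply, which is where "Access-Accept" or "Access-Reject"
# shows up; a silent server usually means the secret or client IP is wrong)
mab_test() {
  mab_request "$3" "$4" "$5" |
    radclient -x "$1" auth "$2" |
    grep -q 'Access-Accept'
}

if [ $# -eq 3 ]; then
  # usage: script CLIENT_MAC AP_MAC SSID   (values below are placeholders)
  if mab_test radius.example.org supersecretkey "$1" "$2" "$3"; then
    echo "$(mac_norm "$1") accepted on $3"
  else
    echo "$(mac_norm "$1") rejected or no reply" >&2
    exit 1
  fi
fi
```

Service-Type = Call-Check is what most NAS vendors send for MAC authentication, so a policy that keys on it behaves the same in the test as with the real AP. Real controllers often send the MAC as 68-94-24-4B-56-EB in Calling-Station-Id; either match that format in your policy or enable the rewrite_calling_station_id policy that ships with FreeRADIUS 3 so both forms are canonicalised.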

NAS-Port-Type values (Junos statement option, IANA value, description):

Statement option     Value     Description
value                0–65535   Number that indicates either the IANA-assigned value for the RADIUS port type or a custom number-to-port type defined by the user
adsl-cap             12        Asymmetric DSL, carrierless amplitude phase (CAP) modulation
adsl-dmt             13        Asymmetric DSL, discrete multitone (DMT)
async                0         Asynchronous
cable                17        Cable
ethernet             15        Ethernet
fddi                 21        Fiber Distributed Data Interface
g3-fax               10        G.3 Fax
hdlc-clear-channel   7         HDLC Clear Channel
iapp                 25        Inter-Access Point Protocol (IAPP)
idsl                 14        ISDN DSL
isdn-sync            2         ISDN Synchronous
isdn-v110            4         ISDN Async V.110
isdn-v120            3         ISDN Async V.120
piafs                6         Personal Handyphone System (PHS) Internet Access Forum Standard
sdsl                 11        Symmetric DSL
sync                 1         Synchronous
token-ring           20        Token Ring
virtual              5         Virtual
wireless             18        Other wireless
wireless-1x-ev       24        Wireless 1xEV
wireless-cdma2000    22        Wireless code division multiple access (CDMA) 2000
wireless-ieee80211   19        Wireless 802.11
wireless-umts        23        Wireless universal mobile telecommunications system (UMTS)
x25                  8         X.25
x75                  9         X.75
xdsl                 16        DSL of unknown type