October 28

Hardening SSH with OTP for 2 factor authentication

Something I’ve been meaning to do for a while is look into the possibility of using 2 factor authentication, or 2FA, with SSH connections. This would add a much needed level of security to servers I host out in the wild.

Here’s how I did it:

The Google Authenticator mobile app used to be an open source project. It no longer is, but the project has been forked and is looked after by Red Hat under the FreeOTP name. The first step is to install the app, which is available for Android and iOS (a Pebble version is also in the works): https://fedorahosted.org/freeotp/

Google Play: https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp

iTunes: https://itunes.apple.com/us/app/freeotp/id872559395

Next we need to configure PAM, the component on Linux which ties authentication together. It lets us plug modules for various authentication sources into the applications that require authentication; in this case we need a module compatible with FreeOTP to provide authentication for SSH.

We'll be using pam_oath for this; the OATH Toolkit is designed for building one-time-password based systems. http://www.nongnu.org/oath-toolkit/

yum install pam_oath oathtool gen-oath-safe

This gives us the tools needed to link into PAM and to generate the initial keys that are shared between the devices.

Next we need to edit /etc/pam.d/ssh so that it recognises this module, by adding the following line at the top:

auth sufficient pam_oath.so usersfile=/etc/liboath/users.oath window=10 digits=6

Notice that we specify a users file; this is where the details of the users who use OTP are stored. Once this is saved we need to restart sshd:

service sshd restart

or

systemctl restart sshd

So that's SSH configured: from now on, when a user logs into the system via SSH they will be prompted for a one-time password.

Next we need to generate the key that is shared between the target host (SSH) and the client generating the OTP (the Android or iOS app):

gen-oath-safe jon hotp

Replace jon with your username. hotp denotes the type of key to be generated: hotp is a counter-based key and totp a time-based one; the choice is yours.

This command outputs the key in a number of forms: HEX, base32, a QR code and a Yubikey string. The ones we are interested in are the HEX key and the QR code:

[Screenshot: gen-oath-safe output showing the HEX key and QR code]

From the app, select the QR scanning option on the top toolbar:

[Screenshot: FreeOTP]

Scan the generated QR code which will then store the key in the application.

The final step is to add the HEX key to the users file we referenced earlier in the sshd PAM config. Add the following line to /etc/liboath/users.oath (making sure you use your own generated key and username):

HOTP jon -  da50cc2e1ee6726c847c5b960a62751e9bbea3a9

Once that file is saved we can log in via SSH as the specified user. You will now be prompted for a one-time password, which is generated by tapping the entry within FreeOTP.

Note: if SSH keys are set up then these will be preferred over OTP; I'm sure a modification of the PAM config would allow for both, but I haven't spent any more time on this yet.

Category: OTP, SECURITY | Comments are disabled on Hardening SSH with OTP for 2 factor authentication
October 28

SSH Radius Auth ( OTP)

You are now ready to integrate FreeRADIUS with your OpenSSH server via a PAM agent! Good job 🙂

Configure OpenSSH and PAM

The next step is to configure your OpenSSH server to pass the passcode (PIN code + OTP) to the RADIUS server. For this purpose we will use a RADIUS PAM agent.

#1: PAM configuration for the OpenSSH server:

Edit the file /etc/pam.d/sshd with this configuration: comment out the username/password line and add the PAM library. Make sure you have the PAM RADIUS library installed.

#auth required pam_stack.so service=system-auth
auth required /lib/security/pam_radius_auth.so

Specify the RADIUS server (in this case localhost, 127.0.0.1). Create and edit a file called server in /etc/raddb with the RADIUS IP, port and shared secret:

#Server[:port]  shared_secret      timeout (s)
127.0.0.1             Gtz670_$-yxaca0kut   1
#other-server    other-secret       3

#2: OpenSSH server (radiusd daemon) configuration:

Edit /etc/sshd/sshd_config and make sure PAM is enabled and keyboard-interactive authentication is supported:

UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes

Stop and start the OpenSSH server:

[sma]# /etc/init.d/sshd stop
[sma]# /etc/init.d/sshd start

You are now ready to test your SSH login with a software OTP 🙂

[Screenshot: SSH login with OTP authentication]
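To make clear what the shared secret in /etc/raddb/server actually protects, here is the RFC 2865 exchange between a PAM RADIUS client such as pam_radius_auth and the server, worked through in Python. This is an added example, not code from pam_radius_auth or FreeRADIUS; the username, passcode and secret are constructed. The secret is used for two things: hiding the User-Password attribute (the PIN+OTP passcode) and authenticating the server's reply. Both are MD5 constructions keyed only by that secret, which is why it must be long and random, and why the hop between the SSH host and the RADIUS server should be a trusted network (here, localhost).

```python
"""RFC 2865 Access-Request / Access-Accept as exchanged by a PAM RADIUS client.

Added example, not code from pam_radius_auth or FreeRADIUS. Constructed values only.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: regenerate the same key stream (chained on ciphertext), strip NUL padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: str, passcode: str, secret: bytes,
                         req_auth: bytes = b"") -> bytes:
    """Client: Code(1) Identifier Length RequestAuthenticator(16) Attributes."""
    req_auth = req_auth or os.urandom(16)  # must be fresh and unpredictable per request
    attrs = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in [
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(passcode.encode(), secret, req_auth)),
    ])
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2:  # malformed attribute length, stop rather than loop forever
            break
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs


def server_handle(pkt: bytes, secret: bytes, passcodes: Dict[str, str]) -> bytes:
    """Server: recover the passcode, decide, and sign the reply with
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, req_auth, attrs = parse_packet(pkt)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    passcode = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = hmac.compare_digest(passcode, passcodes.get(user, "\x00").encode())
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    head = struct.pack(">BBH", code, ident, 20)  # no attributes in this reply
    return head + hashlib.md5(head + req_auth + secret).digest()


def client_verify(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client: trust the reply only if its Response Authenticator checks out and it is an Accept."""
    head, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth) and resp[0] == ACCESS_ACCEPT


# Constructed sample: the passcode is a PIN (1234) followed by a 6-digit OTP.
SECRET = b"example-shared-secret-change-me"
PASSCODES = {"alice": "1234" + "287082"}


def demo(secret: bytes = SECRET) -> bool:
    """One full round trip with matching secrets on both sides."""
    req = build_access_request(7, "alice", PASSCODES["alice"], secret)
    resp = server_handle(req, secret, PASSCODES)
    return client_verify(resp, req[4:20], secret)


if __name__ == "__main__":
    print("accepted:", demo())
```

A mismatched secret on either side fails closed: the server recovers garbage instead of the passcode and rejects, and the client discards any reply whose Response Authenticator was computed with a different secret.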

…and if you want more security (!)…

Category: OTP, SECURITY | Comments are disabled on SSH Radius Auth ( OTP)
October 24

Site-to-Site VPN with dual ISP for backup/redundancy

I recently came across a scenario where a customer had two internet links, from two different ISPs, terminating on his ASA. If his primary link (ISP2) was unavailable, he wanted the site-to-site VPN to fail over to the backup link (ISP3). This post shows how to configure a firewall with two internet links, using the SLA monitoring feature, to get the required redundancy for the site-to-site VPN.

The site with two ISPs (in this case FW2) is the one that needs the most changes. The basic site-to-site configuration remains the same; only the additional configuration for the backup peer IP 3.3.3.1 is covered in this post.

[Diagram: Backup site-to-site VPN, peering with 2 peer IPs on a single firewall]

On FW1:

2.2.2.1 is the primary peer IP for this VPN; its configuration is already in place and the tunnel is up and working.

1. Create tunnel group for the backup peer IP.

tunnel-group 3.3.3.1 type ipsec-l2l
tunnel-group 3.3.3.1 ipsec-attributes
 ikev1 pre-shared-key cisco

2. Add the backup peer IP to the existing crypto map entry for 2.2.2.1 and make sure the connection-type is set to bi-directional (the default).

crypto map outside_map 10 set peer 2.2.2.1 3.3.3.1
crypto map outside_map 10 set connection-type bi-directional

On FW2:

Interface configuration on the FW2 firewall:

interface GigabitEthernet0
 description Connected to ISP2 - Primary link
 nameif outside
 security-level 0
 ip address 2.2.2.1 255.255.255.0 
!
interface GigabitEthernet1
 description Connected to ISP3 - Backup link
 nameif outside2
 security-level 0
 ip address 3.3.3.1 255.255.255.0

1. Create an SLA monitor that monitors the gateway IP of ISP2 (primary link). Add a default route pointing to the gateway IP of ISP3 (secondary link) with an administrative distance of 254, and track the primary default route using the SLA monitor.

sla monitor 10
 type echo protocol ipIcmpEcho 2.2.2.2 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
!
track 1 rtr 10 reachability
!
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1 track 1
route outside2 0.0.0.0 0.0.0.0 3.3.3.2 254

2. IKEv1 and 'crypto map outside_map' are already enabled and applied on the outside interface. When the ISP2 link goes down, the outside2 interface will terminate the VPN, so the following needs to be done for the VPN to establish. Also check that the connection-type is set to bi-directional (the default).

Enable 'crypto ikev1' and apply 'outside_map' on the outside2 interface:

Existing config:

crypto ikev1 enable outside
crypto map outside_map interface outside
crypto map outside_map 10 set connection-type bi-directional

Additional config:

crypto ikev1 enable outside2
crypto map outside_map interface outside2

3. Create additional NAT statements for the outside2 interface, mirroring your existing NAT.

Existing NAT:

nat (inside,outside) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface

Additional NAT:

nat (inside,outside2) source static 10.2.2.0-24 10.2.2.0-24 destination static 10.1.1.0-24 10.1.1.0-24 no-proxy-arp route-lookup
nat (inside,outside2) after-auto source dynamic any interface

Category: CISCO, VPN | Comments are disabled on Site-to-Site VPN with dual ISP for backup/redundancy
October 13

TWO-FACTOR AUTHENTICATION FOR TERMINAL SERVERS

A competent approach to IT security, in terms of server authorization both inside and outside the company premises, involves a number of important measures: providing unique user names, meeting password complexity requirements, scheduling password changes, and not disclosing credentials to third parties. However, many users quickly forget these policies. For easy reference, they stick a piece of paper with their username and password in a prominent place, such as on their monitor. That is quite convenient for an attacker wishing to gain access to their sensitive data.

[Image: laptop with a password on a Post-it note]

Used products

As an example, let's consider an OTP implementation based on the multiOTP project: open source PHP software which works with the standard algorithms well proven in the multi-factor authentication industry (HOTP, TOTP, OCRA).

To provide the additional input field for the OTP, we will use the MultiOneTimePassword-CredentialProvider.

The user will generate one-time passwords on their mobile device using Google Authenticator.

MultiOTP installation

Download the multiOTP package and place the contents of the Windows folder from the downloaded archive into the root of the system drive: C:\multiotp.

All configuration is done through the command line. Run CMD as an Administrator and change to our directory:

[Screenshot: multiotp command-line help]

The following is the list of commands needed to configure the multiOTP service and sync it with Active Directory:

  1. C:\multiotp>multiotp -config default-request-prefix-pin=0
     Require the PIN code by default when creating new users (1 | 0)
  2. C:\multiotp>multiotp -config default-request-ldap-pwd=0
     Use the Active Directory password instead of the PIN code by default (1 | 0)
  3. C:\multiotp>multiotp -config ldap-server-type=1
     Select the AD/LDAP server type (1 = Active Directory | 2 = standard LDAP)
  4. C:\multiotp>multiotp -config ldap-cn-identifier="sAMAccountName"
     Set the CN user identifier (sAMAccountName, or possibly userPrincipalName)
  5. C:\multiotp>multiotp -config ldap-group-cn-identifier="sAMAccountName"
     Set the group CN identifier (sAMAccountName for Active Directory)
  6. C:\multiotp>multiotp -config ldap-group-attribute="memberOf"
     Set the attribute that determines group membership
  7. C:\multiotp>multiotp -config ldap-ssl=0
     Set whether an SSL connection is used by default (0 | 1)
  8. C:\multiotp>multiotp -config ldap-port=389
     Set the connection port (389 = standard | 636 = SSL connection)
  9. C:\multiotp>multiotp -config ldap-domain-controllers=servilon.com,ldaps://192.168.254.10:389
     Set the Active Directory server(s)
  10. C:\multiotp>multiotp -config ldap-base-dn="DC=SERVILON,DC=COM"
      Specify the domain suffix (base DN)
  11. C:\multiotp>multiotp -config ldap-bind-dn="CN=Administrator,CN=Users,DC=servilon,DC=com"
      Set the account used to connect to AD DS
  12. C:\multiotp>multiotp -config ldap-server-password="P@$$w0rd"
      Set the password used to connect to AD DS
  13. C:\multiotp>multiotp -config ldap-in-group="OTP"
      Set the group whose members must use OTP to access the server
  14. C:\multiotp>multiotp -config ldap-network-timeout=10
      Synchronization timeout, in seconds
  15. C:\multiotp>multiotp -config ldap-time-limit=30
      Set the timeout for the OTP password reset
  16. C:\multiotp>multiotp -config ldap-activated=1
      Enable the AD/LDAP backend of the multiOTP server
  17. C:\multiotp>multiotp -debug -display-log -ldap-users-sync
      Synchronize users with AD/LDAP. This last command must be run each time you add a new user, or be configured as a scheduled task.

If all commands were entered correctly and the AD/LDAP server is reachable, running the last command should result in synchronization and the creation of new users for the multiOTP service:

[Screenshot: multiotp user synchronization output]

Setting up Google Authenticator

Now you need to transfer the user's unique key to the user's device. The most convenient way is a QR code. We need to set up a web server that lets us view and register users: go to the multiotp folder and run webservice_install.cmd. A browser with the multiOTP web administration console should appear. In it we can create a new local user or view the list of existing users, which is very useful:

[Screenshot: multiOTP web console]

But most importantly, the web console helps us register a user on a mobile device. Click "Print" on the chosen user's row and a QR code generated for that user opens in a new tab:

[Screenshot: multiOTP web console, user QR code]

Scan the generated QR code with the help of Google Authenticator. The registration process is complete.

As you can see, everything is quite simple. It is also possible to send the QR code to the user by email so that the user can register themselves. If all goes well, a fresh OTP password will be shown on the mobile device every 30 seconds:

[Screenshot: Google Authenticator showing the OTP code]

Installing MultiOneTime Password Credential Provider

Now we need to tell our Terminal Server to require the additional OTP password on user authentication. To do this, run the previously downloaded MultiOneTimePassword-CredentialProvider installer; we only need to choose the Default Provider installation and the folder containing the multiOTP service:

[Screenshot: Credential Provider installer]

[Screenshot: Credential Provider configuration]

Important! After installing the Credential Provider, users without OTP set up will not be able to access the server. Therefore make sure you set up an OTP password on the Administrator account first.

[Screenshot: Windows login screen with the OTP field]

Results

Our Terminal Server now has an additional layer of security in the form of an OTP password, based on the free multiOTP and Credential Provider solution.

This solution can also be deployed entirely on a user's PC, building a barrier against an attacker trying to log on to an employee's office PC.

Category: TSE, WINDOWS | Comments are disabled on TWO-FACTOR AUTHENTICATION FOR TERMINAL SERVERS
October 13

Mikrotik User Manager as Radius Server

[Image: Mikrotik User Manager]

I continue my posts about hotspot billing systems. I actually wanted to post about DaloRADIUS, but since that still needs more experimentation I am delaying it for a while. So now I'm posting about the Mikrotik User Manager. What is User Manager? It is a RADIUS server application, shipped as a separate package for RouterOS.

Install User Manager

  1. Check whether the user-manager package already exists on the Mikrotik: click System – Packages.
     [Screenshot: Mikrotik package list]
  2. Download the "user-manager" package from www.mikrotik.com/download. Select the package matching the RouterOS version you are using. If your Mikrotik runs an older version, older packages can be downloaded from http://files.shelbybb.com/mikrotik/ or http://204.62.56.64/mikrotik/
  3. Open Winbox, then drag the downloaded user-manager.npk package into the Winbox window. The file is uploaded automatically and appears in the Winbox Files list.
     [Screenshot: installing the Mikrotik User Manager package]
  4. Reboot the router.
  5. Check again in Winbox under System – Packages; the "user-manager" package should now be listed.

Mikrotik Configuration

If all is OK, proceed with the following steps. Open Winbox, click Radius, then click the plus sign (+) to add a server. A dialog box appears. Enter the IP address of the User Manager RADIUS server, the secret (for example: testing123), the port, and tick the hotspot service. Then click OK. Remember: the RADIUS server IP address must be the WAN IP of the Mikrotik router, or you can enter the localhost IP (127.0.0.1).

[Screenshot: Mikrotik RADIUS settings]

Back in the Radius dialog, click Incoming. Tick Accept, set the port to 1700, then click OK.

[Screenshot: Mikrotik RADIUS incoming port]

Then in the Hotspot dialog box, click the Server Profiles tab. Double-click hsprof1; a new dialog box appears. Click the Radius tab, tick Use RADIUS and Accounting, then click OK.

[Screenshot: Mikrotik server profile settings]

Mikrotik User Manager

With the Mikrotik configured, open a browser and go to http://<ip-address-mikrotik>/userman. You will see the User Manager login page; enter the default username admin with a blank password. Let's begin configuring the Mikrotik User Manager.

  • Configure Routers

Click Routers – Add – New. In the router details dialog box, enter the name, IP address, secret and CoA port. See the example picture.

[Screenshot: Mikrotik User Manager, router settings]

  • Configure Customer

For security, change the admin password used to log in to User Manager. Click Customers, then admin, and in the customer details box enter a password and other information.

[Screenshot: Mikrotik User Manager, customer settings]

Create a user in User Manager, then from a client computer's browser log in with the user just created. If the browser is redirected and connects to the internet, the Mikrotik User Manager has been successfully configured as a RADIUS server.

Next, I will explain how to create vouchers in User Manager.

Category: Uncategorized | Comments are disabled on Mikrotik User Manager as Radius Server
October 13

How to test a remote syslog server on Linux

Many sysadmins have surely had to install and configure an rsyslog server at some point: a server where the logs of different services and servers arrive, that is, one that centrally collects the log files of different machines. And why do this? Mainly for security, and to make administration easier.

Now many will be asking: is it necessary to centralise logs for security? The answer is yes. If an attacker manages to compromise a server and the logs are stored on that same server, the attacker can very easily modify those logs as they please, making the task of discovering how the server was compromised much harder. For that reason it is always recommended to send the logs to another server.

Now, after going through the whole installation and configuration process, we open the log files, but sometimes nothing gets logged, and we ask ourselves: where is the problem? On the log server, or on the device that is supposed to send the logs? To resolve this question and get an idea of where the problem lies, we can do a very simple test: just send a short message to the port where rsyslog is listening, using netcat:

nc -w1 -u ip_syslog puerto <<< "Probando servidor syslog.. mensaje enviado desde mi maquina local"

If our rsyslog server is configured correctly, after running the above test the same message should appear when we open the log files:

[Screenshot: the test message in the syslog server's log file]

If the test succeeds, the problem lies in the machine that is supposed to send the logs, and its configuration must be reviewed so that it sends the logs correctly to the remote log server. If, on the other hand, the message does not arrive, you should review the configuration of your log server.
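The netcat one-liner above sends a bare string, which is enough to prove the UDP path is open. The next thing a practitioner wants to confirm is that rsyslog files messages under the facility and severity the sender uses, and for that the test message needs a proper <PRI> header. The following is an added example, not code from the original post: it builds an RFC 3164-style syslog line (PRI = facility * 8 + severity, space-padded day, host and tag), parses such lines back into their fields, and has an equivalent of the nc -w1 -u send. The hostname, tag and timestamp in the sample are constructed.

```python
"""Build, parse and send RFC 3164-style syslog datagrams.

Added example, not code from the original post. Sample values are constructed.
"""
import re
import socket
from datetime import datetime
from typing import Dict, Optional

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message  (the day is space-padded in RFC 3164)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  msg: str, when: Optional[datetime] = None) -> str:
    """PRI = facility * 8 + severity, followed by timestamp, host and tag."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{ts} {hostname} {tag}: {msg}"


def parse_message(line: str) -> Optional[Dict[str, object]]:
    """Decode a framed syslog line; None when it is not one (e.g. the bare nc string)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    return {
        "facility": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITY_NAMES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def send_udp(message: str, host: str, port: int = 514, timeout: float = 1.0) -> int:
    """Equivalent of the post's `nc -w1 -u` one-liner; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        return s.sendto(message.encode(), (host, port))


# Constructed sample: one framed message, plus the bare string from the post.
SAMPLE = build_message("local0", "info", "web01", "syslog-test",
                       "test message from my local machine",
                       when=datetime(2016, 10, 13, 14, 12, 52))
BARE = "Probando servidor syslog.. mensaje enviado desde mi maquina local"

if __name__ == "__main__":
    print(SAMPLE)                # <134>Oct 13 14:12:52 web01 syslog-test: ...
    print(parse_message(SAMPLE))
    print(parse_message(BARE))   # None: no <PRI>, rsyslog applies its default priority
    # send_udp(SAMPLE, "ip_syslog", 514)  # replace ip_syslog with your server's address
```

Sending a local0.info message and then checking which file it lands in tells you whether the rsyslog filter rules match what the remote device actually sends, which is the usual cause once the bare nc test has already succeeded.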

Category: TIPS AND TRICKS | Comments are disabled on How to test a remote syslog server on Linux