
Technology (old posts, page 1)

As I Tinker I Learn, Sometimes I Even Write It Down.

Server set-up Checklist

Configure your Linux server

I often see questions on /r/selfhosted about how to secure a server. Here is a quick checklist of things you might want to look into.

Follow best practices for the basics

Lock down the Server

  • Disable root login via SSH
  • Close all unused incoming ports via UFW/iptables
  • Limit outgoing ports as well as incoming using UFW/iptables
  • Watch for credential stuffing/brute force attacks with Fail2ban

Backup your configs/files

  • Securely encrypted backup via Duplicity
  • External Backup to external drive.
  • Remote backup, either via a regularly swapped out external drive or via the cloud

Set up monitoring services to let you know when something goes wrong

Here are a few extra things you can do to bolster your ssh security

Useful resources


Static Blogging

Now for the obligatory static blog post on any static blog.

This blog is built with Nikola, a Python-based static blog generator.

Why did I choose Nikola?

  1. It's Python based - I like Python, I know Python, and I can hack Python. Jekyll, the most popular static blog generator, is written in Ruby. I found it to be slow and painful to work with, and I couldn't be bothered learning its particulars. Also my desktop and server came with Python, so there was no barrier to entry.
  2. Batteries are included - I looked at the popular Pelican; it's arguably more flexible and powerful than Nikola, but you have to do more initial configuration. I had already been procrastinating on restarting my blog for over a year, so I needed to get started.

Why do people like Static Blogs?

  1. You need to be savvy - Static blogs scratch the tech tinkering itch; if you don't like something, it's simple to change it.
  2. It's simple - Many CMS systems are over-complicated messes, overkill for the typical blog. Do you need to render your blog on the fly for each visitor? PHP is useful, but if you don't need it why use it?
  3. Portable - You render your site as it changes. Have beef with your service provider? Change your DNS and upload with next to no configuration. Done.
  4. It's fast - How fast can a server throw out a few kB of static HTML? Very fast! With WordPress you need to install caching plugins to make your site essentially static, so why not skip the middleman and do it from the start?
  5. You write how you like - Markdown, reStructuredText, MediaWiki markup or even HTML.
  6. It's secure - No database to hack, no PHP to patch.

Why do people hate Static Blogs?

  1. No web based content management system - This is something that tends to be lacking in any static blog. It's static after all! There are many ways to get around this by using something like Netlify CMS. Personally I'm using the Atom text editor and will be going over this in a future post.
  2. You need to be savvy - As a general rule you need to be able to deal with the nuts and bolts of your blog. This is a good and bad thing, depending on your disposition.

TOTP with SSH (Google Auth)

For your ssh you can use google-authenticator-libpam to add time-based one-time codes to your ssh login.

On debian/ubuntu:

    sudo apt update && sudo apt install google-authenticator-libpam

    google-authenticator

    Do you want authentication tokens to be time-based (y/n) y
    [...]
    Do you want me to update your "/home/dugite/.google_authenticator" file? (y/n) y
    [...]

You will see a QR code/secret key that you can scan with a TOTP app such as andOTP, Authy or Google Authenticator (WARNING: Google Authenticator has no backup options). You will also be shown your emergency scratch codes.

In /etc/ssh/sshd_config add:

    # Use Challenge Response Auth i.e. TOTP
    ChallengeResponseAuthentication yes
    # Require both publickey and TOTP
    AuthenticationMethods publickey,keyboard-interactive

In /etc/pam.d/sshd

    # Comment out Standard Un*x authentication.
    # @include common-auth
    # Load the google TOTP Authentication module
    auth required pam_google_authenticator.so

Goodbye Chrome and other things

Google, once the tech enthusiast darling, is looking more and more like Microsoft did in the mid 90's.

Google to restrict modern ad blocking Chrome extensions to enterprise users

Google is first and foremost an ad company so it should come as no surprise that now they are leading the browser market share

All hail the King

Now that Microsoft is switching to Chromium as its browser backend, it's no surprise to see Google moving to limit ad blockers.

Google is eating our mail

Google really got entrenched with the tech enthusiast crowd because Gmail was free, quick and had good spam filtering. Now we are all feeling the consequences of encouraging non-technical people to centralize their email with them. A once open and vibrant standard is increasingly looking like a monoculture, with both Google's and Microsoft's opaque filtering and non-standard blocking making running your own email server almost impossible. Along with the launch of Google's AMP for email we see yet another example of Google pushing through their own interests over the interests of the email ecosystem.

What you can do


Locking your ssh port with fwknop

In my last post I described how I decrypt my home server remotely with ssh. Today I would like to share how I lock/unlock my ssh port with fwknop, an encrypted port knocking implementation.

The issue with port knocking

On the face of it port knocking looks like a good idea: lock down your ssh port until you need it, avoiding any zero-day issues with the ssh protocol. The problem is that the knock sequence is sent in the clear over the network. Anyone watching can see your knock "code", much like a secret door knock: someone around the corner could hear the pattern of your knocks and repeat it.

This is where fwknop comes in. Its SPA (Single Packet Authorization) packets cannot be replayed; each one is valid once only. Not to mention it's faster, as you are only sending the one packet.

The main issue I had with fwknop is that by default you have to specify the source IP address that is allowed to access your server. I found this quite painful to set up, so I found a simple way around the issue.
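The replay point above, as an added example that is not fwknop's code and not its wire format: a stripped-down Python model of what makes a single authorization packet unreplayable. The client builds one payload containing the access request, a timestamp and a random nonce and authenticates it with an HMAC; the server rejects anything with a bad tag, anything outside a short time window, and any packet digest it has already accepted. fwknop additionally encrypts the payload (Rijndael or GPG); this model only authenticates it, and the key, port and timings are constructed values.

```python
import hashlib
import hmac
import json
import os
import time

MAX_SKEW = 120   # seconds: how far a packet's timestamp may differ from server time
# Constructed demo key; fwknop derives its own from HMAC_KEY_BASE64 in access.conf.
HMAC_KEY = b"constructed-demo-hmac-key-not-for-real-use"


def make_spa(hmac_key, access, now=None):
    """Client side: one payload carrying the access request, the current time and
    a random nonce, followed by an HMAC-SHA256 tag over all of it."""
    ts = int(time.time()) if now is None else int(now)
    body = json.dumps({"access": access, "ts": ts, "nonce": os.urandom(8).hex()},
                      sort_keys=True).encode()
    tag = hmac.new(hmac_key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class SpaVerifier:
    """Server side: authenticate first, then reject replays and stale packets."""

    def __init__(self, hmac_key):
        self.hmac_key = hmac_key
        self.seen = {}   # sha256(packet) -> time accepted; the replay cache

    def check(self, packet, now=None):
        now = int(time.time()) if now is None else int(now)
        # Forget cache entries older than twice the skew window: a replay of one of
        # those packets is caught by the staleness check instead, so the cache stays small.
        self.seen = {d: t for d, t in self.seen.items() if now - t <= 2 * MAX_SKEW}
        body, sep, tag = packet.rpartition(b"|")
        if not sep:
            return "malformed"
        expected = hmac.new(self.hmac_key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return "bad-hmac"       # forged or tampered: rejected before any parsing
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self.seen:
            return "replay"         # identical packet already accepted once
        try:
            ts = int(json.loads(body)["ts"])
        except (ValueError, KeyError, TypeError):
            return "malformed"
        if abs(now - ts) > MAX_SKEW:
            return "stale"          # a captured packet stops being useful within MAX_SKEW
        self.seen[digest] = now
        return "ok"


if __name__ == "__main__":
    verifier = SpaVerifier(HMAC_KEY)
    packet = make_spa(HMAC_KEY, "tcp/22")
    print("first delivery:", verifier.check(packet))
    print("same packet again:", verifier.check(packet))
```

The ordering matters for a service that listens on an open UDP port: the HMAC check runs before the payload is parsed, so unauthenticated input never reaches the JSON parser, and only packets that passed every check are added to the replay cache, so an attacker cannot grow it with garbage.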

Note: this only works if you are blocking ports by default. I use UFW to simplify that process; see this Digital Ocean tutorial on the basics of UFW.

Server Side:

On Debian-based systems fwknop is split into fwknop-client and fwknop-server. We will want both of them:

sudo apt install fwknop-server fwknop-client

Next we need to set up the basic config on the server, found in /etc/fwknop/fwknop.conf. Debian and Ubuntu have changed the default interface name from eth0 to predictable names such as enp3s0, so we have to set it to match. We can also change the listening port here.

PCAP_INTF               enp3s0;

# change your port to your desired listening port.
PCAP_FILTER                 udp port 62201;

Now we use fwknop to generate our keys. We could use GPG here, but I didn't feel the extra encryption brings much to the table as we are only opening the ssh port and I have public key authentication and TOTP enabled.

fwknop -A tcp/22 -D example.tld --key-gen --use-hmac --save-rc-stanza

You can now find KEY_BASE64 and HMAC_KEY_BASE64 in ~/.fwknoprc; we will need these for the /etc/fwknop/access.conf file and for the client.

In the /etc/fwknop/access.conf file. Note: I substituted the iptables commands for ufw commands. We don't have to worry about our ssh session being kicked, as once it's connected CMD_CYCLE_CLOSE (at least with ufw) won't close the existing connection.

SOURCE                          ANY

# Limit the Ports able to be opened
OPEN_PORTS                      tcp/22

# Keys from ~/.fwknoprc
KEY_BASE64                      [...]
HMAC_KEY_BASE64                 [...]

# Optionally use iptables
# CMD_CYCLE_OPEN                /sbin/iptables -A INPUT -p $PROTO --dport $PORT -j ACCEPT
# CMD_CYCLE_CLOSE               iptables -D INPUT -p $PROTO --dport $PORT -j ACCEPT

CMD_CYCLE_OPEN                  /usr/sbin/ufw allow $PORT
CMD_CYCLE_CLOSE                 /usr/sbin/ufw delete allow $PORT

# Default cycle time Mandatory for CMD_CYCLE_OPEN/CLOSE
CMD_CYCLE_TIMER                 180

A word of warning: fwknop can run arbitrary commands if ENABLE_CMD_EXEC is enabled. I don't see why you would ever really want that. You can also run any bash script from CMD_CYCLE_OPEN and CMD_CYCLE_CLOSE with the optional variables $PROTO, $PORT and $SRC. You can potentially get yourself into a lot of trouble if you do this, so proceed with caution.

Now we need to set up the systemd unit file /etc/systemd/system/fwknop-server.service. Note: on an Ubuntu install I had to create the folder /var/fwknop/ first.

[Unit]
Description=Firewall Knock Operator Daemon
After=network-online.target

[Service]
Type=forking
PIDFile=/var/fwknop/fwknopd.pid
ExecStart=/usr/sbin/fwknopd
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target

Then we just enable and start the service:

sudo systemctl enable fwknop-server.service && sudo systemctl start fwknop-server.service

Running sudo systemctl status fwknop-server.service should now show the service as Active: active (running). Currently, if you have already allowed port 22 with ufw it will stay open until the first time you cycle fwknop with a client.

Client Side:

You have three options: fwknop-client, fwknop2 on Android ([F-Droid], [Google Play]) or fwknop-gui, available on Windows, Mac and Linux.

In fwknop2 and fwknop-gui:

  • KEY_BASE64 -> Rijndael Key
  • Key Is Base 64 - Checkbox below key entry
  • HMAC_KEY_BASE64 -> HMAC Key
  • HMAC Is Base 64 - Checkbox below key entry
  • Allow IP - This can be anything as we are ignoring this setting
  • Access Ports: tcp/22

The firewall timeout is in seconds and can be anything as long as it's long enough for you to authenticate. Remember, if you have the same set-up as I do, you won't get kicked after the timeout.

And there we go, a nicely locked ssh port. You will now have to send an SPA packet to your server prior to connecting with your ssh client.


Securing My Server With Dropbear SSH

Having a small home server I've always wanted to encrypt my files; however, I have never wanted to be locked out if I'm far away. Enter Dropbear SSH, a small lightweight ssh server already packaged in Debian to work prior to decryption.

Install

sudo apt update && sudo apt install dropbear-initramfs

Note: initramfs will kick up an error after installing dropbear-initramfs. This is solved after adding your public key.

Add your ssh key

# Generate a dedicated key pair for unlocking; the .pub file is what goes on the server.
ssh-keygen -f ~/.ssh/dropbear.id_rsa
# Append the PUBLIC key. A plain "sudo cat ... > /etc/..." fails because the
# redirect is done by the unprivileged shell, so write the file via sudo tee.
cat ~/.ssh/dropbear.id_rsa.pub | sudo tee -a /etc/dropbear-initramfs/authorized_keys

Changing the port

/etc/dropbear-initramfs/config

DROPBEAR_OPTIONS="-p 3000"

A little extra security

You can further secure Dropbear by disabling forwarding and limiting it to executing only the cryptroot-unlock command.

Just add no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" to the authorized_keys file in front of the ssh public key.

It should look something like this:

no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-rsa A AQQQQQJJQQHx[...]
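Because a key that slips into this file without those options gives a pre-boot shell rather than just the unlock prompt, it is worth checking the file after every edit. The following is an added example (not part of the original post, and not Dropbear's or OpenSSH's own parser): a small Python audit that parses each authorized_keys line, handling the options field where commas and spaces may legitimately appear inside a quoted command="...", and reports any key that is missing the three no-*-forwarding options or is not forced to /bin/cryptroot-unlock. The sample file and the key strings in it are constructed, not real keys.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-",
             "sk-ssh-ed25519", "sk-ecdsa-sha2-")
REQUIRED_OPTIONS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}


def _split_first_field(line):
    """Return (first field, rest). Unlike str.split, a space inside a quoted
    option value such as command="/bin/foo bar" does not end the field."""
    buf, in_quote, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote and i + 1 < len(line):
            buf.append(ch); buf.append(line[i + 1]); i += 2   # keep \" intact for now
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return "".join(buf), line[i + 1:].lstrip()
        buf.append(ch)
        i += 1
    return "".join(buf), ""


def _split_options(field):
    """Split the options field on commas that are not inside double quotes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and in_quote and i + 1 < len(field):
            cur.append(ch); cur.append(field[i + 1]); i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            opts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        opts.append("".join(cur))
    return opts


def parse_line(line):
    """Parse one authorized_keys line; None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = _split_first_field(line)
    if first.startswith(KEY_TYPES):
        options, remainder = [], line        # no options field on this line
    else:
        options, remainder = _split_options(first), rest
    parts = remainder.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        raise ValueError("unparseable authorized_keys line: %r" % line)
    command = None
    for opt in options:
        if opt.lower().startswith("command="):
            value = opt[len("command="):]
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            command = value.replace('\\"', '"')
    return {"options": options, "command": command, "type": parts[0],
            "key": parts[1], "comment": parts[2] if len(parts) == 3 else ""}


def audit_authorized_keys(text, expected_command="/bin/cryptroot-unlock"):
    """Return [(line_no, label, [problems])] for every key that is not locked
    down to the forced command with all forwarding disabled."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        names = {o.split("=", 1)[0].lower() for o in entry["options"]}
        problems = ["missing %s" % r for r in sorted(REQUIRED_OPTIONS - names)]
        if entry["command"] is None:
            problems.append("no forced command")
        elif entry["command"] != expected_command:
            problems.append("unexpected command %r" % entry["command"])
        if problems:
            label = entry["comment"] or entry["key"][:16] + "..."
            findings.append((line_no, label, problems))
    return findings


# Constructed sample file: one correct entry, one bare key, one with the wrong command.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real authorized_keys file
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEYTWO old-desktop
no-port-forwarding,no-agent-forwarding,command="/bin/bash" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTHREE phone
"""

if __name__ == "__main__":
    for line_no, label, problems in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("line %d (%s): %s" % (line_no, label, "; ".join(problems)))
```

Run it against /etc/dropbear-initramfs/authorized_keys before update-initramfs so that an unrestricted key never makes it into the initramfs image; the option names are compared case-insensitively, matching how the ssh servers treat them.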

Finishing up

sudo update-initramfs -u

See the dropbear manpage for further details.


Better SSH Management with Keepass and Putty

Out of the box KeePass recognizes the URI scheme ssh:// and will open it with PuTTY. However it is limited: you can't change the port from the default 22, nor can you save a convenient list of port forwards. Thankfully this is something you can change.

Things you will need:

  1. Keepass
  2. Putty
  3. Keeagent

Alternatively you can do an easy install with the Windows package manager Chocolatey:

choco install putty.install keepass.install keepass-plugin-keeagent -y

URL overrides

We will now define a new ssh:// override globally in KeePass. It is also possible to do so per entry, for portability, but I do not use this feature as I run Linux at home and use a separate override on that system.

  1. Tools -> Options
  2. Integration tab
  3. URL Overrides
     1. Click the Add button
     2. Enter ssh in the Scheme field
     3. Enter the following in the URL Override field: cmd://putty {T-REPLACE-RX:/{S:Forwards}/\{S:Forwards\}/ /} -P {T-REPLACE-RX:/{BASE:PORT}/-1/22 /} {BASE:HOST} -l {USERNAME}
        Note: add -pw {PASSWORD} to the end if you wish to submit your password automatically. Just be aware this could be considered slightly insecure, as the password is then passed on the command line.

The Keepass entry

  1. Create an entry as you normally would, adding the ssh:// URL. Note: to add a port just use ssh://example.tld:222
  2. If you need port forwards, add them under the Advanced tab as a String Field named Forwards, in the following format: -L 6080:127.0.0.1:6080 -L 444:10.1.1.1:444

Now when you open the url you will have your putty session with port changes and port forwards.

Breaking it down

  1. cmd://putty

    Opens putty via a shell command

  2. {T-REPLACE-RX:/{S:Forwards}/\{S:Forwards\}/ /}

    If the string field Forwards doesn't exist delete the string {S:Forwards}

  3. -P {T-REPLACE-RX:/{BASE:PORT}/-1/22 /}

    The {BASE:PORT} placeholder returns -1 if a port is not defined. If this happens we replace it with the default ssh port 22.

  4. {BASE:HOST}

    The Hostname/IP address part of the URL

  5. -l {USERNAME} -pw {PASSWORD}

    Login with the username and (optionally) password of the entry


Are Email Clients Insecure?

@bryanleeward asked on the thunderbird discourse:

PLEASE HELP… this affects many Thunderbird & gmail users:

Every few months I get “Security” alerts from Google re my gmail Security Settings, saying: “Turn off less secure access.” IF I do that, then I can’t boot Thunderbird! I’ve had same problem with Thunderbird-gmail using Debian, Trisquel, and Ubuntu.

Yet ironically, when I receive these Google alerts, Thunderbird also gives me a warning - “To protect your privacy, Thunderbird has blocked remote content in this message.”

I.e. to get Thunderbird and gmail to work together, I have to disregard BOTH your security alerts! WHY?.. but more importantly:

  1. Is there a way to keep max Google Security Settings AND still use Thunderbird?
  2. Is Thunderbird really less secure, even with other email systems?

Thanks for any help, Bryan

Google considers all 3rd party access to email (i.e. Thunderbird, Outlook etc.) to be less secure than the web interface. This is both correct and incorrect depending on your situation. Google's max security disables 3rd party access to your emails; this allows them to block bad IPs, use two factor auth and use browser fingerprinting to detect illegitimate access.

Thunderbird is not insecure at all. Google just wants the majority of users to go through a more limited access method.

I don't ever see such emails because I enabled two factor auth and use an app password with a limited scope to the Mail app. Consider going this route if it concerns you.

Thunderbird blocks remote content, i.e. it stops images and other files from being loaded from the internet when viewing an email. As email is mostly HTML, automatically loading images from the web is not a great idea security-wise. Initially this will be a pain point, but you eventually build up a whitelist of legitimate remote content, nice and secure.

I recommend using the allow from domain names rather than sender address as that’s harder to spoof than an email address:


Customizing the Nextcloud Mail App

As the mail app developers don't want to add a horizontal reading pane to the app, I have been using the Custom CSS app in order to do so. I also wrote a quick user script to automatically expand all my folders, as that isn't an option in the mail app.

Jump to the Auto Expand script

Horizontal reading pane in mail app

Note: Tested in Firefox and Nextcloud 15

Usage:

  1. Know what you are doing.
  2. Install the custom css app.
  3. Navigate to Admin -> Theming.
  4. Paste the contents of this CSS file into the custom CSS text area.
  5. Save.

Currently I have:

  • The basic Horizontal layout
  • Added a resize to the message list so you can drag it up and down for simpler management of mail
  • Added a yellow highlight to the "The images have been blocked to protect your privacy" notification
  • Added the color #ebebeb as the message header background to better separate panes
  • Added a thick border color #ebebeb to the top of the reply field to better separate it from the current message
  • Shrunk the load more messages scroll down area
  • Realigned the empty messages background
  • Changed subfolder background color from gradient to solid
  • Added indicator line to subfolder Parent
  • Added indicator line and Bold text to open Parent Folder

Auto Expand mail folders using GreaseMonkey

Requirements:

  1. The Latest Firefox
  2. Greasemonkey 4.3 or greater

Open the Greasemonkey dashboard and click the + sign to add a new script.

Paste the following code, changing yourdomain.tld to your domain:

// ==UserScript==
// @name        Nextcloud Mail Expand folders
// @namespace   https://yourdomain.tld/
// @include     https://yourdomain.tld/apps/mail/*
// @require     https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js
// @require     https://gist.github.com/raw/2625891/waitForKeyElements.js
// @version     1
// @grant       NEXTCLOUDMAIL
// ==/UserScript==

/* Paste Here */

// A @grant value other than "none" keeps the script in Greasemonkey's sandbox,
// so the @require'd jQuery is handed to this script and the page's own $ is left alone.
this.$ = this.jQuery = jQuery.noConflict(true);

console.log('[ NMEF ] - Waiting');
// Run expandALL once the account navigation has been rendered.
waitForKeyElements(".navigation-account", expandALL, true);

function expandALL() {
  console.log('[ NMEF ] - Expand ALL Folders');
  $('.account-toggle-collapse').trigger("click");
  console.log('[ NMEF ] - Expand individual Folders');
  $('.with-counter.collapsible > button').trigger('hover').trigger("click");
  $('.with-counter.collapsible.ui-droppable > button').trigger('hover').trigger("click");
}

Note: this loads the remote content jquery and waitForKeyElements.js. If you wish to have them bundled locally, open the // @require links and paste their contents at the /* Paste Here */ line. Then just delete the lines:

// @require     https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js
// @require     https://gist.github.com/raw/2625891/waitForKeyElements.js

Have I Been Pwned Check

It's 2019 and information security is a hot topic these days. Old stuffy bosses everywhere are asking about the company's security exposure; really they should be asking about their own. Hackers often target the older management types because they lack the knowledge to care about, or secure, their own passwords properly.

I created this simple Python script to sit in cron, check a list of the company's email addresses and then issue a nicely formatted email.

Mako

For the emails I used smtplib and most importantly I generated the HTML using the Mako template engine.

Mako is fantastic. I was first exposed to it when fiddling around with the Nikola blogging engine (this blog is built with Nikola). After figuring out the ins and outs of Mako you can string together a fairly robust template. I also use it with my signature generator.

Python Boilerplate

Long ago I discovered that in my little projects I was often repeating what I did, over and over again. Building a sensible boilerplate has been the best thing I have done so far.

The script is available on github for free under the MIT License