bubbl
Posts: 85
Joined: Sun Jul 14, 2013 9:15 pm
Location: United Kingdom
Contact: Website

Security Paranoia – Google Authenticator For SSH

Thu Nov 28, 2013 12:43 pm

If you want to secure your Linux machine from attacks you should change the default port number for services such as SSH, FTP or your web server. While this is a good practice if you’re extremely paranoid, there still have to be other ways of doing this. Indeed, there are. There is one in particular I’m really fond of, though this method is not suitable for everyone and every situation, and you should really consider all the pros and cons of using this method. We’re talking about securing SSH access with Google Authenticator and creating a two-factor authentication method for your machine.

Before we begin

There seems to be real ado about this method of authentication nowadays. More and more services, including GitHub, Evernote and others, are incorporating 2FA into their services. This is understandable, especially for companies keeping critical personal data (kind of ironic in the NSA era, to be honest…). But what benefits would you gain from incorporating 2FA into your personal space, and should you actually use it?
First of all, what is two-factor authentication? Sometimes shortened to 2FA, it gives you an extra layer of security that requires not only your password and username to access a service, but also a piece of information only you should know and have access to, such as a physical token. While in theory it could even be a security question, it wouldn’t be that secure since that kind of information is already available on the Internet thanks to Facebook and co. Using a username and password combined with a 2FA token makes it harder for potential intruders to gain access and steal your personal data or identity. Google Authenticator is a good example of 2FA, but there are also other methods such as a fob or a USB key.

Read more at my blog: http://www.bartbania.com/index.php/secu ... r-for-ssh/
We're not here because we are free. We're here because we are not free. There is no escaping reason. No denying purpose. Because we both know without purpose, we would not exist.
http://www.bartbania.com/
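What the Google Authenticator app and the PAM module actually compute, as an added example that is not part of bubbl's post or the linked blog: TOTP per RFC 6238 (HMAC-SHA1 over a 30 second counter, 6 digits, RFC 4226 truncation), plus the server-side checks that matter when it guards SSH: a small clock-skew window, no reuse of a time step that already authenticated, and emergency (scratch) codes that work without the phone but are burned on first use. The secret is the RFC 6238 test vector; the scratch code and the `Verifier` class are constructed for this example and mirror the module's behaviour rather than being its code.

```python
"""TOTP as used by Google Authenticator (RFC 6238 over RFC 4226 HOTP), with the
server-side checks a PAM verifier needs: skew window, no step reuse, single-use
scratch codes. Added example; not the pam_google_authenticator code."""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # Google Authenticator time step
DIGITS = 6          # code length shown in the app


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter), dynamic truncation, decimal code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None) -> str:
    """The code the app would display at Unix time `at` (now if omitted)."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // STEP_SECONDS))


class Verifier:
    """Constructed server side: one shared secret, a list of scratch codes."""

    def __init__(self, secret_b32: str, scratch_codes=(), window: int = 1):
        self.secret = secret_b32
        self.window = window                 # accept +/- this many steps of clock drift
        self.scratch = set(scratch_codes)    # emergency codes, each valid exactly once
        self.last_step = -1                  # highest time step already used to log in

    def verify(self, code: str, at=None) -> bool:
        now = time.time() if at is None else at
        step = int(now // STEP_SECONDS)
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_step:
                continue                     # a step that already authenticated cannot be replayed
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        if code in self.scratch:             # scratch code: bypasses the phone, burned on use
            self.scratch.discard(code)
            return True
        return False


# RFC 6238 test secret (ASCII "12345678901234567890" in base32); the scratch code is made up.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SCRATCH = ("13572468",)
```

Two things fall out of the verifier that the thread argues about later: a replayed code fails even inside the skew window, so someone shoulder-surfing one code gets nothing; and a scratch code is a full bypass of the phone, which is why it has to be protected at least as well as the phone or simply destroyed.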

gstreeter
Posts: 106
Joined: Sun Sep 02, 2012 11:11 am
Location: UK

Re: Security Paranoia – Google Authenticator For SSH

Thu Nov 28, 2013 4:44 pm

Make sure you register or set up a second device for 2FA in case your primary gets stolen, breaks etc. Otherwise, if it's an external service and you haven't got any backup such as emergency reset codes, that'll be the end for your account :o

For SSH I use public key certificate authentication and disable password authentication to avoid the password-guess-bots.

salts
Posts: 13
Joined: Fri Nov 15, 2013 2:38 pm

Re: Security Paranoia – Google Authenticator For SSH

Thu Nov 28, 2013 11:04 pm

For SSH always disable root access; if you need root you can then sudo once logged in. Also delay login after a bad password; 30 seconds is enough to get the script kiddies to move on.

Then fail2ban is excellent and means you don't have to rely on third party services.

Always read the log files, which will show you how many attacks you are getting and whether they are human or automated. Automated attacks normally move on when a delay kicks in or fail2ban blocks them; humans tend to adapt and learn how many failed logins f2b allows before blocking and how long before it drops the attack IP address from the ban tables. But read the logs; it stops you getting a false sense of security.

bubbl
Posts: 85
Joined: Sun Jul 14, 2013 9:15 pm
Location: United Kingdom
Contact: Website

Re: Security Paranoia – Google Authenticator For SSH

Thu Nov 28, 2013 11:22 pm

That is all good advice, yet 99% of RPi users don't even know such things exist. They'd rather plug'n'play, thinking Linux is like Windows.
We're not here because we are free. We're here because we are not free. There is no escaping reason. No denying purpose. Because we both know without purpose, we would not exist.
http://www.bartbania.com/

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Security Paranoia – Google Authenticator For SSH

Fri Nov 29, 2013 1:05 am

bubbl wrote:Those are all good advices, yet, 99% of RPi users don't even know of their existence. They'd rather plug'n'play thinking Linux is like Windows.
Again, let's be realistic here.

Linux IS better than Windows, security-wise. It's NOT perfect, but it IS better than Windows.

That said, Windows is used by billions of people world-wide and works well enough for most people.

Therefore, it can be deduced that Linux is at least as workable as Windows, so there's not really a problem with
thinking Linux is like Windows.
Now, what were we talking about here?
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

salts
Posts: 13
Joined: Fri Nov 15, 2013 2:38 pm

Re: Security Paranoia – Google Authenticator For SSH

Fri Nov 29, 2013 3:06 am

Joe Schmoe wrote:That said, Windows is used by billions of people world-wide and works well enough for most people.
Well, at least a billion :-) Exploit-wise, Linux and Windows always seem pretty close; it's those billion desktops that make Windows more worthwhile to attack. In the data centre both are well locked down.

To be fair to the OP, they are pointing out that people new to RPi and Linux in general, coming from a Windows environment, tend to expect firewall, AV etc. to be on by default, and as RPi attracts new users they need to be advised this is not true.

I agree Linux is better security-wise than Windows, but you do need to know that it's up to you to ensure it is secure. I also believe that Linux is better than Windows, full stop. However, we won't open that tin of worms.

jojopi
Posts: 3567
Joined: Tue Oct 11, 2011 8:38 pm

Re: Security Paranoia – Google Authenticator For SSH

Fri Nov 29, 2013 8:58 am

bubbl wrote:If you want to secure your Linux machine from attacks you should change the default port number for services such as SSH, FTP or your web server.
That depends on your definition of "attacks". If you mean the background noise of scripts that randomly scan the entire internet looking for the softest targets, then yes, changing ports will reduce your visibility enormously. But if someone has targeted you or your network specifically, then running on non-default ports will hardly slow them down at all. It cannot really be called "securing".
bubbl wrote:There is one in particular I’m really fond of, though this method is not suitable for everyone and every situation, and you should really consider all the pros and cons of using this method.
It would have been good to discuss the pros and cons a little, especially compared to SSH keys, which are the mainstream secure authentication method. Keys already provide two-factor authentication, if implemented correctly. You have the private key file which is stored on a single physical machine, and the passphrase which is needed to decrypt it. The main risk is that, if you allow access to users other than yourself, the server cannot know whether their passphrases are good, their hosts secure, and their key files handled correctly.

Your procedure does not disable key authentication, anyway.
user@machine /usr/local/src $ sudo tar -xf gauth.tar.bz2
You should not sudo a "tar x"! That allows tar to apply the ownership and permissions from inside the archive, which is inappropriate when it was made on a foreign machine. In this case, it means the directory is owned by root, and you have to sudo a slew of later commands that you should not have needed to. It would also have allowed the creation of device files and setuid binaries, if that is what the archive said.

If you really want to use /usr/local/src (there is no particular reason to do so) then add yourself to group "staff", or set the permissions you want.

This, and your other rather heated thread, suggests that your attitude to security is unusual. You appear to be particularly concerned by remote attacks and esoteric defences for services that most people will not even have open to the internet, but neglect well-understood local security principles.

The standard install state of most Linux distributions is fine for security, with the sole exception of the default password in most pre-installed Pi images. A user is far more likely to introduce security issues by enabling additional services with incorrect local practices, or by blindly following instructions to install third-party software, than they are to improve matters.

What is wrong with "sudo apt-get install libpam-google-authenticator", anyway?
NOTICE: Do not neglect the emergency codes! Save them right away in an encrypted file, print them out and keep them in your wallet, tattoo them onto your pupil, they will save your life once you don’t have access to your smartphone.
Remember that the emergency codes bypass the need to have your smartphone. Whilst you cannot store them with your phone, you must protect them at least as well. You probably will not notice losing them as soon as you would your phone. Tattooing them where others can see is definitely not acceptable. And you should write them down, rather than print them and risk leaving copies in your print spool and the printer's memory.

Actually, I think most people will be better to destroy the scratch codes. You can always regain control next time you have physical access to the Pi.
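jojopi's warning about `sudo tar -x` (extraction as root honours whatever ownership, setuid bits, device nodes and paths the archive's author wrote into it) is something you can check before extracting. The following is an added example, not from the thread and not derived from the gauth archive it mentions: it builds a constructed archive containing exactly those member kinds and audits it with Python's tarfile module. The member names and the `audit` function are assumptions made for this example.

```python
"""Audit a tar archive for members that are only harmless if NOT extracted as root.
Added example with a constructed archive; nothing here comes from gauth.tar.bz2."""
import io
import stat
import tarfile


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus the member kinds a foreign archive
    could carry. Built in memory so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b"", mode=0o644, uid=1000, gid=1000,
                ttype=tarfile.REGTYPE, linkname=""):
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.uid, info.gid = ttype, mode, uid, gid
            info.linkname, info.size = linkname, len(data)
            tar.addfile(info, io.BytesIO(data) if ttype == tarfile.REGTYPE else None)

        add("gauth/README", b"build instructions\n")
        add("gauth/helper", b"#!/bin/sh\n", mode=0o4755, uid=0, gid=0)     # setuid root binary
        add("gauth/sda", ttype=tarfile.BLKTYPE, mode=0o660, uid=0, gid=0)  # block device node
        add("gauth/passwd", ttype=tarfile.SYMTYPE, linkname="/etc/passwd")  # symlink out of tree
        add("../.ssh/authorized_keys", b"ssh-rsa AAAA...\n")              # path traversal
    return buf.getvalue()


def audit(data: bytes) -> list:
    """Return (member name, reason) for every member that needs root to do harm."""
    findings = []
    dangerous_bits = stat.S_ISUID | stat.S_ISGID
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar:
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append((m.name, "path escapes the extraction directory"))
            if m.isdev():
                findings.append((m.name, "device node"))
            if m.mode & dangerous_bits:
                findings.append((m.name, "setuid/setgid bit"))
            if (m.issym() or m.islnk()) and (
                m.linkname.startswith("/") or ".." in m.linkname.split("/")
            ):
                findings.append((m.name, f"link points outside: {m.linkname}"))
            if m.uid == 0 or m.gid == 0:
                findings.append((m.name, "owned by root: applied only when extracted as root"))
    return findings


def flagged_names(data: bytes) -> list:
    return sorted({name for name, _ in audit(data)})
```

Extracting as an ordinary user sidesteps most of this on its own: GNU tar applies --no-same-owner and --no-same-permissions by default when not running as root, so the archive's uid 0 and setuid bits are never applied, and the device node simply fails. Python 3.12 (and the security backports to 3.8 and later) adds `extractall(filter="data")`, which refuses the escaping paths, device nodes and setuid bits that this audit flags.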

bradvoy
Posts: 8
Joined: Sat Nov 30, 2013 7:50 pm

Re: Security Paranoia – Google Authenticator For SSH

Sat Nov 30, 2013 8:07 pm

I was not aware of fail2ban until it was mentioned earlier in this thread. I read about it, and it sounded like a good tool, so I installed and configured it. It's working, but not quite the way I had expected.

When not at home I access my Raspberry Pi via my Internet-facing router which has a port forwarding rule that allows me to access the Pi. The entries in auth.log, which is used by fail2ban, show the IP address of the router rather than the IP address of the system the ssh session originates from. The result is that if there are too many failed logins from a system on the Internet, fail2ban bans the router, which effectively bans the entire Internet, instead of banning just the IP address that the failed logins originated from. Is there a way to configure things that will avoid this problem?

DougieLawson
Posts: 41900
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Security Paranoia – Google Authenticator For SSH

Sun Dec 01, 2013 12:39 am

In fail2ban you can configure known good addresses.

My home LAN runs as 10.1.1.0/24
So /etc/fail2ban/jail.conf has

ignoreip = 127.0.0.1/8 10.1.1.0/24
Languages using left-hand whitespace for syntax are ridiculous

DMs sent on Twitter/LinkedIn will be answered next month.
Fake doctors - are all on my foes list.

The use of crystal balls and mind reading is prohibited.

salts
Posts: 13
Joined: Fri Nov 15, 2013 2:38 pm

Re: Security Paranoia – Google Authenticator For SSH

Sun Dec 01, 2013 5:20 am

Hi,

It's a bit late so if I am off track, just point me in the right direction.

I agree that the local network(s) can be excluded from being banned, but if all forwarded traffic from the router is being presented as a local network then would this not result in nothing ever getting banned?

Can you post a few lines from the auth.log, showing what is coming through from port forward?

bradvoy
Posts: 8
Joined: Sat Nov 30, 2013 7:50 pm

Re: Security Paranoia – Google Authenticator For SSH

Sun Dec 01, 2013 3:25 pm

I understand how to configure fail2ban to ignore known good addresses, such as the other machines on my home network. But that doesn't help with the problem I described, which is that all connections originating from the Internet are logged with the internal IP address of my router. Here are a couple of sample lines from /var/log/auth.log:
Dec 1 15:18:46 pi1 sshd[11713]: Accepted password for pi from 192.168.1.1 port 52672 ssh2
Dec 1 15:18:46 pi1 sshd[11713]: pam_unix(sshd:session): session opened for user pi by (uid=0)
This connection came from a host on the Internet. 192.168.1.1 is the internal address of my router. If I add 192.168.1.1 to the whitelist then I would be whitelisting the entire Internet, which defeats the purpose of using fail2ban.
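The mechanism bradvoy is running into, as an added example that is not part of his post or of fail2ban itself: a sliding-window counter over sshd "Failed password" lines, banning a source after maxretry failures within findtime, with DougieLawson's ignoreip whitelist. The log lines are constructed (the accepted-login line copies the format bradvoy posted); the `Jail` class is an assumption that reproduces fail2ban's sshd jail logic, not its code. Run over the same traffic seen directly and seen through a router that rewrites the source to 192.168.1.1, it shows why the NAT case either bans everyone or, with the router whitelisted, bans nobody.

```python
"""fail2ban-style ban logic over constructed auth.log lines, including the NAT case.
Added example; the Jail class mirrors fail2ban's sshd jail, it is not fail2ban code."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd failure line as it appears in /var/log/auth.log (syslog timestamp, no year).
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2013) -> datetime:
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


class Jail:
    """maxretry failures from one IP within findtime seconds => ban that IP for bantime."""

    def __init__(self, maxretry=3, findtime=600, bantime=600, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.bans = {}                      # ip -> ban expiry

    def is_ignored(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line: str):
        """Process one log line; return the IP if this line triggered a ban."""
        m = FAIL_RE.match(line)
        if not m:
            return None                     # accepted logins and other noise are not counted
        ip, now = m["ip"], parse_ts(m["ts"])
        if self.is_ignored(ip) or ip in self.bans:
            return None
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.findtime:
            recent.popleft()                # drop failures outside the sliding window
        if len(recent) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            recent.clear()
            return ip
        return None

    def run(self, log: str) -> list:
        return [ip for ip in map(self.feed, log.splitlines()) if ip]


# Constructed sample: a scanner guessing passwords, then the owner logging in.
DIRECT_LOG = """\
Dec  1 15:10:01 pi1 sshd[11690]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Dec  1 15:10:03 pi1 sshd[11691]: Failed password for root from 203.0.113.7 port 40002 ssh2
Dec  1 15:10:05 pi1 sshd[11692]: Failed password for pi from 203.0.113.7 port 40003 ssh2
Dec  1 15:10:07 pi1 sshd[11693]: Failed password for pi from 203.0.113.7 port 40004 ssh2
Dec  1 15:18:46 pi1 sshd[11713]: Accepted password for pi from 198.51.100.20 port 52672 ssh2
"""

# The same traffic as logged behind a router that rewrites every source to its LAN address.
NAT_LOG = DIRECT_LOG.replace("203.0.113.7", "192.168.1.1").replace("198.51.100.20", "192.168.1.1")


def bans_direct() -> list:
    return Jail().run(DIRECT_LOG)           # the scanner, and only the scanner


def bans_behind_nat() -> list:
    return Jail().run(NAT_LOG)              # bans 192.168.1.1, i.e. every remote client


def bans_behind_nat_with_ignoreip() -> list:
    return Jail(ignoreip=("127.0.0.1/8", "192.168.1.0/24")).run(NAT_LOG)  # nothing is ever banned
```

The fix has to happen where the real source address is still visible: on the router, or by turning off whatever is rewriting the source. Nothing the Pi can do with these log lines recovers it.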

salts
Posts: 13
Joined: Fri Nov 15, 2013 2:38 pm

Re: Security Paranoia – Google Authenticator For SSH

Sun Dec 01, 2013 3:49 pm

I was of the same opinion that in your situation you would be white listing the internet and thus making fail2ban pointless.

I obviously was not thinking last night when I asked for lines from the auth.log, as I would have advised you to redact the user name (sorry). Can you change your login name? You should anyway; with 2 million+ RPis out there I would expect the automated scripts to have pi as a user name to try.

Just as a sanity check, how are you coming in remotely? If you are using a dynamic DNS service and trying from home, routers will/should loop back, so although it looks like you are logging in with your.domain.name you will actually be looped back from the router as 192.168.1.1.

jojopi
Posts: 3567
Joined: Tue Oct 11, 2011 8:38 pm

Re: Security Paranoia – Google Authenticator For SSH

Sun Dec 01, 2013 4:48 pm

bradvoy wrote:This connection came from a host on the Internet. 192.168.1.1 is the internal address of my router.
That is an unusual feature, and I would hope your router has the facility to turn it off. On the outside interface, a NAT router has to use its external IP for all packets, or there is no way for the replies to come back. On the inside, the router is normally the default gateway for its clients, so it can use the real external IPs, and will still see the packets on the way back out.

I would not worry about missing fail2ban, however; it is basically useless. If you do not have weak or leaked passwords, then you do not need it. If you do have weak or leaked passwords, there is no guarantee it will block all of the attacker's IPs before they succeed in logging in. (What a bank would do is to block the accounts whose passwords are being guessed, rather than hoping to recognise the guesser's IPs. That actually provides some security, but it is also a massive denial of service vector.)

If you want security, disable password authentication. If you just want to stop the logs filling up with noise from scripts that were not getting in anyway, changing to a non-standard port will be more effective than reactive ban scripts.
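The advice that recurs across gstreeter's, salts' and jojopi's posts (no root login, no password authentication, keys as the baseline, and, if you do add Google Authenticator, make it key AND code rather than either) reduces to a handful of sshd_config lines. The following added example, not from the thread, checks a config for them with sshd's own parsing rules: keywords are case-insensitive, the first occurrence of a keyword wins, and anything after a Match line is conditional and not a global value. Both configs are constructed; `AuthenticationMethods publickey,keyboard-interactive` (OpenSSH 6.2 and later) is what requires both factors; the pam_google_authenticator prompt itself arrives through keyboard-interactive, hence ChallengeResponseAuthentication yes.

```python
"""Audit an sshd_config against the thread's advice. Added example with constructed configs."""
import re

# Assumed sshd semantics: case-insensitive keywords, "Key value" or "Key=value",
# first occurrence wins, everything after a Match line is conditional.
DIRECTIVE_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> dict:
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)   # first occurrence wins, later ones are ignored
    return settings


WANT = {
    "permitrootlogin": "no",                  # salts: sudo after logging in as a normal user
    "passwordauthentication": "no",           # gstreeter/jojopi: keys, not guessable passwords
    "pubkeyauthentication": "yes",
}
TOTP_WANT = {
    "challengeresponseauthentication": "yes",  # the PAM prompt comes via keyboard-interactive
    "usepam": "yes",
    "authenticationmethods": "publickey,keyboard-interactive",  # key AND code, not either
}


def audit(text: str, with_totp: bool = False) -> list:
    """Return (keyword, actual, wanted) for each setting that differs from the target."""
    settings = parse_sshd_config(text)
    wanted = dict(WANT, **TOTP_WANT) if with_totp else WANT
    return [(k, settings.get(k, "<unset>"), v) for k, v in wanted.items()
            if settings.get(k, "").lower() != v]


# Constructed: roughly what a stock install looks like (root and passwords allowed).
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePAM yes
"""

# Constructed: the thread's advice applied, with two gotchas that the parser must handle.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
# a later duplicate does not override the first occurrence above
PasswordAuthentication yes
# conditional block: applies only to LAN clients, never read as the global value
Match Address 10.1.1.0/24
    PasswordAuthentication yes
"""
```

Two caveats a practitioner wants: the PAM side still needs the `auth required pam_google_authenticator.so` line in /etc/pam.d/sshd, which this audit does not see; and newer OpenSSH releases spell the prompt option KbdInteractiveAuthentication, keeping ChallengeResponseAuthentication as an alias, so a real audit should accept either name.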

bradvoy
Posts: 8
Joined: Sat Nov 30, 2013 7:50 pm

Re: Security Paranoia – Google Authenticator For SSH

Sun Dec 01, 2013 4:58 pm

I am not using a dynamic dns service; I'm just connecting via the IP address, i.e. ssh pi@123.123.123.123. The router is running DD-WRT with a pretty standard configuration; just a simple port-forwarding rule.

I am going to do some of the other things that jojopi suggested, and I may remove fail2ban. I'm just surprised that I can't make it work in a useful way in what I would think is a pretty common configuration.

salts
Posts: 13
Joined: Fri Nov 15, 2013 2:38 pm

Re: Security Paranoia – Google Authenticator For SSH

Sun Dec 01, 2013 6:57 pm

I agree with jojopi that that is a strange feature of your router, though I disagree with fail2ban being useless; the more layers in your security the better IMHO, but each to their own.

Joe Schmoe
Posts: 4277
Joined: Sun Jan 15, 2012 1:11 pm

Re: Security Paranoia – Google Authenticator For SSH

Sun Dec 01, 2013 8:42 pm

salts wrote:the more layers in your security the better
This is a common misconception (so don't feel bad). There was a paper published a few years back that showed that security-paranoia is basically a net loss productivity-wise. People end up wasting a lot more time dealing with security nonsense than they would if they'd just suffer an occasional break.

It's the old "millions for defense, not a penny for tribute" sort of thing. Other valid analogies include:

1) 9/11, where it was calculated that with the amount of money and treasure we (the US) squandered on the airport security dance and the (idiotic) wars in the middle east, we'd have been better off just enduring another 9/11 every 10 or 15 years.

2) The idiocy of private gun ownership, where you're 42 times more likely to kill a family member than you are to thwart a crime (if you keep a gun in the house).
And some folks need to stop being fanboys and see the forest behind the trees.

(One of the best lines I've seen on this board lately)

salts
Posts: 13
Joined: Fri Nov 15, 2013 2:38 pm

Re: Security Paranoia – Google Authenticator For SSH

Sun Dec 01, 2013 10:13 pm

Rest assured, Joe, I don't feel bad. As I said, my opinion is the more layers the better, though layers for the sake of it with no thought of how they work together are of little use.

BTW, 'there was a paper once' or 'research has shown' don't hold much water when compared to the links below, and even then: interpret, understand, check the research and adapt it to your individual situation rather than blindly following. The last link is along the lines of your argument.

http://www.itbusinessedge.com/cm/blogs/ ... /?cs=40346

http://www.cisco.com/cisco/web/solution ... index.html

http://www.darkreading.com/management/r ... 324?pgno=2
