Securing SSH with SSHGuard

If you have a remote server running some flavor of Unix or Linux, there is a 99% chance that you use SSH. The best security practice is to use an access key with a passphrase and disable password access altogether. But you end up losing some flexibility (for some customers PuTTY is this utterly complex piece of software; imagine them playing with SSH keys…).

The best you can do is to enforce a better user password policy, but even so, like every password-based service, it's at the mercy of brute force attacks. These attacks consume precious clock cycles and, worst case scenario, they can break a password and gain access to the system.

So, here comes SSHGuard to our rescue. It's a pretty neat piece of software that is highly flexible and customizable to one's system, needs and paranoia level. On top of that it is maintenance free and very easy to set up.

I'm using FreeBSD and the venerable (yet very capable) IPFW firewall. The choice of firewall is simply because it's the one I am more proficient with.

First thing is to enable IPFW on your system. Open /etc/rc.conf and add these lines:

firewall_enable="YES"
firewall_type="open"

Actually this setup only brings IPFW up; it doesn't filter anything, all the traffic is passed through. But if you forget the firewall_type="open" line and start the firewall you will be locked out, because the default is no traffic allowed… (and you win a drive to the data-center or some kind of remote rescue shell procedure).

Start IPFW:

/etc/rc.d/ipfw start

and check that it is running:

ipfw show

Now you are ready to install SSHGuard itself, a very easy task:

cd /usr/ports/security/sshguard-ipfw
make install clean

and enable it in /etc/rc.conf:

sshguard_enable="YES"

Ready? Start it:

/usr/local/etc/rc.d/sshguard start

Still, there is a final thing to take care of. SSHGuard uses syslogd to monitor incoming (failed) logins. So you must edit /etc/syslog.conf and uncomment (or add, if it's not there) the line that the SSHGuard port added:

auth.info;authpriv.info     |exec /usr/local/sbin/sshguard

and restart syslogd:

/etc/rc.d/syslogd restart

And now your SSH service should be bulletproof against brute force attacks. Keep safe!

UPDATE 2014-02-23

Latest versions of SSHGuard don't use syslogd any more; they use an internal "log sucker" that follows the logs. The default logs are "/var/log/auth.log:/var/log/maillog"; as I don't want it to follow /var/log/maillog, I override this in /etc/rc.conf with:

sshguard_watch_logs="/var/log/auth.log"

UPDATE 2014-08-05

For several reasons, I have switched from IPFW to PF. So the port to install is /usr/ports/security/sshguard-pf/, and you must add this line to your /etc/pf.conf and enable PF in /etc/rc.conf:

table <sshguard> persist

Then, to list the blocked IPs:

pfctl -t sshguard -T show

to remove an IP from the list:

pfctl -t sshguard -T delete aaa.bbb.ccc.ddd

to remove all the IPs:

pfctl -t sshguard -T flush
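As an added illustration (not code from the SSHGuard project or from this post), here is the kind of per-source failure counting that turns auth.log lines into entries for the pf table above. The log excerpt, the year used to complete the syslog timestamps and the threshold of 4 failures within 20 minutes are constructed assumptions; the script only prints the pfctl commands instead of running them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd "Failed password" lines a log watcher keys on.
# Constructed regex for this example, not sshguard's own parser.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) "
)

def parse_syslog_time(stamp, year=2014):
    # Classic syslog stamps carry no year; assume one so timestamps are comparable.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_offenders(lines, threshold=4, window_minutes=20):
    """Return {ip: time of the failure that crossed the threshold} for every
    source with at least `threshold` failures inside one sliding window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    offenders = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # accepted logins and other noise are not attacks
        ip, when = m.group("ip"), parse_syslog_time(m.group("ts"))
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:  # age out failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders[ip] = when
    return offenders

def pf_block_commands(offenders, table="sshguard"):
    """The pfctl invocations that would add each offender to the pf table."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(offenders)]

# Constructed auth.log excerpt (RFC 5737 test addresses), not a real capture.
SAMPLE_AUTH_LOG = """\
Feb 23 10:00:01 srv sshd[1201]: Failed password for root from 203.0.113.5 port 51001 ssh2
Feb 23 10:00:03 srv sshd[1203]: Invalid user admin from 203.0.113.5
Feb 23 10:00:03 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Feb 23 10:00:09 srv sshd[1207]: Failed password for root from 203.0.113.5 port 51003 ssh2
Feb 23 10:00:11 srv sshd[1209]: Failed password for root from 203.0.113.5 port 51004 ssh2
Feb 23 10:05:30 srv sshd[1250]: Accepted publickey for ze from 198.51.100.7 port 40000 ssh2
Feb 23 10:07:00 srv sshd[1260]: Failed password for ze from 198.51.100.7 port 40001 ssh2
Feb 23 11:30:00 srv sshd[1400]: Failed password for ze from 198.51.100.7 port 40002 ssh2
""".splitlines()

if __name__ == "__main__":
    for cmd in pf_block_commands(find_offenders(SAMPLE_AUTH_LOG)):
        print(cmd)
```

The second source never reaches four failures inside one window, which is the difference between a mistyped password and a brute force run.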

NOTE

I am also going to test drive fail2ban on a Debian box, and will soon post a quick review of the differences, drawbacks and benefits versus SSHGuard.

Facebook pollution

It's spring cleaning time at my Facebook account…. I am sick and tired of the excessive crap that doesn't add anything, except losing my precious eye time. Facebook for me is a really cool medium to keep up with friends, family and companies. And guess what? If I added you to my Facebook friends list it is because I want to hear something about YOU. Something that YOU did, some of YOUR photos or videos, some great (or not so great) news about YOUR life, some place where YOU are or have been, YOUR thoughts about something, etc… Not this pollution that I currently get in my news feed.

I can even categorize the persons that I am about to remove from my news feed, "unfriend" or block.

The human hubs

These are the most annoying people for me. They just read some news (or just the headline) on the Internets, and share, share, share… Guess what? I read the fucking news on my tablet, also listen to the radio and watch some TV like most people do. I really don't need 20 shares in my news feed about something that is all over the media. Please, please don't do this if the news isn't related to you and you don't have personal thoughts or insights about it. Don't share it with me.

The compulsive gamer

Also a very annoying kind. Let's be honest, I couldn't care less that you waste your time growing virtual animals, vegetables, villages, whatever you feel like; it's your time anyway. If it makes you happy, just do it, but please don't send me more game invitations. If I want to play video games, I do it on my PlayStation with my big TV set and powerful speakers in full throttle mode, and even all that apparatus is just picking up dust most of the time.
So, do your thing for entertainment and I'll do mine, but please don't send me any more fucking game invitations (except if it is outdoors, or going to watch a football game or something similar and non-Facebook related).

The political activist

These people are also a pain in the ass. Yes, these are difficult times, I agree, and maybe you are in some deep shit because of the government and the austerity policy. Maybe you're unemployed and have nothing else to do but share 50 posts about how bad the politicians, the government and the whole system are. I'm far from being apolitical, and if you have your life messed up you have my sympathy, but please, please don't spend your days sharing posts against the president, the government, Angela Merkel, the EU, etc… It makes you look like a negative person distilling hate, notably if it is obsessive, and I have people with more than 20 posts of this kind daily… Take your cause elsewhere: go outside, write your own letter to the president, write on the walls of the parliament, show up at the demonstrations, whatever. And then please, also take some pictures of what you did to change things and post them on Facebook.

The humorist

The least annoying, if it is done with moderation. Moderation, again; the keyword is moderation. But unfortunately some people just share and post each and every single meme that they come across. A dog, a cat and a mouse picture, share. A sentence about life with a sunset picture, share. A guy falling down some stairs, share. A pope-mobile pulled by monkeys, share, etc, etc… Please use some common sense and share with moderation and with some quality criteria, not just some shit that you happened to see somewhere.

And, that’s about it. One has got to do, what one has got to do. Cleaning time now.


Raspberry PI follow-up

So, I did get a Raspberry PI (actually two) and did get it up and running; it was time to do something useful with it…

Time to set up a Samba server for network recording of security camera feeds. I went along with SWAT, a web based graphical interface to Samba configuration. Like all Debian based software, the installation process is pretty straightforward:

apt-get update
apt-get install swat

And auto-magically it installs everything that you need; it even adds the needed configuration line to /etc/inetd.conf 🙂

Then just point your browser to the PI's IP at port 901. Curiously enough, I found the SWAT tool too complex for the simple configuration that I wanted: I trust all users in the network, so my need was just two shares that anyone could read/write. So, I ditched SWAT and went on to good ol' style configuration file editing. The final /etc/samba/smb.conf that is working for me:

[global]
        netbios name = INTRANET
        server string = %h server
        map to guest = Bad Password
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        guest account = nobody
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb

[public1]
        comment = Samba Public 1
        browsable = yes
        public = yes
        writable = yes
        read only = No
        guest ok = Yes
        path = /media/usb0/samba/cam1/

[public2]
        comment = Samba Public 2
        browsable = yes
        public = yes
        writable = yes
        read only = No
        guest ok = Yes
        ; the path line was missing from the posted config; assumed from the cam2 path used by the cleanup script
        path = /media/usb0/samba/cam2/

Fire up Samba:

# service samba restart

And the cams had no problem finding the samba shares and recording into them.

Next step was to get an easy way to navigate and download recordings. Of course you can also use the Samba shares to navigate and read, but especially for outside access it would imply configuring VPN access to the network (you don't want your security camera feeds exposed on the Internets with read/write permissions to the world, right?). I went for HTTP with some kind of file explorer software that allows users/permissions, file/directory browsing and file download. For the server part I opted for lighttpd, a small footprint server, and for the voodoo, PHP (all pretty familiar technology to me). Again, the installation is for dummies:

apt-get install lighttpd
apt-get install php5-cgi

Then just a tiny adjustment to /etc/lighttpd/lighttpd.conf:

# mod_fastcgi has to be loaded, otherwise the fastcgi.server block below is ignored
server.modules += ( "mod_fastcgi" )

index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

fastcgi.server = ( ".php" => ((
                     "bin-path" => "/usr/bin/php-cgi",
                     "socket" => "/tmp/php.socket"
                 )))

and restart it. For the software I went for the super nice, cool and powerful AjaXplorer. Just download it and untar it to the /var/www directory. Then point your browser to the PI, log in with admin/admin (and change the password), and then it was just a matter of setting up a user account and a repository pointing to /media/usb0/samba/ (the parent directory of both Samba shares).

Now, only one thing left: clean up and report. What to use? Of course PHP again. But this one on the command line, so I installed the CLI version.

apt-get install php5-cli

And I wrote a script that cleans up old recordings and sends me a daily report email using basic functions and the great PHPMailer class.

<?php
require('phpmailer/class.phpmailer.php');

/*
 * Delete the recording directories (named YYYYMMDD) older than $days days.
 */
function deleteDir($dir, $days) {
    $now       = time();
    $diff      = 60*60*24*$days;
    $threshold = $now - $diff;

    $d = dir($dir);
    while (false !== ($entry = $d->read())) {
        // Only entries that really are YYYYMMDD date directories are candidates;
        // '.', '..' and any stray file the cams may drop are left alone.
        if (!preg_match('/^\d{8}$/', $entry))
            continue;

        $year  = substr($entry, 0, 4);
        $month = substr($entry, 4, 2);
        $day   = substr($entry, 6, 2);

        // escapeshellarg() keeps the path from being interpreted by the shell
        if (mktime(0, 0, 0, $month, $day, $year) < $threshold)
            exec("/bin/rm -rf ".escapeshellarg($dir.$entry));
    }

    $d->close();
}

/*
 * Human readable size of a directory (du -sh), or 0 if it doesn't exist.
 */
function getDirUsage($dir) {
    exec("/usr/bin/du -sh ".escapeshellarg($dir), $output, $return);

    if ($return > 0)
        return 0;

    // du prints "<size>\t<path>"; keep only the size column
    $output = explode("\t", $output[0]);

    return $output[0];
}

/*
 * DELETE OLD FILES, +30d
 */

deleteDir('/media/usb0/samba/cam1/video/', 30);
deleteDir('/media/usb0/samba/cam2/video/', 30);

/*
 * GET USED/FREE SPACE
 */

$disk_line = '';
exec('df -h', $output);
foreach ($output as $line) {
    if (strpos($line, '/media/usb0') !== false) {
        $disk_line = $line;
        break;
    }
}

// df columns: Filesystem Size Used Avail Use% Mounted on
$disk_line = preg_split('/\s+/', $disk_line);
if (count($disk_line) < 5)
    $disk_line = array('?', '?', 'n/a', 'n/a', 'n/a'); // mount point not found

$disk_used_space = $disk_line[2];
$disk_free_space = $disk_line[3];
$disk_used_perc  = $disk_line[4];

/*
 *  GET YESTERDAY RECORDINGS USAGE
 */

$yesterday  = date("Ymd", time() - 60 * 60 * 24);
$cam1_space = getDirUsage('/media/usb0/samba/cam1/video/'.$yesterday.'/');
$cam2_space = getDirUsage('/media/usb0/samba/cam2/video/'.$yesterday.'/');

/*
 * SEND REPORT EMAIL (server, account and addresses below are placeholders)
 */

$mail = new PHPMailer();
$mail->IsSMTP();                            // telling the class to use SMTP
$mail->SMTPAuth = true;                     // enable SMTP authentication
$mail->Port     = 25;                       // set the SMTP port
$mail->Host     = "mail.domain.com";        // SMTP server
$mail->Username = "username";               // SMTP account username
$mail->Password = "password";               // SMTP account password

$mail->From     = "email@domain.com";
$mail->FromName = "Descriptive email";
$mail->AddAddress("my_email@domain.com");

$mail->CharSet  = "UTF-8";
$mail->Subject  = "Cam Report";
$mail->Body     = "YESTERDAY RECORDINGS\n".
                  "Cam 1: $cam1_space\n".
                  "Cam 2: $cam2_space\n".
                  "\n\n".
                  "HDD SPACE STATUS\n".
                  "Free: $disk_free_space\n".
                  "Used: $disk_used_space ($disk_used_perc)\n";
$mail->WordWrap = 50;

if (!$mail->Send())
        error_log($mail->ErrorInfo);

Then just run it daily with cron:
30 3 * * * /usr/bin/php /path/to/script/cams.php > /dev/null

For now that's all, but I guess there will be more updates on the Raspberry PI as I still have some ideas floating in my head.

Raspberry PI first steps

Like each and every true geek, I got myself a Raspberry PI. First mistake: I ordered only the Raspberry; I should have bought a case too (I will buy one soon, but with added shipping costs…).

First choice to make: a cheap but decent SD card. I bought a 4GB class 6 SD card (meaning 6 MB/s; the higher the better). The OS image (Raspbian, yet another Debian clone) has a considerable size, almost 2GB, so anything smaller than 4GB is probably not a very good idea…

Powered it up, and first problem: even though I had an HDMI connection to my TV screen, no output was detected. Shit! Besides no output, everything seemed normal and my router registered a new device, so I ssh'd to the assigned IP and could log in easily with the default pi/raspberry credentials…. (yes, I did try another cable and still no output). Strangely enough, connected to a monitor with the same HDMI cable it works fine, and the TV reads perfectly from other HDMI inputs (laptop, PS3)….

Still on this, I have found that you can do a lot of tweaking of the Raspberry HDMI settings; I will tinker with the various options and then report back:
http://elinux.org/RPi_config.txt#Video_mode_options

After boot you must (or at least should) resize (or make another) partition to reclaim the entire card space. After that I wanted to connect an external HDD; as documented and expected, if connected directly to one of the Raspberry USB ports there is not enough power and the Raspberry crashes and reboots (so does the HDD). So, I went out to get a cheap self-powered USB hub…

I connected the USB hub and plugged the Raspberry into it; it worked fine. And then the HDD, which also powered up nicely, with no more crashes and reboots, as expected. But the damn thing wasn't recognized… why? Yet another rookie mistake… the micro USB input on the Raspberry is power input only, it doesn't support data, so I fixed it with another external power adapter providing power to the Pi. I think another cable running from the USB hub would also do the job.

Of course I did set up root ssh access (as all good security practices advise not to do, but what the heck, I like to live on the edge). Boot and minimum setup complete, time to move to the real fun stuff 🙂

Update:
Raspberry PI with Raspbian "Wheezy" connected to an LG 50PV350 through HDMI. The TV set reports "no signal" and shows no image. To fix this, open the SD card's boot partition, edit config.txt and add:

hdmi_force_hotplug=1
hdmi_group=1
hdmi_mode=16

This forces the PI to output over HDMI always, even if no device is detected; group 1 means TV (2 is monitor) and mode 16 is 1080p.

My bite on Apple

Love it or hate it, it's the kind of company that leaves no one indifferent. It showed the world (at least the masses) the personal computer, the graphical interface, the decent portable music player, a real smartphone and what a tablet should be like. All very nice and disruptive. All products are incredibly well made, with beautiful design and taste, and they just work out of the box like no other in the market. I should love it. But the sad truth is I don't.

Company culture runs top down, and Steve Jobs was indeed a visionary and incredibly smart person, but also a manipulative, control freak, indifferent to his own children, cruel kind of person (probably a big jerk). Unfortunately a lot of that spilled over to Apple.

Lots of (unnecessary) proprietary stuff.
Long history of conflicts with other companies and standards. Adobe, Google, just to name a couple.
Closing the market with all kinds of patents and legal tricks.
Mac OS X has a huge portion of FreeBSD in it, but I don't see a cent donated by Apple (the list of donors includes Cisco, Google, Juniper, NetApp, McAfee, Dell, etc).
I see Google doing some incredible work at a social level: Google foundation, X-Prize. In counterpart, is there an Apple foundation?
One buys an iPhone/iPad and must pay for a developer account or jailbreak. The SDK is only available for Apple computers.
One must get his OWN files to his OWN device through iTunes…

And the list goes on and on… does the profit, a vision, or whatever justify this kind of policies? Do the ends justify the means? For Steve Jobs sure, for Apple sure, but not for me. So my choices are rather obvious (check here, here and here).

FREEDOM, FREEDOM, FREEDOM bitch!

One more thing 🙂 … it's kind of sad that of all those geeks that were upset some ten years ago by Microsoft's monopolistic actions and autism, most of them switched to Apple, giving their love and support to an even worse company in that matter. You can get in a meeting with IT staff and 90% of those that were running Windows laptops some years ago now proudly show their Apple gear… talk about brainwash… I can only recall the old Apple motto "Think different"… I will probably glue this to my Linux laptop one of these days.