DNS server with djbdns (VegaDNS GUI + bonus replication)

This is my personal guide to setting up a djbdns (tinydns) DNS server to publish domain name information to the Internets. If djbdns, tinydns, name server, dns are strange words just move along, move along…


Setting up SSH access with server keys (no password) in FreeBSD

You want to log in from user@host-a to user@host-b automatically (with no password prompt).

Install ssh-copy-id on host-a. This handy little script takes care of all the dirty details for you.

cd /usr/ports/security/ssh-copy-id
make install clean

then run (still on host-a)

ssh-copy-id user@host-b

If you get the error “ERROR: No identities found” then you must generate your keys first and re-run ssh-copy-id afterwards. To generate a private/public SSH key pair, issue:

mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa

You can leave the pass-phrase empty for automatic logins (no password prompt), or set one for the more secure but less practical prompt each and every time you use the newly generated keys.

The next login from host-a to user@host-b will be made with SSH keys.

The dirty details

  • the user@host-a public key, usually ~/.ssh/id_rsa.pub, is appended to ~user/.ssh/authorized_keys on host-b
  • the host-b public host key (/etc/ssh/ssh_host_rsa_key.pub) is added to ~/.ssh/known_hosts on host-a
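The two file operations listed above, written out as an added example (this is not code from the original post or from ssh-copy-id itself) so that the permissions sshd's StrictModes checks and the idempotency are visible. The function names, the temporary paths and the key strings in the usage comments are constructed for illustration; the key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example: what ssh-copy-id does on host-b and on host-a, by hand.
# Nothing here contacts a remote host; both functions only edit files that
# are passed in, so they can be tried on copies first.

# install_authorized_key PUBKEY_FILE HOME_DIR
# Appends the public key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys.
# sshd (with the default StrictModes yes) refuses keys from a ~/.ssh that is
# group/world writable, so the directory is forced to 0700 and the file to
# 0600. A key already present is not appended again, so re-running is safe.
install_authorized_key() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Compare on key type and blob only (fields 1 and 2); the trailing
    # comment is not part of the key and may differ between copies.
    key_id=$(cut -d' ' -f1,2 "$pubkey_file")
    if ! cut -d' ' -f1,2 "$auth_keys" | grep -qxF "$key_id"; then
        cat "$pubkey_file" >> "$auth_keys"
    fi
}

# add_known_host HOSTNAME HOSTKEY_PUB_FILE KNOWN_HOSTS_FILE
# Records host-b's public host key (the contents of its
# /etc/ssh/ssh_host_rsa_key.pub) under HOSTNAME in KNOWN_HOSTS_FILE, using
# the "hostname keytype blob" line format ssh(1) writes to ~/.ssh/known_hosts.
# Pinning the key this way is what lets ssh detect a changed host key later.
add_known_host() {
    host=$1
    hostkey_file=$2
    known_hosts=$3

    mkdir -p "$(dirname "$known_hosts")"
    chmod 700 "$(dirname "$known_hosts")"
    touch "$known_hosts"
    entry="$host $(cut -d' ' -f1,2 "$hostkey_file")"
    grep -qxF "$entry" "$known_hosts" || printf '%s\n' "$entry" >> "$known_hosts"
}

# count_lines FILE: number of lines, without the padding BSD wc adds.
count_lines() { wc -l < "$1" | tr -d ' '; }

# Usage (constructed paths; on a real system the first call runs on host-b
# with the key copied from host-a, the second on host-a with host-b's key):
#   install_authorized_key /tmp/id_rsa.pub /home/user
#   add_known_host host-b /tmp/ssh_host_rsa_key.pub /home/user/.ssh/known_hosts
```

Because the comparison ignores the comment field, copying the same key from two machines whose id_rsa.pub files carry different comments still results in a single authorized_keys entry.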

The not so quiet revolution

How many times have I heard the “ahh… good old times” rant. Sure, sometimes the world as we know it now is complicated, sometimes unfair and even cruel and bad. But if you stop and zoom out a bit, like 20 years (no need to go all the way to the dark ages), one realizes the leap forward. And in technology the leap is nothing short of massive – thank you Mr. Moore. I’m really glad and lucky to be a part of this.

You can get a Raspberry Pi, a fully functional (and power efficient) computer running Linux, for about 30€. You can get a TV stick running Android OS for about 50€ (there are Linux distributions for this kind of device). Linux is free, the BSD OS family is free. Most of the SDKs are free. MySQL is free (as are other fully capable relational database systems). Many compilers are free. OpenOffice is free. Heck, even Adobe CS2 can be freely downloaded from Adobe…

Transit Price Drops

Also the price of bandwidth and networking has gone south over the years as the speed and quality have gone north. I remember dialing up with a 28.8 kbps modem: downloading a single mp3 file was an hour-long task, loading a simple webpage took an eternity, etc… and at the end of the month the phone bill was obscene… Nowadays I can download a pristine high-resolution full movie (on iTunes or another paid service, of course) in less than an hour for a fraction of what that mp3 cost.

Documentation, tutorials, examples, e-books, howtos all over the place. Information (for all levels) is freely available to anyone; you just need time and the right mindset to read, test and educate yourself about any technology that you want to learn.

So in the web business capital is not the main factor, it’s knowledge and labor. The funny thing is that capitalism did this: an industry that moves billions of dollars, and where start-up capital is not the most important factor (by far). Some kid somewhere in some room can build (and probably is building) the next big website or mobile app, costing him (or her) nothing more than time.

There is a bright future in this model. You don’t need some guys in suits sitting on top of the money to believe in your idea. You are the only one that needs to believe (can you picture the scared faces?) and learn, learn, learn:

Personally I wish I had much more time and peace of mind to learn and tinker with new technologies and projects, because now is the time.

FreeBSD migrating user accounts

Quick and dirty way to migrate user accounts from one FreeBSD box to another. From the source box you will only need two files:

/etc/master.passwd
/etc/group

Copy them to the target box, but DON’T overwrite the existing files there (yet). Put them in /root/master.passwd and /root/group. Compare the copied files with the existing ones for system users or groups that exist only on the target. If there are any, add them to the copied files.

Then move /root/group to /etc/group and run this magical command

pwd_mkdb -p /root/master.passwd

It will install it as /etc/master.passwd and recreate all the needed files (/etc/pwd.db, /etc/spwd.db and /etc/passwd).
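The comparison step above is easy to get wrong by eye, so here is an added example (not from the original post) that does it with awk. It works for both master.passwd and group, since both are colon-separated with the name in field 1 and the numeric id in field 3. The function names are mine, and the account lines in the usage comment are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example: find what the target box has that the copied files lack,
# and refuse to merge when a UID/GID is used by two different names.

# missing_accounts COPIED_FILE EXISTING_FILE
# Prints every entry of EXISTING_FILE (the target's own /etc/master.passwd or
# /etc/group) whose name is absent from COPIED_FILE (the /root/master.passwd
# or /root/group brought over from the source). These are the system
# users/groups that must be appended before pwd_mkdb is run.
missing_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen)' "$1" "$2"
}

# id_collisions COPIED_FILE EXISTING_FILE
# Prints "name_in_copy name_in_existing id" for every numeric id (field 3:
# UID in master.passwd, GID in group) that belongs to different names in
# the two files. Blindly appending in that case would give two accounts the
# same UID, so such a clash has to be resolved by hand.
id_collisions() {
    awk -F: 'NR == FNR { name[$3] = $1; next }
             ($3 in name) && name[$3] != $1 { print name[$3], $1, $3 }' "$1" "$2"
}

# merge_accounts COPIED_FILE EXISTING_FILE OUT_FILE
# Writes COPIED_FILE followed by the entries only EXISTING_FILE has into
# OUT_FILE; returns 1 without writing anything when id_collisions reports
# a clash.
merge_accounts() {
    if [ -n "$(id_collisions "$1" "$2")" ]; then
        echo "id collision between $1 and $2, resolve by hand:" >&2
        id_collisions "$1" "$2" >&2
        return 1
    fi
    { cat "$1"; missing_accounts "$1" "$2"; } > "$3"
}

# Usage on the target box (constructed paths; review the result before
# running pwd_mkdb -p on it):
#   merge_accounts /root/master.passwd /etc/master.passwd /root/master.passwd.merged
#   merge_accounts /root/group /etc/group /root/group.merged
```

The merge keeps the copied file's entries first, so for a name present in both files (root, for instance) the source box's password hash wins, which is the intent of the migration.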

Securing SSH with SSHGuard

If you have a remote server running some flavor of Unix or Linux, there is a 99% chance that you use SSH. The best security practice is to use an access key with a passphrase and disable password access altogether. But you end up losing some flexibility (for some customers PuTTY is this utterly complex piece of software; imagine them playing with SSH keys…).

The best you can do is to enforce a better user password policy, but even so, like every password service, it’s at the mercy of brute-force attacks. These attacks consume precious clock cycles and, in the worst case, they can break a password and gain access to the system.

So, here comes SSHGuard to our rescue. It’s a pretty neat piece of software that is highly flexible and customizable to one’s system, needs and paranoia level. On top of that it is maintenance-free and very easy to set up.

I’m using FreeBSD and the venerable (yet very capable) IPFW firewall. The choice of firewall is simply because it’s the one I am most proficient with.

The first thing is to enable IPFW on your system. Open /etc/rc.conf and add these lines

firewall_enable="YES"
firewall_type="open"

Actually this setup only brings IPFW up; it doesn’t filter anything, all the traffic is passed through. But if you forget the firewall_type="open" line and start the firewall you will be locked out, because the default is no traffic allowed… (and you win a drive to the data-center or some kind of remote rescue shell procedure).

Start IPFW

/etc/rc.d/ipfw start

and check that it is running

ipfw show

Now you are ready to install SSHGuard itself, a very easy task

cd /usr/ports/security/sshguard-ipfw
make install clean

and enable it in /etc/rc.conf

sshguard_enable="YES"

Ready? Start it

/usr/local/etc/rc.d/sshguard start

Still, there is a final thing to take care of. SSHGuard uses syslogd to monitor incoming (failed) logins, so you must edit /etc/syslog.conf and uncomment (or add, if it’s not there) the line that the SSHGuard port added.

auth.info;authpriv.info     |exec /usr/local/sbin/sshguard

And restart syslogd

/etc/rc.d/syslogd restart

And now your SSH service should be bullet-proof against brute-force attacks. Keep safe!

UPDATE 2014-02-23

The latest versions of SSHGuard don’t use syslogd any more; they use an internal “log sucker” that follows the logs. The default logs are “/var/log/auth.log:/var/log/maillog”; as I don’t want it to follow /var/log/maillog, I override this in /etc/rc.conf with:

sshguard_watch_logs="/var/log/auth.log"
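To see what the log follower is actually reacting to in /var/log/auth.log, here is an added example (not from the original post and not SSHGuard's own matching logic) that counts sshd authentication failures per source address with awk and reports the addresses at or above a threshold, i.e. the candidates that would land in the block list. The function name, the threshold and the log lines in the test are constructed; the addresses come from the documentation ranges.

```shell
#!/bin/sh
# Added example: a minimal reading of the sshd failure lines SSHGuard follows.
# Only counts; it never touches the firewall.

# failed_login_sources LOGFILE THRESHOLD
# Counts sshd "Failed password" and "Invalid user" lines per source address
# and prints "count address" for every address whose count reaches
# THRESHOLD, highest count first. Successful logins ("Accepted ...") and
# lines from other daemons are ignored.
failed_login_sources() {
    awk -v threshold="$2" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the source address is the field right after the word "from"
            for (i = 1; i < NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] >= threshold) print count[ip], ip }
    ' "$1" | sort -rn
}

# Usage (constructed paths): list addresses with 5 or more failures in the
# log SSHGuard is configured to watch.
#   failed_login_sources /var/log/auth.log 5
```

Comparing this report with pfctl -t sshguard -T show is a quick way to check that the log sucker is reading the file you think it is: an address that shows up here with many failures but never appears in the table usually means sshguard_watch_logs points at the wrong log.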

UPDATE 2014-08-05

For several reasons I have switched from IPFW to PF. So the port to install is /usr/ports/security/sshguard-pf/, you must add this line to your /etc/pf.conf, and enable PF in /etc/rc.conf

table <sshguard> persist

Then, to list the blocked IPs

pfctl -t sshguard -T show

to remove an IP from the list

pfctl -t sshguard -T delete aaa.bbb.ccc.ddd

to remove all the IPs

pfctl -t sshguard -T flush

NOTE

I am also going to test-drive fail2ban on a Debian box, and will soon post a quick review of the differences, drawbacks and benefits versus SSHGuard.