Sep 29 2016
 

As time goes by and social sites become more and more pervasive in our lives, I’ve decided to make fewer posts on my own blog, but to keep them relevant (at least to me).

This new one is about my recent home network improvement:

  • Vodafone Fiber Link (with Vodafone Station Revolution)
  • Firewall replacement from my old glorious Stonesoft hardware+PFSense with a brand new shining Mikrotik RouterBoard RB2011UiAS

I needed to build VPN access from outer space to my own network, mainly using my two preferred tools: iOS device and OS X on my Mac.

It took me a while to find the right combination of settings, given the constraints of what I was aiming for, which was this (naturally, IP info has been sanitized 😎):

(image: what I was after)


Oct 12 2014
 

Pretty long title for a pretty long piece of work, which took me longer than I initially thought. And because I’ve sorted out how to blend information from multiple sites, here we go with a unified post.

Let’s start with the goal.

I wanted to have root access to my home machine via SSH/SFTP with a strong authentication system; but I also wanted to offer a friend of mine access to an externally connected hard drive with a simple password.

And to keep everything more secure, I wanted to have this guy chrooted into the directory he logs into.

I will not cover the strong authentication setup, since there are very good instructions on Duo’s site.

To enable strong authentication only for root, I had to make a small change to my /etc/ssh/sshd_config file, as shown below.

  • disable PAM integration, by putting a hash at the beginning of the line:
    # UsePAM yes

    This is needed since we’re going to use the Match Group directive.

  • insert the following lines below the Subsystem sftp /usr/lib/openssh/sftp-server section:
    Match Group root
    ForceCommand /usr/sbin/login_duo

Save and exit, restart the ssh service, and test: when you ssh into the system and type the root username and password, something similar to what is reported below should appear:

$ ssh root@192.168.1.50
root@192.168.1.50's password: 
Duo two-factor login for root
Enter a passcode or select one of the following options:
1. Duo Push to +XX XXX XXX 1791
 2. Phone call to +XX XXX XXX 1791
 3. SMS passcodes to +XX XXX XXX 1791
Passcode or option (1-3):

Once you choose (for example) 1 and confirm on your authentication device, login will complete.

To enable chrooted access for my friend without forcing him to enroll in strong auth, I created an sftp group with the command:

groupadd sftp

Then I added him to this group with the command:

usermod -G sftp <login name>

I also disabled his shell with the command:

usermod -s /usr/sbin/nologin <login name>

and set his home directory to my external disk with the command:

usermod -d /media/external/friend <login name>

Finally, I added the following entries for sftp to the /etc/ssh/sshd_config file, under the Subsystem sftp /usr/lib/openssh/sftp-server section, as shown below.

Match Group sftp
    ChrootDirectory /media/external/friend
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp

NOTA BENE: the directory friend must be owned by root with 700 rights. Because my friend is only a member of the sftp group and not root, to allow him to upload content I needed to create a directory upload below the directory friend and chown that directory to his login name, as shown below:

(image: listing)

For more background on why you need to change ownership and set the rights as mentioned, check here.

Once you have completed all the editing, remember to restart the ssh service with the command:

service ssh restart
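The script below is added here as an example and is not part of the original post. It checks the filesystem side of the setup above: sshd_config(5) requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others, and since the chrooted user cannot write into a root-owned directory he needs a subdirectory of his own (upload) to write to. The user name friend, the path /media/external/friend and the scratch tree under mktemp are placeholders, and the script assumes GNU coreutils stat. One caveat: dir_ok enforces only sshd's rule; the user additionally needs the execute (search) bit on the chroot directory to reach upload inside it.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a directory layout
# satisfies what sshd demands for ChrootDirectory, and that the upload
# subdirectory is owned by the chrooted user.
# Assumes GNU coreutils (stat -c); user names and paths are placeholders.

# dir_ok OWNER DIR
# Returns 0 when DIR is a directory owned by OWNER with no group or other
# write bit; sshd refuses a chroot whose path components fail this rule.
dir_ok() {
    owner=$1
    dir=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    have=$(stat -c '%U' "$dir")
    [ "$have" = "$owner" ] || { echo "$dir is owned by $have, expected $owner" >&2; return 1; }
    perm=$(stat -c '%A' "$dir")      # e.g. drwxr-xr-x: char 6 = group w, char 9 = other w
    case $perm in
        ?????w*|????????w?) echo "$dir is group- or other-writable ($perm)" >&2; return 1 ;;
    esac
    return 0
}

# chroot_path_ok DIR
# Walks DIR and every parent up to /; each must pass dir_ok for root.
chroot_path_ok() {
    p=$1
    while :; do
        dir_ok root "$p" || return 1
        [ "$p" = "/" ] && return 0
        p=$(dirname "$p")
    done
}

# upload_dir_ok USER DIR
# The user cannot write to the root-owned chroot itself, so a directory
# owned by the user below it is where uploads go.
upload_dir_ok() {
    [ -d "$2" ] || { echo "missing upload dir: $2" >&2; return 1; }
    have=$(stat -c '%U' "$2")
    [ "$have" = "$1" ] || { echo "$2 is owned by $have, expected $1" >&2; return 1; }
}

# check_sftp_layout USER CHROOT : the full check to run as root on the server
check_sftp_layout() {
    chroot_path_ok "$2" && upload_dir_ok "$1" "$2/upload"
}

# Stand-alone demo without root: build a scratch tree owned by the current
# user, check it, then break the mode and confirm the check fails.
demo() {
    me=$(id -un)
    t=$(mktemp -d)
    mkdir -p "$t/friend/upload"
    chmod 755 "$t/friend"
    dir_ok "$me" "$t/friend" && upload_dir_ok "$me" "$t/friend/upload" \
        && echo "layout ok: $t/friend"
    chmod 775 "$t/friend"
    dir_ok "$me" "$t/friend" || echo "rejected after chmod 775, as expected"
    rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
# Real use on the server: check_sftp_layout <login name> /media/external/friend
```

Run it with the argument demo to exercise the checks on a scratch tree owned by the current user; on the real box, run check_sftp_layout <login name> /media/external/friend as root after the chown, and sshd -t to syntax-check sshd_config before restarting the service.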

Enjoy!

 

Apr 13 2014
 

First off, a BIG thank you to my friend Luca Ferrarotti, who inspired, actively contributed to and helped me with this HowTo.

Then, something I have wanted to write for a very long time. Other articles in this blog explain how to use OS X or iOS to build a native client-to-site IPsec VPN terminated on a McAfee (formerly Stonesoft) Next Generation Firewall. Since I joined Stonesoft many years ago, lots of people have asked me, Support and my SE colleagues how to build this configuration… here you are. Your voice has been heard!

I wrote this article using McAfee Next Generation Firewall version 5.5.6 and McAfee Security Management Center 5.7.0, while on the client side I am on Ubuntu 12.04.4 LTS.

Apr 06 2011
 

A few notes to myself, to avoid forgetting a cool thing I’ve just learned.

The need is to implement RADIUS-based authentication to access a directory on an Apache2 web server.

Here’s how to proceed (instructions have been tested on Ubuntu 10.10).

First, you need to install the module for RADIUS authentication on Apache2, using the command:

apt-get install libapache2-mod-auth-radius

Then, you need to enable it with the command:

a2enmod auth_radius

You now need to make your Apache web server aware of where to send RADIUS authentication requests. There are two ways, depending on whether you want to make this configuration Apache-wide (then edit /etc/apache2/http.conf) or limit it to a specific virtual host (then edit /etc/apache2/sites-enabled/<yoursitename>.conf).

Add the line:

AddRadiusAuth <IP address of the Radius server>:<port where Radius service is listening> <shared secret> [timeout [:retries]]

Assuming you want to protect a specific directory called auth-test, you can insert the following directive in your site/virtualhost configuration file (/etc/apache2/sites-enabled/<yoursitename>.conf):

<Directory "/var/www/testmyauth">
    Options Indexes FollowSymLinks
    AuthType Basic
    AuthName "Roarin RADIUS Authentication"
    AuthBasicAuthoritative Off
    AuthBasicProvider radius
    AuthRadiusAuthoritative on
    AuthRadiusActive On
    Require valid-user
</Directory>


Naturally, you may also add the above directives to a .htaccess file in the directory you want to protect with RADIUS-based authentication…

Finally, restart or reload your apache2 using one of the commands:

service apache2 reload

service apache2 restart
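As an added example (not from the original post), the script below verifies from a client that the directory is actually protected: an anonymous request must get a 401 with a Basic challenge carrying the realm set in AuthName, and a request with valid RADIUS credentials must get a 200. The header parsers run offline against constructed sample responses; probe_site needs curl and a reachable server, and the URL, realm and user:password it takes are placeholders. Serve the directory over HTTPS: Basic authentication only base64-encodes the password, and the web server then forwards it to the RADIUS server, so without TLS the password crosses the network in the clear.

```shell
#!/bin/sh
# Added example (not from the original post): check that a RADIUS-protected
# directory challenges for credentials and accepts a valid login, by parsing
# the HTTP response headers. URL, realm and credentials are placeholders.

# http_status RAW  -> prints the 3-digit status code from the first header line
http_status() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# basic_realm RAW  -> prints the realm from a "WWW-Authenticate: Basic" header
basic_realm() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^WWW-Authenticate: Basic realm="\([^"]*\)".*/\1/p'
}

# challenge_ok RAW EXPECTED_REALM
# 0 when the server answered 401 with a Basic challenge for EXPECTED_REALM,
# i.e. the AuthType/AuthName/Require directives are in effect for that path.
challenge_ok() {
    status=$(http_status "$1")
    [ "$status" = "401" ] || { echo "expected 401, got '$status'" >&2; return 1; }
    realm=$(basic_realm "$1")
    [ "$realm" = "$2" ] || { echo "realm mismatch: '$realm'" >&2; return 1; }
}

# login_ok RAW  -> 0 when the authenticated request was accepted
login_ok() {
    [ "$(http_status "$1")" = "200" ]
}

# probe_site URL REALM USER:PASSWORD
# Live check; needs curl and network, so it only runs when called explicitly.
probe_site() {
    url=$1; realm=$2; creds=$3
    anon=$(curl -sS -I "$url")
    challenge_ok "$anon" "$realm" || return 1
    auth=$(curl -sS -I -u "$creds" "$url")
    login_ok "$auth" || { echo "credentials rejected (check RADIUS server/secret)" >&2; return 1; }
    echo "$url: anonymous request challenged, valid login accepted"
}

# Constructed sample responses (not captured from a real server) so the
# parsers can be exercised offline.
SAMPLE_401='HTTP/1.1 401 Unauthorized
Date: Wed, 06 Apr 2011 10:00:00 GMT
Server: Apache
WWW-Authenticate: Basic realm="Roarin RADIUS Authentication"
Content-Type: text/html; charset=iso-8859-1'

SAMPLE_200='HTTP/1.1 200 OK
Date: Wed, 06 Apr 2011 10:00:01 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1'

if [ "${1:-}" = "demo" ]; then
    challenge_ok "$SAMPLE_401" "Roarin RADIUS Authentication" && echo "sample challenge parsed"
    login_ok "$SAMPLE_200" && echo "sample login parsed"
fi
# Real use: probe_site https://www.example.com/testmyauth/ "Roarin RADIUS Authentication" user:password
```

Running the script with the argument demo exercises the parsers on the built-in samples; pointing probe_site at the real virtual host confirms that the Directory block is being applied and that the RADIUS server accepts the shared secret and the user.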

Enjoy 😉

Aug 27 2010
 

(image: osa_logo_180x66) This very well-done and useful site was built, among others, by a great ex-coworker I respect very much.

As a note-to-self, I’m placing it in my collection of useful tech tips since their library and documentation is more than useful.

And yes, I’m committing to participate there as well, although I don’t know when I’ll be able to send my first contribution.

But commitment is a start, right? 😉