Security

How to Setup Two-Factor Authentication (Google Authenticator) for SSH Logins

Published: 2019-05-28 19:51:13

SSH already encrypts the communication between remote machines, but if you want to add an extra layer of security to your SSH connections, you can add the Google Authenticator (two-factor authentication) module, which asks for a time-based one-time password (TOTP) verification code when you connect to SSH servers. You’ll have to enter the verification code from your smartphone or PC when you connect.

Google Authenticator is an open-source module developed by Google that includes implementations of one-time passcode (TOTP) verification tokens. It supports several mobile platforms, as well as PAM (Pluggable Authentication Module). These one-time passcodes are generated using open standards created by OATH (the Initiative for Open Authentication).

SSH Two Factor Authentication

In this article I will show you how to set up and configure SSH for two-factor authentication on Red Hat, CentOS, Fedora, Ubuntu, Linux Mint and Debian.

Installing Google Authenticator Module

On the machine where you want to set up two-factor authentication, install the following PAM libraries along with the development tools that are needed to build the Google Authenticator PAM module.

On Red Hat, CentOS and Fedora systems install the ‘pam-devel’ package.

# yum install pam-devel make automake libtool gcc-c++ wget

On Ubuntu, Linux Mint and Debian systems install the ‘libpam0g-dev’ package.

# apt-get install libpam0g-dev make automake libtool g++ wget

Now clone and install the Google Authenticator module under the home directory (assuming you are already in root's home directory) using the following commands.

# git clone https://github.com/google/google-authenticator-libpam.git
# cd google-authenticator-libpam/
# ./bootstrap.sh
# ./configure
# make
# make install
# google-authenticator

Once you run the ‘google-authenticator’ command, it will prompt you with a series of questions. Simply type “y” (yes) as the answer in most situations. If something goes wrong, you can run the ‘google-authenticator’ command again to reset the settings.

  1. Do you want authentication tokens to be time-based (y/n) y

After this question, you will get your ‘secret key’ and ‘emergency codes’. Write these details down and keep them somewhere safe; we will need the ‘secret key’ later on to set up the Google Authenticator app.

[[email protected] google-authenticator-libpam]# google-authenticator

Do you want authentication tokens to be time-based (y/n) y
https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/[email protected]%3Fsecret%3DXEKITDTYCBA2TLPL
Your new secret key is: XEKITDTYCBA2TLPL
Your verification code is 461618
Your emergency scratch codes are:
  65083399
  10733609
  47588351
  71111643
  92017550

Next, follow the setup wizard and in most cases type answer as “y” (yes) as shown below.

Do you want me to update your "/root/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
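
How a verification code is derived from the secret key, and what the window, single-use and rate-limiting answers above change on the server side, shown as an added example that is not part of the original article or of the module's code. It follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits); the TotpVerifier class, its parameter names and the enlarged window value of 17 are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds a token stays current, as stated by the setup wizard


def decode_secret(secret_b32):
    """The 'secret key' printed by the wizard is Base32 text; return raw bytes."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, now):
    """RFC 6238: the counter is the number of 30-second steps since the epoch."""
    return hotp(key, int(now) // STEP)


class TotpVerifier:
    """Hypothetical server-side model of three wizard answers:
    window size, single use of each token, and rate limiting."""

    def __init__(self, key, window=3, max_attempts=3, rate_period=30):
        self.key = key
        self.skew = window // 2          # window 3 -> one step either side of now
        self.max_attempts = max_attempts
        self.rate_period = rate_period
        self.attempts = []               # timestamps of recent attempts
        self.used_counters = set()       # steps whose token was already accepted

    def verify(self, code, now):
        # Rate limiting: refuse once max_attempts were made within rate_period.
        self.attempts = [t for t in self.attempts if now - t < self.rate_period]
        if len(self.attempts) >= self.max_attempts:
            return "rate-limited"
        self.attempts.append(now)

        current = int(now) // STEP
        first = max(0, current - self.skew)
        for counter in range(first, current + self.skew + 1):
            # Constant-time comparison of the presented and the expected code.
            if hmac.compare_digest(hotp(self.key, counter), code):
                if counter in self.used_counters:
                    return "replayed"    # same token presented a second time
                self.used_counters.add(counter)
                return "ok"
        return "invalid"


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"    # test key from RFC 6238, not a real secret
    print(totp(rfc_key, 59))
    default = TotpVerifier(rfc_key)            # window of 3 steps
    enlarged = TotpVerifier(rfc_key, window=17)  # assumed enlarged window
    late = 1111111109 + 120                    # code arrives two minutes late
    print(default.verify(totp(rfc_key, 1111111109), late))
    print(enlarged.verify(totp(rfc_key, 1111111109), late))
```

A larger window tolerates more clock skew but also keeps a captured code usable for longer, which is why the single-use and rate-limiting answers matter more once the window is enlarged.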

Configuring SSH to use Google Authenticator Module

Open the PAM configuration file ‘/etc/pam.d/sshd‘ and add the following line to the top of the file.

auth       required     pam_google_authenticator.so

Next, open the SSH configuration file ‘/etc/ssh/sshd_config’ and scroll down to find the line that says:

ChallengeResponseAuthentication no

Change it to “yes”, so that it becomes:

ChallengeResponseAuthentication yes

Finally, restart the SSH service to apply the changes.

# /etc/init.d/sshd restart

Configuring Google Authenticator App

Launch the Google Authenticator app on your smartphone. Press Menu and choose “Setup an account”. If you don’t have this app, you can download and install the Google Authenticator app on your Android/iPhone/Blackberry device.

Google Authenticator Setup Account

Press “Enter key provided”.

Enter Google Authenticator Secret Key

Add your account ‘Name‘ and enter the ‘secret key‘ generated earlier.

Google Authenticator Account Name and Secret Key

It will generate a one-time password (verification code) that changes every 30 seconds on your phone.

Google Authenticator One Time Password

Now try to log in via SSH. You will be prompted for the Google Authenticator code (Verification code) and your password whenever you attempt to log in via SSH. You have only 30 seconds to enter this verification code; if you miss it, a new verification code is generated.

login as: sfnews
Access denied
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Password:
Last login: Tue Apr 23 13:58:29 2013 from 172.16.25.125
[[email protected] ~]#

If you don’t have smartphone, you can also use a Firefox add-on called GAuth Authenticator to do two-factor authentication.

Important: The two-factor authentication works with password-based SSH logins. If you are using a private/public key SSH session, it will ignore two-factor authentication and log you in directly.
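
The behaviour in the note above follows from the configuration on this page: with sshd's default AuthenticationMethods a public-key login succeeds on its own and the PAM auth stack is never asked for a code. The Python check below is an added example, not part of the original article; the function names and both embedded configurations are constructed, and UsePAM and AuthenticationMethods are standard sshd_config keywords that the article itself does not mention.

```python
def parse_sshd_config(text):
    """Global sshd_config settings; sshd keeps the first value given for a keyword.
    Parsing stops at the first Match block (conditional overrides are not modelled)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "challengeresponseauthentication":
            # Treated as one setting: current OpenSSH accepts the old name as
            # an alias for KbdInteractiveAuthentication.
            key = "kbdinteractiveauthentication"
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def pam_loads_totp(pam_text):
    """True if an 'auth' line in the PAM file loads pam_google_authenticator.so."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and any(
                f.endswith("pam_google_authenticator.so") for f in fields[2:]):
            return True
    return False


def audit(sshd_text, pam_text):
    """Return a list of reasons why a login could skip the verification code."""
    cfg = parse_sshd_config(sshd_text)
    findings = []
    if not pam_loads_totp(pam_text):
        findings.append("pam: no auth line loads pam_google_authenticator.so")
    if cfg.get("usepam", "no").lower() != "yes":
        findings.append("sshd: UsePAM is not 'yes', so the PAM stack is not consulted")
    if cfg.get("kbdinteractiveauthentication", "yes").lower() != "yes":
        findings.append("sshd: keyboard-interactive is off, so the code is never asked for")

    methods = cfg.get("authenticationmethods", "any")
    if methods.lower() == "any":
        # Any single successful method completes the login.
        if cfg.get("pubkeyauthentication", "yes").lower() != "no":
            findings.append("sshd: publickey alone completes a login (no verification code)")
    else:
        # Space-separated alternatives, each a comma-separated list of required methods.
        for alternative in methods.split():
            names = [m.split(":", 1)[0] for m in alternative.split(",")]
            if "keyboard-interactive" not in names:
                findings.append(
                    "sshd: '%s' completes a login without keyboard-interactive" % alternative)
    return findings


# Constructed samples: the settings this article ends up with, then a variant
# that requires a key AND the keyboard-interactive (PAM) exchange.
PAGE_PAM = "auth       required     pam_google_authenticator.so\n"
PAGE_SSHD = "UsePAM yes\nChallengeResponseAuthentication yes\n"
HARDENED_SSHD = PAGE_SSHD + "AuthenticationMethods publickey,keyboard-interactive\n"

if __name__ == "__main__":
    for label, conf in (("as configured here", PAGE_SSHD), ("hardened", HARDENED_SSHD)):
        print(label, audit(conf, PAGE_PAM))
```

With the hardened variant every account needs an authorized key, because the key becomes the first of two required steps.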

Secure Files/Directories using ACLs (Access Control Lists) in Linux

Published: 2019-05-28 19:22:52

As system administrators, our first priority is to protect and secure data from unauthorized access. We are all aware of the permissions that we set using helpful Linux commands like chmod, chown, chgrp, etc. However, these default permission sets have some limitations and sometimes may not meet our needs. For example, we cannot set up different permission sets for different users on the same directory or file. Thus, Access Control Lists (ACLs) were implemented.

Linux Access Control Lists

Let’s say you have three users, ‘sfnews1’, ‘sfnews2’ and ‘sfnews3’, each having a common group, say ‘acl’. User ‘sfnews1’ wants only user ‘sfnews2’ to be able to read and access files owned by ‘sfnews1’, and no one else should have any access to them.

ACLs (Access Control Lists) allow us to do exactly that. ACLs allow us to grant permissions to a user, a group, and any group of users that are not in the group list of a user.

Note: As per Red Hat product documentation, it provides ACL support for the ext3 file system and NFS-exported file systems.

How to Check ACL Support in Linux Systems

Before moving ahead, you should have support for ACLs in the current kernel and on the mounted file systems.

1. Check Kernel for ACL Support

Run the following command to check ACL support for the file system and the POSIX_ACL=y option (if there is N instead of Y, it means the kernel doesn’t support ACLs and needs to be recompiled).

[[email protected] ~]# grep -i acl /boot/config*

CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y

2. Check Required Packages

Before you start working with ACLs, make sure that you have the required packages installed. Below are the required packages that need to be installed using yum or apt-get.

[[email protected] ~]# yum install nfs4-acl-tools acl libacl		[on RedHat based systems]
[[email protected] ~]$ sudo apt-get install nfs4-acl-tools acl	[on Debian based systems]

3. Check Mounted File System for ACLs Support

Now, check whether the mounted file system is mounted with the acl option. We can use the ‘mount’ command to check this, as shown below.

[[email protected] ~]# mount  | grep -i root

/dev/mapper/fedora-root on / type ext4 (rw,relatime,data=ordered)

In our case it is not showing acl by default. So, we have the option to remount the partition using the acl option. But before moving ahead, there is another way to check whether the partition is mounted with the acl option, because on recent systems it may be part of the default mount options.

[[email protected] ~]# tune2fs -l /dev/mapper/fedora-root | grep acl

Default mount options:    user_xattr acl

In the above output, you can see that the default mount options already include support for acl. Another option is to remount the partition as shown below.

[[email protected] ~]# mount -o remount,acl /

Next, add the below entry to the ‘/etc/fstab’ file to make it permanent.

/dev/mapper/fedora-root /	ext4    defaults,acl 1 1

Again, remount the partition.

[[email protected] ~]# mount -o remount  /

4. For NFS Server

On an NFS server, if the file system exported by the NFS server supports ACLs and the ACLs can be read by NFS clients, then the ACLs are used by the client system.

To disable ACLs on an NFS share, add the “no_acl” option in the ‘/etc/exports’ file on the NFS server. To disable it on the NFS client side, again use the “no_acl” option at mount time.

How to Implement ACL Support in Linux Systems

There are two types of ACLs:

  1. Access ACLs: Access ACLs are used for granting permissions on any file or directory.
  2. Default ACLs: Default ACLs are used for granting/setting access control list on a specific directory only.

Difference between Access ACL and Default ACL:

  1. Default ACL can be used on directory level only.
  2. Any subdirectory or file created within that directory will inherit the ACLs from its parent directory. On the other hand, a file inherits the default ACLs as its access ACLs.
  3. We make use of “-d” for setting default ACLs, and default ACLs are optional.

Before Setting Default ACLs

To determine the default ACLs for a specific file or directory, use the ‘getfacl’ command. In the example below, getfacl is used to get the default ACLs for a folder ‘Music’.

[[email protected] ~]# getfacl Music/

# file: Music/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::rw-

After Setting Default ACLs

To set the default ACLs for a specific file or directory, use the ‘setfacl’ command. In the example below, the setfacl command sets new default ACLs (read and execute) for others on the folder ‘Music’.

[[email protected] ~]# setfacl -m d:o:rx Music/
[[email protected] ~]# getfacl Music/
# file: Music/
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

How to Set New ACLs

Use the ‘setfacl’ command for setting or modifying ACLs on any file or directory. For example, to give read and write permissions to user ‘sfnews1’:

# setfacl -m u:sfnews1:rw /sfnews1/example

How to View ACLs

Use the ‘getfacl’ command for viewing the ACL on any file or directory. For example, to view the ACL on ‘/sfnews1/example’ use the command below.

# getfacl /sfnews1/example

# file: sfnews1/example/
# owner: sfnews1
# group: sfnews1
user::rwx
user:sfnews1:rwx
user:sfnews2:r--
group::rwx
mask::rwx
other::---

How to Remove ACLs

For removing ACLs from any file/directory, we use the x and b options as shown below.

# setfacl -x ACL file/directory  	# remove only the specified ACL from file/directory

# setfacl -b  file/directory   		# remove all ACLs from file/directory

Let’s implement ACLs in the following scenario.

Two users (sfnews1 and sfnews2), both having a common secondary group named ‘acl’. We will create one directory owned by ‘sfnews1’ and will provide read and execute permission on that directory to user ‘sfnews2’.

Step 1: Create two users and remove password from both

[[email protected] ~]# for user in sfnews1 sfnews2
> do
> useradd $user
> passwd -d $user
> done
Removing password for user sfnews1.
passwd: Success
Removing password for user sfnews2.
passwd: Success

Step 2: Create a group and add the users to it as a secondary group.

[[email protected] ~]# groupadd acl
[[email protected] ~]# usermod -G acl sfnews1
[[email protected] ~]# usermod -G acl sfnews2

Step 3: Create a directory /sfnews1 and change ownership to sfnews1.

[[email protected] ~]# mkdir /sfnews1
[[email protected] ~]# chown sfnews1 /sfnews1/
[[email protected] ~]# ls -ld /sfnews1/

drwxr-xr-x 2 sfnews1 root 4096 Apr 17 14:46 /sfnews1/
[[email protected] ~]# getfacl /sfnews1

getfacl: Removing leading '/' from absolute path names
# file: sfnews1
# owner: sfnews1
# group: root
user::rwx
group::r-x
other::r-x

Step 4: Log in as sfnews1 and create a directory in the /sfnews1 folder.

[[email protected] ~]$ su - sfnews1

Last login: Thu Apr 17 14:49:16 IST 2014 on pts/4
[[email protected] ~]$ cd /sfnews1/
[[email protected] sfnews1]$ mkdir example
[[email protected] sfnews1]$ ll

total 4
drwxrwxr-x 2 sfnews1 sfnews1 4096 Apr 17 14:50 example
[[email protected] sfnews1]$ whoami 
sfnews1

Step 5: Now set ACL using ‘setfacl‘, so that ‘sfnews1‘ will have all rwx permissions, ‘sfnews2‘ will have only read permission on ‘example‘ folder and other will have no permissions.

$ setfacl -m u:sfnews1:rwx example/
$ setfacl -m u:sfnews2:r-- example/
$ setfacl -m  other:--- example/
$ getfacl example/

# file: example
# owner: sfnews1
# group: sfnews1
user::rwx
user:sfnews1:rwx
user:sfnews2:r--
group::r-x
mask::rwx
other::---

Step 6: Now log in as the other user, i.e. ‘sfnews2’, on another terminal and change directory to ‘/sfnews1’. Now try to view the contents using the ‘ls’ command and then try to change directory, and see the difference as below.

[[email protected] ~]$ su - sfnews2

Last login: Thu Apr 17 15:03:31 IST 2014 on pts/5
[[email protected] ~]$ cd /sfnews1/
[[email protected] sfnews1]$ ls -lR example/
example/:
total 0
[[email protected] sfnews1]$ cd example/

-bash: cd: example/: Permission denied
[[email protected] sfnews1]$ getfacl example/

# file: example
# owner: sfnews1
# group: sfnews1
user::rwx
user:sfnews1:rwx
user:sfnews2:r--
group::rwx
mask::rwx
other::---

Step 7: Now give ‘execute’ permission to ‘sfnews2’ on the ‘example’ folder and then use the ‘cd’ command to see the effect. Now ‘sfnews2’ has permission to view and change into the directory, but doesn’t have permission to write anything.

[[email protected] sfnews1]$ setfacl -m u:sfnews2:r-x example/
[[email protected] sfnews1]$ getfacl example/

# file: example
# owner: sfnews1
# group: sfnews1
user::rwx
user:sfnews1:rwx
user:sfnews2:r-x
group::rwx
mask::rwx
other::---
[[email protected] ~]$ su - sfnews2

Last login: Thu Apr 17 15:09:49 IST 2014 on pts/5
[[email protected] ~]$ cd /sfnews1/
[[email protected] sfnews1]$ cd example/
[[email protected] example]$ getfacl .
[[email protected] example]$ mkdir test

mkdir: cannot create directory ‘test’: Permission denied
[[email protected] example]$ touch test

touch: cannot touch ‘test’: Permission denied

Note: After implementing ACLs, you will see an extra ‘+’ sign in the ‘ls -l’ output, as below.

[[email protected] sfnews1]# ll

total 4
drwxrwx---+ 2 sfnews1 sfnews1 4096 Apr 17 17:01 example
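
Why ‘cd’ fails in Step 6 and succeeds in Step 7, and what the mask line in the getfacl output does, worked through as an added Python example that is not part of the original article. It parses getfacl-style text and applies the POSIX ACL check order (owner, named user, group class, other); the function names are hypothetical and the sample ACLs are constructed from the outputs shown in Steps 5 and 7.

```python
def to_bits(perms):
    """'r-x' -> 5, using the usual r=4, w=2, x=1 encoding."""
    return sum(bit for ch, bit in (("r", 4), ("w", 2), ("x", 1)) if ch in perms)


def parse_getfacl(text):
    """Parse the access ACL from getfacl output; default: entries are skipped."""
    acl = {"owner": None, "group": None, "user_obj": 0, "group_obj": 0,
           "other": 0, "mask": None, "users": {}, "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif (not line or line.startswith("#") or line.startswith("default:")
              or line.startswith("getfacl:")):
            continue
        else:
            # Drop a trailing "#effective:..." comment before splitting.
            tag, qualifier, perms = line.split("#", 1)[0].strip().split(":")
            bits = to_bits(perms)
            if tag == "user" and qualifier:
                acl["users"][qualifier] = bits
            elif tag == "user":
                acl["user_obj"] = bits
            elif tag == "group" and qualifier:
                acl["groups"][qualifier] = bits
            elif tag == "group":
                acl["group_obj"] = bits
            elif tag == "mask":
                acl["mask"] = bits
            elif tag == "other":
                acl["other"] = bits
    return acl


def check(acl, user, groups, want):
    """Return (granted, entry that decided) for the permissions in `want`."""
    need = to_bits(want)
    mask = 7 if acl["mask"] is None else acl["mask"]
    if user == acl["owner"]:
        # The owner always uses user:: and is not limited by the mask.
        return (acl["user_obj"] & need) == need, "user::"
    if user in acl["users"]:
        return (acl["users"][user] & mask & need) == need, "user:" + user
    candidates = []
    if acl["group"] in groups:
        candidates.append(acl["group_obj"])
    candidates += [bits for name, bits in acl["groups"].items() if name in groups]
    if candidates:
        # One matching group entry must grant everything; no fall-through to other.
        return any((b & mask & need) == need for b in candidates), "group class"
    return (acl["other"] & need) == need, "other::"


# Constructed from the Step 5 and Step 7 outputs above.
STEP5 = """# file: example
# owner: sfnews1
# group: sfnews1
user::rwx
user:sfnews1:rwx
user:sfnews2:r--
group::r-x
mask::rwx
other::---
"""
STEP7 = STEP5.replace("user:sfnews2:r--", "user:sfnews2:r-x")

if __name__ == "__main__":
    member = ["sfnews2", "acl"]
    print(check(parse_getfacl(STEP5), "sfnews2", member, "x"))  # cd denied
    print(check(parse_getfacl(STEP7), "sfnews2", member, "x"))  # cd allowed
    print(check(parse_getfacl(STEP7), "sfnews2", member, "w"))  # mkdir denied
```

The entry user:sfnews1:rwx set in Step 5 is never consulted, because sfnews1 owns the directory and the owner entry is matched first.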

LUKS: Linux Hard Disk Data Encryption with NTFS Support in Linux

Published: 2019-05-28 19:21:57

LUKS stands for Linux Unified Key Setup, a widely used method of disk encryption used by the Linux kernel and implemented with the cryptsetup package.

The cryptsetup command line encrypts a volume on the fly using a symmetric encryption key derived from the supplied passphrase, which must be provided every time a volume, a partition or a whole disk (even a USB stick) is mounted in the filesystem hierarchy. It uses the aes-cbc-essiv:sha256 cipher.

Linux Hard Disk Encryption Using LUKS

Because LUKS can encrypt entire block devices (hard-disks, USB sticks, Flash disks, partitions, volume groups, etc.) on Linux systems, it is largely recommended for protecting removable storage media, laptop hard-disks or Linux swap files, and not recommended for file-level encryption.

NTFS (New Technology File System) is a proprietary file system developed by Microsoft.

Ubuntu 14.04 provides full support for LUKS encryption and also NTFS native support for Windows with the help of ntfs-3g package.

To prove my point, in this tutorial I’ve added a new hard-disk (the 4th) to an Ubuntu 14.04 box (the system reference to the newly added HDD is /dev/sdd), which will be divided into two partitions.

  1. One partition (/dev/sdd1 -primary) used for LUKS encryption.
  2. The second partition (/dev/sdd5 – extended) formatted NTFS for accessing data on both Linux and Windows based systems.

Also the partitions will be automatically mounted on Ubuntu 14.04 after reboot.

Step 1: Create Disk Partitions

1. After your hard-disk is physically added to your machine, use the ls command to list all /dev devices (the fourth disk is /dev/sdd).

# ls /dev/sd*

List Partitions in Linux

2. Next check your newly added HDD with fdisk command.

$ sudo fdisk -l /dev/sdd

Check Linux Hard Disk

Because no filesystem has been written whatsoever, the disk doesn’t contain a valid partition table yet.

3. The next step slices the hard-disk into two partitions using the cfdisk disk utility.

$ sudo cfdisk /dev/sdd

4. The next screen opens cfdisk interactive mode. Select your hard-disk Free space and navigate to New option using left/right key arrows.

cfdisk Interactive Mode

5. Choose your partition type as Primary and hit Enter.

Select Your Partition Type

6. Write down your desired partition size in MB.

Write Down Partition Size

7. Create this partition at the Beginning of hard-disk Free space.

Create a Partition

8. Next navigate to partition Type option and hit Enter.

Partition Type

9. The next prompt presents a list of all filesystem types and their number codes (hex numbers). This partition will be Linux LUKS encrypted, so choose code 83 and hit Enter again to create the partition.

Enter File System Type

10. The first partition is created and the cfdisk utility prompt goes back to beginning. To create the second partition used as NTFS select the remaining Free space, navigate to New option and press Enter key.

Create New Partition

11. This time the partition will be an Extended Logical one. So, navigate to Logical option and again press Enter.

Select Logical Partition Type

12. Enter your partition size again. For using the remaining free space as the new partition leave the default value on size and just press Enter.

Enter Size of Partition

13. Again choose your partition type code. For NTFS filesystem choose 86 volume code.

Select Partition Type

14. After reviewing and verifying partitions select Write, answer yes on next interactive prompt question then Quit to leave cfdisk utility.

Write Partition Table to Disk

Confirm Changes

Quit to leave cfdisk utility

Congratulations! Your partitions have been successfully created and are now ready to be formatted and used.

15. To verify the disk partition table again, issue the fdisk command once more, which will show detailed partition table information.

$ sudo fdisk -l /dev/sdd

Confirm Partition Table

Step 2: Create Partition Filesystem

NTFS Filesystem

16. To create NTFS filesystem on second partition run mkfs command.

$ sudo mkfs.ntfs /dev/sdd5

Create NTFS Filesystem

17. To make the partition available it must be mounted on filesystem to a mount point. Mount the second partition on fourth hard-disk to /opt mount point using mount command.

$ sudo mount /dev/sdd5 /opt

18. Next, check if partition is available and is listed in /etc/mtab file using cat command.

$ cat /etc/mtab

Check Partition Availability

19. To unmount partition use the following command.

$ sudo umount /opt

EXT4 LUKS

20. Make sure cryptsetup package is installed on your system.

$ sudo apt-get install cryptsetup		[On Debian Based Systems]

# yum install cryptsetup				[On RedHat Based Systems]

21. Now it is time to format the first partition on the fourth hard-disk with the ext4 filesystem by issuing the following command.

$ sudo luksformat  -t ext4  /dev/sdd1

Answer with uppercase YES to the “Are you sure?” question and enter your desired passphrase three times.

Format Partition

Note: Depending on your partition size and HDD speed the filesystem creation can take a while.

22. You can also verify partition device status.

$ sudo cryptsetup luksDump  /dev/sdd1

Verify Partition Status

23. LUKS supports a maximum of 8 passwords. To add a password use the following command.

$ sudo cryptsetup luksAddKey /dev/sdd1

Add a Password

To remove a password use.

$ sudo cryptsetup luksRemoveKey /dev/sdd1

Remove a Password

24. For this encrypted partition to be active, it must have a name entry (be initialized) in the /dev/mapper directory with the help of the cryptsetup package.

This setting requires the following command line syntax:

$ sudo cryptsetup luksOpen  /dev/LUKS_partition  device_name

Where “device_name” can be any descriptive name you like (I’ve named mine crypted_volume). The actual command will look as shown below.

$ sudo cryptsetup luksOpen  /dev/sdd1 crypted_volume

Active Encrypted Partition

25. Then verify that your device is listed in the /dev/mapper directory, and check its symbolic link and device status.

$ ls /dev/mapper
$ ls -all /dev/mapper/crypted_volume

Verify Encrypted Partition

$ sudo cryptsetup -v status crypted_volume

Encrypted Partition Status

26. Now, to make the partition available, mount it on your system under a mount point using the mount command.

$ sudo mount  /dev/mapper/crypted_volume  /mnt

Mount Encrypted Partition

As can be seen the partition is mounted and accessible for writing data.

27. To make it unavailable, just unmount it from your system and close the device.

$ sudo umount  /mnt
$ sudo cryptsetup luksClose crypted_volume

Umount Encrypted Partition

Step 3: Mount Partition Automatically

If you use a fixed hard-disk and need both partitions to be automatically mounted by the system after reboot, you must follow these two steps.

28. First edit the /etc/crypttab file and add the following data.

$ sudo nano /etc/crypttab

  1. Target name: A descriptive name for your device (see above point 22 on EXT4 LUKS).
  2. Source drive: The hard-disk partition formatted for LUKS (see above point 21 on EXT4 LUKS).
  3. Key file: Choose none
  4. Options: Specify luks

The final line would look as shown below.

encrypt_volume               /dev/sdd1          none       luks

Mount Partition Automatically

29. Then edit /etc/fstab and specify your device name, mount point, filesystem type and other options.

$ sudo nano /etc/fstab

On last line use the following syntax.

/dev/mapper/device_name (or UUID)	/mount_point     filesystem_type     options    dump   pass

And add your specific content.

/dev/mapper/encrypt_volume      /mnt    ext4    defaults,errors=remount-ro     0     0

Add Partition Entry in Fstab

30. To get device UUID use the following command.

$ sudo blkid

Get Device UUID

31. To also add the NTFS partition created earlier, use the same syntax as above on a new line in fstab (here Linux file append redirection is used).

$ sudo su -
# echo "/dev/sdd5	/opt	ntfs		defaults		0              0"  >> /etc/fstab

Add NTFS Partition in fstab

32. To verify changes reboot your machine, press Enter after “Starting configure network device” boot message and type your device passphrase.

Reboot Machine

Verify Partition is Mounted Automatically

As you can see, both disk partitions were automatically mounted in the Ubuntu filesystem hierarchy. As a piece of advice, do not use automatically mounted encrypted volumes from the fstab file on physically remote servers if you don’t have access to the reboot sequence to provide your encrypted volume password.

The same settings can be applied to all types of removable media such as USB sticks, Flash memory, external hard-disks, etc. for protecting important, secret or sensitive data in case of eavesdropping or theft.
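
Steps 28 and 29 only work together if the target name in /etc/crypttab is exactly the name used under /dev/mapper in /etc/fstab; the manual steps open the volume as crypted_volume while the boot files use encrypt_volume, so the two names are easy to mix up. The Python check below is an added example, not part of the original article: the function names are hypothetical, the sample lines are the article's entries plus one constructed mismatch, and it also reports the situation the closing advice warns about (a passphrase needed on the console at boot).

```python
def rows(text):
    """Non-blank, non-comment lines split into whitespace-separated fields."""
    stripped = (raw.strip() for raw in text.splitlines())
    return [line.split() for line in stripped if line and not line.startswith("#")]


def check_boot_config(crypttab_text, fstab_text):
    """Cross-check crypttab targets against /dev/mapper entries in fstab.

    Returns a list of (mapping name, finding) tuples. LVM volumes also live
    under /dev/mapper and would be reported as unknown mappings, so this is
    meant for hosts where /dev/mapper entries in fstab are LUKS targets."""
    findings = []
    targets = set()
    for fields in rows(crypttab_text):
        if len(fields) < 2:
            findings.append(("crypttab", "malformed line: " + " ".join(fields)))
            continue
        name, source = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        targets.add(name)
        if keyfile in ("none", "-"):
            # No key file: someone has to type the passphrase during boot.
            findings.append((name, "passphrase is typed on the console at boot"))
        if source.startswith("/dev/sd"):
            # Kernel names such as /dev/sdd can change when disks are added.
            findings.append((name, "source is a kernel device name; UUID= is stable"))
    for fields in rows(fstab_text):
        device = fields[0]
        if device.startswith("/dev/mapper/"):
            name = device[len("/dev/mapper/"):]
            if name not in targets:
                findings.append((name, "fstab mounts this mapping but crypttab never opens it"))
    return findings


# The article's entries (steps 28, 29 and 31).
PAGE_CRYPTTAB = "encrypt_volume               /dev/sdd1          none       luks\n"
PAGE_FSTAB = (
    "/dev/mapper/encrypt_volume      /mnt    ext4    defaults,errors=remount-ro     0     0\n"
    "/dev/sdd5\t/opt\tntfs\tdefaults\t0\t0\n"
)
# Constructed mistake: fstab written with the name used for the manual luksOpen.
MISMATCH_FSTAB = PAGE_FSTAB.replace("encrypt_volume", "crypted_volume")

if __name__ == "__main__":
    for label, fstab in (("article", PAGE_FSTAB), ("mismatch", MISMATCH_FSTAB)):
        for name, finding in check_boot_config(PAGE_CRYPTTAB, fstab):
            print(label, name, finding)
```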

25 Useful Apache ‘.htaccess’ Tricks to Secure and Customize Websites

Published: 2019-05-28 18:52:51

Websites are important parts of our lives. They serve as the means to expand businesses, share knowledge and lots more. Earlier restricted to providing only static content, websites can now be made fully dynamic thanks to the introduction of dynamic client- and server-side scripting languages and the continued advancement of existing static languages such as HTML to HTML5, and what is left is expected to follow in the near future.

With websites comes the need for a unit that can display these websites to a huge audience all over the globe. This need is fulfilled by the servers that provide the means to host a website. This includes a list of servers like Apache HTTP Server, Joomla, and WordPress that allow one to host their websites.

25 htaccess Tricks

Anyone who wants to host a website can create a local server of their own or can contact any of the above-mentioned or any other server administrator to host the website. But the actual issue starts from this point. Performance of a website depends mainly on the following factors:

  1. Bandwidth consumed by the website.
  2. How secure the website is against hackers.
  3. Optimization when it comes to searching data through the database.
  4. User-friendliness when it comes to displaying navigation menus and providing more UI features.

Alongside this, various factors that govern the success of servers in hosting websites are:

  1. Amount of data compression achieved for a particular website.
  2. Ability to simultaneously serve multiple clients asking for the same or different websites.
  3. Securing the confidential data entered on the websites, like emails, credit card details and so on.
  4. Allowing more and more options to make a website more dynamic.

This article deals with one such feature provided by servers that helps enhance the performance of websites along with securing them from bad bots, hotlinks, etc., i.e. the ‘.htaccess’ file.

What is .htaccess?

.htaccess (or hypertext access) files provide options for website owners to control the server environment variables and other parameters to enhance the functionality of their websites. These files can reside in any and every directory in the directory tree of the website and provide features to the directory and the files and folders inside it.

What are these features? They are server directives, i.e. lines that instruct the server to perform a specific task, and these directives apply only to the files and folders inside the folder in which the file is placed. These files are hidden by default, as all operating systems and web servers are configured to ignore them by default, but making hidden files visible lets you see this very special file. What type of parameters can be controlled is the topic of discussion of subsequent sections.

Note: If a .htaccess file is placed in the /apache/home/www/Gunjit/ directory, it will provide directives for all the files and folders in that directory, but if this directory contains another folder, namely /Gunjit/images/, which has its own .htaccess file, then the directives in this folder will override those provided by the master .htaccess file (or the file in the folder higher up in the hierarchy).

Apache Server and .htaccess files

Apache HTTP Server, colloquially called Apache, was named after the Native American Apache tribe to respect its superior skills in warfare strategy. Built on C/C++ and XML, it is a cross-platform web server which is based on the NCSA HTTPd server and has a key role in the growth and advancement of the World Wide Web.

Most commonly used on UNIX, Apache is available for a wide variety of platforms including FreeBSD, Linux, Windows, Mac OS, Novell NetWare, etc. In 2009, Apache became the first server to serve more than 100 million websites.

Apache server has one .htaccess file per user in the www/ directory. Although these files are hidden, they can be made visible if required. In the www/ directory there are a number of folders, each pertaining to a website and named after the user or owner. Apart from this, you can have one .htaccess file in each folder, which configures the files in that folder as stated above.

How to configure the htaccess file on an Apache server is as follows…

Configuration on Apache Server

There can be two cases:

Hosting website on own server

In this case, if .htaccess files are not enabled, you can enable them by simply going to httpd.conf (the default configuration file for the Apache HTTP daemon) and finding the <Directory> section.

<Directory "/var/www/htdocs">

And locate the line that says…

AllowOverride None

And change it to:

AllowOverride All

Now, on restarting Apache, .htaccess will work.

Hosting website on different hosting provider server

In this case it is better to consult the hosting admin, if they allow access to .htaccess files.

25 ‘.htaccess’ Tricks of Apache Web Server for Websites

1. How to enable mod_rewrite in .htaccess file

The mod_rewrite option allows you to use redirections and to hide your true URL by redirecting to some other URL. This option can prove very useful, allowing you to replace long URLs with short, easy-to-remember ones.

To allow mod_rewrite, make it a practice to add the following line as the first line of your .htaccess file.

Options +FollowSymLinks

This option allows the server to follow symbolic links and thus enables the mod_rewrite option on the website. Replacing a URL with a short and crisp one is presented later on.

2. How to Allow or Deny Access to Websites

A .htaccess file can allow or deny access to a website, or to a folder or files in the directory in which it is placed, by using the Order, Allow and Deny keywords.

Allowing access to only 192.168.3.1 IP

Order Deny,Allow
Deny from All
Allow from 192.168.3.1

OR

Order Allow,Deny
Allow from 192.168.3.1

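The Order keyword specifies the order in which the Allow and Deny statements are processed. With 'Order Allow,Deny', the Allow statements are processed first and then the Deny statements, so a client matched by both is denied and a client matched by neither is denied. With 'Order Deny,Allow', the Deny statements are processed first and a matching Allow statement overrides them, while a client matched by neither is allowed. The argument is written without a space after the comma.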

Denying access to only one IP Address

The lines below allow access to the website for all users except the one with IP address 192.168.3.1.

Order Allow,Deny
Deny from 192.168.3.1
Allow from All

OR

Order Deny,Allow
Deny from 192.168.3.1
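
The evaluation rules of the two Order modes can be checked with a small model before a rule set goes live. This is an added example, not part of the original article: it models only 'all', single IPs and CIDR ranges, and 10.0.0.5 and the rule-set names are constructed for illustration.

```python
import ipaddress

def parse(block):
    """Return (order, allow_specs, deny_specs) from Order/Allow/Deny lines."""
    order, allow, deny = "deny,allow", [], []      # Apache's default Order
    for line in block.strip().splitlines():
        words = line.split()
        if not words:
            continue
        key = words[0].lower()
        if key == "order":
            if len(words) != 2:                    # "Order Allow, Deny" is two arguments
                raise ValueError("Order takes one argument, no space after the comma")
            order = words[1].lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
        else:
            raise ValueError(f"unsupported line: {line!r}")
    return order, allow, deny

def matches(specs, ip):
    """True if ip matches any spec; only 'all', single IPs and CIDR are modelled."""
    addr = ipaddress.ip_address(ip)
    return any(s.lower() == "all" or addr in ipaddress.ip_network(s, strict=False)
               for s in specs)

def allowed(block, ip):
    """Decide access for ip the way the two Order modes do."""
    order, allow, deny = parse(block)
    a, d = matches(allow, ip), matches(deny, ip)
    if order == "allow,deny":      # Deny wins on overlap; no match means denied
        return a and not d
    if order == "deny,allow":      # Allow wins on overlap; no match means allowed
        return a or not d
    raise ValueError(f"unsupported Order: {order}")

# Constructed rule sets; 10.0.0.5 stands for "any other client".
ONLY_ONE_IP  = "Order Deny,Allow\nDeny from All\nAllow from 192.168.3.1"
ALLOW_LISTED = "Order Allow,Deny\nAllow from 192.168.3.1"
BLOCK_ONE_IP = "Order Allow,Deny\nDeny from 192.168.3.1\nAllow from All"
LOCKS_OUT    = "Order Allow,Deny\nDeny from All\nAllow from 192.168.3.1"  # denies everyone

if __name__ == "__main__":
    for name in ("ONLY_ONE_IP", "ALLOW_LISTED", "BLOCK_ONE_IP", "LOCKS_OUT"):
        for ip in ("192.168.3.1", "10.0.0.5"):
            verdict = "allow" if allowed(globals()[name], ip) else "deny"
            print(f"{name:13} {ip:12} {verdict}")
```

The LOCKS_OUT set shows why 'Deny from All' must not be combined with 'Order Allow,Deny' when one address is meant to get through. On Apache 2.4 these directives are provided by mod_access_compat, and the Require directive is the current way to express the same rules.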

3. Generate Apache Error documents for different error codes.

With a few simple lines, we can set the error document that is served for the different error codes generated by the server when a client requests a page that is not available on the website; most of us have seen the ‘404 Page not found’ page in a web browser. ‘.htaccess’ files specify what action to take in such error conditions.

To do this, add the following line to the ‘.htaccess’ file:

ErrorDocument <error-code> <path-of-document/string-representing-html-file-content>

‘ErrorDocument’ is a keyword, ‘error-code’ can be any of 401, 403, 404, 500 or any other valid error code, and ‘path-of-document’ is the path on the local machine (if you are using your own local server) or on the server (if you are using someone else’s server to host your website).

Example:
ErrorDocument 404 /error-docs/error-404.html

The above line sets the document ‘error-404.html’, placed in the error-docs folder, to be displayed when the server reports a 404 error for an invalid page request by the client.

ErrorDocument 404 "<html><head><title>404 Page not found</title></head><body><p>The page you request is not present. Check the URL you have typed</p></body></html>"

The above form is also valid; it supplies a string representing the content of an HTML file instead of a path.

4. Setting/Unsetting Apache server environment variables

In a .htaccess file you can set or unset the global environment variables that the server allows website hosters to modify. To set or unset environment variables, add the following lines to your .htaccess file.

Setting the Environment variables

SetEnv OWNER "Gunjit Khera"

Unsetting the Environment variables

UnsetEnv OWNER

5. Defining different MIME types for files

MIME (Multipurpose Internet Mail Extensions) types are the types recognized by the browser by default when running any web page. You can define MIME types for your website in .htaccess files, so that the different file types you define can be recognized and served by the server.

<IfModule mod_mime.c>
    AddType application/javascript    js
    AddType application/x-font-ttf    ttf ttc
</IfModule>

Here, mod_mime.c is the module that controls the definitions of MIME types. If this module is installed on your system, you can use it to define MIME types for the different extensions used on your website so that the server can understand them.

6. How to Limit the size of Uploads and Downloads in Apache

.htaccess files let you control the amount of data uploaded or downloaded by a particular client from your website. To do so, append the following lines to your .htaccess file:

php_value upload_max_filesize 20M
php_value post_max_size 20M
php_value max_execution_time 200
php_value max_input_time 200

The above lines set the maximum upload size, the maximum size of posted data, the maximum execution time (i.e. the maximum time a user is allowed to execute a website on his local machine), and the maximum time allowed for input.

How to Install and Use Linux Malware Detect (LMD) with ClamAV as Antivirus Engine

This article was published on 2019-05-28 18:52:00.

Malware, or malicious software, is the designation given to any program that aims at disrupting the normal operation of a computing system. Although the most well known forms of malware are viruses, spyware, and adware, the harm that they intend to cause may range from stealing private information to deleting personal data, and everything in between, while another classic use of malware is to control the system in order to use it to launch botnets in a (D)DoS attack.

In other words, you can’t afford to think, “I don’t need to secure my system(s) against malware since I’m not storing any sensitive or important data”, because those are not the only targets of malware.

For that reason, in this article we will explain how to install and configure Linux Malware Detect (aka MalDet or LMD for short) along with ClamAV (Antivirus Engine) in RHEL 7.0/6.x (where x is the version number), CentOS 7.0/6.x and Fedora 21-12.

LMD is a malware scanner released under the GPL v2 license, specially designed for hosting environments. However, you will quickly realize that you will benefit from MalDet no matter what kind of environment you’re working on.

Installing LMD on RHEL/CentOS 7.0/6.x and Fedora 21-12

LMD is not available from online repositories, but is distributed as a tarball from the project’s web site. The tarball containing the source code of the latest version is always available at the following link, where it can be downloaded with:

- wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

Then we need to unpack the tarball and enter the directory where its contents were extracted. Since the current version is 1.4.2, the directory is maldetect-1.4.2. There we will find the installation script, install.sh.

- tar -xvf maldetect-current.tar.gz
- ls -l | grep maldetect

Download Linux Malware Detect

If we inspect the installation script, which is only 75 lines long (including comments), we will see that it not only installs the tool, but also performs a pre-check to see if the default installation directory (/usr/local/maldetect) exists. If not, the script creates the installation directory before proceeding.

Finally, after the installation is completed, a daily execution via cron is scheduled by placing the cron.daily script (refer to the image above) in /etc/cron.daily. This helper script will, among other things, clear old temporary data, check for new LMD releases, and scan the default data directories of Apache and of web control panels (CPanel and DirectAdmin, to name a few).

That being said, run the installation script as usual:

- ./install.sh

Install Linux Malware Detect in Linux

Configuring Linux Malware Detect

The configuration of LMD is handled through /usr/local/maldetect/conf.maldet and all options are well commented to make configuration a rather easy task. In case you get stuck, you can also refer to /usr/local/src/maldetect-1.4.2/README for further instructions.

In the configuration file you will find the following sections, enclosed inside square brackets:

  1. EMAIL ALERTS
  2. QUARANTINE OPTIONS
  3. SCAN OPTIONS
  4. STATISTICAL ANALYSIS
  5. MONITORING OPTIONS

Each of these sections contains several variables that indicate how LMD will behave and what features are available.

  1. Set email_alert=1 if you want to receive email notifications of malware inspection results. For the sake of brevity, we will only relay mail to local system users, but you can explore other options such as sending mail alerts to the outside as well.
  2. Set email_subj="Your subject here" and [email protected] if you have previously set email_alert=1.
  3. With quar_hits, the default quarantine action for malware hits (0 = alert only, 1 = move to quarantine & alert) you will tell LMD what to do when malware is detected.
  4. quar_clean will let you decide whether you want to clean string-based malware injections. Keep in mind that a string signature is, by definition, “a contiguous byte sequence that potentially can match many variants of a malware family”.
  5. quar_susp, the default suspend action for users with hits, will allow you to disable an account whose owned files have been identified as hits.
  6. clamav_scan=1 will tell LMD to attempt to detect the presence of the ClamAV binary and use it as the default scanner engine. This yields up to four times faster scan performance and superior hex analysis. This option only uses ClamAV as the scanner engine, and LMD signatures are still the basis for detecting threats.

Important: Please note that quar_clean and quar_susp require that quar_hits be enabled (=1).

Summing up, the lines with these variables should look as follows in /usr/local/maldetect/conf.maldet:

email_alert=1
[email protected]
email_subj="Malware alerts for $HOSTNAME - $(date +%Y-%m-%d)"
quar_hits=1
quar_clean=1
quar_susp=1
clamav_scan=1