• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • Create a VM ($25 Credit)
  • Buy a Domain
  • 1 Month free Back Blaze Backup
  • Other Deals
    • Domain Email
    • Nixstats Server Monitoring
    • ewww.io Auto WordPress Image Resizing and Acceleration
  • About
  • Links

IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

  • Cloud
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.
    • Setting up a Vultr VM and configuring it
    • All Cloud Articles
  • Dev
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to setup pooled MySQL connections in Node JS that don’t disconnect
    • NodeJS code to handle App logins via API (using MySQL connection pools (1000 connections) and query parameters)
    • Infographic: So you have an idea for an app
    • All Development Articles
  • MySQL
    • Using the free Adminer GUI for MySQL on your website
    • All MySQL Articles
  • Perf
    • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Measuring VM performance (CPU, Disk, Latency, Concurrent Users etc) on Ubuntu and comparing Vultr, Digital Ocean and UpCloud – Part 1 of 4
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Setting up a website to use Cloudflare on a VM hosted on Vultr and Namecheap
    • All Performance Articles
  • Sec
    • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
    • Using OWASP ZAP GUI to scan your Applications for security issues
    • Setting up the Debian Kali Linux distro to perform penetration testing of your systems
    • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
    • PHP implementation to check a password exposure level with Troy Hunt’s pwnedpasswords API
    • Setting strong SSL cryptographic protocols and ciphers on Ubuntu and NGINX
    • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
    • All Security Articles
  • Server
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All Server Articles
  • Ubuntu
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Useful Linux Terminal Commands
    • All Ubuntu Articles
  • VM
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All VM Articles
  • WordPress
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
    • How to backup WordPress on a host that has CPanel
    • Moving WordPress to a new self managed server away from CPanel
    • Moving a CPanel domain with email to a self managed VPS and Gmail
    • All WordPress Articles
  • All

Security

Yubico Security Key NFC

February 23, 2022 by Simon

fyi: My Past YubiKey Reviews

Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App

Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices

Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software

Security Key Series

Introducing the Security Key NFC by Yubico simplified tap and go security key that works on Windows 10 (I tested on Windows 11), iOS and Android devices.

Yubico Security Key NFC USB-A and USB-C Variants
USB-A and USB-C Variants

Looking at the Yubico Compare Products Page I can see the Security Key series is half the price of the Standard YubiKey 5/YubiKey 5 FIPS and YubiKey BIO keys.

Compare Table of YubiKeys

The Yubico Security Key NFC does have some missing features like

  • Yubico OTP
  • OATH – HOTP (Event)
  • OATH – TOTP (Time)
  • OpenPGP
  • Yubico Authenticator OTP Storage
  • No Computer Login (Windows, Mac or Linux)
    • Windows
  • etc

I like the USB-C format over USB-A as my desktop, Mac and phone all have USB-C plugs.

YubiKey Plugged into a UBS-C Port
YubiKey Security Key USB-C Plugged into a MacBook Pro

My growing YubiKey Collection.

4x USB keys
My YubiKey’s

A) YubiKey 4 NEO
B) YubiKey 5Ci
C) YubiKey Security Key C NFC
D) YubiKey Security Key NFC

Seting up the Security Keys

YubiKey do have a setup guide here Let’s get started with your YubiKey (yubico.com)

YubiCo’s wizard allows you to select what services to setup and they provide a video or text based setup guide.

I also set a Key pin with the YubiKey Manager software

Heavy Use (Time To Replace)

My YubiKey 4 NEO (left) has been inserted into my USB A port about 1/2 a million times

YubiKey 4 NEO (left), YubiKey Security Key NFC (right)

Where to Use the New Key

I will use the key wherever I can insert and tap the key. I have immediately added these keys to th efollowiung apps and sites

  • 1Password
  • Cloudflare
  • Google Account
  • Dropbox
  • GitHub
  • My Drive – Google Drive
  • WordPress
  • etc

2FA Directory is a great site for browing what site(s) by category listing is they support 2FA or not.

https://2fa.directory/

Social Category

I have linked the new keys ot my critical sites

I now have a few keys added to critical site and I can put my keys in multiple safe places for backup.

Site A

Site B

Site C

Job done

Security Key Cons

  • No OATH – TOTP (6 digit code based Two Factor Authentication) like on more expensive keys
  • Setting a password with the YubiKey Manager is a bit hidden

Security Key Pros

  • Low Price
  • Simple Tap to Sign in (when setup)

Filed Under: 2FA, Authorization, Security, Yubico, YubiKey

I thought my website was hacked. Here is how I hardened my Linux servers security with Lynis Enterprise

October 24, 2020 by Simon

Disclaimer

I have waited a year before posting this, and I have tried my best to hide the bank’s identity as I never got a good explanation back from them about they the were whitelisting my website.

Background

I was casually reading Twitter one evening and found references to an awesome service (https://publicwww.com/) that allows you to find string references in CSS, JS, CSP etc files on websites.

Search engine that searches the web for the source code of the sites, not the content of them: https://t.co/G7oYQZ4Cbp

— @mikko (@mikko) March 8, 2018

https://t.co/DUyxFD4QbV is one of my new favorite search tools. Finally I can search for html/css/js and see which websites are using it. Really powerful when you think of the right searches…

— Allan Thraen (@athraen) April 26, 2019

See how people are using the publicwww service on Twitter.

I searched https://publicwww.com/ for “https://fearby.com“. I was expecting to only see only resources that were loading from my site.

I was shocked to see a bank in Asia was whistling my website and my websites CDN (hosted via ewww.io) in it’s Content Security Policy.

Screenshot of publicwww.com scan of "fearby.com

I was not hosting content for a bank and they should not be whitelisting my site?

Were they hacked? Was I hacked and delivering malware to their customers? Setting up a Content Security Policy (CSP) is not a trivial thing to do and I would suggest you check out https://report-uri.com/products/content_security_policy (by Scott Helme) for more information on setting up a good Content Security Policy (CSP).

Were we both hacked or was I serving malicious content?

Hacked Koala meme

I have written a few blog posts on creating Content Security Policies, and maybe they did copy my starter Content Security Policy and added it to their site?

I do have a lot of blog readers from their country.

Analytics map of Asia

I went to https://www.securityheaders.com and scanned their site and yes they have whitelisted my website and CDN. This was being sent in a header from their server to any connecting client.

I quickly double-checked the banks Content Security Policy (CSP) with https://cspvalidator.org/ and they too confirmed the bank was telling their customers that my website was ok to load files from.

I would not be worried if a florist’s website had white-listed my website but a bank that has 250 physical branches, 2,500 employees in a country that has 29 million people.

Below is the banks Content Security Policy.

https://cspvalidator.org/ screenshot of the banks csp

I thought I had been hacked into so I downloaded my Nginx log files (with MobaXTerm,) and scanned them for hits to my site from their website.

Screenshot of a years nginx logs.

After I scanned the logs I could see that I had zero traffic from their website

I sent a direct message to Scott Helme on Twitter (CSP Guru) and he replied with advice on the CSP.

Blocking Traffic

As a precaution, I edited my /etc/nginx/sites-available/default file and added this to block all traffic from their site.

if ($http_referer ~* "##########\.com") {
        return 404;
}

I tested and reloaded my Nginx config and restarted my web server

nginx -t
nginx -s reload
/etc/init.d/nginx restart

I also emailed my website CDN’s admin at https://ewww.io/ and asked them to block traffic from the bank as a precaution. They responded quickly as said this was done and they enabled extra logging in case more information was needed data.

If you need a good and fast WordPress Content Delivery Network (CDN) check out https://ewww.io/. They are awesome. Read my old review of ewww.io here.

I contacted the Bank

I searched the bank’s website for a way to contact them, their website was slow, their contact page was limited, they have a chat feature but I needed to log in with FaceBook (I don’t use FaceBook)

I viewed their contact us web page and they had zero dedicated security contacts listed. The CIO was only contactable via phone only.

They did not have a security.txt file on their website.

http://www.bankdomain.com/.well-known/security.txt file not found

TIP: If you run a website, please consider creating a security.txt file, information here.

I then viewed their contact us page and emailed everyone I could.

I asked if they could..

  • Check their logs for malicious files loaded from my site
  • Please remove the references to my website and CDN from their CSP.
  • Hinted they may want to review your CI/CD logs to see why this happened

My Server Hardening (to date)

My website was already hardened but was my site compromised?

Hardening actions to date..

  • Using a VPS firewall, Linux firewall 2x software firewalls
  • I have used the free Lynis Scan
  • Whitelisting access to port 22 to limited IP’s
  • Using hardware 2FA keys on SSH and WordPress Logins
  • Using the WordFence Security Plugin
  • Locked down unwanted ports.
  • I had a strong HTTPS certificate and website configuration (test here)
  • I have set up appropriate security headers (test here). I did need to re-setup a Content Security Policy (keep reading)
  • Performed many actions (some blogged a while ago) here: https://fearby.com/article/securing-ubuntu-cloud/
  • etc

I had used the free version of Lynis before but now is the time to use the Lynis Enterprise.

A free version of Lynis can be installed from Github here: https://github.com/CISOfy/lynis/

What is Lynis Enterprise?

Lynis Enterprise software is commercial auditing, system hardening, compliance testing tool for AIX, FreeBSD, HP-UX, Linux, macOS, NetBSD, OpenBSD, Solaris etc. The Enterprise version is a paid version (with web portal). Lynis Enterprise has more features over the free version.

Snip from here: “Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating system. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open-source software with the GPL license and available since 2007.”

Visit the Lynis Enterprise site here: https://cisofy.com/solutions/#lynis-enterprise.

I created a Lynis Enterprise Trial

I have used the free version of Lynis in the past (read here), but the Enterprise version offers a lot of extra features (read here).

Screenshot of https://cisofy.com/lynis-enterprise/why-upgrade/

View the main Lynis Enterprise site here and the pricing page here

View a tour of features here: https://cisofy.com/lynis-enterprise/

Create a Cisofy Trial Account

You can request a trial of Lynis Enterprise here: https://cisofy.com/demo/

Request a Lynis Enterprise trial screenshot

After the trial account was set up I logged in here. Upon login, I was prompted to add a system to my account (also my licence key was visible)

Lynis portal  main screen

Install Lynis (Clone GIT Repo/latest features)

I am given 3 options to install Lynis from the add system page here.

  1. Add the software repository and install the client (The suggested and easiest way to install Lynis and keep it up-to-date).
  2. Clone the repository from Github (The latest development version, containing the most recent changes)
  3. Manually install or activate an already installed Lynis.

I will clone a fresh install from Github as I prefer seeing the latest issues, latest changes from GitHub notifications. I like getting notifications about security.

I logged into my server via SSH and ran the following command(s).

sudo apt-get instal git
mkdir /thefolder
cd /thefolder
git clone https://github.com/CISOfy/lynis

Cloning into 'lynis'...
remote: Enumerating objects: 7, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 10054 (delta 0), reused 1 (delta 0), pack-reused 10047
Receiving objects: 100% (10054/10054), 4.91 MiB | 26.60 MiB/s, done.
Resolving deltas: 100% (7387/7387), done.

I logged into https://portal.cisofy.com/ and clicked ‘Add’ system to find my API key

I noted my licence key.

I then changed to my Lynis folder

cd lynis

I then created a “custom.prf” file

touch custom.prf

I ran this command to activate my licence (I have replaced my licence with ########’s).

View the documentation here.

./lynis configure settings license-key=########-####-####-####-############:upload-server=portal.cisofy.com

Output:

Configuring setting 'license-key'
Setting changed
Configuring setting 'upload-server'
Setting changed

I performed my first scan and uploaded the report.

TIP: Make sure you have curl installed

./lynis audit system --upload

After the scan is complete, make sure you see the following.

Data upload status (portal.cisofy.com) [ OK ]

I logged into https://portal.cisofy.com/enterprise/systems/ and I could view my systems report.

You can read the basic Lynis documentation here: https://cisofy.com/documentation/lynis/

Manual Lynis Scans

I can run a manual scan at any time

cd /thefolder/lynis/
sudo ./lynis audit system --upload

To view results I can login to https://portal.cisofy.com/

Automated Lynis Scans

I have created a bash script that updates Lynis (basically running ‘sudo /usr/bin/git pull origin master’ in the lynis folder)

#!/bin/bash

sendemail -f [email protected] -t [email protected] -u "CRON: Updating Lynis (yourserver.com) START" -m "/folder/runlynis.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password***

echo "Changing Directory to /folder/lynis"
cd /folder/lynis

echo "Updating Lynis"
sudo /usr/bin/git pull origin master

sendemail -f [email protected] -t [email protected] -u "CRON: Updated Lynis (yourserver.com) END" -m "/folder/runlynis.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password***

This is my bash script that runs Lynis scans and emails the report

#!/bin/bash

sendemail -f [email protected] -t [email protected] -u "CRON: Run Lynis (yourserver.com) START" -m "/folder/runlynis.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password***

echo "Running Lynis Scan"
cd /utils/lynis/
sudo /utils/lynis/lynis audit system --upload > /folder/lynis/lynis.txt

sendemail -f [email protected] -t [email protected] -u "CRON: Run Lynis (yourserver.com) END" -m "/folder/runlynis.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password***  -a /folder/lynis/lynis.txt

I set up two cron jobs to update Lynis (from Git) and to scan with Lynis every day.

#Lynis Update 11:55PM
55 21 * * * /bin/bash /folder/runlynis.sh && curl -fsS --retry 3 https://hc-ping.com/########-####-####-####-############ > /dev/null

#Lynis Scan 2AM
0 2 * * * /bin/bash /folder/runlynis.sh && curl -fsS --retry 3 https://hc-ping.com/########-####-####-####-############ > /dev/null

Thanks to sendemail I get daily emails

I have set up cronjob motoring and emails at the start and end of the bash scripts.

The attachment is not a pretty text file report but a least I can see the output of the scan (without logging into the portal).

Maybe I add the following file also

/var/log/lynis.log

Lynis Enterprise (portal.cisofy.com)

Best of all Lynis Enterprise comes with a great online dashboard available at
https://portal.cisofy.com/enterprise/dashboard/.

Lynis Enterprise Portal

Dashboard (portal.cisofy.com)

Clicking the ‘Dashboard‘ button in the toolbar at the top of the portal reveals a summary of your added systems, alerts, compliance, system integrity, Events and statistics.

Dashboard button

The dashboard has three levels

  • Business (less information)
  • Operational
  • Technical (more information)

Read about the differences here.

three dashboard breadcrumbs

Each dashboard has a limited number of elements, but the technical dashboard has all the elements.

Technical Dashboard

Lynis Enterprise Dashboard https://portal.cisofy.com/enterprise/dashboard/

From here you can click and open server scan results (see below)

Server Details

If you click on a server name you can see detailed information. I created 2 test servers (I am using the awesome UpCloud host)

A second menu appears when you click on a server

Linus Menu

Test Server 01: Ubuntu 18.04 default Scan Results (66/100)

Ubuntu Server Score 66/100

Test Server 02: Debian 9.9 default Scan Results (65/100)

Server

It is interesting to see Debian is 1 point below Ubuntu.

The server page will give a basic summary and highlights like the current and previous hardening score, open ports, firewall status, installed packages, users.

When I click the server name to load the report I can click to see ‘Warnings’ or ‘Suggestions’ to resolve

Suggested System Hardening Actions

I had 47 system hardening recommendations on one system

Lynis identified quick wins.

Some of the security hardening actions included the following.

e.g

  • Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules
  • Incorrect permissions for file /root/.ssh
  • A reboot of the system is most likely needed
  • Found some information disclosure in SMTP banner (OS or software name)
  • Configure maximum password age in /etc/login.defs
  • Default umask in /etc/login.defs could be more strict like 027
  • Add a legal banner to /etc/issue.net, to warn unauthorized users
  • Check available certificates for expiration
  • To decrease the impact of a full /home file system, place /home on a separate partition
  • Install a file integrity tool to monitor changes to critical and sensitive files
  • Check iptables rules to see which rules are currently not used
  • Harden compilers like restricting access to root user only
  • Disable the ‘VRFY’ command
  • Add the IP name and FQDN to /etc/hosts for proper name resolving
  • Purge old/removed packages (59 found) with aptitude purge or dpkg –purge command. This will clean up old configuration files, cron jobs and startup scripts.
  • Remove any unneeded kernel packages
  • Determine if automation tools are present for system management
  • etc

Hardening Suggestion (Ignore or Solve)

If you click ‘Solve‘ Cisofy will provide a link to detailed information to help you solve issues.

Suggested fix: ACCT-9630 Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules

I will not list every suggested problem and fix but here are some fixes below.

ACCT-9630 Audit daemon is enabled with an empty ruleset. Disable the daemon or define rules (fixed)

TIP: If you don’t have auditd installed run this command below to install it

sudo apt-get install auditd
/etc/init.d/auditd start
/etc/init.d/auditd status

I added the following to ‘/etc/audit/rules.d/audit.rules‘ (thanks to the solution recommendations on the Cisofy portal.

# This is an example configuration suitable for most systems
# Before running with this configuration:
# - Remove or comment items which are not applicable
# - Check paths of binaries and files

###################
# Remove any existing rules
###################

-D

###################
# Buffer Size
###################
# Might need to be increased, depending on the load of your system.
-b 8192

###################
# Failure Mode
###################
# 0=Silent
# 1=printk, print failure message
# 2=panic, halt system
-f 1

###################
# Audit the audit logs.
###################
-w /var/log/audit/ -k auditlog

###################
## Auditd configuration
###################
## Modifications to audit configuration that occur while the audit (check your paths)
-w /etc/audit/ -p wa -k auditconfig
-w /etc/libaudit.conf -p wa -k auditconfig
-w /etc/audisp/ -p wa -k audispconfig

###################
# Monitor for use of audit management tools
###################
# Check your paths
-w /sbin/auditctl -p x -k audittools
-w /sbin/auditd -p x -k audittools

###################
# Special files
###################
-a exit,always -F arch=b32 -S mknod -S mknodat -k specialfiles
-a exit,always -F arch=b64 -S mknod -S mknodat -k specialfiles

###################
# Mount operations
###################
-a exit,always -F arch=b32 -S mount -S umount -S umount2 -k mount
-a exit,always -F arch=b64 -S mount -S umount2 -k mount

###################
# Changes to the time
###################
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k time
-a exit,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time
-w /etc/localtime -p wa -k localtime

###################
# Use of stunnel
###################
-w /usr/sbin/stunnel -p x -k stunnel

###################
# Schedule jobs
###################
-w /etc/cron.allow -p wa -k cron
-w /etc/cron.deny -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/crontab -p wa -k cron
-w /var/spool/cron/crontabs/ -k cron

## user, group, password databases
-w /etc/group -p wa -k etcgroup
-w /etc/passwd -p wa -k etcpasswd
-w /etc/gshadow -k etcgroup
-w /etc/shadow -k etcpasswd
-w /etc/security/opasswd -k opasswd

###################
# Monitor usage of passwd command
###################
-w /usr/bin/passwd -p x -k passwd_modification

###################
# Monitor user/group tools
###################
-w /usr/sbin/groupadd -p x -k group_modification
-w /usr/sbin/groupmod -p x -k group_modification
-w /usr/sbin/addgroup -p x -k group_modification
-w /usr/sbin/useradd -p x -k user_modification
-w /usr/sbin/usermod -p x -k user_modification
-w /usr/sbin/adduser -p x -k user_modification

###################
# Login configuration and stored info
###################
-w /etc/login.defs -p wa -k login
-w /etc/securetty -p wa -k login
-w /var/log/faillog -p wa -k login
-w /var/log/lastlog -p wa -k login
-w /var/log/tallylog -p wa -k login

###################
# Network configuration
###################
-w /etc/hosts -p wa -k hosts
-w /etc/network/ -p wa -k network

###################
## system startup scripts
###################
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init

###################
# Library search paths
###################
-w /etc/ld.so.conf -p wa -k libpath

###################
# Kernel parameters and modules
###################
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/modprobe.conf -p wa -k modprobe
###################

###################
# PAM configuration
###################
-w /etc/pam.d/ -p wa -k pam
-w /etc/security/limits.conf -p wa -k pam
-w /etc/security/pam_env.conf -p wa -k pam
-w /etc/security/namespace.conf -p wa -k pam
-w /etc/security/namespace.init -p wa -k pam

###################
# Puppet (SSL)
###################
#-w /etc/puppet/ssl -p wa -k puppet_ssl

###################
# Postfix configuration
###################
#-w /etc/aliases -p wa -k mail
#-w /etc/postfix/ -p wa -k mail
###################

###################
# SSH configuration
###################
-w /etc/ssh/sshd_config -k sshd

###################
# Hostname
###################
-a exit,always -F arch=b32 -S sethostname -k hostname
-a exit,always -F arch=b64 -S sethostname -k hostname

###################
# Changes to issue
###################
-w /etc/issue -p wa -k etcissue
-w /etc/issue.net -p wa -k etcissue

###################
# Log all commands executed by root
###################
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootcmd
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootcmd

###################
## Capture all failures to access on critical elements
###################
-a exit,always -F arch=b64 -S open -F dir=/etc -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/home -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/srv -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/local/bin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/usr/sbin -F success=0 -k unauthedfileacess
-a exit,always -F arch=b64 -S open -F dir=/var -F success=0 -k unauthedfileacess

###################
## su/sudo
###################
-w /bin/su -p x -k priv_esc
-w /usr/bin/sudo -p x -k priv_esc
-w /etc/sudoers -p rw -k priv_esc

###################
# Poweroff/reboot tools
###################
-w /sbin/halt -p x -k power
-w /sbin/poweroff -p x -k power
-w /sbin/reboot -p x -k power
-w /sbin/shutdown -p x -k power

###################
# Make the configuration immutable
###################
-e 2

# EOF

I reloaded my audit daemon config

auditctl -R /etc/audit/rules.d/audit.rules

Further configuration can be added (read this), read the auditd man page here or read logs you can use the ‘auditsearch‘ tool (read the Ubuntu Man Page here)

Here is a great guide on viewing audit events.

Because we have this rule ( ‘-w /etc/passwd -p wa -k etcpasswd ) to monitor the passwords file, If I read the contents of \etc\passwd it will show up in the audit logs.

We can verify the access of this file by running this command

ausearch -f /etc/passwd

Output

ausearch -f /etc/passwd
----
time->Mon Jun 10 16:58:13 2019
type=PROCTITLE msg=audit(##########.897:3639): proctitle=##########################
type=PATH msg=audit(##########.897:3639): item=1 name="/etc/passwd" inode=1303 dev=fc:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(##########.897:3639): item=0 name="/etc/" inode=12 dev=fc:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(##########.897:3639): cwd="/root"
type=SYSCALL msg=audit(##########.897:3639): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=556241ea9650 a2=441 a3=1b6 items=2 ppid=1571 pid=1572 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=446 comm="nano" exe="/bin/nano" key="etcpasswd"

I might write a list of handy ausearech commands and blog about this in the future

SSH Permissions (fixed)

to fish the ssh permissions warning I ran the command to show the issue on my server

./lynis show details FILE-7524
2019-05-25 23:00:04 Performing test ID FILE-7524 (Perform file permissions check)
2019-05-25 23:00:04 Test: Checking file permissions
2019-05-25 23:00:04 Using profile /utils/lynis/default.prf for baseline.
2019-05-25 23:00:04 Checking /etc/lilo.conf
2019-05-25 23:00:04   Expected permissions:
2019-05-25 23:00:04   Actual permissions:
2019-05-25 23:00:04   Result: FILE_NOT_FOUND
2019-05-25 23:00:04 Checking /root/.ssh
2019-05-25 23:00:04   Expected permissions: rwx------
2019-05-25 23:00:04   Actual permissions: rwxr-xr-x
2019-05-25 23:00:04   Result: BAD
2019-05-25 23:00:04 Warning: Incorrect permissions for file /root/.ssh [test:FILE-7524] [details:-] [solution:-]
2019-05-25 23:00:04 Using profile /utils/lynis/custom.prf for baseline.
2019-05-25 23:00:04 Checking permissions of /utils/lynis/include/tests_homedirs
2019-05-25 23:00:04 File permissions are OK
2019-05-25 23:00:04 ===---------------------------------------------------------------===

I tightened permissions on the /root/.ssh folder with this command

chmod 700 /root/.ssh

Configure minimum/maximum password age in /etc/login.defs (fixed)

I set a maximum and minimum password age in ‘/etc/login.defs‘

Defaults

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7

Add a legal banner to /etc/issue, to warn unauthorized users (fixed)

I edited ‘/etc/issue’ on Ubuntu and Linux

Ubuntu 18.04 default

Ubuntu 18.04.2 LTS \n \l

Debian Default

Debian GNU/Linux 9 \n \l

Cisofy said this “Define a banner text to inform both authorized and unauthorized users about the machine and service they are about to access. The purpose is to share your policy before an access attempt is being made. Users should know that there privacy might be invaded, due to monitoring of the system and its resources, to protect the integrity of the system. Also unauthorized users should be deterred from trying to access it in the first place.“

Done

Default umask in /etc/login.defs could be more strict like 027 (fixed)

Related files..

  • /etc/profile
  • /etc/login.defs
  • /etc/passwd

I edited ‘/etc/login.defs’ and set

UMASK           027

I ran

umask 027 /etc/profile
umask 027 /etc/login.defs
umask 027 /etc/passwd

Check iptables rules to see which rules are currently not used (fixed)

I ran the following command to review my firewall settings

iptables --list --numeric --verbose

TIP: Scan for open ports with ‘nmap’

Watch this handy video if you are not sure how to use nmap

Install nmap

sudo apt-get install nmap

I do set firewall rules in ufw (guide here) and ufw is a front end for iptables.

Scan for open ports with nmap

nmap -v -sT localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2019-06-12 22:09 AEST
Initiating Connect Scan at 22:09
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 443/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 8080/tcp on 127.0.0.1
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Completed Connect Scan at 22:09, 0.02s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00012s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy

Everything looked good.

Harden compilers like restricting access to root user only (fixed)

Cicofy said

Compilers turn source code into binary executable code. For a production system a compiler is usually not needed, unless package upgrades are performed by means of their source code (like FreeBSD ports collection). If a compiler is found, execution should be limited to authorized users only (e.g. root user).

To solve this finding, remove any unneeded compiler or change the file permissions. Usually chmod 700 or chmod 750 will be enough to prevent normal users from using a compiler. Related compilers are as, cc, ld, gcc, go etc. To determine what files are affected, check the Lynis log file, then chmod these files.

I ran

chmod 700 /usr/bin/as
chmod 700 /usr/bin/gcc

Turn off PHP information exposure (fixed)

Cisofy siad

Disable the display of version information by setting the expose_php option to 'Off' in php.ini. As several instances of PHP might be installed, ensure that all related php.ini files have this setting turned off, otherwise this control will show up again.

This was already turned off but a unused php.ini may have been detected.

I searched for all php.ini files

find / -name php.ini

Output

/etc/php/7.3/apache2/php.ini
/etc/php/7.3/fpm/php.ini
/etc/php/7.3/cli/php.ini

yep, the cli version of php.ini had the following

expose_php = On

I set this to Off

Purge old/removed packages (59 found) with aptitude purge or dpkg –purge command. This will cleanup old configuration files, cron jobs and startup scripts. (fixed)

Cisofy said

While not directly a security concern, unpurged packages are not installed but still have remains left on the system (e.g. configuration files). In case software is reinstalled, an old configuration might be applied. Proper cleanups are therefore advised.

To remove the unneeded packages, select the ones marked with the 'rc' status. This means the package is removed, but the configuration files are still there.

I ran the following recommended command

dpkg -l | grep "^rc" | cut -d " " -f 3 | xargs dpkg --purge

Done

Install debsums utility for the verification of packages with known good database. (fixed)Cisofy said

Install the debsums utility to do more in-depth auditing of your packages.

I ran the following suggested command

apt-get install debsums

I googled and found this handy page

I scanned packages and asked ‘debsums” to only show errors with this command

sudo debsums -s

The only error was..

debsums: missing file /usr/bin/pip (from python-pip package)

I did not need pip so I removed it

apt-get remove --purge python-pip

Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc (fixed)

I ignore this as I do not allow logins via password and only I have an account (it’s not a multi user system).

I white list logins to IP’s.

I only allow ssh access with a private key and long passphrase.

I have 2FA OTP enabled at logins.

I have cloudflare over my domain.

I setup fail2ban to auto block logins using this guide

Reboot (fixed)

I restated the server

shutdown -r now

Done

Check available certificates for expiration (fixed)

I tested my SSL certificate with https://dev.ssllabs.com

https://dev.ssllabs.com/ scan of my site

Add legal banner to /etc/issue.net, to warn unauthorized users (fixed)

Cisofy said…

Define a banner text to inform both authorized and unauthorized users about the machine and service they are about to access. The purpose is to share your policy before an access attempt is being made. Users should know that there privacy might be invaded, due to monitoring of the system and its resources, to protect the integrity of the system. Also unauthorized users should be deterred from trying to access it in the first place.

Do not reveal sensitive information, like the specific goal of the machine, or what can be found on it. Consult with your legal department, to determine appropriate text.

I edited the file ‘/etc/issue.net’ and added a default pre login message (same as ‘/etc/issue’).

Install Apache mod_evasive to guard webserver against DoS/brute force attempts (ignored)

I ignored this message and I don’t use the Apache (I use the Nginx web server). I have added Apache to be blocked from installing.

I clicked Ignore in the Cisofy portal.

Ignore Button

Install Apache modsecurity to guard webserver against web application attacks (ignored)

I clicked Ignore for this one too

Ignore Button

Check your Nginx access log for proper functioning (reviewed)

Cisofy said…

Disabled logging:
Check in the Lynis log for entries which are disabled, or in the nginx configuration (access_log off).

Missing logging:
Check for missing log files. They are references in the configuration of nginx, but not on disk. The Lynis log will reveal to what specific files this applies.

I checked my Nginx config (‘/etc/nginx/nginx.conf‘) for all log references and ensured the logs were writing to disk (OK).

I checked my ‘/etc/nginx/sites-available/default‘ config and I did have 2 settings of ‘access_log off ‘ (this was added during the setup for two sub reporting subfolders for the Nixstats agent.

I restarted Nginx

nginx -t
nginx -s reload
/etc/init.d/nginx restart

Check what deleted files are still in use and why. (fixed)

Cisofy said..

Why it matters
Deleted files may sometimes be in use by applications. Normally this should not happen, as an application should delete a file and release the file handle. This test might discover malicious software, trying to hide its presence on the system. Investigate the related files by determining which application keeps it open and the related reason.

Details
The following details have been found as part of the scan.

/lib/systemd/systemd-logind(systemd-l)
/tmp/ib1ekCtf(mysqld)
/tmp/ibhuK1At(mysqld)
/tmp/ibmTO5F5(mysqld)
/tmp/ibR0dkxD(mysqld)
/tmp/ibvf69KH(mysqld)
/tmp/.ZendSem.gq3mnz(php-fpm7.)
/usr/bin/python3.6(networkd-)
/usr/bin/python3.6(unattende)
/var/log/mysql/error.log.1(mysqld)

I ran the following command to show deleted files in use

lsof | grep deleted

I noticed on my database server a php-fpm service was using files. I don’t have a webserver enabled on this server, so I uninstalled the web-based services.

I have separate web and database servers.

sudo apt-get remove apache*
sudo apt-get remove -y --purge nginx*
sudo apt-get remove -y --purge php7*
sudo apt autoremove

Check DNS configuration for the dns domain name (fixed)

Cisofy said..

Some software can work incorrectly when the system can't resolve itself. 
Add the IP name and fully qualified domain name (FQDN) to /etc/hosts. Usually this is done with an entry of 127.0.0.1, or 127.0.1.1 (to leave the localhost entry alone). 

I edited my ‘/etc/hosts’ file

I added a domain name to the end of the localhost entry and added a new line with my server(s) IP and domain name

Disable the ‘VRFY’ command (fixed)

I was advised to run this command

postconf -e disable_vrfy_command=yes

(Debian) Enable sysstat to collect accounting (no results) (fixed)

Cisofy said..

The sysstat is collection of utilities to provide system information insights. While one should aim for the least amount of packages, the sysstat utilities can be a good addition to help recording system details. They can provide insights for performance monitoring, or guide in discovering unexpected events (like a spam run). If you already use extensive system monitoring, you can safely ignore this control.

I ran the suggested commands

apt-get install sysstat
sed -i 's/^ENABLED="false"/ENABLED="true"/' /etc/default/sysstat

More info on sysstat here.

Consider running ARP monitoring software (arpwatch,arpon) (fixed)

Cisofy said

Networks are very dynamic, often with devices come and go as they please. For sensitive machines and network zones, you might want to know what happens on the network itself. An utility like arpwatch can help tracking changes, like new devices showing up, or others leaving the network.

I read this page to setup and configure arpwatch

sudo apt-get install arpwatch
/etc/init.d/arpwatch start

I will add more on how to use arpwatch soon

Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft (fixed)

Cosofy siad..

Disable drivers like USB storage when not used. This helps preventing unauthorized storage, data copies, or data theft.

I ran the suggested fix

echo "# Block USB storage" >> /etc/modprobe.d/disable-usb-storage.conf
echo "install usb-storage /bin/false" >> /etc/modprobe.d/disable-usb-storage.conf

Determine if automation tools are present for system management (ignored)

I ignored this one

Ignore Button

One or more sysctl values differ from the scan profile and could be tweaked

Cisofy said..

By means of sysctl values we can adjust kernel related parameters. Many of them are related to hardening of the network stack, how the kernel deals with processes or files. This control is a generic test with several sysctl variables (configured by the scan profile).

I was advised to adjust these settings

  • net.ipv4.conf.all.send_redirects=0
  • net.ipv4.conf.default.accept_source_route=0
  • kernel.sysrq=0
  • net.ipv4.conf.all.log_martians=1
  • net.ipv4.conf.default.log_martians=1
  • kernel.core_uses_pid=1
  • kernel.kptr_restrict=2
  • fs.suid_dumpable=0
  • kernel.dmesg_restrict=1

I edited ‘/etc/sysctl.conf‘ and made the advised changes along with these (I Googled each item first)

Install a file integrity tool to monitor changes to critical and sensitive files (fixed)

Cisofy said..

To monitor for unauthorized changes, a file integrity tool can help with the detection of such event. Each time the contents or the properties of a file change, it will have a different checksum. With regular checks of the related integrity database, discovering changes becomes easy. Install a tool like AIDE, Samhain or Tripwire to monitor important system and data files. Additionally configure the tool to alert system or security personnel on events.

It also gave a solution

# Step 1: Install package with appropriate command
apt-get install aide
yum install aide

# Step 2: Initialise database
aide --init
# If this fails: try aideinit

# Step 3: Copy newly created database (/var/lib/aide)
cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

# Step 4:
aide --check

I installed ‘aide’ (read the guide here).

TIP: Long story but the steps above were not exactly correct. Thanks to this post for I was able to set up aide. without seeing this error.

Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db.new for writing

This is how I installed aide

apt-get install aide
apt-get install aide-common

I initialised aide.

aideinit

This was the important part (I was stuck for hours on this one)

aide.wrapper --check

I can run the following to see what files have changed.

I could see many files have changed since the initial scan (e.g mysql, log files nano search history).

Nice

Now lets schedule daily checks and create a cron job.

cat /folder/runaide.sh
#!/bin/bash

sendemail -f [email protected] -t [email protected] -u "CRON: AIDE Run (yourserver.com) START" -m "/folder/runaide.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password***

MYDATE=`date +%Y-%m-%d`
MYFILENAME="Aide-"$MYDATE.txt
/bin/echo "Aide check !! `date`" > /tmp/$MYFILENAME
/usr/bin/aide.wrapper --check > /tmp/myAide.txt
/bin/cat /tmp/myAide.txt|/bin/grep -v failed >> /tmp/$MYFILENAME
/bin/echo "**************************************" >> /tmp/$MYFILENAME
/usr/bin/tail -100 /tmp/myAide.txt >> /tmp/$MYFILENAME
/bin/echo "****************DONE******************" >> /tmp/$MYFILENAME

#/usr/bin/mail -s"$MYFILENAME `date`" [email protected] < /tmp/$MYFILENAME

sendemail -f [email protected] -t [email protected] -u "CRON: AIDE Run (yourserver.com) END" -m "/folder/runaide.sh" -s smtp.gmail.com:587 -o tls=yes -xu [email protected] -xp ***my*google*gsuite*email*app*password*** -a /tmp/$MYFILENAME -a /tmp/myAide.txt

Above thanks to this post

I setup a cron job to run this daily

#Run AIDE
0 6 * * * /folder/runaide.sh && curl -fsS --retry 3 https://hc-ping.com/######-####-####-####-############> /dev/null

ACCT-9622 – Enable process accounting. (fixed)

Solution:

Install “acct” process and login accounting.

sudo apt-get install acct

Start the “acct” service

/etc/init.d/acct start
touch /var/log/pacct
chown root /var/log/pacct
chmod 0644 /var/log/pacct
accton /var/log/pacct 

Check the status

/etc/init.d/acct status
* acct.service - LSB: process and login accounting
   Loaded: loaded (/etc/init.d/acct; generated)
   Active: active (exited) since Sun 2019-05-26 19:42:15 AEST; 4min 42s ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 0 (limit: 4660)
   CGroup: /system.slice/acct.service

May 26 19:42:15 servername systemd[1]: Starting LSB: process and login accounting...
May 26 19:42:15 servername acct[27419]: Turning on process accounting, file set to '/var/log/account/pacct'.
May 26 19:42:15 servername systemd[1]: Started LSB: process and login accounting.
May 26 19:42:15 servername acct[27419]:  * Done.

Run CISOfy recommended commands

touch /var/log/pacct
chown root /var/log/pacct
chmod 0644 /var/log/pacct
accton /var/log/pacct 

Manual Scan of Lynis

I re-ran an audit of the system (and uploaded the report to the portal) so I can see how I am progressing.

./lynis audit system --upload

I then checked the error status and the warnings were resolved.

Progress?

I rechecked my servers and all warnings are solved, now I just need to work on information level issues

Warning level errors fixed,  and informational to go

Cisofy Portal Overview

Quick breakdown of the Cisofy Portal

Overview Tab (portal.cisofy.com)

The Overview lab displays any messages, change log, API information, add a new system link, settings etc.

Lynis Overview tab

Dashboard Tab (portal.cisofy.com)

The dashboard tab will display compliant systems any outdated systems, alerts and events.

Lynis Dashboard screenshot https://portal.cisofy.com/enterprise/dashboard/

TIP: If you have a system that reports “Outdated” run the following command.

./lynis audit system --upload

Systems Tab (portal.cisofy.com)

The systems tab shows all systems, OS version, warnings, information counts, the date the system’s client last uploaded a report and the client version.

Systems tab shows all systems, OS version, warnings, information counts, date client last uploaded a report update and client version

If you are making many changes and manual Lynis scans keep an eye on your upload credits, You can see by the above and below image, I have lowered my suggested actions to harden my servers (red text).

Lynis scans reached

Clicking a host name reveals a summary of the system.

Clicking a system reveals a summary of the system.

Remaining information level issues are listed.

I can click Solve and see more information about the issue to resolve.

TIP: I thought it would be a good idea to copy this list to a spreadsheet for detailed tracking.

Spreadsheet listing issues to complete and done

I had another issue appear a few days later.

Compliance Tab (portal.cisofy.com)

A lot of information is listed here.

Compliance Tab

Best practice guides are available

best practice ghttps://portal.cisofy.com/compliance/udes

I could go on an on but https://cisofy.com/ is awesome.

TIP: Manually updating Lynis

from the command line I can view the Linus version with this command

./lynis --version
2.7.4

To update the Lynis git repository from the Lynis folder run this command

git pull
Already up to date.

Automatically updating and running Lynis scans

I added the following commands to my crontab to update then scan and report Lynis results to the portal.

TIP: Use https://crontab.guru/ to choose the right time to run commands (I chose 5 mins past 1 AM every day to update and 5 mins past 2 AM to run a scan.


#Lynis Update
5 1 * * * root -s /bin/bash -c 'cd /utils/lynis && /usr/bin/git pull origin master'

#Lynis Scan
5 2 * * * root -s /bin/bash -c '/utils/lynis/lynis audit system --upload'

Troubleshooting

fyi: Lynis Log file location: /var/log/lynis.log

Cisofy Enterprise Conclusion

Pros:

  • I can learn so much about securing Linux just from the Cisofy Fix recommendations.
  • I have secured my server beyond what I thought possible.
  • Very active development on Github: https://github.com/CISOfy/lynis/
  • Cisofy has a very good inteface and updates often.
  • New security issues are synced down and included in new scans (if you update)

Cons:

  • I am unable to pay for this for my servers here in Australia (European legal issues).
  • Needs Hardware 2FA

Tips

Make sure you have curl installed to allow reports to upload. I had this error on Debian 9.4.

View the latest repository version information here.

I added my Lynis folder to the Linux $PATH variable

export PATH=$PATH:/folder/lynis

Fatal: can’t find curl binary. Please install the related package or put the binary in the PATH. Quitting..

Lynis Enterprise API

View the Lynis Enterprise API documentation here

Lynis Enterprise Support

Support can be found here, email support [email protected].

Getting started guide is found here.

Bonus: Setting Up Content Security Policy and reporting violations to https://report-uri.com/

I have a few older posts on Content Security Policies (CSP) but they are a bit dated.

  • 2016 – Beyond SSL with Content Security Policy, Public Key Pinning etc
  • 2018 – Set up Feature-Policy, Referrer-Policy and Content Security Policy headers in Nginx

Wikipedia Definition of a Content Security Policy

Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.[1] It is a Candidate Recommendation of the W3C working group on Web Application Security,[2] widely supported by modern web browsers.[3] CSP provides a standard method for website owners to declare approved origins of content that browsers should be allowed to load on that website—covered types are JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets, ActiveX, audio and video files, and other HTML5 features.

If you want to learn about to setup CSP’s head over to https://report-uri.com/products/content_security_policy or https://report-uri.com/home/tools and read more.

I did have Content Security Policies (CSP) set up a few years back, but I had issues with broken resources. A lack of time on my behalf to investigate the issues forced me to disable the Content Security Policy (CSP). I should have changed the “Content-Security-Policy” header to “Content-Security-Policy-Report-Only.”

I will re-add the Content Security Policy (CSP) to my site but this time I will not disable it and will report to https://report-uri.com/, and if need be I will change the header from “content-security-policy” to “content-security-policy-report-only”. That way a broken policy won’t take down my site in future.

If you want to set up a Content Security Policy header and with good reporting of any violations of your CSP policy simply head over to https://report-uri.com/ and create a new account.

Read the official Report URI help documents here: https://docs.report-uri.com/.

Create a Content Security Policy

The hardest part of creating a Content Security Policy is knowing what to add where.

You could generate your own Content Security Policy by heading here (https://report-uri.com/home/generate) but that will take a while.

Create a CSP

TIP: Don’t make your policy live straight away by using the “Content-Security-Policy” header, instead use the “Content-Security-Policy-Report-Only” header.

To create a content Security Policy faster I would recommend you to use this Firefox plugin to generate a starter Content Security Policy.

Screenshot of https://addons.mozilla.org/en-US/firefox/addon/laboratory-by-mozilla/

Install this plugin to Firefox, enable it and click the Plugins icon and ensure “Record this site…” is ticked.

Laboratory plugin inFirefix

Then simply browse to your site (browse as many pages as possible) and a Content Security Policy will be generated based on the content on the page(s) loaded.

TIP: Always review the generated CSP, it allows everything needed to display your site.

Export the CSP from the Firefox plugin to the clipboard

This is the policy that was generated for me in 5 minutes browsing 20 pages.

default-src 'none'; connect-src 'self' https://onesignal.com/api/v1/apps/772f27ad-0d58-494f-9f06-e89f72fd650b/icon https://onesignal.com/api/v1/notifications https://onesignal.com/api/v1/players/67a2f360-687f-4513-83e8-f477da085b26 https://onesignal.com/api/v1/players/67a2f360-687f-4513-83e8-f477da085b26/on_session https://yoast.com/feed/widget/; font-src 'self' data: https://fearby-com.exactdn.com https://fonts.gstatic.com; form-action 'self' https://fearby.com https://syndication.twitter.com https://www.paypal.com; frame-src 'self' https://en-au.wordpress.org https://fearby.com https://googleads.g.doubleclick.net https://onesignal.com https://platform.twitter.com https://syndication.twitter.com https://www.youtube.com; img-src 'self' data: https://a.impactradius-go.com https://abs.twimg.com https://fearby-com.exactdn.com https://healthchecks.io https://pagead2.googlesyndication.com https://pbs.twimg.com https://platform.twitter.com https://secure.gravatar.com https://syndication.twitter.com https://ton.twimg.com https://www.paypalobjects.com; script-src 'self' 'unsafe-eval' 'unsafe-inline' https://adservice.google.com.au/adsid/integrator.js https://adservice.google.com/adsid/integrator.js https://cdn.onesignal.com/sdks/OneSignalPageSDKES6.js https://cdn.onesignal.com/sdks/OneSignalSDK.js https://cdn.syndication.twimg.com/tweets.json https://fearby-com.exactdn.com/wp-content/cache/fvm/1553589606/out/footer-45a3439e.min.js https://fearby-com.exactdn.com/wp-content/cache/fvm/1553589606/out/footer-e6604f67.min.js https://fearby-com.exactdn.com/wp-content/cache/fvm/1553589606/out/footer-f4213fd6.min.js https://fearby-com.exactdn.com/wp-content/cache/fvm/1553589606/out/header-1583146a.min.js https://fearby-com.exactdn.com/wp-content/cache/fvm/1553589606/out/header-823c0a0e.min.js https://fearby-com.exactdn.com/wp-content/piwik.js https://onesignal.com/api/v1/sync/772f27ad-0d58-494f-9f06-e89f72fd650b/web https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js https://pagead2.googlesyndication.com/pagead/js/r20190610/r20190131/show_ads_impl.js https://pagead2.googlesyndication.com/pub-config/r20160913/ca-pub-9241521190070921.js https://platform.twitter.com/js/moment~timeline~tweet.a20574004ea824b1c047f200045ffa1e.js https://platform.twitter.com/js/tweet.73b7ab8a56ad3263cad8d36ba66467fc.js https://platform.twitter.com/widgets.js https://s.ytimg.com/yts/jsbin/www-widgetapi-vfll-F3yY/www-widgetapi.js https://www.googletagservices.com/activeview/js/current/osd.js https://www.youtube.com/iframe_api; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/ https://onesignal.com/sdks/ https://platform.twitter.com/css/ https://ton.twimg.com/tfw/css/; worker-src 'self' 

I can truncate starter Content Security Polity and remove some elements. Remove duplicated entries to separate files on a remote server add a wildcard (if I trust the server).

I truncated the policy with the help of the sublime text editor and Report URI CSP Generator.

I added this to the file ‘/etc/nginx/sites-available/default’

add_header "Content-Security-Policy-Report-Only" "default-src 'self' https://fearby.com/; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://adservice.google.com.au https://adservice.google.com https://cdn.onesignal.com https://cdn.syndication.twimg.com https://fearby-com.exactdn.com https://onesignal.com https://pagead2.googlesyndication.com https://platform.twitter.com https://s.ytimg.com https://www.googletagservices.com https://www.youtube.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://onesignal.com https://platform.twitter.com https://ton.twimg.com; img-src 'self' data: https://a.impactradius-go.com https://abs.twimg.com https://fearby-com.exactdn.com https://healthchecks.io https://pagead2.googlesyndication.com https://pbs.twimg.com https://platform.twitter.com https://secure.gravatar.com https://syndication.twitter.com https://ton.twimg.com https://www.paypalobjects.com; font-src 'self' data: https://fearby-com.exactdn.com https://fonts.gstatic.com; connect-src 'self' https://onesignal.com https://yoast.com; object-src https://fearby.com/; frame-src 'self' https://en-au.wordpress.org https://fearby.com https://googleads.g.doubleclick.net https://onesignal.com https://platform.twitter.com https://syndication.twitter.com https://www.youtube.com; worker-src 'self'; form-action 'self' https://fearby.com https://syndication.twitter.com https://www.paypal.com; report-uri https://fearby.report-uri.com/r/d/csp/reportOnly";

I added the following to the file ‘/etc/nginx/sites-available/default‘ (inside the server node).

Any issues with the Content Security policy will be reported to my web browsers development console and to https://report-uri.com/.

My Chrome development console reports an issue with a graphic not loading from Namecheap.

Namecleap icon not loading

The event was also reported to the Report URI server.

Screenshot of reports at https://report-uri.com/account/reports/csp/

Don’t forget to check the reports often. When you have no more issues left you can make the Policy live by renaming the “Content-Security-Policy-Report-Only” header to “Content-Security-Policy”.

FYI: I had directive reports of ‘script-src-elem’ and it looks like they are new directives added to Chrome 75.

Don’t forget to visit the Report URI setup page and get a URL for where live reports get sent to.

Screenshot of https://report-uri.com/account/setup/

If you go to the Generate CSP page and import your website’s policy you can quickly add new exclusions to your policy

After a few months of testing and tweaking the policy, I can make it live (‘Content-Security-Policy’).

Lynis Enterprise

I have learned so much by using Lynis Enterprise from https://cisofy.com/

I am subscribed to issues notifications at https://github.com/CISOfy/lynis/issues/ and observe about 20 notifications a day in this GitHub community. Maybe one day I will contribute to this project?

Finally, Did the Bank reply?

Yes but it was not very informative.

Dear Simon,

Thank you very much  for the information and we have completely removed the reference that you have raised concern.
We are extremely sorry and apology for the inconvenience caused due to this mistake.

We are thankful for the information and support you have extended.

I tried to inquire how this happened and each time the answer was vague.

Thank you for your support. This was mistakenly used during the testing and we have warned the vendor as well.
I like to request you to close the ticket for this as we have already removed this.

We like to assure such things won’t happen in future.

It looks like the bank used my blog post to create their CSP.

Oh well at least I have a secured my servers.

Thanks for reading.

 

 

Version:

v1.1 – Changed the URL, Removed Ads and added a Lynis Enterprise Conclusion

v1.01 – Fixed the URL

v1.0 – Initial Version

Filed Under: 2nd Factor, CDN, Content Security Policy, Cron, Database, Debian, NGINX, One Signal, PHP, Security, Ubuntu, Vulnerabilities, Vulnerability, Weakness, Website Tagged With: Bank, Cisofy, Content Security Policy, Hacked, Linus

Yubico 5C NFC USB-C Hardware Two Factor Security Key etc

October 8, 2020 by Simon

I have been using Yubico YubiKeys since 2018. I have blogged a bit about them before:

  • Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App

At first, I used my YubiKeys to secure Mac OSX, websites I used then services like 1Password, Dropbox, Twitter. Google Mail, Github, WordPress. Now I have over 80 websites and servers protected with my YubiKeys.

I also used my YubiKeys to secure servers I setup (protecting Command-line SSH Sessions).

Security Basics

Before I begin showing the YubiKey 5C NFC device I would like to explain a bit about…

  • a) Strong Passwords, Not Reusing Passwords
  • b) Hacked Websites and Data Breaches

(Apologies for click-baiting and not showing the YubiKey 5C NFC right away but I love Security)

a) Secure Passwords, Not Reusing Passwords

Hackers trying to obtain your login and password could use Brute Force Attacks, Dictionary Attacks and other ways to try and break into your accounts.

If you have not heard of or used http://howsecureismypassword.net/ head over there now and enter your password (or enter a part of your password if you do not trust them).

Enter your password into howsecureismypassword.net

I entered an old password I used a lot in 1990’s and https://howsecureismypassword.net/ said it a computer will take 1 day to guess/generate my password.

https://howsecureismypassword.net/ 1 day to guess my password

I entered a more complex password generated in my password manager (1Passwsord) and now it will take 68 quattuorvigintillion years for a computer to guess/generate my password.

68 quattuorvigintillion years to gues my password

That sounds good but it is not, computers are getting faster and websites can still be hacked directly (bypassing complex passwords). When a website is hacked data is sold far and wide in minutes.  Anyone who obtains or buys hacked usernames and passwords will try and use those credentials on as many sites as possible.

TIP: Do not use the same password across different websites, if one site is hacked an attackers will know your password on other sites. Even if the hacked website used encryption to hash your password before storing it hackers can use Rainbow Tables to know the real password to speed up obtaining your password.

b) Hacked websites and Data Breaches

How do you know what sites have been hacked?

Enter https://haveibeenpwned.com/

Go to https://haveibeenpwned.com/ and enter your emails address and click “Pwned?” to see if your email has been obtained in past known data breaches. You can also check your password too.

https://haveibeenpwned.com/ at (great expense and complexity) indexes hacked data (called pastes) from known website breaches in as little as 40 seconds of the information appearing online. Hacked data from websites are published online to validate the hacker’s valuable data (in order to sell it) or to show a hackers achievement.

https://haveibeenpwned.com/ is a safe site run by https://www.troyhunt.com/ and is an industry-standard for sharing information about hacked websites in order to protect exposed in those hacks.

I entered my email address into https://haveibeenpwned.com/ 

Enter you email address into https://haveibeenpwned.com/

My email address has been found in multiple hacks

Enter you Email.

A full list of hacked websites with my email and password is displayed.

List of hacked websitres

When sites I was using were hackled only 1% of the sites bothered to notify me. You could have been hacked in the past and you may not be aware of it.

Subscribing to be notified when your emails(s) are seen in pasted in highly recommended (and it’s free).

Notify Me Form

fyi: Awesome Security Now Podcats

If you want to stay up to date with online security and the never-ending race for security check out the free Security Now Podcast that has been running from 2005 to 2020.  Steve and Leo do a great job ant breaking down very very very complex security topics for non-tech geeks every week.

Password Manager + YubiKey

You are still reading, good.  I know this is bad news but you need to know this stuff.

So I hear you say how can I generate (different passwords per site) and store those passwords securely?  This sounds like a plug (it’s not) but I use 1Password password manager.

1Password is an awesome password manager I use to generate and store secure passwords and best of all it only costs $2.99 USD a month (or $39.47 AUD paid annually). Here is a 3-year-old post of mine showing an older version of 1Password. I like 1Password because it’s super secure, integrates with YubiKeys and https://haveibeenpwned.com/ and works well on Windows, MacOS, iOS and Android.

1Password integrates with HaveIBeenPwned and 1Password 🙂

@1Password just keeps getting better and better. Ping: @troyhunt pic.twitter.com/qTtE6XyoXb

— Grant Harrington (@harringg) May 22, 2018

1Password is the right price for me and for the features it provides.

1password pricing page

1Password allows you to generate strong passwords.

1Password Password generator

fyi: Here is a list of all password managers (some free) at Wikipedia.

Of you can use https://www.grc.com/passwords.htm to generate really strong passwords manually.

Why Use YubiKeys

If you use a really simple password, reuse a password (I know you do) or you know a site will be hacked one day a YubiKey can be a physical thing you have that a hacker does not have.

Think of the YubiKey as a physical password that hackers cannot steal.

Well, you can be mugged and your YubiKey could be stolen but will they have your email and password that is needed with the key to log in to a site?

My YubiKey’s

  • YubiKey 4 NEO (Left)
  • YubiKey 5Ci (Middle)
  • YubiKey 5C NFC (Right)
My 3 YubiKeys

My YubiKey 4 NEO (on the right) has been used about 5,000 times and it is still going strong.

YubiKey 5Ci (for Mobile)

If you need a YubiKey with a Lighting and USB C plug (without NFC) check out this review.

Yubico YubiKey 5Ci with USB-C and Lightning connector for mobile devices

Why use NFC?

Why is NFC so good? The USB Standard only allows for 10,000 inserts and removals before the pins wear out. The Wireless nature of NFC has no impact on lifespan.

YubiKey 5C NFC

On the left, you can see my YubiKey 5C NFC compared to the YubiKey 5Ci (in the centre) and the YubiKey 4 NEO (on the right).

My YubiKeys

YubiCo YubiKey 5C NFC Welcome Video

The YubiKey 5C NFC has a USB C plug and NFC. For me, this is the perfect key.

The YubiKey has a selection of covers that (for all keys) that you can stick onto the keys to stylize them and tell the difference between when you have multiple keys.

YubiStyle Covers.

I went with a Polka Rainbow Cover

Cover Applied

My cover application was not a perfect application by me but it’s Wabi-Sabi enough for me.

YubiKey with Cover on

YubiKey Authenticator

When you use a YubiKey on a site that supports them you will either be prompted to Insert and Tap they key after the traditional login process

Insert YubiKey

Or enter a 6 digit code that is randomly generated in the Authenticator App (and valid for 30 seconds).  To obtain this code you will need to install the YubiCo Authenticator for Windows, MacOS or Mobile (iOS or Android)

Download the Free Authenticator App here: https://www.yubico.com/products/services-software/download/yubico-authenticator/

Inserting or Tapping the key will display the linked sites and 6 digit codes.

YubiKey OTP Diagram
Image credit: https://developers.yubico.com/yubioath-desktop/

I have many websites OTP’s stored in my Keys 🙂

My OTP Passwords

How to use the YubiCo Authenticator App Video on the YubiCo YouTube channel

How to find sites that use 2FA/MFA

Head on over to https://twofactorauth.org/.

https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.

https://twofactorauth.org/ allows you to find sites that use (or do not use) 2FA.

For example, you can search for (e.g “play”) and see if the matching sites have 2FA enabled to protect logins.

My Google Play, PlayStation and Ubisoft UPlay accounts are protected with 2FA.

Searched fore Play

You can also view categories and see what websites and services are up to date. This can be handy if you are looking for a product or service. Go with the most secure provider.

List of sites thta use 2FA

Common Site 2FA Instruction Pages

Here is a list of common social media sites and their instruction pages for enabling 2FA

  • Buffer: https://blog.bufferapp.com/introducing-the-safest-social-media-publishing-on-the-web
  • Dropbox: https://help.dropbox.com/security/enable-two-step-verification
  • Facebook: https://www.facebook.com/help/148233965247823
  • GMail: https://www.google.com/intl/en-US/landing/2step/features.html
  • Google Drive: https://www.google.com/intl/en-US/landing/2step/features.html
  • Linked In: https://www.linkedin.com/help/linkedin/answer/544
  • One Drive: https://support.microsoft.com/en-us/help/12408/
  • Pinterest: https://help.pinterest.com/en/articles/two-factor-authentication
  • Reddit: https://www.reddithelp.com/hc/en-us/articles/360043470031
  • Snapchat: https://support.snapchat.com/en-US/article/enable-login-verification
  • Skype: https://support.microsoft.com/en-us/help/12408/
  • Tumblr: https://www.tumblr.com/docs/en/two_factor_auth
  • Twitter: https://support.twitter.com/articles/20170388
  • Yahoo Mail: https://help.yahoo.com/kb/SLN5013.html
  • WhatsApp: https://www.whatsapp.com/faq/en/general/26000021
  • WordPress: https://en.support.wordpress.com/security/two-step-authentication/
  • Zoom: https://support.zoom.us/hc/en-us/articles/360038247071

 

Using the Yubico 5C NFC on a Computer with no USB C Plug?

My Windows 10 PC has a USB C Plus but its on the rear of my PC.

USB C at the rear of the PC

It is a pain plugging my key into the USB C plug at the back of my PC so I ordered a $5 USB 3 to USB C adapter so I can plug this into the front of my PC

USB to USB C Adapter

I have an 8 way USB 3 (externally powered) USB Hub under my monitor to easily connect my many dongles and USB devices into.

The YubiKey 5C NFC sits high in the adapter but it allows me to use it easily on my PC when needed and more importantly I can use the USB C plug on my phone without an adapter.

USB Hub

USB (standard Plug, Lightning or USB C YubiKey have you covered.

https://www.yubico.com/store/

Risks of Hardware 2FA

If you damage or lose a YubiKey you could be locked out of a website or service. When possible I use multiple YubiKeys so you have a backup device to login with.

Multiple YubiKeys

I can add multiple YubiKeys to Dropbox

add key to dropbox

Sites will also provide a list of recovery codes you can use in case you lose your YubiKey’s. Save these codes in a safe place (you will only be given them once)

Dropbox Recovery Codes

1Password is great for storing backup codes.

Purchasing a Yubikey 5C NFC

You can buy YubiKey’s from…

  • Trust Panda: https://www.trustpanda.com.au/products/yubikey-5c-nfc
  • Mi-Token: https://shop.mi-token.com/#!/public-catalogue 
  • YubiCo Direct :https://www.yubico.com/store/
  • M. Tech: https://mtechpro.com/product/yubico/
  • Sektor: https://www.sektor.com.au/Product/MSYK335
  • Sektor (NZ): https://www.sektor.co.nz/cybersecurity
  • YubiKey Resellers: https://www.yubico.com/support/shipping-and-buying-information/resellers/

Conclusion

My new YubiKey 5C NFC is sitting proudly in my YubiKey collection. I use One key for work, one key for Home (PC Use) and one key for Mobile use.

YubiKeys on my Keychain

YubiKey 5C NFC Pros

  • NFC (I use this a lot on mobile and at work on NFC printers for authentication)
  • No batteries required
  • Durable
  • Multiple usage modes (6 digit codes or insert and press)
  • Works well on my Android Phone with USB-C Plug
  • Physical security to back up my online credentials

YubiKey 5C NFC Cons

  • You need to opt-in on sites to use it (not really a con)
  • You need a PC with USB C plug to easily access the YubiKey 5C NFC.

The YubiKey 5C NFC comes at a time when “Human Malware” related phishing attacks continue to surge. I have thousands of hack attempts on my website and email daily so I know I need to stay a step ahead of hackers.

I know companies who were hacked, could not care less if my username and password were breached.

YubiCo YubiKeys allow me to feel safer online

Links

  • YubiStyle Covers: https://www.yubico.com/product/yubistyle-covers/
  • Security Now Podcast: https://grc.com/securitynow (2005 to 2020)
  • http://howsecureismypassword.net/
  • https://haveibeenpwned.com/

v1.0 : Initial Draft

Filed Under: 2FA, 2nd Factor, Pwned, Security, Yubico, YubiKey Tagged With: Yubico, YubiKey 5C NFC

Finding software that needs updating on Windows using SUMo (Review)

May 30, 2020 by Simon

Recently I blogged about using Acronis True Image 2020 to backup and restore your Windows computer after a friend had to manually reinstall her Windows PC.

Her Windows PC died and she could not recover Windows with a System Restore snapshot or via the retailers systems image recovery process.

I use Back Blaze software to automatically backup my computer but I do not have an up to date collection of needed installation files in case I need to perform a Clean Installation of Windows 10.

I found SUMo in the process of assisting my friend.

SUMo to the Rescue

I found SUMo (Software Update Monitor) from KC Softwares that allows me to analyse my existing installed software and their versions, find and download new versions (installers or setup files) for my software.

I am using the Pro version of SUMo (buy here).

Tip: The trial version will inform you of an update but it will not show you links to obtain the updates easily.

SUMo Trial Limitations

The best feature of SUMo is I can find apps on my PC that need updating.

Also in one click (Right click) you will be directed to the applications official site (official site (or App page on SUMo)) and be able to download the app installer to the new version of the app.

Rigth click on an outdated app in SUMo to get the new aopo.

The Trial version is limited to informing you that an update is available.

SUMo telling your there is an update available

Also updating SUMo to the PRO version streamlines it’s own updates too. You can update SUMo in the PRO version with one click. 🙂

SUMo Pro Scan

After I opening SUMo PRO (I waited for it to find installed apps) then I clicked “Check” to scan all my apps for updates.

SUMo happily went through the list of my installed apps and gathered the applications versions (and checked online if newer versions existed).

SUMO scanning my installed software.

SUMo found 239 installed applications on my PC, 188 were up to date, 53 needed minor (recent updates) and 2 needed major (old) updates.

SUMo report of installed software

Its awesome that in one click and I can see what software needs updating. In the process I was able to see what applications I don’t use (they were old versions) and I uninstalled them

SUMo Settings

I will update my software and to ensure my software does not get out of date I enabled “Load at startup” and “Check for new software at startup” (SUMo).

I did not enable “Scan for new software at startup” but seeing SUMo Start and update will remind me to check for updates if I have time.

SUMo settings.

I also enabled “Show file path” in the SUMo Application list so I can see where the programs are.  I found multiple instances of Python installed all over my PC.

SUMo FIle Path

Getting Application Updates

I right clicked on each of my applications (that needed updating) and clicked “Get Update from…” then “.. from developer’s Site (Direct)“.

If you don’t want to right click you can click the “Get Update” button in the tool bar to get selected applications update. 

This will open a web browser page to the software vendors website.

Get Uopdate

SUMo also has a page available with stats on the application’s known statistics (nice table of versions, beta or stable status and numbers of users).

Updating Software

I was able to right click “Get Update from…” – “.. from developer’s Site (Direct)” for each application in the list that needed an update. I was directed to the software vendors page for each software where I could download the app updates.

Within minutes I had dozens of vendor pages open with links to new versions of my outdated software.

Dozens of site pages with fresh app installs.

Within a short period I had amasses gigabytes of new application installs.

4.5GB of data of new application installs

I installed each of the new updates and then moved the new installs to my B:\Installs folder (in case I have to manually reinstall Windows in the future).

Install Locations

Checking Application Update Status

After I updated my out of date applications I then right clicked on the apps in SUMo and clicked Check to re check the status of the applications 

Check the uodate status

SUMo Right Click Actions

Fyi: SUMo has a number of actions in the right click menu (on an installed Application).

  • Delete: Removes item from list. Will appear again on next scan or manually addition
  • Ignore: Blacklist : this Software/company pair will never appear again, whatever the version, file path, …
  • Skip: Items remains listed but a SPECIFIC version gets no longer notified as update for a given time (1 day / week / month) or forever.

(snip from here)

I had a few items I Deleted from the list or Ignored.

Rigth click menu

My Visual Studio (development) software was reporting an older version of Python (2.7). I updated Visual Studio to the latest version but Python 2.7 remained. I deleted Visual Studio from the list and was prompted  (this is not deleting the application from the hard disk just from the generated list.

Delete confirmation/ box.

After a few hours updating apps

I whittled down the list of my applications that needed updating 

I could sort applications in the list by OK status or apps that needed Minor or Major updates applied.

SUMO app list

All Apps Updated

I can now say that all of my Applications are all up to date.

All apps upto date

Export

I used the export feature in SUMo to build an excel file listing all my applications.

Fyi: SUMo exported this list as a “;” separated file, I opened the file in Sublime Text Editor and replaced “;” with TAB and then pasted this list back into  Excel.

Excel Export of installed apps.

Conclusion

SUMo allowed me to update my installed applications and update my aged cache of application installs I was keeping in case I needed to manually rebuild Windows.

SUMo made this an absolute pleasure to do.

Pros

  • Price: 19.99 Euros (about $33.27 AUD) is a bargain.
  • Simplicity (it just works so well, why does Windows not do this)
  • Saves me time finding out of date apps and update files for an emergency and inevitable manual Windows reinstall.
  • My apps are more secure after updating them

Cons

  • I needed this in my life 10 years ago
  • Would be nice to have an inbuilt help file (instead of email support)

Try the free version here

v 1.0 Initial Post

Filed Under: Backup, Security, Uncategorized, Update, Windows Tagged With: find, software, SUMo, updates

Connecting to a server via SSH with Putty

April 7, 2019 by Simon

This post aims to show how you can connect to a remote VM server using Telnet/SSH Secure shell with a free program called Putty on Windows. This not an advanced guide, I hope you find it useful.

2020 Update. I have stopped using Putty and WinSCP. I now use MobaXterm (a tabbed SSH client for Windows) as it is way faster than WinSCP and better than Putty. Read my review post of MobaXTerm here.

You will learn how to connect (via Windows) to a remote computer (Linux) over the Telnet protocol using SSH (Secure Shell). Once you login you can remotely edit web pages, learn to code, install programs or do just about anything.

Common Terms (Glossary)

  • Putty: Putty is a free program that allows you to connect to a server via Telnet. Putty can be downloaded from here.
  • Port: A port is a number given to a virtual lane on the internet (a port is similar to a frequency in radio waves but all ports share the same transport layer frequency on the internet). Older unencrypted webpages work on Port (lane 80), older mail worked on Port 25, encrypted web pages work on Port 443. Telnet (that SSH Secure Shell uses) used Port 22. Read about port numbers here.
  • SSH: SSH is a standard that allows you to securely connect to a server over the telnet protocol. Read more here.
  • Shell: Shell or Unix Shell is the name given to the interactive command line interface to Linux. Read more about the shell here.
  • Telnet: Telnet is a standard on the TCP/IP protocol that allows two-way communication between computers (all communicatin issent as characters and not graphics). Read more on telnet here and read about the TCP protocols here and here.
  • VM: VM stands for Virtual Machine and is a name given to a server you can buy (but it is owned by someone else). Read more here.

Read about other common glossary terms used on the Inetre here:
https://en.wikipedia.org/wiki/Glossary_of_Internet-related_terms

Background

If you want a webpage on the internet (or just a server to learn how to program) it’s easier to rent a VM for a few dollars a month and manage it yourself (with Telnet/SSH Secure Shell) than it is to buy a $5,000 server, place it in a data centre and pay for electricity and drive in every few days and update it. Remote management of VM servers via SSH/Secure Shell is the way for small to medium solutions.

  • A simple web hosting site may cost < $5 a month but is very limited.
  • A self-managed VM costs about $5 a month
  • A website service like Wix, Squarespace, Shopify or WordPress will cost about $30~99 a month.
  • A self-owned server will cost hundreds to thousands upfront.

There are pros and cons to all solutions above (e.g cost, security, scalability, performance, risk) but these are outside this post’s topic. I have deployed VMs on provides like AWS, Digital Ocean, Vultr and UpCloud for years. If you need to buy a VM you can use this link and get $25 free credit.

I used to use the OSX Operating System on Apple computers. I was used to using the VSSH software program to connect to servers deployed on UpCloud (using this method). With the demise of my old Apple Mac book (due to heat) I have moved back to using Windows (I am never using Apple hardware again until they solve the heat issues).

Also, I prefer to use Linux servers in the cloud (over say Windows) because I believe they are cheaper, faster and more secure.

Enough talking lets configure a connection.

Public and Private Keys?

Whenever you want to connect to a remote server via Telnet/SSH Secure Shell you will need a public and private key to encrypt communications between you and the remote server.

The public key is configured on your server (on Linux you add the public key to this file ~/.ssh/authorized_keys).

The private key is used by programs (usually on your local computer) to connect to the remote server.


How to create a Public and Private Key on Linux

I usually run this command on Ubuntu or Debian Linux to generate a public and private SSH key.

sudo ssh-keygen -t rsa -b 4096

The key below was generated for this post and is not used online. Keys are like physical keys, people who have them and know where to use them can use them.

Output:

Generating public/private rsa key pair.
Enter file in which to save the key (/username/.ssh/id_rsa): ./server
Enter passphrase (empty for no passphrase): ********
Enter same passphrase again: ********
Your identification has been saved in ./server.
Your public key has been saved in ./server.pub.
The key fingerprint is:
SHA256:sxfcyn4oHQ1ugAdIEGwetd5YhxB8wsVFxANRaBUpJF4 [email protected]
The key's randomart image is:
+---[RSA 4096]----+
| .oB**[email protected]       |
|  +.==B.+        |
| o .o+o+..       |
|  .. +..o...     |
|    o ..Sooo.    |
|         ++o.    |
|        .o+o     |
|        .oo .    |
|         ...     |
+----[SHA256]-----+

The two files were created

server
server.pub
  • “server” is the private key
  • “server.pub“is the public key

Public/Private Key Contents

Public Key Contents (“server.pub”)

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC7Xo9bOCXJ7gVjP8tKOxHVId3KTo5I0VRU/kSRK3+mGd5VbDbQABo3tdWzYhzkjODzRS9TeL2dcLAQNNQKshi9IW5IGDS1NocSCLFQId5BFr9s3E79fkWqcZkKmwocepXOOZ91EDKgIFxviOzZKe99sdxxMoZzi1nxgVyXl4TnaelyiQxeKYniVs1iqDfYWQCxkKsmYit8TvGtOwrhLvKNh9362/y5ebpXVdFlRuB83eF7k8RHNYCQyOJJVx4cw3TIsAN0GMOwjuaOZbp7rR1d6k7RZmaApNRTbaWOXy32UiBST5TV/jXF2UL/4IBnn+yvCrM0v79e/3omgjlVVKfWByFzMv/YlBKCAX3xxtJQ9RkzTqseKupXmmJU0rik6Xuz31N2oyw4M7yJofSUGVCN0pnpKEvnKxqolfD9egdQy2XDaNioY7cvOO1qRegCKE0sDh1m5MzJWMhbDs7macSMyd6+0O5qWc/ByHy0G/mVbd8kO4jIuEzEs4IFkPCToEZp7KfkY7KRkOhccLbQ4ApCesUfBtGGAN1f33NnXCHae3Cx46nSd23fvgDZUVnjI47tNJH5Z8FNVlW/fp5Rgeu/aPUephnDX2IBxwIKQOmSTDY+nxU4V+c93H1gSOJfvqYbVKIAXKyN9Yh6LC44ZvLrL4q0TC0QlH2+kxMLnuj7zw== [email protected]

Private Key Contents (“server”), always keep the private key safe and never publish it.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,D34670C40CE3778974BEF97094010597

b4oecyqLsWt9n+G12ldVNlaQxSKF1wSrlBPg6FGiHRauTCyreUwoI2dMOAkwnGmN
8fcy51fH7D3Kg0G9fWWNPd+oUDwZmrpB8Mv6Ndk4bLYZEbkNOFgvPwNre7edTBOD
JGZRdWqb+yrywgvz3iTXPNjNK5REU3u3JmD69jInFNo92j765QQKA4sFgEyD/8g+
zg8yefIQAhEsVELC5LXPPyuTfA+x0Q+040PqCJ+FCISJI1CeZjLwk7Fbe453Vj81
zaDsurl5X5gaRUlVjB2asr6etWdMLWcalX4Nbyj2A10L3J4ONjKq3Wc2muJ0Q6ES
oNqBaU2iHPlK8yK0TGj/ERfjaG1qdlhBcow0pSapRqGopXBuVBLVuyc2NHe5CCTk
Ezq+LZGsVYmiOIIY4QRJdEN/DVLFHRGK/xA9A7unm484zXIEO6wznE0DuCTtyZs0
luJ3bKLRcack3K1Dphq0LjSG4YxQlkHewa9k9AKpDPTqeeKKckySakiDCGPT6htk
VqaCKrApAt6GQ2hLVXZ0BFVN5A3WUJ5s+HpFvTUzHTNZcdsVS4PgxhuCtnSO/BdS
/G+ODc4aZJNYQD9QQfWUnxkgnQJCWJ+aBZtKF7eDPRYY7qD9jWxubDzrFplBkmAi
O+aX5N8dpU3lEty4INjyh5LpgZW3swjUhEKWi/c1k+Qd1gCWzYzwAq2BfpWcF8Z+
c+y9lQUKbq2yDlxReCIsfb/hda5k1HjgaUlhKbjWIITSlGqf/NE9i+vj0rQEMQXQ
mxBoilfLUPd5A1ttG5XvqC2ex5HBmjzCazZ13Z/2c/PkwicHBmrf5bKYHZp49niV
44n8tZRamCUv6HaJUaKR22MigOG/qGppGPodGeLNj1DFLYAEQ78SYcVhEqIICBo1
t1yaIemUq8MWXSZz1K3cP4FEXQcEziQxFLU/0DCE0P0mIU3MExUmjB/nVE8vxb5l
p3ej3yrRGe+P2neco2gttgaTEi6l/S+0TIiZNstnVPG48BPW71mwVg9XR1d+avO7
OpXt0UgocX0xp7zBgK2up8Ai6v66WwjoNgyvFe02aK4/+fSC+aJ5D6N7JVNxd/bn
Py4W8oLKnrE1PKtIfBw/aE+rgudaMIyuxCaLllRKyDxVPPiJFp2iFcH/Y+k+0vDa
xE9Jpdd0zOWkZyebAxrS8zAUUNNaTQ+rWkj/zORjE4ptHpdwdazzHoQwIs+1kjsv
e/+JEmoskH7XozLnxClVhhWMXWfgQsPWBqPnGzieW0tv9SeIAU/BLJCHJRhBMAT1
ugBtcda1VMlAPVroYtVyUdCxkYZqGfIDbKqtOvvuBgUIUe/HnC3ExQQycC9F05BH
RJibaM/11MLTcZSO7KOK65Dg2v3VBhe6rfDl4tTR0yOySPXCacb9aMt2pMPTEe0/
wU49wCefchfD2bsR3kXPpUqm+HbkHORpIwsMZfQO/8dooXYdiYUdzV9roXG6OGVQ
SsV/xR2lE3XrR71TBegfRnQirI8tj4psSor+yCj3qV936Oh31D96Z6P4glshibsG
ffWAO/TSdu5ZV+UVahh6bTozs+g+odUu/S48TeI1fk7lPlqwZdjoSHXUI2v1FAQ2
jSSywuZQxHlGhg6OeI052cxx3zcVyVVLFHhIrfvufNc3c3+KYhtyiSzBNYN1BrJi
xNXwlDS1jYWgRHkf9zbNBU0MLTYHjZZvO9Jpl/UhKKBdIvJFwmGmXS2lgU6slunJ
Ojp4tY1tbI520KOskV/OoqEfmhXh5fTlI3onzoK1aLqxk1d0d65ONcxqVbAG79RN
b0Q5PgewSOgFlcZ7tEIZKAWsWVhjlFTSGRujdZVM1vZB9fCJesemai7HU0e4J+Do
tqvss8I2n6TPxlTYFzQ4w12pIiOzx/8cFLX78NLN8wQFElhhczeuW5HDAnmPxYhQ
eLY0HgDCFSvVAvGXo0j1gcBUcOr/LzZSsJhxsB7FKyrUjlmD/7Y45WoKJj41bKL+
y4+iDhXyLBiqVClRijsguwiCkmPFiR7Bng2pglS0oIWPWu1UbTJWVJPfuUTOBC+M
4/2fBtgFjUz8iUISs9ncEKkERlxodBIu+ekgLJZAigSMvUKfGE1YB1AA9x96VLjd
VJSjjWvnhMEoSwNzlNQ9+dhoD5Cg9zicgIIKnHnovYGOu8g9ZWfvhJFrKZgkfLRv
r2KgkWiHWpf0swiyGUOlGJDe39nMMkoxib7XE/J3VI3na1ZUOIf8kl9kdHXJ0R3C
2IjdbfiFHEDOrakp5oeVf8BbLK7RB8OlxgJAS47Byh8j97U7f13A5ZYlK3bkZ7E4
h7mCJQozgWP81ut0d9WUlcKp5M8yg2ctZ7h4oeG4Js4ceHqd19Z4P+1xWKwXcdmV
+uhiTftevTu3/UhYQVV4ck98C9pursJJYL5hTnIIpTSWIR+jSahhtzUy/upjugPp
cKi6eGlOkcHdKNRtiu7/IZqni85fC8PAwPZ93SICdiq6BpGaGWFh046weIJuflSK
Pd76+M70YRd+pkaRjJyFJ3hLyg7W5mlOb1+yBIlXKzpbch9B5E4dRHCcOsg4+v/9
exRgAnvUIhR/GpSySDDwgKHg8rAyjjoGeZFH3TJIemAAimyaR608a9tCn7SxVobs
UQlZ9WwC0dQIEv7mSvSige3imbybPtCoBHJAqsJqKCFJEDWbIF5l2VYZcfJUYaEI
oZAJHYGnZm33yQ6eSOusXJ2SnnGZ+ZsGO4bDVSwN20FkSt11gN8Wjrki9CxeVQp7
dWbKX1r/lZw74yUB4cYN23hgLJsdqvM7THzwlBkVtgV74RGY0qv59ecBUSQedlSK
dkOnkmoCiGRSNyf+ebijQaygnfK0ArG5wiRF/RQWiPFj7S6DHRxIOrXqcmvhJ7Ly
NApn9pPYyoZEAbk82MAXkapZ5+YLIKLjdNsYuKq5xVty+mc+FfxLWmZGX+QQinra
Z9DfY9KQw4rxJ/ju4ILnDrygm/QBsNFXBojOuzOIULt7c26s3d/47T+IXA4SIX4v
cPqYa6S3PU/Yoe5/Ya3tFxXmBXgEgVLZuujMs7dyCOAqLEyBEHYqIclp+TElWQLR
V660fczVXeedfd2tNBy1IBj1vhGa9j5mZLbFwTczykwCFfihLIrxSEc1MQA4CaSX
-----END RSA PRIVATE KEY-----

The Public and Private keys is used to encrypt all Telnet/SSH connections and traffic to your server. Keep these key’s private.

fyi: Putty can create SSH Keys too

If you do not have a Linux computer or Linux server to generate keys the Putty generator can create keys too.

Puttygen generating a key based on the randomness of mouse movements.

I did not know Putty can create keys.

Do save the public and private key(s) that were generated in Puttygen (tip: PPK files are what we are after along with the public key later in this post).

Public keys are added to your server when you deploy them. On Linux, you can add new Pulic keys after deployment by adding them to this file “~/.ssh/authorized_keys” to allow people to log in.

Puttygen does format the keys differently than how Ubuntu generates them. Read more here. I’ll keep generating keys in Linux over Puttygen.

Output of the public and PPK files from Puttygen

Putty SSH Client on Windows

Putty is a free windows program that you can use to connect to serves via SSH. Download and install the Putty program.

Open Putty

Putty Icon

Default Putty User Interface.

Screenshot of the Putty Program

To create a connection add an exiting IP address (server name) and SSH port (22) to Putty.

Screenshot of an IP and port entered into putty

In Putty (note the tree view to the left of the image), You can set the auto login name to use to log into the remote server under the Connection the Data in the tree view item

Screenshot showing the SSH usename being added to putty under Connection then Data menu,

You can also set the username under the Connection then Rlogin section of Putty.

Set the usernmae undser rlogin area of putty

OK, lets add the private SSH Key to Putty.

Putty Screehshot showing no support for standard SSH keys (only PPK files)

It looks like Putty only supports PPK private key files not ones generated by Linux. I used to be able to use the private key in the VSSH program on OSX and add the private key to connect to the server over SSH. Putty does not allow you to use Linux generated Private keys directly.

Convert your (Linux generated) private key to (Putty) PPK format with Puttygen

Putty comes with a Key Generator/Converter, you can open your existing RSA private key and convert it (or generate a new one).

TIP: If you generate a key in Puttygen don;t forget to ad’d it to your authorized host file in your remote server.

Open Puttygen

Puttygen icon

Click Conversions than Import Key and choose the private key you generated in Linux

Screenshot showing import RSA key to convert

The private key will be opened

Screenshot of imported RSA key

You can then save the private key as a PPK file.

Save the private key as a PPK file
“server.ppk” Key contents (sample key)
PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: imported-openssh-key
Public-Lines: 12
AAAAB3NzaC1yc2EAAAADAQABAAACAQC7Xo9bOCXJ7gVjP8tKOxHVId3KTo5I0VRU
/kSRK3+mGd5VbDbQABo3tdWzYhzkjODzRS9TeL2dcLAQNNQKshi9IW5IGDS1NocS
CLFQId5BFr9s3E79fkWqcZkKmwocepXOOZ91EDKgIFxviOzZKe99sdxxMoZzi1nx
gVyXl4TnaelyiQxeKYniVs1iqDfYWQCxkKsmYit8TvGtOwrhLvKNh9362/y5ebpX
VdFlRuB83eF7k8RHNYCQyOJJVx4cwnTIsAN0GMOwjuaOZbp7rR1d6k7RZmaApNRT
baWOXy32UiBST5TV/jXF2UL/4IBnn+yvCrM0v79e/3omgjlVVKfWByFzMv/YlBKC
AX3xxtJQ9RkzTqseKupXmmJU0rik6Xuz31N2oyw4M7yJofSUGVCN0pnpKEvnKxqo
lfD9egdQy2XDaNioY7cvOO1qRegCKE0sDh1m5MzJWMhbDs7macSMyd6+0O5qWc/B
yHy0G/mVbd8kO4jIuEzEs4IFkPCToEZp7KfkY7KRkOhccLbQ4ApCesUfBtGGAN1f
33NnXCHae3Cx46nSd23fvgDZUVnjI47tNJH5Z8FNVlW/fp5Rgeu/aPUephnDX2IB
xwIKQOmSTDY+nxU4V+c93H1gSOJfvqYbVKIAXKyN9Yh6LC44ZvLrL4q0TC0QlH2+
kxMLnuj7zw==
Private-Lines: 28
DkpbM78GgGBSgfs9MsmZwDJj6HFXdoe+fCP1rLnwbE99mvU6Fbs23hXd+FsVdQbb
VR5tKTocV7tEwGjtLCHSTSF6gap0l4ww0Ecuvr/Dra2CJ2BsntyssBrWnlUT7OlA
M9zKQAzywAy4AHkph0YvH4l7BcJ5V1pUltm2JDTU6+iFqXDsstUUEDcQ4u0EalWU
EEsW+quNSwO0HBHvWY6N7tbiuEN9L+cFYIdsJEDfqM4hNi+7Ym+SQq5FOPyA6gXa
vhujsjPQAWI3TFxh7EIvsPDMCXxWHL6qaDvOMmPPTZDbEvm4nQ5Kax9jWacPILn7
ezc7ZAiZdDiFbkF3TLyuHx71mjChZgLoZLWYfXR3MBEEYnkNO/7oSMRUwDzEyWKW
ZgqdUtGg0cR+qWvaxQTDQsN/DjB7jGgnlreF92S8xSsbk5GgpZnTQ1V0cm3oecB+
+JP90K4Fi979gPWnwTfg6ZvmLUiVz3uBbvegkT9CVZhhZXSKq53H+SjTZfKBPrM9
NHGLkYr1WjToGR39LMrh4X3KChGewMFyuxtpkEQV60eCnHZBHgTco2A0yriRprOP
Ks4qJXOtZnsMYMesUDX9W5wLc4HcRvRh2UBPw/8bPz6mNrBk8j5SPIwBrPMIBejd
4IPoYezaEFKPg2bP7dn+Nftz5CGagcV2g+zhE615dsWzX1P7yu/1dTmz9LXaMmN6
d+zJE8TtjeaoW5NE1H3Flj9rknzJW7xQfokhS5hMkOg6J0AA6Pk13tupu8WHMkVB
x7nVu876f8tIbT8GzXCGgSl+zS7IJO3pt9T9QHIYa+T3oTIUqfBfK1WffUZwHMRn
Xn/VKUtIIIPiVfCtQuxSrTiJzQcoJ/yvfv62YAGv2LsDlBoHfXRdf6h3TCCCOVxT
WE45sbj3gJ1Cgjt1SEd/8A3hkstn2U2NKBI9gkB9H5BbDJoAXq6/4CkwaQvSEzs7
LK5btRlWop+7gqkyMPpgxv9li9IEDJ999ufMqxkFgOBkmkR5Si71elXRnwiKrjfU
Ce14iy7Dd7lb7IU9OEBjWFZlSigVEnc8klhGHDuxnojiW1ld7pUDIkAAbdTMOFON
abcpfNwcg5Y3l+1KwIQHuewAUuA9472jV4V9EAn7pJ7wgmYHbzMzg9Z9dM8h/3UI
axBzAW+cJM80gN+nZMbmDC9FkXV16GSuqC2iQUVGb2TIheAS7oCR+JFZFQNv0ytF
rGQ9K1wIGbMI4oDPcAid7DzrEXVl3d2x8MtwF/WzfHehVJD1h1uNwezLf1gBKyas
9GBfDOYwd8zgaL2H99GYD1Ba7TePJY81mx7m10eYdwDj1vCpboKE3cE6AyL7ki+4
Ix7GSzQs9NBckF9+8eVXe2T4Cc450hIoN0BWcxVUUdGCA1skZ1PczPs1z/ae4lxd
l5WmPy8Gyh7cnZpyqzvwAPSFDadkNP60eekfkRHyo4QyLhj7QZtO0kOgWhT3CHma
FjZ5jJu59U/4gc0TpQ8ra3vgKQKudloExsg027+34nR98dN+zzUj4S2C/J34W98C
DEEu/SO7nfW/a2UARXBKWCbS+3j24zHc9dbgX2tZoAoInUvRGiSOsLVsMhDiBoyb
wWoNxrKPR3Fi5zZ+GfDUgUGpZoW/b54KnFouIHBYbI41Gkh4vj6lxOGh/sb3SPHd
Wg6EN/0z/mer3bG0a2/ZHKYA5KGWRXWYvYLz4Je8fb/egBrSU6BztwSNeilzA9lI
J4BO7pzXECnWYutB14UxHw==
Private-MAC: 12298fa865ac574da81898252e83b812200cba59

Now the PPK key can be added to Putty for any server connection that uses the public key. Use the right key for the right server though.

Add the private key to a Putty server by clicking Connection, SSH, AUTH section and browing to the PPK file.

Screenshot showing the PPK key file added to Putty

Now we need to save the connection, click back on the Session note at the top of the treeview, type a server name and click Save

Save Putty connection.

Connecting to your sever via Telnet/SSH wiht Putty.

Once you have added a server name, port, usernames and private key to Putty you can double click the server list item to connect to your server.

You will see a message about accepting the public key from the server. Click Yes. This fingerprint will be the same fingerprint that was shown when you generated the keys (if not maybe someone is hacking in the middle of your local computer and server)

Putty messgae box asking to to remember the public key

Hopefully, you will now have full access to your server with the account you logged in with.

Screenshot of an Ubuntu screen after login

Happy Coding.

Alternatives to self-managed VM’s

I will always run self-managed server (and configure it myself) as its the most economical way to build a fast and secure server in my humble opinion.

I have blogged about alternatives but these solutions always sacrifice something and costs are usually higher and performance can be slower.

I am also lucky enough I can do this as a hobby and its not my day job. when you self manage a VM you will have endless tasks or securing your server and tweaking but its fun.

More Reading

Read some useful Linux commands here and read my past guides here. If you want to buy a domain name click here.

If you are bored and want to learn more about SSH Secure shell read this.

Related Blog Posts

  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Useful Linux Terminal Commands
  • Setup two factor authenticator protection at login (SSH) on Ubuntu or Debian
  • etc

Version: 1.1 Added MobaXterm link

Filed Under: 2FA, Authorization, AWS, Cloud, Digital Ocean, Linux, Putty, Secure Shell, Security, Server, SSH, Ubuntu, UpCloud, VM, Vultr Tagged With: Connecting, Putty, secure, server, Shell, ssh

How to install PHP 7.2.latest on Ubuntu 16.04

November 17, 2018 by Simon

How to install PHP 7.2.latest on Ubuntu 16.04/ Ubuntu 18.04/Debian etc/

I have a number of guides on moving away from CPanel, Setting up VM’s on UpCloud, AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. PHP is my programming language of choice.

PHP has a support page that declares the support date ranges and support types: http://php.net/supported-versions.php

PHP 7.0 going EOL

A version of PHP is either actively supported, security fix supported or end of life. Read this post to check WordPress for PHP compatibility.

From time to time vulnerabilities come up that require PHP updates to be applied.

Multiple flaw found in #PHP, most severe of which could allow arbitrary code execution

Affected Versions:
PHP 7.2 —prior to 7.2.5
PHP 7.1 —prior to 7.1.17
PHP 7.0 —prior to 7.0.30
PHP 5.0 —prior to 5.6.36https://t.co/TtiqXePoHu

Upgrade to the latest version of PHP immediately

— The Hacker News (@TheHackersNews) May 1, 2018

#PHP 7.2.12 has been released https://t.co/iNXGYTs0PX

— Neustradamus (@neustradamus) November 9, 2018

Source Link here

Advertisement:



I have guides on setting up PHP 7 here on Digital Ocean, here on AWS and here on Vultr. I have tried upgrading to PHP 7.1 in the past with no luck (I forgot to change something and rolled back to 7.0).

FYI: I have a guide on setting up PHP child workers so the output from some commands below may be different than yours. Here are the steps I performed to install PHP 7.2 alongside 7.0 then switch. to 7.2.

Backup your system

Do perform a Snapshot or Backup before proceeding. Nothing beats a quick restore if things fail.

Note: Use this information at your own risk.

Updating php 7.2.12 to 7.2.12

Update your Ubuntu systems

apt-get update && apt-get upgrade

Updating from an older php (e.g 5.x, 7.1, 7.1 to say 7.2.12)

Backup PHP

cd /etc/php
zip -r php7.0backup.zip 7.0/

Install Helper

This software provides an abstraction of the used apt repositories. It allows you to easily manage your distribution and independent software vendor software sources. More Info

apt-get install python-software-properties

Add the main PHP repo (more information)

add-apt-repository ppa:ondrej/php

Update the package lists

“In a nutshell, apt-get update doesn’t actually install new versions of the software. Instead, it updates the package lists for upgrades for packages that need upgrading, as well as new packages that have just come to the repositories.” from here

apt-get update

List Installed Packages (optional)

dpkg -l

Install PHP 7.2

apt-get install php7.2

Install common PHP modules

apt-get install php-pear php7.2-curl php7.2-dev php7.2-mbstring php7.2-zip php7.2-mysql php7.2-xml

Install PHP FPM

apt-get install php7.2-fpm

Update all packages (may be needed to update from php 7.2.4 to 7.2.5)

sudo apt-get upgrade

Edit your NGINX sites-available config

sudo nano /etc/nginx/sites-available/default
# I set: fastcgi_pass /run/php/php7.2-fpm.sock;

Edit your NGINX sites-enabled config

sudo nano /etc/nginx/sites-enabled/default
# I set: fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;

I edited these lines

location ~ \.php$ {
    ...
    fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    ...
}

Edit your PHP config (and make desired changes)

sudo nano /etc/php/7.2/fpm/php.ini

Edit your PHP pool config file (as required). See this guide here.

e.g.

> cgi.fix_pathinfo=0
> max_input_vars = 1000
> memory_limit = 1024M
> max_file_uploads = 8M
> post_max_size = 8M

sudo nano /etc/php/7.2/fpm/pool.d/www.conf

Make sure you set: listen = /run/php/php7.2-fpm.sock

Set PHP 7.2 as the default PHP

update-alternatives --set php /usr/bin/php7.2

Check your PHP version

php -v

Reload PHP

sudo service php7.2-fpm reload

Reload NGINX

nginx -t
nginx -s reload
/etc/init.d/nginx restart

Check the status of your PHP (and child workers)

sudo service php7.2-fpm status
● php7.2-fpm.service - The PHP 7.2 FastCGI Process Manager
   Loaded: loaded (/lib/systemd/system/php7.2-fpm.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-05-04 19:02:27 AEST;
     Docs: man:php-fpm7.2(8)
  Process: 123456 ExecReload=/bin/kill -USR2 $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 123456 (php-fpm7.2)
   Status: "Processes active: 0, idle: 10, Requests: 0, slow: 0, Traffic: 0req/sec"
    Tasks: 11
   Memory: 30.5M
      CPU: 10.678s
   CGroup: /system.slice/php7.2-fpm.service
           ├─16494 php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)
           ├─16497 php-fpm: pool www
           ├─16498 php-fpm: pool www
           ├─16499 php-fpm: pool www
           ├─16500 php-fpm: pool www
           ├─16501 php-fpm: pool www
           ├─16502 php-fpm: pool www
           ├─16503 php-fpm: pool www
           ├─16504 php-fpm: pool www
           ├─16505 php-fpm: pool www
           └─16506 php-fpm: pool www

Check your website.

Troubleshooting

Guides that helped me.

https://thishosting.rocks/install-php-on-ubuntu/

https://websiteforstudents.com/wordpress-supports-php-7-2-heres-how-to-install-with-nginx-and-mariadb-support/

Check your log files

tail /var/log/nginx/error.log

Debug FPM Service

systemctl status php7.2-fpm.service
● php7.2-fpm.service - The PHP 7.2 FastCGI Process Manager
   Loaded: loaded (/lib/systemd/system/php7.2-fpm.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2018-05-06 00:18:55 AEST; 7min ago
     Docs: man:php-fpm7.2(8)
  Process: 123456 ExecReload=/bin/kill -USR2 $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 123 (php-fpm7.2)
   Status: "Processes active: 0, idle: 10, Requests: 44, slow: 0, Traffic: 0req/sec"
    Tasks: 11
   Memory: 212.6M
      CPU: 12.052s
   CGroup: /system.slice/php7.2-fpm.service
           ├─438 php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)
           ├─441 php-fpm: pool www
           ├─442 php-fpm: pool www
           ├─443 php-fpm: pool www
           ├─444 php-fpm: pool www
           ├─445 php-fpm: pool www
           ├─446 php-fpm: pool www
           ├─447 php-fpm: pool www
           ├─449 php-fpm: pool www
           ├─450 php-fpm: pool www
           └─451 php-fpm: pool www

May 06 00:18:55 server systemd[1]: Stopped The PHP 7.2 FastCGI Process Manager.
May 06 00:18:55 server systemd[1]: Starting The PHP 7.2 FastCGI Process Manager...
May 06 00:18:55 server systemd[1]: Started The PHP 7.2 FastCGI Process Manager.

Remove PHP 7.0

sudo apt-get purge php7.0-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libaspell15 libauthen-pam-perl libc-client2007e libio-pty-perl libmcrypt4 librecode0 libtidy-0.99-0 libxmlrpc-epi0 linux-headers-4.4.0-109
  linux-headers-4.4.0-109-generic linux-headers-4.4.0-112 linux-headers-4.4.0-112-generic linux-headers-4.4.0-87
  linux-headers-4.4.0-87-generic linux-headers-4.4.0-96 linux-headers-4.4.0-96-generic linux-image-4.4.0-109-generic
  linux-image-4.4.0-112-generic linux-image-4.4.0-87-generic linux-image-4.4.0-96-generic linux-image-extra-4.4.0-109-generic
  linux-image-extra-4.4.0-112-generic linux-image-extra-4.4.0-87-generic linux-image-extra-4.4.0-96-generic mlock
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  php7.0-cli* php7.0-common* php7.0-curl* php7.0-fpm* php7.0-gd* php7.0-imap* php7.0-intl* php7.0-json* php7.0-mbstring* php7.0-mcrypt*
  php7.0-mysql* php7.0-opcache* php7.0-pspell* php7.0-readline* php7.0-recode* php7.0-sqlite3* php7.0-tidy* php7.0-xml* php7.0-xmlrpc*
  php7.0-xsl*

PHP 7.0 Removed 🙂

Remove other unused packages

sudo apt autoremove

At the time of writing (November the 18th 2018) PHP 7.2.12 is the latest version of PHP and PHP 7.3 will be out at the end of the year.

Good luck and I hope this guide helps someone

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.4 Updated the post to mention PHP 7.0 EOL

v1.3 Updated to add PHP 7.2.12 information

v1.2 PHP 7.2.9 and PHP 7.2 updates

v1.1 Remove PHP 7.0 steps

v1.0 Initial post

Filed Under: Patch, PHP, php72, Security, Ubuntu Tagged With: 16.04, 7.2.latest, How, install, on, php, to, ubuntu

Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App

October 28, 2018 by Simon

Here is a quick guide to show you how to add two-factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA authenticator app

I have a number of guides on moving away from CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line.

Why Secure WordPress

WordPress CMS is a widely targeted CMS for hackers. View the official WordPress stats on WordPress Version/PHP and MySQL Version. View WordPress vulnerabilities here.

Read the Sucuri 2017 report on reported WordPress Hacks here (spoiler 34,371 infected websites in 2017).

Plugins exist to secure and scan WordPress. Read my blog post here on the now-retired Gravityaity Scan plugin and the awesome WordFence security plugin.

You (and hackers) can scan your site with https://wpscans.com/ or other open-source tools like wp-scan from OWASP ZAP. If you manage a WordPress site I’d recommend you install Kali Linux to scan your site.

Running a wp scan in Kali Linux is easy.

wpscan --url https://fearby.com --debug-output 2> ~/Desktop/wpscan.txt

The output from the Kali Linux wpscan tool

WPscan tool in KaiLinux

What are Hardware YubiCo YubiKeys

Read my guide here to see what YubiCo YubiKeys are and how to use them.

Yubico YubiKeys

Get the Two-Factor Plugin for WordPress Plugin

Plugin: https://en-au.wordpress.org/plugins/two-factor/

Two-Factor

Plugin Page at WordPress.org

Two Factor Auth Plugin

The source code for this plugin is available (nice): https://github.com/georgestephanis/two-factor. This plugin was updated 2 weeks ago (nice).

Downloading the Plugin

FYI: I do not allow downloading or updating of plugins in WordPress (via FTP), I prefer SSH manual downloading. FTP plugin installation and updating are not allowed on my site.

I got the latest download URL (e.g. https://downloads.wordpress.org/plugin/two-factor.zip) by copying the URL from the download button above.

I connected to my server via SSH and navigated to my WordPress plugin folder

cd /your-www-root/wp-content/plugins

I download the plugin.

[email protected]:/your-www-root/wp-content/plugins# wget https://downloads.wordpress.org/plugin/two-factor.zip
--2018-10-28 14:44:27--  https://downloads.wordpress.org/plugin/two-factor.zip
Resolving downloads.wordpress.org (downloads.wordpress.org)... 198.143.164.250
Connecting to downloads.wordpress.org (downloads.wordpress.org)|198.143.164.250|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 47882 (47K) [application/octet-stream]
Saving to: 'two-factor.zip'

two-factor.zip                             100%[=======================================================================================>]  46.76K  --.-KB/s    in 0.001s

2018-10-28 14:44:27 (37.1 MB/s) - 'two-factor.zip' saved [47882/47882]

I extracted the plugin zip file

[email protected]:/your-www-root/wp-content/plugins# unzip two-factor.zip
Archive:  two-factor.zip
   creating: two-factor/
   creating: two-factor/assets/
  inflating: two-factor/assets/banner-1544x500.png
  inflating: two-factor/assets/banner-772x250.png
  inflating: two-factor/assets/icon-128x128.png
  inflating: two-factor/assets/icon-256x256.png
  inflating: two-factor/class.two-factor-core.php
   creating: two-factor/includes/
  inflating: two-factor/includes/function.login-header.php
   creating: two-factor/includes/Google/
  inflating: two-factor/includes/Google/u2f-api.js
   creating: two-factor/includes/Yubico/
  inflating: two-factor/includes/Yubico/U2F.php
   creating: two-factor/providers/
  inflating: two-factor/providers/class.two-factor-backup-codes.php
  inflating: two-factor/providers/class.two-factor-dummy.php
  inflating: two-factor/providers/class.two-factor-email.php
  inflating: two-factor/providers/class.two-factor-fido-u2f-admin-list-table.php
  inflating: two-factor/providers/class.two-factor-fido-u2f-admin.php
  inflating: two-factor/providers/class.two-factor-fido-u2f.php
  inflating: two-factor/providers/class.two-factor-provider.php
  inflating: two-factor/providers/class.two-factor-totp.php
   creating: two-factor/providers/css/
  inflating: two-factor/providers/css/fido-u2f-admin.css
   creating: two-factor/providers/js/
  inflating: two-factor/providers/js/fido-u2f-admin-inline-edit.js
  inflating: two-factor/providers/js/fido-u2f-admin.js
  inflating: two-factor/providers/js/fido-u2f-login.js
  inflating: two-factor/readme.md
  inflating: two-factor/readme.txt
  inflating: two-factor/two-factor.php
  inflating: two-factor/user-edit.css

Enable the Plugin

Don’t forget to update the plugin in WordPress.

Enable the Plugin in WordPress

Once the plugin is enabled I can setup Two-factor authentication

Edit your Users

To setup two-factor authentication open your WordPress users screen (/wp-admin/users.php).

WordPress Users List /wp-admin/users.php

Notice the Two-Factor column

Edit your desired user to enable two-factor login options

Scroll down to Two Factor Options header, you will see a QR code that you can scan with your two-factor authentication app (e.g Google Authenticator or YubiCo Authenticator).

Enable 2FA via plugin

Always generate and save backup codes in case you lose your YubiKeys or authenticator app.

You can enable authentication methods as required.

Add the code to your Authenticator app. I will add mine to my Yubico Authenticator app that requires the insertion of a physical YubiKey. I can read my YubiKey via NFC and use my mobile phone to generate one time passwords too. Read here to learn about YubiKey 2FA (touch) devices. I have secured my Ubuntu/Debian and macOSX with these keys,

TIP: Don’t forget to save the user after editing.

Add the YubiKey 2FA (touch) to WordPress logins.

While editing a user click Register New Key under Security Keys

Add the YubiKey 2FA to WordPress

Add your primary and backup YubiKey as required (I added both of mine).

Screenshot showing two YubiKeys added to WordPress.

Enable all desired 2FA options

  • Email (OFF)
  • Time based One-Time Password (Authenticator App) (ON)
  • FIDO Universal 2nd Factor (U2F) – YubiKey Insertion and touch (ON)
  • Backup Codes (ON)

Set all desired 2FA login methods

TIP: Don’t forget to save the user after editing.

Users Table

Aim to set up every user who has access to your WordPress to use 2FA.

Mobile 2FA login

I tested logos via mobile and I was prompted to tab my YubiKey to my phone. Nice.

What happens at login?

When One Time Password is enabled as the primary authentication method I am prompted for a one-time password after entering my username and password. I then need to insert my YubiKey (or tap the YubiKey to my phone (via NFC)) to generate a one time password.

Screenshot of 2FA login prompt

When FIDO is enabled I need to insert my YubiKey and press the button.

Enter Security Key

Conclusion

I can now secure my WordPress site with 2FA protections without expensive security plugins.

I hope this guide helps someone.

More

Read more here

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.1 Added Mobile login details

v1.0 Initial post

Filed Under: 2FA, 2nd Factor, Auth, Authorization, Blog, MFA, NFC, owasp, Security, SSH, Vulnerability, Yubico, YubiKey Tagged With: 2FA, add, and, app, auth, authenticator, factor, hardware, login, or, Protection, to, two, with, wordpress, Yubico, YubiKeys

Setup two factor authenticator protection at login on Ubuntu or Debian

October 14, 2018 by Simon

This is a quick post that shows how I set up two-factor authenticator protection at login on Ubuntu or Debian

Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Domain names for just 88 cents!

Now on with the post.

Backup

I ensured I had a backup of my server. This is easy to do on UpCloud. If something goes wrong I will rollback.

Sever Backup Confirmed

Why Setup 2FA on SSH connections

1) Firewalls or whitelists may not protect you from detection.

2) SSH authorisation bypass bugs may appear.

I’ve just relased libssh 0.8.4 and 0.7.6 to address CVE-2018-10933. This is an auth bypass in the server. Please update as soon as possible! https://t.co/Qhra2TXqzm

— Andreas Schneider (@cryptomilk) October 16, 2018

2FA authorisation is another lube of defence.

Yubico Yubi Key

Read my block post here to learn how to use the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software

Timezone

It is important that you set the same timezone as the server you are trying to secure two 2FA. I can run this command on Linux to set the timezone.

On Debian, I set the time using this guide.

dpkg-reconfigure tzdata

Check the time command

> timedatectl
> Local time: Tue 2019-06-25 16:45:20 UTC
> Universal time: Tue 2019-06-25 16:45:20 UTC
> RTC time: Wed 2019-06-26 02:37:44
> Time zone: Etc/UTC (UTC, +0000)
> Network time on: yes
> NTP synchronized: yes
> RTC in local TZ: no

sudo hwclock --show

I set the timezone

> sudo timedatectl set-timezone Australia/Sydney

I confirmed the timezone

> timedatectl
> Local time: Wed 2019-06-26 02:47:42 AEST
> Universal time: Tue 2019-06-25 16:47:42 UTC
> RTC time: Wed 2019-06-26 02:40:06
> Time zone: Australia/Sydney (AEST, +1000)
> Network time on: yes
> NTP synchronized: yes
> RTC in local TZ: no

I installed a npt time server

I followed this guide to install an NTP time server (failed at: ntpdate linuxconfig.ntp) and this guide to manually sync

I installed the Google Authenticator app

sudo apt install libpam-google-authenticator
sudo apt-get install libpam-google-authenticator

Configure Google Authenticator

Run google-authenticator and answer the following questions

Q1) Do you want authentication tokens to be time-based (y/n): Y

You will be presented with a token you can add to the Yubico Authenticator or other authenticator apps,

2FA Code

TIP: Write down any recovery codes displayed

Scan the code with your 2FA Authenticator app (e.g Google Authenticator, Yubico Authenticator or freeOTP from https://freeotp.github.io)

Scan 2FA Code

The 2FA code is now available for use in my YubiCo Authenticator app

Authenticator App Ready

Q2) Do you want me to update your “/root/.google_authenticator” file? (y/n): Y

Q3) Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n): Y

Q4) By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between the authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y: Y

Q5) If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n): Y

Review Google Authenticator Config

sudo nano ~/.google_authenticator

You can change this if need be.

sudo nano ~/.google_authenticator

Edit SSH Configuration (Authentication)

sudo nano /etc/pam.d/sshd

Add the line below the line “@include common-auth”

auth required pam_google_authenticator.so

Comment out the following line (this is the most important step, this forces 2FA)

#@include common-auth

Edit SSH Configuration (Challenge Response Authentication)

Edit the ssh config file.

sudo nano /etc/ssh/sshd_config

Search For

ChallengeResponseAuthentication

Set this to

yes

Ensure the following line exists

UsePAM yes

Add the following line

AuthenticationMethods publickey,password publickey,keyboard-interactive

Edit Common Auth

sudo nano /etc/pam.d/common-auth

Add the following line before the line that says “auth [success=1 default=ignore] pam_unix.so nullok_secure”

auth required pam_google_authenticator.so

Restart the SSH service and test the codes in a new terminal before rebooting.

TIP: Do not exit the working connected session and you may need it to fix issues.

Restart the SSH service a tets it

/etc/init.d/ssh restart
[ ok ] Restarting ssh (via systemctl): ssh.service.

If you have failed to set it up authenticator codes will fail to work.

Failed attempts

Further authentication required
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Verification code:
Using keyboard-interactive authentication.
Verification code:

When it is configured OK (at login SSH connection) I was prompted for further information

Further Information required
Using keyboard-interactive authentication
Verification Code: ######
[email protected]#

I am now prompted at login to insert a 2FA token (after inserting my YubiKey)

Working 2FA in Unix

Turn on 2FA on other sites

Check out https://www.turnon2fa.com and tutorials here.

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

V1.4 June 2019: Works on Debian 9.9

V1.3 turnon2fa.com

V1.2 ssh auth bypass

v1.1 Authenticator apps

v1.0 Initial Post

Filed Under: 2FA, 2nd Factor, Auth, Authorization, Code, Debian, Security, Ubuntu, UpCloud, Yubico, YubiKey Tagged With: app, at, authenticator, debian, factor, login, on, or, Protection, security, Setup, two, ubuntu, Yubico, YubiKey

Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software

October 4, 2018 by Simon

This post aims to show you how you can use a Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and other software and services.

Background

Although I am a developer I do like security related topics and I try and do as much as I can to secure my systems and applications. Reading the Multi-Factor Authentication Wikipedia page has all the details on Multi-Factor authentication.

I have been a big fan of 1Password to generate strong and unique passwords for separate accounts for a while now. Read my guide on upgrading from a standalone 1Password licence to a 1Password subscription. I love generating unique and complex passwords with 1Password.

Screenshot of the 1Password.com software generating a complex password with 63 chars

But what happens if someone gets access to my 1password vault? Yubico has a catalogue of support services that I can use Yubikeys with to have, 1password is one supported service 🙂

I want to add Yubico protections with these services.

  • macOS Logins (DONE)
  • macOS Screensavers (DONE)
  • 1Password (DONE)
  • Dropbox (DONE)
  • Twitter (DONE)
  • Google (DONE)
  • Google GSuite (DONE, WAITING TO VERIFY)
  • Google GMail (DONE)
  • Google Analytics and AdSense (DONE)
  • Github (DONE)
  • Thunderbird Email (DONE)
  • Debian servers in the cloud (SSH) (DONE)
  • Ubuntu servers in the cloud (SSH) (DONE)
  • Securing WordPress (DONE)

Etc

Final Warning

Do not attempt to activate Two Factor Authentication on a system unless you…

  • A) Have backups of your data
  • B) Have backup methods of getting into your account(s)

Murphy’s Law: “Anything that can go wrong will go wrong”

You never know when a Two Factor Authentication Key may die or an Authenticator app or a Mac/PC may stop working so always have a backup method just in case.

General

General Yubico YubiKey Setup guides https://www.yubico.com/setup/

Buying a Yubico YubiKey

International visitors can buy a YubiKey from the official store here. Australian readers can buy a key locally here. I grabbed 2x YubiKey YubiKey Neo 4 (with NFC) for $50 USD (about $75 AUD) each.

This blog post will aim to show how you can set up a primary key and backup key for use on macOS and other apps to add hardware-based two-factor authentication to logins.

Authenticator Apps

You can use Google Authenticator, Yubico Authenticator or freeOTP from https://freeotp.github.io

Plugging the YubiKey into macOS Mojave

First I read this guide: https://www.yubico.com/works-with-yubikey/catalog/macos/

1) I plugged in my Yubico Neo key into my USB slot.
2) I closed the Keyboard setup window that appeared (I guess the YubiKey is a kind of a keyboard to allow inserting of challenge-response character streams into apps and websites).

Picture of macOS Mojave wrongly detecting the eYubiKey as a keyboard device type.

3) I followed the basic troubleshooting page and confirmed that the key was being detected (yes it was.)

macOS device list showing the Yubico YubiKey was detected

4) I followed this guide to test U2F functionality and this guide to test OTP functionality. Web pages and Google Chome can talk to the plugged-in YubiKey(s).

I was prompted to register a UTF deice (and create an account)

Register a Device

I was prompted to (insert) and touch my Yubico key.

picture of the browser asking me to insert my YubiKey

Google Chome asked for some permissions first.

FYI: Chrome 67 is recommended to securely allow the reading of UbiKey’s from web pages. Only allow sites you trust access to your USB devices and use a modern browser.

Picture of Google Chrome browser asking for permissions to read the inserted YubiKey

Success, Chrome could now see my YubiKey and my device was now verified.

Picture showing YubiKey registration success in a browser

Technical data is available to let you know what is going on in the background. I am not going to break down how this works but Yubico has in-depth whitepapers and documentation if you are interested.

Nice

Configuring OSX

I logged into my Mac with the account that I was going to secure.

I performed a complete time machine backup before proceeding. If you lock yourself out you will need to restore OSX from a Time Machine backup.

I Read the “Using Yubico Pluggable Authentication Module (PAM) with Challenge-Response” login guide: https://www.yubico.com/wp-content/uploads/2016/07/yubico_YubiKeyMacLoginGuide_en.pdf

I downloaded the Download the YubiKey Manager

I downloaded the yubikey-manager from here so I could configure the keys to use “HMAC-SHA1 Challenge-Response”.

Oops, I downloaded the wrong tool, good to know this one exists though.

Screenshot of the Yubikey Manager Software showing firmware update and OTP configuration settings

I will update what this tool does in future (update firmware?)

I Downloaded the Yubikey Personalization Tool

I went back to the Yubico download page and downloaded the Personalization tool.

Picture of the Yubico Personalisation tool showing it's available software options

Many options are available here.

It’s time to configure a primary and backup (duplicate YubiKey) for use with macOS etc.

Enable Challenge-Response

I opened the YubiKey Personalization Tool, Inserted my primary key, clicked the Settings tab, and in the Logging Settings group, selected Log configuration output and Yubico format.

I then clicked on the Challenge Response Tab, clicked the HMAC-SHA1 button, selected Configuration Slot 2, ticked “Program Multiple YubiKeys“, changed the “Parameter Generation Scheme = Same for all Keys“, Selected “Fixed 64 byte input” under “HMAC-SHA1 Parameters” and generated a new key (wrote it down).

Under “Configuration Protection” then I selected Enable Protection” I then visited here and generated a 6 digit string to convert to hex array (with spaces (e.g: “70 61 73 73 77 64”)).

Warning: If you set an access code and later forget it, you cannot make any programming changes to this YubiKey. You would need to buy another YubiKey.

I clicked on Write Configuration

If you chose Configuration Slot 1 you will receive a warning about not saving over Configuration Slot 1 due to Yubico VIP/Symantec, I personally do not trust Symantec or the https://vip.symantec.com/ service due to Symantec issuing non-compliant certificates for use on websites. Yubico allows you to swap configuration slots if want to keep the configuration data.

YubiCo Prompt asking for permissions to overwrite slot 1

On the output of the first write, I was prompted to save a file. I saved this to “secretkey.csv” onto the Desktop.

Screenshot of save configuration to CSV

When the write to my primary key was successful, I ejected it then inserted my backup key and wrote the same configuration data to it too (on Configuration Slot 2).

Screenshot of a list view showing the successful Write of information to two keys

Testing the HMAX-SHA1 Challenge

I open the YubiKey Personalization Tool, then click the Tools tab and click Challenge Response. Choose Configuration Slot 2, I selected HMAC-SHA1. I typed a sample input challenge (e.g “hello world”) and clicked Perform.

I noticed the Yubico key touch panel was flashing. I pressed the button, then a response appeared below the input textbox. I copied this response text then insert your second key and perform the same test so I could compare the responses (they should be the same). They were.

If the responses don’t match rewrite the configuration to your primary and secondary keys and ensure the same key and secret was used for both keys.

FYI: I rewrote configuration a few times until I got it right.

Installing the Pluggable Authentication Module (PAM) on macOS

I re-read the Mac login guide here as I don’t want to lock myself out of my Mac.

I opened the Yubico Software Download page here and clicked Computer Login Tools and downloaded the PAM for Mac.

Screenshot of the YubiCo PAM Module download page

I installed the PAM package and verified the package installation with this command.

ls -al /usr/local/lib/security

Output:

Screenshot of the PAM Module Installed (ls on a folder)

Text Output:

> drwxr-xr-x 3 root wheel 96 9 Oct 10:29 .

> drwxrwxr-x 74 simon admin 2368 9 Oct 10:29 ..

> -rwxr-xr-x 1 root wheel 143172 20 Apr 21:13 pam_yubico.so

Backup macOS

Again I ensured my Mac was backed up with Time Machine.

Screenshot of backing up my Mac with Time Machine

I logged in to my Mac with the account I wanted to be protected with the Yubico YubiKeys.

I ran the following command in terminal

mkdir –m0700 –p ~/.yubico

I double checked that my Yubico key(s) were set up for challenge response (above).

I inserted my Uubico key and ran this command

ykpamcfg -2

Feel free to read the “ykpamcfg” manual here. The yubico-pam source code is located here.

Output:

Screenshot of the output of ykpamcfg -2

The contents of “/Users/simon/.yubico/challenge-#######” looked like (I replaced 232 random chars with #’s below). The filename ended with my keys serial number.

v2:########################################################################################################################################################################################################################################:10000:2

Next, I was supposed to copy the challenge output from ykpamcfg to /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER] with this command..

sudo cp /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER] /Users/[USERNAME]/.yubico

But I had this error.

No such file or directory

Weird as the source file existed?? macOS issues?

I Opened /Users/[USERNAME]/.yubico/challenge-[YUBIKEY SERIAL NUMBER] in the nano editor (sudo elevated process) and saved the file to /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER].

I reopened my terminal and verified the contents of /var/root/.yubico/challenge-[YUBIKEY SERIAL NUMBER]. The file is now there.

Permissions on the file is “-rw——-“. Good.

I inserted my second backuP key and re-ran “ykpamcfg -2” and copied the file to “/Users/simon/.yubico”

I verified the file contents

sudo cd /var/root/.yubico/
ls -al

Output

ls -al output of /var/root/.yubico/

Text Output:

> drwxr-xr-x 4 root wheel 128 9 Oct 09:50 .
> drwxr-x— 12 root wheel 384 9 Oct 09:39 ..
> -rw-r–r– 1 root wheel 244 9 Oct 09:50 challenge-#######
> -rw-r–r– 1 root wheel 244 9 Oct 09:42 challenge-#######

Snip from: https://www.yubico.com/wp-content/uploads/2016/07/yubico_YubiKeyMacLoginGuide_en.pdf

“Program at least two YubiKeys when implementing a requirement for authentication with a YubiKey on your Mac. If you configure only one YubiKey and something happens to the YubiKey, you must restore the Mac from a Time Machine backup that you created before editing the authorization file before you can log back in to your account. ”

Reading the guide regarding multiple accounts (setting up a Key for each login). I have 5 logins on my Mac but when this works I will disable the other accounts from logging in.

Enable the use of the Yubico key when the screensaver is deactivated on macOS

I opened a terminal and edited “/etc/pam.d/screensaver ” (I use the easier nano editor)

sudo nano /etc/pam.d/screensaver

I added this line

auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response

auth[7 spaces]required[7 spaces]/usr/local/lib/security/pam_yubico.so mode=challenge-response

editing /etc/pam.d/screensaver added auth required /usr/local/lib/security/pam_yubico.so mode=challenge-response

I saved the file ( [CTRL+O], [CTRL+X] ) and exited nano.

I tested my screensaver and no extra protection was provided (the screensaver just exited).

I rebooted, still no change?

I reinstalled the PAM module.

Silly me, I needed to enable the password on the screensaver to then activate the /etc/pam.d/screensaver entries.

I enabled the screensaver passwordsEnable screensaver password in macOS

I am now prompted to enter my password and inset and tap my Yubico Key on screensaver exit (on both keys). Awesome.

Next, I need to enable this at macOS login.

Enable the use of the Yubico key at macOS Login

I edited /etc/pam.d/authorization file with nano in the terminal

sudo nano /etc/pam.d/authorization

I added the same line as was added to the file /etc/pam.d/screensaver

auth       required       /usr/local/lib/security/pam_yubico.so mode=challenge-response

auth[7 spaces]required[7 spaces]/usr/local/lib/security/pam_yubico.so mode=challenge-response

/etc/pam.d/authorization

I saved the file ( [CTRL+O], [CTRL+X] ) and exited nano.

Now let’s log out and test this.

It’s working.

Excellent

Add Two Factor Authentication to 1Password

Here is a guide on using the Yubico YubiKey with 1Password. This directed me to https://support.1password.com/yubikey/

I downloaded the Yubico Authenticator app on macOS and installed it.

Authenticator app

After I inserted my primary Key I received a “No Credentials Found”message.

No Credentials Found

I logged into https://my.1password.com/signin and clicked My Profile.

I clicked More Actions then Turn On Two-Factor Authentication

Enable 1Password Two Factor Auth

I added the generated QR code details to the Android Authenticator and macOS Yubico Authenticator app. At first, I could not scan the QR code in macOS (was Mojave blocking this?), I manually entered the details (after confirming them from the Android app QR code scan).

Details:

  • Issuer: 1Password
  • Account Name: my.1password.com
  • Secret Key: ###################
  • Time: 30
  • Algorithm: SHA-1
  • Period: 30
  • Digits: 6

Add 2nd Factor Details

Now, 1Password web and the desktop app are asking for the 2-factor code (generated in the Yubico Authenticator app after I insert my YubioKey).

Nice

2 Factor Auth enabled on 1password

I logged off and I was not prompted for my Two Factor code?

Snip from: https://support.1password.com/two-factor-authentication/

“Your 1Password account is now protected by two-factor authentication. From now on, you’ll need to enter a six-digit authentication code from your authenticator app when you sign in to 1Password on a new device.”

I logged in to 1Password from Google Chrome on Android and indeed I was prompted for a two-factor auth code form the Yubico Authenticator app (with a KubiKey inserted).

2nd Factor prompted on new devices

Add Two Factor Authentication to Dropbox
I read https://www.yubico.com/works-with-yubikey/catalog/dropbox-personal/. Dropbox also has setup instructions here.

I logged into Dropbox and went to Settings then Security then clicked Add next to Security Keys

Dropbox 2 factor auth

I started the Wizard, entered my Dropbox password, then inserted my YubiKey.

Add YubiKey to Dropbox

Name the Key

Name the YubiKey

I added my Primary and Backup Key(s)

Added Two Keys

I logged out and back in and no Security Key prompt?

I am using Chrome and had cleared past browsers from the Dropbox list of web browsers at https://www.dropbox.com/account/security

I discovered that I need to set the primary authentication method to Use Mobile App (My Bad, it would be nice if Dropbox set this as default after I added the keys).

Set Primary Method of Two Factor Auth

I added the Dropbox QR code to the Yuboico Authenticator app

Add Dropbox Two Factor Auth to Authenticator

I was asked to enter a 6 digit code from my Yubico Authenticator app to verify the working link. I inserted my YubiKey into my machine to show the code.

Now Dropbox is configured 🙂

Dropbox is configured

Success

I now have to insert my primary key when logging into Dropbox

Dropbox now demands a YubiKey is inserted
I need to find a way to copy my Authenticator credentials to my Backup Key from my Primary key

Authenticator Credential not on both keys

Add Two Factor Authentication to Twitter

I read https://www.yubico.com/works-with-yubikey/catalog/twitter/ (Setup Instructions)

1) Login to Twitter

2) Open your Settings and Look For Security

Twitter Security

3) Click Start

Start Wizard

4) Enter Your Password

5) Accept and enter any SMS codes if you set up SMS Two Factor codes via SMS

6) Click “Review your login verification methods”

Review Login Methods

7) Click “Setup Key”

Setup Key

8) Insert Your YubiKey and follow the prompts to activate it.

Insert Key

9) Now the key will be requoted to log in to Twitter

Activated Key

Testing Two Factor Login to Twitter

I logged out of and back into Twitter but the SMS Two Factor Authentication method was still active?

SMS Two Factor Still Activated

I tried to disable the SMS method in Twitter but two factor was disabled altogether and the registered key was deleted. I re-added my key 🙁

I solved this by choosing “Choose a different verification method” when logging in then choosing “Use your security key“, Twitter then accessed my YubiKey and further login attempts used the key instead of SMS 🙂 I could use an Authenticator code but they YubiKey touch method is quicker.

Alternate Two Factor Options

Done

It would be nice if Twitter allowed multiple keys to be used to log in?

Add Two Factor Authentication to Google, Google cloud, Gsuite etc

I read https://www.yubico.com/works-with-yubikey/catalog/google-accounts (Instructions https://myaccount.google.com/).

Adding two Factor authentication details to Google was not easily accessible at Google so I Googled (lol) this https://support.yubico.com/support/solutions/articles/15000006418-using-your-yubikey-with-google

I loaded: https://myaccount.google.com/signinoptions/two-step-verification/enroll-welcome

I clicked Get Start

Add Two Factor to Google Get Started

I clicked Choose Another Option (not SMS Two factor)

Add Other Two Factor

Clicked Security Key

Add Security Key

As prompted I inserted my key and allowed access to it.

Insert Key

I named the Key

Name the key

I repeated the steps and added my 2nd key.

Add 2nd Key

Done

I logged out my https://myaccount.google.com and logged back in and I was prompted to insert my YubiKey

Insert YubiKey

Nice

I did try and login to my google GSuite account at https://admin.google.com but it did not prompt me to insert a key. I will do this next.

Add Two Factor Authentication to GSuite

I logged into the GSuite admin interface at https://admin.google.com/ I generated some backup codes in case I need them in the future.

I checked my main admin user account and I could see the 2 google security keys synced through from Google.

Check Securiy Keys

I then searched GSuite for “Two Factor” and loaded the “Enforcement” Page

I enabled “Turn On Enforcement Now”

I enabled “Only Security Keys”

I logged out and back into https://gsuite.google.com/ TWICE and no security key prompt.

Silly me: I forgot to click save at the bottom of the screen and it appears there is a 24-hour delay?

Don't forget to press save

Add Two Factor Authentication to GMail

This is already done (above), GSuite email takes up to 24 hours to become active, GMail is instant.

Gmail two factor auth working.

Add Two Factor Authentication to Google Analytics

I can’t see an option to turn Two Factor Auth on in Google Analytics 🙂

I did send feedback to the Google Analytics team.

Adsense Feedback

Add Two Factor Authentication to Google Adsense

I can’t see an option to turn Two Factor Auth on in Google Adsense either 🙂

I did send feedback to the Google AdSense team.

No AdSense 2FA

Add Two Factor Authentication to Github

I logged into Github, opened my Settings and clicked Security then Enable two-factor authentication

GitHub

Click Setup using an app save the recovery codes.

Open the Yubico Authenticator app (ensure you can see the QR Code in GitHub)

In the Yubico Authenticator, App click File then Scan QR Code

The GitHub details should be added to the Authenticator

Authenticator App

Two Factor via authenticator tokens is enabled and now I can see a Keys options,

Add Keys

I clicked Add next to security keys then Register New Device, I gave the key a name then clicked Add.

Add 2 Keys

I added both keys then I Logged out and back in and two factor was enabled by YubiKey 🙂

Two Factor Enabled

Add Two Factor Authentication to Debian servers in the cloud (SSH)

Read Setup two-factor authenticator protection at login on Ubuntu or Debian

Add Two Factor Authentication to Ubuntu servers in the cloud (SSH)

Read Setup two-factor authenticator protection at login on Ubuntu or Debian

YubiKey Support

There are loads of Yubico support articles here: https://support.1password.com/yubikey/

Yubico Developer Info

A GitHub repository of source code is located here: https://github.com/Yubico

Other developer related pages here

      • https://developers.yubico.com/FIDO2/
      • https://developers.yubico.com/OTP/
      • https://developers.yubico.com/U2F/
      • https://developers.yubico.com/OATH/
      • https://developers.yubico.com/PGP/
      • https://developers.yubico.com/PIV/
      • https://developers.yubico.com/YubiHSM2/
      • https://developers.yubico.com/Software_Projects/

Securing WordPress

Read this guide on Securing WordPress with 2FA (YubiKey insertion or Authenticator app).

I found a good WordPress plugin to handle 2FA logn methods.

Set all desired 2FA login methods

I am prompted to insert my YubiKey after logging into WordPress.

Nice

Java Code to use the Yubico YubiKey in software (challenge mode)

todo: I will add this section soon.

Yubico has Java repository that contains a Java library with an accompanying demo server, as well as a JAAS module, to validate YubiKey OTP’s (One-Time Passwords).

https://developers.yubico.com/yubico-java-client/

PHP Code to use the Yubico YubiKey in software (challenge mode)

todo: I will add this section soon.

Yubico has PHP library ad source code but it has not been updated in 3 years. I cannot get this working on PHP 7.2.

https://github.com/Yubico/php-yubico

Using Yubico YubiKeys as 2fA with one-time Passwords.

The YubiKeys can be used to store and generate one time passwords.

Read more about 2fa here

  • twofactorauth.org
  • turnon2fa.com/tutorials

Here is a good plugin to tell you what sites use 2fa as you browse: https://2fanotifier.org

I have used my YubuKeys to store dozens of 2fa One time password son sites

e.g Namecheap

Namecheap enable 2fa

I enabled 2fa OTP (over phone/SMS 2fa) at Namecheap

2fa enabled at namecheap

Recovery info and backup

Always setup, and obtain backup access codes (or set alternate two-factor login methods) to software and know how you can disable YubiKey 2FA logins if needed.

Read more on YubiKey data backup policy here.

Copy Yubico Authenticator credentials to my Backup Key from my Primary Key

My Primary and Secondary YubiKeys have different Authenticator credentials (I need to sync them)

Authenticator Credential not on both keys

Set a YubKey Password (Yubico Authenticator App)

You can set a YubiKey Password so limit access to Two Factor Linked Accounts in the Yubico Authenticator. Nice.

      1. Open the Yubico Authenticator App
      2. Insert your YubiKey
      3. Open the File then Set Password Menu
      4. Click Set Password

Now when you insert the YubiKey you will be prompted for a password Before Two Factor tokens are displayed.

Set Yubico Password

Find a YubiKey Device Quiz

Use this quiz to find the right YubiKey for you: https://www.yubico.com/quiz/

Final Warning

Do not attempt to activate Two Factor Authentication on a system unless you…

  • A) Have backups of your data
  • B) Have backup methods of getting into your account(s)

Murphy’s Law: “Anything that can go wrong will go wrong”

You never know when a Two Factor Authentication Key may die or an Authenticator app or a Mac/PC may stop working so always have a backup method just in case.

Issue(s)

Thunderbird email on Google Chrome (accessing GSuite) is not accepting the key.

It is prompting…

Thunderbird prompting for the key

But it is not recognising the key (no matter how many times I insert or press the key)?

Key not detecting in Thunderbird

It appears Thunderbird 52 may not support keys yet, May have to wait until release 60.

I installed Thunderbird 63 (BETA) from https://www.thunderbird.net/en-US/channel/

Installed Thunderbird 63 BETA

After I installed Thunderbird it asked for my Security Key, accepted it and asked for further permissions.

Thunderbord a63 beta asking for permissions

I can now read my email in Thunderbird with my YubiKey

Update: June 2019

1Password now allow you to setup 2FA (authenticator app or YuiKey leys (or both)) authentication on your 1Password login. Read the official post here.

Goto https://my.1password.com/profile/2fa to setup 2FA.

You can setup 2FA (authapp and or hardware keys)

1Password set 2fa

You will be notified by email if a 2FA method is setup.

Email alert about 2fa

You will need to sign out and back into your apps web, Desktop and Mobile.

Web Signin

desktop Signin

You will need to insert and press your hardwre key.

Press 2FA Key

And enter your 2FA code

Enter 2fa otp code

Mobile app login

Enter 2fa code on mobile app loginb]

I used my YubiCo Authentocator app to get the temporary OTP.

Get OTM from auth app

You can remove previous logged in devices from accessing your data or force them to reqire 2FA at next login

de Auth existing defices

Nice

Links

YubiCo Device Comparison Chart: https://www.yubico.com/products/yubikey-hardware/compare-yubikeys/

Email Subscription form YubiCo: https://pages.yubico.com/email_subscription.html

Conclusion

Thunderbird issues (solved by installing a BETA).

Not all apps have the same method (some have Authenticator App only) and some have YubiKey Insert/Touch, some allow one key or multiple keys.

The only issue is my Huawei Mate 9 phone is a little flakey at reading NFC (fixed: I just have to tap for 5 seconds)

I have attached the YubiKeys to a dog chain’s and they live around my neck.

dog_clains

Version History

v1.1 Added authenticator/Namecheap 2fa info.
v1.0.1 YubiKey Backup Policy and comparison chart
v1.0.0 WordPress
v0.8.1 authenticator apps
v0.8.0 Draft: Debian/Ubuntu and many other changes
v0.7.0.1 Draft: Issue – Thunderbird Issue Solved
v0.7.0 Draft: Issue – Thunderbird Issue
v0.6.9 Draft: Protected GitHub
v0.6.9 Draft: Unable to Protect Google AdSense and Analytics
v0.6.8 Draft: Protected Google Gmail (https://gmail.com)
v0.6.7 Draft: Protected Google GSuite (https://gsuite.google.com/ and https://admin.google.com/)
v0.6.6 Draft: Protected Google (https://myaccount.google.com/)
v0.6.5 Draft: Protected Twitter
v0.6 Draft: Set a YubKey Password (Yubico Authenticator App)
v0.5 Draft: Sync Authenticator credentials?
v0.4 Draft: Protected Dropbox
v0.3 Draft: Protected 1Password
v0.2 Draft: Protected macOS Login
v0.1 Draft: Protected macOS Screensaver

Filed Under: 2FA, Auth, MFA, NFC, Security Tagged With: and, authentication, device, hardware-based, improve, logins, NEO, OSX, software, the, to, two-factor, Using, Yubico, YubiKey

No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider

August 5, 2018 by Simon

No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider

Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Domain names for just 88 cents!

Now on with the post.

Murphy’s Law

I recently had an issue where I set up a website for a friend. I invested 6 hours into setting up..

I setup…

  • Debian OS
  • NGINX Web Server
  • MySQL Database
  • PHP 7.2
  • PHP-FPM Child Workers
  • HTTPS Certificate
  • Security (Firewall/Headers/SSH, WordPress, Plugins etc).
  • Installed WordPress and Plugins
  • Setup DNSSEC
  • Etc

I had tested GTMetrix scores = less than 1 second.  Security headers were tested and I was happy with the site.

The server and backups were automatically deleted after 7 days while I was away from my keyboard because I assumed the account was valid and had credits.

Lesson Learned

  • Always have a backup (of the server, setup/ www, MySQL etc).
  • Script setups (Ansible, Puppet or Scripts) to sate time redeploying if need be.
  • Backups are not always available.
  • Do have setup documented (Check)
  • Do have a disaster plan

I have guides on setting up a server on UpCloud, AWS, Vultr, Digital Ocean but setting up can be rather repetitive so how can you prevent resetting up servers?

Why Plan for the Worst

  • Companies disappear.
  • Some hosts go down.
  • Some hosts have weird trial modes and internal process that could take your site down.
  • Human error?
  • Murphy’s Law

How I will prevent this in future

  1. I am building a Java desktop app for Windows/OSX/Linux app that will deploy and set up on UpCloud/Vultr/Digital Ocean providers and allow for 1 click deploy and backup and restore.
  2. I am going to re-establish replication between servers with RSync etc.
  3. I am going to start to automate installs and environments.
  4. I am going to set up a hot (ready to go) Green/Blue mirrored environments (www and DB server) on different providers in case of emergency. Then I can set the active live servers with DNS (blog posts soon).
  5. Consider a server farm (same provider or different providers)

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.0 Initial Post

Filed Under: Backup, Disaster Recovery, Restore, Security, Server, VM Tagged With: a, are, different, have, hot, I, matter, No, on a, provider, ready, recommend, server-provider, spare, strongly, Using, what, you

  • Go to page 1
  • Go to page 2
  • Go to page 3
  • Interim pages omitted …
  • Go to page 5
  • Go to Next Page »

Primary Sidebar

Poll

What would you like to see more posts about?
Results

Support this Blog

Create your own server today (support me by using these links

Create your own server on UpCloud here ($25 free credit).

Create your own server on Vultr here.

Create your own server on Digital Ocean here ($10 free credit).

Remember you can install the Runcloud server management dashboard here if you need DevOps help.

Advertisement:

Tags

2FA (9) Advice (17) Analytics (9) App (9) Apple (10) AWS (9) Backup (21) Business (8) CDN (8) Cloud (49) Cloudflare (8) Code (8) Development (26) Digital Ocean (13) DNS (11) Domain (27) Firewall (12) Git (7) Hosting (18) HTTPS (6) IoT (9) LetsEncrypt (7) Linux (20) Marketing (11) MySQL (24) NGINX (11) NodeJS (11) OS (10) PHP (13) Scalability (12) Scalable (14) Security (44) SEO (7) Server (26) Software (7) SSH (7) ssl (17) Tech Advice (9) Ubuntu (39) Uncategorized (23) UpCloud (12) VM (44) Vultr (24) Website (14) Wordpress (25)

Disclaimer

Terms And Conditions Of Use All content provided on this "www.fearby.com" blog is for informational purposes only. Views are his own and not his employers. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. Never make changes to a live site without backing it up first.

Advertisement:

Footer

Popular

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Add Google AdWords to your WordPress blog

Security

  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • Setting up DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare
  • Set up Feature-Policy, Referrer-Policy and Content Security Policy headers in Nginx
  • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
  • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
  • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
  • Beyond SSL with Content Security Policy, Public Key Pinning etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Run an Ubuntu VM system audit with Lynis
  • Securing Ubuntu in the cloud
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider

Code

  • How to code PHP on your localhost and deploy to the cloud via SFTP with PHPStorm by Jet Brains
  • Useful Java FX Code I use in a project using IntelliJ IDEA and jdk1.8.0_161.jdk
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider
  • How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic
  • Installing Android Studio 3 and creating your first Kotlin Android App
  • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
  • How to use Sublime Text editor locally to edit code files on a remote server via SSH
  • Creating your first Java FX app and using the Gluon Scene Builder in the IntelliJ IDEA IDE
  • Deploying nodejs apps in the background and monitoring them with PM2 from keymetrics.io

Tech

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Is OSX Mojave on a 2014 MacBook Pro slower or faster than High Sierra
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • The case of the overheating Mac Book Pro and Occam’s Razor
  • Useful Linux Terminal Commands
  • Useful OSX Terminal Commands
  • Useful Linux Terminal Commands
  • What is the difference between 2D, 3D, 360 Video, AR, AR2D, AR3D, MR, VR and HR?
  • Application scalability on a budget (my journey)
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.

Wordpress

  • Replacing Google Analytics with Piwik/Matomo for a locally hosted privacy focused open source analytics solution
  • Setting web push notifications in WordPress with OneSignal
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Wordfence Security Plugin for WordPress
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
  • Moving WordPress to a new self managed server away from CPanel
  • Moving WordPress to a new self managed server away from CPanel

General

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Using the WinSCP Client on Windows to transfer files to and from a Linux server over SFTP
  • Connecting to a server via SSH with Putty
  • Setting web push notifications in WordPress with OneSignal
  • Infographic: So you have an idea for an app
  • Restoring lost files on a Windows FAT, FAT32, NTFS or Linux EXT, Linux XFS volume with iRecover from diydatarecovery.nl
  • Building faster web apps with google tools and exceed user expectations
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..

Copyright © 2023 · News Pro on Genesis Framework · WordPress · Log in

Some ads on this site use cookies. You can opt-out if of local analytics tracking by scrolling to the bottom of the front page or any article and clicking "You are not opted out. Click here to opt out.". Accept Reject Read More
GDPR, Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT