By Kernel 7 On August 9th, 2013
This guide assumes you already have the following:
+ Linux RPM-based system
+ NTP Synchronization
+ Internet Access for “Google Authenticator” API
[1] Install pre-requisites for “Google Authenticator”:
yum install gcc pam-devel subversion python-devel git
[2] Install Google Authenticator PAM module:
mkdir /tmp/google-authenticator
cd /tmp/google-authenticator/
git clone http://code.google.com/p/google-authenticator/
cd google-authenticator/libpam/
make && make install
[3] Set up SSH’s PAM to use Google Authenticator:
vi /etc/pam.d/sshd
At the beginning of the file, add:
auth required pam_google_authenticator.so
vi /etc/ssh/sshd_config
Set the following options:
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication no
service sshd restart
[4] Set up Google Authenticator for any user that will have access to the system (e.g. jdoe):
su - jdoe
google-authenticator
+ Note your “Secret Key”, “Verification Code”, and “Scratch Codes”.
+ Answer “y”, “y”, “n”, “y”.
[5] Test SSH Login with the user configured (e.g. jdoe):
+ Set up the Google Authenticator on your Smart Phone
+ Launch an SSH session to login with “jdoe”
+ Enter the Verification Code from Google Authenticator (Smart Phone)
+ Enter your Linux password
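A check for the settings from step [3], added here as an example and not part of the original guide: it reads an sshd_config and a PAM service file and reports every deviation from the values above. The function names and the sample files are constructed for illustration; Include directives are not followed.

```sh
#!/bin/sh
# Added example (not from the original post): audit the two files from step [3].

# Global value of an sshd_config keyword. Keywords are case-insensitive and
# the first value read wins; a "Match" line ends the global section.
# Assumption: Include files and "Keyword=value" syntax are not handled.
sshd_value() {  # $1 = keyword, $2 = sshd_config path
    awk -v key="$1" '
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$2"
}

# Control flag and module of the first "auth" line in a PAM service file.
pam_first_auth() {  # $1 = PAM service file path
    awk '$1 == "auth" { print $2, $3; exit }' "$1"
}

# Print one FAIL line per deviation from the guide; exit status = count.
audit_otp_ssh() {  # $1 = sshd_config, $2 = PAM service file
    findings=0
    for want in challengeresponseauthentication=yes usepam=yes \
                pubkeyauthentication=no; do
        key=${want%%=*} val=${want#*=}
        got=$(sshd_value "$key" "$1")
        # An unset keyword is a finding: the build default would apply.
        if [ "$got" != "$val" ]; then
            echo "FAIL $key: want $val, got ${got:-unset}"
            findings=$((findings + 1))
        fi
    done
    if [ "$(pam_first_auth "$2")" != "required pam_google_authenticator.so" ]; then
        echo "FAIL pam: first auth line is not the OTP module"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample files (not from a real host): key login left enabled.
demo=$(mktemp -d)
printf '%s\n' '#UsePAM no' 'UsePAM yes' 'ChallengeResponseAuthentication yes' \
    'PubkeyAuthentication yes' > "$demo/sshd_config"
printf '%s\n' '#%PAM-1.0' 'auth required pam_google_authenticator.so' \
    'auth include password-auth' > "$demo/pam_sshd"
audit_otp_ssh "$demo/sshd_config" "$demo/pam_sshd" || echo "findings: $?"
rm -rf "$demo"
```

On a live host, point it at /etc/ssh/sshd_config and /etc/pam.d/sshd after the restart in step [3].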
Posted in General, GNU/Linux, Security | Comments Off on Authenticate SSH with “Google Authenticator” OTP
By Kernel 7 On April 28th, 2013
VMware ESX/ESXi patches can be applied easily through the CLI.
As a pre-requisite for this guide, you need to enable SSH access to the ESX/ESXi host.
[1] Download the necessary patches from VMware’s web site:
http://www.vmware.com/go/downloadpatches
[2] Browse the ESX/ESXi host’s storage and upload the patches to the “/DATA_STORE_LOCATION/esxi-patches/” folder.
[3] Shut down all the VMs and put the ESX/ESXi host in “Maintenance Mode”.
[4] Apply the patches one after the other in the order they were released, using the following command in the SSH CLI:
ESX/ESXi v4.x :: esxupdate --bundle=/DATA_STORE_LOCATION/esxi-patches/ESXXXXX-XXXXXXXXX.zip update
ESX/ESXi v5.x :: esxcli software vib update -d "/DATA_STORE_LOCATION/esxi-patches/ESXXXXX-XXXXXXXXX.zip"
[5] Reboot the vSphere/ESX/ESXi host if required by the patches installed.
Posted in General, Virtualization | Comments Off on VMware ESX/ESXi Host Updates via CLI
By Kernel 7 On January 6th, 2012
Scheduling a downtime in Nagios is complicated in itself, and automating it is a pain.
Here is an easy-to-use PHP script that will make scheduling a breeze:
[1] Download the “Downtime Scheduling Utility” and extract it to your preferred location:
http://sweetdeliah.com/nagios/downtime/nagios_down-0.2.tar.gz
[2] To schedule a maintenance, here is a template:
./nagios_down.php -h 'host-server-001' -f -b '03:00 23 January 2012' -e '03:30 23 January 2012' -a 'John Doe' -c 'Monthly Maintenance for Windows Patches'
This will put the host “host-server-001” in maintenance mode for 30 minutes on January 23rd, 2012, between 03:00 AM and 03:30 AM, with “John Doe” as the person responsible for logging the downtime, and “Monthly Maintenance for Windows Patches” as a comment.
[3] You can automate the process using Cron or your Custom GUI if any.
Posted in General, GNU/Linux | Comments Off on Nagios Downtime Scheduling (PHP)
By Kernel 7 On November 1st, 2011
As a last resort to fix log space issues, stop “syslog”, delete the logs in question, then start “syslog” again.
Here is an example for Debian:
/etc/init.d/rsyslog stop && rm -rf /var/log/daemon* && sync && /etc/init.d/rsyslog start
Schedule it when necessary.
Posted in GNU/Linux | Comments Off on Delete & Flush Logs under GNU/Linux
By Kernel 7 On June 8th, 2009
[+] Secure ISC BIND Template:
http://www.cymru.com/Documents/secure-bind-template.html
[+] Secure BGP Template for Cisco Routers:
http://www.cymru.com/Documents/secure-bgp-template.html
[+] Secure BGP Template for Juniper Routers:
http://www.cymru.com/gillsr/documents/junos-bgp-template.pdf
[+] Secure IOS Template:
http://www.cymru.com/Documents/secure-ios-template.html
http://wiki.nil.com/Router_security_template
[+] Secure JunOS Template:
http://www.cymru.com/gillsr/documents/junos-template.pdf
Posted in General | Comments Off on Security Templates for BGP, BIND, IOS, JunOS
By Kernel 7 On June 2nd, 2009
As you already know, “mysqldump” is a nifty command. The following example script should be scheduled to run daily via “cron” to back up all your MySQL Databases in a SQL file like “MySQL-Dump---v2009-06-02.sql” and compress it to save on space:
mysqldump --host=YOUR_MYSQL_HOST --port=YOUR_MYSQL_PORT --user=root \
--password=YOUR_ROOT_PASSWORD --add-drop-database --add-drop-table --comments --force \
--all-databases > /YOUR_BACKUP_LOCATION/MySQL-Dump---v`date +"%Y-%m-%d"`.sql ; \
gzip /YOUR_BACKUP_LOCATION/MySQL-Dump---v`date +"%Y-%m-%d"`.sql
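A variant of the backup command, added here as an example and not from the original post: it keeps the root password off the command line, where it can show up in the process list, by reading it from an option file, and it keeps the compressed dump only if mysqldump succeeded. The option file layout, the mysql-all- file name and the function names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post). Assumed option file content:
#   [client]
#   host=YOUR_MYSQL_HOST
#   port=YOUR_MYSQL_PORT
#   user=root
#   password=YOUR_ROOT_PASSWORD
MYSQLDUMP=${MYSQLDUMP:-mysqldump}   # overridable so the logic can be tested

# Refuse an option file that group or other can access; it holds the password.
check_cnf() {  # $1 = option file
    [ -f "$1" ] || { echo "missing option file: $1" >&2; return 1; }
    perms=$(ls -ln "$1" | cut -c5-10)      # group and other permission bits
    [ "$perms" = "------" ] || { echo "$1 must be mode 0600 or 0400" >&2; return 1; }
}

backup_all() {  # $1 = option file, $2 = backup directory; prints the final path
    check_cnf "$1" || return 1
    umask 077                               # the dump holds all data: owner-only
    out="$2/mysql-all-$(date +%Y-%m-%d).sql"
    # --defaults-extra-file must be the first option on the command line.
    # The remaining flags are the ones used in the post.
    if "$MYSQLDUMP" --defaults-extra-file="$1" --add-drop-database \
           --add-drop-table --comments --force --all-databases > "$out.tmp"
    then
        gzip -f "$out.tmp" && mv "$out.tmp.gz" "$out.gz" && echo "$out.gz"
    else
        rm -f "$out.tmp"                    # leave no partial dump behind
        echo "mysqldump failed; no backup written" >&2
        return 1
    fi
}

# Usage: script OPTION_FILE BACKUP_DIR
if [ $# -eq 2 ]; then backup_all "$1" "$2"; fi
```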
Posted in GNU/Linux | Comments Off on Daily Backup of All MySQL Databases !
By Kernel 7 On June 1st, 2009
If you want to reveal hidden/illicit content (parasites) that hackers insert into benign web pages using various security holes, use the following site; you might just be surprised:
http://www.unmaskparasites.com/