SSH key-based authentication

First, generate a key pair without a passphrase:

root@example:~# ssh-keygen -f ~/.ssh/id_rsa -q -P ""

You should now see id_rsa (the private key) and id_rsa.pub (the public key):

root@example:~# ls -la .ssh
total 20
drwx------ 2 root root 4096 Nov 18 15:19 .
drwx------ 7 root root 4096 Apr 14  2018 ..
-rw------- 1 root root 1679 Nov 18 15:19 id_rsa
-rw-r--r-- 1 root root  401 Nov 18 15:19 id_rsa.pub
-rw-r--r-- 1 root root  444 Sep 22  2017 known_hosts


qFirewall (qfw) – a quick iptables firewall script

This is my new basic firewall script. For updates, check my github: https://github.com/xdth

Code

#! /bin/bash

# ######################### qFirewall (qfw) 0.1 ########################
#
# This is a basic iptables firewall script.
#
# Usage:
# ./qfw {start|stop}
#
# Notes:
# 1. Comment or uncomment the firewall rules below according to your
#    needs.
# 2. For convenience, add this script to your /usr/bin or alike with
#    chmod +x permissions.
# 3. License: MIT
# 4. Author: dth at dthlabs dot com
#    Site:   https://dthlabs.com
#    github: https://github.com/xdth
#
# Brussels, Jan 23, 2018
# note: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
# #######################################################################


# #######################################################################
# ## Rules function -- edit this according to your needs

function qfw_rules {
  # Block everything
  iptables -t filter -P INPUT DROP
  iptables -t filter -P FORWARD DROP
  iptables -t filter -P OUTPUT DROP
  echo "     > Block everything"

  # Don't break established connections
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  echo "     > Don't break established connections"

  # Authorize loopback (127.0.0.1)
  iptables -t filter -A INPUT -i lo -j ACCEPT
  iptables -t filter -A OUTPUT -o lo -j ACCEPT
  echo "     > Authorize Loopback"

  # ICMP (ping)
  iptables -t filter -A INPUT -p icmp -j ACCEPT
  iptables -t filter -A OUTPUT -p icmp -j ACCEPT
  echo "     > Authorize ICMP (ping)"

  # SSH in/out
  iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 9000 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 9000 -j ACCEPT
  echo "     > Authorize SSH"

  # DNS in/out
  iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
  iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
  iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
  echo "     > Authorize DNS"

  # NTP Out
  iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
  echo "     > Authorize NTP outbound"

  # HTTP + HTTPS Out
  iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
  # iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT

  # HTTP + HTTPS In
  iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
  echo "     > Authorize http and https"

  # FTP Out
  iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT

  # FTP In
  iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
  iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  echo "     > Authorize FTP"

  # Mail SMTP
  iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 587 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 587 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 465 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 465 -j ACCEPT

  # Mail POP3:110
  iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

  # Mail IMAP:143
  iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

  # Mail POP3S:995
  iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
  iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
  echo "     > Authorize mail"

  # OpenVZ Web Panel
  # iptables -t filter -A OUTPUT -p tcp --dport 3000 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 3000 -j ACCEPT
  # echo "     > Authorize OpenVZ panel"

  # Allow VMs (forwarded traffic)
  # iptables -P FORWARD ACCEPT
  # iptables -F FORWARD
  # echo "VMs ok"
  # echo "     > Authorize VMs"

  # Saltstack
  # iptables -t filter -A OUTPUT -p tcp --dport 4505 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 4505 -j ACCEPT
  # iptables -t filter -A OUTPUT -p tcp --dport 4506 -j ACCEPT
  # iptables -t filter -A INPUT -p tcp --dport 4506 -j ACCEPT
  # echo "     > Authorize Saltstack"

  # Drop packets in INVALID conntrack state (not UDP-specific)
  # iptables -A INPUT -m state --state INVALID -j DROP
  # echo "     > Drop INVALID packets"

}


# #######################################################################
# ## Other functions

function qfw_help {
  echo "qFirewall usage: ./qfw {start|stop}"
  exit 1
}

function qfw_seeya {
  echo "     > Thanks for using qFirewall (qfw) v0.1. Have a good day."
  echo ""
  echo ""
}

function qfw_separator {
  echo ""
  echo ""
  echo "===================== qFirewall (qfw) v0.1 ====================="
  echo ""
}

function qfw_reset {
  iptables -F
  iptables -X
  iptables -t nat -F
  iptables -t nat -X
  iptables -t mangle -F
  iptables -t mangle -X
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -t filter -F
  iptables -t filter -X
}

function qfw_start {
  qfw_separator
  echo "     > Starting qFirewall..."
  qfw_clean
  echo "     > Loading the rules..."
  qfw_rules
  echo "     > Rules loaded"
  echo "     > qFirewall started"
}

function qfw_clean {
  echo "     > Cleaning rules..."
  qfw_reset
  echo "     > Rules cleaned"
}

function qfw_stop {
  qfw_separator
  echo "     > Stopping qFirewall..."
  qfw_clean
  echo "     > qFirewall stopped"
}


# #######################################################################
# ## Main

case "$1" in
  start)
  qfw_start
  ;;
  stop)
  qfw_stop
  ;;
  *)
  qfw_help   # prints usage and exits 1
  ;;
esac

qfw_seeya

exit 0
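Two things are worth checking after running qfw start on a remote box: that the rules actually took (default DROP on all three chains, conntrack pass-through, loopback, and tcp/22 accepted so you are not locked out), and which inbound ports the rule set really exposes, since the list above opens FTP, mail and DNS as well as SSH and HTTP. The helpers below are an added example, not part of qfw; the function names qfw_audit and qfw_open_ports are hypothetical, and the sample listings are constructed to look like iptables -S output rather than captured from a real host. Both functions take the text of an iptables -S listing as their first argument, so on the host itself you would call them with "$(iptables -S)".

```shell
#!/bin/bash
# Added audit helpers for a qfw-style rule set (hypothetical; not part of qfw).
# Each function takes the text of an "iptables -S" listing as $1, so it works
# on captured output as well as on "$(iptables -S)" from the live host.

# qfw_audit: return 0 when the listing matches the intent of qfw_rules
# (default DROP everywhere, conntrack pass-through, loopback accepted,
# inbound tcp/22 accepted so a remote admin is not cut off), 1 otherwise.
qfw_audit() {
  local ruleset="$1" failures=0 chain

  for chain in INPUT FORWARD OUTPUT; do
    if ! printf '%s\n' "$ruleset" | grep -qx -- "-P $chain DROP"; then
      echo "FAIL: $chain default policy is not DROP"
      failures=$((failures + 1))
    fi
  done

  # Without this rule, replies to outbound connections are dropped.
  if ! printf '%s\n' "$ruleset" \
       | grep -Eq -- '^-A INPUT .*--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT'; then
    echo "FAIL: INPUT has no RELATED,ESTABLISHED accept"
    failures=$((failures + 1))
  fi

  if ! printf '%s\n' "$ruleset" | grep -q -- '^-A INPUT -i lo -j ACCEPT'; then
    echo "FAIL: loopback is not accepted on INPUT"
    failures=$((failures + 1))
  fi

  # iptables -S renders "-p tcp --dport 22" as "-p tcp -m tcp --dport 22".
  if ! printf '%s\n' "$ruleset" | grep -Eq -- '^-A INPUT -p tcp .*--dport 22 -j ACCEPT'; then
    echo "FAIL: INPUT does not accept tcp/22 (remote access would be cut)"
    failures=$((failures + 1))
  fi

  [ "$failures" -eq 0 ]
}

# qfw_open_ports: print the distinct destination ports accepted on INPUT,
# numerically sorted, on one line. This is the host's exposed surface and
# is worth a look before deploying a rule set like the one above.
qfw_open_ports() {
  printf '%s\n' "$1" \
    | grep -- '^-A INPUT .* -j ACCEPT$' \
    | grep -o -- '--dport [0-9]*' \
    | awk '{ print $2 }' \
    | sort -n | uniq | paste -sd ' ' -
}

# Constructed sample listing in "iptables -S" format (not from a real host):
# a trimmed-down qfw_rules result with SSH, DNS and HTTP(S) inbound.
QFW_SAMPLE_GOOD=$(cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
EOF
)

# Constructed listing of the same host after "qfw stop" (qfw_reset):
# policies back to ACCEPT, no rules, nothing filtered.
QFW_SAMPLE_OPEN=$(cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
EOF
)

if [ "${1:-}" = "demo" ]; then
  echo "Accepted INPUT ports: $(qfw_open_ports "$QFW_SAMPLE_GOOD")"
  qfw_audit "$QFW_SAMPLE_GOOD" && echo "sample rule set: OK"
  qfw_audit "$QFW_SAMPLE_OPEN" || echo "open rule set: audit FAILED"
fi
```

Run it with the argument demo to see both samples audited. On a real host, pipe the live table through it (qfw_audit "$(iptables -S)") right after qfw start, ideally from a second session so a failed audit can still be undone with qfw stop.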

Intel NUC D34010WYK – Accessing and updating the BIOS

For some reason my USB3 external HD wasn’t being recognized by my NUC. I had a very old BIOS version, so I tried updating it, which solved the problem. Here’s how:

Search for the latest BIOS:
https://downloadcenter.intel.com/search?keyword=D34010WYK

In my case, it was this one. Download the .bio file and save it on a USB key.
https://downloadcenter.intel.com/download/26632/NUCs-BIOS-Update-WYLPT10H-86A-

Open your NUC and look for the BIOS security jumper:

USB device encrypted LVM on LUKS

Let’s encrypt an external USB hard disk drive. Become root and run lsblk. Then plug in the USB drive and run lsblk again to find its device name. In my case, it was sdb1, but yours might be different. Get yours right, or bad things can happen to your other devices.

[root@slayer dth]# lsblk
NAME                    MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
...
sdb                       8:16   0   1.8T  0 disk  
└─sdb1                    8:17   0   1.8T  0 part  
...


Configuring a SAML IDP with LDAP as authentication source

In this setup, the SAML IDP will be available at example.com/auth and we will use the LDAP server configured in this post.

Start by moving to the directory above the DocumentRoot for the domain. Let’s say the DocumentRoot is /var/www/example.com, so:

cd /var/www/

Download the latest SimpleSAMLphp release (1.14.4 in the command below) and unpack it:

wget https://simplesamlphp.org/res/downloads/simplesamlphp-1.14.4.tar.gz && tar xvfz simplesamlphp-1.14.4.tar.gz


Installing and configuring LDAP and phpldapadmin

This will be a minimal setup. It’s a good idea to start by updating and upgrading your system. On Debian, use:

apt-get update && apt-get upgrade

Install the packages (you will be prompted to set and confirm the LDAP admin password):

apt-get install slapd ldap-utils phpldapadmin

Then edit /etc/ldap/ldap.conf (e.g. with vim) and add:

BASE dc=example,dc=net
URI ldap://127.0.0.1


Installing and configuring Awesome WM in Archlinux

Start by installing Xorg and the NVIDIA graphics driver:

pacman -S xorg-server xorg-server-utils xorg-xinit xorg-utils xorg-twm xorg-xclock xterm xorg-xrandr nvidia nvidia-libgl xf86-input-evdev

Reboot:

reboot

Install Awesome, touchpad support and Vicious:

pacman -S awesome xf86-input-synaptics vicious hddtemp alsa-utils wireless_tools


Installing archlinux with encrypted LVM on LUKS (UEFI), via ssh.

We will install archlinux with LVM on LUKS encryption (UEFI), via ssh. This is for advanced users. If you just want to install archlinux, look elsewhere.

Download the ISO and write it to your USB key like so (replace /dev/sdx with the USB device):

dd bs=4M if=/path/to/archlinux.iso of=/dev/sdx && sync

Set the keyboard layout. In my case, it’s Belgian AZERTY (/usr/share/kbd/keymaps/i386/azerty/be-latin1.map.gz):

loadkeys be-latin1

Verify that you booted in UEFI mode (this directory should be populated):

ls /sys/firmware/efi/efivars
