RHEL 7 Two-Factor SSH Via Google Authenticator

650x300xgoogle-authenticator-header.png.pagespeed.gp+jp+jw+pj+js+rj+rp+rw+ri+cp+md.ic.194erIegOZ.jpg

In this post,  I am going to walk you through the process of installing and configuring two- factor SSH authentication via Google Authenticator. My base system is running a fresh install of RHEL 7.2

Installation Steps

The first step on my system was to install autoreconf, automake, and libtool. These packages are required by the bootstrap.sh script that we will need to in a couple more steps.

# yum -y install autoconf automake libtool

Now, we are going to install Git.

#yum -y install git

One more dependency to knock out. Install pam-devel as shown below.

# yum -y install pam-devel

Next, we clone the google-authenticator Git repo. In this example, I am cloning to /root

# git clone https://github.com/google/google-authenticator.git
Cloning into ‘google-authenticator’…
remote: Counting objects: 1435, done.
remote: Total 1435 (delta 0), reused 0 (delta 0), pack-reused 1435
Receiving objects: 100% (1435/1435), 2.32 MiB | 0 bytes/s, done.
Resolving deltas: 100% (758/758), done.

Now change directory as shown below and run bootstrap.sh.

# cd /root/google-authenticator/libpam

# ./bootstrap.sh

Now run the following commands to finalize the module installs.

# ./configure

#make

#make install

Assuming that you do not run into any errors, the following modules will be installed.

  • /usr/local/lib/security/pam_google_authenticator.so
  • /usr/local/lib/security/pam_google_authenticator.la

Continue reading

Advertisements

RHEL6 – How to Setup an Anonymous FTP Server


tow-truck-driver-cartoon-character-final-coghillToday on the fatmin we are going to setup an ftp server on RHEL6 that accepts anonymous uploads. We are going to do so with SELinux support and will be making modifications to iptables as well. Sounds fun, right?

Installation:

First and formost we need to install vsftpd

# yum -y install vsftpd && service vsftpd start && chkconfig vsftpd on

Our anonymous upload directory will be /var/ftp/anon, and we need to change group ownership to the ftp group and then change permissions so that the members of that group can write to it. Note that no one other than root can read or execute anything under /var/ftp/anon.

# chgrp ftp /var/ftp/anon
# chmod 730 /var/ftp/anon
# ls -ld /var/ftp/anon
drwx-wx—. 3 root ftp 4096 Oct 19 13:34 /v1

SELinux Support:

Next we need to configure SELinux support and assign the correct context to the /v1 directory and its future contents. Note -a is add -t is type.

# semanage fcontext -a -t public_content_rw_t ‘/var/ftp/anon(/.*)’

Now lets go ahead and apply the new context. Note -vv is verbose, -F force and R is recursive

# restorecon -vvFR /var/ftp/anon

Now we need to get and set the allow_ftpd_anon_write boolean

# setsebool -P allow_ftpd_anon_write=1

Now lets check to make sure the setting “stuck”.

# getsebool -a | grep allow_ftpd_anon_write
allow_ftpd_anon_write –> on

Configure Vsftpd:

Now vi /etc/vsftpd/vsftpd.conf and ensure that the following configuration values are set and un-commented. Note that I had to add the last line to my config file.

anonymous_enable=YES

anon_upload_enable=YES

chown_uploads=YES

chown_username=daemon

anon_umask=077

Configure iptables:

Add the following to /etc/sysconfig/iptables-config. In my case I only needed to add the ip_nat_ftp part to the line

IPTABLES_MODULES=”nf_conntrack_ftp ip_nat_ftp”

Now you are going to want to make sure that these two lines exist in /etc/sysconfig/iptables.

-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp –dport 21 -j ACCEPT

Now restart iptables

Addendum:

Note that I ran into issues with the semanage command below.

# semanage fcontext -a -t public_content_rw_t ‘/var/ftp/anon(/.*)’

It seems that the context assigned to the /var/ftp/anon directory was not changing correctly from public_content_t to public_content_rw_t.

# ls -Zd /var/ftp
drwxrwxrwx. root root system_u:object_r:public_content_t:s0 /var/ftp

However when I checked the file_contexts file all looked correct.

# cat /etc/selinux/targeted/contexts/files/file_contexts.local/var/ftp/anon(/.*)    system_u:object_r:public_content_rw_t:s0

So I ran the chon command seen below and did not run the restorecon command. This worked as afterwards the context on the directory /var/ftp/anon was correct.

# chcon -R -t public_content_rw_t /var/ftp/anon

 

RHEL6 – Simple Iptables How To

Firewall supportYour mother and I were talking last night about how important it is to properly configure Iptables, and how despite that fact, many just choose to disable it. So today we are going to discuss iptables.

Overview:

By far the easiest way to setup a simple firewall using Iptables is to use system-config-firewall, or system-config-firewall-tui. I prefer this method as iptables can be a bit confusing on the command line and in its config file (/etc/sysconfig/iptables) is not exactly user friendly. At the very least you can create a basic set of rules and then customize by hand. Lets take a look at the file in its default form on my RHEL 6 box.

But before we do that, lets review a couple of terms that we need to know.

  1. INPUT – are inbound packets
  2. OUTPUT are outbound packets
  3. FORWARD – packets from another machine that the firewall should forward (like to a vm on the host).
  4. ACCEPT – the packet is accepted
  5. DROP – the packet is dropped as if it never existed
  6. REJECT – the packed is rejected and and error message is returned to sender
  7. RULE – the basic building block — tells the firewall what to do with a packet
  8. CHAIN – a list of all rules which will be checked in order from first to last
  9. POLICY – the default action, like accept, drip, reject, forward

Now that you have memorized the list above, here is my /etc/sysconfig/iptables.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -j REJECT –reject-with icmp-host-prohibited.

Now lets run system-config-firewall tui and enable apache and ftp, plus we want to configure our box to respond to ICMP ping requests. This process is pretty self explanitory once you start.

Once that is done lets view /etc/sysconfig/iptables again.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp –icmp-type echo-request -j REJECT –reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp –icmp-type echo-reply -j REJECT –reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp –icmp-type destination-unreachable -j REJECT –reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 21 -j ACCEPT
-A INPUT -m state –state NEW -m tcp -p tcp –dport 443 -j ACCEPT
-A INPUT -j REJECT –reject-with icmp-host-prohibited
-A FORWARD -j REJECT –reject-with icmp-host-prohibited
COMMIT

Iptables Command:

The iptables command can be used in several different ways.

List the current rules in use, similar to viewing the /etc/sysconfig/iptables file

#iptables -L

To set a default policy use iptables -P, in the example below we are setting the default INPUT policy to DROP.

#iptables -P INPUT DROP

Now lets say we want to delete all our existing rules, note that i did not say policy

#iptables -F

To add a rule use iptables -a, for example lets say you have a default policy of INPUT DROP but we want to accept all established and related packets. Note that -m must be used when adding rules to a chain as it forces modprobe to load any necessary modules.

#iptables -A INPUT -m state –state ESTABLISHED, RELATED

Now lets say that we want to reject all packets from 192.168.10.10. Note -j specifies the action that the rule is to take — in the case below, REJECT

#iptables -A INPUT -s 192.168.10.10 -j REJECT

Now lets say we want to ACCEPT all ICMP traffic from our local subnet. The -p is protocol

#iptables -A INPUT -p ICMP -s 192.168.1.0/24 -j ACCEPT

Please note that under RHEL you can use following commands to save firewall rules.Make sure that you do this before you restart iptables.

#service iptables save