Vegard Skjefstad

www.vegard.net

Menu Close

Search results: "2FA" (page 1 of 2)

How to Secure SSH with 2FA on Ubuntu

As you know, I love two factor authentication (2FA). Now the time has come to secure SSH with 2FA on all our Ubuntu servers.

I recently noticed that the bandwidth usage on VBOX4 had increased slightly. Apart from the spikes that come when the server is doing its nightly offsite backup, there was also an average increase in bandwidth usage. In an ideal world, that would be caused by the success of my Facebook antics, but I’ve got Piwik stats that says otherwise.

Now, that there is a slight bandwidth increase that last for a few days isn’t uncommon. Google sometimes finds it necessary to index the entire site. But I’m a curious little nerd, and with the help of netstat I checked incoming connections. It showed a Chinese IP address trying to connect to poor VBOX4 via SSH. That isn’t necessarily a reason to panic either. If you have a computer connected to the internet, there will be bots trying to connect to various services around the clock. For my own convenience, I’ve got SSH running on the standard port, 22, which makes it a prime target for that kind of shenanigans.

Moving it away from the standard port could be an option. But security by obscurity isn’t really security IMHO. Sure, it makes things a little bit harder. But there are only 65,535 ports to choose from, and if a bot wants to find your SSH port, it will find it eventually. Port knocking might be a better scheme if you want to hide your doors.

Or, you can hire a kick-ass doorman! That’s what we’re going to do with 2FA.

Read more

2FA, U2F & the YubiKey

If you’re even the least bit security conscious, you’re probably aware of two factor authentication (2FA). The idea is simple, yet brilliant: In addition to authenticating with a username and password combination, you also have to use a one-time code. The code is usually provided by a token of some kind, like a scratch card, or an app on your mobile phone.

Since the token is something physical that you normally bring with you or store somewhere semi-secure (“in a drawer”) at home, it’s virtually impossible for someone who have managed to get access to your username and password to log in: Without the token, they are missing the second factor in the authentication chain, the one-time password.

More and more sites are now supporting 2FA in one form or another. While this is a good thing, it might also have an unintended consequence: If you have a token from site A, that token will not work at site B, meaning that if you use 2FA on many sites, you can easily end up with a lot of tokens. Many sites use 2FA codes generated by the Google Authenticator app, which obviously helps a lot. But even though the use of Google Authenticator might be considered the de facto standard for 2FA, how to provide 2FA hasn’t really been standardized.

At least until quite recently. In May 2015, the FIDO Alliance – whose members include technological behemoths like ARM, Google, Microsoft and Intel, and financial heavy weights like American Express, PayPal, MasterCard and VISA – released the Universal 2nd Factor (U2F) specification. The U2F specification aims to make it possible for a single U2F device to work with any relying party supporting the protocol.

A few FIDO U2F certified products are now beginning to become available to consumers, and after doing a bit of research, I bought a YubiKey NEO from Swedish manufacturer Yubico. So how does 2FA with the YubiKey NEO stack up against, say, using Google Authenticator on a mobile phone? Let’s have a quick look at the pros and cons.

Read more

How To Enable HTTP/2 in Apache on Ubuntu 16.04

Here’s a simple guide showing how you can enable HTTP/2 in Apache on Ubuntu 16.04.

The internet is awesome. It can be used by governments to very efficiently spy on their citizens, it got Donald elected, and it’ll be mentioned in future history books as the main tool used in the second rise of fascism. There are also a few funny cat pictures.

Today’s internet connections are amazingly fast. You younglings might not believe this, but there was a time when we actually had to sit and wait for a website to appear. If you want to experience the internet speeds of the past, give 56k Emulator a try. It will give you the basic idea. And keep in mind that 56K modems were freakin’ fast when they became available.

But I digress. Sorta. Even though today’s internet connections are fast, the technology used to push propaganda around inside the tubes is old and slow. HTTP/1.1 was never intended to be used with the kind of content-heavy website we have today. Thankfully, there’s a new option available, the marvelous RFC-7540. Or HTTP/2, if you will.

HTTP/2 is a major revision of HTTP/1.1. Its main goal is to make web sites appear in your browser quicker, and with the need to send less data than with HTTP/1.1. The “number one HTTP server on the internet”, Apache 2 only has experimental support for HTTP/2. This means that it’s not available in the version Ubuntu 16.04 includes by default.

Once again, we have to turn to our PPA packaging hero Ondřej Surý for support. Not only does he maintain packages for the latest and greatest version of PHP (that we used here), he also makes sure Ubuntu users can be on the bleeding edge of Apache goodness.

Read more

The Final PRISM Break Push: Secure & Private E-Mail

Ever since whistle-blower Edward Snowden exposed government security agencies around the world as lying bastards1 who spy on our every move on the internet, I’ve gradually taken steps to tear myself away from Big Internet. In my PRISM Break series of posts, I have – over the last two and a half years – ditched the closed source browser Opera in favor of Mozilla Firefox, replaced Google with DuckDuckGo as my default search engine, and moved all the content I had on public cloud storage services to a self-hosted ownCloud server.

But there is still one thing that ties me to the prying eyes of FVEY & Friends: E-mail. For a long time, I’ve been using Google’s Gmail to cover my (declining) e-mail needs. Why? Because it’s free, has tons of storage space, and is very reliable. But Google has to earn money somehow, right? Of course. They do this by having a look-see through your private e-mail correspondence:

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.

The above paragraph is copied from Google’s current terms of service (archived version). Unlike government security agencies, Google is perfectly honest about what they are doing with your data. So if you’re OK with Google snooping, then Gmail is a great service. I’m not OK with that, and about eight months ago I started the hunt for an e-mail provider that takes security and privacy seriously.

Read more

How To Secure WordPress. Again

I’ve been using WordPress to power this site for many years now, and I’m not the only one doing that: According to the WordPress Wikipedia article, the Content Management System (CMS) was used by more than 23.3% of the top 10 million websites as of January 2015. That number makes it a prime target for hackers and script kiddies around the world.

WordPress’ security record isn’t exactly great. There are many reasons for that, among them WordPress’ support for extensions like plugins and themes. Many of these plugins and themes are slapped together by developers who have no clue about the importance of securing their code against known vulnerabilities. This has often resulted in many popular extensions being wide open gates into the inner workings of WordPress, making it very easy for bad guys to ruin everyone’s day. WordPress itself also hasn’t been a stranger to having major security vulnerabilities. That it’s written in PHP hasn’t exactly helped, and security wasn’t really something the core developers put much effort into until recent years. But the latter is, thankfully, getting better. The WordPress core is now updating itself automatically, and this feature will be enabled for plugins as well soon.

But even though security has become a focus, both for the core WordPress team and at least some plugin and theme developers, you should still make a bit of an effort to enable additional layers of security to your WordPress site. Most of the work is done, rather ironically, with the help of plugins.

Read more

Copyright © 2000-2018 www.vegard.net | Privacy Policy | Statement of Audience | Hosted on vbox4.vbox-host.com