Friday, 15 September 2023

Import SSH Private Key to Yubikey (PIV) for SSH Authentication

Introduction: This guide will walk you through the process of importing your SSH private key to a Yubikey (PIV) for SSH authentication on your Mac.

Step 1: Install "yubico-piv-tool" Install the "yubico-piv-tool" on your Mac by running the following command:

brew install yubico-piv-tool

Step 2: Convert SSH Private Key to PEM Format Convert your SSH private key to PEM format without a passphrase using the following command:

bash
openssl rsa --in ~/.ssh/id_rsa -outform pem > ~/.ssh/id_rsa.pem

Step 3: Import PEM File to Yubikey Import the PEM file into your Yubikey with the following command:

bash
yubico-piv-tool -s 9a -a import-key -i ~/.ssh/id_rsa.pem

Authentication to Remote Server with Yubikey To authenticate with a remote server using your Yubikey, use the following SSH command: (for other OS: https://developers.yubico.com/PGP/SSH_authentication)

bash
ssh myhost -I /opt/homebrew/Cellar/yubico-piv-tool/2.3.1/lib/libykcs11.2.3.1.dylib

(Optional) Add Yubico-PIV (or other smart card) driver lib path to ssh configuration Add driver path to file .ssh/config (https://ubuntu.com/server/docs/security-smart-cards-ssh). Then you don't need to identify a library path every time.

vim .ssh/config
PKCS11Provider /opt/homebrew/Cellar/yubico-piv-tool/2.3.1/lib/libykcs11.2.3.1.dylib

Friday, 14 April 2023

Route OSPF with BIRD (Dual stack)

BIRD is an open-source router daemon for Linux OS. BIRD can exchange IP routes between BIRD servers and routers. this post shows an example of BIRD's configuration for OSPF peering with other routers.  This configuration is compatible with  Cisco L3 switches and routers.

router id 10.255.255.10;


protocol device {

        scan time 10;

}


protocol static  {

        ipv4{

                export all;

        };

        check link;

        route 10.10.1.0/26 via "tun0";

}


protocol static  {

        ipv6{

                export all;

        };

        check link;

        route 2001:db08:1010:1::/64 via "tun0";

}


protocol ospf 100 {

        ipv4{

                export all;

                import all;

        };

        area 7 {

                stub no;

                interface "ens192" {

                        type broadcast;

                        hello 10;

                        dead 40;

                        wait 40;

                        retransmit 5;

                        authentication none;

                };

        };

}


protocol ospf v3 101 {

        ipv6{

                export all;

                import all;

        };

        area 100 {

                interface "ens192" {

                        type broadcast;

                        hello 10;

                        dead 40;

                        wait 40;

                        retransmit 5;

                        authentication none;

                };

        };

}

Tuesday, 24 January 2023

DoS Detection for NTP server with Iptables

NTP service is one of the most popular target services. Almost Linux servers install an Iptables firewall by default that we can config Iptables to detect or block NTP flooding packets. This topic shows you an example use case of Iptables for handling DoS traffic. 

Example 1.  Logging flood by source IP address (without limit logging rate).

In this example, we create a new firewall chain named NTP in the 1st line, append the rate limit rule to allow normal usage in the 2nd line, and log abnormal packets in the 3rd line.

iptables -N NTP

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto  10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP -j LOG --log-prefix "NTP-DoS: " 

iptables -A NTP -j ACCEPT

iptables -A INPUT -p udp --dport 123  -j NTP

Example 2. Logging flood by source IP address with limit log output.

In 3rd line, we set the rate limit for logging at a rate of 1 event per second.

iptables -N NTP

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 1/sec --hashlimit-burst 1  --hashlimit-name log_limit  -j LOG --log-prefix "NTP-DoS: "

iptables -A NTP -j ACCEPT

iptables -A INPUT -p udp --dport 123  -j NTP

Example 3. Logging and Dropping flood packet.

In the 4th line, Iptables will drop a packet that incoming packet more than a threshold in the 2nd line.

iptables -N NTP

iptables -A NTP --match match hashlimit --hashlimit-mode srcip  --hashlimit-upto 10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 1/sec --hashlimit-burst 1  --hashlimit-name log_limit  -j LOG --log-prefix "NTP-DoS: "

iptables -A NTP -j DROP

iptables -A INPUT -p udp --dport 123  -j NTP


Example 4. Block flood source IP address for 5 minutes with ipset

Create a blacklist source IP address set with an Ipset name NTP-BLOCK. every item added in this set will countdown from 300 seconds, and will remove when the counter is over. 

ipset create NTP-BLOCK hash:ip family inet hashsize 8182 maxelem 65536 timeout 300


2nd line: Apply blocking rules with an option  "-m set --match-set" with a set named "NTP-BLOCK"  for the source IP address of the incoming packet.
6th line: Update item in "NTP-BLOCK" set with option "-j SET --add-set" to push source IP of a packet that matches this rule.

iptables -N NTP

iptables -A NTP  -m set --match-set NTP-BLOCK src -j DROP

iptables -A NTP --match match hashlimit --hashlimit-mode srcip  --hashlimit-upto 10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 1/sec --hashlimit-burst 1  --hashlimit-name log_limit  -j LOG --log-prefix "NTP-DoS: "

iptables -A NTP -j SET --add-set NTP-BLOCK src

iptables -A INPUT -p udp --dport 123  -j NTP




Wednesday, 12 October 2022

Show server hardware "Product Name" and "Serial Number" from shell

Just secure shell to server and run this command as a root permission

sudo dmidecode | egrep -i 'manufacturer|product|Serial'

The result will show information such as Manufacturer,  Product Name, Serial Number, etc.

Manufacturer: Dell Inc.

Product Name: PowerEdge R430

Serial Number: xxxxxx

Manufacturer: Dell Inc.

Product Name: zzzz

Serial Number: .xxx.yyy.

Manufacturer: Dell Inc.

Serial Number: xxxx

Sunday, 22 May 2022

อย่าลืมปิด Multicast Snooping บน Bridge Interface ถ้าจะติดตั้ง KVM โดยเชื่อมต่อเครือข่ายผ่าน Bridge เพราะอาจะมีปัญหาการใช้งาน IPv6 ของ Guest OS

โดยปกติการติดตั้ง Virtural Machine บน Linux OS หรือ KVM รอบรับใช้งานเครือข่ายระดับ Layer 2 ของ Guest OS ผ่าน Bridge ของ Linux Kernel ซึ่ง Bridge บน Host OS ทำหน้าที่เป็น Switch เชื่อมต่อ Guest OS กับเครือข่าย โดยมี Physical Interface บน Host OS ทำหน้าที่เป็น Uplink port ของ Switch 

แต่เนื่องจาก Bridge ของ Linux มีการเปิด Multicast Snooping เป็นค่าเริ่มต้น โดยนี้จะปิดกั้นการส่ง Multicast บางประเภทไม่ให้ส่งข้าม Bridge ซึ่งฟีเจอร์ Multicast Snooping อาจจะทำให้เครื่อง Guest OS ไม่สามารถเชื่อมต่อกับเครือข่ายผ่าน Bridge ด้วย IPv6 ได้ เนื่องจาก Multicast Snooping ไปปิดกั้นแพคเก็ตของ Neightbor Discovry Protocol (ND) ทำให้ไม่สามารถค้นหาเครื่องที่อยู่อีกฝากของเครือข่ายได้

ดังนั้นเพื่อป้องกันปัญหาได้กลาวมาข้างต้นนั้น จำเป็นต้องปิด Multicast Snooping ด้วยคำสั่งดังนี้

echo -n 0 > /sys/class/net/<brif>/bridge/multicast_snooping


Source : https://askubuntu.com/questions/460405/ipv6-does-not-work-over-bridge


Friday, 15 October 2021

How to enable serial console KVM guest os.

 1. Enable serial console with command :

 systemctl enable --now serial-getty@ttyS0.service  

2. Connecting to guest OS from KVM with command:

 virsh console [VM_NAME]  

ref: ostechnix.com

Import SSH Private Key to Yubikey (PIV) for SSH Authentication

Introduction: This guide will walk you through the process of importing your SSH private key to a Yubikey (PIV) for SSH authentication on y...