Import SSH Private Key to Yubikey (PIV) for SSH Authentication

Introduction: This guide will walk you through the process of importing your SSH private key to a Yubikey (PIV) for SSH authentication on your Mac.

Step 1: Install "yubico-piv-tool" Install the "yubico-piv-tool" on your Mac by running the following command:

brew install yubico-piv-tool

Step 2: Convert SSH Private Key to PEM Format Convert your SSH private key to PEM format without a passphrase using the following command:

bash
openssl rsa --in ~/.ssh/id_rsa -outform pem > ~/.ssh/id_rsa.pem

Step 3: Import PEM File to Yubikey Import the PEM file into your Yubikey with the following command:

bash
yubico-piv-tool -s 9a -a import-key -i ~/.ssh/id_rsa.pem

Authentication to Remote Server with Yubikey To authenticate with a remote server using your Yubikey, use the following SSH command: (for other OS: https://developers.yubico.com/PGP/SSH_authentication)

bash
ssh myhost -I /opt/homebrew/Cellar/yubico-piv-tool/2.3.1/lib/libykcs11.2.3.1.dylib

(Optional) Add Yubico-PIV (or other smart card) driver lib path to ssh configuration Add driver path to file .ssh/config (https://ubuntu.com/server/docs/security-smart-cards-ssh). Then you don't need to identify a library path every time.

vim .ssh/config
PKCS11Provider /opt/homebrew/Cellar/yubico-piv-tool/2.3.1/lib/libykcs11.2.3.1.dylib

Route OSPF with BIRD (Dual stack)

BIRD is an open-source router daemon for Linux OS. BIRD can exchange IP routes between BIRD servers and routers. this post shows an example of BIRD's configuration for OSPF peering with other routers.  This configuration is compatible with  Cisco L3 switches and routers.

router id 10.255.255.10;

protocol device {

        scan time 10;

}

protocol static  {

        ipv4{

                export all;

        };

        check link;

        route 10.10.1.0/26 via "tun0";

}

protocol static  {

        ipv6{

                export all;

        };

        check link;

        route 2001:db08:1010:1::/64 via "tun0";

}

protocol ospf 100 {

        ipv4{

                export all;

                import all;

        };

        area 7 {

                stub no;

                interface "ens192" {

                        type broadcast;

                        hello 10;

                        dead 40;

                        wait 40;

                        retransmit 5;

                        authentication none;

                };

        };

}

protocol ospf v3 101 {

        ipv6{

                export all;

                import all;

        };

        area 100 {

                interface "ens192" {

                        type broadcast;

                        hello 10;

                        dead 40;

                        wait 40;

                        retransmit 5;

                        authentication none;

                };

        };

}

DoS Detection for NTP server with Iptables

NTP service is one of the most popular target services. Almost Linux servers install an Iptables firewall by default that we can config Iptables to detect or block NTP flooding packets. This topic shows you an example use case of Iptables for handling DoS traffic. 

Example 1.  Logging flood by source IP address (without limit logging rate).

In this example, we create a new firewall chain named NTP in the 1st line, append the rate limit rule to allow normal usage in the 2nd line, and log abnormal packets in the 3rd line.

iptables -N NTP

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto  10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP -j LOG --log-prefix "NTP-DoS: " 

iptables -A NTP -j ACCEPT

iptables -A INPUT -p udp --dport 123  -j NTP

Example 2. Logging flood by source IP address with limit log output.

In 3rd line, we set the rate limit for logging at a rate of 1 event per second.

iptables -N NTP

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 1/sec --hashlimit-burst 1  --hashlimit-name log_limit  -j LOG --log-prefix "NTP-DoS: "

iptables -A NTP -j ACCEPT

iptables -A INPUT -p udp --dport 123  -j NTP

Example 3. Logging and Dropping flood packet.

In the 4th line, Iptables will drop a packet that incoming packet more than a threshold in the 2nd line.

iptables -N NTP

iptables -A NTP --match match hashlimit --hashlimit-mode srcip  --hashlimit-upto 10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 1/sec --hashlimit-burst 1  --hashlimit-name log_limit  -j LOG --log-prefix "NTP-DoS: "

iptables -A NTP -j DROP

iptables -A INPUT -p udp --dport 123  -j NTP

Example 4. Block flood source IP address for 5 minutes with ipset

Create a blacklist source IP address set with an Ipset name NTP-BLOCK. every item added in this set will countdown from 300 seconds, and will remove when the counter is over. 

ipset create NTP-BLOCK hash:ip family inet hashsize 8182 maxelem 65536 timeout 300

2nd line: Apply blocking rules with an option  "-m set --match-set" with a set named "NTP-BLOCK"  for the source IP address of the incoming packet.

6th line: Update item in "NTP-BLOCK" set with option "-j SET --add-set" to push source IP of a packet that matches this rule.

iptables -N NTP

iptables -A NTP  -m set --match-set NTP-BLOCK src -j DROP

iptables -A NTP --match match hashlimit --hashlimit-mode srcip  --hashlimit-upto 10/sec  --hashlimit-burst 20  --hashlimit-name conn_rate_limit  -j ACCEPT

iptables -A NTP --match hashlimit --hashlimit-mode srcip  --hashlimit-upto 1/sec --hashlimit-burst 1  --hashlimit-name log_limit  -j LOG --log-prefix "NTP-DoS: "

iptables -A NTP -j SET --add-set NTP-BLOCK src

iptables -A INPUT -p udp --dport 123  -j NTP