Short Notes on Security

From PaskvilWiki
Jump to: navigation, search

Password Generators

  • PHP - replace the '16' with length of the generated password (28 is most you can get):
$password = substr(str_replace(array('$1$', '$2$', '$2a$', '$', '.', '/'), '', crypt(php_uname() . microtime())), 0, 16);

or, terminal version:

$ php -r "echo substr(str_replace(array('$1$', '$2$', '$2a$', '$', '.', '/'), '', crypt(php_uname() . microtime())), 0, 16);"
  • Bash - replace the '64' with length of the generated password (no real limit here), and change the characters class in tr -d as you please, to control what characters can be contained in the password; the characters class presented here are all characters that are treated as a part of the word in terminal (i.e. you can double-click the word and it gets selected as a whole):
$ cat /dev/urandom | tr -d -c "a-zA-Z0-9@#%&\-\_+=:,.?/" | head -c 64; echo

SSH Access using pubkey's for Authentication

You can make your system's remote login way safer with just 3 simple steps:

  1. Create your public-private key pair of files.
  2. Register your public key on the server you want to access.
  3. [optional and recommended] Allow only login using the pubkey on the server.

Create public-private key pair

To generate the public-private key pair, use ssh-keygen -t rsa.

You’ll be prompted for where to save the pubkeys, then for passphrase (either empty, or 5+ letters), repeat if non-empty, and the keys get generated. Just as with passwords, it's important to use strong passphrases.

You should chmod 600 both key files, and be very careful about them.

Highly recommended is to hold them in a truecrypt partition or the like, if you carry them around. If you need to write down the passphrase somewhere, again, either use truecrypt, or use vim -x, or the likes. Don't forget, chain is only as strong as is its weakest link.

Setup the server for key-based login

Transfer the created *.pub file (typically called to the server you want to log into remotely. Do not transfer the private part of the pair (typically called id_rsa)!!

Register the key on the server by appending it to list of authorized keys for the user this key belongs to, like this:

cat >> /home/user/.ssh/authorized_keys

The .ssh/authorized_keys file should of course also be chmod 600, and the /home/user/.ssh folder chmod 700.

Test it

Now, you should be able to login to the server using

ssh -i privatekey user@server
e.g. ssh -i ~/.ssh/id_rsa

Server verifies your identity based on the public key, but to login you need both id_rsa and

Fortify the server (optional, root rights required)

Once all is up and running, and you've tested the login properly, you may choose to disable password-based login.

Edit the /etc/ssh/sshd_config file (or /usr/local/etc/sshd_config on BSD’s). Add/update the following lines:

PasswordAuthentication no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Then restart `ssh` – using /etc/init.d/ssh restart (or /usr/local/etc/rc.d/ssh restart on BSD’s).

You may also choose to disable root login, allowing only regular users to login, and then use sudo to become root. Simply add/update in /etc/ssh/sshd_config:

PermitRootLogin no

Using RSync together with SSH

Using password-based authentication:

$ rsync -avz -e ssh user@server:/remote/dir /this/dir/

Using pubkey-based authentication:

$ rsync -avz -e "ssh -i /path/to/id_rsa" user@server:/remote/dir /this/dir/

External Links