Short Notes on Security
== Password Generators ==
* '''PHP''' - replace the '16' with the length of the generated password (28 is the most you can get):
<pre>$password = substr(str_replace(array('$1$', '$2$', '$2a$', '$', '.', '/'), '', crypt(php_uname() . microtime())), 0, 16);</pre>
or, terminal version (the dollar signs are escaped so that the shell does not expand <tt>$1</tt>, <tt>$2</tt> and <tt>$2a</tt> inside the double quotes before PHP sees them):
<pre>$ php -r "echo substr(str_replace(array('\$1\$', '\$2\$', '\$2a\$', '\$', '.', '/'), '', crypt(php_uname() . microtime())), 0, 16);"
1hlNxRwBr4mCZWQF</pre>
* '''Bash''' - replace the '64' with the length of the generated password (no real limit here), and change the character class in <tt>tr -d</tt> as you please to control which characters the password may contain; the character class shown here consists of all characters that the terminal treats as part of a word (i.e. you can double-click the word and it gets selected as a whole):
<pre>$ cat /dev/urandom | tr -d -c "a-zA-Z0-9@#%&\-\_+=:,.?/" | head -c 64; echo
uQ,XGSG4qPtE4.&UQT,jPA#=a8j-mhy+qjQUg:m#s7g1@c2-#J8D-,3zQFd+o_-W</pre>
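As an added example (not from the original notes), the same <tt>/dev/urandom</tt> approach as the Bash one-liner, packaged as shell functions that also report how many bits of entropy a given length and character class yield; unlike the PHP recipe it never derives the password from a hash of the host name and the clock. The function names and the <tt>WORD_CHARS</tt> variable are chosen for this example:

```sh
#!/bin/sh
# Added example, not from the original page: a password generator that
# reads the kernel CSPRNG (/dev/urandom) and filters to a character class,
# as the page's Bash one-liner does, written as reusable functions that
# also estimate the entropy of the result. Unlike the PHP recipe it never
# derives a password from hashed host name plus clock time.

# The page's character class: everything a terminal treats as one "word".
# '_' needs no escape and '-' is given as octal \055 so tr cannot read it
# as a range operator.
WORD_CHARS='a-zA-Z0-9@#%&+=:,.?/_\055'

# gen_password LENGTH [CHARCLASS]: print a LENGTH-character password.
gen_password() {
    len=$1
    class=${2:-$WORD_CHARS}
    # LC_ALL=C makes tr work on single bytes, so no multi-byte locale can
    # let unexpected characters through the filter.
    LC_ALL=C tr -dc "$class" < /dev/urandom | head -c "$len"
    echo
}

# charclass_size CHARCLASS: number of distinct bytes the class admits,
# measured by pushing every byte value 1..255 through the same tr filter.
charclass_size() {
    LC_ALL=C awk 'BEGIN { for (i = 1; i < 256; i++) printf "%c", i }' |
        LC_ALL=C tr -dc "$1" | wc -c | tr -d ' '
}

# entropy_bits LENGTH CHARCLASS: floor(LENGTH * log2(class size)), i.e.
# the size of the search space a guessing attack has to cover.
entropy_bits() {
    size=$(charclass_size "$2")
    awk -v n="$1" -v s="$size" 'BEGIN { printf "%d\n", n * log(s) / log(2) }'
}

# Demo: a 16-character password (the length the PHP recipe yields) and
# its entropy estimate.
gen_password 16
entropy_bits 16 "$WORD_CHARS"
```

The page's class has 75 characters, so 16 characters give about 99 bits and 64 characters about 398 bits; the same functions work with any class <tt>tr</tt> understands, e.g. <tt>gen_password 32 'a-z0-9'</tt>.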
== SSH Access using pubkeys for Authentication ==
You can make your system's remote login much safer in just 3 simple steps:
# Create your public-private key pair of files.
# Register your public key on the server you want to access.
# [''optional and recommended''] Allow login on the server using the pubkey only.
=== Create public-private key pair ===
To generate the public-private key pair, use <tt>ssh-keygen -t rsa</tt>.
You'll be prompted for where to save the keys, then for a passphrase (either empty, or 5+ letters), asked to repeat it if non-empty, and the keys get generated. Just as with passwords, it's important to use strong passphrases.
You should <tt>chmod 600</tt> both key files, and be very careful with them.
It is highly recommended to keep them in a [http://www.truecrypt.org/ truecrypt] partition or the like if you carry them around. If you need to write down the passphrase somewhere, again, either use [http://www.truecrypt.org/ truecrypt], or <tt>vim -x</tt>, or the like. Don't forget, a chain is only as strong as its weakest link.
=== Setup the server for key-based login ===
Transfer the created ''*.pub'' file (typically called ''id_rsa.pub'') to the server you want to log into remotely. Do '''not''' transfer the private part of the pair (typically called ''id_rsa'')!
Register the key on the server by appending it to the list of authorized keys for the user this key belongs to, like this:
 cat id_rsa.pub >> /home/''user''/.ssh/authorized_keys
The <tt>.ssh/authorized_keys</tt> file should of course also be <tt>chmod 600</tt>, and the <tt>/home/''user''/.ssh</tt> folder <tt>chmod 700</tt>.
==== Test it ====
Now, you should be able to log in to the server using
 ssh -i ''privatekey'' ''user''@''server''
e.g. <tt>ssh -i ~/.ssh/id_rsa user@example.com</tt>
The server verifies your identity based on the public key, but to log in you need both ''id_rsa'' and ''id_rsa.pub''.
=== Fortify the server (optional, ''root'' rights required) ===
Once all is up and running, and you've tested the login properly, you may choose to disable password-based login.
Edit the <tt>/etc/ssh/sshd_config</tt> file (or <tt>/usr/local/etc/sshd_config</tt> on BSDs). Add/update the following lines:
 PasswordAuthentication no
 RSAAuthentication yes
 PubkeyAuthentication yes
 AuthorizedKeysFile %h/.ssh/authorized_keys
Then restart <tt>ssh</tt> using <tt>/etc/init.d/ssh restart</tt> (or <tt>/usr/local/etc/rc.d/ssh restart</tt> on BSDs).
You may also choose to disable ''root'' login, allowing only regular users to log in, and then use <tt>sudo</tt> to become root. Simply add/update in <tt>/etc/ssh/sshd_config</tt>:
 PermitRootLogin no
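An added example that is not part of the original notes: a POSIX shell checker for the three settings above, which honours two <tt>sshd_config</tt> rules that often trip people up, namely that the first value of a keyword wins and that keywords are case-insensitive. The function names and the sample config are constructed for this example; <tt>Match</tt> blocks and the <tt>Keyword=value</tt> spelling are not handled, and <tt>RSAAuthentication</tt> is left out of the check because it concerned SSH protocol 1 only.

```sh
#!/bin/sh
# Added example, not from the original notes: check an sshd_config text
# (on stdin) for the settings this section asks for. sshd takes the FIRST
# value it meets for each keyword and matches keywords case-insensitively,
# so the checker applies the same rules. Limits: 'Match' blocks and the
# 'Keyword=value' spelling are not handled (constructed, not OpenSSH code).

# sshd_option KEYWORD < config: print the effective (first) value of
# KEYWORD, skipping comments and blank lines; prints nothing if unset.
sshd_option() {
    awk -v key="$(printf %s "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }             # comment or blank line
        tolower($1) == key   { print $2; exit }   # first match wins
    '
}

# check_hardening < config: verify the three settings from this section;
# prints one line per setting, returns 1 if any is wrong or missing.
check_hardening() {
    cfg=$(cat)
    rc=0
    for pair in PasswordAuthentication=no PubkeyAuthentication=yes PermitRootLogin=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(printf '%s\n' "$cfg" | sshd_option "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: an early 'yes' silently wins over the 'no' that was
# appended at the end of the file, a classic way for this step to go wrong.
SAMPLE='# sshd_config (constructed sample)
Port 22
passwordauthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

PasswordAuthentication no
PermitRootLogin no'

printf '%s\n' "$SAMPLE" | check_hardening || echo "-> fix the file, then run 'sshd -t' to syntax-check it"
```

Run it against the real file with <tt>check_hardening < /etc/ssh/sshd_config</tt>; a clean result from <tt>sshd -t</tt> only proves the syntax, not that the intended values are the ones in effect.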
== Using RSync together with SSH ==
Using password-based authentication:
 $ rsync -avz -e ssh ''user''@''server'':/''remote''/''dir'' /''this''/''dir''/
Using pubkey-based authentication:
 $ rsync -avz -e "ssh -i /''path''/''to''/id_rsa" ''user''@''server'':/''remote''/''dir'' /''this''/''dir''/

== External Links ==
* [http://blogs.sun.com/jkini/entry/how_to_scp_scp_and How To scp, ssh and rsync without prompting for password]
Latest revision as of 16:05, 18 September 2012