Initial Setup of Debian 10 on Digital Ocean (Part 1)

Two people in front of laptops setting up a server.

This is part 1 of the Initial Setup of a Debian 10 server on Digital Ocean.

This is a complement to Initial Server Setup with Debian 10 over on the DigitalOcean tutorials page. The linked tutorial provides an excellent base setup for you to springboard off of into your own custom setup. That being said, there are always settings, configurations, and utilities that will be helpful for almost any setup. Some of the information below comes from How To Secure A Linux Server and The Book of Secret Knowledge (one of my favourite repos).

Note: I will do my best to introduce anything that we change so that you can understand what that change might affect. All setups are different, so don’t install or configure anything that you don’t need or want. Otherwise you will forget about it, it will fall out of date, and it will become a security issue.

Values that are specific to my setup, such as the server’s IP address, the username and the SSH port, should be replaced with your own.

Logging In

If you’re a Windows user then I recommend Solar-PuTTY as a command line client (shout-out to Greg for the find). Otherwise you can use the built-in terminal on macOS or Linux. Here is how we connect to our server via the command line interface (CLI).

 justin@home:/$ ssh root@111.133.134.199

Replace the IP Address with the IP of your new server.

At this point you’ll either a) be asked for the password that you set for the root account, or b) be authenticated with your SSH key, if you chose to use SSH keys for logging in when you created the droplet. If the credentials check out, you’ll be logged in.

Creating a User and Granting Administrator Privileges

You should only use the root account in special circumstances. It’s recommended that you create a standard account that can elevate to administrative privileges when necessary. We’re going to create a secondary account called bastion and then add it to the sudo group. The commands in this section run on the server, in the root session you just opened.

 root@server:~# adduser bastion
     Adding user `bastion' ...
     Adding new group `bastion' (1000) ...
     Adding new user `bastion' (1000) with group `bastion' ...
     Creating home directory `/home/bastion' ...
     Copying files from `/etc/skel' ...
       New password: <Enter Password>
       Retype new password: <Re-enter Password>
     passwd: password updated successfully
     Changing the user information for bastion
     Enter the new value, or press ENTER for the default
        Full Name []: Bastion
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
     Is the information correct? [Y/n] Y

You’ll be prompted to set and confirm a password for the new account. The remaining fields (Full Name, Room Number, phone numbers) are optional; press Enter to leave them blank.

 root@server:~# usermod -aG sudo bastion

The usermod command modifies existing accounts. The -a switch appends to the account’s existing list of groups (without it, -G would replace that list), and the -G switch names the group(s) to add. Members of the sudo group (superuser do) are able to run commands with the security privileges of another user, which by default is the superuser account.

Now, when logged in as bastion, we can prefix commands with sudo. Commands that make system changes, including software installs and uninstalls, require elevated privileges that a standard account normally wouldn’t have. From here on, log out of root and log in as bastion; the prompts below reflect that.

Setting Up The Uncomplicated Firewall

A basic firewall goes a long way. Uncomplicated Firewall (UFW) is a simple front end to the Linux kernel’s packet filter. Let’s install it, and then add a firewall rule for SSH so that we can still access the server remotely once the firewall is turned on.

 bastion@server:~$ sudo apt install ufw

 bastion@server:~$ sudo ufw app list
 
 bastion@server:~$ sudo ufw allow OpenSSH

 bastion@server:~$ sudo ufw enable
 Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
 Firewall is active and enabled on system startup

Once you’ve enabled UFW with that last command it will warn you about losing your current SSH connection. As long as you allowed the OpenSSH application profile before enabling, you’re good: UFW’s defaults deny all incoming traffic and allow all outgoing, so that one rule is what keeps port 22 reachable. You can use the command sudo ufw status numbered to see the currently listed rules.

 bastion@server:~$ sudo ufw status numbered
 Status: active

      To                         Action      From
      --                         ------      ----
 [ 1] OpenSSH                    ALLOW IN    Anywhere
 [ 2] OpenSSH (v6)               ALLOW IN    Anywhere (v6)

Copying Existing SSH Keys

SSH is attacked all the time; it’s very, very common. If you’ve already set up the bastion account with SSH keys, then you may wish to skip the next couple of sections. If you’re going to reuse the SSH keys that you created for your root account, read on.

The public keys that may log in to the root account are stored in ~/.ssh/authorized_keys on your server. (Only public keys belong there; a server account should never hold a private key in its .ssh directory.) If you plan on using the same SSH keys on your bastion account you can copy this directory over to the bastion home directory, then fix its ownership and permissions: with the default StrictModes setting, sshd ignores an authorized_keys file or .ssh directory that other users can write to. (When copying from your root user, log in as your root user.)

 root@server:~# cp -r ~/.ssh /home/bastion

 root@server:~# chown -R bastion:bastion /home/bastion/.ssh

 root@server:~# chmod 700 /home/bastion/.ssh

 root@server:~# chmod 600 /home/bastion/.ssh/authorized_keys

Creating SSH Keys (Using PuttyGen)

If you don’t have any SSH keys currently, or wish to create a new pair for this new bastion user, we’ll use PuTTY Key Generator (PuTTYgen) to do that. The image below shows the sequence of buttons you’ll press. In the Parameters section, pick Ed25519 where your PuTTY offers it, otherwise RSA with at least 3072 bits.

First, click the Generate button. PuTTYgen then asks you to move your mouse around the blank Key area at random; those movements are the random input (entropy) from which the key pair is derived, a bit like an initial password. Once that’s done it will generate a key!

The Key fingerprint and Key comment are filled in automatically. A Key passphrase encrypts the private key on disk, so the passphrase is required every time the key is used (or once per session if you load the key into an agent such as Pageant). The passphrase is optional, but it stops a stolen private key file from being usable on its own.

Copy the text in the ‘Public key for pasting into OpenSSH authorized_keys file’ field into Notepad. That single-line format is what the server expects; the file written by Save public key is in a different (RFC 4716) layout that OpenSSH will not read from authorized_keys. Click Save public key and Save private key to save the respective keys to your computer. The file extensions don’t matter in this instance, however, you may wish to use the following extensions on your key files:

id_rsa.pub (Public Key)
id_rsa.key or id_rsa.ppk (Private Key)

Keep these safe and secure, and make sure that you keep backups. The private key is the secret: it never goes to the server and is never shared. The public key is safe to hand out.

Create a third file called authorized_keys and paste into it the text that you saved in Notepad previously.

Uploading SSH Keys

The easiest way to copy SSH keys to your server is the ssh-copy-id command; however, ssh-copy-id isn’t available on Windows. I’ll show you the ssh-copy-id way of uploading your SSH public key to your new server, as well as the scp command (Secure Copy) and a plain ssh pipeline.

SSH-copy-id

The ssh-copy-id command is by far the easiest method of moving your SSH public key from your local machine to your new server. It handles all of the dirty work for us: the dirty work that you’ll see in the scp and ssh commands below it. The -i switch takes your public key file (the .pub file, never the private key), not the authorized_keys file you built on your computer.

 justin@home:/$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@111.133.134.199

 justin@home:/$ ssh-copy-id -i ~/.ssh/id_rsa.pub bastion@111.133.134.199

 # Without the -i switch, ssh-copy-id uses the keys loaded in your ssh-agent, or your default key files in ~/.ssh.

 justin@home:/$ ssh-copy-id bastion@111.133.134.199

The ssh-copy-id command requires very little input. I’ve given it the path to my SSH public key, and then I finish the command with the login @ my new server. You’ll be prompted for that account’s password after pressing Enter (so password logins must still be allowed at this point; we turn them off later). Once it completes, your public key is appended to ~/.ssh/authorized_keys for the user that you logged in with, and it is skipped if it is already there. The first example uploads a public key for the root user, the second for bastion.

SCP (Secure CoPy)

Unlike ssh-copy-id, the secure copy (scp) command is available in both the Windows Command Prompt and PowerShell. Also unlike ssh-copy-id, the scp command below completely overwrites the server’s authorized_keys file with the contents of your local file, so any key that was already authorized for that account is removed, and it assumes ~/.ssh already ex
ists on the server.

 justin@home:/$ scp C:\Users\Justin\.ssh\authorized_keys root@111.133.134.199:~/.ssh/

SSH Copy

Here is a third example of copying SSH keys to your server using the ssh command itself (in PowerShell, where cat is an alias of Get-Content, or in a Unix shell). This is the most explicit way of copying your SSH key, as you pipe the public key over the SSH session to a small command that creates ~/.ssh with the right permissions and appends the key, much as ssh-copy-id does.

 justin@home:/$ cat C:\Users\Justin\.ssh\id_rsa.pub | ssh root@111.133.134.199 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
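As an added example (my code, not from the post or from OpenSSH), here is what ssh-copy-id and the ssh pipeline above are doing, written out in Python so that the checks are visible: the key line is validated before it is accepted (a pasted private key or the RFC 4716 file that PuTTYgen’s Save public key writes is refused), ~/.ssh and authorized_keys get the 0700/0600 permissions that StrictModes wants, the key is appended only if it is not already present, and the optional owner argument covers the root-to-bastion copy from the previous section. The function names, the constructed all-zero test key and the demo_install helper are my own.

```python
"""Install an OpenSSH public key into an account's authorized_keys (added example)."""
import base64
import os
import pwd
import stat
import tempfile
from pathlib import Path
from typing import Optional

# Key types OpenSSH accepts in authorized_keys (the common ones; assumption).
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com")


def parse_public_key(line: str) -> str:
    """Validate one OpenSSH public-key line and return it with whitespace normalised.

    Refuses the two things people paste into authorized_keys by mistake: a
    private key, and the RFC 4716 file that PuTTYgen's 'Save public key' writes.
    """
    line = line.strip()
    if line.startswith("-----BEGIN") or "PRIVATE KEY" in line:
        raise ValueError("that is a private key; only the one-line public key belongs on the server")
    if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        raise ValueError("RFC 4716 format; paste PuTTYgen's 'OpenSSH authorized_keys' text instead")
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"not an OpenSSH public key line: {line[:40]!r}")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key material is not valid base64") from exc
    # The wire format starts with a length-prefixed copy of the key type.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type prefix does not match the key blob")
    return " ".join(parts)


def install_authorized_key(home: Path, key_line: str, owner: Optional[str] = None) -> bool:
    """Append the key to home/.ssh/authorized_keys unless it is already present.

    Returns True if added, False if it was already there. Sets .ssh to 0700 and
    authorized_keys to 0600 regardless. `owner` (only meaningful when running as
    root) chowns both to that account, as the post's chown -R does for bastion.
    Lines with an options prefix (e.g. "no-pty ssh-rsa ...") are not compared.
    """
    key = parse_public_key(key_line)
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    ssh_dir.chmod(0o700)  # mkdir's mode is subject to umask; be explicit
    auth = ssh_dir / "authorized_keys"
    existing = auth.read_text().splitlines() if auth.exists() else []
    # Compare type + key material only, so a changed comment is not a "new" key.
    material = key.split()[:2]
    present = any(l.split()[:2] == material
                  for l in existing if l.strip() and not l.lstrip().startswith("#"))
    if not present:
        with auth.open("a") as fh:
            fh.write(key + "\n")
    auth.chmod(0o600)
    if owner is not None:
        pw = pwd.getpwnam(owner)
        for p in (ssh_dir, auth):
            os.chown(p, pw.pw_uid, pw.pw_gid)
    return not present


def fake_ed25519_pubkey_line(comment: str) -> str:
    """CONSTRUCTED test data: a syntactically valid ed25519 line with an all-zero
    key. It parses, but it is not a usable key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def is_acceptable_key(line: str) -> bool:
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def demo_install() -> dict:
    """Run the installer against a throwaway fake home and report what happened."""
    key = fake_ed25519_pubkey_line("justin@home")
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        first = install_authorized_key(home, key)
        again = install_authorized_key(home, key)
        recommented = install_authorized_key(home, key.rsplit(" ", 1)[0] + " other-comment")
        auth = home / ".ssh" / "authorized_keys"
        return {
            "first_added": first, "again_added": again, "recommented_added": recommented,
            "ssh_dir_mode": stat.S_IMODE((home / ".ssh").stat().st_mode),
            "auth_mode": stat.S_IMODE(auth.stat().st_mode),
            "lines": len(auth.read_text().splitlines()),
        }


if __name__ == "__main__":
    print(demo_install())
```

To do the root-to-bastion copy from the previous section with it, run it as root with install_authorized_key(Path("/home/bastion"), line, owner="bastion") for each line of root’s authorized_keys.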

Secure Remote SSH

By default, the SSH service allows everyone to attempt to connect to it, and to attempt to log in with a username and password. Since we’re now using SSH keys for all of the remote users on our server, there are several configuration changes that we must make in order to secure SSH. Make them from your bastion session, and keep that session open until you have confirmed that a fresh connection works.

  • Disable Root Logins Using Passwords
  • Disable Password Authentication
  • Change the default SSH port

All of the configuration for the SSH service is contained within /etc/ssh/sshd_config. Open that file (with sudo) in nano or your favourite editor and change the following settings. I’ve placed a comment character (#) in front of the old setting. Note that sshd uses the first value it finds for each keyword, so the old line really must be commented out rather than left active above the new one.

# Port 22
Port 2222

# PermitRootLogin yes
PermitRootLogin prohibit-password

# PasswordAuthentication may not be listed in your sshd_config file. If it’s missing, simply add the configuration line to the end of the file (above any Match block, if the file has one).
# PasswordAuthentication yes
PasswordAuthentication no

prohibit-password lets root in with a key but never with a password; older releases spelled it without-password, and the OpenSSH in Debian 10 accepts both. After you save sshd_config, check it for syntax errors with sudo sshd -t (no output means it is fine), allow traffic to the new port, and only then restart the SSH service.

 bastion@server:~$ sudo ufw allow 2222/tcp
 
 bastion@server:~$ sudo service ssh restart

Now, from a second terminal, confirm that you can log in as bastion on port 2222 before closing your current session. Once that works, remove the OpenSSH application rule that still allows port 22.

You might be wondering why we’re changing the default SSH port. SSH is a commonly attacked service, and port 22 is where the attacks go: servers and computers connected to the Internet are constantly being scanned to find out if this port is open. Changing the port doesn’t prevent attacks, since a full port scan still finds the service and its banner still says SSH, but it does filter out the mass of automated bots that only ever try port 22, which keeps your logs quieter and the brute-force noise down. The real protection is the key-only authentication we just turned on; the port change is a convenience on top of it.
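As an added example (my code, not from the DigitalOcean tutorial or from this post), here is the same set of changes applied by a script instead of by hand. It comments out the old active line and puts the new one before any Match block, because sshd takes the first value it sees for a keyword and anything placed after a Match block belongs to that block; it backs the file up; and it only reloads sshd after sshd -t accepts the new config. The function names and the .bak naming are my own; the sshd_config keywords and the sshd, ufw and systemctl commands are the real ones.

```python
"""Apply the post's three sshd_config changes from a script (added example)."""
import re
import shutil
import subprocess
from pathlib import Path

# prohibit-password is the current spelling of without-password; Debian 10's
# OpenSSH (7.9) accepts both.
HARDENED = {
    "Port": "2222",
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "no",
}

# An active (not commented-out) "Keyword value" or "Keyword=value" line.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(\S.*)?$")


def _keyword(line: str):
    """(lower-cased keyword, value) for an active directive, else (None, None)."""
    m = _DIRECTIVE.match(line)
    return (m.group(1).lower(), (m.group(2) or "").strip()) if m else (None, None)


def set_option(text: str, key: str, value: str) -> str:
    """Return sshd_config text with `key` set to `value` in the global section.

    sshd uses the FIRST value it sees for a keyword, so an old active line
    higher up would silently win over a line appended at the end. Every active
    line for the key before the first Match block is therefore commented out,
    and the new line is inserted just before that Match block (a line after it
    would belong to the block). Match blocks themselves are left untouched.
    """
    out, inserted = [], False
    for line in text.splitlines():
        keyword, _ = _keyword(line)
        if keyword == "match" and not inserted:
            out.append(f"{key} {value}")
            inserted = True
        if keyword == key.lower() and not inserted:
            out.append(f"# {line.strip()}")  # keep the old value visible, as the post does
            continue
        out.append(line)
    if not inserted:
        out.append(f"{key} {value}")
    return "\n".join(out) + "\n"


def effective_option(text: str, key: str):
    """The value sshd will use for `key` in the global section, or None if unset."""
    for line in text.splitlines():
        keyword, value = _keyword(line)
        if keyword == "match":
            break
        if keyword == key.lower():
            return value
    return None


def harden_text(text: str) -> str:
    """Apply every HARDENED setting to the config text."""
    for key, value in HARDENED.items():
        text = set_option(text, key, value)
    return text


def harden_sshd_config(path: Path = Path("/etc/ssh/sshd_config")) -> Path:
    """Back the file up (returned path), rewrite it, and leave sshd alone."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(harden_text(path.read_text()))
    return backup


def reload_sshd(path: Path = Path("/etc/ssh/sshd_config")) -> None:
    """Validate, open the firewall for the new port, then reload. Run as root (sudo)."""
    subprocess.run(["sshd", "-t", "-f", str(path)], check=True)  # a bad config stops here
    port = effective_option(path.read_text(), "Port") or "22"
    subprocess.run(["ufw", "allow", f"{port}/tcp"], check=True)
    subprocess.run(["systemctl", "reload", "ssh"], check=True)
    # Keep this session open. From a second terminal confirm that
    #   ssh -p 2222 bastion@<ip>
    # works, and only then run: ufw delete allow OpenSSH


if __name__ == "__main__":
    print(f"backup written to {harden_sshd_config()}")
    reload_sshd()
```

The keep-the-old-line-as-a-comment behaviour mirrors what the post does by hand; effective_option is the check to run afterwards, since it answers the question sshd itself will ask (first active value wins).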

We’ll be digging into some more in depth system settings in part 2.

I highly recommend DigitalOcean if you’re looking for discount VPS.

Python Regex For IP Address Matching

computer scripting on a computer screen

I was working on a Python script to find IP addresses in a large number of JSON files. I didn’t need anything complex, so my script works as follows:

  • Read in all of the JSON files in a given directory.
  • Using Regular Expressions, search the data previously read and attempt to match for IP Addresses.
  • Save a list of suspected IP Addresses to a list.
  • Check each IP Address in the list using the IPStack API. Remove any IP Addresses from the list that are not actually IP Addresses. (This gives us additional info, as well as validates what we found was an actual IP Address.)
  • Output a list of information regarding the IP Address.

This post is to provide a working regex for IPv4 addresses in Python. Two things to know about it: the ^ and $ anchors make it match only a string that is entirely an address, so it is for checking one value at a time with re.match, not for searching inside a larger block of text; and it checks the shape of a dotted quad, not its validity, so 999.999.999.999 matches too, which is why the candidates get validated afterwards. Without further ado.

  ip_regex = r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
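As an added example (my code, not the script from the post), here is the pattern above turned into a scanner: the anchors come off so it can search inside a file’s text, lookarounds stop it matching the middle of a longer dotted run such as a version string, and each candidate is validated offline with the standard library’s ipaddress module rather than by sending it to IPStack. That avoids shipping your data to a third party and also filters out private and reserved addresses that a geolocation lookup cannot say anything useful about. The function names and the sample JSON line are my own.

```python
"""Find and validate IPv4 addresses in raw file text (added example)."""
import ipaddress
import re
from pathlib import Path
from typing import Dict, List

# Unanchored version of the post's pattern. The lookarounds stop it matching
# the middle of a longer dotted run such as a version string "1.2.3.4.5",
# while still matching an address followed by a full stop at the end of a sentence.
IPV4_CANDIDATE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")


def find_ipv4(text: str) -> List[str]:
    """Unique valid IPv4 addresses in text, in order of first appearance."""
    found: List[str] = []
    for m in IPV4_CANDIDATE.finditer(text):
        try:
            addr = ipaddress.IPv4Address(m.group(0))
        except ValueError:
            continue  # shape matched but value did not, e.g. 999.1.1.1
        if str(addr) not in found:
            found.append(str(addr))
    return found


def public_ipv4(text: str) -> List[str]:
    """Subset of find_ipv4 worth looking up: drops RFC 1918, loopback,
    link-local, multicast and other reserved ranges."""
    result = []
    for a in find_ipv4(text):
        addr = ipaddress.IPv4Address(a)
        if not addr.is_private and not addr.is_multicast:
            result.append(a)
    return result


def scan_json_dir(directory: Path) -> Dict[str, List[str]]:
    """Map each *.json file under directory to the public addresses in its raw text.

    The files are read as text, not parsed as JSON, which is what the post does:
    an address in a key, a value or a string inside a value is found either way.
    """
    return {str(p): public_ipv4(p.read_text(errors="replace"))
            for p in sorted(directory.rglob("*.json"))}


if __name__ == "__main__":
    # Constructed sample line, not real data.
    sample = '{"src": "8.8.8.8", "msg": "bad 999.1.1.1; internal 10.0.0.5; ver 1.2.3.4.5"}'
    print(find_ipv4(sample), public_ipv4(sample))
```

Note that the regex still cannot tell a version number like 10.0.0.1 from an address; only context can, which is the one thing the post’s IPStack step was genuinely doing beyond validation.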

Signal – Getting Started with Secure SMS

Signal

You’ve probably heard of Signal lately; on the news, on Facebook, or somewhere else on the Internet. My sister “tried” to use it, but only ended up missing a bunch of text messages from me. So this post is for my sister and anyone else interested in securing their text messages.

Why Would I Want Secure Text Messages? Are People Really Reading My Texts?

These are the two most common questions that I get about this. A lot of you Apple users just love your iMessage. Guess what?!? Signal is, for all intents and purposes, the same thing as iMessage except for the following very big differences:

  1. It’s available on both iOS and Android, as well as your desktop (Windows, Linux and macOS).
  2. The messages, photos, videos, and even the calls sent between users are end-to-end encrypted, so they are only viewable by those users, not by Signal’s servers.
  3. It’s open source. This means that the code used to build it is freely viewable on the Internet, and anyone can review it or contribute to its development.

Getting Started with Signal

  1. Getting started with Signal is easy. The application is available on both the Google Play Store on Android and the App Store on iOS. Once you’ve set it up on your mobile device you can install it on your desktop computer to send messages to other Signal users.
  2. When you first open Signal you’ll need to go through a basic registration where it will validate your phone number.

That’s it! You’re done.

You’ll want to send future texts using the Signal app so don’t forget to update the shortcuts on your phone screen. You may also need to make Signal your default SMS app, which it will prompt you to do when you launch the app.

What If My Friends Don’t Have Signal?

The Signal app allows you to send messages to everyone, even if they don’t have the Signal app. The only issue is that the messages between you and those people go out as ordinary SMS, so they are not secure, and functionality like video calling won’t work.

Easily Generate Security Keys With WordPress Salt Generator

Locked Vault

I was migrating some WordPress websites this weekend onto our new website hosting platform at Rogue Security. Normally I wouldn’t do a lot of it manually, but I was having an issue with one of the websites and realized it would be easier to install a fresh copy of WordPress. Well, while configuring wp-config.php I got to the Authentication Keys block, and hidden in the comments of that block is a link to the WordPress Salt Generator.

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org sec$
 * You can change these at any point in time to invalidate all existing cookies. This will force all users $
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         '<random-characters>' );
define( 'SECURE_AUTH_KEY',  '<random-characters>' );
define( 'LOGGED_IN_KEY',    '<random-characters>' );
define( 'NONCE_KEY',        '<random-characters>' );
define( 'AUTH_SALT',        '<random-characters>' );
define( 'SECURE_AUTH_SALT', '<random-characters>' );
define( 'LOGGED_IN_SALT',   '<random-characters>' );
define( 'NONCE_SALT',       '<random-characters>' );

What is a Salt?

Great question! A salt is random data that is used as additional input to a one-way hashing function. Yeah, that was a lot, so here is an example. When you create a new account on Facebook you must enter a username and password. After submitting that information, the username is stored in the database as written, in human-readable plain text. The password, however, is combined with a salt and then run through a password hashing function before it is stored. Hashing is not encryption: there is no key and no way to run it backwards. A general-purpose hash such as MD5 or SHA-256 is the textbook example, but because they are fast they are the wrong choice for passwords; real systems use a deliberately slow, salted construction such as bcrypt, scrypt, Argon2 or PBKDF2. Where the salt goes (in front of or behind the password) doesn’t matter, as long as it is done the same way every time and the salt is stored alongside the hash so the check can be repeated at login.

A hashing algorithm will produce the same output given the same input. In other words, every time I use the SHA-256 algorithm with my name as the input, it’s going to produce the exact same output. A short Python check with hashlib shows that; the digest below is what I get for my name.

46df21c3bf897655ba14e556391adf6a78fc3c5cc681d883be97de47456488ed

No matter how many times I run this script with my name as the test_string, it will never generate a different string, unless I change the hashing algorithm or the input, of course.

The salt doesn’t change your password; it changes how your password is stored. Remember how my name generates the same hash every time I check it? Well, so does your password. That is exactly what an attacker relies on: with an unsalted hash they can look it up in a precomputed table of hashes of common passwords (a rainbow table), and one table cracks every account that used that password. If a malicious actor knows the hash of your password, it can be almost as useful as the password itself, and far more so if it wasn’t salted before hashing; with a unique salt per account, each hash has to be attacked individually.
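As an added example (my code; the post’s own script and the input string behind the hash above are not reproduced), here is the behaviour described in this section in Python: SHA-256 of a string is the same every time, an unsalted hash of a common password is found instantly by a precomputed lookup, and a salted, deliberately slow password hash (PBKDF2-HMAC-SHA256 from hashlib, used here in place of the MD5/SHA-256 mentioned above) produces a different stored value for the same password every time while still verifying. The storage format and function names are my own.

```python
"""Deterministic hashing versus salted password hashing (added example)."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# OWASP's guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations; callers may
# lower it for quick checks, never for real storage.
DEFAULT_ITERATIONS = 600_000


def sha256_hex(text: str) -> str:
    """Plain SHA-256: deterministic, fast, unsalted. Fine for integrity checks, wrong for passwords."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def crack_unsalted(digest_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with an unsalted hash: compare it against a precomputed table."""
    table = {sha256_hex(word): word for word in wordlist}  # built once, reused for every victim
    return table.get(digest_hex)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt per password means two users with the same
    password get different stored values, and a precomputed table is useless.
    The salt is stored next to the digest: it is not secret, only unique.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(sha256_hex("abc"))  # the same digest every run
    stored = hash_password("password123")
    print(stored, verify_password("password123", stored))
    print(crack_unsalted(sha256_hex("password123"), ["letmein", "password123"]))
```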

WordPress Salt Generator

The WordPress Salt Generator is a simple page for generating a complete set of secret keys for your WordPress installation. If you’re using it for WordPress security purposes then you simply load up the page linked to above, and copy the generated keys into your wp-config.php file. These keys are also automatically generated during a standard installation so you only really need to do this if you are doing a manual install. If you don’t fill them out, they will be automatically generated for you during the first run.

Other Uses

So, how else might they be useful?

The page generates 8 pseudo-random strings of 64 characters each (not 64 bits). You could easily connect to this page with a little Python, parse the data and have a quick set of secret keys that can be used for just about anything. Need some quick licence keys created? Pull up the page, copy a key, and you have randomly generated licence keys (just make sure you check for duplicates). One caveat: every key you take from the page has travelled across the Internet from a third-party server, which is fine for the WordPress use it was built for, but for anything else that has to stay secret you are better off generating an equivalent string locally with your language’s cryptographic random number generator.

Do you like complex passwords? I do. Some of my passwords are actually 64 random characters so this is perfect for that.
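As an added example (my code, not WordPress’s or the salt generator’s), here is the “little Python” mentioned above, but with the secret generation done locally: a parser for the define() block that the endpoint returns (the sample text in the check is constructed), a generator that builds an equivalent set with the secrets module, a renderer for wp-config.php, and a validator that catches placeholder values, short keys and duplicates. It assumes the endpoint uses the same character set as WordPress’s own wp_generate_password(64, true, true); the function names are mine.

```python
"""Parse, generate, render and validate WordPress keys and salts (added example)."""
import re
import secrets
import string
from typing import Dict, List

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Letters, digits and the two groups of special characters wp_generate_password
# uses (assumption: the endpoint draws from the same set). None of ' " \ appear,
# so a value can sit between single quotes in PHP without escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()" + "-_ []{}<>~`+=,.;:/?|"
PLACEHOLDER = "put your unique phrase here"  # what wp-config-sample.php ships with
MIN_LENGTH = 64

_DEFINE = re.compile(r"define\(\s*'([A-Z_]+)',\s*'([^']*)'\s*\);")


def parse_salts(php_text: str) -> Dict[str, str]:
    """Pull NAME -> value out of define( 'NAME', 'value' ); lines."""
    return {name: value for name, value in _DEFINE.findall(php_text)}


def generate_salts(length: int = MIN_LENGTH) -> Dict[str, str]:
    """A full set from the OS CSPRNG; nothing leaves the machine."""
    return {name: "".join(secrets.choice(ALPHABET) for _ in range(length))
            for name in KEY_NAMES}


def render_salts(salts: Dict[str, str]) -> str:
    """The block to paste into wp-config.php."""
    return "".join(f"define( '{name}', '{value}' );\n" for name, value in salts.items())


def validate_salts(salts: Dict[str, str]) -> List[str]:
    """Problems a human misses when pasting: missing names, placeholders, short or repeated values."""
    problems = [f"missing {name}" for name in KEY_NAMES if name not in salts]
    for name, value in salts.items():
        if value == PLACEHOLDER:
            problems.append(f"{name} is still the placeholder")
        elif len(value) < MIN_LENGTH:
            problems.append(f"{name} is only {len(value)} characters")
    if len(set(salts.values())) != len(salts):
        problems.append("two or more values are identical")
    return problems


if __name__ == "__main__":
    fresh = generate_salts()
    print(render_salts(fresh), validate_salts(fresh))
```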

What is a Non-Fungible Token?

Crypto Kitty

I want to do a larger post on cryptocurrency and blockchain technology itself, but today I want to talk about non-fungible tokens (NFT), and how they relate to it all.

Non-fungible?

Good question. Fungibility is a property of a good or commodity whereby each unit is interchangeable, because each unit is generally indistinguishable from the others and/or shares the same set of properties. The units must be substantially equivalent for fungibility to exist.1 Money, for instance, is a fungible commodity, as there is a system of interchangeable units (dollar bills and coins). If a unit of something is non-fungible, it can’t be exchanged on the basis of equivalence, because each unit is distinguishable from every other unit.2 Units can still be traded, but not as equivalents.

So what’s a non-fungible token?

A non-fungible token, simply put, is a token recorded on a blockchain that carries a unique identifier, so no two tokens are interchangeable. That identifier can then stand for an item, object or character.

For example, CryptoKitties (cryptokitties.co) presents itself as a crypto-collectable, as opposed to a currency like bitcoin. Crypto-collectables are a type of non-fungible token. In the case of CryptoKitties, each token is a unique kitty collectable. These collectables can be bred, traded, sold and bought on the marketplace. You can even link your kitties to other projects in the “kittyverse” such as KotoWars, a card battle game where you use your own CryptoKitties; catatonic.club, an autonomous kitty breeding tool; or view your kitties’ details over at Kittyhelper.co.

How are they related to bitcoin?

Both bitcoin and non-fungible tokens are built off of the same technology, blockchain. Where as bitcoin uses blockchain as a digital ledger for currency, non-fungible tokens use blockchain for validation of trades, creations, and sometimes even death.

Why would I want one?

Although they don’t have an interchangeable value, they still hold value. Each non-fungible token is bought and sold in the cryptocurrency of the blockchain it lives on, so it is worth whatever someone will pay for it in that currency.

How do I get one?

Start out by finding a crypto-collectible that you’ll enjoy collecting.

Other than cryptokitties.co, you might want to check out HyperDragons, MLB Crypto Baseball, Blockchain Cuties, Known Origin and MegaCryptoPolls, just to name a few. If you have an interest, there is likely a crypto-collectable that exists to cover it.

References

1 https://en.wikipedia.org/wiki/Fungibility
2 https://en.wikipedia.org/wiki/Non-fungible_token

International Women’s Day – March 8, 2021

I have had and have a lot of strong and amazing women in my life. I’m lucky to have them because they’ve made me who I am today. I hope that you are all celebrating the woman in your life for everything that they do, not only for us as individuals, but also for what they do to guide, educate, and innovate in today’s society while continuing to be badass and beautiful!

Find out more by heading over to internationalwomensday.com.

#IWD2021 #ChooseToChallenge

Setting Timezone In Ubuntu Command Line

Hourglass In Rocks

You may have just set up your new Ubuntu server, or perhaps you have a Virtual Private Server on Digital Ocean that comes up in the default UTC time zone. Whatever the reason, you should always have your server(s) and user(s) system time set to the appropriate time zone, and preferably synchronised across every device on the same network. Check out the Cybersecurity Breakout below for more on that, or skip it to find out how to set the time zone in Ubuntu.

Please note, these instructions should apply to most, if not all, Debian-based operating systems.

Cybersecurity Breakout

Cyber attackers have found every feasible way to infiltrate their targets, and a host’s clock is one of the things they can lean on. Time-based attacks that tamper with a clock create undesirable behaviour in software that trusts it: an expired certificate can look valid again, time-limited tokens can be replayed, and the timestamps an investigator relies on to line up logs from different machines get muddled. Even without an attacker, clocks that drift apart turn log correlation during incident response into guesswork. Your Windows and macOS computers have settings that let you set your time zone manually or automatically. Depending on your network, you may even have a device (like a router) with a built-in time server, known as a Network Time Protocol (NTP) server.

The timedatectl Command

The timedatectl utility controls your system’s date and time. It has a variety of commands, but we’ll only be touching the few that are relevant here. Check out the man page for more. Without further ado, let’s get started.

How-To Set Time Zone in Ubuntu via Command Line

The following instructions assume that you already have command line access to your Ubuntu device.

Total Time Needed: 15 minutes

Steps to Setting The Time Zone In Ubuntu Via Command Line


Step 1 – Check Current Time Zone

You probably already know that the time zone is incorrect, but you need proof. Using the status command, you can find out how your current time is configured. (Running timedatectl without any command produces the same output.)

bastion@server:~$ timedatectl status


Step 2 – Set A New Time Zone

The timedatectl utility has a command called set-timezone that modifies the time zone of your Ubuntu server without you having to edit any files. You’ll need the proper name for the time zone that your device is in. Make sure that if your device is in Toronto, it gets the America/Toronto time zone even if you live in Phoenix, Arizona; you’re setting the time zone for the device, not for yourself. You can find a list of valid names on the Ubuntu man pages, or print it with timedatectl list-timezones. Changing the time zone is a system change, so it needs sudo.

bastion@server:~$ sudo timedatectl set-timezone America/Toronto

The set-timezone command updates /etc/timezone (and points the /etc/localtime symlink at the new zone file). After running it you can review that file to ensure the proper change was made.

bastion@server:~$ cat /etc/timezone
America/Toronto


Step 3 – Turn On Time Sync

Setting your time zone is now done, but you may also wish to have your time synced with an external service, as mentioned earlier. Not a problem: timedatectl can help us with that too, through the show-timesync and set-ntp commands.

bastion@server:~$ timedatectl show-timesync

show-timesync shows details of your current time sync configuration. You’ll want to confirm that you have servers listed under SystemNTPServers (or FallbackNTPServers).

bastion@server:~$ sudo timedatectl set-ntp true

The set-ntp command turns on time synchronisation with those NTP servers (on Ubuntu this is handled by the systemd-timesyncd service). Run timedatectl status again afterwards and check that the synchronized line says yes; it can take a few seconds after enabling.
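As an added example (my code, not part of the post), here are the three steps as a check-then-set script: it reads the machine-readable timedatectl show output, decides which of set-timezone and set-ntp are actually needed so the script can be re-run safely, and validates the zone name against /usr/share/zoneinfo before passing it to a privileged command. The property names (Timezone, NTP, NTPSynchronized) are the ones timedatectl show prints; the function names, the constructed sample output and the demo helper are mine.

```python
"""Idempotent time zone and NTP setup on top of timedatectl (added example)."""
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List

ZONEINFO = Path("/usr/share/zoneinfo")


def parse_show(output: str) -> Dict[str, str]:
    """`timedatectl show` prints Key=Value lines (Timezone, NTP, NTPSynchronized, ...)."""
    props = {}
    for line in output.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def zone_is_valid(name: str, zoneinfo: Path = ZONEINFO) -> bool:
    """True only for an Area/Location name that exists as a file under zoneinfo.

    Rejects absolute paths and '..' segments, and confirms the resolved file is
    still inside the zoneinfo tree, so a bad value cannot point a privileged
    command at an arbitrary file.
    """
    if not name or name.startswith("/") or ".." in name.split("/"):
        return False
    candidate = zoneinfo / name
    if not candidate.is_file():
        return False
    return zoneinfo.resolve() in candidate.resolve().parents


def plan(props: Dict[str, str], wanted_tz: str) -> List[List[str]]:
    """Commands (without sudo) needed to reach the wanted state; empty if already there."""
    actions = []
    if props.get("Timezone") != wanted_tz:
        actions.append(["timedatectl", "set-timezone", wanted_tz])
    if props.get("NTP") != "yes":
        actions.append(["timedatectl", "set-ntp", "true"])
    return actions


def apply_timezone(wanted_tz: str) -> bool:
    """Validate, run only what is needed, and report whether the clock is NTP-synchronised."""
    if not zone_is_valid(wanted_tz):
        raise ValueError(f"unknown time zone {wanted_tz!r}; see `timedatectl list-timezones`")

    def current() -> Dict[str, str]:
        out = subprocess.run(["timedatectl", "show"], capture_output=True, text=True, check=True)
        return parse_show(out.stdout)

    for cmd in plan(current(), wanted_tz):
        subprocess.run(["sudo", *cmd], check=True)
    return current().get("NTPSynchronized") == "yes"  # may lag a few seconds after set-ntp


def demo_zone_validation() -> Dict[str, bool]:
    """Exercise zone_is_valid against a constructed zoneinfo tree (no real tzdata needed)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "America").mkdir()
        (root / "America" / "Toronto").write_bytes(b"TZif2")  # stand-in for a real zone file
        return {
            "toronto": zone_is_valid("America/Toronto", root),
            "dir_only": zone_is_valid("America", root),
            "missing": zone_is_valid("Mars/Phobos", root),
            "traversal": zone_is_valid("../etc/passwd", root),
            "absolute": zone_is_valid("/etc/passwd", root),
        }


if __name__ == "__main__":
    print("synchronised:", apply_timezone("America/Toronto"))
```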

Congratulations, you’re done! You don’t need to reboot for these changes to take effect; however, I always recommend doing so when making system changes.

What is Net Zero Emissions?

Thawing icebergs in the ocean.

My local paper today has a story about the U.S. and Canada working towards net-zero emissions by 2050, and it got me thinking, as everything does. What does achieving net-zero emissions mean? How is it done? And what does it achieve? Let’s chat.

As you can see, it’s not as simple as it sounds, but it’s easier to do than it looks. Whether you’re a consumer, a business or another kind of organisation, we can all do something to help offset carbon and other greenhouse gas emissions.

If you’re interested in purchasing offsets as an individual, business, or other; check out Purchasing Carbon Offsets Guide for Canadians. Produced by the David Suzuki Foundation and The Pembina Institute, you’ll find a table on page 10 that provides a list of vendors along with assessed offset results.


WordPress Stuck in Maintenance Mode


This one caught me a little off guard. I was working on updating a client WordPress site this morning; it had two themes that we hadn’t removed that needed an update. Instead of deleting them, I chose to update them. Without thinking, I clicked away to another part of the WordPress administrator area and ended up stuck with the following on every load and reload of the page. I even restarted NGINX in the hope of a quick fix.

I’ve now learned that WordPress has a built-in maintenance mode that it switches itself into while updating plugins and themes. We rarely see any reference to it, as updates typically finish quickly and without a problem. Except when they don’t. Luckily, the WordPress developers built a very simple mechanism behind this maintenance mode, and anyone with access to the WordPress website files can clear it.

How To Fix WordPress Stuck in Built-in Maintenance Mode

In order to fix this error you must have access to the underlying WordPress website files. You may have access to these files via File Transfer Protocol (FTP) or through your web host’s control panel.
The solution to this problem is to delete the .maintenance file from the root folder of your WordPress install, in other words, the top-most directory on your web host that contains WordPress files.

Total Time Needed: 5 minutes

Steps to remove .maintenance file from wordpress

Step 1 – Navigate to your WordPress Directory

Log in to your web hosting control panel, FTP client, or SSH client and navigate to the top-most WordPress directory that is hosting your website. On my web host, my files are located at /<server_directories>/roguesecurity.ca/public_html/.

Step 2 – Delete .maintenance file

Look for a file called .maintenance (the leading period is part of the name, and many file managers hide dot-files by default, so turn on showing hidden files if you don’t see it). Once found, simply delete this file from the directory.
Then return to your web browser, clear your browser cache, and reload your website.

Congratulations. That’s it! If your website is still displaying a maintenance mode message after deleting this file, double-check that you’ve cleared your browser’s cache. You can also try a different browser. If it works in a different browser then we know the fix worked, and the other browser will correct itself once its cache expires.
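As an added example (my code, not WordPress’s), here is a triage step to run before deleting the file. WordPress writes <?php $upgrading = <unix timestamp>; ?> into .maintenance when an update starts and, in wp_is_maintenance_mode(), stops honouring the file once that timestamp is ten minutes old. The script reads the timestamp, reports whether the file is fresh (an update may genuinely still be running, so it is not deleted without force) or stale, and removes it only in the stale, unparsable or forced case. The function names and the constructed sample files are mine; the file format and the ten-minute cutoff are WordPress’s.

```python
"""Inspect and clear a stuck WordPress .maintenance file (added example)."""
import re
import sys
import tempfile
import time
from pathlib import Path
from typing import Optional, Tuple

STALE_AFTER = 10 * 60  # seconds; WordPress's own cutoff in wp_is_maintenance_mode()
_UPGRADING = re.compile(r"\$upgrading\s*=\s*(\d+)\s*;")


def maintenance_state(wp_root: Path, now: Optional[float] = None) -> Tuple[str, Optional[int]]:
    """('absent' | 'active' | 'stale' | 'unparsable', age in seconds or None)."""
    path = wp_root / ".maintenance"
    if not path.exists():
        return "absent", None
    now = time.time() if now is None else now
    m = _UPGRADING.search(path.read_text(errors="replace"))
    if not m:
        return "unparsable", None  # hand-edited or corrupt; no update can be waiting on it
    age = int(now - int(m.group(1)))
    return ("active" if age < STALE_AFTER else "stale"), age


def clear_maintenance(wp_root: Path, force: bool = False, now: Optional[float] = None) -> bool:
    """Delete .maintenance if it is stale or unparsable; refuse a fresh one unless forced."""
    state, _ = maintenance_state(wp_root, now)
    if state == "absent" or (state == "active" and not force):
        return False
    (wp_root / ".maintenance").unlink()
    return True


def write_maintenance(wp_root: Path, started_at: int) -> None:
    """Write the file in the form WP_Upgrader::maintenance_mode() uses (for the demo)."""
    (wp_root / ".maintenance").write_text(f"<?php $upgrading = {started_at}; ?>")


def demo() -> dict:
    """Constructed scenarios: an empty directory, a fresh update, and a stale one."""
    now = 1_615_212_000  # fixed 'now' so the results are deterministic
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        results["absent"] = maintenance_state(root, now)
        write_maintenance(root, now - 60)
        results["fresh"] = maintenance_state(root, now)
        results["fresh_cleared"] = clear_maintenance(root, now=now)
        results["fresh_forced"] = clear_maintenance(root, force=True, now=now)
        write_maintenance(root, now - 1200)
        results["stale"] = maintenance_state(root, now)
        results["stale_cleared"] = clear_maintenance(root, now=now)
        results["after"] = maintenance_state(root, now)
    return results


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    print(maintenance_state(root), "removed:", clear_maintenance(root, force="--force" in sys.argv))
```

Run it from the WordPress root (or pass the path) over SSH; a site that is still serving the maintenance page with a stale file is exactly the situation in this post, and the script removes the file in that case without a second thought.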