Category Archives: Tech Solutions

Using MFA for Sudo Only

Passwords are weak, we know this and so often methods such as key based authentication is used for connections like SSH. However once SSH’d in to the system using a password to elevate to root seems like a weak point just where you want to be more secure.

# sudo apt-get install libpam-google-authenticator
# sudo google-authenticator

This will then prompt you with a number of choices. The first you should answer yes to enable TOTP.

To enable MFA codes to be used for authentication for sudo add the following line to /etc/pam.d/sudo just before the @ includes.

# nano /etc/pam.d/sudo
Comment out these lines:
#@include common-auth
#@include common-account
#@include common-session-noninteractive

And add these
auth       required pam_google_authenticator.so nullok
auth       required pam_permit.so

Once set up and tested you can disable the password on your account using

# passwd -l

Make sure you think thru the possible scenarios for using this technology and securely take a copy of your backup keys incase you lose your MFA device etc.

You can remove the nullok once all users have been set up with a secret key via google-authenticator

woman draw a light bulb in white board

Finally Solved – Nextcloud SMB Not Working on Ubuntu 20.04

After banging my head against this problem from a different server, as WSL is not there yet for running as personal production services, I finally managed to hit the right keywords to google fu the answer. php-smbclient has been dropped from the officially repositories and so can only be installed via a PPA.

Installing using the following commands finally sorted it for me, credit to Markus (linked below for this solution)

echo "deb http://ppa.launchpad.net/ondrej/php/ubuntu $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/php.list
apt-key adv --recv-keys --keyserver hkps://keyserver.ubuntu.com:443 4F4EA0AAE5267A6C        
apt-get update && apt-get install php-smbclient
phpenmod smbclient
service apache2 restart 


https://markus-blog.de/index.php/2020/06/10/how-to-install-nextcloud-19-on-ubuntu-20-04-with-postgresql-12-php7-4-fpm-apache2-and-http-2/

Checking an Certificate Chain

Use the following one liner to check the a certificate chain in detail:

openssl crl2pkcs7 -nocrl -certfile chained.crt | openssl pkcs7 -print_certs -text -noout | less

Use this command to produce a simple list of the chain in order:

echo "" | openssl s_client -connect www.google.com:443 2>&1 | grep -A 6 "Certificate chain"

#If your testing a local server which is listening on the same port for different headers use this:
echo "" | openssl s_client -connect 172.217.169.4:443 -servername www.google.com 2>&1 | grep -A 6 "Certificate chain"

Solved: RKHunter Useful information in emails

I was trying to get this working by configuring the MAIL_CMD like so: echo -e “Subject: [rkhunter] Warnings found for ${HOST_NAME}\n\n” $(egrep -x “^\[.*\] Warning:.*” /var/log/rkhunter.log) | sendmail
It works but included a little extra part of the egrep command for some reason.

I couldn’t get around this but then I remembered we were going to be calling this using cronic ( https://habilis.net/cronic/ )
So I just changed my crontab to: cronic rkhunter –check –rwo –no-mail-on-warning
Now I get the warnings in a beautiful emails like so: ============================================

Cronic detected failure or error output for the command:
rkhunter –check –rwo –no-mail-on-warning

RESULT CODE: 1

ERROR OUTPUT:

STANDARD OUTPUT:
Warning: The file properties have changed:
         File: /usr/bin/mail
         Current inode: 18331    Stored inode: 18308
         Current file modification time: 1574699160 (25-Nov-2019 16:26:00)
         Stored file modification time : 1574686593 (25-Nov-2019 12:56:33)
Warning: The file properties have changed:
         File: /usr/bin/mail.mailutils
         Current inode: 18320    Stored inode: 18297

START TIME: Mon Nov 25 16:28:01 UTC 2019
END TIME:   Mon Nov 25 16:28:34 UTC 2019

=========================================

blur bright business codes

Running Byobu by Default on Zsh

To make Byobu default on your local machine

Byobu-enable only currently modifies your .bashrc and .bash_profile, to get byobu launching by default with Zsh you need to follow these instruction

Add the following line to the bottom of your ~/.zshrc
_byobu_sourced=1 . /usr/bin/byobu-launch 2>/dev/null || true

To make Byobu default when SSH’ing into a machine

Add the same line to the bottom of ~/.zprofile

Update: I’ve not been able to get this working on AWS. I’m using Ubuntu… anyone got any additional tips

linux tux penguin logo

Favourite Linux CLI Tools

This will be a continually updated list of my favourite Linux CLI tools

  • ZSH with OhMyZsh installed
  • Disk Usage
    • NCurses Disk Usage – CLI graphical and browseable disk space explorer.
    • sudo apt install ncdu
    • Can also write output to a file to explore at a different time to scanning the disk
  • Text Editor
  • Shell Management
    • Byobu
    • Absolutely love how easy this makes running a complex multi-pane, multi-window set up. Makes my life a lot easier and more productive