Server security is one of those topics with a lot of different opinions flying around. How secure do you want to be? It really comes down to how much you are willing to inconvenience your users (and yourself). While there are many ways to secure a server, this article focuses on one implementation that I think is a nice cross between convenience and security. For a more in-depth view of server security, I would recommend Racker Hacker's Blog.
This post, however, is about configuring PPP-PAM.
What is PPP, PPP-Pam and why should I care?
PPP, or Perfect Paper Passwords, is a one-time password scheme, similar in spirit to RSA SecurID tokens but with the passcodes printed on a paper card. It was developed by the Gibson Research Corporation, and you can read more about it on their site. PPP-PAM, as the name implies, is a Pluggable Authentication Module that brings PPP into PAM. A lot of services use PAM, notably SSH.
This gives you an extra layer of security while only mildly inconveniencing your users: a guessed, phished or reused password is no longer enough to log in, because the attacker also needs the next unused passcode from the user's card. In combination with other good practices such as disabling root login, this lets your server happily do its thing with far less worry about being compromised.
So how do I set it up? What do I need?
PPP-PAM seems to have had very little work done on it, and the version is labeled 0.2, so it's technically beta. However, I haven't had any problems with it once installed, and it's a cheaper solution than implementing RSA SecurID.
First things first, let's get the things we need to get started.
This assumes an Ubuntu server, as I like Ubuntu. Equivalent packages should exist in the Red Hat/CentOS/Fedora repositories as well.
Install our packages:
# aptitude install make gcc g++ libc6-dev uuid-dev libpam0g-dev
And next we need to download PPP-Pam.
# wget http://ppp-pam.googlecode.com/files/ppp-pam-0.2.tar.gz
Extract the tarball and change to the directory.
# tar -xvf ppp-pam-0.2.tar.gz
# cd ppp-pam
Now you can try running the configure script and make. Mine would not build until I modified the Makefile, but try the straightforward route first:
./configure
make
make test
make install
If this fails (more than likely with an error about -fPIC after the "make" step: the linker refuses to build the shared object pam_ppp.so from object files that were not compiled as position-independent code, which is common on 64-bit hosts), you will need to modify the Makefile:
make clean
vim Makefile
In this file search for CFLAGS and change the MYCFLAGS line to have -fPIC on the end of it, like this:
MYCFLAGS = -I./$(srcdir)/rijndael -I./$(srcdir)/sha2 -I./$(srcdir)/mpi \
           -Wall -O3 -funsigned-char -fPIC
Now that we've done that, we can finish building and installing:
make
make test
make install
Now PPP-PAM is installed, but not quite configured. First we need to tell PAM to use it for SSH:
vim /etc/pam.d/sshd
Find the @include common-auth line and add the pam_ppp.so line directly after it, so the password is checked first and the passcode second:
@include common-auth
auth required pam_ppp.so
With the required control flag a wrong passcode still lets the rest of the stack run, but the login as a whole fails, so a user who mistypes one prompt is not told which of the two was wrong.
Next, in your /etc/ssh/sshd_config, make sure the following options are set to yes:
ChallengeResponseAuthentication yes
UsePAM yes
ChallengeResponseAuthentication is what lets sshd carry a multi-prompt PAM conversation (keyboard-interactive) to the client; without it the passcode prompt never reaches the user. Two caveats: users who log in with SSH public keys are authenticated by sshd itself and never go through the PAM auth stack, so they will not be asked for a passcode, and plain PasswordAuthentication was not designed to carry a second prompt, so consider setting PasswordAuthentication no to force clients onto keyboard-interactive and avoid confusing failures.
You will need to restart SSHD with
service ssh restart
Restarting sshd does not drop sessions that are already established, so the SSH session you are working in survives the restart.
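The configuration above is easy to get subtly wrong (a keyword missing, pam_ppp.so on the wrong side of common-auth, an optional control flag), so here is an added example, not code from the post or the PPP-PAM project, that audits both files for the settings this post relies on. The sshd_config and pam.d snippets in it are constructed to show a weak configuration beside the corrected one, and the values it assumes for absent keywords are an assumption to be checked against the sshd_config(5) of your OpenSSH release.

```python
"""Audit sshd_config and /etc/pam.d/sshd for the PPP-PAM second factor.

Added example, not code from the post or the PPP-PAM project. The config
snippets below are constructed (a weak one and the corrected one); the set of
checks and the defaults assumed for absent keywords are this example's choices.
"""
import re

# Assumed value when the keyword is absent from sshd_config (assumption: check
# sshd_config(5) for your OpenSSH version, newer releases changed some of these).
SSHD_DEFAULTS = {
    "usepam": "no",
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
}

# "auth  [success=1 default=ignore]  pam_unix.so" or "auth required pam_ppp.so"
PAM_LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_sshd_config(text):
    """Map lowercase keyword -> value for the global section of sshd_config.

    sshd keeps the first value it reads for a keyword, and directives after the
    first 'Match' block apply only to matching connections, so both are honoured.
    """
    settings = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            settings[key] = value
    return settings


def parse_pam_auth(text):
    """Return the auth stack of a pam.d file in order: ('include', name) or
    ('auth', control, module). Other module types are skipped."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            stack.append(("include", line.split()[1]))
            continue
        m = PAM_LINE_RE.match(line)
        if m and m.group(1).lower() == "auth":
            stack.append(("auth", m.group(2), m.group(3)))
    return stack


def audit(sshd_text, pam_text):
    """Return a list of findings; an empty list means the setup from the post is in place."""
    findings = []
    cfg = parse_sshd_config(sshd_text)
    if cfg["usepam"].lower() != "yes":
        findings.append("UsePAM is not yes: sshd will not run the PAM auth stack at all")
    if cfg["challengeresponseauthentication"].lower() != "yes":
        findings.append("ChallengeResponseAuthentication is not yes: the passcode prompt cannot reach the client")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin is not no")
    if cfg["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication is yes: set it to no so clients use keyboard-interactive")

    stack = parse_pam_auth(pam_text)
    ppp = [i for i, e in enumerate(stack) if e[0] == "auth" and e[2].endswith("pam_ppp.so")]
    if not ppp:
        findings.append("pam_ppp.so is missing from the auth stack of /etc/pam.d/sshd")
    else:
        control = stack[ppp[0]][1]
        if control not in ("required", "requisite"):
            findings.append(f"pam_ppp.so control is '{control}': use required so a wrong passcode rejects the login")
        if ("include", "common-auth") in stack and stack.index(("include", "common-auth")) > ppp[0]:
            findings.append("pam_ppp.so is listed before @include common-auth: the passcode is asked before the password")
    return findings


# Constructed sample files: a stock-looking configuration and the corrected one.
WEAK_SSHD = "Port 22\nPermitRootLogin yes\nChallengeResponseAuthentication no  # stock\nUsePAM yes\n"
WEAK_PAM = "@include common-auth\naccount required pam_nologin.so\n"
GOOD_SSHD = "Port 22\nPermitRootLogin no\nChallengeResponseAuthentication yes\nPasswordAuthentication no\nUsePAM yes\n"
GOOD_PAM = "@include common-auth\nauth required pam_ppp.so\naccount required pam_nologin.so\n"

if __name__ == "__main__":
    with open("/etc/ssh/sshd_config") as f, open("/etc/pam.d/sshd") as g:
        for finding in audit(f.read(), g.read()) or ["no findings"]:
            print(finding)
```

Run as a script it reads the live files; the constructed WEAK_* pair produces four findings (challenge-response off, root login allowed, password authentication left on, no pam_ppp.so) and the GOOD_* pair none. Only the global section is audited: if your sshd_config uses Match blocks, review those separately.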
Now we're almost done. Each user needs to generate their own sequence key and print their first card of passcodes, so run the following as that user:
$ pppauth --key
$ pppauth --text -next 1
The second command will output a card of passcodes, similar to this:
Nginx-test [1]
        A    B    C    D    E    F    G
 1: ZWxF cXDN Fm6: Dc+h X!ep rk7i sZmG
 2: %id= U7M% Lu?k 9KsJ f7b= vs+t Tj%P
 3: xnT6 LwD@ VRH8 RNJZ GV9V +m:6 t3jC
 4: U:ts EdBd Y2mn VPcr PnUD qDoR UzJX
 5: %r4v LGHS 2Mmp ng=x @6!r :32C 6DG:
 6: 9z=+ PC5h G=3p NNt7 rw38 BzW% PRmA
 7: @YvP yDew vDKb gaeP UsJf G?+% L2pa
 8: fkHY L72# YMmb G?SA PBB+ owvv oZ4d
 9: J=V! #6JF xr5N tX=+ :R!o ts5G ZSJ6
10: HN7z 965Y kx2J @4hj ?9jy h@qi RDqZ
Treat the printed card like a password: anyone who has it, plus the account password, can log in, so print it, keep it with you and do not leave it lying around in terminal scrollback or a mail folder.
Now we'll test it. Open a SECOND ssh client/window and leave the first one open until you are 100% positive everything works. Otherwise you might be poking around a console trying to revert changes or, at worst, rebuilding the server.
dewey@dewey-desktop:~$ ssh testuser@nginx.failverse.com
Password:
Passcode 1B [1]:
In this case it wanted the code "cXDN" as the one-time password: the prompt "Passcode 1B [1]" names row 1, column B of card 1, which is the table printed above. With this in place, alongside other common practices such as not allowing root login and tools like fail2ban, your server will be much more resilient to people you'd much rather not have on your system.
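To make the prompt and card semantics concrete, here is an added example (not code from the post or the PPP-PAM project) that parses the card printed above, turns a sequential position into the "Passcode 1B [1]" style label, and checks a submitted passcode as a one-time value. Its counter handling (advance only on success, never accept the same position twice, compare in constant time) is a simplified model of sequential one-time-passcode checking, not PPP-PAM's actual bookkeeping, and a real module would persist the per-user counter.

```python
"""Parse a pppauth --text card and check passcodes as one-time values.

Added example, not code from the post or the PPP-PAM project. The card text
is the sample card printed in the post; the verifier is a simplified model of
sequential one-time-passcode checking, not PPP-PAM's actual bookkeeping, and
the per-user counter would have to be persisted in a real module.
"""
import hmac
import re

COLUMNS = "ABCDEFG"   # a PPP card has 7 columns, A to G
ROWS = 10             # and 10 rows

# Sample card from the post: card number 1 for the "Nginx-test" user.
CARD_TEXT = """\
Nginx-test [1]
        A    B    C    D    E    F    G
 1: ZWxF cXDN Fm6: Dc+h X!ep rk7i sZmG
 2: %id= U7M% Lu?k 9KsJ f7b= vs+t Tj%P
 3: xnT6 LwD@ VRH8 RNJZ GV9V +m:6 t3jC
 4: U:ts EdBd Y2mn VPcr PnUD qDoR UzJX
 5: %r4v LGHS 2Mmp ng=x @6!r :32C 6DG:
 6: 9z=+ PC5h G=3p NNt7 rw38 BzW% PRmA
 7: @YvP yDew vDKb gaeP UsJf G?+% L2pa
 8: fkHY L72# YMmb G?SA PBB+ owvv oZ4d
 9: J=V! #6JF xr5N tX=+ :R!o ts5G ZSJ6
10: HN7z 965Y kx2J @4hj ?9jy h@qi RDqZ
"""

TITLE_RE = re.compile(r"^(.*?)\s*\[(\d+)\]\s*$")   # "Nginx-test [1]"
ROW_RE = re.compile(r"^\s*(\d+):\s+(.*)$")          # " 1: ZWxF cXDN ..."


def parse_card(text):
    """Return (card_number, {(row, column): passcode}) for a printed card."""
    lines = text.strip().splitlines()
    m = TITLE_RE.match(lines[0])
    if not m:
        raise ValueError("first line must be 'title [card number]'")
    card_no = int(m.group(2))
    codes = {}
    for line in lines[1:]:
        rm = ROW_RE.match(line)
        if not rm:
            continue                     # the A..G column header
        row = int(rm.group(1))
        cells = rm.group(2).split()
        if len(cells) != len(COLUMNS):
            raise ValueError(f"row {row}: expected {len(COLUMNS)} passcodes, got {len(cells)}")
        for col, code in zip(COLUMNS, cells):
            codes[(row, col)] = code
    if len(codes) != ROWS * len(COLUMNS):
        raise ValueError(f"card has {len(codes)} passcodes, expected {ROWS * len(COLUMNS)}")
    return card_no, codes


def position(index):
    """Map a 0-based sequential index to its (row, column) label, row-major."""
    if not 0 <= index < ROWS * len(COLUMNS):
        raise IndexError("card exhausted: print the next card")
    return index // len(COLUMNS) + 1, COLUMNS[index % len(COLUMNS)]


class CardVerifier:
    """Each passcode is valid exactly once, in card order."""

    def __init__(self, card_text, next_index=0):
        self.card_no, self.codes = parse_card(card_text)
        self.next_index = next_index     # how many passcodes are already used up

    def prompt(self):
        """The prompt the user sees, e.g. 'Passcode 1B [1]' (row 1, column B, card 1)."""
        row, col = position(self.next_index)
        return f"Passcode {row}{col} [{self.card_no}]"

    def verify(self, submitted):
        """True (and advance) if submitted matches the expected passcode, else False."""
        row, col = position(self.next_index)
        expected = self.codes[(row, col)]
        # Constant-time comparison: a timing difference on a 4-character code
        # would let an attacker confirm one character at a time.
        ok = hmac.compare_digest(expected.encode(), submitted.encode())
        if ok:
            self.next_index += 1         # consumed: replaying it now fails
        return ok


if __name__ == "__main__":
    v = CardVerifier(CARD_TEXT, next_index=1)   # 1A already used, as in the post
    print(v.prompt(), "->", v.verify("cXDN"))   # the login shown in the post
    print(v.prompt(), "->", v.verify("cXDN"))   # same code again is rejected
```

Starting the counter at 1 reproduces the "Passcode 1B [1]" prompt from the session above; after "cXDN" is accepted the next prompt moves on to 1C, and submitting "cXDN" a second time fails, which is the whole point of a one-time password.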
Nice one dude, I’ll give that a shot on our CentOS servers at work next week. 😀