
Monday, June 27, 2011

BackupPC client quickstart with improved security

To embellish and improve upon http://backuppc.sourceforge.net/faq/ssh.html#how_can_client_access_as_root_be_avoided I've been using the following procedure:


  1. Add the 'mybackuppc' user to the machine that is being backed up. I avoid using "backuppc" as the username so that a dictionary attack on common usernames does not hit it. Then create an SSH key pair on the client as the 'mybackuppc' user (do not enter a passphrase):
    useradd mybackuppc -c "Backup User"
    su - mybackuppc
    ssh-keygen -t rsa
    exit

  2. Add the 'mybackuppc' user to the client's sudoers file using visudo, giving it passwordless sudo rights for rsync in server mode only, as follows:
    mybackuppc ALL=(ALL) NOPASSWD: /usr/bin/rsync --server *
    Defaults:mybackuppc !requiretty

  3. Copy the 'backuppc' user's public key from the backup server (/var/lib/backuppc/.ssh/id_rsa.pub) to the mybackuppc user's authorized keys file on the client (/home/mybackuppc/.ssh/authorized_keys).


  4. SSH from the BackupPC server to the client once as the backuppc user (su - backuppc; ssh -l mybackuppc $host) to get the client's RSA host key into the backup server's /var/lib/backuppc/.ssh/known_hosts file:
    bash-3.2$ /usr/bin/ssh -l mybackuppc client-host
    The authenticity of host 'client-host (x.x.x.x)' can't be established.
    RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'client-host, x.x.x.x' (RSA) to the list of known hosts.
    [mybackuppc@client-host ~]$ exit
    logout

    Connection to client-host closed.


  5. Use the BackupPC web interface to add a new host. Notice in the comments at the bottom of that page that you can easily copy an existing host, or just add one from scratch with the defaults. You don't have to use a valid name resolvable via DNS if you make sure the name is in /etc/hosts on the backup server. Alternatively, you could create a config file on the backup server in /etc/BackupPC/pc/ and then add the host to the /etc/BackupPC/hosts file.


  6. Use the BackupPC server's web interface to initiate a full backup of the new client machine.
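Steps 1 to 3 of the client-side setup as a script, added here as an example (not code from the original post or from BackupPC). It assumes /etc/sudoers.d is included by /etc/sudoers and that SERVER_IP and SERVER_PUBKEY (hypothetical variable names) carry the backup server's address and the contents of its id_rsa.pub; the authorized_keys entry goes beyond the page by restricting the key to that address with no forwarding and no pty.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-3 of the client-side
# setup as a script. Assumed/hypothetical: /etc/sudoers.d is included by
# /etc/sudoers, and SERVER_IP / SERVER_PUBKEY are environment variables
# carrying the backup server's address and the contents of its id_rsa.pub.
BACKUP_USER="mybackuppc"

# Step 2: the sudoers rule (passwordless rsync --server only, no tty needed).
sudoers_rule() {
    printf '%s ALL=(ALL) NOPASSWD: /usr/bin/rsync --server *\n' "$1"
    printf 'Defaults:%s !requiretty\n' "$1"
}

# Step 3: the authorized_keys entry for the server's key. Beyond the original
# page, the key is restricted: usable only from the backup server's address,
# with no forwarding and no pty, so a key copied off the server is not a
# general-purpose login.
authorized_key_line() {
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# Apply everything to the live system (root required). Only runs when the
# script is invoked as: ./setup.sh apply
apply_client_setup() {
    user="$1" server_ip="$2" pubkey="$3"
    # Step 1: create the backup user if it does not exist yet
    id "$user" >/dev/null 2>&1 || useradd -m -c "Backup User" "$user"
    # Step 2: write the rule to a temp file and let visudo validate it before
    # it is installed; a syntax error in sudoers can lock everyone out of sudo
    tmp=$(mktemp)
    sudoers_rule "$user" > "$tmp"
    visudo -cf "$tmp" && install -m 0440 "$tmp" "/etc/sudoers.d/$user"
    rm -f "$tmp"
    # Step 3: install the server's key with strict ownership and permissions
    home=$(getent passwd "$user" | cut -d: -f6)
    install -d -m 0700 -o "$user" -g "$user" "$home/.ssh"
    authorized_key_line "$server_ip" "$pubkey" >> "$home/.ssh/authorized_keys"
    chown "$user:$user" "$home/.ssh/authorized_keys"
    chmod 0600 "$home/.ssh/authorized_keys"
}

if [ "${1:-}" = "apply" ]; then
    apply_client_setup "$BACKUP_USER" "$SERVER_IP" "$SERVER_PUBKEY"
fi
```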


Site to Site VPN Worksheet

Periodically I find myself working with another party to establish a LAN to LAN, or Site to Site, IPSEC VPN tunnel and there are various parameters which must be agreed upon.  I have found that exchanging a VPN worksheet ahead of time helps both parties think through the process better and speeds up the VPN configuration.  This is preferable under all scenarios, but especially when one or more parties are paying by the hour to have someone configure it for them.  Feel free to download, alter and use it as you see fit:

https://docs.google.com/leaf?id=0Bw0IToZ5AnXTMjAzMzJiYmEtOWRjOC00OTY0LTg4ZjUtYzk4ZTk4MjViNTEx&hl=en_US&authkey=CMbmnecO

Cisco ASA Remote Access VPN for IPSEC client

Here's a basic template for a Remote Access VPN using the Cisco IPSEC VPN client. It includes a pool for address assignment and an ACL giving remote clients access to a few RDP servers. It also features a PPPoE dialer for the WAN interface.

interface Vlan1
 description LAN
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 description OUTSIDE
 nameif outside
 security-level 0
 ip address pppoe setroute
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object-group network remoteVPNGroup
 network-object 172.16.0.0 255.255.255.0
object-group network insideNetworks
 network-object 10.0.0.0 255.255.255.0
object-group network RDP-Servers
 network-object host 10.0.0.6
 network-object host 10.0.0.14
!
access-list inside_nat0_outbound extended permit ip object-group RDP-Servers object-group remoteVPNGroup
!
ip local pool RAGenPool 172.16.0.2-172.16.0.30 mask 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
!
crypto isakmp policy n
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
!
group-policy RAGeneral internal
group-policy RAGeneral attributes
 vpn-tunnel-protocol IPSec
 group-lock value RAGeneral
 split-tunnel-policy tunnelall
 address-pools value RAGenPool
!
username testuser password ************** encrypted
username testuser attributes
 vpn-group-policy RAGeneral
 group-lock value RAGeneral
username superadmin password ********** encrypted privilege 15
!
tunnel-group RAGeneral type ipsec-ra
tunnel-group RAGeneral general-attributes
 address-pool RAGenPool
 default-group-policy RAGeneral
tunnel-group RAGeneral ipsec-attributes
 pre-shared-key * 
!
vpdn group PPPOE-WAN request dialout pppoe
vpdn group PPPOE-WAN localname my_ppp_username
vpdn group PPPOE-WAN ppp authentication pap
vpdn username my_ppp_username password *********
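An added example (not part of the original post or any Cisco tooling): a small awk-based audit that reads an ASA config like the template above on stdin and flags the legacy IKEv1/IPsec choices in it (3DES, SHA-1/MD5 HMACs, DH groups below 2048 bits, long phase-1 lifetimes). The sample config embedded below is a constructed excerpt mirroring the template's crypto lines.

```shell
#!/bin/sh
# Added example, not from the original post: audit the IKEv1/IPsec settings
# of an ASA config. Reads the config on stdin, prints one finding per line
# and exits 1 if anything was flagged.
audit_asa_crypto() {
    awk '
        function flag(msg) { findings++; print msg }
        # Phase 1 (isakmp policy) sub-commands: leading space, keyword, value
        $1 == "encryption" && ($2 == "3des" || $2 == "des") {
            flag("isakmp policy: encryption " $2 " is deprecated, use aes-256") }
        $1 == "hash" && ($2 == "sha" || $2 == "md5") {
            flag("isakmp policy: hash " $2 " is SHA-1/MD5 based") }
        $1 == "group" && ($2 == "1" || $2 == "2" || $2 == "5") {
            flag("isakmp policy: DH group " $2 " is below 2048 bits, use group 14 or larger") }
        $1 == "lifetime" && $2 + 0 > 86400 {
            flag("isakmp policy: lifetime " $2 "s exceeds one day") }
        # Phase 2: check every transform named on the transform-set line
        $1 == "crypto" && $2 == "ipsec" && $3 == "transform-set" {
            for (i = 5; i <= NF; i++) {
                if ($i == "esp-3des" || $i == "esp-des")
                    flag("transform-set " $4 ": " $i " is deprecated, use esp-aes-256")
                if ($i == "esp-sha-hmac" || $i == "esp-md5-hmac")
                    flag("transform-set " $4 ": " $i " is SHA-1/MD5 based")
            }
        }
        END { exit (findings > 0) }
    '
}

# Constructed excerpt mirroring the template's crypto lines (sample input).
SAMPLE_CONFIG='crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200'

# Number of findings for the sample: 5 (two come from the transform-set line).
count_findings() {
    printf '%s\n' "$SAMPLE_CONFIG" | audit_asa_crypto | wc -l | tr -d ' '
}

if printf '%s\n' "$SAMPLE_CONFIG" | audit_asa_crypto; then
    echo "no legacy crypto settings found"
else
    echo "legacy crypto settings found, see findings above"
fi
```

On a running firewall the same check can be fed from a saved `show running-config` instead of the embedded sample.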