OpenVPN: configure 2FA with Google Authenticator

 Fonte: https://binsec.wiki/en/security/howto/protect-hardening/authorization-and-authentication/openvpn-configure-2fa-google-authenticator/

This article explains how to configure 2FA (two factor authentication) for OpenVPN via the google authenticator PAM plugin. The configuration example below is done on a Debian bullseye Server. If you do this on a remote connection, you should have backup access to the server if something goes wrong during configuration.

Install libpam-google-authenticator on the server

After installing and configuring openvpn in general, install the package libpam-google-authenticator:

sudo apt install libpam-google-authenticator

Create a OpenVPN specific PAM configuration:

cat /etc/pam.d/openvpn < EOF
@include common-account
auth required pam_google_authenticator.so
EOF

This configuration will enable the google authenticator PAM module for the OpenVPN daemon.

In the OpenVPN configuration the following line has to be added:

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

Configure google-authenticator for a user

To enable the google authenticator for the VPN user, the user has to run google-authenticator on the server. The following questions during configuration setup should be answered according to your needs.

google-authenticator

Do you want authentication tokens to be time-based (y/n) y

<QRCODE>

Your new secret key is: <secret>
Your verification code is: <number>
Your emergency scratch codes are:
  <number>
  ....
Do you want me to update your "/home/user/.google_authenticator" file? (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

y default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

Connect google authenticator on your smartphone

The QR-Code can now be scanned by a mobile app like Google Authenticator or similar applications on your smart phone. If a YubiKey is available, the Yubico Authenticator could also be used.

The emergency codes should be stored on a safe place e.g. a password manager like pass. They could be used to access the VPN if the access to the 2FA device get's lost.

Updating openvpn client config for google authenticator

In the openvpn client configuration, the following line has to be added:

auth-user-pass

With this line, the openvpn client will ask for a additional password before the connection is established. Now you can enter the 6 digit code on your smartphone app.

Continue reading →

How to Install KVM on Ubuntu 22.04 (Jammy Jellyfish)

 Fonte: https://www.linuxtechi.com/how-to-install-kvm-on-ubuntu-22-04/

KVM, an acronym for Kernel-based Virtual Machine is an opensource virtualization technology integrated into the Linux kernel. It’s a type 1 (bare metal ) hypervisor that enables the kernel to act as a bare-metal hypervisor.

KVM allows users to create and run multiple guest machines which can be either Windows or Linux. Each guest machine runs independently of other virtual machines and the underlying OS ( host system ) and has its own computing resources such as CPU, RAM, network interfaces, and storage to mention a few.

This guide shows you how to install KVM on Ubuntu 22.04 LTS (Jammy Jellyfish). At the tail end of this guide, we will demonstrate how you can create a virtual machine once the installation of KVM is complete.

1) Update Ubuntu 22.04

To get off the ground, launch the terminal and update your local package index as follows.

$ sudo apt update

2) Check if Virtualization is enabled

Before you proceed any further, you need to check if your CPU supports KVM virtualization. For this to be possible, your system needs to either have a VT-x( vmx ) Intel processor or an AMD-V (svm) processor.

This is achieved by running the following command. if the output is greater than 0, then virtualization is enabled. Otherwise, virtualization is disabled and you need to enable it.

$ egrep -c '(vmx|svm)' /proc/cpuinfo

From the above output, you can deduce that virtualization is enabled since the result printed is greater than 0. If Virtualization is not enabled, be sure to enable the virtualization feature in your system’s BIOS settings.

In addition, you can verify if KVM virtualization is enabled by running the following command:

$ kvm-ok

For this to work, you need to have installed the cpu-checker package, otherwise, you will bump into the error ‘Command ‘kvm-ok’ not found’.

Directly below, you will get instructions on how to resolve this issue, and that is to install the cpu-checker package.

Therefore, install the cpu-checker package as follows.

$ sudo apt install -y cpu-checker

Then run the kvm-ok command, and if KVM virtualization is enabled, you should get the following output.

$ kvm-ok

3) Install KVM on Ubuntu 22.04

Next, run the command below to install KVM and additional virtualization packages on Ubuntu 22.04.

$ sudo apt install -y qemu-kvm virt-manager libvirt-daemon-system virtinst libvirt-clients bridge-utils

Let us break down the packages that we are installing:

• qemu-kvm  – An opensource emulator and virtualization package that provides hardware emulation.
• virt-manager – A Qt-based graphical interface for managing virtual machines via the libvirt daemon.
• libvirt-daemon-system – A package that provides configuration files required to run the libvirt daemon.
• virtinst – A  set of command-line utilities for provisioning and modifying virtual machines.
• libvirt-clients – A set of client-side libraries and APIs for managing and controlling virtual machines & hypervisors from the command line.
• bridge-utils – A set of tools for creating and managing bridge devices.

 4) Enable the virtualization daemon (libvirtd)

With all the packages installed, enable and start the Libvirt daemon.

$ sudo systemctl enable --now libvirtd
$ sudo systemctl start libvirtd

Confirm that the virtualization daemon is running as shown.

$ sudo systemctl status libvirtd

In addition, you need to add the currently logged-in user to the kvm and libvirt groups so that they can create and manage virtual machines.

$ sudo usermod -aG kvm $USER
$ sudo usermod -aG libvirt $USER

The $USER environment variable points to the name of the currently logged-in user.  To apply this change, you need to log out and log back again.

5) Create Network Bridge (br0)

If you are planning to access KVM virtual machines outside from your Ubuntu 22.04 system, then you must map VM’s interface to a network bridge. Though a virtual bridge named virbr0, created automatically when KVM is installed but it is used for testing purposes.

To create a network bridge, create the file ‘01-netcfg.yaml’ with following content under the folder /etc/netplan.

$ sudo vi /etc/netplan/01-netcfg.yaml
network:
  ethernets:
    enp0s3:
      dhcp4: false
      dhcp6: false
  # add configuration for bridge interface
  bridges:
    br0:
      interfaces: [enp0s3]
      dhcp4: false
      addresses: [192.168.1.162/24]
      macaddress: 08:00:27:4b:1d:45
      routes:
        - to: default
          via: 192.168.1.1
          metric: 100
      nameservers:
        addresses: [4.2.2.2]
      parameters:
        stp: false
      dhcp6: false
  version: 2

save and exit the file.

Note: These details as per my setup, so replace the IP address entries, interface name and mac address as per your setup.

To apply above change, run ‘netplan apply’

$ sudo netplan apply

Verify the network bridge ‘br0’, run below ip command

$ ip add show

6) Launch KVM Virtual Machines Manager

With KVM installed, you can begin creating your virtual machines using the virt-manager GUI tool. To get started, use the GNOME search utility and search for ‘Virtual machine Manager’.

Click on the icon that pops up.

This launches the Virtual Machine Manager Interface.

Click on “File” then select “New Virtual Machine”. Alternatively, you can click on the button shown.

This pops open the virtual machine installation wizard which presents you with the following four options:

• Local install Media ( ISO image or CDROM )
• Network Install ( HTTP, HTTPS, and FTP )
• Import existing disk image
• Manual Install

In this guide, we have downloaded a Debian 11 ISO image, and therefore, if you have an ISO image, select the first option and click ‘Forward’.

In the next step, click ‘Browse’ to navigate to the location of the ISO image,

In the next window, click ‘Browse local’ in order to select the ISO image from the local directories on your Linux PC.

As demonstrated below, we have selected the Debian 11 ISO image. Then click ‘Open’

Once the ISO image is selected, click ‘Forward’ to proceed to the next step.

Next, define the RAM and the number of CPU cores for your virtual machine and click ‘Forward’.

In the next step, define the disk space for your virtual machine and click ‘Forward’.

To associate virtual machine’s nic to network bridge, click on ‘Network selection’ and choose br0 bridge.

Finally, click ‘Finish’ to wind up setting the virtual machine.

Shortly afterward, the virtual machine creation will get underway.

Once completed, the virtual machine will start with the OS installer displayed. Below is the Debian 11 installer listing the options for installation. From here, you can proceed to install your preferred system.

Conclusion

And that’s it. In this guide, we have demonstrated how you can install the KVM hypervisor on Ubuntu 22.04. Your feedback on this guide is much welcome.

Continue reading →

PIHOLE-EXPORTER INSTALL

 fonte: https://jarrodstech.net/how-to-pihole-exporter-install-with-prometheus-and-grafana-on-ubuntu-20-04/

Releases: https://github.com/eko/pihole-exporter/releases/

 useradd --system --shell=/usr/sbin/nologin pihole_exporter

sudo mkdir /opt/pihole_exporter

mover o binario para esta pasta criada

sudo chmod -R 500 pihole_exporter/

sudo chown -R pihole_exporter:pihole_exporter pihole_exporter/

sudo nano /lib/systemd/system/pihole_exporter.service

1. Paste in the following code, replace 10.0.0.4 and xyz with your pihole IP and password.

[Unit]
Description=pihole_exporter

[Service]
ExecStart=/opt/pihole_exporter/pihole_exporter-linux-amd64 -pihole_hostname 10.0.0.4 -pihole_password xyz WorkingDirectory=/opt/pihole_exporter
Restart=always
User=pihole_exporter

[Install]
WantedBy=multi-user.target

10. Press ctrl + x and type y then enter to save the file
11. Reload the system daemon systemctl daemon-reload
12. Run the service service pihole_exporter start
13. Enable it to run at start up systemctl enable pihole_exporter
14. Lastly check the status systemctl status pihole_exporter – press q to exit this view

Continue reading →

Criando interface bridge para o virt-manager com nmcli

 Fonte: Criando interface bridge para o virt-manager com nmcli | SinergicaIT BLOG

Criando a interface bridge

o nmcli Network Manager Comand Line Interface, é p comando que faremos uso para criar e remover as interfaces bridgers

sudo nmcli connection  add type bridge ifname laboratorio1 autoconnect yes

Substitua o eth1 pela sua interface de rede que deseja fazer a bridger

sudo nmcli connection add type bridge-slave  ifname eth1  master  bridge-laboratorio1  autoconnect yes

Agora precisaremos desabilitar a Conexão cabeada 1, que está gerenciando o dispositivo eth1 para em seguida habilitar a nova conexão bridge-laboratorio1

Desabilitando a Conexão cabeada 1

nmcli connection down "Conexão cabeada 1"

Habilitando a bridge-laboratorio

nmcli connection up  "bridge-laboratorio1"

sudo systemctl  restart network-online.target

sudo systemctl  restart network.service

Caso tenha o networkd basta apenas restartá-lo

sudo systemctl  restart networkd.target

Apresentando a bridge ao virsh e virt-manager

Agora registraremos a nova interface para que seja visível durante a escolha de interfaces no virt-manager.

Este comando criará um arquivo xml chamado config-bridge.xml, contendo as informações necessárias para declarar uma interface no virsh e virt-manager.

cat <<EOF> config-bridge.xml
<network>
    <name>laboratorio1</name>
    <forward mode="bridge" />
    <bridge  name="laboratorio1" />
</network>
EOF

Os procedimentos abaixo, consistem em definir, iniciar, programar para auto iniciar durante o boot e também listar as novas interfaces

sudo virsh  net-define config-bridge.xml 

sudo virsh  net-start --network laboratorio1

sudo virsh net-autostart laboratorio1 

sudo virsh net-list --all

Continue reading →

Install Prometheus and node_exporter on Debian 11|10

 Fonte: Install Prometheus and node_exporter on Debian 11|10 | ComputingForGeeks

How To Install Prometheus on Debian 11| Debian 10 Linux?. Prometheus is a free and open source monitoring system that enables you to collect time-series data metrics from any target systems. Its web interface enables you to perform powerful queries, visualize collected data, and to configure alerts.

In this guide, we will cover the installation of Prometheus and node_exporter on Debian 11 / Debian 10. Since this is a binary installation method, there is no required dependency to continue with the setup.

Step 1: Create Prometheus system user / group

We’ll create a dedicated Prometheus system user and group. The  -r or –system option is used for this purpose.

sudo groupadd --system prometheus
sudo useradd -s /sbin/nologin --system -g prometheus prometheus

This creates a system user which doesn’t need /bin/bash shell, that’s why we used -s /sbin/nologin.

Step 2: Create configuration and data directories

Prometheus needs directories to store data and configuration files. Create all required directories using the commands below.

sudo mkdir /var/lib/prometheus
for i in rules rules.d files_sd; do sudo mkdir -p /etc/prometheus/${i}; done

Step 3: Download and Install Prometheus onDebian 11 / Debian 10

Let’s download the latest release of Prometheus archive and extract it to get binary files. You can check releases from Prometheus releases Github page.

sudo apt-get update
sudo apt-get -y install wget curl
mkdir -p /tmp/prometheus && cd /tmp/prometheus
curl -s https://api.github.com/repos/prometheus/prometheus/releases/latest|grep browser_download_url|grep linux-amd64|cut -d '"' -f 4|wget -qi -

Extract the file.

tar xvf prometheus*.tar.gz
cd prometheus*/

Move the prometheus binary files to /usr/local/bin/

Since /usr/local/bin/ is in your PATH, let’s copy binary files to it.

sudo mv prometheus promtool /usr/local/bin/

Move prometheus configuration template to /etc directory.

sudo mv prometheus.yml  /etc/prometheus/prometheus.yml

Also move consoles and console_libraries to /etc/prometheus directory:

sudo mv consoles/ console_libraries/ /etc/prometheus/
cd ~/
rm -rf /tmp/prometheus

Step 4: Create/Edit a Prometheus configuration file.

Prometheus configuration file will be located under /etc/prometheus/prometheus.yml.

cat /etc/prometheus/prometheus.yml

The default configuration file looks similar to below.

# my global config
global:
  scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
  # scrape_timeout is set to the global default (10s).

# Alertmanager configuration
alerting:
  alertmanagers:
  - static_configs:
    - targets:
      # - alertmanager:9093

# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
  # - "first_rules.yml"
  # - "second_rules.yml"

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.

    static_configs:
    - targets: ['localhost:9090']

Step 5: Create a Prometheus systemd Service unit file

To be able to manage Prometheus service with systemd, you need to explicitly define this unit file.

sudo tee /etc/systemd/system/prometheus.service<<EOF
[Unit]
Description=Prometheus
Documentation=https://prometheus.io/docs/introduction/overview/
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=prometheus
Group=prometheus
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/prometheus \
  --config.file=/etc/prometheus/prometheus.yml \
  --storage.tsdb.path=/var/lib/prometheus \
  --web.console.templates=/etc/prometheus/consoles \
  --web.console.libraries=/etc/prometheus/console_libraries \
  --web.listen-address=0.0.0.0:9090 \
  --web.external-url=

SyslogIdentifier=prometheus
Restart=always

[Install]
WantedBy=multi-user.target
EOF

Change directory permissions.

Change the ownership of these directories to Prometheus user and group.

for i in rules rules.d files_sd; do sudo chown -R prometheus:prometheus /etc/prometheus/${i}; done
for i in rules rules.d files_sd; do sudo chmod -R 775 /etc/prometheus/${i}; done
sudo chown -R prometheus:prometheus /var/lib/prometheus/

Reload systemd daemon and start the service.

sudo systemctl daemon-reload
sudo systemctl start prometheus
sudo systemctl enable prometheus

Confirm that the service is running.

$ systemctl status prometheus.service 
* prometheus.service - Prometheus
     Loaded: loaded (/etc/systemd/system/prometheus.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-05-22 23:42:43 EAT; 19s ago
       Docs: https://prometheus.io/docs/introduction/overview/
   Main PID: 5790 (prometheus)
      Tasks: 6 (limit: 9303)
     Memory: 16.5M
        CPU: 45ms
     CGroup: /system.slice/prometheus.service
             `-5790 /usr/local/bin/prometheus --config.file=/etc/prometheus/prometheus.yml --storage.tsdb.path=/var/lib/prometheus --web.console.>

May 22 23:42:43 grafana prometheus[5790]: ts=2023-05-22T20:42:43.219Z caller=tls_config.go:232 level=info component=web msg="Listening on" addres>
May 22 23:42:43 grafana prometheus[5790]: ts=2023-05-22T20:42:43.219Z caller=tls_config.go:235 level=info component=web msg="TLS is disabled." ht>
May 22 23:42:43 grafana prometheus[5790]: ts=2023-05-22T20:42:43.220Z caller=head.go:748 level=info component=tsdb msg="WAL segment loaded" segme>
May 22 23:42:43 grafana prometheus[5790]: ts=2023-05-22T20:42:43.220Z caller=head.go:785 level=info component=tsdb msg="WAL replay completed" che>
May 22 23:42:43 grafana prometheus[5790]: ts=2023-05-22T20:42:43.221Z caller=main.go:1037 level=info fs_type=EXT4_SUPER_MAGIC
May 22 23:42:43 grafana prometheus[5790]: ts=2023-05-22T20:42:43.221Z caller=main.go:1040 level=info msg="TSDB started"
May 22 23:42:43 grafana prometheus[5790]: ts=2023-05-22T20:42:43.221Z caller=main.go:1220 level=info msg="Loading configuration file" filename=/e>
May 22 23:42:43 grafana prometheus[5790]: ts=2023-05-22T20:42:43.221Z caller=main.go:1257 level=info msg="Completed loading of configuration file>
May 22 23:42:43 grafana prometheus[5790]: ts=2023-05-22T20:42:43.222Z caller=main.go:1001 level=info msg="Server is ready to receive web requests>
May 22 23:42:43 grafana prometheus[5790]: ts=2023-05-22T20:42:43.222Z caller=manager.go:995 level=info component="rule manager" msg="Starting rul>
root@grafana:~# 

Access Prometheus web interface on URL http://[ip_hostname]:9090.
Step 6: Install node_exporter onDebian 11 / Debian 10

Download node_exporter archive.

curl -s https://api.github.com/repos/prometheus/node_exporter/releases/latest| grep browser_download_url|grep linux-amd64|cut -d '"' -f 4|wget -qi -

Extract downloaded file and move the binary file to /usr/local/bin.

tar -xvf node_exporter*.tar.gz
cd  node_exporter*/
sudo cp node_exporter /usr/local/bin
cd

Confirm installation.

$ node_exporter --version
node_exporter, version 1.5.0 (branch: HEAD, revision: 1b48970ffcf5630534fb00bb0687d73c66d1c959)
  build user:       root@6e7732a7b81b
  build date:       20221129-18:59:09
  go version:       go1.19.3
  platform:         linux/amd64

Create node_exporter service.

sudo tee /etc/systemd/system/node_exporter.service <<EOF
[Unit]
Description=Node Exporter
Wants=network-online.target
After=network-online.target

[Service]
User=prometheus
ExecStart=/usr/local/bin/node_exporter

[Install]
WantedBy=default.target
EOF

Reload systemd and start the service.

sudo systemctl daemon-reload
sudo systemctl start node_exporter
sudo systemctl enable node_exporter

Confirm status:

$ systemctl status node_exporter.service
* node_exporter.service - Node Exporter
     Loaded: loaded (/etc/systemd/system/node_exporter.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-05-22 23:45:06 EAT; 6s ago
   Main PID: 5872 (node_exporter)
      Tasks: 5 (limit: 9303)
     Memory: 2.2M
        CPU: 5ms
     CGroup: /system.slice/node_exporter.service
             `-5872 /usr/local/bin/node_exporter

May 22 23:45:06 grafana node_exporter[5872]: ts=2023-05-22T20:45:06.996Z caller=node_exporter.go:117 level=info collector=thermal_zone
May 22 23:45:06 grafana node_exporter[5872]: ts=2023-05-22T20:45:06.996Z caller=node_exporter.go:117 level=info collector=time
May 22 23:45:06 grafana node_exporter[5872]: ts=2023-05-22T20:45:06.996Z caller=node_exporter.go:117 level=info collector=timex
May 22 23:45:06 grafana node_exporter[5872]: ts=2023-05-22T20:45:06.996Z caller=node_exporter.go:117 level=info collector=udp_queues
May 22 23:45:06 grafana node_exporter[5872]: ts=2023-05-22T20:45:06.996Z caller=node_exporter.go:117 level=info collector=uname
May 22 23:45:06 grafana node_exporter[5872]: ts=2023-05-22T20:45:06.996Z caller=node_exporter.go:117 level=info collector=vmstat
May 22 23:45:06 grafana node_exporter[5872]: ts=2023-05-22T20:45:06.996Z caller=node_exporter.go:117 level=info collector=xfs
May 22 23:45:06 grafana node_exporter[5872]: ts=2023-05-22T20:45:06.996Z caller=node_exporter.go:117 level=info collector=zfs
May 22 23:45:06 grafana node_exporter[5872]: ts=2023-05-22T20:45:06.996Z caller=tls_config.go:232 level=info msg="Listening on" address=[::]:9100
May 22 23:45:06 grafana node_exporter[5872]: ts=2023-05-22T20:45:06.996Z caller=tls_config.go:235 level=info msg="TLS is disabled." http2=false a>

Once we confirm the service to be running, let’s add the node_exporter to the Prometheus server.

sudo vim /etc/prometheus/prometheus.yml

Add new job under scrape_config section.

scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: "prometheus"
    static_configs:
      - targets: ["localhost:9090"]
  - job_name: 'node_exporter'
    static_configs:
      - targets: ['localhost:9100']

Restart Prometheus:

sudo systemctl restart prometheus

You now have Prometheus installed onDebian 11 / Debian 10 Linux system. Check our Prometheus monitoring guides.

Continue reading →