Disable annoying features in console vim
Mouse
If you like to copy text in vim to another software, such as browser, another shell window, etc., disable Mouse VISUAL.
set mouse=
set ttymouse=Paste
To paste text into vim window, do
set pasteFix NextCloudPi Security & setup warnings
Fix NextCloudPi Security & setup warnings
Following warnings appear by default:
- No
default_phone_regionconfigured - Imagick missing in PHP
Missing default_phone_region
Add following line in nextcloud/config/config.php:
...
'default_phone_region' => 'SG',
}Restart NextCloudPi.
Imagick missing in PHP
Install php-imagick package:
# docker exec -it nextcloudpi bash
# apt install php-imagickRestart NextCloudPi.
Then new issue
Got following warning
Module php-imagick in this instance has no SVG support. For better compatibility it is recommended to install it.Then run following commands
# docker exec -it nextcloudpi bash
# apt-get install libmagickcore-6.q16-6-extraRestart NextCloudPi
References
Configuration Parameters
Imagick missing - version php 7.3
How to enable SVG for php-imagick
Split Home Network
Split Home Network
Note: Tested using KVM network only
Let's say, you want to have a network which is different than the one ISP setup for you.
Why
- You may want to have a guest network, which outside your home network for guests.
- You may want to have a network with full functional network devices, firewall, DNS server, DHCP server, etc.
- You may want to monitor the network inbound and outbound traffic.
- You may want to setup PXE, iPXE, BOOTP environment, configure DHCP options such as TFTP server, etc.
- You may want the VMs running on KVM routable network provide services to all machines, including Internet.
- You may want to have more IPs, want to have IP segments.
- You may want to have a more secure environment. In fact, if your router was setup by ISP, then they got full control of it, not you.
So, can you setup your own router to replace ISP route? Yes, you can, but you need to know whether you are allowed to do so by ISP. For my case, they asked me sign new agreement to say, service level drop and no technique support provided.
Before split
- You have a network which connect to ISP via the ISP route, which have DHCP and DNS service.
Requirement
- The ISP route can add route.
- One device or router with two network interfaces, and they are or can be on separate LAN.
Simple solution
If you have another router, let's say RouterA
- Connect WAN port of RouterA to ISP route LAN port
- Configure ISP LAN IP on RouterA's WAN port, such as 192.168.1.100,
- Make sure RouterA is in router mode, with it's own LAN, such as 192.168.100.0/24
- Add a route in ISP Route, network 192.168.100.0/24 gateway 192.168.1.10.
Done.
Difficult solution
Replace RouterA with your own home build router in the simple solution.
Enable 2FA for TrueNAS Core
Enable 2FA for TrueNAS Core
The 2FA in TrueNAS Core uses pam_oath.so module, supports Two-factor time based (TOTP) SSH authentication.
Setup
Enable 2FA
-
Go to Credentials => 2FA
-
Click on Enable Two-Factor Authentication
-
Click on Show QR, use Authy to record it. This is token for root account.
-
Save
Test GUI
Use another browser login with user name, password, and pin code (Authy generated).
Make sure it is working.
Enable SSH
-
Go to Credentials => 2FA
-
Select Enable Two-Factor Auth for SSH
-
Save
Enable root login
-
Go to System Settings => Services
-
Select Configure button, which is a pencil icon
-
Check Log in as Root with Password
-
Save
Test root login with 2FA
Use terminal
$ ssh host.example.com
Password:
One-time password (OATH) for 'root':
Linux truenas.bx.net 5.10.70+truenas #1 SMP Wed Nov 3 18:30:34 UTC 2021 x86_64Test root login successful.
Disable root login
-
Go to System Settings => Services
-
Select Configure button, which is a pencil icon
-
Uncheck Log in as Root with Password
-
Save
Setup for normal user
After enable 2FA, normal user can not login, got error in /var/log/auth.log as below:
error: PAM: User not known to the underlying authentication module for ...Use these steps to enable 2FA for user.
Note: If you lost SSH connection, the root shell can be accessed from GUI, System Settings => Shell
Generate a random code
# head -10 /dev/urandom | md5sum | cut -b 1-30
15ad027b56c81672214f4659ffb432Get oath configuration file name
The usersfile name can be found using following command:
# grep oath /etc/pam.d/sshd
auth required pam_oath.so usersfile=/etc/users.oath window=0Update /etc/users.oath
Setup the oath seed in /etc/users.oath:
HOTP/T30/6 user - 15ad027b56c81672214f4659ffb432Install oathtool
Use another linux server, such as ubuntu server:
ubuntu# apt install oathtoolI chose another server, because TrueNAS server is not fully customized debian server, better don't change it structure and packages.
Test pin code for SSH
Open another terminal, and run following command, and run second command in the linux server when prompting OATH code.
$ ssh host.example.com
Password:
One-time password (OATH) for 'user':Now, quickly run following command,
ubuntu# oathtool --totp -v 15ad027b56c81672214f4659ffb432
960776Input OATH code in SSH login terminal. The code should be accepted.
Get Base32 secret
In the previous ubuntu server, install qrencode package
ubuntu# apt install qrencodeRun following command to collect Base32 secret:
ubuntu# oathtool --totp -v 15ad027b56c81672214f4659ffb432
Hex secret: 15ad027b56c81672214f4659ffb432
Base32 secret: CWWQE62WZALHEIKPIZM77NBS
...
329770Generate QR code
qrencode -t ansiutf8 "otpauth://totp/user@host.example.com?secret=CWWQE62WZALHEIKPIZM77NBS"Save into Authy
Use Authy scan QR code, then type in TrueNAS in textbox to search icon, then save it.
Persistent change
As TrueNAS is a fully customized OS, it has startup process to regenerate /etc/users.oath file, results only root id stays.
In order to overcome this issue, create a startup command in System Settings => Advanced => Init/Shutdown Scripts, add following command:
Name: Append oath codes
When: POSTINIT
Command:
echo "HOTP/T30/6\t<user_name>\t-\t<user_code>" >> /etc/users.oathNote: There are many ways to archive this, such as backup users.oath files you created, and restore it. I just chose the most easy and maintenance free way.
TrueNAS GUI
I could not find any place to setup in TrueNAS GUI for user, and the user id I created in TrueNAS can not login to GUI at all. In fact, TrueNAS doesn't support normal user login to GUI.
Possible enhancements
There are the limitations of pam_oath.o implemenation
Only one usersfile
Only one usersfile can be specified in pam_oath.o, there are some suggestions, such as:
- Enhance source code to allow
pam_oath.oaccepts%has usersfile parameter's value to point to user's home directory.
Missing entry allowed
If the user is not in usersfile, then they can not login, this makes administrator very busy.
I like one example implementation as below:
WARNING: I didn't test the following codes which downloaed from Two-Factor Authentication with OTP (Admin Guide), just for reference.
- Create a group called
otpusers, the users are not in this group do not require 2FA. This implemented in PAM
auth [success=2 default=ignore] pam_succeed_if.so uid = 0 # skip 2 lines for root
auth [success=1 default=ignore] pam_succeed_if.so user notingroup otpusers # ignore users not yet in otpusers
auth requisite pam_oath.so usersfile=/var/security/auth/users.oath window=20 # accept one of 20 consecutive keys
(in case clocks of user and server are out of sync)
```
* Create profile script to check whether the user is in `otpusers` group, if not, create oath code and allow user save it.
*WARNING: The below script that I copied from Internet got syntax error, and I didn't test it as well.*
`/etc/profile.d/create_secret.sh`:
/bin/bash
RRZK, 2015-12-10 (CO)
OATH_FILE="/var/security/auth/users.oath"
OTPGROUP="otpusers"
ME=$(/usr/bin/whoami)
ME=${PAM_USER}
HOST=${HOSTNAME}
RET=0
/usr/bin/id -Gn ${ME}|/bin/grep ${OTPGROUP} >/dev/null 2>&1
RET=$?
if [ ! ${ME} = "root" ] && [ ${RET} -ne 0 ]; then
Disable CTRL-C
trap '' 2
/bin/echo -e "
Hello ${ME}
I will generate a TOTP (time based) OATH Secret for you...
"
generate secret
/bin/echo "... generating secret"
SECRET=$(/usr/bin/head -10 /dev/urandom | /usr/bin/sha512sum | /bin/cut -b 19-50)
generate base32 secret
/bin/echo "... generating base32 secret"
BASE32=$(/usr/bin/oathtool --totp -v ${SECRET}|/bin/grep 'Base32'|/bin/awk '{print $NF}')
generate qrcode
/bin/echo "... generating qrcode"
/usr/bin/qrencode -l H -v 1 --background=FFFFFF -o ${ME}_oath.png "otpauth://totp/${ME}@${HOST}?secret=${BASE32}"
insert secret in oath database
/bin/echo "... adding secret to oath database"
/bin/echo "... adding user to otpuser group"
TMPFILE=$(/bin/mktemp ) || exit 1
/bin/echo -e "HOTP/T30/6\t${ME}\t-\t${SECRET}" > $TMPFILE
/usr/bin/sudo -u root /usr/local/sbin/add_secret.sh ${TMPFILE} ${OTPGROUP} ${ME}
/bin/rm -f TMPFILE
/bin/echo "... finished"
echo "Secret: ${SECRET}
BASE32 Secret:${BASE32}" > ${ME}_oath.dat
/bin/echo "
Your Secret is: ${SECRET}
Your BASE32 Secret is ${BASE32}
Your QR-Code is: ${ME}_oath.png
Enter your secret in your OTP Token (enter BASE32 without the trailing '=')
or
Display this file and scan it with your OTP Token APP. (X11Forward only)
"
/bin/echo "To display your QR-Code, press
read INPUT
if [ "$INPUT" = "d" ]; then
/usr/bin/display ${ME}_oath.png
fi
logout
fi
* Then add oath code into *usersfile*.
*WARNING: The below script that I copied from Internet got syntax error, and I didn't test it as well.*
`/usr/local/sbin/add_secret.sh`:
/bin/bash
RRZK, 2015-12-10 (CO)
OATH_FILE=/var/security/auth/users.oath
TMPFILE=$1
OTPGROUP=$2
USER=$3
/bin/cat ${TMPFILE} >> ${OATH_FILE}
/usr/sbin/usermod -a -G ${OTPGROUP} ${USER}
exit 0
## References
[pam_oath](https://wiki.archlinux.org/title/Pam_oath)
[Two-factor time based (TOTP) SSH authentication with pam_oath and Google Authenticator](https://spod.cx/blog/two-factor-ssh-auth-with-pam_oath-google-authenticator.shtml)
[How to Create QR Codes From the Linux Command Line](https://www.cloudsavvyit.com/8382/how-to-create-qr-codes-from-the-linux-command-line/)
[How to generate a QR Code for Google Authenticator that correctly shows Issuer displayed above the OTP?](https://stackoverflow.com/questions/34520928/how-to-generate-a-qr-code-for-google-authenticator-that-correctly-shows-issuer-d)
[Enable user to login to webui](https://www.truenas.com/community/threads/unable-to-login-to-gui-with-non-admin-root-user.19921/)
[Two-Factor Authentication with OTP (Admin Guide)](https://hpc-wiki.info/hpc/Admin_Guide_Two-Factor_Authentication_with_OTP)
[sshd: How to enable PAM authentication for specific users under](https://serverfault.com/questions/222637/sshd-how-to-enable-pam-authentication-for-specific-users-under)Enable 2FA for Ubuntu
Enable 2FA for Ubuntu
Steps
Note: Do not logout from system before testing completed
- Installing the Google Authenticator PAM module
sudo apt install libpam-google-authenticator- Configuring SSH
Add the following line at end of /etc/pam.d/sshd file
auth required pam_google_authenticator.so- Enable Challenge Response Authentication
Modify /etc/ssh/sshd_config
ChallengeResponseAuthentication yes- Disable password authentication
Modify /etc/ssh/sshd_config
PasswordAuthentication no- Restart the sshd daemon
sudo systemctl restart sshd.serviceConfiguring authentication for user
In a terminal, run following command:
google-authenticatorAnwser using recommended configuration:
Make tokens “time-base””: yes
Update the .google_authenticator file: yes
Disallow multiple uses: yes
Increase the original generation time limit: no
Enable rate-limiting: yesUse Authy scan QR code and save it.
Testing
- Disable user authorized_keys using root account
cd ~user
mv .ssh/authorized_keys .ssh/authorized_- Connect as the user using SSH
Note: Use Authy generate Verification code.
ssh host.example.com
Password:
Verification code:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)- Enable authorized_keys
mv .ssh/authorized_ .ssh/authorized_keys- Exit
exit- Connect as the user again using SSH
$ ssh host.example.com
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-90-generic x86_64)- Test
sudo
$ sudo -i
[sudo] password for user:
#Consolution
-
Disable SSH PasswordAuthentication is not effected, password is still required.
-
Enable public key authentication using authorized_keys will disable 2FA key, this is good for service account
-
Do not configure sudo,
/etc/pam.d/sudois not modified, especially when using it for none password execution, such as running in services. -
Console access will not using 2FA, because this confiugration is for SSH.
References
Configure SSH to use two-factor authentication
How To Set Up Multi-Factor Authentication for SSH on Ubuntu 20.04
Note: This was not successful, the document is wrong at following point. I think the second publickey should not be there
AuthenticationMethods publickey,password publickey,keyboard-interactiveEnable 2FA for WordPress
Enable 2FA for WordPress
To enable 2FA for WordPress, first download the plugin. The WP 2FA can be used easily without any issue. It can select enable for all user or specific users, exceptions, and give graceful period for existing users.
References
2FA App – Authy
2FA App - Authy
There are many 2FA Apps, Microsoft, Google, Duo, etc. But I select Authy.
Pros
As an end user, I'm not the one looking at how secure a 2FA App is, it is only generating a code as expected. But I need to two major considerations as my experiences.
-
Backup - My phone was broken, then I lost all my codes, I don't even remember what they are. Very sad experience.
Yes, Authy backs up data to their own server.
-
Multiple Devices - To make sure my codes won't be lost, then they should be available via multiple locations.
Yes, Authy can be used in many devices, and can track them in devices list.
-
Offline - To make sure I got my own copy on my hand, I need it works offline.
Yes, Authy has a local copy.
-
Acceptable by others - When you hear supported by Google Authenticator, it should work.
Yes, it supports standard TOTP.
Cons
- Don't know how to remove the code from iOS App
- There is a Default device in devices list, which is quite confusing.
- How to save backup codes? No solution given.
References
Easy, 2FA for Any Account
Download Authy
8 Best Two-Factor Authentication Plugins for WordPress
Deprecating Authy for WordPress
Authy Lists an Unknown or Unrecognized Device as "Default"
Bitwarden Docker Installation
Bitwarden Docker Installation
Update: Bitwarden could not detect new and update password in browsers in most of cases. No matter how easy it can be used, without this auto detection feature, it is useless.
Bitwarden is an opensource password manager, can be self-hosted, and can be installed as docker container. It supports many browsers and OSes.
Steps
Create docker-compose.yaml
Create docker-compose.yaml, and make sure
- SIGNUPS_ALLOWED is 'true'
# docker-compose.yml
version: '3'
services:
bitwarden:
image: bitwardenrs/server
restart: always
ports:
- 8000:80
volumes:
- ./bw-data:/data
environment:
WEBSOCKET_ENABLED: 'true' # Required to use websockets
SIGNUPS_ALLOWED: 'true' # set to false to disable signupsCreate
Run following command, in the directory contains docker-compose.yaml
docker-compose up -dConfigure HTTPS in NGINX
Without HTTPS, bitwarden doesn't allow new user registration.
Add following statements in server location definition.
server {
server_name nginx_host;
listen 443 ssl;
...
location /bw {
rewrite /bw(.*) /$1 break;
proxy_pass 'http://192.168.1.222:8000';
proxy_redirect off;
proxy_set_header Host $host;
}
...
}Then the URL of bitwarden will be https://nginx_host/bw/
Register
Access https://nginx_host/bw/, and register email and password.
Disable new user creation
- Destory old bitwarden instance
docker-compose down- Update docker-compose.yaml file
SIGNUPS_ALLOWED: 'false';- Recreate instance
docker-compose up -dTrun on 2FA
In website, go to Settings => Two-step Login ...
Install clients
Go to bitwarden website to install.
References
Run Bitwarden Password Manager in Docker Container
Install and Deploy - Linux
The Best Password Managers to Secure Your Digital Life
Host your own FREE Password Manager with your Synology NAS
Install and Sync All of Your Devices
Connect Clients to your Instance
Request Hosting Installation Id & Key
NextCloud password manager – Passwords
NextCloud password manager - Passwords
NextCloud password manager, Passwords is an add-on feature of NextCloud, it can be used to save passwords.
Support
It supports Firefox, Chrome, but not Safari. It also supports iOS and Android.
It doesn\'t support OS, such as SSH.
Interface
The interface is too complex compare with other system default password saving features, not user friendly.
Pros
Have notes for password, which allows saving more info.
References
Move Docker Directory
Move Docker Directory
Docker directory is /var/lib/docker. As /var should be a system directory, and most of the files in /var are log files, security related files, etc.
Docker is a application, which contains huge container data, move /var/lib/docker to data disk should be the good practice.
Methods
The are two methods I used to move /var/lib/docker directory.
Change Docker config
In /etc/docker/daemon.json file, add following entry.
{
"data-root": "/path/to/your/docker"
}This makes the Docker implementation become non-standard, but as some other settings in this file also need to be set as well, such as Docker log file size, etc., this can be a normal practise for those system not many administrators.
Create soft link
Move /var/lib/docker to another location using mv command, then create a soft link /var/lib/docker point to new location.
This can be a simple and clear way, because system administrator can easily find the location without pre-check docker configuration, especially if predefined commands are required to be provided to others.
Drawback
For the first method, changing Docker configuration, although the non-standard configuration used, but Docker knows the location of data.
For the second method, adminstrator knows file location, but Docker doesn't know. So, if Docker likes to optimize the system, it might get wrong info.
References
How to move docker data directory to another location on Ubuntu