
Security Sysadmin Google Authenticator

Discussion in 'System Administration' started by Jimmy, Feb 6, 2017.

  1. FluxTux

    FluxTux New Member

    Sounds familiar - the latest development on my end is that I now cannot log in to the server via SSH. However, as opposed to you, I don't even get any password prompt in the shell whatsoever. The operation simply times out on the first attempt. Connection refused on the second, 5 minutes later.

    Calling the cavalry @eva2000 ... or anyone?
     
    Last edited: Oct 16, 2019
  2. eva2000

    eva2000 Administrator Staff Member

    seriously test unknown stuff on test vps servers first ;)

    If you can't access SSH, you need to hope your web host has out of band console/kvm access. Otherwise, you won't be able to SSH in anymore. Copy and paste below for lost SSH key access is basically the same for some web host providers which have out of band console access detailed below:

    Before you look into ssh key only (+disable password authentication), make sure your web host is set up with features that allow you to regain access to your server if you ever lose your ssh key's private key, and that you know how to use those features to regain access.

    If you don't know how to use those features, set up a test instance/VPS with that web host and test it out. If you're with a web host with hourly billed VPSes like Linode, DigitalOcean, and Vultr then it is relatively cheap to test out for a few hours on a test VPS.

    Here's an example text you can use to ask your web host to be sure

    There's numerous how to use ssh key login guides online, but not many go beyond that to explain what to do if you lose your ssh private key and are unable to use password logins. And that can come down to your web host and what measures they have in place i.e. out of band console access etc and recovery ISO/cds available.

    And some relevant guides with different web hosts about setting up SSH key authentication and also about recovery, as well as general need to know info.

    DigitalOcean
    Has out of band console access

    Linode
    Has out of band console access called Lish

    Vultr
    Has out of band console access

    OVH

    RamNode

    Others
     
  3. FluxTux

    FluxTux New Member

    Thanks for clarifying Eva2000.

    Just a quick followup to clarify how this issue turned out. In case other CMM newbies stray down the same path as me in order to harden their CMM setup.

    Based on my experience I'd say - don't set up TFA for the time being (unless someone can refer to a bulletproof setup procedure somewhere else?).

    This issue indeed locked me out of the server.

    To regain access I first tried to bypass it using the VPS console access via the VPS host. However, due to a mix of bad practice on my part (somehow forgot to note the root password due to RSA key usage) I was unable to log in, as my RSA key passphrase was not accepted like one could have hoped.

    Had this not been a test server I'd probably have looked into attempting VNC access as this can be activated via the VPS host panel.

    However, honestly I was unsure of how to rectify the above SSH changes to the server via a VNC client.

    So instead I decided to restart all from scratch with a new CMM server. The server I got locked out from was only 3 weeks old with only 4 domains hosted, and I got a little extra unexpected best practice out of this, setting CMM up on server 2 while improving my personal procedural notes for setup (it now states TFA? HellNo!!)

    It also allowed me to try out migrating SSL-enabled domains from the old to the new server even with CF origin pulls enabled and the whole shebang... fortunately the domain part seems to work out fine after having rectified the IP address in the A records at CF DNS settings to reflect the new server's IP.

    The domain on the new server loads up fine and the SSL cert resolves without issues. The rating on the new server is an A+ according to SSL Labs, so all is good I guess.

    My suggestion @eva2000 would be to enable a TFA setup option for server admins via CMM in order to be able to harden the server further. Somehow bet there's a reason why it has not been done thus far though (?) ;-)
     
  4. eva2000

    eva2000 Administrator Staff Member

    Problem is not all servers/VPS have out of band console/vnc/kvm console access, so if their TFA setup doesn't work for whatever reason, they won't be able to gain access. For example, if the server time/clock is out of whack, 2FA/TFA will not work. Security is nice but sometimes you need to weigh up which is worse - compromised access to the server versus total loss of access to the server :)
     
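The clock point eva2000 makes above can be shown directly. The following is an added example, not code from this thread or from Centmin Mod: it implements RFC 6238 TOTP the way Google Authenticator computes it (HMAC-SHA1, 30-second steps, 6 digits) with a constructed sample secret, and a hypothetical verify() with a +/- one-step window to show at what server clock skew a phone's current code stops being accepted.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret in base32, the form Google Authenticator stores; not a real key.
SAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30   # TOTP time step in seconds (RFC 6238 default, used by Google Authenticator)
DIGITS = 6


def totp_at(secret_b32, unix_time):
    """Return the RFC 6238 TOTP code (HMAC-SHA1, 6 digits) valid at the given Unix time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // STEP                      # both sides derive this from their own clock
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, code % 10 ** DIGITS)


def verify(secret_b32, code, server_time, window=1):
    """Hypothetical verifier: accept if the code matches any step within +/- window steps
    of the server's clock. Constant-time compare so a mismatch leaks nothing about the code."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp_at(secret_b32, server_time + delta * STEP), code):
            return True
    return False


def skew_outcomes(secret_b32, phone_time, skews, window=1):
    """For each server clock skew in seconds, report whether the phone's current code is accepted.
    The phone is taken as the reference clock; the server is ahead by `skew` seconds."""
    code = totp_at(secret_b32, phone_time)
    return {skew: verify(secret_b32, code, phone_time + skew, window) for skew in skews}


if __name__ == "__main__":
    # Constructed phone time: 10 seconds into a 30-second step.
    for skew, ok in skew_outcomes(SAMPLE_SECRET_B32, 1_600_000_000, [0, 30, 60, 300]).items():
        print("server clock ahead by %4ds -> %s" % (skew, "accepted" if ok else "REJECTED"))
```

With the default one-step window, a server clock off by only a minute already rejects every code the phone shows, which is exactly the lockout described above when no out of band console exists to fix the time.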
  5. runos

    runos Member

    Tried this and nearly got locked out myself. I had a similar issue to FluxTux. Quickly removed GA and edited sshd_config to get back to normal. Whew!

    Currently using the 6 suggested steps by eva listed here to protect root access:
    https://community.centminmod.com/threads/protect-root-user-over-ssh.7123/

    I also took the extra step to create a super user and disable root.

    That should protect me against 99% of the common ssh attacks right? :p
     
  6. eva2000

    eva2000 Administrator Staff Member

    Centmin Mod isn't fully supported for regular sudo users; it expects the full root user for the centmin.sh menu etc. So things could break with normal sudo users you created in 123.08stable. In 123.09beta01 there is post install sudo user support, somewhat experimental, but not for initial installs.

    Centmin Mod 123.09beta01 and higher have a tools/addsudousers.sh script created to properly setup sudo users for elevation to root user. You can add a new sudo user i.e. george via below commands
    Code (Text):
    cd /usr/local/src/centminmod/tools
    ./addsudousers.sh george
    

    But again it's still experimental as Centmin Mod expects full root user

    If you don't use addsudousers.sh to create your sudo users, then the centmin menu and some paths/programs and command shortcuts/aliases will break, as Centmin Mod installs some software where regular sudo created users don't have permissions to look for them, unlike if you create them via addsudousers.sh
     
  7. runos

    runos Member

    Thanks for the heads up!