sshd restrict group by address and IP - sshd

I've searched for several days for a clear answer on this, hoping asking it my own way will lead to some clarity on this common feature.
we have one single group of users that we want to restrict to logging in only from a single specific host and no where else. So basically, restrict ssh access by group AND by IP. This user can only log in from hostA, they are denied when they try to log in from any where else.
I've read working with PAM, iptables, sshd deny groups / deny users / allow groups / allow users / match / using the "from" column in the authorized keys...
I'd prefer to of course just deal with sshd configs rather than try to do this with 3 other applications... I've tried editing the sshd configs (and after restarting) none of the "deny / allow / match" parameters seem to work to restrict a user from this group from logging onto the host.
### deny group deployment from everywhere except hostA
Match Address !12.34.56.78/32
DenyGroups deployment
Any advice greatly appreciated! thanks!

I also had a desire to do this - and the closest I could come to a solution is to use iptables with the cgroup extension.
man iptables-extensions
The command woupd look something like:
iptables -A INPUT -p tcp --sport 22 -m cgroup ! --cgroup $iprestrictedusergroup -j DROP
Good luck

Related

My website can’t be reached, but nothing wrong on GCP

Error message: webiz.johocen.com took too long to respond.
But there is nothing wrong on GCP VM instance.
ping webiz.johocen.com got 0% lost 169ms average response
My website is a WordPress multisite on GCP via bitnami. This happened before, reset the VM will solve the problem, but will happen again sometimes later.
Any suggestion where I should look into?
Thanks
Bitnami Engineer here,
Sometimes, if you are experiencing poor performance, it is because you are being attacked by Internet bots. The reason for these attacks is that they are trying to find a security bug in your application code or in the software itself.
To know if you are being attacked, run the commands below:
cd /opt/bitnami/apache2/logs/
tail -n 10000 access_log | awk '{print $1}'| sort| uniq -c| sort -nr| head -n 10
This will show you the number of times that an IP address connected to your Web server. If you see that some IP addresses have many more connections than others, run the following command (remember to modify ATTACKER_IP with the correct IP):
cd /opt/bitnami/apache2/logs/
grep "ATTACKER_IP" access_log
If you see that the IP address is always attempting to connect to the same location, if it is a URL that you don’t know, or if it is trying to run binaries or scripts directly, it is likely that IP address is a bot.
To deny connections to these attackers, the easiest way is with your Apache configuration file. Follow these steps:
Edit the file at /opt/bitnami/apps/wordpress/conf/httpd-app.conf. The example below shows how to reject the 1.2.3.4 IP address in WordPress:
<Directory /opt/bitnami/apps/wordpress/htdocs>
deny from 1.2.3.4
...
</Directory>
Restart the Apache web server:
sudo /opt/bitnami/ctlscript.sh restart apache
More information here: https://docs.bitnami.com/google/apps/wordpress/troubleshooting/deny-connections-bots/

fail2ban whitelist dynamic ip update hostname's associated ip

this is my first question here so I apologize if don't comply with the best practices.
Recently I've been a victim of a POST HTTP slow DDoS attack using different IPs on similar and different ranges on my server.
I've managed to mitigate it using fail2ban by creating a personalized filter for my specific needs:
[Definition]
failregex = ^<HOST> .*POST .*xmlrpc\.php.*
^<HOST> .*HEAD .*m.y.i.p.:80.*
ignoreregex =
These two were the most recursive attempts at my server: 'POST xmlrpc.php' request and a 'HEAD http://m.y.i.p/{phpmyadmin|phpwhatevervariation|etc...}'.
I successfully managed to block them using my local jail as this
[nginx-xmlrpc]
enabled = true
filter = nginx-xmlrpc
action = route
logpath = /var/log/nginx/access.log
maxretry = 3
findtime = 10800
bantime = 86400
The problem is that I was keeping myself locked out every so often during development. So I decided to whitelist myself. Unfortunately, my ISP provides dynamic ips, so I had to associate a hostname to zonomi and use DDNS to update my subdomain with my new assigned IP addresses every so often. I then added my hostname to my ignoreip entry on the local jail as this:
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8 my.hostname.sub.domain
Today I was working on the webserver and I got blocked, so I checked my hostname and it hasn't updated my IP. I manually did it and after the DNS spread over and the hostname's ip changed, I tried to access my website/server with no success.
It appears to me that either: (1) once the ban was set I would have to restart fail2ban to flush the block on my IP (which I dislike due to the fact that all the other IP's blocked are forgotten, the real threats) or (2) somehow fail2ban wasn't able to update my hostname's associated IP.
My question is: If it's (1), is there a way to lift the block automatically without restarting fail2ban or, in case it's (2), is there a way to update my hostname's ip automatically?
Does fail2ban uses IPTABLES? Should I cron a chain flush with my hostname's IP on iptables every minute?
Kindly,
A.
Fail2Ban uses iptables. As per fail2ban's documentation, it allows whitelisting based on hostname or ip addresses:
http://www.fail2ban.org/wiki/index.php/Whitelist
You should use a Dynamic DNS service, set a small TTL for your hostname (like 600 which amounts for 10 minutes). You can go even with 300 (it's not complaint with the standard but it will the job). Then check and see. If your DDNS hostname was created with a default TTL which in most of the cases for A records is between 3600 and 14400 (1 hour - 4 hours) then that might be the reason.

Does my golang webserver need to be run as the root user in order to support HTTPS/TLS?

I want to use golang's built in ListenAndServeTLS() function to serve up my webserver (it's a very simple one), and I need to show it where my keys are stored. The keys are stored in a location only the root user can access (Let's Encrypt did this by default) and I can't listen to port 80 or 443 unless I'm the root user.
Does this mean I have to be running the script as root all the time? Is that not insecure?
To blatantly quote the well-written Caddy FAQ:
No. On Linux, you can use setcap to give Caddy permission to bind to
low ports. Something like setcap cap_net_bind_service=+ep ./caddy
should work. Consult the man pages of your OS to be certain. You could
also use iptables to forward to higher ports.
Privilege de-escalation is another option, but it is not yet a
reliable solution. It will be implemented as soon as this becomes a
robust possibility. Concerned readers are encouraged to get involved
to help this become a reality.
To add to #ma_il's answer, you can use setcap but you still would have to change the permissions of the cert.
Or build your app then run it as root, example: go build && sudo ./app

How to hide celery flower tornado server if use nginx

I user celery flower as a daemon, and nginx as proxy for it.
Flower uses port 5555.
Nginx serves it on url flower.mysite.com, and uses basic auth.
But flower still avaiable on mysite.com:5555, how could I make this url secure?
If you have nginx and your daemon on the same server, simply make your daemon listen on 127.0.0.1 and make nginx forward the requests to that address. It won't be available to any other user besides localhost. Simple and effective.
You need to block incoming connections using iptables if you google it you'll find a simple line to do it.
Sorry I don't know iptables syntax, I usually just google it my self
what's your operating system? If you're running Ubuntu you can just use ufw. I usually have the following roles in my provisioning scripts for servers:
ufw allow ssh
ufw allow http
ufw allow https
ufw logging off
echo 'y' | ufw enable
Expanding on the answer from alfredocambera:
Starting flower with a specific address will bind it to that address only, e.g.:
flower --address=127.0.0.1

Can't start site in IIS (use by another process)

When I try to start a site in IIS it says:
the process can't access the file because it used by another process
I searched in Google and found that another site may have been using Port 80 but in MyIIS I see that only this site is using Port 80. What else could be using Port 80 or is there another issue involved?
Check using netstat -aon or netstat -aon | findstr 0.0:80 in a command prompt to see which Process Id is LISTENING to port :80 and then watch for that Process Id (PID) in Task Manager with view->select columns-> process id checked. End that process, restart IIS and you are done. (Note: if you have Skype installed, try exiting that process first.)
In a modern Task Manager, you need to go on the Details tab to search for the PID. Or, as mentioned by #Nikita G in the comments, you can use this command to find the task from your command prompt:
tasklist /FI "PID eq 123"
Note: change 123 with the PID returned from the first command.
It is happening because a different process is using port 80, it may be a chat application on your PC like Skype.
First, change the default web site port which was 80 to some unused port (e.g. 8087). To achieve this right click the application and then click on 'Edit Binding'.
After this port change restart again.
Now you can identify which process is blocking the IIS Port 80. To check this use netstat command which displays the details of port along with the process ID.
Sign out of Skype and try again. I have experienced the same issue and I just logged out of Skype and then reset my IIS. It worked for me.
You can also run this command to find out which application or service is using the port and then trace it down in Task manager (Provided it's not the Web Deploy Agent Service).
netstat -o -n -a | findstr 0.0:80
Then open Task manager, go to Processes, click the "Show processes for all users" checkbox and then click the View menu and Go to the Columns, add the PID column.
Match the Process ID from the netstat command to the PID in task manager and you will find the service or application that's using the port.
As others have said, something else may be using port 80 or 443. It was VMWare Workstation Server for me, but check other answers for how to use netstat.
I think this link gives a pretty good explanation and fix of this problem http://support.microsoft.com/KB/890015
Most of the time; it's caused by one of the two reasons:
1) port 80 is being used by something else and as suggested by others you can use netstat -o -n -a |findstr 0.0:80 to see whether this is the case. If yes then kill the process from task manager (tick show processes from all users)
2) if port 80 is not used, the second cause is potentially an invalid ip address in the ListenOnlyList filed in the registry key of HTTP->Parameters. If you follow the link to set the key manually or in fact you can use (xp and server 2003) httpcfg delete iplisten -i ipaddress to delete the invalid ip address.
You must restart the http once you edit the ipaddress!
In my case, it was the "Sync Share Service" (SyncShareSvc) that was running and using port 80.
netstat showed 80 as free, though. I could get the site to run on another port, but not 80. if I added a Host name, IIS would allow me to start the site, but I'd get prompted for Digest authentication when browsing to localhost (or any host name I added). Only Anonymous and Forms Auth were enabled in IIS...
I also found that, after stopping IIS, http://localhost still prompted me for Digest authentication.
The solution - in my case - was to remove File and Storage Services > Files and iSCSI Services >
"Work Folders" from the services installed (restart required).
After removing the "Work Folders" service and restarted, IIS worked as expected.
My case was after installing RD Web Access, the original default websites couldn't be started. Removed the RD Web Access role still same. Removed port 443 binding solved the issue.
Most times when this happens by web developers is the reason apache, so if you go to the config file from apache! open it up and search with ctrl + f to 80 and change the ip you will see to 8080 and the sentence beneath there with 80 to 8080 and you need to confige that in you xampp, or the program u are using currently
Hope I'll help u guys out
In order to get more meaningful information, one way is to also get ownership information when issuing netstat so that you know the process which is using either 80 (default http binding) or 443 (if https binding is defined):
netstat -ab
In my case the culprit was vmware:
TCP 0.0.0.0:443 ComputerName:0 LISTENING
[vmware-hostd.exe]
netstat can be piped into find to search for ports 80 or 443 (e.g. find ":443"), but these particular active connection will show at the beginning of the list at they are easy to see.

Resources