Tag Archives: security

A dashboard for digging through break-in attempts

While I have been between jobs lately (no, not that kind. The good kind where I have been fortunate to get some time to relocate etcetera) I have been hacking a bit on something to visualize and dig through the data of failed login attempts of a blog I run. I send all login attempts that does not come over SSL to a pseudo login page that just logs it, that is the kind of thing I do for fun -what do other people do?

So I have been collecting this data set and I was running some shell scripts on it, but I wanted a dashboard.
Boring story cut short I threw some Bootstrap, jqplot, PHP, a shell script for importing my log and a sqlite3 database at the wall and this is what stuck.

One of the nice things with using Bootstrap is that people are spared from my web design, and also that I get a responsive layout for free.

Lilith dashboard version 0.1

This is where it is at right now, this first version however just gave me a thousand more ideas of features I want to add to it in the future.

It has already given me some interesting insight into the patterns of the -presumedly- bots trying to log in, such as that 72% of the IPs only appear once and that Sunday is by far the most busy day. Another interesting pattern is that most login attempts keep coming in threes from different IPs at almost the same time trying the same combination(see the last section with the last 10 rows from the log).

I plan on making this available as open source, but there is some major cleanup needed first..

Sounds good? Let me know in the comments. I do like feedback, but please keep it above the belt!


Google authenticator on Raspberry Pi

Google authenticator logoAfter adding ssh keys as I try to always do on my systems I went on to installing the Google authenticator module.

Install and setup
construct:~# apt-cache search google-authenticator
libpam-google-authenticator - Two-step verification
construct:~# apt-get install libpam-google-authenticator

then as my user I just run google-authenticator to set it up:
henrik@construct ~ $ google-authenticator
Continue reading


Google authenticator on FreeBSD

I wanted to give this a quick try and this is how I did:
(not much deviate from any other howto on the subject..)

Compile the port
test3# uname -a
FreeBSD test3.xxxxx.se 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
test3# cd /usr/ports/security/pam_google_authenticator/
test3# make all install distclean && rehash
I just used the default settings while compiling.

Add the pam module
auth required /usr/local/lib/pam_google_authenticator.so

To /etc/pam.d/sshd

I then went to /etc/ssh/sshd_config and removed the comment on
ChallengeResponseAuthentication yes

Restart sshd
test3# /etc/rc.d/sshd restart
Stopping sshd.
Starting sshd.

Set up the user
> google-authenticator
google-authenticator: Command not found.
> rehash
> google-authenticator
Your new secret key is: PKZ2JNIV6JXXX3SEC
Your verification code is 1266323
Your emergency scratch codes are:

Do you want me to update your "~/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) y

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y

Setup the phone
Scan the QR code in the url above or add it manually to google authenticator on your phone and you are good to go.

And finally, login and get prompted for the otp code
[mbp:~] henrik% ssh
Verification code:

Easy peasy!