Free Two-Factor Auth for your Servers and VPNs

Last week, I wrote about bitcoin and its reliance on exchanges such as Mt. Gox. A few days later, Mt. Gox had a few more “issues” including their entire user database being leaked to the Internet.

In various online discussions afterwards, the use of two-factor authentication came up repeatedly. I wondered if there was a cheap, reliable way to handle two-factor authentication for my own systems.

Fortunately, there is.

As some of you surely know, I prefer to use anything besides Windows whenever possible. I have a few servers at home which run Linux, my primary machine is a MacBook Pro, and this web server now runs Debian GNU/Linux (I recently converted it from FreeBSD).

I access the server remotely using SSH, of course, mostly from home. I have a static IP address, which makes it easy to firewall off SSH so that attacks against it are impossible. There are times, though, when I need to be able to SSH in from other places: from friends’ homes, when I’m out of town visiting family, or when travelling, for example. In those cases, I usually just open up SSH from everywhere and run it on a non-standard port.

From my home machines and my laptop, I use SSH public key authentication. This works wonderfully, except if I’m somewhere else and don’t have my laptop with me. In those cases, I have to use someone else’s computer (an “untrusted” device) and possibly give up my password to any malware it may contain.

While looking into my options for two-factor authentication, I discovered Duo Security.

Duo Security’s two-factor authentication uses your mobile phone as the “something you have” piece. They advertise a “15-minute configuration for most SSL VPNs (Juniper, Cisco, SonicWALL), Unix systems, and web applications”. Even better for us: it’s completely free for up to 10 users!

I don’t use an SSL VPN at home anymore, but I decided to experiment with Duo Unix. Duo Unix provides two-factor authentication for SSH and PAM logins.

I first set up Duo Unix on one of my Debian boxes at home. Getting set up with an account on their site and creating my first “integration” took just a few moments. They don’t (appear to) provide pre-compiled binaries but it just took a moment to build the software from source and get it installed. Adding the integration key, secret key, and API hostname took maybe 30 seconds.

On this particular machine, I usually log in via the console and not SSH, so I configured PAM to use two-factor authentication and tested it. I first had it send passcodes to my mobile phone (currently an HTC Incredible loaded up with Cyanogenmod) via SMS:

Once I knew everything worked, I “un-configured” this system. I don’t need two-factor authentication on a server at home.

I ran through pretty much the same steps on my web server, except that I configured SSH to use two-factor authentication. The only time I log in via the console (via VNC-over-SSH to a console server) is if “something bad happened” or I don’t have network connectivity, which would probably make the two-factor authentication fail.

Configuring SSH took only a few seconds and consisted of adding one line to the /etc/ssh/sshd_config file and restarting the SSH server.
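For readers who want to see what that looks like, here is an added, illustrative configuration (not copied from the post or from Duo’s documentation): it assumes Duo Unix installed its login_duo binary at /usr/sbin/login_duo and reads /etc/duo/login_duo.conf, and the key values are placeholders.

```ini
# ---- /etc/ssh/sshd_config -------------------------------------------
# sshd still does its own first factor (password or public key) first;
# only after that succeeds is the forced command run, which is where
# the Duo prompt (push / phone call / SMS passcode) comes from.
ForceCommand /usr/sbin/login_duo

# ForceCommand does not cover port forwarding or tunnels, so without
# these two lines a client could set up a forward before the second
# factor completes. Disable them on a host protected this way.
PermitTunnel no
AllowTcpForwarding no

# ---- /etc/duo/login_duo.conf ------------------------------------------
# Keep this file readable only by the account that runs login_duo:
# the secret key is as sensitive as a password.
[duo]
; integration key, secret key and API hostname from the Duo integration
; page (placeholder values here)
ikey = DIXXXXXXXXXXXXXXXXXX
skey = REPLACE_WITH_SECRET_KEY
host = api-XXXXXXXX.duosecurity.com

; What to do when the Duo service cannot be reached:
;   safe   - let the first factor alone succeed (fail open)
;   secure - deny the login (fail closed)
; "secure" is the stronger choice, but it means a network outage locks
; you out of SSH, so keep an out-of-band path such as a console server.
failmode = secure
```

After editing sshd_config, test from a second session before closing the one you are in, so a typo cannot lock you out.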

Now, when I SSH into the webserver, I first get prompted for my password if I’m not using a public key. Either way, once the password or public key authentication succeeds, I’m given a choice:

I can use the Duo Mobile application on my phone to authorize an authentication request, have the system call me on my mobile phone, or use one of the passcodes that was previously sent to me via SMS.

In the example above, you can see that I simply entered in the next passcode from the list I was given. The software then verifies the passcode and logs me in.

I haven’t tried using the application with any SSL VPNs (I don’t use those at home anymore), but I have no doubt that it will work just as easily. With Duo Web, you can also configure your own web applications (they even have a WordPress plugin!) to use two-factor authentication. Pretty much everyone reading this article should be able to find a use.

For those of you looking for two-factor authentication for your remote servers or VPNs, I’d encourage you to look into Duo. As mentioned, it’s free for up to 10 users. Even if you were to exceed that, pricing is pretty acceptable.


How To Make Your Routers Reload Faster

When doing labs, one thing that really annoyed me was how long it took some of my routers to reload. After doing a lab exercise, I would always erase the configuration and reload in order to start from a “blank” configuration.

I just recently discovered a way to speed up this process. It’s pretty basic and, since the feature has been around since 12.3(2)T, I’m not sure how I hadn’t heard about it. Since I hadn’t, I will assume somebody else out there hasn’t either, so here are the details.

NOTE: Be sure to check Feature Navigator to see if it’s available on your hardware. It’s available on the gear that most of us would have in our home/test labs, with the exception of 2600XMs and 3640s (it IS available on the 2650XM and 2651XM, though).

Warm Reload

Cisco describes the feature as follows:

The Warm Reload feature allows users to reload their routers without reading images from storage. That is, the Cisco IOS image reboots without ROM monitor mode (ROMMON) intervention by restoring the read-write data from a previously saved copy in the RAM and by starting execution without either copying the image from flash to RAM or self-decompression of the image. Thus, the overall availability of your system improves because the time to reboot your router is significantly reduced.

Quicker Recovery From Software Crashes

If it hasn’t happened to you yet, it will. You’ll encounter some software bug in IOS that forces a crash. These never happen at a good time and it often seems like it takes forever for a router to reload when this happens. Alerts start going off, your phone starts ringing, and users begin complaining. There’s nothing you can do except wait.

The warm reload feature also allows the router to recover from these crashes much quicker.

Enabling Warm Reload

Enabling Warm Reload is easy as pie:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# warm-reboot
Router(config)# end
Router#

Note that you’ll need to perform a cold reboot for it to take effect, though.

Tweaking Warm Reload

By default, IOS will force a cold reboot after five warm reboots due to crashes. Also, if a crash happens before the router has been up for five minutes, well, it’s going to do a cold reboot. These values can be changed:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# warm-reboot count 10 uptime 7
Router(config)# end
Router#

Here we’ve configured the router to allow 10 warm reboots and at least seven minutes in between warm reboots due to those crashes.

Verifying Warm Reload Configuration

To view the configuration, use show warm-reboot:

Router# show warm-reboot

Warm Reboot is enabled
Maximum warm reboot count is 10
Uptime after which warm reboot is safe in case of a crash is 7 (min)

Statistics:

0 warm reboots due to crashes and 2 warm reboots due to requests have
taken place since the last cold reboot
2844 KB taken up by warm reboot storage

Performing A Warm Reboot

To perform a warm reboot, you simply use the keyword “warm” when issuing the reload command:

Router# reload warm

If you forget the “warm” keyword, a normal (a.k.a. cold, a.k.a. sloooow) reboot will occur.

Measuring Reload Time

75% of the way through writing this post, I discovered that Ivan (@ioshints) also wrote an article on this exact subject (beating me to it by over four years!). In Ivan’s testing, the time to reload a 2800 decreased from 135 seconds to 54 seconds after enabling the warm reload feature.

What kind of speed-ups are you seeing after enabling warm reload?


Archive Gallery: The Telephone

The Elastic Telephone Cord
Coiling cords, cellular phones, and the rest of the history of talking to each other at a distance

Without question, Alexander Graham Bell’s master invention changed our lives and revolutionized the way we communicate. But science is never satisfied, and so we began a steady stream of improvements to the telephone that took it from rotary dials and operators to the unique problems of autocorrect and Siri’s witty retorts. Today, we take a look back at the ever-evolving history of the telephone.

First we coiled the cord, keeping it from tangling up our important papers, then we learned to keep our babies from teething on it, and then we removed it entirely. We created area codes so that we could make long distance calls without relying on operators and we replaced the rotary dial with buttons to make the process even faster. Some innovations didn’t catch on, like the picturephone, and some, like the carphone, just needed a little time to reach their full potential. Learn about all these and more in our archive gallery.

Torsocks 1.2 Released – Socks friendly ssh and irssi with Tor

Torsocks is an application for Linux, BSD and Mac OSX that allows you to use network applications such as ssh and irssi with Tor. Torsocks allows you to use most socks-friendly applications in a safe way with Tor. It ensures that DNS requests are handled safely and explicitly rejects UDP traffic from the application you’re

Abusing HTTP Status Codes to Expose Private Information

When you visit my website, I can automatically and silently determine if you’re logged into Facebook, Twitter, GMail and Digg. There are almost certainly thousands of other sites with this issue too, but I picked a few vulnerable well known ones to get your attention. You may not care that I can tell you’re logged into GMail, but would you care if I could tell you’re logged into one or more porn or warez sites? Perhaps http://oppressive-regime.example.org/ would like to collect a list of their users who are logged into http://controversial-website.example.com/?

Ignoring the privacy implications for a second, as a website developer, you might like to know if your visitors are logged into GMail; you could use that information to automatically fill the email fields in your forms with “@gmail.com”… Perhaps you might want to make your Facebook “like” buttons more prominent if you can tell your visitor is logged into Facebook at the moment? Here’s how I achieve this:

CodeSOD: The Query of Despair

Jeroen's colleague had the misfortune of being assigned to debug an intermittent, unspecified error in one of the oldest of the legacy applications. "The good news is that I've isolated it to a database query," he told Jeroen, "the bad news is that I've isolated it to a database query."

Knowing that his colleague wasn’t a big fan of databases, Jeroen offered his assistance. In response, he received the following image.

"I don't think anyone can help me," his colleague wrote.