The first step to securing your SSH configuration is to configure key-based authentication and not allow password authentication at all. That topic has already been discussed. Check out my post about that: https://www.ajni.it/2020/03/configure-ssh-key-based-authentication-on-a-linux-system/

The second step is to introduce an Intrusion Detection System (IDS or IPS). Fail2ban can achieve that specific goal. It analyses SSH authentication logs (it can be also set for other services) and blacklists IP addresses after n failed attempts with the help of iptables (firewall rules). Let’s check it out.

First of all make sure to update your system:

apt update

apt upgrade

Now install fail2ban:

apt install fail2ban

Start and enable the fail2ban service:

systemctl start fail2ban

systemctl enable fail2ban

Now a “jail” can be configured for failed ssh login attempts. There is a default /etc/fail2ban/jail.conf file, but we are going to create a new config jail.local.

nano /etc/fail2ban/jail.local

Paste following parameters in the file:

[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
mode = aggressive
bantime = -1
findtime = 3600

Mode=aggressive includes failed attempts with public key authentication. Bantime = -1 is for persistent bans. Findtime indicates how far back logs are checked (now – 3600 minutes or 1 hour).

After saving the file, restart fail2ban:

service fail2ban restart

Blacklisted IPs can be viewed with

fail2ban-client status sshd

After some minutes one IP already showed up:

Or you can also view it with iptables.

iptables -L -n -v

Removing an IP from the blacklist is also easy (the command is self-explanatory)

fail2ban-client set sshd unbanip 10.10.10.1

Some other security considerations:

• Don’t log in as root and do not allow user root over SSH
• Use public-key authentication
• Change the SSH port
• Implement an IDS/IPS (fail2ban)

References:

https://www.techrepublic.com/article/how-to-install-fail2ban-on-ubuntu-server-18-04/

https://serverfault.com/questions/686422/modify-fail2ban-failregex-to-match-failed-public-key-authentications-via-ssh/686436

https://security.stackexchange.com/questions/188908/what-is-this-ssh-attack-am-i-hacked

https://www.liquidweb.com/kb/install-configure-fail2ban-ubuntu-server-16-04/

https://serverfault.com/questions/808866/get-fail2ban-to-check-findtime-every-x-minutes

So here is a challenge I had to face today: I created a virtual machine (VM) in Azure from a custom image that was previously Sysprep’d by me. The image contained several applications intended to run on a RDSH (Remote Desktop Session Host) for Citrix Virtual Apps and Desktops (former XenApp), so the RDS role was also installed. The VM was not part of the domain, it was in a Workgroup and it could not reach the RDS license server. Which meant: I could not RDP into the machine to perform Domain Join. And if you already have some experience with Microsoft Azure, you will know that there is no Remote Console like in VMware or Hyper-V.

The VM was still reachable over the network. So here are four PowerShell commands that allowed me to remotely perform a Domain Join on that particular machine. Nothing fancy, but it might come in handy.

$Server=”10.10.10.10″

Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $Server -Confirm:$false -Force

This credential variable stores the local username and password of the computer. Something like computername\admin along with the password.

$Cred = Get-Credential

Add-Computer -DomainName “ajni.lab” -Restart

After executing the last command you will be prompted to insert domain credentials. The user obviously must have the right to create computers in the domain.

Have you ever wondered what this setting in Citrix Workspace App does?

Well, today I figured out: you can set multiple virtual desktops for your session in a split-screen fashion. Just like this:

The session must be in full-screen mode. Here is how it looks:

Saving credentials and secrets inside your code is a very bad idea and should be avoided. PowerShell has built-in commands to export and import encrypted data in your code.

There might be a lot of ways to achieve this, but this is how I like to do it. This is very elegant and easy to implement.

Let’s say we have a secret password that we want to secure and avoid saving in the source code.

$secretPW = “SecretPassword” | ConvertTo-SecureString -AsPlainText -Force

We can export this variable to an encrypted XML file with

$secretPW | Export-Clixml -Path .\secret.xml

The password is not human readable:

To import this file use

$secretPW = Import-Clixml -Path .\secret.xml

The plain-text password can be obtained through (I had to split the command into two lines)

[System.Runtime.InteropServices.Marshal]::
PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secretPW))

Just outputting the variable won’t show the password, because the variable is a System.Security.SecureString object.

Credentials can also be saved this way:

$credentials = Get-Credential

You can show the plain-text password with

$credentials.GetNetworkCredential().password

$credentials | Export-Clixml -Path .\credentials.xml

Only the username is shown in clear text.

Same thing again with the import

$credentials = Import-Clixml -Path .\credentials.xml

$credentials.GetNetworkCredential().password

The password can be decrypted by the same user that created the XML file on that specific computer.

References:

https://devblogs.microsoft.com/scripting/decrypt-powershell-secure-string-password/

https://pscustomobject.github.io/powershell/functions/PowerShell-SecureString-To-String/

A while ago I wrote an article that described all the steps necessary to obtain a free SSL certificate with a validity of 90 days. Check it out: https://www.ajni.it/2019/06/claiming-a-free-ssl-certificate-for-your-website/

While it’s good to know how things work, the task gets boring and repetitive if you have to do it every 3 months and in my case for two different domains. This is why I wrote a small and straightforward script in Python3 that does that all for me.

ZeroSSL offers an API that allows us to automate this task by making some HTTP calls with an API key obtainable after registering.

I have uploaded the script on GitHub, check it out:

https://github.com/ajnik/ZeroSSL-CertRenew

There are some variables that must be changed:

• Line 19: API key
• Line 20: Domain name
• Line 43 to 52: Request paramteres (O, OU, L, ST, C)

Execute the script with

python3 ZeroSSL_CertRenew.py

The script does no exception handling. I might improve it in the future.

Let me know if you have any suggestions. I am pretty new to Python programming so every tip is welcome.