Using ModSecurity Rules with nginx

I wanted to make note of this page, because it was a huge help getting the ModSecurity OWASP rule set working with nginx.

LinuxBabe: How to Set Up ModSecurity with Nginx on Debian/Ubuntu

Then to start exempting specific pages from specific rule ID’s, you’ll using these three commands quite a bit:

`tailf /var/log/modsec_audit.log`
`sudo nano /etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf`
`sudo nginx -t`
`sudo systemctl reload nginx`

Malwarebytes Labs: Relax. Internet password books are OK

Source: Malwarebytes Labs: Relax. Internet password books are OK

So this was posted on April Fools’ Day, but I do believe it’s a serious post & I agree with the content. The author brings up the point early: Whether using a physical password book is a good thing depends on your threat model & risk. If you are not good with computers & can’t figure out how to use a password manager (see some of my other posts about passwords: Don’t Change that Pa$$w0rd, FINALLY: A Good Password Management Article, & ANOTHER GOOD article about passwords) & you don’t have to worry about someone you live with abusing access to the book, then this is a great way to store passwords without remembering them or re-using the same one over & over. Having the details saved in a book that’s kept in a drawer at your desk is a good way for some people to store different passwords. And it would obviously stay safer if the book stays at home, versus keeping it with you at all times & potentially losing it while out & about. That of course leads to other questions like “What do I do if I am away from home & need a password?”, but that will have to be answered by the user: Is it worth carrying the book with you at all times or is it really something that can wait until you get home & can access the book.

Protecting Linux Login with 2FA

This is definitely not the first time I’ve tried getting this working, but glad I was finally able to. Looks like if I had read a bit more, I never would have run into issues…

By the second or third time I ran into problems, I at least figured out why: with my home directory being encrypted, the “secret” 2FA files could not be accessed & verified.

Now for the fun part… It looks like Google had the instructions for encrypted home directories in the README the whole time.

Encrypted home directories
If your system encrypts home directories until after your users entered their password, you either have to re-arrange the entries in the PAM configuration file to decrypt the home directory prior to asking for the OTP code, or you have to store the secret file in a non-standard location:

auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator

would be a possible choice. Make sure to set appropriate permissions. You also have to tell your users to manually move their .google_authenticator file to this location.

In addition to “${USER}”, the secret= option also recognizes both “~” and ${HOME} as short-hands for the user’s home directory.

When using the secret= option, you might want to also set the user= option. The latter forces the PAM module to switch to a dedicated hard-coded user id prior to doing any file operations. When using the user= option, you must not include “~” or “${HOME}” in the filename.

The user= option can also be useful if you want to authenticate users who do not have traditional UNIX accounts on your system.

So, after getting through that tedious “reading” thing, I followed their suggestion, & created the “unencrypted-home” directory, moved the ~/.google_authenticator file there, edited /etc/pam.d/common-auth & included the path to the file at the encrypted location. After that… Working as expected!

user@Hostname:~$ cat /etc/pam.d/common-auth | tail -n 1
auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator

Password “Complexity” Requirement

I actually forget what web site this one, but found this little gem while trying to setup a new account:

I guess my password doesn’t meet their requirements?
Then I decide to use this instead.

No, I didn’t actually make my password “password123” but I would have thought a site warning my against it wouldn’t allow “password”+< something >. The fact that it wouldn’t accept my random password probably should have been my first hint that it was not going to go well.

Moving from Authy to Another 2FA App

Despite the convenience of having Authy’s ability to sync across devices, I decided I wanted to change my 2FA app to Android’s andOTP. To do this (without unenrolling & re-enrolling myself in 2FA for my 50+ services), I needed to find a way to export my secrets from Authy. I did find a few posts on the topic, but didn’t have any luck with those guides. Most seemed to be a variation on the same process of getting the secrets from the Authy Chrome extension.

GitHubGist: Generating Authy passwords on other authenticators

What I did end up finding that finally worked, was to pull the XML containing details on each entry in Authy, thanks to this post: GBATemp: extract your totp keys from authy using chrome:

Good job, this tutorial is great for people who need to extract their keys out of Authy without needing a rooted Android/Jailbroken iPhone to grab them from the mobile app.

For people with rooted Android phones, the totp keys are stored here:
/data/data/com.authy.authy/shared_prefs/com.authy.storage.tokens.authenticator.xml

The filepath is what I was looking for

In the past, when I was using Google Authenticator, you had the ability to pull the database from the Android app, assuming you were rooted. The above process seems to be similar, just for the Authy app, instead of Google Authenticator: /data/data/com.google.android.apps.authenticator2/databases/databases.

This post is for my own reference, & for anyone else that may want to move from Authy, to another authenticator app.

Scammers Using Microsoft’s Support Site

I just came across this video (posted yesterday), where scammers are leveraging Microsoft’s legitimate support site at https://support.microsoft.com/help. This was after I received a fake Microsoft support call. Unfortunately, I didn’t have a dummy VM ready to waste their time, but glad I found out about the use of Microsoft’s site. Because Microsoft uses LogMeIn, their support site seems to just forward the code to LogMeIn to start the session.

See the video below for how the site is used: