Merge pull request #102 from hellresistor/AddDoublePasswordSec

Add panic/secondary password security

README.md

@@ -23,6 +23,7 @@ An evolving how-to guide for securing a Linux server that, hopefully, also teach
   - [Installing Linux](#installing-linux)
   - [Pre/Post Installation Requirements](#prepost-installation-requirements)
   - [Other Important Notes](#other-important-notes)
+  - [Using Ansible Playbooks to secure your Linux Server](#using-ansible-playbooks-to-secure-your-linux-server)
 - [The SSH Server](#the-ssh-server)
   - [Important Note Before You Make SSH Changes](#important-note-before-you-make-ssh-changes)
   - [SSH Public/Private Keys](#ssh-publicprivate-keys)
@@ -39,6 +40,7 @@ An evolving how-to guide for securing a Linux server that, hopefully, also teach
   - [Force Accounts To Use Secure Passwords](#force-accounts-to-use-secure-passwords)
   - [Automatic Security Updates and Alerts](#automatic-security-updates-and-alerts)
   - [More Secure Random Entropy Pool (WIP)](#more-secure-random-entropy-pool-wip)
+  - [Add Panic/Secondary/Fake password Login Security System](#add-panic-secondary-fake-password-login-security-system)
 - [The Network](#the-network)
   - [Firewall With UFW (Uncomplicated Firewall)](#firewall-with-ufw-uncomplicated-firewall)
   - [iptables Intrusion Detection And Prevention with PSAD](#iptables-intrusion-detection-and-prevention-with-psad)
@@ -73,6 +75,8 @@ This guides purpose is to teach you how to secure a Linux server.
 
 There are a lot of things you can do to secure a Linux server and this guide will attempt to cover as many of them as possible. More topics/material will be added as I learn, or as folks [contribute](#contributing).
 
+Ansible playbooks of this guide are available at [How To Secure A Linux Server With Ansible](https://github.com/moltenbit/How-To-Secure-A-Linux-Server-With-Ansible) by [moltenbit](https://github.com/moltenbit).
+
 ([Table of Contents](#table-of-contents))
 
 ### Why Secure Your Server
@@ -97,8 +101,6 @@ I've never found one guide that covers everything -- this guide is my attempt.
 
 Many of the things covered in this guide may be rather basic/trivial, but most of us do not install Linux every day and it is easy to forget those basic things.
 
-IT automation tools like [Ansible](https://www.ansible.com/), [Chef](https://www.chef.io/), [Jenkins](https://jenkins.io/), [Puppet](https://puppet.com/), etc. help with the tedious task of installing/configuring a server but IMHO they are better suited for multiple or large scale deployments. IMHO, the overhead required to use those kinds of automation tools is wholly unnecessary for a one-time single server install for home use.
-
 ([Table of Contents](#table-of-contents))
 
 ### Other Guides
@@ -267,6 +269,52 @@ Where applicable, use the expert install option so you have tighter control of w
 - Read the whole guide before you start. Your use-case and/or principals may call for not doing something or for changing the order.
 - Do not **blindly** copy-and-paste without understanding what you're pasting. Some commands will need to be modified for your needs before they'll work -- usernames for example.
 
+([Table of Contents](#table-of-contents))
+
+### Using Ansible playbooks to secure your Linux Server
+Ansible playbooks of this guide are available at [How To Secure A Linux Server With Ansible](https://github.com/moltenbit/How-To-Secure-A-Linux-Server-With-Ansible).
+
+Make sure to edit the variables according to your needs and read all tasks beforehand to confirm it does not break your system. After running the playbooks ensure that all settings are configured to your needs!
+
+1. Install [Ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html)
+2. git clone [How To Secure A Linux Server With Ansible](https://github.com/moltenbit/How-To-Secure-A-Linux-Server-With-Ansible)
+3. [Create SSH-Public/Private-Keys](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server#ssh-publicprivate-keys)
+  ```
+  ssh-keygen -t ed25519
+  ```
+   
+5. Change all variables in *group_vars/variables.yml* according to your needs.
+6. Enable SSH root access before running the playbooks:
+   
+  ```
+  nano /etc/ssh/sshd_config
+  [...]
+  PermitRootLogin yes
+  [...]
+  ```
+
+7. Recommended: configure static IP address on your system.
+8. Add your systems IP address to *hosts.yml*.
+
+ 
+
+Run the requirements playbook using the root password you specified while installing the server:
+
+    ansible-playbook --inventory hosts.yml --ask-pass requirements-playbook.yml
+
+ 
+
+Run the main playbook with the new users password you specified in the *variables.yml* file:
+
+    ansible-playbook --inventory hosts.yml --ask-pass main-playbook.yml
+
+ 
+
+If you need to run the playbooks multiple times remember to use the SSH key and the new SSH port:
+
+    ansible-playbook --inventory hosts.yml -e ansible_ssh_port=SSH_PORT --key-file /PATH/TO/SSH/KEY main-playbook.yml
+
+
 ([Table of Contents](#table-of-contents))
 
 ## The SSH Server
@@ -1363,6 +1411,97 @@ WIP
     - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-encryption-using_the_random_number_generator
     - https://wiki.archlinux.org/index.php/Rng-tools
 
+([Table of Contents](#table-of-contents))
+
+### Add Panic/Secondary/Fake password Login Security System
+
+#### Why
+
+A nice tool to add extra password security, against physical attack (In-Person) Ramson/Rob/assault methods.
+
+#### How It Works
+
+The pamduress will add to the X user a secondary password(Panic password), when this password match will start run a script (this script do what you what the user do, when he logins with THESE panic password.
+
+Practical & real Example:
+"Some Robber invade a home, and steal the server (containing IMPORTANT business backups, and ownlife memories and blablabla). Not exist any disk/boot encryption. Robber have start the server on their 'safe zone' and start an bruteforce attack. He have cracked the local password by SSH with from sudoer user 'admin' success, yeah a dummy password, not THE Strong one/primary. He starts SSH session/or physical session with that cracked dummy/panic password with 'admin' sudoer. He starts feeling the server seems to much busy in less than 2 minutes until to freeze.. 'wtf!?! lets reboot and continue steal info..'.. sorry friend. all data and system was destroyed.".
+    Conclusion, the robber cracked the dummy/panic/secondary password, and with this password its associated a script will do delete all files, config, system, boot and after than start charge the RAM and CPU to force robber reboot system.  
+
+#### Goals
+
+Prevent access to malicious person to access server information when get an a password in force way (assault, gun, ransom, ...). Of course this is helpfull in other situations.
+
+#### References
+
+- Thanks to [nuvious](https://github.com/nuvious/pam-duress) for this tool
+- Thanks to [hellresistor](https://gist.github.com/hellresistor/a4c542415a2d437e21afc235260d2366) for this Lazy-Tool-Script
+
+#### Steps
+
+1. Run this (hellresistor Lazy-Tool-Script).
+
+ ```` bash
+#!/bin/bash
+myownscript(){
+#######################################################
+## ***** EDIT THIS SCRIPT TO YOUR PROPOSES *****#
+
+cat > "$ScriptFile" <<-EOF
+#!/bin/bash
+sudo rm -rf /home
+#### FINISHED OWN SCRIPT ####
+EOF
+#######################################################
+}
+echo "Lets Config a PANIC PASSWORD ;)" && sleep 1
+read -r -p "Want you REALLY configure A PANIC PASSWORD?? Write [ OK ] : " PAMDUR
+if [[ "$PAMDUR" = "OK" ]]; then
+ echo "Lets Config a PANIC USER, PASSWORD and SCRIPT ;)" && sleep 1
+ while [ -z "$PANICUSR" ]
+ do
+  read -r -p "WRITE a Panic User to your pam-duress user [ root ]: " PANICUSR
+  PANICUSR=${PANICUSR:=root}
+ done
+ if [ -z "$ScriptLoc" ]; then
+  read -r -p "SET Script Directory with FULL PATH [ /root/.duress ]: " ScriptLoc
+  ScriptLoc=${ScriptLoc:=/root/.duress}
+  ScriptFile="$ScriptLoc/PanicScript.sh"
+ fi
+else
+ echo "NOT Use PAM DURESS aKa Panic Password!!! Bye"
+ exit 1
+fi
+
+sudo apt install -y git build-essential libpam0g-dev libssl-dev
+
+cd "$HOME" || exit 1
+git clone https://github.com/nuvious/pam-duress.git
+cd pam-duress || exit 1
+make 
+sudo make install
+make clean
+#make uninstall
+
+mkdir -p $ScriptLoc
+sudo mkdir -p /etc/duress.d
+myownscript
+duress_sign $ScriptFile
+chmod -R 500 $ScriptLoc
+chmod 400 $ScriptLoc/*.sha256
+chown -R $PANICUSR $ScriptLoc
+
+sudo cp --preserve /etc/pam.d/common-auth /etc/pam.d/common-auth.bck
+
+echo "
+auth   	[success=2 default=ignore]	     pam_unix.so nullok_secure
+auth    [success=1 default=ignore]      pam_duress.so
+auth	   requisite	                    		pam_deny.so
+auth	   required	                     		pam_permit.so
+" | sudo tee /etc/pam.d/common-auth
+
+read -r -p "Press <Enter> Key to Finish PAM DURESS Script!"
+exit 0
+ ````
 
 ([Table of Contents](#table-of-contents))
 
@@ -1675,7 +1814,7 @@ And, since we're already using [UFW](#ufw-uncomplicated-firewall) so we'll follo
 - https://serverfault.com/a/447604/289829
 - https://serverfault.com/a/770424/289829
 - https://gist.github.com/netson/c45b2dc4e835761fbccc
-- Thanks to [sysadt](https://github.com/sysadt) for catching the issue ([#61](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/61)) with `psadwatchd`.
+- Thanks to [moltenbit](https://github.com/moltenbit) for catching the issue ([#61](https://github.com/imthenachoman/How-To-Secure-A-Linux-Server/issues/61)) with `psadwatchd`.
 
 #### Steps
 
@@ -3549,6 +3688,7 @@ For any questions, comments, concerns, feedback, or issues, submit a [new issue]
 - https://news.ycombinator.com/item?id=19177435#19178618
 - https://www.reddit.com/r/linuxadmin/comments/arx7xo/howtosecurealinuxserver_an_evolving_howto_guide/
 - https://www.reddit.com/r/linux/comments/arx7st/howtosecurealinuxserver_an_evolving_howto_guide/
+- https://github.com/moltenbit/How-To-Secure-A-Linux-Server-With-Ansible
 
 ([Table of Contents](#table-of-contents))