Tips for Hardening Your LastPass Account

LastPass is a great service, one I don’t mind paying for because I know the value it provides and the time it saves; it’s worth it. It’s nice to be able to generate reliably secure passwords with ease and save them to a secure, encrypted online vault.

The security of the LastPass master account is of the utmost importance, as these are the keys to the kingdom. Enabling a few features in LastPass can therefore make your account much more secure. Some of these features might require additional setup outside LastPass, additional hardware or services like the YubiKey, and/or a Premium/Enterprise subscription, which can incur costs.

Country and Tor Restrictions

To start, allow logins to your LastPass account only from select countries: those from which you know you will need access to your account. Also, disallow logins from VPN/anonymous proxies and unknown locations.

Click Show Advanced Settings if you don’t see the options in the screenshot below.

Disallow logins from Tor networks is a separate option.

LastPass Security Options

Adjust your security preferences as you see fit.

Two Factor Authentication

Enable Two Factor Authentication (2FA), either with a physical device like a YubiKey or with a virtual authenticator app like LastPass Authenticator. Free accounts can use only virtual tokens.

LastPass Multifactor Options

Without providing the access code and credentials, access will be denied to the vault and account.

LastPass supports an array of 2FA methods: LastPass’s own authenticator, Salesforce, Google and Microsoft authenticators, Grid (a paper-based one-time password system), smartcards, fingerprint readers, and more.

Session Management

LastPass has settings for auto log-off of other devices on login, preventing a session trail.

Proactive Steps

Click the Destroy sessions button under the Tools heading; this opens another tab with the Your Active LastPass Sessions page.

Feb 9th, 2019 • Filed under Best Practices, Management, Security

OPNsense Security Device Build

Just back from a security conference. The major themes of the conference were that passwords suck, phishing, policies, and solutions. The conference was great: good food and lots of information taken from the talks.

Scene

All this security talk got me thinking about my own setup: a very old Cisco ASA and Cisco wireless router pair that meets basic needs but doesn’t give much visibility into the network, and the number of exploits for this hardware/software must be longer than my arm at this point, so it’s time to upgrade.

The Cisco ASA needs to be replaced because its software isn’t current, and protecting against newer attacks isn’t possible. The Cisco E4200 has to be replaced because it doesn’t support newer Wi-Fi standards.

Build

This post and some that follow will be about a security device build I have ongoing. The journey begins with picking a hardware platform, of which there are a lot to choose from. I wanted to stay as close to router-style as possible, so I opted for a board with no VGA or other display output that has a serial port (yes, RS232).

I bought a bundle that contains board, case, and power adapter. Basically, the only additional part required is storage; this can be an SD card or USB flash drive. I will be using an mSATA drive for log storage (/var). The board I have has three mPCIe slots, but only one works with mSATA drives, and it’s labelled accordingly.

PC Engines APU2D4 (Without SD and SSD)

Connecting to the serial port requires a serial port on your machine (physical or a USB adapter), a null modem cable, and terminal software. A null modem cable you can purchase or make.

Terminal software is usually provided with the OS, but you can also use PuTTY if performing this build on Windows. Unix-based OSes can use utilities like cu, minicom, and screen. I had the most success with cu; your mileage may vary.

sudo cu -s 115200 -l /dev/tty.usbserial

Once you connect, you might see memtest86 running tests. I let my board run these tests for a day or so, just to make sure the hardware was solid and that I hadn’t damaged it putting it together.

Install

Download the latest OPNsense image and write it to a USB flash drive. Boot from this flash drive and follow the instructions on the serial console to install to SD/mSATA. The SD card will hold the OS and the mSATA will hold /var.

Once you have answered the questions regarding interfaces and the installation has finished, you can reboot, remove the flash drive, and boot from the SD card. I have found booting from the SD card a little slower, but it’s not a device I will reboot often, so that’s not a concern.

Connect to the web management interface on the LAN interface IP address. Log in using the default root/opnsense credentials and complete the setup from the browser.

OPNsense Finished Initial Configuration Screen

Add mSATA After Installation

Once the mSATA SSD has been installed, do the following to use it for /var:

  • Drop to runlevel 1 (single-user mode)
  • Rename the /var directory to /var.old
  • Make a new /var directory
  • Create a partition using gpart on the new mSATA drive (usually ada0)
  • Format the new partition using newfs
  • Mount the newly formatted partition on /var
  • Copy the contents of /var.old to /var
  • Add a line to /etc/fstab to make the change permanent

The mount points should look like the following:

root@<host>:~ # mount
/dev/gpt/rootfs on / (ufs, local, noatime, soft-updates)
devfs on /dev (devfs, local, multilabel)
/dev/gpt/gpvarfs on /var (ufs, local, noatime, soft-updates)
devfs on /var/unbound/dev (devfs, local, multilabel)
devfs on /var/dhcpd/dev (devfs, local, multilabel)

After making changes like this, I like to reboot just to make sure everything will return after a cold boot.
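The steps above name the tools but not the exact commands, and the mount listing shows the end state to check for. The script below is an added example written for this post (it is not OPNsense tooling): it produces the FreeBSD commands for each step, runs them only when explicitly told to, and verifies `mount` output afterwards. It assumes the new disk is ada0 and that the GPT label is gpvarfs, matching the /dev/gpt/gpvarfs device in the listing; the commands themselves must be run as root in single-user mode (`shutdown now` on FreeBSD, which has no runlevels).

```python
"""Plan, optionally run, and verify moving /var onto an mSATA disk.

Added example for this post, not OPNsense's own tooling.  Assumed: device ada0,
GPT label gpvarfs (so the partition appears as /dev/gpt/gpvarfs), root shell in
single-user mode.  Dry-run is the default; nothing is executed unless asked.
"""
import re
import subprocess

# Device names and labels are interpolated into shell commands, so accept only
# a conservative character set (ada0, da1, ...; label of up to 15 safe chars).
_DEV_RE = re.compile(r"^[a-z]+[0-9]+$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{1,15}$")


def fstab_entry(label="gpvarfs"):
    """fstab line that makes the mount permanent (fsck pass 2, as for non-root)."""
    return f"/dev/gpt/{label}\t/var\tufs\trw,noatime\t2\t2"


def plan_var_migration(device="ada0", label="gpvarfs"):
    """Return the ordered shell commands for the steps listed in the post.

    gpart creates a GPT and one freebsd-ufs partition carrying a label, so the
    disk is reachable as /dev/gpt/<label> regardless of probe order.  newfs -U
    turns on soft updates (shown as 'soft-updates' in the mount listing).
    """
    if not _DEV_RE.match(device):
        raise ValueError(f"unexpected device name: {device!r}")
    if not _LABEL_RE.match(label):
        raise ValueError(f"unexpected GPT label: {label!r}")
    gpt_dev = f"/dev/gpt/{label}"
    return [
        "mv /var /var.old",
        "mkdir /var",
        f"gpart create -s gpt {device}",
        f"gpart add -t freebsd-ufs -l {label} {device}",
        f"newfs -U {gpt_dev}",
        f"mount -o noatime {gpt_dev} /var",
        # tar preserves ownership, modes, flags and hard links; cp -R does not.
        "tar -C /var.old -cf - . | tar -C /var -xpf -",
        f"printf '%s\\n' '{fstab_entry(label)}' >> /etc/fstab",
    ]


def run_plan(commands, dry_run=True):
    """Print each command; execute it only when dry_run is False."""
    for cmd in commands:
        print(("DRY-RUN: " if dry_run else "RUN: ") + cmd)
        if not dry_run:
            # shell=True is required for the tar pipeline; inputs were validated.
            subprocess.run(cmd, shell=True, check=True)


_MOUNT_RE = re.compile(r"^(\S+) on (\S+) \((.*)\)$")


def parse_mount(output):
    """Parse FreeBSD `mount` output into {mountpoint: (device, [options])}."""
    table = {}
    for line in output.splitlines():
        m = _MOUNT_RE.match(line.strip())
        if m:
            table[m.group(2)] = (m.group(1), [o.strip() for o in m.group(3).split(",")])
    return table


def var_on_expected_device(output, label="gpvarfs"):
    """True when /var is a UFS mount of /dev/gpt/<label> with noatime set."""
    entry = parse_mount(output).get("/var")
    if entry is None:
        return False
    device, opts = entry
    return device == f"/dev/gpt/{label}" and "ufs" in opts and "noatime" in opts


# Sample `mount` output, copied from the listing in this post.
SAMPLE_MOUNT = """\
/dev/gpt/rootfs on / (ufs, local, noatime, soft-updates)
devfs on /dev (devfs, local, multilabel)
/dev/gpt/gpvarfs on /var (ufs, local, noatime, soft-updates)
devfs on /var/unbound/dev (devfs, local, multilabel)
devfs on /var/dhcpd/dev (devfs, local, multilabel)
"""

if __name__ == "__main__":
    run_plan(plan_var_migration())  # dry run: prints the commands only
    print("/var on mSATA:", var_on_expected_device(SAMPLE_MOUNT))
```

Run it once in dry-run mode to read the commands, then again with `run_plan(plan, dry_run=False)` on the box; after the reboot, feed the real `mount` output to `var_on_expected_device` to confirm /var came back on the labelled partition.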

Configuration

The initial configuration I am going with is a WAN and two LAN ports for clients and servers respectively. The WAN port has my Fiber connection and the client/server ports have switches for port expansion.

The WAN port setup is a little different, in that I add a VLAN interface with the WAN port as its parent interface, VLAN 35 in my case, like I had done with my Cisco ASA years ago.

Protection

Protection comes from an Intrusion Prevention System (IPS) via Suricata and malware detection via ClamAV. Whether you like open source or not, this is a lot of value compared to what I had before this build.

Intrusion Prevention System (IPS)

I am having issues with a few of the services, most likely due to the fact that I am using a VLAN interface and the services are attempting to use the parent interface.

ClamAV

You have to install the ClamAV plugin before you can make use of it or any of its menus will show. This is done on the page System > Firmware > Plugins: find os-clamav and click +Install.

Navigate to the Services > ClamAV page to download the signatures before the ClamAV service can be started. The download can take several minutes to complete.

Virtual Private Networks

Site-to-Site VPNs tunnel traffic to an endpoint in a different country; for example, traffic exiting a VPN tunnel could do so in the USA. This is only one use for VPNs; another would be a tunnel to an AWS Virtual Private Cloud (VPC) network for development. The device can also be an OpenVPN client, saving your devices from having to establish a connection themselves; this could be a tunnel back to the office for VoIP and other service reachability.

IPv6

At one time I tried to create an IPv4-IPv6 tunnel using an old Cisco IOS router. I was successful in getting the tunnel to work, but most operating systems suffered from Happy Eyeballs and would use IPv6 endpoints regardless of speed, resulting in slow speeds for websites that were accessible over a faster IPv4 connection.

Tunnel setup was easy, and there are dynamic IP update options for the HE TunnelBroker service: just provide the Tunnel ID and credentials to keep the tunnel up after IP address changes.

Bonuses

Certificate Authority

The OPNsense software has a limited but, for home use, perfectly fine Certificate Authority (CA); you can find it under System > Trust > Authorities.

Reporting

If you have the storage or service, start Netflow monitoring. This will give you insights into the traffic that routes through the device. The simple web UI allows a quick overview of the traffic; for further analysis, export to an external service or server.

Traffic Insights for Clients Interface

Other / Future

A ThingM USB Blink device to alert on specific events, maybe.

The build was a fun project. I feel like my router is much more secure, performs better, and is much more stable.

PostgreSQL Remote Connections

The default value of listen_addresses is localhost, which allows only local connections to be made. While client authentication allows fine-grained control over who can access the server, listen_addresses controls which interfaces listen for connection attempts, which can help prevent repeated malicious connection requests on insecure network interfaces. This parameter can only be set at server start.

To enable remote access to PostgreSQL, you have to get the server listening on an interface with routing capability and add a trust entry to permit connections from specific hosts or networks. The first part is done in the file /var/lib/pgsql/data/postgresql.conf:

listen_addresses = '*'

This gets the server process listening on all interfaces. Alternatively, you could specify the IP addresses to listen on, if you want only specific interfaces to accept client connections.

listen_addresses = '192.0.2.100'

Next, add trust entries for the clients that need network access. This is done in the file /var/lib/pgsql/data/pg_hba.conf:

host    all             all         192.0.2.4/32            trust
host    all             all         192.0.2.2/32            trust

This will get you started with PostgreSQL.
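The two settings above decide how exposed the server is, so they are worth checking before opening a port. The script below is an added example written for this post (not PostgreSQL tooling): it parses pg_hba.conf rules and the listen_addresses setting and reports the risky combinations. The point it makes is that `trust` is the method that accepts a connection without asking for a password, so a `trust` line is only as safe as the address mask beside it; the audit flags `trust` for anything but loopback, the cleartext `password` method, and rules that match more than a handful of hosts. The sample input embeds the post's two pg_hba.conf lines; the other sample lines and the sample postgresql.conf text are constructed.

```python
"""Audit pg_hba.conf rules and listen_addresses for network exposure.

Added example for this post, not part of PostgreSQL.  The sample pg_hba.conf
contains the post's two host lines plus constructed ones.
"""
import ipaddress
import re

NO_AUTH_METHODS = {"trust"}        # connection accepted with no credential check
CLEARTEXT_METHODS = {"password"}   # password sent unencrypted unless TLS is forced
LOOPBACK = {ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("::1/128")}


def parse_pg_hba(text):
    """Return (lineno, type, database, user, address, method) for each rule.

    Handles the CIDR form (192.0.2.4/32) and the separate-netmask form
    (192.0.2.0 255.255.255.0); `local` rules have no address column.  Trailing
    auth options such as clientcert=1 are ignored.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            db, user, method, address = fields[1], fields[2], fields[3], None
        else:
            db, user, address = fields[1], fields[2], fields[3]
            # Netmask form: the fifth field is a dotted mask, not the method.
            if len(fields) > 5 and re.match(r"^\d+\.\d+\.\d+\.\d+$", fields[4]):
                address = f"{address}/{fields[4]}"
                method = fields[5]
            else:
                method = fields[4]
        rules.append((lineno, conn_type, db, user, address, method))
    return rules


def _network(address):
    """ip_network for CIDR/netmask addresses; None for keywords and hostnames."""
    try:
        return ipaddress.ip_network(address, strict=False)
    except ValueError:
        return None


def audit_pg_hba(text, max_hosts=256):
    """Return findings as (lineno, severity, message).

    high:   trust reachable from anything other than loopback
    medium: cleartext password method, or a rule matching more than
            max_hosts addresses (or the keyword all)
    """
    findings = []
    for lineno, conn_type, _db, _user, address, method in parse_pg_hba(text):
        if conn_type == "local":
            continue  # Unix-socket rules are not network exposure
        net = _network(address)
        if method in NO_AUTH_METHODS and net not in LOOPBACK:
            findings.append((lineno, "high",
                             f"trust rule for {address}: accepted without a password"))
        if method in CLEARTEXT_METHODS:
            findings.append((lineno, "medium",
                             f"cleartext password method for {address}"))
        if address == "all" or (net is not None and net.num_addresses > max_hosts):
            findings.append((lineno, "medium",
                             f"rule matches a wide address range: {address}"))
    return findings


def parse_listen_addresses(conf_text):
    """listen_addresses from postgresql.conf text; 'localhost' when unset."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^listen_addresses\s*=\s*(?:'([^']*)'|(\S+))", line)
        if m:
            return m.group(1) if m.group(1) is not None else m.group(2)
    return "localhost"


# Constructed sample; lines 3 and 4 are the post's own pg_hba.conf entries.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS               METHOD
local   all       all                         peer
host    all             all         192.0.2.4/32            trust
host    all             all         192.0.2.2/32            trust
host    all       all   127.0.0.1/32          trust
host    all       all   10.0.0.0 255.0.0.0    scram-sha-256
host    app       app   0.0.0.0/0             password
"""

SAMPLE_CONF = "#listen_addresses = 'localhost'\nlisten_addresses = '*'\nport = 5432\n"

if __name__ == "__main__":
    print("listen_addresses:", parse_listen_addresses(SAMPLE_CONF))
    for lineno, severity, message in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba.conf:{lineno} [{severity}] {message}")
```

With the post's two /32 entries the audit reports only that they are `trust` rules; narrowing the mask is what keeps them tolerable, and switching the method to scram-sha-256 makes the finding go away entirely.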

Oct 13th, 2018 • Filed under Databases, PostgreSQL

Django Bootstrap Extra Form Buttons

This is how I have been implementing extra buttons on my forms via Django Bootstrap.

# In the form module
from django import forms

class XUpdateForm(forms.ModelForm):
    ...  # Meta and declared fields as in the original model form

    def clean(self):
        cleaned_data = super().clean()

        # The pressed button's name/value pair arrives with the POST data rather
        # than as a declared form field, so copy it into cleaned_data.  .get()
        # avoids a KeyError when no button value was posted (e.g. Enter was
        # pressed), and the whitelist rejects values that do not correspond to
        # a rendered button.
        action = self.data.get('action')
        if action not in ('update', 'remove'):
            raise forms.ValidationError('Unknown action.')
        cleaned_data['action'] = action

        return cleaned_data

Now, in the view responsible for this form:

form = XUpdateForm(request.POST)

# Process valid forms only
if form.is_valid():
    action = form.cleaned_data['action']

    # Build the instance without saving, then set the fields that do not
    # come from the form before acting on it.
    obj = form.save(commit=False)
    obj.q_id = q_id
    obj.user_id = user_id
    # ... branch on action ('update' or 'remove') and save or delete obj

In the template that renders the form and buttons, we add name and value arguments to our bootstrap_button calls.

{% bootstrap_button "Update" name="action" value="update" button_type="submit" %}
{% bootstrap_button "Remove" name="action" value="remove" button_type="submit" %}

Happy coding!

Dec 9th, 2017 • Filed under Django, Python

Connect to Virtual Machine Console from XenServer Command Line

A simple shell script to help with connecting to a VM console from the command line.

#!/bin/sh
#
# vm-console.sh - attach to a VM's console from the XenServer host shell.
# Usage: ./vm-console.sh <vm-uuid>
#
set -u

if [ $# -ne 1 ]; then
        echo "usage: $0 <vm-uuid>" >&2
        exit 1
fi
VMUUID="$1"

DOMID=$(xe vm-list uuid="$VMUUID" params=dom-id --minimal)
HOSTUUID=$(xe vm-list uuid="$VMUUID" params=resident-on --minimal)
NAMELABEL=$(xe host-list uuid="$HOSTUUID" params=name-label --minimal)
XL=$(which xl)
MYHOSTNAME=$(hostname)

# xe prints nothing for an unknown UUID, and a halted VM reports dom-id -1.
if [ -z "$DOMID" ] || [ "$DOMID" = "-1" ]; then
        echo "VM $VMUUID not found or not running" >&2
        exit 1
fi

# '=' rather than '==': only the former is POSIX sh.
if [ "${MYHOSTNAME}-" = "${NAMELABEL}-" ]; then
        echo "locally resident"
        # Kill the VNC process holding this domain's console so xl can attach.
        ps aux | grep vnc | grep "/$DOMID/" | awk '{print $2}' | xargs kill >/dev/null 2>/dev/null
        echo "Connecting, use Ctrl-] to disconnect."
        "$XL" console "$DOMID"
else
        echo "resident on $NAMELABEL, domid=$DOMID"
fi

A session would look something like this.

[root@<host> ~]# ./vm-console.sh 2718f399-e4b5-cbcc-e924-c9464ccaf343
locally resident
Connecting, use Ctrl-] to disconnect.
login: timed out after 60 seconds

dev login:

The script can be found in the Downloads section.

Nov 7th, 2017 • Filed under XenServer