How to show and clear DHCP bindings on the LAN Huawei VRP (Versatile routing platform) CLI

This is a quick reference guide for clearing DHCP bindings on the Huawei VRP CLI.

1. display ip pool

The following command displays all the DHCP bindings. Depending on how DHCP is configured, you query either by interface or by pool name, because DHCP can be configured either on the interface or globally.

Cisco equivalent: “sh ip dhcp binding”

display ip pool interface vlanif21 used

display ip pool name testdhcp used

[Huawei]display ip pool ?
   interface     Information of interface pool
   name          Pool name
   vpn-instance  Show IP pool bind the VPN-instance
   |             Matching output

display ip pool interface vlanif21 used  
   Pool-name      : vlanif21
   Pool-No        : 0
   Lease          : 1 Days 0 Hours 0 Minutes
   Domain-name    : -
   DNS-server0    : 8.8.8.8         
   DNS-server1    : 8.8.8.4         
   NBNS-server0   : -               
   Netbios-type   : -               
   Position       : Interface       Status           : Unlocked
   Gateway-0      : 192.168.1.254   
   Mask           : 255.255.255.0
   VPN instance   : --
 
      Start           End     Total  Used  Idle(Expired)  Conflict  Disable
 
  192.168.1.1   192.168.1.254   253     1        252(0)         0        0
 
 Network section : 
 
 Index              IP               MAC      Lease   Status  
 
 252   192.168.1.253    5489-9877-235d      78724   Used

2. Reset ip pool

Cisco equivalent would be “clear ip dhcp binding”.

reset ip pool interface vlanif21 ?
   X.X.X.X   Start IP address
   all       All IP address
   conflict  Conflict IP address
   expired   Expired IP address
   used      Used IP address

or

By pool name

reset ip pool ?
   interface  Interface pool
   name       Pool name




Thank you for reading – please feel free to leave a comment

How to remove a user from 2FA Google authentication on Ubuntu 20.04

This is a quick reference guide on how to remove a user from Google 2FA authentication on Ubuntu 20.04

Simply remove the file .google_authenticator from the user's home directory

root@VPS:~# rm /home/vpsuser/.google_authenticator

Removing root from 2FA authentication is done as follows:

root@VPS:~# rm .google_authenticator

Thank you for reading and please feel free to leave any feedback.

How to configure 2FA authentication using Google authenticator on Ubuntu 20.04 CLI.

This is a quick reference guide on how to configure 2FA authentication using Google authenticator on Ubuntu 20.04.

WARNING: Please be extremely cautious when configuring this as you could potentially lock yourself out of your system if mis-configured.

In this guide I will create a separate user for 2FA authentication and leave root as password authentication only.

1. Create a new user

root@testssh:/etc/ssh# adduser authtest

2. Edit /etc/ssh/sshd_config

root@testssh:/etc/ssh# nano /etc/ssh/sshd_config

Change ChallengeResponseAuthentication to yes

3. Install Google Authenticator

root@testssh:/etc/ssh# apt-get update
root@testssh:/etc/ssh# apt-get install libpam-google-authenticator

4. Change to user and run Google Authenticator

IMPORTANT: Only run this command in the user account that you would like to authenticate using 2FA Authentication.

root@testssh:/etc/ssh# su authtest
authtest@testssh:/etc/ssh$ google-authenticator

Once you have run the google-authenticator command and answered some questions about your preferences, you will receive your token information to set up your token used to generate your OTP.

If you accidentally run this command in the wrong user account, you can revert it by deleting the file from that user's home directory with the following command.

rm /home/authtest/.google_authenticator

To remove from root

root@VPS:~# rm .google_authenticator

5. Change back to root and edit /etc/pam.d/common-auth

authtest@testssh:/etc/ssh$ exit
exit
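root@testssh:/etc/ssh# nano /etc/pam.d/common-auth

Add the following line to the bottom of the file. The nullok option lets accounts that have no .google_authenticator file, such as root in this guide, keep logging in without an OTP: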

auth required pam_google_authenticator.so nullok

6. Restart sshd

root@testssh:/etc/ssh# service sshd restart

7. Test Authentication

At this point I would open a duplicate putty window and test that root still has password authentication.

When you test the 2FA authentication, you will be prompted for your password and then for your OTP, which is generated using your Google Authenticator app.

Thank you for reading and please feel free to leave any feedback.

How to configure 2FA authentication using Google authenticator on Ubuntu 18.04 CLI.

This is a quick reference guide on how to configure 2FA authentication using Google authenticator on Ubuntu 18.04.

WARNING: Please be extremely cautious when configuring this as you could potentially lock yourself out of your system if mis-configured.

In this guide I will create a separate user for 2FA authentication and leave root as password authentication only.

1. Create a new user

root@testssh:/etc/ssh# adduser authtest

2. Edit /etc/ssh/sshd_config

root@testssh:/etc/ssh# nano /etc/ssh/sshd_config

Change ChallengeResponseAuthentication to yes

3. Install Google Authenticator

root@testssh:/etc/ssh# apt-get update
root@testssh:/etc/ssh# apt-get install libpam-google-authenticator

4. Change to user and run Google Authenticator

IMPORTANT: Only run this command in the user account that you would like to authenticate using 2FA Authentication.

root@testssh:/etc/ssh# su authtest
authtest@testssh:/etc/ssh$ google-authenticator

Once you have run the google-authenticator command and answered some questions about your preferences, you will receive your token information to set up your token used to generate your OTP.

If you accidentally run this command in the wrong user account, you can revert it by deleting the file from that user's home directory with the following command.

rm /home/authtest/.google_authenticator

To remove from root

root@VPS:~# rm .google_authenticator

5. Change back to root and edit /etc/pam.d/common-auth

authtest@testssh:/etc/ssh$ exit
exit
root@testssh:/etc/ssh# nano /etc/pam.d/common-auth

Add the following line to the bottom of the file:

auth required pam_google_authenticator.so nullok

6. Restart sshd

root@testssh:/etc/ssh# service sshd restart

7. Test Authentication

At this point I would open a duplicate putty window and test that root still has password authentication.

When you test the 2FA authentication, you will be prompted for your password and then for your OTP, which is generated using your Google Authenticator app.

Thank you for reading and please feel free to leave any feedback.

How to configure ssh key authentication for root Linux (Ubuntu | Debian | Centos) CLI.

This is a quick reference guide on how to configure ssh key authentication for root on Linux Based Operating Systems.

1. Generate a public and private key pair using puTTYgen

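Please see the examples of the public and private key below; you can use these to test. Generate your own pair for anything beyond a test, because a private key that has been published no longer authenticates only you.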

Public Key

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA0Xw9YhMethjXaHrTWK+Iys3g8Iiu6xCsQMD812s1KzYXeuVZFc1GFF5V48aTZdlv6UucQA4V0tQ0zOGJC3S8jBrtxzTFTTB8PZE10K/Xl60rwJOIS2FC/QqP37kk13RVVIliKwUSbafeq19tWd8yJ1SpIH44EjUZFpDcakukpO1R9QdPtaN9VJJMb1MrPTdLEYpSOtcrniZSlE9aB/CABFYFBcTsMNDz8BAEntpZEUM+KoaQ1GAPo4qYywrFr9sCdhAvhjwYpytSneWwcpPvb0DLVevJO7b0DaGPKOKD4EFxzHnkJVFOKtyvUyuchAhNn0dd85wtbA2vr5uyz/PT0Q== rsa-key-20190521

Private key

2. Paste the public key string into ~/.ssh/authorized_keys

root@VPS:~/.ssh# ls
authorized_keys
root@VPS:~/.ssh# nano authorized_keys

3. Configure passwordless SSH

root@VPS:~# cd /etc/ssh/
root@VPS:/etc/ssh# ls
moduli                  ssh_host_ed25519_key      ssh_import_id
ssh_config              ssh_host_ed25519_key.pub  sshd_config
ssh_host_ecdsa_key      ssh_host_rsa_key          sshd_config.ucf-dist
ssh_host_ecdsa_key.pub  ssh_host_rsa_key.pub
root@VPS:/etc/ssh# nano sshd_config
PasswordAuthentication no
PermitRootLogin without-password

4. Restart sshd

root@VPS:/etc/ssh# service sshd restart

5. Configure Putty

You will need to select the private key for authentication: select the private key file you generated using PuTTYgen. You can use the file TEST that I have inserted into this document to test. Please note that you need a key pair to authenticate: the public key on your server and the private key configured in PuTTY.

Once this is configured, connect normally using SSH and enter the username root.

You will get the following error if you do not have a private key configured in your PuTTY session.

Thank you for reading and please feel free to leave any feedback.
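
A structural check for step 2 above, as an added example that is not part of the original post: each authorized_keys entry must be a single line of type, base64 blob and optional comment, and the blob itself begins with the same algorithm name. The function names and the sample lines are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: structural check of authorized_keys lines (not the page's code).
# Limitation: lines that start with options (from="...", command="...") are
# reported as unknown-type.

# Algorithm name stored at the start of a base64 key blob: a 4-byte
# big-endian length followed by that many ASCII bytes.
blob_type() {  # usage: blob_type BASE64_BLOB ; prints the name, or fails
    hdr=$(printf '%s' "$1" | base64 -d 2>/dev/null | head -c 4 | od -An -tu1)
    set -- "$1" $hdr
    [ $# -eq 5 ] || return 1
    len=$(( $2 * 16777216 + $3 * 65536 + $4 * 256 + $5 ))
    [ "$len" -gt 0 ] && [ "$len" -le 64 ] || return 1
    name=$(printf '%s' "$1" | base64 -d 2>/dev/null | tail -c +5 | head -c "$len")
    [ "${#name}" -eq "$len" ] || return 1   # blob cut off inside the header
    printf '%s' "$name"
}

# Verdict for one line: ok | rfc4716-file | unknown-type | bad-blob | type-mismatch
check_key_line() {  # usage: check_key_line 'LINE'
    read -r ktype blob _comment <<EOF
$1
EOF
    case "$ktype" in
        ----*) echo rfc4716-file; return 0 ;;   # PuTTYgen "Save public key" format
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-*) ;;
        *) echo unknown-type; return 0 ;;
    esac
    inner=$(blob_type "$blob") || { echo bad-blob; return 0; }
    if [ "$inner" = "$ktype" ]; then echo ok; else echo type-mismatch; fi
}

# Print "LINE_NUMBER verdict" for every non-blank, non-comment line.
check_authorized_keys() {  # usage: check_authorized_keys FILE
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        case "$l" in ''|'#'*) continue ;; esac
        echo "$n $(check_key_line "$l")"
    done < "$1"
}

# Constructed sample (header-only blob, not a usable key): line 1 is the
# one-line OpenSSH form, lines 2-3 are what a pasted PuTTYgen file looks like.
demo() {
    f=$(mktemp)
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQ== constructed-sample' \
        '---- BEGIN SSH2 PUBLIC KEY ----' 'AAAAB3NzaC1yc2EAAAABJQ==' > "$f"
    check_authorized_keys "$f"
    rm -f "$f"
}
demo
```

Where OpenSSH is installed, ssh-keygen -l -f on the same file performs a full parse and prints a fingerprint for each valid key.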

How to configure 2FA authentication using Google authenticator on Centos 7 CLI.

This is a quick reference guide on how to configure 2FA authentication using Google authenticator on Centos 7.

WARNING: Please be extremely cautious when configuring this as you could potentially lock yourself out of your system if mis-configured.

In this guide I will create a separate user for 2FA authentication and leave root as password authentication only.

1. Create a new user

[root@vpscen ~]# adduser authtest
[root@vpscen ~]# passwd authtest
Changing password for user authtest.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

2. Edit /etc/ssh/sshd_config

[root@vpscen ~]# nano /etc/ssh/sshd_config

Change ChallengeResponseAuthentication to yes

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

3. Install Google Authenticator

[root@vpscen ~]# yum update
[root@vpscen ~]# yum install google-authenticator

4. Change to user and run Google Authenticator

IMPORTANT: Only run this command in the user account that you would like to authenticate using 2FA Authentication.

[root@vpscen ~]# su authtest
[authtest@vpscen root]$ google-authenticator

Once you have run the google-authenticator command and answered some questions about your preferences, you will receive your token information to set up your token used to generate your OTP.

If you accidentally run this command in the wrong user account, you can revert it by deleting the file from that user's home directory with the following command.

[root@vpscen ~]# rm /home/authtest/.google_authenticator

To remove from root

[root@vpscen ~]# rm .google_authenticator

5. Change back to root and edit /etc/pam.d/sshd

[authtest@vpscen ssh]$ exit
exit
[root@vpscen ssh]# nano /etc/pam.d/sshd

Add the following line to the bottom of the file:

auth required pam_google_authenticator.so nullok

6. Restart sshd

[root@vpscen ssh]# service sshd restart

7. Test Authentication

At this point I would open a duplicate putty window and test that root still has password authentication.

When you test the 2FA authentication, you will be prompted for your password and then for your OTP, which is generated using your Google Authenticator app.

Thank you for reading and please feel free to leave any feedback.

How to remove a user from 2FA Google authentication on Ubuntu 18.04

This is a quick reference guide on how to remove a user from Google 2FA authentication on Ubuntu 18.04

Simply remove the file .google_authenticator from the user's home directory

root@VPS:~# rm /home/vpsuser/.google_authenticator

Removing root from 2FA authentication is done as follows:

root@VPS:~# rm .google_authenticator

Thank you for reading and please feel free to leave any feedback.

How to configure 2FA authentication using Google authenticator on Debian 9 CLI.

This is a quick reference guide on how to configure 2FA authentication using Google authenticator on Debian 9.

WARNING: Please be extremely cautious when configuring this as you could potentially lock yourself out of your system if mis-configured.

In this guide I will create a separate user for 2FA authentication and leave root as password authentication only.

1. Create a new user

root@testssh:/etc/ssh# adduser authtest

2. Edit /etc/ssh/sshd_config

root@testssh:/etc/ssh# nano /etc/ssh/sshd_config

Change ChallengeResponseAuthentication to yes

3. Install Google Authenticator

root@testssh:/etc/ssh# apt-get update
root@testssh:/etc/ssh# apt-get install libpam-google-authenticator

4. Change to user and run Google Authenticator

IMPORTANT: Only run this command in the user account that you would like to authenticate using 2FA Authentication.

root@testssh:/etc/ssh# su authtest
authtest@testssh:/etc/ssh$ google-authenticator

Once you have run the google-authenticator command and answered some questions about your preferences, you will receive your token information to set up your token used to generate your OTP.

If you accidentally run this command in the wrong user account, you can revert it by deleting the file from that user's home directory with the following command.

rm /home/authtest/.google_authenticator

To remove from root

root@VPS:~# rm .google_authenticator

5. Change back to root and edit /etc/pam.d/common-auth

authtest@testssh:/etc/ssh$ exit
exit
root@testssh:/etc/ssh# nano /etc/pam.d/common-auth

Add the following line to the bottom of the file:

auth required pam_google_authenticator.so nullok

6. Restart sshd

root@testssh:/etc/ssh# service sshd restart

7. Test Authentication

At this point I would open a duplicate putty window and test that root still has password authentication.

When you test the 2FA authentication, you will be prompted for your password and then for your OTP, which is generated using your Google Authenticator app.

Thank you for reading and please feel free to leave any feedback.

Setting up 2FA using GoogleAuthenticator for SSH Access – Ubuntu

Easy 2FA for your server

Setting up 2FA is usually a long process; however, if you just want something for a server or two, here is a good way to get started.

Google Authenticator is free, so we can just use PAM via SSH to plug into it.

First update the apt repositories

sudo apt-get update

Install the Package using apt-get

sudo apt-get install libpam-google-authenticator

Edit the ssh daemon PAM file

We will add the .so file, which is a shared object file: essentially a compiled binary file, a bit like a Windows DLL.

nano /etc/pam.d/sshd

Add the following to the file

auth required pam_google_authenticator.so

Edit the sshd config file

This is the SSH config file for our virtual server. We need to allow ChallengeResponseAuthentication, which lets the server ask us for a code: we enter our password, then the server can request more, so it challenges the user.

nano /etc/ssh/sshd_config

Find the line:

ChallengeResponseAuthentication no

and change to

ChallengeResponseAuthentication yes

Uncomment if need be (e.g. if it's commented out, delete the #).

Restart the SSH server

Now that we have made changes, we need to restart the SSH daemon/service to ensure the new config is applied.

sudo service ssh restart

Generate an OTP (one-time password) account

Now we need to create the seed, which will essentially generate the same OTP on the server and on the client.

Login as the user and run:

google-authenticator

If you need to change user e.g. you are root then run

su SOMEUSER

This will change you to that user.

Now we can import the Google Authenticator account onto our device. It is a soft token, so it is all done in software: download the app from the Android marketplace or the Apple iOS store and click import. You can just scan the QR code you see on your screen, and you will see that the app keeps generating one-time passwords.

Enter Yes to all and note the scratch codes, or copy and paste the link.
Once the link has been copied and pasted into a browser it will show a QR code.
Scan this with your Google Authenticator app.
Or add it using the scratch codes (there's a PC-based app).

Login

Now that you have set up your OTP and app, the challenge response will kick in when you log in as that user: it will ask for your OTP once you have entered a valid username and password.

Enter your username
Your UNIX password
Your OTP from your app.

Done…

All done. This is a very simple way of securing access. Don’t lose your token. Ideally it’s only good for the odd few accounts on a server; the better way to do this would be using a 2FA solution, which we will cover next.
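
A configuration check for the setups described in the 2FA guides above (the nullok variants and this one without nullok), as an added example that is not part of the original posts: it reads the sshd_config keyword and the PAM line and reports, per home directory, whether the account needs an OTP, is password-only, or would be denied. The function names and the sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: who is actually asked for an OTP on this host?

# First value of an sshd_config keyword before any Match block
# (sshd keeps the first occurrence; keywords are case-insensitive).
sshd_value() {  # usage: sshd_value KEYWORD FILE
    awk -v k="$1" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# missing  = no active pam_google_authenticator.so auth line in the file
# nullok   = accounts without a secret file skip the OTP step
# enforced = accounts without a secret file fail authentication
pam_mode() {  # usage: pam_mode PAM_FILE
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_google_authenticator\.so' "$1" |
           head -n 1 | tr '\t' ' ')
    case " $line " in
        "  ")         echo missing ;;
        *" nullok "*) echo nullok ;;
        *)            echo enforced ;;
    esac
}

# State of one account, from the PAM mode and the presence of the
# .google_authenticator file that the google-authenticator command writes.
user_state() {  # usage: user_state PAM_MODE HOME_DIR
    if [ "$1" = missing ]; then echo password-only
    elif [ -f "$2/.google_authenticator" ]; then echo otp-required
    elif [ "$1" = nullok ]; then echo password-only
    else echo denied
    fi
}

audit_2fa() {  # usage: audit_2fa SSHD_CONFIG PAM_FILE HOME_DIR...
    cr=$(sshd_value ChallengeResponseAuthentication "$1")
    mode=$(pam_mode "$2")
    echo "ChallengeResponseAuthentication=${cr:-unset} pam=$mode"
    shift 2
    for home in "$@"; do
        [ -d "$home" ] || continue
        echo "$(basename "$home") $(user_state "$mode" "$home")"
    done
}

# Constructed sample tree (not from the page): authtest is enrolled,
# root is not, and the PAM line carries nullok as in the guides above.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home/authtest" "$d/root"
    printf 'ChallengeResponseAuthentication yes\n' > "$d/sshd_config"
    printf 'auth required pam_google_authenticator.so nullok\n' > "$d/pam"
    echo 'CONSTRUCTED-PLACEHOLDER' > "$d/home/authtest/.google_authenticator"
    audit_2fa "$d/sshd_config" "$d/pam" "$d/root" "$d/home/authtest"
    rm -rf "$d"
}
demo
```

On a real host, run audit_2fa /etc/ssh/sshd_config /etc/pam.d/sshd /root /home/* and substitute /etc/pam.d/common-auth where that is the file that was edited.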

How to configure remote Authentication using Freeradius and SQL on Ubuntu

This is a comprehensive guide on how to configure remote Authentication using Freeradius and SQL.

1. Install Prerequisites

sudo apt-get update
sudo apt-get install php5-common php5-gd php-pear php-db libapache2-mod-php5 php-mail mysql-server

You will also create the SQL Database in the process.

2. Install Freeradius packages

sudo apt-get update
sudo apt-get install freeradius freeradius-mysql freeradius-utils

3. Launch mysql

mysql -u root -p

4. Create database and grant access

create database radius;
grant all on radius.* to radius@localhost identified by "passwordinquotes";
quit;

5. Insert database schema & nas

Enter your MySQL root password when prompted

mysql -u root -p radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u root -p radius < /etc/freeradius/sql/mysql/nas.sql 

6. Check table structure

use radius;
show tables;

7. Create a test user

In this example the username is test and the password is test

insert into radcheck (Username, Attribute, op, Value) VALUES ('test', 'Cleartext-Password', ':=','test');

select * from radcheck;

8. Create a Test NAS Client

insert into nas (nasname,shortname,type,secret,description) VALUES ('127.0.0.1','localhost','other','test','test nas for localhost');

9. Configure Radius

9.1 Amend the radius config

This will change the radius database from the default (flat) to a MySQL database

nano /etc/freeradius/sql.conf
    database = mysql
    login = radius
    password = passwordwesetforradiusmysqluse

9.2 Uncomment the following (remove # symbol)

Removing the # means the line is read when the configuration is loaded.

nano /etc/freeradius/sql.conf
readclients = yes 
read_groups = yes 

readclients = yes << Read groups instead of having to add a fallthrough attribute for each user on the Radreply

read_groups = yes << Read groups instead of having to add a fallthrough attribute for each user on the Radreply

9.3 Uncomment sql (remove the # symbol) under the following headings:
Accounting, Session and Post-auth-type

nano /etc/freeradius/sites-enabled/default

9.4 Uncomment $INCLUDE sql.conf (remove the # symbol)
Comment out $INCLUDE clients.conf (disable this line by prefixing it with #)

 
nano /etc/freeradius/radiusd.conf

10. Test

Before testing, make sure you restart the service. You will also need to restart the service following any additions made to the database.

 
/etc/init.d/freeradius restart
radtest test test localhost 1812 test

11. A few more commands

 
 
STOP - /etc/init.d/freeradius stop
START - /etc/init.d/freeradius start
STATUS - /etc/init.d/freeradius status
RESTART - /etc/init.d/freeradius restart
RUN IN DEBUG MODE - freeradius -XXX

Create a user using an encrypted password for a FreeRadius User

First generate the SHA-1 hash string

echo -n PASSWORDYOUWANTSHA1SUMFOR | sha1sum | awk '{print $1}'

and then add it to Radius database

insert into radcheck (Username, Attribute, op, Value) VALUES ('username', 'SHA1-Password',':=','SHAPASSWORDGENERATEDABOVE');

How to Disable a FreeRadius user

INSERT INTO radcheck VALUES (null,'username','Auth-Type',':=','Reject'); 

Thank you for reading – please feel free to leave a comment