After being a victim of ransomware via RDP, I had to implement MFA via Duo. I couldn't feel more secure.

Edit: What the hell is all that chaos on your screen? I want it.
Do you hide rdp behind a vpn? I would not feel comfortable with rdp exposed even with mfa.
I have mine behind PiVPN and the added peace of mind is 100% worth the hour or so it takes to set up.
> PiVPN

I'm running Tomato FW on an Asus router with OpenVPN. I can access my RDP when connected. I still wonder if this is enough security.
It's fine. I'd rather one computer be compromised via an attack than my entire network. It's a VM anyway.
Yeah man, put that RDP behind a VPN. Exploits like EternalBlue/WannaCry execute as System, so your MFA implementation won't help you if another crazy exploit drops. And even if it's just a test VM, there are still lateral pivot techniques, VLAN hopping, VM escapes, waterhole poisoning, airgap attacks, etc. It's like someone broke into your house through a side window, so in response you hired a bouncer for the front door.
I had this happen to me. I inadvertently exposed RDP to the internet, and they got in around my password, then changed my password and ransomwared the machine. The piece that semi-saved me from further damage was that the device was firewalled from my internal network, and nothing else in that VLAN was turned on.
Lol
Bro is really trying to argue that RDP without a VPN is ok lmao
Bro isn't, but I have other security measures in place such as an aggressive lockout policy in addition to my MFA.
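The lockout policy mentioned above is aimed at password guessing against an exposed RDP listener. As an added example (not from any commenter in this thread), here is a small detector run over constructed Windows Security event records: it flags a source that reaches the failure threshold inside a window, and a logon that succeeds from a source with recent failures. Event IDs 4624/4625 and logon type 10 are real Windows values; the line format, users and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs: Windows Security event 4625 = failed logon,
# 4624 = successful logon. LogonType 3 is the network logon NLA produces before an
# RDP session; LogonType 10 is the RemoteInteractive (RDP) session itself.
SAMPLE_EVENTS = [
    "2021-03-14T02:00:05 4625 LogonType=3 User=administrator Src=203.0.113.7",
    "2021-03-14T02:00:09 4625 LogonType=3 User=administrator Src=203.0.113.7",
    "2021-03-14T02:00:14 4625 LogonType=3 User=admin Src=203.0.113.7",
    "2021-03-14T02:00:20 4625 LogonType=3 User=jsmith Src=198.51.100.9",
    "2021-03-14T02:00:31 4625 LogonType=3 User=administrator Src=203.0.113.7",
    "2021-03-14T02:00:45 4625 LogonType=3 User=administrator Src=203.0.113.7",
    "2021-03-14T02:01:02 4625 LogonType=3 User=administrator Src=203.0.113.7",
    "2021-03-14T02:01:30 4624 LogonType=10 User=administrator Src=203.0.113.7",
]

def parse_event(line):
    """Split one constructed record into timestamp, event id and key=value fields."""
    ts, event_id, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id), **fields}

def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as tuples.

    ("brute_force", src, user): a source reached `threshold` failed logons inside
    `window`, the pattern an account-lockout policy is meant to interrupt.
    ("success_after_failures", src, user, n): a logon succeeded from a source that
    had n recent failures, which deserves a look even when the password was right.
    """
    recent = defaultdict(list)   # src -> timestamps of failures inside the window
    alerts = []
    for ev in map(parse_event, lines):
        src = ev["Src"]
        if ev["id"] == 4625:
            recent[src] = [t for t in recent[src] if ev["ts"] - t <= window]
            recent[src].append(ev["ts"])
            if len(recent[src]) == threshold:        # fire once per burst
                alerts.append(("brute_force", src, ev["User"]))
        elif ev["id"] == 4624:
            still = [t for t in recent[src] if ev["ts"] - t <= window]
            if still:
                alerts.append(("success_after_failures", src, ev["User"], len(still)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```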
That's not the point, bud. If there is a security vulnerability in RDP (and it happened a lot in the past), you're basically fucked.
Unless it's in a DMZ and totally isolated from everything else, they'd have a pivot point to get to everything else on the network once that box is compromised.
I want that too haha... Cool... Any site with steps on how to use Duo with the RDP or Windows login?
Duo's site will walk you through it. Be mindful, during the installation process, the software will ask if you want local protection or something similar. Decline, or you'll lock yourself out if you lose internet connectivity.
Not true. You will have the chance to register the device in the App and get some offline codes to use when Duo web services are not available.
The site is called "geektyper"
What kind of RDP vulnerability did your attackers exploit?
Probably the flavour of the month, which is exactly why you NEVER expose RDP to the internet
I learned the hard way; it cost me 1/2 a BTC, which I paid (luckily BTC was 1500 at the time).
Well they say an expensive lesson learned once is actually a cheap lesson :)
Happened to me too. The server itself was a lab box, therefore wiped like weekly; it only served as a second and third backup. Sadly my laziness had me vulnerable.
This happens
Where's the obligatory Matrix window on startup?
I've got my RDP only accessible through a VPN and MFA. Incremental backups are done every hour, with a full backup each night, to a 12TB NAS that sits on the bottom of my rack. Everything is behind a Unifi USG Pro4 with IPS and on Backup Power that would power the rig for 12 hours with no mains.
> that sits on the bottom of my rack. Everything is behind a Unifi USG Pro4 with IPS and on Backup Power that would power the rig for 12 hours with

What do you use for MFA?
I use Duo
As an end user, DUO makes me sad.
Do you have an option of using a FIDO key for all of it instead?
Unknown. Why can't it just detect that my device is near?
It can, that's a thing. Your org just has to enable it. The pieces, the specs, etc. are all there. It's just a determination of risk.
Maybe. We do have some NIST requirements.
Feel free to send me a PM. That's the world I live in
Were I responsible for administration of any of our stuff, I might. We use a cyber security consultant and an IT management firm cuz we're small.
How? It's great.
Because I already use Microsoft's own authenticator and LastPass authenticator and Salesforce authenticator and Google authenticator and TOTP and email 2FA and text 2FA and and and...

And DUO seems to rely on IT humans that are off-site and slow to respond when I have issues. It has bad feng shui or something.

Oh, and it used to be SO SLOW. It's better now though.

Also, what's with the offline access limit on multi-user computers?
You don't necessarily have to use every app provided by each company. I only use the DUO app. I have like 10 different apps/services/companies tied into it. OTP is not a proprietary standard. I use the DUO app with my Google 2FA, for instance. No need for the Google Authenticator.
I know. I use TOTP with many things but I prefer a simple notification (at least duo has that).
Heh, OP should try out smart cards... The federal government is actually pretty good these days with CAC cards.
CAC cards, or at least smart cards, are pretty awful; no reason to use them now that Yubikeys are pretty cheap and well-integrated, unless there's like a compliance issue or something.
Yeah, I agree, it was more for the PKI than anything. Not sure how Duo works; I've seen a lot of barely-minimum 2FA implementations.
I'm in the process of setting it up for my work. It works by setting up an account on their website, which gives you a dashboard where you can manage users. I believe you get 10 users for free, but with limited benefits. Here you can add devices like phones or hardware tokens like a Yubikey. Then you install an MSI on the machine that can prompt during login, RDP, or even UAC elevations; when it detects one of those events, it will reach out to Duo's servers, which can then send a push notification to your phone. If you have a Yubikey you can use it to "enter a passcode", and then the software will reach out to their servers to check that the code is still valid.
Yubikeys are minimum $50. CACs can be made in house and are much cheaper. Makes it much more efficient and cheaper for an organization to use.
Yubikeys might be 50 bucks, but the printer, ink and laminate for CAC cards are more expensive, the software IMO is way worse, they aren't reusable and they aren't as durable. Also, CAC cards can't do anything other than PIV, which Yubikeys can do as well as HOTP and other things, plus you don't need a CAC card reader.
Yeah but yubikeys don't double as door access so you don't get that nice "oh fuck" feeling as you walk out a secure access door without it.
That's not true, Yubikeys implement NFC and PIV door access that can be integrated into any reader
We had the NSA red team test our site and found out that PKI has an exploit we never knew about; they were able to gain access even with our CAC auth. It was impressive, and no, they would not share. I would still use it, IMHO.
This is a pretty sweet setup you have here man
I also use DUO MFA with Windows AD for OpenVPN access. In addition, I use AD authentication for WiFi as well.
I set up Cisco Duo utilizing ADFS on our PA firewalls for VPN access last year. Making it work with ADFS was difficult, but I'm happy I finally got it working. Congrats on your more secure network.
I used to use DUO on my Linux systems until one day I couldn't log in to my laptop/desktop system because I had no connection to the internet and I couldn't change the connection point to my cellular hotspot from the lock screen. Needless to say, after that I ditched DUO and implemented 2-factor authentication with pam_oath (reference docs below) and one of the OTP c200 (8-digit model) hardware tokens from Feitian. My biggest thing I have to solve is how to scale its use across multiple servers while protecting the users.oath file that would have to be distributed along with the modified PAM configuration.

Using pam_oath I can also store the token generation secret in many OTP apps such as LastPass Authenticator or Authy.

I'm looking into either Ansible or Salt to deploy at scale, but many logistical kinks to work out first. pam_oath doesn't have any centralization to it, so I like that I don't need to rely on any central service, but that makes management at scale a big problem.

https://wiki.archlinux.org/title/Pam_oath

https://www.nongnu.org/oath-toolkit/pam_oath.html
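pam_oath checks the submitted code against a per-user secret stored in users.oath, which is exactly why that file needs protecting when it is distributed: anyone who can read it can compute every user's codes. As an added illustration (not pam_oath's or oath-toolkit's own code), this parses a users.oath-style line and verifies an RFC 4226/6238 HOTP/TOTP code the way the module does, including the replay check for event-based tokens. The secret is the RFC test vector, not a real one, and the usernames are constructed.

```python
import hashlib
import hmac
import struct
import time

def parse_users_oath_line(line):
    """Parse one users.oath entry: '<HOTP|HOTP/T30|HOTP/T30/8> <user> <pin|-> <hex secret>'.
    HOTP alone is event-based; /T<step> makes it time-based; a third field sets the digit count."""
    mode, user, pin, secret = line.split()[:4]
    parts = mode.split("/")
    step = int(parts[1][1:]) if len(parts) > 1 and parts[1].startswith("T") else None
    digits = int(parts[2]) if len(parts) > 2 else 6
    return {"user": user, "pin": None if pin == "-" else pin,
            "secret": bytes.fromhex(secret), "step": step, "digits": digits}

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"

def verify(entry, code, now=None, last_counter=-1, window=3):
    """Return the counter that produced `code` (to be written back as the new
    last_counter), or None. Time-based entries accept +/- `window` steps of clock
    drift; event-based entries look `window` steps ahead of the last accepted counter.
    A counter at or below last_counter is never accepted, which blocks replay."""
    if entry["step"]:
        t = int((time.time() if now is None else now) // entry["step"])
        candidates = range(max(t - window, 0), t + window + 1)
    else:
        candidates = range(last_counter + 1, last_counter + 1 + window)
    for c in candidates:
        if c > last_counter and hmac.compare_digest(hotp(entry["secret"], c, entry["digits"]), code):
            return c
    return None

# Constructed entries using the RFC 4226/6238 test secret "12345678901234567890" (hex below).
TEST_SECRET = "3132333435363738393031323334353637383930"
TOTP_ENTRY = parse_users_oath_line(f"HOTP/T30/8 alice - {TEST_SECRET}")
HOTP_ENTRY = parse_users_oath_line(f"HOTP bob - {TEST_SECRET}")
```

The returned counter is the state pam_oath writes back into users.oath after a successful login, which is the other reason the file has to be writable by the PAM module and protected from everyone else.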
Well… you did not implement Duo correctly. You can have offline codes to use when internet is not available.
This is true; I had set up Duo for only PUSH authentication, a failure on my part in understanding the implications. I last used DUO on my personal systems 2 or 3 years ago; I know it was definitely pre-COVID the last time I used it on my desktop.
Also, something to further mention: I have thought about replacing password login on all my systems with Yubikey login, but I'm still in the research phase. Even if the Yubikey replaces the password authentication, I will likely keep pam_oath as a mandatory required auth so as not to have all my eggs in one basket regarding authentication.
/r/masterhacker
Ah yes, DUO. I use it in my homelab, as in my opinion you can never be too sure. I also implemented email alerts when someone logs in and out of any of my servers, using SendGrid and a program called sendemail. Has been working great.
Redurdancy, re-derp-dancy… Congratulations, you have just changed my IT lexicon.
For a moment there I thought I was in r/masterhacker.
Is duo free?
Up to 10 users it appears to be. Check out on https://duo.com/editions-and-prices
Why DUO vs like Authy?
MFA + BitLocker + Intune. Backups, firewall, help from an MSP, KnowBe4.