That’s a heck of an ask, isn’t it? I’ve been a LastPass customer for a very, very long time.. I use it to share secrets with my family, I use it on my mobile device to log into apps. It’s a safe bet to say it’s a critical piece of how I operate, and they have never once let me down. That said, if they asked for money to continue using their service, I’d have to pay. If they had a security event where secrets were compromised or if they lost my data, I’d be in very, very bad shape.

In this article, I will talk about how to set up a WebDAV share that’s protected by HTTPS using Traefik, Let’s Encrypt, and a WebDAV container on your own server, and use it to sync your secrets with devices.

Before I begin, it’s important to understand that using WebDAV isn’t the only way to sync your secrets with Enpass. There are others:

• Dropbox
• Google Drive
• OneDrive (Personal/Business)
• iCloud
• Box
• Folder sync

Base Server Set Up

Get a VPS

First thing we need is a server that is public internet facing. The easiest way to do this is to use a service that provides virtual private servers. I like Vultr because of their price/performance/feature availability ratio. They are cheaper than DigitalOcean and AWS, as easy, if not easier to manage, and have the scale you need to put your data pretty much wherever you want. If you do use Vultr, please do me a favor and use this link to sign up. I’ll get a little kickback, but you’ll get $100 USD to use on the site in your first month.

The OS doesn’t really matter, as long as you can install docker on it. A very small VPS will suffice, and mine costs $3.50 USD/Month.

Harden the OS

I won’t go into very much depth with this subject, but here are a few general guidelines:

• Disable root login via SSH
• Require public key authentication for SSH sessions
• Enable multi factor authentication for your remote user
• Only install packages you need
• Ensure all updates are installed, and continue to do so on a regular basis

Set Up Docker, Traefik, and WebDAV

All code is on the GitHub repository I use to share all code for this site. You can find it here: https://github.com/jonhowe/Virtjunkie.com/tree/master/DitchLastPass

First and foremost, this will not be a tutorial on how to administer Docker, WebDAV, or especially Traefik, but I’ll give you the exact steps and code for setting this up yourself, and provide some links at the end you can use to learn more about these topics.

All of the following steps will be executed on your VPS, so please sure you are connected to it via SSH or a similar terminal window.

docker network create proxy

Create Traefik Configuration

First of all, let’s create the directory structure we’ll need for Traefik (line 1). We’ll also be creating a file that will be used for storing SSL certificates (line 2), and setting permissions on it (line 3).

mkdir -p $HOME/docker/traefik/data
touch $HOME/docker/traefik/data/acme.json
chmod 600 $HOME/docker/traefik/data/acme.json

Create Traefik Configuration

Create a new file in the traefik/data directory we just created called traefik.yml with the contents below.

Changes Required:

• Line 24: Modify your email address

#File Path
#$HOME/docker/traefik/data/traefik.yml

#http://www.virtjunkie.com/ditch-lastpass-for-enpass-webdav-https-traefik/
#https://github.com/jonhowe/Virtjunkie.com/tree/master/DitchLastPass

api:
  dashboard: false

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  http:
    acme:
      email: your.email@domain.com
      storage: acme.json
      httpChallenge:
        entryPoint: http

Define Traefik Container

Create a new file in the traefik/data directory called docker-compose.yml

Changes Required:

• Line 30: Modify to fit the hostname of your server
• Line 31: Add in credentials compatible with basic auth. You can use the output from the command below to achieve this.
  • echo $(htpasswd -nb [your user] [your pass]) | sed -e s/\$/\$\$/g
• Line 35: Modify to fit the hostname of your server

#File Path
#$HOME/docker/traefik/docker-compose.yml

#http://www.virtjunkie.com/ditch-lastpass-for-enpass-webdav-https-traefik/
#https://github.com/jonhowe/Virtjunkie.com/tree/master/DitchLastPass

version: '3'

services:
  traefik:
    image: traefik:v2.0
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./data/traefik.yml:/traefik.yml:ro
      - ./data/acme.json:/acme.json
      - ./data/logs/:/logs/
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`custom.hostname.com`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=traefikuser:htpasswd-encrypted-string"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`custom.hostname.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"

networks:
  proxy:

Start Traefik Container

cd $HOME/docker/traefik
docker-compose up -d

Create WebDAV Configuration

Before we begin, we need to create the directory structure for the WebDAV container. Use the following command to do so.

mkdir -p $HOME/docker/webdav/dav/

We’ll be using a container authored by bytemark for this project. It’s essentially just apache with the webdav module installed. As of today, the container is less than 100MB.

Define WebDAV Application Configuration

Changes Required:

• Line 15: Username used to authenticate to the WebDAV service.
• Line 16: Password you’ll use to authenticate to the WebDAV service. This is stored in plaintext in this example, but storing the variable in an external file is best practice.
• Line 17: Modify to fit the hostname of your server
• Line 27: Modify to fit the hostname of your server
• Line 31: Modify to fit the hostname of your server

#File path
#$HOME/docker/webdav/docker-compose.yml

#http://www.virtjunkie.com/ditch-lastpass-for-enpass-webdav-https-traefik/
#https://github.com/jonhowe/Virtjunkie.com/tree/master/DitchLastPass

version: '3'
services:
  webdav:
    image: bytemark/webdav
    container_name: webdav
    restart: unless-stopped
    environment:
      AUTH_TYPE: Basic
      USERNAME: your-username
      PASSWORD: secure-passsword
      SERVER_NAMES: your-dav.domain.com
    networks:
      - proxy
    security_opt:
      - no-new-privileges:true
    volumes:
      - ./dav:/var/lib/dav
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.webdav.entrypoints=http"
      - "traefik.http.routers.webdav.rule=Host(`your-dav.domain.com`)"
      - "traefik.http.middlewares.webdav-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.webdav.middlewares=webdav-https-redirect"
      - "traefik.http.routers.webdav-secure.entrypoints=https"
      - "traefik.http.routers.webdav-secure.rule=Host(`your-dav.domain.com`)"
      - "traefik.http.routers.webdav-secure.tls=true"
      - "traefik.http.routers.webdav-secure.tls.certresolver=http"
      - "traefik.http.routers.webdav-secure.service=webdav"
      - "traefik.http.services.webdav.loadbalancer.server.port=80"
      - "traefik.docker.network=proxy"
networks:
  proxy:
    external: true

Start the WebDAV Container

Run the following command to bring up the webdav container

cd $HOME/docker/webdav
docker-compose up -d

Bringing it all together

Summary

At this point you should have two containers running on your VPS. Traefik is acting as a reverse proxy for the WebDAV container, and is providing SSL encryption to it. The SSL certificate is provided by Let’s Encrypt.

Final Directory Structure

user@webdav-server:~/docker$ tree
.
├── traefik
│   ├── data
│   │   ├── acme.json
│   │   └── traefik.yml
│   └── docker-compose.yml
└── webdav
    ├── dav
    │   ├── data
    │   │   └── Enpass
    │   │       └── vault.enpassdbsync
    │   ├── DavLock
    │   ├── DavLock.dir
    │   └── DavLock.pag
    └── docker-compose.yml

6 directories, 8 files

Migrate to Enpass Using WebDAV

Now that we’ve got a functional and secure WebDAV instance, we just need to migrate to it. These steps are pretty easy, but I want to include them to be comprehensive.

Export Secrets From Lastpass

To make our transition from Lastpass as seamless as possible, we’ll export our secrets so we can import them into Enpass. The easiest way to do this is from the Lastpass Vault.

Step 1 – Open Your Vault

Step 2 – Export Secrets

1. Select “More Options”
2. Select “Advanced”
3. Select “Export”
4. If prompted, enter your Master Password, and note where the CSV export file name and path.

Import Secrets To Enpass

Pretty easy stuff here, just open enpass, and kick off the import.

Import Steps:

1. Open Enpass
2. Select Menu
3. Select File
4. Select Import
5. When prompted to “Select from where you want to import your data into Enpass”, select Lastpass
6. Navigate to the directory you exported the CSV to
7. Select continue to finish the import

Connect EnPass To WebDav Share

At this point you’ve got a functioning WebDAV service protected by SSL, as well as a local instance of Enpass that has your lastpass secrets. We just need to connect EnPass to your Webdav instance to allow us to sync to it. Once you have EnPass Installed, follow the steps below to connect it to your WebDAV Service.

Connection Steps:

1. Open Enpass
2. Select Settings
3. Select Vaults
4. Select the Vault you’d like to sync
5. Enter the URL of your server, and ensure to include the https:// prefix
6. Enter the username and password created in Section 2.2.1
7. Ensure that the checkbox for “Bypass SSL Certificate Validation” is unchecked. We want to validate the SSL certificate since we are using Let’s Encrypt.

Risks

There are some things that LastPass does for us that we don’t get with this solution. In particular, we are somewhat exposed to brute force attempts to the webdav service. Also, LastPass has a number of email notifications that go out when things happen in your vault. We are really only notified when a new client joins the vault in Enpass.

Trafeik Resources

https://medium.com/@containeroo/traefik-2-0-docker-a-simple-step-by-step-guide-e0be0c17cfa5
https://containo.us/blog/traefik-2-0-docker-101-fc2893944b9d/

The post Set Up Enpass With HTTPS Protected WebDAV and Ditch LastPass appeared first on VirtJunkie.

It’s pretty simple, you just have a few parts to the command string.  The first command argument tells ssh to forward a local port (LP) to a remote machine Remote) on a remote port (RP).  The second part is something you’re probably familiar with, the destination that you’re connecting to (Destination).

An example with the abbreviations above would be:

ssh -L LP:Remote:RP Destination

Say for example, you ran the command “ssh -L 1234:myInternalServer.com:80 myExternalServer”.  In order to access port 80 on myInternalServer.com you’d open up your web browser and point it to It’s as easy as that!

The post SSH Local Port Forwarding Made Easy appeared first on VirtJunkie.

Your best course of action in doing this is to download a bootable linux cd. The one that I tested this with is a worthwhile download even if you’re just reading this for fun.

There are x steps involved with removing grub passwords:

1. Boot Backtrack Live Cd
2. Log in, and navigate to the “/mnt” directory
3. Then go to the partition that corresponds to your hard drive (if you only have one hard drive it’s likely “hda1“, or “/mnt/hda1“
4. Within that directory, navigate to “boot/grub”, and open “menu.lst” in a text editor
5. Comment out all lines that start with “password“
6. Restart Computer, and enjoy a password-less grub bootloader.

Feel free to leave your mind in the comments and I’ll get back to you as soon as I can.

Jon

The post HowTo Restore Grub Boot Password In Ubuntu Dapper appeared first on VirtJunkie.

It’s located here.

Later,
Jon Howe

The post Scan a File with Multiple AV Scanners at once Online appeared first on VirtJunkie.

The other day I decided to take a look at my server logs, which is something that I should have been doing all along. I found out that more than one host has been brute force / dictionary scanning my ssh server. I decided that even though my passwords are strong, that I really didn’t want people to have the ability to do that. Fortunately for me there are some tools out there that work great for this very purpose. The one that I chose is called DenyHosts.

Basically how denyhosts works is it scans your security log (there are several options as to what distro type) for different strings, and if more than X number of failed access attempts occur the attacking host is added to your hosts.deny file.

Now, this functionality is found in a number of programs. The great thing about denyhosts is that (optionally) every hour your list is synchronized with a server so that you’re protection is increased greatly.

I used this tutorial to install it on my computer. The only change that I would make to it is to use denyhosts 2.4 instead of 2.0, which can be found at the denyHosts site.

I got started on security and I didn’t want to stop quite yet. I also set up a portscan detector that blocks hosts that portscan you with iptables. It’s called portsentry, and can be installed with apt using:
apt-get install portsentry.

I set up both of these utilities to email me immediately when an event occurs.

One note that I should add is that when I set up denyhosts for the first time it parsed through my existing security log and found that my current address had more than the threshold of incorrect passwords, so it blocked me from making a ssh connection to my server. To fix this just make sure that you check through your security log and make sure that you have less than the maximum amount of denied login attempts before you terminate the ssh connection.

As always, if you have any questions email me at howe -dot- jon -at- gmail -dot- com.

Later,
Jon Howe

The post Protecting Your Server From SSH Bruteforce Attacks and Portscans appeared first on VirtJunkie.

The network is not easily accessed directly though. The easiest way to utilize tor as a functional service for your network is to use something called Privoxy. Privoxy acts as a middleman between tor and the computers on your network.

We’ll talk more about the configuration of these later, but first we need to install them.

I’m going to assume, as usual, that you’re Debian as your distribution.

Note: I had some problems getting tor to install properly with apt. In order to fix this I needed to add the following lines to my /etc/apt/sources.list file:
testing

deb http://ftp.egr.msu.edu/debian/ testing main non-free contrib

deb-src http://ftp.egr.msu.edu/debian testing main non-free contrib

I also added the following lines to my /etc/apt/prefrences file to make it so that apt doesn’t try to get packages from the testing branch all of the time:

Package: *
Pin: release a=testing
Pin-Priority: 999

Stay tuned for a tutorial on how to use the previous process, which is called apt pinning.

Next we install Privoxy and Tor using the following command:
apt-get -t testing tor privoxy

Now add the following line to your /etc/privoxy/config:
forward-socks4a / localhost:9050 .

If you’re installing this on your own computer then you can leave this as it is. Otherwise change the listen-address from 127.0.0.1 to the ip address that the interface that goes to the network uses. This line reads: listen-address 192.168.3.2:8118 in my config file.

Now just start the daemons:
/etc/init.d/tor start
/etc/init.d/privoxy start

All that’s left is configuring your applications to use the proxy. Every app has different methods of using a proxy, and some don’t even have a way to access a proxy. If you’re trying to run something like firefox anonymously, then just go to connection settings and change the Http Proxy and the Https Proxy to the IP address and the port that privoxy is running on. If you want to use something like Aol Instant Messenger you can use tor directly by going into the settings and changing the Socks 4 proxy to the IP address that tor is running on and the port number 9050.

After doing this all connections will be running through the anonymous tor network. If you have any questions feel free to leave me a comment, and I will answer.

Later,
Jon Howe

The post How to Use the Tor Network for Application Anonymity appeared first on VirtJunkie.