As someone with administrator responsibilities on several AWS accounts, I have MFA (multi-factor authentication) enabled for lots of AWS identities – IAM users and root users. I use a virtual MFA device – i.e., a mobile phone running Google Authenticator. The QR codes that AWS displays when activating MFA have some irritating properties…
Way back in 2003, I bought a ThinkPad T30. Yesterday, July 10 2017, I turned it off for probably the last time.
If you use AWS, you probably have a root user and one or more administrator users. If you are following best practice you have secured all logins with MFA, and you rarely if ever use the root user. Instead, you log in as one of the administrator users. The problem with that is that as long as you are logged in, you can do anything – including make disastrous mistakes. Wouldn’t it be nice to have all the power of an administrator at your fingertips, but only when you actually need it?
The online world has become too dangerous for us to keep protecting ourselves with no more than a username and a password. Especially when most of us choose stupidly simple passwords. Even if you choose a good one – upper and lower case, special characters, letters and numbers – you now need such a long one that no human can remember it. Tools like LastPass are great, but only if you also use ridiculously long passwords. Pretty much the best protection you can give yourself is a simple thing called two factor authentication. It’s simple, it’s free, and it’s very effective.
The matter of data centre security was raised recently on a network mailing list I subscribe to. Someone was wondering if data centres checked incoming equipment for “bad stuff” – explosives and what-not.
The reaction from some was “don’t talk about that, we don’t want to give people ideas”. What a muddle-headed response!
The situation: You have a computer with no wifi, and you have an access point. No wifi, so no Internet. Sad face. But if you have a MikroTik router with a wifi interface and a couple of Ethernet interfaces, you can set up a private Ethernet network and connect your computer to wifi through the MikroTik.
ssh is just about the most secure way you can provide access to a system. But even ssh is subject to attacks. You can reduce the likelihood of a breach even further with a few fairly simple steps. The specifics below are for Ubuntu 16.04, but the principles are the same for any modern Unix.
After using my electric toothbrush I always rinse the whole detachable head, dry the bristles, remove the head and tap out any water. Yesterday when I tapped out the water (from the open end that sockets onto the handle) a tiny black speck appeared on the white porcelain of the basin. Hm, I thought.
Recently a client decided to set up an AWS Hardware VPN to their site. The simplest way to research this seemed to be to set up a test VPN to my own router – a MikroTik 951G-2HnD running RouterOS 6.30.2. Here’s how I did it.