chrooted sftp only 
useradd -s /bin/false -m SFTPUSER
mkdir /home/SFTPUSER/.ssh
ssh-keygen -t rsa -b 2048 -N '' -f /home/SFTPUSER/.ssh/id_rsa
chown -R SFTPUSER:SFTPUSER /home/SFTPUSER/.ssh
chmod 600 /home/SFTPUSER/.ssh/id_rsa

/etc/ssh/sshd_config:
Subsystem       sftp    internal-sftp

Match user SFTPUSER
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
ChrootDirectory /chroot
chown root:root /chroot
mkdir /chroot/SFTPUSERDIR
chown SFTPUSER:SFTPUSER /chroot/SFTPUSERDIR

echo "put FILENAME" | \
sftp -oIdentityFile=/home/SFTPUSER/.ssh/id_rsa \
-oTCPKeepAlive=no -oServerAliveInterval=15 \
SFTPUSER@localhost:SFTPUSERDIR


[ view entry ] ( 2260 views )   |  print article
secure rsync to only one directory 
I want to rsync to a remote host to a given directory.

local-host:
ssh-keygen -t rsa
keyfilename: ~/.ssh/rsync
ssh-copy-id -i .ssh/rsync rsyncuser@remote-host

rsync files with ssh:
rsync -vaHxr --delete \
-e "ssh -i ~/.ssh/rsync -c arcfour -o Compression=no -x" \
LOCALDIR rsyncuser@remote-host:

remote-host

/home/rsyncuser/.ssh/authorized_keys:
from="192.168.0.2,",command="/home/rsyncuser/validate-rsync.sh",
no-pty,no-agent-forwarding,no-port-forwarding
ssh-dss 012345678...
limit access with from (optional).
On sucessfully ssh login command is executed.
Read More...

[ view entry ] ( 2265 views )   |  print article
block ssh brute force attacs / prevent synflooding 
With iptables module recent you can limit the count of tcp connection attempts. In my case i allow only 3 ssh connection attempts per minute. This stops script kiddies doing ssh brute force attacs.
iptables -N synflood
iptables -A synflood -p tcp --dport ssh -m recent --set --name SSH
iptables -A synflood -p tcp --dport ssh -m recent --update \
--seconds 60 --hitcount 4 --name SSH -j DROP

iptables -A INPUT -p tcp -m state --state NEW -j synflood
iptables -A FORWARD -i $OUT -p tcp -m state --state NEW -j synflood


[ view entry ] ( 646 views )   |  print article
Wildcard certificate with virtual hosts and one IP 
apache
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:443>
ServerName one.domain.at

SSLEngine on
SSLCertificateFile /etc/ssl/certs/domain.at.pem
SSLCertificateKeyFile /etc/ssl/private/domain.at.key

CustomLog /var/log/apache2/one.access.log combined
ErrorLog /var/log/apache2/one.errors.log
.
.
.
</VirtualHost>

<VirtualHost *:443>
ServerName two.domain.at

SSLEngine on
SSLCertificateFile /etc/ssl/certs/domain.at.pem
SSLCertificateKeyFile /etc/ssl/private/domain.at.key

CustomLog /var/log/apache2/two.access.log combined
ErrorLog /var/log/apache2/two.errors.log
.
.
.
</VirtualHost>
lighttpd
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
ssl.use-sslv2 = "disable"
ssl.pemfile = "/etc/lighttpd/ssl/domain.at.pem"
ssl.ca-file = "/etc/lighttpd/ssl/cacert.pem"
$HTTP["host"] == "one.domain.at" {
server.name = "one.domain.at"
server.errorlog = "/var/log/lighttpd/one_error.log"
accesslog.filename = "/var/log/lighttpd/one_access.log"
server.document-root = "/var/www/one"
}

$HTTP["host"] == "two.domain.at" {
server.name = "two.domain.at"
server.errorlog = "/var/log/lighttpd/two_error.log"
accesslog.filename = "/var/log/lighttpd/two_access.log"
server.document-root = "/var/www/two"
}
}


[ view entry ] ( 662 views )   |  print article
fast sftp 
sftp -o Ciphers=blowfish-cbc USER@HOST

[ view entry ] ( 581 views )   |  print article

<<First <Back | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | Next> Last>>