peterh - Linux - Blog - ssd optimizations

secure rsync to only one directory

Thursday, July 2, 2009, 12:03 - Network, Security
Posted by Administrator

I want to rsync to a remote host to a given directory.

local-host:

ssh-keygen -t rsa

keyfilename: ~/.ssh/rsync
ssh-copy-id -i .ssh/rsync rsyncuser@remote-host

rsync files with ssh:

rsync -vaHxr --delete \
      -e "ssh -i ~/.ssh/rsync -c arcfour -o Compression=no -x" \
      LOCALDIR rsyncuser@remote-host:

remote-host

/home/rsyncuser/.ssh/authorized_keys:

from="192.168.0.2,",command="/home/rsyncuser/validate-rsync.sh",
 no-pty,no-agent-forwarding,no-port-forwarding
 ssh-dss 012345678...

limit access with from (optional).
On sucessfully ssh login command is executed.
Read More...

[ view entry ] ( 2489 views ) | print article

block ssh brute force attacs / prevent synflooding

Tuesday, October 28, 2008, 09:49 - Network, Security
Posted by Administrator

With iptables module recent you can limit the count of tcp connection attempts. In my case i allow only 3 ssh connection attempts per minute. This stops script kiddies doing ssh brute force attacs.

iptables -N synflood
iptables -A synflood -p tcp --dport ssh -m recent --set --name SSH
iptables -A synflood -p tcp --dport ssh -m recent --update \
                     --seconds 60 --hitcount 4 --name SSH -j DROP

iptables -A INPUT -p tcp -m state --state NEW -j synflood
iptables -A FORWARD -i $OUT -p tcp -m state --state NEW -j synflood

[ view entry ] ( 810 views ) | print article

Wildcard certificate with virtual hosts and one IP

Wednesday, October 15, 2008, 15:47 - Web, Security
Posted by Administrator

apache

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName one.domain.at

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.at.pem
    SSLCertificateKeyFile /etc/ssl/private/domain.at.key

    CustomLog /var/log/apache2/one.access.log combined
    ErrorLog  /var/log/apache2/one.errors.log
.
.
.
</VirtualHost>

<VirtualHost *:443>
    ServerName two.domain.at

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.at.pem
    SSLCertificateKeyFile /etc/ssl/private/domain.at.key

    CustomLog /var/log/apache2/two.access.log combined
    ErrorLog  /var/log/apache2/two.errors.log
.
.
.
</VirtualHost>

lighttpd

$SERVER["socket"] == "0.0.0.0:443" {
  ssl.engine = "enable"
  ssl.use-sslv2 = "disable"
  ssl.pemfile = "/etc/lighttpd/ssl/domain.at.pem"
  ssl.ca-file = "/etc/lighttpd/ssl/cacert.pem"
  $HTTP["host"] == "one.domain.at" {
    server.name = "one.domain.at"
    server.errorlog  = "/var/log/lighttpd/one_error.log"
    accesslog.filename = "/var/log/lighttpd/one_access.log"
    server.document-root = "/var/www/one"
  }

  $HTTP["host"] == "two.domain.at" {
    server.name = "two.domain.at"
    server.errorlog = "/var/log/lighttpd/two_error.log"
    accesslog.filename = "/var/log/lighttpd/two_access.log"
    server.document-root = "/var/www/two"
  }
}

[ view entry ] ( 873 views ) | print article

fast sftp

Friday, September 5, 2008, 12:15 - Network, Security
Posted by Administrator

sftp -o Ciphers=blowfish-cbc USER@HOST

[ view entry ] ( 761 views ) | print article

apparmor create a new profile

Wednesday, May 28, 2008, 16:41 - Security
Posted by Administrator

aa-genprof can not connect to internet, therefore i do it manually

/etc/apparmor.d/usr.bin.program:

#include <tunables/global>
/usr/sbin/program flags=(complain) {
  #include <abstractions/base>
}

start program and use it

aa-logprof -f /var/log/syslog -m "STARTSCAN-TIMESTAMP FROM SYSLOG"

Answer the questions and save it.

if no audit logs occur remove "flags=(complain)"

reload a rule: apparmor_parser -r usr.bin.program

[ view entry ] ( 775 views ) | print article

<<First <Back | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | Next> Last>>