apache:
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName one.domain.at
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.at.pem
    SSLCertificateKeyFile /etc/ssl/private/domain.at.key
    CustomLog /var/log/apache2/one.access.log combined
    ErrorLog /var/log/apache2/one.errors.log
    ...
</VirtualHost>
<VirtualHost *:443>
    ServerName two.domain.at
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/domain.at.pem
    SSLCertificateKeyFile /etc/ssl/private/domain.at.key
    CustomLog /var/log/apache2/two.access.log combined
    ErrorLog /var/log/apache2/two.errors.log
    ...
</VirtualHost>

lighttpd:
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.pemfile = "/etc/lighttpd/ssl/domain.at.pem"
    ssl.ca-file = "/etc/lighttpd/ssl/cacert.pem"
    $HTTP["host"] == "one.domain.at" {
        server.name = "one.domain.at"
        server.errorlog = "/var/log/lighttpd/one_error.log"
        accesslog.filename = "/var/log/lighttpd/one_access.log"
        server.document-root = "/var/www/one"
    }
    $HTTP["host"] == "two.domain.at" {
        server.name = "two.domain.at"
        server.errorlog = "/var/log/lighttpd/two_error.log"
        accesslog.filename = "/var/log/lighttpd/two_access.log"
        server.document-root = "/var/www/two"
    }
}
sftp -o Ciphers=blowfish-cbc USER@HOST
aa-genprof cannot connect to the internet, therefore I do it manually.

/etc/apparmor.d/usr.bin.program:
#include <tunables/global>
/usr/sbin/program flags=(complain) {
    #include <abstractions/base>
}

Start the program and use it, then run:
aa-logprof -f /var/log/syslog -m "STARTSCAN-TIMESTAMP FROM SYSLOG"
Answer the questions and save the profile.
If no audit logs occur any more, remove "flags=(complain)".
Reload a profile: apparmor_parser -r usr.bin.program
I want to rsync to my local host via ssh from a remote host without an ssh-enabled root account, but with full access to the whole filesystem.

local-host:
ssh-keygen -t rsa
copy ~/.ssh/id_dsa.pub to remote-host:/home/rsyncuser/.ssh/authorized_keys

rsync files with ssh:
rsync -vaHxr --numeric-ids --delete --rsync-path=rsync_wrapper.sh \
    -e "ssh -c arcfour -o Compression=no -x" \
    rsyncuser@remote-host:REMOTEDIR LOCALDIR

remote-host (source of files to rsync):
groupadd -g 3001 rsyncuser
useradd -u 3001 -g rsyncuser -s /bin/bash -m rsyncuser

/home/rsyncuser/.ssh/authorized_keys:
from="192.168.0.2,",command="/home/rsyncuser/validate-rsync.sh" ssh-dss 012345678...
Limit access with from (optional). On successful ssh login the command is executed.

/home/rsyncuser/validate-rsync.sh:
#!/bin/sh
# Only allow the rsync server side to run; reject anything that looks like shell syntax.
case "$SSH_ORIGINAL_COMMAND" in
    *\&*)
        echo "Rejected"
        ;;
    *\;*)
        echo "Rejected"
        ;;
    *\(*)
        echo "Rejected"
        ;;
    *\{*)
        echo "Rejected"
        ;;
    *\<*)
        echo "Rejected"
        ;;
    *\`*)
        echo "Rejected"
        ;;
    rsync\ --server*)
        $SSH_ORIGINAL_COMMAND
        ;;
    *)
        echo "Rejected"
        ;;
esac

/usr/bin/rsync_wrapper.sh:
#!/bin/sh
# Run rsync as root; sudoers restricts rsyncuser to exactly this binary.
/usr/bin/sudo /usr/bin/rsync "$@"

/etc/sudoers:
rsyncuser ALL = NOPASSWD: /usr/bin/rsync
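As an added example that is not part of the original post, here is a stricter variant of validate-rsync.sh. It keeps the same allowlist idea but also rejects '|', '>' and '$', only accepts rsync's server in sender mode (so the account can hand out files but never write anything through the sudo wrapper), and accepts the wrapper name as the first word, because --rsync-path=rsync_wrapper.sh on the client makes the request start with rsync_wrapper.sh rather than rsync. The function names validate_rsync_cmd and rsync_args are my own.

```shell
#!/bin/sh
# Added example, not the original post's script: a stricter variant of
# validate-rsync.sh. Differences: the metacharacter list also covers
# '|', '>' and '$'; only the rsync server in sender mode is accepted,
# so the account can hand out files but never receive them through
# the sudo wrapper; and the first word may be the wrapper name, since
# "--rsync-path=rsync_wrapper.sh" on the client makes the request
# start with rsync_wrapper.sh. Function names are my own.

validate_rsync_cmd() {
    case "$1" in
        # Shell metacharacters: rejected outright.
        *\&*|*\;*|*\(*|*\{*|*\<*|*\>*|*\|*|*\`*|*\$*)
            echo "Rejected"; return 1 ;;
        # Read-only rsync server invocation, direct or via the wrapper.
        "rsync --server --sender "*|"rsync_wrapper.sh --server --sender "*)
            return 0 ;;
        *)
            echo "Rejected"; return 1 ;;
    esac
}

# Everything after the first word: the arguments handed to rsync.
rsync_args() {
    printf '%s\n' "${1#* }"
}

# Forced-command entry point; sshd sets SSH_ORIGINAL_COMMAND.
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    validate_rsync_cmd "$SSH_ORIGINAL_COMMAND" || exit 1
    set -f   # no globbing while the request is word-split
    # Wrapper path taken from the post; no eval, so nothing is re-parsed.
    exec /usr/bin/rsync_wrapper.sh $(rsync_args "$SSH_ORIGINAL_COMMAND")
fi
```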
dnssec-keygen -a RSAMD5 -b 1024 -n HOST -k -r /dev/urandom home.domain.org
Put the content of XXX.key into your zone file.
Move xxx.key and xxx.private to your client with sftp.

/etc/ppp/ip-up.d/ip_update:
#!/bin/sh
TTL=60
SERVER='NAMESERVER'
ZONE='DOMAIN'
HOSTNAME='HOSTNAME.DOMAIN'
KEYFILE='PATH/KEYFILENAME without endings (.key)'
# Nothing to do unless pppd handed us a local address.
[ -n "$PPP_LOCAL" ] || exit 0
logger "ip_update: Updating dynamic IP $PPP_LOCAL on $SERVER"
# Replace the A record; the heredoc terminator must stand on its own line.
RESULT=$(nsupdate -v -k "$KEYFILE" 2>&1 << EOF
server $SERVER
zone $ZONE
update delete $HOSTNAME A
update add $HOSTNAME $TTL A $PPP_LOCAL
send
EOF
)
RC=$?
[ $RC != 0 ] && \
    logger "ip_update $PPP_LOCAL on $SERVER failed ($RC/$RESULT)"
exit $RC

Manually updating a zone file with BIND 9.3:
rndc freeze zone
edit the zone
rndc unfreeze zone
References:
secure-ddns-howto
running-a-secure-ddns-service-with-bind