OpenSSH Server Security tips

Jul 30 2011


Small tips for securing a server's SSH login.

1. Disable Password Login

Edit /etc/ssh/sshd_config and set the following:

PasswordAuthentication no

Now you can only log in via SSH keys.
Generate your local key pair with ssh-keygen -t rsa,
then append your id_rsa.pub to the authorized_keys file of the user account on the server,
e.g. /root/.ssh/authorized_keys
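An added check for this step (example code, not from the original post): sshd honours the first occurrence of a directive it meets, and values inside a Match block only apply to matching sessions, so a PasswordAuthentication no appended at the end of the file can be silently overridden by an earlier yes. The helper below reads the effective value the way sshd does; the sample config it builds is constructed for the demonstration.

```shell
# Added example (not from the original post): report the value sshd will
# actually use for a directive. First occurrence wins; anything after the
# first "Match" line is conditional and is ignored here.
effective_directive() {
    # $1 = config file, $2 = directive name (case-insensitive)
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        # strip comments and skip blank lines
        { sub(/#.*/, ""); if ($0 ~ /^[[:space:]]*$/) next }
        # stop at the first Match block: later lines are conditional
        tolower($1) == "match" { exit }
        tolower($1) == want   { print $2; exit }
    ' "$1"
}

password_auth_disabled() {
    # returns 0 when the effective value is "no", 1 otherwise
    # (an absent directive means sshd's default of "yes")
    [ "$(effective_directive "$1" PasswordAuthentication)" = "no" ]
}

# Constructed sample config for the demonstration (not a real server's file)
make_sample_config() {
    cat > "$1" <<'EOF'
# Hardened sshd_config
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
}

# Usage: check_sshd_config /etc/ssh/sshd_config
check_sshd_config() {
    if password_auth_disabled "$1"; then
        echo "OK: password logins disabled in $1"
    else
        echo "WARN: password logins still allowed in $1 (first value wins)"
        return 1
    fi
}
```

On a running server, sshd -T (as root) prints the same effective values straight from the daemon.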

2. Random Passwords

Set all user passwords to long pseudo-random strings.
e.g. I set all users on all servers with different passwords looking like this:
Z4Q7H6pI53Xtsbgs8qKC
20 random alphanumeric characters (a-z, A-Z, 0-9)

See here for more passwords: https://www.grc.com/passwords.htm
You can test a password against the brute-force search-space calculator at https://www.grc.com/haystack.htm
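A way to generate such passwords locally (added example, not from the original post): tr -dc discards every byte from /dev/urandom that is outside the post's a-z, A-Z, 0-9 alphabet, so each kept character is uniform over the 62 symbols with no modulo bias; the entropy helper reports log2(62^len) bits.

```shell
# Added example (not from the original post): 20-character alphanumeric
# passwords from /dev/urandom, plus a validator and an entropy estimate.
PW_ALPHABET='A-Za-z0-9'

gen_password() {
    # $1 = length (default 20, as in the post)
    LC_ALL=C tr -dc "$PW_ALPHABET" < /dev/urandom | head -c "${1:-20}"
    echo
}

is_valid_password() {
    # $1 = candidate, $2 = required length; checks charset and length only
    printf '%s' "$1" | LC_ALL=C grep -Eq "^[$PW_ALPHABET]{$2}\$"
}

entropy_bits() {
    # $1 = length, $2 = alphabet size; prints log2(size^length), rounded down
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%d\n", int(n * log(k) / log(2)) }'
}
```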

3. Login alerts by email

Every time a user logs in to the system, you should get an email alert.
For that I put login_alert.sh in place and appended it to the end of /etc/profile.

At the end of the file /etc/profile add this line:

Then create the file /etc/login_alert.sh:

So you will get an email like this every time someone logs in to the server.
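The author's login_alert.sh is not on the page; the following is an added example of such a script (not the author's own), meant to be sourced from the end of /etc/profile. It assumes the mail command from mailx/bsd-mailx is installed and that ALERT_TO is set to your address; the recipient below is a placeholder.

```shell
# Added example (not the author's login_alert.sh): mail a short report
# (who, from where, on which tty, when) for every interactive login shell.
ALERT_TO="${ALERT_TO:-admin@example.invalid}"   # placeholder recipient

build_alert_message() {
    # $1 = user, $2 = host, $3 = source ip, $4 = tty, $5 = timestamp
    printf 'User:   %s\nHost:   %s\nFrom:   %s\nTTY:    %s\nTime:   %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

login_source_ip() {
    # SSH_CONNECTION is "client_ip client_port server_ip server_port";
    # fall back to "console" for local (non-SSH) logins
    if [ -n "$SSH_CONNECTION" ]; then
        printf '%s' "${SSH_CONNECTION%% *}"
    else
        printf 'console'
    fi
}

send_login_alert() {
    user=$(id -un)
    host=$(hostname)
    src=$(login_source_ip)
    tty_name=$(tty 2>/dev/null || echo 'none')
    stamp=$(date '+%Y-%m-%d %H:%M:%S %Z')
    build_alert_message "$user" "$host" "$src" "$tty_name" "$stamp" \
        | mail -s "Login alert: $user@$host from $src" "$ALERT_TO"
}

# Only alert for interactive shells; non-interactive reads of /etc/profile
# (e.g. scripts) are skipped
case "$-" in
    *i*) send_login_alert ;;
esac
```

Because /etc/profile is only read by login shells, scp, sftp and "ssh host command" sessions will not trigger it, and the script runs with the logging-in user's own privileges, so treat it as an alert rather than a tamper-proof audit trail; a PAM hook (pam_exec) covers those session types as well.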

4. System Updates

Always keep updated. I run “aptitude full-upgrade” every day on all Debian machines.
The same goes for Mac and Windows.

Jan 25 2009


Have you edited or tweaked your pipelining settings in Firefox?

You can do it by typing about:config in the Firefox URL bar.

Most blogs and tutorials will tell you to set high values to improve the speed.

Many people will go crazy and make values even higher such as:

network.http.pipelining.maxrequests 32
network.http.max-persistent-connections-per-proxy 128
network.http.max-persistent-connections-per-server 128
network.http.max-connections-per-server 256

These settings are very high and will create at least 32 connections to your server.

If you have many images and SSI includes, it could overload your Apache web server.
If you use Apache 2.2 with the worker MPM it will create one thread for each connection, so you will have 32 new threads spawned within just a few seconds.

Of course, if you have a quad-core server with lots of RAM you need not bother reading this.
But for most cheap VPSes and single-core servers, it can really help.

So how do you do it? Simple: use the iptables connlimit module.

You may need to adjust the order, i.e. whether to insert or append the rule, like:

# to append to the end of the INPUT chain:
iptables -A INPUT …
or
# to insert at position 10 of the INPUT chain:
iptables -I INPUT 10 …

I have tested this scheme and it works very well with Firefox pipelining freaks.

The server will then only accept up to 8 simultaneous connections per IP.

To test the established connections you can use netstat on the server:

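The connlimit rule and the netstat check, as an added example (the post's own rule and netstat command are not on the page): the rule caps a source IP at 8 simultaneous TCP connections to port 80, and the helper counts ESTABLISHED connections per client from netstat -tn output so the cap can be verified from the server. The netstat sample is constructed for the demonstration.

```shell
# Added example (not the post's own rule): 8 connections per source IP to
# port 80, plus a per-client connection counter over "netstat -tn" output.
LIMIT=8
PORT=80

add_connlimit_rule() {
    # Insert at the top of INPUT so it runs before any ACCEPT rule.
    # --syn limits only new connections; a RST is friendlier to browsers
    # than silently dropping the packet.
    iptables -I INPUT 1 -p tcp --syn --dport "$PORT" \
        -m connlimit --connlimit-above "$LIMIT" --connlimit-mask 32 \
        -j REJECT --reject-with tcp-reset
}

count_established() {
    # Reads "netstat -tn" lines on stdin; prints "count ip" per client,
    # busiest first, for ESTABLISHED connections to the local PORT.
    awk -v port="$PORT" '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            lp = $4; sub(/.*:/, "", lp)          # local port
            ip = $5; sub(/:[0-9]+$/, "", ip)     # client address
            if (lp == port) n[ip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

over_limit() {
    # Prints only clients above LIMIT (empty output = the cap is holding)
    count_established | awk -v lim="$LIMIT" '$1 > lim'
}

# Constructed "netstat -tn" sample for the demonstration (not real traffic)
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.1:80             203.0.113.5:51001       ESTABLISHED
tcp        0      0 10.0.0.1:80             203.0.113.5:51002       ESTABLISHED
tcp        0      0 10.0.0.1:80             203.0.113.5:51003       ESTABLISHED
tcp        0      0 10.0.0.1:22             203.0.113.5:51004       ESTABLISHED
tcp        0      0 10.0.0.1:80             198.51.100.7:40000      TIME_WAIT
tcp        0      0 10.0.0.1:80             198.51.100.7:40001      ESTABLISHED
EOF
}
```

On a live server run netstat -tn | count_established; clients behind a shared NAT or proxy all appear as one address, which is the case the update below addresses by raising LIMIT.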
Any comments, suggestions are welcome …

Update:

This can be bad for legitimate users behind a proxy or firewall, because the IP will be the same for all users behind that proxy/firewall.

In that case, increase the limit value.

ruby-mysql now Ruby 1.9 compatible

Mar 07 2008


Tommy has just released a new mysql-ruby package.

Actually 2 of them:

mysql-ruby-2.7.5 and mysql-ruby-2.8pre2

They are Ruby 1.9 compatible.

Requirements

* MySQL 5.0.51a
* Ruby 1.8.6, 1.9.0

Here is the link: http://tmtm.org/en/mysql/ruby/

Great job!

Dec 17 2007


Encrypt folders in Mac OSX with encfs

OSX already includes the FileVault functionality, which allows you to encrypt your whole Home folder.
Though the storage overhead is small, the first encryption pass takes a very, very long time.
If you have videos and other big files, it takes even longer.

What if I don’t want to encrypt my big folders like Movies, Music, Pictures, Pdfs?

I only want to encrypt my Documents folder.
Be aware that VMware stores its virtual machine files under this folder; you should move them outside Documents.

WARNING:

Be careful with this tutorial.
Write down your password somewhere and BACKUP your data before going any further with these steps.

If you forget your password, say goodbye to your data.

THERE IS NO WAY TO GET YOUR DATA BACK!!!

TOOLS required:


# update your ports to get the latest encfs that runs ok on OSX10.5
$ sudo port selfupdate

# install encfs
$ sudo port install encfs

or Download macfuse and encfs from google:

http://code.google.com/p/macfuse/

and

http://code.google.com/p/encfs/

Let's move the Documents folder contents to another folder:


$ cd
$ mkdir temp_documents
$ mv Documents/* temp_documents/

Create the directory to hold the encrypted files; it can have any name.

Run this only once, the first time, to set up the folder:

$ mkdir .documents

Setup the encryption

$ encfs ~/.documents/ ~/Documents/

You will see this:

Once you pass this step, the file system will also be mounted.

encfs uses FUSE, so it behaves just like a mount point.

To unmount it, do:


$ umount ~/Documents

To mount it again, issue this command:

$ encfs ~/.documents/ ~/Documents/
# or this way, which shows a nicer volume name and a folder icon on the Desktop:
$ encfs ~/.documents/ ~/Documents/ -- -o fsname=Documents -o volname=Documents -o local

To check the mounted filesystems:


$ mount

You should be able to see:


encfs@fuse2 on /Users/fred/Documents (fusefs, nodev, nosuid, synchronous, mounted by fred)

or this if you used the longer command.

Documents on /Users/fred/Documents (fusefs, local, nodev, nosuid, synchronous, mounted by fred)

Now, with the encrypted folder “mounted”, copy the data from the temp folder into the new encrypted folder and remove the temp copy:

WARNING: be careful here


$ cp temp_documents/* Documents/
$ rm -rf temp_documents/

That’s it, folks.

Final overview:


# to create the encrypted folder:
$ encfs ~/.documents/ ~/Documents/
# to mount it (enable):
$ encfs ~/.documents/ ~/Documents/
# or:
$ encfs ~/.documents/ ~/Documents/ -- -o fsname=Documents -o volname=Documents -o local
# to unmount it (disable):
$ umount ~/Documents
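An added safety wrapper around the commands above (example code, not from the original post): the copy step is the dangerous one, because if the encfs mount failed (wrong password, FUSE not loaded) a plain cp would write your files into the unencrypted ~/Documents directory on disk. The wrapper checks the mount output for the fusefs entry shown above before importing anything, and copies dotfiles too, which cp temp_documents/* skips.

```shell
# Added example (not from the original post): refuse to import data unless
# ~/Documents really is an encfs mount point.
ENC_DIR="$HOME/.documents"
MNT_DIR="$HOME/Documents"

is_mounted_in() {
    # $1 = output of "mount", $2 = mount point; matches both forms shown
    # in the post ("encfs@fuse2 on ..." and "Documents on ..." with fsname)
    printf '%s\n' "$1" | grep -q " on $2 (fusefs"
}

encdocs_mount() {
    encfs "$ENC_DIR/" "$MNT_DIR/" -- -o fsname=Documents -o volname=Documents -o local
}

encdocs_umount() {
    umount "$MNT_DIR"
}

encdocs_import() {
    # $1 = source dir; copies everything, including dotfiles, only when mounted
    if ! is_mounted_in "$(mount)" "$MNT_DIR"; then
        echo "refusing: $MNT_DIR is not an encfs mount" >&2
        return 1
    fi
    cp -Rp "$1/." "$MNT_DIR/"
}
```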

Don’t change anything inside .documents.
Remember that the leading dot means the folder is hidden:
you won’t see it in Finder.

This should also work on Linux.
