New Blog Software and OS

Posted by JD 08/31/2011 at 20:00

Since this is a technology blog, I figure some of you may be interested in a major change that happened out of necessity here today.

This is the very first blog article on our new physical server, running in a completely different virtual machine. For the next week, everything here is a test.

Due to some sort of outage issue earlier today, I was forced to upgrade everything involved with this blog. I had attempted to perform this upgrade previously and failed. As you can see, this time, there was success. Nobody was shocked more than I.

Easy Technique for Secure, Easy to Type Passwords - Size Matters

Posted by JD 08/30/2011 at 05:00

Updated 10/2015 – just the minimal length suggestion, not the speed or GPU costs.

The ladies have always known that size matters. We need to apply that knowledge to passwords. Password security experts know that

  1. a longer password is better
  2. a password with as many different types of characters as possible is important – call it a large alphabet
  3. a password that cannot be found through a dictionary attack is important
  4. a password that hasn’t been cracked before is important

These rules seem to conflict with the most important things from a user’s perspective. A user wants:

  1. a memorable password
  2. an easy to type / enter password

So what’s the solution? A long, but easy to type and easy to remember, password. Below is how to meet all 6 of these requirements easily.

Finding Large Files On a Linux/UNIX

Posted by JD 08/29/2011 at 05:00

If you are like me, you are always running low on disk storage. After all, a hard drive that isn’t nearly full isn’t living up to its full potential. About every month, I need to find the largest files and clean them up – taking me back to 75% full on the “temporary storage” HDD.

Here’s a little script to make finding the largest files on your system easy. I call it hogs.sh.

$ find /home -type f -size +2G -exec ls -lh {} \; | cut -d" " -f5,8 | sort -t" " | tee ~/hogs.txt

May I suggest:

  • Drop these commands into a bash/sh file
  • Call this from the root crontab weekly, perhaps 3am Mondays
  • Redirect the output into a file for later viewing as needed
  • Overwrite the file with every run

The script isn’t perfect. The sorting fails but does group files nicely. It also takes a while to complete, so running it at 3am is nice. Tweak the directory and files-larger-than parameters for your location.
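As an added example (not the post’s own hogs.sh), here is the same find-based idea with the output sorted correctly by size, largest first, and with file names containing spaces left intact. It assumes POSIX find, du, sort and awk; the sizes come from du -k (allocated kilobytes), so a sparse file shows smaller than ls -l would report it.

```shell
#!/bin/sh
# Added example, not the post's own hogs.sh: find-based large-file report that
# sorts correctly by size (largest first) and survives spaces in file names.
# Assumes POSIX find, du, sort and awk. Sizes are du -k allocated kilobytes.

# Usage: hogs DIR MIN_SIZE   (MIN_SIZE in find(1) notation: 2G, 100M, 1024k ...)
# Output: "<kilobytes><TAB><path>", largest first.
hogs() {
    find "$1" -type f -size "+$2" -exec du -k {} + | sort -rn
}

# Same list rendered human-readable, for the report file written from cron.
hogs_report() {
    hogs "$1" "$2" | awk 'BEGIN { FS = "\t" } {
        kb = $1; u = "K"
        if (kb >= 1048576) { kb /= 1048576; u = "G" } else if (kb >= 1024) { kb /= 1024; u = "M" }
        printf "%7.1f%s  %s\n", kb, u, $2 }'
}

# Constructed demo tree (random data, not real user files) so this runs offline;
# on a real host the root crontab entry would run: hogs_report /home 2G > ~/hogs.txt
demo=$(mktemp -d)
for spec in "small.bin 512" "video clip.mkv 3072" "backup.tar 5120" "photo.jpg 1536"; do
    name=${spec% *}; kb=${spec##* }
    dd if=/dev/urandom of="$demo/$name" bs=1024 count="$kb" 2>/dev/null
done
hogs_report "$demo" 1024k
```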

Git DVCS Server Setup and Use in a Team

Posted by JD 08/26/2011 at 05:00

It seems that all the software developers are using git DVCS these days. I haven’t done serious software development in many years, so I’ve been using RCS all this time for my system admin scripting needs. With my new development work, I need to upgrade my toolset to a DVCS (Distributed Version Control System). There are many reasons to do this even if you don’t want to publish all your code on the internet. Below I’ll show how to set up an internal git server that can be shared inside a company or just between friends on the internet.

I’ll assume:

  • Your git server will be on a Linux/Unix system someplace where all the developers will have ssh connection access.
  • You have git installed on the server and the clients already.

Those server connections may allow full shell access or be limited to support just git. Regardless, setting up ssh-keys – Ssh Config Setup – is a good idea between the client(s) and the server computers.

Keep reading to learn about Git setup.

Perlbrew for Self-Contained Perl Installations

Posted by JD 08/24/2011 at 05:00

For years scripting languages like perl and add-ons like perl modules were supposed to be installed as part of the OS. This worked when the server administrator was the primary programmer on the system who could control all that stuff. In these days of role-based administration, the users and the administrators are hardly ever the same person. Administrators have different needs for systems than users or programmers and often those needs conflict.

How do we solve this problem for Perl scripts? Perlbrew.

Securing ssh Connections and Blocking Failures

Posted by JD 08/23/2011 at 05:00

Updated 10/2019

Use ed25519 keys, if you can:

ssh-keygen -t ed25519
ssh-copy-id -i ~/.ssh/id_ed25519.pub userid@remote

Updated 10/2015

If you have an ssh server running on your network that is accessible to the outside world, on the internet, chances are your systems are being attacked. If you aren’t aware of this, just take a look at your ssh logs in /var/log/auth.log.

$ egrep -i Failed /var/log/auth.log*

We can do better from a security standpoint. Regardless, ssh definitely still rocks and should be used daily, constantly. Before I moved ssh to a higher, non-standard port and installed Fail2Ban, I was seeing over 1,000 ssh attempts daily in the log files. What’s the saying … ignorance is bliss? Not when it comes to systems security.

This article is for Linux/UNIX users, but the ideas should apply to any OS running an ssh daemon.

Ssh Setup For Higher Security

The order below is based on how easy each item is to accomplish or set up. None of these configuration changes are hard. All of them can be accomplished in under 5 minutes if you know what you’re doing, or 15 minutes if you need to read up a little.

  • Listen on a non-standard port
  • Use ssh-key-based connections
  • No remote root logins with a password – PermitRootLogin without-password
  • Allow only key-based logins from non-LAN IPs (basically any remote ssh connection cannot use a password)
  • Lock account after X failed attempts – Fail2Ban
  • Automatically block IPs with login failures – Fail2Ban
  • Monitor hack attempts – Fail2Ban
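As an added example (not from the original post), here is a small shell audit that checks an sshd_config file against the first four items above: default port, password logins allowed from anywhere, key-based logins disabled, and root password logins. It assumes POSIX sh plus awk; the directive names are the real sshd_config directives, and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config file against the
# hardening list above. Prints one line per finding and returns the finding count.
# Assumes POSIX sh plus awk; the directive names are real sshd_config directives.

# Global value of a directive: sshd takes the first occurrence, and anything after a
# "Match" line is conditional (e.g. LAN-only password logins), so stop there.
sshd_global() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

audit_sshd_config() {
    cfg=$1; findings=0
    port=$(sshd_global "$cfg" Port); [ -n "$port" ] || port=22              # sshd default
    if [ "$port" = 22 ]; then
        echo "Port 22: listening on the default port"; findings=$((findings + 1))
    fi
    pa=$(sshd_global "$cfg" PasswordAuthentication); [ -n "$pa" ] || pa=yes   # sshd default
    if [ "$pa" = yes ]; then
        echo "PasswordAuthentication yes: passwords accepted from any address"
        findings=$((findings + 1))
    fi
    pk=$(sshd_global "$cfg" PubkeyAuthentication); [ -n "$pk" ] || pk=yes     # sshd default
    if [ "$pk" = no ]; then
        echo "PubkeyAuthentication no: key-based logins disabled"; findings=$((findings + 1))
    fi
    # The default for PermitRootLogin changed between OpenSSH releases, so an unset
    # directive is reported too; without-password/prohibit-password are the safe values.
    prl=$(sshd_global "$cfg" PermitRootLogin)
    case "$prl" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin '${prl:-unset}': set it to no or prohibit-password"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample configs (not copied from a real server) so the audit runs offline.
weak_cfg=$(mktemp); hardened_cfg=$(mktemp)
printf '%s\n' 'Port 22' 'PasswordAuthentication yes' 'PermitRootLogin yes' > "$weak_cfg"
printf '%s\n' 'Port 2222' 'PasswordAuthentication no' 'PermitRootLogin without-password' \
    'PubkeyAuthentication yes' 'Match Address 192.168.1.0/24' \
    '    PasswordAuthentication yes' > "$hardened_cfg"

audit_sshd_config "$weak_cfg" || echo "$? finding(s) in the weak config"
audit_sshd_config "$hardened_cfg" && echo "hardened config: no findings"
```

The hardened sample keeps password logins for the LAN only via the Match Address block, which is the “key-based logins from non-LAN IPs” item above; Fail2Ban handles the remaining three items outside sshd_config.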

Readers Ask About ... VPNs

Posted by JD 08/21/2011 at 06:00

Below is the 6th of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)

Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization |
Part 3 – Virtualizing Media Storage | Part 4 – Hosting Email |
Part 5 – Reverse Proxies

duijf asks:

Q6: It seems desirable to be able to VPN in to my network at any time, if I decide to set up said service, does any device in my internal network need to connect before it is discoverable?

Sorry, but I don’t understand the question entirely. Discoverable? That confuses me. This isn’t a game console. Your VPN client and server will need to know about each other explicitly. Not to worry, that isn’t very difficult to set up. There are just a few details.

Googlebot Random HTTP-GET Requests

Posted by JD 08/19/2011 at 21:00

I was going through the blog server logs today looking for odd, unexpected requests. I attended a Linux Security Meeting last evening that has me thinking … I see all the normal phpMyAdmin / dbadmin requests and other hack attempts for tools that we don’t use here. All the index.php requests are worthless / harmless. In the 404 list were lots of random strings requested at the top level of the blog. To me, these strings look like passwords from some password management tool. Hmmm.

Readers Ask About ... Reverse Proxy Servers

Posted by JD 08/18/2011 at 06:00

Below is the 5th of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)

Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization |
Part 3 – Virtualizing Media Storage | Part 4 – Hosting Email

duijf asks:

Q5: Do I need a reverse proxy if I ? I’ve read about proxy servers on TheFu’s blog that filter internal traffic (if you read this, in the end I liked the idea a lot more than at first). Is this even the same thing? If this is to happen, is it correct that I’d need two NICs and bridge the connection from the router to the internal network? If so, can I get rid of the router? We do use it for telephone access too.

Readers Ask About ... Hosting Email

Posted by JD 08/16/2011 at 05:00

Below is the 4th of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)

Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization | Part 3 – Virtualizing Media Storage

duijf asks:

Q4: Maybe I’ll host the email for my own domain, what do I have to know? (ISPs, configuration, internal mail)