Some random notes, to keep track of tips/tricks for myself and to share.
Sun 10 Feb 2019
I used to have a quite elaborate setup to protect my ssh server from brute-force attacks. All iptables based, with increasingly long drops depending on the time passed and the number of ssh connection attempts. However, last week my rpi server was the target of quite a large and distributed brute-force attempt. Nothing to worry about, but it annoyed me ;-) I ended up with huge failed-login logs (check your lastb output) of over 25k attempts per day ..
After initially trying to find a solution with geoip (too complex, required adding tcp wrappers around ssh etc., did not want to go there) and changing the outside ssh listening port (too simple and easily rediscovered), I decided to implement a 'knock before entering' setup. Brilliantly simple, hard to discover and easy to extend to a more complex setup when required.
Old: the ssh ratelimiting I used before (relevant part of the iptables-restore script):

```
# ratelimit accept ssh
-N SSHBF
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -m recent --name sshbf --set -j SSHBF
-A SSHBF -m recent --name sshbf --rcheck --hitcount 4 --seconds 300 -j DROP
-A SSHBF -m recent --name sshbf --rcheck --hitcount 6 --seconds 7200 -j DROP
-A SSHBF -m recent --name sshbf --rcheck --hitcount 12 --seconds 345600 -j DROP
-A SSHBF -m recent --name sshbf --rcheck -j LOG --log-prefix "NFssh: " --log-level info
-A SSHBF -m recent --name sshbf --rcheck -j ACCEPT
```
New: I set up an ssh port knock. Replace your-knock-port in the lines below with your preferred knock port, e.g. any port between 1025 and 65535.

```
# ssh knock knock
-A INPUT -p tcp --dport <add your-knock-port here> --syn -m recent --name knock --set -j DROP
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -m recent --name knock --rcheck --seconds 30 -m limit --limit 6/hour --limit-burst 1 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
```
The above lines drop all ssh traffic from IPs that try to reach my ssh server without knocking first: knock before you enter ;-) As an extra, any traffic coming through is still ratelimited, but in a simpler setup with just one rule, the -m limit on the ACCEPT line. Be aware that -m limit is a single token bucket shared by all sources, not a per-source limit: with --limit 6/hour --limit-burst 1 one new ssh connection is accepted right away and then one more every ten minutes, for everybody combined; any further SYN to port 22 falls through to the final DROP even after a valid knock. If you want the limit per source address, use -m recent with --hitcount (as in the old setup) or -m hashlimit --hashlimit-mode srcip instead.
Daily use is pretty simple. Use telnet, ssh, anything capable of sending a TCP SYN to the knock port, then connect to your ssh port as usual.
telnet <your-host> <your-knock-port>
Stop this session with Ctrl-C (the knock SYN is dropped, so nothing will ever answer); you have just knocked on the door, and ssh will be open to your IP for 30 seconds. Follow up with:
ssh <your-host> -p <your-ssh-port>
and log in as usual. The ssh port stays accessible for 30 seconds in my setup; change the --seconds value if you need a longer window.
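To see how the three rules above interact over time, here is a small model of them as an added example; it is not part of the original post and not an iptables tool. It re-implements just enough of the `-m recent` (per-source last-seen list) and `-m limit` (one token bucket per rule, refilled at the configured rate up to the burst size) semantics to run a constructed sequence of SYN packets through the ruleset. The knock port 4242 and the three addresses are assumptions standing in for `<your-knock-port>` and real hosts, and the real `recent` list size limit and jiffy-based limit accounting are not modelled.

```python
# Added example, not from the original post: a model of the "knock knock"
# rules, enough to show the 30 s window, the shared -m limit bucket and the
# port-scan caveat. Times are seconds; all traffic below is constructed.
from dataclasses import dataclass, field

KNOCK_PORT = 4242        # assumption: stands in for <your-knock-port>
SSH_PORT = 22
KNOCK_WINDOW = 30.0      # -m recent --rcheck --seconds 30
LIMIT_RATE = 6 / 3600.0  # -m limit --limit 6/hour, in tokens per second
LIMIT_BURST = 1          # --limit-burst 1


@dataclass
class KnockFirewall:
    # -m recent --name knock: source address -> time of its last knock
    knocked: dict = field(default_factory=dict)
    # -m limit is ONE token bucket for the whole rule, not one per source
    tokens: float = LIMIT_BURST
    last_refill: float = 0.0

    def _limit_match(self, now):
        # Refill for the elapsed time, capped at the burst size, then try to
        # take a token; only a successful take counts as a match.
        elapsed = now - self.last_refill
        self.tokens = min(LIMIT_BURST, self.tokens + elapsed * LIMIT_RATE)
        self.last_refill = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def syn(self, now, src, dport):
        """Verdict ('ACCEPT' or 'DROP') for a new TCP SYN from src to dport."""
        if dport == KNOCK_PORT:
            # rule 1: --set records the knock; the SYN itself is dropped, so
            # the knock port looks closed to a port scan
            self.knocked[src] = now
            return "DROP"
        if dport == SSH_PORT:
            # rule 2: knock seen within 30 s AND a limit token available;
            # iptables evaluates matches in order, so the bucket is only
            # touched when the knock check already matched
            last = self.knocked.get(src)
            if (last is not None and now - last <= KNOCK_WINDOW
                    and self._limit_match(now)):
                return "ACCEPT"
            # rule 3: every other SYN to 22 is dropped
            return "DROP"
        return "DROP"  # assumption: the chain's default policy drops the rest


def run_scenario():
    """Constructed traffic from a bot and from me (documentation addresses)."""
    fw = KnockFirewall()
    bot, me = "203.0.113.9", "198.51.100.7"
    v = {}
    v["bot straight to 22"] = fw.syn(0, bot, SSH_PORT)           # DROP
    fw.syn(10, me, KNOCK_PORT)                                   # my knock
    v["ssh 2 s after knock"] = fw.syn(12, me, SSH_PORT)          # ACCEPT
    fw.syn(60, me, KNOCK_PORT)                                   # knock again
    v["second ssh 50 s later"] = fw.syn(62, me, SSH_PORT)        # DROP: bucket empty
    v["ssh 31 s after a knock"] = fw.syn(91, me, SSH_PORT)       # DROP: knock stale
    fw.syn(3000, me, KNOCK_PORT)                                 # ten minutes per token
    v["ssh after bucket refilled"] = fw.syn(3002, me, SSH_PORT)  # ACCEPT
    return v


def scanner_sweep():
    """Caveat: a full port scan that probes the knock port shortly before
    port 22 has knocked for itself and gets through."""
    fw = KnockFirewall()
    scanner = "192.0.2.1"
    fw.syn(0, scanner, KNOCK_PORT)       # one of thousands of probes
    return fw.syn(5, scanner, SSH_PORT)  # ACCEPT


if __name__ == "__main__":
    for what, verdict in run_scenario().items():
        print(f"{what:28s} {verdict}")
    print(f"{'scanner: knock port then 22':28s} {scanner_sweep()}")
```

The second ssh at 62 s is dropped although the knock is fresh: the single bucket was emptied by the first session and refills at one token per ten minutes, which is the price of the simple `-m limit`. The sweep case is why the hardening note further down still matters.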
Result: where the ratelimiting setup still let unsolicited access through from outside, this simple knock setup reduced it to zero attempts coming through!! And since nothing was visible on the outside ports anymore, even the unsolicited ssh login attempts dropped to almost nothing :-)
Note: although this setup helps to hide your ssh server further, you should still follow all the SSH hardening howtos (PermitRootLogin no, use keys, etc.) and not rely on knocking alone! Any SYN to the knock port counts as a knock, so a scanner that sweeps all ports and happens to probe the knock port up to 30 seconds before it probes port 22 opens the door for itself.
Sun 10 Feb 2019
A really short one ;-)
I was using a gpg encrypt setup in one of my projects to protect API keys and secrets. The setup worked, but required manual work which I tended to forget. So I went looking for a lightweight alternative .. and found git-crypt, which solved the issue pretty easily. No use explaining how to install it since it's all on the link above. If you need some encryption for your git projects I suggest you take a look at git-crypt. Note that in order to make git-crypt work I had to symlink gpg2 as gpg, which is the command name it apparently calls. Also keep in mind that git-crypt works as a git clean/smudge filter: it only encrypts files that match a pattern in .gitattributes at the time they are added, so anything committed in plaintext before the pattern was in place stays in plaintext in the history.
For future reference:
git-crypt init: initialize git-crypt in a git repository.
.gitattributes: a .gitignore-like file that defines which files to encrypt. In my .gitattributes anything with .key. or .secure. in the filename is pushed encrypted:

```
*.key.* filter=git-crypt diff=git-crypt
*.secure.* filter=git-crypt diff=git-crypt
```

git-crypt gpg-add-user <user-email>: enable an extra user to decrypt the uploaded files. Make sure you already have that user's public key in your gnupg keyring.
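The two globs are narrower than "key or secure in the filename": a file called api.key has nothing after .key and stays in plaintext. Here is an added example (not from the post, not git-crypt code) that parses those two .gitattributes lines and reports which constructed paths they would hand to the filter. Git matches a pattern without a slash against the basename at any depth with shell-glob semantics, which fnmatch approximates well enough for these patterns; patterns containing a slash and negated attributes are deliberately not modelled.

```python
# Added example, not from the original post: which paths do the two
# .gitattributes lines hand to git-crypt? Paths below are constructed.
import fnmatch
import posixpath

# the two lines from the post's .gitattributes
GITATTRIBUTES = """
*.key.* filter=git-crypt diff=git-crypt
*.secure.* filter=git-crypt diff=git-crypt
"""


def parse_gitattributes(text):
    """Return [(pattern, [attr, ...])] for the non-comment, non-empty lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, *attrs = line.split()
        rules.append((pattern, attrs))
    return rules


def is_encrypted(path, rules):
    """True if a matching rule sets filter=git-crypt.

    Simplification: patterns with a '/' are anchored in git and matched
    against the whole path; they are rejected here instead of mis-modelled.
    """
    name = posixpath.basename(path)
    for pattern, attrs in rules:
        if "/" in pattern:
            raise ValueError(f"anchored pattern not modelled: {pattern}")
        if fnmatch.fnmatchcase(name, pattern) and "filter=git-crypt" in attrs:
            return True
    return False


def classify(paths, text=GITATTRIBUTES):
    """Map each path to whether git-crypt would encrypt it."""
    rules = parse_gitattributes(text)
    return {p: is_encrypted(p, rules) for p in paths}


SAMPLE_PATHS = [
    "config/api.key.json",     # encrypted
    "deploy/prod.secure.env",  # encrypted
    "config/api.key",          # plaintext: nothing after ".key"
    "keys/id_rsa",             # plaintext: no ".key." anywhere
    "secure_settings.yml",     # plaintext: "secure" without the dots
]

if __name__ == "__main__":
    for path, enc in classify(SAMPLE_PATHS).items():
        print(f"{'encrypted' if enc else 'PLAINTEXT':9s} {path}")
```

In a real repository `git-crypt status` is the authoritative check of what is and is not encrypted; the model above only helps reason about the globs before committing.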
Sun 13 Jan 2019
I have been struggling a bit with steam on a multiuser desktop. I definitely wanted to share the games, and preferably also the steam install, while still letting every user log in with their own account. After checking out multiple distros, virtual machine setups etc., I settled for a simple setup where all users use sudo to switch to user steam to start steam gaming. This does require some small hacks on your system, shared here.
steam start script
New steam script in /usr/local/bin/steam, thereby overriding the default steam start script (note: whether it overrides depends on your PATH; /usr/local/bin should come before /usr/bin in it):
```sh
#!/bin/sh
# let the steam user draw on this user's X display
xhost +SI:localuser:steam
# '$LIB' is expanded by the dynamic loader to the platform library dir, not
# by the shell, hence the single quotes; the LD_PRELOAD part is void-specific
sudo LD_PRELOAD='/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 /usr/$LIB/libxcb.so.1' \
     PULSE_SERVER="unix:/tmp/pulse-socket-$USER" \
     -u steam /usr/bin/steam "$@"
# revoke the display access again once steam exits
xhost -SI:localuser:steam
```
This script allows local user steam to use the graphical desktop (xhost) and starts steam via sudo. Note that the LD_PRELOAD comes from me running void; I guess this part can be removed if you don't need it.
sudo setup for steam
```
Defaults env_keep += "LD_PRELOAD DISPLAY PULSE_SERVER"
%users ALL = (steam) NOPASSWD: /usr/bin/steam
```

This keeps LD_PRELOAD, DISPLAY and PULSE_SERVER from the user's environment in the steam environment and allows all users in group users to run sudo -u steam /usr/bin/steam without a password. Keep in mind that letting LD_PRELOAD through a NOPASSWD rule means any member of users can run arbitrary code as the steam account, so steam must stay a dedicated account with no rights beyond the games themselves.
Pulseaudio per user
Add the following to each user's own PulseAudio configuration, replacing <add user here> with that user's name, and choose one of the two socket variants:

```
### TCP/Unix socket required for steam slave (choose one)
#TCP socket (greater overhead)
#load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1
#unix socket (less overhead)
load-module module-native-protocol-unix auth-anonymous=1 socket=/tmp/pulse-socket-<add user here>
```

Note that auth-anonymous=1 disables authentication on that socket: any local process that can reach the path can play and record audio through that user's sound server. That is fine on a trusted single-machine setup like this one, but it is a trade-off to be aware of.
Copy steam.desktop so the Desktop menus start /usr/local/bin/steam instead of /usr/bin/steam. Copying it to /usr/local/share/applications makes sure the change survives steam updates from your distro. Note that this step is optional if you are used to starting steam from the cli.
cp /usr/share/applications/steam.desktop /usr/local/share/applications
And then update the first Exec= line in the copy to point to /usr/local/bin/steam.
So there we are: steam, nothing installed twice, all games available, done ;-)
Some drawbacks though:
Sat 22 Dec 2018
Bought a new machine, work in progress.