Random Notes

Some random notes as to keep track of tips/tricks for myself and to share.

SSH knock knock

Sun 10 Feb 2019

I used to have a quite elaborate setup to protect my ssh server from brute-force attacks. All iptables based, with increasingly long drops depending on the time passed and the count of ssh connect attempts. However, last week my rpi server was under attack from quite a large and distributed brute-force attempt. Nothing to worry about, but it annoyed me ;-) I ended up with huge failed-login logs (check your lastb) of over 25k attempts per day .. After initially trying to find a solution with geoip (too complex, required adding tcp wrappers around ssh etc, did not want to go there) and changing the outside ssh listening port (too simple and easily re-discovered), I decided to implement a ‘knock’ before entering setup. Brilliantly simple, hard to discover and easy to extend to a more complex setup when required.

Old: the ssh rate limiting I replaced (relevant part of my iptables-restore script):

# ratelimit accept ssh
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -m recent --name sshbf --set -j SSHBF
-A SSHBF -m recent --name sshbf --rcheck --hitcount  4 --seconds    300 -j DROP
-A SSHBF -m recent --name sshbf --rcheck --hitcount  6 --seconds   7200 -j DROP
-A SSHBF -m recent --name sshbf --rcheck --hitcount 12 --seconds 345600 -j DROP
-A SSHBF -m recent --name sshbf --rcheck -j LOG --log-prefix "NFssh: " --log-level info
-A SSHBF -m recent --name sshbf --rcheck -j ACCEPT

New: I set up an ssh port knock. Replace your-knock-port in the lines below with your preferred knock port, e.g. any port between 1025 and 65535.

# ssh knock knock
-A INPUT -p tcp --dport <add your-knock-port here> --syn -m recent --name knock --set -j DROP
-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -m recent --name knock --rcheck --seconds 30 -m limit --limit 6/hour --limit-burst 1 -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP

The above lines drop all ssh traffic from ip’s that try to access my ssh server without knocking first: knock before you enter ;-) As an extra, any traffic that does get through is still rate limited, but with a simpler setup of just one -m limit. Daily use is pretty simple: use telnet, ssh, anything capable of sending a tcp syn to the knock port, and then connect to your ssh port as usual.

telnet <your-host> <your-knock-port> 

Stop this session with Ctrl-C; you have just knocked on the door, and ssh will be open for 30 seconds. Follow up with:

ssh <your-host> -p <your-ssh-port>

and log in as usual. The ssh port will remain accessible for 30 seconds in my setup; you can change this if needed.
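To make the semantics of the three knock rules concrete, here is a small Python model of them, added as an illustration and not part of the original note: it mimics -m recent (--set / --rcheck --seconds 30) and the -m limit token bucket (6/hour, burst 1, shared by all source addresses) and runs constructed SYN traffic through them. The knock port number and the addresses are assumed placeholder values.

```python
from dataclasses import dataclass, field

KNOCK_PORT = 31337   # stands in for <your-knock-port>; assumed value for this example
SSH_PORT = 22
KNOCK_WINDOW = 30    # -m recent --rcheck --seconds 30
LIMIT_PER_HOUR = 6   # -m limit --limit 6/hour
LIMIT_BURST = 1      # --limit-burst 1


@dataclass
class KnockFirewall:
    recent: dict = field(default_factory=dict)  # the 'knock' recent list: src ip -> last knock time
    tokens: float = LIMIT_BURST                  # -m limit token bucket, shared by every source ip
    last_refill: float = 0.0

    def _limit_ok(self, now):
        # -m limit: refill at 6 tokens/hour, cap at the burst size, spend one per matching packet
        self.tokens = min(LIMIT_BURST, self.tokens + (now - self.last_refill) * LIMIT_PER_HOUR / 3600)
        self.last_refill = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

    def syn(self, now, src, dport):
        """Return the verdict for a TCP SYN from src to dport at time now (seconds)."""
        if dport == KNOCK_PORT:
            self.recent[src] = now      # --name knock --set, then -j DROP: the knock is never answered
            return "DROP"
        if dport == SSH_PORT:
            knocked = self.recent.get(src)
            # --rcheck --seconds 30 is evaluated first; -m limit only spends a token when it matched
            if knocked is not None and now - knocked <= KNOCK_WINDOW and self._limit_ok(now):
                return "ACCEPT"
            return "DROP"               # final rule: -A INPUT -p tcp --dport 22 -j DROP
        return "DROP"                   # other ports are outside these three rules


def simulate(events):
    # events: (time, src, dport) tuples in time order; returns one verdict per event
    fw = KnockFirewall()
    return [fw.syn(t, src, port) for t, src, port in events]


# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE = [
    (0,   "198.51.100.7", SSH_PORT),    # ssh without knocking: DROP
    (1,   "198.51.100.7", KNOCK_PORT),  # the knock: DROP, but the source ip is remembered
    (2,   "198.51.100.7", SSH_PORT),    # ssh within 30s of the knock: ACCEPT
    (5,   "198.51.100.7", SSH_PORT),    # second session 3s later: DROP, burst of 1 spent, next token in 10 min
    (35,  "198.51.100.7", SSH_PORT),    # 34s after the knock: DROP, the 30s window has expired
    (700, "203.0.113.9",  KNOCK_PORT),  # another host knocks ...
    (701, "203.0.113.9",  SSH_PORT),    # ... and gets in: ACCEPT, the bucket has refilled
]
```

One consequence worth knowing: because the -m limit bucket is shared by all sources and has a burst of 1, a second ssh session opened within 10 minutes of the previous accepted one is dropped even after a fresh knock.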

Result: where the rate-limiting setup still let unsolicited connections through from outside, this simple knock setup reduced that to zero attempts coming through!! And since nothing is visible on the outside ports anymore, even the unsolicited ssh login attempts dropped to almost nothing :-)

Note: although this setup helps to further hide your ssh server, you should still follow all the SSH hardening howto’s (PermitRootLogin no, use keys etc) and not rely on ssh knocking alone!

Secure git repository with git-crypt

Sun 10 Feb 2019

A really short one ;-) I was using a gpg encrypt setup with one of my projects to protect api keys and secrets. The setup worked, but required manual work which I tended to forget. So I was trying to find a lightweight alternative .. and found git-crypt, which solved the issue pretty easily. No use explaining how to install it since it’s all on the link above. If you need some encryption for your git projects I suggest you take a look at git-crypt. Note that in order to make git-crypt work I had to symlink gpg to gpg2, since it apparently calls gpg.

for future reference:

Steam multiuser setup for Linux

Sun 13 Jan 2019

I have been struggling a bit with steam on a multiuser desktop. I definitely wanted to share the games and preferably also the steam install, while still letting all users log in with their own account. After checking out multiple distro’s, virtual machine setups etc. I settled for a simple setup where all users use sudo to switch to user steam to start steam gaming. This however requires some small hacks on your system, shared here.

My requirements:

steam start script

New steam script in /usr/local/bin/steam, thereby overruling the default steam start script (note: whether it overrules depends on your $PATH; /usr/local/bin must come before /usr/bin in your $PATH):

#!/bin/sh
# allow the local user steam to connect to this X display
xhost +SI:localuser:steam
# run steam as user steam; PULSE_SERVER points at the calling user's pulse socket (see below)
sudo LD_PRELOAD='/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 /usr/$LIB/libxcb.so.1' PULSE_SERVER="unix:/tmp/pulse-socket-$USER" -u steam /usr/bin/steam "$@"
# revoke the display access again once steam exits
xhost -SI:localuser:steam

This script allows local user steam to use the graphical desktop (xhost) and starts steam via sudo. Note that the LD_PRELOAD comes from me running void; I guess this part can be removed if you don’t need it.

sudo setup for steam

%users ALL = (steam) NOPASSWD: /usr/bin/steam

This allows all users in group users to sudo to user steam and run steam without a password. DISPLAY and PULSE_SERVER also have to be carried over from the user’s environment into steam’s environment (sudo strips them under its default env_reset unless sudoers keeps or permits them), otherwise the script above cannot reach the display or the per-user pulse socket.

Pulseaudio per user

Add the following to ~/.config/pulse/default.pa:

.include /etc/pulse/default.pa

### TCP/Unix socket required for the steam user (choose one)
#TCP socket (greater overhead)
#load-module module-native-protocol-tcp auth-ip-acl=
#unix socket (less overhead)
load-module module-native-protocol-unix auth-anonymous=1 socket=/tmp/pulse-socket-<add user here>

Note the above! This is a config change per user (the socket name must match the PULSE_SERVER path used in the start script), mainly because configuring it at host level causes trouble (socket still existing) when switching between users. Depends on your desktop use.


Adjust steam.desktop to start /usr/local/bin/steam instead of /usr/bin/steam from the desktop menus. Copying it to /usr/local/share/applications makes sure the change survives steam updates from your distro. Note that this step is optional if you are used to starting steam from the cli.

cp /usr/share/applications/steam.desktop /usr/local/share/applications

and update the first Exec= line in the copy to point to /usr/local/bin/steam.

So there we are: steam, nothing installed twice, all games available, done ;-)

Some drawbacks though:

New machine

Sat 22 Dec 2018

Bought a new machine, work in progress.

html generated with neovim and markdown © de-neef.net