lincoln avenue high flats demolition

lincoln avenue, knightswood, glasgow. two out of the six high flats are being demolished. this is the last of the two (i used to stay in the one that was first to go).

lincoln_avenue_high_flats_1

lincoln_avenue_high_flats_2

they can’t use explosives as there are houses all around.
always thought it fascinating to have a peek at people’s choice of colour scheme.

backup blues

i’ve been rather obsessive about backing up my data since i lost valuable files back around 1999.
up until recently i backed up to 2 2TB drives at home and one which i kept at my office and brought back occasionally (read: less often than i should) for a refresh. this has been working fine until i bought a NAS device (a netgear ReadyNAS 104…liking it a lot BTW) for local streaming to DLNA devices, a sonos and storage of VM snapshots and various other files.
the NAS has 4 bays and i’ve filled two of them with more 2TB drives. they’re set up as RAID 1 so that effectively gives 2TB of storage as one drive mirrors the other (i will expand this at a later date).
up until now i used a combination of deja-dup and rsync to keep things up to date…the question is how should i proceed now? should i continue my original method with the 3 externals and leave the NAS to its own devices (copying new data to it as it is created)? or should i look at backing up the NAS too? that could be to one of the various online services that i have accounts with or to another external drive (that could get costly).
the possibilities are starting to hurt my head a bit…

how big have tape drives gotten these days…

netgear_nas_and_drives

securing SSH in 3 easy steps

if you don’t want to mess about with keys there are three things you can easily do to secure SSH.

firstly, always, disallow root logins. in /etc/ssh/sshd_config you should have something like this

# Authentication:
LoginGraceTime 120
#PermitRootLogin without-password
PermitRootLogin no
StrictModes yes

secondly, install fail2ban. out of the box it’ll have a decent configuration that’ll ban an IP after a certain number of failed attempts. you can check the logs at /var/log/fail2ban

thirdly, and i think most importantly, let’s change the port that SSH listens on. again, in /etc/ssh/sshd_config, look for the line # What ports, IPs and protocols we listen for and change the port to something more obscure (go for a high port that isn’t used for anything else like port 2984) and restart SSH. make sure your firewall rules are updated to reflect this change too. you will have to log in specifying this new port like ssh user@whatever.server -p 2984

also, if you’re changing the port number, be aware that some firewalls will block port 2984 outgoing so you won’t be able to connect. this is the case at my place of work for example. i had to use a VPN tunnel via another server to connect to SSH when it was listening on port 2984.
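a way to check the three steps against the files themselves (an added example, not part of the original post): it reads the effective PermitRootLogin and Port from an sshd_config, skipping commented-out lines like the one in the snippet above, and checks that the fail2ban jail's port covers the port sshd was moved to. the function names, file arguments and jail name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. File paths and the jail name are
# arguments, so it can be pointed at copies of the real files.

# Print the effective global value of an sshd_config keyword. sshd uses the
# first value it reads, so commented-out lines and later duplicates are
# ignored; parsing stops at the first Match block.
sshd_effective() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/               { next }
        { gsub(/=/, " ") }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$1"
}

# Print the "port" value of one jail ([name] section) in a fail2ban file.
jail_port() {
    awk -v sec="[$2]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sec = ($0 == sec); next }
        in_sec && /^[ \t]*port[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# audit_ssh SSHD_CONFIG [JAIL_FILE JAIL_NAME]
# e.g. audit_ssh /etc/ssh/sshd_config /etc/fail2ban/jail.local sshd
# Prints one line per finding and returns the number of findings.
audit_ssh() {
    n=0
    root=$(sshd_effective "$1" PermitRootLogin)
    port=$(sshd_effective "$1" Port)
    port=${port:-22}                 # sshd listens on 22 when Port is unset
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-unset}', expected 'no'"; n=$((n + 1))
    fi
    if [ "$port" = "22" ]; then
        echo "sshd still listens on the default port 22"; n=$((n + 1))
    fi
    if [ -n "$2" ]; then
        jport=$(jail_port "$2" "$3")
        # fail2ban accepts a comma list; "ssh" is the service name for 22
        ports=$(printf '%s' "$jport" | sed 's/[[:space:]]//g; s/ssh/22/g')
        case ",$ports," in
            *",$port,"*) ;;          # the jail covers the port sshd uses
            *) echo "jail [$3] port '${jport:-unset}' does not cover sshd port $port"
               n=$((n + 1)) ;;
        esac
    fi
    return "$n"
}
```

a jail left at `port = ssh` after sshd moves to 2984 shows up as a finding, because the ban would then only cover port 22.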

errors with tor relay on centos 7

recently spun up a centos 7 VPS to run a tor relay
when issuing
service tor start
i got errors along the lines of
Starting tor (via systemctl): Warning: Unit file of tor.service changed on disk, 'systemctl daemon-reload' recommended.
digging deeper with
systemctl status tor.service -l
showed
tor.service - SYSV: Onion Router - A low-latency anonymous proxy
Loaded: loaded (/etc/rc.d/init.d/tor)
Active: failed (Result: exit-code) since Mon 2015-03-23 06:30:15 EDT; 42s ago
Process: 12436 ExecStart=/etc/rc.d/init.d/tor start (code=exited, status=3)
Mar 23 06:30:15 dime tor[12436]: Mar 23 06:30:15.176 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 23 06:30:15 dime tor[12436]: Mar 23 06:30:15.176 [notice] Read configuration file "/etc/tor/tor-rpm-defaults-torrc".
Mar 23 06:30:15 dime tor[12436]: Mar 23 06:30:15.177 [notice] Read configuration file "/etc/tor/torrc".
Mar 23 06:30:15 dime tor[12436]: Mar 23 06:30:15.182 [warn] Failed to parse/validate config: Nickname 'flag_waver' is wrong length or contains illegal characters.
Mar 23 06:30:15 dime tor[12436]: Mar 23 06:30:15.182 [err] Reading config failed--see warnings above.
Mar 23 06:30:15 dime tor[12436]: /usr/bin/torctl start: tor could not be started
Mar 23 06:30:15 dime tor[12436]: [FAILED]
Mar 23 06:30:15 dime systemd[1]: tor.service: control process exited, code=exited status=3
Mar 23 06:30:15 dime systemd[1]: Failed to start SYSV: Onion Router - A low-latency anonymous proxy.
Mar 23 06:30:15 dime systemd[1]: Unit tor.service entered failed state.

so i removed the _ from the relay name and things are fine when tor starts now.

stormtrooper

stormtrooper

i don’t post many pictures here any more. that’s probably because i don’t take many pictures these days. quite liked this one though. stormtrooper lamp. f/1.8 with my 35mm lens.

munin client denied by server configuration

after issuing a

ln -s /var/cache/munin/www

i was still getting a 403 error when attempting to access the stats page of munin and apache’s logs were showing ‘client denied by server configuration’. in debian add the following to apache2.conf in /etc/apache2

<Directory /var/cache/munin/www>
# apache 2.4 access control; don't mix in the 2.2-style Order/Allow lines
Require all granted
</Directory>

service apache2 restart

permanently ban an IP with fail2ban

it’s easy to permanently ban an IP with fail2ban though it might not seem that way at first. the jail you’re configuring (often SSH) should contain lines a bit like this:

bantime = 600
findtime = 600
maxretry = 3

the trick is to put a minus sign before the bantime seconds. so if you want to ban an IP permanently you should change it to look like this:

bantime = -600
findtime = 600
maxretry = 3

then you’ll need to restart the service with

service fail2ban restart

or whatever.

Bear