securing SSH in 3 easy steps

if you don’t want to mess about with keys (which are still the single biggest improvement you can make) there are three things you can easily do to secure SSH.

firstly, always disallow root logins. in /etc/ssh/sshd_config you should have something like this (sshd uses the first value it reads for a keyword, so make sure there is no earlier uncommented PermitRootLogin line that contradicts it):

# Authentication:
LoginGraceTime 120
#PermitRootLogin without-password
PermitRootLogin no
StrictModes yes

secondly, install fail2ban. out of the box it’ll have a decent configuration that’ll ban an IP after a certain number of failed attempts. you can check what it has done in /var/log/fail2ban.log, or ask it directly with fail2ban-client status (and fail2ban-client status followed by the jail name for the list of banned addresses).

thirdly, and i think most importantly, let’s change the port that SSH listens on. again, in /etc/ssh/sshd_config, look for the line # What ports, IPs and protocols we listen for and change the Port line underneath it to something more obscure (go for a high port that isn’t used for anything else, like 2984), then restart SSH. be clear about what this buys you: anyone who has already found your host will find the new port with a scan in seconds, but the automated scanners that only try port 22 will go away, and they are where nearly all of the log noise and fail2ban bans come from. before you restart, update your firewall rules to allow the new port, check the file still parses with sshd -t, and keep your current session open while you confirm from a second terminal that you can log in, specifying the new port like ssh user@whatever.server -p 2984. if you’re running fail2ban, its ssh jail needs the new port as well, otherwise its bans will only block port 22.

also, if you’re changing the port number, note that some firewalls will block port 2984 outgoing so you won’t be able to connect. this is the case at my place of work for example. i had to use a VPN tunnel via another server to connect to SSH when it was listening on port 2984.
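the steps above, as an added example that is not part of the original post: a small POSIX sh script that applies the two sshd_config changes to a copy of the file and verifies the values sshd would actually use before the live config is touched. port 2984 is the post’s; the helper names are mine, and the script assumes a config without Match blocks.

```shell
#!/bin/sh
# Added example, not from the post: apply PermitRootLogin no and a non-default
# Port to an sshd_config, then verify the effective values. Function names and
# the demo config are assumptions; the port 2984 is the one the post uses.

# set_option FILE KEY VALUE
# sshd uses the FIRST value it reads for a keyword, so a forgotten
# "PermitRootLogin yes" higher up the file would silently win. Strip every
# active or commented line for KEY, then append one authoritative line.
set_option() {
    f=$1; k=$2; v=$3
    t=$(mktemp)
    grep -Ev "^[[:space:]]*#?[[:space:]]*${k}[[:space:]]" "$f" > "$t" || true
    printf '%s %s\n' "$k" "$v" >> "$t"
    mv "$t" "$f"
}

# get_option FILE KEY -> the value sshd would use (first active line), or nothing
get_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd_config FILE [PORT]   (PORT defaults to the post's 2984)
harden_sshd_config() {
    set_option "$1" PermitRootLogin no
    set_option "$1" Port "${2:-2984}"
}

# verify_sshd_config FILE PORT -> 0 only if both settings are in effect
verify_sshd_config() {
    [ "$(get_option "$1" PermitRootLogin)" = "no" ] &&
    [ "$(get_option "$1" Port)" = "$2" ]
}

# Demo on a constructed Debian-style default (not a real server's file).
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# What ports, IPs and protocols we listen for
Port 22
# Authentication:
LoginGraceTime 120
#PermitRootLogin without-password
PermitRootLogin yes
StrictModes yes
EOF
    harden_sshd_config "$cfg" 2984
    if verify_sshd_config "$cfg" 2984; then
        echo "ok: Port $(get_option "$cfg" Port), PermitRootLogin $(get_option "$cfg" PermitRootLogin)"
    else
        echo "config not hardened" >&2
    fi
    rm -f "$cfg"
}
demo
```

to use it for real, run harden_sshd_config against a copy of /etc/ssh/sshd_config, check the copy with sshd -t -f /path/to/copy, move it into place, open the firewall port, and only then restart sshd while your current session stays open.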

errors with tor relay on centos 7

recently spun up a centos 7 VPS to run a tor relay
when issuing
service tor start
i got errors along the lines of
Starting tor (via systemctl): Warning: Unit file of tor.service changed on disk, 'systemctl daemon-reload' recommended.
digging deeper with
systemctl status tor.service -l
showed
tor.service - SYSV: Onion Router - A low-latency anonymous proxy
Loaded: loaded (/etc/rc.d/init.d/tor)
Active: failed (Result: exit-code) since Mon 2015-03-23 06:30:15 EDT; 42s ago
Process: 12436 ExecStart=/etc/rc.d/init.d/tor start (code=exited, status=3)
Mar 23 06:30:15 dime tor[12436]: Mar 23 06:30:15.176 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Mar 23 06:30:15 dime tor[12436]: Mar 23 06:30:15.176 [notice] Read configuration file "/etc/tor/tor-rpm-defaults-torrc".
Mar 23 06:30:15 dime tor[12436]: Mar 23 06:30:15.177 [notice] Read configuration file "/etc/tor/torrc".
Mar 23 06:30:15 dime tor[12436]: Mar 23 06:30:15.182 [warn] Failed to parse/validate config: Nickname 'flag_waver' is wrong length or contains illegal characters.
Mar 23 06:30:15 dime tor[12436]: Mar 23 06:30:15.182 [err] Reading config failed--see warnings above.
Mar 23 06:30:15 dime tor[12436]: /usr/bin/torctl start: tor could not be started
Mar 23 06:30:15 dime tor[12436]: [FAILED]
Mar 23 06:30:15 dime systemd[1]: tor.service: control process exited, code=exited status=3
Mar 23 06:30:15 dime systemd[1]: Failed to start SYSV: Onion Router - A low-latency anonymous proxy.
Mar 23 06:30:15 dime systemd[1]: Unit tor.service entered failed state.

so i removed the _ from the relay name and tor starts fine now. the daemon-reload warning at the top is a red herring; the real error is the [warn] line. tor’s Nickname option only accepts 1 to 19 characters, letters and digits only, so underscores (and dashes, dots and spaces) are out. running tor --verify-config -f /etc/tor/torrc catches this sort of thing before you restart the service.
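the same check as an added example (mine, not tor’s code and not from the post): lint the Nickname in a torrc the way tor’s config parser will, and suggest the fix the post applied. the function names and the torrc lines are constructed.

```shell
#!/bin/sh
# Added example, not from the post: check a torrc Nickname against tor's rule
# (1 to 19 characters, letters and digits only) before restarting the relay.
# Function names are mine; the torrc content in demo is constructed.

# nickname_ok NAME -> 0 if tor would accept it
nickname_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{1,19}$'
}

# torrc_nickname FILE -> the Nickname tor will use (first active line), or nothing
torrc_nickname() {
    awk '$1 == "Nickname" { print $2; exit }' "$1"
}

# lint_torrc FILE -> 0 if the Nickname is valid or unset, 1 with a message otherwise
lint_torrc() {
    nick=$(torrc_nickname "$1")
    [ -z "$nick" ] && return 0
    nickname_ok "$nick" && return 0
    echo "Nickname '$nick' is wrong length or contains illegal characters" >&2
    return 1
}

# suggest_nickname NAME -> NAME with illegal characters dropped and cut to 19,
# i.e. the fix the post applied (flag_waver -> flagwaver)
suggest_nickname() {
    printf '%s' "$1" | tr -cd 'A-Za-z0-9' | cut -c1-19
}

demo() {
    rc=$(mktemp)
    printf '%s\n' 'ORPort 9001' 'Nickname flag_waver' 'ExitRelay 0' > "$rc"
    if ! lint_torrc "$rc"; then
        echo "try: Nickname $(suggest_nickname "$(torrc_nickname "$rc")")"
    fi
    rm -f "$rc"
}
demo
```

once the lint passes, tor --verify-config -f /etc/tor/torrc is the authoritative check, since it validates every option rather than just the nickname.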

stormtrooper


i don’t post many pictures here any more. that’s probably because i don’t take many pictures these days. quite liked this one though. stormtrooper lamp. f/1.8 with my 35mm lens.

munin client denied by server configuration

after issuing a

ln -s /var/cache/munin/www

i was still getting a 403 error when attempting to access the stats page of munin, and apache’s logs were showing ‘client denied by server configuration’. on apache 2.4 that message means a Require directive refused the client; munin’s packaged apache config only allows local clients, which is the sensible default. in debian add the following to apache2.conf in /etc/apache2 (or better, to a file under conf-available that you enable with a2enconf). bear in mind that "all granted" publishes your host’s stats to anyone who can reach the server, so once it works, narrow it to your own address range with Require ip.

<Directory /var/cache/munin/www>
    # apache 2.4 syntax; on 2.2 the equivalent was "Order allow,deny" plus "Allow from all"
    Require all granted
</Directory>

service apache2 restart

permanently ban an IP with fail2ban

it’s easy to permanently ban an IP with fail2ban though it might not seem that way at first. the jail you’re configuring (often SSH) should contain lines a bit like this (put your changes in /etc/fail2ban/jail.local rather than jail.conf, which package upgrades overwrite):

bantime = 600
findtime = 600
maxretry = 3

the trick is to put a minus sign before the bantime seconds: any negative bantime means the ban never expires (-1 is the conventional way to write it). so if you want to ban an IP permanently you should change it to look like this:

bantime = -600
findtime = 600
maxretry = 3

then you’ll need to restart the service with

service fail2ban restart

or fail2ban-client reload, or whatever.
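as an added example, not fail2ban’s code and not from the post: the maxretry/findtime rule from the jail above replayed over a few constructed sshd log lines, the meaning of a negative bantime, and the jail.local stanza that puts the settings into effect. the jail name [sshd] is the fail2ban 0.9+ name (older releases call it [ssh]), the log lines use documentation addresses, and timestamps are reduced to seconds since midnight, which is a simplification of fail2ban’s own date handling.

```shell
#!/bin/sh
# Added example, not fail2ban's code: replay constructed sshd auth.log lines
# through the same maxretry/findtime rule a jail applies, show what bantime < 0
# means, and print the matching jail.local stanza. Assumptions: jail name [sshd]
# (fail2ban 0.9+), and all sample lines fall on one day (timestamps become
# seconds since midnight, a simplification).

# ban_candidates MAXRETRY FINDTIME < auth.log
# prints "IP count" once per source that reached MAXRETRY failures inside a
# FINDTIME-second sliding window
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            split($3, t, ":")                       # "06:30:15" -> seconds
            ts = t[1] * 3600 + t[2] * 60 + t[3]
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip]++
            hit[ip, n[ip]] = ts
            # forget failures that have fallen out of the window
            while (n[ip] - first[ip] > 0 && hit[ip, first[ip] + 1] < ts - findtime)
                first[ip]++
            if (n[ip] - first[ip] >= maxretry && !(ip in banned)) {
                banned[ip] = 1
                print ip, n[ip] - first[ip]
            }
        }'
}

# ban_expiry BANTIME NOW -> "never" for a negative bantime (fail2ban's permanent
# ban), otherwise the second at which the ban is lifted
ban_expiry() {
    if [ "$1" -lt 0 ]; then echo never; else echo $(( $2 + $1 )); fi
}

# jail_local PORT BANTIME -> stanza for /etc/fail2ban/jail.local. Keep port in
# step with sshd_config: the ban action only blocks the jail's port, so an SSH
# daemon moved to 2984 stays reachable to a banned host unless 2984 is listed.
jail_local() {
    cat <<EOF
[sshd]
enabled  = true
port     = $1
bantime  = $2
findtime = 600
maxretry = 3
EOF
}

# constructed log lines (RFC 5737 documentation addresses), not a real server's
SAMPLE_LOG='Mar 23 06:30:15 dime sshd[12436]: Failed password for root from 203.0.113.5 port 4711 ssh2
Mar 23 06:31:02 dime sshd[12440]: Failed password for invalid user admin from 203.0.113.5 port 4712 ssh2
Mar 23 06:31:40 dime sshd[12444]: Failed password for root from 203.0.113.5 port 4713 ssh2
Mar 23 06:32:00 dime sshd[12450]: Failed password for root from 198.51.100.9 port 5000 ssh2
Mar 23 06:50:00 dime sshd[12460]: Failed password for root from 198.51.100.9 port 5001 ssh2
Mar 23 07:10:00 dime sshd[12470]: Failed password for root from 198.51.100.9 port 5002 ssh2
Mar 23 07:11:00 dime sshd[12480]: Accepted publickey for bob from 192.0.2.7 port 6000 ssh2'

# 203.0.113.5 trips the jail; 198.51.100.9 also fails three times but spread
# over 38 minutes, so never has 3 failures inside one 600 s window
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 600
echo "ban lifts at: $(ban_expiry -1 1427092215)"
jail_local 2984 -1
```

the slow attacker in the sample is the reason findtime matters as much as maxretry: a scanner that paces itself under the window is never banned, so a low-and-slow campaign shows up in the log long before it shows up in fail2ban-client status.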

liking the fibre broadband

when i stayed at my last place i was quite happy with the 16Mb down. new property has access to fibre broadband…suffice to say that i’m rather liking it

look at that upload rate…crikey. good service from plusnet. oh and welcome to 2015.

disruption

though you shouldn’t see any issues on the pages this site isn’t well…i may ditch wordpress for something else…but with over 500 posts that doesn’t sound like fun.

there’s something wrong with fcgi after i upgraded to wp’s latest version… 4.1. 500 internal server errors. a plugin is probably the culprit…i’m guessing w3 total cache.

–UPDATE 2/1/15–

yup…w3 total cache was to blame which is rather disappointing as i found it rather useful. i spent far too much time getting the site back end up again. will probably just continue to use cloudflare’s caching.

Bear