Disable password authentication on sshd

Creating a user with adduser --disabled-password only leaves that account without a password: it does not stop OpenSSH from offering password authentication. To disallow password logins you have to change the server configuration.

To disable password authentication, set these values in /etc/ssh/sshd_config:

PasswordAuthentication no
UsePAM no
PermitRootLogin no

UsePAM no is there because, with PAM enabled, the keyboard-interactive method can still prompt for a password even when PasswordAuthentication is no. If you need PAM for account or session handling (limits, home directory creation and so on), keep UsePAM yes and set KbdInteractiveAuthentication no instead (ChallengeResponseAuthentication no on OpenSSH before 8.7). Also remember that sshd uses the first occurrence of a keyword and ignores later ones, so check that no earlier line or Include'd file already sets the same keyword.

Then restart the daemon to apply the changes (on Debian and Ubuntu the unit is called ssh, with sshd as an alias):

systemctl restart sshd

Restarting sshd does not drop existing sessions, so keep your current shell open and, before logging out, try to log in from a second terminal to confirm that key-based login still works.

PermitRootLogin no blocks direct root login over SSH with any authentication method, so it is not strictly needed to disable passwords, but it is a useful addition. Remember to add at least one user to the sudo group first (wheel on Red Hat based systems), or you will not be able to operate as super-user without su - root.

To check that password authentication is disabled, force the password method from another machine:

ssh -o PreferredAuthentications=password USER@HOST

Expected output is:

USER@HOST: Permission denied (publickey).
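A quick audit of the result. This is an added example, not part of the original page: a POSIX shell function that reads an sshd_config the way sshd does (the first occurrence of a keyword wins and a Match line ends the global section) and reports whether a password login path is still open. It assumes Include'd files are checked separately and that no Match block is meant to re-enable passwords.

```shell
# Audit of an sshd_config file, added here as an example and not part of the
# original page. sshd uses the FIRST value it finds for a keyword and ignores
# later ones, and on recent Debian/Ubuntu an "Include /etc/ssh/sshd_config.d/*.conf"
# near the top of the file can set a keyword before anything you append.
# The audit therefore reads only the first global occurrence and stops at the
# first Match block, as sshd does for the global section.
# Assumption: Include'd files are not followed; run the function on each of
# them too, or compare against the merged view printed by `sshd -T`.

# effective_value FILE KEYWORD DEFAULT -> first global value (lowercased), else DEFAULT
effective_value() {
    v=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                    # comment
        NF == 0          { next }                    # blank line
        tolower($1) == "match" { exit }              # end of the global section
        tolower($1) == key     { print tolower($2); exit }
    ' "$1")
    printf '%s' "${v:-$3}"
}

# audit_sshd_config FILE -> findings on stdout; returns 0 only if no password path is left
audit_sshd_config() {
    f=$1
    rc=0
    pw=$(effective_value "$f" PasswordAuthentication yes)
    # KbdInteractiveAuthentication (OpenSSH >= 8.7) replaced ChallengeResponseAuthentication;
    # both default to yes when absent.
    kbd=$(effective_value "$f" KbdInteractiveAuthentication \
          "$(effective_value "$f" ChallengeResponseAuthentication yes)")
    pam=$(effective_value "$f" UsePAM no)
    root=$(effective_value "$f" PermitRootLogin prohibit-password)

    if [ "$pw" != no ]; then
        echo "FAIL PasswordAuthentication=$pw (first occurrence wins; want no)"; rc=1
    fi
    # With PAM on, keyboard-interactive still lets PAM ask for a password even
    # when PasswordAuthentication is no, so one of the two has to be off.
    if [ "$pam" = yes ] && [ "$kbd" != no ]; then
        echo "FAIL UsePAM=yes and keyboard-interactive=$kbd (PAM password prompt still possible)"; rc=1
    fi
    if [ "$root" != no ]; then
        echo "FAIL PermitRootLogin=$root (want no)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $f: no password login path"
    return "$rc"
}

# usage: audit_sshd_config /etc/ssh/sshd_config
```

Run it against /etc/ssh/sshd_config before the restart. sshd -t validates the syntax of the file, and sshd -T prints the merged effective configuration, which is the most reliable input for this check when Include directives are in play.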

Use external mail server for mdadm

mdadm is the utility that manages Linux software RAID and, in monitor mode, checks and reports failures on RAID disks. The usual way it sends its reports is a plain old e-mail handed to the local sendmail. In this howto you'll find the instructions to make mdadm deliver through an external mail server.

First, replace the local sendmail with a relay to an external email account: msmtp provides a sendmail-compatible command for exactly this. After you've configured and tested msmtp you're ready to configure mdadm.

Configure mdadm with the new SMTP

Change /etc/mdadm/mdadm.conf to

# instruct the monitoring daemon where to send mail alerts
# MAILADDR root
MAILADDR alertrecipient@example.com
MAILFROM senderaddress@example.com

Where:

  • senderaddress@example.com is your FROM e-mail, the email or alias you’re sending emails from.
  • alertrecipient@example.com is your recipient TO e-mail. It must be a frequently-used e-mail since alerts of failures are sent there.

Using /etc/aliases to map root to the right recipient and leaving MAILADDR root should let you skip this step, but test it yourself: the alias is resolved by the mail transport, so it only works if your msmtp configuration reads the aliases file.

Send test message with mdadm

Type this command to emulate a disk failure message from mdadm (--test sends a TestMessage event for each array, -1 runs a single pass instead of staying in the foreground):

sudo mdadm --monitor --scan --test -1

If the message below arrives at alertrecipient@example.com, the job is done. Remember that real alerts come from the monitor daemon (mdmonitor.service on most distributions), so make sure it is enabled and running.

This is an automatically generated mail message from mdadm
running on YOURSERVERHOSTNAME

A TestMessage event had been detected on md device /dev/md/1.

Faithfully yours, etc.

P.S. The /proc/mdstat file currently contains the following:

Personalities : [raid1] [linear] [multipath] [raid0] [raid6] [raid5] [raid4] [raid10]
md0 : active raid...

md1 : active raid...

unused devices:
...
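A pre-flight check for the mail path, added here as an example (it is not part of the page). It looks for the things that make mdadm alerting fail silently: no MAILADDR, MAILADDR root without an alias to an external address, no sendmail-compatible binary for mdadm to call, and an msmtp configuration whose plaintext SMTP password is readable by other users. The default paths follow the page; SENDMAIL and ALIASES can be overridden, and the files in the test are constructed.

```shell
# Pre-flight check for mdadm mail alerts. This is an added example, not part of
# the page. mdadm --monitor pipes each alert to /usr/sbin/sendmail; with an
# external relay that binary comes from the msmtp-mta package (or equivalent).
# Paths default to the page's locations; SENDMAIL and ALIASES can be overridden.

SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}
ALIASES=${ALIASES:-/etc/aliases}

# conf_value FILE KEYWORD -> value of the first "KEYWORD value" line (mdadm.conf style)
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# readable_by_others FILE -> 0 if the group or world read bit is set
readable_by_others() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# mdadm_mail_check [MDADM_CONF] [MSMTPRC] -> findings on stdout; 0 if alerts can go out safely
mdadm_mail_check() {
    mdconf=${1:-/etc/mdadm/mdadm.conf}
    msmtprc=${2:-/etc/msmtprc}
    rc=0
    to=$(conf_value "$mdconf" MAILADDR)
    if [ -z "$to" ]; then
        echo "FAIL $mdconf: no MAILADDR, mdadm --monitor has nowhere to send alerts"; rc=1
    elif [ "$to" = root ] && ! grep -Eq '^root:[[:space:]]*[^[:space:]]+@' "$ALIASES" 2>/dev/null; then
        echo "WARN MAILADDR is root but $ALIASES does not map root to an external address"; rc=1
    fi
    if [ -z "$(conf_value "$mdconf" MAILFROM)" ]; then
        echo "INFO no MAILFROM: mail goes out as root@<hostname>, which some relays reject"
    fi
    if [ ! -x "$SENDMAIL" ]; then
        echo "FAIL $SENDMAIL missing: mdadm hands alerts to sendmail, install msmtp-mta or similar"; rc=1
    fi
    # msmtp itself refuses a world-readable config that contains "password",
    # so this catches the problem before the first alert is silently dropped.
    if [ -f "$msmtprc" ] && grep -Eq '^[[:space:]]*password[[:space:]]' "$msmtprc" \
       && readable_by_others "$msmtprc"; then
        echo "FAIL $msmtprc holds a plaintext password and is readable by other users; chmod 600 it"; rc=1
    fi
    return "$rc"
}

# usage: mdadm_mail_check && sudo mdadm --monitor --scan --test --oneshot
```

Run it as root (the files it reads are root-only). If it passes and the test event still does not arrive, the relay is the next thing to look at: msmtp writes to the logfile configured in its config, which shows the SMTP conversation.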


Automate log cleanup for GDPR: the Sentry case

With the General Data Protection Regulation (GDPR) enforced by the European Union, logs have to be cleaned regularly to delete IP addresses and other information about visitors. This can be read as one way to honour an emerging and much discussed right, the right to be forgotten.

This regulation affects every automated logging system out there. Since Sentry is a good open source error monitoring tool* and is widely used, this guide shows how to clean Sentry logs on Linux systems according to GDPR using the sentry cleanup command line utility.

Set a time limit for logs

Before starting, find out the maximum time a log can be kept according to the policy of the service you're working on.

In the examples below the maximum retention is 26 months, one of the periods offered by Google Analytics in its data retention settings.

A 26 month limit for logs stored in Sentry is set like this:

env SENTRY_CONF='/usr/local/etc/sentry' sentry cleanup --days 749

where /usr/local/etc/sentry is the directory containing config.yml and sentry.conf.py. To limit the cleanup to a single project:

env SENTRY_CONF='/usr/local/etc/sentry' sentry cleanup --days 749 --project 5

where 5 is the id of the project you can find in Project settings > Client Keys (DSN) as the very last part of the DSN path (always an integer number).

749 days are calculated like this:

30 days × 26 months = 780 days − 31 days = 749 days

The 31 days are a safety margin so that, with the cleanup running once a month (on the 28th below), nothing is ever kept past the 26 month limit.

On this setup sentry cleanup had to run as root to access the postgres user and thus all Sentry database tables, so it goes in root's crontab. If your installation lets the unprivileged sentry user reach the database, prefer that user's crontab: a root cron job is more privilege than this task needs.

Schedule the cleanup

  1. Log in as root with su - or sudo bash
  2. crontab -e
  3. add a command line like this:
. /usr/local/etc/virtualenvs/sentry/bin/activate && env SENTRY_CONF='/usr/local/etc/sentry' sentry cleanup --days 749 --project 5 && deactivate

The leading dot . is the POSIX equivalent of bash's source and is understood by /bin/sh (the shell cron uses), not only by /bin/bash. This avoids having to set SHELL=/bin/bash in the crontab.

The resulting cron entry would be:

20 3 28 * * . /usr/local/etc/virtualenvs/sentry/bin/activate && env SENTRY_CONF='/usr/local/etc/sentry' sentry cleanup --days 749 --project 5 && deactivate

It isn't a bad idea to add a fallback cleanup the day after, without --project, so that a project you forgot to schedule still gets cleaned with the global limit:

20 3 29 * * . /usr/local/etc/virtualenvs/sentry/bin/activate && env SENTRY_CONF='/usr/local/etc/sentry' sentry cleanup --days 749 && deactivate

Now even your Sentry logs are GDPR compliant. The strength of this method is that you can set a different cleanup limit for every project, according to its policy, and you don't need any proprietary software to do it, just free/libre open source software.
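The per-project limits above end up as one crontab line per project. The script below, an added example that is not part of the page, keeps the same commands but drives them from a small project-to-months table and finishes with the global fallback pass, so one cron entry covers everything and a failed pass stops the job with a non-zero status that cron reports. SENTRY_CONF, the virtualenv path and the project ids are assumptions taken from the page's examples; the retention table is constructed.

```shell
# Per-project retention for `sentry cleanup`, added as an example and not part
# of the page. SENTRY_CONF, the virtualenv path and the project ids below are
# assumptions copied from the page's examples; the table is constructed.

SENTRY_CONF=${SENTRY_CONF:-/usr/local/etc/sentry}
SENTRY_VENV=${SENTRY_VENV:-/usr/local/etc/virtualenvs/sentry}
DRY_RUN=${DRY_RUN:-1}        # 1 = only print the commands; 0 = run them
GLOBAL_MONTHS=26             # fallback limit for projects not in the table

# "<project id> <months>" per line; projects not listed get GLOBAL_MONTHS
RETENTION_TABLE='5 26
7 12'

# retention_days MONTHS -> days, using the page's rule: 30-day months minus a
# 31-day margin so a run on the 28th never keeps data past the policy limit
retention_days() {
    echo $(( $1 * 30 - 31 ))
}

# cleanup_cmd DAYS [PROJECT] -> the sentry command line for one pass (for logging)
cleanup_cmd() {
    printf "env SENTRY_CONF='%s' sentry cleanup --days %s" "$SENTRY_CONF" "$1"
    [ -n "${2:-}" ] && printf ' --project %s' "$2"
    printf '\n'
}

# run_cleanup DAYS [PROJECT] -> prints or executes one pass inside the virtualenv
run_cleanup() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'would run: %s\n' "$(cleanup_cmd "$1" "${2:-}")"
        return 0
    fi
    # shellcheck disable=SC1091
    . "$SENTRY_VENV/bin/activate" || return 1
    if [ -n "${2:-}" ]; then
        env SENTRY_CONF="$SENTRY_CONF" sentry cleanup --days "$1" --project "$2"
    else
        env SENTRY_CONF="$SENTRY_CONF" sentry cleanup --days "$1"
    fi
    status=$?
    deactivate
    return "$status"
}

# run_all_cleanups -> per-project passes first, then the global fallback pass;
# stops at the first failing pass so cron mails the error instead of hiding it
run_all_cleanups() {
    while read -r pid months; do
        [ -n "$pid" ] || continue
        run_cleanup "$(retention_days "$months")" "$pid" || return 1
    done <<EOF
$RETENTION_TABLE
EOF
    run_cleanup "$(retention_days "$GLOBAL_MONTHS")"
}

# usage: DRY_RUN=0 sh sentry-cleanup.sh   (after checking the dry-run output)
```

Save it as a script, run it once with the default DRY_RUN=1 to see the exact commands, then replace the two crontab lines with a single entry that runs it with DRY_RUN=0.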

If you are in a hurry to publish privacy policies and you have a dedicated hosting, give a try to JournaKit legalazy on GitHub.

* Plus it’s written on top of Django.

How to import .ovpn files on Ubuntu Linux network manager

On Ubuntu the OpenVPN client is usually already present (the Network Manager plugin below pulls it in as a dependency). The configuration, especially through the Network Manager, is the tricky part.

Install this additional package on your distro to display a new OpenVPN option in the network manager:

sudo apt-get install network-manager-openvpn-gnome

If you're migrating from Windows and already have a Windows installation of OpenVPN, you can copy the .key, .crt, .conf and .ovpn files from the OpenVPN config directory. Put them in your Linux home (e.g. ~/openvpn/) and tighten the permissions so that only the owner can read them (mode 700 on the directory, 600 on the files): the .key file is the client's private key, and anyone who can read it can connect as you.

Once the .ovpn, .crt and .key files are local, test the connection from the command line:

cd ~/openvpn/
sudo openvpn my-openvpn-file.ovpn

Type the sudo password, wait, and the connection should be established. Press Ctrl+C to stop the VPN. Note that openvpn runs as root and executes any up/down scripts named in the profile, so only do this with a profile you trust.
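Before running a profile as root or importing it, it is worth reading what it asks for. The function below is an added example, not part of the page: it audits an .ovpn file for the directives that weaken the tunnel (no server identity pinning, a weak data cipher, no control-channel key) and for the ones that execute code on your machine (up/down hooks). Directive names are real OpenVPN options; the sample profiles in the test are constructed.

```shell
# Audit of an .ovpn profile before you run it with sudo or import it into the
# Network Manager. Added example, not part of the page. A profile is a
# configuration that openvpn executes as root, which is why the hook checks
# matter as much as the crypto ones.

# has_directive FILE NAME -> 0 if the directive (or its inline <NAME> block) is present
has_directive() {
    grep -Eq "^[[:space:]]*(<$2>|$2([[:space:]]|\$))" "$1"
}

# directive_arg FILE NAME -> first argument of the first matching directive
directive_arg() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# audit_ovpn FILE -> one line per finding; returns 1 if anything needs a fix
audit_ovpn() {
    f=$1; rc=0
    # Without server identity pinning any certificate signed by the same CA
    # (for example another client's) can impersonate the server.
    if ! has_directive "$f" remote-cert-tls && ! has_directive "$f" verify-x509-name; then
        echo "WARN no remote-cert-tls/verify-x509-name: server identity is not pinned"; rc=1
    fi
    # Hook scripts run as root when the tunnel comes up or goes down.
    for hook in up down route-up route-pre-down ipchange; do
        if has_directive "$f" "$hook"; then
            echo "WARN $hook hook '$(directive_arg "$f" "$hook")' would run as root"; rc=1
        fi
    done
    # 64-bit block ciphers are vulnerable to SWEET32 on long-lived tunnels.
    case "$(directive_arg "$f" cipher)" in
        BF-CBC|DES-CBC|DES-EDE3-CBC|RC2-CBC)
            echo "WARN weak cipher $(directive_arg "$f" cipher): use AES-GCM (data-ciphers on OpenVPN 2.5+)"; rc=1 ;;
    esac
    if ! has_directive "$f" tls-auth && ! has_directive "$f" tls-crypt && ! has_directive "$f" tls-crypt-v2; then
        echo "INFO no tls-auth/tls-crypt: the control channel answers to anyone who can reach the port"
    fi
    # A credentials file next to the profile is a plaintext password on disk.
    cred=$(directive_arg "$f" auth-user-pass)
    [ -n "$cred" ] && echo "INFO auth-user-pass reads credentials from $cred; keep that file mode 600"
    return "$rc"
}

# usage: audit_ovpn ~/openvpn/my-openvpn-file.ovpn && sudo openvpn ~/openvpn/my-openvpn-file.ovpn
```

A WARN about a hook script is the one to take seriously when the profile came from a third party: the path it names is executed by root on your laptop every time the tunnel starts.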

Now you can configure the Network Manager to accept the .ovpn file.

Click on the network icon on the top right corner of the screen, click current connection, select settings and look for VPN Settings from the opened window.

Click the + icon aside the VPN title and select Import from file…

Select the my-openvpn-file.ovpn you’ve checked before. A form containing user certificate, CA, private key and the gateway will be automatically filled. Input the password in the last field when needed.

It’s very important to select .ovpn and not .conf since the latter will not work.

If the private key is password protected you can also type the password and on Advanced you can do some fine tuning but it’s usually unnecessary.

On the Details tab, uncheck the automatic connection option if you don’t want to start the VPN at every login and choose if you want to allow other users to access the connection.

On IPv4 and IPv6 you can disable a specific protocol or limit the connection with "Use this connection only for resources on its network". This last option matters: without it the VPN becomes the default route and all traffic goes through it, which can break connectivity; with it, only traffic for the VPN's own networks is tunnelled and everything else leaves through the normal interface unprotected. Choose according to what the VPN is for.

Press Apply and you should be able to connect pressing the network icon on the top right corner > VPN > your VPN name.

To list saved connections:

nmcli c

Programmatically connect / disconnect to VPN

If you need to write a script that uses this imported connection, you could call the openvpn command directly, but then you have to pass all the parameters yourself.

To reuse the saved connection instead, you can simply use nmcli to connect:

nmcli con up id my-connection-name

And disconnect:

nmcli con down id my-connection-name

Tested on Ubuntu 17 and 18.

10 essentials steps to use Elementary OS as media station

I was looking for an easy and good alternative to Windows 7 on a laptop used as a media station to watch Netflix and Crunchyroll, and I chose Elementary OS.

This GNU/Linux distribution is based on Ubuntu and is relatively easy to install. It still needs a few steps to work well as a media station. Here we go:

  1. Make AppCenter Work
    1. Click on Applications on the top left corner of the screen
    2. Click on Terminal
    3. On the console type these commands:
      sudo dpkg --configure -a
      sudo apt update
      
  2. Update your system
    1. Open the AppCenter moving the mouse at the bottom on the screen, then click on the store icon
    2. Click on Updates on the top of the window
    3. Click on Update All and wait until all packages are installed
    4. When finished, click on the Power icon in top right corner of the screen and restart
  3. Update language (if different than English)
    1. Go to the System settings on the bottom bar
    2. Choose Language & Region
    3. A yellow box should appear telling the language installation is not complete: click on Complete installation
    4. Type the user password you’ve choosen during the installation
    5. Click on Unlock
    6. Select your language, region and format
    7. Log out using the top right power button and log in again. The OS is now translated.
    8. Click on Update names to change home directories names according to the selected language (or keep it in the English version)
  4. Install VLC
    1. Go to AppCenter
    2. On the top right corner of the AppCenter search “vlc”
    3. Click Install
  5. Install your preferred browser
    1. On the top right corner of the AppCenter look for your favourite browser:
      1. If you’re looking for Firefox, type “firefox” and install it
      2. If you're looking for Chrome, type "chromium" and install it. Chromium is the open source project Chrome is built on.
  6. Make your browsers ready to watch streaming shows:
    1. If you’re using Firefox, go to Menu > Preferences > Content > and flag Play DRM content checkbox. It will allow services using this meh technology.
    2. Optional: install Flash Player for Linux only if a site still needs it (Firefox used to fetch it automatically). Flash reached end of life on 31 December 2020 and should no longer be installed on a current system:
      https://get.adobe.com/it/flashplayer/otherversions/
  7. Optional: Translate your browser
    1. On Firefox, type about:addons in the address bar
    2. Search for your language and install
      1. Language pack
      2. Dictionary
  8. Optional: Install Office Productivity Tools:
    1. On AppCenter, search for LibreOffice, LibreOffice Writer and LibreOffice Calc and install them (one by one) to open Word, Excel and OpenOffice files.
  9. Optional: get new wallpapers automatically
    1. In the AppCenter search for "Variety"
    2. Install and configure it
    3. You can add nice quotes and a clock to the desktop editing Preferences
  10. Switch the sound to the TV when the HDMI cable is plugged into the port:
    1. By default, when you plug the HDMI cable into the PC, the sound still comes from the PC speakers
    2. To fix this, open the Terminal and type
      sudo bash
      then type your password to get a root shell.
    3. Follow this howto to automatically redirect sound to the TV when it's plugged in. To create or edit files you can use:
      nano /path/to/file
      

With these steps your brand new media station is ready for streaming, running on a GNU/Linux system that gets its security updates through the same AppCenter you used above.

Free SSL certificates and how to install on nginx in 10 steps

Here is how you can get free SSL certificates using Let's Encrypt and forget about certificate expiry thanks to auto-renewal. A complete reference for installing a Let's Encrypt certificate is this Digital Ocean howto; what follows is a quick guide based on it, plus some additional suggestions. Note that the certbot-auto wrapper used below was deprecated by the EFF in 2020 and is no longer maintained: on a current system install certbot from your distribution's packages or as a snap and use the certbot command (as in the December 2018 update at the end). The rest of the procedure is the same. Here we go!

The following commands download the script and make it executable. (1) You are about to run a downloaded script as root, so check the detached signature the EFF publishes next to it before the chmod.

cd /usr/local/sbin  # CentOS
cd /usr/local/bin  # Ubuntu / Debian
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Logout and login again to make the certbot-auto script available as a command without typing the entire path.

The following command creates the directory certbot will use as webroot for the ACME challenge files (the certificates themselves end up under /etc/letsencrypt/live/). Change /usr/local/etc/my/files/path/ssl_cert to the path you want; it can be outside your document root. (2)

mkdir /usr/local/etc/my/files/path/ssl_cert

Now edit your /etc/nginx/conf.d/mysites.conf and add this into the server {…} block to make the example.com/.well-known URL available over plain HTTP (3). Only /.well-known/acme-challenge/ is actually used by certbot, so you can narrow the location to that prefix if you prefer:

server {
    listen 80;
    server_name example.com www.example.com mysite.com www.mysite.com;
    location ^~ /.well-known {
        alias /usr/local/etc/my/files/path/ssl_cert/.well-known;
        allow all;
    }
    location / {
        # redirect all other paths to the HTTPS version
        return 301 https://www.mysite.com$request_uri;
    }
}

At this time you’ve to make available .

Check syntax and reload nginx:

nginx -t
systemctl reload nginx

Now run the script to obtain certificates for your domains. Put the bare domain first: the first -d name becomes the certificate name and the directory under /etc/letsencrypt/live/, so keep the order -d domain-without-www -d www-domain. (4)

On the first run certbot-auto:

  1. installs the dependencies it needs for your system (via yum on Red Hat based distros and apt on Debian based ones)
  2. generates a valid certificate:

certbot-auto certonly -a webroot --webroot-path=/usr/local/etc/my/files/path/ssl_cert -d example.com -d www.example.com -d mysite.com -d www.mysite.com

The ACME challenge is performed automatically and you get a Congratulations message.

Now generate a strong Diffie-Hellman group with this command (5):

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Check the syntax and, if it is OK, reload nginx to apply the changes. (6)

nginx -t
systemctl reload nginx

Auto-renewal

A Let's Encrypt certificate is valid for a short period, 90 days.

To auto-renew the certificate for all of your domains, you should add the auto-renewal command to cron.

You can read how to renew certificates on cron here.
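Whatever runs the renewal, it pays to check the lineage before nginx reloads it. The functions below are an added example and not part of the page: they verify with the openssl command line that privkey.pem belongs to the certificate in fullchain.pem (a mismatch makes nginx refuse the reload), that the certificate is not about to expire (which means the cron job is not renewing), and that the file handed to ssl_certificate carries the intermediate too. The lineage directory is an assumption taken from the page's paths; the certificate in the test is self-signed and constructed.

```shell
# Sanity check of a Let's Encrypt lineage around a renewal, added here as an
# example that is not part of the page. Only the openssl CLI is used; the
# default directory is an assumption taken from the page's paths.

# cert_key_match CERT KEY -> 0 if KEY's public key is the one in CERT
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for CERT DAYS -> 0 if CERT is still valid DAYS days from now
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# chain_length PEM -> number of certificates in the file (fullchain.pem has at least 2)
chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_lineage DIR -> findings on stdout; returns 0 if it is safe to reload nginx
check_lineage() {
    d=${1:-/etc/letsencrypt/live/example.com}
    rc=0
    if ! cert_key_match "$d/fullchain.pem" "$d/privkey.pem"; then
        echo "FAIL privkey.pem does not match fullchain.pem in $d"; rc=1
    fi
    # Let's Encrypt certificates last 90 days and certbot renews at 30 days
    # left, so anything closer than that means renewal is not happening.
    if ! cert_valid_for "$d/fullchain.pem" 30; then
        echo "WARN certificate in $d expires within 30 days; auto-renewal is not working"; rc=1
    fi
    if [ "$(chain_length "$d/fullchain.pem")" -lt 2 ]; then
        echo "WARN $d/fullchain.pem holds a single certificate; point ssl_certificate at fullchain.pem, not cert.pem"; rc=1
    fi
    return "$rc"
}

# usage: check_lineage /etc/letsencrypt/live/example.com && systemctl reload nginx
```

Chain it in front of the reload in your renewal cron job (or in certbot's --deploy-hook) so a broken renewal leaves the old, still valid certificate in place instead of taking the site down.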

Enable SSL on nginx

To enable SSL on nginx when you already have a mysite.conf file for the unencrypted connection on port 80: inside the /etc/nginx/conf.d directory, copy the file as mysite_ssl.conf and:

Change all occurrences of:

listen 80;

to:

listen 443 ssl;

In this way nginx listens on port 443 for TLS. Ensure the port is reachable from outside (firewall rules and, on SELinux systems, the port policy; audit2allow only if denials show up in the audit log). (8)

In the original file, mysite.conf, you can delete everything else, but keep the .well-known location (step 3): the Let's Encrypt script needs it over plain HTTP for renewals.

Add and enable the ciphers. Below is a cipher list that stays compatible with current clients while allowing only TLS 1.2 and 1.3 with forward-secret AEAD suites: TLS 1.0 and 1.1 are deprecated (RFC 8996), and the 3DES and CBC suites that used to appear in such lists should no longer be offered. (9)

server {
    # the port your site will be served on
    listen      443 ssl;
    # the domain name it will serve for
    server_name example.com; # substitute your machine's IP address or FQDN
    # certbot names the lineage after the first -d domain: example.com here
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ##### Ciphers and TLS fine tuning #####
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # forward-secret AEAD suites only: no CBC, no 3DES, no static RSA key exchange
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # stapling needs a resolver directive so nginx can reach the OCSP responder
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
    ##### END Ciphers and TLS fine tuning #####
    # charset     utf-8; etc...
}

Test nginx syntax with:

nginx -t

and then reload nginx to apply the changes (10); a reload is enough, on CentOS too:

systemctl reload nginx

Update 12/2018:

Instead of the webroot method above, you can use certbot's standalone mode. It stops the web server first, starts its own temporary web server to answer the ACME challenge, and starts nginx again afterwards, all in a single command using --pre-hook and --post-hook. The price is a few seconds of downtime at every renewal, which the webroot method avoids, and the standalone server must be able to bind port 80.

sudo certbot certonly --standalone --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx" -d example.com