SL7: fastest mirrors

to enable automatic checking for the fastest mirrors within yum, install the following plugin:

$ sudo yum install yum-plugin-fastestmirror

check that plugins are enabled:

$ cat /etc/yum.conf
<truncated>
plugins=1

check that the config file contains the following:

$ cat /etc/yum/pluginconf.d/fastestmirror.conf
[main]
verbose = 0
socket_timeout = 3
enabled = 1
hostfilepath = /var/cache/yum/timedhosts.txt
maxhostfileage = 1

src: wiki.centos.org, techiecorner.com/

sshd: secure config file

the ssh daemon is an entry point to many servers. it should be secured!!

the following /etc/ssh/sshd_config is secure and very restrictive (the first block is copied from the mozilla guidelines for OpenSSH 6.7+; check the sshd version on the box, since a few of the keywords have been dropped in later releases):

# ============================================================
# COPIED FROM: https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Modern_.28OpenSSH_6.7.2B.29
# Supported HostKey algorithms by order of preference.
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com

# Password based logins are disabled - only public key based logins are allowed.
AuthenticationMethods publickey

# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was used to log in.
LogLevel VERBOSE

# Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
# Note: on RHEL/CentOS/SL the binary lives at /usr/libexec/openssh/sftp-server; adjust the path or sftp will fail to start.
Subsystem sftp  /usr/lib/ssh/sftp-server -f AUTHPRIV -l INFO

# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
#
# On Linux, user sessions are tracked using a kernel-side session id, however, this session id is not recorded by OpenSSH.
# Additionally, only tools such as systemd and auditd record the process session id.
# On other OSes, the user session id is not necessarily recorded at all kernel-side.
# Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit track.
PermitRootLogin No

# Use kernel sandbox mechanisms where possible in unprivileged processes
# Systrace on OpenBSD, Seccomp on Linux, seatbelt on MacOSX/Darwin, rlimit elsewhere.
# Deprecated since OpenSSH 7.5, where privilege separation and sandboxing are always on.
UsePrivilegeSeparation sandbox

# ============================================================

Port <PORT>
# only matters before OpenSSH 7.4, which dropped server support for protocol 1
Protocol 2

# only 60s at login prompt
LoginGraceTime 60

# restrictive ssh folder settings: refuse keys in group/world-writable ~/.ssh
StrictModes yes

# no gui X11 features
X11Forwarding no

# only specific users
AllowUsers <USER1>  ...

# only ipv4
AddressFamily inet

# which authorized keys
AuthorizedKeysFile %h/.ssh/authorized_keys

PrintMotd no

# no password login
PasswordAuthentication no

# no tcp forwarding
AllowTcpForwarding no

# login msg
Banner /etc/issue
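a small audit script for the config above, added here as an example and not part of the original notes or the mozilla guidelines. it applies the two sshd parsing rules that matter when reading a config by hand: the first occurrence of a keyword wins (keywords are case-insensitive), and everything after a Match line is conditional, so the reader stops there. the checklist mirrors the directives on this page; on OpenSSH 7.5+ drop the Protocol and UsePrivilegeSeparation rows, because those keywords are gone. the file paths in the usage note are assumptions.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the restrictive settings above.
# Not from the original notes; parsing rules follow sshd_config(5):
# first occurrence wins, keywords are case-insensitive, Match blocks are conditional.

# sshd_effective FILE KEYWORD
# prints the effective global value of KEYWORD (empty if never set before a Match block)
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        { split(line, f, /[ \t=]+/) }           # "Key value" or "Key=value"
        tolower(f[1]) == "match" { exit }       # everything below is conditional
        tolower(f[1]) == key {
            v = line
            sub(/^[^ \t=]+[ \t=]+/, "", v)      # drop keyword and separator
            print v
            exit
        }
    ' "$1"
}

# sshd_audit FILE
# prints one FAIL line per deviation and returns 1 if there was any.
# every keyword must be set explicitly: a missing one silently gets the
# sshd default, and those defaults differ between versions.
sshd_audit() {
    file=$1
    rc=0
    checks='Protocol|2
PermitRootLogin|no
PasswordAuthentication|no
AuthenticationMethods|publickey
X11Forwarding|no
AllowTcpForwarding|no
StrictModes|yes
LogLevel|verbose
UsePrivilegeSeparation|sandbox'
    while IFS='|' read -r key want; do
        [ -n "$key" ] || continue
        have=$(sshd_effective "$file" "$key")
        if [ -z "$have" ]; then
            echo "FAIL $key: not set (sshd default applies)"
            rc=1
        elif [ "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "FAIL $key: is '$have', want '$want'"
            rc=1
        fi
    done <<EOF
$checks
EOF
    # AllowUsers has no safe default: if it is absent, every account may log in
    if [ -z "$(sshd_effective "$file" AllowUsers)" ]; then
        echo "FAIL AllowUsers: not set, every account may log in"
        rc=1
    fi
    return $rc
}
```

usage: `sshd_audit /etc/ssh/sshd_config` after editing, or run it over the effective configuration that sshd itself reports (`sudo sshd -T > /tmp/effective.conf && sshd_audit /tmp/effective.conf`, assumed temp path); `sshd -T` prints lowercase keywords, which the case-insensitive parser handles.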

synology: ssh

synology's nas boxes have a will of their own concerning ssh.

enable ssh service:

  1. at first one needs to enable the ssh service within the web-gui (link: synology.com)
  2. now log in as the user: admin

the admin user has root privileges within the web-gui, but only normal user privileges in the console; root can be reached with sudo.

to enable ssh for other users (note: this only works temporarily because the system resets the passwd file after a reboot – crazy?!):

  1. open passwd file: sudo vim /etc/passwd
  2. change the shell of the specific user
    1. last column of that user’s row: /sbin/nologin -> /bin/sh

to make it a lot more secure one should log in via ssh keyfiles. this needs setup within the sshd config file. (note: ssh needs restrictive rights for the personal ~/.ssh folder and the setup on my box was somehow screwed up (synology's acl?). that’s why: StrictModes no… )

  1. open sshd config: sudo vim /etc/ssh/sshd_config
  2. change following properties:
    1. enable authentication by keyfile: PubkeyAuthentication yes
    2. load allowed client list: AuthorizedKeysFile %h/.ssh/authorized_keys
    3. disable folder’s rights checking: StrictModes no
    4. disable login via password: PasswordAuthentication no
  3. copy one’s public key (from the client machine) (link: digitalocean.com)
    • from linux: ssh-copy-id
    • from mac: scp
    • from windows: ?
  4. restart sshd on the synology box
    • synology fucked up the underlying OS such that one cannot restart the service via commandline (no init.d scripts, and their own commands (synosystemctl or so) don't do the job. the ssh service didn't restart…)…
    • two options:
      • restart the whole box
      • disable and enable the ssh service inside the web-gui
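the manual equivalent of ssh-copy-id, added here as an example (not part of the original notes, not a synology tool): it creates ~/.ssh and authorized_keys with exactly the rights StrictModes checks for, so the key can be installed from mac or windows with scp plus this script and StrictModes can stay at yes. the second function checks the layout the way sshd would; if `ls -ld ~/.ssh` shows a `+` right after the mode string, an ACL is attached to the folder, which is worth checking before falling back to StrictModes no. the home directory and key file are passed as arguments; the key in the usage note is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original notes: install a public key the way
# ssh-copy-id does, with the permissions StrictModes expects.

# mode_of PATH -> the ten-character ls -l mode string, e.g. drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# install_authorized_key PUBKEY_FILE HOME_DIR
# appends the first line of PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys once
install_authorized_key() {
    pub=$1
    home=$2
    key=$(head -n 1 "$pub") || return 1
    case $key in
        "ssh-ed25519 "*|"ssh-rsa "*|ecdsa-sha2-nistp*) ;;   # OpenSSH one-line key formats
        *) echo "not an OpenSSH public key line: $pub" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    ak=$home/.ssh/authorized_keys
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    # dedupe on type + key material, not on the trailing comment
    keyid=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if ! awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$ak"; then
        printf '%s\n' "$key" >> "$ak"
    fi
    # StrictModes also refuses a group- or world-writable home directory
    chmod go-w "$home"
}

# strictmodes_ok HOME_DIR -> 0 when the layout passes what StrictModes checks
# (sshd only rejects group/world-writable paths; 700/600 is the usual stricter choice)
strictmodes_ok() {
    home=$1
    case $(mode_of "$home") in
        ?????w????|????????w?) return 1 ;;   # home group- or world-writable
    esac
    [ "$(mode_of "$home/.ssh")" = "drwx------" ] || return 1
    [ "$(mode_of "$home/.ssh/authorized_keys")" = "-rw-------" ] || return 1
}
```

usage on the box after copying the key over with scp (paths are assumptions): `install_authorized_key /tmp/id_ed25519.pub "$HOME" && strictmodes_ok "$HOME" && echo ok`. if strictmodes_ok fails although the modes look right, run `ls -ld "$HOME" "$HOME/.ssh"` and look for the `+` that marks an ACL.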

rsync backup only over night

it is kinda nice to have an rsync job running while the bandwidth is not needed otherwise.

  1. start a main script each night (using cron)
  2. the main script uses timeout to supervise the actual rsync script

#!/bin/bash

# how long the rsync script may run before timeout kills it
TIME=15
TIMEUNIT="m"

# which signal timeout sends when the time is up
# 1 = SIGHUP, 15 = SIGTERM: rsync catches both and exits cleanly
# 9 = SIGKILL: hard kill, cannot be caught, so rsync cannot clean up
KILLCMD=1

timeout -s $KILLCMD \
    ${TIME}${TIMEUNIT} \
    /some/path/rsyncer.sh

# exit status is 124 if timeout had to kill the script,
# otherwise the script's own exit status

the rsync script itself (rsyncer.sh) is the one from the post rsync backup script
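a fuller version of the nightly wrapper, added as an example and not the original rsyncer.sh or main script: it adds a lock so a run that is still going when the next cron start comes around is not started twice, and it turns the exit status into a readable verdict (124 is the coreutils timeout convention; rsync's own codes, e.g. 24 for files that vanished during the transfer, pass through). the lock path and the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: run a command inside a time
# window under a lock. Intended for cron, e.g. (assumed paths)
#   0 2 * * * /some/path/nightly.sh 900 /some/path/rsyncer.sh

LOCKDIR=${LOCKDIR:-/tmp/rsyncer.lock}   # assumed lock path, override as needed

# run_windowed SECONDS CMD [ARG...]
# returns CMD's status, 124 if the window expired, 75 (EX_TEMPFAIL) if locked
run_windowed() {
    secs=$1
    shift
    # mkdir is atomic, so it works as a lock without needing flock(1)
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "skip: $LOCKDIR is held by another run" >&2
        return 75
    fi
    timeout -s 15 "$secs" "$@"    # 15 = SIGTERM, which rsync handles cleanly
    rc=$?
    rmdir "$LOCKDIR"
    case $rc in
        0)   echo "ok: finished within ${secs}s" ;;
        124) echo "stopped: window of ${secs}s used up" ;;
        24)  echo "ok-ish: rsync reports source files vanished mid-transfer" ;;
        *)   echo "failed: exit status $rc" ;;
    esac
    return $rc
}

# when called with arguments (as from cron), act as the main script
if [ "$#" -ge 2 ]; then
    run_windowed "$@"
fi
```

the verdict lines go to stdout, so cron mails them only when MAILTO is set; the exit status is returned unchanged so a monitoring hook can still tell a timeout (124) from an rsync error.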