Apple has updated its free Shell Scripting Premier Guide, which is freely downloadable from Mac OS X Developer Library website.
Chapters included in the freely downloadable Shell Scripting Premier:
Fail2ban is a security tool used for preventing brute-force attack and Distributed Denial of Service (DDoS) attack to your GNU/Linux box.
Fail2ban monitors failed login attempts and subsequently blocks the ip address from further logins. Although Fail2ban can also be used to secure other services in Ubuntu server, in this post, I will only focus on securing SSH server.
Step 1: Install Fail2ban and (optionally) sendmail
sudo apt-get install fail2ban sudo apt-get install sendmail-bin
Step 2: Setting up Fail2ban
Next, you need to configure fail2ban by creating a copy of ‘jail.conf’ to ‘jail.local’
cd /etc/fail2ban sudo cp jail.conf jail.local
Step 3: General fail2ban configuration
Edit fail2ban configuration file using your favorite text-edito (I personally use ‘nano’)
sudo nano /etc/jail.local
You can set IP address for fail2ban to ignore, IP addresses can be separated by space.
Bantime is the duration of time that you want fail2ban to block suspicious attempt, the value is in seconds
Maxretry is the number of failed attempts before fail2ban block the IP-address, in this case 3600 means 1-hour ban
# "ignoreip" can be an IP address, a CIDR mask or a DNS host ignoreip = 127.0.0.1 192.168.1.1 bantime = 3600 maxretry = 3
Step 4: Enabling ssh and ssh-ddos protection
Find ssh configuration under [ssh] heading, and enable it.
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3
Similarly, you can also enable [ssh-dos] protection by changing the enabled value to “enabled = true”
[ssh-ddos] enabled = true port = ssh filter = sshd-ddos logpath = /var/log/auth.log maxretry = 2
Step 5: Enable Sending Notification Email (optional)
Optionally you can have fail2ban sends you notification email in case of suspicious login detected. To do that, you need to locate destemail settings and changed it to your email
destemail = email@example.com
Fail2ban can use ‘sendmail’ and ‘mail’ application to send notification email
Step 6: (Re-)start Fail2ban
After all is done, you may save the file, and (re)start the fail2ban service
sudo /etc/init.d/fail2ban restart
You can test the configuration by trying to login into your box. You may also check fail2ban log in /var/logs/auth.log (or in other directory specified in jail.local)
For more information about fail2ban, you can read : the official fail2ban manual
Here’s how to setup public-key (or passwordless) authentication in Ubuntu or any other Linux based operating system that use OpenSSH.
First make sure you’ve remote SSH server running and accepting connection. Then you need to generate ssh key on local server (I prefer RSA). You can enter passphrase for added security, or leave it blank for passwordless authentication.
local:~$ ssh-keygen -t rsa
Enter passphrase (empty for no passphrase):
The command will generate id_rsa and id_rsa.pub files. The files will be save in ~/.ssh/ directory. Then copy id_rsa.pub file to the remote server using SCP. Read How to use SCP on Linux or other UNIX-based Environment for more information about SCP
local:~$ scp id_rsa.pub firstname.lastname@example.org:~/
Then you have to connect to the remote host and append the id_rsa.pub public key file to the list of “authorized_keys“. Don’t forget to chmod the authorized_keys file and .ssh directory, or OpenSSH won’t work correctly
local:~$ ssh email@example.com
#now we are on remote server!
remote:~$ cat id_rsa.pub >> ~/.ssh/authorized_keys
remote:~$ chmod 644 ~/.ssh/authorized_keys
remote:~$ chmod 700 ~/.ssh
Make sure you have edited the “/etc/ssh/sshd_config” file to allow Public key authentication and RSA authentication.
Save and restart sshd server daemon by running the following command.
remote:~$ sudo /etc/init.d/ssh restart
After that, logout from the remote host to test the Public-key authentication
Testing the SSH public-key authentication
To test the public-key authentication, simply connect to remote server normally using ssh, and if things have gone smoothly you’ll be prompted to enter your passphrase, instead of password.
local:~$ ssh firstname.lastname@example.org
Enter passphrase for key '/home/username/.ssh/id_rsa':
Note that you will not be prompted to enter passphrase/password if you’ve generated a key with “blank passphrase“, effectively making your login “passwordless”. For added security, it is advised that you disable normal interactive-keyboard password option and rely fully on public-key authentication by changing sshd_config line from:
p/s: this tutorial was adapted from Shortest passwordless ssh tutorial, ever with updated notes for latest OpenSSH release
A nice twitter client for those who are working in CLI environment.
A Windows alternative is also available at : Twitter Windows Command Line Client.
Alternatively you can try a cURL hack to post your update to twitter from command line.
btw my twitter id is ‘mypapit’. Happy twittering.