My Techie-Thoughts

The most annoying and consistently ignored prompt when using SSH is that stupid “The authenticity of host blah, blah, blah can’t be established” and then a fingerprint that no one ever has or ever will bother to authenticate. Be honest, you’ve skipped this message more times than you can count and just answer ‘yes’ so you can get on with life, right? Maybe it’s time we changed that.

Your intentions are good, rotating your fail2ban log file. You are rotating your fail2ban log file, right? I mean, it’s not done by default for some weird reason so I’d forgive you if you aren’t. They get big and they should be trimmed and archived. If you’re already rotating your fail2ban log file or you’ve tried doing it in the past, did you ever notice that fail2ban stops using those rotated files? How rude! Let’s fix that.

Ever had a program that keeps asking for administrator rights to run even though you know it doesn’t need them? I hate when developers are too lazy to do things the right way and figure “I’ll just run as the admin and then do what I need to do!” Yeah, great idea, nevermind the giant security issues it poses or the fact that regular users like employees can’t use the program anymore! I could continue, but I’ll say something nasty. Let’s bypass this unnecessary admin request.

Need to update a user’s UID/GID for whatever reason? Sometimes it’s just something you need to do when conforming with a new management scheme or when you’re moving to a new LDAP server, for example. This doesn’t have to be as difficult an undertaking as you might think.

Passwords are great and a strong password is definitely the first line of defense against unauthorized access. But, if you think your Facebook account is important enough to warrant another layer of security so people can’t hack pictures you posted about your lunch, then surely you can understand why your Linux console could use another security wrapper too, right? Let’s add second factor authentication (2FA) to your console, su, sudo and SSH access all in just a few easy steps.

For most of my Linux projects, and a lot of the tutorials on this site, I fire up a virtual machine on Hyper-V and load a minimal Debian system. Working with a Debian system gives me a stable, clean, platform I can easily customize as needed. If you were interested in a similar setup, here’s a walkthrough.

There are lots of times when you need a static IP, especially for server systems. It’s pretty simple on Debian, we only have to edit a few files and run a few simple commands.

Despite being around for a while, DANE has been only been slowly catching on in the last few years. But, that’s finally starting to change as encrypted DNS gets more popular and people have started to realize the advantages DANE offers. Want to implement it using free certificates from Let’s Encrypt? You should! Let’s do it…

If you run a server of any kind, you know the importance of making sure your clients can securely connect.  Many people rely on Let’s Encrypt since they issue free certificates that make these secure connections possible.  However, those certificates are only good for 90 days and then have to be renewed… that’s a hassle!  Enter Certbot…

Have a server that’s offering services that need to be secured with TLS but you can’t install a web server, can’t open port 80 or have something using that port you can’t shutdown? How do you get free Let’s Encrypt certificates? If you’re using Cloudflare for your DNS we can use certbot and automate the whole thing including renewals! If you’re using another DNS server provider, the basic process still works too.

There’s lots of instances where you need a certificate for a non-web server system. Popular examples of this include database servers, git-servers, docker-repos, etc. However, free providers like Let’s Encrypt usually validate your server by means of an HTTP lookup for a specific file and that means you need a way to serve that file but, we aren’t running a web server. Catch-22? Not necessarily…

If you’re running a Linux system, you need SSH access. It’s just a fact for any administrator. More over, you need quick, secure access with a minimum of security prompts. It’s not hard to get that set up and use the latest elliptical-curve security to boot!

Generating self-signed certificates is a common task that every admin needs to do from time to time for any number of reasons. Here’s how to make an OpenSSL configuration file to generate properly formed certificates quickly.

If you’ve been using Linux for any amount of time or even just getting your feet wet in the world of administering a Linux system, you’ve definitely seen references to ‘sudo’ or been told to use ‘sudo’ when executing certain commands. But, what is ‘sudo’, why should you use it and how do you install and set it up?

Sometimes you need your guest VMs to have secure access to the internet and your host machine without all the fuss and complexity of typical Hyper-V networking. Here’s an easy way to do just that by creating a separate NAT virtual network.

Although it’s been around for a while, the Hyper-V Default Switch is often misused or not given the credit it actually deserves. Let’s take a quick look at what it does, how it works and when you should use it.

Most every program you install and run, especially services, generate some form of log file and nearly everyone only checks those logs when something bad happens.  Why? Because there are so many logs to check!  Well, that’s where a log parsing program can be a lifesaver.  I like using Logwatch on my Debian/Ubuntu systems. Logwatch is a nice, lightweight, easy-to-use program that generates a summary report that can be emailed nightly or on whatever schedule you choose.

Sometimes you’re running a server to provide a specific service and you need it to send you status updates via email but do NOT need the overhead and complexity of having it run a mailserver or complicated MTA.

Recently, I’ve had my OneDrive seem to uninstall or break itself.  That’s annoying.  The icon in Explorer reverts to a regular folder and nothing syncs because the client program isn’t running in the background.  Fortunately, it’s an easy fix and everything resets itself without a restart.  Here’s the quick and dirty way to get it done…

Starting with the May cumulative Windows 10/Server 2016 update, you may have run into a CredSSP error when trying to connect via Remote Desktop Protocol (RDP) to another computer.

Sometimes, especially on a Small Business Server (SBS) machine, you will run into a situation where having more than one IP address linked to your server is very helpful.  This especially applies if you are only using one NIC in your machine and need to address it ‘logically’ by several IPs.

Backing up to one drive is just silly.  Everyone knows you have to rotate your backups, so why does Windows Backup make this so difficult?  Command-line to the rescue, it’s actually really easy…