The most annoying and consistently ignored prompt when using SSH is that stupid “The authenticity of host blah, blah, blah can’t be established” and then a fingerprint that no one ever has or ever will bother to authenticate. Be honest, you’ve skipped this message more times than you can count and just answer ‘yes’ so you can get on with life, right? Maybe it’s time we changed that.
Your intentions are good, rotating your fail2ban log file. You are rotating your fail2ban log file, right? I mean, it’s not done by default for some weird reason so I’d forgive you if you aren’t. They get big and they should be trimmed and archived. If you’re already rotating your fail2ban log file or you’ve tried doing it in the past, did you ever notice that fail2ban stops using those rotated files? How rude! Let’s fix that.
Need to update a user’s UID/GID for whatever reason? Sometimes it’s just something you need to do when conforming with a new management scheme or when you’re moving to a new LDAP server, for example. This doesn’t have to be as difficult an undertaking as you might think.
Passwords are great and a strong password is definitely the first line of defense against unauthorized access. But, if you think your Facebook account is important enough to warrant another layer of security so people can’t hack pictures you posted about your lunch, then surely you can understand why your Linux console could use another security wrapper too, right? Let’s add second factor authentication (2FA) to your console, su, sudo and SSH access all in just a few easy steps.
For most of my Linux projects, and a lot of the tutorials on this site, I fire up a virtual machine on Hyper-V and load a minimal Debian system. Working with a Debian system gives me a stable, clean, platform I can easily customize as needed. If you were interested in a similar setup, here’s a walkthrough.
There are lots of times when you need a static IP, especially for server systems. It’s pretty simple on Debian, we only have to edit a few files and run a few simple commands.
Despite being around for a while, DANE has been only been slowly catching on in the last few years. But, that’s finally starting to change as encrypted DNS gets more popular and people have started to realize the advantages DANE offers. Want to implement it using free certificates from Let’s Encrypt? You should! Let’s do it…
If you run a server of any kind, you know the importance of making sure your clients can securely connect. Many people rely on Let’s Encrypt since they issue free certificates that make these secure connections possible. However, those certificates are only good for 90 days and then have to be renewed… that’s a hassle! Enter Certbot…
Have a server that’s offering services that need to be secured with TLS but you can’t install a web server, can’t open port 80 or have something using that port you can’t shutdown? How do you get free Let’s Encrypt certificates? If you’re using Cloudflare for your DNS we can use certbot and automate the whole thing including renewals! If you’re using another DNS server provider, the basic process still works too.
There’s lots of instances where you need a certificate for a non-web server system. Popular examples of this include database servers, git-servers, docker-repos, etc. However, free providers like Let’s Encrypt usually validate your server by means of an HTTP lookup for a specific file and that means you need a way to serve that file but, we aren’t running a web server. Catch-22? Not necessarily…
If you’re running a Linux system, you need SSH access. It’s just a fact for any administrator. More over, you need quick, secure access with a minimum of security prompts. It’s not hard to get that set up and use the latest elliptical-curve security to boot!
Generating self-signed certificates is a common task that every admin needs to do from time to time for any number of reasons. Here’s how to make an OpenSSL configuration file to generate properly formed certificates quickly.
If you’ve been using Linux for any amount of time or even just getting your feet wet in the world of administering a Linux system, you’ve definitely seen references to ‘sudo’ or been told to use ‘sudo’ when executing certain commands. But, what is ‘sudo’, why should you use it and how do you install and set it up?
Most every program you install and run, especially services, generate some form of log file and nearly everyone only checks those logs when something bad happens. Why? Because there are so many logs to check! Well, that’s where a log parsing program can be a lifesaver. I like using Logwatch on my Debian/Ubuntu systems. Logwatch is a nice, lightweight, easy-to-use program that generates a summary report that can be emailed nightly or on whatever schedule you choose.
Sometimes you’re running a server to provide a specific service and you need it to send you status updates via email but do NOT need the overhead and complexity of having it run a mailserver or complicated MTA.