Profile Details

Recent updates
  • Stassen
    Stassen replied to a discussion, Advise on Certificates used (SSHD)

    Nick Howitt wrote:

    I know Ubuntu do something with a more or less secure option. The more secure option does not allow 2048 bit RSA keys, but I have not managed to work out how they do that unless it is by setting their own internal RSA key to something longer (4096 bit).

    If you don't know what you are doing, be careful playing around as you could inadvertently create something less secure.


    Nick,

    I agree that everybody needs to be careful. Make a backup, document your changes in the config files while you are working on it (I add the url used in a comment line in the config file, to retrieve the info used). After a restart of the service I use Greenbone scanner (via docker) to probe/scan my new security for that machine even though these are behind the firewall without ports open to the internet.

  • Stassen
    Stassen replied to a discussion, Advise on Certificates used (SSHD)

    I think I understand my own mistake, but still wondering why this did not pop up upfront while restarting sshd. Nevertheless, for the moment I use the following:

    # Ciphers and keying
    #RekeyLimit default none

    KexAlgorithms curve25519-sha256@libssh.org
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

    Protocol 2

  • Stassen
    Stassen started a new discussion, Advise on Certificates used (SSHD)

    Advise on Certificates used (SSHD)

    I used openvas to check my security and started to modify my sshd_config to exclude known risks. I thought I managed to increase the level by lowering the risk via this config.
    But I ran into a challenge tonight where I was not able to log in anymore via SSH (after a power failure on the machine). In the end everything was working except SSH. Via the cmdline and systemctl -xe I found that the lines starting with a ? were causing the issue. Currently not active, so I have access, but I still would like to have a secure platform.
    I know that these settings are part of the situation you are in (in reference to algos used on other machines), but I don't have that.

    Most of the info on the internet (how to set up incl. examples) doesn't provide a date-stamp. In other words it can be outdated. Can someone advise what is the best config at the moment (March 2022)?



    AddressFamily inet

    HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key

    # Ciphers and keying
    #RekeyLimit default none

    #ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
    ?MACs AnyStd:
    #MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
    ?KexAlgorithms AnyStd:
    # KexAlgorithms diffie-hellman-group-exchange-sha256, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1
    ?SSLProtocol all -SSLv2 -SSLv3
    ?SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:!EXP:+eNULL:!SSLv2:!SSLv3
    ?ssl_prefer_server_ciphers off;
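The `?`-prefixed lines and the SSL* directives above are what made sshd refuse its config, and a restart failure only shows up in the journal, not at edit time. As an added example (not code from the thread or from the ClearOS project), this Python linter flags lines sshd cannot parse, directives that belong to a web server rather than sshd, and the legacy algorithms quoted in this thread; the directive and algorithm sets are a deliberately small subset chosen for illustration, not the full sshd keyword list.

```python
import re

# Assumed subset of real sshd_config keywords relevant to this thread (not exhaustive).
SSHD_DIRECTIVES = {
    "addressfamily", "hostkey", "rekeylimit", "ciphers", "macs",
    "kexalgorithms", "protocol", "port", "permitrootlogin",
    "passwordauthentication", "pubkeyauthentication",
}

# Legacy algorithms that appear in the configs quoted in this thread.
WEAK_ALGOS = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1", "hmac-sha1", "hmac-ripemd160",
    "hmac-ripemd160-etm@openssh.com", "umac-64@openssh.com",
}

# sshd accepts "Keyword value" or "Keyword=value"; the keyword is case-insensitive.
DIRECTIVE_RE = re.compile(r"([A-Za-z][A-Za-z0-9_]*)\s*=?\s*(.*)")

def lint_sshd_config(text):
    """Return (line_no, problem) tuples for a candidate sshd_config, in file order."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank or comment
        m = DIRECTIVE_RE.match(line)
        if not m:
            # e.g. "?MACs AnyStd:": sshd aborts on a line it cannot parse,
            # which is why the service did not come back after the power cut.
            findings.append((no, f"unparseable line: {line!r}"))
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key not in SSHD_DIRECTIVES:
            findings.append((no, f"not an sshd directive: {m.group(1)}"))
            continue
        if key in ("ciphers", "macs", "kexalgorithms"):
            for algo in (a.strip() for a in value.split(",")):
                if algo in WEAK_ALGOS:
                    findings.append((no, f"legacy algorithm in {m.group(1)}: {algo}"))
    return findings

# Constructed sample that mirrors the broken config from the post.
SAMPLE_CONFIG = """\
AddressFamily inet
HostKey /etc/ssh/ssh_host_ed25519_key
#MACs hmac-sha1,umac-64@openssh.com,hmac-ripemd160
?MACs AnyStd:
?KexAlgorithms AnyStd:
SSLProtocol all -SSLv2 -SSLv3
KexAlgorithms diffie-hellman-group-exchange-sha256, diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    for no, problem in lint_sshd_config(SAMPLE_CONFIG):
        print(f"line {no}: {problem}")
```

On the host itself, `sshd -t -f /path/to/candidate_config` is the authoritative check to run before restarting the service.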

  • @Nick,

    I deleted the symbolic links and was able to recreate this via a very long way.

    Due to the fact that bash wasn't working anymore I needed an alternative to create this symbolic link. I found the sash executable (https://altlinux.pkgs.org/p10/classic-x86_64/sash-3.4-alt2.qa2.x86_64.rpm.html), which I was able to extract and make executable.

    Due to the fact that my flexshares were still up and running I was able to get this executable onto my platform without shutting down. Meanwhile my only ssh terminal session was still working, although I could have done this also via my local terminal access.
    Still had to find out how to deal with the sash commands, but in the end I was able to copy sash to my root and use it there to re-create the symbolic links lib->/usr/lib and lib64->/usr/lib64.

    That made my day! Finally I can access everything again.

    Hopefully this method can help someone else that makes the same mistake ;-)

  • Correcting a major user mistake in my OS - /lib64/ld-linux-x86-64.so.2:

    I've made a mistake by deleting 2 ln's in my root directory, running into a major issue.

    I can't execute most of the commands anymore on my machine because I get almost constant "/lib64/ld-linux-x86-64.so.2: bad ELF interpreter:" errors.

    eg:

    trying to execute $ln
    -bash: /usr/bin/ln: /lib64/ld-linux-x86-64.so.2: bad ELF interpreter: No such file or directory

    Can't even execute ls or yum to correct this.

    Have still access via ssh (and directly via a keyboard/monitor).

    Is there a way that I can add these libraries to my path, or is there another solution to resolve this?

  • Nick Howitt wrote:

    Ouch. If it is a single share, you could possibly investigate the SetUID or SetGID bit. Or can you put a recursive "chown" or "chuser"/"chgrp" at the end of your cron job? Otherwise you'll need to investigate giving "flexshare" some of root's permissions in /etc/sudoers or under /etc/sudoers.d/. The second option is probably the easiest. You wouldn't even need your flexshare user as you could use a proper user and/or group.


    After more investigation and tests, I decided to plan a chown on that particular directory at the end of every day ;-). Thanks for helping again!

  • If I run this as root, the script stores the content as root. Not a problem, but when I access this flexshare as a normal user, I don't have the "root" rights to delete or rename this item. Running this script with user flexshare eliminates this issue. BTW if I start the cronjob manually (I use webmin to start that job), this is working fine also. But if started via cron itself I have this issue.

  • Can't schedule a cronjob with user flexshare

    To make my life easy, I scheduled a cronjob for user flexshare

    in /var/spool/cron/flexshare

    0 12 * * 0 /install/script/recordingstart.sh

    Cron.log

    Nov 21 12:00:01 CROND[29827]: (flexshare) CMD (/install/script/recordingstart.sh)
    Nov 21 12:00:01 CROND[29827]: (CRON) ERROR chdir failed (/dev/null): Not a directory

    I did create a local home directory for flexshare

    /home/flexshare (owner flexshare), but that does not do the job. With user root everything is working as designed.

    Any ideas?
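cron changes into the home directory recorded in the user's passwd entry, not into /home/<user>, so a service account whose passwd home field is /dev/null produces exactly the chdir error in the log above, no matter what exists under /home. As an added example (not code from the post or from ClearOS), this Python check reads a constructed passwd excerpt and reports what cron would chdir into for a given user; the UIDs, GECOS text and shells in the sample are assumptions.

```python
import os

# Constructed /etc/passwd excerpt (not taken from the post). The service account's
# home field is /dev/null, which is common for accounts that are never meant to log in.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
flexshare:x:1001:1001:Flexshare service account:/dev/null:/sbin/nologin
"""

def passwd_home(passwd_text, user):
    """Return the home directory field for `user`, the directory cron will chdir into."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[5]
    return None

def cron_home_problem(passwd_text, user):
    """Explain why cron's chdir would fail for `user`, or return None if it looks fine."""
    home = passwd_home(passwd_text, user)
    if home is None:
        return f"{user}: no passwd entry, cron cannot run jobs for this user"
    if not os.path.isdir(home):
        # This is the 'CRON ERROR chdir failed (/dev/null): Not a directory' case;
        # creating /home/<user> does not help unless passwd is updated to point at it.
        return (f"{user}: passwd home {home} is not a directory; "
                f"point it at a real directory, e.g. usermod -d /home/{user} {user}")
    return None

if __name__ == "__main__":
    for user in ("root", "flexshare"):
        print(user, "->", cron_home_problem(SAMPLE_PASSWD, user) or "ok")
```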

  • Stassen
    Stassen replied to a discussion, Crontab is not executing script.

    Nick Howitt wrote:

    Ok so you went for sh and not bash but that is a personal choice. The issue is a known issue with cron/crontab and presumably appears somewhere in its documentation (but is not in "man crontab"). The internet has references like https://stackoverflow.com/questions/2388087/how-to-get-cron-to-call-in-the-correct-paths.

    Anyway, it is working now.


    I found that article also and it is helpful. My solution was adding the full path in the script. Only then was it working. Hopefully someone will run into this solution in the future when running into the same.

  • Stassen
    Stassen replied to a discussion, Crontab is not executing script.

    I have success with the following mod to the script when used in crontab.

    #!/bin/sh

    # cron starts jobs with a minimal PATH, so set it explicitly before calling anything
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

    /usr/local/bin/streamripper http://x.x.x.x:8000 -d "/var/flexshare/shares/vol4/1. Streamrecordings/" -o larger -t --quiet -u "FreeAmp/2.x"


    Just learned something again. Would be nice if there was a better way of tracing these issues, but I'm happy that I got a result. @Nick: Thanks for supporting me during this process ;-)