change-your-ssh-server-port-to-reduce-brute-force-attacks.webp

Change your SSH server port to reduce brute force attacks

Reduce SSH brute force attacks by changing your default SSH server (sshd) port from port 22 to a different one. Below is a sshd log example of a brute force attacks. Changing the port You can change the default port by editing the sshd configuration file. sudo nano /etc/ssh/sshd_config Find the line that say #Port. Remove the # symbol and set the port number you prefer. Refer to the image below as reference. ...

December 27, 2022 · John Pili
rsync-with-different-ssh-port.webp

Rsync with different SSH port

Some Linux servers were security hardened by changing the default SSH port from port 22 to a different port number. To use rsync with a different SSH port, add ‘ssh -p 12345’ in the rsync parameters. Push rsync -azvP -e 'ssh -p 12345' SOURCE USER@HOST:DEST Pull rsync -azvP -e 'ssh -p 12345' USER@HOST:SOURCE DEST

December 26, 2022 · John Pili
golang-with-recaptcha.webp

Golang with reCAPTCHA

Google’s reCAPTCHA is one of the tool we can use to stop malicious internet bots from abusing our web applications. It comes in two versions, reCAPTCHA v2 and v3. Version 3 uses a score-based method with no user interaction. Version 2 uses a checkbox that will require users to answer a question. In this tutorial we will focus on reCAPTCHA v2. Prerequisite This tutorial requires the following: Registered Google webmaster account Domain registered property in Google webmaster Created Google reCAPTCHA account – https://www.google.com/recaptcha/admin/ Knowledge of Go’s build toolchain Required site and secret keys ...

December 18, 2022 · John Pili
embed-resources-in-go.webp

Embed Resources in Go

The go:embed feature was introduce in Go 1.16. It lets you embed resources into the compiled application. Prior to version 1.16, developers uses external tooling to do this. With go:embed you can embed images, webpages, email templates, predefined SQL statements or an entire directory. That’s neat! Usage Examples Embedding a text file in a string //go:embed version.txt var version string Embedding a binary file //go:embed product-catalog.pdf var catalog []byte Embedding a directory filesystem //go:embed template/* var templateFS fs.FS Embedded resources in httprouter Project Structure ...

December 18, 2022
Python batch file MD5 checksum generator and checker

Python batch file MD5 checksum generator and checker

I am backing-up a large number of files to another computer when this idea came to me to write a Python script that generate and validate batch MD5 checksum. Feel free to customize the script according to your needs.

March 2, 2022 · John Pili
python-rename-files-that-begins-with-matching-string.webp

Python rename files that begins with matching string

Do you want to rename a number of files that begins with a specific name or string? I wrote this small Python script that does that. Of course, you can also do this with Bash or Powershell. I hope somebody might find it useful. import os import sys from os import path parameters = sys.argv[1:] if len(parameters) == 0: print(f"usage: {sys.argv[0]} <startswith-string>") sys.exit(0) if len(parameters) > 0: for file in os.listdir(): if file.startswith(parameters[0]) and path.isfile(file): old_name = file new_name = file[len(parameters[0]):] print(f"Renaming {old_name} -> {new_name}") os.renames(old_name, new_name)

February 27, 2022 · John Pili
active-directory-useraccountcontrol-flags_2.webp

Active Directory userAccountControl flags

I was creating an Active Directory (AD) security auditing tool in Go and Python when I stumbled upon the UserAccountControl flags. This attribute can hold multiple statuses like ACCOUNTDISABLE, NORMAL_ACCOUNT, or DONT_EXPIRE_PASSWORD. It uses a bit-field; a bit-field is a group of bits with each bit representing a value. It is an efficient way of handling multiple statues of a record. A tool that helps identify the property flags. Since a bit-field can hold a range of values, I need a tool that can help me look up the value it represents. I created a simple JavaScript application that converts decimal values and maps them to corresponding property flags. ...

December 2, 2021 · John Pili
fix-raspberry-pi-ssh-freezing-issue.webp

Fix Raspberry Pi SSH freezing issue

If your SSH connection to your Raspberry Pi is freezing or unstable it could be because of OpenSSH TOS (Type of Service). To fix this, add IPQoS cs0 cs0 in the sshd configuration file. Open your /etc/ssh/sshd_config and add IPQoS cs0 cs0 at the bottom of the file. Please refer to the example configuration file below. # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none # Logging #SyslogFacility AUTH #LogLevel INFO # Authentication: #LoginGraceTime 2m #PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 #PubkeyAuthentication yes # Expect .ssh/authorized_keys2 to be disregarded by default in future. #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2 #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes #GSSAPIStrictAcceptorCheck yes #GSSAPIKeyExchange no # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding yes #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes PrintMotd no #PrintLastLog yes #TCPKeepAlive yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 #UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # Allow client to pass locale environment variables AcceptEnv LANG LC_* # override default of no subsystems Subsystem sftp /usr/lib/openssh/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs # X11Forwarding no # AllowTcpForwarding no # PermitTTY no # ForceCommand cvs server IPQoS cs0 cs0

November 9, 2021 · John Pili
setup-static-ip-address-in-debian-linux.webp

Setup Static IP Address in Debian Linux

Setting up a static IP address in Debian Linux is straightforward. In this guide, I will be configuring the IP address using the old way (ifconfig) and requires that you have system administration rights to do the following steps: Open the network interface file with the following command: sudo vi /etc/network/interfaces Once opened, you might see something similar like this Your interface label might be different from the example but in this case we are interested in making interface ens33 to have a static IP. I configured interface ens33 as follows: ...

June 12, 2021 · John Pili
Allow user or group to run sudo on specific applications in Linux

Allow user or group to run sudo on specific applications in Linux

In some situation, we may want to delegate a sudo capability to Linux users or groups without completely giving them full access to the operating system. We can achieve this by using User_Alias inside the /etc/sudoers configuration file. I will share the simple settings that I used in my RHEL server. ## Sudoers allows particular users to run various commands as ## the root user, without needing the root password. ## ## Examples are provided at the bottom of the file for collections ## of related commands, which can then be delegated out to particular ## users or groups. ## ## This file must be edited with the 'visudo' command. ## Host Aliases ## Groups of machines. You may prefer to use hostnames (perhaps using ## wildcards for entire domains) or IP addresses instead. # Host_Alias FILESERVERS = fs1, fs2 # Host_Alias MAILSERVERS = smtp, smtp2 ## User Aliases ## These aren't often necessary, as you can use regular groups ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname ## rather than USERALIAS # User_Alias ADMINS = jsmith, mikem User_Alias POWERUSERS = piotr.pawlowski, martin.marshall POWERUSERS ALL=(ALL) NOPASSWD: /sbin/reboot ## Command Aliases ## These are groups of related commands... ## Networking # Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool ## Installation and management of software # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum ## Services # Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable ## Updating the locate database # Cmnd_Alias LOCATE = /usr/bin/updatedb ## Storage # Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount ## Delegating permissions # Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes # Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall ## Drivers # Cmnd_Alias DRIVERS = /sbin/modprobe # Defaults specification # # Refuse to run if unable to disable echo on the tty. # Defaults !visiblepw # # Preserving HOME has security implications since many programs # use it when searching for configuration files. Note that HOME # is already set when the the env_reset option is enabled, so # this option is only effective for configurations where either # env_reset is disabled or HOME is present in the env_keep list. # Defaults always_set_home Defaults match_group_by_gid # Prior to version 1.8.15, groups listed in sudoers that were not # found in the system group database were passed to the group # plugin, if any. Starting with 1.8.15, only groups of the form # %:group are resolved via the group plugin by default. # We enable always_query_group_plugin to restore old behavior. # Disable this option for new behavior. Defaults always_query_group_plugin Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" # # Adding HOME to env_keep may enable a user to run unrestricted # commands via sudo. # # Defaults env_keep += "HOME" Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin ## Next comes the main part: which users can run what software on ## which machines (the sudoers file can be shared between multiple ## systems). ## Syntax: ## ## user MACHINE=COMMANDS ## ## The COMMANDS section may have other options added to it. ## ## Allow root to run any commands anywhere root ALL=(ALL) ALL ## Allows members of the 'sys' group to run networking, software, ## service management apps and more. # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL ## Allows members of the users group to mount and unmount the ## cdrom as root # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom ## Allows members of the users group to shutdown this system # %users localhost=/sbin/shutdown -h now %psi ALL=(ALL) NOPASSWD: /bin/systemctl start db-replication.service %psi ALL=(ALL) NOPASSWD: /bin/systemctl stop db-replication.service %psi ALL=(ALL) NOPASSWD: /bin/systemctl restart db-replication.service %psi ALL=(ALL) NOPASSWD: /bin/systemctl status db-replication.service ## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) #includedir /etc/sudoers.d The configuration before handles the individual User_Alias. It assigns users under the alias name POWERUSERS and we let those user reboot the system without asking for password. ...

May 2, 2021 · John Pili