Random notes
I needed a quick email to go out from my server so I decided to install mailx.
Found out that s-nail is the new package name.
I’m the only one for this system so I went ahead with a global setting.
1.) dnf -y s-nail
2.) vi /etc/s-nail.rc
#v15 settings compatibility
set v15-compat
#smtp config
set mta=smtp://USERNAME:PASSWORD@SMTP_HOSTNAME \
smtp-use-starttls
set from="mail@mail.com"3.) Test sending an email out
echo "Body Here" | s-nail -s "Subject Here" Recipient@mail.comThe best solution to counter brute force attacks would to maintaining a allowed list of static IPs + limiting ssh access to ssh key pairs. This was the plan until I wanted to use Github actions to remote into my server. I decided to counter the ssh brute force attacks with fail2ban.
---1 install package
dnf install fail2ban
---2 enable service and check status
systemctl enable fail2ban
systemctl start fail2ban
systemctl status fail2ban
---3 setup configuration file (/etc/fail2ban/jail.local)
----- Change values accordingly. action= is taken from the conf
----- action templates from (/etc/fail2ban/action.d/)
/etc/fail2ban # cat jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
# 3600 1 hour
findtime = 3600
#bantime = 3600
bantime = 604800
action = firewallcmd-rich-rules[blocktype=reject, protocol=tcp]
---4 restart fail2ban
systemctl restart fail2ban
systemctl status fail2ban
You could manually test ban/unban to see check if firewall rules have changed.
fail2ban-client set sshd banip IPADDRESS
fail2ban-client set sshd unbanip IPADDRESS
firewall-cmd --list-rich-rules— I used keychain for the ssh-agent wrapper to load key. (dnf install keychain)
1.) Create ssh key pair.
2.) Add ssh pub key to your github’s “SSH and GPG keys” (.pub file) Configure permission settings as needed.
3.) Test github connection using the ssh key you’ve created earlier.
4.) Edit your .bashrc file to have your session load the key everytime you login.
(Not secure to store key locally, but the way I see it, you are toast if you’re system has been hacked.)
5.) Login and check if keychain is loaded and github connection is working properly.
1.) ssh-keygen to create ssh key pair.
btro@~/.ssh $ ssh-keygen -t ed25519 -C "test@test.com"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/btro/.ssh/id_ed25519): test_ed25519
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test_ed25519
Your public key has been saved in test_ed25519.pub
The key fingerprint is:
SHA256:mYiX0FNr4dKdwRHNYbW/uk8Nzoy9n9pKQklTuKZk0po test@test.com
The key's randomart image is:
+--[ED25519 256]--+
| o.+=++. |
| . + +.=+ . |
| . + * oo. . |
| o B *.oo . |
| . + S oo . .|
| . E .. * .o|
| ...=o.|
| o +..|
| =*=.|
+----[SHA256]-----+
btro@~/.ssh $ ls | grep test
test_ed25519
test_ed25519.pub
2.) Go to your “Settings” and “SSH and GPG keys” and add new SSH Key. Choose the .pub file you created in step 1.
3.) Once you’ve set your .pub file, test the connections from your host to github.
btro@~/.ssh $ ssh -i ./test_ed25519 git@github.com
PTY allocation request failed on channel 0
Hi! You've successfully authenticated, but GitHub does not provide shell access.4.) For persistent ssh key loading to your ssh-agent, add the following to your .bashrc’s end of file.
btro@~ $ cat .bashrc | grep eval
eval `keychain --eval --agents ssh ~/.ssh/test_ed25519`5.) Logout and log back in to your host, and confirm “ssh git@github.com” is responsive with the same results of step 3.