Blog hosted by Yves and Iris :-)


Thursday 20 April 2017

Git is available again

When I set up gitolite on my server for Git access through SSH, of course I did test that cloning worked from outside my network. That was for my Paperweb project.

Later I configured port-knocking on the server to get rid of bot-based authentication attempts that were polluting my log files. Unfortunately, at this time, the “outside” server on which I have an account was down, so I could not leave my network to check that all was fine; from the inside of the network, all worked like a charm, though!

Same situation when someone asked me for the Paperweb code by e-mail because they could not get it the normal Git way. I had no idea that port-knocking was the problem: from my side of the firewall, all worked correctly…

Read more...

Wednesday 8 June 2016

Light-weight port-knocking to protect SSH

A bit more than a year ago, I hardened my SSH server, which resulted in the near-disappearance of automated SSH login attempts. Alas, the script-kiddie tools have finally caught up with the current state of cryptography; or at least with the level of cryptography that I dare require, and still maintain compatibility with most devices that I use.

Fail2ban, although dormant all this time, still ran like the ever-vigilant Argos, and resumed its usual work as the attacks came back. But I do not like relying solely on fail2ban. So I decided to add port-knocking as a protection.

Read more...

Monday 3 August 2015

Lightweight file synchronization for ownCloud and WebDAV

I recently started using ownCloud for file synchronization. In the end, despite a few minor problems, the experience is really satisfying, so much so that I moved my entire “personal cloud”, previously on an NFS share, to ownCloud. However, while the standard ownCloud client is fine when it is available, it is not always available. In particular:

  • I carry with me on a USB stick a lightweight Linux desktop based on TinyCore Linux, for which this client does not exist.
  • I also own an old laptop that has to make do with an obsolete operating system because of a buggy video component that no newer system supports (even though the same graphics component reference in another laptop is perfectly supported…).

For such situations, I tried using DavFS, which turned out to be far too slow; it is still a good second choice, though. Then I tried the Java program WebDAV-Sync, but although it performed the initial import correctly, one cannot say that synchronization really worked: the whole data set was downloaded again in full on every new synchronization attempt!

So I created my own synchronization tool, whose only dependencies are curl and bash, and optionally ssh. These dependencies are available everywhere, even on Windows and some embedded systems ;-)

This article is also available in English.

Read more...

Sunday 2 August 2015

Lightweight file synchronization for ownCloud and WebDAV

I recently began using ownCloud for file synchronization. All in all, although there are some minor hindrances, the experience is really satisfying. So much so, that I moved all my “personal cloud” data to ownCloud, from the previous NFS share. However, although the regular ownCloud client is just fine where available, it is not available everywhere. In particular:

  • I carry around on a USB stick a lightweight Linux desktop based on TinyCore Linux, for which the client is not available.
  • I also have an old laptop that is stuck with an obsolete operating system because the video chipset is buggy, and no newer OS will support it (even though the “same” chipset reference in another laptop works just fine…).

For these situations, I tried using DavFS, but this solution was much too slow; it is a great fall-back, though. Next I tried the Java program WebDAV-Sync, but although the initial download went fine, sync did not work all that well: the whole share was fully downloaded again each time!

So I created my own synchronization tool, the only dependencies of which are curl and bash, and optionally ssh. These dependencies are available everywhere, including Windows and some embedded systems ;-)

This article has been translated into French.

Read more...

Tuesday 13 January 2015

Hardened SSH server

I strongly suggest that you heed the advice from stribika’s page on securing the Secure Shell (SSH), the aim of which is to make your SSH server safe from the NSA; or so they say…

This article is also available in French.

Read more...

Monday 12 January 2015

A hardened SSH server

I strongly advise you to follow the recommendations of stribika’s page on “Secure Secure Shell”, or “Secure SSH”, which aim to make the SSH server secure enough to withstand the NSA, or so they say…

This article has been translated to English.

Read more...

Saturday 22 February 2014

Multiplex SSH and HTTPS on a single port

I want to allow both SSH and HTTPS on port 443 of my server, because port 22 is often blocked by firewalls. The usual tool for this task is the excellent sslh tool, which can recognize SSH and HTTPS connections, but also HTTP, OpenVPN, tinc, and XMPP! Besides, sslh does not rely only on the “who speaks first, server or client?” technique, which makes it compatible with more SSH clients; an excellent port multiplexer indeed!

There is one drawback, though: sslh listens to a port on the server, receives an incoming connection from a remote client, detects the protocol, and then forwards packets for this connection to the adequate service; the problem is that the latter is seeing packets coming from the server itself (usually localhost), not from the IP address of the remote client.

Read more...