SSH dynamic black list

Slashdot is running a post on how bots are now trying higher ports for SSH password guessing. This is not a problem for those who use key-based authentication, but for those who have to keep password authentication enabled, there is plenty of good advice in the comments to the post. One of the comments provides this handy iptables-based dynamic black list:

iptables --new-chain SSHTHROTTLE
iptables --append SSHTHROTTLE --match recent --name bad_actors --update --seconds 86400 --jump DROP
iptables --append SSHTHROTTLE --match hashlimit --hashlimit-name ssh_throttle --hashlimit-upto 5/hour --hashlimit-mode srcip --hashlimit-burst 2 --jump ACCEPT
iptables --append SSHTHROTTLE --match recent --name bad_actors --set --jump DROP
iptables --append INPUT --in-interface ext+ --proto tcp --match conntrack --ctstate NEW --dport 22 --syn --jump SSHTHROTTLE

I haven’t tried it out myself yet, but I’m saving it here for the next time I have a server with password-based SSH authentication.
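To see how the three SSHTHROTTLE rules interact, here is a small Python model of the chain. It is an added example, not part of the Slashdot comment and not kernel code: the hashlimit match is approximated as a per-source token bucket, and the class name, function names and sample addresses are constructed for illustration.

```python
# Added example: simplified model of the SSHTHROTTLE chain (not kernel code).
BAN_SECONDS = 86400          # --seconds 86400 on the "recent" rule
BURST = 2                    # --hashlimit-burst 2
REFILL_SECONDS = 3600 / 5    # --hashlimit-upto 5/hour -> one token per 720 s


class SshThrottle:
    def __init__(self):
        self.last_seen = {}   # "bad_actors" list: source IP -> last-seen time
        self.buckets = {}     # hashlimit state: source IP -> (tokens, time)

    def verdict(self, src, now):
        """Return 'ACCEPT' or 'DROP' for a new connection from src at time now."""
        # Rule 1: --update matches a listed source seen in the last 24 h and
        # refreshes its timestamp, so every retry restarts the ban window.
        seen = self.last_seen.get(src)
        if seen is not None and now - seen <= BAN_SECONDS:
            self.last_seen[src] = now
            return "DROP"
        # Rule 2: per-source token bucket (--hashlimit-mode srcip), assumed model.
        tokens, stamp = self.buckets.get(src, (float(BURST), now))
        tokens = min(BURST, tokens + (now - stamp) / REFILL_SECONDS)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return "ACCEPT"
        self.buckets[src] = (tokens, now)
        # Rule 3: over the limit, so --set records the source and drops it.
        self.last_seen[src] = now
        return "DROP"


def replay(events):
    """Run constructed (time_in_seconds, source_ip) events through the chain."""
    chain = SshThrottle()
    return [(t, src, chain.verdict(src, t)) for t, src in sorted(events)]


# Constructed sample traffic; addresses are from the documentation ranges.
SAMPLE = [
    (0, "203.0.113.7"), (10, "203.0.113.7"), (20, "203.0.113.7"),  # 3 quick tries
    (3600, "203.0.113.7"),    # retry an hour later: still banned, ban refreshed
    (86500, "203.0.113.7"),   # < 24 h after the refresh at 3600: still banned
    (0, "198.51.100.9"), (800, "198.51.100.9"), (1600, "198.51.100.9"),  # paced
]

if __name__ == "__main__":
    for t, src, v in replay(SAMPLE):
        print(f"{t:>6}s {src:<13} {v}")
```

The replay shows the operational caveat: a third quick connection from the same address, including a legitimate user's, lands on the list, and each retry during the ban pushes its expiry back another 24 hours.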

Redmine email notifications with Exim

When configuring Redmine project management to send email notifications using the Exim MTA, you might end up with test emails bouncing because no recipients are specified. It’s a bit tricky to debug, but, fortunately, quite easy to fix. The problem comes from different implementations of “-t” option handling for /usr/sbin/sendmail. Redmine uses this option to specify message recipients on the command line. However, Exim by default uses a different behavior, where it gets recipients from the message headers and removes from that list the recipients which are provided on the command line with the “-t” option.

The solution to the problem is very simple: just add the following line to your /etc/exim/exim.conf file, as per this FAQ:

extract_addresses_remove_arguments = false

DriveDroid

This seems handy.  Description from the app page:

DriveDroid allows you to boot your PC from ISO/IMG files stored on your phone. This is ideal for trying Linux distributions or always having a rescue-system on the go… without the need to burn different CDs or USB pendrives.

DriveDroid also includes a convenient download menu where you can download USB-images of a number of operating systems from your phone.

You can also create USB-images which allows you to have a blank USB-drive where you can store files in. Another possibility is to use tools on your PC to make a bootable USB-drive out of the blank image that DriveDroid created.

Installing Linux on the Chromebook Pixel

From this point forward, every time you boot, it’s going to say that Chrome OS can’t be found or something similarly alarming like that, just ignore and hit Ctrl-D or wait 30 seconds to boot into Chrome OS. But that won’t be relevant for long as we’re going to wipe it off the machine below :-)