• 30.Dec.08
    rsync with ssh-rsa+authorized_keys security, shell | pfortuny | (0)
    Much like explained in a previous post, one can use a passwordless RSA key to set up a cron job doing an rsync of one's computer on a remote server, via ssh. The relevant part of the authorized_keys file is (everything in the same line): command="rsync --server -vlogDtpr . /home/pfortuny/backup/",no-port-forwarding, no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa ..... Taking into account that the -vlogDtpr depends on the specific options of the rsync command you issue. In my case, the script is simply (right now) $ cat ./bin/ #!/bin/sh cd /home/pfortuny /usr/bin/rsync -av -e "ssh -i /home/pfortuny/.ssh/backup_key" --filter ": .rsync.dirs" \ ~/ pfortuny@remote.server.mine:"~/backup/" Comments: The option -av is expanded to -vlogDtpr on the server, ...
  • 18.Dec.08
    Cron job every 5 minutes automated, cmd, security | pfortuny | (0)
    $ cat < /var/cron/tabs/pfortuny */5 * * * * /usr/bin/my_task The specified task is run every 5 minutes.
  • 20.Nov.08
    pf, OpenBSD’s [p]acket [f]ilter (2) network, security | pfortuny | (1)
    We introduced OpenBSD's pf in a previous post. In the present one, we are going to start commenting a full-featured firewall configuration which uses quite a few of pf's functionalities: macros, lists, anchors... As we said then, OpenBSD's FAQ contains the complete and detailed documentation. Here is the complete set [but for those related to authpf] of firewall rules, usually stored at /etc/pf.conf (bear with me for the long quote, but I'd rather comment a complete file than do it in parts). # 0) Start: macros and tables ext_if="rl0" int_if="vr0" ext_services = "{smtp www 222}" in_services = "{ssh smtp domain www}" always_open ...
  • 02.Nov.08
    pf, OpenBSD’s [p]acket [f]ilter (1) network, security | pfortuny | (1)
    When anyone has asked me in the last two years about installing a firewall at his LAN's border, I have always recommended them OpenBSD's packet filter pf. I discovered OpenBSD a couple of years ago while designing a hall of residence's local network and firewall. I was by then quite tired of Linux's netfilter/iptables and the first time I read about pf, I fell in love with it. We are now more accustomed to this, but when I saw that you could write firewall rules like pass in on $ext_if proto tcp from any port 80 to $ext_if I knew I had found ...
  • 27.Oct.08
    Encryption the old-fashioned way: ccrypt security | pfortuny | (0)
    For encrypting small text files, I use ccrypt, a nifty utility which uses Rijndael-256 (aka AES-256) and just does it work as it is supposed to do. $ ccrypt -e my_file Asks you for a password twice, encrypts my_file (naming the new encrypted file my_file.cpt) and overwrites the old my_file (however, notice that journaling filesystems like ext3 or non-block filesystems might keep some or all the data elsewhere). $ ccrypt -d my_file.cpt Asks for the password and, if correct, decrypts my_file.cpt as my_file (and deletes my_file.cpt). A more useful option for small text files is: $ ccrypt -c my_file.cpt which, after asking for the password, sends the ...
  • 17.Oct.08
    DHCP, inverted commas and ssh with RSA automated, security | pfortuny | (1)
    There is a server I manage (called alex) which has not a fixed IP. As you know, I have a shell at the best Unix server out there (by the way, it is almost free. The problem is to keep an up-to-date record of the first server's IP address. I do it as follows (and yes, I know timtowtdi). What I did was: Create an RSA public/private key pair at alex: alex $ ssh-keygen -N'' -f 'id_alex' -t rsa which creates the files id_alex and Create a cron job for my account at alex which looks like 5,10,15,20,25,30,35,40,45,50,55,0 * * * * /usr/bin/ssh -i ...