Re: [gentoo-user] {OT} backups... still backups....

2013-07-18 Thread Grant
 You're welcome. A pull system does rely on the server being secure, which
 is why I don't use it for offsite backups to the cloud :-O

 Wouldn't a push/pull combination be a good compromise?

 The remote servers push their backups to their own location on a staging
 server.
 The backup-storage server then pulls the backups from there.

 The staging can then be a VM with the real backups being moved onto
 host-storage where the VM has no access to.

 This way, when the staging is compromised, only the latest backup can be
 accessed.
 When the remote server is compromised, only the latest backup can
 potentially be overwritten.
 But, the actual backups can not be accessed as the host will not have any
 outgoing connectivity and when the backups are being pulled, the VM will
 be stopped to allow access to the disk containing the backups.

 Following would be the steps:
 1) remote server(s) push backup to the VM
 2) host shuts down VM
 3) host mounts backup-store of VM locally
 4) host takes a backup of the backup-store
 5) host starts VM

 By using LVM snapshots, the downtime of the VM can be significantly reduced.
 Additionally, the VM OS and software can be restored from a known-good
 copy prior to each restart and the VM can be configured to only be running
 during the backup-window of the remote systems. This would then
 significantly reduce the window of opportunity for any security breach
 attempts.

I think I follow. :)  Do you think that would be better than having
the clients push to the backup server via rsync, then having the
backup server update an rdiff-backup repository that the clients have
no access to, then having another system pull from the backup server's
rsynced data and create its own rdiff-backup repository?  To me that
seems like it would have the right combination of security,
redundancy, and simplicity.

- Grant



Re: [gentoo-user] Locking down a user with a shell account and SSH access

2013-07-18 Thread Grant
 My backup user needs a shell on the backup server in order to execute
 rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
 order to SSH in.  My authorized_keys file is locked-down.  The second
 field for the user in /etc/shadow is an exclamation point which I
 think means the user can not log in with a password.  Should I take
 any additional steps to prevent that user from logging in and not
 being subject to the authorized_keys restrictions?

 What about PasswordAuthentication no?

 Can that be set for a single user?  I have a normal user who needs to
 log in via SSH with a password and a backup user who only needs to run
 rsync via SSH keys.  If not, does the exclamation point in /etc/shadow
 prevent the user from logging in without the SSH key?

 Depends.

 The user doesn't have a Unix password, so if the system prompts for one
 it cannot succeed and the login fails.

 But sshd has other implementations for authentication too, not just
 classic Unix. If it uses PAM, then PAM could in theory do anything, even
 using AD to authenticate with a password.

 So if your sshd config uses Unix passwords and keys ONLY (this is the
 norm), then what you describe above does what you want. To be sure, you
 need to audit sshd_config and your pam setup

Here is my entire sshd_config:

PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
AllowUsers user1 user2

That must be the Gentoo-default except for the last line, correct?
How is this config if I want user1 to login with a password and user2
has no password in /etc/shadow and automatically logs in via
authorized_keys to rsync?

- Grant



Re: [gentoo-user] Locking down a user with a shell account and SSH access

2013-07-18 Thread Alan McKinnon
On 18/07/2013 18:21, Grant wrote:
 My backup user needs a shell on the backup server in order to execute
 rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
 order to SSH in.  My authorized_keys file is locked-down.  The second
 field for the user in /etc/shadow is an exclamation point which I
 think means the user can not log in with a password.  Should I take
 any additional steps to prevent that user from logging in and not
 being subject to the authorized_keys restrictions?

 What about PasswordAuthentication no?

 Can that be set for a single user?  I have a normal user who needs to
 log in via SSH with a password and a backup user who only needs to run
 rsync via SSH keys.  If not, does the exclamation point in /etc/shadow
 prevent the user from logging in without the SSH key?

 Depends.

 The user doesn't have a Unix password, so if the system prompts for one
 it cannot succeed and the login fails.

 But sshd has other implementations for authentication too, not just
 classic Unix. If it uses PAM, then PAM could in theory do anything, even
 using AD to authenticate with a password.

 So if your sshd config uses Unix passwords and keys ONLY (this is the
 norm), then what you describe above does what you want. To be sure, you
 need to audit sshd_config and your pam setup
 
 Here is my entire sshd_config:
 
 PasswordAuthentication no
 UsePAM yes
 PrintMotd no
 PrintLastLog no
 Subsystem sftp /usr/lib64/misc/sftp-server
 AllowUsers user1 user2
 
 That must be the Gentoo-default except for the last line, correct?
 How is this config if I want user1 to login with a password and user2
 has no password in /etc/shadow and automatically logs in via
 authorized_keys to rsync?


Gentoo default uses a conventional PAM setup so set

PasswordAuthentication yes
PubkeyAuthentication yes

and it should work.

I don't know of any way to configure per-user auth types in sshd_config
itself, so I recommend you define exactly what you want to accomplish:

do you want to give one user a password and no key, and the other user a
key but no password, and have it just work regardless? This would be the
convenience approach

or do you want to enforce the auth method that a specific user must use?
This would be the security approach and is considerably more difficult



-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] Locking down a user with a shell account and SSH access

2013-07-18 Thread Paul Hartman
On Mon, Jul 1, 2013 at 6:24 PM, Grant emailgr...@gmail.com wrote:
 My backup user needs a shell on the backup server in order to execute
 rsync and needs to be included in /etc/ssh/sshd_config AllowUsers in
 order to SSH in.  My authorized_keys file is locked-down.  The second
 field for the user in /etc/shadow is an exclamation point which I
 think means the user can not log in with a password.  Should I take
 any additional steps to prevent that user from logging in and not
 being subject to the authorized_keys restrictions?

There are a few distinct problems and solutions that come to mind.
Here's my take as an uncertified non-expert:

Problem: I want different SSHD config for different users
Solution: use the Match directive in sshd_config (as Adam already
pointed out) and enable or disable password authentication for users
who are exceptions to the system-wide setting

Problem: I don't want the backup user to be able to login using a
password anywhere except ssh
Solution 1: set the password to an * in /etc/shadow (disabled password
login permanently)
Solution 2: prefix the existing password with an ! in /etc/shadow
(this disables pw login temporarily, remove the ! to restore the
password)
Solution 3: set the user's shell to /sbin/nologin in /etc/passwd
Note: there are slight differences between these approaches, see man
5 passwd for details

Problem: backup user should only be allowed to run the rsync command
Solution 1: set a forced command in sshd_config for that user
Solution 2: set a forced command in authorized_keys for that key

I think if you combine that with what you've already done, that user
should be well and truly locked down. That is based on using the
standard Gentoo configuration... I'm sure there are 1000 different
ways to do it and probably a lot of them better than what I suggested,
so take it FWIW. :)
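
The Match approach from the message above, applied to the sshd_config Grant posted, as an added example that is not part of the thread: a small Python resolver that mimics how sshd picks per-user settings (first value wins within a section, Match blocks override the global section). The Match blocks, the wrapper path /usr/local/bin/backup-rsync-wrapper and all function names are assumptions; only the User criterion is modelled, and keyboard-interactive prompts through PAM are not.

```python
import fnmatch

# sshd_config as posted in the thread.
POSTED = """\
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
Subsystem sftp /usr/lib64/misc/sftp-server
AllowUsers user1 user2
"""

# Constructed variant: the same file plus per-user Match blocks.
# The ForceCommand path is a hypothetical wrapper script.
WITH_MATCH = POSTED + """
Match User user1
    PasswordAuthentication yes

Match User user2
    AuthenticationMethods publickey
    ForceCommand /usr/local/bin/backup-rsync-wrapper
"""


def parse(text):
    """Split a config into global options and an ordered list of Match blocks."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
        else:
            # Within one section the first value given for a keyword is kept.
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks


def block_applies(criteria, user):
    """Evaluate 'Match all' and 'Match User <patterns>'; other criteria never apply here."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    if len(tokens) != 2 or tokens[0].lower() != "user":
        return False
    patterns = tokens[1].split(",")
    if any(p.startswith("!") and fnmatch.fnmatchcase(user, p[1:]) for p in patterns):
        return False  # a negated pattern that matches vetoes the block
    return any(not p.startswith("!") and fnmatch.fnmatchcase(user, p) for p in patterns)


def effective(text, user):
    """Settings that apply to `user`: matching Match blocks override the global section."""
    global_opts, blocks = parse(text)
    matched = {}
    for criteria, opts in blocks:
        if block_applies(criteria, user):
            for key, value in opts.items():
                matched.setdefault(key, value)  # earliest matching block wins
    return {**global_opts, **matched}


def allows_password(text, user):
    """True if the 'password' method can complete a login for this user."""
    opts = effective(text, user)
    if opts.get("passwordauthentication", "yes").lower() != "yes":
        return False
    methods = opts.get("authenticationmethods", "any")
    if methods.lower() == "any":
        return True
    # Space-separated alternatives, each a comma-separated list of method names.
    return any("password" in alt.split(",") for alt in methods.split())


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("with Match", WITH_MATCH)):
        for user in ("user1", "user2"):
            print(name, user, "password login:", allows_password(cfg, user))
```

On a real host, sshd's extended test mode (sshd -T with a -C connection spec such as user=user2) prints the settings sshd itself resolves, which is the authoritative check.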



[gentoo-user] SSD partitioning and migration

2013-07-18 Thread luis jure


hello list,

i want to migrate my system, currently in a HD, to a new SSD. i thought it
would be easy, but i decided to read a little before partitioning the disk
(my first SSD) and now i'm really confused...

i intend to have only two partitions in the SSD: one for / and the other
for /home. i have another HD for storage, where i'm going to put swap.

apparently it's better to use a GPT partitioning. are there any catches i
should take into account? what about grub, can i just install it later on
the ssd?

thanks for any comment or pointers, i found so many different guides
saying different things that i'm really confused.


best,


lj




Re: [gentoo-user] SSD partitioning and migration

2013-07-18 Thread Davide De Prisco
I used SSDs from workstation to server. I created partitions with fdisk and
then I usually push all in with dd from the old disk. For the grub you can
install it like a normal disk. If you want you can install a new system and
then copy the home directory. The only directory that you can put on a
normal disk is the portage's temp compiling dir. I saw on the WWW that
someone is still working on a new filesystem that can be better to use
with the ssd but I never tested it.
Good work.
Davide
On 18 Jul 2013 23:23, luis jure l...@internet.com.uy wrote:



 hello list,

 i want to migrate my system, currently in a HD, to a new SSD. i thought it
 would be easy, but i decided to read a little before partitioning the disk
 (my first SSD) and now i'm really confused...

 i intend to have only two partitions in the SSD: one for / and the other
 for /home. i have another HD for storage, where i'm going to put swap.

 apparently it's better to use a GPT partitioning. are there any catches i
 should take into account? what about grub, can i just install it later on
 the ssd?

 thanks for any comment or pointers, i found so many different guides
 saying different things that i'm really confused.


 best,


 lj





Re: [gentoo-user] SSD partitioning and migration

2013-07-18 Thread luis jure
on 2013-07-18 at 23:40 Davide De Prisco wrote:


 I created partitions with fdisk and then I usually push all in with dd
 from the old disk. For the grub you can install it like a normal disk.

did you use GPT or plain old MBR? so there's nothing special with grub and
gpt partitioned disks?

thanks for your answer,


lj



[gentoo-user]

2013-07-18 Thread kyd . is . back
Date: Thu, 18 Jul 2013 19:16:01 -0300
From: pizta...@crow.satelite.com
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] SSD partitioning and migration
fdisk isn't compatible with GPT.

---
On Thu, Jul 18, 2013 at 07:08:32PM -0300, luis jure wrote:
 on 2013-07-18 at 23:40 Davide De Prisco wrote:

  I created partitions with fdisk and then I usually push all in with dd
  from the old disk. For the grub you can install it like a normal disk.

 did you use GPT or plain old MBR? so there's nothing special with grub and
 gpt partitioned disks?

 thanks for your answer,

 lj

-
Kyd
-




Re: [gentoo-user] SSD partitioning and migration

2013-07-18 Thread Paul Hartman
On Thu, Jul 18, 2013 at 4:22 PM, luis jure l...@internet.com.uy wrote:


 hello list,

Hi!

 i want to migrate my system, currently in a HD, to a new SSD. i thought it
 would be easy, but i decided to read a little before partitioning the disk
 (my first SSD) and now i'm really confused...

 i intend to have only two partitions in the SSD: one for / and the other
 for /home. i have another HD for storage, where i'm going to put swap.

Sounds like a good plan. I used the same strategy here.

 apparently it's better to use a GPT partitioning. are there any catches i
 should take into account? what about grub, can i just install it later on
 the ssd?

GPT is not required, if you use MBR it should work just as well. If
you use GPT you must enable GUID partition table support in your
kernel and ensure your boot loader supports it.

 thanks for any comment or pointers, i found so many different guides
 saying different things that i'm really confused.

Here are the basic steps I used for doing the same thing:

1. partition SSD (start sector at a multiple of 1MB to ensure proper alignment)
2. format new partitions using discard-capable filesystem like ext4, xfs, btrfs
3. mount them in a temporary mount point
4. rsync your filesystem from old drive to new drive
5. edit /etc/fstab on the new drive to use the new mount points
6. edit boot loader config to point to correct drive
7. install boot loader on new drive if it becomes your new boot device
8. (optionally) swap drive cables so the new drive shows up first if
it is your new boot device

Depending on whether you use UUID, labels, or device names you may not
need to change names or swap cables in your computer so drives show up
in the correct order.

Good luck :)



[gentoo-user] syslog-ng segfaults

2013-07-18 Thread Randy Barlow
I saw that there were a couple of syslog-ng threads recently, but
neither of them mentioned any segfaulting which I am currently
experiencing. My log file (dmesg and /var/log/messages) is full of lines
like this:

syslog-ng[32015]: segfault at 44d8 ip 7f4f3fa23c83 sp
7fffb233b940 error 4 in libsyslog-ng.so.0.0.0 (deleted)[7f4f3f9eb000
+67000]

Has anybody else seen anything like that?

-- 
R




Re: [gentoo-user] SSD partitioning and migration

2013-07-18 Thread William Kenworthy
On 19/07/13 06:23, Paul Hartman wrote:
 On Thu, Jul 18, 2013 at 4:22 PM, luis jure l...@internet.com.uy wrote:


 hello list,
 
 Hi!
 
 i want to migrate my system, currently in a HD, to a new SSD. i thought it
 would be easy, but i decided to read a little before partitioning the disk
 (my first SSD) and now i'm really confused...

 i intend to have only two partitions in the SSD: one for / and the other
 for /home. i have another HD for storage, where i'm going to put swap.
 
 Sounds like a good plan. I used the same strategy here.
 
 apparently it's better to use a GPT partitioning. are there any catches i
 should take into account? what about grub, can i just install it later on
 the ssd?
 
 GPT is not required, if you use MBR it should work just as well. If
 you use GPT you must enable GUID partition table support in your
 kernel and ensure your boot loader supports it.
 
 thanks for any comment or pointers, i found so many different guides
 saying different things that i'm really confused.
 
 Here are the basic steps I used for doing the same thing:
 
 1. partition SSD (start sector at a multiple of 1MB to ensure proper 
 alignment)
 2. format new partitions using discard-capable filesystem like ext4, xfs, 
 btrfs
 3. mount them in a temporary mount point
 4. rsync your filesystem from old drive to new drive
 5. edit /etc/fstab on the new drive to use the new mount points
 6. edit boot loader config to point to correct drive
 7. install boot loader on new drive if it becomes your new boot device
 8. (optionally) swap drive cables so the new drive shows up first if
 it is your new boot device
 
 Depending on whether you use UUID, labels, or device names you may not
 need to change names or swap cables in your computer so drives show up
 in the correct order.
 
 Good luck :)
 

Apple laptop (ssd only) - boot, swap and /.  btrfs, very fast and stable
but only gets light use.

Storage server for data and VM's with an (intel) ssd for boot, swap and
OS with data on WD 2G green drives (ceph cluster).  btrfs was a
disaster, ext4 is holding up ok but being an ssd I can't use reiserfs
which is my first choice, particularly where a filesystem gets hammered.
 I tried a number of configurations and the ceph journals are a lot
faster on ssd, and swap on ssd is also a big speedup (including
hibernate/resume).  Been running for a few months now.

With the apple I don't get a choice where to put swap (which even with 8G
ram gets used) but tests between the server ssd and a 1rpm spinner
sees the ssd win hands down most of the time.  The ceph journals are
definitely slower on spinner ... but did seem less prone to disaster.

My main point is ssd's are fast, but make sure you have good backups if
you are stressing them :)

BillK





Re: [gentoo-user] syslog-ng segfaults

2013-07-18 Thread Randy Barlow
On Thu, 2013-07-18 at 18:41 -0400, Randy Barlow wrote:
 I saw that there were a couple of syslog-ng threads recently, but
 neither of them mentioned any segfaulting which I am currently
 experiencing. My log file (dmesg and /var/log/messages) is full of lines
 like this:
 
 syslog-ng[32015]: segfault at 44d8 ip 7f4f3fa23c83 sp
 7fffb233b940 error 4 in libsyslog-ng.so.0.0.0 (deleted)[7f4f3f9eb000
 +67000]

I forgot to mention my version:

$ equery list syslog-ng
 * Searching for syslog-ng ...
[IP-] [  ] app-admin/syslog-ng-3.4.2:0

-- 
R




Re: [gentoo-user] syslog-ng segfaults

2013-07-18 Thread Bruce Hill
On Thu, Jul 18, 2013 at 06:41:14PM -0400, Randy Barlow wrote:
 I saw that there were a couple of syslog-ng threads recently, but
 neither of them mentioned any segfaulting which I am currently
 experiencing. My log file (dmesg and /var/log/messages) is full of lines
 like this:
 
 syslog-ng[32015]: segfault at 44d8 ip 7f4f3fa23c83 sp
 7fffb233b940 error 4 in libsyslog-ng.so.0.0.0 (deleted)[7f4f3f9eb000
 +67000]
 
 Has anybody else seen anything like that?

Try changing the version at the top of the config file to the present version.
-- 
Happy Penguin Computers   ')
126 Fenco Drive   ( \
Tupelo, MS 38801   ^^
supp...@happypenguincomputers.com
662-269-2706 662-205-6424
http://happypenguincomputers.com/

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting



Re: [gentoo-user] syslog-ng segfaults

2013-07-18 Thread Bruce Hill
On Thu, Jul 18, 2013 at 06:41:14PM -0400, Randy Barlow wrote:
 I saw that there were a couple of syslog-ng threads recently, but
 neither of them mentioned any segfaulting which I am currently
 experiencing. My log file (dmesg and /var/log/messages) is full of lines
 like this:
 
 syslog-ng[32015]: segfault at 44d8 ip 7f4f3fa23c83 sp
 7fffb233b940 error 4 in libsyslog-ng.so.0.0.0 (deleted)[7f4f3f9eb000
 +67000]
 
 Has anybody else seen anything like that?

If it wasn't clear before:

router ~ # diff /etc/syslog-ng/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf~
1c1
 @version: 3.4
---
 @version: 3.3
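
Review bot: the < and > direction markers are missing from the two @version lines, so which file holds which value has to be read from the argument order. syslog-ng.conf is the first argument, which puts @version: 3.4 (the line before ---) in the live config and @version: 3.3 in the syslog-ng.conf~ backup. The 1c1 header shows that line 1 is the only line that differs between the two files.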

Cheers,
Bruce



Re: [gentoo-user] syslog-ng segfaults

2013-07-18 Thread Randy Barlow
On Thu, 2013-07-18 at 17:49 -0500, Bruce Hill wrote:
 Try changing the version at the top of the config file to the present version.

It's at 3.4, and I have the gentoo default config. Thanks for the
suggestion!

-- 
R




Re: [gentoo-user] syslog-ng segfaults

2013-07-18 Thread Randy Barlow
On Thu, 2013-07-18 at 18:41 -0400, Randy Barlow wrote:
 Has anybody else seen anything like that?

I'll add in that this seems to be happening to all three of my x86_64
hosts. It does not appear to happen on my x86 host.

-- 
R




Re: [gentoo-user] [Solved] syslog-ng segfaults

2013-07-18 Thread Randy Barlow

Randy Barlow wrote:

I'll add in that this seems to be happening to all three of my x86_64
hosts. It does not appear to happen on my x86 host.


I rebooted one of the hosts that was experiencing this issue, and it did 
not return afterwards. This surprises me, as restarting the service did 
not solve the problem. I don't really know what was the cause, but it 
does appear to have gone away. I know that I have not rebooted since I 
upgraded to that particular version, so perhaps there is something odd 
that requires more than just a restart of syslog-ng.


Thanks to Bruce for help!

--
R



Re: [gentoo-user] SSD partitioning and migration

2013-07-18 Thread luis jure
on 2013-07-18 at 17:23 Paul Hartman wrote:


 Hi!

hi paul, thanks for your detailed answer!

 1. partition SSD (start sector at a multiple of 1MB to ensure proper
 alignment) 2. format new partitions using discard-capable filesystem
 like ext4, xfs, btrfs
yes and yes (using ext4)


 4. rsync your filesystem from old drive to new drive
yes, i found some info on that. i'm at that right now.


 5. edit /etc/fstab on the new drive to use the new mount points
yes, i'm using labels, so that part is easy.


 6. edit boot loader config to point to correct drive
 7. install boot loader on new drive if it becomes your new boot device
well, it's been a long time since i last installed a new system... i'll
have to re-check the docs about that.


best,


lj



Re: [gentoo-user] [Solved] syslog-ng segfaults

2013-07-18 Thread Dan Johansson
On 19.07.2013 02:53, Randy Barlow wrote:
 Randy Barlow wrote:
 I'll add in that this seems to be happening to all three of my x86_64
 hosts. It does not appear to happen on my x86 host.
 
 I rebooted one of the hosts that was experiencing this issue, and it did
 not return afterwards. This surprises me, as restarting the service did
 not solve the problem. I don't really know what was the cause, but it
 does appear to have gone away. I know that I have not rebooted since I
 upgraded to that particular version, so perhaps there is something odd
 that requires more than just a restart of syslog-ng.

Question: Is this a physical host or is it a virtual host running
under qemu?
Reason for my question is that recently the CPU-Id presented from qemu
in the guest has changed and if you have CFLAGS=-march=native then
some newly compiled SW could fail. One way to solve this is to change
the CFLAGS to -mtune=native and recompile the affected SW (or world).

-- 
Dan Johansson, http://www.dmj.nu
***
This message is printed on 100% recycled electrons!
***




Re: [gentoo-user] syslog-ng segfaults

2013-07-18 Thread Алексей Мишустин
2013/7/19 Randy Barlow ra...@electronsweatshop.com:
 I saw that there were a couple of syslog-ng threads recently, but
 neither of them mentioned any segfaulting which I am currently
 experiencing. My log file (dmesg and /var/log/messages) is full of lines
 like this:

 syslog-ng[32015]: segfault at 44d8 ip 7f4f3fa23c83 sp
 7fffb233b940 error 4 in libsyslog-ng.so.0.0.0 (deleted)[7f4f3f9eb000
 +67000]

 Has anybody else seen anything like that?

Yes, I had the same issue last Sunday.

On an x86_64 XEN-based VPS. It's gone after the reboot too. What the
CFLAGS are there, I don't remember. I'll check it.

-- 
Regards,
Alex