Archive for the ‘linux’ Category

SSH: Restricting Access: A Moat Around the Castle

Saturday, July 17th, 2010

Trim Castle Moat by Sean Munson
Here are two new-to-me techniques for keeping your server free from SSH brute force attacks by tuning up your /etc/ssh/sshd_config file. I know that using IP address based security is probably more secure, but I wanted to find a solution that could yield higher security without limiting IP addresses. I like to be able to access the machines I need to access without having to be at a specific location, or have a VPN, or ssh through a couple of machines before I can access the machine I need. I recognize those solutions are likely more secure, but I’m trying to avoid IP based security restrictions if possible.

Stop people from attempting to login as root

Add (or find and modify) this line:
PermitRootLogin no
This simply doesn’t allow people to log in directly to your box as the root user. Simple enough. Not letting people log in directly as root takes away one of the well-known users that people will attempt to log in as. This means that everyone who wants to gain root will first have to log in as another (more obscure) user on the system, which leads me to the next technique.

Only Allow Logins from specified users

Add (or find and modify) this line:
AllowUsers username1 username2
This means that only these users are allowed to log in. Every other user cannot. This is handy because it rules out all those other user accounts that are created on the system, which probably don’t, but might, currently have ssh access.
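A check for the two settings above, as an added example that is not part of the original post. sshd uses the first PermitRootLogin value it reads, so appending "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing; the function names and both sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: check a config file for the two sshd_config settings above.
# Handles the plain "Keyword value" form; Include files are not followed.

# Print the first value of keyword $2 in the global part of file $1.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { key = tolower($1) }                   # keywords are case-insensitive
        key == "match" { exit }                 # global section ends here
        key == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return 0 only if root login is refused and an AllowUsers list is present.
audit_sshd_config() {
    rc=0
    root=$(effective_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    users=$(effective_value "$1" AllowUsers)
    if [ "$root" = "no" ]; then echo "ok:   PermitRootLogin no"
    else echo "FAIL: PermitRootLogin is '${root:-unset}'"; rc=1; fi
    if [ -n "$users" ]; then echo "ok:   AllowUsers $users"
    else echo "FAIL: AllowUsers is not set"; rc=1; fi
    return $rc
}

# Constructed sample: the hardening line was appended, the old one left in place.
sample_appended=$(mktemp)
cat > "$sample_appended" <<'EOF'
# constructed sample, not a real server's config
Port 22
PermitRootLogin yes
#AllowUsers nobody
PermitRootLogin no
AllowUsers username1 username2
EOF

# Constructed sample: the existing line was modified instead.
sample_modified=$(mktemp)
cat > "$sample_modified" <<'EOF'
Port 22
permitrootlogin no
AllowUsers username1 username2
EOF

audit_sshd_config "$sample_appended" || echo "=> appended file fails the check"
audit_sshd_config "$sample_modified" && echo "=> modified file passes"
```

On a live server, `sshd -t` checks the file for errors before a reload and `sshd -T` prints the configuration sshd will actually use.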

Neither of these techniques strikes me as a silver bullet solution, but as I’m realizing, there are no silver bullet solutions in keeping a machine secure. So consider these two more possibilities for further guarding the machines. Like a moat around the castle walls.

Getting Bluetooth Keyboard Working on my Debian eeePC

Saturday, June 26th, 2010


Simple problem. I have a bluetooth keyboard, I want to use it at work (Thinkpad T61) and home (eeePC 1001P), both machines running Debian (hardware and OS details). I want to find a good way to get this keyboard connected and running full time. Here goes.

Bluetooth Doesn’t Seem To Be Working At All!

First I install blueman. Start it up, most everything is disabled (greyed out). Ok, why is that?

hmm… maybe hcitool will tell me something different
$ hcitool scan
Device is not available: No such device

ok… I guess that means there is no device available, check the startup via
$ dmesg | grep Blue
lots of Bluetooth entries there.

next check the bluetooth kernel module is loaded
$ lsmod | grep blue
bluetooth 41795 6 sco,bnep,rfcomm,l2cap
rfkill 13012 4 bluetooth,cfg80211

Looks like the module is loaded. Time to Google my error message
http://forum.soft32.com/linux/Bluetooth-ftopict440233.html
Provides a hint that I need to install the userspace package, in Debian this means
$ sudo aptitude install bluetooth
that installed a bunch of packages. Trying my tests again
$ hcitool scan
(same result)

Blueman (same result)

$ /etc/init.d/bluetooth restart
(maybe it’ll help… nope)
Hmmm.. sort of feels like the bluetooth adaptor is turned off. The 1001P doesn’t really have a hardware switch that I can see for turning bluetooth on.

Further Googling is making me feel like I should really have an entry in the output of lsusb that says something pretty clear about bluetooth, and I’m not seeing that. This really makes me think it isn’t on.

I know I shouldn’t have to… but I’ll try a reboot to get a fresh dmesg to look at, and this laptop has been in and out of suspend a lot; I see that has fouled others up in the past. Nope, that didn’t help.

eeePC Gotcha: Bluetooth is Controlled in the BIOS

Okay, Got a tip from a site that bluetooth on the 1001P can only be controlled via the bios (are you serious!?!) So I boot into the bios and sure enough under Advanced -> Onboard Settings (I think) there is Onboard Bluetooth and it is disabled. Enable that, save and exit. Reboot.

$ lsusb
now has an extra line in it… promising.
Bus 005 Device 002: ID 0b05:1788 ASUSTek Computer, Inc.

Bluetooth is Working, Now for the Keyboard

Straight for the throat, starting blueman, YES we have an adapter. Double checking with hcitool.
$ hcitool scan
Scanning....

alright!!

Now just to get the keyboard working. Put the keyboard into discovery mode.

Into Blueman, and searching for the device. It shows up! Good sign. Attempt to pair with the device. My secret code is requested. I enter it, “1111” (the usual), and I go to the keyboard and type “1111” Enter. Looks like we’re paired. Uh oh, it looks like it disconnected. Hmm… reconnect, which works, and then click on the trust icon. Still connected, good, good. Start typing, it’s working!! (I’m sure this could all be done from the command line with hcitool as well, I’m not exactly sure how.)

Awesome.

Testing, The Use Cases

Now the two remaining tests. At work I’m doing some frustrating hack using
hidd --connect MAC ADDRESS GOES HERE
and if I leave the computer for 10-20 minutes the keyboard dies. It totally sucks. Secondarily, if I restart the computer the keyboard isn’t connected. Both of these things weren’t a problem in the past, but they are now. So let’s see if the problem is the same here.

  1. Coming back the next morning and it is still working!!
  2. Suspending and restoring and it is still working.
  3. And it even works (with a minor delay after a reboot) in the gdm screen.

Hurray!! Complete Success.

Bonus: killing the Blueman applet doesn’t kill the connection, I suspected this would be true but just wanted to confirm.

Bluetooth Files

I previously had attempted to edit a bunch of files in /etc/bluetooth/* and /etc/default/bluetooth, but none of those files appear changed in this case and the keyboard is working fine. Being curious, I snooped around and found that the specific device information related to the connection with my keyboard can be found in /var/lib/bluetooth/*, but looking at a few of the files I can see that they are definitely not meant to be edited by hand. AKA leave it to the tools, in this case blueman. I’m sure hcitool also refers to and edits these files, although I have not confirmed that.

Hardware and Operating System Details

  • Keyboard : Microsoft Wireless Entertainment Keyboard 7000
  • Debian squeeze (pre stable release)
  • Linux kernel 2.6.32-3-amd64
  • And of course my eeePC 1001P

Now to see if I can get it working on my work computer! Thinkpad T61.

SSH Login Without Entering A Password

Friday, January 22nd, 2010

I tire of constantly entering my password every time I need to log in to a machine. Now that I have a system for keeping track of my passwords I no longer feel like I need to use them constantly for memory purposes. So here’s the info that I use to log in to other machines through ssh without needing to enter a password each time. This is very handy for allowing scripts to access other machines to automate your tasks. Without further ado, here’s how to allow an automatic login from host A / user a to host B / user b.

How to do it

First log in on A as user a and generate a pair of authentication keys. Do not enter a passphrase:

a@A:~> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/a/.ssh/id_rsa):
Created directory '/home/a/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/a/.ssh/id_rsa.
Your public key has been saved in /home/a/.ssh/id_rsa.pub.
The key fingerprint is:
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 a@A

Now use ssh to create a directory ~/.ssh as user b on B. (The directory may already exist, which is fine):

a@A:~> ssh b@B mkdir -p .ssh
b@B's password:

Finally append a’s new public key to b@B:.ssh/authorized_keys and enter b’s password one last time:

a@A:~> cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'
b@B's password:

From now on you can log into B as b from A as a without password:

a@A:~> ssh b@B hostname
B

This post is a summarized version of a post on how to login through ssh without a password, copied here for long term memory purposes :)
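The step on B above, written as an added example that is not part of the original post: it creates .ssh and authorized_keys with the modes sshd's StrictModes check accepts, refuses input that is not a single public-key line, and does not append the same key twice. The function name, the scratch paths and the sample key are constructed for illustration.

```sh
#!/bin/sh
# Added example: install a public key the way the steps above do, but
# idempotently and with tight permissions. Paths are arguments so the
# function can be tried on a scratch directory first.

# add_authorized_key HOME_DIR PUBKEY_FILE
add_authorized_key() {
    ssh_dir=$1/.ssh
    auth=$ssh_dir/authorized_keys
    key=$(cat "$2") || return 1
    # Refuse anything that is not exactly one public-key line; this also
    # catches a private key file passed by mistake.
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] || return 1
    case $key in ssh-*|ecdsa-*|sk-*) ;; *) return 1 ;; esac
    # sshd with StrictModes ignores keys in group- or world-writable places.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Append only if this exact line is not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Constructed demo on a scratch directory; the key text is a made-up sample.
scratch=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed a@A' > "$scratch/id_rsa.pub"
add_authorized_key "$scratch/home_b" "$scratch/id_rsa.pub"
add_authorized_key "$scratch/home_b" "$scratch/id_rsa.pub"   # second run adds nothing
ls -l "$scratch/home_b/.ssh"
```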

Samba Permission Denied Message

Wednesday, March 28th, 2007

I run smbclient -L <hostname>
I see all the shares but when I try to actually get a directory listing I get a permission denied error. Grrr..

The solution from http://gentoo-wiki.com/HOWTO_Setup_Samba
I get a Permission denied message trying to access a Windows 2000, XP, 2003: Make sure you have Guest account enabled on Windows machines and Guest have sharing permissions over the shares. Sometimes this is not trivial due to the permissions editing of a carpet is not shown by default in some Windows systems. If it is enabled, right click on the share, pick up the Permissions section and add Guest user with the appropriate rights (probably full control full control can be security risk. "Modify" provides read/write and create/delete without the more dangerous abilities).

And now I can get the website backed up. yay

ATI Drivers and kernel 2.6.20

Friday, March 23rd, 2007

You can't make the required kernel module with the sources from ATI to get your driver up and running. Ugh… how long did it take to find that out.

However you can install the .deb files that you can get from ATI
cd /usr/src/
tar xjf fglrx-tar-bzr
cd /usr/src/modules/fglrx

then get the patch from http://darcs.frugalware.org/repos/frugalware-current/source/x11-extra/fglrx/fglrx-2.6.20.patch

run the patch using the command
patch < /path/to/fglrx-2.6.20.patch

and then compile the modules following the steps of 4.1c here
http://www.stanchina.net/~flavio/debian/fglrx-installer.html

Lord bless the smart people that figured all this out!

glxgears framerate

Friday, March 23rd, 2007

From http://www.readingboy.com/

glxgears

You see people using the program to test the framerate (FPS) of their ATI cards, trying to spot improvements… well, the newest version requires this switch

$ glxgears -iacknowledgethatthistoolisnotabenchmark

to output the fps.

Haha, you gotta love when people are that careful.

Getting the Extra Laptop Buttons Working

Thursday, March 22nd, 2007

So I wanted the laptop volume buttons to work…

Turns out it is easy. In Gnome go to Desktop –> Preferences –> Keyboard Shortcuts

Then find the function you want to control, click on it, and then click on the laptop button that you want to control it.

And now it works. yaya.

WE have sound

Tuesday, March 13th, 2007

Gah Finally after reading what seems like hundreds of help lists and all that I finally found the problem with my Gateway 7515 laptop sound. Sound card is an ATI IXP card with built in modem.

To make a long story short, all that I needed to do was go to alsamixer and mute the External Amplifier.

Bango, it worked.

Now if only the ocean glider I am working on would come to the surface and call home…