Hardening SSH configurations Thu, Oct 26, 2023 01:00 CEST

Install ssh-audit:

    pacman -S ssh-audit

Server

Audit the current server configuration:

    ssh-audit localhost

If any fail- or warn-level log lines appear, try implementing the following sections.

Explicitly allow only selected algorithms

Restrict key exchange algorithms, ciphers, message authentication codes, and asymmetric keys:

    # File: /etc/ssh/sshd_config.d/01-ssh-audit_hardening.conf
    # Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
    # hardening guide.
    KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
    HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com

Force usage of public key authentication and prevent root login

    # File: /etc/ssh/sshd_config.

Automated snapshots with Btrfs Sun, Oct 1, 2023 02:00 CEST

Install snapper:

    pacman -S snapper

Make sure to have followed snapper’s recommendations regarding the Btrfs subvolume layout. Note that snapper creates a subvolume for snapshots at /.snapshots, but with an unnecessary parent dependency on @. To allow snapper to go through the configuration step, make sure you have unmounted any subvolume (or anything else) mounted at /.snapshots and deleted any corresponding directory:

    umount /.snapshots
    rm -r /.snapshots

Create configuration for the root subvolume

Remote LUKS unlocking with TinySSH Wed, Oct 20, 2021 01:00 CEST

Goodbye keyboards and monitors!

Encrypted Install on Btrfs with Arch Linux on UEFI Sat, May 1, 2021 01:00 CEST

So easy!

Encrypt user home with eCryptfs Sun, Apr 11, 2021 02:00 CEST

We encrypt a user home directory with eCryptfs. The consequence is that the contents of this directory are only accessible if at least one of the following is true:

  • You know the user’s password.
  • The user is logged in* AND you have read permission to the user’s directory (if you are root for instance).

* or has processes surviving logout (for instance lingering services).

This may increase privacy, depending on how the system is used.

If the user home is not encrypted, it would suffice to be root (without the user necessarily being logged in). Note that being root on another system and mounting the partition hosting the user’s home suffices.

Configure microcode with GRUB Fri, Dec 25, 2020 01:00 CET

All users with an AMD or Intel CPU should install the microcode updates to ensure system stability.

Configure microcode with systemd-boot Fri, Dec 25, 2020 01:00 CET

All users with an AMD or Intel CPU should install the microcode updates to ensure system stability.

Bluetooth on Arch Linux Mon, Dec 21, 2020 15:52 CET

Install software:

    pacman -S bluez bluez-utils

If you want Bluetooth to power on the chip as soon as bluetooth.service is running, set in /etc/bluetooth/main.conf:

    [Policy]
    AutoEnable=true

Enable and start the bluetooth service:

    systemctl enable --now bluetooth

Connect a Bluetooth headset or speaker:

    pacman -S pulseaudio-bluetooth
    systemctl --user restart pulseaudio
    bluetoothctl agent on
    bluetoothctl power on
    bluetoothctl scan on
    bluetoothctl pair ...
    bluetoothctl connect ...

Tip: instead of typing bluetoothctl for each command, you can start a REPL by calling bluetoothctl without arguments.

Automatically Mount LUKS Encrypted Device with Crypttab and Fstab Thu, Nov 12, 2020 20:00 CET

Put that second drive to use!

NGiИX hostname resolution boot crash Tue, Aug 18, 2020 02:00 CEST

NGiИX crashes on boot when proxying via hostname resolution.