From 504e0d5ff1a8eff12f2b84ffcee8cc7ae0b7fabb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alexander=20Sch=C3=A4ferdiek?=
Date: Wed, 29 Mar 2023 18:16:29 +0200
Subject: [PATCH] Manual backup: 2023-03-29 18:16:29
---
 .obsidian/workspace.json | 29 ++++++++++++++-----
 KB/Android/ADB Backup.md | 4 +--
 KB/Linux/Desktop/Archinstall.md | 2 --
 KB/Linux/Desktop/Audio/EQ.md | 20 ++++++-------
 KB/Linux/Desktop/Audio/aptx and pulseaudio.md | 2 --
 KB/Linux/Desktop/Fonts.md | 2 --
 KB/Linux/Desktop/GPG - PGP.md | 8 ++---
 KB/Linux/Desktop/KDE/KDE Tiling.md | 2 --
 KB/Linux/Desktop/KDE/KDE.md | 10 +++----
 KB/Linux/Desktop/Surface.md | 2 --
 KB/Linux/Desktop/Theming Qt and Gtk.md | 2 --
 KB/Linux/Desktop/Tweaks.md | 18 +++++-------
 KB/Linux/Desktop/i3.md | 2 --
 KB/Linux/Desktop/sway.md | 2 --
 KB/Linux/Desktop/systemd.md | 2 --
 KB/Linux/Server/Bootstrap.md | 12 ++++----
 KB/Linux/Server/DNS.md | 6 ++--
 KB/Linux/Server/Domains.md | 2 --
 KB/Linux/Server/Hetzner/Storagebox.md | 2 +-
 KB/Linux/Server/Hetzner/Upgrades.md | 2 --
 KB/Linux/Server/PostgreSQL.md | 10 +++----
 KB/Linux/Server/Remote unlocking at boot.md | 2 --
 KB/Linux/Server/SSH Guard, iptables.md | 12 ++++----
 KB/Linux/Server/Security hardening.md | 12 ++++----
 _Templates/Note Template.md | 2 +-
 25 files changed, 69 insertions(+), 100 deletions(-)
diff --git a/.obsidian/workspace.json b/.obsidian/workspace.json
index 5fd48d6..fc75abb 100644
--- a/.obsidian/workspace.json
+++ b/.obsidian/workspace.json
@@ -4,11 +4,11 @@
 "type": "split",
 "children": [
 {
- "id": "021e344303bcc5ab",
+ "id": "69404306ef47591b",
 "type": "tabs",
 "children": [
 {
- "id": "cd2f7f5f4235c327",
+ "id": "3020d37493983f72",
 "type": "leaf",
 "state": {
 "type": "empty",
@@ -120,20 +120,33 @@ "templater-obsidian:Templater": false } }, - "active": "cd2f7f5f4235c327", + "active": "3020d37493983f72", "lastOpenFiles": [ - "KB/Linux/Server/Hetzner/Storagebox.md", "README.md", - "KB/Linux/Disk Speed.md", - "KB/Linux/AMD.md", - "KB/Linux/Desktop/Audio/EQ.md", + "KB/Android/ADB Backup.md", "KB/Linux/Desktop/Audio/aptx and pulseaudio.md", + "KB/Linux/Desktop/Audio/EQ.md", + "KB/Linux/Desktop/KDE/KDE.md", "KB/Linux/Desktop/KDE/KDE Tiling.md", "KB/Linux/Desktop/Archinstall.md", + "KB/Linux/Desktop/Fonts.md", + "KB/Linux/Desktop/GPG - PGP.md", + "KB/Linux/Desktop/i3.md", "KB/Linux/Desktop/Steam.md", + "KB/Linux/Desktop/Surface.md", + "KB/Linux/Desktop/sway.md", + "KB/Linux/Desktop/systemd.md", + "KB/Linux/Desktop/Theming Qt and Gtk.md", + "KB/Linux/Desktop/Tweaks.md", + "KB/Linux/Server/Hetzner/Storagebox.md", + "KB/Linux/Server/Hetzner/Upgrades.md", + "KB/Linux/Server/Bootstrap.md", "KB/Linux/Server/DNS.md", "KB/Linux/Server/Domains.md", "KB/Linux/Server/PostgreSQL.md", - "KB/Linux/Server/Remote unlocking at boot.md" + "KB/Linux/Server/Security hardening.md", + "KB/Linux/Server/SSH Guard, iptables.md", + "KB/Linux/Server/Remote unlocking at boot.md", + "_Templates/Note Template.md" ] } \ No newline at end of file diff --git a/KB/Android/ADB Backup.md b/KB/Android/ADB Backup.md index 92f2d96..dc1ecb0 100644 --- a/KB/Android/ADB Backup.md +++ b/KB/Android/ADB Backup.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,android,adb,backup] --- -# ADB Backup - A small tutorial on how to backup Android _application data_ via the `adb` tool. Currently, this is the only mechanism to backup the _entire_ device. If defaults won't work for you, have a look at the options for `adb` in the scripts. Defaults are that only _app data_ of installed and systems apps will be backed up. **NOT THE STORAGE ITSELF!** 
@@ -38,7 +36,7 @@ You need the `adb` tools in order for this to work: Currently there's no script provided for restoring a backup as this is a single command in your command line. When your device is connected and in debug mode, use the following command pointing to the backup file you like to restore: -``` +```shell # Windows ( + r, type 'cmd', press ENTER) adb restore C:\Users\\mybackup.ab diff --git a/KB/Linux/Desktop/Archinstall.md b/KB/Linux/Desktop/Archinstall.md index 344565d..bcc5a04 100644 --- a/KB/Linux/Desktop/Archinstall.md +++ b/KB/Linux/Desktop/Archinstall.md @@ -3,8 +3,6 @@ creation date: 2022-09-03 tags: [note,arch,linux,archlinux,install] --- -# Archinstall - It has never been easier to install arch. Simply use the `archinstall` command! * Make a bootable USB stick with `dd bs=4M if=path/to/archlinux-version-x86_64.iso of=/dev/sdx conv=fsync oflag=direct status=progress` diff --git a/KB/Linux/Desktop/Audio/EQ.md b/KB/Linux/Desktop/Audio/EQ.md index c2c5f24..7dfb997 100644 --- a/KB/Linux/Desktop/Audio/EQ.md +++ b/KB/Linux/Desktop/Audio/EQ.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,audio,pipewire,pulse,pulseaudio,linux,archlinux] --- -# Audio - EQ - * See [[KB/Linux/Desktop/Audio/pipewire.txt]] for packages * See [[KB/Linux/Desktop/Audio/pulseaudio.txt]] for packages @@ -29,14 +27,14 @@ There are some very convenient settings you probably want to set. * In `/etc/pipewire/media-session.d/media-session.{conf|confpause}` comment out `suspend-node` to enable suspending feature * In `/etc/pipewire/media-session.d/alsa-monitor.conf` set a timeout so that your DAC/output device is able to always receive a signal if you like. - ```sh + ```shell node.pause-on-idle = false session.suspend-timeout-seconds = 0 # or any number as seconds ``` * If you like, set a default _sample rate_ in `/etc/pipewire/pipewire.conf`, e.g. for 44.1kHz - ```sh + ```shell default.clock.rate = 44100 ``` 
@@ -46,7 +44,7 @@ There are some very convenient settings you probably want to set. * Allow direct communication to device for PulseAudio. Edit ALSA configuration `/etc/asound.conf`. - ```sh + ```shell # Use PulseAudio plugin hw pcm.!default { type plug @@ -56,7 +54,7 @@ There are some very convenient settings you probably want to set. * (**OPTIONAL, DO IF YOU WANT A REMAPPED VERSION OF MAIN AUDIO DEVICE IN sink_name=**) Add some _default_ sink names (remap them) in PulseAudio `/etc/pulse/default.pa`. Use `pacmd list-sinks` and `pacmd list-sources` to list your devices and insert as _master_ below. Any user could use `sink_main` and `src_microphone` instead of the specific device as `sink_name=`. This is **OPTIONAL** if you use direct sink name in any user specific file later instead of "sink_main" and "src_microphone" - ```sh + ```shell # create remapped sink/sources with proper names and description # pacmd list-sinks load-module module-remap-sink sink_name="sink_main" master="alsa_output.pci-0000_31_00.4.iec958-stereo" sink_properties=device.description="Toslink" remix=no @@ -66,7 +64,7 @@ There are some very convenient settings you probably want to set. * Adapt `.config/pulse/daemon.conf` -```sh +```shell flat-volumes = no default-sample-channels = 2 @@ -93,7 +91,7 @@ Create and adapt configuration for dsp. See example below. Use EQ presets for yo * Basic file structure - ```sh + ```shell .config/ladspa_dsp ├── config_beyerdynamic_dt1990 └── eq @@ -101,14 +99,14 @@ Create and adapt configuration for dsp. See example below. Use EQ presets for yo ``` * The main configuration for an additional Pulse sink `.config/ladspa_dsp/config_beyerdynamic_dt1990` - ```sh + ```shell LC_NUMERIC=C effects_chain=@eq/beyerdynamic_dt1990.conf ``` * The EQ settings derived from the target curve found for your headphones, e.g. `.config/ladspa_dsp/eq/beyerdynamic_dt1990.conf` - ```sh + ```shell # Beyerdynamic DT 1990 # preamp gain gain -4.0 
@@ -120,7 +118,7 @@ Create and adapt configuration for dsp. See example below. Use EQ presets for yo * Add a new sink _based on above remapped sink_main_ for the EQ present in `.config/pulse/default.pa` (also some other reasonable default settings) - ```sh + ```shell # load system defaults .include /etc/pulse/default.pa diff --git a/KB/Linux/Desktop/Audio/aptx and pulseaudio.md b/KB/Linux/Desktop/Audio/aptx and pulseaudio.md index 862477b..8b7de7d 100644 --- a/KB/Linux/Desktop/Audio/aptx and pulseaudio.md +++ b/KB/Linux/Desktop/Audio/aptx and pulseaudio.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,linux,archlinux,aptx,pulseaudio,bluetooth] --- -# aptx and pulseaudio - Inspect BT packages: * Install [bluez-utils-compat](https://aur.archlinux.org/packages/bluez-utils-compat/) diff --git a/KB/Linux/Desktop/Fonts.md b/KB/Linux/Desktop/Fonts.md index 8d004a9..7138eb7 100644 --- a/KB/Linux/Desktop/Fonts.md +++ b/KB/Linux/Desktop/Fonts.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,linux,archlinux,fonts] --- -# Fonts - Probably you want the following installed: ```shell diff --git a/KB/Linux/Desktop/GPG - PGP.md b/KB/Linux/Desktop/GPG - PGP.md index c1c9635..207277c 100644 --- a/KB/Linux/Desktop/GPG - PGP.md +++ b/KB/Linux/Desktop/GPG - PGP.md @@ -3,8 +3,6 @@ creation date: 2022-01-12 tags: [note,linux,gpg,pgp] --- -# GPG - ## Creation **Really, set up an expiration date, otherwise you'll end up with non-revokable keys!** @@ -20,7 +18,7 @@ Generate at least 3072 bit key with an expiration date, e.g. with Seahorse or `g ## gpg.conf -``` +```shell keyserver hkp://keys.gnupg.net keyserver hkps://keys.openpgp.org keyserver hkp://pool.sks-keyservers.net:11371 
@@ -31,13 +29,13 @@ keyserver hkp://pgp.mit.edu:11371 Search and edit with dconf `.../keyserver`: -``` +```shell ['hkp://keys.gnupg.net', 'hkps://keys.openpgp.org', 'hkp://pool.sks-keyservers.net:11371', 'hkp://pgp.mit.edu:11371'] ``` ## Export/Revoke -``` +```shell export MY_GPG_ID=theID gpg --armor --output public-key.gpg --export $MY_GPG_ID gpg --armor --output private-key.gpg --export-secret-keys $MY_GPG_ID diff --git a/KB/Linux/Desktop/KDE/KDE Tiling.md b/KB/Linux/Desktop/KDE/KDE Tiling.md index 69d4d90..0d68624 100644 --- a/KB/Linux/Desktop/KDE/KDE Tiling.md +++ b/KB/Linux/Desktop/KDE/KDE Tiling.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,linux,kde,archlinux,wm,tiling] --- -# Config Tiling - * Install Krohnkite and visit the GitHub page to enable settings * Set proper shortcuts using suffix `(tiling)` * See hints at [https://github-wiki-see.page/m/esjeon/krohnkite/wiki/Tips](https://github-wiki-see.page/m/esjeon/krohnkite/wiki/Tips) \ No newline at end of file diff --git a/KB/Linux/Desktop/KDE/KDE.md b/KB/Linux/Desktop/KDE/KDE.md index d476e88..e782a31 100644 --- a/KB/Linux/Desktop/KDE/KDE.md +++ b/KB/Linux/Desktop/KDE/KDE.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,kde,linux,archlinux] --- -# KDE - A guide how to setup KDE similar to GNOME experience. * Install packages `plasma` (all and maybe uninstall `discover` later) 
@@ -22,21 +20,21 @@ A guide how to setup KDE similar to GNOME experience. * Different uses of _meta_ key * Native _"show all"_ windows - ```sh + ```shell kwriteconfig5 --file ~/.config/kwinrc --group ModifierOnlyShortcuts --key Meta "org.kde.kglobalaccel,/component/kwin,org.kde.kglobalaccel.Component,invokeShortcut,ExposeAll"; qdbus org.kde.KWin /KWin reconfigure; ``` * Native _"show current workspace"_ windows - ```sh + ```shell kwriteconfig5 --file ~/.config/kwinrc --group ModifierOnlyShortcuts --key Meta "org.kde.kglobalaccel,/component/kwin,org.kde.kglobalaccel.Component,invokeShortcut,Expose"; qdbus org.kde.KWin /KWin reconfigure; ``` * kwin script _Parachute_ to simulate behavior which requires https://github.com/tcorreabr/Parachute (via _AUR_) - ```sh + ```shell kwriteconfig5 --file ~/.config/kwinrc --group ModifierOnlyShortcuts --key Meta "org.kde.kglobalaccel,/component/kwin,org.kde.kglobalaccel.Component,invokeShortcut,Parachute"; qdbus org.kde.KWin /KWin reconfigure; ``` @@ -44,7 +42,7 @@ A guide how to setup KDE similar to GNOME experience. * Use systemd start instead of boot scripts: `kwriteconfig5 --file startkderc --group General --key systemdBoot true` * Maybe sync the following configuration files to track changes - ```sh + ```shell .config/kdeglobals .config/kglobalshortcutsrc .config/khotkeysrc diff --git a/KB/Linux/Desktop/Surface.md b/KB/Linux/Desktop/Surface.md index e7fc5e0..2375320 100644 --- a/KB/Linux/Desktop/Surface.md +++ b/KB/Linux/Desktop/Surface.md @@ -3,8 +3,6 @@ creation date: 2022-09-02 tags: [surface,linux,sp8,microsoft] --- -# Surface - A guide for the [Surface Pro 8](https://github.com/linux-surface/linux-surface/wiki/Surface-Pro-8). Based on https://github.com/linux-surface/linux-surface/wiki. This guide is for [ArchLinux](https://archlinux.org/) and improves the instructions to be more structured and suited for the SP8. 
diff --git a/KB/Linux/Desktop/Theming Qt and Gtk.md b/KB/Linux/Desktop/Theming Qt and Gtk.md index 6b4dd71..e3b9785 100644 --- a/KB/Linux/Desktop/Theming Qt and Gtk.md +++ b/KB/Linux/Desktop/Theming Qt and Gtk.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,qt,gtk,linux,archlinux] --- -# Theming Qt and Gtk - Based on [ArchLinux Wiki](https://wiki.archlinux.org/title/Uniform_look_for_Qt_and_GTK_applications). Unify Qt5/Qt6 and GTK2/GTK3/GTK4 design. diff --git a/KB/Linux/Desktop/Tweaks.md b/KB/Linux/Desktop/Tweaks.md index cb954c3..fac7aa1 100644 --- a/KB/Linux/Desktop/Tweaks.md +++ b/KB/Linux/Desktop/Tweaks.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,archlinux] --- -# Tweaks - **TAKEN FROM:** https://gist.github.com/lbrame/1678c00213c2bd069c0a59f8733e0ee6 This is a collection of the tweaks and modification I've made to my Arch Linux installation over the months. These may be applicable to other distros, but please check first before doing anything. I also included Arch Wiki references for all the procedures I mentioned. My recommendation is not to blindly follow this gist but to always check with the Arch Linux wiki first. Things move fast and by the time you're reading this my gist may be out of date. Lastly, the golden rule: never execute a command you don't understand. @@ -99,8 +97,8 @@ systemctl enable tlp.service --now `powertop` is a powerful commandline program to keep track of battery consumption. It also allows the user to quickly alter some system settings that have an impact on battery life. You can use it to make a quick tuning: -``` -# powertop --auto-tune +```shell +powertop --auto-tune ``` However, don't enable `powertop`'s service if you already use TLP. 
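Review bot: Dropping the leading `# ` from `powertop --auto-tune` in the second Tweaks.md hunk removes the root-prompt marker, which on the old side was the only signal that the command is run as root; the same happens to `journalctl --vacuum-size=100M`, `journalctl --vacuum-time=2weeks` and `systemctl restart systemd-journald.service` in the two following Tweaks.md hunks. With the `#` gone and the block now tagged `shell`, the snippet reads as an unprivileged one-liner a reader can paste as-is. Keep the privilege level explicit, either by prefixing each command with `sudo ` or by opening the block with a comment such as `# run as root`. The surrounding prose and the first Tweaks.md hunk are unaffected.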
@@ -115,16 +113,16 @@ Arch Wiki reference: https://wiki.archlinux.org/index.php/Systemd/ Systemd's system journal's size can go out of control. There are some things you can do to keep it in control: -``` -# journalctl --vacuum-size=100M -# journalctl --vacuum-time=2weeks +```shell +journalctl --vacuum-size=100M +journalctl --vacuum-time=2weeks ``` ### Forwarding the journal to /dev/tty12 This is very simple. Just create the file `/etc/systemd/journald.conf.d/fw-tty12.conf` and fill it like this: -``` +```shell [Journal] ForwardToConsole=yes TTYPath=/dev/tty12 @@ -133,8 +131,8 @@ MaxLevelConsole=info Then, restart the service: -``` -# systemctl restart systemd-journald.service +```shell +systemctl restart systemd-journald.service ``` ## Microcode diff --git a/KB/Linux/Desktop/i3.md b/KB/Linux/Desktop/i3.md index 7e80bcd..d9d0fcc 100644 --- a/KB/Linux/Desktop/i3.md +++ b/KB/Linux/Desktop/i3.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,linux,wm,archlinux,i3] --- -# i3 - i3 is a tiling WM for X.org. Use [[KB/Linux/Desktop/sway]] for Wayland. Install i3 packages diff --git a/KB/Linux/Desktop/sway.md b/KB/Linux/Desktop/sway.md index dd28894..5e92d4d 100644 --- a/KB/Linux/Desktop/sway.md +++ b/KB/Linux/Desktop/sway.md @@ -3,8 +3,6 @@ creation date: 2022-02-06 tags: [note,sway,i3,linux] --- -# sway - Sway is a replacement for [[KB/Linux/Desktop/i3]] but for _Wayland_. ## Install diff --git a/KB/Linux/Desktop/systemd.md b/KB/Linux/Desktop/systemd.md index dafc7e6..7b06c17 100644 --- a/KB/Linux/Desktop/systemd.md +++ b/KB/Linux/Desktop/systemd.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,systemd,linux,archlinux] --- -# systemd - Arch Wiki reference: https://wiki.archlinux.org/index.php/Systemd/ ## Taming the journal's size diff --git a/KB/Linux/Server/Bootstrap.md b/KB/Linux/Server/Bootstrap.md index f02eee5..61f2032 100644 --- a/KB/Linux/Server/Bootstrap.md +++ b/KB/Linux/Server/Bootstrap.md 
@@ -3,11 +3,9 @@ creation date: 2022-01-08 tags: [note,linux,archlinux,install] --- -# Bootstrap - 1. Install some packages: - ``` + ```shell pacman -S docker docker-compose pacman-contrib git reflector htop dfc ps_mem nginx certbot nano zsh zsh-syntax-highlighting nano-syntax-highlighting rsync pkgfile ntp inetutils which ``` @@ -28,7 +26,7 @@ tags: [note,linux,archlinux,install] 9. Disable and uninstall services from image install - ``` + ```shell systemctl disable --now cloud-config.service cloud-final.service cloud-init-local.service cloud-init.service cronie.service pacman -Rsnc cronie ``` @@ -37,7 +35,7 @@ tags: [note,linux,archlinux,install] 11. Adjust network config in `/etc/systemd/network` and `/etc/resolv.conf` and `/etc/hosts` - ``` + ```shell # # /etc/hosts: static lookup table for host names # @@ -53,7 +51,7 @@ tags: [note,linux,archlinux,install] 14. Install AUR wrapper with `admin` - ``` + ```shell sudo su admin cd mkdir -p packages/yay-bin @@ -77,7 +75,7 @@ tags: [note,linux,archlinux,install] 20. Copy `/root/scripts` to new server. - ``` + ```shell # copy /etc/mail.rc pacman -S s-nail ``` diff --git a/KB/Linux/Server/DNS.md b/KB/Linux/Server/DNS.md index 0f7d2d3..03479b0 100644 --- a/KB/Linux/Server/DNS.md +++ b/KB/Linux/Server/DNS.md @@ -3,20 +3,18 @@ creation date: 2022-01-08 tags: [note,linux,archlinux,dns] --- -# DNS - **Please use a local unbound which is even better!** Start and enable -``` +```shell systemd-networkd systemd-resolved ``` If you desire that any network manager cannot change the DNS servers, then execute `sudo chattr -i /etc/resolv.conf; sudo nano /etc/resolv.conf; sudo chattr +i /etc/resolv.conf` to insert the following content: -``` +```shell options timeout:1 nameserver 80.241.218.68 nameserver 46.182.19.48 diff --git a/KB/Linux/Server/Domains.md b/KB/Linux/Server/Domains.md index 3ec059c..fc62757 100644 --- a/KB/Linux/Server/Domains.md +++ b/KB/Linux/Server/Domains.md 
@@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,archlinux,linux,domains] --- -# Domains - Add new domains 1. Add new listen inside `systemd-boot` diff --git a/KB/Linux/Server/Hetzner/Storagebox.md b/KB/Linux/Server/Hetzner/Storagebox.md index 5909543..d5812cb 100644 --- a/KB/Linux/Server/Hetzner/Storagebox.md +++ b/KB/Linux/Server/Hetzner/Storagebox.md @@ -23,7 +23,7 @@ AA..... ## Create a compatible ssh key and transfer to the user -``` +```shell ssh-keygen-rsa id_rsa ssh-keygen -e -f .ssh/id_rsa.pub | grep -v "Comment:" > .ssh/id_rsa_rfc.pub diff --git a/KB/Linux/Server/Hetzner/Upgrades.md b/KB/Linux/Server/Hetzner/Upgrades.md index fb70067..c42d619 100644 --- a/KB/Linux/Server/Hetzner/Upgrades.md +++ b/KB/Linux/Server/Hetzner/Upgrades.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,linux,archlinux] --- -# Upgrades - This assumes, that you have `dotfiles-system` installed. Upgrading the VM includes the following sub tasks: diff --git a/KB/Linux/Server/PostgreSQL.md b/KB/Linux/Server/PostgreSQL.md index 16c58bd..20e7df3 100644 --- a/KB/Linux/Server/PostgreSQL.md +++ b/KB/Linux/Server/PostgreSQL.md @@ -3,11 +3,9 @@ creation date: 2022-01-08 tags: [note,linux,postgres,database,postgresql,psql,archlinux] --- -# PostgreSQL - ## Commonly used -``` +```shell -- list all users \du @@ -50,7 +48,7 @@ DROP USER ; ## Updating major versions -``` +```shell systemctl start postgresql.service // if not already running chown postgres:postgres /var/lib/postgres sudo -i -u postgres @@ -75,7 +73,7 @@ exit * Backup existing instance: - ``` + ```shell // host docker-compose down cp -r @@ -93,7 +91,7 @@ exit ``` * Change major version tag of container, e.g. edit `docker-compose` * Restore old database dump - ``` + ```shell // host docker-compose up -d docker cp old_backup.sql :/old_backup.sql diff --git a/KB/Linux/Server/Remote unlocking at boot.md b/KB/Linux/Server/Remote unlocking at boot.md index e8c534e..672b400 100644 
--- a/KB/Linux/Server/Remote unlocking at boot.md +++ b/KB/Linux/Server/Remote unlocking at boot.md @@ -3,8 +3,6 @@ creation date: 2022-07-18 tags: [ssh,cryptsetup,remote,unlock,crypt] --- -# Remote unlocking at boot - Guide borrowed from https://linux.fernandocejas.com/docs/guides/decrypt-luks-partition-remotely-via-ssh. 1. Install `pacman -S mkinitcpio-systemd-tool busybox cryptsetup openssh tinyssh tinyssh-convert mc` diff --git a/KB/Linux/Server/SSH Guard, iptables.md b/KB/Linux/Server/SSH Guard, iptables.md index 92e924a..d1a78b8 100644 --- a/KB/Linux/Server/SSH Guard, iptables.md +++ b/KB/Linux/Server/SSH Guard, iptables.md @@ -3,12 +3,10 @@ creation date: 2022-01-08 tags: [note,archlinux,linux,security,ssh,iptables] --- -# SSH Guard, iptables - ## SSH Disable weak ciphers by adding the following to the `sshd_config` file: -``` +```shell # Disable weak ciphers KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256,diffie-hellman-group18-sha512 MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com @@ -25,7 +23,7 @@ Ports `22` and `2222` will be monitored in this example. Also see [here](https://wiki.archlinux.org/index.php/Sshguard#iptables). -```sh +```shell # IPv4 iptables -N sshguard iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard 
@@ -39,18 +37,18 @@ ip6tables-save > /etc/iptables/ip6tables.rules Start with `systemctl enable --now sshguard` or restart afterwards with `systemctl restart sshguard` to apply or `ExecStartPre=` above in sshguard's systemd file. -```sh +```shell ExecStartPre=/bin/bash -c '(while ! nc -z -v -w1 localhost 2222 > /dev/null; do echo "Waiting for port 2222 to open..."; sleep 15; done); sleep 10' ``` or create the following file and execute on every reboot with a certain, e.g. with -```sh +```shell [Timer] OnBootSec=1min ``` -```sh +```shell # IPv4 iptables -N sshguard && \ iptables -A INPUT -m multiport -p tcp --destination-ports 22,2222 -j sshguard && \ diff --git a/KB/Linux/Server/Security hardening.md b/KB/Linux/Server/Security hardening.md index 67bfc27..a73ea4d 100644 --- a/KB/Linux/Server/Security hardening.md +++ b/KB/Linux/Server/Security hardening.md @@ -3,8 +3,6 @@ creation date: 2022-01-08 tags: [note,linux,archlinux,security,hardening] --- -# Security hardening - ## ssh `ssh-guard` allowed. @@ -12,14 +10,14 @@ tags: [note,linux,archlinux,security,hardening] Execute the following -``` +```shell mkdir -p /etc/nginx/ssl openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 ``` In `nginx.conf`, set the following inside the `http` block: -``` +```shell # security hardened server_tokens off; ``` @@ -27,7 +25,7 @@ server_tokens off; For each `server` block, set the following -``` +```shell listen 443 ssl http2; # enable session resumption to improve https performance @@ -59,7 +57,7 @@ access_log off; ## PHP -``` +```shell session.cookie_secure = true session.use_only_cookies = 1 session.cookie_httponly = true @@ -69,7 +67,7 @@ session.cookie_httponly = true Set maximum journal retention in `/etc/systemd/journald.conf`: -``` +```shell MaxRetentionSec=604800 MaxFileSec=86400 ``` diff --git a/_Templates/Note Template.md b/_Templates/Note Template.md index 5b751fe..cca2b5c 100644 --- a/_Templates/Note Template.md +++ b/_Templates/Note Template.md 
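Review bot: Several blocks in Security hardening.md are now tagged `shell` although their content is not shell: nginx directives (`server_tokens off;`, `listen 443 ssl http2;`), a PHP ini fragment (`session.cookie_secure = true`) and a journald setting (`MaxRetentionSec=604800`); only the `mkdir`/`openssl dhparam` block is an actual shell snippet. A `shell` tag on configuration content gives the wrong highlighting and suggests the lines can be pasted into a terminal, so `nginx`, `ini` or no tag at all would fit these blocks better. The same mislabel appears in the SQL block of PostgreSQL.md (`-- list all users`, `\du`), the `/etc/hosts` block in Bootstrap.md, the `resolv.conf` block in DNS.md, the `sshd_config` block in SSH Guard, iptables.md, the `gpg.conf` and dconf blocks in GPG - PGP.md, and the pipewire/pulse config blocks in EQ.md.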
@@ -3,6 +3,6 @@ creation date: <% tp.date.now("YYYY-MM-DD") %> tags: [note] --- -# <% tp.file.title %> +