Author: admin

  • Does AlmaLinux provide any modules for XSS prevention in Apache httpd?

    Some classes of XSS attack can be blocked at the web server by mod_security together with the OWASP ModSecurity Core Rule Set (CRS). On AlmaLinux 8 the rule set is packaged as mod_security_crs (from the EPEL repository) and requires the mod_security module from AppStream. Install it with yum as below, then make sure SecRuleEngine On is set in /etc/httpd/conf.d/mod_security.conf and restart httpd. Treat this as defence in depth: the rule set filters known attack patterns, it does not replace proper output encoding in the application itself.

    yum install mod_security_crs

  • After joining AD, realmd do not register DNS hostname

    The error may be caused by an incorrect entry in the /etc/hosts file added by the provisioning script. To resolve this error:

    • Remove SSSD from the AD domain

    realm leave webconn.tech

    • Rename the host so that its hostname is the FQDN

    hostnamectl set-hostname metal.webconn.tech

    • Ensure /etc/hosts has a correct entry for the host, with the FQDN listed before the short name, or create forward and reverse DNS records for the server.

    192.168.1.1 metal.webconn.tech metal

    • Re-join SSSD to AD domain with the following command;

    realm join webconn.tech
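    The procedure above hinges on the /etc/hosts line having the FQDN first, because that is the canonical name hostname -f returns and the name SSSD registers. The following script is an added example, not code from the original page or from realmd: it checks a hosts file for exactly that, and prints the line the procedure expects. The host name, address and file path in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: confirm that a hosts file has the
# FQDN as the first name after the address (the canonical name that hostname -f
# and SSSD's dynamic DNS update rely on), with the short name as an alias.
# Usage: check_hosts_fqdn <hosts-file> <fqdn>; returns 0 when correct.
check_hosts_fqdn() {
    file=$1
    fqdn=$2
    short=${fqdn%%.*}
    # drop comments, then require a line "<addr> <fqdn> ..." whose first name is
    # the FQDN; a line that lists the short name first is the misconfiguration
    # this procedure fixes, so it is reported on stderr
    sed 's/#.*//' "$file" | awk -v f="$fqdn" -v s="$short" '
        NF >= 2 && $2 == f { ok = 1 }
        NF >= 3 && $2 == s && $3 == f {
            print "short name precedes FQDN on line: " $0 > "/dev/stderr"
        }
        END { exit (ok ? 0 : 1) }'
}

# Print the /etc/hosts line the procedure above expects for an address and FQDN.
hosts_line() {
    printf '%s %s %s\n' "$1" "$2" "${2%%.*}"
}

# usage: check_hosts_fqdn /etc/hosts "$(hostname -f)" || hosts_line 192.168.1.1 "$(hostname -f)"
```

    Run check_hosts_fqdn /etc/hosts "$(hostname -f)" after setting the hostname and before realm join; a non-zero exit means the join will register the wrong name.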

  • ntpd: br-22eee3e444b: getting interface flags: No such device

    When Docker creates and later removes a bridge interface (br-...) on a CentOS 7 host, ntpd may log the following:

    Dec 2 16:12:11 server1 ntpd[xxxx]: ./../lib/isc/unix/interfaceiter.c:248: unexpected error:
    Dec 2 16:12:11 server1 ntpd[xxxx]: br-22eee3e444b: getting interface flags: No such device

    ntpd periodically rescans the host's interfaces, and the message means an interface disappeared between the scan and the query for its flags. It is harmless as long as ntpd is not expected to serve time on that interface. The cleanest fix is to switch to chronyd, which is the preferred and default time daemon in CentOS 7 and copes with interfaces that come and go.

  • What is SSH and its Authentication Methods: Usage and Troubleshooting

    Overview:

    Secure Shell, also called the SSH protocol, provides reliable and secure communication between two hosts connected over a local or public network. The SSH protocol supports several authentication methods and uses strong encryption to protect the data exchanged on the network. It is highly recommended to use SSH instead of clear-text protocols (rlogin, rsh, telnet) and the unencrypted file transfer protocol (FTP). SSH can also be used for X11 forwarding, local and remote port forwarding, a SOCKS proxy (dynamic forwarding), tunnelling (a tun-device VPN), and secure remote mounts (sshfs).

    Steps of SSH authentication:

    The server and client take the following steps to establish a secure connection. Note that the connection is encrypted, and the server's identity verified, before any user credentials are sent.

    • The client opens a TCP connection to the server (port 22 by default).
    • Both sides exchange their protocol version strings (for example SSH-2.0-OpenSSH_8.0) and check compatibility.
    • Both sides negotiate the algorithms to use and run a Diffie-Hellman (or elliptic-curve) key exchange to derive the session keys; from this point on all traffic is encrypted.
    • As part of the key exchange the server signs the exchange with its host key. The client verifies that host key against ~/.ssh/known_hosts (or /etc/ssh/ssh_known_hosts) to protect itself from MITM attacks; a changed key produces the well-known "REMOTE HOST IDENTIFICATION HAS CHANGED" warning.
    • The client requests user authentication and sends the username it wants to log in as; the server replies with the authentication methods it is willing to accept.
    • The client authenticates with one of those methods (or with several, if the server requires a sequence); passwords and signatures travel only inside the encrypted channel.
    • Once authentication succeeds, the client opens channels (shell, command, SFTP, port forwards) over the secure connection.

    SSH authentication methods:

    The SSH protocol defines several client authentication methods.

    Password authentication:

    The client prompts the user for a password and sends it to the server inside the already-encrypted SSH transport; the server checks it against the account's password (through PAM on Linux). The password is not visible on the wire, but it is handed to the server in full, so a spoofed server (if the host key check was skipped) or a compromised one can capture it, and the method is exposed to online password guessing.

    Public Key authentication:

    The client proves that it holds the private half of a key pair by signing a value derived from the session; the private key never leaves the client. The server accepts the signature if the matching public key is listed in the file authorized_keys in the ~/.ssh folder of the target account.

    Host-based authentication:

    Here the client host, not the user, authenticates with its own host key (/etc/ssh/ssh_host_*_key, read through the ssh-keysign helper). The server must have that host key in /etc/ssh/ssh_known_hosts and the client host must be listed in /etc/ssh/shosts.equiv or in the user's ~/.shosts. The server is trusting the client machine's user database, so this is only appropriate between tightly controlled hosts.

    Keyboard-interactive authentication:

    The server sends one or more text prompts that the client displays to the user and returns the answers; this is how PAM modules, one-time passwords and other second factors are integrated.

    OpenSSH authentication methods:

    PasswordAuthentication:

    This sshd_config parameter enables or disables password authentication. Once keys are in place for every user, PasswordAuthentication no removes the password-guessing surface entirely.

    PubkeyAuthentication:

    This sshd_config parameter enables or disables public key authentication; AuthorizedKeysFile sets where the server looks for keys.

    GSSAPIAuthentication:

    GSSAPI (the Generic Security Services API, RFC 2743) is the IETF standard interface through which security mechanisms such as Kerberos 5 are used. OpenSSH uses GSSAPI with Kerberos 5 to authenticate clients, so a user who already holds a Kerberos ticket logs in without typing a password.

    HostbasedAuthentication:

    This parameter enables host-based authentication; it is off by default.

    ChallengeResponseAuthentication:

    This enables keyboard-interactive authentication. A backend, normally PAM (UsePAM yes), generates the challenges and checks the responses. In OpenSSH 8.7 and later the option is an alias of KbdInteractiveAuthentication.

    On the client, the PreferredAuthentications parameter in ssh_config (or ssh -o PreferredAuthentications=...) sets the order in which methods are tried. On the server, AuthenticationMethods in sshd_config can require a sequence of methods, for example publickey,password, so that more than one must succeed before login is granted.

    Troubleshooting:

    How to confirm SSH service on the Server:

    To troubleshoot an SSH connection, first confirm that sshd is running and listening on the expected port (22 by default), for example with systemctl status sshd and ss -tlnp | grep sshd on the server. Check that a firewall on the server or on the client (firewalld, iptables, or a cloud security group) permits TCP port 22 from the client's address; open the port rather than disabling the firewall. Ping the server from the client to rule out routing problems between the two hosts. Finally, you can install telnet on the client and use it to test whether the SSH daemon answers on the server end:

    telnet compute.seimaxim.com 22
    Trying 18.108.18.2...
    Connected to 18.108.18.2.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_5.4
    ^]

    If the SSH version banner is displayed on your console as above, the daemon is reachable; press Ctrl+] and type quit to close the telnet session. The same reachability check can be done with nc -vz compute.seimaxim.com 22, and ssh -v compute.seimaxim.com additionally shows the banner and each authentication method as it is tried.

    How to troubleshoot password authentication error:

    Perform the following troubleshooting steps if you get the error "Permission denied, please try again" after entering the password.

    Make sure the username and password are correct, and that the account exists on the server and is neither locked nor expired (passwd -S username on the server).

    If you are trying to log in as root, PermitRootLogin in /etc/ssh/sshd_config must be set to yes; the default in recent OpenSSH releases is prohibit-password, which allows key-based root login only. Logging in as an unprivileged account and using sudo is the safer choice, so enable root password login only if you really need it.

    Check the server configuration: PasswordAuthentication yes must be set in /etc/ssh/sshd_config (sshd -T | grep -i passwordauthentication prints the effective value), and with UsePAM yes the PAM stack can also reject the login.

    The server log (/var/log/secure on CentOS and AlmaLinux, or journalctl -u sshd) records the actual reason for the rejection, which the client is deliberately not told.

    How to troubleshoot pubkey authentication error:

    Check the ownership and permissions of the SSH files and directories on both ends. With StrictModes yes (the default) sshd silently ignores authorized_keys if the home directory, ~/.ssh or the file itself is writable by the group or by others, and the client refuses to use a private key that other users can read.

    Client system:
    ~/.ssh/id_* private keys: permissions should be 600
    ~/.ssh/config permissions should be 600 (at least not writable by others)

    Server system:
    ~/.ssh/authorized_keys permissions should be 600
    ~/.ssh permissions should be 700
    ~/.ssh/authorized_keys should be owned by your account
    ~/.ssh should be owned by your account
    your home directory should not be writable by group or others

    Secondly, make sure the PubkeyAuthentication configuration parameter is enabled on the server and that AuthorizedKeysFile points at the file you put the key in (~/.ssh/authorized_keys by default). On the client, ssh -v shows which keys are offered and whether the server accepted the method; the server log shows whether the key was found. On SELinux systems such as CentOS, a ~/.ssh directory that was created or copied with the wrong security context is also ignored; restorecon -Rv ~/.ssh fixes the labels.
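    The permission rules listed above are easy to get wrong by hand, so here is an added example, not code from the original page or from OpenSSH, that audits them for a home directory. It encodes the checks StrictModes and the ssh client actually perform (owner matches, no group/world write on the directories and authorized_keys, no access for anyone else on private keys); it assumes GNU stat from coreutils and takes the home directory to check as its argument.

```shell
#!/bin/sh
# Added example, not part of the original page: audit the ownership and modes
# that ssh and sshd (with the default StrictModes yes) require before public
# key authentication works. Give the home directory to check (default $HOME).
# It prints one line per problem found and returns 1 if there was any, else 0.

# Return 0 if the path is writable by group or others (last three octal digits).
writable_by_others() {
    m=$(stat -c '%a' "$1")
    m=${m#"${m%???}"}          # keep the last three digits only (drops setuid etc.)
    g=${m%?}; g=${g#?}         # group digit
    o=${m#??}                  # other digit
    case "$g$o" in *[2367]*) return 0 ;; esac
    return 1
}

# Return 0 if the path grants any access at all to group or others.
open_to_others() {
    m=$(stat -c '%a' "$1")
    m=${m#"${m%???}"}
    case "${m#?}" in *[1-7]*) return 0 ;; esac
    return 1
}

ssh_perm_check() {
    home=${1:-$HOME}
    rc=0
    uid=$(id -u)
    # Home and ~/.ssh: owned by the user, not writable by group/others.
    for d in "$home" "$home/.ssh"; do
        if [ ! -d "$d" ]; then echo "missing directory: $d"; rc=1; continue; fi
        [ "$(stat -c '%u' "$d")" = "$uid" ] || { echo "not owned by uid $uid: $d"; rc=1; }
        writable_by_others "$d" && { echo "group/world writable: $d"; rc=1; }
    done
    # authorized_keys and ~/.ssh/config: owned by the user, not writable by others.
    for f in "$home/.ssh/authorized_keys" "$home/.ssh/config"; do
        [ -e "$f" ] || continue
        [ "$(stat -c '%u' "$f")" = "$uid" ] || { echo "not owned by uid $uid: $f"; rc=1; }
        writable_by_others "$f" && { echo "group/world writable: $f"; rc=1; }
    done
    # Private keys: ssh refuses them outright if anyone else can read them.
    for k in "$home"/.ssh/id_*; do
        [ -f "$k" ] || continue
        case $k in *.pub) continue ;; esac
        open_to_others "$k" && { echo "private key too open (want 600): $k"; rc=1; }
    done
    return $rc
}

# usage: ssh_perm_check            (checks $HOME)
#        ssh_perm_check /home/bob  (run as root on the server for another account)
```

    Run it on the server for the target account and on the client for the connecting user; every line it prints corresponds to a reason sshd or ssh would reject the key without saying so.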

    Webconn Shared Hosting with SSH Secure Shell:

    We offer SSH-enabled cPanel accounts on our fast and secure shared hosting server. You can use our shared hosting infrastructure to host your websites and use SSH for development, administration, or learning purposes.

  • XFS filesystem not checked during boot

    XFS is a journaling filesystem: it records metadata changes in a log, and when a filesystem that was not cleanly unmounted is mounted again, the kernel replays that log. This is why fsck.xfs run at boot is a no-op that simply returns success; it does not mean XFS cannot be corrupted. To replay the log and confirm that the filesystem mounts cleanly, mount and unmount it, for example mount /dev/sda /mnt followed by umount /mnt. If the mount fails or you suspect damage, check the unmounted device with xfs_repair -n (report only) and then run xfs_repair to fix it.

  • Repair Linux filesystem in rescue mode

    Attach the CentOS ISO image to the server's virtual media and boot from the virtual CD-ROM. When the boot screen appears, type linux rescue at the prompt or select the rescue option if one is offered.

    • Select "Rescue installed system".
    • Select the relevant options when the language and keyboard selection appears on the screen.
    • Select No when asked to enable network devices such as eth0 or eth1, unless you need the network.
    • If the server has software RAID, assemble it with mdadm --assemble --scan
    • If the server uses LVM, activate the volumes with lvm vgchange -ay
    • Identify the device containing the corrupted filesystem (lsblk -f or blkid shows the type of each one) and make sure it is not mounted; the rescue environment may have mounted the installed system under /mnt/sysimage, in which case unmount it first. Never run a repair tool on a mounted filesystem.
    • If your server has an EXT filesystem run e2fsck -fvy /dev/sd-device, e2fsck -fvy /dev/mapper/vg-lv or e2fsck -fvy /dev/md-device (-f forces a check even if the filesystem looks clean, -y answers yes to every repair prompt, so review the output).
    • If your server has an XFS filesystem run xfs_repair /dev/sd-device, xfs_repair /dev/mapper/vg-lv or xfs_repair /dev/md-device
    • If xfs_repair refuses to run because the log is dirty, first try to mount and unmount the filesystem so the kernel replays the log. Only if that also fails, run xfs_repair -L, which zeroes the log and may lose the most recent metadata changes.
    • Finally, exit the rescue shell and reboot the server.
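    To tie the steps together, here is an added example, not code from the original page or from the CentOS rescue environment, of a small wrapper that picks the right repair tool for a device and refuses to run against anything that is still mounted, which is the mistake that turns a recoverable filesystem into an unrecoverable one. It assumes blkid is available (it is in the rescue image) and reads the mount table from /proc/mounts; the device names and mount table in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: choose and run the repair tool for
# a block device from the rescue shell, refusing to touch a mounted filesystem.
# Usage: fs_repair /dev/sdXN [--force-zero-log]
# choose_repair only prints the command so the selection can be checked.
choose_repair() {
    fstype=$1; dev=$2
    case $fstype in
        ext2|ext3|ext4) echo "e2fsck -fvy $dev" ;;
        xfs)            echo "xfs_repair $dev" ;;
        *)              echo "unsupported filesystem type: $fstype" >&2; return 1 ;;
    esac
}

# Return 0 if the device appears in the given mount table (default /proc/mounts).
is_mounted() {
    dev=$1; table=${2:-/proc/mounts}
    awk -v d="$dev" '$1 == d { found = 1 } END { exit (found ? 0 : 1) }' "$table"
}

fs_repair() {
    dev=$1; zero_log=$2
    if is_mounted "$dev"; then
        echo "$dev is mounted; unmount it first (repairing a mounted filesystem corrupts it)" >&2
        return 1
    fi
    # blkid reports the filesystem type from the superblock without mounting
    fstype=$(blkid -o value -s TYPE "$dev") || return 1
    cmd=$(choose_repair "$fstype" "$dev") || return 1
    if [ "$fstype" = xfs ] && [ "$zero_log" = --force-zero-log ]; then
        # Only after plain xfs_repair and a mount attempt (which replays the log)
        # have both failed: -L discards the log and may lose the last writes.
        cmd="xfs_repair -L $dev"
    fi
    echo "running: $cmd"
    $cmd
}
```

    In the rescue shell, after mdadm --assemble --scan and lvm vgchange -ay, run fs_repair /dev/mapper/vg-lv and only fall back to fs_repair /dev/mapper/vg-lv --force-zero-log when both the plain repair and a mount attempt have failed.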

  • Find if pNFS is enabled on NFS client

    On the NFS client, execute the following command and check whether pnfs=not configured is present in the output; if it is, the mount is not using pNFS (a configured mount names the layout driver instead):

    egrep "nfs(v)?4" /proc/self/mountstats
    device NFS-Server-IP:/mnt/path-shared mounted on /mnt/point with fstype nfs4 statvers=1.2
    nfsv4: bm0=0xfdfbbbff,bm1=0x40f9bui3e,bm2=0x906,acl=0x3,sessions,pnfs=not configured
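    The grep above shows the raw lines; on a client with many mounts it is easier to read one line per mount. The following is an added example, not code from the original page: it parses /proc/self/mountstats (or a file in the same format) and prints the mount point and pNFS state of every NFSv4 mount. The sample mountstats content in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: report the pNFS state of every
# NFSv4 mount in a /proc/self/mountstats-style file (default: the real one).
# Output: one line "<mountpoint> <pnfs-state>" per NFSv4 mount.
pnfs_status() {
    file=${1:-/proc/self/mountstats}
    awk '
        # every "device ..." line starts a new mount record
        /^device / { mp = "" }
        # "device X mounted on /mnt/point with fstype nfs4 ..." is an NFSv4 mount
        /^device / && / fstype nfs4/ {
            for (i = 1; i <= NF; i++) if ($i == "on") mp = $(i + 1)
        }
        # the nfsv4: line of that record carries comma separated capabilities,
        # one of which is pnfs=<state>; the state itself may contain spaces
        /^[[:space:]]*nfsv4:/ && mp != "" {
            state = "unknown"
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++)
                if (parts[i] ~ /^pnfs=/) { sub(/^pnfs=/, "", parts[i]); state = parts[i] }
            print mp, state
            mp = ""
        }
    ' "$file"
}

# usage: pnfs_status            (reads /proc/self/mountstats)
#        pnfs_status saved.txt  (a copy taken from another client)
```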

  • Disable or Enable Journaling On ext4 Filesystem

    ext3 and ext4 keep a journal; by default it runs in data=ordered mode, which journals metadata and writes file data before the corresponding metadata is committed (data=journal and data=writeback are the alternatives, selected as mount options). First check whether the journal feature is enabled on an ext3/ext4 filesystem with the following command:

    tune2fs -l /disk-path

    Look for has_journal in the Filesystem features line of the output; its presence indicates that journaling is enabled. The needs_recovery flag in the sample below means the journal has not been replayed yet, which is normal for a mounted filesystem.

    Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize

    To disable journaling use the command below. The filesystem must be unmounted (or mounted read-only) and clean; if needs_recovery is set, run e2fsck on it first.

    tune2fs -O ^has_journal ext4-device-name

    Without a journal the filesystem loses crash consistency and needs a full fsck after every unclean shutdown, so only do this for data you can afford to lose or rebuild, such as scratch space. To enable journaling again (feature name without a prefix, or with a + prefix) run either of the following commands:

    tune2fs -O has_journal ext4-device-name

    tune2fs -O +has_journal ext4-device-name

    Tip from the 'man tune2fs' page: filesystem features prefixed with a caret character ('^') will be cleared in the filesystem's superblock; filesystem features without a prefix character or prefixed with a plus character ('+') will be added to the filesystem.

  • Disable HTTP OPTIONS method on Linux Apache server

    You can use RewriteCond and RewriteRule in the server or virtual host configuration (mod_rewrite must be loaded and RewriteEngine On set). The RewriteCond tests the HTTP method of the request and the RewriteRule answers it with 403 Forbidden ([F]):

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|OPTIONS|CONNECT)$ [NC]
    RewriteRule .* - [F]

    Two caveats: TraceEnable Off is the supported way to disable TRACE and should be set regardless of this rule, and blocking OPTIONS breaks CORS preflight requests, so leave it out of the list if the server serves browser-facing APIs. Allow-listing methods with a <LimitExcept GET POST HEAD> block is an alternative to this deny list.

  • Backup old files before overwriting in rsync

    By default, rsync overwrites files that already exist in the destination server or folder. To keep the previous version, use the --backup flag together with --backup-dir:

    rsync -a --backup --backup-dir="/src-old-files" /usr/src/ root@85.17.219.154:/src-backup/

    The above rsync command copies files from /usr/src on the local server to root@85.17.219.154:/src-backup/. Any file in root@85.17.219.154:/src-backup/ that would be overwritten (or deleted, if --delete is also given) is first moved to root@85.17.219.154:/src-old-files. Note that --backup-dir refers to the receiving side: an absolute path is used as is, a relative one is taken relative to the destination directory. When --backup-dir is given the backup copies keep their original names, because the ~ suffix that --backup adds on its own is not applied unless you set --suffix explicitly.
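    Before pointing this at a remote host it is worth confirming the behaviour locally. The following is an added example, not code from the original page: it builds two temporary directories with a constructed file that exists in both (older in the destination, newer in the source), runs rsync with --backup and an absolute --backup-dir, and checks that the old copy was preserved under its original name while the destination received the new content. It assumes rsync is installed.

```shell
#!/bin/sh
# Added example, not from the original page: demonstrate --backup/--backup-dir
# locally with temporary directories. Returns 0 when the previous copy of an
# overwritten file ends up in the backup directory and the destination holds
# the new content; 1 otherwise.
rsync_backup_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src" "$work/dst"
    # constructed data: the destination already has an older, shorter version
    # (sizes differ so rsync's quick check cannot mistake them for identical)
    printf 'v1: old contents\n' > "$work/dst/file.txt"
    printf 'v2: new and longer contents\n' > "$work/src/file.txt"
    # --backup-dir is taken relative to the destination unless absolute, and with
    # --backup-dir set the default suffix is empty, so the backup keeps its name.
    rsync -a --backup --backup-dir="$work/old" "$work/src/" "$work/dst/" || return 1
    [ "$(cat "$work/dst/file.txt")" = "v2: new and longer contents" ] || return 1
    [ "$(cat "$work/old/file.txt")" = "v1: old contents" ] || return 1
    rm -rf "$work"
}

# usage: rsync_backup_demo && echo "backup dir works as expected"
```

    Swap the local destination for root@host:/src-backup/ and the backup directory for an absolute path on that host and the same flags apply unchanged.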