Category: Knowledgebase

How to disable ssh access for a user/group but allow command execution

You can stop a user or group from getting an interactive terminal over ssh while still letting them run commands (scripted deployments, scp/sftp, forced commands). Be clear about what the setting below does and does not do: PermitTTY no only refuses pseudo-terminal allocation, so the user can still run `ssh host command` or a non-interactive `ssh -T host` and get a shell without a terminal. If the goal is to limit what they can run, pair it with ForceCommand or a restricted shell.

  • Add a Match block at the end of /etc/ssh/sshd_config. Every line after a Match line belongs to that block until the next Match line, so keep global settings above it.
  • For a user, replace username with the actual account name:

Match User username
PermitTTY no

  • For a group, replace testgroup with the actual group name (any member of the group is matched):

Match Group testgroup
PermitTTY no

  • Restart the service so the change takes effect (a reboot is not needed). Keep your current session open and test from a second one, so a mistake in the Match block cannot lock you out:

systemctl restart sshd
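
As an added example (not part of the original article and not OpenSSH code), the script below resolves which PermitTTY value sshd will apply to a given user from a config that uses Match User and Match Group blocks, following sshd's rules: the first global occurrence of a keyword wins, a matching Match block overrides it, and when several blocks match the first one that sets the keyword wins. The sample config, the account deploy, the group nointeractive and the ForceCommand path are constructed; ForceCommand is included because it is the setting that actually restricts what a PermitTTY no user can run.

```shell
#!/bin/sh
# Added example, not from the original article. Resolves the value sshd will
# apply for KEYWORD to a given user, following sshd_config's rules: the first
# global occurrence wins, a matching Match block overrides it, and when several
# Match blocks match the first one that sets the keyword wins. Only
# "Match User" and "Match Group" criteria with exact, comma-separated names are
# handled (no wildcards, no "Keyword=value" syntax); those limits are this
# helper's, not sshd's.
#
# usage: effective_sshd_option CONFIG_FILE KEYWORD USER "group1 group2 ..."
effective_sshd_option() {
  awk -v kw="$2" -v user="$3" -v groups="$4" '
    function inlist(name, list,    a, i) {      # is name in a comma-separated list?
      split(list, a, ",")
      for (i in a) if (a[i] == name) return 1
      return 0
    }
    function anygroup(list,    g, i) {          # is any of our groups in the list?
      split(groups, g, " ")
      for (i in g) if (inlist(g[i], list)) return 1
      return 0
    }
    /^[ \t]*(#|$)/ { next }                     # comments and blank lines
    tolower($1) == "match" {
      inmatch = 1; matched = 1
      for (i = 2; i < NF; i += 2) {             # criteria come as "Criterion pattern" pairs
        c = tolower($i); v = $(i + 1)
        if (c == "user" && !inlist(user, v)) matched = 0
        else if (c == "group" && !anygroup(v)) matched = 0
        else if (c != "user" && c != "group") matched = 0   # unsupported criterion: no match
      }
      next
    }
    tolower($1) == tolower(kw) {
      if (!inmatch)     { if (!("global" in val)) val["global"] = $2 }
      else if (matched) { if (!("match"  in val)) val["match"]  = $2 }
    }
    END {
      if ("match" in val)       print val["match"]
      else if ("global" in val) print val["global"]
      else                      print "default"  # sshd compiled-in default applies
    }
  ' "$1"
}

# Constructed sample config: the account "deploy", the group "nointeractive"
# and the ForceCommand path are made up. Match blocks must sit at the end of
# the file: every line after a Match line belongs to it until the next one.
SAMPLE_SSHD_CONFIG='PermitTTY yes
PasswordAuthentication no
Match User deploy
    PermitTTY no
    ForceCommand /usr/local/bin/deploy-only
Match Group nointeractive
    PermitTTY no'
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$SAMPLE_FILE"

# user:groups pairs to resolve (groups as "id -Gn" would print them)
for who in "deploy:deploy" "alice:wheel nointeractive" "bob:users"; do
  u=${who%%:*}; g=${who#*:}
  printf '%-7s PermitTTY=%s\n' "$u" "$(effective_sshd_option "$SAMPLE_FILE" PermitTTY "$u" "$g")"
done
```

On a real host, `sshd -t` validates the file and `sshd -T -C user=deploy | grep -i permittty` prints the value sshd itself computes, which is the authoritative check; the awk resolver is for copies of the file and for seeing how the Match rules combine.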

How to restrict the maximum simultaneous ssh logins from a specific user on AlmaLinux, CentOS

  • pam_limits must be loaded as a session module. On RHEL-family systems /etc/pam.d/sshd includes /etc/pam.d/password-auth, so check it alongside /etc/pam.d/system-auth:

grep pam_limits /etc/pam.d/system-auth /etc/pam.d/password-auth
/etc/pam.d/system-auth:session     required      pam_limits.so
/etc/pam.d/password-auth:session     required      pam_limits.so

  • Add a maxlogins entry in /etc/security/limits.conf, where N is the number of simultaneous logins to allow. The limit counts the user's utmp entries, so console and su logins count too, root (uid 0) is exempt, and sessions that already exist are not cut off:

username hard maxlogins N

  • Make sure sshd hands sessions to PAM (UsePAM yes is what Red Hat's sshd_config ships; the upstream default is no), then restart sshd:

UsePAM yes
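
The following shell script is an added example, not part of the original article: it audits the three prerequisites above against copies of the files. The embedded sample files are constructed (the account deploy and its limit of 2 are made up), and group limits (@group lines) are not resolved by this helper.

```shell
#!/bin/sh
# Added example, not from the original article: checks the three pieces that
# pam_limits' maxlogins needs, against files passed as arguments so it can be
# run against copies. Real paths: /etc/pam.d/system-auth and
# /etc/pam.d/password-auth (sshd includes the latter on RHEL-family systems),
# /etc/security/limits.conf and /etc/ssh/sshd_config.

# maxlogins_limit LIMITS_FILE USER: print the hard maxlogins value for USER
# (the last line for that user is reported); prints nothing if there is none.
# @group lines are not resolved here.
maxlogins_limit() {
  awk -v u="$2" '
    /^[ \t]*#/ { next }
    $1 == u && ($2 == "hard" || $2 == "-") && $3 == "maxlogins" { v = $4 }
    END { print v }' "$1"
}

# pam_limits_loaded PAM_FILE...: succeed if any given file loads pam_limits.so
# as a session module.
pam_limits_loaded() {
  grep -Eq '^[[:space:]]*session[[:space:]].*pam_limits\.so' "$@"
}

# usepam_value SSHD_CONFIG: print the first UsePAM value (first occurrence wins).
usepam_value() {
  awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1"
}

# audit_maxlogins "PAM_FILE ..." LIMITS_FILE SSHD_CONFIG USER
# Prints one line per check; returns 1 if any check fails.
audit_maxlogins() {
  pamfiles=$1 limits=$2 sshd_conf=$3 user=$4 rc=0
  if pam_limits_loaded $pamfiles; then
    echo "ok: pam_limits.so is loaded as a session module"
  else
    echo "FAIL: no 'session ... pam_limits.so' line in: $pamfiles"; rc=1
  fi
  n=$(maxlogins_limit "$limits" "$user")
  if [ -n "$n" ]; then
    echo "ok: $user hard maxlogins $n"
  else
    echo "FAIL: no maxlogins line for $user in $limits"; rc=1
  fi
  case $(usepam_value "$sshd_conf") in
    yes) echo "ok: UsePAM yes" ;;
    "")  echo "FAIL: UsePAM not set (upstream default is no)"; rc=1 ;;
    *)   echo "FAIL: UsePAM is not yes; sshd will not run the PAM session stack"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample files standing in for the real ones.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/system-auth" <<'EOF'
# constructed excerpt of /etc/pam.d/system-auth
session     required      pam_limits.so
session     required      pam_unix.so
EOF
cat > "$SAMPLE_DIR/limits.conf" <<'EOF'
# constructed excerpt of /etc/security/limits.conf
# <domain>  <type>  <item>     <value>
deploy      hard    maxlogins  2
EOF
printf 'UsePAM yes\nPermitRootLogin no\n' > "$SAMPLE_DIR/sshd_config"

audit_maxlogins "$SAMPLE_DIR/system-auth" "$SAMPLE_DIR/limits.conf" "$SAMPLE_DIR/sshd_config" deploy
audit_maxlogins "$SAMPLE_DIR/system-auth" "$SAMPLE_DIR/limits.conf" "$SAMPLE_DIR/sshd_config" bob || true
```

On a real host call it as `audit_maxlogins "/etc/pam.d/system-auth /etc/pam.d/password-auth" /etc/security/limits.conf /etc/ssh/sshd_config username`; the limit is then easy to verify by opening N+1 sessions, the last of which is refused with "Too many logins for 'username'".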

Why does an AlmaLinux server accept incoming ssh connections very slowly?

  • For a quick workaround (not a permanent fix where DNS is managed centrally), add IP-to-hostname entries for the connecting clients to /etc/hosts. If you use this method, make sure /etc/nsswitch.conf consults files before dns:

hosts: files dns

  • The second method is to set the following directive in /etc/ssh/sshd_config and restart sshd:

UseDNS no

UseDNS controls whether sshd resolves the connecting address to a hostname and checks that the hostname resolves back to the same address. The upstream default has been no since OpenSSH 6.8, but a distribution file or an earlier change may have set it to yes; `sshd -T | grep -i usedns` prints the value in effect. The result is only needed for hostname patterns in `from=` options of authorized_keys and in Match Host blocks, so turning it off costs little.

  • If you want to keep UseDNS yes, find out which name server is slow. Run the capture below on the server while you attempt a login from the client, then stop it with Ctrl+C:

tcpdump -n -i any port 53 -w /tmp/ssh-whyslow.pcap

tcpdump only records the DNS traffic; it does not generate queries. The resolver sends the reverse lookup to the first nameserver in /etc/resolv.conf and only tries the next one after a timeout, so a dead or slow primary delays every login by that timeout. Read the capture with `tcpdump -n -tt -r /tmp/ssh-whyslow.pcap` and compare, per server, the time between each query and its response: queries that never get an answer point at the slow server.

If the primary is the slow one, fix it or reorder the nameserver lines in /etc/resolv.conf (on AlmaLinux the file is usually managed by NetworkManager, so change the DNS servers in the connection profile rather than editing the file directly), then ssh from the client again; the delay should be gone.
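
Added example, not part of the original article: a parser for the text form of that capture. The capture lines are constructed (client 192.168.1.10, name servers 10.0.0.1 and 10.0.0.2) and show the pattern you see when the primary server does not answer: the same transaction ID is retried against the secondary after a five-second timeout, and the secondary answers within milliseconds.

```shell
#!/bin/sh
# Added example, not from the original article. Reads the text form of the
# capture ("tcpdump -n -tt -r /tmp/ssh-whyslow.pcap port 53") on stdin, pairs
# each DNS query with its response by (transaction ID, server) and prints one
# line per name server:
#   server queries answered unanswered max_latency_ms
# Timeouts show up as unanswered queries. The glibc resolver retries the same
# transaction ID against the next server in /etc/resolv.conf after a timeout,
# which is why the server address is part of the key.
dns_latency_report() {
  awk '
    ($2 == "IP" || $2 == "IP6") && NF >= 6 {
      ts = $1; src = $3; dst = $5; sub(/:$/, "", dst)
      id = $6; gsub(/[^0-9]/, "", id)                  # "4321+" -> "4321"
      if (dst ~ /\.53$/) {                              # query: client -> server:53
        srv = dst; sub(/\.53$/, "", srv)
        key = id SUBSEP srv
        qts[key] = ts; queries[srv]++
      } else if (src ~ /\.53$/) {                       # response: server:53 -> client
        srv = src; sub(/\.53$/, "", srv)
        key = id SUBSEP srv
        if (key in qts) {
          rtt = (ts - qts[key]) * 1000
          answered[srv]++
          if (rtt > maxrtt[srv]) maxrtt[srv] = rtt
          delete qts[key]
        }
      }
    }
    END {
      for (s in queries)
        printf "%s %d %d %d %.0f\n", s, queries[s], answered[s], queries[s] - answered[s], maxrtt[s]
    }' | sort
}

# Constructed sample: client 192.168.1.10 logs in, sshd does the reverse lookup
# and then the forward check. 10.0.0.1 (primary) never answers; 10.0.0.2 does.
SAMPLE_CAPTURE='1700000000.000100 IP 192.168.1.10.41234 > 10.0.0.1.53: 4321+ PTR? 10.1.168.192.in-addr.arpa. (45)
1700000005.000100 IP 192.168.1.10.41234 > 10.0.0.2.53: 4321+ PTR? 10.1.168.192.in-addr.arpa. (45)
1700000005.012100 IP 10.0.0.2.53 > 192.168.1.10.41234: 4321 1/0/0 PTR client.example.net. (78)
1700000005.020000 IP 192.168.1.10.41235 > 10.0.0.1.53: 4322+ A? client.example.net. (36)
1700000010.020000 IP 192.168.1.10.41235 > 10.0.0.2.53: 4322+ A? client.example.net. (36)
1700000010.025000 IP 10.0.0.2.53 > 192.168.1.10.41235: 4322 1/0/0 A 192.168.1.10 (52)'

printf '%s\n' "$SAMPLE_CAPTURE" | dns_latency_report
# On the real host: tcpdump -n -tt -r /tmp/ssh-whyslow.pcap port 53 | dns_latency_report
```

In the sample the report shows 10.0.0.1 with two queries and no answers and 10.0.0.2 with both answered within 12 ms, which is exactly the "swap primary and secondary" case described above; a server that answers but slowly shows up through its max_latency_ms column instead.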

After joining AD, realmd does not register the DNS hostname

The error is usually caused by an incorrect /etc/hosts entry added by a provisioning script, typically the FQDN mapped to a loopback address, so the host advertises the wrong address when it joins. To resolve it:

  • Leave the AD domain (this removes the SSSD domain configuration):

realm leave webconn.tech

  • Set the hostname to the fully qualified name:

hostnamectl set-hostname metal.webconn.tech

  • Make sure /etc/hosts maps the server's real address to the FQDN first and the short name second (and remove any line that maps the FQDN to 127.0.0.1 or 127.0.1.1), or create matching forward (A) and reverse (PTR) DNS records for the server:

192.168.1.1 metal.webconn.tech metal

  • Re-join the domain:

realm join webconn.tech
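
Added example, not from the original article: a pre-check for the hosts entry before re-joining. The hosts file content is constructed around the page's example host metal.webconn.tech and includes the provisioning mistake; the realm_precheck function wraps the live checks (hostname -f, getent) and is a suggested sequence, not realmd's own logic.

```shell
#!/bin/sh
# Added example, not from the original article: checks /etc/hosts (or a copy
# passed as the first argument) for the two things that break "realm join"
# hostname registration: the FQDN mapped to a loopback address by a
# provisioning script, and the real address lacking "FQDN short" in that order.

# hosts_loopback_conflicts HOSTS_FILE FQDN: print every non-comment line that
# maps the FQDN (or its short name) to a 127.x address.
hosts_loopback_conflicts() {
  awk -v fqdn="$2" -v short="${2%%.*}" '
    /^[ \t]*#/ || NF < 2 { next }
    $1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == fqdn || $i == short) { print; next } }' "$1"
}

# hosts_entry_ok HOSTS_FILE IP FQDN: succeed if a non-comment line maps IP to
# the FQDN as first name and the short name somewhere after it.
hosts_entry_ok() {
  awk -v ip="$2" -v fqdn="$3" -v short="${3%%.*}" '
    /^[ \t]*#/ || NF < 2 { next }
    $1 == ip && $2 == fqdn { for (i = 3; i <= NF; i++) if ($i == short) { ok = 1; exit } }
    END { exit ok ? 0 : 1 }' "$1"
}

# realm_precheck FQDN IP [HOSTS_FILE]: the live checks to run before "realm join".
realm_precheck() {
  fqdn=$1 ip=$2 hosts=${3:-/etc/hosts} rc=0
  [ "$(hostname -f 2>/dev/null)" = "$fqdn" ] \
    || { echo "FAIL: hostname -f is not $fqdn (use: hostnamectl set-hostname $fqdn)"; rc=1; }
  c=$(hosts_loopback_conflicts "$hosts" "$fqdn")
  [ -z "$c" ] || { echo "FAIL: $fqdn is mapped to a loopback address in $hosts:"; echo "$c"; rc=1; }
  hosts_entry_ok "$hosts" "$ip" "$fqdn" \
    || { echo "FAIL: no '$ip $fqdn ${fqdn%%.*}' line in $hosts"; rc=1; }
  [ "$(getent hosts "$fqdn" | awk '{ print $1; exit }')" = "$ip" ] \
    || { echo "FAIL: $fqdn does not resolve to $ip (check /etc/hosts order and the A record)"; rc=1; }
  getent hosts "$ip" | grep -qw "$fqdn" \
    || { echo "FAIL: $ip does not resolve back to $fqdn (check the PTR record)"; rc=1; }
  return $rc
}

# Constructed sample: the second line is the typical provisioning-script mistake.
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost localhost.localdomain
127.0.1.1   metal.webconn.tech metal
192.168.1.1 metal.webconn.tech metal
EOF
echo "loopback conflicts to remove:"
hosts_loopback_conflicts "$SAMPLE_HOSTS" metal.webconn.tech
hosts_entry_ok "$SAMPLE_HOSTS" 192.168.1.1 metal.webconn.tech && echo "192.168.1.1 entry ok"
# On the real host, before "realm join": realm_precheck metal.webconn.tech 192.168.1.1
```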

ntpd: br-22eee3e444b: getting interface flags: No such device

ntpd logs the following on a CentOS 7 host that also runs Docker (br-22eee3e444b is a Docker user-defined network bridge that was removed while ntpd was running):

Dec 2 16:12:11 server1 ntpd[xxxx]: ./../lib/isc/unix/interfaceiter.c:248: unexpected error:
Dec 2 16:12:11 server1 ntpd[xxxx]: br-22eee3e444b: getting interface flags: No such device

The message is harmless: ntpd periodically rescans the interfaces and complains about one that Docker created and later removed; time synchronisation is unaffected unless ntpd was actually listening on that interface. The better fix is to switch to chronyd, which is the default and preferred NTP daemon on CentOS 7.

What is SSH and its Authentication Methods: Usage and Troubleshooting

Overview:

The Secure Shell (SSH) protocol provides encrypted, authenticated communication between a client and a server over a local or public network. It supports several authentication methods and uses strong cryptography to protect the data exchanged. Use SSH instead of clear-text remote access protocols (rlogin, rsh, telnet) and unencrypted file transfer (FTP). SSH can also carry X11 forwarding, local and remote port forwarding and tunneling, a SOCKS proxy (ssh -D), a tun-based VPN, and secure remote mounts (sshfs).

Steps of SSH authentication:

The client and server take the following steps to establish a secure connection. The order matters: the host key is verified before any credential is sent.

  • The client opens a TCP connection to the server (port 22 by default).
  • Both sides exchange protocol version strings and check that they are compatible.
  • Both sides negotiate algorithms and run a Diffie-Hellman (or elliptic-curve) key exchange to derive the session keys; the server signs the exchange with its host key.
  • The client verifies the server's host key against its known_hosts file to protect itself from MITM attacks. From here on all traffic is encrypted.
  • The client tells the server which username it wants to log in as and requests an authentication method; the server answers with the methods it will accept for that user.
  • The client authenticates with one of those methods, and once the server accepts, the session (shell, command or forwarding) is established over the encrypted channel.

SSH authentication methods:

The SSH protocol defines several client authentication methods.

Password authentication:

The client prompts the user for a password and sends it to the server over the already-encrypted channel; the server checks it against the account (through PAM on Linux). Simple, but exposed to online password guessing.

Public Key authentication:

The client proves possession of a private key by signing data tied to the session; the server checks the signature against the public keys listed in the target account's ~/.ssh/authorized_keys (the AuthorizedKeysFile setting). The private key never leaves the client.

Host-based authentication:

The client host, rather than the user, authenticates with its host key. The server must list the client host in /etc/ssh/shosts.equiv or the user's ~/.shosts and know its host key from /etc/ssh/ssh_known_hosts, so this method is only as strong as the client host's security.

Keyboard-interactive authentication:

The server sends one or more text prompts (for example from a PAM module or a one-time-password system) and the client relays the user's answers. On most Linux systems this is the path through which PAM asks for passwords, so it can let password logins through even when PasswordAuthentication is set to no.

OpenSSH authentication methods:

PasswordAuthentication:

Enables or disables password authentication on the server (sshd_config).

PubkeyAuthentication:

Enables or disables public key authentication on the server.

GSSAPIAuthentication:

Enables authentication through the GSSAPI, an IETF-standard API (RFC 2743); OpenSSH uses it with Kerberos 5, so a client that already holds a Kerberos ticket can log in without a password. On the client side it can also make connections slow when the server's name cannot be resolved for Kerberos, which is why ssh -o GSSAPIAuthentication=no is a common troubleshooting step.

HostbasedAuthentication:

Enables or disables host-based authentication on the server.

ChallengeResponseAuthentication:

Enables keyboard-interactive authentication. Since OpenSSH 8.7 the option is called KbdInteractiveAuthentication (the old name remains as an alias). The backend that issues the challenges and checks the responses is usually PAM (UsePAM yes); as noted above, that backend can accept passwords on its own, so set this to no as well if you want key-only logins.

On the client, the PreferredAuthentications option (in ssh_config or with -o PreferredAuthentications=publickey,password) sets the order in which methods are tried. On the server, AuthenticationMethods can require several methods in sequence, for example publickey,keyboard-interactive for a key plus a second factor.
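
Added example, not from the original article: an audit of the authentication-related settings in the effective sshd configuration (the output of sshd -T). The two sample configurations are constructed; the second one shows the case described above, where PasswordAuthentication no looks hardened but keyboard-interactive plus PAM still accepts passwords.

```shell
#!/bin/sh
# Added example, not from the original article. Feed it the effective server
# configuration ("sshd -T", or "sshd -T -C user=NAME" to include Match blocks)
# on stdin; it prints one finding per authentication setting that weakens the
# host, and its exit status is the number of findings.
audit_sshd_auth() {
  awk '
    NF >= 2 { cfg[tolower($1)] = tolower($2) }
    END {
      n = 0
      if (cfg["permitrootlogin"] == "yes")
        { print "permitrootlogin yes: set prohibit-password (keys only) or no"; n++ }
      if (cfg["passwordauthentication"] == "yes")
        { print "passwordauthentication yes: prefer publickey; passwords invite brute force"; n++ }
      if (cfg["pubkeyauthentication"] == "no")
        { print "pubkeyauthentication no: public key logins are disabled"; n++ }
      if (cfg["permitemptypasswords"] == "yes")
        { print "permitemptypasswords yes: accounts with empty passwords can log in"; n++ }
      # PasswordAuthentication no is not enough on its own: with UsePAM yes,
      # keyboard-interactive hands the prompt to PAM, which asks for the Unix
      # password anyway (sshd -T prints the old or the new option name
      # depending on the OpenSSH version, so both are checked).
      if (cfg["passwordauthentication"] == "no" && cfg["usepam"] == "yes" &&
          (cfg["kbdinteractiveauthentication"] == "yes" ||
           cfg["challengeresponseauthentication"] == "yes"))
        { print "kbdinteractiveauthentication yes with usepam yes: PAM can still accept passwords"; n++ }
      exit n
    }'
}

# Constructed "sshd -T" excerpts (the real output has many more lines).
WEAK='permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication yes
usepam yes'
LOOKS_HARDENED='permitrootlogin prohibit-password
passwordauthentication no
pubkeyauthentication yes
permitemptypasswords no
kbdinteractiveauthentication yes
usepam yes'

echo "== weak =="
printf '%s\n' "$WEAK" | audit_sshd_auth || true
echo "== looks hardened =="
printf '%s\n' "$LOOKS_HARDENED" | audit_sshd_auth || true
# On a real host: sshd -T -C user=deploy | audit_sshd_auth
```

For the second sample the fix is KbdInteractiveAuthentication no (ChallengeResponseAuthentication no on older releases), unless PAM is deliberately configured for a second factor, in which case AuthenticationMethods publickey,keyboard-interactive makes the key mandatory as well.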

Troubleshooting:

How to confirm SSH service on the Server:

To troubleshoot an SSH connection, first make sure the firewalls on the server, on the client and in between allow the SSH port (22 by default), that sshd is running and listening on that port, and that there is no routing problem between the two hosts (ping helps, although ICMP is sometimes filtered even where ssh works). Then check from the client that the daemon answers: a working server sends its version banner as soon as the TCP connection is up. telnet (or nc -vz host 22) shows this:

telnet compute.seimaxim.com 22
Trying 18.108.18.2...
Connected to 18.108.18.2.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.4
^]

If you see a banner like the one above, the daemon is reachable and the problem is in authentication or configuration; the banner also tells you the server's OpenSSH version. Press Ctrl+] and type quit to leave telnet.

How to troubleshoot a password authentication error:

Perform the following checks if you get the error "Permission denied, please try again" after entering the password.

Make sure the password is correct and that the account exists on the server and is neither locked nor expired (passwd -S username on the server shows this).

If you are trying to log in as root, PermitRootLogin in /etc/ssh/sshd_config must allow it: yes permits root password logins, while prohibit-password (the upstream default) allows root only with keys. Leaving root password logins enabled is discouraged; use a normal account and sudo instead.

Check that the server accepts passwords at all: PasswordAuthentication yes in sshd_config, no AllowUsers, AllowGroups or DenyUsers line that excludes the account, and PAM (with UsePAM yes) not denying the user, for example through pam_access.

On the server, journalctl -u sshd (or /var/log/secure) records the real reason for the refusal; on the client, ssh -vvv shows which methods were offered and which one failed.

How to troubleshoot a public key authentication error:

Check file and directory permissions on both ends. sshd with StrictModes yes (the default) silently ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others, and ssh on the client refuses to use a private key that other users can read.

Client system:
~/.ssh/id_* private keys: 600 (the matching .pub files may be 644)
~/.ssh/config: 600

Server system:
home directory: not writable by group or others (755 or stricter)
~/.ssh: 700
~/.ssh/authorized_keys: 600
~/.ssh and ~/.ssh/authorized_keys owned by the account that logs in

Secondly, make sure PubkeyAuthentication yes is in effect on the server (sshd -T | grep -i pubkey) and that the key type is still accepted: since OpenSSH 8.8 the server no longer accepts ssh-rsa signatures made with SHA-1 by default, so RSA keys used from old clients fail until the client signs with rsa-sha2-256/512 or you switch to ed25519. ssh -vvv on the client shows which keys are offered, and journalctl -u sshd on the server says why one was rejected.
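
Added example, not from the original article: a script that checks the permission and ownership rules above on a home directory. It assumes a Linux system with GNU stat; the sample home directory it builds under a temporary directory is constructed, and the "at most" modes it enforces are the page's recommended values (sshd's hard requirement is only that nothing be group- or world-writable).

```shell
#!/bin/sh
# Added example, not from the original article. Checks the permission and
# ownership rules from the list above on a home directory (Linux "stat -c" is
# assumed). sshd with StrictModes yes (the default) ignores authorized_keys
# when the home directory, ~/.ssh or the file itself is writable by group or
# others, and ssh refuses a private key that others can read.

# perm_problem PATH MAX_MODE OWNER: print a line if PATH is wider than
# MAX_MODE (octal) or owned by someone else; silent if PATH does not exist.
perm_problem() {
  p=$1 max=$2 owner=$3
  [ -e "$p" ] || return 0
  mode=$(stat -c '%a' "$p"); who=$(stat -c '%U' "$p")
  # bits set in mode but not allowed by max -> too permissive
  [ $(( 0$mode & ~0$max )) -eq 0 ] || echo "BAD: $p is mode $mode, expected at most $max"
  [ "$who" = "$owner" ] || echo "BAD: $p is owned by $who, expected $owner"
}

# check_ssh_perms HOME_DIR [OWNER]: run every check; prints the problems and
# returns 1 if there were any, otherwise prints ok and returns 0.
check_ssh_perms() {
  home=$1 owner=${2:-$(id -un)}
  {
    perm_problem "$home" 755 "$owner"
    perm_problem "$home/.ssh" 700 "$owner"
    perm_problem "$home/.ssh/authorized_keys" 600 "$owner"
    perm_problem "$home/.ssh/config" 600 "$owner"
    for key in "$home"/.ssh/id_*; do
      case $key in *.pub) continue ;; esac       # public halves may be world-readable
      perm_problem "$key" 600 "$owner"
    done
  } | grep . && return 1
  echo "ok: $home ssh permissions look sane"
}

# Constructed sample home directory with the usual mistakes.
SAMPLE_HOME=$(mktemp -d)
trap 'rm -rf "$SAMPLE_HOME"' EXIT
mkdir "$SAMPLE_HOME/.ssh"
: > "$SAMPLE_HOME/.ssh/authorized_keys"
: > "$SAMPLE_HOME/.ssh/id_ed25519"
: > "$SAMPLE_HOME/.ssh/id_ed25519.pub"
chmod 755 "$SAMPLE_HOME"
chmod 775 "$SAMPLE_HOME/.ssh"                   # group-writable: StrictModes rejects it
chmod 644 "$SAMPLE_HOME/.ssh/authorized_keys"   # wider than the recommended 600
chmod 644 "$SAMPLE_HOME/.ssh/id_ed25519"        # private key readable by others

echo "== before =="; check_ssh_perms "$SAMPLE_HOME" || true
chmod 700 "$SAMPLE_HOME/.ssh"
chmod 600 "$SAMPLE_HOME/.ssh/authorized_keys" "$SAMPLE_HOME/.ssh/id_ed25519"
echo "== after =="; check_ssh_perms "$SAMPLE_HOME"
# On a real server: check_ssh_perms /home/username username
```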

Webconn Shared Hosting with SSH Secure Shell:

We offer SSH-enabled cPanel accounts on our fast and secure shared hosting servers. You can use them to host your websites and use SSH for development, communication, or learning.

Repair Linux filesystem in rescue mode

Attach a CentOS ISO image through the server's virtual media and boot from the virtual CD-ROM. At the boot prompt type linux rescue, or pick the rescue option from the boot menu if one is shown.

  • Select "Rescue installed system".
  • Choose the language and keyboard layout when asked.
  • Answer no when asked to enable network devices such as eth0 or eth1, unless you need the network.
  • If the server uses software RAID, assemble the arrays: mdadm --assemble --scan
  • If the server uses LVM, activate the volume groups: lvm vgchange -ay
  • Identify the device that holds the corrupted filesystem (lsblk and blkid help) and make sure it is not mounted; never run a repair on a mounted filesystem.
  • For an EXT filesystem run e2fsck -fvy /dev/sd-device, e2fsck -fvy /dev/mapper/vg-lv or e2fsck -fvy /dev/md-device (-f forces a check even if the filesystem is marked clean, -y answers yes to every repair prompt, -v is verbose).
  • For an XFS filesystem run xfs_repair /dev/sd-device, xfs_repair /dev/mapper/vg-lv or xfs_repair /dev/md-device.
  • If xfs_repair refuses to run because the log is dirty, first mount and unmount the filesystem so the kernel replays the log, then run xfs_repair again. Only if mounting fails run xfs_repair -L, which zeroes the log and discards any transactions it still held.
  • Finally, exit the rescue shell and reboot the server.
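
Added example, not from the original article: the repair steps above as a script to run from the rescue shell. repair_command only prints the command for a filesystem type; repair_device detects the type with blkid, refuses mounted devices, and for XFS attempts a log replay by mounting before falling back to xfs_repair -L. The device names in the demonstration are made up, and the exit code 2 check relies on xfs_repair's documented "dirty log" status.

```shell
#!/bin/sh
# Added example, not from the original article: wraps the repair steps above in
# a script you can run from the rescue shell. repair_command only picks the
# command; repair_device runs it, refuses mounted devices, and for XFS tries a
# log replay before the destructive "xfs_repair -L".

# repair_command FSTYPE DEVICE: print the repair command for that filesystem type.
repair_command() {
  case $1 in
    ext2|ext3|ext4) echo "e2fsck -fvy $2" ;;   # -f force even if marked clean, -v verbose, -y answer yes
    xfs)            echo "xfs_repair $2" ;;
    *)              echo "no repair tool configured for filesystem type '$1' on $2" >&2; return 1 ;;
  esac
}

# repair_device DEVICE: detect the type with blkid and run the repair.
repair_device() {
  dev=$1
  if findmnt -n "$dev" >/dev/null 2>&1; then
    echo "refusing to repair $dev: it is mounted (umount it first)" >&2; return 1
  fi
  fstype=$(blkid -o value -s TYPE "$dev") || return 1
  cmd=$(repair_command "$fstype" "$dev") || return 1
  echo "running: $cmd"
  if [ "$fstype" = xfs ]; then
    # xfs_repair exits 2 when the log is dirty. A mount/umount lets the kernel
    # replay the log; only if that fails fall back to -L, which discards it.
    $cmd && return 0
    [ $? -eq 2 ] || return 1
    tmp=$(mktemp -d)
    if mount "$dev" "$tmp" 2>/dev/null && umount "$tmp"; then
      rmdir "$tmp"; $cmd; return $?
    fi
    rmdir "$tmp"
    echo "log replay failed; zeroing the XFS log with xfs_repair -L (unwritten transactions are lost)" >&2
    xfs_repair -L "$dev"
  else
    $cmd
  fi
}

# Demonstration with made-up devices: only prints the planned command.
for d in "ext4 /dev/sda1" "xfs /dev/mapper/vg-lv" "xfs /dev/md0"; do
  fs=${d%% *}; dev=${d#* }
  echo "$dev ($fs): $(repair_command "$fs" "$dev")"
done
# From the rescue shell, on the real device: repair_device /dev/sda1
```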