
Kyle kyle0r

  • Independent Consultant
  • Earth
@kyle0r
kyle0r / README.md
Last active September 7, 2023 21:30
Notes around secure defaults for Debian sshd_config and MFA

Disclaimer: Your mileage may vary. Rigorous testing (e.g. pen-testing) is recommended to validate that your config behaves according to your use cases, that it is secure, locked down and not exploitable.

The configs in this gist provide a "secure by default" configuration for sshd and enforce MFA for connections coming from public IP space.

A screencast walking-through and demonstrating the configuration has been posted on YouTube here: https://youtu.be/m_MCVm79xyY

In theory, the strategy/concept and configuration should work on most distros running sshd. The screencast was recorded on an instance of Debian 12 aka bookworm. OpenSSH_9.2, OpenSSL 3.0.9.
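The configuration files themselves are not shown in this preview. As an added illustration of the approach described above (my example, not the gist's own file), the following is a Debian-style sshd_config drop-in that demands a public key plus a PAM second factor by default and relaxes to key-only for internal source addresses, together with an `sshd -T -C` check of what sshd will actually enforce for a given client address. The drop-in path, the RFC 1918 ranges and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not the gist's own config): an sshd_config drop-in that requires
# a public key AND a second factor (keyboard-interactive via PAM, e.g. a TOTP
# module) by default, and relaxes to key-only for trusted internal ranges.
# Assumptions: the main sshd_config includes /etc/ssh/sshd_config.d/ (Debian
# default) and the RFC 1918 ranges below are the "not public" networks.
set -eu

MFA_CONF="${MFA_CONF:-/etc/ssh/sshd_config.d/50-mfa.conf}"
INTERNAL_NETS="${INTERNAL_NETS:-10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"

# Print the drop-in. The top block applies to every client; the Match block
# overrides AuthenticationMethods when the source address is internal.
render_mfa_fragment() {
    cat <<EOF
# Global defaults: no passwords, no root login, key + PAM second factor.
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
PermitRootLogin no
AuthenticationMethods publickey,keyboard-interactive:pam

# Internal (assumed RFC 1918) source addresses: the key alone is sufficient.
Match Address ${INTERNAL_NETS}
    AuthenticationMethods publickey
EOF
}

# Ask sshd what it would enforce for a client at address $1. Needs root (sshd -T
# loads the host keys); -C supplies the connection context the Match block sees.
effective_auth_methods() {
    addr="$1"
    sshd -T -C "user=nobody,host=probe,addr=${addr}" \
        | awk '$1 == "authenticationmethods" { print $2 }'
}

# Write the drop-in, syntax-check the whole effective config, then show the
# methods enforced for a public and an internal sample address.
install_and_check() {
    render_mfa_fragment > "$MFA_CONF"
    sshd -t
    echo "public 203.0.113.5: $(effective_auth_methods 203.0.113.5)"
    echo "internal 10.1.2.3:  $(effective_auth_methods 10.1.2.3)"
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${SSHD_MFA_INSTALL:-0}" = 1 ]; then
    install_and_check
fi
```

Run it as `sudo SSHD_MFA_INSTALL=1 sh sshd-mfa.sh`; the public address should report `publickey,keyboard-interactive:pam` and the internal one `publickey`. The second factor is whatever the sshd PAM stack asks for: on Debian, `/etc/pam.d/sshd` includes `common-auth`, which prompts for the Unix password, so that file has to be changed to call the OTP module (and drop `common-auth`) or the "second factor" is just the account password.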

@kyle0r
kyle0r / README.md
Last active December 18, 2021 15:08
Integrating Nets AFCR - Automated Fraud and Chargeback Reporting
@kyle0r
kyle0r / README.md
Last active September 20, 2021 02:04
zed scheduled zpool scrub support for MAX_PARALLEL_SCRUBS

Check the inline code docs.

The revision of the script on my system was this one.

I don't have the time at the moment to submit a bug and/or patch and/or commit directly to HEAD.
I did a quick study of the Debian bug reporting process and the reportbug tool.
cite: https://www.debian.org/Bugs/Reporting
I will try to find the time to report the improvement and link the maintainers to this gist.

example of the xargs process pool with MAX_PARALLEL_SCRUBS=3
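The xargs process-pool output referred to above is not reproduced in this preview. The following is an added example of the same idea (mine, not the gist's zed script): fan `zpool scrub` out over every imported pool with at most MAX_PARALLEL_SCRUBS scrubs running at once. The pool names used in the test are constructed, and the `-w` flag assumes OpenZFS 2.0 or later.

```shell
#!/bin/sh
# Added example, not the gist's zed script: scrub every imported pool with at
# most MAX_PARALLEL_SCRUBS running concurrently, using xargs -P as the process
# pool. Requires GNU xargs (for -r) and OpenZFS >= 2.0 (for `zpool scrub -w`).
set -eu

MAX_PARALLEL_SCRUBS="${MAX_PARALLEL_SCRUBS:-3}"

# One pool name per line. Kept separate from the pool runner so the scheduling
# can be exercised with a fixed list on a machine without ZFS.
list_pools() {
    zpool list -H -o name
}

# Read pool names from stdin and run "$@" on each, at most $1 at a time.
# Default job: `zpool scrub -w`. The -w (wait) flag is what makes the limit
# real: plain `zpool scrub` returns as soon as the scrub has been *started*,
# so xargs would launch every pool almost at once and -P would mean nothing.
scrub_pool_pool() {
    parallel="$1"; shift
    [ $# -gt 0 ] || set -- zpool scrub -w
    # -r: run nothing on empty input; -n 1: one pool per job; -P: pool size.
    xargs -r -n 1 -P "$parallel" "$@"
}

scrub_all() {
    list_pools | scrub_pool_pool "$MAX_PARALLEL_SCRUBS"
}

if [ "${RUN_SCRUBS:-0}" = 1 ]; then
    scrub_all
fi
```

Run it as root with `RUN_SCRUBS=1 MAX_PARALLEL_SCRUBS=3 sh scrub-pool.sh`. Pools that share physical disks still compete for I/O, so the parallelism that makes sense is bounded by the disk layout, not just by CPU.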

@kyle0r
kyle0r / README.md
Last active March 18, 2021 13:17
specify a transient git author and committer, and optionally specific commit dates

This worked for me on git version 2.23.3.

git -c user.email=joeb@domain.tld -c user.name="Joe B" commit <path>

Pay attention to the docs on `user.name` and `user.email`, as these settings determine both the author and committer fields.

This approach can be useful when you find yourself having to make a commit to someone else's repo or an anonymous repo, where you don't want to modify the persistent git config.

I had issues getting the GIT_AUTHOR_EMAIL and GIT_AUTHOR_NAME env vars to work, so I was probably doing something wrong; maybe I was mixing them up with GIT_COMMITTER_EMAIL and GIT_COMMITTER_NAME. Feel free to experiment with them and check the docs.
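To cover both halves of the title, identity and dates, here is an added shell example (not from the gist) that wraps the `git -c` form above and adds the date handling: `--date` sets the author date, and the committer date can only be set through `GIT_COMMITTER_DATE`. The repository, file and identity in the walkthrough are constructed.

```shell
#!/bin/sh
# Added example (not from the gist): commit with a one-off author/committer
# identity and explicit dates without touching any persistent git config.
# `-c user.name`/`-c user.email` set both author and committer; `--date` sets
# the author date only; GIT_COMMITTER_DATE is the only way to set the committer date.
set -eu

# Usage: transient_commit NAME EMAIL DATE MESSAGE [PATHSPEC...]
# DATE is any format git accepts, e.g. "2021-03-18 13:17:00 +0000".
# Pathspecs must already be tracked (same rule as `git commit <path>`).
transient_commit() {
    name="$1"; email="$2"; when="$3"; msg="$4"; shift 4
    GIT_COMMITTER_DATE="$when" \
    git -c user.name="$name" -c user.email="$email" \
        -c commit.gpgsign=false \
        commit -q --date="$when" -m "$msg" -- "$@"
}

# Author and committer identity plus both dates in strict ISO 8601.
last_commit_identity() {
    git log -1 --format='%an <%ae> %aI | %cn <%ce> %cI'
}

# Walkthrough in a throwaway repository (constructed data). Runs in a subshell
# so the cd does not leak into the caller.
demo_transient_commit() (
    repo="$1"
    git init -q "$repo"
    cd "$repo"
    printf 'hello\n' > notes.txt
    git add notes.txt
    transient_commit "Joe B" joeb@domain.tld "2021-03-18 13:17:00 +0000" \
        "transient identity" notes.txt
    last_commit_identity
)
```

`demo_transient_commit /tmp/scratch-repo` prints `Joe B <joeb@domain.tld> 2021-03-18T13:17:00+00:00 | Joe B <joeb@domain.tld> 2021-03-18T13:17:00+00:00`, i.e. both identities and both dates taken from the transient values rather than from any config file.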

@kyle0r
kyle0r / README.md
Last active March 17, 2021 23:20
mirror a root owned path to a remote node, with your non root user

It's often undesirable for InfoSec reasons, and/or a productivity killer, to use root to ssh|scp|rsync to other nodes.

There seem to be a number of sources of knowledge online about rsync'ing when you have sudo rights on the remote dst node aka "the receiver", but I didn't find a good answer for when you also want to use sudo on the local src node aka "the sender". Typically, once you `sudo rsync` on the sender node, the environment is switched to the sudo target user (e.g. root) and the previous session's authentication mechanisms are lost.

For example, if you have barrier-free ssh and sudo access to your internal systems with your own user because you already satisfied MFA on the perimeter, and you're using ssh keys and/or Kerberos tickets to persist authenticated sessions, it can be a real PITA to be forced to use a different user to ssh|scp|rsync.

In related news root is often restricted for good InfoSec reasons via sshd_config directive `PermitRoo
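One way to do what the description above asks for, as an added example that is not the gist's own recipe: let sudo keep the login session's SSH agent socket (and Kerberos credential cache, if there is one) so that root on the sender still authenticates over ssh as you, and escalate on the receiver with `--rsync-path` so ownership, ACLs and xattrs can be restored. The sudoers assumptions are stated in the comments; setting `SUDO=echo` only prints the assembled command so it can be inspected without privileges.

```shell
#!/bin/sh
# Added example, not the gist's recipe: mirror a root-readable tree to a remote
# host as yourself. sudo runs rsync as root on the sender but keeps the agent
# socket (and Kerberos cache) from the login session, so the ssh hop still
# authenticates as the unprivileged user. On the receiver, --rsync-path runs
# rsync under sudo so root-owned metadata can be written.
# Assumed: the local sudoers rule lets you keep those variables (SETENV, which
# a "(ALL) ALL" rule implies) and the remote sudoers allows NOPASSWD rsync.
set -eu

SUDO="${SUDO:-sudo}"    # set SUDO=echo to print the command instead of running it

# Usage: mirror_as_root SRC_DIR HOST DEST_DIR [extra rsync args...]
mirror_as_root() {
    src="$1"; host="$2"; dest="$3"; shift 3
    me="$(id -un)"      # resolve before sudo, where $USER would already be root
    # -aHAX --numeric-ids: full metadata including hard links, ACLs, xattrs.
    # The ssh command reuses your known_hosts and refuses unknown hosts, so root
    # never writes a new entry into your file or gets an interactive prompt.
    $SUDO --preserve-env=SSH_AUTH_SOCK,KRB5CCNAME \
        rsync -aHAX --numeric-ids --delete \
            -e "ssh -l $me -o UserKnownHostsFile=$HOME/.ssh/known_hosts -o StrictHostKeyChecking=yes" \
            --rsync-path='sudo -n rsync' \
            "$@" "$src/" "$host:$dest/"
}
```

Try it first with a dry run, e.g. `mirror_as_root /var/lib/private backup.example.net /srv/mirror -n`. If the receiver's sudoers does not grant rsync without a password, `sudo -n` fails fast instead of hanging on a prompt that has nowhere to go.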

@kyle0r
kyle0r / README.md
Last active September 7, 2023 21:01
systemd knowledge and debugging units

edited with: https://stackedit.io (why is this not built into the .md gist editor 😵⁉)

Sometimes non-obvious stuff/errors happen when managing or creating systemd units, and it is easy to waste time trying to figure them out. Here is a brain dump for future me/you/us ✌😉

A pitfall I keep wasting time on is expecting all output/errors in the unit journal, but if something goes wrong before the unit starts, then the output/errors may not be in the unit journal, so you need to remove the unit filter and/or check /var/log/messages or perhaps /var/log/syslog, depending on how your distro is configured.

search terms that might land here

"systemd unit output and errors go to messages and not my unit journal"
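As an added example (mine, not from the gist), here is a helper that collects a unit's own journal together with the places the pitfall above points to: messages logged by systemd itself (PID 1), the unfiltered journal for the time window, and the syslog files. `journalctl --grep` assumes systemd 237 or newer.

```shell
#!/bin/sh
# Added example (not from the gist): gather everything relevant to a unit,
# including the messages that never carry the unit's journal field because
# systemd itself (PID 1) emitted them before the unit ran, or because the
# distro routes them to a syslog file. Assumes systemd >= 237 for --grep.
set -eu

# --grep takes a regex, and unit names are full of dots: escape them so that
# "foo.service" does not also match "foo-service" or "foo_service".
unit_regex() {
    printf '%s\n' "$1" | sed 's/[].[\\*^$+?(){}|]/\\&/g'
}

# Usage: debug_unit UNIT [SINCE]     e.g. debug_unit foo.service '-30min'
# Every command is tolerated failing so one missing tool does not stop the dump.
debug_unit() {
    unit="$1"; since="${2:--1h}"

    echo "### static checks on the unit file"
    systemd-analyze verify "$unit" || true      # parse errors, missing executables
    systemctl cat --no-pager "$unit" || true    # what systemd actually loaded

    echo "### unit status and the journal filtered to the unit"
    systemctl status --no-pager -l "$unit" || true
    journalctl -b --no-pager -u "$unit" -S "$since" || true

    echo "### messages from systemd (PID 1) that mention the unit"
    journalctl -b --no-pager _PID=1 -S "$since" --grep "$(unit_regex "$unit")" || true

    echo "### everything at warning or worse in the window, no unit filter"
    journalctl -b --no-pager -p warning -S "$since" || true

    echo "### syslog files, for setups that still route there"
    for f in /var/log/syslog /var/log/messages; do
        [ -r "$f" ] && grep -F -- "$unit" "$f" | tail -n 20
    done
    return 0
}
```

`debug_unit my-backup.service '-15min'` is the typical call after a failed start. The third section is the one that catches the "nothing in my unit journal" case: systemd's own complaints about a unit (bad ExecStart path, failing condition, dependency cycle) come from PID 1, so looking at its messages for the unit name finds them regardless of how they were tagged.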

@kyle0r
kyle0r / README.md
Last active March 18, 2021 12:15
export oracle tables to portable raw bytes via named pipe, delimiter separated format (tsv|csv|tabnull|etc), compressed and protected/encrypted by gpg

HOWTO / TL;DR

  1. protect yourself and your system, do not run as root.

  2. curl -LO https://gist.github.com/kyle0r/10501a2078a0b1cd198891e971db5dd9/raw/run-export.sh

  3. run run-export.sh overriding the env vars as needed e.g.:

    EDITOR=vim GPG_RECIPIENT_KEY=FFFFFF WORKING_DIR_PATH=/var/tmp/your-preferred-path /bin/bash run-export.sh

  4. in theory the script should do the rest for you, or show you what is missing/wrong.
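run-export.sh itself is not shown in this preview. The following is an added example of the plumbing its title describes (my code, not the gist's script): a producer writes delimited rows into a named pipe, and the consumer side compresses and encrypts the stream as it arrives, so the plaintext export never lands on disk and nothing needs root. The Oracle step is assumed (a SQL*Plus session spooling to the FIFO); any command that writes rows to stdout serves as the producer, and the sample rows in the test are constructed. The env var names WORKING_DIR_PATH and GPG_RECIPIENT_KEY follow step 3 above.

```shell
#!/bin/sh
# Added example, not the gist's run-export.sh: stream an export through a
# named pipe into gzip and gpg so the plaintext never touches disk.
# The producer is any command writing rows to stdout (assumed: sqlplus with a
# spool to the FIFO). Runs entirely as an unprivileged user.
set -eu

WORKING_DIR_PATH="${WORKING_DIR_PATH:-/var/tmp/oracle-export}"
GPG_RECIPIENT_KEY="${GPG_RECIPIENT_KEY:-}"

# Default protector: gpg public-key encryption to GPG_RECIPIENT_KEY.
# PROTECT_CMD (e.g. PROTECT_CMD=cat) swaps it out to test the pipe plumbing on
# a machine without a keyring.
protect() {
    if [ -n "${PROTECT_CMD:-}" ]; then
        $PROTECT_CMD
    else
        [ -n "$GPG_RECIPIENT_KEY" ] || { echo "GPG_RECIPIENT_KEY is not set" >&2; return 1; }
        gpg --batch --yes --encrypt --recipient "$GPG_RECIPIENT_KEY"
    fi
}

# Usage: export_via_fifo OUT_FILE PRODUCER [ARGS...]
# Runs PRODUCER with stdout on a private FIFO; gzip | protect consume it.
export_via_fifo() {
    out="$1"; shift
    mkdir -p "$WORKING_DIR_PATH"
    fifo="$(mktemp -u "$WORKING_DIR_PATH/export.XXXXXX")"
    mkfifo -m 0600 "$fifo"                    # owner-only; never world-readable
    trap 'rm -f "$fifo"' EXIT INT TERM

    # Start the consumer first. Opening a FIFO blocks until both ends are open,
    # so a producer with no reader would hang forever.
    gzip -c < "$fifo" | protect > "$out" &
    consumer=$!

    "$@" > "$fifo"                            # e.g. sqlplus -S user/pw@db @export.sql
    wait "$consumer"
    rm -f "$fifo"
    trap - EXIT INT TERM
}

# Constructed stand-in for a SQL*Plus spool: three TSV rows.
sample_rows() {
    printf 'ID\tNAME\n1\talice\n2\tbob\n'
}
```

A real run looks like `GPG_RECIPIENT_KEY=FFFFFF export_via_fifo /var/tmp/oracle-export/customers.tsv.gz.gpg sqlplus -S user/pw@db @export-customers.sql`; the FIFO is created 0600 and removed on exit (also on interruption, via the trap), and `gpg -d file | gzip -dc` recovers the rows on the receiving side.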

@kyle0r
kyle0r / s3-download-aws4.sh
Last active January 22, 2024 13:18 — forked from vszakats/s3-upload-aws4.sh
shell/bash scripts for AWS S3 upload and download (signature v4)
#!/bin/sh
# cite
# https://stackoverflow.com/a/40866205
# USAGE:
# s3-download-aws4.sh <bucket> <region> <source-file> <dest-file>
set -e
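The rest of the script is not shown in this preview. As an added example that is not the forked script, here is the Signature Version 4 computation for an S3 GET done with openssl only, laid out step by step (canonical request, string to sign, derived signing key, signature). It is checked against the worked GET example in the S3 documentation for bucket `examplebucket`, object `test.txt`, date 2013-05-24; the virtual-hosted host layout and an object key that needs no URI encoding are assumptions.

```shell
#!/bin/sh
# Added example, not the forked script: AWS Signature Version 4 for an S3 GET
# with nothing but openssl. Inputs (credentials, bucket, key, date) in the test
# are the public worked example from the S3 documentation.
# Assumptions: virtual-hosted host <bucket>.s3.amazonaws.com; the object key
# contains no characters that need URI encoding (each path segment must be
# percent-encoded otherwise).
set -eu

sha256_hex() {                      # hex SHA-256 of stdin
    openssl dgst -sha256 | awk '{ print $NF }'
}
hmac_hex() {                        # $1 = "key:..." or "hexkey:..." (openssl -macopt syntax)
    openssl dgst -sha256 -mac HMAC -macopt "$1" | awk '{ print $NF }'
}

# Signing key: HMAC chain over date, region, service and "aws4_request",
# seeded with "AWS4" + secret. The secret itself never touches the request.
signing_key_hex() {                 # $1 secret, $2 yyyymmdd, $3 region, $4 service
    k=$(printf '%s' "$2" | hmac_hex "key:AWS4$1")
    k=$(printf '%s' "$3" | hmac_hex "hexkey:$k")
    k=$(printf '%s' "$4" | hmac_hex "hexkey:$k")
    printf '%s' "aws4_request" | hmac_hex "hexkey:$k"
}

# Usage: s3_get_authorization ACCESS SECRET REGION BUCKET KEY AMZDATE [RANGE]
# Prints the Authorization header value. The request must carry exactly the
# signed headers: Host, x-amz-content-sha256, x-amz-date (and Range if given).
s3_get_authorization() {
    access="$1"; secret="$2"; region="$3"; bucket="$4"; key="$5"; amzdate="$6"; range="${7:-}"
    ymd="${amzdate%T*}"                                   # 20130524T000000Z -> 20130524
    host="$bucket.s3.amazonaws.com"
    empty_sha=$(printf '' | sha256_hex)                   # a GET has no payload
    scope="$ymd/$region/s3/aws4_request"

    # Canonical headers: lowercase names, sorted, trimmed values, each ending in \n.
    if [ -n "$range" ]; then
        canon_headers="host:$host
range:$range
x-amz-content-sha256:$empty_sha
x-amz-date:$amzdate
"
        signed="host;range;x-amz-content-sha256;x-amz-date"
    else
        canon_headers="host:$host
x-amz-content-sha256:$empty_sha
x-amz-date:$amzdate
"
        signed="host;x-amz-content-sha256;x-amz-date"
    fi

    # Canonical request: method, URI, query string (empty here), headers,
    # blank line, signed header list, payload hash. No trailing newline.
    canon_request="GET
/$key

$canon_headers
$signed
$empty_sha"
    string_to_sign="AWS4-HMAC-SHA256
$amzdate
$scope
$(printf '%s' "$canon_request" | sha256_hex)"

    sig=$(printf '%s' "$string_to_sign" \
        | hmac_hex "hexkey:$(signing_key_hex "$secret" "$ymd" "$region" s3)")
    printf 'AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s\n' \
        "$access" "$scope" "$signed" "$sig"
}
```

Any byte that differs between what is signed and what is sent (a header value with extra whitespace, a key segment left unencoded, a clock skew beyond 15 minutes on `x-amz-date`) produces `SignatureDoesNotMatch`, so when debugging, print `canon_request` and compare it with the canonical request S3 echoes back in the error body.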