#webdevpdx on irc.freenode.net

New to IRC? Try one of these clients:

• Pidgin (but not really Adium)
• Chatzilla
• and of course The Client of the Future: irssi

Update: I should have mentioned I’m schmichael on IRC.

Denyhosts has been doing its job perfectly. It should be illegal to run a Internet exposed SSH server without it or a similar tool.*

Thanks to HoopyCat in #linode for pointing me to a SANS Internet Storm Center article explaining the Summer of Hacks phenomenon.

* Unless of course you only accept key based logins.

Goal: Backup a directory from computer Zim to computer Ark

Details:

• Both Zim and Ark are subdomains of example.com
• The user on Ark which receives the backup files is named backupuser
• The user on Zim with access to the files you want to backup is named steve

Prerequisites:

• ssh installed on both hosts
• rsync installed on both hosts

1. Login to Zim via ssh:

   ssh steve@zim.example.com

2. Generate a ssh key pair using:

   ssh-keygen -t rsa
   <press enter when prompted where to save the key>
   <press enter twice when asked for a passphrase>

3. To use the key to login to Ark remotely without manually entering a password you need to copy the public key from Zim to Ark using:

   ssh-copy-id -i .ssh/id_rsa.pub backupuser@ark.example.com

   If you don’t have ssh-copy-id on your system, get a new system. If thats not possible you can download the script with:

   wget -O ssh-copy-id http://cvsweb.mindrot.org/index.cgi/~checkout~/openssh/contrib/ssh-copy-id?rev=1.6;content-type=text%2Fplain && chmod +x ssh-copy-id

   Then retry the above command only you’ll need to prepend a “./”:

   ./ssh-copy-id -i .ssh/id_rsa.pub backupuser@ark.example.com

4. Verify the key copied properly by attempting to login to Ark. You should not be prompted for a password:

   ssh backupuser@ark.example.com

5. Logout of Ark. The key is setup, so you’re now ready to rsync files without having to manually enter a password.
6. Test rsync by choosing a small file to backup and using:

   rsync -tP /some/small/testfile backupuser@ark.example.com:/tmp

   A nice little progress bar should be displayed as the file is transferred. Confirm that “testfile” is now in /tmp on Ark.

7. You’re finally ready to do a real rsync like:

   rsync -t /directory/to/backup/* backupuser@ark.example.com:/existing/backup/directory

   Note: There are several useful options for rsync. Check man rsync to find out more.

   • -p — preserve permissions (useful for backups, use -E if you only care about the executable bit)
   • -r — recursively backup directories.
   • -z — compressed uncompressed files
   • And just FYI: -t tells rsync to use the last modified timestamp to determine whether or not to transfer files. It makes rsync a lot faster at determining whether or not files have changed.
8. To schedule the backup to take place nightly at 1:13 AM edit your crontab using crontab -e and insert the following line:

   13 1 * * * rsync -qt /directory/to/backup/* backupuser@ark.example.com:/existing/backup/directory

Caveats:

• These instructions will push files from Zim to Ark. There’s no reason why Ark couldn’t pull files from Zim. In fact, this is often more secure if Zim is a web server with a larger attack surface than Ark. Mea culpa.
• If the IP address of Ark is dynamic, use a service like dyndns.com. Otherwise SSH will give you errors.
• Major security warning: If someone breaks into Zim, they can also delete all of your backups on Ark. Never ever ever use the root user for backups on Ark. You can use the root user on Zim to send the backups, but its best to have a special backup user setup on Ark to receive the backup.

Many thanks to Kyle Waremburg for creating the project page and helping me develop firewall-admin! I hope other people find it useful.

   ssh username@ridiculouslylong.domain.com

Ugh

Using the same username makes life a bit simpler:

   ssh ridiculouslylong.domain.com

Meh, better, but I’m really lazy!

I’d heard about tab-completion for hostnames from various blogs, but never knew how to do it. I hopped into #debian and thirty seconds later someone had kindly told me about ~/.ssh/config

Not only is any host listed in your ~/.ssh/config auto-completed on the command line by hitting tab, but you can also specify what username to connect as! So my .ssh/config file looks something like:

Host host1.domain.com
     User randomuser
Host www.somewhereelse.com
     User someotheruser
Host mail.domain2.com
Host domain3.com

Now I can just type:
   ssh h<TAB><ENTER>
to connect to host1.domain.com as randomuser.

Beautiful.

Check out man ssh_config for details and other options.

Also, if you’re not using ssh keys instead of passwords, you’re doing too much work. Seahorse makes SSH keys simple.

Unfortunately, for a client I needed to extend a LAN from Building A across 30 feet of asphalt to Building B. Time to don my Net Admin hat to install a nice straightforward WiFi bridge.

Despite already owning a Linksys WRT54G series router, I decided to just pickup 2 Linksys WET54G wireless bridges (version 3.1). The bridges are actually more expensive than routers. But that just means they’re better suited for their simple task, right? Wrong…

The 2 WET54Gs have been nothing but trouble for me. Their web interface sometimes redirects to the hardcoded IP address. They drop their connection and require resetting a lot. They just don’t work reliably.

So I flashed the WRT54G with Tomato firmware to replace one of the WET54Gs, and so far things are working much better.

If I’ve never mentioned it before: I love Tomato firmware. I’ve been using it at home for ages and never have to reset it. The features are outstanding (QoS with ACK Prioritization is a lifesaver when working over SSH).

From now on anytime I need a WiFi router, access point, or bridge, I’m going to buy a WRT54G and put Tomato on it. Its cheaper than buying specialized Access Points or Bridges and has lots more features.

Did I mention Tomato generates sexy real-time graphs in SVG? Have a screenshot: