Monday, January 28, 2013

2 Way Synchronization with Unison

2 Way directory Synchronization

I found Unison a better option than rsync when the files in both locations change frequently, or when you want to synchronise between more than two locations and need to keep all of them in sync.

yum install unison 
on all machines that you want to synchronise between.

For password-less sync, make sure you set up an ssh private/public key pair
as described in this previous post: ssh public/private key

create a file sync.sh

vim sync.sh

copy and paste the following into your file


#!/bin/bash
# set paths / dirs
_paths="/home/cgerada/directory_to_sync"

# binary file name
_unison=/usr/bin/unison

# server names 
# sync local +server1 with server2 and server3
_rserver="server1.clive.com server2.clive.com server3.clive.com"

# sync it
for r in ${_rserver}
do
        for p in ${_paths}
        do
                ${_unison} -batch -force newer -times "${p}"  "ssh://${r}/${p}"
        done
done

save the file and give it execute rights

chmod +x sync.sh

To run the script from a cron job every half hour and write its output to a log file:

crontab -e

and add the following

*/30 * * * * /path/to/sync.sh &>/var/log/sync.sh.log

save and you are done.
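Added example, not the post's own sync.sh: the same unison loop, wrapped so that a run still in progress is not raced by the next half-hourly cron invocation, and with one timestamped OK/FAIL line per server and path so the log shows which sync actually failed. The hostnames and path are the post's placeholders; the `--run` argument, the lock directory and the `UNISON_BIN` override are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the post's script): unison loop with an overlap guard and
# per-pair result logging. Hostnames/paths are the post's placeholders.

_paths="/home/cgerada/directory_to_sync"
_unison=${UNISON_BIN:-/usr/bin/unison}   # UNISON_BIN is an assumed override, handy for testing
_rserver="server1.clive.com server2.clive.com server3.clive.com"
_lock=/var/lock/sync.sh.lock             # assumed lock *directory*: mkdir is atomic on POSIX systems

# Sync one path ($2) with one server ($1), same unison options as the post's script.
sync_one() {
    "${_unison}" -batch -force newer -times "$2" "ssh://$1/$2"
}

# Sync every path with every server. Return value is the number of failed pairs (0 = all good).
sync_all() {
    failed=0
    for r in ${_rserver}; do
        for p in ${_paths}; do
            if sync_one "$r" "$p"; then
                echo "$(date '+%F %T') OK   ${r} ${p}"
            else
                rc=$?
                echo "$(date '+%F %T') FAIL ${r} ${p} (unison exit status ${rc})"
                failed=$((failed + 1))
            fi
        done
    done
    return "$failed"
}

# Take the lock, run, release. Returns 75 (EX_TEMPFAIL) without syncing when a previous
# run still holds the lock, so a slow sync is never raced by the next cron invocation.
run_locked() {
    lockdir=$1
    if ! mkdir "$lockdir" 2>/dev/null; then
        echo "$(date '+%F %T') SKIP previous run still holds ${lockdir}" >&2
        return 75
    fi
    sync_all
    status=$?
    rmdir "$lockdir"
    return "$status"
}

# Only sync when invoked as "sync.sh --run" (the cron entry), so sourcing this file
# for its functions does not start a sync.
if [ "${1:-}" = "--run" ]; then
    run_locked "$_lock"
fi
```

The cron entry then becomes `*/30 * * * * /path/to/sync.sh --run >>/var/log/sync.sh.log 2>&1`; the `>>` with `2>&1` form appends instead of truncating and is understood by any /bin/sh, whereas `&>` is a bash extension.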


Saturday, January 26, 2013

Chrooted SFTP

This will chroot (restrict) all sftp users to their home directory.

on your SFTP server type

groupadd sftpusers

vim /etc/ssh/sshd_config

comment out

#Subsystem       sftp    /usr/libexec/openssh/sftp-server

add

Subsystem       sftp    internal-sftp


You want to put only certain users (i.e. users who belong to the sftpusers group) in the chroot jail. Add the following lines at the end of /etc/ssh/sshd_config

Match Group sftpusers
        ChrootDirectory %h
        ForceCommand internal-sftp

Match Group sftpusers – this indicates that the following lines apply only to users who belong to the group sftpusers
ChrootDirectory %h – this is the path used as the chroot after the user has authenticated. %h is the user's home directory, so for john it will be /home/john.
ForceCommand internal-sftp – this forces the in-process sftp server and ignores any commands listed in the user's ~/.ssh/rc file.

Next, either add new users to your system or use existing users:

useradd john
useradd mary
useradd clive

Add all sftp users to the sftpusers group by editing your /etc/group file

sftpusers:x:501:john,mary,clive

Make sure the users cannot log in over ssh. Edit /etc/passwd
vim /etc/passwd
and change the shell from /bin/bash to /bin/nologin for each SFTP user.
From
john:x:500:500::/home/john:/bin/bash
To
john:x:500:500::/home/john:/bin/nologin
next
chmod -R 755 /home/john

then set the following ownership on the user's home directory

chown -R root:sftpusers /home/john

restart sshd
/etc/init.d/sshd restart

you can now sftp into your server and the sftp users will be restricted to their /home folder only.
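Added example, written for this page and not part of the post: a small POSIX shell audit of the chroot setup above. sshd only accepts a ChrootDirectory whose path is owned by root and not writable by group or others, which is why the `chown root:sftpusers` and `chmod 755` steps matter, and each SFTP user should keep a non-login shell. The pure-logic functions take their input as arguments so they can be exercised offline; `audit_sftp_chroot` reads the live /etc/group and /etc/passwd (the `GROUP_FILE` / `PASSWD_FILE` overrides are hypothetical names chosen here) and uses GNU `stat` as found on CentOS.

```shell
#!/bin/sh
# Added example (not the post's own script): audit an sftp chroot setup against what
# sshd requires for ChrootDirectory and what the post's steps configure.

# 0 if an octal mode (e.g. 755 or 0755) and owner name are acceptable for ChrootDirectory:
# owned by root, and neither group nor others may write.
chroot_perms_ok() {
    mode=$1; owner=$2
    [ "$owner" = root ] || return 1
    perms=${mode#"${mode%???}"}          # last three octal digits: owner, group, other
    case $perms in
        [0-7][0-7][0-7]) ;;
        *) return 1 ;;
    esac
    g=${perms%?}; g=${g#?}                # group digit
    o=${perms#??}                         # other digit
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

# 0 if the passwd shell field is a non-login shell (the post uses /bin/nologin;
# CentOS ships /sbin/nologin, and /bin/false is also common).
shell_ok() {
    case $1 in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the members of an /etc/group line (e.g. "sftpusers:x:501:john,mary,clive"), one per line.
group_members() {
    printf '%s\n' "${1##*:}" | tr ',' '\n'
}

# Live audit: every member of the group ($1, default sftpusers) must have a non-login shell
# and a root-owned, non-group/other-writable home. Returns 1 if anything is wrong.
audit_sftp_chroot() {
    grp=${1:-sftpusers}
    gline=$(grep "^${grp}:" "${GROUP_FILE:-/etc/group}") || { echo "group $grp not found"; return 1; }
    rc=0
    for u in $(group_members "$gline"); do
        pline=$(grep "^${u}:" "${PASSWD_FILE:-/etc/passwd}") || { echo "$u: no passwd entry"; rc=1; continue; }
        home=$(printf '%s\n' "$pline" | cut -d: -f6)
        shell=$(printf '%s\n' "$pline" | cut -d: -f7)
        shell_ok "$shell" || { echo "$u: login shell is $shell, expected a nologin shell"; rc=1; }
        # GNU stat: %a = octal mode, %U = owner name
        if chroot_perms_ok "$(stat -c %a "$home")" "$(stat -c %U "$home")"; then
            echo "$u: $home is acceptable for ChrootDirectory"
        else
            echo "$u: $home must be owned by root and not writable by group or others"; rc=1
        fi
    done
    return $rc
}
```

Run `audit_sftp_chroot sftpusers` as root after the steps above; a user whose home is group-writable, or who still has /bin/bash, is reported and the function returns 1. With the home itself root-owned and 755 the user cannot write directly into it, which is expected under these rules; writable content goes in a subdirectory owned by the user.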


Thursday, January 24, 2013

Encrypting existing swap on Red Hat / CentOS

yum install cryptsetup

Switch off swap

swapoff -a

comment out the existing swap partition in /etc/fstab


#/dev/mapper/VolGroup00-swap swap  


Wipe swap partition


dd if=/dev/zero of=/dev/mapper/VolGroup00-swap

Add the swap partition to /etc/crypttab. If /etc/crypttab does not exist yet, create it, then add the following entry:


swap /dev/mapper/VolGroup00-swap /dev/urandom swap



Add the following entry to  /etc/fstab file.


/dev/mapper/swap none swap defaults 0 0


The next time you boot the system and the /etc/rc.sysinit script executes, it creates a raw dm-crypt device with a random key and formats it as a swap device. During /etc/fstab processing, the swap device is activated.
Reboot the system.
Verify that the swap space is encrypted:
swapon -s
You should see an entry for the new swap device, /dev/dm-2 in our example:


Filename Type Size Used Priority
/dev/dm-2                               partition 2064376 580 -1


Voila, your swap partition is now encrypted.
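Added example, not from the post: a check that the three pieces above line up, written for this page with constructed sample data standing in for /etc/crypttab, /etc/fstab and the output of `dmsetup table`. It confirms that the crypttab entry uses /dev/urandom as the key with the `swap` option, that fstab swaps on /dev/mapper/swap and no longer on the raw logical volume, and that the active mapping is a dm-crypt (`crypt`) target rather than the plain `linear` one of the underlying LV. The device and mapping names follow the post; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the post's): verify a random-key encrypted swap configuration.
# Sample inputs below are constructed to match the post's names.

SAMPLE_CRYPTTAB='swap /dev/mapper/VolGroup00-swap /dev/urandom swap'
SAMPLE_FSTAB='/dev/mapper/swap none swap defaults 0 0
#/dev/mapper/VolGroup00-swap swap swap defaults 0 0'
# Constructed `dmsetup table` output: the LV is a linear target, the mapping over it is crypt.
# dmsetup masks the key with zeros unless --showkeys is given.
SAMPLE_DMTABLE='VolGroup00-swap: 0 4128752 linear 8:2 384
swap: 0 4128752 crypt aes-cbc-essiv:sha256 0000000000000000000000000000000000000000000000000000000000000000 0 253:0 0'

# 0 if a crypttab line "<name> <device> <key> <options>" describes random-key swap:
# key must be /dev/urandom (fresh key every boot, so nothing swapped out survives a reboot)
# and the options must include "swap" (the mapped device is re-formatted as swap each boot).
crypttab_swap_ok() {
    set -- $1
    [ $# -ge 4 ] || return 1
    [ "$3" = /dev/urandom ] || return 1
    case ",$4," in
        *,swap,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the target type (crypt, linear, ...) of mapping $2 from `dmsetup table` text $1.
dm_target_type() {
    printf '%s\n' "$1" | awk -v n="$2:" '$1 == n { print $4; exit }'
}

# 0 if an uncommented fstab line ($1 = fstab text) uses device $2 with type swap.
fstab_mentions() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | awk -v d="$2" '$1 == d && $3 == "swap" { f = 1 } END { exit !f }'
}

# Combine the checks. Arguments: crypttab line, fstab text, dmsetup table text.
audit_encrypted_swap() {
    ct=$1; fs=$2; dm=$3
    crypttab_swap_ok "$ct" || { echo "crypttab: not a random-key swap entry"; return 1; }
    set -- $ct
    name=$1; raw=$2
    if fstab_mentions "$fs" "$raw"; then
        echo "fstab: raw device $raw is still listed as swap (would be used unencrypted)"
        return 1
    fi
    fstab_mentions "$fs" "/dev/mapper/$name" || { echo "fstab: /dev/mapper/$name not listed as swap"; return 1; }
    t=$(dm_target_type "$dm" "$name")
    [ "$t" = crypt ] || { echo "dmsetup: $name target is '${t:-missing}', not crypt"; return 1; }
    echo "encrypted swap OK: /dev/mapper/$name is a crypt target over $raw"
}
```

On a live box, run it as `audit_encrypted_swap "$(grep '^swap ' /etc/crypttab)" "$(cat /etc/fstab)" "$(dmsetup table)"`; the raw-device check catches the common mistake of leaving the old fstab line uncommented, in which case the system would happily swap to the unencrypted LV as well.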

Wednesday, January 9, 2013

mount remote directories over SSH using SSHFS


When you need to mount a remote directory securely, use SSHFS; it is a much easier and quicker option than trying to tunnel NFS over ssh.

SSHFS is quick, easy and secure.

yum install fuse-sshfs

If not done already, you will want to create your private and public keys and put your public key on the server whose directory you want to mount, so that you get a password-less connection.
ssh-keygen to create the keys

leave passphrase blank

then to copy your public key to the server type
ssh-copy-id -i .ssh/id_rsa.pub user@remoteserver

Now, let's say there is a directory /mnt/dir/ on the remote system user@remoteserver and we want to mount it on our local /localfolder directory. This is how to do it using sshfs.

type
sudo sshfs user@remoteserver:/mnt/dir /localfolder

That's it, done.

and to unmount type

fusermount -u /localfolder/

If you want the directory to be available after a reboot,

you could just put sudo sshfs user@remoteserver:/mnt/dir /localfolder
into your /etc/rc.local file

or if you prefer to use /etc/fstab then add the following line to your /etc/fstab file

sshfs#user@remoteserver:/mnt/dir /localfolder fuse    comment=sshfs,noauto,users,exec,uid=1000,gid=1000,allow_other,reconnect,transform_symlinks,BatchMode=yes