autossh systemd service

client side

apt install autossh

vim /etc/systemd/system/autossh-tunnel.service

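[Unit]
Description=AutoSSH tunnel service
# Wait for the network to be actually usable, not just configured, before the
# first connection attempt.
Wants=network-online.target
After=network-online.target

[Service]
# Gate time 0: do not treat an early exit of the first ssh as a fatal
# configuration error; just reconnect.
Environment="AUTOSSH_GATETIME=0"
# -M 0: no monitor port, ssh's own ServerAlive* keepalives decide when the link
# is dead. ExitOnForwardFailure makes ssh exit when remote port 2221 cannot be
# bound (e.g. a stale session still holds it); without it ssh stays connected
# with no forward and autossh never restarts the tunnel.
# NOTE(review): no User= is set, so this runs as root and ssh reads /root/.ssh/.
# The client key and the server's host key (known_hosts) must be in place before
# the first start, since a non-interactive ssh cannot answer the host-key prompt.
ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure yes" -NR 2221:localhost:22 sshtunnel@sub.domain.tld -p 222
# autossh restarts ssh, but nothing restarted autossh itself if it exited;
# let systemd do that with a small back-off.
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target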

server side

2nd ssh server instance config

vim /etc/ssh/sshd222_config

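# Second sshd instance dedicated to the reverse tunnel; started by
# ssh222.service with `-f /etc/ssh/sshd222_config`.
Port 222
# Only the tunnel account may authenticate to this instance; any other system
# user is refused regardless of their keys.
AllowUsers sshtunnel
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# The client uses `ssh -R`, so only remote (server-side listening) forwards are
# needed; -L style forwards, agent and X11 forwarding are switched off here as
# a second layer next to the authorized_keys options.
AllowTcpForwarding remote
AllowAgentForwarding no
X11Forwarding no
# Detect a dead client from the server side too (mirrors the client's
# ServerAliveInterval/CountMax); otherwise a stale session keeps port 2221
# bound and the reconnecting autossh cannot re-establish the forward.
ClientAliveInterval 30
ClientAliveCountMax 3
PrintMotd no
Banner none
PidFile /var/run/sshd222.pid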

create user

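# -u expects a numeric UID; the login name is the positional argument, so the
# original `-u sshtunnel` made useradd fail with an invalid-UID error.
# /bin/false as login shell: the account exists only for the key-restricted
# tunnel set up in authorized_keys below.
useradd -d /home/sshtunnel -s /bin/false -m sshtunnel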

ssh key options: limit the key to tunneling only

mkdir /home/sshtunnel/.ssh

vim /home/sshtunnel/.ssh/authorized_keys

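# `restrict` (OpenSSH 7.2+) turns off pty, agent and X11 forwarding and user-rc
# in one go; `port-forwarding` re-enables TCP forwarding, and
# `permitlisten` (OpenSSH 7.8+) limits the ports the client may ask the server
# to listen on with -R. `permitopen` alone only constrains -L (direct-tcpip)
# forwards, so by itself it did not limit the reverse tunnel at all.
# NOTE(review): confirm the server's OpenSSH version first — sshd rejects a key
# whose option list it cannot parse.
restrict,port-forwarding,permitlisten="2221",permitopen="localhost:2221",command="/bin/echo do-not-send-commands" ssh-rsa VeryLongsShkeyBlaBlaBlaBla root@hostname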

systemd

vim /etc/systemd/system/ssh222.service

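[Unit]
# Second sshd instance that serves the tunnel user on port 222
# (config: /etc/ssh/sshd222_config); the stock ssh.service keeps port 22.
Description=OpenBSD Secure Shell server (tunnel instance, port 222)
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
# SSHD_OPTS is shared with the stock instance; keep it free of -p/-f overrides.
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t -f /etc/ssh/sshd222_config
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS -f /etc/ssh/sshd222_config
ExecReload=/usr/sbin/sshd -t -f /etc/ssh/sshd222_config
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
# /run/sshd is sshd's privilege-separation directory and is shared with the
# port-22 instance. Without RuntimeDirectoryPreserve, stopping this unit
# removes it and new logins on the main sshd fail until that one is restarted.
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
RuntimeDirectoryPreserve=yes

[Install]
WantedBy=multi-user.target
# No Alias=sshd.service here: Debian's stock ssh.service already carries that
# alias, and a second claimant makes `systemctl enable` conflict with it.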
# Enable at boot and start immediately in one step.
systemctl enable --now ssh222

create custom debian buster live

download your favourite iso

http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/

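# Fetch over TLS and check the image against Debian's published checksum list
# before it becomes the base of the custom live system; a corrupted or tampered
# download would otherwise be baked into every machine booted from it.
wget https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/10.2.0-live+nonfree/amd64/iso-hybrid/debian-live-10.2.0-amd64-standard+nonfree.iso
wget https://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/10.2.0-live+nonfree/amd64/iso-hybrid/SHA256SUMS
# --ignore-missing: the list also names images that were not downloaded.
sha256sum --ignore-missing -c SHA256SUMS
# For a signed check, also fetch SHA256SUMS.sign from the same directory and
# verify it with gpg against the Debian CD signing key.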

mount iso

mount -o loop debian-live-10.2.0-amd64-standard+nonfree.iso /mnt/

copy to local workdir

mkdir -p debian-live-custom/workdir

cp -av /mnt/live/filesystem.squashfs debian-live-custom/

unpack squashfs

cd debian-live-custom/workdir

unsquashfs ../filesystem.squashfs

mount binds

# Bind the host's device, sysfs and procfs trees into the unpacked root so
# that package installation inside the chroot works.
for tree in dev sys proc; do
  mount --bind "/${tree}" "squashfs-root/${tree}"
done

chroot

chroot squashfs-root

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

install packages

nano /etc/apt/sources.list

echo "nameserver 8.8.8.8" > /etc/resolv.conf

apt update

dpkg-reconfigure locales

apt install --no-install-recommends vim screen rsync bwm-ng iotop iftop mdadm gddrescue memtester stress openssh-server netrw tcpdump console-data quota ntfs-3g chntpw smbclient testdisk cryptsetup

systemctl disable mdadm

dpkg-reconfigure keyboard-configuration

dpkg-reconfigure console-setup

apt-get clean

sed config files

# Rescue-image tweaks applied inside the chroot. The first two deliberately
# open root login by password over SSH on the resulting live system; pair them
# with a strong password at the `passwd` step below.
sed -i -e 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i -e 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config

# Turn on syntax highlighting in the system vimrc.
sed -i -e 's/"syntax on/syntax on/' /etc/vim/vimrc

# Uncomment the stock colour and ls aliases in root's .bashrc. Single quotes
# keep the backticks literal; in the double-quoted scripts \$ keeps $LS_OPTIONS
# literal for sed.
sed -i -e "s/# export LS_OPTIONS='--color=auto'/export LS_OPTIONS='--color=auto'/" /root/.bashrc
sed -i -e 's/# eval "`dircolors`"/eval "`dircolors`"/' /root/.bashrc
sed -i -e "s/# alias ls='ls \$LS_OPTIONS'/alias ls='ls \$LS_OPTIONS'/" /root/.bashrc
sed -i -e "s/# alias ll='ls \$LS_OPTIONS -l'/alias ll='ls \$LS_OPTIONS -l'/" /root/.bashrc
sed -i -e "s/# alias l='ls \$LS_OPTIONS -lA'/alias l='ls \$LS_OPTIONS -lA'/" /root/.bashrc

set root password

passwd

exit

# Release the bind mounts again before the tree is packed into a squashfs.
for tree in dev sys proc; do
  umount "squashfs-root/${tree}"
done

create squashfs

mksquashfs squashfs-root/ filesystem.squashfs -comp xz

prepare live iso

copy to local workdir

mkdir debian-live-iso-custom

cp -av /mnt/* debian-live-iso-custom/

cp -av /mnt/.disk debian-live-iso-custom/

cd debian-live-iso-custom

edit the disk info so that it matches the xorriso -V (volume ID) option

vim .disk/info

Debian 10.1 amd64 custom nonfree

copy custom squashfs

cp ../filesystem.squashfs live/filesystem.squashfs

create iso

# Build the hybrid BIOS/UEFI image. The volume ID (-V) must match what was
# written to .disk/info above; the ISO lands in the parent directory.
# -J is given twice; the duplicate is harmless.
# NOTE(review): /usr/lib/syslinux/bios/isohdpfx.bin is the isohybrid MBR
# template; on Debian the isolinux package ships it as
# /usr/lib/ISOLINUX/isohdpfx.bin — confirm the path on the build host.
xorriso -as mkisofs -V 'Debian 10.1 amd64 custom nonfree' -o ../debian-live-10.1-custom-amd64-nonfree.iso -J -J -joliet-long -cache-inodes -isohybrid-mbr /usr/lib/syslinux/bios/isohdpfx.bin -b isolinux/isolinux.bin -c isolinux/boot.cat -boot-load-size 4 -boot-info-table -no-emul-boot -eltorito-alt-boot -e boot/grub/efi.img -no-emul-boot -isohybrid-gpt-basdat -isohybrid-apm-hfsplus .

ipv4 ipv6 mtu mss size

In this case we have a GRE tunnel inside an IKEv2 tunnel inside a PPPoE tunnel :-)


Get ipv4 mss with Linux host


Size 1339 error

ping -4 -n -c 2 -M do -s 1339 www.google.com
PING www.google.com (xxx.xxx.xxx.xxx) 1339(1367) bytes of data.
ping: local error: Message too long, mtu=1366
ping: local error: Message too long, mtu=1366

--- www.google.com ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1027ms

Size 1338 good

ping -4 -n -c 2 -M do -s 1338 www.google.com
PING www.google.com (xxx.xxx.xxx.xxx) 1338(1366) bytes of data.
76 bytes from xxx.xxx.xxx.xxx: icmp_seq=1 ttl=52 (truncated)
76 bytes from xxx.xxx.xxx.xxx: icmp_seq=2 ttl=52 (truncated)

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.926/31.966/32.006/0.040 ms

How to calculate ipv4 mss

ICMPv4 header size ([IPv4 + ICMP] [20 +8]) = 28
MTU ([Size + ICMPv4] [1338 + 28]) = 1366
IPv4TCP header size ([IPv4 + TCP] [20 +20]) = 40
TCP-MSS ([MTU – IPv4TCP] [1366 – 40]) = 1326


Mikrotik ipv4 tcp-mss clamping example

/ip firewall mangle
add action=change-mss chain=forward new-mss=1326 passthrough=yes protocol=tcp src-address=xxx.xxx.xxx.xxx tcp-flags=syn tcp-mss=1327-65535
add action=change-mss chain=forward dst-address=xxx.xxx.xxx.xxx new-mss=1326 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1327-65535


Get ipv6 mss with Linux host


Size 1319 error

ping -6 -n -c 2 -M do -s 1319 www.google.com

PING www.google.com(xxx:xxx:xxx:xxx::xxx) 1319 data bytes

--- www.google.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1004ms

Size 1318 good

ping -6 -n -c 2 -M do -s 1318 www.google.com
PING www.google.com(xxx:xxx:xxx:xxx::xxx) 1318 data bytes
76 bytes from xxx:xxx:xxx:xxx::xxx: icmp_seq=1 ttl=52 (truncated)
76 bytes from xxx:xxx:xxx:xxx::xxx: icmp_seq=2 ttl=52 (truncated)

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 31.501/31.733/31.966/0.292 ms

How to calculate ipv6 mss

ICMPv6 header size ([IPv6 + ICMP] [40 +8]) = 48
MTU ([Size + ICMPv6] [1318 + 48]) = 1366
IPv6TCP header size ([IPv6 + TCP] [40 +20]) = 60
TCP-MSS ([MTU – IPv6TCP] [1366 – 60]) = 1306


Mikrotik ipv6 tcp-mss clamping example

/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=1306 passthrough=yes protocol=tcp src-address=xxx:xxx:xxx:xxx::xxx/120 tcp-flags=syn tcp-mss=1307-65535
add action=change-mss chain=forward dst-address=xxx:xxx:xxx:xxx::xxx/120 new-mss=1306 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1307-65535

Have fun!

linux kvm resize qcow2 Image

Here is a very short howto

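# Shut the guest down and wait until it is really off: `virsh shutdown` only
# sends the ACPI request and returns at once, and resizing a disk that is still
# attached to a running guest corrupts it.
virsh shutdown kvm11111
until virsh domstate kvm11111 | grep -q 'shut off'; do sleep 1; done
# Grow the backing image by 10 GiB (check with `virsh domblklist kvm11111`
# that hd.qcow2 is really this domain's disk).
qemu-img resize hd.qcow2 +10G
# Re-partition from inside the guest or a rescue boot; /dev/vda is the guest's
# view of the disk. When recreating the partition keep the same start sector
# and keep the filesystem signature (answer N below) so the data survives.
fdisk /dev/vda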

Command (m for help): p

Command (m for help): d

Command (m for help): n

Do you want to remove the signature? [Y]es/[N]o: N

Command (m for help): w

boot a rescue image then run

e2fsck -f /dev/vda1

resize2fs /dev/vda1

Have fun!

Apache mod_qos WordPress bruteforce mitigation

Hi, WordPress brute-force attacks produce high CPU load;
here are some simple examples of how to get rid of that issue with mod_qos.

Install apache module and enable it

apt install libapache2-mod-qos
a2enmod unique_id qos setenvif

For global mitigation, edit your apache module config

/etc/apache2/mods-enabled/qos.conf
<IfModule qos_module>
  # minimum request rate (bytes/sec at request reading):
  #QS_SrvRequestRate                                 120

  # limits the connections for this virtual host:
  #QS_SrvMaxConn                                     100

  # allows keep-alive support till the server reaches 600 connections:
  #QS_SrvMaxConnClose                                600

  # allows max 50 connections from a single ip address:
  #QS_SrvMaxConnPerIP                                 50

  # Per-client-IP event counters: a single IP address may request /xmlrpc.php
  # or /wp-login.php at most 10 times within 120 seconds; further requests in
  # that window are denied. Every matching request is counted, successful
  # logins included.
  # NOTE(review): counting is by client IP — behind a reverse proxy or CDN all
  # visitors share one address, and mod_qos then needs the real client IP from
  # a header (see QS_ClientIpFromHeader); confirm for your deployment.
  # The '.' in the patterns is an unescaped regex metacharacter; harmless here.
  SetEnvIf Request_URI ^/xmlrpc.php LimitWpXmlRpc
  QS_ClientEventLimitCount 10 120 LimitWpXmlRpc
  SetEnvIf Request_URI ^/wp-login.php LimitWpLogin
  QS_ClientEventLimitCount 10 120 LimitWpLogin
</IfModule>

Per Virtualhost mitigation apache config

<IfModule qos_module>
  # Goes into the vhost that serves WordPress. Both directives key on the
  # request path, not the client, so they cap the total load an endpoint can
  # cause rather than limiting a single IP.
  # at most 2 concurrent requests to the login page:
  QS_LocRequestLimitMatch "^(/wp-login.php).*$" 2
  # and not more than 1 request/sec to it:
  # NOTE(review): this rate is shared by all visitors of the URL, so legitimate
  # logins compete with the attacker for that one request per second.
  QS_LocRequestPerSecLimitMatch "^(/wp-login.php).*$" 1

  # same limits for the XML-RPC endpoint:
  QS_LocRequestLimitMatch "^(/xmlrpc.php).*$" 2
  QS_LocRequestPerSecLimitMatch "^(/xmlrpc.php).*$" 1
</IfModule>

Have fun!