Comment on How to harden Linux Security and improve network efficiency on Kernel sysctl Level to Stop SYN flood by admin.
If Apache is still experiencing issues even though the above tuning is in place, it is a good idea (on Debian) to place in /etc/apache2/ports.conf:
ListenBackLog 5000
admin Also Commented
How to harden Linux Security and improve network efficiency on Kernel sysctl Level to Stop SYN flood
A few more good ones are:
net.ipv4.tcp_sack = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 1
Also, for a busy high-iron server, it's nice to have the conntrack sysctl settings tuned, for example:
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 20
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 208000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 80
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 20
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 40
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 20
Also, as in my above post, on many servers it might be better to change:
net.ipv4.tcp_synack_retries = 2
to
net.ipv4.tcp_synack_retries = 1
because some Denial of Service attacks will still work against the server with:
net.ipv4.tcp_synack_retries = 2
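As an added example (not part of the original comment), here is a small POSIX sh audit that compares a host's running sysctl values against the tuning listed above and reports each key as OK, DRIFT or MISSING. It takes the dump as text in the "key = value" form that `sysctl -a` prints, so it can be run offline against a captured dump; the SAMPLE_DUMP below is constructed for illustration and deliberately omits net.ipv4.tcp_tw_recycle, which current kernels no longer expose (it was removed in Linux 4.12), so the MISSING case is exercised. The target list is taken from the comment; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original comment: audit running sysctl
# values against the SYN-flood / conntrack tuning recommended above.
# The dump is passed as text in the "key = value" form `sysctl -a` prints,
# so the check also works offline against a captured dump.

# Target values taken from the comment above (key=value, one per line).
DESIRED='net.ipv4.tcp_sack=0
net.ipv4.tcp_tw_recycle=1
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_synack_retries=1
net.ipv4.netfilter.ip_conntrack_max=131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv=20'

# Constructed sample standing in for `sysctl -a` output on a kernel that
# no longer exposes tcp_tw_recycle (removed in Linux 4.12).
SAMPLE_DUMP='net.ipv4.tcp_sack = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.netfilter.ip_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60'

# sysctl_lookup <dump-text> <key>: print the current value of key, or nothing.
# Exact key match via awk; the field separator tolerates "k = v" and "k=v".
sysctl_lookup() {
    printf '%s\n' "$1" | awk -v k="$2" -F' *= *' '$1 == k { print $2 }'
}

# audit_sysctl <dump-text>: one report line per desired key, tagged
# OK, DRIFT (value differs) or MISSING (key not exposed by this kernel).
audit_sysctl() {
    for pair in $DESIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sysctl_lookup "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING $key (not in dump: removed from the kernel or module not loaded)"
        elif [ "$have" = "$want" ]; then
            echo "OK      $key = $have"
        else
            echo "DRIFT   $key = $have (want $want)"
        fi
    done
}

# sysctl_drift_count <dump-text>: number of keys not at the desired value.
sysctl_drift_count() {
    audit_sysctl "$1" | awk '$1 != "OK" { n++ } END { print n + 0 }'
}

# Run against the constructed sample; on a live host use:
#   audit_sysctl "$(sysctl -a 2>/dev/null)"
audit_sysctl "$SAMPLE_DUMP"
echo "keys off target: $(sysctl_drift_count "$SAMPLE_DUMP")"
```

A MISSING line is worth acting on: a key that the kernel does not expose silently does nothing when placed in /etc/sysctl.conf, so the hardening you think you applied is not there.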
Recent Comments by admin
Christ is Risen Eastern Orthodox Resurrection Paschal Greeting in Different Languages
Thank you, I've included the Georgian Paschal greeting. It was my bad not to include it, it was a gap of mine.
Small script to easify ssh key generation
#!/bin/bash
# Define the user and group
USER="user"
GROUP="group"
HOME_DIR="/home/$USER"
# Navigate to the user's home directory
cd "$HOME_DIR" || { echo "Failed to navigate to $HOME_DIR"; exit 1; }
# Create the .ssh directory if it does not exist
if [ ! -d ".ssh" ]; then
    mkdir .ssh
    echo ".ssh directory created."
else
    echo ".ssh directory already exists."
fi
# Change ownership and permissions of the .ssh directory
# (sshd ignores keys when the directory is group- or world-writable)
chown "$USER:$GROUP" .ssh
chmod 700 .ssh
echo "Ownership of .ssh directory changed to $USER:$GROUP."
# Navigate to the .ssh directory
cd .ssh || { echo "Failed to navigate to .ssh directory"; exit 1; }
# Create the authorized_keys file if it does not exist
if [ ! -f "authorized_keys" ]; then
    touch authorized_keys
    echo "authorized_keys file created."
else
    echo "authorized_keys file already exists."
fi
# Change ownership and permissions of the authorized_keys file
chown "$USER:$GROUP" authorized_keys
chmod 600 authorized_keys
echo "Ownership of authorized_keys changed to $USER:$GROUP."
# Generate a new ECDSA key pair (id_dsa / id_dsa.pub) directly in this .ssh directory,
# so no copy step is needed; make sure the key files belong to the user
echo "Generating new ECDSA key pair"
ssh-keygen -t ecdsa -f id_dsa
chown "$USER:$GROUP" id_dsa id_dsa.pub
echo "Copy the id_dsa.pub content to the remote server's $HOME/.ssh/authorized_keys and run chmod 600 ~/.ssh/authorized_keys"
One good hint if cockpit is not accessible in the browser and you have to allow it through the firewall:
To open the firewall ports (if needed), execute the following commands:
sudo firewall-cmd --add-service=cockpit --permanent
sudo firewall-cmd --reload
DOOM 1, DOOM 2, DOOM 3 game wad files for download / Playing Doom on Debian Linux via FreeDoom open source doom engine
I don't really remember 🙂
How to install and use WSL 2 Windows native Linux emulation Debian and Ubuntu Linux on Windows 10 / Windows 11
A nice tip for wsl.conf is that you can enable a bridged network connection if necessary. Simply:
1. Install a new virtual switch using Hyper-V, say wsl-switch
2. To %userprofile%\.wslconfig add the following (if the file doesn't exist, create it):
[wsl2]
networkingMode=bridged
vmSwitch=wsl-switch
Now when you restart WSL you will have a bridged session. This has also been known to cure some of the weird network issues seen with WSL where network connectivity stops working (no DNS connectivity), without the need for messing with scripts and config files. YMMV