SFTP Chroot with Public Key Authentication and SELiunx in CentOS

Chroot 後

SSHD 對於 chroot的 userhome/.ssh 的讀寫權限，受到selinux的限制

可以在 /var/log/audit.log裡面看到類似

type=AVC msg=audit(1635139929.544:379): avc:  denied  { read } for  pid=144254 comm="sshd" name="authorized_keys" dev="sda2" ino=50348313 scontext=system_u:system_r:sem_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=0

 

解法1 :

 把 authorized_key 放到其他資料夾

參考 https://wiki.archlinux.org/title/SFTP_chroot

 

Match Group sftponly
  AuthorizedKeysFile /etc/ssh/authorized_keys/%u
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no
  X11Forwarding no
  PasswordAuthentication no

解法2 :

如果要保持放在 userhome/.ssh

 

安裝 semanage 

yum install policycoreutils-python-utils

 針對  choort 的 userhome/.ssh

執行

semanage fcontext -a -t ssh_home_t /path/to/users/homedirectory/.ssh/
restorecon -v /path/to/users/homedirectory/.ssh/

GCP Instance Multiple Network Interface Access Problem

 GCP 上面創建Instance時，如果有多個network interface設定，需要額外創建routing rule

 

1. 
   nic 0 / default / 10.140.0.2
   nic 1 / interface-1 / 10.40.0.2
   nic 2 / interface-2 / 10.60.0.2
   
   
2. 
   創建好VM後，進入linux
   
   
3. 
   sudo echo "100 rt1" | sudo tee -a /etc/iproute2/rt_tables
   sudo echo "200 rt2" | sudo tee -a /etc/iproute2/rt_tables 
   
4. 
   vim /root/iproute.sh
   
   #!/bin/bash
   
   sleep 10
   ip route add 10.40.0.1 src 10.40.0.2 dev eth1 table rt1
   ip route add default via 10.40.0.1 dev eth1 table rt1
   ip rule add from 10.40.0.2/32 table rt1
   ip rule add to 10.40.0.2/32 table rt1
   
   ip route add 10.60.0.1 src 10.60.0.2 dev eth2 table rt2
   ip route add default via 10.60.0.1 dev eth2 table rt2
   ip rule add from 10.60.0.2/32 table rt2
   ip rule add to 10.60.0.2/32 table rt2
   
   
5. 注意一定要 sleep 10 (因為google 執行 startup-scritp的時候，有可能network interface還沒啟動)
   
   
6. 
   在 Instance 加入 metadata :
   metadata key : startup-script
   metadata value :
   
   #!/bin/bash
   /root/iproute.sh
   
   
   
7. 重新啟動 instance，應該就可以正常存取
8. 可以去 /var/log/message 看啟動資訊，關鍵字 GCEMetadataScripts
   

Secure your instances with multi-factor authentication

ref:
https://aws.amazon.com/tw/blogs/startups/securing-ssh-to-amazon-ec2-linux-hosts/

https://qiita.com/daikumatan/items/8b05607cdc4676ff8e28


AWS ec2 linux 2 instance with apache + let's encrypt

https://aws.amazon.com/blogs/compute/extending-amazon-linux-2-with-epel-and-lets-encrypt/

Google Play Store Feature Notes

1.      Android 裝置上的返回鍵，應該有正常作用，可以[返回上一頁]

 To maintain a consistent user experience, the Android Back button must:
• Have the same functionality as any on-screen back or close button
• Dismiss all dialog windows
Please refer the attached screenshot for more details.
For more info:
https://developer.android.com/distribute/essentials/quality/core.html#ux
https://developer.android.com/design/patterns/navigation.html

2.      遊戲中必須進行的流程(例如說新手任務)，介面不應該讓用戶有取消的按鈕，造成任務中斷

3.      Android 裝置切換到英文語系的時候，遊戲APP的名稱應該是顯示對應的英文名稱(例如註冊的英文名稱)，避免顯示亂碼、中文

4.      商店中一定要有隱私權宣告的連結

https://support.google.com/googleplay/android-developer/answer/2519872

5. TargetSDK Version 要設定為最新，而且要確保可以正確執行在最新Android版本上

6.      要有一張 Feature 的美術圖(Feature Graphic)，要符合幾個 guideline

• The feature image should prominently display the app’s title/logo as this graphic may be displayed without the app icon during a promotion.
• Use large font sizes that are legible across multiple screen sizes.
• Try to vertically and horizontally center any logo/copy information in the frame to ensure visibility
For more info:
https://support.google.com/googleplay/android-developer/answer/1078870?

7.      商店上要有提供平板的美術宣傳圖

Please upload at least one unaltered, high-resolution (1280 x 800 minimum) screen capture to the tablet sections of the developer console, preferably in each supported orientation. For more info:
http://developer.android.com/distribute/googleplay/quality/tablet.html#google-play

8.      App Icon 要符合一些guideline

http://www.google.com/design/spec/style/icons.html#icons-product-icons
Consider using this icon generator as a starting point: http://goo.gl/14DrRi (Github)

9.      不要在用戶重複按會產生對話介面(Dialog)按鈕的時候，產生堆疊式的對話介面，而應該只顯示單一一個對話介面

MySQL Error 1118 : Row Size too large ( > 8126)

簡單說 :

Innodb 下, 如果 innodb_page_size 設定為 16KB
table 每一個 row 最大的 length(size) 為 8126 bytes  ( 大約是 16KB /2 )

(注意： mysql 限制 row size 為 65536，但是每種 engine 還會有自己的限制)
(ref : https://dev.mysql.com/doc/refman/5.7/en/column-count-limit.html)
(Every table (regardless of storage engine) has a maximum row size of 65,535 bytes. Storage engines may place additional constraints on this limit, reducing the effective maximum row size.)



固定欄位的大小就是固定大小
但是變動欄位大小 (blog / text / varchar) 等，在不同的 innodb row_format 下有不同的計算方法

compact :
變動欄位會用 768 bytes, 超過的會放在另一個 page
如果有太多的 column (例如11個 blob)，那很容易就超過 8126 bytes，就會出現上述的訊息

dynamic / compress
變動欄位會用 20 bytes，超過的會放在另一個page



解決方法 :

1. 改用 dynamic / compress row_format

這需要啟用 innodb barracuda file-format
同時重新 create table(alter table)
row format可以用 show table status 查看



2. 增加 page_size

提高 innodb_page_size
show variables like "innodb_page_size"

ref :
 http://dev.mysql.com/doc/refman/5.7/en/innodb-restrictions.html

The maximum row length, except for variable-length columns (VARBINARY, VARCHAR, BLOB and TEXT), is slightly less than half of a database page for 4KB, 8KB, 16KB, and 32KB page sizes. For example, the maximum row length for the default innodb_page_size of 16KB is about 8000 bytes. For an InnoDB page size of 64KB, the maximum row length is about 16000 bytes. LONGBLOB and LONGTEXT columns must be less than 4GB, and the total row length, including BLOB and TEXT columns, must be less than 4GB.

http://dev.mysql.com/doc/refman/5.7/en/column-count-limit.html



3. 把欄位拆到其他 table


4. 把很多個 blob/text 合併，在應用層再去分離

nf_conntrack error in dmesg

dmesg

nf_conntrack: table full, dropping packet

ref :

http://www.mwclearning.com/?p=1506

http://www.pc-freak.net/blog/resolving-nf_conntrack-table-full-dropping-packet-flood-message-in-dmesg-linux-kernel-log/

https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt



Short Version :

echo "options nf_conntrack hashsize=245760" > /etc/modprobe.d/nfconntrack.conf
echo "net.netfilter.nf_conntrack_max=1966080" >> /etc/sysctl.conf

restart server

The value  should depend on the system resources like memory.

ps. we can't not excute
echo "net.netfilter.nf_conntrack_buckets=245760" >> /etc/sysctl.conf
sysctl -p

because nf_conntrack_buckets is a read-only varaible


If we restart iptables, system won't reload the correct value, so we need change setting in /etc/sysconfig/iptables-config

adds setting IPTABLES_SYSCTL_LOAD_ON_START to /etc/sysconfig/iptables-config
when set to yes (default is no), sysctl settings will be loaded at the end of the iptables start sequence.
# Reload sysctl settings on start and restart
#   Default: -none-
# Space separated list of sysctl items which are to be reloaded on start.
# List items will be matched by fgrep.
#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"




Long Version :


There are some errors in the following article.

On many busy servers, you might encounter in /var/log/syslog or dmesg kernel log messages like

nf_conntrack: table full, dropping packet

to appear repeatingly:

[1737157.057528] nf_conntrack: table full, dropping packet.
[1737157.160357] nf_conntrack: table full, dropping packet.
[1737157.260534] nf_conntrack: table full, dropping packet.
[1737157.361837] nf_conntrack: table full, dropping packet.
[1737157.462305] nf_conntrack: table full, dropping packet.
[1737157.564270] nf_conntrack: table full, dropping packet.
[1737157.666836] nf_conntrack: table full, dropping packet.
[1737157.767348] nf_conntrack: table full, dropping packet.
[1737157.868338] nf_conntrack: table full, dropping packet.
[1737157.969828] nf_conntrack: table full, dropping packet.
[1737157.969928] nf_conntrack: table full, dropping packet
[1737157.989828] nf_conntrack: table full, dropping packet
[1737162.214084] __ratelimit: 83 callbacks suppressed

There are two type of servers, I've encountered this message on:

1. Xen OpenVZ / VPS (Virtual Private Servers)
2. ISPs – Internet Providers with heavy traffic NAT network routers 

I. What is the meaning of nf_conntrack: table full dropping packet error message

In short, this message is received because the nf_conntrack kernel maximum number assigned value gets reached.
The common reason for that is a heavy traffic passing by the server or very often a DoSor DDoS (Distributed Denial of Service) attack. Sometimes encountering the err is a result of a bad server planning (incorrect data about expected traffic load by a company/companeis) or simply a sys admin error…

– Checking the current maximum nf_conntrack value assigned on host:

linux:~# cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max
65536

– Alternative way to check the current kernel values for nf_conntrack is through:

linux:~# /sbin/sysctl -a|grep -i nf_conntrack_max
error: permission denied on key 'net.ipv4.route.flush'
net.netfilter.nf_conntrack_max = 65536
error: permission denied on key 'net.ipv6.route.flush'
net.nf_conntrack_max = 65536

– Check the current sysctl nf_conntrack active connections

To check present connection tracking opened on a system:

:

linux:~# /sbin/sysctl net.netfilter.nf_conntrack_count
net.netfilter.nf_conntrack_count = 12742

The shown connections are assigned dynamicly on each new succesful TCP / IP NAT-ted connection. Btw, on a systems that work normally without the dmesg log being flooded with the message, the output of lsmod is:

linux:~# /sbin/lsmod | egrep 'ip_tables|conntrack'
ip_tables 9899 1 iptable_filter
x_tables 14175 1 ip_tables

On servers which are encountering nf_conntrack: table full, dropping packet error, you can see, when issuing lsmod, extra modules related to nf_conntrack are shown as loaded:

linux:~# /sbin/lsmod | egrep 'ip_tables|conntrack'
nf_conntrack_ipv4 10346 3 iptable_nat,nf_nat
nf_conntrack 60975 4 ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4
nf_defrag_ipv4 1073 1 nf_conntrack_ipv4
ip_tables 9899 2 iptable_nat,iptable_filter
x_tables 14175 3 ipt_MASQUERADE,iptable_nat,ip_tables

II. Remove completely nf_conntrack support if it is not really necessery

It is a good practice to limit or try to omit completely use of any iptables NAT rules to prevent yourself from ending with flooding your kernel log with the messages and respectively stop your system from dropping connections.

Another option is to completely remove any modules related to nf_conntrack, iptables_nat and nf_nat.
To remove nf_conntrack support from the Linux kernel, if for instance the system is not used for Network Address Translation use:

/sbin/rmmod iptable_nat
/sbin/rmmod ipt_MASQUERADE
/sbin/rmmod rmmod nf_nat
/sbin/rmmod rmmod nf_conntrack_ipv4
/sbin/rmmod nf_conntrack
/sbin/rmmod nf_defrag_ipv4

Once the modules are removed, be sure to not use iptables -t nat .. rules. Even attempt to list, if there are any NAT related rules with iptables -t nat -L -n will force the kernel to load the nf_conntrack modules again.

Btw nf_conntrack: table full, dropping packet. message is observable across all GNU / Linux distributions, so this is not some kind of local distribution bug or Linux kernel (distro) customization.

III. Fixing the nf_conntrack … dropping packets error

– One temporary, fix if you need to keep your iptables NAT rules is:

linux:~# sysctl -w net.netfilter.nf_conntrack_max=131072

I say temporary, because raising the nf_conntrack_max doesn't guarantee, things will get smoothly from now on.
However on many not so heavily traffic loaded servers just raising thenet.netfilter.nf_conntrack_max=131072 to a high enough value will be enough to resolve the hassle.

– Increasing the size of nf_conntrack hash-table

The Hash table hashsize value, which stores lists of conntrack-entries should be increased propertionally, whenever net.netfilter.nf_conntrack_max is raised.

linux:~# echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
The rule to calculate the right value to set is:
hashsize = nf_conntrack_max / 4

– To permanently store the made changes ;a) put into /etc/sysctl.conf:

ERROR : nf_conntrack_count is a counter for currently allocated entries
https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
 

linux:~# echo 'net.netfilter.nf_conntrack_count = 131072' >> /etc/sysctl.conf
linux:~# /sbin/sysct -p

b) put in /etc/rc.local (before the exit 0 line):

echo 32768 > /sys/module/nf_conntrack/parameters/hashsize

Note: Be careful with this variable, according to my experience raising it to too high value (especially on XEN patched kernels) could freeze the system.
Also raising the value to a too high number can freeze a regular Linux server running on old hardware.

– For the diagnosis of nf_conntrack stuff there is ;

/proc/sys/net/netfilter kernel memory stored directory. There you can find some values dynamically stored which gives info concerning nf_conntrack operations in "real time":

linux:~# cd /proc/sys/net/netfilter
linux:/proc/sys/net/netfilter# ls -al nf_log/
total 0
dr-xr-xr-x 0 root root 0 Mar 23 23:02 ./
dr-xr-xr-x 0 root root 0 Mar 23 23:02 ../
-rw-r--r-- 1 root root 0 Mar 23 23:02 0
-rw-r--r-- 1 root root 0 Mar 23 23:02 1
-rw-r--r-- 1 root root 0 Mar 23 23:02 10
-rw-r--r-- 1 root root 0 Mar 23 23:02 11
-rw-r--r-- 1 root root 0 Mar 23 23:02 12
-rw-r--r-- 1 root root 0 Mar 23 23:02 2
-rw-r--r-- 1 root root 0 Mar 23 23:02 3
-rw-r--r-- 1 root root 0 Mar 23 23:02 4
-rw-r--r-- 1 root root 0 Mar 23 23:02 5
-rw-r--r-- 1 root root 0 Mar 23 23:02 6
-rw-r--r-- 1 root root 0 Mar 23 23:02 7
-rw-r--r-- 1 root root 0 Mar 23 23:02 8
-rw-r--r-- 1 root root 0 Mar 23 23:02 9

IV. Decreasing other nf_conntrack NAT time-out values to prevent server against DoS attacks

Generally, the default value for nf_conntrack_* time-outs are (unnecessery) large.
Therefore, for large flows of traffic even if you increase nf_conntrack_max, still shorty you can get a nf_conntrack overflow table resulting in dropping server connections. To make this not happen, check and decrease the other nf_conntrack timeout connection tracking values:

linux:~# sysctl -a | grep conntrack | grep timeout
net.netfilter.nf_conntrack_generic_timeout = 600
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 120
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 60
net.netfilter.nf_conntrack_tcp_timeout_established = 432000
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 300
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 300
net.netfilter.nf_conntrack_udp_timeout = 30
net.netfilter.nf_conntrack_udp_timeout_stream = 180
net.netfilter.nf_conntrack_icmp_timeout = 30
net.netfilter.nf_conntrack_events_retry_timeout = 15
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent2 = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_max_retrans = 300
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30

All the timeouts are in seconds. net.netfilter.nf_conntrack_generic_timeout as you see is quite high – 600 secs = (10 minutes).
This kind of value means any NAT-ted connection not responding can stay hanging for 10 minutes!

The value net.netfilter.nf_conntrack_tcp_timeout_established = 432000 is quite high too (5 days!)
If this values, are not lowered the server will be an easy target for anyone who would like to flood it with excessive connections, once this happens the server will quick reach even the raised up value for net.nf_conntrack_max and the initial connection dropping will re-occur again …

With all said, to prevent the server from malicious users, situated behind the NAT plaguing you with Denial of Service attacks:

Lower net.ipv4.netfilter.ip_conntrack_generic_timeout to 60 – 120 seconds andnet.ipv4.netfilter.ip_conntrack_tcp_timeout_established to stmh. like 54000

linux:~# sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout = 120
linux:~# sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 54000

This timeout should work fine on the router without creating interruptions for regular NAT users. After changing the values and monitoring for at least few days make the changes permanent by adding them to /etc/sysctl.conf

linux:~# echo 'net.ipv4.netfilter.ip_conntrack_generic_timeout = 120' >> /etc/sysctl.conf
linux:~# echo 'net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 54000' >> /etc/sysctl.conf