Restrict public IP addresses on ssh – RedHat/CentOS 8 edition

In a previous article I explained how to restrict public IP addresses on RedHat 7 systems through the /etc/hosts.allow and /etc/hosts.deny files. As RedHat explains, this is no longer an option on RHEL 8, where such restrictions should be enforced with the firewalld package.

You can find the detailed article here.

However, you can implement the same behavior through the sshd configuration, using the AllowUsers setting.

Edit your /etc/ssh/sshd_config file and add a rule. The one I created allows all users to log in, but only from the specified public IP addresses. If I try to log in from another location, I get rejected.

AllowUsers *@public_IP

A more detailed explanation of how to use AllowUsers to block users or groups can be found here.

Testing the behavior from a non-allowed IP address gets me rejected, even though the key is correct.

The login attempt is logged on the system and can be found with the command below:

Proxy server used to verify whether the connection attempt is successful.

You can also integrate the fail2ban package in order to block sources that exceed X failed login attempts.
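As an added illustration (not code from the original post), here is a small Python script that evaluates a user/IP pair against an AllowUsers pattern list the way sshd does (glob and CIDR host patterns) and counts the rejection messages sshd writes to the log, which is the same event a fail2ban jail would count; the IP addresses and log lines are constructed samples.

```python
import fnmatch
import ipaddress
import re
from collections import Counter

# Constructed sample: the patterns of one AllowUsers directive from sshd_config.
ALLOW_USERS = ["*@203.0.113.10", "*@198.51.100.0/24"]

def _host_matches(pattern, ip):
    """Match the HOST part of a USER@HOST pattern: a CIDR block or a glob (*, ?)."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(ip, pattern)

def allow_users_permits(patterns, user, ip):
    """True if sshd would let `user` connecting from `ip` pass the AllowUsers check.
    Once the directive is present, anyone who matches no pattern at all is denied."""
    for pattern in patterns:
        user_pat, _, host_pat = pattern.partition("@")
        if fnmatch.fnmatchcase(user, user_pat):
            if host_pat == "" or _host_matches(host_pat, ip):
                return True
    return False

# Constructed log lines in the format sshd uses when AllowUsers rejects a login.
SAMPLE_LOG = """\
Jun  3 09:12:41 rhel8 sshd[2201]: Accepted publickey for myuser from 203.0.113.10 port 51022 ssh2
Jun  3 09:13:02 rhel8 sshd[2210]: User myuser from 192.0.2.44 not allowed because not listed in AllowUsers
Jun  3 09:13:05 rhel8 sshd[2212]: User root from 192.0.2.44 not allowed because not listed in AllowUsers
Jun  3 09:14:19 rhel8 sshd[2230]: User deploy from 192.0.2.9 not allowed because not listed in AllowUsers
"""
REJECT_RE = re.compile(r"User (\S+) from (\S+) not allowed because not listed in AllowUsers")

def rejected_by_allowusers(log_text):
    """Count AllowUsers rejections per source IP: the same events a fail2ban jail
    would count before blocking a source."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            hits[m.group(2)] += 1
    return dict(hits)
```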

Mastering NTP configuration on Linux systems

The Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks, and it is very important for various components and applications.

Many problems occur when time is not synchronized between systems, even for time differences of milliseconds.

The latest case I faced with a customer involved some Power Linux systems hosting SAP applications. Due to a time difference of only a few seconds, some flows could not be completed and messages could not be sent successfully between servers. This situation caused problems for the client's production and business departments and had to be resolved.

Although NTP was configured on the systems, the basic configuration was not enough to correct the time differences between them, and we had to alter it.

Two of the most commonly used NTP daemons for Linux systems are ntpd and chronyd. In my case I had to alter the configuration for ntpd, but the same applies to chronyd; the only difference is where the configuration file is stored.

To modify ntpd settings, edit the /etc/ntp.conf file; for chronyd, the configuration file is located at /etc/chrony.conf.

You can browse the ntpd and chronyd manual pages with the commands below:

Understanding ntpd and its options:

The basic configuration of ntpd is the server keyword in the configuration file. However, this may not be enough, and you may encounter a big offset if your NTP provider is physically located a long distance away (this was actually our case).

The premises where the NTP provider was located were some km away, and the connection was established through a dedicated network line. This, however, was not enough to keep time accurate.

As you can see below, the offset between the NTP server and one random system in the client's infrastructure was approximately 1.8 seconds (the output is in milliseconds).

The ntpd command will show you, among other things, delay and offset statistics.

The Wikipedia article linked below describes how the NTP protocol works. In general, a typical NTP client regularly polls one or more NTP servers. The client must compute its time offset and round-trip delay. The time offset θ, the difference in absolute time between the two clocks, is defined by the equation below:

The important thing to understand is that NTP polling does not directly synchronize the local system clock to the server clock; rather, a complex algorithm calculates an adjustment value for each tick of the local system clock.

As a result, shorter polling intervals cause NTP to make large but less accurate calculations that never stabilize, causing the local system clock to wander.

Longer polling intervals allow NTP to calculate smaller tick adjustments that stabilize to a more accurate value, reducing wander in the local system clock.

In many systems, administrators set up NTP only with the iburst option. This option only applies to the initial synchronization and does not help during normal system operation.

On the other hand, the burst option would be better, as on every synchronization attempt you get more accurate calculations.

With the burst option, chronyd/ntpd shortens the interval between up to four requests to 2 seconds or less when it cannot get a good measurement from the server. The number of requests in the burst is limited by the current polling interval to keep the average interval at or above the minimum interval, i.e. the current interval needs to be at least twice the minimum interval in order to allow a burst with two requests.

Adjust minpoll and maxpoll values:

These options specify the minimum and maximum poll intervals for NTP messages, in seconds as a power of two.

The maximum poll interval defaults to 10 (1024 s), but can be increased with the maxpoll option up to an upper limit of 17 (36 h).

The minimum poll interval defaults to 6 (64 s), but can be decreased with the minpoll option down to a lower limit of 3 (8 s).

As described, it would be better to increase minpoll and maxpoll so that you decrease traffic and improve accuracy.
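An added example, not from the original post: a Python check for the server lines of ntp.conf or chrony.conf that applies the poll limits quoted above and the burst rule from the chronyd description, so a change like the one discussed here can be validated before restarting the daemon. The hostnames are constructed, and the burst arithmetic is my reading of the quoted rule rather than the daemon's own code.

```python
# Limits from the ntpd/chronyd documentation quoted above: poll intervals are
# exponents of two, in seconds.
MINPOLL_FLOOR, MAXPOLL_CEIL = 3, 17        # 8 s and 36 h
DEFAULT_MINPOLL, DEFAULT_MAXPOLL = 6, 10   # 64 s and 1024 s
BURST_MAX_REQUESTS = 4

def poll_seconds(exponent):
    """Poll interval in seconds for a minpoll/maxpoll exponent."""
    return 2 ** exponent

def parse_server_line(line):
    """Parse 'server <host> [iburst] [burst] [minpoll N] [maxpoll N]' into a dict,
    filling in the daemon defaults for options that are absent."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] not in ("server", "pool", "peer"):
        raise ValueError(f"not a server directive: {line!r}")
    cfg = {"host": tokens[1], "iburst": False, "burst": False,
           "minpoll": DEFAULT_MINPOLL, "maxpoll": DEFAULT_MAXPOLL}
    i = 2
    while i < len(tokens):
        if tokens[i] in ("iburst", "burst"):
            cfg[tokens[i]] = True
        elif tokens[i] in ("minpoll", "maxpoll"):
            cfg[tokens[i]] = int(tokens[i + 1])
            i += 1
        i += 1
    return cfg

def validate_poll(cfg):
    """Return the list of problems with the poll settings (empty means sane)."""
    problems = []
    if cfg["minpoll"] < MINPOLL_FLOOR:
        problems.append(f"minpoll {cfg['minpoll']} is below the floor of {MINPOLL_FLOOR} (8 s)")
    if cfg["maxpoll"] > MAXPOLL_CEIL:
        problems.append(f"maxpoll {cfg['maxpoll']} is above the ceiling of {MAXPOLL_CEIL} (36 h)")
    if cfg["minpoll"] > cfg["maxpoll"]:
        problems.append("minpoll is greater than maxpoll")
    return problems

def burst_requests_allowed(current_poll, minpoll):
    """Requests a burst may send at the current poll interval, following the rule
    quoted above: the average interval must stay at or above the minimum, so n
    requests need current >= n * minimum, and a burst never exceeds 4 requests."""
    ratio = poll_seconds(current_poll) // poll_seconds(minpoll)
    return max(1, min(BURST_MAX_REQUESTS, ratio))
```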

In my case I altered the configuration to the one below, and the time differences between systems seem to have improved.

Check leap status:

leap_none = successful synchronization. Also, the offset is now 76 ms.
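To make the two checks in this post repeatable (the peer offsets shown earlier and the leap status shown here), the following Python snippet parses constructed ntpq -p and ntpq -c rv output and flags peers whose offset exceeds a threshold; it is an added example, not part of the original post, and the hostnames, addresses and figures in the samples are made up in the shape of real ntpq output.

```python
import re

# Constructed `ntpq -p` output for a host that, like the one described above,
# sits well over a second away from its upstream server (offset is in ms).
SAMPLE_PEERS = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.in 203.0.113.5      2 u   35   64  377    0.412 -1843.210  12.345
+ntp2.example.in 203.0.113.6      2 u   12   64  377    0.398   -12.100   3.210
 ntp3.example.in .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# Constructed `ntpq -c rv` output after tuning: leap_none and a 76 ms offset.
SAMPLE_RV = """\
associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
version="ntpd 4.2.6p5", system="Linux", leap=00, stratum=3, precision=-23,
rootdelay=12.345, rootdisp=45.678, refid=203.0.113.5,
reftime=e2b3c4d5.12345678  Wed, Jun  3 2020  9:30:00.071,
clock=e2b3c4d6.23456789  Wed, Jun  3 2020  9:30:01.138, peer=12345, tc=6,
mintc=3, offset=76.012, frequency=-4.567, sys_jitter=1.234, clk_jitter=0.789
"""

def parse_peers(text):
    """Parse the `ntpq -p` table. The leading tally character tells how the peer
    is used ('*' system peer, '+' candidate, ' ' discarded or unreachable)."""
    peers = []
    for line in text.splitlines()[2:]:            # skip header and separator
        if line.strip():
            tally, f = line[0], line[1:].split()
            peers.append({"tally": tally, "remote": f[0], "refid": f[1],
                          "stratum": int(f[2]), "poll": int(f[5]),
                          "reach": int(f[6], 8),  # octal shift register of the last 8 polls
                          "delay_ms": float(f[7]), "offset_ms": float(f[8])})
    return peers

def peers_over_threshold(text, max_abs_offset_ms):
    """Remotes whose offset exceeds the threshold, ignoring never-reached peers."""
    return [p["remote"] for p in parse_peers(text)
            if p["reach"] and abs(p["offset_ms"]) > max_abs_offset_ms]

def leap_status(rv_text):
    """(synchronised, offset_ms) from `ntpq -c rv`. leap_none in the status word
    (equivalently leap=00) means no leap alarm, i.e. the clock is synchronised."""
    word = re.search(r"\b(leap_none|leap_add_sec|leap_del_sec|leap_alarm)\b", rv_text)
    offset = re.search(r"\boffset=(-?\d+(?:\.\d+)?)", rv_text)
    synced = word is not None and word.group(1) == "leap_none"
    return synced, (float(offset.group(1)) if offset else None)
```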


Elevate sudo privileges through WinSCP for sudoers

If a Linux user has sudo privileges (for example through a sudoers file), they can be elevated to root through WinSCP with the procedure below:

Create an entry in your sudoers.d directory that allows the user to execute sudo commands without a password.

Select Advanced settings in WinSCP (SCP connection).

In the Shell tab, select the option shown below.

By doing the above you will log in as root (elevated privileges for your specific user, myuser in my case).

Ansible playbook – variable files must contain either a dictionary or a list

Recently I faced the error below when I tried to use some variables that I had initialized in an Ansible vault file.

My code is shown below. It just prints some values retrieved from the vault.

Playbook code: the values are printed using the debug module.

While deploying the playbook, the error below appears:

ERROR! variable files must contain either a dictionary of variables, or a list of dictionaries. Got: user_password:password database_password:password ( <class 'ansible.parsing.yaml.objects.AnsibleUnicode'>)

Dictionary file

Ansible vault variables

To resolve the issue, just leave a blank space between the dictionary key and its value.

Deploy your playbook again and the result will be successful.
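As an added example (not part of the original post), here is a small Python pre-check you can run over a vars file before encrypting it with ansible-vault; it flags exactly the "key:value" slip that produced the error above. The two sample files are constructed from the keys in the error message, and the check is a line-based heuristic rather than a full YAML parser.

```python
import re

# Constructed vars files: the form that produced the error above, and the fixed form.
BROKEN_VARS = """\
user_password:password
database_password:password
"""
FIXED_VARS = """\
user_password: password
database_password: password
"""

# A mapping entry is 'key:' followed by a space or end of line; 'key:value' is not.
MAPPING_RE = re.compile(r"^[A-Za-z_][\w.-]*:(\s|$)")
NO_SPACE_RE = re.compile(r"^[A-Za-z_][\w.-]*:\S")

def find_missing_space_after_colon(text):
    """Return (line_no, line) for lines written as 'key:value' without the space.
    YAML reads each such line as a plain scalar, and consecutive plain scalars fold
    into one string, which is why the error reports a single AnsibleUnicode value
    holding both keys instead of a dictionary."""
    problems = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue                      # comments, list items and the --- marker
        if MAPPING_RE.match(stripped):
            continue
        if NO_SPACE_RE.match(stripped):
            problems.append((no, stripped))
    return problems

def loads_as_dictionary(text):
    """True when the vars file has at least one mapping entry and no 'key:value' slip,
    i.e. it would load as the dictionary Ansible requires from a vars or vault file."""
    has_mapping = any(MAPPING_RE.match(l.strip()) for l in text.splitlines())
    return has_mapping and not find_missing_space_after_colon(text)
```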