  • Linux

    Linux security hardening recommendations

    In a previous blog post, I wrote how to secure OpenSSH against brute force attacks. However, what if someone manages to get a shell on your system, despite all your efforts? Do you want to protect your system from your users doing nasty things? It is important to harden your system further according to the principle of defense in depth. Software updates: Make sure you are running a supported distribution, and by preference the most recent version. For example, Debian Jessie is still supported, however upgrading to Debian Stretch is strongly recommended, because it offers various security improvements (more recent kernel with new security hardening, PHP 7 with…

  • Linux

    Securing OpenSSH

    Security hardening the OpenSSH server is one of the first things that should be done on any newly installed system. Brute force attacks on the SSH daemon are very common and unfortunately I see it going wrong all too often. That’s why I think it’s useful to give a recapitulation here with some best practices, even though this should be basic knowledge for any system administrator. Firewall: The first thing to think about: should the SSH server be accessible from the whole world, or can we limit it to certain IP addresses or subnets? This is the simplest and most effective form of protection: if your SSH daemon is…

  • Linux,  Work

    Enabling jumbo frames on your network

    Jumbo frames are Ethernet frames with up to 9000 bytes of payload, in contrast to normal frames which have up to 1500 bytes of payload. They are useful on fast (Gigabit Ethernet and faster) networks, because they reduce the overhead. Not only will it result in a higher throughput, it will also reduce CPU usage. To use jumbo frames, your whole network needs to support it. That means that your switch needs to support jumbo frames (it might need to be enabled by hand), and also all connected hosts need to support jumbo frames. Jumbo frames should also only be used on reliable networks, as the higher payload will make…

  • Linux,  Work

    FS-CACHE for NFS clients

    FS-CACHE is a system which caches files from remote network mounts on the local disk. It is a facility that is very easy to set up to improve performance on NFS clients. I strongly recommend a recent kernel if you want to use FS-CACHE though. I tried this with the 4.9 based Debian Stretch kernel a year ago, and this resulted in a kernel oops from time to time, so I had to disable it again. I’m currently using it again with a 4.19 based kernel, and I did not encounter any stability issues up to now. First of all, you will need a dedicated file system where you will store the…

  • Linux,  Work

    Debian Stretch on AMD EPYC (ZEN) with an NVIDIA GPU for HPC

    Recently at work we bought a new Dell PowerEdge R7425 server for our HPC cluster. These are some of the specifications: 2 AMD EPYC 7351 16-Core Processors, 128 GB RAM (16 DIMMs of 8 GB), Tesla V100 GPU. Our FAI configuration automatically installed Debian stretch on it without any problem. All hardware was recognized and working. The installation of the basic operating system took less than 20 minutes. FAI also sets up Puppet on the machine. After booting the system, Puppet continues setting up the system: installing all needed software, setting up the Slurm daemon (part of the job scheduler), mounting the NFS4 shared directories, etc. Everything together, the system…

  • Linux

    Going back to my roots: testing Mageia 4 beta

    Many years ago I used to be a Mandriva user and contributor, mostly active in packaging software. I stopped my contributions because I had the feeling the distribution was having more and more trouble keeping up with all new evolutions in the GNU/Linux free software world and was losing ground to other, more innovative distributions. Finally I settled for Debian myself. Even though it is not always the most innovative distribution itself, I liked its open, independent, community-based nature. Now after all this time, I was curious to see how my former favourite distribution had evolved. Mandriva was forked by former Mandriva employees and contributors, and so Mageia was…

  • Linux,  Uncategorized

    Living in a surveillance state

    Because of time constraints it has been a long time since I wrote something here. However, this is something I want to share with as many people as possible now: Mikko Hypponen’s talk titled “Living in a surveillance state”, last week at TEDxBrussels. If you think that you don’t have to fear the spying by the NSA, GCHQ and other state services because you have nothing to hide, or you are wondering what we can do against it, then you should definitely watch this. “Open source” is the key answer to the latter question, by the way. These are 20 very well spent minutes of your time.

  • Linux,  Work

    Leap second causing ksoftirqd and java to use lots of cpu time

    Today there was a leap second at 23:59:60 UTC. On one of my systems, this caused a high CPU load starting from around 02h00 GMT+2 (which corresponds with the time of the leap second). ksoftirqd and some java (glassfish) process were using lots of CPU time. This system was running Debian Squeeze with kernel 2.6.32-45. The problem is very easy to fix: just run # date -s "`date`" and everything will be fine again. I found this solution on the Linux Kernel Mailing List: http://marc.info/?l=linux-kernel&m=134113389621450&w=2. Apparently a similar problem can happen with Firefox, Thunderbird, Chrome/Chromium, Java, Mysql, Virtualbox and probably other processes. I was a bit surprised that this problem…

  • Linux

    Multi-monitor support with Randr 1.3 and NVidia’s proprietary driver

    I just got a second monitor at home and wanted to configure the two monitors with my NVidia graphics card. You can set up TwinView in the Nvidia Settings application, however I did not like that solution: the next time I restarted X, all the settings were lost and the second monitor powered off. Also GNOME did not seem to behave correctly when the monitors went on standby and I unlocked the desktop. The desktop appeared to be shifted over the monitors. The latter might be a bug of gnome-settings-daemon 3.2 and not Nvidia’s, however. However, since the NVidia proprietary driver version 330 beta series, it finally supports Randr…

  • Linux

    Creating your own GNOME session based on cairo-dock and Compiz

    Personally I absolutely do not like the gnome-shell in GNOME 3. I actually even hate it: it is slow, messy and cumbersome to use, and I have the feeling that developers are not listening to criticism. Obvious and trivial design bugs which are well known are totally ignored (bug 662738 is an example). For that reason, I went looking for an alternative desktop. KDE is way too bloated for a netbook with 1 GB of RAM, while XFCE is not as polished as a traditional GNOME 2.32 desktop. The best alternative I could find right now was to just replace the GNOME Shell by a custom panel or dock…