Linux SSH login – a good starting point

The steps below were included in a later article I wrote, regarding new Linux server installations, here, which includes much more information from that angle. The information below is still valid, useful, educational information which should be read if intending to start the process of hardening a Linux server. I apologize for the sloppiness of this, but I see no reason to copy and paste the same information into this article when it flows very naturally in the new article. You will thank yourself for reading both articles, however!

My environment:
Ubuntu Server 18.04 hosted in a datacenter, with a public IP used for administration and public use.
Windows client computer with SSH terminal program. (I highly suggest WinSSHTerm v2 for higher level usage)

The goal:
To run a server with SSH key login only.
To use password authentication for privilege escalation only.
To prevent unauthorized access, login and escalation, through various methods.

The server software:
OpenSSH (sshd – ssh daemon service)
fail2ban (intrusion prevention service)
Linux PAM (Pluggable Authentication Module)
UFW (Uncomplicated FireWall, in lieu of IPTables)

Additional software used for demonstration purposes:
MariaDB (A fork of MySQL, with some enhancements)
HAProxy (a layer 4 and 7 routing service: HTTP(S) and TCP-only proxy)
Hiawatha (HTTP daemon akin to Apache, with simpler configs, and a security focus)

The method:
Using the above software services, the GNU/Linux installation will be secured against intrusion by unauthorized and unauthenticated users (and user-like software). This process will include allowing TCP port 22 incoming access and denying incoming access to all other ports (opening 22, closing everything else), until such time as additional ports are needed for access into the machine. All outbound connections will be allowed in this tutorial. Once UFW is enabled, external clients may connect only to port 22/TCP. Since OpenSSH will listen on port 22, SSH is the only service that can be reached on the server. The next step will be to allow SSH key logins, ensure this is working correctly, and then disable password authentication on SSH. After getting the server to a point where only SSH with a key pair can connect to the server, fail2ban and PAM will be utilized to help mitigate brute-force attacks on login and privilege escalation (i.e. sudo and su usage).

The end result:
We’ll be using 5 pieces of software (Linux, SSH, fail2ban, PAM and UFW) as a starting point to secure a Linux server installation. These instructions are based around Ubuntu 18.04 LTS, but may be applicable to other distros and versions. 18.04 is a systemd based system, and some differences will occur for older, non-systemd installations. Before a Linux server can be of any use, it must be accessible. This can be through a local console (keyboard & monitor), through a remote console (such as many hosting companies provide for direct access, or one set up using a serial cable and a terminal, often a laptop connected to the server), or by remote terminal access via SSH (at this time, I do not know any other ways to access the main console or terminals of a Linux host). For this tutorial, we will assume SSH access will be used, even if console access is also used.

Users (potentially just the server admin, you, the reader perhaps) will gain access to the server with an SSH compatible client. This client will connect to TCP port 22 (possibly changed; this is covered later in this article). The server will go through various methods of authenticating the connection, the supplied account, and the credentials (SSH key). Upon successful connection and authentication, the user will have access to the server. If the user is granted sudoers privileges, the user can then use ‘su’ and ‘sudo’ to gain escalated (root) privileges. If, however, authentication fails, the user’s connection will be terminated. Multiple failures will result in the offender being banned from connecting at all: the offender is added to a fail2ban jail with a configurable ban time (or a permanent ban, but this is dangerous: if the admin somehow fails to log in properly multiple times, the admin will have to gain direct console access to resolve the issue).

There will be a condensed guide at the bottom with the basic information needed, as a refresher for admins who understand the software and steps needed but lack the confidence to achieve this basic setup blindly from memory.

A synopsis of the steps needed:
Step 1 – Install and setup the Linux server, and accounts. This is the only time the root user account will be used to gain access to the system.

Step 2 – Install and set up UFW. This will include choosing to use the default SSH port, or modifying it. Changing the SSH port is “security by obscurity”, which can help mitigate SSH probing attempts by making your server less interesting to hackers. Using the default port is still highly suggested, and though probes may find the port to be open, it will be very difficult for hackers to gain access. (Warning: these methods do not cover software exploits which may exist in the SSH daemon, Linux, or any other software being used. This covers conventional brute-force and guessing-game type attacks only.)

Step 3 – Secure the SSHd to use SSH keys, and to then disable password login. Passwords will still be used by the system for authenticated users to gain su/sudo access.

Step 4 – Use PAM to mitigate authenticated user brute-force and guessing-game password escalation attempts, and to assist with SSH key login.

Step 5 – Ensure fail2ban is set up to ban malicious connections, and mitigate attacks on connection and escalation.

Step 6 – Use some commonly used, user-accessible software services to demonstrate how to allow access to these services, including unauthenticated public access (HAProxy and Hiawatha) and secure, private access (MariaDB). These demonstrations will provide a basis for understanding how to grant access to nearly any hosted service in a secure manner.

These 6 steps will give a baseline level of security, and should not be counted on for 100% of a system’s security. There are many additional methods which can be utilized to harden a server system: additional software, replacement software, hardware firewalls, VPNs (software and hardware). The extensiveness of advanced security and hardening is beyond the scope of this guide, but should be understood and researched as needed. I, the author, do NOT make any guarantee to any end, and CANNOT be held accountable for security failure of any system which is set up using this guide. Again, this is a baseline guide, and the admin must ensure that ALL security needs are met, including ensuring that every security measure needed is in use and properly functioning, and that the latest available software is used. With that said, this guide can provide a good starting point for admins to secure their servers.

(At this time, I am publishing this page, with it incomplete and lacking any actual instructions. The information here is enough for a smart person to do some research and be able to begin the process, if not complete it. This tutorial will be updated at a later time to include instructional steps for installing, setting up and utilizing the software mentioned thus far. There may also be additions to what is currently published)
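Since the post stops short of the actual commands, here is an added example (my own, not the author’s) that turns Steps 2 through 5 into a script: functions that emit the UFW commands, the sshd directives, the fail2ban jail and the PAM lockout line, plus a checker that verifies an sshd_config file actually carries the hardening. It assumes SSH stays on port 22, Ubuntu 18.04 default file paths, and pam_tally2 for the lockout; nothing is applied unless you run it as root with the argument "apply".

```shell
#!/bin/sh
# Added example, not code from the original post: the six steps above as shell
# functions that emit the configuration, plus a checker for an sshd_config file.
# Nothing is applied unless the script is run as root with the single argument
# "apply", and that should only happen after SSH key login has been confirmed
# to work (Step 3), or you lock yourself out.
# Assumptions: SSH stays on port 22, file paths are Ubuntu 18.04 defaults, and
# pam_tally2 (in libpam-modules on 18.04) provides the PAM lockout of Step 4.
set -u

SSH_PORT="${SSH_PORT:-22}"   # Step 2: change here if you choose a non-default port

# Step 2: default-deny inbound, allow all outbound, open only the SSH port.
ufw_commands() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow ${SSH_PORT}/tcp
ufw --force enable
EOF
}

# Step 3: sshd directives -- keys only, no password login, no direct root login.
sshd_hardening() {
    cat <<EOF
Port ${SSH_PORT}
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
MaxAuthTries 3
EOF
}

# Step 4: line for /etc/pam.d/common-auth, placed above pam_unix.so: lock the
# account for 15 minutes after 5 failed su/sudo password attempts. Pair it with
# "account required pam_tally2.so" in common-account so the counter resets.
pam_lockout_line() {
    echo "auth required pam_tally2.so deny=5 unlock_time=900 onerr=fail"
}

# Step 5: fail2ban jail for sshd (constructed values; tune for your site).
fail2ban_jail() {
    cat <<EOF
[sshd]
enabled = true
port = ${SSH_PORT}
maxretry = 5
findtime = 600
bantime = 3600
EOF
}

# Check an sshd_config file ($1) for every directive sshd_hardening emits.
# A commented-out line does not count. Returns 0 if all match, 1 otherwise.
check_sshd_config() {
    sshd_hardening | while read -r key value; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]+${value}([[:space:]]|$)" "$1"; then
            echo "missing or wrong: ${key} ${value}" >&2
            exit 1   # leaves the pipeline's subshell, so the function returns 1
        fi
    done
}

apply_all() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    ufw_commands | sh -e
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    # sshd uses the first occurrence of a directive, so drop active copies of
    # each key before appending ours (commented lines are left alone).
    for key in $(sshd_hardening | cut -d' ' -f1); do
        sed -i "/^[[:space:]]*${key}[[:space:]]/d" /etc/ssh/sshd_config
    done
    sshd_hardening >> /etc/ssh/sshd_config
    sshd -t || { cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config; return 1; }
    systemctl restart ssh
    fail2ban_jail > /etc/fail2ban/jail.local
    systemctl restart fail2ban
    echo "Now add this line to /etc/pam.d/common-auth above pam_unix.so:"
    pam_lockout_line
}

if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Run `check_sshd_config /etc/ssh/sshd_config` from a second, still-open session before you close the one you used to apply the change.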

Simple batch file clock

A very simple batch file clock to run in a command prompt or powershell window.
This was initially written to watch for OS freezes for Wolf68k when he was streaming. The concept is simple: show an ever-changing display which will cease updating during system freezes. I’ll go over the lines one at a time below.

|@echo off
|title JDenslinger's local system Time
|color 0a
|cls
|:CLOCK
| | cls
| | echo %time%
| | ping localhost -n 1 >nul
| goto CLOCK

WordPress seems to want to delete all my extra space. I hate it. So, here, in the code section, there is a pipe | preceding the lines. Remove the pipes if you use this code, otherwise it will not function properly or at all!

@echo off
– This stops the system from showing any of the commands, so that only the time is output
title JDenslinger’s local system Time
– two parts here, to form the titlebar display:
— title – the command to set the titlebar text
— JDenslinger’s local system time – the words to be displayed
color 0a
– the background (0) and text (a) colors, black and lime, respectively
cls
– clears the screen, ensuring that the display is only a single line
:CLOCK
– basic function pointer (a label), which can be jumped to later in the script
cls
– this clears the previous time, allowing the new time to be displayed
echo %time%
– echo (output to the display) the current time (%time% is a system variable)
ping localhost -n 1 >nul
– poor man’s timer; the output is discarded to the nul device. On very slow systems, this can take closer to a second or longer.
goto CLOCK
– This directs the script to go back to our label, creating an infinite loop.

This script can be stopped with ctrl-c or by closing the window.

Icecast music streaming…

This is an old guide I wrote back in 2014. It may still be applicable, or it may be completely useless now. But at least it shows the steps I took years ago to set up a streaming station.

Poor man’s basic Icecast source setup instructions
Everything needed to set up a basic streaming system without the mess.

This tutorial assumes you’ve successfully set up icecast2 for this.
This tutorial also assumes you’ve got audio files to use to stream to icecast2.
You will also need a method separate from your source computer to tune in to the
stream – another computer or a friend with a PC you can be in communication with.

We will be using several programs to achieve this. These are:
VB-Cable from
edcast reborn from
LAME MP3 from
VLC from

First, you will need to download and install several pieces of software.
We will do this before continuing to configuration. Please follow the directions
as given as not doing so may cause errors in setup or configuration which cannot
easily be traced with issue diagnosing.

Go to:
download VB-Cable Driver (center column)
unzip to a folder on your desktop and open the folder
right click on VBCable_setup and choose “Run as Administrator”
**Note: If using Windows 64bit, instead use VBCable_Setup_x64**
Click install on the screen that opens (if nothing, use other setup file)
allow the software to be trusted (check the box) and install
Verify this was installed by:
open Sound control panel
verify “CABLE Input” exists on “Playback” tab
verify “CABLE Output” exists on “Recording” tab
close Sound control panel

Go to:
download edcast_standalone_3.37~~
Open Edcast Standalone Setup
click “Next>”
click “I Agree” (after reading and understanding the licensing and terms)
click “Next>”
click “Install” (yes, use the default path)
Verify edcast is installed:
open the icon on the desktop for EdcastStandalone
Verify edcast opens, providing a window with several controls
close edcast

Go to:
Download LAME 3.99.5 with a size of 636kB (top download)
(DO NOT download the 64bit version)
open your edcast installation directory (C:\Program Files (x64)\edcast)
open the archive
copy lame_enc.dll from the zip to ~\edcast (it will be in with ogg.dll, vorbis.dll)
close the zip archive
close the edcast install directory
Verify LAME is installed:
open edcast (shortcut on desktop)
click “Add Encoder” button
See that a new entry was added under “Encoder Settings” and it is the only one
right click the new Encoder Setting selection, choose “Configure”
click the “Encoder Type” drop down, choose “MP3 Lame”
(it will not allow you to select it if it’s not installed properly)
click “OK” button
close edcast

Go to:
download VLC (big blue “Download VLC” button)
open VLC install
follow instructions on screen to install
use “Recommended” install type (just press next on “Choose Components” screen)
Verify VLC is installed:
open VLC (shortcut on desktop)
play any media file with audio to make sure VLC is working
close VLC

Now, go get some coffee, mt dew, take a bathroom break or just stretch.
You now have all the base software installed on your computer.
When you get back, it will be time to put all these bits together and stream!

OK Good! You’re back. At this point it would be ideal to have either another
computer, or a friend you can communicate with to help with testing. Their part
will be minimal, they just have to connect to your icecast server and listen.

Now, it’s time to configure VLC and edcast to work in tandem via VB-Cable.
VB-Cable shouldn’t need to be configured, but we will touch its options.

Open VLC (shortcut on the desktop)
open VLC’s Preferences (ctrl-p)
under “Show settings” click “All”
Go to Audio > Output modules
for “Audio output module” select “DirectX audio output”
go to Audio > Output modules > DirectX (You will have to expand the list to see it)
for “Output device” select “CABLE Input (VB-Audio Virtual Cable)
uncheck “Use float32 output”
for “Speaker configuration” select “stereo”
click “Save” button
Close VLC
re-open VLC (This is required to set the audio output properly)

set VLC aside for a bit, but leave it open.

Open edcast (desktop shortcut)
under “Live Recording” select “CABLE Output…”
right click on the MP3: selection under Encoder Settings, choose “configure”
Basic Settings tab:
change “Server IP” to the *IP* address of your server
change “Server Port” if you chose something other than 8000 in icecast2 setup
change “Encoder Password” to the password you used when setting up icecast2
YP Settings tab:
uncheck “Public Server” (This disables your server from being in icecast directories)
change “Stream Name” to your website/domain/station name
change “Stream Description”
change “Stream URL” to your website or icecast2 url
Advanced Settings tab:
(nothing to change, but look anyways for familiarity)
click “OK” button
click “Edit” to the right of “Metadata”
put your station name and your dj handle in the “Metadata” field
click “OK” button

Now it’s time to get your client computer or friend to tune into the stream
Be advised the audio may be very loud, so the volume on the client should be down

go to VLC
load up the playlist with files, enough for 20 minutes, or hit repeat
press play, ensure you cannot hear audio from it from your speakers
turn the volume all the way up to ensure audio quality to edcast and beyond

go to edcast
click the large black bar towards the top, it should start showing two
green and yellow bars bouncing left and right
press “Connect” button and let your friend know to tune in

You should now have a live stream going from VLC to edcast to icecast2 to your friend.

There are additional features of edcast that can be set or configured, such as the
Metadata being able to pull the song title from VLC’s window (this did not work for me).
Take note of what you change in case it breaks something and you need to revert it.

Play with the settings so you know what everything does, and remember it’s better to
have the audio player’s volume very high and use edcast to limit it so as to keep the
audio quality higher.

This document is licensed under the Creative Commons Attribution-ShareAlike (BY-SA) license.

Spreadsheets, Minecraft and OCD organization…

Let me start out with HOLY CRAP TWO POSTS IN ONE DAY!? AFTER 9 MONTHS OF NO POSTS!? WOAH!! Am I crazy? Probably! Maybe not enough though…

So I found that I really enjoy using Google Docs spreadsheets. Well, I’d say use, but I think “abuse” is more the correct adjective here. Did you know that you can get 188000 rows, if you have only 13 columns? Well, it’s an odd limitation, but I found it! A workbook in Google Docs Spreadsheets can have only 5 million cells. That’s all sheets in a spreadsheet, not per-spreadsheet. It makes sense, memory resource limitations and all.

I’ve taken to using a spreadsheet for organizing all of the permissions for a small Minecraft network. When I say small, I mean 9 servers, 26 worlds, 10 “tracks” (groups of permission groups), 75 positions (permission groups), with an unknown amount of permission nodes for 98 plugins. The way I have my spreadsheet set up is to use a row as a section header for the next set of columns. (If that doesn’t sound confusing, let me explain.)

The first row is, of course, my sheet header with each column labeled – because “A” “B” etc are not good names for data organization. I have this row frozen, so it’s always at the top. I also have the first and second columns frozen, so they will always be shown on the left side of the screen. These columns are Track and Group. I then have Columns “C”, “D” and “E” grouped under Group. These columns are “Prefix” “Username” and “Suffix” This was important so I can hide these columns now that I’ve completed that part of my job, without starting a new sheet, or removing them. Duration and Titles, “G” and “H” are grouped under Info, column “F”. Again, so the Duration and Titles columns can be hidden under Info. Columns “I” and “J” are “Server context” and “World context”, with World being grouped under Server, again to hide it. The next three columns, “K”, “L” and “M” are Plugin, Permissions and Negated Permissions. Yes, “L” and “M” are grouped under “K”. When I say grouped, this is a function in Spreadsheets which allows the grouped rows or columns to be folded or collapsed into the parent row/column. So with everything collapsed, I see columns “A”, “B”, “F”, “I” and “K” – and I can expand the section I need to focus on.

I’ve done this with rows as well. The first data row is the name of my first track, and as such A2 is filled in with that name, “Admin” (A1 being the label for the column in my header row, “Track”). For organizational purposes, I’ve left B2 empty, and went to B3 for my first “Group” entry. This allows me to collapse B3 under A2, without showing the first group, as would happen if I had used B2. This also allows me to free up the rest of the row for track-specific data, such as Suffix, info, etc. I’ve done the same for the rows which contain an entry in the Group column, again so I can have group-specific data stored in that row. Moving to Column “I” or “Server context”, I have again stepped the first entry in this column to the next row down. So, I4 is my first entry for Server contexts, and “J5” is my first entry for World contexts, as a “world” is a subset of a “server”. I’ve continued this mostly-empty row organization with column “K”, with each row having a plugin name. My first plugin is in cell K6. The next two columns will contain all of the permissions for that plugin in the same row, however: L6 (first plugin’s permissions) and M6 (first plugin’s negated permissions). Row 7 will have my second plugin, permissions and negations, so on and so forth until I run out of plugins.

I have a nice nested effect going on with my rows, with the column to the left being the “header” for the cells to down and to the right. And when I collapse all of my rows, I see a nice list of all of my tracks. Then I can expand which track I want, and see the Groups within it. And expand the Group for which I want to modify or retrieve data from. At this point, I’m working towards well over 120000 rows, with 12 columns (The username column is only a placeholder, and is going to be removed) And so I’ll be looking at 1.4 million cells, with the vast majority of them empty, and not even visible at any given time.

But why so many rows, columns and thus cells? So, each plugin has its own permissions – some plugins give inherent permissions for all players, and some give inherent permissions only for those in the game server’s “Op” file. Minecraft uses its own very primitive permission system for built-in commands. It’s archaic, non-granular, has 4 levels and various permissions within each level, with each higher level inheriting the permissions from the lower. But here’s the kicker, and why it’s archaic – say I want someone to be able to kick a player, but not to build at spawn – well, with Minecraft’s Op system, that’s not possible, because building in spawn protected areas is a base level permission, and kicking is the next level up. So, enter, and back to, Minecraft Permission Management Systems. I’m transitioning from PermissionsEx to LuckPerms. Various reasons, mostly due to LuckPerms having an active development team, and some functional technical reasons as well. I’m also taking the opportunity to build out readable documentation that my staff can access to assist with entering all of the permissions into LuckPerms, and for future reference for myself.

I seemed to have digressed a bit with that, so back to the question of why so many. First off, I have an unknown number of permissions. But let’s say the average plugin has 15 permissions (so have none, and some have much much more, so 15 is pulled out of thin air). Now, I have about 100 plugins. That alone means there’s 1500 permissions. Now, one plugin in specific has roughly 1500 permissions by itself. So, let’s say we have a total of 3000 permissions. Now, you may ask “OK, but that’s only 100 rows, as permissions for each plugin are grouped into the same row?” It’s not that simple. There is the potential for each world context (a world context is the number of worlds + the global server context, so n+1) having at least one entry for each plugin. There are a total of 26 world contexts, and several servers are only using a single context (global), so there’s the potential for even more. So we’re at 2600 unique potential permission rows. World context * plugin count. (I’m at 96 confirmed plugins, but may be adding a few more, so we’ll round off to 100 for this exercise) Now here’s the kicker: That’s per position. I have 75 permission groups (positions) So, 2600*75 is 195000 potential permission rows. Now, not all plugins will be installed on all servers, not all plugin permissions will be applied to every position (given or negated), not all plugins even have permissions, and there are some tricks to compounding permissions using * and built-in super-permissions (a permission which gives all the same functions as multiple other permissions) So it’s a LOT of permissions, data and work.

As someone who is very visually and organizationally oriented, this helps to fully detail out the entire scope of the permissions on the network of servers. For me, at least. Ideally, this will also give my staff the ability to read the permissions per world, per server, per group and thus be able to enter the permissions into the new system for me. AND we’ll have system-agnostic documentation that can be referred to and altered as needed in the future. It sounds extremely convoluted and anything but easy. And it has been an absolute pain in the sphincter to set up. However, its use should be pretty simple, provided those who use it can understand multi-dimensional data storage (spreadsheets with collapsible rows and columns). At its visually smallest, there will be only 11 rows and 5 columns: 55 cells, with 44 of them being empty. This is how each person should initially view this document. Each row and column can then be expanded and collapsed as needed to navigate to the particular section and sub-section to modify or read.

In some respects, this is still easier than Windows Server 2003’s Active Directory. In others, I’ve completely rebuilt the entire framework of a Permissions Management System in a spreadsheet. For years, I’ve hoped someone would create an AD or OpenLDAP Minecraft plugin, but I feel the time for such an adventurous project has come and gone. Microsoft may be doing wonderful things with Minecraft still, but if we’re not already in it, Minecraft’s sunset period will be upon us within a few years. With the release of the right game, it could be even sooner. But what the developers behind LuckPerms have done is absolutely amazing and I hope they have written it in a way that LuckPerms can become game-agnostic and useful for other ventures in the future. It is already available for Minecraft Java Edition (Bukkit, Spigot and Paper); Minecraft Bedrock (for consoles/Win10) through NukkitX, a Bedrock server written in Java; Minecraft Forge servers (also for Minecraft Java Edition, but a different API) and I think another Minecraft server or two as well. But these things have two things very much in common: the base Minecraft game & Java.

At the top of this post, there’s a screenshot of the framework, with some sections collapsed, and some visible. For reference to this article only.

Linux, Java, Git and Maven…

Here, I will explain how to *simply* get a Java project with Maven compile instructions (pom.xml) on Github to your system, and compile it using Maven. This requires a few things. We’ll use Potato. You can fork this project with your own Github account, and then you can say that you’ve “Forked a Potato” (seriously, it’s just a fun project with limited to no practical use). We’ll be using Potato as our reference example project. It is Java, with Maven, on Github and will compile under Linux.

First, let me state that I use Ubuntu GNU/Linux distros. Life is too short to worry about getting everything installed “the hard way” – Ubuntu’s apt-get is, in my humble opinion, the simplest way to do routine software installs. I’ve built Slackware Linux, ran through Fedora Core, messed with Gentoo and Suse, and various other distros, including Debian (Ubuntu’s papa distro). For everything I’ve ever needed, Ubuntu has provided it much more simply than other distros. That may not be the case for everyone, however. So with that all said, I’ll be talking about “Linux” pertaining to Ubuntu GNU/Linux specifically. These instructions may be translatable to other Linux distros, to UNIX distros (FreeBSD, MacOS, etc) or even to Windows with varying degrees of success. I won’t discuss these here though.

The first step, of course, is to procure a suitable environment and install your OS. We’ll assume this is done. If it’s not, you’ll want to do that, after reading the rest of this. You’ll find specific instructions for your environment online, and so I won’t waste time here detailing that.

Next, you’ll need to install Java. This is a considerably more difficult process on any Linux distro if you want Oracle Java (as opposed to OpenJDK); OpenJDK, on the other hand, is as simple as
> sudo apt-get install default-jdk
I prefer to use Oracle JDK, however that’s a personal preference. You can find installation instructions if you were to search for “Oracle Java Ubuntu webupd8” – there’s plenty of info on that and it does not need to be duplicated here.

Once you have Java installed, you’ll want to get a Git client and Maven. Again, there are installation instructions online for each of these. I suggest Gitlab’s instructions, but DigitalOcean has some nice write-ups as well.

At this point, we’ll assume you can do these things:
log in to your Linux user account, and perform commands with sudo. I highly suggest NOT using the root user!
– Test your network connection:
> ping
– Test your Java installation:
> java -version
– Test git client:
> git --version
– Test Maven installation:
> mvn --version

Assuming this all went to plan, you should now create your work environment. I suggest making a ‘dev’ directory under your /home/username, with a git directory under that. OCD organization!
> cd ~ && mkdir dev && cd dev && mkdir git && cd git && pwd
Provided this worked, you should see something akin to the following, with “yourusername” replaced by your own account name:
/home/yourusername/dev/git

Now all the setup is done, let’s clone us some code!
> git clone
> cd Potato && ls
The first command here will reach out to Github and fetch a copy of Potato from and create a new directory under git/ called “Potato”. The git client will always create a new directory in your cwd with the project name as the new directory name. The second command simply puts us into that directory and lists its contents. Verify that the contents on your system match those of the repository you cloned from. If they match, congrats! You’ve cloned a Java Maven Git project!

Let’s build this project. This is what I *LOVE* about Maven, how simple it is! You’ll be addicted and wanting to compile github projects every day! (Ok, maybe I alone got a bit overly enthusiastic about Maven when I first got it working!)
> mvn clean install
That’s it! That’s all you needed to do! Of course, you *have* to be in the directory with the project’s files for this to work, and the project *has* to have a ‘pom.xml’ file. Of course, the project also has to be fully written, not broken, and compatible with your version of Java and potentially your OS (Very old OSes may not have some functions that newer Java projects require, but then your Java version would be subject to these and you’d never get a new enough Java installed to even build with much less run the project with)

Oh! You actually want to run the project? I guess I can tell you where the compiled jar is.
You should still be in /home/yourusername/dev/git/Potato – so do
> pwd
and confirm you are. If you’re not, then something went awfully awry and you should figure that out. Let’s assume there are no problems though. Now do
> ls
You should now see a “target” directory. Again, assuming all things went well, do
> cd target && ls
And you’ll see “classes” and “Potato.jar” So let’s run Potato!
> java -jar Potato.jar
You should be greeted with a friendly, if passive-aggressive, yet humorous message from your new Potato.

If *anything* went wrong, I suggest starting from the top of the first checklist, pinging Google. If you still can’t get it going, you may need to do some more research.

Here’s the TL;DR for those who just need a reminding of how easy (so easy, it’s forgettable) Java/Maven/Git is:

Get project url:
Enter your working environment:
> cd ~/dev/git
Clone project to local system:
> git clone
Build with Maven:
> mvn clean install
Test the built jar:
> java -jar Potato/target/Potato.jar
Rejoice at the deliciously prepared Potato!

To update the local project files:
> cd ~/dev/git/Potato
> git pull
The git pull command has to be done from within the project’s local directory, otherwise it wouldn’t know which project to update.
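As an added example (mine, not from the post or the Potato project), the checklist, clone, pull, build and run steps above as one script, with two things worth adding when you build other people’s code: an optional pinned commit, so a rebuild uses exactly the revision you looked at, and a SHA-256 of the jar printed before it is run. The repository URL and commit id are placeholders you supply; the jar is assumed to land under target/ as the post describes.

```shell
#!/bin/sh
# Added example, not part of the original post: the clone/build/run steps as one
# script. Assumptions: REPO_URL points at your Potato fork (placeholder below),
# PIN_COMMIT is a commit id you have reviewed (empty = just use the branch tip),
# git/java/mvn are on PATH, and Maven writes the jar under target/.
set -u

REPO_URL="${REPO_URL:-https://github.com/EXAMPLE-OWNER/Potato.git}"  # placeholder
PIN_COMMIT="${PIN_COMMIT:-}"
WORKDIR="${WORKDIR:-${HOME:-.}/dev/git}"

# Is a tool available? Same idea as the java/git/mvn --version checks.
require_tool() {
    command -v "$1" >/dev/null 2>&1
}

check_tools() {
    for t in git java mvn; do
        require_tool "$t" || { echo "missing: $t" >&2; return 1; }
    done
}

# Clone into $WORKDIR/<name>, or pull if it is already there (the TL;DR's git pull),
# then check out the pinned commit if one was given. Prints the project directory.
clone_or_update() {
    name=$(basename "$REPO_URL" .git)
    mkdir -p "$WORKDIR"
    if [ -d "$WORKDIR/$name/.git" ]; then
        git -C "$WORKDIR/$name" pull --ff-only
    else
        git clone "$REPO_URL" "$WORKDIR/$name"
    fi
    if [ -n "$PIN_COMMIT" ]; then
        git -C "$WORKDIR/$name" checkout --quiet "$PIN_COMMIT"
    fi
    echo "$WORKDIR/$name"
}

# Find the jar Maven produced under target/, skipping -sources and -javadoc jars.
# Prints the path and returns 0, or returns 1 if there is none.
built_jar() {
    for j in "$1"/target/*.jar; do
        [ -f "$j" ] || continue
        case "$j" in *-sources.jar|*-javadoc.jar) continue ;; esac
        echo "$j"
        return 0
    done
    return 1
}

build_and_run() {
    dir="$1"
    [ -f "$dir/pom.xml" ] || { echo "no pom.xml in $dir" >&2; return 1; }
    (cd "$dir" && mvn -q clean install) || return 1
    jar=$(built_jar "$dir") || { echo "no jar under target/" >&2; return 1; }
    sha256sum "$jar"      # record what you are about to run
    java -jar "$jar"
}

if [ "${1:-}" = "run" ]; then
    check_tools && dir=$(clone_or_update) && build_and_run "$dir"
fi
```

Invoke it as `sh build-potato.sh run`; without the argument it only defines the functions.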