Imagine this: you SSH into your server to launch a data backup that takes a couple of hours. Halfway through, your internet connection drops — and with it, the SSH session. When you reconnect, the process is gone. You have to start all over again, wasting time and resources.
By default, the terminal session and any running processes are tightly coupled to your SSH connection. Once it closes, the shell exits, and any foreground (and sometimes background) jobs are terminated unless special steps were taken.
This behavior is a real pain point for developers, system administrators, and anyone managing remote Linux systems. Fortunately, there are tools designed to help you keep processes alive independently of your SSH connection. Two popular approaches are:
disown: a shell command to disassociate a job from the current session.
tmux: a full-featured terminal multiplexer that lets you detach and reattach to entire sessions.
In the next sections, we’ll take a closer look at how these tools work — and why tmux is usually the better long-term solution.
Understanding disown: Minimalist Lifeline
The disown command is a built-in feature of many shells like bash and zsh. It’s a way to prevent background jobs from being terminated when you log out or your SSH session disconnects.
How it works:
Start a long-running command in the background:
some-command &
List the current jobs:
jobs
Use disown to remove the job from the shell’s job table:
disown %1
Once disowned, the process keeps running even after you disconnect.
Pros:
No need to install anything.
Simple and fast for occasional use.
Cons:
No way to reattach to the process’s output later.
Easy to forget to use disown before disconnecting.
No session management — if something breaks, you’re in the dark.
Enter tmux: Your Persistent Terminal Powerhouse
Pre-installed on some distros:
Minimal server-focused distros (e.g., Ubuntu Server, CentOS minimal, Debian netinst) usually do not include it by default.
While tmux isn’t always pre-installed, it’s just one command away on almost every Linux system — making it a no-brainer for anyone managing long-lived shell tasks
Start a new tmux session (name it e.g. rclone):
tmux new -s rclone
Detach from tmux (keep it running in background), press:
Ctrl-b d
Later: Resume the session (from any new/existing session!)
tmux attach -t rclone
Use-Case Comparison: disownvs tmux in Action
Scenario
disown
tmux
Start a long backup and disconnect safely
✅ Yes, if disown is used before logout.
✅ Yes, and you can reattach anytime.
Check logs or output later
❌ No way to view command output after disconnection.
✅ Full scrollback and live output available.
Run multiple commands in parallel
⚠️ Doable with background jobs, but hard to manage.
✅ Multiple panes, windows, and sessions.
Reconnect after an accidental disconnect
❌ Job might be lost if not disowned.
✅ Reattach seamlessly and resume work.
Interactive tools (editors, htop, etc.)
❌ Won’t survive logout or disconnection.
✅ Perfectly supported — keep your editor open!
Scriptable and automatable
❌ Very limited.
✅ Can be scripted, logged, and configured.
Learning curve
✅ Minimal.
⚠️ Slightly steeper, but worth it.
Verdict:
Use disown if you’re in a pinch and only need to run one quick command without sticking around. Use tmux if you care about reliability, multitasking, or seeing what your session was doing when you reconnect.
In today’s digital age, safeguarding your data is more crucial than ever. With the increasing reliance on cloud storage, it’s essential to have a robust backup strategy in place. This blog post will guide you through automating your cloud backups (like Onedrive in this example) using rclone and Duplicati on a Linux system (in my case Ubuntu 24.04.1 LTS).
Why rclone and Duplicati?
rclone: A versatile command-line tool (inspired by rsync) that supports various cloud storage providers, including OneDrive. It allows you to sync, copy, and mount cloud storage as if it were a local filesystem.
Duplicati: An open-source backup solution that offers incremental backups, encryption, and scheduling. It’s designed to work efficiently with cloud storage, making it an ideal choice for automated backups.
We’ll use rclone to mount your OneDrive folder as a local directory seamlessly. This setup allows Duplicati to perform smart incremental backups, ensuring your data is securely backed up without unnecessary duplication. In this guide, I’ll walk you through the steps to set up rclone and Duplicati, making sure your cloud storage is backed up efficiently and securely. Let’s get started!
Install rclone
This command downloads and runs the installation script for rclone, making it easy to install on most Unix-like systems, including Linux and macOS. For Windows, you can download the executable from the rclone website.
run apt install rclone
apt install rclone
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
rclone
0 upgraded, 1 newly installed, 0 to remove and 2 not upgraded.
Need to get 21.4 MB of archives.
After this operation, 65.9 MB of additional disk space will be used.
Get:1 http://packages.azlux.fr/debian bookworm/main arm64 rclone arm64 1.68.2 [21.4 MB]
Fetched 21.4 MB in 2s (10.2 MB/s)
Selecting previously unselected package rclone.
(Reading database ... 133411 files and directories currently installed.)
Preparing to unpack .../rclone_1.68.2_arm64.deb ...
Unpacking rclone (1.68.2) ...
Setting up rclone (1.68.2) ...
Processing triggers for man-db (2.12.0-4build2) ...
Install Duplicati
The install-process of Duplicati is already explained here.
Onedrive homework
By default, rclone uses a shared Client ID and Key when communicating with OneDrive, unless a custom client_id is specified in the configuration. This means that all rclone users share the same default Client ID for their requests. This is everything but not optimal, also throttling usually occurs.
Recommended step: Create unique Client ID for Onedrive personal
This section guides you through the steps to configure rclone to mount your OneDrive folder to use this mount point as the source for Duplicati backups.
run rclone config and answer the questions
Example output (Ubuntu 24.04)
rclone config
2024/12/17 11:06:25 NOTICE: Config file "/root/.config/rclone/rclone.conf" not found - using defaults
No remotes found, make a new one?
n) New remote
s) Set configuration password
q) Quit config
n/s/q> n
Enter name for new remote.
name> onedrive
Option Storage.
Type of storage to configure.
Choose a number from below, or type in your own value.
35 / Microsoft OneDrive
\ (onedrive)
Storage> 35
Option client_id.
OAuth Client Id.
Leave blank normally.
Enter a value. Press Enter to leave empty.
client_id>
Option client_id.
OAuth Client Id.
Leave blank normally.
Enter a value. Press Enter to leave empty.
client_id>
Option client_secret.
OAuth Client Secret.
Leave blank normally.
Enter a value. Press Enter to leave empty.
client_secret>
Option region.
Choose national cloud region for OneDrive.
Choose a number from below, or type in your own value of type string.
Press Enter for the default (global).
1 / Microsoft Cloud Global
\ (global)
2 / Microsoft Cloud for US Government
\ (us)
3 / Microsoft Cloud Germany
\ (de)
4 / Azure and Office 365 operated by Vnet Group in China
\ (cn)
region> 1
Edit advanced config?
y) Yes
n) No (default)
y/n>n
Use web browser to automatically authenticate rclone with remote?
* Say Y if the machine running rclone has a web browser you can use
* Say N if running rclone on a (remote) machine without web browser access
If not sure try Y. If Y failed, try N.
y) Yes (default)
n) No
y/n> n
Option config_token.
For this to work, you will need rclone available on a machine that has
a web browser available.
For more help and alternate methods see: https://rclone.org/remote_setup/
Execute the following on the machine with the web browser (same rclone
version recommended):
rclone authorize "onedrive"
Then paste the result.
Enter a value.
config_token>
for Use web browser to automatically authenticate rclone with remote?: Choose “Yes” if your host supports a GUI. In my case I have to answer this question with no and have to jump on an GUI-equipped host running the same clone-version to generate the needed one drive-token with the command: rclone authorize "onedrive"
{"access_token":"EwCIA8blablaadv!0","expiry":"202blabla.927609745Z"}
Option config_type.
Type of connection
Choose a number from below, or type in an existing value of type string.
Press Enter for the default (onedrive).
1 / OneDrive Personal or Business
\ (onedrive)
2 / Root Sharepoint site
\ (sharepoint)
/ Sharepoint site name or URL
3 | E.g. mysite or https://contoso.sharepoint.com/sites/mysite
\ (url)
4 / Search for a Sharepoint site
\ (search)
5 / Type in driveID (advanced)
\ (driveid)
6 / Type in SiteID (advanced)
\ (siteid)
/ Sharepoint server-relative path (advanced)
7 | E.g. /teams/hr
\ (path)
config_type> 1
vblabla+g0","expiry":"202blabla27609745Z"}
Option config_type.
Type of connection
Choose a number from below, or type in an existing value of type string.
Press Enter for the default (onedrive).
1 / OneDrive Personal or Business
\ (onedrive)
2 / Root Sharepoint site
\ (sharepoint)
/ Sharepoint site name or URL
3 | E.g. mysite or https://contoso.sharepoint.com/sites/mysite
\ (url)
4 / Search for a Sharepoint site
\ (search)
5 / Type in driveID (advanced)
\ (driveid)
6 / Type in SiteID (advanced)
\ (siteid)
/ Sharepoint server-relative path (advanced)
7 | E.g. /teams/hr
\ (path)
config_type> 1
Option config_driveid.
Select drive you want to use
Choose a number from below, or type in your own value of type string.
Press Enter for the default (7bla49295c6fb0).
1 / (personal)
\ (7blae49295c6fb0)
config_driveid>
Drive OK?
Found drive "root" of type "personal"
URL: https://onedrive.live.com/?cid=07bla49295c6fb0
y) Yes (default)
n) No
y/n>
Configuration complete.
Options:
- type: onedrive
- token: {"access_token":"EwCIblabla==","token_type":"Bearer","refresh_token":"K.Abla1.0.U.-CsblaFy55aAHgafDLr5t0","expiry":"202blabla609745Z"}
- drive_id: 79blabla95c6fb0
- drive_type: personal
Keep this "onedrive" remote?
y) Yes this is OK (default)
e) Edit this remote
d) Delete this remote
y/e/d>
Current remotes:
Name Type
==== ====
onedrive onedrive
Now we can mount the onedrive-storage-folder as a mount-point. In this example I use /mnt/onedrive as the mount-point (the folder /mnt/onedrive must be present prior executing the mount command):
rclone mount onedrive:/ /mnt/onedrive
Let’s create an rclone-service to mount the one drive-folder at startup:
┌──$(root㉿raspi24)-[/]
└─# systemctl status rclonemount
● rclonemount.service - rclonemount
Loaded: loaded (/etc/systemd/system/rclonemount.service; enabled; preset: enabled)
Active: active (running) since Tue 2024-12-17 16:33:29 CET; 1 week 5 days ago
Main PID: 1039 (rclone)
Tasks: 12 (limit: 8674)
Memory: 68.4M (peak: 131.5M)
CPU: 15min 9.054s
CGroup: /system.slice/rclonemount.service
└─1039 /usr/bin/rclone mount --config=/root/.config/rclone/rclone.conf --vfs-cache-mode writes onedrive: /mnt/onedrive
run rclonemount.service at startup:
systemctl enable rclonemount
┌──$(root㉿raspi24)-[/]
└─# systemctl enable rclonemount
Created symlink /etc/systemd/system/default.target.wants/rclonemount.service → /etc/systemd/system/rclonemount.service.
With Duplicati we can create now a new Backup-Job using the source directory /mnt/onedrive, or any specific subfolder like /mnt/onedrive/important_data.
Onedrive can now be backed up fully automatically with a smart backup solution 🙂
As we wrap up our journey with rclone, it’s clear that this powerful tool can significantly streamline your data management tasks. Whether you’re syncing files across multiple cloud services, automating backups, or simply exploring new ways to enhance your workflow, rclone offers a versatile and reliable solution.
Remember, the key to mastering rclone—or any tool—is practice and experimentation. Don’t hesitate to dive into the documentation, explore the various commands, and tailor rclone to fit your unique needs. The possibilities are vast, and the more you experiment, the more you’ll discover the true potential of this remarkable tool.
ssh-audit is a powerful tool designed to help you assess the security of your SSH servers (and clients!). It provides detailed information about the server’s configuration, supported algorithms, and potential vulnerabilities. In this guide, I’ll walk you through the steps to install ssh-audit and run your first security tests. Secure SSH configuration made easy.
Installation on Linux
Clone the Repository: Open your terminal and clone the ssh-audit repository from GitHub: git clone https://github.com/jtesta/ssh-audit.git
Navigate to the Directory: Change to the ssh-audit directory: cd ssh-audit
Install Dependencies: Ensure you have Python installed on your system. If not, install it using your package manager. For example, on Ubuntu: sudo apt-get install python3
Installation on macOS
To install ssh-audit , run: brew install ssh-audit (You have already Brew installed, right ?)
Please check the ssh-audit url for many other setup options (Docker,Windows,etc.)
Test the SSH-Server against vulnerabilities
execute ssh-audit <hostname> Replace <hostname> with the IP address or domain name of the SSH server you want to audit.
Example of Ubuntu’s 24.04 LTS default SSHD setup:
(if you add the -l warn switch you just get the vulnerabilities presented)
Interpreting the Results:ssh-audit will provide a detailed report of the server’s configuration, including supported key exchange algorithms, encryption ciphers, and MAC algorithms. Look for any warnings or recommendations to improve your server’s security.
Remediation
After running ssh-audit and identifying potential vulnerabilities or weak configurations in your SSH server, it’s important to take steps to remediate these issues. Below are examples of how to apply them:
Example for Ubuntu 24.04.1 LTS:
(Note: This is just an example. The example eliminates vulnerabilities for the SSH-daemon, but it can well be that this snippet does not fit for your setup. Handle with care)
This snippet creates a configuration file (51-ssh-harden_202412.conf) in directory /etc/ssh/sshd_config.d/ with the specified settings to enhance the security of your SSH server.
(Note: This is just an example. This example eliminates vulnerabilities for the SSH-daemon, but it can well be that this snippet does not fit for your setup. Handle with care)
# Backup the original OpenSSH server configuration file
cp /etc/crypto-policies/back-ends/opensshserver.config /etc/crypto-policies/back-ends/opensshserver.config.orig
# Update the OpenSSH server configuration with specific cryptographic policies
echo -e "
# Ciphers: Specifies the encryption algorithms used to secure the SSH session
Ciphers=aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
# Message Authentication Codes (MACs): Defines the algorithms used to ensure data integrity and authenticity
MACs=hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
# GSSAPI Key Exchange Algorithms: Specifies the algorithms used for GSSAPI key exchange
GSSAPIKexAlgorithms=gss-curve25519-sha256-
# Key Exchange Algorithms (KexAlgorithms): Lists the algorithms used for key exchange during the SSH handshake
KexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
# Host Key Algorithms: Lists the algorithms used for verifying the server's host key
HostKeyAlgorithms=ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
# Public Key Accepted Key Types: Specifies the types of public keys accepted for authentication
PubkeyAcceptedKeyTypes=ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
" > /etc/crypto-policies/back-ends/opensshserver.config
(SSHD restart required)
Proof the remediation
run ssh-audit again!
Example-output after remediation:
How can I test if my SSH-Client is not vulnerable ?
If you run ssh-audit with the switch -c it creates an ssh-service on port 2222 and audits every connection attempt:
output after the login-attempt (ssh 127.0.0.1 -p 2222)
➜ ~ ssh-audit -c
# general
(gen) client IP: 127.0.0.1
(gen) banner: SSH-2.0-OpenSSH_9.8
(gen) software: OpenSSH 9.8
(gen) compression: enabled (zlib@openssh.com, zlib)
# key exchange algorithms
(kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5
`- [info] default key exchange from OpenSSH 9.0 to 9.8
`- [info] hybrid key exchange based on post-quantum resistant algorithm and proven conventional X25519 algorithm
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange from OpenSSH 7.4 to 8.9
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 -- [info] available since OpenSSH 4.4
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) ext-info-c -- [info] available since OpenSSH 7.2
`- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions
(kex) kex-strict-c-v00@openssh.com -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)
# host-key algorithms
(key) ssh-ed25519-cert-v01@openssh.com -- [info] available since OpenSSH 6.5
(key) sk-ssh-ed25519-cert-v01@openssh.com -- [info] available since OpenSSH 8.2
(key) rsa-sha2-512-cert-v01@openssh.com -- [info] available since OpenSSH 7.8
(key) rsa-sha2-256-cert-v01@openssh.com -- [info] available since OpenSSH 7.8
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79
(key) sk-ssh-ed25519@openssh.com -- [info] available since OpenSSH 8.2
(key) rsa-sha2-512 -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 -- [info] available since OpenSSH 7.2, Dropbear SSH 2020.79
# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79
`- [info] default cipher since OpenSSH 6.9
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
# message authentication code algorithms
(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
# algorithm recommendations (for OpenSSH 9.8)
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
(rec) -ecdsa-sha2-nistp256-cert-v01@openssh.com -- key algorithm to remove
(rec) -ecdsa-sha2-nistp384 -- key algorithm to remove
(rec) -ecdsa-sha2-nistp384-cert-v01@openssh.com -- key algorithm to remove
(rec) -ecdsa-sha2-nistp521 -- key algorithm to remove
(rec) -ecdsa-sha2-nistp521-cert-v01@openssh.com -- key algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove
(rec) -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com -- key algorithm to remove
(rec) -sk-ecdsa-sha2-nistp256@openssh.com -- key algorithm to remove
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -umac-128@openssh.com -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com -- mac algorithm to remove
(rec) -umac-64@openssh.com -- mac algorithm to remove
Make your SSH-communication more secure, if not the SSH-Service opens an attack surface for uninvited visitors. Secure SSH configuration is Key!
Most major Linux distributions have adopted nftables as their default firewall framework, often using it under the hood for iptables commands. Here are some of the key distributions that support nftables:
Debian: Starting with Debian Buster, nftables is the default backend for iptables.
Ubuntu: From Ubuntu 20.10 (Groovy Gorilla) onwards, nftables is included and can be used as the default firewall framework.
Fedora: Fedora has integrated nftables and uses it as the default firewall framework.
Arch Linux: Arch Linux includes nftables and provides packages for easy installation and configuration.
Red Hat Enterprise Linux (RHEL): RHEL 8 and later versions use nftables as the default packet filtering framework.
Let’s examine a fresh installed Ubuntu 24.04 LTS on an RPI:
The system does not use the legacy iptables framework, instead it uses the nf_tables version of iptables which provides a bridge to the nftables infrastructure/framework.
to complete the knowledge we check the symbolic link of iptables:
Iptables-nft ruleset appears in the rule listing of nftables.
Is iptables-nft and nftables then the same ? No, but they share the infrastructureof nftables.
Here’s how they work together:
Compatibility Layer iptables-nft: This is a variant of iptables that uses the nftables kernel API. When you use iptables commands, they are translated into nftables rules by this compatibility layer. This allows you to continue using familiar iptables commands while benefiting from the advanced features of nftables. iptables-legacy: This is the traditional iptables that directly interacts with the kernel’s iptables API. If you use iptables-legacy, it operates independently of nftables and does not translate rules into nftables format. Interaction Rule Management: When you use iptables-nft, the rules you create are managed by nftables under the hood. This means that nftables takes precedence, and the rules are stored in the nftables ruleset. Kernel API: Both iptables-nft and nftables use the same kernel API for packet filtering. This ensures that the packet matching and filtering behavior is consistent, regardless of which tool you use to create the rules. Coexistence: If you use both iptables-legacy and nftables, they can coexist, but it’s generally recommended to stick with one framework to avoid conflicts and ensure consistency.
Best Practices
Transition to nftables: If you’re starting fresh or looking to modernize your firewall management, transitioning to nftables is recommended. It offers better performance, more features, and a simpler syntax. Use iptables-nft: If you prefer using iptables commands, use the iptables-nft variant to take advantage of nftables’ capabilities while maintaining familiarity with iptables syntax. By understanding how iptables and nftables interact, you can make informed decisions about managing your firewall rules and ensure a smooth transition to nftables.
You must be logged in to post a comment.