Linux Programmer | RHCE | RHCSA


Thursday, 26 March 2026

Restrict SSH and Allow with SFTP

Create SFTP user: 
```
sudo useradd -M -s /sbin/nologin sftpuser
sudo passwd sftpuser
```
Add the lines below to /etc/ssh/sshd_config:
```
Match User sftpuser
    ChrootDirectory /data/sftp
    ForceCommand internal-sftp
    PasswordAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```
Create folder and set permissions:
```
sudo mkdir -p /data/sftp
sudo chown root:root /data/sftp
sudo chmod 755 /data/sftp

sudo mkdir -p /data/sftp/upload
sudo chown sftpuser:sftpuser /data/sftp/upload
```
So the final structure should be:
```
/data/sftp        → owned by root:root (755)
/data/sftp/upload → owned by sftpuser:sftpuser (755)
```
Restart ssh:
```
/etc/init.d/ssh restart
```

Check by connecting with SFTP: it works.

Connecting with plain SSH will show an error, because ForceCommand internal-sftp only allows the SFTP subsystem for this user.
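Before restarting sshd it is worth verifying the ownership and mode rules it enforces on ChrootDirectory, since a single group-writable parent makes every sftp login fail. The script below is an added example, not from the original post; it assumes the /data/sftp layout above and parses `ls -ldn` output.

```shell
#!/bin/sh
# Added example, not from the original post: pre-check the ownership and mode
# rules sshd enforces on ChrootDirectory. Every directory from / down to the
# chroot must be owned by root and must not be group- or world-writable, or
# sftp logins fail with "bad ownership or modes for chroot directory".

# chroot_dir_ok DIR [UID]: succeeds if DIR is owned by UID (default 0 = root)
# and has no group/other write bit. Parses `ls -ldn`, so no GNU stat needed.
chroot_dir_ok() {
    dir=$1; want_uid=${2:-0}
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    set -- $(ls -ldn "$dir")       # $1 = mode string, $3 = numeric owner uid
    mode=$1; uid=$3
    if [ "$uid" != "$want_uid" ]; then
        echo "bad owner: $dir has uid $uid, want $want_uid"; return 1
    fi
    case $mode in
        ?????w*|????????w*)        # 6th char = group write, 9th = other write
            echo "bad mode: $dir is $mode (group/other writable)"; return 1 ;;
    esac
    return 0
}

# check_chroot_path /data/sftp: runs chroot_dir_ok on /, /data and /data/sftp,
# the same walk sshd does before it chroots the session.
check_chroot_path() {
    old_ifs=$IFS; IFS=/
    set -- $1                      # split the path into its components
    IFS=$old_ifs
    cur=""
    chroot_dir_ok / || return 1
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        chroot_dir_ok "$cur" || return 1
    done
    echo "ok: $cur and every parent are root-owned and not group/world writable"
    return 0
}

# Typical use before the restart step above:
#   check_chroot_path /data/sftp && sudo sshd -t && sudo /etc/init.d/ssh restart
```

`sshd -t` only checks the configuration syntax; the path walk above catches the permission mistakes that pass the syntax check but still reject the chroot at login time.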

Friday, 23 January 2026

Kubernetes Cluster Security - Starting 2026 the Right Way 🛡️

Sooooo finally writing the first blog of 2026 — and what better topic to kick things off than Kubernetes cluster security.

Kubernetes has become the backbone of modern infrastructure. From startups to large enterprises, everyone is running workloads on Kubernetes. But with great power comes… well, a massive attack surface.

Security in Kubernetes isn’t optional anymore. It’s foundational.

Let’s break it down.

How to secure a Kubernetes cluster?

1. Cluster and Infrastructure Security

  • Restrict access to:
    • Kube-apiserver
    • etcd
  • Never expose the API server port to the public internet.

Do not allow global access to the API server port.
Disable anonymous auth:

--anonymous-auth=false

2. Authorization and Authentication

  • RBAC

3. Pod and Container security

  • Use Pod Security Standards (PSS)
kubectl label ns prod pod-security.kubernetes.io/enforce=restricted

Restricted means:

  • No privileged pods
  • No hostPath
  • No root user
  • Run containers as a non-root user.

securityContext:
  runAsNonRoot: true
  readOnlyRootFilesystem: true

🚫 Disable dangerous settings:  

privileged: true
hostNetwork: true
hostPID: true
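As an added shell example, not from the original post, here is a small pre-submit audit that greps a Pod manifest for the settings listed above; the two manifests it writes are constructed samples, and real enforcement still belongs to Pod Security Admission or a Kyverno policy (section 9).

```shell
#!/bin/sh
# Added example, not from the original post: grep-based pre-submit audit of a
# Pod manifest for the settings the "restricted" level rejects. Plain-text only;
# real enforcement belongs to Pod Security Admission or Kyverno (section 9).
audit_pod_manifest() {
    file=$1
    findings=0
    # keys the restricted profile forbids outright
    for key in 'privileged: true' 'hostNetwork: true' 'hostPID: true' 'hostPath:'; do
        if grep -Eq "^[[:space:]]*$key" "$file"; then
            echo "FAIL: '$key' in $file"
            findings=$((findings + 1))
        fi
    done
    # restricted also requires an explicit runAsNonRoot: true
    if ! grep -Eq '^[[:space:]]*runAsNonRoot:[[:space:]]*true' "$file"; then
        echo "FAIL: 'runAsNonRoot: true' missing in $file"
        findings=$((findings + 1))
    fi
    echo "$findings"    # last line printed: number of findings, 0 means clean
}

# Constructed sample manifests (not real workloads), written under directory $1.
write_samples() {
cat > "$1/bad.yaml" <<'EOF'
kind: Pod
spec:
  hostNetwork: true
  hostPID: true
  containers:
  - name: app
    securityContext:
      privileged: true
  volumes:
  - name: host
    hostPath:
      path: /
EOF
cat > "$1/good.yaml" <<'EOF'
kind: Pod
spec:
  securityContext:
    runAsNonRoot: true
  containers:
  - name: app
    securityContext:
      readOnlyRootFilesystem: true
EOF
}
```

Run it as `write_samples /tmp/pods; audit_pod_manifest /tmp/pods/bad.yaml`; the bad manifest reports five findings and the good one reports zero.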

4. Image security

  • Scan images (Trivy)
  • Example of an image scan with Trivy:
docker run -v /var/run/docker.sock:/var/run/docker.sock -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy:0.68.2 image python:3.4-alpine
  • This lists all known vulnerabilities in the image.

  • Use a trusted registry and verify image signatures with cosign

cosign verify myimage:1.0

5. Network Security

  • Network policy
    • Deny all traffic by default, then explicitly allow what is needed.
  • Service mesh (Istio)

6. Secret Management

  • Do not store secrets in plain YAML; use Kubernetes Secrets instead.
kubectl create secret generic db-secret --from-literal=password=xyz

7. Runtime Security

  • Use runtime security tools (Falco, Tetragon)
  • Alert if a shell is executed inside a container

8. Logging, Auditing & Monitoring

📜 Enable Audit Logs

--audit-log-path=/var/log/kube-apiserver.log

Track:

  • Who deleted a pod
  • Who accessed secrets

Monitoring

  • Prometheus
  • Grafana
  • Alertmanager

9. Kubernetes API Hardening

  • Disable unused APIs
  • Disable legacy auth

Use admission controllers:

  • PodSecurity
  • OPA Gatekeeper
  • Kyverno

Example Kyverno policy:

require runAsNonRoot=true

10. Node Security

🔐 Harden nodes

  • Minimal OS (COS, Bottlerocket)
  • Regular patching
  • Disable SSH where possible


In the next blog we will see how to use Falco for runtime security.

Thursday, 11 December 2025

Failed to execute Terminal Emulator. Input/Output error.

I have installed the Xfce4 desktop environment on a server.
When I open the terminal and close it, it shows the above error.

Reason:

Your system's default terminal emulator (the one set by update-alternatives) is one of:

  • missing
  • broken
  • misconfigured
  • the executable was deleted
  • package is half-installed (common after emergency mode)

So when the console tries to spawn a terminal, it fails with an I/O error.

Solution:

sudo update-alternatives --config x-terminal-emulator

Select xfce-terminal and it works.


Thursday, 4 September 2025

These 15 resources will sharpen you for interviews and real production chaos

1. Explainshell – paste any bash command, and it breaks it down word by word. No more guessing awk or sed.

2. KubeSim – browser-based Kubernetes chaos drills. Crash etcd, break kube-proxy, see if you can recover.

3. AWS Fault Injection Simulator – inject failures in EC2, RDS, or EKS the way AWS does it.

4. etcd Playground – see how Kubernetes falls apart when its “memory” gets corrupted. Practice recovery.

5. Linux Strace Guide – the tool senior engineers use when logs are lying. Debug syscalls directly.

6. Azure Well-Architected Review – learn how Azure designs for availability, security, and cost trade-offs.

7. eBPF Academy – kernel-level observability. Trace sockets, latency, and network drops in real time.

8. Postmortem Templates (Google & Netflix) – write RCAs like FAANG engineers. Learn the structure that matters.

9. Container Security Playground (Katacoda) – hands-on labs to practice securing Docker/K8s workloads.

10. HAProxy Config Explorer – visualize advanced LB configs, spot bottlenecks before they break prod.

11. Helm Best Practices Repo – community-driven repo of anti-patterns and fixes. Learn beyond helm install.

12. Chaos Monkey (Netflix OSS) – the OG chaos tool. Still unmatched for teaching resilience culture.

13. Karpenter Workshop – master AWS-native autoscaling, and how it silently explodes costs if misused.

14. PromCat – curated, production-ready Prometheus dashboards built by Sysdig.

15. Incident.io Learning Hub – how modern teams structure incidents, on-call, and escalations.
