Datacenter move completed

Hey folks,

During the past 30 days we moved all the hardware to a different data center (and provider). We tried to make the migration as seamless as possible, but at some point everyone got hurt in the process.

Regarding IP ranges

Our new IP ranges are as follows:

IPv6: 2a01:1f8:2000::/48

Wait, IPv6? That’s right: we moved all servers to use IPv6 as their primary address, with a fallback to IPv4 if needed. We also have some (minor) servers running IPv6 only; but fear not, no production servers. You do not need to change anything on your end.

While on the matter of redoing the entire thing I bought a new firewall, a WatchGuard XTM5 (I upgraded the rather weak Celeron CPU to an Intel Core2Duo E5700 and increased the memory to 4 GB). This is, for a firewall, beyond anything you can imagine. It’s also fancy red, looking awfully sexy for a firewall (in my techie opinion).

The firewall is running pfSense now, with (among other things) GeoIP blocking (no more Nigerian spam), Snort (with subscription) and several other things. Even at full usage of the uplink port the CPU of the firewall does not exceed 70%, and no packets are dropped.

Beware the dog! If your computer is doing an aggressive port scan or another nasty thing, you will be blocked from the network for 1 hour. If you get bitten by accident, please contact me above (after the block is lifted) giving me your IP. I will look up the logs and adjust the firewall accordingly.
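To show what such a rule actually does, here is the detection logic behind it as an added example; this is not the site's pfSense or Snort configuration and not code from the original post. It counts distinct destination ports per source over a sliding window, blocks a source for one hour once a threshold is crossed, and lets the block expire by itself. The log format is a constructed simplification (not pfSense's real filterlog format), and the window, threshold and addresses are assumptions.

```python
"""Port-scan detection with self-expiring one-hour blocks.

Added example, not the site's pfSense/Snort configuration. The log format
used here is a constructed simplification, not pfSense's real filterlog
format: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <action>".
"""
from collections import defaultdict, deque

SCAN_WINDOW_SECONDS = 60      # sliding window over which ports are counted (assumed)
SCAN_PORT_THRESHOLD = 20      # distinct destination ports per source that count as a scan (assumed)
BLOCK_SECONDS = 3600          # one hour, as in the policy described above


class ScanDetector:
    def __init__(self, window=SCAN_WINDOW_SECONDS, threshold=SCAN_PORT_THRESHOLD,
                 block_seconds=BLOCK_SECONDS):
        self.window = window
        self.threshold = threshold
        self.block_seconds = block_seconds
        self._events = defaultdict(deque)   # src_ip -> deque of (timestamp, dst_port)
        self._blocked = {}                  # src_ip -> timestamp at which the block expires

    def is_blocked(self, src, now):
        """True while a block is in force; an expired block is dropped on the way."""
        expiry = self._blocked.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self._blocked[src]          # the hour is over: the dog lets go
            return False
        return True

    def observe(self, ts, src, dport):
        """Record one event; return True if it pushes src over the threshold."""
        if self.is_blocked(src, ts):
            return False                    # already blocked, nothing new to do
        q = self._events[src]
        q.append((ts, dport))
        while q and q[0][0] < ts - self.window:
            q.popleft()                     # slide the window forward
        if len({port for _, port in q}) >= self.threshold:
            self._blocked[src] = ts + self.block_seconds
            q.clear()
            return True
        return False


def parse_line(line):
    ts, src, dst, dport, action = line.split()
    return int(ts), src, dst, int(dport), action


def process_log(lines, detector=None):
    """Return ([(src, blocked_at, expires_at), ...], detector) for a log."""
    detector = detector or ScanDetector()
    blocks = []
    for line in lines:
        ts, src, _dst, dport, _action = parse_line(line)
        if detector.observe(ts, src, dport):
            blocks.append((src, ts, ts + detector.block_seconds))
    return blocks, detector


T0 = 1_700_000_000
# Constructed sample log: one host sweeping ports 1-25 in 25 seconds,
# one host legitimately talking to ports 80 and 443 only.
SAMPLE_LOG = (
    [f"{T0 + i} 203.0.113.7 192.0.2.10 {i + 1} block" for i in range(25)]
    + [f"{T0 + i} 198.51.100.4 192.0.2.10 {443 if i % 2 else 80} pass" for i in range(25)]
)

if __name__ == "__main__":
    blocks, det = process_log(SAMPLE_LOG)
    for src, at, until in blocks:
        print(f"blocked {src} at {at} until {until}")
```

The scanning host is blocked the moment its 20th distinct port appears (ports 1 to 20), the legitimate host never is, and asking `is_blocked` one hour after the block was placed returns False without any separate cleanup job, which is the behaviour a practitioner wants before wiring a rule like this into a firewall table.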

Regarding Power

I also picked up another server, a used SuperMicro with 16 CPUs and 24 GB of RAM. Not much, but the 4x4 TB hard disks make it a great server to use for backups. For the most part it is identical to the main server: two power supplies, hardware RAID doing RAID 10, IPMI et al. In a worst-case scenario this server can run most of the important servers just as the main server does.

Regarding Backups

All your files, emails and whatnot hosted on this network are secured by hourly backups with Bareos, whose data is stored on the other hardware. Daily backups are made and moved off-site, and weekly dumps of all hardware go to an encrypted external disk. This means that if there is a catastrophic hardware failure the other server can (for the most part) pick up the load. If a plane crashes into the data center, the off-site data will still be available. If some freak software bug arises that wipes all the XenServers clean, we have locally attached backups and can get back online in a jiffy.
Bottom line: Your data is pretty much safe.

Sorry about the downtimes in the past 30 days. I hope your endurance paid off!

Server Status Page

Hello folks,

I will now publish all server-related downtimes and information via a dedicated status page. Downtimes will no longer be published here. Visit (and bookmark) the new Server Status Page, available under or via the “Server Status” menu on top of the website.

You can also subscribe to instant Email notifications here,
or subscribe to a real-time rss feed here.

If you have any issues with accessing the page, please do let me know.

PFsense and XenServer

The players

I like XenServer. It’s a rock-solid (albeit basic) virtualisation platform that’s not only open source but can handle any OS you throw at it. Management is bliss, and in my many years of using it both professionally and privately I have yet to encounter a (non-hardware-related) crash or other issue with it.

Installation is a breeze. All you need is the ISO: burn it and install it on some hardware you have lying around (it even works inside VirtualBox for a test drive; and yes, it also works inside XenServer. Xenception.). The hardware specifications depend on what you are going to do with it. From basic testing to high-end computing with several hundred cores, no problem there.

The other piece of software I totally like is pfSense, a software-based firewall distribution. With some minor tweaking you can get a really neat setup working.

Those two are just screaming to get together and have a party. Bring the party hats!

Read More

Centos 6, PHP 5.6 and FastCGI

The What

So most of you are running (some sort of) a web server. Mostly this is the usual LAMP stack, consisting of

  • Linux
  • Apache
  • MySQL
  • PHP

and there is nothing wrong with that. Built on top of a CentOS 6 machine, it yields a pretty fast and stable server. Yet with the default settings and repositories of CentOS 6 this means an Apache server running mod_php with a whopping PHP 5.3. Remedying the version issue and switching to FastCGI yields a modern setup that’s lightning fast on top.

I will show you how to build a LAMP stack with Apache, mod_fastcgi and a current PHP 5.6.

Let’s get down to business.

Read More

Upgrading Alfresco

The Situation

I am using Alfresco as a personal document archiving system for all my personal things. Everything that gets (snail-)mailed to me gets scanned with my document scanner, which does OCR, page cutting, rotating and optimizing, and is then uploaded to Alfresco with pretty much one click. Well, one button (scanner), then I need to supply a file name and finally the document is added via drag & drop to Alfresco. This system works great; even my wife uses it (frequently). The only things that are kept on paper are important documents like insurance policies and the like.

As this is obviously a critical piece of our “digital lives”, it needs to be stable and somewhat up to date. I opt out of chasing every update and seem to upgrade Alfresco only once a year, which works well for me. My Alfresco installation is shielded from the internet, that is, it’s on my private (non-internet-connected) server, so bugs and exploits are of no concern here.

Now installing and running Alfresco is straightforward, consisting of downloading, running and going through the setup and configuration wizard, period. But at some point you do want to upgrade it. And this is where the fun starts.

Read More

OpenFire and Ciphers


Running Openfire for XMPP is fun, as it is a fully featured server that brings its own web interface. I have been running it for nearly a decade now.

Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to setup and administer, but offers rock-solid security and performance.


Most distributions ship Openfire packaged and somewhat up to date, but to be on the safe side you should install the .deb or .rpm files from the developers’ homepage. Installation is pretty straightforward, as configuration is done via the web interface. You only need an up-and-running MySQL (or MariaDB) server and off you go. I will not go into installing said packages in this article; I assume you are able to get things running for yourself. If not, the remainder of this article is not for you – yet.

Issues start, however, when trying to get a good grade over at score

Read More


DNSSEC

Short: We now have a fully working DNSSEC infrastructure, complete with DANE!

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

– Wikipedia entry for DNSSEC.

Implementing DNSSEC itself is fairly easy; there are a lot of good howtos out there. The trick is to make it work with Puppet and several DNS servers at once. I don’t want any hassle with the DNSSEC part at any time. If I change a DNS zone in my Puppet manifest, the change has to be made public on the DNS servers, which in turn have to handle the signing by themselves. But if you manage the zones with Puppet, the signed zone files get wiped. So that was the tricky bit.

Plus I host several other domains whose admins want to enjoy DNSSEC without any hassle. With my current implementation of puppet and dns — it works! \o/

DANE enables the administrator of a domain name to certify the keys used in that domain’s TLS servers by storing them in the Domain Name System (DNS). DANE needs DNS records to be signed with DNSSEC.

– Wikipedia on DANE.

DANE was rather easy once DNSSEC was online. As the zones are trusted (by verifying the signatures), the TLSA records are trusted, too. It’s a shame that most browsers do not yet support DANE. You can add TLSA/DANE support by installing an add-on.
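What "the TLSA records are trusted, too" buys you in practice is the following check, shown here as an added example that is not code from the original post nor from any DNS or DANE software: building a TLSA record from a certificate and matching a presented certificate against it, following the usage/selector/matching-type rules of RFC 6698. The certificate and key bytes are constructed placeholders standing in for real DER encodings, and the owner name `_5222._tcp.jabber.example.org.` is an assumed XMPP client port; the hashing and matching logic is the real one.

```python
"""Build and check DANE TLSA records.

Added example, not code from the original post or any DNS/DANE software.
The certificate and key bytes below are constructed placeholders standing
in for real DER encodings; the hashing and matching rules are RFC 6698's.
"""
import hashlib
import hmac

# Certificate usage: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698, section 2.1.1)
# Selector:          0 full certificate, 1 SubjectPublicKeyInfo
# Matching type:     0 exact bytes, 1 SHA-256, 2 SHA-512
END_ENTITY_USAGES = (1, 3)
TRUST_ANCHOR_USAGES = (0, 2)


def association_data(selector, mtype, cert_der, spki_der):
    """The bytes a record with this selector/matching type must carry."""
    if selector == 0:
        blob = cert_der
    elif selector == 1:
        blob = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


class TLSARecord:
    def __init__(self, usage, selector, mtype, data):
        self.usage, self.selector, self.mtype, self.data = usage, selector, mtype, data

    @classmethod
    def from_presentation(cls, text):
        """Parse "owner IN TLSA u s m hex..." or just "u s m hex..."; hex may be split by whitespace."""
        fields = text.split()
        if "TLSA" in fields:
            fields = fields[fields.index("TLSA") + 1:]
        usage, selector, mtype = (int(f) for f in fields[:3])
        return cls(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))

    def presentation(self, owner):
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.mtype} {self.data.hex()}"


def make_tlsa(usage, selector, mtype, cert_der, spki_der):
    return TLSARecord(usage, selector, mtype, association_data(selector, mtype, cert_der, spki_der))


def tlsa_matches(record, leaf, chain=()):
    """leaf and every chain entry are (cert_der, spki_der) tuples.

    End-entity usages (1, 3) are checked against the leaf only; trust-anchor
    usages (0, 2) against the CAs in the presented chain. The PKIX validation
    that usages 0 and 1 additionally require is outside this example.
    """
    candidates = [leaf] if record.usage in END_ENTITY_USAGES else list(chain)
    return any(
        hmac.compare_digest(association_data(record.selector, record.mtype, c, k), record.data)
        for c, k in candidates
    )


# Constructed placeholders: a server certificate, a renewal of it that keeps
# the same key pair, and the CA that issued both.
SPKI = b"constructed-spki-of-the-server-key"
CERT_2015 = b"constructed-der-certificate-2015|" + SPKI
CERT_2016 = b"constructed-der-certificate-2016|" + SPKI
CA_SPKI = b"constructed-spki-of-the-ca"
CA_CERT = b"constructed-der-ca-certificate|" + CA_SPKI

OWNER = "_5222._tcp.jabber.example.org."   # assumed owner name for an XMPP client port


def demo():
    """Return (matches_original, renewal_ok_with_3_1_1, renewal_ok_with_3_0_1, ca_pin_matches)."""
    rec_311 = TLSARecord.from_presentation(make_tlsa(3, 1, 1, CERT_2015, SPKI).presentation(OWNER))
    rec_301 = TLSARecord.from_presentation(make_tlsa(3, 0, 1, CERT_2015, SPKI).presentation(OWNER))
    rec_211 = make_tlsa(2, 1, 1, CA_CERT, CA_SPKI)
    return (
        tlsa_matches(rec_311, (CERT_2015, SPKI)),
        tlsa_matches(rec_311, (CERT_2016, SPKI)),
        tlsa_matches(rec_301, (CERT_2016, SPKI)),
        tlsa_matches(rec_211, (CERT_2016, SPKI), chain=[(CA_CERT, CA_SPKI)]),
    )


if __name__ == "__main__":
    print(make_tlsa(3, 1, 1, CERT_2015, SPKI).presentation(OWNER))
    print(demo())
```

The third result is the one that bites deployments: with a `3 0 1` record every certificate renewal invalidates the record and needs a DNS rollover (publish the new record, wait out the TTL, then switch certificates), whereas `3 1 1` keeps matching as long as the key pair is reused. None of this verification means anything unless the resolver actually validated the DNSSEC signatures on the zone, which is the dependency the paragraph above describes.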


See for yourself:

Read More

New certificates

Hey folks,

I just rolled out new StartSSL-signed Class 2 certificates for several domains, including the Jabber server and all Jabber frontends. As they are all signed you should actually not notice any errors or warnings.

The current fingerprint for the jabber certificate is


I moved to the new policy of…

– signing all public services with officially signed certificates,
– signing all private services with my own certificate-authority.

One would think that having a “self”-signed certificate for Jabber would actually not matter, but the number of TLS-connected clients has doubled since the rollout of the new signed certs. Sigh.