Amazon Clouddrive, Encfs and Rsync

Cloudy, with a chance of Unlimitness.

Amazon.$tld just released an unlimited storage tier for non-commercial applications for ~70 bucks a year (depending on your location). And they are not kidding: not only does the web interface say ‘x used of unlimited’, but once mounted you’ll notice a 100TB quota. Reports on GitHub state that people actually reached that limit and even had it increased by contacting support. So, plenty of space for your ‘documents’.

In its most basic form you can manage, download and upload your files via the web interface. That’s nice for on-the-go, but we are talking serious data here, so we need a client. Amazon offers the usual stuff: a Windows client and an OSX client. No Linux? Don’t be sad: those clients can’t even do a real ‘sync’. Plus, so far all clients upload your files unencrypted. Of course Amazon goes ad-fishing with buzzwords from the ‘secure’ department… But they do have a list of compatible file types available. This is just so the web client can index and play media, but it also means they are scanning your files (even if only automatically).

Err, no thanks.

What we want is the ability to mount the CloudDrive in Linux and encrypt everything before uploading.
Let’s get cracking.
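The shape of the setup, as an added example that is not the post’s own script: the cloud drive is assumed to be FUSE-mounted already, encfs in --reverse mode exposes an encrypting view of the plaintext tree, and rsync pushes that view (ciphertext, filenames included) into the mounted drive. All three paths are hypothetical and can be overridden through the environment; the only logic that matters beyond the two tool calls is the layout check that stops rsync or encfs from recursing into themselves.

```shell
#!/bin/sh
# Added example, not the post's own script. Mirrors a plaintext directory into
# a cloud drive that is already FUSE-mounted locally, so that only ciphertext
# ever leaves the machine. Assumed (hypothetical) paths:
#   $PLAIN        plaintext tree to back up
#   $CIPHER_VIEW  mount point for the encfs --reverse (encrypting) view
#   $CLOUD_MOUNT  directory where the cloud drive is mounted
# Requires encfs and rsync; fusermount comes with FUSE.

PLAIN="${PLAIN:-$HOME/documents}"
CIPHER_VIEW="${CIPHER_VIEW:-$HOME/.documents-enc}"
CLOUD_MOUNT="${CLOUD_MOUNT:-$HOME/clouddrive/documents}"

# inside CHILD PARENT: succeed if CHILD equals PARENT or lies below it.
inside() {
    case "${1%/}/" in "${2%/}/"*) return 0 ;; esac
    return 1
}

# Refuse layouts that would recurse (view or destination inside the plaintext,
# plaintext or destination inside the view): rsync would otherwise chase the
# encrypted view of itself, or encfs would try to encrypt its own mount point.
check_layout() {
    plain=$1; view=$2; dest=$3
    if inside "$view" "$plain" || inside "$dest" "$plain"; then
        echo "refusing: view or destination lies inside the plaintext tree" >&2
        return 1
    fi
    if inside "$plain" "$view" || inside "$dest" "$view"; then
        echo "refusing: plaintext or destination lies inside the reverse view" >&2
        return 1
    fi
    return 0
}

# Mount the encrypting view, mirror it to the cloud, unmount again.
sync_encrypted() {
    plain=$1; view=$2; dest=$3
    check_layout "$plain" "$view" "$dest" || return 1
    mkdir -p "$view" "$dest" || return 1
    # --reverse exposes an encrypted view of an existing plaintext tree without
    # writing a second copy to disk; the volume config lands in $plain/.encfs6.xml.
    encfs --reverse "$plain" "$view" || return 1
    # --delete mirrors local deletions; the exclude keeps the password-wrapped
    # volume key out of the upload should it ever show up in the view.
    rsync -a --delete --exclude=.encfs6.xml "$view/" "$dest/"
    rc=$?
    fusermount -u "$view"
    return $rc
}

case "${1:-}" in
    run)   sync_encrypted "$PLAIN" "$CIPHER_VIEW" "$CLOUD_MOUNT" ;;
    check) check_layout "$PLAIN" "$CIPHER_VIEW" "$CLOUD_MOUNT" && echo "layout ok" ;;
esac
```

Run it as `sh sync.sh check` to validate the paths and `sh sync.sh run` to mirror. Restoring works the other way round: mount the downloaded ciphertext with a normal (non-reverse) `encfs`, pointing `ENCFS6_CONFIG` at the `.encfs6.xml` that stayed in the plaintext directory, which is exactly why that file must never be uploaded next to the data it protects.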


Authenticated with partial success

The What

It’s hardening time again.

Following up on my post “DNSSEC, SSH and keys.”, this is another post in the series on hardening your SSH server, and your server in general. Are you using password login or public keys?


Indeed. Why not both? And I am not going to recommend that you put a password on your SSH keys (which is nice in itself), but rather real two-factor authentication: public key and a password. What does it do?
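What that looks like on the server, as an added example (not the post’s own code): the sshd_config directive that chains the two methods is `AuthenticationMethods publickey,password` (OpenSSH 6.2 or newer), and the helper below checks a config file for it and for the settings that would silently defeat it. The second helper reads sshd log lines and lists user/IP pairs that passed the key step but never completed the password step; the sample log lines are constructed here, modelled on sshd’s auth log format, and the title of this post is the message the client sees at that point.

```shell
#!/bin/sh
# Added example, not the post's own. Two helpers around "key AND password":
#   check_sshd_config FILE   - does this sshd_config really demand both factors?
#   partial_auth_report      - which sessions passed the key but not the password?
# The sshd_config lines that enforce the combination (OpenSSH 6.2 or newer):
#
#   PubkeyAuthentication yes
#   PasswordAuthentication yes
#   AuthenticationMethods publickey,password
#
# Client-side the first successful method is reported as "Authenticated with
# partial success"; server-side sshd logs it as "Partial publickey for ...".

check_sshd_config() {
    f=$1; ok=0
    # drop comments and blank lines; directive names are case-insensitive
    cfg=$(sed 's/#.*//' "$f" | grep -v '^[[:space:]]*$')
    echo "$cfg" | grep -iqE '^[[:space:]]*AuthenticationMethods[[:space:]]+publickey,(password|keyboard-interactive)' \
        || { echo "missing: AuthenticationMethods publickey,password"; ok=1; }
    echo "$cfg" | grep -iqE '^[[:space:]]*PubkeyAuthentication[[:space:]]+no' \
        && { echo "PubkeyAuthentication no: the first factor is disabled"; ok=1; }
    echo "$cfg" | grep -iqE '^[[:space:]]*PasswordAuthentication[[:space:]]+no' \
        && { echo "PasswordAuthentication no: the second factor can never succeed"; ok=1; }
    echo "$cfg" | grep -iqE '^[[:space:]]*PermitRootLogin[[:space:]]+yes' \
        && { echo "PermitRootLogin yes: prefer no or prohibit-password"; ok=1; }
    return $ok
}

# Read sshd log lines on stdin; print "USER IP partial accepted" for every
# user/IP pair that produced a "Partial publickey" (first factor passed) and
# how many of those went on to "Accepted password" (second factor passed).
# Pairs with accepted == 0 deserve a look: a valid key, but no valid password.
partial_auth_report() {
    awk '
    /sshd\[[0-9]+\]: Partial publickey for / {
        for (i = 1; i <= NF; i++) if ($i == "for") { u = $(i+1); ip = $(i+3) }
        partial[u " " ip]++
    }
    /sshd\[[0-9]+\]: Accepted password for / {
        for (i = 1; i <= NF; i++) if ($i == "for") { u = $(i+1); ip = $(i+3) }
        accepted[u " " ip]++
    }
    END {
        for (k in partial)
            print k, partial[k], ((k in accepted) ? accepted[k] : 0)
    }' | sort
}

# Constructed sample lines modelled on sshd's auth log format (not real logs).
SAMPLE_LOG='Mar  1 10:00:01 host sshd[111]: Partial publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:AAAA
Mar  1 10:00:03 host sshd[111]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Mar  1 10:05:01 host sshd[222]: Partial publickey for bob from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:BBBB
Mar  1 10:05:04 host sshd[222]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar  1 10:06:01 host sshd[223]: Partial publickey for bob from 198.51.100.7 port 40001 ssh2: ED25519 SHA256:BBBB
Mar  1 10:06:04 host sshd[223]: Failed password for bob from 198.51.100.7 port 40001 ssh2'

case "${1:-}" in
    demo)   printf '%s\n' "$SAMPLE_LOG" | partial_auth_report ;;
    config) check_sshd_config "$2" && echo "$2: both factors enforced" ;;
esac
```

`sh twofactor.sh demo` prints `bob 198.51.100.7 2 0` next to `alice 192.0.2.10 1 1`: bob’s key was accepted twice and the password never was, which is the pattern that only exists once both factors are required. Note that `PasswordAuthentication yes` is deliberately kept; with `AuthenticationMethods publickey,password` it no longer means “password alone is enough”.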


OpenFire and Ciphers

OpenFire.

Running OpenFire for XMPP is fun, as it is a fully featured server that brings its own web interface. I have been running it for nearly a decade now.

Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the only widely adopted open protocol for instant messaging, XMPP (also called Jabber). Openfire is incredibly easy to set up and administer, but offers rock-solid security and performance.

Scoring.

Most distributions ship Openfire packaged and somewhat up to date, but to be on the safe side you should install the .deb or .rpm files from the developers’ homepage. Installation is pretty straightforward, as configuration is done via the web interface. You only need an up and running MySQL (or MariaDB) server and off you go. I will not go into installing said packages in this article; I assume you are able to get things running by yourself. If not, the remainder of this article is not for you – yet.

The issues start, however, when trying to get a good grade over at xmpp.net:

xmpp.net score


DNSSEC

Short: We now have a fully working DNSSEC infrastructure, complete with DANE!

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks. It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

– Wikipedia entry for DNSSEC.

Implementing DNSSEC itself is fairly easy; there are a lot of good howtos out there. The trick is to make it work with Puppet and several DNS servers at once. I don’t want any hassle with the DNSSEC part at any time: if I change a DNS zone in my Puppet manifest, the change has to be made public on the DNS servers, which in turn have to handle the signing by themselves. But if you manage the zones with Puppet, the signed zonefiles get wiped. So that was the tricky bit.

Plus I host several other domains whose admins want to enjoy DNSSEC without any hassle. With my current implementation of Puppet and DNS — it works! \o/

DANE enables the administrator of a domain name to certify the keys used in that domain’s TLS servers by storing them in the Domain Name System (DNS). DANE needs DNS records to be signed with DNSSEC.

– Wikipedia on DANE.

DANE was rather easy once DNSSEC was online. As the zones are trusted (by verifying the signatures), the TLSA records are trusted, too. It’s a shame that most browsers do not yet support DANE; you can add TLSA/DANE support by installing an add-on.
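How a TLSA record ties the DNSSEC-signed zone to the TLS key, as an added example that is not part of the post: the script derives a “3 1 1” record (DANE-EE, SubjectPublicKeyInfo, SHA-256) from a certificate file and, for a live check, compares it with what DNS serves, insisting on the resolver’s AD flag so that only a validated answer counts. The host name and port are placeholders; openssl, dig and sha256sum are assumed to be installed.

```shell
#!/bin/sh
# Added example, not the post's own. Derives the DANE TLSA record for a TLS
# server from its certificate and checks the published record against it.
# Record form used: usage 3 (DANE-EE), selector 1 (SubjectPublicKeyInfo),
# matching type 1 (SHA-256), i.e. "3 1 1 <hex>". Needs openssl; the live
# check additionally needs dig, network and a DNSSEC-validating resolver.
# example.com and 443 used below are placeholders.

# Hex SHA-256 over the DER-encoded SubjectPublicKeyInfo of certificate file $1.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | sha256sum | cut -d' ' -f1
}

# Full TLSA record line for HOST, tcp PORT, certificate CERT. Selector 1 pins
# the key rather than the whole certificate, so a renewal that reuses the key
# pair does not invalidate the record.
tlsa_record() {
    host=$1; port=$2; cert=$3
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$port" "$host" "$(spki_sha256 "$cert")"
}

# Pull the "3 1 1" hash out of dig's answer section on stdin and normalise it:
# dig may print the hex upper-case, in space-separated groups, or wrapped in
# parentheses. RRSIG lines covering TLSA are skipped (class token must be IN).
tlsa_hash_from_dig() {
    awk '/[ \t]TLSA[ \t]+3[ \t]+1[ \t]+1[ \t]/ {
        for (i = 5; i <= NF; i++)
            if ($(i-4) == "IN" && $(i-3) == "TLSA" && $(i-2) == "3" && $(i-1) == "1" && $i == "1") {
                h = ""
                for (j = i + 1; j <= NF; j++)
                    if ($j != "(" && $j != ")") h = h $j
                print tolower(h); exit
            }
    }'
}

# Compare DNS with the local certificate. Fails unless the answer carries the
# AD flag (validated by the resolver) and the hash matches.
tlsa_check_published() {
    host=$1; port=$2; cert=$3
    want=$(spki_sha256 "$cert")
    out=$(dig +noall +comments +answer +dnssec TLSA "_${port}._tcp.${host}")
    echo "$out" | grep -Eq 'flags:[^;]* ad( |;)' \
        || { echo "no AD flag: answer was not DNSSEC-validated" >&2; return 1; }
    got=$(echo "$out" | tlsa_hash_from_dig)
    [ -n "$got" ] || { echo "no 3 1 1 TLSA record found" >&2; return 1; }
    [ "$got" = "$want" ] || { echo "mismatch: DNS $got, cert $want" >&2; return 1; }
    echo "TLSA for $host:$port matches and is DNSSEC-validated"
}

case "${1:-}" in
    record) tlsa_record "$2" "$3" "$4" ;;
    check)  tlsa_check_published "$2" "$3" "$4" ;;
esac
```

`sh tlsa.sh record example.com 443 server.crt` prints the line to drop into the zone (the signing then happens on the DNS servers, as described above); `sh tlsa.sh check example.com 443 server.crt` is the thing to run after every certificate renewal, because a key change with a stale TLSA record locks DANE-aware clients out.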


See for yourself:
