Today I happily looked at what apt-get upgrade on Wheezy presented to me (for apache 2 / 2.2.22):
* This release adds support for SSL/TLS ECC keys and ECDH ciphers.
Your SSL vhost should look somewhat like that now:
Header add Strict-Transport-Security "max-age=15768000"
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
It's nice to have a software raid in Linux in place, security is always good. But it's only as good as you let some daemon(s) check the status and let it report to you. Two highly recommended pieces of software are smartmontools (aka smartctl / smartd) and mdadm in daemon mode.
Assuming you're using Debian:
# apt-get install smartmontools
# apt-get install mdadm (probably already installed)
Depdending on what your /etc/mdadm/mdadm.conf says, better create a new config with mkconf:
Don't forget to put your E-Mail address in it, like
Now, restart the daemon
# service mdadm restart
and send a testmail(!) to yourself using mdadm
# mdadm --monitor --scan --test --oneshot
Now for smartd, which will send you email about important S.M.A.R.T. values from your hdd(s).
# edit /etc/default/smartmontools
Enable this line:
and leave the others alone. Detailed settings follow here:
# edit /etc/smartd.conf
Comment out the one line that is enabled and put the following (to your hardware matching) line(s) in it:
/dev/sda -a -o off -S on -s (S/../.././02|L/../../6/03) -I 194 -m firstname.lastname@example.org
/dev/sdb -a -o off -S on -s (S/../.././02|L/../../6/03) -I 194 -m email@example.com
Hint: Depending on your distribution a DEVICESCAN-line is present, comment that one out.)
# service smartmontools restart
And with this service as well: Test(!) sending the mail:
# echo "/dev/sda -m firstname.lastname@example.org -M test" > /etc/smartd.conf.test
# smartd -c /etc/smartd.conf.test
Now for some final:
# service smartmontools restart
(Please recheck that smartd is now running without smartd.conf.test -> Otherwise "kill" and start the service normally)
And you're done!
Looking out for a new SSL certificate soon? Maybe better create a new set of keys as well, not only because of heartbleed. SHA1 is said to be no longer secure. Here is the all-in-one command for your shell:
$ openssl req -nodes -sha256 -newkey rsa:2048 -keyout myserver.key -out server.csr
Even M$ has depreciation for SHA1 set to somewhat in 2016:
Let's see how you can check with FF what sig algo for the key was used (sorry for the german screenshot)
Did you also recently get your brand new ALIX APU1C board?
http://www.pcengines.ch/apu1c.htm It's around 170 EUR gross incl. casing, power and some ssd.
I got mine from Varia Shop using the bundled article with some nice casing, power supply and 16 GB mSATA card. Anyway, I was eager to install Debian Wheezy on this thing.
All you need is a DHCP-service and a tftp daemon. If your host is Debian too, this is the way to go:
aptitude install dnsmasq tftpd-hpa
A minimal setup would look like:
I added the verbose option to see in syslog what files are requested.
Now fill up your tftp-root-directory. On wheezy (host) it is /srv/tftpd
Download all the files from e.g.:
Yes, your box is 64-Bit and has two cores.
My final tree there looked like:
Where the content of the default file looks like this:
append vga=off initrd=debian/stable/amd64/initrd.gz console=ttyS0,115200n8 fb=false
The important part is the bold append line where we activate serial console.
Now boot up your device and hit enter on the PXE prompt (maybe there's no output at all -at first- after getting an IP). Have fun.
Nice tutorial on how to build the openvas7 beta on Ubuntu:
If you're even more lazy, get the v6 virtual appliance from the page: http://openvas.org/vm.html
Note to myself:
# vboxmanage modifyvdi HDD.vdi compact
For Windows: sdelete before that
For Linux: zerofree before that
Becomes more and more important for certain reasons :-) Here is what I basically did for my use cases.
[ blah ... ssl on ... certificates ... ]
add_header Strict-Transport-Security max-age=15768000;
Apache2 looks like this (>= v2.2.22 | below now TLSv1.2 available)
SSLProtocol all -SSLv3
And yes, this breaks some older IE like the one in XP :)
And finally, verify your results here: https://www.ssllabs.com/ssltest/
Ever had trouble sending out mail being recognized as spam? Here are some simple tests you should perform in order to find out whats wrong:
- Visit http://multirbl.valli.org/ and enter the IP address of the outgoing SMTP server
- Send an email to test @ allaboutspam.com and wait approx. 10-15 mins for a non-delivery-notice. In it you'll find a link to your results ! Besides blacklists it checks for DKIM, SPF and such
- Please also send a testmail to: check-auth @ verifier.port25.com and wait for the detailed answer after that
- You may also check for TLS working correctly here: http://www.checktls.com/
- Finally check your protocols here: https://starttls.info/
Configuring your own postfix for the incoming side involves this:
I recently learned that "nobarrier" plus "noatime" can be a real performance boost when using ext4. Ref: https://www.kernel.org/doc/Documentation/filesystems/ext4.txt
My use case was a libvirt/KVM vm image lying on an ext4 system.
Today I experienced a small heart-attack while rebooting a Debian Linux VM.
grub2 told me "no argument specified" after the GRUB-Splashscreen when normally loading the initrd and the kernel.
The solution was as simple as that:
OLD: search --no-floppy --fs-uuid --set 857d5af9-23cd-4d9b-908b-cc075e866758
NEW: search --no-floppy --fs-uuid --set=root 857d5af9-23cd-4d9b-908b-cc075e866758
There must have been some syntax change recently I didn't realize.