Debian Wheezy's "apache2" now with ECC and ECDH (got backported)

Today I happily looked at what apt-get upgrade on Wheezy presented to me (for apache 2 / 2.2.22):
[...]
* This release adds support for SSL/TLS ECC keys and ECDH ciphers.
[...]

Your SSL vhost should now look something like this:

SSLHonorCipherOrder On
Header add Strict-Transport-Security "max-age=15768000"
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
SSLCompression off
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH

Have fun.

Looking for that RAID ("smartd" and "mdadm")

It's nice to have a software RAID in place on Linux, security is always good. But it's only as good as the daemon(s) you let check its status and report to you. Two highly recommended pieces of software are smartmontools (aka smartctl / smartd) and mdadm in daemon mode.
Assuming you're using Debian:
# apt-get install smartmontools
# apt-get install mdadm
(mdadm is probably already installed)

Depending on what your /etc/mdadm/mdadm.conf says, better create a new config with mkconf:
# /usr/share/mdadm/mkconf
Don't forget to put your e-mail address in it, like
MAILADDR you@domain.tld
Now, restart the daemon
# service mdadm restart
and send a test mail (!) to yourself using mdadm
# mdadm --monitor --scan --test --oneshot

Now for smartd, which will send you email about important S.M.A.R.T. values from your hdd(s).
# edit /etc/default/smartmontools
Enable this line:
start_smartd=yes
and leave the others alone. Detailed settings follow here:
# edit /etc/smartd.conf
Comment out the one line that is enabled and put the following line(s), adjusted to your hardware, in it:
/dev/sda -a -o off -S on -s (S/../.././02|L/../../6/03) -I 194 -m you@domain.tld
/dev/sdb -a -o off -S on -s (S/../.././02|L/../../6/03) -I 194 -m you@domain.tld
Hint: Depending on your distribution a DEVICESCAN line is present; comment that one out.

# service smartmontools restart
And for this service as well: test (!) sending the mail:
# echo "/dev/sda -m you@domain.tld -M test" > /etc/smartd.conf.test
# smartd -c /etc/smartd.conf.test
Now, finally:
# service smartmontools restart
(Recheck that smartd is now running without smartd.conf.test; otherwise kill it and start the service normally.)
And you're done!
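mdadm --monitor mails you when something happens to an array; the check below is an added example (not from the original post) of the kind of independent status check you can run from cron or a monitoring agent on the same box. It parses /proc/mdstat and lists arrays that are degraded, have a failed member, or are still rebuilding. The mdstat text embedded here is constructed: a healthy RAID1, a RAID1 with one failed disk, and a RAID5 that is recovering onto a replacement.

```python
"""Parse /proc/mdstat and report arrays that need attention.

Added example, not part of the original post. On a real system read
open("/proc/mdstat").read() instead of SAMPLE_MDSTAT, which is constructed.
"""
import re

SAMPLE_MDSTAT = """\
Personalities : [raid1] [raid6] [raid5] [raid4]
md0 : active raid1 sda1[0] sdb1[1]
      487104 blocks super 1.2 [2/2] [UU]

md1 : active raid1 sda2[0] sdb2[1](F)
      975698880 blocks super 1.2 [2/1] [U_]
      bitmap: 0/8 pages [0KB], 65536KB chunk

md2 : active raid5 sdc1[0] sdd1[1] sde1[2] sdf1[4]
      2930279424 blocks super 1.2 level 5, 512k chunk, algorithm 2 [4/3] [UUU_]
      [=====>...............]  recovery = 28.4% (277582336/976759808) finish=90.2min speed=129120K/sec

unused devices: <none>
"""

# "md1 : active raid1 sda2[0] sdb2[1](F)"; inactive arrays have no level field,
# and the state may carry a suffix such as "active (auto-read-only)".
HEADER_RE = re.compile(r"^(md\d+) : (\w+(?: \([\w-]+\))?)(?: (raid\d+|linear|multipath))? (.*)$")
# member device with slot and optional flag: (F) failed, (S) spare, (W) write-mostly, (R) replacement
DEVICE_RE = re.compile(r"(\S+?)\[(\d+)\](\([FSWR]\))?")
# "[2/1] [U_]": expected/active members and the per-slot up/down map
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\] \[([U_]+)\]")
PROGRESS_RE = re.compile(r"(recovery|resync|reshape|check) = ([\d.]+)%")


def parse_mdstat(text):
    """Return one dict per md array with its members, status and progress."""
    arrays = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name, state, level, devs = m.groups()
            current = {"name": name, "state": state, "level": level,
                       "devices": [], "failed": [], "spares": [],
                       "expected": None, "active": None, "slots": None, "progress": None}
            for dev, _slot, flag in DEVICE_RE.findall(devs):
                current["devices"].append(dev)
                if flag == "(F)":
                    current["failed"].append(dev)
                elif flag == "(S)":
                    current["spares"].append(dev)
            arrays.append(current)
            continue
        if current is None:          # "Personalities" line etc.
            continue
        m = STATUS_RE.search(line)
        if m:
            current["expected"], current["active"] = int(m.group(1)), int(m.group(2))
            current["slots"] = m.group(3)
        m = PROGRESS_RE.search(line)
        if m:
            current["progress"] = (m.group(1), float(m.group(2)))
    return arrays


def is_degraded(array):
    """Degraded: not active, a slot is down ('_'), or a member is flagged failed."""
    if not array["state"].startswith("active"):
        return True
    if array["slots"] is not None and "_" in array["slots"]:
        return True
    return bool(array["failed"])


def problems(text):
    """Human-readable list of arrays needing attention; empty when all are healthy."""
    out = []
    for a in parse_mdstat(text):
        if not is_degraded(a):
            continue
        msg = f"{a['name']} ({a['level'] or 'unknown level'}): {a['active']}/{a['expected']} devices active"
        if a["failed"]:
            msg += ", failed: " + ", ".join(a["failed"])
        if a["progress"]:
            msg += f", {a['progress'][0]} {a['progress'][1]:.1f}% done"
        out.append(msg)
    return out


if __name__ == "__main__":
    for line in problems(SAMPLE_MDSTAT) or ["all arrays healthy"]:
        print(line)
```

A non-empty result from problems() is what you would turn into a non-zero exit code or an alert; the rebuilding array is reported on purpose, since a second disk failure during the recovery window is exactly the case the mail from mdadm is meant to warn you about.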

SHA2 instead of SHA1 for your new cert

Looking for a new SSL certificate soon? Maybe better create a new set of keys as well, not only because of Heartbleed. SHA1 is said to be no longer secure. Here is the all-in-one command for your shell:
$ openssl req -nodes -sha256 -newkey rsa:2048 -keyout myserver.key -out server.csr

Even M$ has deprecation of SHA1 set for sometime in 2016:
http://social.technet.microsoft.com/wiki/contents/articles/1760.windows-root-certificate-program-technical-requirements-version-2-0.aspx
http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

Let's see how you can check in Firefox which signature algorithm the certificate uses (sorry for the German screenshot):
(screenshot: Firefox certificate viewer, signature algorithm sha256)

Install Debian 7 on ALIX APU1C

Did you also recently get your brand new ALIX APU1C board?
http://www.pcengines.ch/apu1c.htm It's around 170 EUR gross incl. casing, power supply and an SSD.
I got mine from Varia Shop using the bundled article with some nice casing, power supply and 16 GB mSATA card. Anyway, I was eager to install Debian Wheezy on this thing.
All you need is a DHCP server and a TFTP daemon. If your host is Debian too, this is the way to go:
aptitude install dnsmasq tftpd-hpa
A minimal setup would look like:
/etc/dnsmasq.conf
dhcp-range=192.168.0.50,192.168.0.150,12h
dhcp-boot=pxelinux.0

/etc/default/tftpd-hpa
TFTP_OPTIONS="--secure -v"
I added the verbose option to see in syslog what files are requested.

Now fill your TFTP root directory. On the Wheezy host it is /srv/tftpd.
Download all the files from e.g.:
http://ftp.de.debian.org/debian/dists/wheezy/main/installer-amd64/current/images/netboot/debian-installer/amd64/

Yes, your box is 64-Bit and has two cores.
My final tree there looked like:
./pxelinux.0
./pxelinux.cfg
./pxelinux.cfg/default
./debian
./debian/stable
./debian/stable/amd64
./debian/stable/amd64/linux
./debian/stable/amd64/initrd.gz

Where the content of the default file looks like this:
DISPLAY boot.txt
DEFAULT stable
LABEL stable
kernel debian/stable/amd64/linux
append vga=off initrd=debian/stable/amd64/initrd.gz console=ttyS0,115200n8 fb=false
PROMPT 1
TIMEOUT 0

The important part is the append line, where we activate the serial console.

Now boot up your device and hit enter at the PXE prompt (there may be no output at all at first, after it gets an IP). Have fun.

PFS - perfect forward secrecy

It becomes more and more important, for certain reasons :-) Here is what I basically did for my use cases.

nginx:
[ blah ... ssl on ... certificates ... ]
        add_header Strict-Transport-Security max-age=15768000;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA;
[...]

Apache2 looks like this (>= v2.2.22; below that, no TLSv1.2 is available)

[...]
SSLProtocol all -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite AES256+EECDH:AES256+EDH:!aNULL
[...]
And yes, this breaks some older IE like the one in XP :)
And finally, verify your results here: https://www.ssllabs.com/ssltest/
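Before going to SSL Labs, it helps to know what a cipher string can actually match. The script below is an added example, not code from the original post or from Apache/nginx: it classifies each entry of an SSLCipherSuite / ssl_ciphers string by the key exchange it can match and reports whether the string still admits non-PFS key exchange (RSA key transport or static ECDH). It is run over the three cipher strings from this page: the Wheezy apache2 string from the first post, and the nginx and Apache PFS strings above. The classification is a name-based approximation of OpenSSL's alias semantics (aliases like HIGH or AES256 say nothing about the key exchange, so they may match RSA suites unless something like !kRSA removes them); the authoritative expansion is `openssl ciphers -v '<string>'`.

```python
"""Audit an OpenSSL-style cipher string for forward secrecy.

Added example, not code from the original post. Name-based and
approximate; check the real expansion with `openssl ciphers -v`.
"""

# Key-exchange classes. Only ephemeral (EC)DH gives forward secrecy.
PFS_KEX = {"ECDHE", "DHE"}
NON_PFS_KEX = {"RSA", "ECDH"}        # RSA key transport, static ECDH
ANY_KEX = PFS_KEX | NON_PFS_KEX

# OpenSSL aliases that constrain the key exchange. Any other alias
# (HIGH, AES256, SHA, MD5, RC4, aNULL, ALL, ...) says nothing about the
# key exchange and may therefore match any of the four classes.
KEX_ALIASES = {
    "EECDH": {"ECDHE"}, "kEECDH": {"ECDHE"}, "ECDHE": {"ECDHE"},
    "EDH": {"DHE"}, "kEDH": {"DHE"}, "kDHE": {"DHE"}, "DHE": {"DHE"},
    "kRSA": {"RSA"},
    "kECDH": {"ECDH"},               # fixed (static) ECDH
    "ECDH": {"ECDHE", "ECDH"},       # ephemeral or fixed ECDH
}

# The three cipher strings from this page.
APACHE_WHEEZY = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
                 "ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH")
NGINX_PFS = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
             "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:"
             "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA")
APACHE_PFS = "AES256+EECDH:AES256+EDH:!aNULL"


def kex_of_suite(name):
    """Key-exchange class of a concrete suite name, taken from its prefix."""
    if name.startswith(("ECDHE-", "AECDH-")):    # AECDH: anonymous ephemeral ECDH
        return {"ECDHE"}
    if name.startswith(("DHE-", "EDH-", "ADH-")):
        return {"DHE"}
    if name.startswith("ECDH-"):
        return {"ECDH"}
    return {"RSA"}   # AES256-SHA, RC4-SHA, DES-CBC3-SHA, ...: RSA key transport


def kex_of_entry(body):
    """Classes an entry (without its !/-/+ prefix) can match.
    'A+B' requires a suite to match both A and B, so the sets intersect."""
    classes = set(ANY_KEX)
    for token in body.split("+"):
        if "-" in token:                 # concrete suite name
            classes &= kex_of_suite(token)
        else:                            # alias; unknown aliases constrain nothing
            classes &= KEX_ALIASES.get(token, ANY_KEX)
    return classes


def audit_cipher_string(cipher_string):
    """Return (pfs_only, report); report has (entry, classes, pfs) per positive entry."""
    entries = [t for t in (e.strip() for e in cipher_string.split(":"))
               if t and not t.startswith("@")]      # skip @STRENGTH and friends
    # '!' removes matching suites for good, wherever it appears in the string.
    banned = set()
    for e in entries:
        if e.startswith("!"):
            k = kex_of_entry(e[1:])
            if k != ANY_KEX:             # only a kex alias bans a whole class
                banned |= k
    admitted = set()
    report = []
    for e in entries:
        if e.startswith("!"):
            continue
        if e.startswith("-"):            # '-' removes only what was added before it
            k = kex_of_entry(e[1:])
            if k != ANY_KEX:
                admitted -= k
            continue
        k = kex_of_entry(e.lstrip("+")) - banned
        admitted |= k
        report.append((e, sorted(k), not (k & NON_PFS_KEX)))
    return not (admitted & NON_PFS_KEX), report


if __name__ == "__main__":
    for label, s in (("apache wheezy", APACHE_WHEEZY), ("nginx", NGINX_PFS), ("apache pfs", APACHE_PFS)):
        pfs_only, report = audit_cipher_string(s)
        print(f"{label}: PFS only = {pfs_only}")
        for entry, classes, pfs in report:
            print(f"  {entry:32s} {'/'.join(classes):22s} {'PFS' if pfs else 'non-PFS possible'}")
```

The nginx string and the AES256+EECDH:AES256+EDH string come out PFS-only, because every positive entry is pinned to an ephemeral key exchange. The Wheezy apache2 string does not: its three explicit ECDHE suites come first, so a modern client with SSLHonorCipherOrder On still gets forward secrecy, but the HIGH entry after them lets a client that offers none of the ECDHE suites fall back to plain RSA key exchange. Whether that fallback is wanted is the trade-off the XP/IE remark above is about; the SSL Labs test is where to confirm what a given client actually negotiates.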

Check your SMTP server (updated)

Ever had trouble with your outgoing mail being recognized as spam? Here are some simple tests you should perform in order to find out what's wrong:

- Visit http://multirbl.valli.org/ and enter the IP address of the outgoing SMTP server
- Send an email to test @ allaboutspam.com and wait approx. 10-15 minutes for a non-delivery notice. In it you'll find a link to your results! Besides blacklists it checks for DKIM, SPF and such
- Also send a test mail to check-auth @ verifier.port25.com and wait for the detailed answer
- You may also check for TLS working correctly here: http://www.checktls.com/
- Finally check your protocols here: https://starttls.info/

Configuring your own postfix for the incoming side involves this:
https://help.ubuntu.com/community/Postfix/SPF
https://help.ubuntu.com/community/Postfix/DKIM

ext4 performance

I recently learned that "nobarrier" plus "noatime" can be a real performance boost when using ext4. Ref: https://www.kernel.org/doc/Documentation/filesystems/ext4.txt
My use case was a libvirt/KVM vm image lying on an ext4 system.

grub2 error: "no argument specified"

Today I experienced a small heart-attack while rebooting a Debian Linux VM.
grub2 told me "no argument specified" after the GRUB splash screen, at the point where it normally loads the initrd and the kernel.

The solution was as simple as that:
OLD: search --no-floppy --fs-uuid --set 857d5af9-23cd-4d9b-908b-cc075e866758
NEW: search --no-floppy --fs-uuid --set=root 857d5af9-23cd-4d9b-908b-cc075e866758

There must have been some syntax change recently I didn't realize.

Phew.