Category Archives: sysadmin

Email Security III – new certificates (and keys)

In the meantime I have switched to StartCom® – initially with a key generated by StartCom® (yes, I know, you don't do that), now with my own key. This is how it goes:

$ cd ~/.ssh
$ keyname="foo@example.com"
$ year=2016
# https://www.startssl.com/Certificates/
$ openssl req -new -newkey rsa:4096 -nodes -keyout "${keyname}.key" -out "${keyname}.${year}.csr"
# funnel through https://startssl.com/Certificates/ApplyClientCert
# download & unpack ${keyname}.zip
[…]

lighttpd + letsencrypt.sh

via letsencrypt.sh. Three cases:
a 'normal' www domain: www.filmfestapp.com
a 'normal' subdomain where the naked domain is part of shared webspace: drop.mro.name
a proxy subdomain for a rails application (redmine): developer.mro.name

hardening ssh (debian wheezy)

LogJam requires some action. (Article in German.) Update (open-)ssh to a recent version (6.6):

$ echo "deb http://ftp.de.debian.org/debian wheezy-backports main" | sudo tee -a /etc/apt/sources.list
$ sudo apt-get -u update
$ sudo apt-get install -t wheezy-backports ssh
$ sudo apt-get autoremove
[…]

redmine & chruby (fetch emails)

#!/bin/bash
# chruby needs bash
#
# redmine email import with chruby.
#
# Put this script into <redmine_dir>/script and set a crontab like
# $ sudo -u www-data crontab -l
# */15 * * * * <redmine_dir>/script/fetch-email.sh
#
cd "$(dirname "$0")/.."
log="log/$(basename "$0" .sh).log"
cat >> "$log" <<EOF
$(date […]

Key-based FTP authentication

Make a strong ssh key:
$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
Convert the public key to RFC 4716 format:
$ ssh-keygen -e -f ~/.ssh/id_rsa.pub
Add it to ~/.ssh/authorized_sftpkeys on the destination host. Try it out:
$ curl -u "<username>:" --key ~/.ssh/id_rsa --pubkey ~/.ssh/id_rsa.pub -T <file to upload> sftp://<target host>/<target path>/
$ lftp -u <username>,xx … sftp://<target host>
P.S.: Hetzner FAQ on […]

Ad Blocking Proxy = abloprox

As an act of digital hygiene, I installed abloprox on a raspi and added this PAC file to save some keystrokes when configuring clients:

function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.fritz.box")) return "DIRECT";
  if (shExpMatch(host, "*.local")) return "DIRECT";
  if (shExpMatch(host, "*.akamaistream.net")) return "DIRECT";
  if (shExpMatch(host, "*.m945.mwn.de")) return "DIRECT";
  // auto config:
  // 1. ensure there's a host 'wpad' in the current […]

install ruby @ OS X

OS X comes with a pretty dated ruby (1.8.7) until 'Mavericks'. ruby 1.8.7 had its planned EOL long ago; even debian/stable nowadays ships a newer one. So if you're still running Mountain Lion or older, you may need to install ruby yourself. I chose rbenv, and here's how I did it: RTFM. Install rbenv: $ brew […]

redmine (rails) + puma + lighttpd

Running redmine with a lightweight ruby on rails/webserver stack on a debian server – puma and lighttpd. Assuming you've got both redmine and lighttpd installed already:
Install the puma gem:
$ sudo gem install puma
Caution: ArgumentError on ruby 1.8.7.
Copy tools/jungle/init.d/puma to /etc/init.d/
Copy tools/jungle/init.d/run-puma to /usr/local/bin/
Add a puma app:
$ sudo /etc/init.d/puma add /your/app/path www-data
$ […]

Visualise macports dependencies

To clean up your installed macports and remove cruft, you need to uninstall them in the correct order – according to their dependencies. A graphical visualisation might help doing so. Call

$ ./port-deps2dot.rb | dot -Tpdf -o port-deps.pdf ; open port-deps.pdf

with the ruby script port-deps2dot.rb […]

Simple HTTP Access Authorisation

Sometimes you may want to lock down RESTful APIs or plain HTTP GET resources so that only your own client software can access them, without requiring authentication. You don't know who the client is (not authenticated), but you know it is allowed to access the resource (authorised). If the server has a valid SSL certificate based on a root certificate pre-installed on the […]