Monthly Archives: November 2013

The Making of me.chschmid.com, Part 7: Some More Client Software

Ubuntu comes with almost everything that you can think of out of the box. And almost all of those little exceptions can be found elsewhere. So here’s how to install a couple of those things that I just would not want to miss ;)

Spotify

sudo add-apt-repository "deb http://repository.spotify.com stable non-free"
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 94558F59
sudo apt-get update
sudo apt-get install spotify-client


jdotxt

I have written an app to keep track of my todos, so let's install it!

sudo add-apt-repository ppa:chms/jdotxt
sudo apt-get update
sudo apt-get install jdotxt

owncloud client

Can be installed as described at http://software.opensuse.org/download/package?project=isv:ownCloud:devel&package=owncloud-client

# sudo only applies to echo, not to the >> redirection (which runs as your normal user and fails), so append via tee instead
echo 'deb http://download.opensuse.org/repositories/isv:ownCloud:devel/xUbuntu_13.10/ /' | sudo tee -a /etc/apt/sources.list.d/owncloud-client.list
sudo apt-get update
sudo apt-get install owncloud-client

The Making of me.chschmid.com, Part 6: Connection to the World

So far the server was in a protected environment, but it’s time to let it see the world! This involves three things:

  • Setting up the server firewall
  • Configuring the dyndns stuff
  • Setting up the router

Server Firewall

You only want those ports to be open that you really need. I’d recommend using ufw for configuring your firewall. In my case

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw deny proto udp to any port 137 from 192.168.22.1
sudo ufw deny proto udp to any port 138 from 192.168.22.1
sudo ufw deny proto tcp to any port 139 from 192.168.22.1
sudo ufw deny proto tcp to any port 445 from 192.168.22.1
sudo ufw deny proto tcp to any port 9000 from 192.168.22.1
sudo ufw deny proto tcp to any port 5901 from 192.168.22.1
sudo ufw deny to any port 3483 from 192.168.22.1
sudo ufw allow proto udp to any port 137 from 192.168.22.0/24
sudo ufw allow proto udp to any port 138 from 192.168.22.0/24
sudo ufw allow proto tcp to any port 139 from 192.168.22.0/24
sudo ufw allow proto tcp to any port 445 from 192.168.22.0/24
sudo ufw allow proto tcp to any port 9000 from 192.168.22.0/24
sudo ufw allow proto tcp to any port 5901 from 192.168.22.0/24
sudo ufw allow to any port 3483 from 192.168.22.0/24

which means allowing access to SSH, HTTP and HTTPS from anywhere in the world, and to the squeezebox server and the Samba server only from the local network but not from the router. Note that the deny rules for the router come before the allow rules for the whole subnet: ufw evaluates rules in the order they were added and the first match wins.
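To see why the order of those rules matters, here is a small model of ufw's first-match evaluation applied to the rule list above. It is an added example, not code from the post; it assumes ufw is enabled with its default incoming policy of deny, and that `ufw allow ssh/http/https` resolve to TCP ports 22, 80 and 443.

```python
import ipaddress

# The ufw rules from the post, in the order they were added:
# (action, protocol or None for both, destination port, source network)
RULES = [
    ("allow", "tcp", 22, "0.0.0.0/0"),    # sudo ufw allow ssh
    ("allow", "tcp", 80, "0.0.0.0/0"),    # sudo ufw allow http
    ("allow", "tcp", 443, "0.0.0.0/0"),   # sudo ufw allow https
]
ROUTER, LAN = "192.168.22.1/32", "192.168.22.0/24"
LOCAL_ONLY = [("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445),
              ("tcp", 9000), ("tcp", 5901), (None, 3483)]
RULES += [("deny", proto, port, ROUTER) for proto, port in LOCAL_ONLY]
RULES += [("allow", proto, port, LAN) for proto, port in LOCAL_ONLY]

# The same rules with the LAN allows added before the router denies.
MISORDERED = RULES[:3] + RULES[10:] + RULES[3:10]


def decide(rules, proto, port, src, default="deny"):
    """Verdict for an incoming packet: the first matching rule wins,
    otherwise ufw's default incoming policy (deny here) applies."""
    src_ip = ipaddress.ip_address(src)
    for action, rule_proto, rule_port, net in rules:
        if rule_proto is not None and rule_proto != proto:
            continue
        if rule_port != port:
            continue
        if src_ip not in ipaddress.ip_network(net):
            continue
        return action
    return default


if __name__ == "__main__":
    # Constructed sample packets: Samba name service from the router,
    # from a LAN host, SSH from the Internet, squeezebox web UI from the Internet.
    for proto, port, src in [("udp", 137, "192.168.22.1"), ("udp", 137, "192.168.22.7"),
                             ("tcp", 22, "203.0.113.9"), ("tcp", 9000, "203.0.113.9")]:
        print(f"{proto}/{port} from {src}: {decide(RULES, proto, port, src)}")
    print("router with misordered rules:", decide(MISORDERED, "udp", 137, "192.168.22.1"))
```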

Dyndns Stuff

My provider gives my router a new IP (= unique address on the web) from time to time. To be able to find my router/computer from the outside world, I have to report my IP to someone who can help me find it any time.

Here is how it works: me.chschmid.com points to chschmid.mooo.com, and I have to tell chschmid.mooo.com what my current IP is whenever it changes. It's less complicated than it sounds:

  1. Get an account at http://freedns.afraid.org/
  2. Download the latest IPdetect from http://ipdetect.sourceforge.net/
  3. and set it up as described in the readme file ;)

By the way if your router is running on a modified firmware such as DD-WRT, this task can also be handled by your router and configured via its web interface. Just search for Dynamic Domain Name Service (DDNS). Sadly DD-WRT is not an option for me as the 5 GHz support is broken for my router :(

The Router

First I had to tell my router that my server should always get the same local IP 192.168.1.200 based on its MAC address.


And secondly ports 22, 80 and 443 have to be forwarded to that local IP. Here’s a screenshot what this looks like in my case.

Now this calls for some champagne! The server is set up and online! You can take a look at some server stats at https://me.chschmid.com.

The Making of me.chschmid.com, Part 5: Server Configuration

With the base OS up and running it's time to install and configure all the services. By the way, it is important that the server is not connected to the Internet directly yet. – Working behind a router is ok. You just don't want your server to be reachable from the web already.


SSH

SSH is a secure way of accessing your machine from anywhere. You can transfer files, run commands, tunnel services and probably much more using SSH in an easy and encrypted way. After the server installation SSH is running already. But I did some modifications to the config file “/etc/ssh/sshd_config” to make it even more secure. Basically I added one line

AllowUsers christian cs-git

to only allow incoming connections for those two users. Restarting the ssh daemon can be done via

sudo service ssh restart

Apache

I don’t want my machine to be accessible via HTTP, but only through the more secure HTTPS. So I configured port 80 to redirect to 443 and enabled https. I also added the following lines to my https config file

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS
SSLCompression Off

to make the encryption more robust. – You can check how robust your encryption is via https://sslcheck.globalsign.com. The Apache server can be restarted again via

sudo service apache2 restart

Owncloud

… can be installed easily via an opensuse repository at http://software.opensuse.org/download/package?project=isv:ownCloud:community&package=owncloud. The configuration works via the web interface https://localhost/owncloud.

In my case I just transferred the complete database from my old machine to the new server.

Samba Server

The Samba Server is used to share files locally, so that I can download the music files stored on the server from my tablet whenever I am in my local network and stuff. – Again Samba should be installed already and only needs to be configured. I added

[media]
    comment = Media
    path = /home/media
    browsable = yes
    guest ok = yes
    writeable = no
    write list = media
    force group = media
    create mask = 0775

to my “/etc/samba/smb.conf” to share what is in the /home/media folder and allowed following symlinks

follow symlinks = yes

I forgot to mention that I also created a user media using “sudo adduser media”. I then restarted smbd and nmbd

sudo service smbd restart
sudo service nmbd restart

Squeezebox Server

I use this system to stream my audio across multiple devices (including my Raspberry Pi). To install the server run

sudo add-apt-repository "deb http://debian.slimdevices.com stable main"
sudo apt-get update
sudo apt-get install logitechmediaserver

Misc

I also installed and configured the following things

  • A vncserver (x11vnc)
  • The Plex Media Server (can be found in Ubuntu’s repositories)

I'm glad you made it to the end of this rather boring post, but that is what servers are all about: running boring stuff in the background that makes our lives easier and more connected.

Use Keepass or Get Screwed AGAIN

I did blog about some website's admins using their privileges to steal login data two days ago. But I guess that is not enough for a week. Today I was informed by Evernote (a service I don't really use, but gave a trial run at some point) that Adobe (I have to have an Adobe ID to get and read those DRM protected e-books I buy from Thalia) has leaked my data. You heard right: in a world like this, company A starts mining the data leaked by company B, and if your e-mail address pops up they inform you that company B has leaked the data of 150 million users. – Just in case you use the same passwords for both companies, WHICH YOU SHOULD NOT.

So again a kind word of warning:

  1. Use different passwords for the different online services you use.
  2. Use strong passwords, meaning passwords that are long, contain numbers and special characters, are not too obvious and can not be found in a dictionary. E.g., “christian83” or “hellokitty” are bad passwords, while “M9TSdc_R)OGyKNszL[wM” is a good one.

Of course you can either memorize those passwords, or use a safe place to store them such as keepass, which is what I do.
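As an added illustration of the two rules above (not code from the post), here is a small checker that applies them to the example passwords: length, digits, special characters, and a dictionary test that also catches concatenations such as “hellokitty”. The minimum length of 12 and the tiny word list are assumptions standing in for a real policy and a real dictionary file.

```python
import math
import re

# Constructed mini word list standing in for a real dictionary file.
WORDS = {"christian", "hello", "kitty", "password", "server", "music"}
MIN_LENGTH = 12  # assumed policy value, not from the post


def splits_into_words(letters, words):
    """True if `letters` is a concatenation of dictionary words (hello+kitty)."""
    if letters == "":
        return True
    return any(letters.startswith(w) and splits_into_words(letters[len(w):], words)
               for w in words)


def entropy_bits(pw):
    """Naive strength estimate: log2(alphabet size) per character, where the
    alphabet is the union of the character classes actually used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0


def password_problems(pw, words=WORDS):
    """Return the list of rules from the post that `pw` violates."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[0-9]", pw):
        problems.append("no digits")
    if not re.search(r"[^a-zA-Z0-9]", pw):
        problems.append("no special characters")
    # Strip digits/punctuation so "christian83" is still recognised as a word.
    letters = re.sub(r"[^a-z]", "", pw.lower())
    if letters and splits_into_words(letters, words):
        problems.append("made of dictionary words")
    return problems


if __name__ == "__main__":
    for pw in ["christian83", "hellokitty", "M9TSdc_R)OGyKNszL[wM"]:
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits, problems: {password_problems(pw)}")
```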


Use Keepass or Get Screwed

Today I received an e-mail from a website admin, informing me that two of their admins had abused their position. They had stolen the database with all user e-mails and passwords and of course used that information to log into other web services.

Using keepass and different passwords for every website totally makes sense!!! What do you do to protect yourself against something like this?


The Making of me.chschmid.com, Part 4: The Operating System

With all components where they should be and the machine booting, installing an operating system (OS) was the next step. GNU/Linux was the obvious choice and all of my machines run on Ubuntu, so Ubuntu it is.

As the machine is intended to act as server, Ubuntu 12.04LTS would make sense, however as my Xeon Haswell CPU (E3-V1245V3) is relatively new, the Linux Kernel and drivers that come with 12.04 are not a perfect fit for the hardware. – So Ubuntu 13.10 it is.

It was as simple as this: download the 13.10 server image from http://www.ubuntu.com/, put it on a USB drive using http://www.pendrivelinux.com/ (Windows) or the Startup Disk Creator (Linux). Restart the machine, enter the boot menu by pressing F12 and boot from the USB drive. The setup is quite intuitive. As I started with an empty SSD, all I had to do was select automatic installation using LVM on the empty hard drive. To start with I selected LAMP, OpenSSH and Samba as server roles.

The computer rebooted after the installation leaving me with a login prompt.


After login I installed all the stuff that I would need to also run the PC as desktop.

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install ubuntu-desktop vlc vainfo lm-sensors calibre texlive-full ipe audacity p7zip thunderbird eclipse wine git-core keepass2 gparted filezilla inkscape chromium-browser kile qjackctl virtualbox virtualbox-guest-additions-iso pavucontrol pulseaudio-module-jack joe rosegarden xdotool musescore dconf-tools openjdk-7-jdk libva-intel-vaapi-driver ufw gufw nautilus-open-terminal smartmontools gksu gimp build-essential devscripts debhelper javahelper

Finally reboot the machine and you should be greeted by a graphical user interface.

sudo shutdown -r now

The Making of me.chschmid.com, Part 2: The Hardware

I recently blogged about why it makes sense to run your own server. Although I have a machine running at me.chschmid.com already, I decided to do a serious hardware upgrade.

Not because the old AMD E-350 CPU can't keep up anymore, but because I'd like to use the new machine as my desktop PC as well. So here's what I ordered (some parts of it are actually not new, but carry over from my old setup)

For all I know this system will be hopelessly over-powered, yet power-efficient, so that it can run 24/7. The parts are probably going to arrive by the end of the week. I’ll keep you posted about the assembly and everything else that’s going to happen.

The Making of me.chschmid.com, Part 1: The Problem

Privacy is a hot topic these days and part of virtually every coffee break discussion I know of. How much do they know? The Googles, Facebooks, Dropboxes, Wunderlists and above all the NSA.
Actually a lot of people who have no idea about the technology side of things have started asking me these questions lately. I can see that their not knowing about the hidden magic in the background that enables the services they use on a daily basis makes them feel really uneasy. The truth is, it's simple.

Privacy

Communication

First of all there is communication between computers, which, on a technical level, is the only thing the web itself allows us to do. When you ask google for search results, when you push your files to dropbox, when you have that Skype call with your mom – it’s all communication and exchange of information between two computers over the web.

Let's take that Skype call for instance and let's picture the web as a city with you in your house (as a stand-in for your computer) and the streets that connect all the houses as data highways. Let's also say there is one guy in every street who controls the street. What happens when you want to send a message to your mom is you tell the guy in your street (your provider) to dispatch the message – it's wrapped in a nice envelope with your address and the destination on it so that he knows where it has to go. He will then walk to the next street, pass on your message to the person controlling that street, and this guy will do the same until the message arrives at your mom's place.

There are two problems associated with this in terms of privacy

  1. Everyone who is part of the delivery chain might have opened the envelope and might have looked at the message.
  2. Even if they have not read your message, they know that there was communication going on between you and your mom and they will also know how much data was exchanged.

Problem 1 can be solved by encrypting the message so that it does not make sense to anyone who might read it on its way. – There are still some issues here when it comes to technical implementations, but essentially, if you do it right, you can make your messages close to unreadable to the outsider. – This by the way is common practice in a lot of applications, which is good. E.g. always look for websites that come via “https” instead of “http”. The “s” really makes the difference!

Problem 2 is a little bit harder but still solvable. Say you transmit a secret message to your mom asking her to pass another message to someone else. If anyone wants to track your message to the final destination it will become really difficult, as not knowing about the message to your mom asking her to dispatch something for you makes it unclear whether any outgoing message from your mom's was from you, from her or from anyone else. The more people you put between you and your final destination, the harder it will be to track your messages. Essentially this is the idea that the Tor network is based on, however it is not widely used and not common practice.

Data

The second aspect apart from communication is data. You do not only exchange information when storing your files on Dropbox, but you ask them to hold on to that data for you, just as you ask Google to store your e-mails and Wunderlist to store your todos. They might even store data that you did not ask them to store, like your search history. The problem here is that those companies sometimes leak data (e.g., the PlayStation Network outage) and sometimes share your data with other organizations such as the NSA.

To use the analogy with the city and the streets: If there is someone at your mom’s place or at Dropbox’s place who watches over their shoulder while they decrypt your message, your data will be available to them, even when the data transmission through the streets of your city was safe due to encryption.

If all you want to do is store your data at someone else's place, you can give it to them in an encrypted form. E.g. only store encrypted zip files on Dropbox. Or you can opt out and not give any data to them in the first place.

Obviously this does not work for your search terms, that Google has to know about in order to give you results.

The Solution

There is no one-size-fits-all solution, but one central aspect is to be aware of what data you share online and how others may be able to use it. The analogy with the city and the streets will give you a pretty good idea of who can access what. I don't think sharing stuff is bad per se, you just have to know about the implications. To give you some examples:

  • Stuff that you put on a website, e.g., your blog, can be seen by absolutely everyone.
  • Stuff that you post to social networks may not be seen by anyone who happens to stand between you and the computers of that social network, but by whoever you allow it to see, by the social network itself and by anyone who they share this information with – willingly or by accident.
  • Even when you are just looking at stuff online you let others know about what you are looking at. This means amazon will learn about what you like simply from you browsing their website. – But to be honest: the employees at your local grocery store also know what you buy on a daily basis.

To be better off in terms of communication

  • Look for encryption so that at least your communication is secure. E.g., look for https instead of http, configure your e-mail client so that it uses encrypted instead of unencrypted mail transfer.
  • Don't use things such as FTP to transfer files.
  • and finally:

Use Your Own Cloud Storage

About 1.5 years ago I set up my own Ubuntu GNU/Linux server, which hosts all my git repositories, files (webdav), calendars (caldav) and contact data (carddav) via owncloud and many other services that I use. The server is currently running on an AMD E-350 APU, which is soon to be replaced by something better. And that's the reason why this is just part 1. I'll post information about my new server setup in the next couple of days, so stay tuned!