Grade A SSL report

It’s important that we setup ssl/tls encryption properly, and like most good students achieve an “A” grade.

The test can be done for instance at https://www.ssllabs.com/ssltest/index.html

All you have to do is to enter your site name, then wait until several tests and checks are performed. Provided that you have nginx, try the following ssl/tls options:

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

ssl_ciphers “ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS”;

 

 

Sidenotes for a mail migration

I’ve decided to migrate my emails to another host. It includes a postfix sandwich config with a spam filter in the middle. By the way, I use dovecot as the virtual transport to let my emails sorted to different folder, including spam to the Junk folder.

So far so good (even though there was hell of a troubleshooting why the spam filter became terribly slow. It’s fixed by now, anyway). Then I tested with some emails, and found that I got a mail loops back for my@email. Wtf?

The culprit was the already existing Delivered-To: header in the emails. So I’ve fixed master.cf like

dovecot unix – n n – – pipe
flags=Rhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient} -e

and it started to work propely.

However, I just couldn’t let it go that it was working properly with DRhu flags.

Then I’ve fixed the email, and removed any additional header that was added by either the local postfix or the content filter, and reverted the flags to DRhu, and it worked!

dovecot unix – n n – – pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient} -e

The moral of the story: test with new emails. Or at least remove any locally added headers 🙂

Docker vs. systemd

I’ve decided to setup a few docker hosts. I needed to access them remotely, so I deployed the necessary CA and server keys and certs (see https://docs.docker.com/engine/security/https/#create-a-ca-server-and-client-keys-with-openssl for more). So far, so good.

I knew that docker should have been instructed to use these files, also to listen on 0.0.0.0. So I edited /etc/default/docker (on Ubuntu Bionic), restarted the docker daemon, and nothing happened.

I rushed to the docker site to figure out what da heck, and end up at https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file  telling me that unfortunately it wouldn’t work with systemd, you must use /etc/docker/daemon.json.

I’ve created the file:

{
“hosts”: [“0.0.0.0:2376”],
“tlsverify”: true,
“tlscacert”: “/etc/docker/ca.pem”,
“tlscert”: “/etc/docker/server-cert.pem”,
“tlskey”: “/etc/docker/server-key.pem”
}

 

then restarted docker, and still nothing. The -H fd:// option in /lib/systemd/system/docker.service file caused trouble preventing docker to listen on 0.0.0.0:

ExecStart=/usr/bin/dockerd -H fd://

Fear not, the fix is to remove -H fd:// as follows:

ExecStart=/usr/bin/dockerd

Then run systemctl daemon-reload && systemctl restart docker, and you should be able to connect to docker on the remote host.

Disable udp ports for Jenkins

I’ve noticed that Jenkins has an unpleasant habit to listen on two UDP ports (5353 and 33848) on all interfaces even if it was told to listen on 127.0.0.1:8080.

These ports are for UDP multicast broadcast. You may not need either of them, and you can disable them by adding the following options:

-Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1

eg.

java -Dhudson.DNSMultiCast.disabled=true -Dhudson.udp=-1 -jar jenkins.war –httpListenAddress=127.0.0.1 –httpPort=8080 –daemon –logfile=/home/jenkins/jenkins.log

See the Jenkins docs for more https://wiki.jenkins.io/display/JENKINS/Features+controlled+by+system+properties

Secure your pendrive

Pendrives often contain customer, personal or other sensitive data. Now that GDPR is on us, it’s high time to protect those pendrives. The following example assumes that your pendrive is /dev/sdb, and you have a Linux partition on it (/dev/sdb1).

Format the device:
cryptsetup luksFormat /dev/sdb1

Open it:
cryptsetup luksOpen /dev/sdb1 pendrive

Create a filesystem:
mkfs.ext4 /dev/mapper/pendrive

Create a directory where we can mount it:
mkdir /mnt/pendrive

And finally mount the pendrive:
mount /dev/mapper/pendrive /mnt/pendrive