[Cc-webedit] Server work done today
Jim Dog
theinnercityhippy at riseup.net
Fri Oct 9 17:08:28 BST 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi All
Just to let you know about some stuff I have done today, and where I
need a bit of help to continue. Apologies for the stream of geek
consciousness.
Regarding installing the Intrusion Detection System "Snort":
It occurred to me that we won't be able to install this as it is a
vserver that does not have direct access to the networking hardware,
rather it goes through a virtualisation layer so we won't be able to
install this. It did however occur to me a different way that we can
tighten up security so I propose the following:
* We use scponly to restrict those who only need sftp access (ie for
uploading photos etc) to not be able to open an ssh shell on the server.
This should be done immediately I believe, and especially before the
swoop. The danger is that if one of our official photographers gets
arrested and has their laptop with their ssh keys seized, there is a
(slim) chance that their password could be compromised and that the
rozzers would get shell access to our server. By setting the default
shell in /etc/passwd for each non-administrative user to
/usr/bin/scponly this would eliminate this risk, and make sure no one
accidentally does something weird with a shell account.
* We change the default ssh port from the current 22 to a high random
number as agreed at the last meeting, but that this should be done after
the swoop in case people have problems accessing necessary services at
"peak times" through misconfigured clients.
* That we continue to disallow password based logins, requiring key
based logins even if this makes things slightly more difficult for some,
and that a procedure is put in place as soon as possible to make the
process of server admin open and accountable, without compromising security.
Ok so the second thing I have been doing today is to try and sort out
the ssl certificate for the server, but I have reached an impasse as I
can't receive root mail for the domain www.climatecamp.org.uk
There are several ways around this, but all would require my details
being added to the MX records for whoever does the mail relaying now
(nologic still?) so that I receive mail for one of the following
addresses, then someone needs to let me know which asap
root
hostmaster
postmaster
admin
webmaster
I would suggest that it is a good idea to get someone other than nologic
to receive the mail for all of these addresses anyhow if this has not
already been done. Ideally, I think we ought to run our own MX or at
least use someone who will make it easier to do stuff like this in a
hurry. Who has the logins for the DNS etc? It would make my life a lot
easier if I could deal with this directly if the group can get consensus
that this is necessary. Therefore I propose that I be given access to
the DNS and MX records held with NoLogic as I can't generate a server
certificate with CACERT without being able to do this.
The other thing related to certificates is that I need an up to date list
of subdomains that are being used at the moment ie
photo.climatecamp.org.uk or foo.clim.... etc
This is to fill in a field on the CACERT certificate request form that
means we can add subjectaltnames to the request, meaning we can have one
certificate to cover the whole site without the possible insecurity of a
wildcard and without security warnings for users. This needs to be kept
up to date so I propose that someone who has this knowledge starts a wiki
page in crabgrass so we can be alerted and generate a new csr if it
changes. I will work on a way of making this whole process easier soon,
but for now it's really really important that we get that login page
secured asap so this needs doing as a priority! (having said that, if I
can't get this done tonight, it will have to wait until monday as I will
be at work all weekend :-)
Deeeeeeep breath
Hope that makes sense to someone, let me know if anything is too baffling
In Solidarity
JimDog*
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkrPX+sACgkQjI3ttaQQxvazCgCgmkVIbrzp8Q1frPBi0HxuM3LU
IQ0AnjkGVmWv5JB2jOkTA8Fg+faLagm4
=qi1k
-----END PGP SIGNATURE-----
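The three hardening proposals in the mail (scponly as the login shell for upload-only accounts, sshd off port 22, password logins disabled) can be checked before anything is changed on the server. The script below is an added example and not code from the mail or from the Climate Camp server; it works on text passed in, so the /etc/passwd and sshd_config samples are constructed, and the set of admin accounts (ADMIN_USERS) and the uid-1000 boundary for regular users are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original mail: dry-run audits for the three
# proposals in the message. It works on text passed in (constructed samples
# below), so it can be tried anywhere before touching the real server.
# Assumptions: ADMIN_USERS is the set of accounts that keep a real shell, and
# regular accounts start at uid 1000 (Debian default).

ADMIN_USERS="root jimdog"        # assumption: who may have an interactive shell
SFTP_SHELL="/usr/bin/scponly"    # shell proposed for upload-only accounts

# Constructed sample /etc/passwd: one photographer still has bash.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
jimdog:x:1000:1000:Jim Dog:/home/jimdog:/bin/bash
photog1:x:1001:1001:Photographer:/home/photog1:/bin/bash
photog2:x:1002:1002:Photographer:/home/photog2:/usr/bin/scponly'

# Constructed sample sshd_config as it stands before the change.
SAMPLE_SSHD='Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin no'

# List "user:shell" for every regular, non-admin account whose login shell is
# not scponly. Exit status 1 if any were found, 0 if the file is clean.
shell_audit() {
  printf '%s\n' "$1" | awk -F: -v admins="$ADMIN_USERS" -v sftp="$SFTP_SHELL" '
    BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) isadmin[a[i]] = 1 }
    $3 >= 1000 && !($1 in isadmin) && $7 != sftp { print $1 ":" $7; found = 1 }
    END { exit found ? 1 : 0 }'
}

# Rewrite passwd text so every regular, non-admin account gets scponly.
# (On the live host use "usermod -s /usr/bin/scponly USER" instead of editing
# /etc/passwd by hand; this function only shows the intended end state.)
apply_sftp_shell() {
  printf '%s\n' "$1" | awk -F: -v OFS=: -v admins="$ADMIN_USERS" -v sftp="$SFTP_SHELL" '
    BEGIN { n = split(admins, a, " "); for (i = 1; i <= n; i++) isadmin[a[i]] = 1 }
    $3 >= 1000 && !($1 in isadmin) { $7 = sftp }
    { print }'
}

# Report which of the agreed sshd settings the given config text still misses.
# A missing PasswordAuthentication line counts as "yes" (OpenSSH's default).
sshd_audit() {
  printf '%s\n' "$1" | awk '
    $1 == "Port"                   { port = $2 }
    $1 == "PasswordAuthentication" { pw = $2 }
    $1 == "PubkeyAuthentication"   { pk = $2 }
    END {
      if (port == "" || port == 22) print "Port still 22"
      if (pw != "no")               print "PasswordAuthentication not no"
      if (pk == "no")               print "PubkeyAuthentication disabled"
    }'
}

# Demo run on the constructed samples.
echo "== accounts with a real shell =="
shell_audit "$SAMPLE_PASSWD" || :
echo "== after switching them to scponly =="
shell_audit "$(apply_sftp_shell "$SAMPLE_PASSWD")" || :
echo "== sshd settings still to change =="
sshd_audit "$SAMPLE_SSHD"
```

On the real host the same functions take `"$(cat /etc/passwd)"` and `"$(cat /etc/ssh/sshd_config)"`; after editing sshd_config, run `sshd -t` and keep the existing session open until a second login on the new port has succeeded, which is the "misconfigured clients" risk the mail wants to keep away from the swoop.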
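For the certificate request, the subdomain list the mail asks for goes into the subjectAltName extension of the CSR, so one certificate covers every hostname without a wildcard. The script below is an added example, not code from the mail or from CAcert: it builds an OpenSSL request config from a hostname list, generates the key and CSR when openssl is installed, and prints the SAN line back out of the CSR for checking before submission. Every hostname except www.climatecamp.org.uk (named in the mail) is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not code from the original mail: build an OpenSSL request
# config whose subjectAltName lists every hostname the certificate must cover,
# then (if openssl is installed) generate the key and CSR from it. One CSR with
# SANs covers the whole site without a wildcard. Hostnames other than
# www.climatecamp.org.uk (named in the mail) are constructed placeholders.

# Join hostnames into the DNS:a,DNS:b form openssl expects for subjectAltName.
san_list() {
  sans=""
  for h in "$@"; do
    sans="${sans}${sans:+,}DNS:$h"
  done
  printf '%s' "$sans"
}

# Write an openssl req config. $1 = output path, $2 = common name (also added
# to the SAN list, since clients match on SANs rather than CN), rest = extra
# hostnames, e.g. the subdomain list kept on the wiki page.
write_san_config() {
  out=$1; cn=$2; shift 2
  cat > "$out" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = $cn

[v3_req]
subjectAltName = $(san_list "$cn" "$@")
EOF
}

# Generate a 2048-bit RSA key and CSR from the config; skipped with status 2
# when openssl is not available.
make_csr() {
  cfg=$1; key=$2; csr=$3
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not installed; config left at $cfg" >&2
    return 2
  fi
  openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null
}

# Print the SAN line from a CSR so the request can be checked before submission.
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Demo: subdomain list feeding one CSR (hosts after the first are placeholders).
WORK=$(mktemp -d)
write_san_config "$WORK/req.cnf" www.climatecamp.org.uk \
  climatecamp.org.uk photo.climatecamp.org.uk wiki.climatecamp.org.uk
cat "$WORK/req.cnf"
if make_csr "$WORK/req.cnf" "$WORK/server.key" "$WORK/server.csr"; then
  csr_sans "$WORK/server.csr"
fi
```

When the wiki list changes, rerunning `write_san_config` with the new hostnames and `make_csr` gives the fresh CSR the mail says will be needed; the private key never leaves the server, only the CSR is sent to the CA.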