Manuel We had a fairly lengthy group discussion regarding a variety of Linux security issues – security management and server configuration, firewalls, pfsense, routers, VPNs, etc. We touched on honeypots, log files, DNS leaks, malware, passwords, 2FA, and many other things. It was good to see some new faces!
Check out the recommended podcasts:
https://malicious.life/
https://darknetdiaries.com/
A new year and the ELUG is still strong on their VIM journey. This month, Rajiv presented some of the really, really advance features that VIM offers. If you want to see for yourself, there is a video about that available here.
We had a great walk through this month. Spencer showed off a way to setup his own NTP server in-house. The details are hosted on a private GITHUB site. If you want access to follow Spencer’s instructions, please join our SLACK chat at https://elugyeg.slack.com and contact Spencer for the access to his GITHUB.
This month we had an open forum. The focus was on general networking. There were a few questions around DHCP and static IPs. Some basics around network protocols were discussed as well as how these were developed. A few of the items that came up were token ring networking, OCI, TCP, UDP to name a few.
If you want to take a look into our Nextcloud instance you can find that here:
In our meeting on August 26 Spencer walked us through how to setup different machines and ensure that they are equipped with certificates. Once accessed with a browser these devices show up as “secure” where as the default behaviour would highlight the site as not secure.
A video of that session was recorded so if you want to take a look at look check that out here:
Spencer also was kind enough to provide a high level overview:
# "something about a self-signed certificate and pi-hole"
## Objective
---
As a user I want to view the pi-hole admin page using https instead of http. As the creator of a local certificate authority, I accept the risk of installing its certificate on my local devices.
## Requirements (prework)
---
1. Lessons 1.1, 1.2, and 1.3 from *resource #1*
1. Check the device hostname
1. Sync your clock
1. Review your OpenSSL configuration (openssl version -a)
1. Create a directory structure to store the keys, signing requests, and certs
1. Lock it down (chmod 600)
## Create the private key and cert for the CA
---
``` sh
# Create a private key for the CA
openssl genrsa -aes256 -out private/cakey.pem 4096
# Create a certificate for the CA
openssl req -new -x509 -key /root/ca/private/cakey.pem -out cacert.pem -days 3650 -set_serial 0
```
## Create the private key and cert for the pihole
---
``` sh
# Create a new private key
openssl genpkey -algorithm RSA -out /root/ca/private/my_server.key
# Create a new certificate signing request (CSR)
openssl req -new -key /root/ca/private/my_server.key -out /root/ca/requests/my_server.csr
# CA signing the CSR
openssl ca -in /root/ca/requests/my_server.csr -out /root/ca/certs/my_server_NO-SAN.crt
# CA signing the CSR with configuration file with X509v3 extensions to add
# NET::ERR_CERT_COMMON_NAME_INVALID is resolved by adding 'subjectAltName'
openssl ca -in /root/ca/requests/my_server.csr -extfile /root/ca/my_server.ext -out /root/ca/certs/my_server_SAN.crt
```
> my_server.ext
``` sh
subjectAltName = DNS:my_server.local, DNS:pi.hole, IP:10.0.0.10
```
### Checking the certificate
---
``` sh
# Check for SAN
openssl x509 -text -in /root/ca/certs/my_server_SAN.crt -noout
```
> Expected output should include:
``` sh
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:my_server.local, DNS:pi.hole, IP Address:10.0.0.10
```
## lighttpd config
---
``` sh
nano /etc/lighttpd/external.conf
```
``` sh
server.modules += ("mod_openssl")
$HTTP["host"] == "my_server.local" {
$SERVER["socket"] == ":443" {
ssl.engine = "enable" # basic option
ssl.pemfile = "/usr/lib/ssl/certs/my_server_SAN.crt" # basic option
# ssl.pemfile = "/usr/lib/ssl/certs/my_server_NO-SAN.crt"
ssl.privkey = "/usr/lib/ssl/private/my_server.key" # basic option
ssl.ca-file = "/usr/lib/ssl/certs/cacert.pem" # (deprecated) renamed ssl.verifyclient.ca-file (since 1.4.60)
}
}
```
## Resources
---
1. [OpenSSL Certification Authority (CA) on Ubuntu Server](https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server)
1. Prerequisites
1. hostname, /etc/hosts, and ntp
1. OpenSSL Configuration
1. Specify the path, generate cakey.pem & cacert.pem
1. Install cacert.pem on your client machine(s)
2. [Enabling HTTPS for your Pi-hole Web Interface](https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771)
1. Which config file to edit (/etc/lighttpd/external.conf)
3. [OpenSSL man pages - genpkey](https://www.openssl.org/docs/man1.1.1/man1/genpkey.html)
1. Generate a private key using genpkey;
4. [Lighttpd wiki #Self-Signed-Certificates](https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#Self-Signed-Certificates)
1. Used the 'Quick Start'
1. Tip: keep your lighttpd -version in mind
5. [Firefox no longer trusts my internal certificate authority used for internal sites on our domain.](https://support.mozilla.org/en-US/questions/1175296)
1. See also *security.enterprise_roots.enabled* on the about:config page.
Topic: open forum, speed talks
Presenter: various
This meeting around we will try something different. Whoever wants and is prepared can talk about a LINUX topic for about 5 minutes. Everyone is welcome to do so or just listen if you prefer. No need to register any talk just come, join and talk about a topic, near and dear to your LINUX heart.
In our latest edition of ELUG virtual meetups, Rajiv gave us some insights into awk.
A video of that session was recorded so if you want to take a look at look check that out here:
In our latest edition of ELUG virtual meetups, Manuel walked the participants through the developments of services in regards to server infrastructure. From the initial “one machine, one task” philosophy to the development and advantages of virtualization to containerization of applications and container orchestration through kubernetes.
A video of that session was recorded so if you want to take a look at look check that out here:
Virtualization vs Containerization
The presentation can be found here:
In our last meeting on March 25, Rajiv presented advanced concepts of VIM. He walked the participants through how and when using the mouse, search, replace, open documents in tabs, vertically split the screen an a lot more. Fortunately, Rajiv also recorded the session as it would be too much to document everything in a post.
If you want to take a look at how great vim can be head over to our Nextcloud instance and check out the video here:
In our meeting, Rob provided the group with an overview on Regular Expression. Walking through what regular expressions are, Rob provided the basics to understand where these come from, where these are used and how they can be applied in the context of linux and programming.
The presentation can be accessed through the ELUG’s Nextcloud instance: