This month we had a bit of a round table to think of some ideas of what to talk about in future meetings.
Some of the ideas include:
> Repository management
> Hardware issues: tools and utilities for managing devices
> Security: SSH, GPG, securing your home network, using networked/wireless cameras
> Network: setup, vlans, remote desktops/admin
> Other: how to build a container, user’s personal projects, desktop customization
David showed us how to set up a NextCloud instance. Nextcloud is your own personal cloud offering a myriad of features and functions. You want to setup your own, private iCloud? Nextcloud makes sure your data never leaves your control. You want to be able to edit office documents on in the cloud? Nextcloud offers a full fledged office solution. You want to synchronize your phone’s data with your Nextcloud instance? Install the iPhone or Android app, connect to your server and you are good to go.
If you want to have a quick look at what was covered in our last meeting please feel free to review the video here:
https://nextcloud.elug.rocks/index.php/s/AkaeFBHDBZ8DFpL?path=%2F2022-04%20Nextcloud
Manuel reviewed how to set up a Network File System using NFS.
It was very exciting.
Really. It was.
He used vim, too.
If you want to take a look at the presentation please check our nextcloud instance here:
We had a fairly lengthy group discussion regarding a variety of Linux security issues – security management and server configuration, firewalls, pfsense, routers, VPNs, etc. We touched on honeypots, log files, DNS leaks, malware, passwords, 2FA, and many other things. It was good to see some new faces!
Check out the recommended podcasts:
https://malicious.life/
https://darknetdiaries.com/
A new year and the ELUG is still strong on their VIM journey. This month, Rajiv presented some of the really, really advance features that VIM offers. If you want to see for yourself, there is a video about that available here.
This month we had a round table social talk. Everyone was encouraged to bring an idea to share, or just something about what’s going on in their Linux world. It was good to see some new faces!
Manuel walked through how to setup a simple RAID system using mdadm.
We had a great walk through this month. Spencer showed off a way to setup his own NTP server in-house. The details are hosted on a private GITHUB site. If you want access to follow Spencer’s instructions, please join our SLACK chat at https://elugyeg.slack.com and contact Spencer for the access to his GITHUB.
This month we had an open forum. The focus was on general networking. There were a few questions around DHCP and static IPs. Some basics around network protocols were discussed as well as how these were developed. A few of the items that came up were token ring networking, OCI, TCP, UDP to name a few.
If you want to take a look into our Nextcloud instance you can find that here:
In our meeting on August 26 Spencer walked us through how to setup different machines and ensure that they are equipped with certificates. Once accessed with a browser these devices show up as “secure” where as the default behaviour would highlight the site as not secure.
A video of that session was recorded so if you want to take a look at look check that out here:
Spencer also was kind enough to provide a high level overview:
# "something about a self-signed certificate and pi-hole"
## Objective
---
As a user I want to view the pi-hole admin page using https instead of http. As the creator of a local certificate authority, I accept the risk of installing its certificate on my local devices.
## Requirements (prework)
---
1. Lessons 1.1, 1.2, and 1.3 from *resource #1*
1. Check the device hostname
1. Sync your clock
1. Review your OpenSSL configuration (openssl version -a)
1. Create a directory structure to store the keys, signing requests, and certs
1. Lock it down (chmod 600)
## Create the private key and cert for the CA
---
``` sh
# Create a private key for the CA
openssl genrsa -aes256 -out private/cakey.pem 4096
# Create a certificate for the CA
openssl req -new -x509 -key /root/ca/private/cakey.pem -out cacert.pem -days 3650 -set_serial 0
```
## Create the private key and cert for the pihole
---
``` sh
# Create a new private key
openssl genpkey -algorithm RSA -out /root/ca/private/my_server.key
# Create a new certificate signing request (CSR)
openssl req -new -key /root/ca/private/my_server.key -out /root/ca/requests/my_server.csr
# CA signing the CSR
openssl ca -in /root/ca/requests/my_server.csr -out /root/ca/certs/my_server_NO-SAN.crt
# CA signing the CSR with configuration file with X509v3 extensions to add
# NET::ERR_CERT_COMMON_NAME_INVALID is resolved by adding 'subjectAltName'
openssl ca -in /root/ca/requests/my_server.csr -extfile /root/ca/my_server.ext -out /root/ca/certs/my_server_SAN.crt
```
> my_server.ext
``` sh
subjectAltName = DNS:my_server.local, DNS:pi.hole, IP:10.0.0.10
```
### Checking the certificate
---
``` sh
# Check for SAN
openssl x509 -text -in /root/ca/certs/my_server_SAN.crt -noout
```
> Expected output should include:
``` sh
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:my_server.local, DNS:pi.hole, IP Address:10.0.0.10
```
## lighttpd config
---
``` sh
nano /etc/lighttpd/external.conf
```
``` sh
server.modules += ("mod_openssl")
$HTTP["host"] == "my_server.local" {
$SERVER["socket"] == ":443" {
ssl.engine = "enable" # basic option
ssl.pemfile = "/usr/lib/ssl/certs/my_server_SAN.crt" # basic option
# ssl.pemfile = "/usr/lib/ssl/certs/my_server_NO-SAN.crt"
ssl.privkey = "/usr/lib/ssl/private/my_server.key" # basic option
ssl.ca-file = "/usr/lib/ssl/certs/cacert.pem" # (deprecated) renamed ssl.verifyclient.ca-file (since 1.4.60)
}
}
```
## Resources
---
1. [OpenSSL Certification Authority (CA) on Ubuntu Server](https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server)
1. Prerequisites
1. hostname, /etc/hosts, and ntp
1. OpenSSL Configuration
1. Specify the path, generate cakey.pem & cacert.pem
1. Install cacert.pem on your client machine(s)
2. [Enabling HTTPS for your Pi-hole Web Interface](https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771)
1. Which config file to edit (/etc/lighttpd/external.conf)
3. [OpenSSL man pages - genpkey](https://www.openssl.org/docs/man1.1.1/man1/genpkey.html)
1. Generate a private key using genpkey;
4. [Lighttpd wiki #Self-Signed-Certificates](https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#Self-Signed-Certificates)
1. Used the 'Quick Start'
1. Tip: keep your lighttpd -version in mind
5. [Firefox no longer trusts my internal certificate authority used for internal sites on our domain.](https://support.mozilla.org/en-US/questions/1175296)
1. See also *security.enterprise_roots.enabled* on the about:config page.