Since I already have two Raspberry Pis lying around at home, I told myself I had to build this Brique myself. It's done, and I'm now sharing my experience by explaining step by step how I did it. This tutorial is of course valid for machines other than the Raspberry Pi, provided the machine stays on 24/7, since it will act as the gateway for all your machines.
These are my personal ansible roles. I share with joy, and comments are welcome, but I don't intend to make them generic nor perfect for everybody's use. They suit my needs. Oh, and they all use Debian systems.
Linux distributions have a problem with WebKit security.
Major desktop browsers push automatic security updates directly to users on a regular basis, so most users don’t have to worry about security updates. But Linux users are dependent on their distributions to release updates. Apple fixed over 100 vulnerabilities in WebKit last year, so getting updates out to users is critical.
[...]
Recommended Distributions
We regularly receive bug reports from users with very old versions of WebKit, who trust their distributors to handle security for them and might not even realize they are running ancient, unsafe versions of WebKit. I strongly recommend using a distribution that releases WebKitGTK+ updates shortly after they’re released upstream. That is currently only Arch and Fedora. (You can also safely use WebKitGTK+ in Debian testing — except during its long freeze periods — and Debian unstable, and maybe also in openSUSE Tumbleweed, and (update) also in Gentoo testing. Just be aware that the stable releases of these distributions are currently not receiving our security updates.) I would like to add more distributions to this list, but I’m currently not aware of any more that qualify.
This is the story of how that process has gone wrong for WebKit.
Before we get started, a few disclaimers. I want to be crystal clear about these points:
This post does not apply to WebKit as used in Apple products. Apple products receive regular security updates.
WebKitGTK+ releases regular security updates upstream. It is safe to use so long as you apply the updates.
The opinions expressed in this post are my own, not my employer’s, and not the WebKit project’s.
Today, free software is a genuine alternative that lets any young African prototype an SMS application with free technologies, on a relocated infrastructure they could set up at home.
Let's build together a free, neutral and decentralised Internet
How does it work?
The Brique Internet, shown in the video above, is simply a VPN box coupled with a server.
A VPN connects one computer to another securely, so that no intermediary on the Internet can read the content of the communications passing through it. For the Brique to work, it must be configured with VPN access, which lets it create a tunnel to another computer on the Internet. Simply by connecting to the Brique over Wi-Fi, you can browse the Internet, automatically passing through this encrypted tunnel. That way, your ISP can no longer spy on you, throttle you or filter you. The same mechanism is what lets the Brique act as a nomadic server.
On the programme for this article (tested on Debian Wheezy):
Updates: cron-apt and checkrestart
Security
viruses: clamav,
malware: maldet,
rootkits: rkhunter, chkrootkit, lynis
package integrity verification: debsums
cleanup: deborphan, ...
backups
IMPORTANT:
most of the commands below need to be run as root or with the sudo command
all of these programs normally write logs in /var/log, and that is VERY useful for finding out why something doesn't work
you need a mail program configured (such as postfix) in order to send mail
don't forget to RESTART the program after a change so that it is taken into account
A few months ago I published a tutorial on "easily" setting up an XMPP/Jabber server with Prosody and fairly well configured SSL/TLS on Debian; I've had quite a lot of positive feedback since then and I think it might interest other people.
Octopuce code
As the systems administrator of hundreds of servers, this command is therefore extremely handy but lacks a bit of automation and intelligence. So we produced our own version of checkrestart that knows the special processes better (in perl, python, php, bash, etc.) and offers to restart the affected services itself.
To date, this script knows about services launched by login, prosody (in lua), amavis, munin-node, sympa (in perl), mailman (in python), dovecot imapd (which restarts badly), mysqld (which checkrestart cannot analyse) and fail2ban (which runs a python script and a gam_server to detect modified log files).
You can of course add your own cases (it's bash) to handle your individual server specifics.
The checkrestart.octopuce code can be downloaded here: https://www.octopuce.fr/wp-content/uploads/2015/01/checkrestart.octopuce
Who are you?!
We are Veteran Unix Admins and we are concerned about what is happening to Debian GNU/Linux to the point of considering a fork of the project.
And why would you do that?
Some of us are upstream developers, some professional sysadmins: we are all concerned peers interacting with Debian and derivatives on a daily basis.
We don't want to be forced to use systemd as a substitute for the traditional UNIX sysvinit init, because systemd betrays the UNIX philosophy.
We contemplate adopting more recent alternatives to sysvinit, but not those undermining the basic design principles of "do one thing and do it well" with a complex collection of dozens of tightly coupled binaries and opaque logs.
Rainer Gerhards, the rsyslog project leader, reported a vulnerability in Rsyslog, a system for log processing. As a consequence of this vulnerability an attacker can send malformed messages to a server, if it accepts data from untrusted sources, and trigger a denial of service attack.
For the stable distribution (wheezy), this problem has been fixed in version 5.8.11-3+deb7u1.
It was discovered that APT, the high level package manager, does not properly invalidate unauthenticated data (CVE-2014-0488), performs incorrect verification of 304 replies (CVE-2014-0487), does not perform the checksum check when the Acquire::GzipIndexes option is used (CVE-2014-0489) and does not properly perform validation for binary packages downloaded by the apt-get download command (CVE-2014-0490).
For the stable distribution (wheezy), these problems have been fixed in version 0.9.7.9+deb7u3.
For the unstable distribution (sid), these problems have been fixed in version 1.0.9.
We recommend that you upgrade your apt packages.
DebOps is a collection of Ansible playbooks and roles which can create and maintain Debian-based Linux infrastructure, scalable from one virtual machine to an entire data center.
For now, you can hang out with the developers on IRC: #debops @ irc.FreeNode.net.
Github: https://github.com/debops
Ansible galaxy: https://galaxy.ansible.com/list#/users/6081
Since ARN gave me a name so that Debianchou can be found on the Internet, they told me I just had to set something up to manage it myself. That (you saw, I found the capital Ç xD) is called Bind.
In his Q&A http://www.youtube.com/watch?v=UFFTYRWB0Tk to his keynote address at the World Hosting Days Global 2014 conference in April, the world’s largest hosting and cloud event, Julian Assange discussed encryption technology in the context of hosting systems. He discussed the cypherpunk credo of how encryption can level the playing field between powerful governments and people, and about 20 minutes into his address, he discussed how UNIX-like systems like Debian (which he mentioned by name) are engineered by nation-states with backdoors which are easily introduced as ‘bugs’, and how the Linux system depends on thousands of packages and libraries that may be compromised.
I recommend watching his 36 minute Q&A in its entirety, keeping in mind my recent warnings about how Linux is almost entirely engineered by the government/military-affiliated Red Hat corporation.
The Voice of Russia website has an article http://voiceofrussia.com/news/2014_04_07/US-annexed-the-whole-world-through-mass-surveillance-Assange-6580/ on Assange’s address with a few quotes:
“To a degree this is a matter of national sovereignty. The news is all flush with talk about how Russia has annexed the Crimea, but the reality is, the Five Eyes intelligence alliance, principally the United States, have annexed the whole world as a result of annexing the computer systems and communications technology that is used to run the modern world,” stated Julian Assange in his keynote address…
Don’t just read the short article, listen to the address yourself, because Assange goes into many areas, and the work being done in these fields.
Assange mentions how Debian famously botched the SSL random number generator for years (which was clearly sabotaged – a known fact). Speaking of botched security affecting Red Hat, Debian, Ubuntu, Gentoo, SuSE, and more, the nightmarish OpenSSL recently botched SSL again https://security-tracker.debian.org/tracker/CVE-2014-0160 . It’s very hard to believe this wasn’t deliberate, as botching the memory space of private keys is about as completely incompetent as you can get, as this area is ultra-critical to the whole system. As a result, many private keys were potentially compromised. Be sure to update your systems as this bug is now public knowledge. (For more on how OpenSSL is a nightmare, and why this bug is one among many that will never be found, listen to FreeBSD developer Poul-Henning Kamp’s excellent talk at the FOSDEM BSD conference. http://mirrors.dotsrc.org/fosdem/2014/Janson/Sunday/NSA_operation_ORCHESTRA_Annual_Status_Report.webm)
From the start, my revelations on this blog about Red Hat’s deep control of Linux, along with their large corporate/government connections, haven’t been just about spying, but about losing the distributed engineering quality of Linux, with Red Hat centralizing control. Yet as an ex-cypherpunk and crypto software developer, as soon as I started using Linux years ago, I noted that all the major distributions used watered-down encryption (to use stronger encryption in many areas, such as AES-loop, you needed to compile your own kernel and go to great lengths to manually bypass barriers they put in place to the use of genuinely strong encryption). This told me then that those who controlled distributions were deeply in the pockets of intelligence networks. So it comes as no surprise to me that they jumped on board systemd when told to, despite the mock choice publicized to users – there was never any option.
A computer, and especially hosting services (which often run Linux), are powerful communication and broadcasting systems in today’s world. If you control and have unfettered access to such systems, you basically control the world. As Assange notes in the talk, encryption is only as strong as its endpoints, e.g. if you’re running a very secure protocol on a system with a compromised OS, you’re owned.
As Assange observed:
“The sharing of information, the communication of free peoples, across history and across geography, is something that creates, maintains, and disciplines laws [governments].”
Small setup, a single zone, managed on the same server via an nsd (even though I'm trying to use settings that are valid for several zones).
apt-dater provides an ncurses frontend for managing package updates on a large number of remote hosts using SSH. It supports Debian-based managed hosts as well as rug (e.g. openSUSE) and yum (e.g. CentOS) based systems.
Often, in my job, I have to take an existing free software program (for example recently gnupg, gnome-panel or php...) and modify it slightly so that it better fits my needs. In doing so, I end up with a particular version of a piece of software.
aptly is a swiss army knife for Debian repository management: it allows you to mirror remote repositories, take snapshots, pull new versions of packages along with their dependencies, and publish snapshots.
What we're going to do now is start from our debootstrap image and automate the creation of a system which will run ssh. The resulting image can be further extended in the future to run additional services - and we'll demonstrate that by adding memcached to it, giving an image with both services running.
Mempo Project is the answer to increasing surveillance of people and endangered freedom of speech, as well as to other IT attacks: cracking by hackers, viruses.
============
To look at ...