I went to Lowes to make up for the spare apartment key I lost (and discovered a really cool key-making kiosk). On my way home I decided I needed to reward myself for the substantial raise I received at Digium. So, I dropped by The Cigar Room in Madison, AL. I’ve been there at least thirteen times in the past, but never ventured into the back lounge to smoke a cigar. I bought my favorite cigar, the Acid Kuba Kuba from Drew Estate. Thankfully The Cigar Room has reasonable prices (not like another local store in their overpriced, shopping-mall real estate). I cut my cigar with a cutter called “The Shuriken,” and lit my cigar with the shop’s hand-held Bunsen burner-like device. I moseyed on back to the lounge, to check it out and smoke my cigar.

There were large TVs on both walls, and in one corner. The walls were painted a reddish brown, very classy. There was cigar and classic martini lounge decor hung on those walls, and the floor was some kind of rich, wooden tiling. The floor was littered with leather sofas and chairs, and there were plenty of end tables with ash trays for your cigars, and there were ottomans for your feet. The place had a really classy lounge feel. Since there were folks watching television, there was no music. There was a wet bar in the back, but it wasn’t the kind where people can sit at it and interact with a bartender. It was like something you’d find in a house, that didn’t have room for an entire bar. This got me to thinking…

My hometown, Mobile, AL, does not appear to have anything like this that I know of. I think an excellent business idea would be to open my own place like that there. My thoughts may be quite ambitious here, but I’d also like to add a small but full-service bar, and sell choice wines on top of that. Maybe even have a small kitchen to serve wine bar food. As always, it would be location, location, location! I don’t think I’d be able to start on this for several years, but at least I have a seed of an idea. At least now I’m documenting that! I’m wondering if there is an Alabama state law against allowing smoking in a cigar lounge and serving alcohol directly to customers. One of the many things I will have to research. However, my first order of business is to research this heavily. I may not have all the time in the world, but I can’t be bothered with that now. Someone, or some organization, may be way ahead of me yet. Can’t control that.

Installing tripwire on Debian Sid.

One security tool I use on my Linux servers is tripwire. Essentially, it hashes both a file/directory and its metadata (modify/access/creation timestamps, file size, inode, etc.) into the tripwire database. Daily (or more often) tripwire re-scans the designated filesystems and alerts the administrator of any changes. This is glossing over many of the finer points, but if a system is compromised and key files are changed the administrator is notified at the next re-scan. Tripwire shouldn’t be the only line of defense, but it can be useful as a catch-all to notify the system manager so corrective action can be taken.

To install and set up tripwire on Debian Sid, follow these instructions (inspired by this):

  1. Actually installing tripwire is very simple:
    
    # aptitude install tripwire
    
    

    The curses-based menu prompts will instruct you to create a pair of keys to cryptographically sign many files, in order to ensure their contents or metadata haven’t changed. The first tripwire installation prompt warns that these passphrases exist unencrypted for a period of time. Because of this I have elected not to enter these passphrases at this time, and will follow the instructions in twadmin(8) for creating these keys.

  2. To generate the keys, I ran the following command:
    
    # twadmin --generate-keys \
    --verbose \
    --local-keyfile /etc/tripwire/local.key \
    --site-keyfile /etc/tripwire/site.key
    
    

    This generated the following output:

    
    Open Source Tripwire(R) 2.4.2.2.2 built for x86_64-unknown-linux-gnu
    
    Open Source Tripwire 2.4 Portions copyright 2000 Tripwire, Inc. Tripwire is a registered
    trademark of Tripwire, Inc. This software comes with ABSOLUTELY NO WARRANTY;
    for details use --version. This is free software which may be redistributed
    or modified only under certain conditions; see COPYING for details.
    All rights reserved.
    
    (When selecting a passphrase, keep in mind that good passphrases typically
    have upper and lower case letters, digits and punctuation marks, and are
    at least 8 characters in length.)
    
    Enter the site keyfile passphrase:
    Verify the site keyfile passphrase:
    Generating site key: /etc/tripwire/site.key
    Generating key (this may take several minutes)...Key generation complete.
    Enter the local keyfile passphrase:
    Verify the local keyfile passphrase:
    Generating local key: /etc/tripwire/local.key
    Generating key (this may take several minutes)...Key generation complete.
    
    

    It may have said it may take several minutes to generate these keys, but it processed through very quickly on my li’l VPS. It took mere seconds to generate the keys. It actually took more time for me to select my passphrases than it did to generate the keys. The keys are nice and encrypted (the “file” command just says they’re data!). Some notes on my passphrases:

    • I use keepassx to maintain my password database. It has an added feature of generating random passwords! I back up my password database religiously, and I use sshfs on all of the workstations I control to always keep the same file updated, no matter what machine I’m using. It’s great!
    • I used keepassx to generate a 128 character password for the site key, and a 64 character password for the local key. I was sure to use characters from every character class (upper, lower, underscore, hyphen, space, symbols). The site key ended up being a whole 1,024 bits of entropy, and the local key was 512 bits of entropy.
    • I probably should have collected fresh entropy before generating those keys, but then I’m getting really pedantic. I have unchecked that option, so it should collect fresh entropy more often, if not every time I generate a new password.
  3. The next step is to actually configure tripwire. This is done by modifying /etc/tripwire/twpol.txt, and removing or commenting out the stuff we don’t have or need. The first step is to run this command:
    
    # tripwire --check
    
    

    This will compare the system with the current /etc/tripwire/twpol.txt, and report on the differences. On first run, I got:

    
    # tripwire --check
    ### Error: File could not be opened.
    ### Filename: /etc/tripwire/tw.cfg
    ### No such file or directory
    ### Configuration file could not be read.
    ### Exiting...
    
    

    I changed the following line in /etc/tripwire/twpol.txt:

    
      $(TWETC)/tw.cfg    -> $(SEC_BIN) -i ;
    
    

    To this:

    
      $(TWETC)/twcfg.txt    -> $(SEC_BIN) -i ; 
    
    

    Turns out that’s not right, so I reverted the change above. What I had to do was initialize the tripwire configuration file like so:

    
    # twadmin --create-cfgfile --site-keyfile site.key twcfg.txt
    
    

    That brought me to the following:

    
    # tripwire --check
    ### Error: File could not be opened.
    ### Filename: /etc/tripwire/eldon-local.key
    ### No such file or directory
    ### Exiting...
    
    

    I had to edit twcfg.txt and regenerate tw.cfg (since my local key is /etc/tripwire/local.key, not /etc/tripwire/eldon-local.key). My next problem was that the tripwire database did not exist. I entered the following command:

    
    # tripwire --init
    
    

    After entering the local key passphrase, I got the following output:

    
    ### Error: File could not be found.
    ### /etc/tripwire/tw.pol
    ### Exiting...
    
    

    I generated that policy file using the following command:

    
    # twadmin --create-polfile twpol.txt
    Please enter your site passphrase: 
    Wrote policy file: /etc/tripwire/tw.pol
    
    

    Next I could run the initialization:

    
    # tripwire --init
    ...lots of messages about missing /proc files, then
    Wrote database file: /var/lib/tripwire/eldon.twd
    The database was successfully generated.
    
    

    I removed /proc, and a bunch of other stuff from twpol.txt, then regenerated the policy file. I then could finally run the check:

    
    # tripwire --check
    
    

    This listed a bunch of files that couldn’t be found. I removed those from the policy file (twpol.txt), regenerated the policy, reinitialized the database, and got the standard report on standard output (I won’t reprint it here because it’s rather long). Now I can modify my upgrade alias in .bashrc:

    
    alias upgrade='aptitude update && aptitude full-upgrade && \
                    aptitude clean && rkhunter --propupd && tripwire --check'
    
    

    I do not run tripwire on any of my workstations or laptops, simply because I am constantly futzing with them, and getting the near-constant email warnings that there are violations, created, deleted, or modified files outside the .twd file. Here, usability trumps security, in the ever-constant struggle.
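The same set-up as one added script (not from the post or from the Tripwire project): keys first, then the signed config, then the signed policy, then the baseline database and the first check, with a precondition check for the mismatch hit above, where the stock twcfg.txt named /etc/tripwire/eldon-local.key while the key had been written to /etc/tripwire/local.key. The twadmin and tripwire options are the ones used in the steps above; TWETC, SITE_KEY, LOCAL_KEY, TW_DRY_RUN and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the post or from the Tripwire project: the
# key -> config -> policy -> database -> check sequence from the steps above,
# in the order that works on the first try, plus a precondition check for
# the error the post ran into (twcfg.txt naming a local key file that does
# not exist). Paths follow the Debian layout used in the post. Run as root;
# TW_DRY_RUN=1 prints the commands instead of running them.
set -u

TWETC=${TWETC:-/etc/tripwire}
SITE_KEY=${SITE_KEY:-$TWETC/site.key}
LOCAL_KEY=${LOCAL_KEY:-$TWETC/local.key}

# Read SITEKEYFILE and LOCALKEYFILE from a twcfg.txt, expand $(HOSTNAME) as
# tripwire does, and fail (naming the culprit) if either file is missing.
tw_check_cfg_keys() {  # usage: tw_check_cfg_keys TWCFG_TXT
    cfg=$1 rc=0
    host=$( (hostname -s || uname -n) 2>/dev/null )
    for var in SITEKEYFILE LOCALKEYFILE; do
        path=$(sed -n "s/^[[:space:]]*$var[[:space:]]*=[[:space:]]*//p" "$cfg" \
               | head -n 1 \
               | sed -e 's/[[:space:]]*$//' -e 's|\$(HOSTNAME)|'"$host"'|g')
        if [ -z "$path" ]; then
            echo "$cfg: $var is not set" >&2; rc=1
        elif [ ! -f "$path" ]; then
            echo "$cfg: $var points to $path, which does not exist" >&2; rc=1
        fi
    done
    return $rc
}

run() {  # run a command, or just print it when TW_DRY_RUN=1
    if [ "${TW_DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Whole sequence; a subshell so the cd does not leak into the caller.
tw_setup() (
    cd "$TWETC" || exit 1
    if [ ! -f "$SITE_KEY" ] || [ ! -f "$LOCAL_KEY" ]; then   # prompts for both passphrases
        run twadmin --generate-keys --site-keyfile "$SITE_KEY" --local-keyfile "$LOCAL_KEY"
    fi
    # twcfg.txt must point at the keys that really exist before tw.cfg is signed
    tw_check_cfg_keys twcfg.txt || [ "${TW_DRY_RUN:-0}" = 1 ] || exit 1
    run twadmin --create-cfgfile --site-keyfile "$SITE_KEY" twcfg.txt   # site passphrase
    run twadmin --create-polfile twpol.txt                              # site passphrase
    run tripwire --init                                                 # local passphrase
    run tripwire --check
)
```

Run it as root after aptitude install tripwire. Fixing the LOCALKEYFILE line in twcfg.txt (or passing the matching --local-keyfile to twadmin --generate-keys) before twadmin --create-cfgfile is what saves regenerating tw.cfg; the passphrase prompts are tripwire’s own, and nothing here puts a passphrase on the command line where it would show up in the process list or shell history.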

WordPress install on Debian Sid (post-Wheezy)

For my first post, I will discuss how I installed this website on my Debian Sid installation on my EDIS Virtual Private Server (VPS). I first started with the EDIS VRS STARTER, which includes 512MB RAM, with a 10GB disk, 1Gbps network bandwidth, and 2TB total bandwidth allowed per period. Not much to work with, but it’s only ~$7 per month! The nice thing is, the Wheezy image I started with only takes up 200MB of disk space, so there’s plenty to work with.

Here’s the procedure I followed:

  1. First thing was to install my bare essentials. This includes vim and tmux. I installed them with the following command, as root:
    
    # aptitude install vim tmux
    
    
  2. Now that vim was installed, I could remove nano and edit /etc/apt/sources.list properly:
    
    # aptitude purge nano # DIE EVIL NANO!
    # vim /etc/apt/sources.list
    
    

    The /etc/apt/sources.list file ended up like this:

    deb http://debian.uchicago.edu/debian sid main contrib
    
    

    Since this server is in Chicago, IL, USA, I changed the Debian repository server from ftp.at.debian.org (EDIS is based in Austria). The “contrib” parameter was used because several key MySQL components (necessary for WordPress) are not available in the “main” repository because of licensing issues. With that I added the following alias to root’s bash run control file (~/.bashrc):

    
    alias upgrade='aptitude update && aptitude full-upgrade'
    
    

    I do the above on all of the Debian servers and workstations I manage, to make it a simple matter to update the system to the latest available packages. Sourcing the .bashrc file with “source .bashrc” (or what I really use, “. .bashrc”) loaded the new alias. Executing the “upgrade” alias proceeded to update my Wheezy install to Sid, and took about twenty minutes or so. Note that lsb_release -a still returns Wheezy; I’ll have to investigate that when I have time.

  3. Now that my machine had been updated, I rebooted it to load the new kernel (with the command reboot). Next, I installed wordpress and mysql. I note that mysql-server is *not* a dependency of wordpress (it merely suggests mysql-server); I discovered this when I tried to start WordPress for the first time and noticed mysql-server was not installed (this led me to adding “contrib” to sources.list above). The command below installed many libraries and helper packages, including apache2 and php5 related packages:

    
    # aptitude install wordpress mysql-server libssh2-php
    
    

    I installed libssh2-php since I wanted to use SSH keys for WordPress to apply updates, plugins, and themes (rather than use FTP or FTPS [I’ve always found installing and securing FTP repositories to be a major pain]). I was then ready to set up apache.

  4. Setting up apache was as simple as creating the /etc/apache2/sites-available/eldon.me:
    
    # The <VirtualHost> and <Directory> container tags, and the *:80 / *:443
    # ports, are assumed here; only the directives inside them survived.
    <VirtualHost *:80>
        DocumentRoot /var/www/eldon.me
        ServerName eldon.me
        ServerAlias www.eldon.me
        ServerAdmin trey@blancher.net
        ErrorLog /var/log/apache2/wp-error.log
        TransferLog /var/log/apache2/wp-access.log
        RedirectPermanent / https://eldon.me
    </VirtualHost>
    
    <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/eldon.me.pem
        SSLCertificateKeyFile /etc/ssl/private/eldon.me.crt
        DocumentRoot /var/www/eldon.me
        CustomLog /var/log/apache2/eldon.me-ssh-access.log combined
        ErrorLog /var/log/apache2/eldon.me-ssh-error.log
        HostnameLookups On
    
        <Directory /var/www/eldon.me>
            Options FollowSymLinks
            AllowOverride Limit Options FileInfo
            DirectoryIndex index.php
        </Directory>
    </VirtualHost>
    
    
    

    I obtained my SSL certificates from StartSSL (https://www.startssl.com/), based in Israel. The main reason I use them is they offer level 1 certificates for personal use completely free/gratis! The only downside is that many older, out of date browsers and smartphones don’t recognize their certificate authority credentials, which means many browsers issue an SSL warning (as if the site used self-signed certificates). If that becomes a major problem, I may switch.

    The next step was to enable the site:

    
    # a2ensite eldon.me
    
    
  5. The next step is to set up the WordPress MySQL user and database (adapted from here). In Debian, when mysql-server is installed apt/dpkg directs you to set root’s password for the MySQL server. The first command below will prompt for that password:
    
    # mysql -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 308
    Server version: 5.5.29-1 (Debian)
    
    Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
    
    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.
    
    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
    
    mysql> create database eldon;
    Query OK, 1 row affected (0.00 sec)
     
    mysql> grant all privileges on eldon.* to "wp_agent"@"localhost"
        -> identified by "SUPERSECRETPASSWORD";
    Query OK, 0 rows affected (0.00 sec)
      
    mysql> flush privileges;
    Query OK, 0 rows affected (0.01 sec)
    
    mysql> exit
    
    

    Since wordpress installs to /usr/share/wordpress on Debian, I made a symlink, and then restarted apache2:

    
    ln -s /usr/share/wordpress /var/www/eldon.me
    service apache2 restart
    
    

    If I want to add other sites to this VPS, I’ll just need to set up the site as above, and place it in /var/www/. Note that I’ll have to be careful when setting up SSL. I had originally found that multiple SSL sites on a single IP was impossible. However, when I tried to find the page that explained that, I found this post instead: “Configure Apache to Support Multiple SSL sites on a single IP address”. I could have saved some money, but having multiple VPS services makes sure I have access to one of them should the other go down (I use my other VPS for IRC as well).

  6. Now, I could finally set up WordPress. I navigated here (you’ll see that it has already been set up). I won’t go into setting up WordPress from there, but this is precisely the same as “Run the Install Script”.
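An added check for the Apache configuration in step 4 (not the post’s own code): a small shell lint that reads a vhost file and flags a TLS vhost with no SSLProtocol line (or one still enabling SSLv2, SSLv3, TLS 1.0 or TLS 1.1), a TLS vhost with no Strict-Transport-Security header, and HostnameLookups On, which costs a reverse DNS lookup on every request. SSLProtocol, SSLHonorCipherOrder, Header and HostnameLookups are real Apache directives; the two sample vhosts the script writes are constructed for the example and modelled on step 4.

```shell
#!/bin/sh
# Added example, not code from the post: a lint for an Apache vhost file like
# the one in step 4. Findings: a TLS vhost with no SSLProtocol line (or one
# that still enables SSLv2/SSLv3/TLS 1.0/1.1), no Strict-Transport-Security
# header, and HostnameLookups On. The sample vhosts written by
# write_sample_vhosts are constructed for this example, modelled on step 4.
set -u

# Print one finding per line; the return value is the number of findings.
vhost_lint() {  # usage: vhost_lint FILE
    f=$1 n=0
    # -i throughout: Apache directive names are case-insensitive ("Customlog" works)
    if grep -qi '^[[:space:]]*SSLEngine[[:space:]]\{1,\}on' "$f"; then
        proto=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' "$f" | head -n 1)
        if [ -z "$proto" ]; then
            echo "$f: SSLProtocol not set; enabled versions are whatever this Apache build defaults to"
            n=$((n + 1))
        # a bare or "+" token for all/SSLv2/SSLv3/TLSv1/TLSv1.1 enables a legacy version
        elif printf '%s\n' "$proto" | grep -Eqi '(^|[[:space:]])\+?(all|SSLv[23]|TLSv1(\.1)?)([[:space:]]|$)'; then
            echo "$f: SSLProtocol enables a legacy protocol version:$proto"
            n=$((n + 1))
        fi
        if ! grep -qi '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security' "$f"; then
            echo "$f: no Strict-Transport-Security header on the TLS vhost"
            n=$((n + 1))
        fi
    fi
    if grep -qi '^[[:space:]]*HostnameLookups[[:space:]]\{1,\}on' "$f"; then
        echo "$f: HostnameLookups On does a reverse DNS lookup per request; use Off"
        n=$((n + 1))
    fi
    return $n
}

# Two constructed vhosts: "weak" mirrors the TLS block in step 4, "hardened"
# is the same block with the three findings addressed.
write_sample_vhosts() {  # usage: write_sample_vhosts DIR
    cat > "$1/weak.conf" <<'EOF'
<VirtualHost *:443>
    ServerName eldon.me
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/eldon.me.pem
    SSLCertificateKeyFile /etc/ssl/private/eldon.me.crt
    DocumentRoot /var/www/eldon.me
    HostnameLookups On
</VirtualHost>
EOF
    cat > "$1/hardened.conf" <<'EOF'
<VirtualHost *:443>
    ServerName eldon.me
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/eldon.me.pem
    SSLCertificateKeyFile /etc/ssl/private/eldon.me.crt
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLHonorCipherOrder on
    Header always set Strict-Transport-Security "max-age=31536000"
    DocumentRoot /var/www/eldon.me
    HostnameLookups Off
</VirtualHost>
EOF
}

# Command-line use: vhost-lint.sh /etc/apache2/sites-available/eldon.me
if [ $# -gt 0 ]; then vhost_lint "$1"; fi
```

The Header directive needs mod_headers (a2enmod headers), and apache2ctl configtest is worth running before the reload, since an unknown directive takes the whole server down rather than just the one vhost. The lint deliberately stays on the settings that are visible in the file; whether the key under /etc/ssl/private is readable only by root is a separate check on the filesystem.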

And that’s it for now! Hopefully I didn’t miss any steps.