infosec

Using a 'quasi'-disposable VM for UpdateVM in Qubes

In Qubes, the dom0 is updated via an 'UpdateVM' which is responsible for downloading any new packages (since dom0 has no direct network access of its own).

Typically the UpdateVM is your sys-firewall or any other VM you've chosen (it's configurable under Global Settings via the Qubes Manager, or with qubes-prefs from the command line).

Virus scanning your Qubes VMs and Templates with ClamAV

Here's a simple script to iterate over your VMs (and, optionally, your templates) and run clamscan against them.

For templates we scan the full disk /, whereas for the AppVMs we just scan the writable dir /rw.

The script will start any VMs it needs to, and remember if it had to, so that it shuts down just the VMs that weren't already running.

There are a couple of caveats to this approach:

Monitoring Certificate Transparency logs for fraudulent SSL certs with Scumblr

I read with interest this article by Facebook, about detecting (possibly) fraudulent SSL certificates being issued by CAs.

I wasn't previously aware of Google's Certificate Transparency initiative, but it seems like a good idea. Basically there exists a sort of blockchain of public, append-only logs of all SSL certs that are being issued (at least, where the CA is cooperating to publish that info?).

'So, what is it you exactly do?' - Part five, troubleshooting

In the last article of this sysadmin series, I talked about the importance of monitoring as an insight into infrastructure and application behaviour - something that is hard to overstate. But what good is monitoring if you don't understand what it's telling you? That's where troubleshooting comes in.

'So, what is it you exactly do?' - Part four, monitoring

Here's a scenario...

At 4:30AM every Thursday (sysadmin's time), a site on a server suddenly spikes in load, because a full backup takes place at that time, which is not an off-peak time in terms of traffic due to international visitors.

A bunch of users visiting a site on that server receive a flurry of 502 errors trying to load some content - a form of application timeout due to the taxing effect on the CPU related to the backup process.

'So, what is it you exactly do?' - Part three, security

This article is the third in a series of long-winded answers to the inevitable 'but what exactly do you do as a sysadmin consultant?' question. I started writing this because it's hard to give a sufficiently short answer.

Adding Yubikey 2-factor authentication to SSH and sudo in Debian

Throughout 2014 and 2015 I have been adding two-factor authentication to Debian and Ubuntu servers (SSH, sudo) for some of my customers, using Yubikeys as the authentication device and OTP as the auth method. It's quite straightforward to integrate Yubikey OTP auth into Debian SSH servers, provided you are using Debian 7 (Wheezy) or higher, and that you can use the version of OpenSSH from the Backports repository.

This guide will work for SSH auth, as well as for other server-side tasks such as the use of sudo.

Encrypting OSSEC mail notifications with GPG

After reading the SecureDrop security audit announced today, I noted that they GPG-encrypt their OSSEC mail to add an extra layer of protection over the incidents that OSSEC finds and sends alerts for. Neat idea; it never occurred to me. Even though my servers use TLS to transmit mail around, and I run my own mail server, that traffic still has to hop through some public routes, so why not add more encryption?

Monitoring pastebin.com with Scumblr

I have been experimenting with Scumblr and Sketchy - two open source products released in August 2014 by Netflix.

Broadly speaking, Scumblr is a tool for performing external searches that can aggregate and track the results it finds. In addition it employs various workflow/status/tag features to produce a management tool for taking action on the items or 'events'.