Traveling with Computers Safely

Posted by JD 04/11/2014 at 23:00

I’ve been traveling overseas more and have discussed security issues with others in the IT security industry. Here is what I’ve decided.

With the recent Heartbleed issue in the OpenSSL libraries that impacted 80% of websites and the GnuTLS issue from last month, what should we do when security is needed most?

BTW, the NSA admitted to using the Heartbleed bug for years. My 20 years of professional experience with software tells me that there are probably 50 other issues like this in the OpenSSL and GnuTLS software libraries. They are the best options for HTTPS traffic, but really shouldn’t be trusted when real security is needed.

What do I do?

1st Five Minutes on a Server

Posted by JD 02/28/2014 at 17:00

11/2018 Update

For Ubuntu 18.04, the network setup commands have changed because of netplan, but the major ideas are still the same.
Hammond is active on the Ubuntu Forums and has many server setup guides.

6/2016 Update

Nothing major, just minor tweaks and a few details added.

4/2015 Update

Seems that lots of people are interested in extremely basic security of Linux systems and would like to see what others do initially on their fresh servers or VMs. So, I did a little googling (DRY, right?) to see what a few others are doing and to compare that with my setup steps. We all come from different places, backgrounds, and have different things we want out of our servers.

This is about basic, first-pass security, not securing Apache, MySQL, Tomcat, email, or any webapp. The box has an ssh-server, known login, DHCP IP and is ready for other stuff. That is our starting point.

Let’s get started.

Ubuntu 13.10 under KVM with Spice

Posted by JD 10/27/2013 at 10:25

Installed Ubuntu 13.10 x86 under an Ubuntu 12.04 KVM server.

Installation

VM Settings:

  • 1G of RAM
  • 500MB swap
  • 10G of ext4 for /
  • Cirrus video – 9MB

Install started at: 08:43:54 EDT 2013
Install ended at: 08:58:07 EDT 2013
Reboot.
Forgot to remove the installation ISO file – remove it and reboot again. ;)
Login.

About 15 minutes to install a full desktop OS? What is not to like?

Solution for Slow Ubuntu in VirtualBox

Posted by JD 09/14/2012 at 17:00

Last night at an installFest, I helped someone with a Core i7, 6GB of RAM and 300GB free install Ubuntu 12.04 with Unity into a virtual machine. After the install, it was painfully slow. That is an understatement. Every character that I typed didn’t get displayed until about 30 seconds later. To the other person, it seemed that Ubuntu had locked up. He wanted to delete the Ubuntu install and leave. Clearly, something was broken. This was with 12.04.1 32-bit desktop inside the latest available VirtualBox on MS-Windows 7 x64.

If I hadn’t seen this myself, I wouldn’t believe it either. Complete instructions follow to speed up VirtualBox for Ubuntu 12.04.1. It should work for prior versions and other Linux-based VMs too.

11/2013 Update

Optimized Backups for Physical and Virtual Machines

Posted by JD 10/08/2011 at 15:00

My old backup method was a little cumbersome. To ensure a good backup set, I’d take down the virtual machine, mount the VM storage on the host (Xen), then perform an rdiff-backup of the entire file system, before bringing the VM back up again. This happened daily, automatically, around 3:30am. It has been working for over 3 years with very few hiccups. I’ve had to restore entire VMs and that has worked too. One day I needed to restore the Zimbra system ASAP. From the time I decided to do the restore until end-users could make use of the system was 20 minutes. That’s pretty sweet in my book.

There are some issues with the current setup.

  • Backups are performed locally, to a different physical disk before being rsync’ed to the backup server. This is necessary because the backup tool versions are different and incompatible between Ubuntu 8.04 and 10.04 LTS servers.
  • Each system is completely shut down for some period of time during the backup process. It is usually 1-4 minutes, but that is still downtime.
  • Most of the systems are still using 8.04 paravirtual machines under Xen. A migration of some type to newer OSes is needed. I should use this opportunity to make things better.
  • Some of the systems are running old versions of software which are not up to current patch levels. I guess this happens in all IT shops. None of that is available outside the VPN, so the risks are pretty low.

I think I can do better.

New Blog Software and OS

Posted by JD 08/31/2011 at 20:00

Since this is a technology blog, I figure some of you may be interested in a major change that happened out of necessity here today.

This is the very first blog article on our new physical server, running in a completely different virtual machine. For the next week, everything here is a test.

Due to some sort of outage issue earlier today, I was forced to upgrade everything involved with this blog. I had attempted to perform this upgrade previously and failed. As you can see, this time, there was success. Nobody was shocked more than I.

Readers Ask About ... VPNs

Posted by JD 08/21/2011 at 06:00

Below is the 6th of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)

Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization |
Part 3 – Virtualizing Media Storage | Part 4 – Hosting Email |
Part 5 – Reverse Proxies

duijf asks:

Q6: It seems desirable to be able to VPN in to my network at any time, if I decide to set up said service, does any device in my internal network need to connect before it is discoverable?

Sorry, but I don’t understand the question entirely. Discoverable? That confuses me. This isn’t a game console. Your VPN client and server will need to know about each other explicitly. Not to worry, that isn’t very difficult to set up. There are just a few details.

Readers Ask About ... Reverse Proxy Servers

Posted by JD 08/18/2011 at 06:00

Below is the 5th of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)

Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization |
Part 3 – Virtualizing Media Storage | Part 4 – Hosting Email

duijf asks:

Q5: Do I need a reverse proxy if I ? I’ve read about proxy servers on TheFu’s blog that filter internal traffic (if you read this, in the end I liked the idea a lot more than at first). Is this even the same thing? If this is to happen, is it correct that I’d need two NICs and bridge the connection from the router to the internal network? If so, can I get rid of the router? We do use it for telephone access too.

Readers Ask About ... Hosting Email

Posted by JD 08/16/2011 at 05:00

Below is the 4th of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)

Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization | Part 3 – Virtualizing Media Storage

duijf asks:

Q4: Maybe I’ll host the email for my own domain, what do I have to know? (ISPs, configuration, internal mail)

Readers Ask About ... Using Virtualization with Media Storage

Posted by JD 08/14/2011 at 05:00

Below is the 3rd of 6 questions from a reader. I definitely don’t have all the answers, but I’m not short on opinions. ;)

Previous articles:
Part 1 – LVM+JFS+RAID | Part 2 – Service Virtualization | Part 3 – Virtualizing Media Storage | Part 4 – Hosting Email

duijf asks:

Q3: I intent (sic) to provide quite a lot of media to my internal network, if I choose for virtualisation, will the VMs be able to access the disk space outside of the container? I do not want to create TB size containers (or should I?). I will probably use the SMB protocol here.