http://user.xmission.com/~hidden/aatqos/
Using tcpdump, Snort, sec, and policing to programatically rate limit connections for the improvement of call (or other delay-sensitive application) traffic.
http://user.xmission.com/~hidden/aatqos/
Using tcpdump, Snort, sec, and policing to programatically rate limit connections for the improvement of call (or other delay-sensitive application) traffic.
http://packetroute.wordpress.com/2012/12/12/tacacs-ad-centos-free/
Pretty complete guide to getting Marc Huber’s tac_plus set up on a CentOS box. Need to give this a shot in an LXC container at some point.
http://www.networkworld.com/news/2013/091713-proposed-changes-to-whois-system-273914.html
I can see both sides of this. I think there is significant benefit to having the name and contact information associated with the domain record. I think it promotes a certain amount of responsibility. However, I have also had instances where it would be nice to privatize or restrict the visibility that information, and I have at times taken advantage of registrar privacy features.
In a recent post, I reconfigured one of my POGO-E02 devices to run Linux (also in a much older post, but I intend to go back and revisit that device with the updated process at some point). I have reccently replaced my laptop (OfficeMax had a pretty impressive flash sale on a Gateway with an AMD quad core, and huge kudos to the OfficeMax in Kearney, NE for taking care of the customer incredibly well when the one I initially picked up had a dead left mouse button and a dead F10 key out of the box… literally zero hassle getting it replaced, great job to that team). Unfortunately the old laptop is still sitting on the desk next to the new one, soaking up space I don’t have. I need to make sure I have everything I’ve done on it in the past year and a half or so saved off and duplicate backup copies, as there are a couple of videos I’ve stored on there that are simply irreplaceable.
Time to get back into storage. I like my Dropbox (you should definitely sign up here if you don’t already have an account) and I recently got some additional temporary space when I bought my Samsung Galaxy S3, but my space is otherwise full and I won’t pay for more. I think ownCloud, an older version of which I reference briefly in the second linked post above, will prove quite suitable for this, especially in conjunction with my personal CA.
I brought my Linux-ified Pogo back online and hooked up a Seagate external drive I’ve had sitting around and been meaning to hook up for quite a while. I hooked it up to the Pogo unit and it was recognized as sdb. From there, I performed the following (as root) to create two, 1TB partions on the drive:
apt-get install parted
#confirm installation when prompted
parted -a optimal /dev/sdb
rm 2
rm 1
mkpart
#Answer prompts with label=OwnCloud, type=ext4, start=0%, end=50%
mkpart
#Answer prompts with label=Storage, type=ext4, start=50%, end=100%
quit
mkfs.ext4 /dev/sdb1
#I only created the OwnCloud partition at this time in the interest of saving time.
#Perform a similar command for sdb2
mkdir /mnt/owncloud
#Should edit /etc/fstab and add a line similar to the following for perpetuity:
#/dev/sdb1 /mnt/owncloud ext4 rw,relatime,data=ordered 0 0
#I did, and then rebooted to make sure everything came up/remounted as expected
From there, I proceeded with the installation of ownCloud on Debian as per the instructions on the site. I followed the link for Debian Linux, verified my version (cat /etc/debian_version) – I am on 7.1 so followed the 7.0 instructions with a few verifications.
echo 'deb http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/ /' >> /etc/apt/sources.list.d/owncloud.list
apt-get update
#Received the following error here:
#W: GPG error: http://download.opensuse.org Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 977C43A8BA684223
#Added the following steps, per http://en.kioskea.net/faq/809-debian-apt-get-no-pubkey-gpg-error
gpg --keyserver pgpkeys.mit.edu --recv-key 977C43A8BA684223
gpg -a --export 977C43A8BA684223 | apt-key add -
#Reran update to verify
apt-get update
#Success! I then noticed they had an equivalent answer in the next step :/ Oh well.
apt-get install owncloud
#Accept dependencies
Once installation completed, I opened a browser to the owncloud URL on the Pogo at http://<pogo_ip>/owncloud. Because I intend to make my access seamless whether I’m at home or connecting from the Internet at large, I have a few tricks I need to do yet. But first I finished up the basic configuration. I created my administrator account and password, hit the Advanced button and set my data directory to the /mnt/owncloud/data directory using the mountpoint I had created previously. The database was set at SQLite, so I left it for the time being. After submitting, I thought to check and found that there was an existing “data” directory in /var/www/owncloud with ownership www-data:www-data and ug+rwx, so I created a /mnt/owncloud/data directory with the same ownership and permissions. After refreshing the initial page and setting the final config again, things seemed to load properly this time around.
I set up a WebDAV connection from the Dolphin file browser and started transferring some of the files from the Linux laptop per the user manual. I experienced problems transferring a few of these files and remembered something about large file support, so I went back and took a look into that. The default max size looks to be 800MB and I didn’t have anything beyond that, so I tried a reboot; it took a long time to complete, but it seemed to work. I backed up the remaining files I had planned on, shut down the old laptop, and was able to get it out of the way.
I downloaded the Windows client on the new laptop and installed it. When installation was complete, I took a moment to pause and reconfigure a few things. As I plan to partially expose the ownCloud instance to the Internet and have it accessible from my smartphone, one of my first goals/low hanging fruit items for protecting it from a large chunk of port scans, hacks, and exploits is to change the web service to run on a non-default port number. I could simply do this externally, but then I would have to change my client settings whenever I was on my wifi connection. So instead I referenced changing the port number in Apache. I’ve done this a few times in the past, but I decided I would like to also maintain the ability to serve some pages on the standard HTTP port if I so decided later. I edited /etc/apache2/ports.conf and added an entry for my non-SSL port directly below the “Listen 80” directive, and for my SSL ports within the <IfModule mod_ssl.c> and <IfModule mod_gnutls.c> sections below the “Listen 443” directives in each of those sections. Rather than edit the “default” site file, I created a new site file at /etc/apache2/sites-available/owncloud, similar to the following. The port numbers and DNS names referenced are purposefully invalid as I’m not trying to create a honeypot; modify them appropriately for your configuration.
#unfortunately this isn't pasting correctly, so parts are missing. #Too late in the day for me to fix right now. ServerName owncloud.example.com DocumentRoot /var/www/owncloud ServerAdmin me@example.com Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all #ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ #<Directory "/usr/lib/cgi-bin"> #AllowOverride None #Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch #Order allow,deny #Allow from all # ErrorLog ${APACHE_LOG_DIR}/ownclouderror.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn
In the future I will also be creating an owncloud-ssl file in the same directory. This will definitely happen before I configure any phone synchronization over the public Internet. After restarting the apache service, I was able to access the ownCloud instance via http://owncloud_ip:newport#. I have a bit of DNS work to do on my router to make the naming work universally, from the Internet or my LAN. May document it up if there is any interest. I would have to say this install was pretty slick and that I’m likely to pay for the client for my Android.
http://nexus.zteo.com/blog/your-own-dynamic-dns-in-3-steps/
Interesting idea, perhaps provides a little bit of added flexibility (and reduced cost) compared to Dyn, though I don’t have any complaints about Dyn at this point. Also review the DDNS and TSIG articles on Wikipedia as well as RFC2136. Still thinking that perhaps a hybrid HTTPS method; would allow any web server one had available to potentially be able to serve as a receiver for the updates as long as it had at least enough outbound access to give the information to the BIND server, allowing for possibly a bit more obscurity in the update path; also wouldn’t require that whatever host received the update information not have BIND running (i.e., perhaps a web host) as long as it could establish an outbound communication to the BIND server – or write to some file that the BIND server could retrieve.
Interesting question therefrom – short of a VPS, is it possible to use client-side certificates to identify a client to a webserver? How about self-signed client certificates?