HOWTO setup your very own Jabber server…

XMPP (aka Jabber) in combination with OTR is a secure way to chat with others. There are some public servers available, but their popularity centralizes the infrastructure and leaves single points of failure. A recent example is Chaos Computer Club’s Jabber server (jabber.ccc.de), which was down for some days between Christmas and New Year’s 2014/2015 as a consequence of a DoS attack.

I’ve been setting up a Jabber server of my own on my Raspberry Pi. Here is how you can too:

Cheap and Free SSL/TLS Certificates…

I was recently pointed to a website where one can get really cheap SSL certificates (thanks, Oliver).
They sell certificates signed by GeoTrust, Comodo, RapidSSL, Thawte and Symantec. As CheapSSLSecurity is a major reseller, they can offer a really low price. If you take a 3-year certificate, you get as low as 5$/year.

I am aware that there is an offer for FREE SSL certificates out there. The drawback, however, is that they are free to get but cost 25$ to be revoked.

There are also efforts on the way to make encryption free and easy to use: Let’s Encrypt is a free and automated open-source certification authority. Their plan is to offer free certificates in summer 2015.
If you can wait for this service, it should be the cheapest option. To learn more about Let’s Encrypt, watch the talk that was given at 31c3 (magnet link).

And of course there is CAcert. They are a community-driven assurer, which I’ve been using for many years. However, they have not yet managed to be included in popular web browsers. Using their certificates will likely trigger warnings with normal desktop setups. Their certificates are free, and depending on your involvement they grant certificates for up to two years.

Personally I’m using CAcert for most certificates, but whenever a broader audience should be able to connect without warnings these certificates become cumbersome. This blog is using a Comodo certificate via cheapsslsecurity.

Update 2015-01-03 14:00: added the Let’s Encrypt video from 31c3.

Update 2015-01-16 12:30: A user comment pointed at www.cheapsslshop.com, which seems even cheaper at $3.5/year, with a New Year’s discount code (“CMDXMAS50”). Thanks.

Fixing brushes of the iRobot…

I’ve been using the same old brushes for more than a year now on our “Profimaster Robot Model 2712”. They are a little misdesigned, as the brushes go under the wheels of the robot, which makes them tear.

I fixed the brushes with some Sugru™ and bristles from a simple wallpaper brush, which I used to hang the OpenStreetMap wallpaper.

Here are the pictures of the build and a video of the result:

Fail2ban country statistics…

I was lucky enough to seize a “Raspberry Pi Colocation” slot for my Raspberry Pi.

To secure it further I just recently installed fail2ban.
The software basically detects failed login attempts and blocks the IP for some limited time in the future. This prevents exhaustive password guessing against server logins.

I was interested in the password-guessers’ country of origin. Now I can confirm, at least for my Raspberry Pi, that most attacks come from China.
110 CN
2 UA
2 RU
2 DE
1 VN
1 PE
1 KR
1 CZ
1 BD

The quick and dirty command for this looks like this (you need to have ‘whois’ installed):

# Look up the country of every unique banned IPv4 address via whois
for ip in $(sudo grep -oE '[Bb]an [0-9]+(\.[0-9]+){3}' /var/log/fail2ban.log | cut -d ' ' -f 2 | sort -u); do
    echo "$ip"; whois "$ip" | grep -i -m 1 'country:' >> fail2ban_ctry.log
done
# Count the results per country, most frequent first
sed -E 's/^.*[Cc]ountry:[[:space:]]*//' fail2ban_ctry.log | sort | uniq -c | sort -nr
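
The one-liner above treats Ban and Unban lines alike and only yields unique addresses. As an added example (not part of the original post), the following counts actual Ban events per jail and address, which shows repeat offenders and gives a deduplicated list to feed to whois. The function names are hypothetical, and the sample log lines are constructed, assuming the "[jail] Ban <address>" line layout.

```shell
#!/bin/sh
# Constructed sample lines (RFC 5737 documentation addresses), assuming the
# "[jail] Ban <address>" layout of fail2ban's actions log.
sample_log() {
    cat <<'EOF'
2015-01-03 12:01:15,123 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2015-01-03 12:11:15,456 fail2ban.actions: WARNING [ssh] Unban 203.0.113.5
2015-01-03 12:30:02,001 fail2ban.actions: WARNING [ssh] Ban 198.51.100.7
2015-01-03 12:31:40,900 fail2ban.actions: WARNING [ssh] 198.51.100.7 already banned
2015-01-03 13:02:44,010 fail2ban.actions: WARNING [ssh] Ban 203.0.113.5
2015-01-03 13:12:44,300 fail2ban.actions: WARNING [ssh] Unban 203.0.113.5
2015-01-04 08:15:00,777 fail2ban.actions: WARNING [apache] Ban 203.0.113.5
EOF
}

# ban_counts [FILE...]: print "COUNT JAIL ADDRESS" per Ban event, most-banned first.
# Reads standard input when no file is given.
ban_counts() {
    awk '{
        # Only the exact token "Ban" directly after a bracketed jail name counts,
        # so "Unban" and "already banned" lines are skipped.
        for (i = 2; i < NF; i++)
            if ($i == "Ban" && $(i - 1) ~ /^\[.*\]$/) {
                jail = substr($(i - 1), 2, length($(i - 1)) - 2)
                count[jail " " $(i + 1)]++
            }
    }
    END { for (k in count) print count[k], k }' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# banned_ips [FILE...]: unique banned addresses, one per line (one whois lookup each).
banned_ips() {
    ban_counts "$@" | cut -d ' ' -f 3 | LC_ALL=C sort -u
}

sample_log | ban_counts
```

On a real system, run it as `sudo cat /var/log/fail2ban.log | ban_counts`.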

Murstrom Podcast…

Just a short announcement:

I have started podcasting.
The podcast I contribute to is called mur.strom. We discuss various topics in technology and society and broadcast at irregular intervals. The first episode with me as co-host is episode 13. I appeared once as a guest in episode 3. Our works can be downloaded from the website under the CC-BY Creative Commons license and may of course be distributed freely on the net (with attribution). So we are of course happy if you download our podcast via BitTorrent and offer it for download. :)

If you would like to listen regularly, I can recommend the Android app AntennaPod. It lets you ‘listen’ to our podcast feed automatically. Just enter the mur.strom URL and subscribe. Enable automatic downloads in the settings, and the latest episodes will automatically be on your phone, ready to play whenever you have time to listen to them.

The current episode, the first one with me, covered Bitcoin, the online money that is currently in great demand. You can download the episode from the podcast website. Here is the direct link to the Bitcoin episode. And for all torrent friends: here is the magnet link to the current Bitcoin episode. Anyone who has topic suggestions or wants to be an interview partner on an exciting topic is welcome to get in touch with me.

The next episode is already recorded and should be released soon. Enjoy listening.

Hetzner Root Server Networking Configuration…

I’ve been setting up a new server at hetzner.de.
I ran into problems when configuring the network. The server is running Debian (wheezy).

hetzner network info
Note the last line: “The additional route to the gateway is now no longer necessary.” Not only that: it will not work.

The basic configuration looked like this:

## /etc/network/interfaces example Hetzner root server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# LAN interface
auto eth0
iface eth0 inet static
# Main IP address of the server
address 192.168.0.250
# Netmask 255.255.255.255 (/32) independent from the
# real subnet size (e.g. /27)
netmask 255.255.255.255
# explicit host route to the gateway
gateway 192.168.0.1
pointopoint 192.168.0.1

This should work, as mentioned in the Hetzner DokuWiki.

I added DNS servers at the end (use your DNS servers here or pick an open DNS server)

dns-nameservers X.X.X.X Y.Y.Y.Y

at the end, since I have resolvconf installed.
eth0 did not come up correctly.

When trying ‘ifdown eth0; ifup eth0’ I kept getting:
ifdown: interface eth0 not configured
RTNETLINK answers: File exists
Failed to bring up eth0.

This error would show up at boot time or when trying to start eth0 by hand.
The setup would look fine otherwise: the IP was correct and the network seemed to work, but the DNS servers were not added correctly. Weird!

‘ifdown --force eth0; ifup eth0’ worked. The server went off for a second but came back, with the DNS servers set up correctly. Interesting!

I started to comment out lines from /etc/network/interfaces.
Et voilà!

It turns out: It is deadly to try to configure ‘gateway’ in /etc/network/interfaces!

Finally I used this:

## /etc/network/interfaces working Hetzner root server
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.0.250
netmask 255.255.255.255
# next line optional
network 192.168.0.0
## never EVER use the next line! you have been warned!
## gateway 192.168.0.1
pointopoint 192.168.0.1
dns-nameservers X.X.X.X Y.Y.Y.Y

I hope this post will save others some time to fix this issue with their setup.

Tech, Food, Life