Building an A+ grade HTTPS web server with nginx

With security awareness rising and Google counting a site's HTTPS as a search ranking signal, more and more websites are adopting HTTPS to secure the channel between server and client. An earlier post, 10 web server online https/ssl testing services, listed services that help administrators test the security strength of a web server (note: the web server, not the web application). Among them, Qualys SSL Labs' SSL Server Test is currently a very popular one; its report and grading scheme are easy to understand. As of this writing (25 October 2015) the latest rating guide version is "2009j (20 May 2015)": grades run from A to F, and Protocol support, Key exchange and Cipher strength account for 30%, 30% and 40% of the score respectively. The details are in the SSL Server Rating Guide (PDF) from Qualys SSL Labs. Qualys SSL Labs also publishes an SSL/TLS Deployment Best Practices Guide, though it does not seem to have been updated recently; it is still at Version 1.4 / 8 December 2014.

For site administrators without a network-operations or security background, how do you effectively harden the server you run, and how do you improve the scores these tests report? Several people have been asking lately, and I could not find a Chinese-language guide on the subject, so I decided to share what little I know. One thing must be said up front: security and convenience have always been a trade-off. A strong password is built from varied character classes and enough length, which makes it hard to remember; server hardening is the same. Stronger settings will lock out users of Windows XP and Java 6, and if you still meet users on software that old, urge them to move to a newer platform...

First, something that barely affects this (HTTPS) grade but that readers may also want to deal with: the web server's response headers. See the earlier post "用Apache/nginx&PHP架網站要注意的安全事項" (security notes for sites built on Apache/nginx and PHP) on hiding unnecessary Server information. Then we get to the main topic: the server's security settings and how to "raise the score"!
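As an added example (not part of the original post), here is a small POSIX shell lint that checks an nginx server block for the settings behind the three score components above (protocol support, key exchange, cipher strength) and for the HSTS header that A+ additionally requires. Both configurations are constructed samples with hypothetical certificate paths; the hardened cipher list is only illustrative of what the rating guide rewards, not a recommendation copied from the post.

```shell
#!/bin/sh
# Added example (not from the original post): lint an nginx server block for
# the settings that drive the SSL Labs grade (protocol support, key exchange,
# cipher strength) and for the HSTS header that A+ additionally requires.

# Constructed sample: a typical weak TLS server block (paths are hypothetical).
WEAK_CONF='
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers off;
}'

# Constructed sample: the same block hardened (ECDHE only, so no DH params needed).
HARDENED_CONF='
server {
    listen 443 ssl;
    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}'

# directive CONF NAME: print NAME's arguments (text up to the terminating ';').
directive() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\);.*/\1/p"
}

# tls_lint CONF: print one finding per line; exit 0 only when there are none.
tls_lint() {
    conf=$1
    findings=0

    protos=$(directive "$conf" ssl_protocols)
    case " $protos " in
        *' SSLv2 '*|*' SSLv3 '*)
            echo "ssl_protocols: SSLv2/SSLv3 enabled (SSLv3 is vulnerable to POODLE)"
            findings=$((findings + 1)) ;;
    esac

    # Flag any suite/group in the list that is not negated with '!' and names
    # RC4, (3)DES, export, NULL or MD5 material.
    ciphers=$(directive "$conf" ssl_ciphers)
    old_ifs=$IFS; IFS=:
    for suite in $ciphers; do
        case $suite in
            '!'*) ;;
            *RC4*|*DES*|*EXPORT*|*NULL*|*MD5*)
                echo "ssl_ciphers: weak suite or group '$suite' enabled"
                findings=$((findings + 1)) ;;
        esac
    done
    IFS=$old_ifs

    if [ "$(directive "$conf" ssl_prefer_server_ciphers)" != on ]; then
        echo "ssl_prefer_server_ciphers: not 'on', so the client chooses the suite"
        findings=$((findings + 1))
    fi

    # A+ needs HSTS with a long max-age (SSL Labs expects at least six months).
    max_age=$(printf '%s\n' "$conf" | sed -n 's/.*Strict-Transport-Security.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo "HSTS: no Strict-Transport-Security header (required for A+)"
        findings=$((findings + 1))
    elif [ "$max_age" -lt 15768000 ]; then
        echo "HSTS: max-age $max_age is shorter than the six months expected for A+"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Run against both samples; for a real file: tls_lint "$(cat /etc/nginx/sites-enabled/example)"
echo "== weak";     tls_lint "$WEAK_CONF"     || echo "(fix the findings above, then re-test with SSL Labs)"
echo "== hardened"; tls_lint "$HARDENED_CONF" && echo "(no findings)"
```

The lint is deliberately stricter than the 2015 grading on one point: it does not complain about TLS 1.0/1.1 being enabled, because at the time that still left an A reachable, but it treats SSLv3, RC4 and a client-chosen cipher order as grade-affecting, which they were.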


Convert your Ubuntu/Debian between different versions, like Desktop to Server

There is a very useful tool on Debian/Ubuntu GNU/Linux called tasksel, which can "convert" a Debian/Ubuntu installation between flavours, for example from Desktop to Server, by installing or removing whole task groups of packages.

Install via apt-get/aptitude:

and run:

It will show you a menu like this:
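Beyond the interactive menu, tasksel can be driven non-interactively, which is safer when you are converting a box over SSH. The following is an added example (not from the original post) that plans a flavour switch from the output of tasksel --list-tasks, where each line starts with i (installed) or u (not installed); the task list is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): plan a desktop -> server switch
# from `tasksel --list-tasks` output and apply it non-interactively.

# Constructed sample of `tasksel --list-tasks` output: 'i' = installed, 'u' = not
# (the real output separates name and description with a tab).
SAMPLE_LIST='u kubuntu-desktop   Kubuntu desktop
i ubuntu-desktop    Ubuntu desktop
u server            Basic Ubuntu server
u openssh-server    OpenSSH server
u lamp-server       LAMP server'

# installed_tasks LIST: names of the tasks marked installed, one per line.
installed_tasks() {
    printf '%s\n' "$1" | awk '$1 == "i" { print $2 }'
}

# plan_switch LIST FROM TO: print the tasksel commands that turn FROM into TO,
# installing first (so connectivity tools are in place) and skipping anything
# already in the requested state.
plan_switch() {
    list=$1; from=$2; to=$3
    if ! installed_tasks "$list" | grep -qx "$to"; then
        echo "tasksel install $to"
    fi
    if installed_tasks "$list" | grep -qx "$from"; then
        echo "tasksel remove $from"
    fi
}

# apply_switch FROM TO: run the plan for real (needs root and tasksel installed).
apply_switch() {
    plan_switch "$(tasksel --list-tasks)" "$1" "$2" | while read -r cmd; do
        echo "+ $cmd"
        sudo $cmd
    done
}

# Dry run on the sample; for a real machine: apply_switch ubuntu-desktop server
echo "planned commands:"
plan_switch "$SAMPLE_LIST" ubuntu-desktop server
```

Review the plan before applying it: tasksel remove takes the whole desktop task's packages with it, so keep a second SSH session open and make sure openssh-server (or whatever you log in with) is not part of what goes away.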


Stop the annoying USB power autosuspend under GNU/Linux

Problem: on Linux Mint 17 the USB mouse gets powered off/suspended periodically whenever the notebook is not on AC power. Here is a quick fix that does not need a reboot:

For a permanent change, for example on Debian/Ubuntu based GNU/Linux, set the option on the usbcore module:

References:

Linux kernel Power Management for USB documentation:
https://www.kernel.org/doc/Documentation/usb/power-management.txt

How to disable auto power off of usb devices like usb mouse?
http://askubuntu.com/a/301416

Remotely shut down/restart Windows from a Debian/Ubuntu based Linux

You need the net command, which on Debian/Ubuntu is in the samba-common-bin package (it pulls in samba-common):
sudo apt-get install samba-common-bin

Then use this command to shut the computer down remotely (replace ip, username and password; the account needs the "Force shutdown from a remote system" right on the target):
net rpc shutdown --ipaddress ip --user username%password

Add -r if you want a restart instead of a shutdown:
net rpc shutdown -r --ipaddress ip --user username%password

Note that a password given as username%password is visible to every local user in ps output and lands in your shell history. Prefer --user username alone, which prompts for the password, or keep the credentials in a file readable only by you and pass it with --authentication-file. For a graceful shutdown that warns logged-in users, add -t seconds and -C "message".

Success message:

Shutdown of remote machine succeeded

These messages mean the attempt failed:

  • Could not connect to server 192.168.1.55 (host down, or TCP port 445 filtered by the Windows firewall)
  • Connection failed: NT_STATUS_IO_TIMEOUT (same causes; the connection hung until the timeout)
  • Connection failed: NT_STATUS_RESOURCE_NAME_NOT_FOUND (typically the target name could not be resolved; try the IP address)
  • Could not initialise pipe winreg. Error was NT_STATUS_OBJECT_NAME_NOT_FOUND (the shutdown call goes over the winreg pipe, so this typically means the Remote Registry service is not running on the target)

net rpc provides many subcommands besides shutdown, for example:

net rpc audit Modify global audit settings
net rpc info Show basic info about a domain
net rpc join Join a domain
net rpc oldjoin Join a domain created in server manager
net rpc testjoin Test that a join is valid
net rpc user List/modify users
net rpc password Change a user password
net rpc group List/modify groups
net rpc share List/modify shares
net rpc file List open files
net rpc printer List/modify printers
net rpc changetrustpw Change trust account password
net rpc trustdom Modify domain trusts
net rpc abortshutdown Abort a remote shutdown
net rpc shutdown Shutdown a remote server
net rpc samdump Dump SAM data of remote NT PDC
net rpc vampire Sync a remote NT PDC’s data into local passdb
net rpc getsid Fetch the domain sid into local secrets.tdb
net rpc rights Manage privileges assigned to SID
net rpc service Start/stop/query remote services
net rpc registry Manage registry hives
net rpc shell Open interactive shell on remote server
net rpc trust Manage trusts
net rpc conf Configure a remote samba server

See man net (the subcommands are documented in the net(8) manual page; there is no separate rpc page) for more detail!

Build Chromium OS from source [notes]

Environment: Ubuntu Server 14.04.2 LTS x86_64 on a Xeon E3-1230 V2 with 8 GB of RAM

Reference: Chromium OS Quick Start Guide

Step by step:

Install the necessary packages:

Install depot_tools:

Add depot_tools to your PATH:

Tweak sudoers config:

Create directory for chromiumos:

Get the source code:

Create (and enter) a chroot (still in the chromiumos directory):

Choose a board you want to build for, from ~/trunk/src/overlays, and export it to environment:

(I selected the amd64 arch)
Set up the board:

Set up the password:

(If you want to configure the kernel, you can do it now via ~/trunk/src/third_party/kernel/v3.4/chromeos/scripts/kernelconfig; replace v3.4 with your kernel version.)
Build the packages:

Build the image (we are almost there):

Copy the image to a USB drive:

or copy it to a file:

or create an image for a virtual machine
(the default is KVM; for other VMs pass --format=vmware or --format=virtualbox):

(the image will be at ~/trunk/src/build/images/${BOARD}/latest/)

If you copied the image to a file, you can write it to a USB disk with dd like this:

Then you can boot a computer from this USB disk.

If you get a kernel panic, you may need to press Esc and try this command to boot

(X may be a through e)

If you want to install Chromium OS to your hard disk, try this command once the USB disk has booted:

PS: it will wipe your disk!!!
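Both the dd step and the install step wipe whatever disk they are pointed at, and the usual accident is writing the image over the wrong /dev/sdX. As an added example (not part of the original notes), here is a guard around the dd step that only proceeds when the target is a whole, removable, unmounted disk. The sysfs and mounts paths are parameters so the checks can be tested against a scratch directory; the image path is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original notes): refuse to dd an image anywhere
# except a removable, unmounted, whole disk named like /dev/sdX.

# is_removable DEV [SYSFS]: /sys/block/<dev>/removable is 1 for USB sticks.
is_removable() {
    name=${1##*/}
    [ "$(cat "${2:-/sys}/block/$name/removable" 2>/dev/null)" = 1 ]
}

# is_mounted DEV [MOUNTS]: true if the disk or any of its partitions is mounted.
is_mounted() {
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# write_image IMG DEV [SYSFS] [MOUNTS]: run every check, then dd. Distinct return
# codes make the refusal reason visible to a calling script.
write_image() {
    img=$1; dev=$2; sysfs=${3:-/sys}; mounts=${4:-/proc/mounts}
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 2; }
    case $dev in
        /dev/sd?[0-9]*) echo "refusing: $dev is a partition, give the whole disk" >&2; return 3 ;;
    esac
    is_removable "$dev" "$sysfs" || { echo "refusing: $dev is not a removable disk" >&2; return 4; }
    if is_mounted "$dev" "$mounts"; then
        echo "refusing: $dev (or a partition of it) is mounted; umount it first" >&2
        return 5
    fi
    echo "writing $img to $dev (this wipes the disk)"
    sudo dd if="$img" of="$dev" bs=4M && sync
}

# Usage (hypothetical paths): write_image ~/chromiumos_image.bin /dev/sdb
```

Run lsblk first to confirm which sdX is the stick; the removable flag rejects internal SATA disks, and the mounted check catches the common case where the desktop auto-mounted the stick when it was plugged in.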

I don't know why it keeps hitting a fatal segmentation fault and hanging, but it does work on my Acer Aspire One D150, a very old notebook. The performance is not great, and I couldn't figure out how to remap the keyboard (it has three broken keys, orz...), so I just gave up, ha!

Only two screenshots this time, taken with my low-end phone: ChromiumOS and ChromiumOS2.