HOWTO setup a very secure webserver

When getting started with Linux and open source software, running websites was one of the first things I learned how to do. Of course, with the way software evolves, I’m still learning new ways to better secure, encrypt and protect web assets. Recently I wanted to build a new project and decided I wanted to use OpenBSD, arguably the most secure operating system out of the box. While years ago I switched to FreeBSD for web and mailserver handling, OpenBSD is just more stringent about how it presents things. There’s more to learn, sure, but that’s all part of the fun. Now, if you look around, normal VPS options like DigitalOcean and Linode won’t allow you to run OpenBSD, but with Vultr (affiliate link) you can use any ISO you can point to. They have a $5/month option, but they give you 768M RAM versus the 512M that you get from most other VPS providers for that price. With that decided, I ran through the install using their console and was up and running in no time. Now for the fun part: let’s ssh to the server and set up a very secure webserver!

Does your employer run SSL MiTM attacks on you?

TL;DR: companies are buying appliances that run SSL MiTM (Man in The Middle) attacks against their users, decrypting sessions on the fly without the user’s knowledge. You should find out if this is happening to you. As a self-described privacy advocate, I consider myself pretty cognizant of when I might be under some sort of network surveillance; I know what to look for, and enjoy understanding ways to avoid it (often by not visiting certain sites from certain networks), but one day I hit something that surprised me.

HOWTO retrieve email with fetchmail and forward it on with procmail

I’m starting a new gig Monday, so I got a new email address for use while I work there. Now of course, I have many, many email addresses, but thanks to Google Apps, I still check them all through a Gmail frontend, and can ‘send as’ any address I want, which makes it almost seamless to integrate new email accounts. However, today we hit a snag: whereas my last client offered to simply forward my mail to another address, the new one wouldn’t, with something about auditing as their reason, which I can completely understand, as long as they understand that having to check email via multiple clients just won’t scale.