Security of remote servers

Here is another example of bad randomness practices that lead to pretty serious issues (something like $15000 stolen).

The interesting part, besides the bad programming practice of writing your own random function, is that the vulnerability is outside of the server. In a way, it’s similar to the “physical access” vulnerability. And even if your hoster does not have a “rescue boot” system, datacenters are not invulnerable to theft (it actually happened more than once). This is why you should use encrypted partitions for your important data, even on remote servers.


GPG encryption to multiple recipients

It is a little-known feature of GPG: you can encrypt files to multiple recipients.
Since the data is encrypted only once, with an intermediary key that is in turn encrypted for each recipient, the resulting file is not that much bigger.

While it is mostly used for e-mails, I am currently using it for encrypted backups.
After all, one of the issues with encrypted backups is that if you lose the key, you can’t decrypt them, and only one person can decrypt them anyway (and you can’t back up people yet).

My goal was not to be a single point of failure for the newly founded Association Weboob. The result is that, while our user database is hosted on my server, it is backed up outside of it and three people (members of the board) can decrypt it.

To use that feature, just provide the --recipient option multiple times, for example:

gpg --recipient 42FF42FF \
    --recipient 12345678 \
    --recipient FEFEFEFE \
    --encrypt-files backup.tar
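
To confirm that a backup really was encrypted to every intended key, the recipient list can be read back from the encrypted file without decrypting it. The following is an added example, not part of the original post; the function names are hypothetical, and the key IDs and packet listing are constructed samples.

```shell
#!/bin/sh
# Each recipient of an OpenPGP file appears in `gpg --list-packets` output as
#   :pubkey enc packet: version 3, algo 1, keyid <16 hex digits>
# That key ID belongs to the encryption subkey, which usually differs from the
# primary key ID given to --recipient (see `gpg --list-keys --keyid-format long`).

# Constructed sample listing for a file encrypted to two keys (not real keys).
SAMPLE_LISTING=':pubkey enc packet: version 3, algo 1, keyid 1111111111111111
    data: [2047 bits]
:pubkey enc packet: version 3, algo 1, keyid 2222222222222222
    data: [2048 bits]
:encrypted data packet:
    length: unknown
    mdc_method: 2'

# recipients_in_listing: read a packet listing on stdin and print the
# recipient key IDs, upper-cased, one per line, without duplicates.
recipients_in_listing() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*$/\1/p' |
        tr 'a-f' 'A-F' | sort -u
}

# missing_recipients LISTING KEYID...: print every expected key ID that is
# absent from LISTING. Exit status is 0 when none are missing, 1 otherwise.
# Recipients hidden with --throw-keyids show up as 0000000000000000 and are
# therefore reported as missing, which is the safe outcome for a backup check.
missing_recipients() {
    listing=$1; shift
    found=$(printf '%s\n' "$listing" | recipients_in_listing)
    missing=""
    for want in "$@"; do
        want=$(printf '%s' "$want" | tr 'a-f' 'A-F')
        printf '%s\n' "$found" | grep -qxF "$want" || missing="$missing$want
"
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# Demo on the constructed sample: the third expected key is not a recipient.
# On a real file the listing would come from:
#   gpg --batch --list-only --list-packets backup.tar.gpg 2>/dev/null
missing_recipients "$SAMPLE_LISTING" \
    1111111111111111 2222222222222222 3333333333333333 ||
    echo "backup is NOT readable by all expected recipients" >&2
```

Run after each backup, a non-zero exit status flags an archive that one of the intended key holders could not decrypt.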

ISPs: raw speed vs. connectivity

I chose my current ISP on one criterion only: speed, especially upload speed. It’s Numericable fake fiber, i.e. fiber to the building. I really don’t care about the so-called “100 mega” download speed, but the upload speeds are at least 5 times higher than standard DSL.
However, you don’t get access to the Internet. Dynamic IPv4, no IPv6, “no server allowed” (whatever that means), SMTP blocks, QoS, etc. isn’t Internet.

The logical step was to use my OVH server as a VPN, especially since it has unmetered bandwidth, IPv6, and I already pay for it. I just ran some tests and it’s actually faster going through the VPN! This is seriously broken.

44 down / 4.3 up / 49 ms
64 down / 12.3 up / 29 ms

Now, there are some biases; I get varying results depending on the test servers I’m using. Also, the pings to servers that matter to me are usually around 7 ms without the VPN, and the VPN can add another 7 ms, which is not negligible.

Moreover, using the OVH server IP space has downsides. Some websites give me different treatments. MySpace.com has the funniest behavior: it redirects any request to http://www.google.com/. Another website gave me an explicit message like “no servers allowed”. Some just block everything.
