Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: cpanel

  • cPanel ❤️ DreamObjects

    This is something I’ve wanted for a long time. I opened a ticket with cPanel about it yonks ago: S3-compatible object storage (DreamObjects is built on Ceph) is offered by more than just Amazon, and yet cPanel was making it super hard to use anything other than Amazon S3 for backups.

    Well in the next release of cPanel, this will no longer be the case! If you’re on version 74 (which is in release stage, but not current, so most people do not have it yet) you can do this.

    Add A New Backup Option

    Go to Home > Backups and open up the settings.

    In there, you can add a new Backup option. Pick S3 Compatible:

    Backing up from cPanel to DreamObjects will soon be a reality.

    Configure for DreamObjects

    Now just throw in the right data:

    You’ll want to use objects-us-east1.dream.io for the endpoint, and then your bucket and keys. Create a key pair just for this job and treat it like a root password: those backups contain every account on the box.

    Back it Up

    And with that you’re done. Thank you, cPanel!

  • Drop DES Ciphers

    My (former) coworker read my recent post about the forward secrecy and noted the following:

    @p0pr0ck5: you really ought to get rid of the DES ciphers too.

    As it happened I was looking into that!

    What Is DES?

    DES stands for Data Encryption Standard. It’s a symmetric-key block cipher with a 56-bit key. Symmetric means the same key both encrypts and decrypts; block cipher means it works its magic on a whole 64-bit block of data at a time, rather than one bit or byte at a time the way a stream cipher does.

    Back in the 1970s, the National Bureau of Standards (in the US) put out a public call for an encryption standard because it occurred to them that protecting government data was a good idea. A bunch of brains sent in proposals, and of them IBM (yes, that IBM) came up with the winner, which was published as the standard in 1977.

    What’s the Problem?

    It’s 2017, not 1977, and computers are a great deal faster. First off, 56-bit keys are far too small. AES, the current standard, uses 128-, 192- or 256-bit keys. Symmetric encryption itself is not the problem: AES is symmetric too, and it is what actually protects the bytes in a TLS session. What we don’t do anymore is send the symmetric key across the same channel we’re about to encrypt, which is dangerous and easy to snipe. The session key is agreed with an asymmetric key exchange (RSA, or better, ephemeral Diffie-Hellman), and the symmetric cipher takes over from there. The weak link in a DES suite is the 56-bit key, not the symmetry.

    Back in the late 1990s, a purpose-built machine (the EFF’s Deep Crack, working with distributed.net) found a DES key in about 22 hours. Today a rented cluster of cloud GPUs or FPGAs can search the entire 56-bit keyspace in about a day for a few thousand dollars, and for a batch of card data that is easily worth it.

    Oh and if you’ve heard of 3DES and are wondering if that’s better, it is, but not enough. Triple DES runs DES three times for an effective 112-bit key, which fixes the key size, but it keeps DES’s 64-bit block. After about 2^32 blocks on one connection, repeated ciphertext blocks start leaking plaintext to a birthday attack (this is Sweet32, published in 2016), and a long-lived HTTPS session can get there. That is why 3DES is being retired from TLS. The Target hack in late 2013 gets cited here a lot, but it’s a bad example: the stolen PIN data was 3DES-encrypted and, by Target’s account, the key itself wasn’t taken. The case against 3DES is the block size, not one breach.

    Why Did You Have It?

    Because Windows XP is a sack of shit and up until last year, I had to support it.

    Seriously, that was it. Now that everyone I know who used XP (and NT) is on a modern OS (or blocked from the server… or dead) I don’t have to worry so much.

    How Do We Ditch It?

    Remember, these are the default ciphers:

    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    

    In there you have the following: ECDHE-ECDSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, and DES-CBC3-SHA

    I already have !DES in my cipher suite (as I posted a few days ago), but that does nothing about 3DES: in OpenSSL’s cipher-string syntax, DES matches only single-DES suites, and triple DES has its own keyword, 3DES. So the four suites above have to come out of the explicit list (or be excluded with !3DES). And since the Pre Main Include section carries its own copy of the list, its SSLCipherSuite value has to change to match!

    When I tested, I noticed that I was still pulling a TLS suite with 3DES: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

    To fix that, I dropped the 3DES names from the explicit list and changed the trailing HIGH to +HIGH:+MEDIUM:-LOW. A bare HIGH appends every suite OpenSSL classes as high-strength, and on OpenSSL 1.0.x that class still includes 3DES (1.1.0 demoted it to MEDIUM), which is how it kept coming back; +HIGH and +MEDIUM only reorder suites already in the list and add nothing. That gave me the following:

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4:!DSS
    

    The -LOW at the end removes the low-strength (56- and 64-bit) suites. It is not what keeps anonymous ciphers out; !aNULL does that. Mind the difference between - and ! too: -LOW removes suites but a later keyword could add them back, while !aNULL and friends remove them for good.
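    To see why !DES leaves DES-CBC3-SHA alone, why a bare HIGH keeps re-adding 3DES, and what + and - really do, here is a small model of OpenSSL’s cipher-string evaluation. This is an added example, not code from the original post or from OpenSSL or cPanel: the table is a hand-picked slice of what openssl ciphers -v prints on OpenSSL 1.0.x (3DES classed as HIGH), and the evaluator follows the operator rules from ciphers(1). Real OpenSSL has hundreds of suites and many more aliases; anything outside this table raises.

```python
"""Model of how OpenSSL evaluates a cipher string, over a small built-in table.

Added example, not OpenSSL or cPanel code. The table mirrors OpenSSL 1.0.x
classification (3DES still HIGH); the evaluator follows ciphers(1).
"""
from typing import Callable, Dict, List, NamedTuple


class Cipher(NamedTuple):
    name: str
    kx: str        # key exchange: RSA, DH (ephemeral), ECDH (ephemeral)
    auth: str      # RSA, or None for anonymous suites
    enc: str       # AESGCM, AES, 3DES, DES, RC4, None
    strength: str  # HIGH, MEDIUM, LOW, EXPORT, eNULL


CIPHERS: List[Cipher] = [
    Cipher("ECDHE-RSA-AES256-GCM-SHA384", "ECDH", "RSA",  "AESGCM", "HIGH"),
    Cipher("ECDHE-RSA-AES128-SHA",        "ECDH", "RSA",  "AES",    "HIGH"),
    Cipher("DHE-RSA-AES128-SHA",          "DH",   "RSA",  "AES",    "HIGH"),
    Cipher("AES128-SHA",                  "RSA",  "RSA",  "AES",    "HIGH"),
    Cipher("ECDHE-RSA-DES-CBC3-SHA",      "ECDH", "RSA",  "3DES",   "HIGH"),
    Cipher("DES-CBC3-SHA",                "RSA",  "RSA",  "3DES",   "HIGH"),
    Cipher("RC4-SHA",                     "RSA",  "RSA",  "RC4",    "MEDIUM"),
    Cipher("DES-CBC-SHA",                 "RSA",  "RSA",  "DES",    "LOW"),
    Cipher("EXP-DES-CBC-SHA",             "RSA",  "RSA",  "DES",    "EXPORT"),
    Cipher("ADH-AES128-SHA",              "DH",   "None", "AES",    "HIGH"),
    Cipher("NULL-SHA",                    "RSA",  "RSA",  "None",   "eNULL"),
]

# The ciphers(1) aliases the post's strings use, as predicates on a Cipher.
ALIASES: Dict[str, Callable[[Cipher], bool]] = {
    "ALL":    lambda c: c.enc != "None",        # everything except the eNULL suites
    "HIGH":   lambda c: c.strength == "HIGH",
    "MEDIUM": lambda c: c.strength == "MEDIUM",
    "LOW":    lambda c: c.strength == "LOW",
    "EXPORT": lambda c: c.strength == "EXPORT",
    "EXP":    lambda c: c.strength == "EXPORT",
    "DES":    lambda c: c.enc == "DES",         # single DES only ...
    "3DES":   lambda c: c.enc == "3DES",        # ... triple DES is a separate alias
    "RC4":    lambda c: c.enc == "RC4",
    "aNULL":  lambda c: c.auth == "None",
    "eNULL":  lambda c: c.enc == "None",
    "ADH":    lambda c: c.kx == "DH" and c.auth == "None",
    "kEDH":   lambda c: c.kx == "DH",           # ephemeral DH, authenticated or not
    "SSLv2":  lambda c: False,                  # no SSLv2 suites in this table
}


def expand(cipher_string: str) -> List[str]:
    """Return the suite names a cipher string selects, in the order they are offered.

    Operator rules, per ciphers(1):
      word   append matching suites not already present, to the end
      -word  remove matches from the current list (a later word can re-add them)
      +word  move matches already in the list to the end; adds nothing
      !word  remove matches permanently; nothing later can bring them back
    """
    by_name = {c.name: c for c in CIPHERS}
    current: List[Cipher] = []
    killed = set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        if word in by_name:
            matches = [by_name[word]]
        elif word in ALIASES:
            matches = [c for c in CIPHERS if ALIASES[word](c)]
        else:
            raise ValueError(f"not in this model: {word}")
        if op == "!":
            killed.update(c.name for c in matches)
            current = [c for c in current if c.name not in killed]
        elif op == "-":
            current = [c for c in current if c not in matches]
        elif op == "+":
            moved = [c for c in current if c in matches]
            current = [c for c in current if c not in matches] + moved
        else:
            for c in matches:
                if c.name not in killed and c not in current:
                    current.append(c)
    return [c.name for c in current]


if __name__ == "__main__":
    # !DES leaves triple DES alone; !3DES is the keyword that removes it.
    print(expand("ECDHE-RSA-AES128-SHA:DES-CBC3-SHA:!DES"))
    print(expand("ECDHE-RSA-AES128-SHA:DES-CBC3-SHA:!3DES"))
    # A bare HIGH appends every HIGH suite (3DES and anonymous DH included on 1.0.x) ...
    print(expand("ECDHE-RSA-AES128-SHA:HIGH:!DES"))
    # ... while +HIGH only reorders what is already there.
    print(expand("ECDHE-RSA-AES128-SHA:AES128-SHA:+HIGH:+MEDIUM:-LOW"))
    # The string from the "Killing RC4" post: RC4 goes, 3DES stays, and !kEDH drops DHE.
    print(expand("ALL:!ADH:!RC4:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"))
```

    Run the last case and note two things the string from the RC4 post does that its author did not set out to do: it still offers both 3DES suites (because -LOW and !RC4 never touch them), and !kEDH throws away every DHE suite, so the only forward secrecy left comes from ECDHE. The real check on a live box is openssl ciphers -v ‘<your string>’, which prints the same kind of expansion for the OpenSSL actually installed.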

  • cPanel and Two-Factor Authentication

    I’m talking a lot about security. There are reasons for that. If you’re not keeping your online behavior safe, you’re in for some headaches. Two-Factor Authentication (TFA or 2FA) is one of the better solutions as it protects you by requiring both a password and something you physically have (typically a phone running an authenticator app) in order to log in.

    WebHost Manager (the admin part of a cPanel server) has this.

    Let’s Do This Thing!

    Go to WHM Home » Security Center » Configure Security Policies and check the box for Two-Factor Authentication.

    Set TFA for cPanel

    Next, go to Home » Security Center » Two-Factor Authentication and move the slider to enable:

    Enable TFA

    Click on the tab for “Manage My Account” and set up TFA for your root account.

    The Problem….

    Oh there’s a problem? Yeah, and it’s the age old problem of TFA. You can’t enforce it. I mean, you can’t turn it on for everyone and walk away singing the praises of your success. You have to turn it on as each user. That means they have to turn it on. You can’t even require it.

    None of that means you shouldn’t do it. Everyone should do use TFA for their server connections. I use it for my servers and for my Gmail accounts. Protect yourself.

    Extra Credit

    Did you know you could turn on TFA for APIs on your server as well? Yeah.

  • SSL Security: Forward Secrecy

    Forward secrecy is about protecting the past. A connection that has it agrees its session key through a fresh, throwaway key exchange (ephemeral Diffie-Hellman, which is what the DHE and ECDHE suites do), and the server’s long-term private key is only used to sign that exchange. So if the server’s key is stolen next year, traffic somebody recorded today still can’t be decrypted: the keys that protected it were never derived from the server key and no longer exist. Without it (plain RSA key exchange) the session key is encrypted to the server’s key, and one leaked key unlocks every recorded session.

    “You’re constantly generating new keys for new messages,” says Nadim Kobeissi, the creator of Cryptocat, an instant messaging app that was an early adopter of perfect forward secrecy. That means if a user’s device is stolen or hacked and eavesdroppers steal a decryption key, it doesn’t matter. “The latest message gets compromised, but any message prior to that message or after it can’t be decrypted,” Kobeissi says.

    This is a good thing to have on your own server, as it means that if your private key is ever compromised, only the sessions an attacker can actively intercept from then on are at risk; the ebook sales they recorded last month stay sealed. No one else gets hacked. You minimize damage considerably.

    Let’s do this thing!

    On Monday we killed off RC4 by going to WHM Home » Service Configuration » Apache Configuration » Global Configuration and changing the cipher suite to this: ALL:!ADH:!RC4:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

    In order to properly offer forward secrecy, we have to reorder things. Instead of using ALL, which calls in everything in whatever order OpenSSL likes, we put the ECDHE and DHE suites first, the non-forward-secret RSA key-exchange suites last as a fallback for old clients, and omit the ones we don’t want. That gives us this:

    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
    

    Awesome. Once we set that, and restart Apache, we go to Service Configuration » Apache Configuration » Include Editor » “Pre Main Include” and pick ‘All Versions’ from the drop down. I’ve edited this section before, when adding HSTS support. But then I edited pre_virtualhost_global.conf (“Pre VirtualHost Include”). This is just a different section.

    In the Pre Main Include section, put this:

    SSLProtocol all -SSLv3 -SSLv2
    SSLHonorCipherOrder On
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
    

    The SSLProtocol line enables every protocol version Apache supports except SSLv3 and SSLv2 (the minus signs remove them), so you get TLS 1.0 and up. SSLHonorCipherOrder then makes the server, not the client, pick the cipher, which is what makes our preference order mean anything: without it, a client that lists AES128-SHA first gets a non-forward-secret session even though we offer ECDHE.

    Restart Apache and you’re done.
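    A quick way to check a preference list before pasting it into the Pre Main Include is to audit the explicit suite names for key exchange. This is an added example, not code from the original post: it classifies OpenSSL suite names by their prefix (ECDHE-, DHE- and EDH- are ephemeral exchanges; a name with no key-exchange prefix, like AES128-SHA, is RSA key transport), checks that every forward-secret suite precedes every non-forward-secret one, and flags any 3DES left in. check_live_server() applies the same classification to a real handshake; it needs network and is not exercised here.

```python
"""Audit an Apache SSLCipherSuite preference list for forward secrecy.

Added example, not code from the original post. Works on OpenSSL suite names only.
"""
import socket
import ssl
from typing import Dict, List

# The preference list from the post, copied here so the audit has real input.
POST_CIPHER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
)


def key_exchange(suite: str) -> str:
    """Classify an OpenSSL suite name by key exchange."""
    if suite.startswith("TLS_"):            # TLS 1.3 suites: always ephemeral (EC)DHE
        return "TLS1.3"
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith(("DHE-", "EDH-")):  # EDH is OpenSSL's older spelling of DHE
        return "DHE"
    return "RSA"                            # premaster secret encrypted to the server key


def is_forward_secret(suite: str) -> bool:
    return key_exchange(suite) != "RSA"


def explicit_suites(cipher_list: str) -> List[str]:
    """Keep only explicitly named suites, in the order written. Tokens starting with
    ! - + @ are operators, and a bare token without a hyphen (HIGH, ALL) is an alias;
    both are skipped, so this audits only the part of the list you wrote by hand."""
    return [t for t in cipher_list.split(":") if t and t[0] not in "!-+@" and "-" in t]


def audit(cipher_list: str) -> Dict[str, object]:
    suites = explicit_suites(cipher_list)
    fs = [s for s in suites if is_forward_secret(s)]
    non_fs = [s for s in suites if not is_forward_secret(s)]
    last_fs = max((suites.index(s) for s in fs), default=-1)
    first_non_fs = min((suites.index(s) for s in non_fs), default=len(suites))
    return {
        "forward_secret": fs,
        "not_forward_secret": non_fs,
        "fs_preferred": last_fs < first_non_fs,  # every FS suite before any RSA-kx suite
        "triple_des": [s for s in suites if "DES-CBC3" in s],  # 64-bit block cipher
    }


def check_live_server(host: str, port: int = 443) -> Dict[str, object]:
    """Handshake with a server and report what was negotiated. Needs network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return {"cipher": name, "protocol": version,
                    "forward_secret": is_forward_secret(name)}


if __name__ == "__main__":
    report = audit(POST_CIPHER_LIST)
    print("forward-secret suites listed first:", report["fs_preferred"])
    print("3DES suites still offered:", report["triple_des"])
```

    Against the list above it reports that the ordering is right (fourteen forward-secret suites ahead of seven RSA-exchange fallbacks) and that three 3DES suites are still on offer, which is exactly the loose end the later “Drop DES Ciphers” post ties up.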

    Testing it

    If you want to test, go to ssllabs.com/ssltest and you should see something that says A or A+. If you don’t have it right, you’ll max out at an A-.

    HalfElf.org is A+ Secured

    This site? It’s currently an A+, however that target is always moving. Keep safe out there.

  • SSL Security: Killing RC4

    In the middle of debugging what turned out to be an unrelated problem, my friend James pointed out that my server was throwing a warning about the RC4 cipher.

    Ciphers?

    When you want to transmit secure data, you use a cipher to encrypt the data. RC4 is a (hah) stream cipher. From the key it generates a keystream of bytes that look random (they’re not; they are entirely determined by the key) and XORs that keystream with the plain text to make the encrypted message. The other end, knowing the same key, generates the same keystream and XORs it back off.

    Ciphers only work while nobody has found a shortcut. That stopped being true for RC4: its keystream is measurably biased (certain positions favour certain byte values), and given enough encryptions of the same secret, a cookie or password sent over RC4-protected TLS can be recovered. RFC 7465 (2015) banned RC4 in TLS for exactly that reason. Sad news. Time to disable it!
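    To make “biased keystream” concrete, here is RC4 itself plus a measurement of one of the best-known biases: the second keystream byte is zero about twice as often as it should be (roughly 1/128 instead of 1/256, the Mantin-Shamir bias). This is an added example, not code from the original post. The TLS attacks on RC4 stack up many such position-dependent biases over millions of encryptions of the same cookie; this shows just the one, over keys drawn from a seeded PRNG so the measurement is repeatable.

```python
"""RC4 as published, and a measurement of the second-byte bias that helped kill it.

Added example, not code from the original post. Keys are random bytes from a
seeded PRNG purely so the measured rate is reproducible.
"""
import random
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Key-scheduling algorithm followed by the pseudo-random generation algorithm."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 keys are 1 to 256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                               # PRGA: one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR the data with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def second_byte_zero_rate(trials: int, key_len: int = 16, seed: int = 2017) -> float:
    """Fraction of random keys whose second keystream byte is 0x00.
    An unbiased stream would give about 1/256 (0.0039); RC4 gives about 1/128."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        ks = rc4_keystream(key)
        next(ks)                               # first byte
        if next(ks) == 0:                      # second byte
            zeros += 1
    return zeros / trials


if __name__ == "__main__":
    msg = b"Set-Cookie: session=secret"
    ct = rc4_crypt(b"Key", msg)
    assert rc4_crypt(b"Key", ct) == msg       # symmetric: the same call decrypts
    print("P[second byte == 0] =", second_byte_zero_rate(20000), "(ideal 0.0039)")
```

    If the second keystream byte is zero, the second ciphertext byte equals the second plaintext byte outright. Collect enough encryptions of the same message under different keys (which is what a browser does with a session cookie across many connections) and the most common value at that position is the plaintext. That is the whole shape of the attack, just with more positions and more statistics.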

    Disable it!

    Why was it enabled at all? As it happens, it was enabled on my servers for browsers that can only use it. Old browsers. The funny part is that those old browsers can’t support SNI (which is what lets me have multiple certificates and multiple https sites on one IP address), so the domains were broken anyway.

    To disable, I went to WHM Home » Service Configuration » Apache Configuration » Global Configuration and changed my cipher suite to ALL:!ADH:!RC4:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

    The !RC4 is the part that says “Not this one!”, and the ! means it: unlike -RC4, which a later keyword could quietly add back, !RC4 removes those suites for good.

    Restart Apache and you’re safe to go!

  • Moving cPanel email to Gmail

    There should be a collective gasp here.

    It’s no big secret I dislike Google. I don’t trust them at all. I think Cory Doctorow’s story Scroogled is pretty much on the ball. But I also have been struggling with handling my server’s email and spam situations and if there’s one thing Google has turned out to be pretty good at, it’s spam. Also having my email separate from my hosting means if the site goes down, I’ll still get emails… Which is sort of important.

    So I bit the bullet, sorted out I needed to pay for three emails (making it $15 a month) and a boat load of secondary domains and filters. Since I’d dropped the cost of my hosting by $20 a month, this worked out alright.

    The Setup

    This part is the easy one. Go to https://apps.google.com and put in your information. If, like me, you have multiple domains, pick one to be your ‘master’ domain. I chose ipstenu.org because that’s my main domain in Multisite and there’s some parity going on here. Since this is geared to businesses, you do need to give your business a name. Sorry.

    Next you’ll pick your users. Like I said, I have three: Me, my wife, and my admin account. Why does admin need its own account? It doesn’t. But it might. For now I had them email me at my personal gmail (I can always resend later) since I don’t want them to be alerted to things just yet as I planned to import all their old email.

    Finally it does the “Verify your domain and set up email” step. Which failed. And took 50 minutes. Unfunny. Originally I did the TXT domain setup, and when that failed I did CNAME. Longest ‘about 50 minutes’ ever. And that failed too. Finally I did the damned ‘file verification’ which was ridiculous and stupid but that worked and it still took another 50 minutes to set up my emails.

    Eventually, after talking to Google, my web host, and my domain registrar, it turned out there was a glitch in my domain servers… There was no A record for my nameservers. Thank you Carol, Samuel, and Tatyana for helping that one.

    Migrating Data

    I mentioned I have three accounts. They have around 30 megs of email each. But I also have secondary accounts which are basically the same accounts only not… And to be honest I don’t know why I have so many. This was a chance to combine everything, so I set up those three accounts and then I used the IMAP importer to pull in everything. And it worked. That simple.

    Configuring Accounts

    Now that I have three accounts, I needed to add in my ‘other’ emails. I have a lot of weird aliases. I used to have separate accounts for each email but … well that’s a pain in the ass. So instead of that, I set up folders. I made a folder for each domain alias and then set up redirects. If email was sent to the halfelf.org domain, then it went to a folder called ‘HalfElf.’ Originally I had a whole mess of weird redirects going on, like if it was from WP then it went to a WordPress folder and so on, but unraveling that and going simple seemed like a wise choice.

    I went into the cPanel backups page and downloaded all my forwarder information as well and set up email forwards! Well. Not forwards. Aliases. Same idea really. And it was nice, since I added all my domains as aliases, ipstenu@[anydomain] would now work! I set up a lot of filters to keep things out of my inbox and in their proper, attention needing, spots.

    Blocking Users

    Finally it was time for my soon to be favorite step. Blocking users. Blocking senders for every domain is possible in Gmail and in my opinion, it’s huge. I have a list of 66 emails that I block on all my servers. This is for myriad reasons, but primarily is these are people who don’t know how the shut the hell up and leave me alone. Since I’m under no obligation to talk to these people, I blocked them.

    Exporting that list from cPanel was un-fun. You can either manually copy it out, line by line, or you can find the filter rules. They are, sadly, stored in the /etc/vfilters directory, so you need root access (which I have), but it’s not easy to get at. BUT! As of the latest version of cPanel, if you go into backups you can export your filters. They’re in a YAML format, but that’s easier than copy/pasta.

    Cleaning up cPanel

    So now that everything is on gmail, do I even need to run email on the server? Yes. I have to be able to send email. I did go through and delete all the accounts, though, freeing up a bit of space, and I turned off Greylisting (I know, I just did that!), and I hid the ability to add new accounts.