Raspberry Pi

At the end of 2013, I wrote a series of tutorials explaining how to run an email server at home on a raspberry pi, which turned out to be very popular. I'm now aiming to do the same for instant messaging. This tutorial will:

• Introduce the Extensible Messaging and Presence Protocol (XMPP), formerly known as "Jabber"
• Discuss some of the pros and cons of XMPP vs some other proprietary protocols
• Give instructions for the installation and configuration of Prosody, a free and open source XMPP server.
• Discuss various important XMPP Extension Protocols (XEPs) and how to enable them
• Cover transport layer encryption (i.e. client-server and server-server TLS) and end-to-end encryption for clients
• Recommend client software for different platforms

Along the way, I'll expose the underlying protocol to give you the tools you need to debug the problem yourself, instead of relying on obscured error messages from GUI applications. This is part 1 of a 2 part tutorial. Part 2 can be found here.

ModSecurity is a Web Application Firewall: a program that can be used to inspect information as it passes through your web server, intercepting malicious requests before they are processed by your web application. This tutorial will show you how to install ModSecurity on Apache, and configure it with some sensible rules provided by the Open Web Application Security Project's Core Rule Set (OWASP CRS), which will help to protect your server against SQL injection, denial of service attacks, malformed requests, cross site scripting attacks, and more. And yes, you can use this guide with your Raspberry Pi if you're running Raspbian, Ubuntu, or another Debian derivative on it.

By far the most popular set of articles I have written is my Raspberry Pi Email Server tutorial. Clearly, there are plenty of people who don't like relying on freemail providers like Yahoo, Outlook and Gmail for a variety of privacy and security reasons. However, there is one major drawback of hosting your own email server: if your server is taken offline for maintenance, or your internet connection is interrupted, then incoming email can not be delivered and may bounce. This tutorial will describe how to set up another server to act as an MX backup. The backup server will be hosted on a separate internet connection with a different WAN IP address, and have a lower priority than your primary mail server in your Mail Exchanger (MX) DNS record. When your primary server is offline other MTAs will send email to the backup instead, and the backup will hold them until your primary mail server comes back online, and then deliver them. No more bounced emails. The biggest challenge when setting up a backup MX is convincing a friend or family member to allow you to run a RasPi or some other server on their network; the rest of the setup is a breeze compared to the full mail server installation described in the main tutorial, because fewer components are required (just Postfix). This guide is written for Debian and its derivatives (Raspbian, Ubuntu etc.) but since a basic postfix installation is more or less the same across different distributions you should be able to use it for any distro. My backup server runs openSUSE.

I recently received a Bose SoundTouch 10 speaker as a gift. The speaker itself is great, but I've found some of the features of the Android app don't work very well. Specifically, it seems to have trouble detecting the speaker and connecting to a new wifi network, endlessly looping instead. I was convinced that there must be a way to connect to the device using Linux, and doing a little research online led me to this great post revealing that you can telnet to the Bose SoundTouch, and enable a shell. What follows is instructions on how to connect to the SoundTouch manually using Linux (or Mac, or Windows box with PuTTY), and give it the username and password for a new wifi network so that you can start using the app again. Technically, it must be possible to add login details for a Bose account and change the hardware button presets from this interface too, but I'll leave that for you to experiment with.

This tutorial will show you how to configure a caching BIND9 server on your local network, and configure an OpenWrt router to use it. This should result in slightly quicker DNS lookups, but to be honest, you may not notice a huge difference (my DNS lookups now take 30% less time, but I don't think this has made page loading noticeably faster). Here are a few situations where it could be particularly worthwhile:

• You have a large LAN with lots of clients, and you want to take some load off your router
• You are using something like modsecurity's real time RBL lookups and you want to reduce latency
• Your ISP's nameservers are slow but you would still like to use them
• You are a curious soul and you want to learn about DNS ;)

This tutorial will show you how to configure ddclient on Raspbian and Ubuntu. Many tutorials don't explain what to do if your server is behind a router, but this one will. I recently set up a backup server on an internet connection that has a dynamic IP address. So far, I've been spoiled at home because my ISP (PlusNet) makes switching to a static IP address easy and cheap, so obviously I did that. This time though, I didn't have that option, and I didn't want to configure a dynamic dns client on that router either, so I had to set it up on the server itself.

"Shellshock" is the nickname for a recently discovered vulnerability in GNU BASH (Bourne-Again SHell) that has the potential to allow an attacker to execute arbitrary commands through carefully crafted environment variables (see CVE-2014-6271). This is bad for desktop users, but far worse for servers because it's possible to exploit this vulnerability by attacking CGI scripts. The CGI script doesn't even have to be written in BASH; on distributions that use BASH as the default shell, the environment variables will be passed to BASH before any CGI script is executed. Luckily, the default shell in Debian is DASH, which limits the problem for Debian derivatives like Ubuntu and Raspbian. If you run a Linux or UNIX-like system that uses BASH, you should update to the new patched version now. In fact, most Linux users probably updated before they even realised anything was wrong, since the patched version was available in the repositories very quickly. Meanwhile, Mac users were still waiting for Apple to comment... lol.

Google recently announced that it is going to start prioritising websites that offer HTTPS by default in its search engine results. At first, the positive effect will be small to give webmasters time to switch to HTTPS, but it will gradually become more of a significant signal. This is a good thing for the internet: SSL doesn't cost much for webhosts, and it makes it more difficult to spy on everyone all the time! The Electronic Frontier Foundation praised the decision calling it a "bold and welcome move to protect users". I wanted to start offering some of the services I run on my server to other friends and family, and I couldn't easily install the CAcert root on all of their devices, so this seemed like a good time to purchase a cert. The following describes how I configured the various services (Apache, Postfix, Dovecot) to use the new certificate from COMODO.

Fail2ban is a great little tool for system administration. In a nutshell, it watches your log files for pre-defined patterns and then executes actions if it sees them. Ususally, this is of the form "if there are more than X failed authentication attempts in Y minutes from a single IP address, update the firewall to block the offending IP for Z minutes". The actions are not restricted to updating the firewall with iptables - you can also configure fail2ban to send notification emails, for example. This is useful for protecting against brute force attacks against services like:

• SSH (you should be using Publickey authentication if possible which will stop them ever guessing a password, but allowing them to try is still a waste of resources)
• SASL authentication attempts (Postfix and Dovecot)
• Login forms for web based services like Roundcube webmail.

In my previous tutorial for installing Wordpress on a Raspberry Pi, I showed how to do a "quick and dirty" installation, by changing ownership of the whole Wordpress installation folder to the web server process (www-data). This gets the job done, because Wordpress is able to make changes to its own configuration files, themes and plugins.