matcha_addict

joined 1 year ago
[–] [email protected] 4 points 2 weeks ago

Why let Google play be the reason to stop development? There are many people who use f-droid or download releases or apks from other sources.

Google is trying to force out indie developers, do we really want to listen to them and do as they want?

[–] [email protected] 6 points 1 month ago (1 children)

What does Google play do to remediate it?

[–] [email protected] 2 points 1 month ago (1 children)

Couldn't you do that by just joining an existing server?

[–] [email protected] 2 points 2 months ago

To each their own I guess, databases are ridiculously expensive when managed and I always self host.

[–] [email protected] 2 points 2 months ago (1 children)

A team? For what OP described, all you need is one person

[–] [email protected] 5 points 2 months ago

if enough people do it

And now will you make sure of that? As the other person mentioned, without a campaign, it's futile. Most people won't even hear of this

[–] [email protected] 4 points 2 months ago

This is extremely overkill...

I actually do all of that, thanks to Gentoo :')

[–] [email protected] 3 points 2 months ago

It does require some effort to manage, but I would argue it's easier to keep all packages (including dependencies) up-to-date across the system, which is a huge security benefit imo.

The permission system, once you set it up, you never need to change it unless you're changing something.

[–] [email protected] 2 points 2 months ago (1 children)

I thought protonVPN does, does it not?

[–] [email protected] 1 points 2 months ago (4 children)

What's the appeal of seedbox over using VPN? You can get a lot more storage with the money you spend on seedbox, right?

[–] [email protected] 1 points 2 months ago (2 children)

I am really interested in systemd-nspawn. Unfortunately I have openRC now (I liked its simplicity) so can't try out systemd yet.

Is machinectl tied to systemd also?

[–] [email protected] 2 points 2 months ago (1 children)

A fellow gentoo user in the wild! Do you have any thoughts on using containers with gentoo? It pains me the idea of foregoing all the awesome features of portage by using containers.

What exactly does SE Linux provide over users / groups?

 

Hi all,

I found a hobby in trying to secure my Linux server, maybe even beyond reasonable means.

Currently, my system is heavily locked down with user permissions. Every file has a group owner, and every server application has its own user. Each user will only have access to files it is explicitly added to.

My server is only accessible from LAN or VPN (though I've been interested in hosting publicly accessible stuff). I have TLS certs for most everything that can use them (albeit they're self-signed certs, which some people don't like), and ssh is only via ssh keys that are passphrase protected.

What are some suggestions for things I can do to further improve my security? It doesn't have to be super useful, as this is also fun for me.

Some things in mind:

  • 2 factor auth for SSH (and maybe all shell sessions if I can)
  • look into firejail, nsjail, etc.
  • look into access control lists
  • network namespace and vlan to prevent server applications from accessing the internal network when they don't need to
  • considering containerization, but so far, I find it not worth foregoing the benefits I get of a single package manager for the entire server

Other questions:

  • Is there a way for me to be "notified" if shell access of any form is gained by someone? Or somehow block all shell access that is not 2FA'd?
  • my system currently secures files on the device. But all applications can see all process PIDs. Do I need to protect against this?

threat model

  • attacker gains shell access
  • attacker influences server application to perform unauthorized actions
  • not in my threat model: physical access
 

The telegram app has a very nice interface, but I want to use a self hosted xmpp chat server.

Is there maybe a fork of telegram that makes it work with a self hosted xmpp server? I would imagine that this is possible.

If not, is there anything that at least gets close to how nice telegram UI is?

 

I like tasks.org but unfortunately it doesn't look like this will come any time soon.

Plus points:

  • if the task can be assigned to multiple sub-lists (or projects, buckets, etc).
 

I want a to-do list app that syncs from a json file (or other human-readable data format), so that I can view and modify the file (via a CLI like jq) from my computer too, and it would still reflect on my phone when it syncs.

Does this exist? Preferably it uses a format simple enough that makes it possible / easy to modify it via jq.

 

In the desktop world, we have the option to use the command line: a uniform interface for a multitude of apps that would otherwise be very different when implemented as GUIs.

Using the same interface, I can move or edit files, cross out tasks on my to-do list, retrieve my password for my email account (using Bitwarden or pass), etc. All in the command line. The GUIs for each of those are wildly different.

The other benefit is it is very easy to create a new command line app, as opposed to a GUI.

Is anything like this possible for the smartphone world (even if it doesn't or will never exist)? What would it look like?

Since smartphone typing is much slower, we can't simply reuse the command line. We'd need something different. An interface that can still support a various spectrum of different operations, yet ergonomic for a smartphone. What are your thoughts?

 

I want to self host a suite of services and make them public.

What kind of services? Well, all kinds. Matrix, lemmy, bookwyrm, and I may think of others in the future.

The problem? I don't even know where to begin from a legal stand point. Not only that, I am a barely legal immigrant (vulnerable to deportation) from a country that is not very liked by the gov. I am afraid to put myself in a vulnerable position and get more trouble than the typical US citizen.

Is there a reasonable way to be able to self host public services without legal trouble? Is there a resource I can follow for best practices to avoid issues?

 

I know Calibre can remove DRM, but it seems that Calibre does not remove things like watermarks, references to the buyer by name, etc. Now maybe I can try to find those manually, but that is an error prone process. Plus, what if they embed a unique digital signature that ties back to me? I understand that this is a very uncommon practice, but I do not want to find myself in a bad place.

I suppose the only way to remove a digital signature of any sort is to buy two of the same e-book by different people, diff them, and remove anything that differentiates them.

Is there any tool that does this or automates the process? Am I being too paranoid, and this is not a real threat?

 

Hello friends,

Just about every guide that comes up on my Google search for "How to create certificate authority with OpenSSL" seems to be out-of-date. Particularly, they all guide me towards creating a certificate that gets rejected by the browser due to the "Common Name" field deprecation, and the requirement of "Subject Alternative Name" field.

Does someone know a tool that creates a Certificate Authority and signs certificates with that CA? A tool that follows modern standards, gets accepted by browsers and other common web tools. Preferably something based on OpenSSL.

If you know a guide that does this using OpenSSL, even better! But I have low hopes for this after going through dozens of guides all having the same issue I mentioned above.

Replies to Some Questions you Might Ask Me

Why not just correct those two fields you mention?

I want to make sure I am doing this right. I don't want to keep running into errors in the future. For example, I actually did try that, and npm CLI rejected my certs without a good explanation (though the browser accepts it).

Why not Let's Encrypt?

This is for private services that are only accessible on a private network or VPN

If this is for LAN and VPN only services, why do you need TLS?

TLS still has benefits. Any device on the same network could still compromise the security of the communication without TLS. Examples: random webcam or accessory at your house, a Meta Quest VR headset, or even a compromised smartphone or computer.

Use small step CA (or other ACME tools)

I am not sure I want the added complexity of this. I only have 2 services requiring TLS now, and I don't believe I will need to scale that much. I will have to set up a way to consume the ACME server. I am happier with just a tool that spits out the certificates and I manage them that way, instead of a whole service for managing certs.

If I am overestimating the difficulty for this, please correct me.
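
An added example, not part of the original post: a private root CA and one server certificate that carries a Subject Alternative Name, built with the `openssl` CLI and its own config files so the result does not depend on the system `openssl.cnf`. The CA name, hostname, IP, key sizes and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: private root CA plus one SAN-bearing server certificate.
# Names, lifetimes and key sizes are assumptions; adjust for your network.
set -eu

# make_ca_and_leaf DIR HOSTNAME IP -> writes ca.{key,crt} and leaf.{key,crt}
make_ca_and_leaf() (
umask 077                     # private keys readable by owner only
mkdir -p "$1" && cd "$1"
cat > ca.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > leaf.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $2
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2, IP:$3
EOF
# -nodes leaves keys unencrypted so the demo is non-interactive;
# encrypt the CA key or keep it offline for real use.
openssl req -x509 -config ca.cnf -newkey rsa:3072 -nodes -sha256 \
    -days 3650 -keyout ca.key -out ca.crt
openssl req -new -config leaf.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr
# Extensions come from leaf.cnf, not the CSR: the CA decides what it signs.
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 397 -extfile leaf.cnf -extensions v3_leaf -out leaf.crt
)

# verify_leaf DIR HOSTNAME -> exit 0 only if chain AND SAN hostname check pass
verify_leaf() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$2" "$1/leaf.crt"
}
if [ "$#" -eq 3 ]; then make_ca_and_leaf "$@"; verify_leaf "$1" "$2"; fi
```

Node-based tools such as npm do not use the operating system trust store by default, so importing `ca.crt` into the browser is not enough for them; point them at the CA file with `NODE_EXTRA_CA_CERTS` or npm's `cafile` setting.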

 

This meme is from 2004. History repeats itself.

 