blog.mirabellette.eu

A blog about digital independence and autonomy

Some news about the blog

Written by Mirabellette / 28 february 2018 / no comments

Hello everybody,
I hope you are doing fine. Today I would like to talk about the blog and its life. I don't know if you noticed it, but I made some changes.
  • Installation of a new theme created by Dada. Thanks to him for his wonderful work. If you have some time and speak French, feel free to visit his blog.
  • Creation of a Mastodon account on the La Quadrature du Net instance. La Quadrature du Net is a French non-profit association that defends the rights and freedoms of citizens on the Internet. I will use the Mastodon account to communicate about new articles and to share interesting links I find on the Internet. I wrote a first "Pouet" some days ago.
  • Creation of a Media section; you can see it on the right, above the category section.
  • After some time thinking about it, I decided to create three new categories. The first one is Digital independence; this category will welcome articles about self-hosting or thoughts related to that. The second new one is Privacy, and it will welcome articles about privacy (obvious, isn't it? :p). The last one is about the blog itself, for example if I want to start a new project.
  • I changed the category of published articles in order to be more logical and coherent.
  • I changed the subtitle of the blog to "A blog about digital independence and autonomy".
  • I rewrote the services page with advice and warnings about when to use the services.
Concerning the future, I will continue to write tutorials about services you can host yourself. I will also work on making the blog a little better known. I don't have a lot of visits now. I would like to increase this in order to help other people and maybe one day earn money with it. About the money part, I will publish a lot about how I see things. In any case, it is something very far from the current situation. ^^ I also want to create a community to share useful and interesting information with respect and tolerance. I am exhausted by reading criticism and comments without any analysis or a moment of reflection. I want to bring something different: interesting things, quality and respect.

I hope you will like these changes. Feel free to use the services I offer here, especially my Searx instance. It increases privacy for all of us if different users use it. More information about the available services is on the services static page.

Of course, don't hesitate to follow me on Mastodon.

Classified in : Blog / Tags : none

Installing and configuring Ethercalc in an LXC container

Written by Mirabellette / 09 february 2018 / no comments

Disclaimer
Installing and configuring a server is not easy. It requires time, perseverance, money and knowledge. Don't forget that your server, Raspberry Pi or whatever device could be compromised and used, for example, against yourself or in a botnet (like Mirai).

For years, I have used an instance of Ethercalc hosted by Framasoft. EtherCalc is a web spreadsheet which can be used by multiple users at the same time. It is quite powerful and you can, for example, manage most of your bookkeeping with it. If you want to know more, you can test Ethercalc here.

If you want to give back, feel free to make a small donation to Framasoft. They host a lot of very useful services and work to empower people. Even 10 (dollars, euros, whatever) could make a difference. You can also help by developing Ethercalc features or by fixing bugs.

In order to understand and control the services I use, I decided to install my own instance of Ethercalc. To give back to the community, I wrote this article to explain how I did it.

System Configuration:
@host Debian Stretch (with apache as reverse proxy)
@installation_container Installation container (lxc)
@production_container Production container (lxc)

It is quite similar if you only have one environment.

Advice

  • Test this tutorial in a local network which is not directly connected to the Internet, i.e. protected by a firewall.
  • Use a dedicated machine for all of your tests. A dedicated machine could be an unused computer, a virtual machine or a container. Be ready to reinstall your system; this can happen, especially when you begin with computer science.
  • I recommend using another Linux container to build an application. In general, avoid installing a compiler and building applications on a production machine. You must only have in production what is required to run, nothing more! This significantly reduces the risk of being hacked.
  • In a container, I copy everything I need into /opt. It helps me to administrate the container easily because I know everything needed to run the application is stored there.
  • All variables that you have to change are prefixed with $; you have to remove the $ too.

Let's get started!
First of all, before installing Ethercalc, it is recommended to set up a Redis server to store the Ethercalc data.

Information

All data stored by Redis is stored in clear text. That means if someone is able to access the dump.rdb file, they will be able to read all the information stored in your Ethercalc. I didn't find a solution to encrypt data in Redis and it doesn't seem to be implemented yet.

# @installation_container

cd /opt
apt install xz-utils gcc make tar
wget http://download.redis.io/releases/redis-4.0.7.tar.gz
tar xvf redis-4.0.7.tar.gz
cd redis-4.0.7
cd deps
make hiredis jemalloc linenoise lua geohash-int
cd ..
make install

cd /opt
wget https://nodejs.org/dist/v8.9.4/node-v8.9.4-linux-x64.tar.xz
tar xvf node-v8.9.4-linux-x64.tar.xz
ln -s /opt/node-v8.9.4-linux-x64/bin/node /bin/node
# -g installs ethercalc under /opt/node-v8.9.4-linux-x64/lib/node_modules, where the next steps expect it
/opt/node-v8.9.4-linux-x64/bin/npm install -g ethercalc
vim /opt/node-v8.9.4-linux-x64/lib/node_modules/ethercalc/bin/ethercalc
# replace the shebang #!/bin/node by #!/opt/node-v8.9.4-linux-x64/bin/node
# node doesn't need to be available system-wide any more, so we delete the symbolic link
rm /bin/node

mkdir -p /container_path/opt/redis-4.0.7
cp /opt/redis-4.0.7/src/redis-server /container_path/opt/redis-4.0.7/
cp -r /opt/node-v8.9.4-linux-x64/ /container_path/opt/node-v8.9.4-linux-x64/
# you can move the original sources instead of just copying them

We are going to configure Redis to store the Ethercalc data where we want. As usual, I store everything I need in /opt.

mkdir /container_path/opt/redis_data
wget http://download.redis.io/redis-stable/redis.conf -O /container_path/opt/redis.conf
# in redis.conf, replace "dir ./" by "dir /opt/redis_data" (the directory created just above)

WARNING: Redis doesn't implement server-side encryption, which means that all your data is accessible to anyone who can read the dump.rdb file.
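The two warnings above are about who can read the dump file. The following is an added example, not from the original article, that checks a redis.conf for the three settings which decide that exposure: the bind address, protected-mode, and the dir the dump is written to (expected here to be /opt/redis_data, as set up above). The two sample configuration files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: audit a redis.conf for the
# settings that decide who can reach the unencrypted dump.rdb data.
# Assumptions: stock redis.conf syntax ("key value" lines, '#' comments) and
# /opt/redis_data as the expected data directory, as in the article.

# redis_setting FILE KEY: print the last effective value of KEY (empty if unset)
redis_setting() {
    sed -e 's/#.*//' "$1" | awk -v k="$2" '
        $1 == k { v = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
        END { print v }'
}

# redis_audit FILE DATADIR: print one OK/WARN line per check; return 1 if any WARN
redis_audit() {
    file="$1"; datadir="$2"; rc=0
    bind=$(redis_setting "$file" bind)
    case "$bind" in
        127.0.0.1*|::1*) echo "OK   bind is limited to loopback ($bind)" ;;
        "")  echo "WARN no bind line: Redis listens on every interface"; rc=1 ;;
        *)   echo "WARN bind exposes Redis on: $bind"; rc=1 ;;
    esac
    if [ "$(redis_setting "$file" protected-mode)" = "yes" ]; then
        echo "OK   protected-mode yes"
    else
        echo "WARN protected-mode is not yes: remote clients are not refused"; rc=1
    fi
    dir=$(redis_setting "$file" dir)
    if [ "$dir" = "$datadir" ]; then
        echo "OK   dump.rdb will be written under $dir"
    else
        echo "WARN dir is '$dir', expected $datadir (the dump must stay where only the redis user reads it)"; rc=1
    fi
    return $rc
}

# constructed samples: the article's configuration (stock file with dir changed)
# and a deliberately exposed one for contrast
hardened_conf=$(mktemp)
cat > "$hardened_conf" <<'EOF'
bind 127.0.0.1
protected-mode yes
port 6379
dir /opt/redis_data
EOF
exposed_conf=$(mktemp)
cat > "$exposed_conf" <<'EOF'
# bind 127.0.0.1
protected-mode no
port 6379
dir ./
EOF

redis_audit "$hardened_conf" /opt/redis_data
redis_audit "$exposed_conf" /opt/redis_data || echo "exposed config rejected"
```

Run it against /opt/redis.conf in the container before enabling the service; a WARN on bind means the iptables rules further down are the only thing keeping the data store off the network.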

Now we will create two systemd units to start Redis and Ethercalc automatically each time the container starts. We will also configure iptables so that the Redis server is not reachable from everywhere.

# @production_container

useradd redis
useradd nodejs
# we now edit /etc/passwd to reduce the users' rights to the strict minimum (no login shell)
vim /etc/passwd
nodejs:x:1000:1000::/opt/node-v8.9.4-linux-x64/bin/node:/bin/false
redis:x:1001:1001::/opt/redis-4.0.7/redis-server:/bin/false

cd /opt/
chown redis:redis -R redis*
chown nodejs:nodejs -R node-v8.9.4-linux-x64/

vim /etc/systemd/system/redis.service
[Unit]
Description=Redis
After=network.target

[Service]
Type=simple
ExecStart=/opt/redis-4.0.7/redis-server /opt/redis.conf
RemainAfterExit=yes
# run as the redis user created above, which owns /opt/redis* and /opt/redis_data
User=redis
Group=redis

[Install]
WantedBy=multi-user.target

systemctl enable redis.service

vim /etc/systemd/system/ethercalc.service
[Unit]
Description=Ethercalc
# start after Redis so Ethercalc finds its data store
After=network.target redis.service

[Service]
Type=simple
ExecStart=/opt/node-v8.9.4-linux-x64/lib/node_modules/ethercalc/bin/ethercalc --host $container_ip
RemainAfterExit=yes
User=nodejs
Group=nodejs

[Install]
WantedBy=multi-user.target

systemctl enable ethercalc.service
# don't forget to replace $container_ip by the address of your own interface

In order to have the iptables rules loaded automatically when the container starts, you have to install the package iptables-persistent. Of course, we will configure it so that only Ethercalc is reachable from outside.

apt install iptables-persistent
vim /etc/iptables/rules.v4
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*filter
:INPUT DROP [1:328]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Ethercalc (8000) is the only service opened; Redis (6379) has no rule, so the INPUT DROP policy blocks it from outside
-A INPUT -s $container_ip -p tcp --dport 8000 -j ACCEPT
-A INPUT -s $apt_cache_or_lxc_network -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT

Now we will configure the apache2 reverse proxy. I chose not to use HTTPS between $host and $production_container. The main reason is that both of them are hosted on the same computer. If $production_container were somewhere else on the Internet, you MUST configure the proxy to use HTTPS towards your container/virtual machine/whatever, or all your traffic will be sent in clear text on the network. I also added web authentication in order to be the only one who can access it. Feel free to replace $your_name by a name of your choice; you have to change it in the apache2 configuration too. I will not explain how to deploy TLS on your web server; you can find a lot of tutorials on the Internet.

# @host
# generate a password for $your_name
htpasswd -c /etc/apache2/password_ethercalc $your_name

# the ssl, proxy and proxy_http modules must be enabled: a2enmod ssl proxy proxy_http
vim /etc/apache2/sites-available/ethercalc.conf
<VirtualHost *:443>
 ServerName www.example.com

 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined

 <Location "/">
  AuthType Basic
  AuthName "Restricted Files"
  AuthBasicProvider file
  AuthUserFile "/etc/apache2/password_ethercalc"
  Require user $your_name
 </Location>

 SSLEngine on
 SSLCertificateFile /path/to/apache/crt
 SSLCertificateKeyFile /path/to/apache/key

 ProxyPass / "http://$container_ip:8000/"
 ProxyPassReverse / "http://$container_ip:8000/"

</VirtualHost>

ln -s /etc/apache2/sites-available/ethercalc.conf /etc/apache2/sites-enabled/ethercalc.conf
service apache2 reload
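The $-prefixed placeholders used throughout this article ($container_ip, $your_name, ...) are easy to leave behind in a unit file or a firewall rule, and a forgotten one silently breaks the service or the rule. As an added example, not from the original article, the following script renders such a snippet from NAME=VALUE pairs and refuses to write the file while any placeholder remains, while leaving Apache's own braced variables such as ${APACHE_LOG_DIR} untouched. The template and the values 10.0.3.10 and alice are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: render the article's config
# snippets, whose placeholders are written as $name, and refuse to write a
# file while any placeholder is still unresolved. Braced forms such as
# ${APACHE_LOG_DIR} are Apache's own variables, not placeholders, and are kept.
# Assumptions: placeholder names match [A-Za-z_][A-Za-z0-9_]*; the sample
# template and values below are constructed for this demonstration.

# render_template FILE NAME=VALUE...: print FILE with each $NAME replaced by VALUE
render_template() {
    tpl="$1"; shift
    text=$(cat "$tpl")
    for kv in "$@"; do
        text=$(printf '%s\n' "$text" | awk -v name="${kv%%=*}" -v value="${kv#*=}" '
        {
            line = $0; out = ""; n = length(name)
            # scan for $name; skip matches that continue into a longer identifier
            while ((i = index(line, "$" name)) > 0) {
                next_ch = substr(line, i + n + 1, 1)
                if (next_ch ~ /[A-Za-z0-9_]/) {
                    out = out substr(line, 1, i + n)
                } else {
                    out = out substr(line, 1, i - 1) value
                }
                line = substr(line, i + n + 1)
            }
            print out line
        }')
    done
    printf '%s\n' "$text"
}

# unresolved_placeholders TEXT: print each remaining $name placeholder, one per line
unresolved_placeholders() {
    printf '%s\n' "$1" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' | sort -u
}

# render_config FILE DEST NAME=VALUE...: write DEST only if nothing is left unresolved
render_config() {
    tpl="$1"; dest="$2"; shift 2
    text=$(render_template "$tpl" "$@")
    left=$(unresolved_placeholders "$text")
    if [ -n "$left" ]; then
        echo "refusing to write $dest, unresolved: $(printf '%s' "$left" | tr '\n' ' ')" >&2
        return 1
    fi
    printf '%s\n' "$text" > "$dest"
}

# constructed template made of lines from the article's unit, iptables and Apache snippets
template=$(mktemp)
cat > "$template" <<'EOF'
ExecStart=/opt/node-v8.9.4-linux-x64/lib/node_modules/ethercalc/bin/ethercalc --host $container_ip
-A INPUT -s $container_ip -p tcp --dport 8000 -j ACCEPT
ErrorLog ${APACHE_LOG_DIR}/error.log
ProxyPass / "http://$container_ip:8000/"
Require user $your_name
EOF

# first attempt forgets $your_name and is refused; the second one is written
render_config "$template" "$template.rendered" container_ip=10.0.3.10 || echo "(refused as expected)"
render_config "$template" "$template.rendered" container_ip=10.0.3.10 your_name=alice && cat "$template.rendered"
```

The check is deliberately applied before the file is written, so a unit or rules file with a leftover placeholder never reaches systemd or iptables-restore in the first place.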

It took me hours to write this article. I hope you will find it useful and interesting. Don't hesitate to comment, even if it is about a mistake or something that could be improved.
Thank you for reading.

Social media

If you find this article interesting, feel free to subscribe to my RSS feed and to follow me on Mastodon. Don't hesitate to share it if you think it could interest someone else.

Ubuntu 17.10 - tools and configuration

Written by Mirabellette / 01 january 2018 / no comments

I bought a new computer last year and I had to choose a new operating system to install. I am waiting for Qubes OS 4.1 (x.0 releases are most of the time fucked up).
I chose to use Ubuntu 17.10 because the packages are quite new and it is easy to use. To get a fully usable operating system, I had to configure it and use some tricks to get it the way I want.

Below are some tools I installed and some configuration I did.

First of all, you have to know that Ubuntu 17.10 ships with GNOME. Unity was given up by Ubuntu Inc. Astonishingly, even though it is the first release with GNOME, it works pretty well.

Display the full date in the toolbar

I wanted to display the full date in my toolbar.

sudo apt-get install gnome-tweak-tool

Launch tweaks
Top Bar > clock > Date > Calendar > Show week numbers

An ebook reader

There is no ebook reader by default in Ubuntu 17.10. Calibre is the most famous of them.

sudo apt update && sudo apt install calibre

Network manager

NetworkManager is installed on Ubuntu 17.10. I don't really like it because it changes your configuration. I try to disable these modifications in order to have better control.
Randomize your MAC address
Ubuntu allows, by design, generating a random MAC address at each network connection. It is a basic privacy setting which can help you avoid MAC address bans or make it harder to track your habits.

vim /etc/NetworkManager/conf.d/30-mac-randomization.conf
[device-mac-randomization]
# "yes" is already the default for scanning
wifi.scan-rand-mac-address=yes

[connection-mac-randomization]
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random

To be sure it works well:

ifconfig && service network-manager restart && sleep 5 && ifconfig

The MAC addresses of your Ethernet and Wi-Fi interfaces must be different from the ones in the first ifconfig output.
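To make that comparison precise rather than eyeballing two ifconfig dumps, here is an added example, not part of the original article, that parses two captures and reports, per interface, whether the MAC address changed; randomized_ok fails when any interface you name kept its address. The before/after captures are constructed samples in ifconfig's output format, not real output.

```shell
#!/bin/sh
# Added example, not from the original article: compare two ifconfig captures
# (before and after restarting NetworkManager) and report, per interface,
# whether its MAC address changed. The two captures below are constructed
# samples in the ifconfig output format.

# mac_table TEXT: print "interface mac" for every interface that has an ether line
mac_table() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z0-9]+: / { iface = $1; sub(/:$/, "", iface) }
        /^[ \t]+ether / { print iface, $2 }'
}

# mac_changes BEFORE AFTER: print "interface old new changed|unchanged|missing" per interface
mac_changes() {
    after_table=$(mac_table "$2")
    mac_table "$1" | while read -r iface old; do
        new=$(printf '%s\n' "$after_table" | awk -v i="$iface" '$1 == i { print $2 }')
        if [ -z "$new" ]; then
            echo "$iface $old - missing"
        elif [ "$new" = "$old" ]; then
            echo "$iface $old $new unchanged"
        else
            echo "$iface $old $new changed"
        fi
    done
}

# randomized_ok BEFORE AFTER IFACE...: succeed only if every named interface changed
randomized_ok() {
    before_text="$1"; after_text="$2"; shift 2
    changes=$(mac_changes "$before_text" "$after_text")
    for iface in "$@"; do
        printf '%s\n' "$changes" | grep -q "^$iface .* changed$" || return 1
    done
    return 0
}

# constructed capture taken before the restart
before=$(cat <<'EOF'
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 52:54:00:aa:bb:01  txqueuelen 1000  (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 52:54:00:aa:bb:02  txqueuelen 1000  (Ethernet)
EOF
)
# constructed capture taken after the restart: Wi-Fi reconnected with a new
# address, the cabled interface kept the old one
after=$(cat <<'EOF'
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 52:54:00:aa:bb:01  txqueuelen 1000  (Ethernet)
wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether d6:1f:7c:03:9e:40  txqueuelen 1000  (Ethernet)
EOF
)

mac_changes "$before" "$after"
randomized_ok "$before" "$after" enp3s0 wlp2s0 || echo "at least one interface kept its MAC"
```

On a real machine, capture `ifconfig` into two files around the `service network-manager restart`, then feed their contents to mac_changes.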

Disable automatic updates of /etc/resolv.conf
When you want to use a specific DNS server, you have to modify /etc/resolv.conf. NetworkManager rewrites this file each time it starts. To avoid that:

vim /etc/NetworkManager/NetworkManager.conf
[main]
dns=none

service network-manager restart

To be sure it works well:
cat /etc/resolv.conf
Your previous /etc/resolv.conf must be displayed.

Disable the DNS resolver
Ubuntu comes with its own resolver integrated in systemd (systemd-resolved); I don't need it.

systemctl disable systemd-resolved
systemctl stop systemd-resolved

Speed test in command line

Sometimes it can be useful to measure your bandwidth from the command line.

sudo apt install speedtest-cli
speedtest-cli

Show thumbnails of pictures from other devices (USB keys, SD cards)

By default, Nautilus shows thumbnails only for files on the local computer. It can be inconvenient when you have a USB drive containing pictures. To enable this feature for all devices:
open nautilus (files) > preferences > search & preview > thumbnails > all files

Show system information

If you want to find some information about your own system configuration:

System Settings > Details > about


Classified in : Tricks / Tags : none

Upgrading Searx from 0.12 to 0.13.1, and configuration

Written by Mirabellette / 18 december 2017 / no comments

Hello everyone,

I just upgraded my Searx instance from 0.12 to 0.13.1. The upgrade was quite easy; it took me around 30 minutes to upgrade it and to verify that everything was OK. If you followed the standard installation, you just have to follow the steps below to upgrade it:

sudo -u searx -i
cd /usr/local/searx
mv searx/settings.yml searx/settings.yml.old  # keep your previous configuration
git pull
# copy your own settings from searx/settings.yml.old to searx/settings.yml
rm searx/settings.yml.old  # not needed anymore
virtualenv searx-ve
. ./searx-ve/bin/activate
pip install -r requirements.txt
python setup.py install
deactivate  # exit the virtualenv

Now your application is upgraded, you just have to restart the service with:

sudo /etc/init.d/uwsgi restart

I also enabled by default some search engines which respect privacy, like duckduckgo, qwant, startpage and ixquick.

I hope this article was useful to upgrade your version of Searx. I am aware of a captcha issue with Google; I am working on it.

Have a nice day


Two new services available for you: Lufi and Searx

Written by Mirabellette / 30 november 2017 / no comments

Hello everyone,

It has been some months since I published anything; I know that is a very long time. :( I had a lot of things to do. Of course, I work and learn new things. For myself, and in order to stay autonomous regarding the services I use, I hosted two new services: Lufi and Searx.
Since I host them for myself, I had to share access to them with others; it's just normal, I think: give and receive. You can access the instances

Lufi

*from the official git repository
Lufi means Let's Upload that FIle. Lufi is tested and working on the following browsers / devices:
  • Firefox
  • Chrome
  • Internet Explorer 11
  • Microsoft Edge
  • Safari
  • iOS devices (ipad, iphone)
  • Android devices (Galaxy tab, Galaxy S8)

It stores files and allows you to download them. Is that all? No. All the files are encrypted by the browser! It means that your files never leave your computer unencrypted. The administrator of the Lufi instance you use will not be able to see what is in your file, neither will your network administrator, or your ISP. The encryption key part of the URL is an anchor (Cf. Fragment Identifier), that means this part is only processed client-side and does not reach the server. :-)

To install it, I mainly used a tutorial created by Framasoft and its contributors. In parallel, I always check the official installation guide before doing anything. Lufi is not so easy to install because it uses WebSockets and it is very painful to configure the web server correctly.
configuration
I deliberately chose to limit storage to one week. My Lufi instance must not be dedicated to storing files for a long period but to exchanging them quickly and securely.

Searx

Searx is a free metasearch engine with the aim of protecting the privacy of its users. If you want to set Searx as the default search engine in Firefox, you have to install the add-to-search addon.

At the end of the installation, you may get a "page not found" page. You can find a solution here; you just have to add a rewrite rule to apache2.
RewriteEngine on
RewriteRule "^/$" "/searx/" [R]
<Location /searx>
 Options FollowSymLinks Indexes
 SetHandler uwsgi-handler
 uWSGISocket /run/uwsgi/app/searx/socket
</Location>
configuration
Searx can also be used as a web proxy in order to replace your IP by the server's IP. I disabled this feature to avoid any problem if my server's IP were associated with questionable browsing.

Other maintenance stuff and improvements

I upgraded the PrivateBin instance from 1.0.1 to 1.1.1. This update fixes a security issue. Even if the deployed version was not vulnerable, I took no risk and upgraded it. Moreover, the application versions currently deployed are now displayed on the services page. I know it is not recommended because it helps an attacker know the version, but there are a lot of other ways to discover it. I hope users will check, before using the services, whether they are up to date, and choose to use them knowing that. You can also find the date of availability.

Disclaimer

The same last words: please don't forget not to do anything wrong or to use them in an abusive way. I hope you will enjoy these new services as I do. Have a good day,
Mirabellette