
tlsdated doesn't appear to work well. Use a simpler cron based method

Bob Mottram 11 years ago
parent
commit
1f31f6f8b1
1 changed file with 13 additions and 173 deletions

+ 13
- 173
beaglebone.txt

@@ -732,7 +732,7 @@ Then to obtain some random bytes:
732 732
 cat /dev/hashletrng
733 733
 #+END_SRC
734 734
 
735
-The rate of entropy generation by the Hashlet seems very slow compared to */dev/hwrng*, and this is most likely because of the I2C interface.  So it's probably a good idea to keep hwrng as the main random source and only use the Hashlet's random number generator for any ancillary stuff.
735
+The rate of entropy generation by the Hashlet seems very slow compared to */dev/hwrng*, and this is most likely because of the I2C interface. So it's probably a good idea to keep hwrng as the main random source and only use the Hashlet's random number generator for any ancillary stuff.
736 736
 
737 737
 ** Alter ssh configuration
738 738
 
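Review bot: this hunk only collapses a double space after a sentence in the Hashlet paragraph; it is a pure whitespace change with no relation to the tlsdated replacement the commit message describes, so it (and the identical change at -806/+806) would be easier to review as a separate formatting commit.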
@@ -803,7 +803,7 @@ Edit */etc/crontab* and append that to the top of the file, underneath the headi
803 803
 # m h dom mon dow user	command
804 804
 #+END_SRC
805 805
 
806
-In general the most frequently run crontab entries should be at the top.  Then save and exit.
806
+In general the most frequently run crontab entries should be at the top. Then save and exit.
807 807
 
808 808
 Via your router's firewall settings you should now open port 22 (secure shell).  This will allow you to ssh into your BBB from any location - not just your own local network.
809 809
 
@@ -916,186 +916,26 @@ make
916 916
 make install
917 917
 #+END_SRC
918 918
 
919
-If you get errors during the /configure/ stage then you may need to reboot so that some of the installed dependencies take effect.  Then create an init script.
919
+If you get errors during the /configure/ stage then you may need to reboot so that some of the installed dependencies take effect.
920 920
 
921 921
 #+BEGIN_SRC: bash
922
-editor /etc/init.d/tlsdated
922
+editor /etc/crontab
923 923
 #+END_SRC
924 924
 
925
-Add the following:
925
+Add the following near the top of the list of tasks.
926 926
 
927 927
 #+BEGIN_SRC: bash
928
-#!/bin/sh
929
-### BEGIN INIT INFO
930
-# Provides:          tlsdate
931
-# Required-Start:    $network $local_fs $remote_fs
932
-# Required-Stop:     $local_fs $remote_fs
933
-# Default-Start:     2 3 4 5
934
-# Default-Stop:      0 1 6
935
-# Short-Description: secure parasitic rdate replacement
936
-# Description:       tlsdate sets the local clock by securely connecting with
937
-#                    TLS to remote servers and extracting the remote time out
938
-#                    of the secure handshake. Unlike ntpdate, tlsdate uses
939
-#                    TCP, for instance connecting to a remote HTTPS or TLS
940
-#                    enabled service, and provides some protection against
941
-#                    adversaries that try to feed you malicious time
942
-#                    information.
943
-#
944
-### END INIT INFO
945
-
946
-# Author: Jacob Appelbaum <jacob@appelbaum.net>
947
-
948
-# PATH should only include /usr/* if it runs after the mountnfs.sh script
949
-PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin
950
-DESC="secure parasitic rdate replacement daemon"
951
-NAME=tlsdated
952
-DAEMON=/usr/local/sbin/tlsdated
953
-DAEMON_ARGS=""
954
-PIDFILE=/var/run/$NAME.pid
955
-SCRIPTNAME=/etc/init.d/$NAME
956
-
957
-# Exit if the package is not installed
958
-[ -x $DAEMON ] || exit 0
959
-
960
-# Read configuration variable file if it is present
961
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
962
-
963
-# Load the VERBOSE setting and other rcS variables
964
-. /lib/init/vars.sh
965
-
966
-# Define LSB log_* functions.
967
-# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
968
-. /lib/lsb/init-functions
969
-
970
-#
971
-# Function that starts the daemon/service
972
-#
973
-do_start()
974
-{
975
-    # Return
976
-    #   0 if daemon has been started
977
-    #   1 if daemon was already running
978
-    #   2 if daemon could not be started
979
-    start-stop-daemon --background --start --quiet --pidfile $PIDFILE \
980
-		--exec $DAEMON --test > /dev/null \
981
-        || return 1
982
-    start-stop-daemon --background --start --quiet --pidfile $PIDFILE \
983
-		--exec $DAEMON -- \
984
-        $DAEMON_ARGS \
985
-        || return 2
986
-    # Add code here, if necessary, that waits for the process to be ready
987
-    # to handle requests from services started subsequently which depend
988
-    # on this one.  As a last resort, sleep for some time.
989
-}
990
-
991
-#
992
-# Function that stops the daemon/service
993
-#
994
-do_stop()
995
-{
996
-    # Return
997
-    #   0 if daemon has been stopped
998
-    #   1 if daemon was already stopped
999
-    #   2 if daemon could not be stopped
1000
-    #   other if a failure occurred
1001
-    start-stop-daemon --stop --quiet --retry=TERM/5/KILL/1 --pidfile $PIDFILE \
1002
-		--name $NAME
1003
-        RETVAL="$?"
1004
-        [ "$RETVAL" = 2 ] && return 2
1005
-    # Wait for children to finish too if this is a daemon that forks
1006
-    # and if the daemon is only ever run from this initscript.
1007
-    # If the above conditions are not satisfied then add some other code
1008
-    # that waits for the process to drop all resources that could be
1009
-    # needed by services started subsequently.  A last resort is to
1010
-    # sleep for some time.
1011
-    start-stop-daemon --stop --quiet --oknodo --retry=0/5/KILL/5 --exec $DAEMON
1012
-        [ "$?" = 2 ] && return 2
1013
-        # Many daemons don't delete their pidfiles when they exit.
1014
-        rm -f $PIDFILE
1015
-        return "$RETVAL"
1016
-}
1017
-
1018
-#
1019
-# Function that sends a SIGHUP to the daemon/service
1020
-#
1021
-do_reload() {
1022
-    #
1023
-    # If the daemon can reload its configuration without
1024
-    # restarting (for example, when it is sent a SIGHUP),
1025
-    # then implement that here.
1026
-    #
1027
-    start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
1028
-    return 0
1029
-}
1030
-
1031
-case "$1" in
1032
-  start)
1033
-    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME"
1034
-    do_start
1035
-    case "$?" in
1036
-         0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1037
-              2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
1038
-              esac
1039
-  ;;
1040
-  stop)
1041
-  [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
1042
-  do_stop
1043
-  case "$?" in
1044
-       0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
1045
-            2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
1046
-            esac
1047
-            ;;
1048
-  status)
1049
-       status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
1050
-       ;;
1051
-  #reload|force-reload)
1052
-  #
1053
-  # If do_reload() is not implemented then leave this commented out
1054
-  # and leave 'force-reload' as an alias for 'restart'.
1055
-  #
1056
-  #log_daemon_msg "Reloading $DESC" "$NAME"
1057
-  #do_reload
1058
-  #log_end_msg $?
1059
-  #;;
1060
-  restart|force-reload)
1061
-  #
1062
-  # If the "reload" option is implemented then remove the
1063
-  # 'force-reload' alias
1064
-  #
1065
-  log_daemon_msg "Restarting $DESC" "$NAME"
1066
-  do_stop
1067
-  case "$?" in
1068
-    0|1)
1069
-        do_start
1070
-        case "$?" in
1071
-            0) log_end_msg 0 ;;
1072
-            1) log_end_msg 1 ;; # Old process is still running
1073
-            *) log_end_msg 1 ;; # Failed to start
1074
-            esac
1075
-        ;;
1076
-    *)
1077
-    # Failed to stop
1078
-    log_end_msg 1
1079
-    ;;
1080
-    esac
1081
-    ;;
1082
-  *)
1083
-  echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
1084
-  exit 3
1085
-  ;;
1086
-esac
1087
-
1088
-:
928
+*/15           * *   *   *   root /usr/bin/timeout 20 tlsdate -v -V -l -t -H www.ptb.de -p 443
1089 929
 #+END_SRC
1090 930
 
1091
-Save and exit, then start the daemon.
931
+Save and exit.
1092 932
 
1093 933
 #+BEGIN_SRC: bash
1094
-chmod +x /etc/init.d/tlsdated
1095
-update-rc.d tlsdated defaults
1096
-service tlsdated start
934
+service cron restart
1097 935
 #+END_SRC
1098 936
 
937
+This should set the date and time from a known source (www.ptb.de) using a SSL/TLS secured connection every 15 minutes.  Obviously if you wish to use a different source for the date and time then the cron entry can be edited accordingly.
938
+
1099 939
 ** Install fail2ban
1100 940
 
1101 941
 #+BEGIN_SRC: bash
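Review bot: the new crontab entry at +928 invokes `tlsdate` by bare name, which only works if the PATH line in /etc/crontab includes the prefix that the preceding `make install` step used; the init script this hunk removes pointed at an absolute path (`/usr/local/sbin/tlsdated`), and the cron entry should do the same (e.g. `/usr/local/bin/tlsdate`, whichever location `make install` actually produced) and redirect output to a log file so that a failing job every 15 minutes is noticed rather than silently discarded. The explanatory paragraph at +937 should also state that the "known source" guarantee comes from `-V`, which verifies the www.ptb.de certificate against the CA bundle on the BBB, so it only holds if ca-certificates is installed and kept up to date. Minor: `service cron restart` at +934 is harmless but unnecessary, since cron re-reads /etc/crontab when its modification time changes.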
@@ -2176,7 +2016,7 @@ chown -R root:root ~/.gnupg
2176 2016
 #+END_SRC
2177 2017
 
2178 2018
 ** Protect processes
2179
-Because the BBB has limited RAM some processes may occasionally be automatically killed if physical memory availability is getting too low.  The way in which processes are chosen to be sacrificed is not particularly intelligent, and so can result in vital systems being stopped.  To try to prevent that from ever happening the following script can be used, which should ensure that at a minimum ssh, email and mysql keep running.
2019
+Because the BBB has limited RAM some processes may occasionally be automatically killed if physical memory availability is getting too low. The way in which processes are chosen to be sacrificed is not particularly intelligent, and so can result in vital systems being stopped.  To try to prevent that from ever happening the following script can be used, which should ensure that at a minimum ssh, email and mysql keep running.
2180 2020
 
2181 2021
 #+BEGIN_SRC: bash
2182 2022
 editor /usr/bin/protectprocesses
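Review bot: the whitespace normalisation at +2019 is incomplete: the line still contains a double space before "To try to prevent", so the edit leaves the paragraph inconsistent with the single spacing this commit introduces elsewhere; either normalise every sentence break on the line or leave the line untouched.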
@@ -6570,11 +6410,11 @@ service exim4 restart
6570 6410
 You should now be able to send an email from /postmaster@mynewdomainname/ and it should arrive in your inbox.
6571 6411
 
6572 6412
 ** Obtaining an "official" SSL certificate
6573
-You can obtain a free "official" (as in recognised by default by web browsers) SSL certificate from [[https://www.startssl.com/][StartSSL]].  You will first need to have bought a domain name, since it's not possible to obtain one for a freedns subdomain, so see [[Using your own domain]] for details of how to do that.  You should also have tested that you can send email to the domain and receive it on the BBB (via Mutt or any other email client).
6413
+You can obtain a free "official" (as in recognised by default by web browsers) SSL certificate from [[https://www.startssl.com/][StartSSL]]. You will first need to have bought a domain name, since it's not possible to obtain one for a freedns subdomain, so see [[Using your own domain]] for details of how to do that.  You should also have tested that you can send email to the domain and receive it on the BBB (via Mutt or any other email client).
6574 6414
 
6575 6415
 When creating a SSL certificate it's important that the private key (the private component of the public/private pair in [[https://en.wikipedia.org/wiki/Public-key_cryptography][public key cryptography]]) be generated on the BBB /and remain there/.  Don't generate the private key via the StartSSL certificate wizard because this means that potentially they may retain a copy of it which could then be exfiltrated either via [[https://en.wikipedia.org/wiki/Lavabit][Lavabit]] style methodology, "implants", compromised sysadmins or other "side channel" methods.  So that the private key isn't broadcast on the internet we can instead generate a certificate request, which is really just a request for authorisation of a public key.
6576 6416
 
6577
-Firstly you should have an Apache web site configutaion ready to go.  See [[Setting up a web site]] for details.
6417
+Firstly you should have an Apache web site configutaion ready to go. See [[Setting up a web site]] for details.
6578 6418
 
6579 6419
 Within StartSSL under the validations wizard validate your domain, which means sending an email to it and confirming a code.
6580 6420
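Review bot: lines +6413 and +6417 each drop only the first double space and keep the later ones ("do that.  You should"), and +6417 re-touches the line without fixing the typo "configutaion", which is present in both the old and the new version; while editing these lines, correct it to "configuration" and normalise all of the spacing in the same change.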