
Heartbleed vulnerability mitigation

Bob Mottram, 11 years ago
commit a47e4db354
2 changed files with 50 additions and 2 deletions:
  README.md (2 additions, 0 deletions)
  beaglebone.txt (48 additions, 2 deletions)

README.md (+2, -0)

@@ -1,5 +1,7 @@
1 1
 <img src="https://github.com/fuzzgun/freedombone/blob/master/images/logo120.png?raw=true"/>
2 2
 
3
+**Note: for information on fixing the "heartbleed" vulnerability see the section called "Regenerating SSL certificates"**
4
+
3 5
 FreedomBone is a personal home communications server based upon the BeagleBone Black hardware. It's small and cheap and will allow you to use email, have your own web site and do social networking in a federated way without needing to rely upon any intermediary companies other than your ISP.
4 6
 
5 7
 beaglebone.txt is in Emacs org-mode format.
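Review bot: the README note presents the new section as the fix for "heartbleed", but regenerating certificates is only the second half of the remedy; the first half is the libssl upgrade that the new section starts with, and a reader who jumps straight to the certificate commands on an unpatched library gets new keys that are exposed again. Suggest wording it as "for information on upgrading OpenSSL and regenerating SSL certificates after the "heartbleed" vulnerability see the section called "Regenerating SSL certificates"".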

beaglebone.txt (+48, -2)

@@ -478,7 +478,7 @@ wget http://freedombone.uk.to/hashlet-1.0.0.patch
478 478
 Install some dependencies.
479 479
 
480 480
 #+BEGIN_SRC: bash
481
-apt-get install gnupg build-essential libgcrypt11-dev
481
+apt-get install gnupg build-essential libgcrypt11-dev texinfo
482 482
 #+END_SRC
483 483
 
484 484
 Verify it.
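Review bot: the added texinfo dependency has nothing to do with the heartbleed mitigation named in the commit message and would be easier to trace in its own commit; it also deserves a sentence in the text saying why it is now needed (presumably for the ./autogen.sh step added in the next hunk), since someone who built hashlet from the older instructions will not know to install it before re-running the build.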
@@ -508,6 +508,7 @@ tar -xzvf hashlet-1.0.0.tar.gz
508 508
 cd hashlet-1.0.0
509 509
 patch -p1 < ../hashlet-1.0.0.patch
510 510
 chmod o+rw /dev/i2c*
511
+./autogen.sh
511 512
 ./configure
512 513
 make
513 514
 make check
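Review bot: `chmod o+rw /dev/i2c*` in the context of this hunk makes every I2C bus readable and writable by any local user, which is more access than the hashlet random-number loop needs; a udev rule that assigns /dev/i2c-2 to a dedicated group, with the loop run as a member of that group, would keep least privilege, and unlike the chmod it survives a reboot (the device nodes are recreated on a devtmpfs). Not introduced by this change, but worth fixing while the build steps are being edited.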
@@ -544,7 +545,7 @@ Add the following:
544 545
 
545 546
 while :
546 547
 do
547
-hashlet --bus=/dev/i2c-2 random > /dev/hashletrng # 32 bytes at a time...
548
+hashlet --bus=/dev/i2c-2 --Bytes 32 random-bytes > /dev/hashletrng
548 549
 done
549 550
 #+END_SRC
550 551
 
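Review bot: the new loop body `hashlet --bus=/dev/i2c-2 --Bytes 32 random-bytes > /dev/hashletrng` has no error handling and no delay, so if the chip or bus is absent the surrounding `while :` loop spins at full speed, failing on every iteration; suggest appending `|| sleep 1` (or breaking out of the loop after a failure) so a missing device degrades gracefully instead of pegging the CPU. The removed trailing comment "32 bytes at a time..." was the only explanation of the 32, so keep a comment on the replacement line.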
@@ -6268,6 +6269,51 @@ apt-get remove --purge mysql\*
6268 6269
 apt-get clean
6269 6270
 updatedb
6270 6271
 #+END_SRC
6272
+** Regenerating SSL certificates
6273
+If a security vulnerability arrises which requires you to regenerate your SSL certificates, such as [[http://filippo.io/Heartbleed]["heartbleed"]], then this can be done as follows:
6274
+
6275
+Obtain the latest updates:
6276
+
6277
+#+BEGIN_SRC: bash
6278
+apt-get update
6279
+apt-get upgrade
6280
+#+END_SRC
6281
+
6282
+Run *makecert <domain>* for each of your sites.
6283
+
6284
+Recreate the XMPP certificate:
6285
+
6286
+#+BEGIN_SRC: bash
6287
+openssl genrsa -out /etc/ssl/private/xmpp.key 4096
6288
+openssl req -new -x509 -key /etc/ssl/private/xmpp.key -out /etc/ssl/certs/xmpp.crt -days 3650
6289
+chmod 600 /etc/ssl/private/xmpp.key
6290
+chmod 600 /etc/ssl/certs/xmpp.crt
6291
+chown prosody:prosody /etc/ssl/private/xmpp.key
6292
+chown prosody:prosody /etc/ssl/certs/xmpp.crt
6293
+#+END_SRC
6294
+
6295
+And regenerate the IRC server keys:
6296
+
6297
+#+BEGIN_SRC: bash
6298
+openssl genrsa -out /etc/ircd-hybrid/key/ircd.key 4096
6299
+openssl req -new -x509 -key /etc/ircd-hybrid/key/ircd.key -out /etc/ircd-hybrid/key/ircd.pem -days 3650
6300
+chmod 600 /etc/ircd-hybrid/key/ircd.key
6301
+chmod 600 /etc/ircd-hybrid/key/ircd.pem
6302
+#+END_SRC
6303
+
6304
+As an added precaution you may wish to regenerate your ssh host keys:
6305
+
6306
+#+BEGIN_SRC: bash
6307
+rm /etc/ssh/ssh_host_*
6308
+dpkg-reconfigure openssh-server
6309
+#+END_SRC
6310
+
6311
+Then reboot the server with:
6312
+
6313
+#+BEGIN_SRC: bash
6314
+reboot
6315
+#+END_SRC
6316
+
6271 6317
 * Deprecated
6272 6318
 
6273 6319
 The following items have been deprecated until such time as a successful installation is achieved.
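Review bot: the procedure generates new keys immediately after `apt-get upgrade` but never checks that the upgrade actually installed a patched libssl; on a box whose mirror has not yet served the fixed package, `apt-get upgrade` succeeds and the freshly generated keys are exposed again. Add a step between the upgrade and `makecert` that confirms the installed libssl version is the fixed one (for example `dpkg -l libssl1.0.0` or `openssl version -a` compared against the Debian security advisory), and say explicitly that the `reboot` at the end is what makes already-running services stop using the old library. Smaller points in the same hunk: "arrises" should be "arises"; `openssl req -new -x509` prompts interactively for the certificate subject unless `-subj` is supplied, which the text should mention; and the ssh host-key regeneration should warn that every client will see a host-key-changed error afterwards and needs the new fingerprint confirmed out of band.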