Category Archives: Linux

Set up an rsyslog server with multithreaded TLS encryption using stunnel

Linux

If you run a rsyslog server using the rsyslog imtcp module with OpenSSL or GnuTLS enabled for encrypted communication support, chances are, as your infrastructure and/or log traffic grow, you will find out, that for TLS offloading, rsyslog is only able to use one thread of your multithreaded system. This is by design and until today, the imtcp module, which is also the only module supporting TLS, is not able to utilize multiple CPUs.

The imptcp, also known as plaintext-tcp module however, does support multiple threads, but cannot do any encryption.

In my case, I found that the only viable solution to multithreaded TLS offloading with rsyslog is to wrap stunnel in front of it, like this in /etc/stunnel/rsyslog-server.conf:

Continue reading Set up an rsyslog server with multithreaded TLS encryption using stunnel

Data recovery from defective storage media using ddrescue and photorec

Linux, ,

Recently, I found myself in the situation of having to undergo a large-scale recovery operation on a 15-year-old hard drive with a total runtime of nearly 70,000 hours. The drive had long suffered from numerous defective sectors and reading errors.

The specific hard drive model in question was the SAMSUNG HD501LJ, a contemporary model widely used in systems of that time. It was later replaced by 750GB and 1TB models in the following years before the hard drive division of SAMSUNG was partially acquired by Seagate in 2011.

The task at hand was not an easy one, as it involved:

  1. Safeguarding and reading as many data as possible.
  2. Making existing data available on the file systems.
  3. Locating and making available previously deleted data from the distant past.
  4. If feasible, writing the data onto a new storage medium of equal or greater size to restore the original system.
Continue reading Data recovery from defective storage media using ddrescue and photorec

Nextcloud: The “X-Frame-Options” HTTP header is not configured as “SAMEORIGIN” (even if it is)

Linux, ,

An interesting anecdote from my work with Nextcloud. In the backend, they offer a “Security- and configuration check” which proposes some tips and recommendations to take with your Nextcloud server instance.

After completing all tasks listed, one persisted:

The “X-Frame-Options” HTTP header is not configured as “SAMEORIGIN”. This is a potential security or privacy risk, and we recommend changing this setting.

Nextcloud Admin Backend -> Overview

As this is an easy check, I opened the developer console of my browser and checked if the header was set. And it was. Weird? At that point, I was pretty certain that something with the detection of that header was wrong, but I could not point it out immediately.

After researching online and fiddling with this for at least an hour, likely more, I decided to utilize the scan.nextcloud.com security scanner to ensure the warning is also shown there. Now the fun part: The scanner showed the warning too, but with cached data from last year. After re-scanning and getting an A+ on the scanner, the warning also disappeared in the Nextcloud backend.

Likely the Nextcloud backend check relies on the same dataset that scan.nextcloud.com uses and by re-doing the security check manually on scan.nextcloud.com, the warning disappeared. No need to fiddle with any webserver-configs, since Nextcloud in all newer versions sets the X-Frame-Options header correctly by itself.

How I run small websites in Docker-containers separated from each other on a small VPS

Linux, , ,

Since I rarely give insights on how websites such as this one are run, I decided it would be a great time to share one very simplistic and efficient approach to host several small websites, separated from each other, on a cheap VPS.

When we talk websites, I mean WordPress instances. WordPress has a few basic requirements:

  • the PHP scripting-language
  • a MySQL database
  • possiblity to use sendmail or a similar software to send mails

To achieve these basic requirements, I employ:

  • one docker-compose stack bundling the MySQL-database as well as the phpMyAdmin-webinterface
  • multiple docker-compose stacks bundling PHP-FPM, nginx as well as exim4 to act as a mailrelay
  • one nginx instance on the VPS (uncontainered as of now) that does the SSL-offloading and acts as a reverse proxy in front of the different docker-compose stacks for WordPress

The setup is:

  • simple
  • easy to handle (upgrades, PHP-version switching etc.)
  • efficient (especially towards RAM usage)
  • easily migrateable to a different machine
Continue reading How I run small websites in Docker-containers separated from each other on a small VPS

Sync time on Linux via GSM

Linux, , , , , , , , ,

The RaspberryPi and many similar single-board computers do not have an RTC or “Real Time Clock” and without internet connectivity cannot retain their time setting. Therefore most RaspberryPi Linux-distributions employ NTP to sync the time right after boot. If you are not able to use an internet connection and therefore no NTP, but have a GSM modem or phone and a valid sim card at hand, this guide may be suitable for your needs.

Continue reading Sync time on Linux via GSM