Diary of an IT Architect

Copypastable tutorials I wrote for my reference. You're welcome.

Uploading websites to their document roots was traditionally done by means of FTP. FTP is an ancient beast which should probably be eradicated from the Internet, mostly because it uses cleartext communication for both authentication (meaning it's trivial to sniff out credentials on the wire) and data transfer (meaning it's prone to MITM attacks). However, a lot of old-school web programmers are used to their FTP clients, such as FileZilla, and not too eager to learn new stuff. This article explains how to set up a ProFTPD server in SFTP mode listening on a non-standard port, whose clients - virtual users - will be authenticated against a MySQL database and chrooted to their directories. Virtual users won't have local shell access, as opposed to local users who can ssh to the standard port provided by FreeBSD's built-in ssh server, but they will be able to transfer files securely without the need to move away from FileZilla.

Continue reading...

Large browser vendors established, quite some time ago, a model of "trusted" web sites based on SSL certificates signed by "trusted" CAs. This trend is increasingly spreading to other applications and protocols. This article gives the exact steps needed for obtaining Let's Encrypt wildcard certificates from a FreeBSD host, using DNS validation through dynamic updates of a BIND server's zones, with EFF's ACME client, certbot.

Continue reading...

Most of the OpenBSD systems I am in charge of are deployed in data centres, powered by UPSs which provide them with electrical power during public grid power outages. But there is also a number of OpenBSD systems I administer which are deployed in much less favourable conditions: where frequent power outages last longer than UPS batteries do, or where there are no UPSs at all (such as branch office routers in godforsaken places where having electricity and Internet access at all is considered a lucky circumstance). These latter systems are likely to have a high rate of unclean shutdowns caused by prolonged or unexpected power outages, which in turn increases the probability of their being unable to boot without human intervention. This article describes the steps to make an OpenBSD system more resilient to unexpected power outages by minimising the possibility of inconsistent file systems after unclean shutdowns, which is achieved by mounting all disk partitions in read-only mode. File systems which have to be writable - /var, /dev and /tmp - are mounted as writable memory file systems.

Continue reading...

For the last few years, I have been using net/openntpd instead of FreeBSD's base ntpd(8), exclusively because of the latter's tendency to bind to all available interfaces and addresses, and its inability to be configured so that it binds to a specific IP address. Things have changed recently, however, and it appears that from FreeBSD 11.1 onwards we can specify ntpd's listen IP address(es). The following article explains how to bind FreeBSD's base ntpd to a single IPv4 address and the IPv4 loopback address.

Continue reading...

Once I've obtained free certificates from Let's Encrypt, preferably with dehydrated on FreeBSD, I'm going to modify Postfix's config file so that they can be used to secure SMTP traffic.

Continue reading...