My name is Philipp C. Heckel and I write about nerdy things.

Posts Categorized / Administration


  • Jan 08 / 2017
  • 30
Administration, Linux

How-To: Using ZFS Encryption at Rest in OpenZFS (ZFS on Linux, ZFS on FreeBSD, …)

An upcoming feature of OpenZFS (and ZFS on Linux, ZFS on FreeBSD, …) is At-Rest Encryption, a feature that allows you to securely encrypt your ZFS file systems and volumes without having to provide an extra layer of devmappers and such. To give you a brief overview of what the feature can do, I thought I’d write a short post about it.

The current ZFS encryption implementation is not (yet) merged into the upstream repository (as of January 2017). There is a pretty big pull request which is still being reviewed, but because the feature is so incredibly cool (and because my colleague Tom Caputi developed it), I thought a sneak preview is absolutely necessary.

Continue Reading

  • Jan 01 / 2017
  • Comments Off on zfsu: ZFS utils for offsite backup, retention and maintaining a slow mirror
Administration, Linux

zfsu: ZFS utils for offsite backup, retention and maintaining a slow mirror

My laptop runs ZFS as its root file system (see this blog post) — meaning that I can snapshot my root file system and I can send it to another machine as a backup very easily. Unfortunately, while ZFS provides the raw functionality, there is no great tool to manage offsite backups and retention. To ease this pain, I wrote/forked and packaged a few helper scripts which I called zfsu, a collection of ZFS utilities.

It consists of the following tools: zfsu tx (aka zfstx) maintains a mirror of a ZFS pool over the network. zfsu ret (aka zfsret) is a simple script to apply local retention (destroy snapshots) of a file system and its snapshots. zfsu res (aka zfsres) is a script to resilver a slow mirror, e.g. a HDD disk if mirrored with a SSD.

Continue Reading

  • Dec 04 / 2015
  • 4
Administration, Code Snippets, Linux, Scripting, Security

Snippet 0x0D: Let’s Encrypt – 5 min guide to set up cronjob based certificate renewal

Let’s Encrypt was officially released to the open public today. That means the Internet can finally get free, trusted SSL/TLS certificates. This quick guide shows how to set up Let’s Encrypt with auto-renewal through a cronjob — using the simp_le client, an alternative client developed by one of the same authors who develop the official client.

Continue Reading

  • Oct 18 / 2015
  • 8
Administration

How-To: Create a Debian package and a Debian repository

Debian packages and repositories are everywhere, yet many people don’t understand that creating them is actually pretty easy. While there are dozens of tutorials out there, none of them seemed to really show a good step-by-step. This is a quick tutorial on how to create a Debian package from scratch, and how to create a simple Debian repository.

Continue Reading

  • Jul 18 / 2013
  • 16
Administration, Linux, Security

How To: DNS spoofing with a simple DNS server using Dnsmasq

The Domain Name System (DNS) is one of the fundamental services of the Internet. By resolving domain names to IP addresses, it makes routing of IP packets possible and thereby lets browsers and other clients connect to remote servers using all kinds of protocols. By blindly connecting to the IP address returned by the DNS server, however, users put a lot of trust into DNS, because by default, DNS responses are not validated or verified.

In this blog post, I’d like to demonstrate how to easily set up a DNS server that allows you to easily forge certain entries manually — thereby allowing you to either block certain domains from your network or to pretend that you are a certain website. This scenario is commonly referred to as DNS forgery or DNS spoofing.

Continue Reading

  • Feb 01 / 2011
  • 3
Administration, Linux, Programming, Security

Altering old SVN revisions: removing confidental data from a Subversion repository

Version control systems like CVS or Subversion are designed for keeping track of the changes of a project and for having the possibility to revert to old revisions if something goes wrong. In contrast to regular relational databases, these systems are made only for adding new content to a repository, and not for removing data from it. In fact, deleting old content is not a built-in functionality in SVN, and mostly requires removing entire revisions from the repository or even creating a new one.

But what happens if you accidentally commit a password or other sensitive information to a repository? This post explains how to remove this confidential data permanently from the repository by simply overwriting it in old revisions, i.e. without having to remove revisions or create a new repository.

Continue Reading

  • Jan 29 / 2010
  • Comments Off on WP-UN: WordPress version update notification with cron
Administration, Linux, Scripting, Security

WP-UN: WordPress version update notification with cron

WordPress is a very popular open-source blog software and is used widely throughout the Internet. However, with great success comes great attack potential: like any other wide spread open-source software, WordPress is target for frequent hacking attacks and spam-bots. All the more important is it to always update the distribution to the latest release.

As Debian/Ubuntu user, I am spoiled when it comes to update management: apt-get updates most of my software, and apticron notifies me when updates are available. For WordPress however, the packaged versions of Debian/Ubuntu are really old and less adjustable which unfortunately makes a manual installation inevitable. While there are several automated WordPress update mechanisms out there, I couldn’t find a simple notify-on-update tool.

This post introduces the WordPress Update Notifier (WP-UN), a simple script that frequently compares the installed WordPress version with the latest available one. If a new version is available, it sends an e-mail to a given address.

Continue Reading

  • Jan 28 / 2010
  • 2
Administration, Linux

How to: Postfix as mail relay with greylisting support using SQLgrey

Greylisting is a very efficient technique for fighting spam and can reduce the spam messages in your mailbox by more than 90%. It uses the fact that most spammers only try delivering their spam-mails once, whereas real mail transfer agents (such as the ones regular e-mail service providers are using) try delivering each message up to 4-5 days before they give up.

I have always wondered why most ESPs don’t offer greylisting for their mailboxes, but only rely on less effective and resource-hungry post-retrieval filter methods. Unfortunately, my e-mail provider is one of them so that I get at least a couple of spam mails a day …

Luckily, it is very easy to set up your own mail relay with greylisting support, i.e. a mail server that simply forwards the mail to your real provider once it passes the greylist-filter.

This little tutorial describes how to set up Postfix and SQLgrey as mail relay.

Continue Reading

  • May 13 / 2008
  • 1
Administration

Hello world!

Hello world!

This is supposed to be my own web log. I’m not really sure if I have many things to share with the world, but I’m going to try my best to come up with some useful things. I guess most of them will have to do with Silversun and/or Linux problems and solutions.

For those of you who’d like to know more about me, please visit my Xing Profile or my private web site.

Thanks for your attention ;)
Philipp