Kevin M. Gallagher ageis

⚠️ Content below I now consider obsolete. My latest guide is now located here: Technical guide for using YubiKey series 4 for GPG and SSH. Please consult that resource instead.

Quick GPG Smartcard Guide

Keybase proof

I hereby claim:

I am ageis on github.
I am ageis (https://keybase.io/ageis) on keybase.
I have a public key whose fingerprint is 2C84 664F 26AA E27B AD57 90FD B604 C32A D5D7 C6D8

To claim this, I am signing this object:

Building a grsec-patched Linux kernel for Debian 8 and DigitalOcean

It's possible to run a custom (instead of hypervisor-managed) kernel for use with Debian 8.x on a DigitalOcean droplet.

We'll build one with grsecurity, "an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening".

Note: The stable patches for Linux 3.14.x and 3.2.x are not publicly available anymore, so we'll be applying the free 4.3.x (test) patch. The URLs and filenames in this document may become outdated, so fetch the latest from grsecurity.net and kernel.org.

Install dependencies:

security and hardening options for systemd service units

A common and reliable pattern in service unit files is thus:

NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict

	Andy Greenberg of WIRED reports that the FBI has finally revealed how they allegedly located the server on which Silk Road was hosted, and it didn't require parallel construction. http://www.wired.com/2014/09/the-fbi-finally-says-how-it-legally-pinpointed-silk-roads-server

	It was a security fail.

	According to FBI agent Christopher Tarbell, as related by Greenberg: "They found a misconfiguration in an element of the Silk Road login page, which revealed its internet protocol (IP) address and thus its physical location... And when they entered that IP address directly into a browser, the Silk Road's CAPTCHA prompt appeared."

	While I can only speculate about what gave away the IP address, here's a few suggestions for avoiding the latter problem, which should make your .onions slightly more secure.

	First off, the webserver never should have responded to HTTP requests on the server's IP address. Only traffic which comes through the Tor hidden service, which connects to the webserver's port 80 on the loopback in

	## Address Space Protection
	# Disable privileged io: iopl(2) and ioperm(2)
	# Warning: Xorg without modesetting needs it to be 0
	kernel.grsecurity.disable_priv_io = 1
	kernel.grsecurity.deter_bruteforce = 1

	kernel.grsecurity.deny_new_usb = 0
	kernel.grsecurity.harden_ipc = 1

	## Filesystem Protections

	#!/usr/bin/python3
	# -- coding: utf-8 --

	import sys
	import subprocess
	import argparse
	import re
	import mailbox
	import email.utils
	import os

	/hex
	scd serialno
	scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
	scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
	scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
	scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
	scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
	scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
	scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
	scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40

	### Keybase proof

	I hereby claim:

	* I am ageis on github.
	* I am ageis (https://keybase.io/ageis) on keybase.
	* I have a public key whose fingerprint is 2258 6762 C39A 5DFF F7D7 FDC5 5F4F 4788 5921 D69C

	To claim this, I am signing this object:

	# run in the terminal, then set as ssl_dhparam in nginx.conf
	openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096