Blog

Purpose

This system hosts the blog, blog.cacert.org. The blog meets the needs of public relations and the CAcert community to publish CAcert’s activities.

Administration

System Administration

Todo

find an additional admin

Application Administration

Role

Users

Wordpress Admin

Dirk Astrath, Mario Lipinski,

Wordpress Editor

PR Team, Support

Wordpress Author

Anyone with a certificate

Wordpress Contributor

Anyone with contributor privileges

Wordpress Subscriber

Any Spammer or person who has not posted or has not logged in

Additional People

Mario Lipinski has sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet

213.154.225.234

IP Intranet

172.16.2.13

IP Internal

10.0.0.13

IPv6

2001:7b8:616:162:2::13

MAC address

00:ff:fa:af:b2:9b (eth0)

See also

See Network

DNS

Name

Type

Content

blog.cacert.org.

IN A

213.154.225.234

blog.cacert.org.

IN AAAA

2001:7b8:616:162:2::13

blog.cacert.org.

IN SSHFP

1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8

blog.cacert.org.

IN SSHFP

1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6

blog.cacert.org.

IN SSHFP

3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86

blog.cacert.org.

IN SSHFP

3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047

blog.cacert.org.

IN SSHFP

4 1 90903e8f4b35457bf41235f070adf592d7f724dd

blog.cacert.org.

IN SSHFP

4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b

blog.intra.cacert.org.

IN A

172.16.2.13

Operating System

  • Debian GNU/Linux 10.3

Applicable Documentation

A small (work in progress) guide can be found in the Wiki BlogDoc.

Services

Listening services

Port

Service

Origin

Purpose

22/tcp

ssh

ANY

admin console access

25/tcp

smtp

local

mail delivery to local MTA

80/tcp

http

ANY

application

443/tcp

https

ANY

application

5665/tcp

icinga2

monitor

remote monitoring service

3306/tcp

mariadb

local

MariaDB database for blog

Running services

Service

Usage

Start mechanism

Apache httpd

Webserver for blog

systemd unit apache2.service

cron

job scheduler

systemd unit cron.service

dbus-daemon

System message bus

systemd unit dbus.service

icinga2

Icinga2 monitoring agent

systemd unit icinga2.service

MariaDB

MariaDB database server for blog

systemd unit mariadb.service

openssh server

ssh daemon for remote administration

systemd unit ssh.service

Postfix

SMTP server for local mail submission

systemd unit postfix.service

Puppet agent

configuration management agent

systemd unit puppet.service

rsyslog

syslog daemon

systemd unit rsyslog.service

Databases

RDBMS

Name

Used for

MariaDB

blog

Wordpress blog

Connected Systems

Outbound network connections

  • HTTP (80/tcp) and HTTPS (443/tcp) Ping-o-matic blog update service 1

  • HTTP (80/tcp) and HTTPS (443/tcp) to Akismet anti spam service 2

  • HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org

  • DNS (53) resolving nameservers 172.16.2.2 and 172.16.2.3

  • Emailout as SMTP relay

  • Proxyout as HTTP proxy for APT

  • Puppet (tcp/8140) as Puppet master

  • crl.cacert.org (rsync) for getting CRLs

1

http://blog.cacert.org/wp-admin/options-writing.php

2

http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config

Security

SSH host keys

Algorithm

Fingerprints

RSA

SHA256:OvtFKsNpDPfNmjMygTv3sT29KIx6TvvZq53UtGSf8rY, MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d

DSA

-

ECDSA

SHA256:htMwuQDbm/CovJ7DSxJqqCYf7J4CsSOrYcKu4LVq4Ec, MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81

ED25519

SHA256:8kt3DBbcuRr8lGHmLm/mOmPUE++keUdRwDntbVITEns, MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d

Dedicated user roles

Group

Purpose

blog

group owning the blog file content and temporary files. This group is used to execute the Wordpress PHP code.

Non-distribution packages and modifications

Risk assessments on critical packages

Software

Risk rating

Mitigation

Wordpress

high

Regular updates, avoid unnecessary plugins, Consider Wordpress hardening

Critical Configuration items

The system configuration is managed via Puppet profiles. There should be no configuration items outside of the CAcert Git repository cacert-puppet.

Todo

move configuration of Blog to Puppet code

Keys and X.509 certificates

  • Certificate for CN blog.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/blog.cacert.org.crt

    • private key in file /etc/ssl/private/blog.cacert.org.key

  • /etc/ssl/certs/cacert.org/ directory containing CAcert.org Class 1 and Class 3 certificates (allowed CA certificates for client certificates) and symlinks with hashed names as expected by OpenSSL

  • /etc/ssl/certs/cacert.org.pem CAcert.org Class 1 certificate (certificate chain for server certificate)

Apache httpd configuration

  • /etc/apache2/cacert/blog.inc.conf

    Defines settings that are shared by the HTTP and the HTTPS VirtualHost definitions. This file takes care of the PHP FCGI setup.

  • /etc/apache2/cacert/headers.inc.conf

    Defines HTTP headers that are shared by the HTTP and the HTTPS VirtualHost definitions. The file is included by /etc/apache2/cacert/blog.inc.conf.

  • /etc/apache2/sites-available/blog-ssl.conf

    This file contains the HTTPS VirtualHost definition and defines client certificate authentication for /wp-admin and /wp-login.php.

  • /etc/apache2/sites-available/blog-nossl.conf

    This file defines the HTTP VirtualHost definition and takes care of redirecting /wp-admin and /wp-login.php to the HTTPS VirtualHost.

The following RewriteRule is used to redirect old blog URLs:

RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]

Wordpress configuration

  • /srv/www/blog/wp-config.php contains the Wordpress database configuration. The rest of the Wordpress configuration is stored in the database (assumption).

Tasks

Todo

add a section documenting wordpress and plugin updates

Todo

add a section documenting wordpress user management

Changes

Planned

Todo

manage the blog system using Puppet

Todo

setup CRL checks (can be borrowed from Svn) for client certificates

System Future

  • No plans