Blog

Purpose

This system hosts the blog, blog.cacert.org. The blog meets the needs of public relations and the CAcert community to publish CAcert’s activities.

Administration

System Administration

Todo: find an additional admin

Application Administration

Role                  | Users
Wordpress Admin       | Dirk Astrath, Mario Lipinski
Wordpress Editor      | PR Team, Support
Wordpress Author      | Anyone with a certificate
Wordpress Contributor | Anyone with contributor privileges
Wordpress Subscriber  | Any spammer or person who has not posted or has not logged in

Additional People

Jan Dittberner and Mario Lipinski have sudo access on that machine too.

Basics

Physical Location

This system is located in an LXC container on physical machine Infra02.

Logical Location

IP Internet: 213.154.225.234

IP Intranet: 172.16.2.13

IP Internal: 10.0.0.13

MAC address: 00:ff:fa:af:b2:9b (eth0)

See also

See Network

DNS

Name                   | Type     | Content
blog.cacert.org.       | IN A     | 213.154.225.234
blog.cacert.org.       | IN SSHFP | 1 1 32CA6E4BA3275AAB0D65F0F46969B11A4C4B36E8
blog.cacert.org.       | IN SSHFP | 1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6
blog.cacert.org.       | IN SSHFP | 2 1 AAFBA94EBE5C5C45CDF5EF10D0BC31BEA4D9ECEC
blog.cacert.org.       | IN SSHFP | 2 2 4d4384ebd1906125ae26d2fa976596af914b4b3587f2204a0e01368a3640f680
blog.cacert.org.       | IN SSHFP | 3 1 8fa85a31215f10ea78fd0126d1c705c9a3662c86
blog.cacert.org.       | IN SSHFP | 3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047
blog.cacert.org.       | IN SSHFP | 4 1 90903e8f4b35457bf41235f070adf592d7f724dd
blog.cacert.org.       | IN SSHFP | 4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b
blog.intra.cacert.org. | IN A     | 172.16.2.13

Operating System

  • Debian GNU/Linux 8.11

Applicable Documentation

A small (work in progress) guide can be found in the Wiki BlogDoc.

Services

Listening services

Port     | Service | Origin  | Purpose
22/tcp   | ssh     | ANY     | admin console access
25/tcp   | smtp    | local   | mail delivery to local MTA
80/tcp   | http    | ANY     | application
443/tcp  | https   | ANY     | application
5666/tcp | nrpe    | monitor | remote monitoring service
3306/tcp | mysql   | local   | MySQL database for blog
9000/tcp | php-fpm | local   | PHP FPM executor

Running services

Service            | Usage                                        | Start mechanism
Apache httpd       | Webserver for blog                           | systemd unit apache2.service
cron               | job scheduler                                | systemd unit cron.service
dbus-daemon        | System message bus daemon                    | systemd unit dbus.service
MySQL              | MySQL database server for blog               | systemd unit mysql.service
openssh server     | ssh daemon for remote administration         | systemd unit ssh.service
Postfix            | SMTP server for local mail submission        | systemd unit postfix.service
Nagios NRPE server | remote monitoring service queried by Monitor | systemd unit /etc/init.d/nagios-nrpe-server

Databases

RDBMS | Name       | Used for
MySQL | blog       | Wordpress blog
MySQL | phpmyadmin | PHPMyAdmin settings database

Connected Systems

Outbound network connections

  • HTTP (80/tcp) and HTTPS (443/tcp) to the Ping-o-matic blog update service [1]

  • HTTP (80/tcp) and HTTPS (443/tcp) to the Akismet anti-spam service [2]

  • HTTP (80/tcp) and HTTPS (443/tcp) to wordpress.org

  • DNS (53) to the resolving nameservers 172.16.2.2 and 172.16.2.3

  • Emailout as SMTP relay

  • Proxyout as HTTP proxy for APT

  • crl.cacert.org (rsync) for fetching CRLs

[1] configured at http://blog.cacert.org/wp-admin/options-writing.php

[2] configured at http://blog.cacert.org/wp-admin/plugins.php?page=akismet-key-config

Security

SSH host keys

Algorithm | Fingerprints
RSA       | SHA256:OvtFKsNpDPfNmjMygTv3sT29KIx6TvvZq53UtGSf8rY, MD5:ec:cb:b5:13:7c:17:c4:c3:23:3d:ee:01:58:75:b5:8d
DSA       | SHA256:TUOE69GQYSWuJtL6l2WWr5FLSzWH8iBKDgE2ijZA9oA, MD5:c6:a7:52:f6:63:ce:73:95:41:35:90:45:9e:e0:06:a5
ECDSA     | SHA256:htMwuQDbm/CovJ7DSxJqqCYf7J4CsSOrYcKu4LVq4Ec, MD5:00:d7:4b:3c:da:1b:24:76:74:1c:dd:2c:64:50:5f:81
ED25519   | SHA256:8kt3DBbcuRr8lGHmLm/mOmPUE++keUdRwDntbVITEns, MD5:0c:fe:c7:a1:bd:e6:43:e6:70:5a:be:5a:15:4d:08:9d
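The SSHFP records in the DNS table and the SHA-256 fingerprints above are the same host key digests in two encodings (unpadded base64 in ssh-keygen output, hex in DNS). The following Python is an added example, not part of this wiki page, that cross-checks the two so that drift between the zone and the host is noticed; the SHA-1 (type 1) SSHFP records are skipped because this page publishes no SHA-1 fingerprints to compare them with.

```python
import base64

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479); fingerprint type 2 is SHA-256.
SSHFP_ALGORITHMS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}

# SHA-256 fingerprints as `ssh-keygen -l -E sha256` prints them, copied from the table above.
HOST_KEY_FINGERPRINTS = {
    "RSA": "SHA256:OvtFKsNpDPfNmjMygTv3sT29KIx6TvvZq53UtGSf8rY",
    "DSA": "SHA256:TUOE69GQYSWuJtL6l2WWr5FLSzWH8iBKDgE2ijZA9oA",
    "ECDSA": "SHA256:htMwuQDbm/CovJ7DSxJqqCYf7J4CsSOrYcKu4LVq4Ec",
    "ED25519": "SHA256:8kt3DBbcuRr8lGHmLm/mOmPUE++keUdRwDntbVITEns",
}

# SSHFP RDATA ("algorithm fptype hex") copied from the DNS table above.
SSHFP_RDATA = [
    "1 2 3afb452ac3690cf7cd9a3332813bf7b13dbd288c7a4efbd9ab9dd4b4649ff2b6",
    "2 2 4d4384ebd1906125ae26d2fa976596af914b4b3587f2204a0e01368a3640f680",
    "3 2 86d330b900db9bf0a8bc9ec34b126aa8261fec9e02b123ab61c2aee0b56ae047",
    "4 2 f24b770c16dcb91afc9461e62e6fe63a63d413efa4794751c039ed6d5213127b",
]

def sha256_fingerprint_to_hex(fingerprint):
    """Turn OpenSSH's unpadded base64 'SHA256:...' form into the lowercase hex SSHFP uses."""
    b64 = fingerprint[len("SHA256:"):] if fingerprint.startswith("SHA256:") else fingerprint
    b64 += "=" * (-len(b64) % 4)  # ssh-keygen strips base64 padding; restore it before decoding
    digest = base64.b64decode(b64)
    if len(digest) != 32:
        raise ValueError("expected a 32-byte SHA-256 digest, got %d bytes" % len(digest))
    return digest.hex()

def parse_sshfp(rdata):
    """Split SSHFP RDATA into (algorithm name, fingerprint type, lowercase hex digest)."""
    alg, fptype, fp_hex = rdata.split()
    return SSHFP_ALGORITHMS[int(alg)], int(fptype), fp_hex.lower()

def check_sshfp_records(rdata_list, fingerprints):
    """Per algorithm: does the published SHA-256 SSHFP record match the ssh-keygen fingerprint?"""
    results = {}
    for rdata in rdata_list:
        alg_name, fptype, fp_hex = parse_sshfp(rdata)
        if fptype != 2:
            continue  # SHA-1 (type 1) records cannot be checked against SHA-256 fingerprints
        results[alg_name] = fp_hex == sha256_fingerprint_to_hex(fingerprints[alg_name])
    return results

if __name__ == "__main__":
    for alg, ok in sorted(check_sshfp_records(SSHFP_RDATA, HOST_KEY_FINGERPRINTS).items()):
        print("%-8s %s" % (alg, "matches SSHFP" if ok else "MISMATCH"))
```

The same comparison applies to any host documented this way: paste the table values in and every algorithm should report a match before VerifyHostKeyDNS is relied on.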

Dedicated user roles

Group | Purpose
blog  | group owning the blog file content and temporary files; this group is used to execute the Wordpress PHP code

Non-distribution packages and modifications

Risk assessments on critical packages

Software  | Risk rating | Mitigation
Wordpress | high        | Regular updates, avoid unnecessary plugins, consider Wordpress hardening

Critical Configuration items

Keys and X.509 certificates

  • Certificate for CN blog.cacert.org, see details in the certificate list

    • certificate in file /etc/ssl/public/blog.cacert.org.crt

    • private key in file /etc/ssl/private/blog.cacert.org.key

  • /etc/ssl/certs/cacert.org/ directory containing CAcert.org Class 1 and Class 3 certificates (allowed CA certificates for client certificates) and symlinks with hashed names as expected by OpenSSL

  • /etc/ssl/certs/cacert.org.pem CAcert.org Class 1 certificate (certificate chain for server certificate)

Apache httpd configuration

  • /etc/apache2/cacert/blog.inc.conf

    Defines settings that are shared by the HTTP and the HTTPS VirtualHost definitions. This file takes care of the PHP FCGI setup.

  • /etc/apache2/cacert/headers.inc.conf

    Defines HTTP headers that are shared by the HTTP and the HTTPS VirtualHost definitions. The file is included by /etc/apache2/cacert/blog.inc.conf.

  • /etc/apache2/sites-available/blog-ssl.conf

    This file contains the HTTPS VirtualHost definition and defines client certificate authentication for /wp-admin and /wp-login.php.

  • /etc/apache2/sites-available/blog-nossl.conf

    This file contains the HTTP VirtualHost definition and takes care of redirecting /wp-admin and /wp-login.php to the HTTPS VirtualHost.

The following RewriteRule is used to redirect old blog URLs:

RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]

Wordpress configuration

  • /srv/www/blog/wp-config.php contains the Wordpress database configuration. The rest of the Wordpress configuration is stored in the database (assumption).

Tasks

Todo: add a section documenting Wordpress and plugin updates

Todo: add a section documenting Wordpress user management

Changes

Planned

Todo: switch to Puppet management

Todo: replace nrpe with icinga2 agent

Todo: update Wordpress to 5.x

Todo: update to Debian 9/10

Todo: set up IPv6

Todo: set up CRL checks (can be borrowed from Svn) for client certificates

System Future

  • No plans

Additional documentation

References

Wordpress website: https://wordpress.org/