Well for a couple of weeks (or longer) I have hosted a
forum over a SSL connection which utilises AES-256 from the end user to the apache webserver. This makes the forum reasonably immune to packet sniffing and things like that.
I have played around with cryptoloop before, in fact it started when I started getting into Linux-2.6 a while back. While going though all the options I came across the cryptoloop option and had a look at it. Checking it out, it seemed uber cool so obviously I decided to compile the aes-585 modules as well. I set up a cryptoloop for a while until I got rid of it because I had no real use for a crypto filesystem and needed the freespace.
However, since I had configured the forum and other things I have wanted to do this again. So I finally got to work on it tonight and have finally got it all up and running.
Firstly I followed the
cryptoloop howto and from there I started to setup the cryptodevice. However regarding the packages I ran into a few small
problems regarding the linux-utils package and compling it manually on a system with an advanced package managment system. However thanks to
god of all things linux he gave me some
pointers (basically I read that, set up stuff in my homedirectory, used apt to get the source RPM, copied the patches into my sources directory and added the appropriate specfile entries). Once I got that to install beautifully I was rocking. Then I set up the cryptodevice on an old 1.7gb Hard Drive which gets about 5mb per second (FAST!) with 1.7gb of space. I was thinking of using a loopback however I thought using the spare harddrive would be handy if I ever want to just migrate the database to another system in future, rather then buggering around with moving large files and stuff.
Then I wrote up a couple of scripts, one to mount the cryptoloop: which if that was sucsessful it would automatically start mysqld and then httpd (apache already asks me for a password to start it since I set up the private keys and all that jazz, so I was killing two birds with one stone here because it allows me to enter both passwords and then the server is up). The other script was to take the cryptoloop down which is a handy thing for obvious reasons, like when my house gets invaded or some crap like that, or just general paranoia (maybe I should set up snort somehow to execute that script if it detects large amounts of serious intrusion attempts).
I ran into further troubles with mysql, you see first I tried moving /var/lib/mysql to /crypto/mysql and then symlinking /var/lib/mysql to /crypto/mysql which mysql did not like very much and decided to go on strike and not come into work. Then I discovered I just had to edit /etc/rc.d/init.d/rc.mysqld (or somthing like that) and change a line at the top of the file that says where the database is. At some stage doing this I managed to wipe my database again (sigh), however this time I was prepared and just had to create the databases and restore the backup files.
So then, after I got everything back into place, or in its new place, I started the servers and everything was rocking again, just beautiful.
And now I think I have the most secured phpbb in the universe, w00t.
In future I think I will put the home directories and mailspool for the ssh users on the cryptodevice. Making it a nice little hub for secure communications between users talking to it from their secure ssh connections.
I will have to update the wikipage on my server
exeleven to tell more about its awesome security measures.
W00t.
