Next step in privacy is NextCloud – Have your cloud@Home

in action

I have never felt comfortable with having my phone pictures in the cloud, preferring only Dropbox (which supports Linux properly). Since Google retired Picasa and Apple is only really worthwhile if you ONLY use Apple products, despite what fanboys might say, I decided to avoid vendor lock-in. I have exchanged my iMac and MacBook for a Lenovo Yoga 2 Pro (Qubes 3.2) and a Purism Librem 13v2 (Qubes 4.0).

I want my data to be @home, without being accessible from the internet. No unnecessary risks of breaches, if avoidable, and no access from a giant attack vector (the whole internet, if it is in the public cloud). Private cloud it is. And NextCloud seems to be best of breed.

I tried to buy a NextCloud Box, but all sold out in Europe and I was too tired to buy in the US, again.

Bought a CubieTruck and enjoyed the easy install of NextCloud, the easy automatic updating, the easy setup of the iPhone part, etc.

Not a usual guide, but a simple heartfelt recommendation from here. Try it out. You won’t regret it.

Whonix-14 available in Qubes-OS

As advertised on the qubes-users mailing list, the Whonix version 14 templates are now available, and they installed flawlessly on my Qubes 4.0 without much effort.

I had no issues, so after deleting all existing Whonix templates and AppVMs, the steps to follow were:

sudo dnf remove qubes-template-whonix-ws

sudo dnf remove qubes-template-whonix-gw

sudo qubesctl state.sls qvm.anon-whonix

sudo qubesctl state.sls qvm.whonix-ws-dvm

And then use Chris Laprise’s script to update them:

./qubes4-multi-update whonix-gw-14 whonix-ws-14

I rarely use Whonix, but nonetheless I encourage anyone using it for good to donate and support the project.

Adding a newer AppVM template to the Disposable VM on Qubes 4.0

After installing Qubes 4.0, I’ve not actually used disposable VMs as much as I should, but after Micah Lee showed me the Thunderbird plugin, I had to make a newer DispVM template than the old fedora-26 without LibreOffice. Can’t open Word documents without it, I’m afraid.

In Dom0:

qvm-prefs --set <AppVM to use as template> template_for_dispvms True

I have a personal-28 template to use for newer stuff, so that’s what I will use instead.

See that the “Default DispVM” is changed from fedora-26 to Personal-28.

Kali on Qubes 4 (with katoolin)

To use the great benefits derived from Qubes VMs, Micah Lee recommended the use of Katoolin instead of the HVM-based Kali I normally use, so let’s try it out:

Clone your fully updated debian-9:

In the “Basic” tab, resize the partition:

Enhance the memory size, if your setup allows it:

Start the terminal to run the commands described on the Qubes Katoolin setup page point 1-6:

When you come to point #6, and have to run

“sudo apt-get dist-upgrade”, don’t…..

I have tried both yes and no to “restarting services automatically”, but the terminal crashes and remains unresponsive. I cannot get in contact with the VM. The latest screenshot was:

It seems the install is running, since my fan speeds up and down continuously.

I tried following this tutorial, and found out that you can install some stuff from the menus, but you have to remove the sources before updating or it will crash. That means no software from Kali will be updated?

For now, I’m continuing to work with my Kali rolling standalone HVM.

10.137.0.23,255.0.0.0,10.137.0.6,10.139.1.1,10.139.1.2

Basic hardening Apache 2.4.6 on Red Hat Enterprise Linux Server release 7.5 (Maipo)

Notes to self:

Installing packages and EPEL:

rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install php php-gd php-mbstring httpd mod_security mod_evasive mod_ssl mariadb-server mariadb
sudo systemctl start httpd.service
sudo systemctl enable httpd.service
sudo systemctl start mariadb.service
sudo systemctl enable mariadb.service
sudo /usr/bin/mysql_secure_installation

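Edit httpd.conf or the .htaccess file to keep hidden directories from being shown and to redirect to https:

# Return 404 for any path containing a dot-prefixed segment (.git, .htaccess, ...).
# This also matches /.well-known/, which ACME HTTP-01 validation uses.
RedirectMatch 404 (?i)/\..+

# Redirect http to https (permanent redirect, stop processing further rules)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]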

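Harden /etc/httpd/conf/httpd.conf and php.ini:

# In a shell: stop PHP from advertising itself in response headers
sed -i -e 's/expose_php = On/expose_php = Off/' /etc/php.ini

# In httpd.conf:
ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None
# Header directives require mod_headers
Header always unset X-Powered-By
Timeout 45

Options -Indexes -Includes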

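Add services to the firewall:

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
# --permanent only changes the saved configuration; reload to apply it to the running firewall
firewall-cmd --reload

Edit /etc/httpd/conf.d/ssl.conf: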

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication


    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>

# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off


# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
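SSLStaplingCache        shmcb:/var/run/ocsp(128000)

# httpd was already started during the install step, so restart it to load the new configuration
sudo systemctl restart httpd.service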
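
A way to check that the directives above actually took effect, as an added example that is not part of the original notes: the shell function below audits response headers as printed by curl -sI. The function names and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `curl -sI` style response
# headers on stdin, prints one finding per line, returns 1 if any were found.
# header_value NAME: value of the first header NAME (lowercase) on stdin.
header_value() {
    awk -v n="$1" 'tolower($0) ~ ("^" n ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

audit_headers() {
    hdrs=$(tr -d '\r')   # header lines end in CRLF
    rc=0
    # ServerTokens Prod reduces the banner to the bare word "Apache".
    server=$(printf '%s\n' "$hdrs" | header_value server)
    if [ -n "$server" ] && [ "$server" != "Apache" ]; then
        echo "Server banner leaks detail: $server"; rc=1
    fi
    # expose_php = Off / Header always unset X-Powered-By
    if [ -n "$(printf '%s\n' "$hdrs" | header_value x-powered-by)" ]; then
        echo "X-Powered-By still sent"; rc=1
    fi
    # FileETag None
    if [ -n "$(printf '%s\n' "$hdrs" | header_value etag)" ]; then
        echo "ETag still sent"; rc=1
    fi
    # HSTS from ssl.conf (HTTPS responses only): expect max-age >= 15768000.
    max_age=$(printf '%s\n' "$hdrs" | header_value strict-transport-security |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$max_age" ]; then
        echo "Strict-Transport-Security missing"; rc=1
    elif [ "$max_age" -lt 15768000 ]; then
        echo "HSTS max-age too short: $max_age"; rc=1
    fi
    return $rc
}

# Constructed sample: a stock httpd + PHP response before hardening.
sample_before() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' \
        'Server: Apache/2.4.6 (Red Hat Enterprise Linux) PHP/5.4.16' \
        'X-Powered-By: PHP/5.4.16' 'Content-Type: text/html'
}
# Constructed sample: the same response once the directives are in effect.
sample_after() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' \
        'Strict-Transport-Security: max-age=15768000' 'Content-Type: text/html'
}

sample_before | audit_headers || echo "-> not hardened yet"
sample_after | audit_headers && echo "-> clean"
```

Against your own server, pipe the output of curl -sI for the https URL into audit_headers; header names are matched case-insensitively, so HTTP/2 responses work as well.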