Sysadmining Like an Amateur

A little over a year ago, I bought a domain at get.tech since the .tech TLD is pretty cool and the domains there are fairly cheap. I never really knew what to use with it, but I always wanted a server that I could put some of my files on and maybe run a little web server. Over the past couple of years, I have been using my school’s SSO connected with an NFS for the CS department at my school to store my data. That was a simple solution because I could access the data from anywhere, and I knew my data was relatively secure.

Still, the goal of any security-conscious computer science professional is to own their own data. There are some services you can trust, and some you have to use due to work-related use of services. For me, it especially doesn’t help that I’m graduating this year, so in a matter of months all the data that I have stored on the school’s server will no longer be accessible. Now I have specific criteria I need to fulfill if I want to own it:

  • Easily accessible
  • Verifiable
  • Secure
  • Host and serve files as I deem necessary
  • Bonus: sandbox server, install and configure what I want

There are a few services available online that provide the above. The two big names are Amazon Elastic Compute Cloud (EC2) via Amazon Web Services and DigitalOcean. While DigitalOcean provides a simpler interface and potentially better support, EC2 has a free tier (for the first 12 months, anyways), and provides a way to upgrade an instance if necessary. For a single core and 1GB of RAM (and up to 30GB of storage on SSD), it seems small but should be entirely manageable for a minor web server. It’s also worth mentioning that you can run multiple “free” instances under the same account. If you want modularity, you aren’t hampered by your frugality. If it is not obvious at this point, I decided to go with EC2.

In terms of easily accessible, it depends on how I hook it up to my domain and what security groups I assign to my instances. The biggest pain of working with DNS is waiting until whatever TTL that was defined for a field expires and the new one that I created takes over. It is only a matter of time, but it can be a pain to figure out whether the problem is on my end or if it is because of the TTL. As for security groups, I have managed a firewall before, and it is not a difficult concept. I created a key-pair for SSH and only opened up inbound ports for the services I want accessible.

As for whether an instance is verifiable and secure, that comes down to how I manage the system and if I can install what I want. For web services, the biggest piece is Let’s Encrypt. If you have not heard of it, it is an open certificate authority that supplies free digital certificates for purposes of enabling HTTPS. It was fairly smooth configuring Apache and enabling the certs. Now the instance is verifiable and the back end is still strong.

In order to host and serve files, I decided to split this into two categories, files I want to face the web and files I want behind a wall. Apache was already serving some simple content I created, so there was little to change on that side (aside from installing PHP7 😀 ). For more private files, I created a separate instance and used SSH for the SFTP server, ensuring accessibility by sandboxing a local account with password access.
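The "sandboxed local account with password access" for SFTP is, in OpenSSH terms, a chrooted account restricted to the built-in SFTP subsystem. The fragment below is an added example of how such an sshd_config is typically laid out; it is not the author's configuration, and the group name `sftponly` and the path `/srv/sftp` are assumptions.

```sshd_config
# Added example, not the author's sshd_config: confine SFTP-only accounts to a
# chroot while the administrative login stays key-only.
# The group name "sftponly" and the path /srv/sftp are assumptions.

# Key-only authentication for everyone by default; the Match block below
# re-enables passwords only for the confined SFTP group.
PasswordAuthentication no
PermitRootLogin no

# Use the in-process SFTP server so it works inside the chroot
# (no sftp-server binary needs to exist under the chroot root).
Subsystem sftp internal-sftp

# Match blocks extend to the end of the file, so keep this last.
Match Group sftponly
    # The chroot target must be owned by root and not writable by group or
    # others, or sshd refuses the login; give the user a writable
    # subdirectory (e.g. /srv/sftp/<user>/upload) inside it.
    ChrootDirectory /srv/sftp/%u
    # Only SFTP, never an interactive shell, regardless of the login shell.
    ForceCommand internal-sftp
    PasswordAuthentication yes
    # No tunnels or forwarding through this account.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Creating an account to go with it looks like `useradd -g sftponly -s /sbin/nologin alice`, `mkdir -p /srv/sftp/alice/upload`, `chown root:root /srv/sftp/alice && chmod 755 /srv/sftp/alice`, and `chown alice:sftponly /srv/sftp/alice/upload`. Run `sshd -t` to check the syntax before reloading sshd, and test from a second session so a typo does not lock you out. Because password authentication is now reachable on the SSH port, it is worth limiting the inbound source for port 22 in the instance's security group rather than leaving it open to the world.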

Finally, I was able to install and configure what I wanted on my instances, much more so than I probably should have. Running RHEL7.3, I desired to upgrade OpenSSL and Apache to include some of the more modern SSL features. That meant downloading, configuring, and compiling newer versions of OpenSSL and Apache. The most difficult part was trying to compile the mod_ssl module for Apache to use – I ended up having to include compiler flags for OpenSSL for Apache to build on. It was a long and frustrating process, but I’m convinced that it has made it at least that slight bit more secure. The main issue now is that if I want to update Apache or OpenSSL, I have to do it manually.
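To make the Let's Encrypt and mod_ssl pieces above concrete, here is an added example of an Apache 2.4 virtual host in the spirit of the raymii guide listed under Resources; it is not the author's configuration. `example.tech` and `/var/www/example.tech` are placeholders, and the certificate paths follow certbot's default layout.

```apache
# Added example, not the author's configuration: an Apache 2.4 virtual host
# using a Let's Encrypt certificate with a restricted TLS setup.
# "example.tech" and /var/www/example.tech are placeholders.

# Send plain-HTTP requests to HTTPS.
<VirtualHost *:80>
    ServerName example.tech
    Redirect permanent / https://example.tech/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.tech
    DocumentRoot /var/www/example.tech

    SSLEngine on
    # Default paths written by certbot; fullchain.pem includes the intermediate.
    SSLCertificateFile    /etc/letsencrypt/live/example.tech/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.tech/privkey.pem

    # Only TLS 1.2 and newer; SSLv3, TLS 1.0 and TLS 1.1 are disabled.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # Forward-secret AEAD suites only; the server's preference order wins.
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    # TLS compression and resumable session tickets both weaken forward secrecy.
    SSLCompression off
    SSLSessionTickets off

    # OCSP stapling: the server fetches revocation status so clients need not.
    SSLUseStapling on

    # HSTS for one year (requires mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

# The stapling cache must be declared outside any VirtualHost.
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
```

Two points tie this back to the build effort described above: the ChaCha20-Poly1305 suites only exist in OpenSSL 1.1.0 and later, so against RHEL 7's stock OpenSSL they are silently dropped from the list, and `SSLSessionTickets` requires Apache 2.4.11 or newer. After editing, `apachectl configtest` catches syntax errors, and the SSL Labs link in the Resources section is the easiest way to confirm which protocols and suites the running server actually negotiates.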

All this goes to show that AWS is pretty alright. I definitely appreciate having little sandboxes with which I can mess around, but even cooler is the fact that it can act as a small but powerful front end. Just wait until next year, when I have to decide between continuing to use EC2 or moving to DigitalOcean. (I shudder at the thought of dealing with those certs issues.) For the first year, anyways, cheap sysadmining is available to all who dare. I would say that it is very much worth it.

P.S. If it was not clear, this post was not meant to be a tutorial, but rather a sort of personal update and “hey this thing is possible and exists.” If you would like any help and are trying it out yourself, feel free to contact me.

Resources:

https://www.ssllabs.com/ssltest/analyze.html?d=submelon.tech&latest

https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

[Many StackOverflow pages saying helpful stuff like “no, OpenSSL compiler flags can actually be passed through ./config and they’ll just be appended”]
