Portable servers w/ questionable security benefits

I’ve discovered that systemd has added a container utility called systemd-nspawn. It’s basically chroot on steroids. I don’t think it’s comparable to Docker (I think Docker is an over-engineered solution on the microkernel path anyway).
Well, I decided to give it a shot even though they don’t consider it stable yet.

I tried to implement a bit of encryption. Data on bare-metal servers normally sits there unencrypted, a sitting duck (mainly because encryption seems hard, or because you trust your data center and your country). If someone reboots the server and adds “rescue” to the GRUB kernel line, they get a root prompt; bye-bye to personal/commercial sensitive info!

I’m not sure about the security aspect yet; I’m still exploring the possibilities. But at least I can say it’s “good enough”.

Here is the plan:

  • Install your favorite distro (with systemd) on the server. Let’s call it L0.
  • Create and mount an encrypted block device large enough for you (LUKS, for example).
  • Create a chrooted install inside this partition (L1).
  • Dive in and set up your apps inside this chroot. Everything is inside: your apps, your configs, your data.
  • Back up this block device in binary form (from L0). rsync’s “copy-devices” option can transfer the encrypted device using diffs.
  • Profit!?
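The plan above as a script (an added example, not code from the original post). It assumes a loop-backed image file at /srv/l1.img, the mapper name l1, the machine directory /var/lib/machines/l1 that systemd-nspawn searches by default, and a Debian L1 bootstrapped with debootstrap; the backup target backup:/srv/backups/ is a placeholder. With DRY_RUN=1 it prints the commands instead of running them, so the sequence can be reviewed before running it as root on L0.

```shell
#!/bin/sh
# Added example, not from the original post: the L0 -> L1 plan as a script.
# Assumed names: image /srv/l1.img, mapper name "l1", machine dir
# /var/lib/machines/l1 (systemd-nspawn's default location), Debian bootstrapped
# with debootstrap; BACKUP is a placeholder. DRY_RUN=1 prints the commands.
set -eu

IMG=${IMG:-/srv/l1.img}            # encrypted backing file (or a real partition)
NAME=${NAME:-l1}                   # becomes /dev/mapper/$NAME
ROOT=/var/lib/machines/$NAME       # where L1 is mounted
BACKUP=${BACKUP:-backup:/srv/backups/}

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

l1_mount() { run mkdir -p "$ROOT"; run mount "/dev/mapper/$NAME" "$ROOT"; }

# Create the encrypted block device with a filesystem inside and mount it.
l1_create() {
  run fallocate -l "${1:-20G}" "$IMG"
  run cryptsetup luksFormat --type luks2 "$IMG"   # prompts for the passphrase
  run cryptsetup open "$IMG" "$NAME"
  run mkfs.ext4 -q "/dev/mapper/$NAME"
  l1_mount
}

# After a reboot nothing is mapped: reopening needs the passphrase again.
l1_open() { run cryptsetup open "$IMG" "$NAME"; l1_mount; }

# Install the chroot (L1); apps, configs and data then all live under $ROOT.
l1_bootstrap() { run debootstrap stable "$ROOT"; }

# Boot L1 as a container instead of a plain chroot.
l1_boot() { run systemd-nspawn -b -D "$ROOT" -M "$NAME"; }

# Binary backup from L0. For an image file --inplace sends only changed blocks;
# for a real partition --copy-devices (as the post says) is needed as well.
l1_backup() {
  case $IMG in
    /dev/*) run rsync --copy-devices --inplace "$IMG" "$BACKUP" ;;
    *)      run rsync --inplace "$IMG" "$BACKUP" ;;
  esac
}

l1_close() { run umount "$ROOT"; run cryptsetup close "$NAME"; }

# Usage: DRY_RUN=1 ./l1.sh l1_create 20G   (drop DRY_RUN to really run it as root)
if [ $# -gt 0 ]; then "$@"; fi
```

While l1 is mapped and mounted, the plaintext is reachable by root on L0; the protection applies to the powered-off or rebooted state the post describes, so close the device whenever the container is not needed.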

This prevents someone with physical access from interfering with the data. If someone reboots the server, they will need to remount the encrypted partition manually (which needs the decryption password). You can also copy the partition n times (L2, L3…) for other services (lol Docker?!).

Also, with this method moving your fully working server means copying one big file, a.k.a. portability.
Another plus should be the cgroups-related benefits of containers (didn’t try this one), for example resource limiting!!

Maybe you can create a more secure/easier solution with an encrypted LVM partition and even Docker/LXC, but hey, we’re experimenting here!

So far, my experiment works (you can access my blog, right?).


[TR] Papers, Please Turkish Patch (+18)


Lately I’ve been hooked on “Papers, Please” on Steam. While trying the ready-made TR package at this address, I modified it a bit (mostly because the swearing felt insufficient), so 90% of the work belongs to the folks whose names are listed there. You can download the edited language pack here.

Glory to Arstotzka!


S██████ Censorship! – [Tr]


TTNet’s Gezinti nonsense has started sending me to weird ad pages out of the blue. They try to snoop and can’t even manage that. Last night I snapped and decided to route all my connections, except big downloads, through OpenVPN, and to handle my DNS queries with dnscrypt. You can get the details of what’s going on from kame.


htaccess [Link to original xkcd]


Drop the Dropbox

I’ve closed my Dropbox account (you might guess the motive behind it) and migrated my files to my freshly installed ownCloud 7.

Configuring ownCloud is still kind of a pain. Here is the configuration file for the Nginx/PHP-FPM virtual host. Also follow this documentation to prevent brute-force attacks against ownCloud.