Archives for 3 Jan,2016

You are browsing the site archives by date.

Activists can run independent and secure online services with Caisleán

Small non-profit organizations, civil rights groups and activist clusters use online tools to work collaboratively. Unfortunately, too many rely on centralized platforms that are actively exploiting private data lucratively. It is crucial for these organizations to switch to self-hosted solutions to keep control of their data and protect users. A system administrator then has to be responsible for maintaining and securing the server on which the services run.

System administration is however not an easy task. Installation, maintenance and user support become more time-consuming and prone to mistakes as the number of services increases: from an e-mail exchanger to a VPN, all have their own configuration specificities and must be functional, while following security best practices.

We are developing Caisleán to address this issue: it aims at quickly installing such services without having to tweak each of their configuration details. Among other services, multi-user e-mail, VPN, XMPP and file-sharing platform can be set up within minutes on a bare Debian system. They are automatically configured according to security best practices, thus helping to provide confidentiality, integrity and authenticity of communications to users.

By decreasing the cost for setting up these tools, Caisleán can help activists and organizations increase their independence, efficiency and security. It comes as a set of Ansible recipes, a software that allows the state of a whole system to be described, notably through the use of template configuration files.

Caisleán’s collaborative tools and services

The following services are provided by Caisleán:

  • an e-mail address for every user thanks to Postfix and Dovecot, with access through webmail (using Roundcube) or e-mail client software such as Thunderbird and K-9 Mail;
  • the Prosody XMPP server for instant messaging;
  • web-based file hosting and sharing thanks to Owncloud and the Nginx web server;
  • a blogging platform thanks to WordPress;
  • a VPN service thanks to OpenVPN, to help users evade surveillance or censorship as well as reduce their traceability when browsing the web.

All these services support multiple users thanks to the OpenLDAP backend.

Of course, administrators are free to use only a subset of these services, depending on users’ needs.

Turned towards best security practices

We have made every effort to ensure that the configuration templates follow what we see as best security practices.

To this end, Caisleán firstly improves the security of a bare Debian system, with measures such as:

  • SSH configuration hardening;
  • firewall with iptables and ufw;
  • rootkit and filesystem alteration checking with chkrootkit and rkhunter;
  • e-mail notifications to the administrator when system packages need to be upgraded.

In addition, each service was given time and attention to make sure its configuration provides good security measures to protect users’ privacy and data confidentiality. This includes, for instance:

  • good TLS cipher list on Nginx, Postfix, and all TLS-enabled services;
  • meticulous privilege separation for web-based services and associated PHP processes.

Finally, it bears stating that Caisleán is free and open-source and uses software that is also free and open-source, a well-known mandatory condition to ease peer-reviewing and improvement. Far from pretending that Caisleán is bug-free, we hope this will help detecting and fixing bugs as well as improving the whole system.

Simple to install thanks to Ansible

The use of Ansible allows the setup of all desired services at once without having to configure each of them separately. This helps avoid mistakes and saves precious time.

Installing the services provided by Caisleán on a fresh Debian server consists in these steps:

  • write a few configuration files to tell Ansible which servers Caisleán should be pushed to and which services are desired;
  • perform the manual operations needed as pre-requisites, such as creating TLS private keys or setting up your DNS to allow your server to be an e-mail exchanger for your domain;
  • finally, run Ansible to automatically set up and configure all services.

The Caisleán repository provides sample configuration files as well as full documentation of the parameters or manual operations that certain services require.

Save time and energy for other security-related issues

System administrators should remember that a system that is presented as “secure” still always requires mindful behavior in order to preserve security and privacy of data and users.

Saying that Caisleán is secure means that we try as much as possible to provide software configuration that minimizes the attack surface.

In doing so, we hope that system administrators will be able to focus on other crucial responsibilities: keeping servers up to date, keeping important passwords safe, staying on top of installed WordPress plugins, raising users’ awareness about their personal password policy, etc.

Give it a try

Take a look and give it a try now by fetching Caisleán’s sources from its GitHub repository.

If you have questions or comments, feel free to contact us and/or submit a GitHub issue.

Read More