Pen International gets Caisleán

PEN International is the world’s leading association of writers, working to promote literature and defend freedom of expression around the world. With a dozen permanent staff members and contact with activists all over the globe, the need for efficient collaboration tools and internal data sharing is strong. In addition, in being committed to defending civil rights, PEN International handles information that is often sensitive and must be protected from adversaries.

To fulfill these needs, the organization replaced their in-office Windows server with a dedicated remote machine equipped with Caisleán, a set of Ansible recipes for secure self-hosting. The former setup had proven unsatisfactory, notably in terms of reliability, security and flexibility. This article draws on our experience setting up Caisleán for PEN’s use case and provides insights into the migration process from a Windows Server environment.

Working with in a consultative manner meant that a staff team with limited experience of IT were able to avail themselves of a service which has contributed to improving the security of our information and communications, as well as contributing to increased productivity of the entire staff team. ♣

Use case and issues

The primary role played by the office server was file sharing through Windows network folders, a convenient way to access common resources on a local network. Each staff member had an individual account to connect to the Active Directory and access the shared folders.

The setup was considered unreliable: workstations randomly lost access to network folders and the server needed frequent reboots due to crashes. Security was also a concern: no disk encryption, low physical security of the server, doubts about whether the server was equipped with proper anti-virus software, and a lack of trust in proprietary software (a common scenario). In addition, the setup was designed primarily as an internal office network, and staff working remotely could not access the shared storage.

Prior to the migration to a secure online system, we were experiencing frequent downtime when access to the shared drive crashed, which impacted on our ability to carry out our work. Additionally, it was often difficult for staff to access the shared drive remotely. Now we have next to no downtime and staff are able to access the shared drives remotely as if they were in the office.

Our approach was to adapt Caisleán’s services to run on a remote server, hosted in a professional data center with removable backup storage. Its configuration would replicate what Active Directory provided whilst solving some of the crucial security issues and introducing the possibility of remote access.

Adapting and setting up Caisleán for remotely accessed shared folders

Windows network folders can be set up on a GNU/Linux server thanks to Samba. Mimicking local network folder sharing on a remote server is possible by making clients connect through an OpenVPN tunnel. Finally, OpenLDAP can store user accounts and thus be used as an authentication backend for Samba and OpenVPN.

Caisleán is aimed at organizations with multiple users who wish to store and share their data with ease and security. Caisleán already included working OpenLDAP and OpenVPN setups along with security-related features. Stacking Samba on top of this codebase implied the following changes:

  • implementing template configuration files and Ansible tasks to set up Samba, configured for LDAP-based authentication
  • setting up the creation of a Samba-compatible LDAP tree for user accounts and the installation of Samba-LDAP specific user management tools
  • connecting OpenVPN to OpenLDAP to allow password-based VPN access
  • setting up a restricted Usermin version to allow easy password update.

Pushing the newly adapted version of Caisleán to the server resulted in a fully functioning VPN with user authentication and file sharing. To increase security, the server was set up with full disk encryption (FDE). The Caisleán repository provides documentation on setting up FDE on a remote server.

The final step was to migrate the data to the new server so that the office server could finally be fully decommissioned.

Migrating the data and updating the workstations’ configuration was the longest and most difficult part of the process.

Data migration

With 300GB worth of data, transferring PEN International’s files from their office to the new server was a challenge in itself. After a night-long copy onto a portable hard disk, followed by a trip through a traffic-jammed London in the middle of a tube strike, it was finally possible to upload the data from a reliable Internet connection.

User accounts transfer

It was important that everyone with an account on the office server kept their user name on the new system. Conveniently, the content of a whole Active Directory tree can be dumped to an LDIF file using a built-in Windows tool. After dumping the office server’s Active Directory tree, the generated LDIF files were used to re-create the user accounts in the new server’s LDAP.

The occasion was also used to purge obsolete user accounts, as such accounts generally weaken security.
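As an added illustration of this account transfer (example code, not the article’s or the Caisleán repository’s own), the script below reads an Active Directory LDIF export, keeps only enabled user accounts, reports disabled accounts and non-user objects so they can be purged rather than carried over, and writes OpenLDAP posixAccount entries. The sample export, the base DN, the uid range and the attribute mapping are assumptions; Samba-specific attributes are left to the Samba-LDAP user management tools mentioned above, and users set new passwords afterwards since an AD export carries no password hashes.

```python
import base64
# Constructed sample AD LDIF export (real AD attribute names, made-up values).
AD_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=office,DC=local
objectClass: user
sAMAccountName: alice
displayName:: QWxpY2UgRXhhbXBsZQ==
userAccountControl: 512

dn: CN=Bob Former,OU=Staff,DC=office,DC=local
objectClass: user
sAMAccountName: bob
userAccountControl: 514

dn: CN=PRINTER,OU=Devices,DC=office,DC=local
objectClass: computer
sAMAccountName: PRINTER$
"""

def parse_ldif(text):
    """Minimal LDIF reader: records are blank-line separated, a leading space
    folds a line onto the previous one, ':: ' marks a base64-encoded value."""
    records = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            val = base64.b64decode(val[2:]).decode() if val.startswith(": ") else val.strip()
            rec.setdefault(key, []).append(val)
        records.append(rec)
    return records

def migrate_accounts(ad_text, base_dn, first_uid=10000):
    """Emit OpenLDAP posixAccount entries for enabled AD users and list what was
    dropped, so stale accounts get reviewed instead of silently carried over."""
    kept, dropped, uid_number = [], [], first_uid
    for rec in parse_ldif(ad_text):
        name = rec["sAMAccountName"][0]
        if "user" not in rec.get("objectClass", []):
            dropped.append((name, "not a user account"))
        elif int(rec.get("userAccountControl", ["0"])[0]) & 0x2:  # ACCOUNTDISABLE bit
            dropped.append((name, "disabled in AD"))
        else:  # no password is carried over: AD exports hold no hashes
            cn = rec.get("displayName", [name])[0]
            kept += [f"dn: uid={name},ou=Users,{base_dn}", "objectClass: account",
                     "objectClass: posixAccount", f"uid: {name}", f"cn: {cn}",
                     f"uidNumber: {uid_number}", "gidNumber: 100", f"homeDirectory: /home/{name}", ""]
            uid_number += 1
    return "\n".join(kept), dropped
```

The dropped list is the review sheet for the purge; the returned LDIF can be fed to the new server with ldapadd once the LDAP tree exists.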

Reconfiguration of workstations

Workstation logon was controlled by the office server, which held all user accounts. With the accounts becoming remote and the shared folders becoming accessible from anywhere, binding workstation access to a centralized local server no longer made sense.

Nevertheless, as is common in this kind of setup, each workstation held local data for the domain-controlled users: e-mail accounts and cache, web browsing data, application preferences, etc. At the same time, users could not log on if the workstation was unable to contact the logon server, making this data inaccessible through the normal logon process. Before unplugging the office server, local accounts therefore had to be created on the workstations, and the data stored there for domain accounts had to be moved to these local accounts.

This process of disconnecting workstations from the local Windows domain proved to be cumbersome, especially as the Windows registry had to be edited. Thanks to a live GNU/Linux distribution together with registry editing tools such as chntpw, hivex and FRED, all account data could finally be properly migrated. This was a fairly tiresome process involving repeated manual operations on fifteen workstations.

In the end, a local account could be used on each workstation. OpenVPN was installed and configured to connect to the remote server and prompt for the user’s credentials, after which the Samba shared folders became accessible.

At this point, all workstations had become fully independent from the office server.

Office server decommissioning

Fully decommissioning the office server first required transferring its secondary roles to other devices: DHCP and IP routing were moved to an already running network appliance, and the printer drivers were uploaded to the remote server.

The final step was to erase the office server’s hard disk using a live system. The machine’s inability to boot from USB devices was the last obstacle and required burning a live DVD for the occasion.

Shortly after the migration, we experienced a break-in at our office. The burglars targeted IT equipment, and would previously have been able to access our server, had we still had one on site. However, thanks to the work of, our information was secure on the cloud, and our back-up drive was in a safe location, thanks to the advice we received.

Conclusion and remaining challenges

PEN International’s office server has been completely replaced, and the staff can share documents from workstations and personal computers. The service is more reliable, provides better data security and can be used from anywhere.

We are also very pleased with the cost savings we have found since the migration. Our server was due to be replaced, so we have avoided the cost of purchasing a new server. Additionally the level of IT support we have needed has dramatically reduced, leading to further savings.

The main lesson taken from this experience is that the most difficult part was not setting up the new system but migrating the data and changing the configuration of the systems already in place. When migrating a whole set of workstations, a variety of small difficulties has to be anticipated.

The main point for improvement is integrating the VPN connection with access to the shared folders. Currently, a user needs to enter credentials to connect to the VPN and then again to connect to the network folders; a single prompt would be more user-friendly but would entail writing specific scripts for each operating system.

The PEN case provided the opportunity to add a Samba-LDAP setup to Caisleán. While functional and available in the repository, improvements are still required to make it applicable to more generic use cases.

♣ All quotes in this article attributed to Ann Harrison, Programme Director, Writers in Prison Committee

Activists can run independent and secure online services with Caisleán

Small non-profit organizations, civil rights groups and activist clusters use online tools to work collaboratively. Unfortunately, too many rely on centralized platforms that exploit private data for profit. It is crucial for these organizations to switch to self-hosted solutions to keep control of their data and protect their users. A system administrator then has to be responsible for maintaining and securing the server on which the services run.

System administration is, however, not an easy task. Installation, maintenance and user support become more time-consuming and error-prone as the number of services increases: from an e-mail exchanger to a VPN, each has its own configuration specifics and must remain functional while following security best practices.

We are developing Caisleán to address this issue: it aims at quickly installing such services without having to tweak each of their configuration details. Among other services, multi-user e-mail, a VPN, XMPP and a file-sharing platform can be set up within minutes on a bare Debian system. They are automatically configured according to security best practices, thus helping to provide confidentiality, integrity and authenticity of communications to users.

By decreasing the cost of setting up these tools, Caisleán can help activists and organizations increase their independence, efficiency and security. It comes as a set of recipes for Ansible, a tool that lets the desired state of a whole system be described, notably through the use of template configuration files.

Caisleán’s collaborative tools and services

The following services are provided by Caisleán:

  • an e-mail address for every user thanks to Postfix and Dovecot, with access through webmail (using Roundcube) or e-mail client software such as Thunderbird and K-9 Mail;
  • the Prosody XMPP server for instant messaging;
  • web-based file hosting and sharing thanks to Owncloud and the Nginx web server;
  • a blogging platform thanks to WordPress;
  • a VPN service thanks to OpenVPN, to help users evade surveillance or censorship as well as reduce their traceability when browsing the web.

All these services support multiple users thanks to the OpenLDAP backend.

Of course, administrators are free to use only a subset of these services, depending on users’ needs.

Turned towards best security practices

We have made every effort to ensure that the configuration templates follow what we see as best security practices.

To this end, Caisleán firstly improves the security of a bare Debian system, with measures such as:

  • SSH configuration hardening;
  • firewall with iptables and ufw;
  • rootkit and filesystem alteration checking with chkrootkit and rkhunter;
  • e-mail notifications to the administrator when system packages need to be upgraded.

In addition, each service was given time and attention to make sure its configuration provides good security measures to protect users’ privacy and data confidentiality. This includes, for instance:

  • a carefully chosen TLS cipher list on Nginx, Postfix, and all TLS-enabled services;
  • meticulous privilege separation for web-based services and associated PHP processes.

Finally, it bears stating that Caisleán is free and open-source and uses software that is also free and open-source, a well-known prerequisite for peer review and improvement. Far from claiming that Caisleán is bug-free, we hope this will help detect and fix bugs as well as improve the whole system.

Simple to install thanks to Ansible

The use of Ansible allows the setup of all desired services at once without having to configure each of them separately. This helps avoid mistakes and saves precious time.

Installing the services provided by Caisleán on a fresh Debian server consists of these steps:

  • write a few configuration files to tell Ansible which servers Caisleán should be pushed to and which services are desired;
  • perform the manual operations needed as pre-requisites, such as creating TLS private keys or setting up your DNS to allow your server to be an e-mail exchanger for your domain;
  • finally, run Ansible to automatically set up and configure all services.

The Caisleán repository provides sample configuration files as well as full documentation of the parameters or manual operations that certain services require.

Save time and energy for other security-related issues

System administrators should remember that a system that is presented as “secure” still always requires mindful behavior in order to preserve security and privacy of data and users.

Saying that Caisleán is secure means that we try as much as possible to provide software configuration that minimizes the attack surface.

In doing so, we hope that system administrators will be able to focus on other crucial responsibilities: keeping servers up to date, keeping important passwords safe, staying on top of installed WordPress plugins, raising users’ awareness about their personal password policy, etc.

Give it a try

Take a look and give it a try now by fetching Caisleán’s sources from its GitHub repository.

If you have questions or comments, feel free to contact us and/or submit a GitHub issue.