Automate log cleanup for GDPR: the Sentry case

Leave a comment
Howtos / System Administration

With the General Data Protection Regulation (GDPR) enforced by European Union logs have to be cleaned regularly to delete IP addresses and other information about visitors. This can be interpreted as a way to protect an emerging and discussed right, the right to be forgotten.

This new regulation is impacting every automated log system out of there. Since Sentry is a good open source error monitoring software* and it’s widely used, this guide will show how to clean Sentry logs on Linux systems according to GDPR using the sentry cleanup command line utility.

Set a time limit for logs

Before starting discover the maximum time limit a log can be kept according to the service policy you’re working on.

In the below examples, the max time a log can be kept is 26 months, one of the sizes proposed by Google Analytics on cleanup settings.

A 26 months limit for stored logs in sentry are set like this:

env SENTRY_CONF='/usr/local/etc/sentry' sentry cleanup --days 749

where /usr/local/etc/sentry is the directory where config.yml and sentry.conf.py are located or

env SENTRY_CONF='/usr/local/etc/sentry' sentry cleanup --days 749 --project 5

where 5 is the id of the project you can find in Project settings > Client Keys (DSN) as the very last part of the DSN path (always an integer number).

749 days are calculated like this:

30 days × 26 month = 780 days – 31 days = 749

31 days are a margin to safely delete logs the same day of each month.

Apparently, sentry cleanup needs to be root to access to postgres user and thus all sentry database tables so we have to put it on the cron for root.

Schedule the cleanup

  1. Login as root with su – or sudo bash
  2. crontab -e
  3. add a command line like this
. /usr/local/etc/virtualenvs/sentry/bin/activate && env SENTRY_CONF='/usr/local/etc/sentry' sentry cleanup --days 758 --project 5 && deactivate

leading dot . is an alternative for source available on /bin/sh (environment of cron) and not only by /bin/bash. This avoid to set the environment variable SHELL=’/bin/bash’ on crontab.

The resulting cron entry would be:

20 3 28 * * . /usr/local/etc/virtualenvs/sentry/bin/activate && env SENTRY_CONF='/usr/local/etc/sentry' sentry cleanup --days 749 --project 5 && deactivate

It isn’t a bad idea to add a fallback cleanup command the day after, so if you forget to cleanup logs for a specific project it will be done automatically:

20 3 29 * * . /usr/local/etc/virtualenvs/sentry/bin/activate && env SENTRY_CONF='/usr/local/etc/sentry' sentry cleanup --days 749 && deactivate

Now even your Sentry logs are GDPR compliant. The power of this method is that you can set a different cleanup limit for every project, according to its policies. And you haven’t to use any proprietary software to do this, just free/libre open source software.

If you are in a hurry to publish privacy policies and you have a dedicated hosting, give a try to JournaKit legalazy on GitHub.

* Plus it’s written on top of Django.

Advertisements

Cannot connect to wired connection on Ubuntu (SOLVED)

Leave a comment
Howtos / System Administration

When your Wireless interface is working and the ethernet isn’t working on Ubuntu, here’s a quick howto to check and fix a misconfiguration. It doesn’t solve any ethernet issues but you can give a try and on an Asus laptop (with JMicron chipset) I worked on it makes the job done.

Tested on Ubuntu 16.04 LTS

First steps

To detect Ethernet interface:

ifconfig

To check and configure connection:

apt-get install ethtool

To save the current status of network interface:

ethtool ens5f5 > ethernet_before.txt

Make ethernet interface works

ethtool -s ens5f5 speed 1000 duplex full autoneg on

or:

ethtool -s ens5f5 speed 100 duplex full autoneg on

Then to check what is the difference between the old non-working configuration and the configuration that works:

ethtool ens5f5 > ethernet_after.txt
diff ethernet_before.txt ethernet_after.txt

If it doesn’t work try other ways, e.g. looking for specific issue on your Ethernet driver:

lspci | grep Ethernet

or

lspci | grep ethernet

to check your driver.

If the issue reappears after reboot, to make the command to run on startup do:

sudo bash
crontab -e

And add:

@reboot /sbin/ethtool -s ens5f5 speed 100 duplex full autoneg on

Now reboot to check if changes takes effect

Delete git files from public GitHub history

Leave a comment
Coding / Howtos

To delete git files uploaded accidentally to GitHub (or any other public repository) do these steps:

  1. Download https://rtyley.github.io/bfg-repo-cleaner/ as suggested by GitHub
  2. git clone –mirror GIT_REPOSITORY_URL
  3. cd path/to/cloned/repository
  4. Download BFG
  5. java -jar /path/to/download/dir/bfg-VERSION.jar –delete-files filename.ext
  6. Run the command specified by BFG (usually git reflog expire –expire=now –all && git gc –prune=now –aggressive)
  7. git push

If you get an error on pull, probably you haven’t cloned the repository as step 2.

Browsing the public history, any reference to the filename.ext file disappear.

Read more about BFG and the –mirror option on this discussion.

Mass delete old email on Gmail preserving Special and Tagged ones

Leave a comment
Howtos

To mass delete old emails on Gmail type this search query in the search box of mail.google.com (or Gmail for Business):

after:2017/01/01 before:2017/31/12 -has:userlabels -is:starred

You can use these filters in any language but remember to use the YYYY/DD/MM format for the data (Year/Day/Month) for the after and before filters.

This search will show you all emails between January, 1st and December, 31st 2017 that:

  • Haven’t any User Label
  • Aren’t starred (without Star)

Change dates according to the time period you want to cover and select the select all checkbox inside the header to select all items from the Gmail dashboard.

Optionally, you can select them all using the dedicated link that appears after the step above.

These two criteria are usually enough to don’t delete important e-mails but you can add more exclusion criteria adding a minus sign before any new filter, e.g. unread. However, if you don’t use Stars and Labels you have to double-check email in the list before deletion to prevent to delete useful data.

This approach is very useful in these two scenarios:

  • To free space on the Gmail mailbox when it’s almost full.
  • To delete old emails to comply with regulations like GDPR at the end of their usable life.

Happy houseworks!

How to shrink a scanned PDF on Linux

Leave a comment
Howtos

When you want to reduce the file size of a PDF document, this quick command using convert will shrink the original PDF file.

convert -density 150×150 -quality 60 -compress jpeg -colorspace Gray original.pdf new.pdf

This command is particularly useful against scanned documents, the jpeg quality will be 60% for 150dpi.

Converting an original 300dpi / color PDF to a 150dpi, greyscale PDF can reduce file size up to 50%. There will be some quality loss but in this way you can reduce file size enough to send scanned documents of dozens of pages via e-mail without using third-party services.

How to import .ovpn files on Ubuntu Linux network manager

Leave a comment
Howtos

On Linux you don’t need to install OpenVPN because it’s already installed. However, configuration especially via the network manager can be tricky.

Install this additional package on your distro to display a new OpenVPN option in the network manager:

sudo apt-get install network-manager-openvpn-gnome

If you’re migrating from Windows and you’ve already a Windows installation of OpenVPN you can copy .key, .crt, .conf and .ovpn files from the OpenVPN location. Copy these files to your Linux home (e.g. ~/openvpn/) and reshape permissions to allow the access only to the owner.

After you’ve the .ovpn, .crt, .key files locally, you can test the connection using these commands:

cd ~/openvpn/;
sudo openvpn my-openvpn-file.ovpn

Type the sudo password, wait and the connection should be established successfully. Press Ctrl+C to stop the VPN from command line.

Now you can configure the Network Manager to accept the .ovpn file.

Click on the network icon on the top right corner of the screen and look for VPN Settings.

Click the + icon aside the VPN title and select Import from file…

Select the my-openvpn-file.ovpn you’ve checked before. A form containing user certificate, CA, private key and the gateway will be automatically filled. It’s very important to select .ovpn and not .conf since the latter will not work.

If the private key is password protected you can also type the password and on Advanced you can do some fine tuning but it’s usually unnecessary.

On the Details tab, uncheck the automatic connection option if you don’t want to start the VPN at every login and choose if you want to allow other users to access the connection.

On IPv4 and IPv6 you can disable a specific protocol or limit the connection to “Use this connection only for resources on its network“. This last step is particularly important because using VPN can limit network connection.

Press Apply and you should be able to connect pressing the network icon on the top right corner > VPN > your VPN name.

Tested on Ubuntu 17.

PIL: ord() expected a character, but string of length 0 found (SOLVED)

Leave a comment
django / Howtos / Python
PIL error

Using Django, and easy_thumbnails coupled with Pillow specifically I’m stumbled upon this error in PIL.ImageFile on PIL/_binary.py:

ord() expected a character, but string of length 0 found

This python error was so frequent I’ve done some research, coming up with nothing.

I’ve checked current Pillow version with:

pip freeze | grep Pillow

Getting:

Pillow==3.0.0

Then I’ve upgraded the Pillow package with this:

pip install Pillow --upgrade

The sofware was updated to the very last version (5.0.0) without any issue on easy_thumbnails backend or frontend.

Consequently, pip freeze returned:

Pillow==5.0.0

and errors are gone.

tl;dr: Update Pillow from 3.0.0 to latest version (5.0.0 by now)

Note: this error can be accompained by others:

  • unpack requires a string argument of length 2
  • string index out of range

Upgrading Pillow also correct these.

Failed to start Authorization manager (SOLVED)

Leave a comment
Howtos / System Administration

If you get the “Failed to start Authorization manager” while booting a Linux OS (e.g. CentOS) most likely you’ve a SELinux misconfiguration.

The main issue is that if you’ve restarted the system, you cannot login since OpenSSH service is not running. If you’ve a virtual server, even the console shipped by your provider is stuck on the Authorization manager error.

The reason behind this in my case was a completely wrong value in SELINUXTYPE.

The example below is valid for a Digital Ocean’s droplet running a CentOS 7 but can be adapted to other providers and distro.

To fix it I had to:

1. Boot the OS with initramfs (also called Recovery Kernel). You can do this on the dashboard provided by your virtual server provider (e.g. on Digital Ocean)

2. Open the console from your provider’s dashboard

3. Mount the root filesystem, e.g.

mkdir /mnt
mount /dev/vfsa1 /mnt

Where /dev/vfsa1 is your root partition.

4. Move broken configuration and recreate selinux config file manually with:

mv /mnt/etc/selinux/config /mnt/etc/selinux/config.BROKEN
touch /mnt/etc/selinux/config
cat > /mnt/etc/selinux/config

Then type these two lines:

SELINUX=disabled
SELINUXTYPE=targeted

Go to a new blank line after, then type Ctrl+D to quit. Since initramfs hasn’t a text editor like vi or nano, the simple cat > filename do the trick.

5. From your dashboard, change the kernel version to what you’ve used previously and Power Cycle (reboot) the machine using the dashboard because a reboot from initramfs in this state will restart initramfs itself.

Open the provider’s console on boot to see your system working again. Wait the services to start and then connect with your SSH client to see again your files and get again the control of your server.

Be careful when configuring SELinux again and create a shapshot and/or backup after you’ve restored your server…and before changing SELinux again.

HTTPS: how to add TLS ciphers on nginx (update regularly)

Leave a comment
Howtos / System Administration

HTTPS is a great improvement to a website security. However, HTTPS comes in different flavours and among these there are very weak ones.

Among protocols, SSL have to be avoided because it is not secure. Its successor, TLS, comes in different versions and supports different ciphers. To be short, the cipher is the encryption method/algorihms the website and the client use to talk each other.

The combination of protocols and ciphers available to implement HTTPS will limits the type of clients capable to access the website.

To be sure your website will not lose traffic, you have to balance the strongest ciphers available with the most compatible but still secure, dropping all weaker ciphers.

Check the strenght of your HTTPS implementation

If you’ve already implemented HTTPS on your website, first you’ve to check ist current security status of protocols and ciphers.

Check your hostname on Qualys SSL Labs pasting the HTTPS protected domain on the Test your server section. It’s a fast method with a very detailed output for public websites.

The report will give your hostname a rank, a detailed list of issues, browser support, and the complete list of supported ciphers. Among these ciphers, you can get some ciphers highlighted in yellow. You have to get the rid of these no matter what.

The list of ciphers actually differs from a typical cipher declaration on nginx because nginx can use the OpenSSL naming and Qualys uses IANA naming.

Here’s an helpful conversion table by Mozilla where you can convert IANA to OpenSSL and the other way round. Take note of the weak ciphers but wait before start to cut your cipher declaration on nginx.

You’ve to check how many visitors you’ll lose after the cut first.

Get the website statistics

Using Google Analytics or similar services and software, go to the Audience > Technology > Browser to get a list of your visitors’ browsers. Select a timespan like the last year or less.

You can add Browser version or OS version as secondary dimension to match the list of supported browsers from SSL Labs. You’ll get something similar:

analytics-technology-browsers

Well, someone is still using Internet Explorer 9.0 in 2018.

Since Internet Explorer running on old Windows versions (like XP) is one of the most troublesome combination, check how many visitors use this legacy software.

On Google Analytics type on the search box “Internet Explorer” and you’ll get the browser usage of this legacy browser. Select OS version as secondary dimension to get a list of OSes using IE.

Compare this list with the report from SSL Labs and with the conversion table from Mozilla cited above and count the number of visitors you want to cut off from your website in the sake of security.

Cut the weak ciphers

Trimming down the ciphers declaration on nginx conf you’ll get something like this:

ssl_ciphers ‘ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES’;

Each cipher is separated by a ‘:’ and at the end some elements (typically using OpenSSL naming) are forbidden with a ‘!’.

Here’s the context:

server {
        # the port your site will be served on
        listen      443 ssl;
        # the domain name it will serve for
        # substitute your machine's IP address or FQDN
        server_name example.com www.example.com;
        ssl_certificate /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        # cfr. ........................................
        ssl_ciphers ** PASTE CIPHERS HERE **;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;
        charset     utf-8;
        # This is for Let's Encrypt
        location ^~ /.well-known {
                alias /path/to/.well-known;
                allow all;
        }

        # max upload size
        client_max_body_size 75M;   # adjust to taste

        location /webpath  {
                alias /path/to/web;
        }
}

Change the conf file, reload nginx (on CentOS 7 systemctl reload nginx) and then re-run the SSL Labs test.

The Qualys’ tool will show you the new incompatibility with legacy browsers in the Handshake Simulation section:

tls-handshake

Modern protocols and ciphers implemented using the above declaration on nginx cut off IE 8 on XP and IE 6, the report explain.

According to the technology used by visitors of the analyzed website, few visits are sacrificed for better security for both visitors and host.

Tune these settings according to your needs, keep monitoring the tecnology used by site visitors and dropping legacy system progressively, with Modern compatibility as a (not so) long term objective.