Battle of the secure messaging apps: how Signal beats WhatsApp

​“While all three apps use the same secure-messaging protocol, they differ on exactly what information is encrypted, what metadata is collected, and what, precisely, is stored in the cloud—and therefore available, in theory at least, to government snoops and wily hackers.” Bottom line: Micah Lee recommends that you use Signal by Open Whisper Systems whenever you can.
theintercept.com

Time synchronisation with NTP

The Network Time Protocol (NTP) synchronises your computer's clock with dedicated time servers on the Internet. Correct time is a security requirement, not just a convenience: log correlation, certificate validity checks and Kerberos tickets all depend on it. Get the necessary packages with the following command:

user@ubuntu:~$ sudo apt-get install ntp-simple ntpdate

Stop the ntpd daemon and manually synchronise your computer’s clock with the following two commands:

user@ubuntu:~$ sudo /etc/init.d/ntp-server stop
user@ubuntu:~$ sudo ntpdate pool.ntp.org

Modify the file /etc/ntp.conf to read:

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
#server ntp.ubuntu.com
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

Start the ntpd daemon with the following command:

user@ubuntu:~$ sudo /etc/init.d/ntp-server start

After about one minute, query the status of the ntpd daemon with ntpq, using the following command:

user@ubuntu:~$ sudo ntpq -p

You can further increase the accuracy of time synchronisation by using the time servers in your continental or country zone.
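A check you can run after the procedure above, as an added example rather than code from the original page: it parses `ntpq -p` output and tells you whether ntpd has actually selected a sync source and whether the offset is within tolerance. The sample output is constructed here; the peer names and addresses are placeholders.

```shell
#!/bin/sh
# Constructed `ntpq -p` output (not captured from a real host). The character
# in column one is ntpd's verdict on each peer: '*' = the selected sync source,
# '+' = a candidate, ' ' = discarded or not yet reachable. 'reach' is an octal
# bitmask of the last eight polls, 'offset' is in milliseconds.
SAMPLE_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.ne 192.0.2.10       2 u   34   64  377   12.345   -0.812   0.431
+ntp2.example.ne 192.0.2.11       2 u   20   64  377   15.220    1.105   0.620
 ntp3.example.ne .INIT.          16 u    -   64    0    0.000    0.000   0.000'

SAMPLE_BAD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.ne .INIT.          16 u    -   64    0    0.000    0.000   0.000
 ntp2.example.ne .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_synced OUTPUT MAX_MS: succeed only if ntpd has selected a peer ('*') and
# that peer's absolute offset is at most MAX_MS milliseconds.
ntp_synced() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /^\*/ { found = 1; off = $9 + 0; if (off < 0) off = -off; if (off <= max) ok = 1 }
        END { exit ((found && ok) ? 0 : 1) }'
}

# ntp_reachable OUTPUT: print the number of peers that answered at least one of
# the last eight polls. ntpd needs at least three sources to outvote a
# falseticker, so a count below three is worth an alert even when synced.
ntp_reachable() {
    printf '%s\n' "$1" | awk 'NR > 2 && $7 != "0" { n++ } END { print n + 0 }'
}

# Demonstrate on the samples; on a real host use: ntp_synced "$(ntpq -pn)" 50
if ntp_synced "$SAMPLE_OK" 5; then
    echo "sample_ok: synchronised, $(ntp_reachable "$SAMPLE_OK") reachable source(s)"
fi
ntp_synced "$SAMPLE_BAD" 5 || echo "sample_bad: no selected peer, clock is free-running"
```

A line whose refid is `.INIT.` with reach `0` means the server has not answered yet; if that persists for more than a few minutes, check that UDP port 123 is not being blocked on the way out.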

Sharing a PostScript printer with CUPS and Samba

Using Samba and CUPS, the Common UNIX Printing System, Ubuntu can easily be configured to provide printing services to a heterogeneous network of Windows, Macintosh and Linux clients.

Printing with CUPS

Get the necessary packages with the following command:

user@ubuntu:~$ sudo apt-get install cupsys foomatic-filters-ppds

Add the user cupsys to the group shadow, so that cupsd can check passwords against /etc/shadow when it authenticates users:

user@ubuntu:~$ sudo adduser cupsys shadow

Get the file cupsd.conf and move it to /etc/cups/:

user@ubuntu:~$ sudo wget "https://edafe.org/ubuntu/cups/cupsd.conf"
user@ubuntu:~$ sudo mv cupsd.conf /etc/cups/

The downloaded file contains the following changes from the Ubuntu default configuration:

# Encryption for authenticated requests: only when the client asks for it...
DefaultEncryption IfRequested
# Restrict access to the admin pages...
<Location /admin>
  Allow @LOCAL
</Location>

Setting these options enables members of the admin group to modify the configuration of the CUPS server from clients sharing the same local network. Be aware of the trade-off: with DefaultEncryption IfRequested, a client that connects over plain HTTP sends its Basic-auth credentials, that is the admin password, in clear across the LAN. If other machines are to administer the server, add Encryption Required inside the /admin Location so that cupsd refuses unencrypted admin requests.
Modify the file /etc/cups/cups.d/ports.conf to read:

Port 631
Listen localhost
Listen 192.168.0.123
Listen /var/run/cups/cups.sock

For 192.168.0.123, substitute the IP address of your machine on the local network. Note that Port 631 on its own already makes cupsd listen on every interface; if it should be reachable only on the listed addresses, remove the Port line and use Listen 192.168.0.123:631 instead.
Restart cupsd with the following command:

user@ubuntu:~$ sudo /etc/init.d/cupsys restart

Use a web browser to access http://localhost:631/admin (or http://192.168.0.123:631/admin from another machine on your local network). Go to Administration > Add Printer and begin to set up your printer. When prompted by the system, authenticate yourself as a member of the admin group. If necessary, obtain the correct PostScript Printer Description (PPD) file for your printer model. Print a test page to confirm that your printer is working properly with CUPS.
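As an added example, not code from the original page, the following script shows the configuration above next to a hardened variant and audits whether the admin interface is reachable from the LAN without mandatory TLS. The config fragments are constructed; the parsing simplifications (only the /admin Location is inspected, DefaultEncryption is used as the fallback) are assumptions made here, not a statement of how cupsd resolves its configuration.

```shell
#!/bin/sh
# Constructed cupsd.conf/ports.conf fragments, not copied from a real host.
# WEAK reproduces the settings above: cupsd reachable from the LAN, /admin open
# to every local subnet, TLS only when the client asks for it. With Basic
# authentication that means admin passwords cross the wire unencrypted.
WEAK='Port 631
Listen localhost
Listen 192.168.0.123
Listen /var/run/cups/cups.sock
DefaultAuthType Basic
DefaultEncryption IfRequested
<Location /admin>
  Order allow,deny
  Allow @LOCAL
</Location>'

# HARDENED keeps the same reachability but refuses unencrypted admin requests.
# It also drops "Port 631", which by itself binds every interface.
HARDENED='Listen localhost:631
Listen 192.168.0.123:631
Listen /var/run/cups/cups.sock
DefaultAuthType Basic
<Location /admin>
  Order allow,deny
  Allow @LOCAL
  Encryption Required
</Location>'

LOCAL_ONLY='Listen localhost:631
<Location /admin>
  Order allow,deny
  Allow localhost
</Location>'

# cups_admin_exposed CONFIG: exit 0 (printing why) when /admin can be reached
# from a non-loopback address without mandatory encryption, 1 otherwise.
# Simplifications (assumptions made here): only the /admin Location is
# inspected, and DefaultEncryption is taken as the fallback when the Location
# has no Encryption directive of its own.
cups_admin_exposed() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }                      # strip comments
        /^[ \t]*$/ { next }                     # skip blank lines
        tolower($1) == "port" { lan = 1 }       # Port N = listen on all interfaces
        tolower($1) == "listen" && $2 !~ /^(localhost|127\.|\[?::1|\/)/ { lan = 1 }
        tolower($1) == "defaultencryption" { def = tolower($2) }
        tolower($0) ~ /^[ \t]*<location[ \t]+\/admin>/ { inadmin = 1; next }
        inadmin && tolower($0) ~ /^[ \t]*<\/location>/ { inadmin = 0; next }
        inadmin && tolower($1) == "allow" && tolower($2) != "localhost" && $2 !~ /^127\./ { remote = 1 }
        inadmin && tolower($1) == "encryption" { enc = tolower($2) }
        END {
            if (enc == "") enc = (def == "") ? "ifrequested" : def
            if (lan && remote && enc != "required" && enc != "always") {
                print "/admin reachable from the LAN with Encryption=" enc ": Basic-auth credentials are sent in clear"
                exit 0
            }
            exit 1
        }'
}

# Run the check over all three samples.
for name in WEAK HARDENED LOCAL_ONLY; do
    eval "cfg=\$$name"
    printf '%s: ' "$name"
    cups_admin_exposed "$cfg" || echo "admin interface not exposed"
done
```

To audit a live server, concatenate /etc/cups/cupsd.conf and /etc/cups/cups.d/ports.conf and pass the result as the argument.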

Making Printers Available over the Network

Install and configure a Samba server and then add the following options to /etc/samba/smb.conf:

[global]
  printing = cups
  load printers = Yes
  printcap name = cups
[printers]
  comment = All Printers
  printable = Yes
  path = /var/spool/samba/print
  browseable = No
  guest ok = Yes
  read only = Yes

Create the directory /var/spool/samba/print and set its permissions with the following two commands:

user@ubuntu:~$ sudo mkdir -p /var/spool/samba/print
user@ubuntu:~$ sudo chmod 1777 /var/spool/samba/print

Restart the Samba server with the following command:

user@ubuntu:~$ sudo /etc/init.d/samba restart

Set your Samba clients to use a printer driver that outputs generic PostScript. Use the Apple LaserWriter driver on Windows, the Generic PostScript driver on Mac OS X or the Raw Standard driver on Ubuntu. Note that guest ok = Yes lets anyone on the network print; drop it and use valid users if print jobs should be tied to accounts.
wiki.ubuntuusers.de, www.samba.org

Configuring a static IP address

Edit the file /etc/network/interfaces to contain the following entries:

# The primary network interface
auto eth0
iface eth0 inet static
  address 192.168.0.20
  netmask 255.255.255.0
  broadcast 192.168.0.255
  gateway 192.168.0.1

Reconfigure the network interfaces with the following command:

user@ubuntu:~$ sudo /etc/init.d/networking restart

www.ubuntuforums.org

Samba as a file server

Samba enables Linux to speak the Server Message Block (SMB) protocol, which is also used by Windows and Mac OS X to exchange data over a network. Get the necessary packages with the following command:

user@ubuntu:~$ sudo apt-get install swat netkit-inetd

For an initial configuration, edit the file /etc/samba/smb.conf to contain the following entries:

[global]
  workgroup = SAMBA
[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  create mask = 0640
  directory mask = 0750
  browseable = No

Continue by adding local users to the smbpasswd file:

user@ubuntu:~$ sudo smbpasswd -a user

Restart the Samba server with the following command:

user@ubuntu:~$ sudo /etc/init.d/samba restart

The server ubuntu now joins the SAMBA workgroup, giving users who have been added to the smbpasswd file access to their respective home directories.

Using SWAT

Using the Samba Web Administration Tool (SWAT), you can access help, obtain status information and change the configuration of your Samba server. Use a web browser to access http://localhost:901/ and log in as the local root user. In principle, SWAT can also be reached from other machines on your local network. However, SWAT authenticates with HTTP Basic authentication over plain HTTP, so the root password would cross the network in clear and could be sniffed by anyone on the path; keep SWAT bound to localhost and, if you need remote access, reach it through an SSH tunnel.
www.samba.org, copia.ogbuji.net

Public/private key authentication with SSH

Updated 09/10/2016

SSH is a protocol that enables secure logins over a network. It supports public-key authentication: the client proves possession of a private key by signing a challenge, so only the public key needs to be stored on the remote machine, and a compromised server learns nothing that can be reused elsewhere.

On the local machine

Use the following commands to generate new key pairs for the local user schmidt:

schmidt@exhaustpiano:~$ ssh-keygen -t ed25519 -o -a 100
schmidt@exhaustpiano:~$ ssh-keygen -t rsa -b 8192 -o -a 100

Use an appropriate passphrase to secure the private key (don’t be tempted to use an empty passphrase).
Deploy the public key with the following command:

schmidt@exhaustpiano:~$ ssh-copy-id schmidt@pizzaposition

On the remote machine

Delete the unused DSA and ECDSA host keys with the following command, keeping the Ed25519 and RSA keys that the sshd_config below references (if the RSA host key is shorter than 4096 bits, regenerate it):

root@pizzaposition:~$ rm /etc/ssh/ssh_host_dsa_key* /etc/ssh/ssh_host_ecdsa_key*

Create the group ssh-users with the following command:

root@pizzaposition:~$ addgroup --system ssh-users

Add the local user schmidt to the group ssh-users:

root@pizzaposition:~$ adduser schmidt ssh-users

Make the following changes in /etc/ssh/sshd_config to improve on the default configuration (for most of these directives the first occurrence wins, so edit the existing lines rather than appending new ones at the end):

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key

# Specify allowed key exchange algorithms
KexAlgorithms curve25519-sha256@libssh.org

# Specify the ciphers allowed for protocol version 2
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

# Specify the available MAC (message authentication code) algorithms
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com

# Logging
LogLevel VERBOSE

# Authentication:
AllowGroups ssh-users
LoginGraceTime 20
PermitRootLogin no
MaxAuthTries 1

RSAAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

ClientAliveInterval 15

MaxStartups 3:60:20

UsePAM no
UseDNS no

Restart the SSH server on the remote machine with the following command:

root@pizzaposition:~$ systemctl restart ssh.service

Setting these options makes root logins impossible, and only users belonging to the group ssh-users may establish a connection. With password authentication disabled, access requires the private key itself; the passphrase protects that key on the local machine only and is never seen by the server. One caveat: sshd counts every public key the client offers as an authentication attempt, so with MaxAuthTries 1 and two keys (or an agent holding several), the connection is refused if the wrong key is offered first. Either tell the client which key to use (IdentitiesOnly yes plus IdentityFile in ~/.ssh/config) or raise MaxAuthTries. Using the private key stored on exhaustpiano, local user schmidt should now be able to remotely log into pizzaposition:

schmidt@exhaustpiano:~$ ssh pizzaposition
Enter passphrase for key '/home/schmidt/.ssh/id_ed25519':
Last login: Sun Oct 9 15:51:15 2016 from 12.34.56.78
schmidt@pizzaposition:~$
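As an added example, not code from the original page, here is a small audit that reads an sshd_config and reports the effective value of the hardening directives above. It encodes the detail that trips people up in practice: sshd takes the first occurrence of a keyword, so hardened lines pasted below stock ones change nothing. The config fragments are constructed; Match blocks and the rarely used Key=value spelling are not handled (an assumption of this example).

```shell
#!/bin/sh
# Constructed sshd_config fragments, not copied from any real host.
# STOCK shows the classic mistake: hardened lines appended after stock ones.
# sshd keywords are case-insensitive and, for these directives, the FIRST
# occurrence wins, so the appended "no" lines below change nothing.
STOCK='# Ubuntu-style defaults, hardened lines pasted at the end
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
PermitRootLogin no
PasswordAuthentication no'

HARDENED='HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
LogLevel VERBOSE
AllowGroups ssh-users
PermitRootLogin no
MaxAuthTries 1
PasswordAuthentication no
UsePAM no'

# sshd_get CONFIG KEY: print the effective value of KEY, i.e. the first match,
# compared case-insensitively, ignoring comments and blank lines. Match blocks
# and the "Key=value" spelling are not handled (assumption of this example).
sshd_get() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }
        NF == 0 { next }
        tolower($1) == want { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# sshd_audit CONFIG: print one line per directive whose effective value differs
# from the hardening above; exit 0 only when everything matches.
sshd_audit() {
    cfg=$1 bad=0
    for rule in 'permitrootlogin no' 'passwordauthentication no' \
                'usepam no' 'allowgroups ssh-users' 'loglevel verbose'; do
        key=${rule%% *} want=${rule#* }
        got=$(sshd_get "$cfg" "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$got" != "$want" ]; then
            echo "$key: effective '${got:-<sshd default>}', expected '$want'"
            bad=1
        fi
    done
    return "$bad"
}

# Demonstrate on the samples; on a live host audit the effective configuration
# (as root) with: sshd_audit "$(sshd -T)"   -- sshd -T prints lower-case keys.
echo "== STOCK ==";    sshd_audit "$STOCK" || true
echo "== HARDENED =="; sshd_audit "$HARDENED" && echo "all hardening directives in effect"
```

Running it against `sshd -T` rather than the file is the more reliable choice, because sshd -T prints what the daemon will actually enforce after defaults, includes and Match blocks are resolved.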

For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.
stribika.github.io

The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.

I did not come up with exhaustpiano and pizzaposition. The NSA Name Generator did.