All posts by Don Matteo

Firefox Sync in Private Cloud

Firefox Sync Server on its own host

 

Firefox Sync makes bookmarks available synchronously on any device, including the timeline, tabs, add-ons, settings, and credentials, which can be matched on request.

The Mozilla-hosted Firefox account server can be easily used in combination with a self-hosted synchronization server and storage.Authentication and encryption protocols are designed so that the account server does not know the user’s plaintext password and therefore cannot access the stored synchronization data.

CONTENT

Firefox Sync Server Installatio
nFirefox Sync Basic Configurat
ionFirefox Sync Apache Configurat
ionFirefox Sync HTTPS Let’s Enc
ryptFirefox Browser Setting
Troubleshoting & Settings

This tutorial shows how to install Firefox Sync 1.5 servers on Ubuntu 16.04.4 LTS. The Ubuntu server, here sync.server.net as an example, is accessible via the Apache 2.4 web server on the Internet.

Firefox Sync Server Installation

Prerequisite for Sync 1.5 servers is Python 2.7 and Python Virtualenv, python-dev, make, git, as well as the C and C++ compiler. To ensure this, the following pacts will be made available:

$ sudo apt-get install apach2 libapache2-mod-wsgi python-dev python-virtualenv git-core g++ make

We install the sync server under /opt, who prefers /usr/local, can choose this path, we will root and execute the following lines:

$ sudo su -
$ cd /opt
$ git clone https://github.com/mozilla-services/syncserver
$ cd syncserver
$ make build

To verify that the installation was successful, the following can provide the following:

$ make test

Firefox Sync Basic Configuration

Create users and assign permission:

$ useradd -d /opt/syncserver/ -s /bin/false -l -r -U ffsync
$ chown -R ffsync:www-data /opt/syncserver/

The sync server is configured using the ini file to pass different runtime settings.The syncserver .ini file serves as a starting point.

Most settings can be applied before the sync server runs, the URL that can be reached for clients must be adapted to the sync server. For productive use, we open the syncserver .ini file and edit the public_url:

$ vi /opt/syncserver/syncserver.ini

[syncserver]
public_url = https://sync.server.net/

Change the public_url from localhost:5000 to our sync.server.net. In another section, the configuration is set up on the HTTPS protocol.

Then adjust the sqluri for our data beacon:

sqluri = sqlite:////opt/syncserver/syncserver.db

A secret key with the random generator is generated from a terminal, running the following line:

$ head -c 20 /dev/urandom | sha1sum
60bev0b7bd2f56dxea3794fb97f03c824e70e21d

Enter this key generated in the syncserver configuration file .ini:

secret = 60bev0b7bd2f56dxea3794fb97f03c824e70e21d

Assign enough rights to the database:

chmod 660 /opt/syncserver/syncserver.db

Create automatic start in systemd for Firefox Sync:

$ vi /etc/systemd/system/firefox-sync.service

and insert the following content:

$ [Unit]
Description=Firefox Sync Server
After=syslog.target network.target remote-fs.target nss-lookup.target

[Service]
Type=simple
User=ffsync
Group=ffsync
Umask=007
Restart=on-abort
ExecStart=/opt/syncserver/local/bin/gunicorn --paste /opt/syncserver/syncserver.ini

[Install]
WantedBy=multi-user.target

Start the Firefox Sync Service:

$ systemctl start firefox-sync.service

Firefox Sync Apache Configuration

Create an Apache Virtualhost as follows in this example:

$ vi /etc/apache2/sites-available/sync.server.net.conf


ServerName sync.server.net
DocumentRoot /opt/syncserver

CustomLog /var/log/apache2/access_sync.server.net.log combined
ErrorLog /var/log/apache2/error_sync.server.net.log
LogLevel warn


        Require all granted
        Options -Indexes

Activate and restart the Apache Virtualhost:

$ a2ensite sync.server.net.conf
$ sudo systemctl restart apache2.service

Firefox Sync HTTPS Let’s Encrypt

Provide Let’s Encrypt for our sync server, adding the repository and installing the ACME packages:

$ add-apt-repository ppa:certbot/certbot
$ apt-get update
$ apt-get install python-certbot-apache

Now the Let’s Encrypt certificate can be created, certbot makes it easy for us, the SSL configuration required for our virtual host is created automatically.

$ certbot --apache -d sync.server.net

Under /etc/apache2/sites-enabled is now the symlink of this to file sync.server.net-le-ssl.conf shows, this i
s stored under/etc/apache2/sites-available.

$ ls /etc/apache2/sites-enabled/sync.server.net-le-ssl.conf
/etc/apache2/sites-enabled/sync.server.net-le-ssl.conf

In the file sync.server.net-le-ssl.conf, the WSGI configuration still needs to be added, we edit wiedersync
.server.net-le-ssl.conf, which then shows the following content:



ServerName sync.server.net
DocumentRoot /opt/syncserver

        WSGIProcessGroup ffsync
        WSGIDaemonProcess ffsync user=ffsync group=ffsync processes=2 threads=25 python-path=/opt/syncserver/local/lib/python2.7/site-packages/
        WSGIPassAuthorization On
        WSGIScriptAlias / /opt/syncserver/syncserver.wsgi

        CustomLog /var/log/apache2/access_sync.server.net.log combined
        ErrorLog /var/log/apache2/error_sync.server.net.log
        LogLevel warn

        Require all granted
        Options -Indexes

SSLCertificateFile /etc/letsencrypt/live/sync.server.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sync.server.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

Now the Apache web server needs to be restarted:

sudo systemctl restart apache2.service

Firefox browser setting

In order for Firefox to be able to synchronize via its own sync server, the URL must be changed, for this purpose you enter about:config in the address bar and confirm with the enter key.

Firefox: about:config

After confirming the warning, enter identity.sync.tokenserver.uri into the search box.

identity.sync.tokenserver.uri
Firefox: identity.sync.tokenserver.uri

Double-clicking changes the value to your own sync server
https://sync.server.net/token/1.0/sync/1.5

Finally, the Mozilla account is created via the following URL:

https://accounts.firefox.com

The account itself is located on the Mozilla server, the data is stored on the own sync server.

It is important that the synchronization was made only after the entry to the own sync server in Firefox. If bookmarks and data are on the sync server with Mozilla, the data can be deleted, with the following command lines:

$ apt install python-pip 
$ sudo pip install PyFxA
$ python ./bin/delete_user_data.py email.account@server.net

email.account@server.net with actual account email.

Troubleshoting & Settings

To check that The Firefox Sync sync is running correctly, open the log file /var/log/apache2/access_sync.server.net.log:

$ sudo tail -f /var/log/apache2/access_sync.server.net.log

Note that the Let’s Encrypt certbot for validation, the host must be reachable via port 80, for the firewall included in Ubuntu in the default, the command is as follows:

$ sudo ufw allow http

When you call the Sync Server URL, or https://sync.server.net in the browser, the following output should appear:

$ curl -k https://sync.server.ent
it works!

If the Apache web server does not start, the syntax of the configuration can be validated:

$ apache2ctl configtest
Syntax OK

After all accounts have been created, access to other users can be blocked in the syncserver .ini file:

$ allow_new_users = false

The Firefox Sync protocol contains the debug information in case of errors and can be queried with the following command in the browser line.

about:sync-log


Sources Link:
Run your own Sync-1.5 Server
Github mozilla-services/syncserver

Generate keys using SSH-KEYGEN

How to create KEYGEN use for SSH public key authentication

Public key authentication, also known as asymmetric cryptosystem, is an authentication method used by OpenSSH and OpenSSL to log users on to a server using a key pair consisting of digital signatures, private and public keys. Such a key pair is much harder to compromise than a password.

How to generate OpenSSH RSA key

The easiest way to generate a key pair in OpenSSH format is to run ssh-keygen without arguments in the shell. In this case, it asks for the file in which the keys are to be stored. Like here in this example:

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:TZ+isKhohYE6wOcKuqWxElclsdZw4UxJwFtnB9txEC8 user@debian.localdomain
The key's randomart image is:
+---[RSA 3072]----+
|   .+.o... +o.    |
|    oOo.oo.+ |
|o o=*o..E .    |
|oo oo. . o o .   |
|o =.  . S o o |
|=.. o . . . |
|+++   . .        |
|oO . .         |
|B.... .          |
+----[SHA256]-----+

SSH keys for user authentication are typically stored in the user base under the .ssh directory.

The key pair can also be generated by passing parameters.

$ ssh-keygen -f.ssh/key_rsa -t rsa -b 4096

The parameters have the following meaning:
-f the key file
-t the algorithm
-b the key length
The longest key is 4096. If no algorithm is passed, the default is an RSA key.

When asking for the passphrase for the private key, a passphrase can be entered, in the next section after that it is shown how it can be generated, by pressing the Enter key, without a passphrase the key is created without password protection.

The purpose of the passphrase is usually to protect the key. It is a second authentication factor. This makes the key file without a public key unusable for attackers.It is not uncommon for hackers to filter for files from compromised systems, including backups and decommissioned hardware.

A secure passphrase can be generated automatically, with the following input a 32-character passphrase is generated.

$ date +%s | sha256sum | base64 | head -c 32 ; echo

OpenSSL can also be used to generate a passphrase with the built-in random number generator (rand), which is output as follows.

$ openssl rand -base64 32

Note. It is important you protect the private key and the associated passphras from unauthorized individuals, if the private key is stolen, a new one must be generated, and the public key has to be changed.

If only the public key is lost, the following input shows how the public key can be recovered from the openSSH private key with the -y option, the passphrase is required for this.

$ ssh-keygen -y -f ~/.ssh/key_rsa > ~/.ssh/key_rsa.pub

It should be noted that at the end of the file key_rsa.pub the comment (key comment) must be added again, after a space, as in this example user@host.localdomain:

$ ssh-rsa AAAA...HPCQ== user@host.localdomain

  The file key_rsa.pub must not be modified in any other place.

If the passphrase is to be removed, this can be performed with the following input:

$ ssh-keygen -p -P old_passphrase -N "" -f ~/.ssh/key_rsa

The empty input between the quotation marks does not write a new passphrase, so it is deleted.

Generate ECDSA key

Next, an ECDSA key pair with a key length of 521 bits is generated and stored under the user base ~/.ssh. Valid lengths are 256, 384 or 521 bits.

$ ssh-keygen -f ~/.ssh/key-ecdsa -t ecdsa -b 521

ECDSA is a new algorithm for digital signatures standardized by the U.S. government using elliptic curves. It’s probably the best algorithm right now. Most SSH clients today support ECDSA.

Two files have now been created in the path ~/.ssh directory. The file with the extension .pub is the public key. The key-ecdsa file in this example is the private key and is readable only by the owner.

-rw-------.  1 user user 801 May 20 20:33 key-ecdsa
-rw-r--r--.  1 user user 279 May 20 20:33 key-ecdsa.pub

The public key key key-ecdsa.pub as SHA2 hash is now stored in the file authorized_keys on the server in the user’s home directory under .ssh.

$ cat ~/.ssh/authorized_keys
ecdsa-sha2-nistp521 AAAAE2vjZHNhLXNoYTItbmlzdHA1MjEFASBIbml
zdHA1MjEAfACFBAHnx0uIYUprY7D7myKMf1H+6NjCIV9U2GhZ69/oRE546i
QsvqSnSBs6SyL2ekvSe2JO3WXkrQ4gGpdLr9+XcLxfbAD79Oc8Z/Gcpr8mN
uKabOc4V/Seyr6AQ3l2KC+k8Wp0SBWG2ZofN0QYsPND8yIUL8Y7bS+t2tH9
dhSmeVwnLHUQNoktbVPoVDHw== user@host.localdomain

Public-Key Transfer with ssh-copy-id

To use public key authentication, the public key must be copied to the server and stored in the authorized_keys file. This can be done conveniently with the ssh-copy-id tool.

$ ssh-copy-id -i ~/.ssh/key-ecdsa user@host.foo.bar

Now you can log on to the server without having to enter a password, this method is also suitable for automated tasks and for logins from scripts.

$ ssh user@host.foo.bar
Last login: Mon May 20 21:53:46 2019 from 192.168.7.85

Verbose mode can be useful for troubleshooting, with numerous debugging messages about progress, such as connection, authentication, and configuration issues.

$ ssh -v user@host.foo.bar

Note. multiple -v options increase the verbosity to max. -vvv.

OpenSSH config

If you have different hosts and key pairs, this can be defined in the config file under ~/.ssh.

$ vi ~/.ssh/config
Host *.foo.bar
  User user
  Port 22
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa
  IdentityFile key-ecdsa

Host host.fooo.bar
  User user
  Port 22
  HostKeyAlgorithms +ssh-dss
  PubkeyAcceptedKeyTypes +ssh-dss
  IdentityFile id_dss

Browser User Agent Switcher

How to change Browser User Agent use User Agent Switcher

What is a User Agent?

The user agent is a part of the HTTP header that is transmitted on an HTTP request. The user agent transmits information to the server, which usually includes the browser used and its version as well as the user’s operating system.

If you want to give the impression that the web request comes from a different browser than you actually use, this is possible. For example, to use the web server of a website to tell you which browser you are using to open the page. When developing web pages, this is a useful way to check the compatibility of the website for different browsers. For this purpose, all popular browsers have a built-in User Agent Switcher, so you can change the user agent without having to install an extension.

Websites identify browsers by user agent. Changing the user agent of a browser will tell the website you are visiting that it is a different browser. In this way, you can test websites whether they are designed for different browsers or even for different devices such as smartphones and tablets.

Google chrome

Chrome’s User Agent Switcher is part of the developer tools. To do this, open the Chrome Settings menu and go to More Tools and Developer Tools, or by pressing the Ctrl + Shift + I key combination on the keyboard.

The option in the Network conditions tab can be accessed via the Network tab and the three-pin menu on the left.

With User agent – Select automatically deactivate and select Custom, you can now enter any string for the user agent in the field, or select a user agent from the list.

Mozilla Firefox

For Mozilla Firefox, this option is on the about:config page.

To get to the page, enter about:config in the address bar of Firefox and press the Enter key. A warning will be displayed, clicking on I accept the risk! it goes on.

Here you enter general.useragent.override in the search box and press enter, then select String and right click on the plus+.

To the newly created entry general.useragent.override, insert a string for the user agent into the field as a value.

After entering a string value for the desired user agent, click on the hack and restart the browser.

The standard User Agent String of Mozilla Firefox 79 on Windows 10 is as follows:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0

Some examples of the User Agent String of different operating systems (operating system: User Agent String):

Windows XP IE 8.0 : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Windows 7 IE 11.0 : Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Windows 8.1 Chrome: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
WinSrv 2012 IE 11 : Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
WinSrv 2016 Chrome: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Windows 10 Firefox: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Windows 10 Chrome : Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Windows 10 Edge 42: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134
Fedora 30 Firefox : Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Fedora 30 Chrome : Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Ubuntu Bionic Lynx: Lynx/2.8.9rel.1 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.1.1b
CentOS (Core) Lynx: Lynx/2.8.8dev.15 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.0.1e-fips    
Android 8.0 Chrome: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.136 Mobile Safari/537.36
iPhone iOS 12.1 : Mozilla/5.0 (iPhone; CPU iPhone OS 12_2 like Mac OS X) AppleWebKit/605,1.15 (KHTML, like Gecko) Version/12.1 Mobile/15E148 Safari/605.1
Linux Mint Firefox: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Linux Mint Chrome : Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
Raspberry Chromium: Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Raspbian Chromium/65.0.3325.181 Chrome/65.0.3325.181 Safari/537.36

To verify the user agent of his browser, this shows the query here.