
#1 2017-02-24 18:21:38

lapsio
Member
From: Warsaw
Registered: 2015-09-30
Posts: 50

Arch - enable https-only upgrades

Hello

I'm using Arch as a VPS hosting OS and I'm trying to limit its interaction with the WAN as much as possible. However, it's Arch, so I suppose it's not really a wise idea to cut it off from the internet completely, as it'd prevent updates, and due to the rolling-release nature of Arch that's probably a really bad idea. I already lost one Arch machine during an upgrade after 3 years because everything exploded.

So I'd like to enable only https mirrors and explicitly add them to the firewall's allowed addresses. I'm able to open dst addresses based on both IPs and DNS names. As the environment provides a DNSSEC-enabled DNS server, I think the second option seems safer. So how do I allow only https mirrors, and how can I check their hostnames to configure the firewall?

Last edited by lapsio (2017-02-24 18:22:34)


#2 2017-02-24 18:47:19

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: Arch - enable https-only upgrades

The mirrorlist includes both HTTP and HTTPS mirrors (and FTP or RSYNC, even), so generate an HTTPS-only mirrorlist...

I don't know why you care though, since all packages are PGP-signed and invalid or untrusted signatures on the repo packages are a fatal error.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
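As an added example (not from this thread or from the Arch project), a small POSIX shell filter that does what the answer above suggests: it keeps only the active `https://` Server lines from a pacman mirrorlist and reduces them to bare hostnames for a firewall allow-list. The mirrorlist content below is constructed sample data with `.invalid` hostnames; on a real system you would feed it `/etc/pacman.d/mirrorlist`.

```shell
#!/bin/sh
# Constructed sample mirrorlist (not real mirrors); single quotes keep $repo/$arch literal,
# as they are in the real /etc/pacman.d/mirrorlist.
SAMPLE_MIRRORLIST='## Arch Linux repository mirrorlist (constructed sample)
## Poland
#Server = http://mirror.example-pl.invalid/archlinux/$repo/os/$arch
Server = https://mirror.example-pl.invalid/archlinux/$repo/os/$arch
## Germany
Server = http://ftp.example-de.invalid/pub/archlinux/$repo/os/$arch
Server = rsync://rsync.example-de.invalid/archlinux/$repo/os/$arch
Server = https://mirror.example-de.invalid:8443/archlinux/$repo/os/$arch
Server = ftp://ftp.example-fr.invalid/archlinux/$repo/os/$arch
'

# Keep only active (uncommented) Server lines whose URL scheme is https.
# Commented-out mirrors and http/ftp/rsync mirrors are dropped.
https_only() {
    grep -E '^[[:space:]]*Server[[:space:]]*=[[:space:]]*https://'
}

# Reduce the https Server lines to bare hostnames: strip the scheme, any
# userinfo, an optional :port and the path, then deduplicate. The result is
# the list of names to allow in an outbound firewall rule.
# Caveat: this only covers mirrors in the mirrorlist. Repos that carry their
# own "Server =" line in pacman.conf (third-party ones, for instance) are not
# seen here and will be blocked by such a firewall.
mirror_hosts() {
    https_only | sed -E 's#^[^=]*=[[:space:]]*https://([^/:@]*@)?([^/:]+).*#\2#' | sort -u
}

# Write an HTTPS-only mirrorlist and list the hostnames to allow.
printf '%s' "$SAMPLE_MIRRORLIST" | https_only > mirrorlist.https-only
printf '%s' "$SAMPLE_MIRRORLIST" | mirror_hosts
```

Pacman keeps using the filtered file only if it replaces (or is `Include`d in place of) the mirrorlist referenced from `pacman.conf`, so check that path after generating it.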


#3 2017-02-24 19:08:07

lapsio
Member
From: Warsaw
Registered: 2015-09-30
Posts: 50

Re: Arch - enable https-only upgrades

I enabled only https repositories, but on an older Arch installation I'm getting an error:

error: failed retrieving file 'archlinuxfr.db' from repo.archlinux.fr : Connection timed out after 10000 milliseconds
error: failed to update archlinuxfr (download library error)


#4 2017-02-24 19:12:14

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: Arch - enable https-only upgrades

So you profess to be concerned about security, and you enable archlinux.fr?


Moving to NC...


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#5 2017-02-24 19:17:01

lapsio
Member
From: Warsaw
Registered: 2015-09-30
Posts: 50

Re: Arch - enable https-only upgrades

What is archlinux.fr? I don't remember enabling it. Is it AUR? I needed one package from it once, but I don't need it any longer.

After removing yaourt and x2x, which were from the AUR, it still asks about it ._.

EDIT: Okay, solved it: I removed archlinux.fr. Thanks for pointing out the issue; somehow I forgot I enabled AUR on this machine a long time ago.

Last edited by lapsio (2017-02-24 19:23:46)


#6 2017-02-24 19:29:31

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: Arch - enable https-only upgrades

archlinuxfr is not "the AUR". Also, it doesn't use the mirrorlist, so no wonder this (horribly broken) repo is being firewalled...



#7 2017-02-24 19:40:17

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: Arch - enable https-only upgrades

So this isn't an Arch install, but one of those spinoffs that comes with additional repos "helpfully" configured?



#8 2017-02-24 19:46:07

lapsio
Member
From: Warsaw
Registered: 2015-09-30
Posts: 50

Re: Arch - enable https-only upgrades

I think I need to reinstall this machine anyway then... I mean, well, this one with archlinuxfr was the DNSSEC server in the network I mentioned, another machine, but uh... I installed an X server and lots of unnecessary garbage here that I don't really remember now, but there may be lots of other misconfigurations that could put the machine in danger. I thought I removed all this junk, but leaving something like this unnoticed suggests that my actions were only partially successful, and it's probably impossible now to find out what exactly remains from old flaws. It was the first Arch machine I ever set up after working exclusively with OpenSUSE, which has installed like... EVERYTHING out of the box (~16gb of soft), and moving to minimalistic, single-purpose systems was quite hard for me back then :V So I thought an X server and x2x and xpra and VNC and open X server ports and so on, so on... were absolutely, totally necessary for a headless DNS server...

On OpenSUSE it was quite normal that a home laptop had Apache and Avahi and a bind server and KVM, VirtualBox and Xen all installed at once, because well, it always had absolutely everything installed ever... So I just tried to install everything on Arch... Just like it was done on OpenSUSE xD

Welp. Mistakes were made.

Last edited by lapsio (2017-02-24 19:52:03)
