Infrastructure

Security

Security is extremely important for me. A few selected items of what I do:

  • access to my servers (SSH) requires 2-factor authentication (pubkey and password)
  • authorized SSH keys are handed out in hardware (YubiKeys)
  • where supported, updates are installed automatically (including automatic reboots when necessary)
  • my domains are DNSSEC signed
  • I support DANE for email traffic
  • HSTS with Preloading
  • I make use of 2-factor authentication for all 3rd-party services where supported (njal.la, 1984.is, stripe, github, twitter, mastodon, …)
  • I monitor certificate transparency logs for our domain to spot rogue certificates

Domain Name System

I use njal.la & inwx in combination with 1984.is as the authoritative name servers for “koljasagorski.de” because they:

  • support DNSSEC and security-related DNS records (CAA, TLSA and SSHFP)
  • support 2-factor authentication (TOTP, YubiKey)
  • are Tor-friendly
  • offer good service for the price

Email

I run my own self-hosted mail server with Mailcow.

  • support DKIM
  • support DANE
  • support 2-factor authentication
  • fully encrypted virtual machine on our host system

VPN

My home, phone and some virtual machines are running behind a VPN from OVPN.com

  • They have no hard drives
  • don’t log anything
  • pay via bitcoin
  • pay via cash (Amazing!)
  • offers a static IP (for some services)
  • amazing speed and latency