System Administration

System Administration information

Stronger SSL Encryption can be achieved by doing the following:

  • Upgrade your operating system
  • Upgrade Java
  • Upgrade Noodle
  • Set crypto.policy=unlimited in $JRE_HOME/jre/lib/security/java.security
    • Get JCE if it was not included with your JDK/JRE
  • Limit Ciphers
    • multiserver.conf
      • Connection.CM_1.Ciphers[] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_AES_256_GCM_SHA384
      • For less security but more compatibility add: ,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384
  • Limit Protocols
    • multiserver.conf
      • Connection.CM_1.Protocols[] = TLSv1.2, TLSv1.3
  • Add a CAA record to your DNS.

The available ciphers and protocols are listed on http://DOMAIN.TLD/Check.po?admin=now
Test the result at SSL Labs.
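
To check a multiserver.conf against the cipher and protocol advice above before testing externally, here is an added example (not part of Noodle or this page's own tooling) that lints each connector's Ciphers[] and Protocols[] lines; the connector names, the one-setting-per-line layout and the sample config are assumptions.

```python
import re
# Suites the page recommends: ECDHE key exchange (forward secrecy) or TLS 1.3 AEAD suites.
STRONG_SUITES = set("""TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_AES_256_GCM_SHA384""".split())
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
PFS_PREFIXES = ("TLS_ECDHE_", "TLS_AES_", "TLS_CHACHA20_")  # ECDHE or TLS 1.3: forward secrecy
# Assumed layout: one setting per line as in the page's examples; continuation lines are not handled.
LINE_RE = re.compile(r"^\s*Connection\.(CM_\d+)\.(Ciphers|Protocols)\[\]\s*=\s*(.*)$")

def parse_tls_settings(conf_text):
    """Return {connector: {"Ciphers": [...], "Protocols": [...]}} from multiserver.conf text."""
    settings = {}
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            cm, key, values = m.groups()
            settings.setdefault(cm, {})[key] = [v.strip() for v in values.split(",") if v.strip()]
    return settings

def lint_connector(cm, values):
    """Return findings for one connector; an empty list means it follows the page's advice."""
    findings = []
    for key in ("Protocols", "Ciphers"):
        if key not in values:
            findings.append(f"{cm}: no {key}[] line, the server default applies")
    for p in values.get("Protocols", []):
        if p not in ALLOWED_PROTOCOLS:
            findings.append(f"{cm}: legacy protocol {p} enabled")
    for c in values.get("Ciphers", []):
        if c not in STRONG_SUITES:
            pfs = "" if c.startswith(PFS_PREFIXES) else ", no forward secrecy"
            findings.append(f"{cm}: {c} not in the recommended suite list{pfs}")
    return findings

def lint_config(conf_text):
    """Lint every connector that has TLS settings, returning all findings in connector order."""
    return [f for cm, values in sorted(parse_tls_settings(conf_text).items())
            for f in lint_connector(cm, values)]
# Constructed sample: CM_0 still allows old protocols and an RSA key-exchange suite, CM_1 follows the page.
SAMPLE_CONF = """\
Connection.CM_0.Protocols[] = TLSv1, TLSv1.1, TLSv1.2
Connection.CM_0.Ciphers[] = TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Connection.CM_1.Protocols[] = TLSv1.2, TLSv1.3
Connection.CM_1.Ciphers[] = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_AES_256_GCM_SHA384
"""
if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONF) or ["all connectors pass"]:
        print(finding)
```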

Windows

  • Updating Java can require a Windows restart to complete and be functional.
  • It is more likely to work properly with the offline installer.
  • If you upgrade a major version, be sure to edit intranet.bat accordingly.

Make sure Noodle is not running while you uninstall old Java versions.
A Noodle service restart is required afterwards.

How to prevent emails (memo, reminder, auto-notification, notification, subscription) from Noodle from being marked as spam.

If you are hosted by Vialect and are using mail.vialect.net in the SMTP settings, half of it is already taken care of:

  • If using SPF, add our mail server. To view your current SPF record:
    • Linux
      dig sub.domain.tld TXT | grep spf
    • Windows
      nslookup -type=TXT sub.domain.tld | findstr spf
  • If using the Google mail client, add a filter (that applies a tag) for anything containing your Noodle domain name.

If hosting Noodle on your own server or using your own SMTP server, additionally:

  • Whitelist the Noodle server in your mail filtering (Postfix, SpamAssassin, Exchange).
  • Use authentication in the Noodle SMTP setting, which has the form:
    • [user:pass@]domain.tld[:port][,protocol]

Another option is to use something like noreply@vialect.com in the "Send system emails from" system setting.

Restarting Noodle service

  • Microsoft
    • sc stop noodle
    • sc start noodle
  • Linux-like, sysvinit/Upstart
    • service noodle restart
  • Linux-like, Systemd
    • systemctl restart noodle
  • Linux-like, launchd
    • launchctl unload /System/Library/LaunchDaemons/noodle.plist
    • launchctl load /System/Library/LaunchDaemons/noodle.plist
  • Linux-like, SMF
    • svcadm restart noodle

Changing the Noodle port

  1. Make sure the port you want to use is not already in use:
    • Linux-like systems
      • netstat -ln | grep ":80 "
    • Microsoft
      • netstat -na | findstr ":80"
  2. Edit the text file cfg/multiserver.conf in the Noodle Home directory, changing the line "Connection.CM_0.Port = 80" to an available port.
  3. Remember to update the OS and network firewalls.
  4. Restart the Noodle service.
  5. Update the Noodle setting "System Tools > Settings > URL for Noodle".
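
An added helper (not a Noodle tool) for steps 1 and 2 above: it refuses a port that is already taken and otherwise rewrites the Connection.CM_0.Port line; the sample config text is constructed, and the port probe only sees listeners reachable on the address it connects to.

```python
import re
import socket

def port_in_use(port, host="127.0.0.1"):
    """True if something already accepts connections on host:port (an unprivileged stand-in
    for the netstat check; it only sees listeners reachable on the given address)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(1)
        return s.connect_ex((host, port)) == 0

def set_connector_port(conf_text, connector, new_port):
    """Rewrite the 'Connection.<connector>.Port = <old>' line in multiserver.conf text.
    Returns (new_text, old_port); old_port is None if the line was not found."""
    pattern = re.compile(rf"^(\s*Connection\.{connector}\.Port\s*=\s*)(\d+)[ \t]*$", re.M)
    m = pattern.search(conf_text)
    if not m:
        return conf_text, None
    return pattern.sub(rf"\g<1>{new_port}", conf_text, count=1), int(m.group(2))

def change_port(conf_text, connector, new_port):
    """Steps 1 and 2 of the procedure: refuse a port that is already taken, otherwise
    return the edited config text and the port it replaced."""
    if not 1 <= new_port <= 65535:
        raise ValueError(f"{new_port} is not a valid TCP port")
    if port_in_use(new_port):
        raise RuntimeError(f"port {new_port} is already in use, pick another")
    new_text, old_port = set_connector_port(conf_text, connector, new_port)
    if old_port is None:
        raise ValueError(f"no Connection.{connector}.Port line in the config")
    return new_text, old_port

# Constructed sample of the relevant multiserver.conf lines (assumed layout).
SAMPLE_CONF = "Connection.CM_0.Port = 80\nConnection.CM_0.BindAddress = 192.168.0.100\n"

if __name__ == "__main__":
    text, old = change_port(SAMPLE_CONF, "CM_0", 8080)
    print(f"moved CM_0 from {old} to 8080; now update firewalls, restart noodle and the URL setting")
    print(text)
```

Steps 3 to 5 (firewalls, service restart, URL setting) still have to be done by hand after the file is written back.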

Microsoft Windows runs http.sys on port 80 by default. Disable http.sys by running these two commands:

  1. sc config http start= disabled
  2. net stop http /y

Or, if you want to use both, bind them to different IPs:

  1. http.sys IP (netsh http add iplisten ipaddress=192.168.0.101)
  2. Noodle IP (Connection.CM_0.BindAddress = 192.168.0.100)

LAN security options for the server:

  • Whole disk encryption (prevents bypassing security by reading the disk from another computer).
  • Dedicated server (reduces exploitable surface area).
  • Linux OS (protects from Windows malware).
  • Firewall blocking all but ssh and the Noodle http[s] ports (reduces exploitable surface area).
  • ssh keys (prevents password guessing on ssh).

LAN security options on a network, listed from most to least secure:

  1. Network not (even indirectly) connected to the internet.
  2. Network with no Microsoft Windows devices, only indirectly connected to the internet:
    • Encrypted VPN, or better yet an ssh tunnel (used with keys, this prevents MITM attacks from a spoofed wifi, an untrusted ISP or a government).
    • Anonymity networks like Tor can be used, optionally with ssl or ssh (in practice this prevents anyone, including governments, from learning which server a user is talking to).
  3. Network only indirectly connected to the internet.
  4. Public network with a firewall or NAT port forwarding blocking all but one port.
  5. Public network.


List of most to least secure ways of connecting to the Noodle service:

  1. On a network not (even indirectly) connected to the internet.
  2. On a network only indirectly connected to the internet.
  3. On a public network with a firewall or NAT port forwarding blocking all but one port.
  4. On a public network.

Public network security options:

  • SSL (prevents password collection on public wifi).
  • Whitelist (prevents password guessing from known hostile networks).
  • "Session Security Level" set to 4 (prevents session hijacking).
  • "Minimum password length" set to 8 (makes password guessing harder).
  • Encrypted VPN, or better yet an ssh tunnel (used with keys, this prevents MITM attacks from a spoofed wifi, an untrusted ISP or a government).
  • Anonymity networks like Tor can be used, optionally with ssl or ssh (in practice this prevents anyone, including governments, from learning which server a user is talking to).

Downgrading Noodle

  • Instead of downgrading, we encourage you to report issues and then upgrade to a fixed version.
  • A new unwanted feature can often be made optional by adding a setting to disable it.
  • To test customizations against a new version, we recommend cloning the VM or DB to a test instance and trying the upgrade there before applying it to the production version.
  • If only the last number of the version has changed, downgrade by replacing its lib directory with the old version's.
  • If the second number in the version changes, reverting the database structure will require a custom jar.

Windows example of converting a Tomcat SSL certificate (JKS keystore) to the PEM files Apache uses:

rem Export the server certificate and the CA certificate in PEM (-rfc) form
keytool -storepass 123 -keystore noodle.jks -export -alias domain.tld -rfc -file server.crt
keytool -storepass 123 -keystore noodle.jks -export -alias root -rfc -file server-ca.crt

rem Copy the key entry into a PKCS12 keystore, extract the unencrypted private key with openssl, then remove the intermediate file
keytool -importkeystore -srckeystore noodle.jks -srcalias domain.tld -srcstorepass 123 -deststorepass 123456 -destkeystore apache.p12 -deststoretype PKCS12
openssl pkcs12 -in apache.p12 -nocerts -nodes -passin pass:123456 > server.key
del apache.p12

Official keytool manual

Official openssl manual