Thursday, July 31, 2008

Secure Shell: SSH

The ability to authenticate with SSH keys is the most powerful feature of SSH. To use it, the user generates a key pair and adds the so-called public key to the ~/.ssh/authorized_keys file on the server. Normally the private key is protected by a passphrase and managed by ssh-agent. If the key is used to automate tasks, however, it must not have a passphrase.

[georgia@georgia ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/georgia/.ssh/id_rsa):
Created directory '/home/georgia/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/georgia/.ssh/id_rsa.
Your public key has been saved in /home/georgia/.ssh/id_rsa.pub.
The key fingerprint is:
67:5a:60:ac:70:95:18:8d:02:1b:e1:c2:da:5c:88:81 georgia@georgia.rhce.test


[georgia@georgia ~]$ cat ~/.ssh/id_rsa.pub | ssh georgia@greg.rhce.test 'cat >>.ssh/authorized_keys'

Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Kernel \r on an \m
georgia@greg.rhce.test's password:

Now check your configuration by doing the following:


[georgia@georgia ~]$ ssh georgia@greg.rhce.test

Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Kernel \r on an \m
georgia@greg.rhce.test's password:
Last login: Thu Jul 31 16:23:42 2008

It should work as above.
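As an added example (not part of the original post), here is a small POSIX sh function that does what the cat | ssh 'cat >> .ssh/authorized_keys' one-liner above does, but skips a key that is already installed and sets the permissions sshd expects. The home-directory argument is an assumption so the function can be tried on a scratch directory.

```shell
# Added example, not from the original post. Installs one public key line
# into $home/.ssh/authorized_keys idempotently and with the permissions
# sshd's StrictModes requires. The home argument is an assumption so the
# function can be tried on a scratch directory; it defaults to $HOME.
install_authorized_key() {
    pubkey="$1"                  # one line as found in id_rsa.pub
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"
    # sshd ignores authorized_keys if ~/.ssh or the file is group/world writable
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authfile" && chmod 600 "$authfile"
    # compare only the key type and material; the trailing comment may differ
    keymat=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    if awk '{print $1 " " $2}' "$authfile" | grep -qxF "$keymat"; then
        echo "key already present"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$authfile"
    echo "key added"
}
```

Run it on the server as the target user, for example with ssh user@server "$(cat install.sh); install_authorized_key '$(cat ~/.ssh/id_rsa.pub)'".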

Friday, July 18, 2008

Basic IPv4 Firewall Using iptables

Scenario: somebody wants to harden his/her stand-alone server using linux built-in firewall application: iptables. The server only has one NIC.

Here are the steps:
1. Create a custom chain named HOME-RULES and insert a rule at the top of INPUT that jumps all packets to it (INPUT is still empty at this point, so -A puts the rule at the top). Remember to save the firewall configuration when you're finished.
[root@greg ~]# iptables -N HOME-RULES
[root@greg ~]# iptables -A INPUT -j HOME-RULES
[root@greg ~]# service iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
[root@greg ~]# less /etc/sysconfig/iptables
# Generated by iptables-save v1.3.5 on Sat Jul 19 07:29:26 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:HOME-RULES - [0:0]
-A INPUT -j HOME-RULES
COMMIT
# Completed on Sat Jul 19 07:29:26 2008

2. In this tutorial, I am going to show you how to populate the HOME-RULES chain by directly editing /etc/sysconfig/iptables. (Note: I assume you understand how to use vim to edit files).
[root@greg ~]# vim /etc/sysconfig/iptables
Insert the following lines below the -A INPUT line.
-A HOME-RULES -i lo -j ACCEPT --> accepts all traffic on the loopback interface (lo)
-A HOME-RULES -p icmp -j ACCEPT --> accepts ping from other hosts
-A HOME-RULES -m state --state ESTABLISHED,RELATED -j ACCEPT --> accepts replies to connections the server itself started (stateful filtering)
-A HOME-RULES -p tcp --dport 22 -j ACCEPT --> accepts packets destined for TCP port 22 (ssh), i.e. lets other hosts ssh to the server
-A HOME-RULES -m state --state NEW -p udp --dport 514 -j ACCEPT --> accepts packets in the NEW state destined for UDP port 514 (syslog)
-A HOME-RULES -j LOG --> logs every packet not matched by one of the rules above
-A HOME-RULES -j REJECT --> rejects every packet not matched by one of the rules above (LOG does not stop rule processing, so the same packet is logged and then rejected)

3. Save the new configuration.
4. Load the new rules.
[root@greg ~]# service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

5. You're all set.
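As an added example (not from the original post), the following sh function sanity-checks a saved ruleset such as /etc/sysconfig/iptables before you run service iptables restart. It flags a -j target whose chain was never declared with a ":NAME - [0:0]" line, which is exactly what makes the restart fail, and a REJECT that is not preceded by a LOG in the same chain. It assumes awk and takes the file path as its only argument.

```shell
# Added example, not from the original post: sanity-check an
# iptables-save file (such as /etc/sysconfig/iptables) before running
# `service iptables restart`. Reports -j targets pointing at a chain that
# was never declared with a ':NAME - [0:0]' line, and REJECT rules with no
# LOG rule before them in the same chain. Assumes awk; argument = file path.
check_ruleset() {
    awk '
    BEGIN {
        # built-in chains and targets need no ":" declaration line
        n = split("ACCEPT DROP REJECT LOG RETURN INPUT OUTPUT FORWARD", b, " ")
        for (i = 1; i <= n; i++) known[b[i]] = 1
        rc = 0
    }
    /^:/ { sub(/^:/, ""); known[$1] = 1; next }
    /^-A / {
        chain = $2; target = ""
        for (i = 3; i < NF; i++) if ($i == "-j") target = $(i + 1)
        if (target != "" && !(target in known)) {
            printf "undeclared chain %s used in: %s\n", target, $0; rc = 1
        }
        if (target == "LOG") logged[chain] = 1
        if (target == "REJECT" && !(chain in logged)) {
            printf "chain %s: REJECT without a preceding LOG rule\n", chain; rc = 1
        }
    }
    END { exit rc }
    ' "$1"
}
```

A zero exit status means the file passed both checks; otherwise the offending lines are printed.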

Thursday, July 17, 2008

Installing a Simplistic DNS Server Using BIND

1. Install the required packages (please ignore the warning of a missing named.conf as this one is expected)
  • bind, bind-utils, bind-chroot, caching-nameserver
[root@greg ~]# yum -y install bind bind-utils bind-chroot caching-nameserver
... output omitted ...
2. Turn on iptables:
[root@greg ~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]

3. Enforce SELinux:
[root@greg ~]# vim /etc/selinux/config
Make sure the following line appears in your configuration:
SELINUX=enforcing
4. Inspect what ports are usually used for domain name servers:
[root@greg ~]# grep domain /etc/services
domain 53/tcp # name-domain server
domain 53/udp
domaintime 9909/tcp # domaintime
domaintime 9909/udp # domaintime

5. Check whether named is linked against libwrap (TCP wrappers). The expected result is no output:
[root@greg ~]# ldd $(which named) | grep libwrap
6. Review the configuration in /etc/named.caching-nameserver.conf to see the default access-control options. Pay attention to the listen-on and allow-query directives. If you forget what a directive such as "allow" does, look it up in man 5 named.conf.
7. Prepare a minimal configuration that meets the access requirements. First run the following commands (each in its own terminal) to follow the system messages when you restart the service after changing its configuration:
[root@greg ~]# tail -f /var/log/messages
... output omitted ...
[root@greg ~]# tail -f /var/log/audit/audit.log
... output omitted ...
8. Determine which directory is used as the chroot:
[root@greg ~]# cat /etc/sysconfig/named
Look for the following line; it gives the location of the chroot directory:
ROOTDIR=/var/named/chroot
9. Use the named.caching-nameserver.conf as a starting configuration:
[root@greg ~]# cd /var/named/chroot/etc/
[root@greg etc]# ls
localtime named.caching-nameserver.conf named.rfc1912.zones rndc.key

[root@greg etc]# cp named.caching-nameserver.conf named.conf
10. Test the current configuration and check /var/log/messages for configuration errors:
[root@greg etc]# service named configtest
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42

The above output means our initial config is OK.
11. Start the named service and make it start automatically at boot:
[root@greg etc]# service named start ; chkconfig named on
Starting named: [FAILED]

If you get the above output as I did, use tail -f /var/log/messages to see the error message. Here is what I got on my screen:
Jul 18 06:50:20 greg named[3874]: loading configuration from '/etc/named.conf'
Jul 18 06:50:20 greg named[3874]: none:0: open: /etc/named.conf: permission denied
Jul 18 06:50:20 greg named[3874]: loading configuration: permission denied
Jul 18 06:50:20 greg named[3874]: exiting (due to fatal error)

12. This means the named service does not have permission to read the configuration file:
[root@greg etc]# ls -l /var/named/chroot/etc/named.conf
-rw-r----- 1 root root 1100 Jul 18 06:46 /var/named/chroot/etc/named.conf

13. Run this command to give the named group read access:
[root@greg etc]# chgrp named /var/named/chroot/etc/named.conf
[root@greg etc]# ls -l /var/named/chroot/etc/named.conf
-rw-r----- 1 root named 1100 Jul 18 06:46 /var/named/chroot/etc/named.conf

14. There you go, the nameserver is running.
[root@greg etc]# service named start ; chkconfig named on
Starting named: [ OK ]

Check the log as well; there should be no error.
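As an added example (not from the original post), here is a pre-flight check that reproduces by hand what the "permission denied" failure in steps 11 to 13 taught: read ROOTDIR from the sysconfig file, locate named.conf inside the chroot, and confirm that the named group can read it. The sysconfig path and the group name are passed as arguments, an assumption made so the function can run on constructed files without a real named user.

```shell
# Added example, not from the original post. Re-creates by hand the check
# behind the "permission denied" failure above: read ROOTDIR from the
# sysconfig file, find named.conf inside the chroot and confirm the named
# group (or everybody) can read it. The sysconfig path and group name are
# arguments, an assumption made so the function can run on constructed files.
named_conf_preflight() {
    sysconfig="$1"      # normally /etc/sysconfig/named
    group="$2"          # normally named
    rootdir=$(sed -n 's/^ROOTDIR=//p' "$sysconfig" | tr -d '"')
    conf="$rootdir/etc/named.conf"   # empty ROOTDIR means no chroot: /etc/named.conf
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }
    set -- $(ls -ld "$conf")         # $1 = mode string, $4 = group owner
    mode=$1; owner_group=$4
    case "$mode" in
        ???????r*) echo "ok: $conf is world-readable"; return 0 ;;
    esac
    if [ "$owner_group" = "$group" ]; then
        case "$mode" in
            ????r*) echo "ok: $conf is readable by group $group"; return 0 ;;
        esac
    fi
    echo "$conf is $mode $owner_group: run  chgrp $group $conf && chmod g+r $conf"
    return 1
}
```

On the server from this post the call would be named_conf_preflight /etc/sysconfig/named named, run before service named start.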
15. Use dig or nslookup to query a site such as www.google.com, but remember to edit /etc/resolv.conf first so that name resolution points to localhost.
[root@greg etc]# nslookup www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 209.85.175.99
Name: www.l.google.com
Address: 209.85.175.104
Name: www.l.google.com
Address: 209.85.175.147

Friday, July 11, 2008

How to Configure Kernel Persistently

To adjust the behaviour of the Linux kernel at run time, the kernel exposes tunable parameters. Here are some examples:

1. To list all of the parameters and their current values, use the sysctl command (the same command also sets them):
# sysctl -a

2. To set a parameter, for example the one that controls IP packet forwarding (the default is net.ipv4.ip_forward = 0):
# sysctl -w net.ipv4.ip_forward=1
or
# echo 1 > /proc/sys/net/ipv4/ip_forward

3. A value set this way is lost at the next reboot. To make it permanent, put the setting in /etc/sysctl.conf. After editing the file, load it into the running kernel with the following command:
# sysctl -p
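As an added example (not from the original post), here is an sh function that makes a setting persistent the way step 3 describes, but without hand-editing: it replaces the line if the key is already in the file and appends it otherwise, so running it twice never leaves duplicate entries, and it applies the value immediately with sysctl -w when it is editing the real /etc/sysctl.conf as root. The file-path argument is an assumption so the function can be exercised on a scratch copy.

```shell
# Added example, not from the original post: set a kernel parameter in
# /etc/sysctl.conf idempotently (replace the line if the key is already
# there, append it otherwise) and, when editing the real file as root,
# apply it immediately with sysctl -w. The conf path argument is an
# assumption added so the function can be exercised on a scratch file.
set_sysctl_persistent() {
    key="$1"; value="$2"; conf="${3:-/etc/sysctl.conf}"
    # escape the dots in the key so grep/sed treat them literally
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -q "^[[:space:]]*$pat[[:space:]]*=" "$conf"; then
        sed -i.bak "s|^[[:space:]]*$pat[[:space:]]*=.*|$key = $value|" "$conf"
    else
        printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
    # only touch the running kernel when we edited the real file as root
    if [ "$conf" = /etc/sysctl.conf ] && [ "$(id -u)" -eq 0 ]; then
        sysctl -w "$key=$value"
    fi
}

# read back the persistent value of a key (last match wins, as sysctl -p applies them in order)
get_sysctl_persistent() {
    pat=$(printf '%s' "$1" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}
```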

Monday, July 7, 2008

Some Caveats Regarding BIOS and Boot Loader

1. The default boot loader is GRUB, and its first stage is installed in the MBR of the default drive. Normally the BIOS starts the boot loader automatically, with a message similar to:

Booting Red Hat Enterprise Linux Server (2.6.18-8.el5) in 5 seconds...

2. On an older PC, the BIOS cannot find your boot loader unless it is located within the first 1024 cylinders of the hard disk; that is why /boot is normally installed on a primary partition.

3. The workaround for this problem is logical block addressing, also known as LBA mode. LBA mode reads "logical" values for the cylinder, head, and sector, which allows the BIOS to "see" a larger disk drive.

For multiple hard drives, here is the caveat:
a. For IDE (PATA) hard drives, the /boot directory must be on a hard drive attached to the primary IDE controller.
b. For all SCSI hard drives, the /boot directory must be located on a hard drive with SCSI ID 0 or ID 1.
c. For a mix of hard drives, the /boot directory must be located on either the first IDE drive or a SCSI drive with ID 0.


The Fundamentals of the Boot Process


Many people skip learning about this process, and I was one of them. When I first started learning Linux, I did not realize how important the boot process is, especially for troubleshooting a Linux server when GRUB is corrupt or a password has been forgotten. Normally the shortcut is to erase or format the whole hard disk and reinstall from scratch.

Steps of Boot Process:

1. If your CentOS or RHEL is properly installed, the BIOS points to the GRUB boot loader. Most of the time, the GRUB boot loader is located in the master boot record (MBR).
2. GRUB then points to and initializes the Linux kernel.
3. The kernel starts init as the first Linux process.
4. The init process then initializes the system and moves into the appropriate runlevel.
5. When Linux boots into a specific runlevel, it starts a series of services.
6. The good news is that we can customize this process.



Installing and Configuring Chrooted VSFTPD in CentOS 5.0 or RHEL 5.0

Setting up vsftpd is not hard, but it is not easy either if you want to make it secure. Here are some of my notes:

1. Install vsftpd
# yum install vsftpd
2. Start the service
# /etc/init.d/vsftpd start or # service vsftpd start
3. Edit the vsftpd.conf
# vim /etc/vsftpd/vsftpd.conf
4. Uncomment the following directives:
chroot_local_user=YES - chroots local users into their home directories
passwd_chroot_enable=YES - prompts the local user for the password
chroot_list_enable=YES - enables the exception list named by the next directive
chroot_list_file=/etc/vsftpd/chroot_list - users in this list will NOT be chrooted, so be careful
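As an added example (not from the original post), the sh functions below read a vsftpd.conf and its chroot_list and answer, for one local user, whether that user ends up chrooted. They honour the inversion the note above warns about: with chroot_local_user=YES the list names the users who are NOT chrooted, with chroot_local_user=NO it names the only ones who are. The config path is an argument, an assumption made so the functions can run on constructed files instead of /etc/vsftpd/vsftpd.conf.

```shell
# Added example, not from the original post: decide from vsftpd.conf and
# chroot_list whether a given local user is chrooted. Paths are arguments
# (an assumption) so the functions can run on constructed files.
vsftpd_directive() {  # print the last uncommented value of a directive
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

vsftpd_user_chrooted() {  # usage: vsftpd_user_chrooted USER CONF  -> prints yes or no
    user="$1"; conf="$2"
    chroot_all=$(vsftpd_directive chroot_local_user "$conf")
    list_on=$(vsftpd_directive chroot_list_enable "$conf")
    list=$(vsftpd_directive chroot_list_file "$conf")
    in_list=no
    if [ "$list_on" = YES ] && [ -n "$list" ] && [ -f "$list" ] \
       && grep -qx "$user" "$list"; then
        in_list=yes
    fi
    # chroot_local_user=YES: everyone is chrooted except the users in the list
    # chroot_local_user=NO : nobody is chrooted except the users in the list
    if [ "$chroot_all" = YES ]; then
        [ "$in_list" = yes ] && echo no || echo yes
    else
        [ "$in_list" = yes ] && echo yes || echo no
    fi
}
```

Run it for every account in /etc/passwd with a real shell to see at a glance who can leave their home directory over FTP.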

Creating Local Repo for RHEL 5.0 or CentOS 5.0

Dependencies are very troublesome when we use rpm to install packages; sometimes it becomes a never-ending loop until we give up. Packages like dovecot, httpd and so forth are best installed with yum, but setting up the local repo itself is quite a tricky job.
In this post I try to explain it as briefly as I can:

1. Copy the whole content of the DVD or CDs you have to the folder /var/ftp/pub. In this case we are going to serve the repo over FTP.
Run these commands to copy:
# mount /dev/cdrom /media/CentOS
# cp -af /media/CentOS/* /var/ftp/pub


2. After you have copied all of those files (answer yes when asked about replacing some files), install the createrepo RPM:
# rpm -ivh /var/ftp/pub/createrepo*.rpm

3. After installing createrepo, run this command:
# createrepo -v /var/ftp/pub

4. To enable group commands such as yum -y groupinstall "MySQL Database" (see my previous post), you have to run the following:
# cp /var/ftp/pub/Server/repodata/comps*.xml /tmp
# createrepo -g /tmp/comps*.xml /var/ftp/pub


5. Done. Remember to reboot the server.

6. On your client machine, create a repo file (for example: server1.repo).

7. Here is the content of server1.repo:

# Main server
[base]
# The name could be anything
name=Server1 Server Repository
# baseurl points at the IP address of our ftp server
baseurl=ftp://192.168.0.91/pub/Server
enabled=1
# Set gpgcheck to 0 if you haven't imported, or don't want to import, the GPG key
gpgcheck=0

8. Copy the file server1.repo into /etc/yum.repos.d/ on your client machine.
If you did it right, the following is the output after you run: yum grouplist

Loading "security" plugin
Loading "rhnplugin" plugin
Setting up Group Process
Installed Groups:
Office/Productivity
MySQL Database
Editors
System Tools
Text-based Internet
Legacy Network Server
DNS Name Server
GNOME Desktop Environment
FTP Server
Network Servers
Windows File Server
X Window System
Web Server

... output omitted ...

Using FTP in the Safe Way

a. Use ssh to do port forwarding.
b. The following command means:
c. You are connecting to computer benjamin with ssh as user username, and local port 1234 is forwarded to port 21 (ftp) on computer abigail. The -g flag lets other hosts connect to port 1234 as well; omit it to keep the forwarded port bound to localhost only.

benjamin$ ssh -l username -g -L1234:abigail:21 benjamin

d. You'll be asked for the password of username.
e. Then open another terminal and start an ftp session to abigail with the following command:

benjamin$ ftp benjamin 1234

Note:
It looks as if you are opening an ftp session to your own computer (benjamin); what actually happens is that you open a session to port 1234 on benjamin (your computer), and its ssh program forwards the connection on to abigail. This time, however, the connection through the ssh tunnel is encrypted.