Using CloudFlare 1.1.1.1 with TLS

Released in April 2018 by Cloudflare, 1.1.1.1 is a very attractive choice for resolving your DNS queries. It claims to be the fastest although it depends on your location. It gets top marks for privacy by holding logs for a max of 24 hour and it offers an encrypted link with TLS. Here is how to use the encrypted TLS version of their service (on a Linux box) Install Unbound sudo apt-get install unbound Configure Unbound cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.original cat > /etc/unbound.conf server: verbosity: 1 do-tcp: yes do-udp:…

read more...

Setting up Tor and Hosting a Hidden Service

This tutorial will show you how to set up TOR as a daemon and host hidden services. Hidden services are only available on the TOR darknet and allow you to host services without revealing your IP. Tor hidden services can be accessed via a special .onion domain. Although it hides your IP address, Tor isn't completely untracable. If using Tor for illegal activity, you CAN and WILL get tracked down and held accountable. Table of contents Introduction to Tor Setting up and testing Tor Setting up a Hidden Service Redirect user traffic through Tor Conclusion Introduction to TOR Tor is…

read more...

Customizing Digitalocean Floating IPs

Digitalocean allows, for free, the option to add an additional IP address to your virtual machine ("droplet"). These floating IPs are similiar to Amazon AWS Elastic IPs and are tied to your account and location, rather than any specific instance This means that when an instance is destroyed, you can still preserve the floating address and migrate it to your new instance, providing it's in the same datacenter location. Floating IPs also have load balancing features, where if a site/instance goes down, it can automatically redirect to a backup instance. It is for these reasons it is…

read more...

Migrating Nginx to a Docker Container

This is a write-up of how I migrated my Nginx web server from running as a standard service to running inside a Docker container. We will also see how to customize logging and network options, including configuring docker for IPv6 Preparing nginx.conf For me, I find it easier having a single nginx.conf file, appending the single flat file with vhosts generated from a template. For example, for additional vhosts, you could use this template The main things you'll need to comment out any access_log or error_log entries, created on a per-vhost basis. For now, I'm just…

read more...

Routeable Loopback Addresses

Today we will learn about loopback addresses that can be reached from the outside via routing. This is useful for running services on a router In a previous post, I talked about the loopback interface and how we can locally bind services to any address in the range 127.0.0.1-127.255.255.254. This is useful if 127.0.0.1 is already in use on a particular port. The main advantages of loopback addresses are: Adding additional addresses without the need to add extra interfaces Better availability of services, as long as you have a route to…

read more...

Comprehensive OpenVPN Tutorial

In this tutorial, we will look at managing an openvpn server and certificate authority and will provide a detailed breakdown of the configuration options Table of contents Setting up a CA Build the CA environment Generate the CA certificate Generate the CRL certificate Server Preparation Build the server environment Generate DH parameters Generate the certificate signing request Remove the passphrase on the server key Setting up the HMAC/TLS auth static key Creating a template for clientsIptables Firewall settings Client preparation Build the client environment Generate the certificate request Connecting clients Signing requests on the CA Importing a requestSigning a…

read more...

Secure SSL configuration for Nginx

Here is a handy snippet for configuring a hardened SSL/TLS on Nginx. It receives a A+ rating when tested at Qualys. A later post will discuss the configuration options in detail, what they do, and how SSL works. Just a word of warning, this configuration enables HSTS by default. If enabled, it tells the browser that it (and its subdomains) must only operate in HTTPS mode. Nginx configuration server { ###------IPv4 Listen Address listen <ipv4address>:443 http2 ssl; ###------IPv6 Listen Address # listen <ipv6address>:443 http2 ssl ipv6only=on; ###------Host name server_name <fqdn>; ###------Enable…

read more...

Rate-limiting logging on the Ubiquiti EdgeRouter Lite

The Ubiquti Edgerouter Lite has an iptables based firewall. For each firewall rule (and named set of ules) there is a is an option to enable LOG. Unsolicited traffic to tcp ports, especially ssh, telnet is very common and so our log gets quite large, rather quickly. On a device with limited storage like the EdgeRouter, a barrage of blocked traffic may rapidly fill memory and crash the device. How to do it: We use iptables-save to get the current iptables rules. We then use sed to find/replace. We replace -j LOG with -m limit --limit 3/min -j…

read more...

Securing services with stunnel

Stunnel is a tool that allows you to seamlessly add TLS to most existing services. Stunnel listens on a port, and can either receive encrypted traffic and pass it to an unencrypted destination, or it can receive unencrypted traffic and forward that to an encrypted destination. TLS is commonly used to protect clients from connecting to untrusted servers by verifying the certificate provided by the server. Conversely, servers can prevent unwanted clients from connecting by demanding they provide a valid cert. This means that a stunnel can add a strong layer of access control Table of contents Providing HTTPS to…

read more...

There's more to localhost than 127.0.0.1

The loopback interface is most familiarly encountered as 127.0.0.1 and is referred to as the local loopback address. This address is present on every IPv4 host and is given the hostname localhost. What people either don't know or seem to forget is that on the lo interface, there's ~16 million other addresses that applications can also listen on. This means that you can have multiple local services on the same port; as long as they are listening on a dfiferent address. The local loopback address is not a single address, it's the range 127.0.0.1…

read more...

Script to send a SMS when IP changes

So this is one application of the SMS gateway. My home internet gets its address via DHCP, however, unless something goes wrong, the addresses are usually reasonably persistent (generally at least 10 days). I was motivated to set this up because when my ISP was having connectivity issues, it was very frustrating having to sit around and keep trying ping until it came back online. Now I can just wait for a notification :) I have this script running on my Ubiquti EdgeRouter but it would work the same if you had it on a workstation. This goes in /etc/cron.…

read more...

Using the ss command to view active and established connections

The command known as ss which stands for socket statistics. It is used for listing listening and established connections and to find out which processes and users are associated with them. Finding all outbound connections to a particular port ss -t -o 'dport = :ssh' --resolve | awk '{print $4,$5,%6}' desktop:42444 websrv1:ssh timer:(keepalive,61min,0) desktop:58600 websrv1:ssh timer:(keepalive,36min,0) desktop:56194 virt1:ssh timer:(keepalive,117min,0) Finding all inbound connections to a particular listening port. Remembering that the local side is always on the left, we can see that .6…

read more...

Pretty printing terminal output into JSON/CSV

There is a command called column which allows you to format the lines produced by a command into symmetrical rows/columns, which can then be easily converted into CSV or JSON. This will be quite handy for reading and populating files. In this case, I needed to populate /etc/ethers/ from the arp table More info on column Note: This is based on the column command in fedora linux, it may be different in other distros Creating a table This bit is simple enough, we delete unneeded fields with awk, and then use the command column -t to turn it…

read more...

Docker Firewalling - Unpublishing a port

Intro I have a Docker container that has a port unconditionally published (e.g. -p 2368:2368). I've changed my mind and decided I don't want this port exposed to the entire internet; only the docker host should see it. How do I fix this without having to rebuild the container? Table of contents Intro Port publishing: What is it, how does it work? Looking at Docker iptables Changing the rules Using Docker Isolation (it's here where we lockdown our container) Intro This question (and its lack of immediately obvious answer) is one of the many annoying teething pains I've…

read more...

Replacing Google Authenticator with oathtool and gpg

I've thought it would be cool to have Two Factor Authentication operating on the command line, perhaps in some isolated container, rather than having it in a phone which can easily be lost or broken. We will also combine it with gpg encryption, so that we have an additional layer of security. How TFA works It's important to understand that TFA is a general term for all systems that require multiple authentication factors. However, the vast majority of sites offering TFA for end users are based on the same technology, known as TOTP. TOTP stands for Time-based One-time-password. The site…

read more...