This tutorial will demonstrate how to create reactive firewall rules. If a device attempts to communicate with known malware command-and-control servers, the potentially compromised device will be added to a blacklist, and its internet access will be immediately disabled.…
Building a SMS gateway from a Huawei USB Modem
In this tutorial, we will use a cheap USB modem to send SMS messages over the internet. It can be accessed via a web GUI or the command line…
Per-User VPN Routing
This tutorial will show how to route all the traffic belonging to a particular user account through an OpenVPN tunnel…
Setting up Ghost 2.0 with Cloudflare
This tutorial will show you how to set up a blog using Cloudflare and Ghost. Cloudflare will improve performance and security by acting as a caching reverse proxy.…
Command line Pastebin using curl
In this post, I will demonstrate how to use the Ubuntu Pastebin utility with cURL to make pastes from the command line.…
Sed Substitution Cheatsheet
This is a comprehensive list of examples for the sed (stream editor) command. This command is used to find, replace, refactor, and modify text.…
Improved IPtables Tutorial
This tutorial is a beginner-friendly introduction to the iptables firewall and includes a number of practical examples.…
Using CloudFlare 1.1.1.1 with TLS
Released in April 2018 by Cloudflare, 1.1.1.1 is a very attractive choice for resolving your DNS queries. It claims to be the fastest, although that depends on your location. It gets top marks for privacy by holding logs for a maximum of 24 hours, and it offers an encrypted link with TLS. Here is how to use the encrypted TLS version of their service (on a Linux box).

Install Unbound

sudo apt-get install unbound

Configure Unbound

cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.original
cat > /etc/unbound.conf
server:
    verbosity: 1
    do-tcp: yes
    do-udp:…
Setting up Tor and Hosting a Hidden Service
This tutorial will show you how to set up Tor as a daemon and host hidden services. Hidden services are only available on the Tor darknet and allow you to host services without revealing your IP. Tor hidden services can be accessed via a special .onion domain. Although it hides your IP address, Tor isn't completely untraceable. If using Tor for illegal activity, you CAN and WILL get tracked down and held accountable.

Table of contents
Introduction to Tor
Setting up and testing Tor
Setting up a Hidden Service
Redirect user traffic through Tor
Conclusion

Introduction to Tor
Tor is…
Customizing DigitalOcean Floating IPs
DigitalOcean allows, for free, the option to add an additional IP address to your virtual machine ("droplet"). These floating IPs are similar to Amazon AWS Elastic IPs and are tied to your account and location, rather than any specific instance. This means that when an instance is destroyed, you can still preserve the floating address and migrate it to your new instance, provided it's in the same datacenter location. Floating IPs also have load balancing features: if a site/instance goes down, traffic can automatically be redirected to a backup instance. It is for these reasons it is…
Migrating Nginx to a Docker Container
This is a write-up of how I migrated my Nginx web server from running as a standard service to running inside a Docker container. We will also see how to customize logging and network options, including configuring Docker for IPv6.

Preparing nginx.conf

For me, I find it easier having a single nginx.conf file, appending the single flat file with vhosts generated from a template. For example, for additional vhosts, you could use this template. The main thing you'll need to do is comment out any access_log or error_log entries created on a per-vhost basis. For now, I'm just…
Running your own DNS with Unbound (and block ads)
Today we will learn how to create your own recursive DNS server using Unbound. This will improve performance through caching. We will also look at ad-blocking.…
Routeable Loopback Addresses
Today we will learn about loopback addresses that can be reached from the outside via routing. This is useful for running services on a router.

In a previous post, I talked about the loopback interface and how we can locally bind services to any address in the range 127.0.0.1-127.255.255.254. This is useful if 127.0.0.1 is already in use on a particular port. The main advantages of loopback addresses are:
Adding additional addresses without the need to add extra interfaces
Better availability of services, as long as you have a route to…
Block all traffic from your neighbours using iptables
This tutorial creates rules to limit traffic (both ingress and egress) to the gateway only. This prevents traffic from other patrons reaching you when using public Wi-Fi…
Using Ferm to sweeten IPTables
Ferm is a 'frontend' for iptables written in Perl. The best way to describe it is as a firewall compiler (although it can do more than that, as we'll see later). Ferm provides a syntax that is simple, rich, and flexible for writing rules; ferm then generates a list of iptables rules.…
Comprehensive OpenVPN Tutorial
In this tutorial, we will look at managing an OpenVPN server and certificate authority and will provide a detailed breakdown of the configuration options.

Table of contents
Setting up a CA
Build the CA environment
Generate the CA certificate
Generate the CRL certificate
Server Preparation
Build the server environment
Generate DH parameters
Generate the certificate signing request
Remove the passphrase on the server key
Setting up the HMAC/TLS auth static key
Creating a template for clients
Iptables Firewall settings
Client preparation
Build the client environment
Generate the certificate request
Connecting clients
Signing requests on the CA
Importing a request
Signing a…
Secure SSL configuration for Nginx
Here is a handy snippet for configuring hardened SSL/TLS on Nginx. It receives an A+ rating when tested at Qualys. A later post will discuss the configuration options in detail, what they do, and how SSL works. Just a word of warning: this configuration enables HSTS by default. If enabled, it tells the browser that the site (and its subdomains) must only operate in HTTPS mode.

Nginx configuration

server {
    ###------IPv4 Listen Address
    listen <ipv4address>:443 http2 ssl;
    ###------IPv6 Listen Address
    # listen <ipv6address>:443 http2 ssl ipv6only=on;
    ###------Host name
    server_name <fqdn>;
    ###------Enable…
Writing a port scanner in Bash shell
A primitive port scanner can be constructed using solely the bash shell via its /dev/tcp virtual file. The script will scan common ports, and if an open port is found, it will display a base64-encoded output of the server's response.…
Rate-limiting logging on the Ubiquiti EdgeRouter Lite
The Ubiquiti EdgeRouter Lite has an iptables-based firewall. For each firewall rule (and named set of rules) there is an option to enable LOG. Unsolicited traffic to TCP ports, especially SSH and Telnet, is very common, and so our log gets quite large rather quickly. On a device with limited storage like the EdgeRouter, a barrage of blocked traffic may rapidly fill memory and crash the device.

How to do it: We use iptables-save to get the current iptables rules. We then use sed to find/replace. We replace -j LOG with -m limit --limit 3/min -j…
Securing services with stunnel
Stunnel is a tool that allows you to seamlessly add TLS to most existing services. Stunnel listens on a port, and can either receive encrypted traffic and pass it to an unencrypted destination, or it can receive unencrypted traffic and forward that to an encrypted destination. TLS is commonly used to protect clients from connecting to untrusted servers by verifying the certificate provided by the server. Conversely, servers can prevent unwanted clients from connecting by demanding they provide a valid cert. This means that stunnel can add a strong layer of access control.

Table of contents
Providing HTTPS to…
There's more to localhost than 127.0.0.1
The loopback interface is most familiarly encountered as 127.0.0.1 and is referred to as the local loopback address. This address is present on every IPv4 host and is given the hostname localhost. Did you know there are ~16 million other addresses that applications can also listen on? This means that you can have multiple local services on the same port, as long as they are listening on a different address. The local loopback address is not a single address, it's the range 127.0.0.1 - 127.255.255.254.…
Script to send a SMS when IP changes
So this is one application of the SMS gateway. My home internet gets its address via DHCP; however, unless something goes wrong, the addresses are usually reasonably persistent (generally at least 10 days). I was motivated to set this up because when my ISP was having connectivity issues, it was very frustrating having to sit around and keep trying ping until it came back online. Now I can just wait for a notification :) I have this script running on my Ubiquiti EdgeRouter but it would work the same if you had it on a workstation. This goes in /etc/cron.…
Using the ss command to view active and established connections
The ss command stands for socket statistics. It is used for listing listening and established connections and for finding out which processes and users are associated with them.

Finding all outbound connections to a particular port

ss -t -o 'dport = :ssh' --resolve | awk '{print $4,$5,$6}'
desktop:42444 websrv1:ssh timer:(keepalive,61min,0)
desktop:58600 websrv1:ssh timer:(keepalive,36min,0)
desktop:56194 virt1:ssh timer:(keepalive,117min,0)

Finding all inbound connections to a particular listening port. Remembering that the local side is always on the left, we can see that .6…
Pretty printing terminal output into JSON/CSV
There is a command called column which allows you to format the lines produced by a command into symmetrical rows/columns, which can then be easily converted into CSV or JSON. This will be quite handy for reading and populating files. In this case, I needed to populate /etc/ethers/ from the ARP table.

More info on column

Note: This is based on the column command in Fedora Linux; it may be different in other distros.

Creating a table

This bit is simple enough: we delete unneeded fields with awk, and then use the command column -t to turn it…
Docker Firewalling - Unpublishing a port
Intro

I have a Docker container that has a port unconditionally published (e.g. -p 2368:2368). I've changed my mind and decided I don't want this port exposed to the entire internet; only the Docker host should see it. How do I fix this without having to rebuild the container?

Table of contents
Intro
Port publishing: What is it, how does it work?
Looking at Docker iptables
Changing the rules
Using Docker Isolation (it's here where we lock down our container)

Intro

This question (and its lack of an immediately obvious answer) is one of the many annoying teething pains I've…