Using CloudFlare 1.1.1.1 with TLS

Released in April 2018 by Cloudflare, 1.1.1.1 is a very attractive choice for resolving your DNS queries. It claims to be the fastest, although that depends on your location. It gets top marks for privacy, keeping logs for a maximum of 24 hours, and it offers an encrypted link over TLS. Here is how to use the encrypted TLS version of their service (on a Linux box).

Install Unbound

sudo apt-get install unbound

Configure Unbound

cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.original
cat > /etc/unbound/unbound.conf
server:
    verbosity: 1
    do-tcp: yes
    do-udp:…

read more...
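An added example (not the post's own configuration) of a complete Unbound setup that forwards everything to 1.1.1.1 and 1.0.0.1 over TLS on port 853 and authenticates the upstream certificate. It assumes Unbound 1.7.3 or newer (which understands the `ip@port#authname` form of forward-addr), the Debian/Ubuntu CA bundle path, and that only local clients should be served:

```shell
#!/bin/sh
# Build an Unbound config that forwards every query to Cloudflare over TLS
# and verifies the certificate name. Assumes Unbound >= 1.7.3 and the
# Debian/Ubuntu CA bundle location (assumptions, not from the post).
unbound_dot_config() {
  cat <<'EOF'
server:
    verbosity: 1
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    do-tcp: yes
    do-udp: yes
    hide-identity: yes
    hide-version: yes
    # CA bundle used to verify the certificate that 1.1.1.1 presents
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # @853 = DNS-over-TLS port, #name = name that must appear in the certificate
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
EOF
}

# Back up the packaged config once, write ours, syntax-check it, then restart.
install_dot_config() {
  conf=/etc/unbound/unbound.conf
  [ -e "$conf.original" ] || cp "$conf" "$conf.original"
  unbound_dot_config > "$conf"
  unbound-checkconf "$conf" && service unbound restart
}
```

Run `install_dot_config` as root, point /etc/resolv.conf at 127.0.0.1, then confirm that the only upstream traffic is to port 853 (`ss -tn 'dport = :853'` while you resolve a name); a plain `dig @1.1.1.1` on port 53 is not encrypted. Without `tls-cert-bundle` and the `#cloudflare-dns.com` suffix the link is still encrypted but any server on that path could impersonate the resolver.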

Routeable Loopback Addresses

Today we will learn about loopback addresses that can be reached from the outside via routing. This is useful for running services on a router. In a previous post, I talked about the loopback interface and how we can locally bind services to any address in the range 127.0.0.1-127.255.255.254. This is useful if 127.0.0.1 is already in use on a particular port. The main advantages of loopback addresses are:

Adding additional addresses without the need to add extra interfaces
Better availability of services, as long as you have a route to…

read more...

Rate-limiting logging on the Ubiquiti EdgeRouter Lite

The Ubiquiti EdgeRouter Lite has an iptables based firewall. For each firewall rule (and each named set of rules) there is an option to enable LOG. Unsolicited traffic to TCP ports, especially ssh and telnet, is very common, so the log grows large rather quickly. On a device with limited storage like the EdgeRouter, a barrage of blocked traffic may rapidly fill memory and crash the device.

How to do it:

We use iptables-save to get the current iptables rules. We then use sed to find/replace: we replace -j LOG with -m limit --limit 3/min -j…

read more...
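The find/replace step as a re-runnable script, added here as an example rather than taken from the post. It inserts the rate limit only in front of LOG targets that do not already carry one, so running it twice does not stack limits; the sample rules are constructed for illustration, and `apply_ratelimit` (which pipes live iptables-save output through the same filter) is an assumption about how you would apply it:

```shell
#!/bin/sh
# Put a rate limit in front of every "-j LOG" target in iptables-save output.
# Lines that already contain "-m limit" are left untouched, so the script is
# idempotent. Defaults: 3 log entries per minute with a burst of 10.
ratelimit_log_rules() {
  rate=${1:-3/min}
  burst=${2:-10}
  sed -e "/-m limit/!s#-j LOG#-m limit --limit ${rate} --limit-burst ${burst} -j LOG#"
}

# Constructed sample of iptables-save output (not captured from a real router).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j LOG --log-prefix "[WAN_IN-default-D]"
-A INPUT -i eth0 -m limit --limit 1/sec -j LOG --log-prefix "[already-limited]"
-A INPUT -i eth0 -j DROP
COMMIT'

# Dry run against the live ruleset; pipe the result into "iptables-restore"
# once you are happy with it (assumed usage, run as root).
apply_ratelimit() {
  iptables-save | ratelimit_log_rules "$@"
}

printf '%s\n' "$SAMPLE_RULES" | ratelimit_log_rules
```

Two caveats. `--limit 3/min` counts matches per rule, not per source, so a single noisy host can still use up the budget and hide a second scanner; `-m limit` has no per-source mode (that needs `hashlimit`). And on EdgeOS the iptables rules are generated from the router's configuration, so a change made with iptables-restore can be overwritten by a later firewall commit or reboot; the excerpt above does not show how the author persisted it.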

Securing services with stunnel

Stunnel is a tool that allows you to seamlessly add TLS to most existing services. Stunnel listens on a port and can either receive encrypted traffic and pass it to an unencrypted destination, or receive unencrypted traffic and forward it to an encrypted destination. TLS is commonly used to protect clients from connecting to untrusted servers by verifying the certificate provided by the server. Conversely, servers can prevent unwanted clients from connecting by demanding that they provide a valid certificate. This means that stunnel can add a strong layer of access control.

Table of contents

Providing HTTPS to…

read more...
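An added example of the access-control idea in the excerpt above, not code from the post: a private CA, a server certificate and a client certificate, and the two stunnel configurations that use them (the server side refuses any client without a certificate signed by that CA; the client side checks the server's name). The hostnames websrv1 and desktop, the directory /etc/stunnel/ca and the ports are assumptions:

```shell
#!/bin/sh
# Private CA plus server/client certificates, and matching stunnel configs.
# Hostnames, paths and ports are assumptions, not taken from the post.
CA_DIR=${CA_DIR:-/etc/stunnel/ca}

make_ca_and_certs() {
  mkdir -p "$CA_DIR" && cd "$CA_DIR" || return 1
  # Root CA that both ends are told to trust (CAfile below)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=stunnel-ca" \
      -keyout ca.key -out ca.crt
  # Server certificate; its CN must match checkHost on the client side
  openssl req -newkey rsa:2048 -nodes -subj "/CN=websrv1" -keyout server.key -out server.csr
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 825 -out server.crt
  # Client certificate: without one chained to this CA the server drops the connection
  openssl req -newkey rsa:2048 -nodes -subj "/CN=desktop" -keyout client.key -out client.csr
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 825 -out client.crt
  chmod 600 ca.key server.key client.key
}

# Server side: terminate TLS on 443, hand plaintext to the web server on
# 127.0.0.1:8080, and require a client certificate signed by our CA.
stunnel_server_conf() {
  cat <<EOF
pid = /var/run/stunnel-https.pid
[https]
accept = 443
connect = 127.0.0.1:8080
cert = $CA_DIR/server.crt
key = $CA_DIR/server.key
CAfile = $CA_DIR/ca.crt
verifyChain = yes
EOF
}

# Client side: local plaintext port 8443 becomes a TLS connection to websrv1:443,
# presenting the client certificate and verifying the server's name.
stunnel_client_conf() {
  cat <<EOF
pid = /var/run/stunnel-https-client.pid
[https-client]
client = yes
accept = 127.0.0.1:8443
connect = websrv1:443
cert = $CA_DIR/client.crt
key = $CA_DIR/client.key
CAfile = $CA_DIR/ca.crt
verifyChain = yes
checkHost = websrv1
EOF
}
```

Write each config to a file and start it with `stunnel <file>`. To confirm the access control works, `openssl s_client -connect websrv1:443 -CAfile ca.crt` should fail the handshake, while adding `-cert client.crt -key client.key` should succeed. `verifyChain` and `checkHost` need stunnel 5.x; older releases used `verify = 2` for the same effect. Note that `verifyChain` accepts any certificate the CA ever signed, so revoking one client means publishing a CRL (`CRLfile`) or keeping a separate CA per service.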

There's more to localhost than 127.0.0.1

The loopback interface is most familiarly encountered as 127.0.0.1, which is referred to as the local loopback address. This address is present on every IPv4 host and is given the hostname localhost. Did you know there are ~16 million other addresses that applications can also listen on? This means that you can have multiple local services on the same port, as long as they are listening on a different address. The local loopback address is not a single address, it's the range 127.0.0.1 - 127.255.255.254.…

read more...

Script to send a SMS when IP changes

So this is one application of the SMS gateway. My home internet gets its address via DHCP; however, unless something goes wrong, the addresses are usually reasonably persistent (generally at least 10 days). I was motivated to set this up because when my ISP was having connectivity issues, it was very frustrating having to sit around and keep trying ping until it came back online. Now I can just wait for a notification :) I have this script running on my Ubiquiti EdgeRouter, but it would work the same if you had it on a workstation. This goes in /etc/cron.…

read more...
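A cron-driven version of that idea, added as an example and not the author's script: it reads the WAN address from the interface, compares it with the value saved on the previous run, and sends a message only when the two differ (an interface with no address is treated as "down", not as a change, so an outage does not produce a burst of messages). The interface name eth0, the state file, and the gateway's HTTP API (`SMS_GATEWAY_URL`, POST fields `to` and `text`) are assumptions:

```shell
#!/bin/sh
# Notify by SMS when the WAN address changes. Interface, state file and the
# gateway's API are assumptions, not taken from the post.
WAN_IF=${WAN_IF:-eth0}
STATE_FILE=${STATE_FILE:-/var/tmp/wan-ip.last}
SMS_GATEWAY_URL=${SMS_GATEWAY_URL:-http://smsgw.lan/send}   # assumed endpoint
SMS_TO=${SMS_TO:-+15555550100}                             # assumed number

# First global IPv4 address on the WAN interface, without the prefix length.
current_wan_ip() {
  ip -4 -o addr show dev "$WAN_IF" scope global |
    awk '{ sub("/.*", "", $4); print $4; exit }'
}

# Returns 0 and records the new value when $1 differs from the stored one.
# An empty $1 (interface down) returns 1 so an outage does not trigger a message.
# The previous value is left in OLD_IP for the caller.
ip_changed() {
  new=$1
  old=$(cat "$STATE_FILE" 2>/dev/null || echo none)
  [ -n "$new" ] || return 1
  [ "$new" != "$old" ] || return 1
  printf '%s\n' "$new" > "$STATE_FILE"
  OLD_IP=$old
  return 0
}

# Assumed gateway API: HTTP POST with "to" and "text" fields.
send_sms() {
  curl -fsS --data-urlencode "to=$SMS_TO" --data-urlencode "text=$1" "$SMS_GATEWAY_URL"
}

main() {
  ip=$(current_wan_ip)
  if ip_changed "$ip"; then
    send_sms "$(hostname): WAN address changed from $OLD_IP to $ip"
  fi
}

# Invoked from cron as "wan-ip-sms.sh run" (assumed); sourcing the file
# without the argument only defines the functions.
if [ "${1:-}" = run ]; then
  main
fi
```

Keep the state file somewhere that survives a reboot if you want the first run after a power cycle to report a change; on the EdgeRouter, /var/tmp is not necessarily persistent. The message body goes to the gateway as-is, so if the gateway is on a network you do not control, do not put anything in it beyond the address.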

Using the ss command to view active and established connections

The command ss stands for socket statistics. It lists listening and established connections and shows which processes and users are associated with them.

Finding all outbound connections to a particular port:

ss -t -o 'dport = :ssh' --resolve | awk '{print $4,$5,$6}'
desktop:42444 websrv1:ssh timer:(keepalive,61min,0)
desktop:58600 websrv1:ssh timer:(keepalive,36min,0)
desktop:56194 virt1:ssh timer:(keepalive,117min,0)

Finding all inbound connections to a particular listening port. Remembering that the local side is always on the left, we can see that .6…

read more...
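An added example for the inbound case, not code from the post: it reads `ss -tn` output (numeric, so the remote address is not hidden behind a resolved name) and counts established connections to a chosen local port per remote address, which is the quickest way to spot one peer holding many sessions on :22. The port is taken as the last colon-separated field so bracketed IPv6 addresses are handled, and the sample output is constructed for illustration; `inbound_by_peer` is the live wrapper:

```shell
#!/bin/sh
# Count established connections to local port $1 by remote address.
# Reads "ss -tn" output (with its header line) on stdin.
summarise_peers() {
  awk -v port="$1" '
    NR > 1 && $1 == "ESTAB" {
      # Port is the last ":"-separated field; works for [::1]:22 as well as 127.0.0.1:22
      n = split($4, local, ":")
      if (local[n] != port) next
      addr = $5
      sub(":[^:]*$", "", addr)      # strip the remote port, keep the address
      count[addr]++
    }
    END { for (a in count) print count[a], a }
  ' | sort -rn
}

# Live version: ss -tn keeps the State column, which the filter above relies on.
# (Adding a "state established" filter to ss drops that column, shifting the fields.)
inbound_by_peer() {
  ss -tn | summarise_peers "$1"
}

# Constructed sample of "ss -tn" output, not captured from a real host.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
ESTAB  0      0      192.0.2.6:22         198.51.100.7:51234
ESTAB  0      0      192.0.2.6:22         198.51.100.7:51240
ESTAB  0      0      192.0.2.6:22         203.0.113.9:40002
ESTAB  0      0      192.0.2.6:443        203.0.113.9:40010
ESTAB  0      0      [::ffff:192.0.2.6]:22 [::ffff:198.51.100.8]:4444
TIME-WAIT 0   0      192.0.2.6:22         198.51.100.7:51200'

printf '%s\n' "$SS_SAMPLE" | summarise_peers 22
```

Add `-p` to the live `ss` call (as root) if you also want the owning process, and note that the `ss` filter syntax seen in the post (`'dport = :ssh'`) applies to the remote side of the socket, so for inbound sessions you want `sport = :22` instead, or the local-port check done here in awk.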