Systemd includes a feature to restrict which IP addresses can communicate with a service. As an example, let's use this to restrict SSH to the 192.168.1.0/24 subnet…
Connecting Network Namespaces with veth
This post will look at how to define network namespaces and connect to and between them using veth pairs…
Process Privilege Escalation with SUID
Did you know that on a Linux system, running the ping command requires root privileges? Normal users are able to run the command through a special permission known as setuid…
Network Isolation of Services with Systemd
This tutorial will look at how network namespaces can be defined in systemd service unit definitions. The example will look at running the Nginx service inside a separate network namespace that has its own physical interface. Like most of my tutorials, this will be done on a Fedora system.…
Firewalld Tutorial
Comprehensive and example rich reference on Firewalld, the default firewall for RHEL/CentOS/Fedora…
Protect your infrastructure with SSH Jump Hosts
This post shows you how to use SSH jump hosts to access internal SSH servers. It also shows how to create limited accounts that can only be used for jump host access…
Self Hosted DNS using NSD
In this tutorial, I'll be setting up a pair of authoritative DNS servers using the NSD DNS server daemon.…
Script to detect firewall misconfiguration
This script will detect if SSH has inadvertently been exposed to the outside world.…
OpenWRT/LEDE Bridging Firewall
It would be neat if my wireless access point could bridge directly to my cable modem so that clients would have proper public IP addresses. Being directly connected to the internet significantly increases vulnerability so the aim is to address this with a bridge firewall.…
Reactive malware blocking with ipset
This tutorial will demonstrate how to create reactive firewall rules. If a device attempts to communicate with known malware command-and-control servers, the potentially compromised device will be added to a blacklist, and its internet access will be immediately disabled.…
Building an SMS gateway from a Huawei USB Modem
In this tutorial, we will use a cheap USB modem to send SMS messages over the internet. It can be accessed via a web GUI or the command line…
Per-User VPN Routing
This tutorial will show how to route all the traffic belonging to a particular user account through an OpenVPN tunnel…
Setting up Ghost 2.0 with Cloudflare
This tutorial will show you how to set up a blog using Cloudflare and Ghost. Cloudflare will improve performance and security by acting as a caching reverse-proxy.…
Sed Substitution Cheatsheet
This is a comprehensive list of examples for the sed (stream editor) command. This command is used to find, replace, refactor, and modify text.…
Improved IPtables Tutorial
This tutorial is a beginner-friendly introduction to the iptables firewall and includes a number of practical examples.…
Using CloudFlare 1.1.1.1 with TLS
Released in April 2018 by Cloudflare, 1.1.1.1 is a very attractive choice for resolving your DNS queries. It claims to be the fastest, although that depends on your location. It gets top marks for privacy by holding logs for a maximum of 24 hours, and it offers an encrypted link with TLS. Here is how to use the encrypted TLS version of their service (on a Linux box).
Install Unbound: sudo apt-get install unbound
Configure Unbound: cp /etc/unbound/unbound.conf /etc/unbound/unbound.conf.original
cat > /etc/unbound.conf server: verbosity: 1 do-tcp: yes do-udp:…
Routable Loopback Addresses
Today we will learn about loopback addresses that can be reached from the outside via routing. This is useful for running services on a router.
In a previous post, I talked about the loopback interface and how we can locally bind services to any address in the range 127.0.0.1-127.255.255.254. This is useful if 127.0.0.1 is already in use on a particular port. The main advantages of loopback addresses are:
Adding additional addresses without the need to add extra interfaces
Better availability of services, as long as you have a route to…
Block all traffic from your neighbours using iptables
This tutorial creates rules to limit traffic (both ingress and egress) to the gateway only. This prevents traffic from other patrons reaching you when using public wifi…
Using Ferm to sweeten IPTables
Ferm is a 'frontend' for iptables written in Perl. The best way to describe it is as a firewall compiler (although it can do more than that, as we'll see later). Ferm provides a syntax that is simple, rich, and flexible for writing rules; Ferm then generates a list of iptables rules.…
Writing a port scanner in Bash shell
A primitive port scanner can be constructed using solely the bash shell via its /dev/tcp virtual file. The script will scan common ports, and if an open port is found, it will display a base64 encoded output of the server's response.…
Rate-limiting logging on the Ubiquiti EdgeRouter Lite
The Ubiquiti EdgeRouter Lite has an iptables based firewall. For each firewall rule (and named set of rules) there is an option to enable LOG. Unsolicited traffic to TCP ports, especially ssh and telnet, is very common, and so our log gets quite large rather quickly. On a device with limited storage like the EdgeRouter, a barrage of blocked traffic may rapidly fill memory and crash the device.
How to do it: We use iptables-save to get the current iptables rules. We then use sed to find/replace. We replace -j LOG with -m limit --limit 3/min -j…
Securing services with stunnel
Stunnel is a tool that allows you to seamlessly add TLS to most existing services. Stunnel listens on a port, and can either receive encrypted traffic and pass it to an unencrypted destination, or it can receive unencrypted traffic and forward it to an encrypted destination. TLS is commonly used to protect clients from connecting to untrusted servers by verifying the certificate provided by the server. Conversely, servers can prevent unwanted clients from connecting by demanding they provide a valid cert. This means that stunnel can add a strong layer of access control.
Table of contents: Providing HTTPS to…
There's more to localhost than 127.0.0.1
The loopback interface is most familiarly encountered as 127.0.0.1 and is referred to as the local loopback address. This address is present on every IPv4 host and is given the hostname localhost. Did you know there are ~16 million other addresses that applications can also listen on? This means that you can have multiple local services on the same port, as long as they are listening on a different address. The local loopback address is not a single address; it's the range 127.0.0.1 - 127.255.255.254.…
Script to send an SMS when IP changes
So this is one application of the SMS gateway. My home internet gets its address via DHCP; however, unless something goes wrong, the addresses are usually reasonably persistent (generally at least 10 days). I was motivated to set this up because when my ISP was having connectivity issues, it was very frustrating having to sit around and keep trying ping until it came back online. Now I can just wait for a notification :) I have this script running on my Ubiquiti EdgeRouter, but it would work the same if you had it on a workstation. This goes in /etc/cron.…
Using the ss command to view active and established connections
The ss command stands for socket statistics. It is used for listing listening and established connections and to find out which processes and users are associated with them.
Finding all outbound connections to a particular port:
ss -t -o 'dport = :ssh' --resolve | awk '{print $4,$5,$6}'
desktop:42444 websrv1:ssh timer:(keepalive,61min,0)
desktop:58600 websrv1:ssh timer:(keepalive,36min,0)
desktop:56194 virt1:ssh timer:(keepalive,117min,0)
Finding all inbound connections to a particular listening port. Remembering that the local side is always on the left, we can see that .6…