Pretty printing terminal output into JSON/CSV

There is a command called column which allows you to format the lines produced by a command into symmetrical rows/columns, which can then be easily converted into CSV or JSON. This will be quite handy for reading and populating files. In this case, I needed to populate /etc/ethers/ from the arp table. More info on column. Note: This is based on the column command in Fedora Linux; it may be different in other distros. Creating a table: This bit is simple enough; we delete unneeded fields with awk, and then use the command column -t to turn it…


Docker Firewalling - Unpublishing a port

Intro: I have a Docker container that has a port unconditionally published (e.g. -p 2368:2368). I've changed my mind and decided I don't want this port exposed to the entire internet; only the Docker host should see it. How do I fix this without having to rebuild the container? Table of contents: Intro; Port publishing: what is it, how does it work?; Looking at Docker iptables; Changing the rules; Using Docker isolation (it's here where we lock down our container). Intro: This question (and its lack of an immediately obvious answer) is one of the many annoying teething pains I've…


Replacing Google Authenticator with oathtool and gpg

I thought it would be cool to have two-factor authentication operating on the command line, perhaps in some isolated container, rather than having it on a phone which can easily be lost or broken. We will also combine it with gpg encryption, so that we have an additional layer of security. How TFA works: It's important to understand that TFA is a general term for all systems that require multiple authentication factors. However, the vast majority of sites offering TFA for end users are based on the same technology, known as TOTP. TOTP stands for Time-based One-Time Password. The site…


Getting Started with Docker using Cockpit (Fedora 26)

Introduction: For ages, I've been wanting to get into Docker, especially now that it's the next big thing. In this tutorial, we will see how Docker works, its basic commands, what you can do with it, and also touch upon Docker security, such as isolation. So what is Docker? Docker is a platform used to deploy applications in a convenient way. It's kinda like virtual machines, but not quite. It has exploded in popularity because it makes system administration a lot more efficient. Installing stuff, especially web applications, is annoying: compiling stuff, dependencies breaking, extraneous files left everywhere, then…


My IPTables Configuration Script

I've talked quite a lot about iptables but haven't really shown how I actually put it into practice. Today I'll share a shell script I wrote to set up iptables on my Fedora 25 desktop. Download. Warning: Make sure you check it's appropriate for your needs and you understand its functionality before running it. The shell script sets up the following: multiple user-based chains for NFS, SSH, and HTTP; organized TCP/UDP chains; source restriction based on the use of ipsets. Structure and functions of the script: We begin by defining the function that configures our SSH hardening chain. The…


Using Dynamic Blocklists with IPtables + IPset

In this tutorial, we will learn how to make automatically updated block lists of known bad addresses using ipset and iptables. This provides a proactive security approach that uses external datasets of addresses known for malicious activity and prevents them from accessing your web server. A quick overview of ipset: In some of my earlier tutorials, we learned how we could use ipset to create dynamic filtering rules which are independent of iptables. For example, if we wanted to give our friend temporary access to SSH: `# create ipset` `sudo ipset create ssh_ip hash:ip` `# add friend's IP`…


IPtables: Constructing user chains

Now that we are familiar with how iptables is organized, we can start defining our own chains. This allows for greater control, flexibility, and in some cases better efficiency. The most profound efficiency gain is not in the processing by the system; it's in the maintenance, upkeep, and auditing by the sysadmin. We'll begin with a simple "LOG 'N DROP" that we will use in place of -j DROP so we can keep tabs on what the system is filtering. Creating a logging chain: Next we will create a chain called `LOGDROP`. This chain logs packets passing through…


Converting a Hostfile Adblock into Unbound DNS records

There are lots of places where you can download ad blacklists in the form of simple hosts files, but they require manual installation on every device. Instead we will make records for our DNS server so we can block ads network-wide. I used a blacklist from somewhocares. This GitHub page contains a range of different filters and their stats. If you wish to learn more about setting up Unbound, I have an example configuration file. Here is my script to do it. It also allows you to specify a different address than "0.0.0.0". This is…


Let's Encrypt on UniFi Controller (Signed SSL/TLS)

In this tutorial, we will learn how to replace the self-signed SSL certificate provided with the UniFi controller with a free trusted certificate from Let's Encrypt. The immediate advantage of this is that your browser will stop complaining that "Your connection is not secure" when you connect to the controller, and having a CA-signed certificate provides additional security against man-in-the-middle attacks by proving the authenticity of the controller. It's also just better practice and looks more professional. For this to work, you must have a domain name pointing to your controller (you can't get SSL certs…


Dynamic Rules with IPSet

Wouldn't it be good if port-scanning IPs could trigger a rule that adds them to a 'known offenders' firewall list? Wouldn't it be good if you could combine white and black ACLs into single unified rules? Typically iptables operates statically from a predefined collection of rules. This has the advantage of allowing you to filter packets on very exact parameters, but at the cost of a lot of tedious manual work, and when you're manually adding a bunch of these, easy mistakes are all too common, with potentially quite severe consequences on a production system. The idea is…
