Systemd includes a feature to restrict which IP addresses can communicate with a service. As an example, let's use this to SSH to the 192.168.1.0/24 subnet…

Verify TLS Servers with Random Art
I've always loved the RandomArt feature in SSH that is used to display a visual representation of a peer's public key. I thought it would be great to extend this to TLS.…

Process Privilege Escalation with SUID
Did you know that on a Linux system running the ping command requires root privileges? Normal users are able to run the command through a special permission known as setuid…

Firewalld Tutorial
A comprehensive, example-rich reference on Firewalld, the default firewall for RHEL/CentOS/Fedora…

Protect your infrastructure with SSH Jump Hosts
This post shows you how to use SSH jump hosts to access internal SSH servers. It also shows how to create limited accounts that can only be used for jump host access…

Encrypting Files using an RSA Public Key
This post looks at how to encrypt files with RSA using the OpenSSL command. It also shows how RSA public keys can be retrieved from SSH and TLS servers…

Let's Encrypt HTTP-01 using Amazon S3
How to obtain Let's Encrypt certificates via an S3 bucket with optional Cloudflare origin-host configuration…

Script to detect firewall misconfiguration
This script will detect if SSH has inadvertently been exposed to the outside world.…

OpenWRT/LEDE Bridging Firewall
It would be neat if my wireless access point could bridge directly to my cable modem so that clients would have proper public IP addresses. Being directly connected to the internet significantly increases vulnerability so the aim is to address this with a bridge firewall.…

Cloud based Two Factor Authentication with gpg+s3
This is an experimental script I made to store encrypted TFA credentials in the cloud. It uses GPG to protect the uploaded data. The tokens can be accessed anywhere, on anything that has access to the GPG key.…

Bash port scanner
The script, using only Bash, will scan common ports, and if an open port is found, it will display a base64 encoded output of the server's response.…

Reactive malware blocking with ipset
This tutorial will demonstrate how to create reactive firewall rules. If a device attempts to communicate with known malware command-and-control servers, the potentially compromised device will be added to a blacklist, and its internet access will be immediately disabled.…

Setting up Ghost 2.0 with Cloudflare
This tutorial will show you how to set up a blog using Cloudflare and Ghost. Cloudflare will improve performance and security by acting as a caching reverse proxy.…

Setting up Tor and Hosting a Hidden Service
This tutorial will show you how to set up Tor as a daemon and host hidden services. Hidden services are only available on the Tor darknet and allow you to host services without revealing your IP. Tor hidden services can be accessed via a special .onion domain. Although it hides your IP address, Tor isn't completely untraceable. If using Tor for illegal activity, you CAN and WILL get tracked down and held accountable.

Table of contents
Introduction to Tor
Setting up and testing Tor
Setting up a Hidden Service
Redirect user traffic through Tor
Conclusion

Introduction to Tor
Tor is…

Block all traffic from your neighbours using iptables
This tutorial creates rules to limit traffic (both ingress and egress) to the gateway only. This prevents traffic from other patrons reaching you when using public Wi-Fi…

Using Ferm to sweeten IPTables
Ferm is a 'frontend' for iptables written in Perl. The best way to describe it is a firewall compiler (although it can do more than that, as we'll see later). Ferm provides a simple, rich and flexible syntax for writing rules; ferm then generates the corresponding list of iptables rules.…

Secure SSL configuration for Nginx
Here is a handy snippet for configuring hardened SSL/TLS on Nginx. It receives an A+ rating when tested at Qualys. A later post will discuss the configuration options in detail, what they do, and how SSL works. Just a word of warning: this configuration enables HSTS by default. When enabled, it tells the browser that the site (and its subdomains) must only be accessed over HTTPS.

Nginx configuration
server {
    ###------IPv4 Listen Address
    listen <ipv4address>:443 http2 ssl;
    ###------IPv6 Listen Address
    # listen <ipv6address>:443 http2 ssl ipv6only=on;
    ###------Host name
    server_name <fqdn>;
    ###------Enable…

Writing a port scanner in Bash shell
A primitive port scanner can be constructed using solely the bash shell via its /dev/tcp virtual file. The script will scan common ports, and if an open port is found, it will display a base64 encoded output of the server's response.…

Securing services with stunnel
Stunnel is a tool that allows you to seamlessly add TLS to most existing services. Stunnel listens on a port, and can either receive encrypted traffic and pass it to an unencrypted destination, or receive unencrypted traffic and forward it to an encrypted destination. TLS is commonly used to protect clients from connecting to untrusted servers by verifying the certificate provided by the server. Conversely, servers can prevent unwanted clients from connecting by demanding that they provide a valid certificate. This means that stunnel can add a strong layer of access control.

Table of contents
Providing HTTPS to…

Docker Firewalling - Unpublishing a port
Intro
I have a Docker container that has a port unconditionally published (e.g. -p 2368:2368). I've changed my mind and decided I don't want this port exposed to the entire internet; only the Docker host should see it. How do I fix this without having to rebuild the container?

Table of contents
Intro
Port publishing: What is it, how does it work?
Looking at Docker iptables
Changing the rules
Using Docker Isolation (it's here where we lock down our container)

Intro
This question (and its lack of an immediately obvious answer) is one of the many annoying teething pains I've…

TLS Client Authentication with Certificates (nginx + easyrsa)
Today we will learn how to set up Nginx so that clients have to authenticate using certs. This provides additional security above basic password authentication.…

Replacing Google Authenticator with oathtool and gpg
I thought it would be cool to have Two Factor Authentication operating on the command line, perhaps in some isolated container, rather than having it on a phone which can easily be lost or broken. We will also combine it with gpg encryption, so that we have an additional layer of security.

How TFA works
It's important to understand that TFA is a general term for all systems that require multiple authentication factors. However, the vast majority of sites offering TFA for end users are based on the same technology, known as TOTP. TOTP stands for Time-based One-time Password. The site…

sshuttle - a VPN for the lazy
sshuttle is a Python based script that allows you to tunnel connections through SSH in a far more efficient way than traditional ssh proxying. By far the greatest perk of sshuttle is that it requires no installation on the server side. As long as you have an SSH server (with python installed) you're good to go. Because it inserts iptables entries, the client running sshuttle must be root; however, no special privileges are needed on the server.

How to use it
Install
$ sudo pip install sshuttle   # you may need to install python-pip
Tunnel to all networks (0.0.0.0/…

My IPTables Configuration Script
I've talked quite a lot about iptables but haven't really shown how I actually put it into practice. Today I'll share a shell script I wrote to set up IPTables on my Fedora 25 Desktop.

Download
Warning: Make sure you check it is appropriate for your needs and that you understand its functionality before running it.

The shell script sets up the following:
Multiple user based chains for NFS, SSH, and HTTP
Organized TCP / UDP chains
Source restriction based on the use of IPsets

Structure and Functions of the Script
We begin by defining the function that configures our SSH hardening chain. The…

Using Dynamic Blocklists with IPtables + IPset
In this tutorial, we will learn how to make automatically updated block lists of known bad addresses using ipset and iptables. This provides a proactive security approach that can use external datasets to discover addresses known for malicious activity and prevent them from accessing your web server.

A quick overview on IPSet
In some of my earlier tutorials, we learned how we could use ipset to create dynamic filtering rules which are independent of iptables. For example, if we wanted to give our friend temporary access to SSH:
# create ipset
sudo ipset create ssh_ip hash:ip
# add friend's IP…