Let's Encrypt on UniFi Controller (Signed SSL/TLS)

In this tutorial, we will learn how to replace the self-signed SSL certificate shipped with the UniFi controller with a free, publicly trusted certificate from Let's Encrypt. The immediate advantage is that your browser will stop warning that "Your connection is not secure" when you connect to the controller. More importantly, a CA-signed certificate lets the browser verify that it is talking to the genuine controller and not to something sitting in the path, which is what protects you against man-in-the-middle attacks; a self-signed certificate that users simply click through gives no such assurance. It's also just better practice and looks more professional. For this to work, you must have a domain name pointing to your controller (you can't get SSL certs…


IPset: Automatic Blocking of Portscans

In my last post, we introduced ipset and how it can be used to create aggregated rules for multiple source/destination parameters. Now we will look at how to create a set of IP addresses that have attempted to connect to the telnet port, and block further connections from them. This is a proactive approach, and it's quite fun watching how quickly the list grows. We start by creating the set, with a timeout of 3600 seconds (1 hour) so that entries expire on their own:

ipset create denied_telnet hash:ip timeout 3600

Next we create a rule to add telnet connections to the set…


Dynamic Rules with IPSet

Wouldn't it be good if port-scanning IPs could trigger a rule that adds them to a 'known offenders' firewall list? Wouldn't it be good if you could combine white and black ACLs into single unified rules? Typically iptables operates statically from a predefined collection of rules. This has the advantage of letting you filter packets on very exact parameters, but at the cost of a lot of tedious, manual work, and when you're adding a bunch of these by hand, easy mistakes are all too common, with potentially quite severe consequences on a production system. The idea is…
