Tag: security

Defend against fake google bots

I can think of some reasons why folks might use the Googlebot user agent on their non-Google bots, but I can’t think of any good, upstanding reasons to do it. Here’s how one might find some fine folks who would do such a thing. As of right now (May 2018), all valid Google Bot source

Allowing bookmarklets to work while NoScript is enabled

The NoScript extension is fantastic at enhancing one’s security while browsing. Sure, it’s a bit of pain to get used to needing to allow scripts for new websites visited (temporarily or permanently). But I wanted to use bookmarklets to post selected stuff in my Dokuwiki with the dokubookmark plugin. The problem was, every time I

LFD stops logging to kern.log

It took a while before I figured out why LFD wasn’t logging any issues to kern.log on my Debian-based systems. I realized at some point that it worked when I first installed CSF, but then logged nothing after the first day.

Allow webapps to make outgoing requests

I was experiencing a pretty bad slowdown while trying to use the admin pages of a WordPress site recently. The load on the machine was quite low, so I began to suspect that it was trying to call out to external services (facebook, pinterest, etc) that might have been blocked by CSF (configserver firewall). I

Fix for LFD error in syslog

I noticed that I was getting emails from LFD (part of the ConfigServer Firewall package) about failing to find some added check line it was sending to syslog. The syslog message looks like this: lfd[%d]: *SYSLOG CHECK* Failed to detect check line [%s] sent to SYSLOG Of course I’ve replaced the pid with %d and

Switching from APF to CSF

I was enjoying trying out APF on my Raspberry Pi, but I noticed that it wasn’t blocking repeat attackers the way I wanted it to. fail2ban was working the way it was supposed to work, but it only blocks temporarily, and I never figured out why the gamin back-end to continuously monitor log files didn’t

Fix the broken APF package on Debian/Ubuntu

The Debian / Ubuntu package for Advanced Policy Firewall (APF) seems a bit unmaintained. By default it won’t run without some initial tweaking. Note that they probably want everyone to just download and run the installer from their site nowadays, but that’s not how I roll (usually). [crayon-5dff2e1979b64892425294/] In functions.apf, change the line [crayon-5dff2e1979b67011803656/] to

APF, fail2ban & more

APF is wonderful for a good-enough firewall solution for a lot of people. But what if you also want the power of another great tool, fail2ban? The problem is, fail2ban wants to make changes directly to iptables, which APF is maintaining. Rules that fail2ban writes will be overwritten by APF. I found the solution is

Raspberry Pi SSH cipher speed

I was curious to see how quickly I could transfer files to my Pi using SSH rather than FTP. Obviously using FTP is way faster than almost any other method, but still I wanted to see how fast I could transfer data over SSH. Here’s the time it took to transfer a 50 MB file

Check certificates for known weak entropy

On Ubuntu/Debian, you can sudo apt-get install openssl-blacklist.Then just run the following: [crayon-5dff2e1979c61411878803/] The last line of output is the most important; It should read “not blacklisted.” :-)

monkeysphere project to add PKI to all the services

looks pretty cool. This project claims to want to apply the PKI web-of-trust to different services like web browsing and SSH. By querying the public keys stored on key servers, you wouldn’t need to guess that the remote site was providing their actual key the first time you connect, like you normally would when connecting

Cryptocat 2: Electric Boogaloo

I wrote before about Cryptocat, and now it seems Schneier has weighed in on the idea, agreeing with researcher Chris Soghoian that depending on host-based security makes it actually not very secure at all.  Enter Cryptocat 2, an iterative improvement moving towards a browser plugin to avoid the host-based dependency. Good on ’em!