Security


Encrypted Time Machine Backups on a separate partition

Trying to set up my external drive with a couple of partitions, one for encrypted Time Machine backups and the other as ext4 for Linux stuff, yielded a no-go. In short, Time Machine wouldn't let me encrypt the backups I dumped on the first partition of the disk. Turns out this is because I used the older MBR partition scheme. These are the requirements for that check box to be clickable:


Pass-through SSL with HAProxy

As I've started to containerize, certain webapps of mine use SSL for secure communication. Hence, I usually bundle everything the resulting webapp needs to serve itself over SSL, including certificates and keys. HAProxy can pass SSL through untouched by using TCP proxy mode. This is awesome, except you can forget about serving multiple domains/vhosts in this basic configuration. However, SNI to the rescue! From the HAProxy blog, there is indeed a way for HAProxy to inspect the SSL negotiation and find the hostname the client sends via SNI:


SSH Identity Management: Multi-key fallacies

This post will talk about how SSH handles private key forwarding and how to use it in a common use case for a more secure and seamless experience. You may want to study up a bit before reading on.

The Variables:
client/local = host0 (i.e. my laptop)
remote host = host1 (my server)
secondary host = host2 (another server)
ssh-agent = keychain (Keychain Access, gnome-keychain, etc.)
tried/sent = offered for authentication

The Facts:


GPG to encrypt files and handle private keys

GPG is quite nice. I've only come to really appreciate it more recently with my delving into Keybase.io and all the small, unimportant messages I can send to my friends :) Here are some examples of using symmetric encryption on single files.

Encrypting a file using AES256:

gpg --pgp7 --cipher-algo AES256 -c wallet.dat

Use/load an encrypted private key in ssh-agent for 12 hours (without leaving an unencrypted copy on the filesystem):


Ensuring your website is secure: Using strong ciphers

This new site, Cipherli.st, provides configurations for the major web server and proxy software suites to ensure they use the most secure SSL/TLS cipher settings for serving sensitive content, or anything on port 443. The configs are copy/pastable into your web server configuration. Be sure to check there for the latest, most secure confs.

Example for nginx:

ssl_ciphers "AES256+EECDH:AES256+EDH";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Frame-Options DENY;
ssl_stapling on; # Requires nginx >= 1.


Making ssh keys work: Permissions

Setting up SSH keys is effectively very easy: you put your pubkey on its own line in your $HOME/.ssh/authorized_keys file. However, you may not know that the permissions set on the following files matter very much:

home directory
.ssh directory
your authorized_keys file

After doing this multiple times, here is the corresponding combination that works for me: 755, 750, or 700 (group and other should have no write perms)


Dealing with VPN on Linux Mint

Setting up VPN via NetworkManager in Linux Mint was actually really simple, but I kept having issues with DNS. I set up my VPN server to push itself as the DNS server to use, along with a domain-search domain. The search domain from the VPN was getting mixed in with the other search domains from the local DHCP server when the connection was on eth0. NetworkManager launches dnsmasq when it starts.


Making your client send all traffic through the VPN

This hack will make your client machines use the internet entirely through the VPN. On the server, add the following to your OpenVPN config file:

push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"

If your VPN is, for example, your home gateway, you'll definitely want to use the gateway address. If your VPN server is on a remote server somewhere and it doesn't run its own DNS server, or you don't have a DNS server running on the VPN network, you'll want to just use a public DNS server address such as Google's 8.
