Often when working with a client I’ll have recommendations on server settings and configurations, but sometimes things are not obvious, and I want another set of eyes to audit security settings. External scanners are fine, but they are mostly run by the security teams, so using an open source auditing tool can help with security auditing, hardening and compliance while helping to determine whether you have things configured and set up optimally.
Thanks to Mike Mitchell @sirmitchell for the new 45 logo, inspired by Trump’s recent comments on the Charlottesville clash. Here's a high res copy which I'm allowing for personal use (signs, shirts, buttons). Spread it far and wide: https://t.co/k0GqGslx6W 🚫45 pic.twitter.com/1bWM00CHtj — Mike Mitchell (@sirmitchell) August 15, 2017 > “When someone shows you who they are, you should believe them. And Donald Trump is again letting Nazis and white supremacists off the hook for their violence in Charlottesville.
Today I had a case where a coworker wanted a Linux server to connect to a particular VPN, and we didn’t want to use some hacky way like putting a script in /etc/rc.local for it to run on boot. Instead we learned how to use systemd to control connecting to the VPNs with the OpenVPN client.

Steps

Install the OpenVPN client. Verify the openvpn client is installed:
Debian/Ubuntu: apt-get install openvpn
RHEL/CentOS: yum install openvpn

Get VPN keys, certificates and configs. From your remote host, get the files or zip file that includes your VPN keys, certificates and configs. Place the files (unzipping any archives) into /etc/openvpn on your client.

Configure OpenVPN session. In the directory /etc/openvpn copy the .
Cheap Girls (photo courtesy of Cheap Girls) The year It’s been a great year (musically), and I’ve kept my head above water by going out to see some great shows. Highlights include: Basia Bulat, Jason Isbell, Shovels & Rope, Neon Indian, Guided by Voices, The Thermals, Summer Cannibals, Screaming Females, Aye Nako, The Waco Brothers, Cheap Girls, Bob Mould Band, Lydia Loveless, Will Courtney & the Wild Bunch, Built To Spill, The Posies, Shellac, Shannon Wright, Amanda Shires, Colter Wall, and Sloan.
When getting started with Linux and open source software, running websites was one of the first things I learned how to do. Of course, with the way software evolves, I’m still learning new ways to better secure, encrypt and protect web assets. Recently I wanted to build a new project and decided I wanted to use OpenBSD, arguably the most secure operating system out of the box. While years ago I switched to FreeBSD for web and mailserver handling, OpenBSD is just more stringent about how it presents things. There’s more to learn, sure, but that’s all part of the fun. Now, if you look around, normal VPS options like DigitalOcean and Linode won’t allow you to run OpenBSD, but with Vultr (affiliate link) you can use any ISO you can point to. They have a $5/month option, and they give you 768M RAM versus the 512M that you get from most other VPS providers for that price. With that decided I ran through the install using their console and was up and running in no time. Now for the fun part, let’s ssh to the server and set up a secure webserver!
I’ve wanted to get into tube audio amplifiers for my stereo systems for a long time, so years ago I bought my first ones, a pair of Antique Sound Lab AV-25 monoblocks. One thing that was a bit tricky was to bias the amps, and the units didn’t come with directions, so I eventually got info directly from the company, but couldn’t find it anywhere online. I’m transcribing them here for my reference and for others, in case they have the same, or similar, amps from Antique Sound Labs.
This is a previously unpublished sketch written on 2007-04-18 of two people talking about the constant state of fear in a nation controlled by the media. Strangely it’s still relevant today. […] “But what about them; what’s the difference?” “What?” “With their outlook on things, everything is just so negative, have we evolved that way?” “You’re telling me you mean we became more negative as a species over 50 years?
Metz (photo from radio1190 ) Another year, another batch of new toons to love. As always, discovering new music never gets old, the endless digging for new sounds continues to be one of my favorite things. Let’s rock! Courtney Barnett “Sometimes I Sit and Think, Sometimes I Just Sit” Built To Spill “Untethered Moon” Deerhunter “Fading Frontier” Hop Along “Painted Shut” Jason Isbell “Something More Than Free” Jamie xx “In Colour” Metz “II” Refused “Freedom” Sleater-Kinney “No Cities To Love” Supersuckers “Holding the bag” Waxahatchee “Ivy Tripp”
UPDATE 02-29-2016: a reader had issues getting this working, and after reproducing his issue I found that the
ssl_ciphers HIGH:!aNULL:!MD5;
no longer works. Apparently sometime after I wrote this, the HTTP/2 specs were updated, and browsers followed suit. This blog post tells us, “According to the HTTP/2 specification, over TLS 1.2 HTTP/2 SHOULD NOT use any of the cipher suites that are listed in the cipher suite black list, found here.” So now we have to call out another cipher before the blacklisted ones:
ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;
Thanks for the note Elias!
Last week nginx released mainline version 1.9.5, which features an experimental HTTP/2 module. According to the Internet Engineering Task Force, “HTTP/2 enables a more efficient use of network resources and a reduced perception of latency by introducing header field compression and allowing multiple concurrent exchanges on the same connection. It also introduces unsolicited push of representations from servers to clients. This specification is an alternative to, but does not obsolete, the HTTP/1.1 message syntax. HTTP’s existing semantics remain unchanged.” You can get an idea of how HTTP/2 is better and faster on this demo page, which shows the multiple connections making a significant difference.
TL;DR it’s faster, backwards compatible and the new hotness (obviously).
I’ve written about Bruce Schneier many times before, but this recent comment perfectly captures why we all need to be concerned about our only privacy