How to install Tailscale DERP server
Install Tailscale DERP server for increased privacy and lower latency. ...
Create the simplest possible firewall using nftables framework with relaxed rules that will allow all outgoing traffic, incoming ICMP echo requests, and ssh connections. ...
Use the native IPsec stack to connect multiple networks over the internet. ...
Configure the Vagrant virtual machine to use a specific proxy using the vagrant-proxyconf plugin. ...
Define custom Nginx log format to store SSL cipher and protocol information. ...
Trace packets as they pass through the iptables firewall. ...
Enforce specific referer header using nginx directives. ...
Enable debugging log in Nginx to inspect internal behavior and upstream interactions. ...
Automatically clear GNU Bourne-Again SHell history when you exit a login shell. ...
Check available security updates for CentOS 7. ...
Test TLS/SSL encryption anywhere on any port ...
Determine available authentication methods on the specified OpenSSH server. ...
Create custom Bourne Again SHell package to disable network redirections and enhance system security. ...
Find out whether remote port is open using Bourne Again SHell network redirections. ...
Log every executed command to syslog. ...
Generate password digest for basic authentication of HTTP users. ...
Revoke specific key used to perform key-based login with OpenSSH utilizing simple public key revocation list or OpenSSH Key Revocation List (KRL). ...
Protect Netdata using basic access authentication. ...
Determine which SSH key was used to perform key-based login using public key fingerprint. ...
Handle domains that are not defined in the configuration using dedicated backend. ...
I have already described how to create VLAN interface, but things have changed over time, so I decided to update the know-how. ...
Use openssl utility to display and verify the certificate chain for a specific domain. ...
Perform a dictionary attack on the forgotten LUKS passphrase to access the encrypted device. ...
Learn how to erase the LUKS header on a specific device. ...
Discover two distinct and easily scriptable methods and combine features from both of these to locate and identify LUKS devices. ...
Learn how to test LUKS passphrase on a specific device. ...
I have already described how to check external IP address using curl or your own SSH service, but you can also use dig utility to take advantage of the OpenDNS, Google or Akamai DNS service. ...
Determine maximum LUKS key file size or maximum interactive passphrase length. ...
Learn how to create and assign binary key instead of passphrase to LUKS key-slot on a specific device. ...
Use openssl command-line utility to display TLS server extensions. ...
Learn how to non-interactively manage LUKS passphrases on a specific device using files or a named pipe. ...
Learn how to interactively manage LUKS passphrases on a specific device. ...
Learn how to erase every defined LUKS key slot on a specific device. ...
Learn how to create LUKS header backup and restore it in case of emergency. ...
Encrypt portable external hard drive using Linux Unified Key Setup to protect data in transit. ...
Make iptables configuration persistent using systemd file with additional possibility to disable firewall after defined period of time. ...
Make iptables configuration persistent using custom service file with additional features like configurable wait time, so you can safely interrupt execution and test mode that will disable firewall after defined period of time. ...
Make iptables configuration persistent using essential system utilities or a designated boot-time loader. ...
Log dropped connections from iptables firewall using netfilter userspace logging daemon for further analysis and troubleshooting. ...
Verify file integrity using the GnuPG signature without touching your local GnuPG configuration. ...
Compute SHA message digest of a file to verify that its contents have not been altered. ...
Log dropped connections from iptables firewall using rsyslog for further analysis and troubleshooting. ...
Whitelist or render inoperative any USB device to secure your personal belongings. ...
Create an iptables firewall using custom chains that will be used to control incoming and outgoing traffic. ...
Create iptables firewall that will be used to control incoming and outgoing traffic. ...
Dynamically choose HAProxy backend depending on the HTTP host header, Lua programming language and environment variable. ...
Create the simplest possible iptables firewall with quite relaxed rules that will allow all outgoing traffic, incoming ICMP packets, and ssh connections on the eth0 interface. ...
Define and use a variable to dynamically choose HAProxy backend depending on the URL parameter, HTTP header field, and cookie value. ...
Block particular IP addresses on HAProxy load balancer using simple Access Control List. ...
Use essential openssl utility to quickly determine if your web-server still supports deprecated TLS 1.0 protocol. ...
Define basic authentication on HAProxy load balancer to limit access to specific backends. ...
Define allowed HTTP methods on HAProxy load balancer using simple Access Control Lists. ...
Check locally stored SSL certificate using essential utilities like openssl and curl. This knowledge is especially useful when you want to prepare an SSL certificate for a load balancer. ...
Create a certificate signing request and use it to generate an SSL certificate. I strongly suggest reading my two earlier blog posts about self-signed SSL certificates and private keys as these contain useful information. I will describe three different ways to generate a certificate signing request. ...
Icinga2 documentation clearly describes the master->satellite->client setup, but as of now everything can be configured using director module and top down approach, so you can easily monitor external remote networks that are not accessible from the master server. ...
Install Pi-hole, a network-wide ad blocker, on your own Linux hardware. I have used it on Debian Stretch, but then moved to a small Raspberry Pi, which now acts as DNS and DHCP server. ...
Generate private key for an SSL certificate and verify its consistency. ...
Debian supports DES, MD5, SHA256 and SHA512 algorithms for password encryption. These algorithms can be easily spotted and distinguished by their structure. ...
Two years ago, I described a simple way to display established TCP connections using the ss command. Today I will use lsof and gawk to pretty-print network connections. ...
Today, I will show you how to stop referral spam using simple nginx directives to return 403 Forbidden HTTP status code after encountering troublesome referer hostnames. ...
Use openssl command-line utility to calculate and display days till the certificate expiration. ...
Use openssl command-line utility to display common name, certificate issuer, alternative names, start/end dates. ...
Check current status of Debian Common Vulnerabilities and Exposures using simple python script and Security Bug Tracker. ...
There are rare cases when the known hosts file becomes corrupted, so basic ssh utilities fail within custom-built shell scripts due to the "~/.ssh/known_hosts is not a valid known_hosts file" error. ...
Today I will show you how to quickly generate ready to use self-signed SSL certificate for nginx HTTP server using command-line. It is a very handy ability that will allow you to perform various tasks locally or in home laboratory without touching dedicated certificates. ...
My local Internet service provider is redirecting nonexistent domains to the crappy website used to serve advertisements and compromise user privacy. This behavior can be easily circumvented using third-party DNS servers or OpenWRT, a small Linux distribution for embedded devices. ...
I am using Let’s Encrypt certificates for several services with great success. It is easy, reliable and very straightforward service. I will share with you my personal setup used to secure AWStats statistics page as a simple example. ...
A week ago, I illustrated a simple way to connect to the NordVPN server using Network Manager. Today I will describe a more advanced solution to automatically import NordVPN configuration using a shell script. ...
I am using NordVPN OpenVPN service to protect myself from prying eyes, especially now when the government defined insane data retention laws combined with unstable political situation. It is better to be safe than sorry, so I will illustrate the whole process using very simple step by step instructions. ...
I will show you how to generate a random password using the OpenSSL utility, standard command-line utilities, Password Generator (pwgen), and Automated Password Generator (APG). ...
From time to time I have to update passwords used to secure private keys to keep myself a bit more sane. I will demonstrate simple and straightforward way to accomplish this task. ...
The GNU Privacy Guard is an essential application when you need to ensure the confidentiality and origin of the information, so it helps to protect your privacy and the people you communicate with. ...
It is easy to lock the screen when using any of the available desktop environments or even basic X Window utilities. The more interesting thing is to achieve the same functionality on a text-only system. ...
Today, I will show you how to put every connected USB storage device in read-only mode using udev dynamic device management, blockdev utility, and systemd service unit configuration. ...
Several months ago I briefly described how to close a non-responsive ssh session, which comes in handy at times. Today I will describe how to close every active ssh session by inspecting existing pseudoterminals. ...
I have unexpectedly experienced an issue with a couple of broken packages, which was easily solved using debsums utility. ...
This blog does not use more than four or five gigabytes per month, which is only about one hundredth of the available bandwidth. Still, I do not like bandwidth leechers, so I have implemented simple hotlink protection using nginx HTTP server. ...
I want to automatically log out the user from the login shell after a defined period of inactivity but leave X Window Terminals untouched. This will allow me to enhance security slightly, as I will not accidentally leave the superuser session running for a long time. ...
It is easy to overlook orphaned files without an assigned existing owner or group after moving large amounts of data. Fortunately, it is easy to spot these files using the find utility. ...
I am constantly on the move, so sometimes I need to quickly verify my external IP address, as I do not want to accidentally block myself on some kind of firewall. ...
I always asked myself how to password protect GRUB entries on an encrypted notebook to lock down the boot loader and protect it from unauthorized access. ...
Sometimes I want to access a private server at home from a different network while being on the go. The easiest way to do this is to use autossh utility to create a secure and persistent reverse SSH tunnel to the publicly available server. ...
Default Debian installation does not include VPN support inside the Network Manager applet. The reason behind this decision is probably the variety of available solutions. ...
At first I wanted to write a blog post about how to stay anonymous by using a privacy-enhanced OS, but I changed my mind during the research process as I couldn’t pass by other highly useful solutions. ...
This weekend, I spent some time investigating SSL certificate-based authentication and implementing it in the Kolab web-based user interface. This topic is fascinating but definitely too broad to be briefly described in a single blog post, so do not look at it as a complete solution, but treat it only as a proof of concept. ...
Recently I was asked to reset root password on some long forgotten Debian box. It was an easy and straightforward task, but, as there are some interesting pitfalls, I will describe the whole process of acquiring root shell without password using single-user mode and a couple of ways to prevent it. ...
You have probably already noticed my favorite way to overcome the sudo redirection issue, but if you haven’t, then I will write it down here for further reference. ...
By default, the dmesg command prints the kernel ring buffer with a timestamp for each logged message. It is easy to change this behavior and display the date/time in a human-readable form using just one additional parameter. Still, sometimes it is not supported, so I will briefly touch upon this topic. ...
It is very easy to tell how long the system has been running using the uptime command, but the information about when exactly it was booted is not so apparent, so I will show you two different ways to get it. ...
Static key configuration is the easiest and shortest way to set up an OpenVPN tunnel. ...
I am using the Firefox web browser most of the time, but you need to know that I have drawn a clear line between daily browsing and strictly private usage by using a browser sandbox. I will briefly describe the whole process so you can also benefit from it. ...
Last year I wrote a short article about how to set up SSH port forwarding but I forgot to mention that you can quickly terminate existing port forwardings and create new ones during the SSH connection. ...
Today I will mention the arpwatch utility (developed by LBNL’s Network Research Group), as it is a small and very useful tool that will keep track of the Ethernet/IP address pairings and log every change, which you can monitor and analyze. ...
I am constantly using SSH to transfer files between my home notebook and remote servers. The basic scp tool is great, but sometimes it is more convenient to mount a remote file system to easily access files over the SSH protocol. ...
Change the MAC address of an Ethernet interface and make this change permanent. I will briefly explain how to do this using standard commands and one particularly useful tool, MAC Changer. ...
VLAN (virtual local area network) is a very useful concept, as you can easily separate device management from users by using appropriate network devices and configuration. I will describe here, in the form of a short note, how to create a VLAN interface on a Debian system. ...
Recently I installed OpenWRT on a Ubiquiti AirRouter, as the original firmware is lacking in a couple of areas. Installation is easy and straightforward, as all you need to do at the time of writing this post is to use the Attitude Adjustment release. ...
SSH port forwarding is a nice feature that allows you to create encrypted tunnels over an unsecured network. It is easy and straightforward to remember and use in daily work, so I will describe it here with a couple of examples. ...
Simple solution using Linux Unified Key Setup. ...
The answer is to recreate the encrypted tmp partition on every boot with a random key as you do not need to keep temporary data in memory. ...
Create a partition for swap (/dev/sdaX in this example). Prepare and enable it using the mkswap and swapon commands. If you already use a swap partition, then omit these steps.
    $ sudo mkswap /dev/sdaX
    Setting up swapspace version 1, size = 4194300 KiB
    no label, UUID=325d9718-8532-460d-afec-74e6aee9ae5f
    $ sudo swapon /dev/sdaX
Execute the ecryptfs-setup-swap script (it is part of the ecryptfs-utils package):
    $ sudo ecryptfs-setup-swap
    WARNING: An encrypted swap is required to help ensure that encrypted files are not leaked to disk in an unencrypted format....
Sometimes it is a good idea to check or just store the contents of the virtual console terminal (/dev/vcs[1-63] device). ...
Display established TCP connections inside the terminal. ...
Use the following command when you want to leave the terminal open but force sudo to forget the password. ...
I tend to forget passwords from time to time so I installed KeePassX today. Now I can store them in one place, organize and perform auto type. ...
I prefer to use a small netbook over a desktop pc for light web browsing at home. It’s very comfortable but I need something to filter out advertisements. ...
Simple answer is a lot! ...
A long time ago my provider had some temporary problems with DNS service. The solution was quite simple – use the Google Public DNS servers: 8.8.8.8 8....
Check out HTTPS Everywhere (Firefox and Chrome extension) to automatically rewrite your requests to use the HTTPS protocol. ...