How to create the simplest possible nftables firewall

Create the simplest possible firewall using nftables framework with relaxed rules that will allow all outgoing traffic, incoming ICMP echo requests, and ssh connections. ...

How to create site-to-site connection using IPsec

Use the native IPsec stack to connect multiple networks over the internet. ...

How to configure the Vagrant virtual machine to use a specific proxy

Configure the Vagrant virtual machine to use a specific proxy using the vagrant-proxyconf plugin. ...

How to log SSL cipher and protocol information in Nginx

Define custom Nginx log format to store SSL cipher and protocol information. ...

How to trace packets as they pass through the firewall

Trace packets as they pass through the iptables firewall. ...

How to enforce specific referer header using nginx

Enforce specific referer header using nginx directives. ...

How to enable debugging log in nginx

Enable debugging log in Nginx to inspect internal behavior and upstream interactions. ...

How to clear bash history on logout

Automatically clear GNU Bourne-Again SHell history when you exit a login shell. ...

How to check available security updates

Check available security updates for CentOS 7. ...

How to test TLS/SSL encryption anywhere on any port

Test TLS/SSL encryption anywhere on any port ...

How to determine available authentication methods

Determine available authentication methods on the specified OpenSSH server. ...

How disable network redirections

Create custom Bourne Again SHell package to disable network redirections and enhance system security. ...

How to find out whether remote port is open using network redirections

Find out whether remote port is open using Bourne Again SHell network redirections. ...

How to log every executed command

Log every executed command to syslog. ...

How to generate password digest for basic authentication of HTTP users

Generate password digest for basic authentication of HTTP users. ...

How to revoke specific key used to login with OpenSSH

Revoke specific key used to perform key-based login with OpenSSH utilizing simple public key revocation list or OpenSSH Key Revocation List (KRL). ...

How to protect Netdata instance using basic access authentication

Protect Netdata using basic access authentication. ...

How to determine which key was used to login with OpenSSH

Determine which SSH key was used to perform key-based login using public key fingerprint. ...

How to stop requests with empty or incorrect host header

Handle domains that are not defined in the configuration using dedicated backend. ...

How to create VLAN interface using the ip utility

I have already described how to create VLAN interface, but things have changed over time, so I decided to update the know-how. ...

How to display and verify certificate chain for specific domain

Use openssl utility to display and verify the certificate chain for a specific domain. ...

How to perform dictionary attack on LUKS passphrase

Perform a dictionary attack on the forgotten LUKS passphrase to access the encrypted device. ...

How to erase LUKS header

Learn how to erase the LUKS header on a specific device. ...

How to locate LUKS devices

Discover two distinct and easily sriptable methods and combine features from both of these to locate and identify LUKS devices. ...

How to test LUKS passphrase

Learn how to test LUKS passphrase on a specific device. ...

How to check external IP address using DNS service

I have already described how to check external IP address using curl or your own SSH service, but you can also use dig utility to take advantage of the OpenDNS, Google or Akamai DNS service. ...

How to determine maximum LUKS passphrase length

Determine maximum LUKS key file size or maximum interactive passphrase length. ...

How to assign binary key to LUKS key-slot

Learn how to create and assign binary key instead of passphrase to LUKS key-slot on a specific device. ...

How to display TLS server extensions

Use openssl command-line utility to display TLS server extensions. ...

How to non-interactively manage LUKS passphrases

Learn how to non-interactively manage LUKS passphrases on a specific device using files or a named pipe. ...

How to interactively manage LUKS passphrases

Learn how to interactively manage LUKS passphrases on a specific device. ...

How to erase all LUKS key slots

Learn how to erase every defined LUKS key slot on a specific device. ...

How to backup or restore LUKS header

Learn how to create LUKS header backup and restore it in case of emergency. ...

How to encrypt portable external hard drive

Encrypt portable external hard drive using Linux Unified Key Setup to protect data in transit. ...

How to make iptables configuration persistent using systemd

Make iptables configuration persistent using systemd file with additional possibility to disable firewall after defined period of time. ...

How to make iptables configuration persistent using custom service file

Make iptables configuration persistent using custom service file with additional features like configurable wait time, so you can safely interrupt execution and test mode that will disable firewall after defined period of time. ...

How to make iptables configuration persistent

Make iptables configuration persistent using essential system utilities or a designated boot-time loader. ...

How to log dropped connections from iptables firewall using netfilter userspace logging daemon

Log dropped connections from iptables firewall using netfilter userspace logging daemon for further analysis and troubleshooting. ...

How to verify file integrity using GnuPG signature

Verify file integrity using the GnuPG signature without touching your local GnuPG configuration. ...

How to compute and verify file checksum

Compute SHA message digest of a file to verify that its contents have not been altered. ...

How to log dropped connections from iptables firewall using rsyslog

Log dropped connections from iptables firewall using rsyslog for further analysis and troubleshooting. ...

How to disable USB device

Whitelist or render inoperative any USB device to secure your personal belongings. ...

How to create iptables firewall using custom chains

Create an iptables firewall using custom chains that will be used to control incoming and outgoing traffic. ...

How to create iptables firewall

Create iptables firewall that will be used to control incoming and outgoing traffic. ...

How to use HTTP host header to choose HAProxy backend

Dynamically choose HAProxy backend depending on the HTTP host header, Lua programming language and environment variable. ...

How to create simplest possible iptables firewall

Create the simplest possible iptables firewall with quite relaxed rules that will allow all outgoing traffic, incoming ICMP packets, and ssh connections on the eth0 interface. ...

How to use variable to choose HAProxy backend

Define and use a variable to dynamically choose HAProxy backend depending on the URL parameter, HTTP header field, and cookie value. ...

How to block particular IP addresses on HAProxy

Block particular IP addresses on HAProxy load balancer using simple Access Control List. ...

How to determine if web-server still supports deprecated TLS 1.0 protocol

Use essential openssl utility to quickly determine if your web-server still supports deprecated TLS 1.0 protocol. ...

How to define basic authentication on HAProxy

Define basic authentication on HAProxy load balancer limit access to specific backends. ...

How to define allowed HTTP methods on HAProxy

Define allowed HTTP methods on HAProxy load balancer using simple Access Control Lists. ...

How to locally check SSL certificate

Check locally stored SSL certificate using essential utilities like openssl and curl. This knowledge is especially useful when you want to prepare an SSL certificate for a load balancer. ...

How to generate and decode CSR

Create a certificate signing request and use it to generate an SSL certificate. I strongly suggest reading my two earlier blog posts about self-signed SSL certificates and private keys as these contain useful information. I will describe three different ways to generate a certificate signing request. ...

How to setup icinga2 master-satellite-client using director module

Icinga2 documentation clearly describes the master->satellite->client setup, but as of now everything can be configured using director module and top down approach, so you can easily monitor external remote networks that are not accessible from the master server. ...

How to install and configure Pi-hole

Install Pi-hole, a network-wide ad blocking on your own Linux hardware. I have used it on Debian Stretch, but then moved to a small Raspberry Pi, which now acts as DNS and DHCP server. ...

How to generate private key

Generate private key for an SSL certificate and verify its consistency. ...

How to determine encryption algorithm used to store password

Debian supports DES, MD5, SHA256 and SHA512 algorithms for password encryption. These algorithms can be easily spotted and distinguished by their structure. ...

How to display network connections using lsof and GNU awk

Two years ago, I described a simple way to display established TCP connections using ss command. Today I will use lsof and gawk to pretty print network connections. ...

How to stop referral spam using Nginx

Today, I will show you how to stop referral spam using simple nginx directives to return 403 Forbidden HTTP status code after encountering troublesome referer hostnames. ...

How to display days till certificate expiration

Use openssl command-line utility to calculate and display days till the certificate expiration. ...

How to display certificate issuer and dates

Use openssl command-line utility to display common name, certificate issuer, alternative names, start/end dates. ...

How to check Debian CVE status using python script

Check current status of Debian Common Vulnerabilities and Exposures using simple python script and Security Bug Tracker. ...

How to remove invalid entries from known hosts file

There are rare cases when known hosts file becomes corrupted, so basic ssh utilities fail within custom built shell scripts due to ~/.ssh/known_hosts is not a valid known_hosts file error. ...

How to generate self-signed SSL certificate

Today I will show you how to quickly generate ready to use self-signed SSL certificate for nginx HTTP server using command-line. It is a very handy ability that will allow you to perform various tasks locally or in home laboratory without touching dedicated certificates. ...

How to prevent non existent domain redirect

My local Internet service provider is redirecting non existent domains to the crappy website used to serve advertisements and compromise user privacy. This behavior can be easily circumvented using third party DNS servers or an OpenWRT small Linux distribution for embedded devices. ...

How to use Let’s Encrypt certificate with Nginx

I am using Let’s Encrypt certificates for several services with great success. It is easy, reliable and very straightforward service. I will share with you my personal setup used to secure AWStats statistics page as a simple example. ...

How to automatically import NordVPN servers

A week ago, I illustrated a simple way to connect to the NordVPN server using Network Manager. Today I will describe a more advanced solution to automatically import NordVPN configuration using a shell script. ...

How to connect to NordVPN server using Network Manager

I am using NordVPN OpenVPN service to protect myself from prying eyes, especially now when the government defined insane data retention laws combined with unstable political situation. It is better to be safe than sorry, so I will illustrate the whole process using very simple step by step instructions. ...

How to generate random password using command-line

I will show you how to generate a random password using the OpenSSL utility, standard command-line utilities, Password Generator (pwgen), and Automated Password Generator (APG). ...

How to change SSH private key passphrase

From time to time I have to update passwords used to secure private keys to keep myself a bit more sane. I will demonstrate simple and straightforward way to accomplish this task. ...

How to use The GNU Privacy Guard

The GNU Privacy Guard is an essential application when you need to ensure the confidentiality and origin of the information, so it helps to protect your privacy and the people you communicate with. ...

How to lock Linux console session

It is easy to lock screen when using any of the available desktop environment or even basic X Window utilities. The more interesting thing is to achieve the same functionality on text only based system. ...

How to enforce read-only mode on every connected USB storage device

Today, I will show you how to put every connected USB storage device in read-only mode using udev dynamic device management, blockdev utility, and systemd service unit configuration. ...

How to terminate active ssh sessions

Several months ago I have shortly described how to close a non-responsive ssh session, which comes in handy at times. Today I will describe how to close every active ssh session by inspecting existing pseudoterminals. ...

How to verify installed packages

I have unexpectedly experienced an issue with a couple of broken packages, which was easily solved using debsums utility. ...

Simple hotlink protection implemented in nginx

This blog does not use more than four or five gigabytes per month, which is only about one hundredth of the available bandwidth. Still, I do not like bandwidth leechers, so I have implemented simple hotlink protection using nginx HTTP server. ...

How to automatically logout user from the login shell after period of inactivity

I want to automatically log out the user from the login shell after a defined period of inactivity but leave X Window Terminals untouched. This will allow me to enhance security slightly, as I will not accidentally leave the superuser session running for a long time. ...

How to find orphaned files

It is easy to overlook orphaned files without an assigned existing owner or group after moving large amounts of data. Fortunately, it is easy to spot these files using the find utility. ...

How to check external IP address

I am constantly on the move, so sometimes I need to quickly verify my external IP address, as I do not want to accidentally block myself on some kind of firewall. ...

How to password protect GRUB entries

I always asked myself how to password protect GRUB entries on an encrypted notebook to lock down the boot loader and protect it from unauthorized access. ...

How to create persistent reverse SSH tunnel

Sometimes I want to access a private server at home from a different network while being on the go. The easiest way to do this is to use autossh utility to create a secure and persistent reverse SSH tunnel to the publicly available server. ...

How to enable VPN connections inside Network Manager

Default Debian installation does not include VPN support inside the Network Manager applet. The reason behind this decision is probably the variety of available solutions. ...

Four live distributions and three different security objectives

At first I wanted to write blog post about how to stay anonymous by using privacy enhanced OS, but changed my mind during research process as I couldn’t pass by other highly useful solutions. ...

Kolab – SSL certificate authentication (web-based interface)

This weekend, I have spent some time investigating SSL certificate-based authentication and implementing it in Kolab web-based user interface. This topic is fascinating but definitely too broad to be briefly described in a single blog post, so do not look at it as a complete solution, but treat it only as a proof of concept. ...

How to access single-user mode without password

Recently I was asked to reset root password on some long forgotten Debian box. It was an easy and straightforward task, but, as there are some interesting pitfalls, I will describe the whole process of acquiring root shell without password using single-user mode and a couple of ways to prevent it. ...

How to redirect command output using sudo

You have probably already noticed my favorite way to overcome the sudo redirection issue, but if you haven’t, then I will write it down here for further reference. ...

How to deal with dmesg timestamps

By default dmesg command print kernel ring buffer using the timestamp for each logged message. It is easy to change this behavior and display date/time in a human-readable form using just one additional parameter. Still, sometimes it is not supported, so I will shortly touch upon this topic. ...

How to accurately determine when the system was booted

It is very easy to tell how long the system has been running using uptime command, but the information when exactly it was booted is not so apparent, so I will show you two different ways to get it. ...

How to setup point-to-point OpenVPN tunnel

Static key configuration is the easiest and shortest way to set up OpenVPN tunnel. ...

How to create browser sandbox

I am using Firefox web browser most of the time, but you need to know that I have drawn a clear line between daily browsing and strictly private usage by using browser sandbox. I will shortly describe whole process so you could also benefit from it. ...

How to change port forwardings during the SSH connection

Last year I wrote a short article about how to set up SSH port forwarding but I forgot to mention that you can quickly terminate existing port forwardings and create new ones during the SSH connection. ...

Keep a pulse on the Address Resolution Protocol traffic

Today I will mention about arpwatch utility (developed by LBNL’s Network Research Group) as it is a small and very useful tool that will keep track of the Ethernet/IP address pairings and log every change which you can monitor and analyze. ...

How to easily access files over SSH protocol

I am constantly using SSH to transfer files between home notebook and remote servers. Basic scp tool is great but sometimes it is more convenient to mount remote file-system to easily access files over SSH protocol. ...

How to change the MAC address of an Ethernet interface

Change the MAC address of an Ethernet interface and make this change permanent. I will briefly explain how to do this using standard commands and one particularly useful tool MAC Changer. ...

How to create VLAN interface

VLAN (virtual local area network) is very useful concept as you can easily separate device management from users by using appropriate network devices and configuration. I will describe here in a form of a short note how to create VLAN interface using Debian system. ...

OpenWRT on Ubiquiti AirRouter

Recently I installed OpenWRT on Ubiquiti AirRouter as original firmware lacks in couple of areas. Installation is easy and straightforward as all you need to do at the time of writing this post is to use Attitude Adjustment release. ...

How to set up SSH port forwarding

SSH port forwarding is a nice feature that allows to create encrypted tunnels over unsecured network. It is easy and straightforward to remember and use in daily work so I will describe it here with couple of examples. ...

Ubuntu – How to use persistent encrypted partition

Simple solution using Linux Unified Key Setup. ...

Ubuntu – How to use encrypted tmp partition

The answer is to recreate encrypted tmp partition every boot with random key as you do not need to keep temporary data in memory. ...

Ubuntu – How to encrypt swap partition

Create partition for swap (/dev/sdaX in this example). Prepare and enable it using mkswap and swapon commands. If you already use swap partition then omit these steps. $ sudo mkswap /dev/sdaX Setting up swapspace version 1, size = 4194300 KiB no label, UUID=325d9718-8532-460d-afec-74e6aee9ae5f $ sudo swapon /dev/sdaX Execute ecryptfs-setup-swap script (it is part of ecryptfs-utils package): $ sudo ecryptfs-setup-swap WARNING: An encrypted swap is required to help ensure that encrypted files are not leaked to disk in an unencrypted format....

How to print contents of virtual console terminal

Sometimes it a good idea to check or just store contents of the virtual console terminal (/dev/vcs[1-63] device). ...

OSF Data Loss

Check out OSF Data Loss a research project aimed at documenting known and reported data loss incidents world-wide.

How to check established TCP connections

Display established TCP connections inside the terminal. ...

How to force sudo to forget password

When you want to leave terminal open but force sudo to forget password then enter command: $ sudo -K

Secure personal data management

I tend to forget passwords from time to time so I installed KeePassX today. Now I can store them in one place, organize and perform auto type. ...

Small proxy for enhanced security, privacy and ads filtering

I prefer to use a small netbook over a desktop pc for light web browsing at home. It’s very comfortable but I need something to filter out advertisements. ...

How much your browser tells about you?

Simple answer is a lot! ...

Keep your finger on the pulse with BugTraq

Keep your finger on the pulse with BugTraq which is a mailing list discussing software security related issues. ...

Google DNS servers

A long time ago my provider had some temporary problems with DNS service. The solution was quite simple – use the Google Public DNS servers: 8.8.8.8 8....

HTTPS Everywhere

Checkout HTTPS Everywhere (Firefox and Chrome extension) to automatically rewrite your requests to use HTTPS protocol. ...