May 22, 2020

xtables-addons: How to fix 'Can't open DBIP database' Error

When you are using the 3.8-* version of xtables-addons to harden your server with a geofense, chances are super high that things don’t work anymore… The latest problem occurs after you have downloaded the geo-ip-tables from Maxmind and try to convert the tables for the geofense with xt_geoip_build. You get this error: Can't open DBIP database. The simple reason for this is that the developers of xtables-addons decided to get rid of Maxmind (maybe because they did that thing with the user accounts a couple of months ago? Read more

January 2, 2020

xt_geoip_dl vs. Maxmind Accounts

Since some time I use a geofence on my servers to ban all incoming requests that do not originate from DE. The company (Maxmind) that distributes up to date mappings from IP ranges to country codes (“geoip tables”) recently changed how they distribute these files. Now, you must have an account and license key to download the geoip tables. Note: everything is still free! The need for login credentials breaks the update mechanism for geoip tables which typically uses xt_geoip_dl. Read more

March 26, 2019

Playing with WireGuard VPN

Since a couple of years I use OpenVPN to access my home network from remote and also to protect my traffic when I am traveling and have to use WiFi networks I do not completely trust. Unfortunately, the iOS VPN client does not work for me anymore so I needed an alternative. My Fritz Box (German home WiFi router brand) actually supports an IPSec VPN. However, iOS’s VPN client is horrible. Read more

March 16, 2019

xtables-addons-common on Ubuntu 18.04

Last year in June I set up geofence on my home server to ban all access not coming from DE. In January I noticed that things did not work anymore. A bit of research revealed, that the company that provides the needed GeoIP tables decided to stop shipping them in format A and only offered the tables in format B. So neither the script that downloads the tables (xt_geoip_dl) nor the script that converts the tables (xt_geoip_build) into the binary format that xt_geoip can digest to block connections attempts worked anymore. Read more

July 24, 2018

Hardening a Server with a Geofence

I recently noticed some odd HTTP requests on my web server, which I exclusively use for private purposes like hosting Nextcloud, GOGS, or Wallabag. I did a bit of research where these requests come from – just fire something like for elem in $(awk '{print $1 | "sort | uniq"}' /var/log/nginx/access.log); do curl ipinfo.io/$elem; done – and found out that they all originate from Russia, China or India. That sounds a bit suspicious to me. Read more

January 2, 2017

Automatic Renewal of Let's Encrypt Certificates

Since a couple of months I deliver all my websites by HTTPS only. Certificates are issued by Let’s Encrypt and I use Certbot as a certification client (hope that is the correct word). This works quite well, actually. However, the certificates from Let’s Encrypt have one drawback: they expire after 90 days. Hence, you need to renew the certificate now and then. The description from the Certbot page does not work for me as the renew verb of the certbot command would create one certificate (with many common names) for all pages served by the server. Read more

February 12, 2016

Checking a Web Server's TLS Configuration

Yesterday I reinstalled my virtual server and also created a new configuration for the Apache web server that fixed some issues of the old one. I also wanted to know how well the Apache is configured regarding the security of TLS. Some days earlier, I stumbled upon SSL Labs, a site offering some automatic checks regarding certificate, server configuration and the used server software itself. Seems the server is quite fine. Read more

May 15, 2015

Messing With DNS Using NFQUEUE and Scapy

Some days ago I taught myself a little about NFQUEUE and Python. Meanwhile I dug a little more into the matter and looked into building new network packets. In this special case I wanted to create DNS packets. The idea was to intercept DNS requests with Netfilter and return a fake IP address in a faked DNS response. Messing with packets in Python is quite easy to do when you use the Python bindings for Scapy, a quite powerful packet manipulation tool. Read more

March 13, 2015

Publishing PGP keys in DNS

In most cases people publish their GPG Key on a key server which (typically) syncs keys with other key servers. Yesterday I learned that there’s an other option: When you are in control of a DNS server you can publish your key (or more specifically: a pointer to that key) in a DNS TXT record. So what you’re doing is the following: you export your public key to a file, preferably ASCII armored Read more

March 4, 2015

encfs + GnuPG

Yesterday I discussed with somebody that it would be cool to use encfs on a folder shared with several people. The word “folder” can be understood as a Samba share, a Subversion repository, or a Dropbox. Obviously, the show stopper here is the exchange of the symmetric key needed by encfs. So let’s use our GnuPG keys! The idea of the script is as follows: generate a symmetric key $encfsKey for encfs using /dev/urandom wrap $encfsKey using GnuPG; the $receivers variable holds the IDs of all people that should be allowed to decrypt $encfsKey (the folder) plus your own ID (you also want to decrypt! Read more

© ho1ger 2015 - 2021