January 2, 2020

xt_geoip_dl vs. Maxmind Accounts

For some time I have used a geofence on my servers to ban all incoming requests that do not originate from DE. The company (Maxmind) that distributes up-to-date mappings from IP ranges to country codes (“geoip tables”) recently changed how they distribute these files. Now you must have an account and license key to download the geoip tables. Note: everything is still free! The need for login credentials breaks the update mechanism for geoip tables, which typically uses xt_geoip_dl.

March 26, 2019

Playing with WireGuard VPN

For a couple of years I have used OpenVPN to access my home network remotely and also to protect my traffic when I am traveling and have to use WiFi networks I do not completely trust. Unfortunately, the iOS VPN client does not work for me anymore, so I needed an alternative. My Fritz Box (German home WiFi router brand) actually supports an IPSec VPN. However, iOS's VPN client is horrible.

March 16, 2019

xtables-addons-common on Ubuntu 18.04

Last year in June I set up a geofence on my home server to ban all access not coming from DE. In January I noticed that things did not work anymore. A bit of research revealed that the company that provides the needed GeoIP tables decided to stop shipping them in format A and only offered the tables in format B. So neither the script that downloads the tables (xt_geoip_dl) nor the script that converts the tables (xt_geoip_build) into the binary format that xt_geoip can digest to block connection attempts worked anymore.

July 24, 2018

Hardening a Server with a Geofence

I recently noticed some odd HTTP requests on my web server, which I exclusively use for private purposes like hosting Nextcloud, GOGS, or Wallabag. I did a bit of research into where these requests came from – just fire something like for elem in $(awk '{print $1 | "sort | uniq"}' /var/log/nginx/access.log); do curl ipinfo.io/$elem; done – and found out that they all originate from Russia, China or India. That sounds a bit suspicious to me.

January 2, 2017

Automatic Renewal of Let's Encrypt Certificates

For a couple of months I have delivered all my websites over HTTPS only. Certificates are issued by Let’s Encrypt and I use Certbot as a certification client (hope that is the correct word). This works quite well, actually. However, the certificates from Let's Encrypt have one drawback: they expire after 90 days. Hence, you need to renew the certificate now and then. The description from the Certbot page does not work for me, as the renew verb of the certbot command would create one certificate (with many common names) for all pages served by the server.

February 12, 2016

Checking a Web Server's TLS Configuration

Yesterday I reinstalled my virtual server and also created a new configuration for the Apache web server that fixed some issues of the old one. I also wanted to know how well Apache is configured regarding the security of TLS. Some days earlier, I stumbled upon SSL Labs, a site offering some automatic checks regarding the certificate, the server configuration and the server software itself. It seems the server is quite fine.

May 15, 2015

Messing With DNS Using NFQUEUE and Scapy

Some days ago I taught myself a little about NFQUEUE and Python. Meanwhile I dug a little more into the matter and looked into building new network packets. In this particular case I wanted to create DNS packets. The idea was to intercept DNS requests with Netfilter and return a fake IP address in a faked DNS response. Messing with packets in Python is quite easy to do when you use the Python bindings for Scapy, a quite powerful packet manipulation tool.

March 13, 2015

Publishing PGP keys in DNS

In most cases people publish their GPG key on a key server, which (typically) syncs keys with other key servers. Yesterday I learned that there's another option: when you are in control of a DNS server you can publish your key (or more specifically: a pointer to that key) in a DNS TXT record. So what you're doing is the following: you export your public key to a file, preferably ASCII armored

March 4, 2015

encfs + GnuPG

Yesterday I discussed with somebody that it would be cool to use encfs on a folder shared with several people. The word “folder” can be understood as a Samba share, a Subversion repository, or a Dropbox. Obviously, the show stopper here is the exchange of the symmetric key needed by encfs. So let's use our GnuPG keys! The idea of the script is as follows: generate a symmetric key $encfsKey for encfs using /dev/urandom; wrap $encfsKey using GnuPG; the $receivers variable holds the IDs of all people that should be allowed to decrypt $encfsKey (the folder) plus your own ID (you also want to decrypt!

February 15, 2015

Update PGP Key

Again some notes, mostly for myself… I wanted to update both my (private/office) 2048-bit GPG keys to a (single) 4096-bit key. Here are some handy commands. Start with generating a new key:
gpg --gen-key
Select an RSA/RSA 4096-bit key… Edit your new key, add all mail addresses you need. Also set your preferred hash and crypto algorithms.
gpg --edit-key NEWKEYID
> adduid
> ...
> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> quit
Make a backup of your new key…

February 12, 2015

Some Notes on GnuPG on Mac

Recently I have been playing a little with GnuPG and I wanted to document some things, mostly for myself…
GnuPG on Macs
It seems that GnuPG version 2 available in Homebrew is broken. Instead use MacGPG2. If you do not want to compile this yourself, there is also a handy installer available, which comes with a plugin for Apple Mail and a graphical tool for key management.
Command Line Voodoo
Creating a signature of a file (= create hash value of file + encrypting hash value with own private key):

August 7, 2014

Bitmessage

I found a nice application which might replace email at some point: Bitmessage. Basically, Bitmessage creates a peer-to-peer network, i.e., a network of equal participants. The quite interesting feature of this app is that it broadcasts messages to (all) participants in this P2P network. As the message is encrypted with the public key of the intended receiver, only this person is able to decrypt the message. The cool feature now is that nobody knows who was able to decrypt the message.

July 21, 2014

Using OpenVPN as a Home Gateway + Internet Gateway

Well, first of all I need to explain my headline: up to now I have operated my OpenVPN server at home as a gateway into my home network. When I connect a mobile device to the OpenVPN I can use the services I run inside the private home network remotely. All other traffic (surfing the web, mailing, etc.) does not flow over the tunnel. This is in most cases what I want, as tunneling EVERYTHING through my home server would be quite s l o w.

© holger 2015 - 2020