Security

Area 41

Area41 Looking Forward to the next Security Congress in Zurich https://www.area41.io . It’s sold out since a while, happy i got a early ticket :) … and all the Talks are online … https://www.youtube.com/watch?v=Hs5olUBX2cg&list=PLv-PXy2JVviu32C4U6F8KHKcyL4s-i_Fo sha256: 07f41198ed084963405456466b567179077366052c560295e9868a0046f0a714

Nginx - Log Headers

How to enable Logging with Headers for Nginx Assuming you have a running setup and you want to enable logging with headers for debug and learning purposes ? Add Lua doas pkg_add nginx-lua-- and you get … doas pkg_info -L nginx-lua-- Information for inst:nginx-lua-1.20.1p0 Files: /var/www/modules/ndk_http_module.so /var/www/modules/ngx_http_lua_module.so Enable Modules in /etc/nginx/nginx.conf add two lines on Top load_module "modules/ndk_http_module.so"; load_module "modules/ngx_http_lua_module.so"; Enhance Logging add the following to the “http” Section log_format log_req_resp '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" ' '$request_time req_header:"$req_header" ' 'resp_header:"$resp_header"'; Enable Logging add the following lines to your virtual Host Section

AGE - Encrypt Files with SSH Keys

Stumbled upon something that I’ve missed for a long time: encrypting files with the ssh public key :) Source https://github.com/FiloSottile/age Install Package OpenBSD (and most others *nix systems) got a package for age. Just install it. doas pkg_add age Asymmetric Encryption Asymmetric Encryption encrypts and decrypts the data using two separate yet mathematically connected cryptographic keys. These keys are known as a ‘Public Key’ and a ‘Private Key’. Together, they’re called a ‘Public and Private Key Pair’

RPKI for Home Usage

Resource Public Key Infrastructure you may know what RPKI is … It’s a PKI Framework for improving Security for the Internet Routing Infrastructure based on BGP. As a HomeUser or Small/Medium Size Company, you normally don’t have a Full BGP Table and multipe Upstream Providers. You have one Internet Router or Firewall and you get a Default Route from your ISP. With OpenBGPD and the current rpki extensions, you “just” need a Full BGP Feed and then, you can filter all invalid ROA’s and keep your Routing (and Internet Access) more Secure.

SSH Audit

ssh-audit is a tool for ssh server auditing. Features SSH1 and SSH2 protocol server support; grab banner, recognize device or software and operating system, detect compression; gather key-exchange, host-key, encryption and message authentication code algorithms; output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc); output algorithm recommendations (append or remove based on recognized software version); output security information (related issues, assigned CVE list, etc); analyze SSH version compatibility based on algorithm information;

Ed25519

like ssh and secure keys ? Generate Secure Key ssh-keygen -o -a 100 -t ed25519 -C "MyFamousComment" ssh-keygen -o -a 100 -t ed25519 -C "`whoami` `hostname`" ssh-keygen -o -a 100 -t ed25519 -C "`whoami` `hostname` `date \"+%Y-%m-%d\"`" ssh-keygen -o -a 100 -t ed25519 -C "`whoami` `hostname` `date \"+%Y-%m-%d %H:%M\"`" What’s ed25519 ? Wikipedia about Curve25519 Distribute Key ssh-copy-id user@remote-server-ip-or-dns-name Connect to Remote Connect to Remove without Agent Forwarding (use this unless you know what you’re dooing …)