Nginx: enable HSTS (force SSL for users)

18 September 2014 in Debian, Hi-Tech, Linux, Red Hat, Security, Web

I recently heard of HSTS which is a way to force users to come back to your website in SSL if they’ve already be to HTTPS once. It is simple, just add this line: # HSTS (force users to come in SSL if they've already been once) add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; If you want to have an overview of a complete configuration with it, look at the my wiki.

Android: Aviate launcher danger and F-Droid

25 May 2014 in Android, Hi-Tech, Security

As you may know, related to a previous post, I was using Aviate launcher on Android. I was so happy with it that I started to speak about it around me and promoted it. My friend Romaric (@evoxmusic) informed me that this software required too much access in his opinion and that I should look at the privacy policy of Aviate. After starting reading it, I could find this: we may collect Personal Information such as your name, email address, phone number, location information, unique device identifier, and third-party account credentials (for example, your log-in credentials for Facebook or other third party sites)

Nginx: limit flooding and aggressive sniffing

21 May 2014 in Debian, Hi-Tech, Linux, Security, Web

Last week, have been faced on a big sniffing issue on my wiki. The guy wanted to download all my wiki content. In reality I do not really care as it is open, free for read and contribution is welcome. However, the current VM where the blog and wiki are running didn’t support aggressive sniffing that this guy made. That’s why CPUs were at 100% of usage because of PHP requests, PHP-FPM was overloaded (reached my configuration limits).

NAXSI: Add security to your Nginx

15 April 2014 in Debian, Hi-Tech, Linux, Security

NAXSI means Nginx Anti Xss & Sql Injection. Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple rules (naxsi_core.rules) containing 99% of known patterns involved in websites vulnerabilities. For example, ‘< ‘, ‘|’ or ‘drop’ are not supposed to be part of a URI. It’s been a while that I wanted to test NAXSI and it seams working not so bad.

OpenSSL: diagnose and correct the heartbleed issue

8 April 2014 in Debian, Hi-Tech, Linux, Security

A big and major issue on OpenSSL has been discovered and everybody is talking about it. To get more informations, there’s a website. How to check the vulnerability, download this file: chmod 755 ssltest.py Now launch it: ./ssltest.py blog.deimos.fr Connecting... Sending Client Hello... Waiting for Server Hello... ... received message: type = 22, ver = 0302, length = 66 ... received message: type = 22, ver = 0302, length = 5559 .

Nftables : now available on 3.13 kernel !

27 January 2014 in Hi-Tech, Linux, Security

I already talked about nftables and it has now been implemented in the 3.13 kernel ! For those who never heard of that, it’s a kernel built in replacement of iptables. All features are not there yet but should be implemented in 3.15. If you like Packet Filter, you’ll be happy. If you’re not sure of the advantages of it, simply read that short comparison and you’ll be convinced : https://home.

Iptables is going to be replaced by NFtables

24 November 2013 in Debian, Linux, Red Hat, Security

If you’re not aware that the next kernel version will replace iptables by nftables, it’s time to learn on how it works, what are the features, why the change and how to use it. If like me, you love PF, you’ll be pleased to find a similar syntax on NFtables ! To have a good introduction on it, look at those slides :

OLDER POSTS
page 1 of 3