I recently heard of HSTS, which is a way to force users to come back to your website over SSL if they have already been to it over HTTPS once. It is simple, just add this line:

# HSTS (force users to come in SSL if they've already been once)
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

If you want an overview of a complete configuration with it, look at my wiki.

As you may know, related to a previous post, I was using the Aviate launcher on Android. I was so happy with it that I started to talk about it around me and promoted it. My friend Romaric (@evoxmusic) informed me that this software required too much access in his opinion and that I should look at the privacy policy of Aviate. After starting to read it, I found this: we may collect Personal Information such as your name, email address, phone number, location information, unique device identifier, and third-party account credentials (for example, your log-in credentials for Facebook or other third party sites)

Last week, I was faced with a big sniffing issue on my wiki. The guy wanted to download all my wiki content. In reality I do not really care, as it is open, free to read, and contributions are welcome. However, the current VM where the blog and wiki are running didn't support the aggressive sniffing this guy did. That's why the CPUs were at 100% usage because of PHP requests, and PHP-FPM was overloaded (it reached my configuration limits).

NAXSI means Nginx Anti XSS & SQL Injection. Technically, it is a third-party nginx module, available as a package for many UNIX-like platforms. By default, this module reads a small subset of simple rules (naxsi_core.rules) containing 99% of the known patterns involved in website vulnerabilities. For example, '<', '|' or 'drop' are not supposed to be part of a URI. I had wanted to test NAXSI for a while, and it seems to work reasonably well.

A big and major issue in OpenSSL has been discovered and everybody is talking about it. To get more information, there's a website. To check the vulnerability, download this file:

chmod 755 ssltest.py

Now launch it:

./ssltest.py blog.deimos.fr
Connecting...
Sending Client Hello...
Waiting for Server Hello...
 ... received message: type = 22, ver = 0302, length = 66
 ... received message: type = 22, ver = 0302, length = 5559

I already talked about nftables, and it has now been implemented in the 3.13 kernel! For those who have never heard of it, it's a kernel built-in replacement for iptables. Not all features are there yet, but they should be implemented in 3.15. If you like Packet Filter, you'll be happy. If you're not sure of its advantages, simply read this short comparison and you'll be convinced: https://home.

If you're not aware that the next kernel version will replace iptables with nftables, it's time to learn how it works, what the features are, why the change, and how to use it. If, like me, you love PF, you'll be pleased to find a similar syntax in nftables! For a good introduction, look at these slides: Kernel Recipes 2013 - Nftables, what motivations and what solutions, from Anne Nicolas

Pierre Mavro / Deimosfr

BirdSight Co-Founder and CTO  •  Staff SRE Lead at Criteo

Paris - France