I recently heard of HSTS which is a way to force users to come back to your website in SSL if they’ve already be to HTTPS once. It is simple, just add this line: # HSTS (force users to come in SSL if they've already been once) add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; If you want to have an overview of a complete configuration with it, look at the my wiki.
Last week, have been faced on a big sniffing issue on my wiki. The guy wanted to download all my wiki content. In reality I do not really care as it is open, free for read and contribution is welcome. However, the current VM where the blog and wiki are running didn’t support aggressive sniffing that this guy made. That’s why CPUs were at 100% of usage because of PHP requests, PHP-FPM was overloaded (reached my configuration limits).
NAXSI means Nginx Anti Xss & Sql Injection. Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple rules (naxsi_core.rules) containing 99% of known patterns involved in websites vulnerabilities. For example, ‘< ‘, ‘|’ or ‘drop’ are not supposed to be part of a URI. It’s been a while that I wanted to test NAXSI and it seams working not so bad.
A big and major issue on OpenSSL has been discovered and everybody is talking about it. To get more informations, there’s a website. How to check the vulnerability, download this file: chmod 755 ssltest.py Now launch it: ./ssltest.py blog.deimos.fr Connecting... Sending Client Hello... Waiting for Server Hello... ... received message: type = 22, ver = 0302, length = 66 ... received message: type = 22, ver = 0302, length = 5559 .
I already talked about nftables and it has now been implemented in the 3.13 kernel ! For those who never heard of that, it’s a kernel built in replacement of iptables. All features are not there yet but should be implemented in 3.15. If you like Packet Filter, you’ll be happy. If you’re not sure of the advantages of it, simply read that short comparison and you’ll be convinced : https://home.
If you’re not aware that the next kernel version will replace iptables by nftables, it’s time to learn on how it works, what are the features, why the change and how to use it. If like me, you love PF, you’ll be pleased to find a similar syntax on NFtables ! To have a good introduction on it, look at those slides : Kernel Recipes 2013 - Nftables, what motivations and what solutions from Anne Nicolas
- OLDER POSTS
- page 1 of 3