Nginx: enable HSTS (force SSL for users)

18 September 2014 in Debian, Hi-Tech, Linux, Red Hat, Security, Web

I recently heard of HSTS which is a way to force users to come back to your website in SSL if they’ve already be to HTTPS once. It is simple, just add this line: # HSTS (force users to come in SSL if they've already been once) add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; If you want to have an overview of a complete configuration with it, look at the my wiki.

NAXSI: Add security to your Nginx

15 April 2014 in Debian, Hi-Tech, Linux, Security

NAXSI means Nginx Anti Xss & Sql Injection. Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple rules (naxsi_core.rules) containing 99% of known patterns involved in websites vulnerabilities. For example, ‘< ‘, ‘|’ or ‘drop’ are not supposed to be part of a URI. It’s been a while that I wanted to test NAXSI and it seams working not so bad.

OpenSSL: diagnose and correct the heartbleed issue

8 April 2014 in Debian, Hi-Tech, Linux, Security

A big and major issue on OpenSSL has been discovered and everybody is talking about it. To get more informations, there’s a website. How to check the vulnerability, download this file: chmod 755 ssltest.py Now launch it: ./ssltest.py blog.deimos.fr Connecting... Sending Client Hello... Waiting for Server Hello... ... received message: type = 22, ver = 0302, length = 66 ... received message: type = 22, ver = 0302, length = 5559 .

Nftables : now available on 3.13 kernel !

27 January 2014 in Hi-Tech, Linux, Security

I already talked about nftables and it has now been implemented in the 3.13 kernel ! For those who never heard of that, it’s a kernel built in replacement of iptables. All features are not there yet but should be implemented in 3.15. If you like Packet Filter, you’ll be happy. If you’re not sure of the advantages of it, simply read that short comparison and you’ll be convinced : https://home.

Iptables is going to be replaced by NFtables

24 November 2013 in Debian, Linux, Red Hat, Security

If you’re not aware that the next kernel version will replace iptables by nftables, it’s time to learn on how it works, what are the features, why the change and how to use it. If like me, you love PF, you’ll be pleased to find a similar syntax on NFtables ! To have a good introduction on it, look at those slides :

Yubikey : protect your desktop authentication using pam and yubikey library

9 July 2013 in Debian, Hi-Tech, Linux, Security

I’ve bought 2 Yubikeys several months ago and didn’t really took the time to play with them. A ex-colleague took that time and configured it on his desktop under ArchLinux. I decided to play with it, see how could it works and with his help, put it in place in a very short time. I configured it to work in parallel of my password. With that configuration, I do not need anymore typing my password, but only need to plug in my Yubikey.

2ème et dernier jour au FOSDEM !

5 February 2013 in Debian, Developement, HA, Hi-Tech, Linux, Others, Private life, Puppet, Red Hat, Security, SQL, Virtualization, Web

Avant d’attaquer le 2 ème jour, je vais finir sur le premier (la suite d’hier). Un des supers sujet était Bind 10 que j’attendais avec impatience. Il n’y a malheureusement eu d’informations sur les nouveautés aidant a la HA. Cependant il a été totalement réécrit pour supporter + de 100 cores alors qu’aujourd’hui au delà de 6, il y a des problèmes de performances. On a également (et étrangement) un serveur DHCP qui est intégré a Bind.

OLDER POSTS
page 1 of 2