I recently heard of HSTS, which is a way to force users to come back to your website over SSL if they have already visited it over HTTPS once. It is simple, just add this line:

To enable HSTS (forcing users to come back over SSL if they have already visited once), add this header to the nginx configuration:

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

If you want an overview of a complete configuration with it, look at my wiki.


NAXSI means Nginx Anti XSS & SQL Injection. Technically, it is a third-party nginx module, available as a package for many UNIX-like platforms. By default, this module reads a small set of simple rules (naxsi_core.rules) containing 99% of the known patterns involved in website vulnerabilities. For example, '<', '|' or 'drop' are not supposed to be part of a URI. I have wanted to test NAXSI for a while, and it seems to be working not so badly.

A big and major issue in OpenSSL has been discovered and everybody is talking about it. For more information, there is a website. To check for the vulnerability, download this file:

    chmod 755 ssltest.py

Now launch it:

    ./ssltest.py blog.deimos.fr
    Connecting…
    Sending Client Hello…
    Waiting for Server Hello…
    … received message: type = 22, ver = 0302, length = 66
    … received message: type = 22, ver = 0302, length = 5559

I already talked about nftables, and it has now been implemented in the 3.13 kernel! For those who have never heard of it, it is a kernel built-in replacement for iptables. Not all features are there yet, but they should be implemented in 3.15. If you like Packet Filter, you will be happy. If you are not sure of its advantages, simply read this short comparison and you will be convinced: https://home.

If you are not aware that the next kernel version will replace iptables with nftables, it is time to learn how it works, what the features are, why the change, and how to use it. If, like me, you love PF, you will be pleased to find a similar syntax in nftables! For a good introduction, look at these slides: Kernel Recipes 2013 - Nftables, what motivations and what solutions, from Anne Nicolas

I bought 2 Yubikeys several months ago and didn't really take the time to play with them. An ex-colleague took that time and configured one on his desktop under ArchLinux. I decided to play with it, see how it works and, with his help, put it in place in a very short time. I configured it to work in parallel with my password. With that configuration, I no longer need to type my password, but only need to plug in my Yubikey.

Before tackling day 2, I will finish with the first day (the continuation of yesterday). One of the great topics was Bind 10, which I had been waiting for eagerly. Unfortunately, there was no information on the new features that help with HA. However, it has been completely rewritten to support more than 100 cores, whereas today there are performance problems beyond 6. There is also (and strangely) a DHCP server integrated into Bind.

Pierre Mavro / Deimosfr


SRE Lead DevOps at Criteo  •  Nousmotards Co-Founder

Paris - France