Security on traviscj/blog

switching over to https

Fri, 15 Apr 2016 00:00:00 +0000

One of the things I’ve been meaning to do forever is switch things over to https. By “things”, I mean the set of websites I run for some family and friends. I tried it out with my personal website first, then flipped over the rest.

implementation notes

I used the letsencrypt start guide to generate the certificates.
Modified the nginx config to: a. serve ssl/https traffic on port 443 for the given domain with the proper https certificates/etc. b. forward non-ssl/http traffic on port 80 to port 443 for the given domain

verification

It turns out that the nginx configuration files are a little bit error prone. This probably means that I am doing something wrong, like not using some configuration management tool like puppet or ansible or whatever. But for something as small scale as my site, it doesn’t really meet the cost-benefit threshold for learning a new tool/language. I also even considered spinning up a simple one-off configuration generator that I’d need to figure out how to override and extend as needed.

SSL Cert Reissue

Wed, 09 Apr 2014 00:00:00 +0000

Like many others, I have been hit by the heartbleed bug, which kinda sucks. I don’t use SSL for anything very critical, but I do use it at [tcj.io tcj.io], my “projects” website. My host, Linode, has done a great job of providing tutorials on how to deal with the situation. The obvious first step (a couple of days ago) was to upgrade openssl itself:

apt-get update
apt-get upgrade

But this only prevents the server from leaking keys going forward. Since the vulnerability was in the wild for quite some time, I thought it prudent to reissue the certificates as well. Now that I had a bit more time, I went ahead and did a reissue to make sure that nothing going forward gets leaked. This is (as usual) a bit annoying, because of the verification procedure at [Gandi gandi.net]. Otherwise, they’re pretty solid though, so I guess I’ll give them a pass on this one. And they did allow a reissue without revoking, so that’s a good step!

More cracking D-Link Files

Wed, 27 Jun 2012 00:00:00 +0000

Somehow, in the process of a router reconfiguration, I reset the password without the new password getting saved into 1Password. So I found myself locked out of my own router. I was about to reset it, thinking, “Hey, at least I have a backup of the settings from 2 nights ago!” and then realized, “I bet that settings file has the password right in it.”

Googling around a bit turned up this guy, but he only wrote VBA and a Windows binary. His pseudo-code looked pretty easy to translate into Python, so I did just that. Here’s the result: D-Link DIR615 B2 v2.25 Decoder (no encoder, yet…)

Found - Wordpress Spam Virus in Theme files

Wed, 01 Apr 2009 00:00:00 +0000

Almost a month ago, I was helping my good buddy Beals get his Wordpress website set up. On looking close, I noticed something a little weird in a theme he had found(NOT Wordpress proper, to be clear):

D-69-91-134-36:black-abstract-20 tjohnson$ ls -alh *
-rw-r--r--  1 tjohnson staff  528 2008-07-24 08:35 404.php
-rw-r--r--  1 tjohnson staff 3.9K 2008-07-24 08:35 comments.php
-rw-r--r--  1 tjohnson staff 8.0K 2008-10-22 20:44 footer.php
-rw-r--r--  1 tjohnson staff  871 2008-10-22 10:10 functions.php
[more removed here]

As you can see, the footer and functions files are both modified much more recently than every other file, which seemed strange to me. So I took a look at the file:

GenHosts

Tue, 24 Feb 2009 00:00:00 +0000

Winter quarter 08, the hosts.allow files used by tcpwrappers was getting unwieldy. For one thing, we had certain groups of hosts that were all allowed to connect to eachother anywhere, some groups that were only allowed one port on one computer, some that were allowed certain parts of machines. It was basically a mess to try and keep up with it. So I wrote a set of scripts to let us update one place and have it synchronize everywhere else, all in very simple XML files.

Johnson vs Acronis

Sat, 02 Aug 2008 00:00:00 +0000

The story goes something like this: Originally, we used external hard drives plugged in via USB to our servers to back up our servers. This worked well, except that we had two external drives and 7 servers. About this time I started working this job and immediately set up a MediaWiki website for storing documentation and a Mantis Bug Tracker website for storing information about ongoing projects–I think I’ll try to write a post about that at some point as well. Anyways, these two websites originally ran on my personal webserver in Prosser, but we decided to run them on a company-owned server instead, and that this new machine could act as both a backup server and a webserver for those two websites.

PHP Vulnerability Checklist

Thu, 10 Jul 2008 12:00:00 +0000

Ray(the boss) and I were chatting about how we should implement our secure upload page. The way it should work is, an IP is added to the genhosts database, it sets up a 5 minute wait, and at the end of five minutes, redirects to the data upload page, at which point the computer is allowed to connect, since the new IP has propogated into /etc/hosts.allow(via a cronjob that takes MySQL entries and parses them(via HTTP and XML) into the standard /etc/hosts.allow format). It’s basically working, but we’re having a bunch of trouble getting IE and Firefox to redirect, since IE apparently detects my window.location.href and location.replace calls as popups, and blocks them.

NSA's RHEL5 Guide

Mon, 07 Jul 2008 00:00:00 +0000

One of my tasks at work is to write up a security checklist of sorts, and from one of Ryan’s notes, I happened across the NSA’s Red Hat Enterprise Linux 5 guide. It’s pretty cool and covers basically everything. Have a look