Linux Desktop Firewall and VPN

Posted: 2017-04-29 22:06:05 by Alasdair Keyes

Direct Link | RSS feed


I use Linux Mint as my OS on my Laptop as well as OpenVPN for all external traffic.

The Ubuntu/Mint NetworkManager can be instructed to connect to a VPN when the network comes up, which is great for privacy; however, there are three situations I've noticed where this falls short.

There have been a few instances where these have occurred and it meant I was sending out traffic insecurely until I noticed.

To combat this I set UFW to reject all packets on the OUTPUT chain by default. This means my laptop is unable to send any packets over any network device (as long as the firewall is running). I then added the following rules to /etc/ufw/user.rules to allow outbound traffic only where it should go. Note that ufw rewrites user.rules itself whenever rules are added or removed with the ufw command, so check the file again after using it (or keep a copy of these lines).

### Allow the host's own packets out to LXC containers over the LXC bridge
### (the containers' own traffic passes through FORWARD, not OUTPUT)
-A ufw-user-output -o lxcbr0 -j ACCEPT
### Allow the host's own packets out over the containers' veth devices
-A ufw-user-output -o veth+ -j ACCEPT

### Allow traffic out through the OpenVPN tun0 interface
-A ufw-user-output -o tun0 -j ACCEPT

### Allow the VPN handshake itself to my VPN host on the wireless interface
### (this server listens on TCP 1194; use -p udp if yours listens on UDP)
-A ufw-user-output -o wlp8s0 -p tcp --dport 1194 -d 9.8.7.6 -j ACCEPT

### Allow traffic out to my local network, on any interface
-A ufw-user-output -d 192.168.0.0/24 -j ACCEPT

### Allow traffic out to VirtualBox host-only network devices
-A ufw-user-output -o vboxnet+ -j ACCEPT

Equivalent rules are needed in /etc/ufw/user6.rules for IPv6. Be careful not to allow IPv6 out on the physical interface there if your VPN only carries IPv4, or IPv6 traffic will simply bypass the tunnel.

Now if the VPN doesn't connect or drops out unexpectedly, I lose connectivity, but I won't be sending out unsecured traffic and I can just reconnect. One thing this ruleset does not cover is DNS: the local-network rule lets queries reach a resolver on 192.168.0.0/24 (typically the home router) whether or not the tunnel is up, so if you want DNS inside the tunnel too, point the resolver at one that is only reachable via tun0, or narrow the local-network rule to the ports you actually need.
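The way to trust a kill switch is to simulate packets against it before relying on it. The following is an added example, not part of the original post and not part of ufw: it parses the -A ufw-user-output lines above (iptables-restore syntax), then walks constructed packets through the chain the way iptables does, first match wins and, with a deny-by-default outgoing policy, anything unmatched is dropped. Only the match options those rules use (-o, -p, --dport, -d) are modelled; ufw's own before/after chains and source-based matches are assumptions left out. The probe list at the bottom is constructed, and 9.8.7.6 stands in for the real VPN endpoint as in the post.

```python
"""Offline leak check for the ufw-user-output rules from the post.

Added example: parses the rules, then asks for each constructed probe whether
the packet would leave the physical interface in the clear. Only -o, -p,
--dport and -d are modelled; ufw's before/after chains are not.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ruleset from the post (9.8.7.6 stands in for the real VPN endpoint).
RULES = """
-A ufw-user-output -o lxcbr0 -j ACCEPT
-A ufw-user-output -o veth+ -j ACCEPT
-A ufw-user-output -o tun0 -j ACCEPT
-A ufw-user-output -o wlp8s0 -p tcp --dport 1194 -d 9.8.7.6 -j ACCEPT
-A ufw-user-output -d 192.168.0.0/24 -j ACCEPT
-A ufw-user-output -o vboxnet+ -j ACCEPT
"""


@dataclass
class Rule:
    out_iface: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    target: str


def parse_rules(text: str) -> List[Rule]:
    """Parse -A ufw-user-output lines. An option we do not model raises,
    rather than silently mis-simulating the chain."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if toks[:2] != ["-A", "ufw-user-output"]:
            continue
        opts = {"-o": None, "-p": None, "--dport": None, "-d": None, "-j": None}
        i = 2
        while i < len(toks):
            if toks[i] not in opts or i + 1 >= len(toks):
                raise ValueError(f"unsupported option {toks[i]!r} in: {line}")
            opts[toks[i]] = toks[i + 1]
            i += 2
        rules.append(Rule(
            out_iface=opts["-o"],
            proto=opts["-p"],
            dport=int(opts["--dport"]) if opts["--dport"] else None,
            dst=ipaddress.ip_network(opts["-d"], strict=False) if opts["-d"] else None,
            target=opts["-j"] or "ACCEPT",
        ))
    return rules


def iface_matches(pattern: str, iface: str) -> bool:
    """iptables treats a trailing '+' as a prefix wildcard: veth+ matches veth1a2b."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def verdict(rules: List[Rule], iface: str, dst: str,
            proto: str = "tcp", dport: int = 443, default: str = "DROP") -> str:
    """Verdict for a locally generated packet leaving `iface` to dst:dport.
    First matching rule wins; `default` is ufw's deny-outgoing policy."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r.out_iface and not iface_matches(r.out_iface, iface):
            continue
        if r.proto and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.dst and addr not in r.dst:
            continue
        return r.target
    return default


# Constructed probes: flows that must not leave the physical interface in the
# clear, plus the two that legitimately may (VPN handshake, LAN).
PROBES: List[Tuple[str, str, int]] = [
    ("93.184.216.34", "tcp", 443),   # an arbitrary HTTPS site
    ("1.1.1.1", "udp", 53),          # a public DNS resolver
    ("9.8.7.6", "udp", 1194),        # VPN endpoint over UDP: the rule is TCP-only
    ("9.8.7.6", "tcp", 1194),        # the VPN handshake itself: allowed
    ("192.168.0.1", "udp", 53),      # DNS to the LAN router: allowed by the LAN rule
]


def find_clear_paths(rules: List[Rule], physical_iface: str) -> List[Tuple[str, str, int]]:
    """Probes the rules let out over the physical interface, i.e. outside the
    tunnel. Expect only the VPN handshake and LAN traffic here."""
    return [p for p in PROBES if verdict(rules, physical_iface, *p) == "ACCEPT"]


RULESET = parse_rules(RULES)

if __name__ == "__main__":
    for p in find_clear_paths(RULESET, "wlp8s0"):
        print("leaves wlp8s0 in the clear:", p)
    print("tun0 to 93.184.216.34:443 ->", verdict(RULESET, "tun0", "93.184.216.34"))
```

Running it lists exactly two clear-text paths on wlp8s0: the TCP 1194 handshake to the VPN host and DNS to the LAN router, which is the DNS caveat above made concrete. Extend PROBES with your own resolver, NTP or update servers before trusting a change to the rules.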


If you found this useful, please feel free to donate via bitcoin to 1NT2ErDzLDBPB8CDLk6j1qUdT6FmxkMmNz

Mozilla Observatory - How safe is your site

Posted: 2017-04-14 22:41:29 by Alasdair Keyes



Someone on the Nottingham Linux User Group posted about Mozilla Observatory today.

If you're a developer or sysadmin for any website it's worth checking out. It inspects the security-related HTTP headers your site returns and grades the site accordingly.

I was getting a B this afternoon and after a crash course in Referrer Policy and Content Security Policy I managed to get it up to an A+.

My site doesn't accept user-posted content, so the XSS protection this provides isn't too important to me. However, if your site does accept user-submitted content, then it really is critical that you implement this. XSS is still one of the most common web application vulnerabilities, and if you can make the browser help limit the damage, you can worry less about any bugs that creep into your code.
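To see what a grade like that is made of, it helps to check the headers yourself. The following is an added example, not Observatory's own scoring code and not part of the original post: it looks at the headers Observatory reports on (Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options and Referrer-Policy) and flags the common weak settings. The two header sets at the bottom are constructed rather than captured from any real site, and the six-month HSTS threshold is this example's choice.

```python
"""Response-header check in the spirit of Mozilla Observatory.

Added example, not Observatory's scoring logic. check_headers() takes one
response's headers and returns (header, problem) findings; an empty list is
a clean result. Sample header sets are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

MIN_HSTS_AGE = 15552000  # six months in seconds; threshold chosen for this example
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}
SCRIPT_NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split "directive src src; directive src" into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header, problem) findings for one response; [] means clean."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[Tuple[str, str]] = []

    # Content-Security-Policy: scripts must not be inline or loadable from anywhere.
    csp: Optional[Dict[str, List[str]]] = None
    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        scripts = csp.get("script-src", csp.get("default-src"))
        if scripts is None:
            findings.append(("Content-Security-Policy", "neither script-src nor default-src set"))
        else:
            # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
            if "'unsafe-inline'" in scripts and not any(s.startswith(SCRIPT_NONCE_OR_HASH) for s in scripts):
                findings.append(("Content-Security-Policy", "inline scripts allowed ('unsafe-inline' without nonce/hash)"))
            if any(s in ("*", "http:", "https:") for s in scripts):
                findings.append(("Content-Security-Policy", "scripts allowed from any origin"))
    else:
        findings.append(("Content-Security-Policy", "missing"))

    # Clickjacking: either CSP frame-ancestors or X-Frame-Options must be set.
    if not (csp and "frame-ancestors" in csp) and "x-frame-options" not in h:
        findings.append(("X-Frame-Options", "missing, and no CSP frame-ancestors"))

    # HSTS: present, and with a max-age long enough to matter.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append(("Strict-Transport-Security", "missing or no max-age"))
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(("Strict-Transport-Security", f"max-age {m.group(1)} is below {MIN_HSTS_AGE}"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff'"))

    # Referrer-Policy may list fallbacks; browsers apply the last one they understand.
    policies = [p.strip().lower() for p in h.get("referrer-policy", "").split(",") if p.strip()]
    if not policies:
        findings.append(("Referrer-Policy", "missing"))
    elif policies[-1] not in STRICT_REFERRER:
        findings.append(("Referrer-Policy", f"'{policies[-1]}' is weaker than the strict-origin family"))

    return findings


# Constructed sample responses, not captured from any real site.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; "
                               "img-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=86400",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, check_headers(hdrs) or "no findings")
```

The weak set is the shape of a "B": a CSP exists but allows inline scripts and any origin, so it buys no XSS protection, and the short HSTS max-age and leaky Referrer-Policy each cost a mark. Feed it the headers from curl -I against your own site to see what still needs fixing.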



Slimming down

Posted: 2017-03-24 20:24:16 by Alasdair Keyes



This evening the site was migrated from a mostly static site built with Template Toolkit's ttree, with the occasional PHP/Perl script to provide dynamic content, to a site built with..

The server is still running NGINX and PHP 5.6

The site is ready to run on PHP 7, however Debian still only provides 5.6. As soon as that's updated, I'll be running twice as fast.

If there's any odd behaviour 404/500/502 type errors, please let me know.

P.S. Whilst writing this, I noticed that the Doctrine Project and Twig don't have HTTPS sites.... come on guys!



Firejail

Posted: 2017-03-22 23:15:59 by Alasdair Keyes



I recently had some problems with some software on my laptop calling home and receiving an invalid response, which then caused the software to stop working correctly. Until this is resolved, I really want to keep on using the software. After testing in a VM with the network disabled, I realised that if it was unable to call home then it continued to work correctly.

A VirtualBox VM works fine, and with the VBox tools installed I have bi-directional copy/paste etc., but it's not an elegant solution and the overhead of a VM is much greater than running the application natively.

From this I found out about the firejail tool. It is shipped in the standard Ubuntu repos and provides a great deal of sandboxing functionality that I was unaware of.

For me the --net=none argument was suitable. This creates a new, unconnected network namespace before executing the app, restricting its network access to the loopback interface only.

$ firejail --net=none mytroublesomeapp

This is incredibly useful and a tool I will be making much more use of in future.

If you wish to test, try some of the following.

firejail --net=none firefox
firejail --net=none ping google.co.uk

The man pages show what other options are available too. It's well worth a look



bashfunc - Bash Function Library

Posted: 2017-03-08 15:27:11 by Alasdair Keyes



I've been doing some systems scripting in BASH the past couple of days and often find myself recoding the same functionality over and over, not just at work but home too. So I decided that I'd write a library to cover some common functionality I find myself needing.

All functions are explained in the README.md and working examples are in bashfunc_examples.sh in the repo.

It's designed for use with BASH 4 and up. Test it out and let me know if there's other common functionality that could be added. I'm currently adding to it quite frequently as my requirements grow so keep checking for new versions.

https://github.com/alasdairkeyes/bashfunc



RSS Feed

Posted: 2017-02-23 22:44:30 by Alasdair Keyes



I've finally got round to re-implementing the RSS feed on the site. Links are in the header above, or here: RSS feed



Trello all the things

Posted: 2017-02-11 23:36:51 by Alasdair Keyes



I've used Trello a number of times for work projects and I've always enjoyed using it. Its simplicity is the key to its usefulness.

I've now moved onto using it personally too. Previously my todos were on a Memo app on my phone. Now I mainly use Trello on my laptop, but also the App on my phone for when I'm out and everything goes on there.

The act of moving cards from Todo to Done fills me with more pleasure than it really should.... but it keeps me productive! It's well worth looking to move to it if you're the kind of person that makes a lot of lists.



MySQL encrypted client password storage

Posted: 2017-02-10 14:27:55 by Alasdair Keyes



For years I've been using MySQL's ~/.my.cnf file to automatically manage logins for databases. However, it has never sat well with me: the file is plain text, and even though you can restrict access with 0600 permissions, it's never good to have a password stored in plaintext.

I've recently been working on a MySQL 5.7 cluster and needed access to the production slave database, and this issue raised its head again. However, as of MySQL 5.6 there is the option to store login details in obfuscated form using mysql_config_editor.

This tool allows you to setup profiles to access servers and store the details encrypted.

For example, my previous ~/.my.cnf file might have (the client option is user, not username)

[mysql]
user=al
password=ComplexPassword

I could then access mysql like so...

# mysql
mysql> 

Now you define a profile instead; for the above example use

# mysql_config_editor set --login-path=localhost --host=localhost --user=root --password
Enter Password: <enter password>

--login-path is just a name and can be anything you like.

I can now login by specifying the login path

# mysql --login-path=localhost

What's nice is that you don't need to specify all the details. If you had production and beta environments, each with multiple servers, you could create one profile per environment with its own password and then supply the hostname on the command line:

# mysql_config_editor set --login-path=production --user=root --password
Enter Password: <enter password>
# mysql_config_editor set --login-path=beta --user=root --password
Enter Password: <enter password>
# mysql --login-path=production -h proddb3
mysql>

The data is now stored in ~/.mylogin.cnf, which is no longer plain text:

# cat ~/.mylogin.cnf
<<JUMBLEDMESS>>

Be clear about what this buys you, though. The file is obfuscated rather than protected by a secret you hold: the key is stored in the file's own header, and anyone who can read the file can recover the passwords (the my_print_defaults tool will print them with its -s option). What it prevents is the password turning up in plaintext when the file is displayed, grepped or pasted somewhere by accident, so the 0600 permissions still matter just as much.

To see what profiles you have (passwords are masked, so this is not a backup), you can use

# mysql_config_editor print --all
[production]
user = root
password = *****
[beta]
user = root
password = *****

Removing profiles is as easy as

# mysql_config_editor remove --login-path=production



TDD Deciphered

Posted: 2017-02-09 12:16:58 by Alasdair Keyes



I recently happened upon this website about how to use TDD when building a project. Although it's written for PHP and PHPUnit, the premise can be applied to any language. The great thing about this site over others is that it actually shows TDD on the lifecycle of a valid project, not just using trivial one off examples.

https://tdd-deciphered.com/



PHP Apigen

Posted: 2016-12-28 20:34:21 by Alasdair Keyes



After discussions at work on producing code documentation, I was introduced to http://www.apigen.org/.

I'm not quite sure how I've not seen it before, but it is very slick and certainly something I'm going to look at using in the future.

More information about what it does can be seen on their site, but it essentially reads the PHPdoc blocks in your code and outputs to a nice HTML page that you can publish.

The key part is just how easy it is, from the root of your project run

apigen generate --source src_folder --destination public/docs

You can easily add it into a script for Jenkins, or, for a local development branch, add it to the post-update/post-install commands in your composer.json.



© Alasdair Keyes
