2016-11-09 01:16:01    28    0    0

Introduction

Using a firewall is as much about making intelligent policy decisions as it is about learning the syntax. Firewalls like iptables are capable of enforcing policies by interpreting rules set by the administrator. However, as an administrator, you need to know what types of rules make sense for your infrastructure.

While other guides focus on the commands needed to get up and running, in this guide, we will discuss some of the decisions you will have to make when implementing a firewall. These choices will affect how your firewall behaves, how locked down your server is, and how it will respond to various conditions that are likely to occur from time to time. We will be using iptables as an example to discuss specifics, but most of the actual decisions will be relevant regardless of the tools used.

Deciding on a Default Policy

When constructing a firewall, one of the fundamental decisions that you must make

2016-11-09 01:03:33    22    0    0

Introduction

Iptables is a firewall that plays an essential role in network security for most Linux systems. While many iptables tutorials will teach you how to create firewall rules to secure your server, this one will focus on a different aspect of firewall management: listing and deleting rules.

In this tutorial, we will cover how to do the following iptables tasks:

  • List rules
  • Clear Packet and Byte Counters
  • Delete rules
  • Flush chains (delete all rules in a chain)
  • Flush all chains and tables, delete all chains, and accept all traffic

Note: When working with firewalls, take care not to lock yourself out of your own server by blocking SSH traffic (port 22, by default). If you lose access due to your firewall settings, you may need to connect to it via the console to fix your access. Once you are connected via the console, you can change your firewall rules to allow SSH access (or allow all traffic). If your saved fir

2016-11-09 01:03:32    16    0    0

Introduction

Iptables is the software firewall that is included with most Linux distributions by default. This cheat sheet-style guide provides a quick reference to iptables commands that will create firewall rules are useful in common, everyday scenarios. This includes iptables examples of allowing and blocking various services by port, network interface, and source IP address.

How To Use This Guide

  • If you are just getting started with configuring your iptables firewall, check out our introduction to iptables
  • Most of the rules that are described here assume that your iptables is set to DROP incoming traffic, through the default input policy, and you want to selectively allow traffic in
  • Use whichever subsequent sections are applicable to what you are trying to achieve. Most sections are not predicated on any other, so you can use the examples below independently
  • Use the Contents menu on the right side of this page (at
2016-10-20 02:46:08    26    0    0

Reason Why

Ever get the dreaded error:

  1. Virtual memory exhausted: Cannot allocate memory

With the first iterations of Raspberry Pi the Model A comes with 256mb of memory. While the Raspberry Pi B comes with a modest 512mb of memory. For most applications this amount of memory is actually quiet a bit. As soon as you start compiling your own binaries this amount starts to seem dismal.

Insert reason why swap on flash-based memory is bad here.

Limitations

The Raspbian distribution comes with a 100mb swapfile. This is actually a bit on the small side. A general rule of thumb is swapfile size should be about twice as much as the available RAM on the machine. In the examples below I have a Raspberry Pi B+. So the amount of swap I use is 1024mb.

Commands

We will change the configuration in the file /etc/dphys-swapfile :

  1. sudo nano /etc/dphys-swapfile

The default value in Raspbian is:

  1. CONF_SWAPSIZE=100

We will

2016-10-20 02:46:01    50    0    0

Principle


Using Docker on Raspberry Pi provides many different benefits (most explained here in French). However when developing new containers, it may require much more CPU and RAM power to build them or even to compile the binaries in armhf format. So this blog post describes how to create an ARM v7 image based on QEMU emulating an ARM Cortex-15 chip with 2Gb of RAM running Debian 8 Jessie.

Why Debian 8 Jessie ?

Simply because the embedded kernel is preconfigured for Docker (see the required modules there). I'll probably use HypriotOS in the future but for now that's good enough and i use the Docker packages directly built by Hypriot anyway.

Why not emulating the Raspberry Pi ?

Simply because the performances are really really bad and it is limited to 256Mb of RAM. I tried multiple times but it is really too slow so i preferred to switch to a different emulator but keeping the same CPU architecture.

Why only a Cort

2016-10-20 02:41:28    33    0    0

Commit some changes

  1. # ...
  2. git commit -am "0" # got hash hash0
  3. # ...
  4. git commit -am "1" # got hash hash1
  5. # ...
  6. git commit -am "2" # got hash hash2
  7. # ...
  8. git commit -am "3" # got hash hash3

Revert change 1, 2, and 3

  1. git reset --hard hash0
  2. git reset --soft hash3
  3. git commit -am 'Reverted 1 2 3'
git    2016-10-20 02:41:23    24    0    0

0. Add a submodule

  1. git submodule add [-b <branch>]<repository> [<path>]
  2. git submodule init
  3. git submodule update

1. Remove config entries:

  1. git config -f .git/config --remove-section submodule.$submodulepath
  2. git config -f .gitmodules --remove-section submodule.$submodulepath

2. Remove directory from index:

  1. git rm --cached $submodulepath

3. Commit

4. Delete unused files:

  1. rm -rf $submodulepath
  2. rm -rf .git/modules/$submodulepath

Background

When you do git submodule add, it only adds it to .gitmodules, but once you did git submodule init, it added to .git/config.

So if you wish to remove the modules, but be able to restore it quickly, then do just this:

  1. git rm --cached $submodulepath
  2. git config -f .git/config --remove-section submodule.$submodulepath

It is a good idea to do git rebase HEAD first and git commit at the end, if you put this in a script.

golang    2016-06-16 09:19:36    72    0    0

传输层安全协议(Transport Layer Security,缩写:TLS),及其前身安全套接层(Secure Sockets Layer,缩写:SSL)是一种安全协议,目的是为互联网通信提供安全及数据完整性保障。

SSL包含记录层(Record Layer)和传输层,记录层协议确定了传输层数据的封装格式。传输层安全协议使用X.509认证,之后利用非对称加密演算来对通信方做身份认证,之后交换对称密钥作为会谈密钥(Session key)。这个会谈密钥是用来将通信两方交换的数据做加密,保证两个应用间通信的保密性和可靠性,使客户与服务器应用之间的通信不被攻击者窃听。

本文并没有提供一个TLS的深度教程,而是提供了两个Go应用TLS的简单例子,用来演示使用Go语言快速开发安全网络传输的程序。

TLS历史

  • 1994年早期,NetScape公司设计了SSL协议(Secure Sockets Layer)的1.0版,但是未发布。
  • 1994年11月,NetScape公司发布SSL 2.0版,很快发现有严重漏洞。
  • 1996年11月,SSL 3.0版问世,得到大规模应用。
  • 1999年1月,互联网标准化组织ISOC接替NetScape公司,发布了SSL的升级版TLS 1.0版。
  • 2006年4月和2008年8月,TLS进行了两次升级,分别为TLS 1.1版和TLS 1.2版。最新的变动是2011年TLS 1.2的修订版。
  • 现在正在制定 tls 1.3。

证书生成

首先我们创建私钥和证书。

服务器端的证书生成

使用了”服务端证书”可以确保服务器不是假冒的。

1、 生成服务器端的私钥

  1. openssl genrsa -out server.key 2048

2、 生成服务器端证书

  1. openssl req -new -x509 -key server.key -out server.pem -days 2048

客户端的证书生成

除了”服务端证书”,在某些场合中还会涉及到”客户端证书”。所谓的”客户端证书”就是用来证明客户端访问者的身份。
比如在某些金融公司的内网,你的电脑上必须部署”客户端证

2016-06-03 06:47:30    61    0    0

Prepare Virtual Machine

  • Install OS on VMware or VirtualBox

  • Startup OS, delete the symbolic link of grubenv, then copy the real grubenv file here, like this:

  1. cd /boot/grub2/
  2. rm f grubenv
  3. cp /boot/efi/EFI/centos/grubenv ./

Export VM and Upload into AWS

  • Shutdown OS, export image using OVA type.

  • Login AWS console, then upload this OVA image into S3 bucket, for example: vm-import

  • Create vmimport role

  1. aws iam create-role --role-name vmimport \
  2. --assume-role-policy-document file://trust-policy.json

Here is the content of trust-policy.json

  1. {
  2. "Version":"2012-10-17",
  3. "Statement":[
  4. {
  5. "Sid":"",
  6. "Effect":"Allow",
  7. "Principal":{
  8. "Service":"vmie.amazonaws.com"
  9. },
  10. "Action":"sts:AssumeRole",
  11. "Condition":{
  12. "StringEquals":{
  13. "sts:ExternalId":"vmimport"
  14. }
  15. }
  16. }
  17. ]
  18. }
  • Edit policy for vmiport
  1. aws iam put-role-policy --
golang    2016-05-28 15:19:05    51    0    0

1. Mail Configuration

When we have certificates for our SMTP servers, the TLSSkipVerify should be set to true. Otherwise, set to false

  1. // MailConfig contains all configuration for mail
  2. type MailConfig struct {
  3. AuthMailAddr string
  4. AuthPassword string
  5. SendFrom string
  6. SMTPHost string
  7. TLSSkipVerify bool
  8. }
  9. var config MailConfig
  10. func SendMail(mailto string, subject string, body string) error {
  11. // Code
  12. }

2. Set From and To

  1. from := mail.Address{
  2. Name: "",
  3. Address: config.SendFrom,
  4. }
  5. to := mail.Address{
  6. Name: "",
  7. Address: mailto,
  8. }

3. Setup Header and Message

  1. // Setup headers
  2. headers := make(map[string]string)
  3. headers["From"] = from.String()
  4. headers["To"] = to.String()
  5. headers["Subject"] = subject
  6. // Setup message
  7. message := ""
  8. for k, v := range headers {
  9. message += fmt.Sprintf("%s: %s\r\n", k, v)
  10. }
  11. message += "