Security on Janik von Rotz

SSH vs VPN

Mon, 11 Nov 2024 11:45:58 +0100

When I deploy an application to a server that is owned by the customer or the customers IT provider, they very often require me to setup a virtual private network (VPN) connection. I tell them about Secure Shell (SSH) protocol and how is better fit for this use case. As they are used to Windows server environment, where SSH is mostly absent, they insist on using VPNs.

In this post I will compare the two technologies and explain why SSH is the better option in this use case.

Open Source Software = More Security

Mon, 07 Mar 2022 10:53:32 +0100

This post has been translated from Mint System - Open Source Software = Sicherheit.

Why is open source software more secure than closed source software?

Again and again we are confronted with the argument that open source software (OSS) cannot be secure because it is free. The “there is no free lunch” idiom is also often used. We will explain here why this argument is wrong.

Paradigm shift in the handling of data

Sun, 02 May 2021 21:30:10 +0200

The handling of private data is the subject of controversial public debate. Everyone expresses concerns about the handling of private data, but most people pass it on to third parties via social media without hesitation. A controversy that is often left hanging in the air.

Monitor and audit Active Directory user and group management

Thu, 12 Oct 2017 15:54:08 +0000

Traceability is key when collaborating in the Active Directory (AD). Multiple admins changing and updating permissions and policies makes it difficult being compliant with the company’s policies. It is important to monitor mutations in the directory. By default audit policies are disabled for Domain Controllers (DC) and must be enabled explicitly. Enabling auditing for the DCs is quite easy, querying the logs for a specific event is a bit more difficult.

In this guide you’ll learn how to enable auditing for a specific case and how to query the audit logs for a specific event.

Password Generator with PowerShell

Mon, 07 Sep 2015 15:03:41 +0000

Whenever I had to think of a secure password I followed these steps:

The right order of vocals and consonants makes it more easy to remember a password.
And so do three digits of a number.
Add one uppercase Letter. Likely as the first character.
Add a dot or another sign to expand to vocabulary even more.

free SSL for everybody

Mon, 23 Mar 2015 09:09:11 +0000

Let’s Encrypt is the latest initiative by the Internet Security Research Group (ISRG). Their goal is simple, every site on the internet has to be SSL secured.

They want to achieve that by serving an open certificate authority (CA) and also provide a tool to set up a secured site the easiest way possible.

And now the big deal about this, their service is free of charge!

If this is really a thing, it will be a disaster for the SSL economy. As you might know SSL certificates are everything else than cheap. So good luck to every company that relays on selling SSL certificates as their core competence.

Say Goodbye to TrueCrypt

Fri, 30 May 2014 07:21:00 +0000

Apparently the developer of TrueCrypt threw in the towel this week.

The official site http://truecrypt.org redirects to http://truecrypt.sourceforge.net/ where you’ll find instructions to migrate you TrueCrypt disk to Microsofts built-in solution Bitlocker.

The reason for all this is obvious, TrueCrypt can’t compete against Microsofts Bitlocker as their software comes with every Windows 8 version (withWindows 7 you had to have an enterprise license in order to use Bitlocker).

Netwars Project - Today’s IT threads well explained

Thu, 01 May 2014 13:19:00 +0000

This time I want to tell you about the netwars project. It’s a fact based cross platform experience exploring the impending threat of cyber warfare.

There’s a web series, tv production, digital graphic novel and soon an audio book will be released.

Install WPScan

Tue, 29 Apr 2014 07:10:57 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/11214650.

Introduction

WPScan is a black box WordPress vulnerability scanner.

Prevent a lot of spam on your next php form with this simple trick

Mon, 28 Apr 2014 12:08:19 +0000

Spam bots were parsing websites html to code and searching for form patterns. What they luckily don’t do in most cases is running javascript or applying css code. This behaviour is a good way to tell a human from a spambot apart.

Here is a simple example of how to make use of this behaviour to prevent a lot of spam.

Open SSL Heartbleed Bug

Wed, 09 Apr 2014 15:25:47 +0000

For those who missed it. The OpenSSL project has recently announced a security vulnerability in OpenSSL affecting versions 1.0.1 and 1.0.2 (CVE-2014-0160).

Details of the bug are available here: The Heartbleed Bug

You can check you website here: Heartbleed test

Details and update instructions from the websites of your Linux vendor of choice:

On Ubuntu the update is simply done by executing these commands:

sudo apt-get update
sudo apt-get upgrade

The following command shows (after an upgrade) all services that need to be restarted.

Nginx SSL website

Thu, 03 Apr 2014 07:54:04 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9408793.

Introduction

This best practice shows you the most advanced SSL configurations for your Nginx website. For productive usage it’s recommended to use only public-signed certificates.

Node.js Nginx proxy website

Wed, 02 Apr 2014 06:52:03 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9407504.

Introduction

It’s recommanded to publish a Node.js application with a Nginx proxy website.

Get a free verified SSL certificate from StartSSL

Wed, 26 Mar 2014 10:29:07 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9430791.

SSL certificates aren’t cheap. You can create them on your own for private use. However for internet use you have to get a verified certificate.

Luckily there’s https://www.startssl.com/

They offer you a class 1 SSL certificate for free. Their site might not look trustworthy, but I’m quite shure they do a great job.

SSH and network hardening

Fri, 21 Mar 2014 18:19:12 +0000

This post is part of my Your own Virtual Private Server hosting solution project.
Get the latest version of this article here: https://gist.github.com/9346641.

Requirements

Ubuntu server

Instructions

Step by Step: Install Ghost Blog

Mon, 03 Mar 2014 16:34:55 +0000

Latest Version of this guide: https://gist.github.com/8542013

Finishing this guide you"ll get:

A running Ghost installation
Amazon SES mail configuration
Simple ssh hardenings
Nginx proxy
Node.js configured with forever

Specification of latest running installation:

Date: 21.01.2014
OS: Ubuntu 64 bit - 12.04.4 LTS
Provider: Amazon EC2
Mail service: Amazon SES
Browser: Google Chrome - 31.0.1650.63
Ghost: 0.4
Node: 0.10.24
npm: 1.3.21

Manage Security Groups in a organizational Strcture

Mon, 28 Oct 2013 16:22:20 +0000

As in on of my last post I’ve showed you my approach to manage distribution groups in the hierarchical structure of an ActiveDirectory installation. In the mean time I’ve adapted a similiar approach for the security groups.

Here is an example of the structure: