Security on Hacking Robots And Beer
https://hacking.robots.beer/tags/security/
Recent content in Security on Hacking Robots And Beer
Mattias Hemmingssion mattias@lifeandshell.com
Thu, 01 Dec 2022 13:17:35 +0000

Migrate Elasticsearch helm to Elasticsearch Operator
https://hacking.robots.beer/posts/migrate-elasticsearch-helm-to-elasticsearch-operator/
Thu, 01 Dec 2022 13:17:35 +0000
Migrate Elasticsearch from the Helm chart to the Elasticsearch operator, and from version 7 to version 8. At the start, I used the Helm chart for Elasticsearch, and everything worked fine. Then Elasticsearch 8 came, along with the Elasticsearch operator. This broke my Helm chart and kind of left me in a stalled state. But now I have to migrate my current Elasticsearch, which uses a Helm chart, to start using the operator.

Boundary on Kubernetes with Keycloak
https://hacking.robots.beer/posts/boundery-on-kubernetes-with-keycloak/
Sat, 22 Jan 2022 11:43:24 +0000
We have 3 clusters running: 2 on AWS and 1 on-prem. To sort out connections for developers and admins, the goal is to implement Boundary as an access point. To verify the user we use Keycloak and 2FA. Then, based on roles, we give the different users access to different services inside the cluster.
Service
The user should be able to connect to an SSH server inside the network, but also to services running inside Kubernetes, like Elasticsearch or MySQL,

Vault EKS / AWS to pod The complete guide
https://hacking.robots.beer/posts/vault-eks-aws-to-pod-the-complete-guide/
Thu, 29 Oct 2020 09:17:42 +0000
I have been working with Vault for some time, to deploy it to our EKS cluster and then to get the secrets into our pods. After many hours of searching I have found out that using kube-vault and vault-env.
This guide uses Terraform to set up the resources you need in AWS. Then deploy kubevault with UI into the cluster, which will use an S3 bucket and backend and autoseal itself during boot

Running Counter-strike 1.6 and CSGO in kubernetes !
https://hacking.robots.beer/posts/running-counter-strike-1-6-and-csgo-in-kubernetes/
Wed, 29 Apr 2020 14:09:45 +0000
Yee, so it was a long time ago that I spent days playing Counter-Strike 1.6. And now that I have some more powerful servers and some time, I was thinking of setting up some Counter-Strike servers for me and some friends so we can play. I have a nice Kubernetes cluster in my garage and I run all my stuff inside Kubernetes, so it was natural to make them into a Kubernetes deployment.

Mesos cluster with Marathon running Docker
https://hacking.robots.beer/posts/mesos-cluster-with-marathon-running-docker/
Fri, 11 Dec 2015 21:47:19 +0000
Hi. For hosting Docker at large scale I have tested a Mesos cluster. Here is a guide for setting up 3 nodes in Mesos running CentOS 7, and then adding Marathon to control the running Docker containers.
The network
    mesos-master 172.0.0.10
    mesos-slave1 172.0.0.11
    mesos-slave2 172.0.0.12
The nodes also have one NIC connected to the network with internet access.
Security
For this guide, stop iptables and turn SELinux off:
    setenforce 0
    systemctl stop firewalld

Python DOS protection (iptables,dos)
https://hacking.robots.beer/posts/python-dos-protection-iptablesdos/
Fri, 06 Nov 2015 15:18:51 +0000
Here is a small script I use to have some sort of DoS protection on my web servers.
    import subprocess

    whitelist=['192.168.1.2']
    blockvalue=2
    alertvalue=1
    # Count the current connections per remote IP
    proc = subprocess.Popen("netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n", shell=True,stdout=subprocess.PIPE)
    running = proc.stdout.read()
    runing_sorted = running.split('\n')
    for r in runing_sorted:
        con =r.split()
        if len(con) ==2:
            # If the IP has more connections than the block value, block the IP
            if int(con[0]) <= blockvalue:
                print "

Foreman provision to bare and libvirtd (Centos7, foreman, libvirtd, KVM)
https://hacking.robots.beer/posts/foreman-provision-to-bare-and-libvirtd-centos7-foreman-libvirtd-kvm/
Sun, 05 Jul 2015 21:26:46 +0000
So I have started to play around with Foreman, to get it to provision my different servers. I started by starting up some local virtual servers on my laptop and played around with them. The flow is: I started by installing Foreman as a virtual server. Then I provisioned a new virtual server as bare metal (I created a virtual server in virsh). After that virtual server was provisioned, I installed it as a virtual host (KVM on KVM) and connected it to Foreman so Foreman can provision KVM hosts.

VMware to KVM (OWASP Broken Web App on KVM)
https://hacking.robots.beer/posts/vmware-to-kvm-owasp-broken-webb-app-on-kvm/
Tue, 09 Sep 2014 10:38:29 +0000
So I use KVM for my virtual servers. But I got the OWASP Broken Web App in VMware format, and that's not OK. But with the help of Google I found some help to get the OWASP Broken Web App onto my KVM hosts. I followed the info from this page:
http://blog.bodhizazen.net/linux/convert-vmware-vmdk-to-kvm-qcow2-or-virtualbox-vdi/
1. Download and unzip OWASP Broken Web App to your folder (it uses 7zip for some reason) https://www.

OAuth2 Server on Python (with flask on Centos)
https://hacking.robots.beer/posts/oauth2-server-on-python-with-flask-on-centos/
Fri, 30 May 2014 20:04:05 +0000
So at work we have started to look at OAuth2 for our web apps. So on our creative Friday today I started looking at putting together an OAuth2 server using Python and Flask. I followed the guide from this page: http://lepture.com/en/2013/create-oauth-server And after some work I got a working server and client running on my CentOS server. The code only uses an SQLite DB and only tests the OAuth functions, so for a working solution there is some more work.

Install Pandora fms monitoring system on Centos
https://hacking.robots.beer/posts/install-pandora-fms-monitoring-system-on-centos/
Sat, 22 Mar 2014 13:10:54 +0000
So for many years I have used Nagios to monitor my servers, and now I would say I can handle Nagios config files well. But I found Pandora FMS monitoring, and this I must try. From the Pandora console it's much easier to set up new tasks from the web browser and tweak tasks so your alarms really are correct. Doing this in Nagios, I had to change config files and restart Nagios and NRPE.

Protecting your web with ModSecurity On Centos
https://hacking.robots.beer/posts/protecting-you-web-with-modsecurity-on-centos/
Tue, 04 Mar 2014 22:00:40 +0000
So if you worry about your web, then ModSecurity is really nice to have on your web server. I have it installed on my Apache server with the regular rules from OWASP and also some rules for my own sites. But here is also how to install it.
1. Download and build modsec on your server
Add some packages
    yum install gcc make
    yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel
Go to http://www.

Build your first syco Module
https://hacking.robots.beer/posts/build-you-first-syco-module/
Tue, 18 Feb 2014 22:12:56 +0000
So from the last post you can install syco, but you also need to build and update your own plugins in syco. Here is a small guide on how to build your first plugin. Here I'm building some syco commands for controlling Apache and GlassFish servers. The commands are run from our syco-chuck release command center, so by adding them to syco I can control the script from sudo and do some extra tests before starting and stopping the service.

Setup SYCO on your centos box
https://hacking.robots.beer/posts/setup-syco-on-you-centos-box/
Tue, 18 Feb 2014 15:27:04 +0000
So if you care about security and stability you must have syco installed on your server. Read more about syco on the GitHub project https://github.com/systemconsole I'm starting to use syco not only in production but also on my "own" server. So more of you should really start using it, and here is a guide for you to start using syco.
1. Installing and setting up CentOS
    yum install git
Getting syco

Blocking unwanted traffic (ddos,scrapers) Apache, Iptables
https://hacking.robots.beer/posts/blocking-unwanted-traffic-ddosscrapers-apache-iptables/
Tue, 11 Feb 2014 23:16:22 +0000
So I spent last evening blocking IPs coming from packetflip to our server. It looked in our Apache access log like there was some evil scraping going on, so we started blocking. But it's not that fun to block many IPs manually, so time for some scripts.
First some info to use
Packetflip user agent was Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.

Apache Strong SSL config
https://hacking.robots.beer/posts/apache-strong-ssl-config/
Sun, 19 Jan 2014 22:46:53 +0000
So only enabling SSL on Apache is not good enough; there is some config to add to Apache to make it stronger.
These are the settings I use in my Apache SSL configs.
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
    Header add Strict-Transport-Security "max-age=15768000"
    SSLCompression off
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
And for generating your cert I use
    openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.

No more spam (Centos and postfix)
https://hacking.robots.beer/posts/no-more-spam-centos-and-postfix/
Wed, 25 Dec 2013 23:11:32 +0000
So I HATE spam, and now to get rid of as much as possible I go for 3 steps.
1. Postfix
Get Postfix to restrict who is allowed to send email to me. No strange names, and use spam block lists. Also restrict how many connections you can make over time.
2. Greylisting
So the first time some server tries to send email, greylisting says no, resend that email.

Fail2Ban on Centos
https://hacking.robots.beer/posts/fail2ban-on-centos/
Mon, 16 Dec 2013 20:58:10 +0000
Fail2Ban is a small service to block unwanted traffic to your server. I use it to block SSH and Postfix logins to my virtual hosts. Fail2Ban scans the service log files, and if it finds any strange traffic, like SSH brute force, that IP will be blocked for some time. All settings are done in the /etc/fail2ban/ folder.
Install
Have the EPEL repo activated on the server, then run
    yum install fail2ban
Then do your local config in

Install Diaspora on Centos 6.4 with Apache
https://hacking.robots.beer/posts/install-diaspora-one-centos-6-4-with-apache/
Sun, 24 Nov 2013 21:25:42 +0000
So I'm going to test Diaspora on one of my virtual servers, which runs CentOS 6.4.
Setup CentOS
Setup repos
    wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
    rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm
Install packages
    yum install tar make automake gcc gcc-c++ git net-tools libcurl-devel libxml2-devel libffi-devel libxslt-devel tcl redis ImageMagick npm mysql-server mysql-devel httpd mod_ssl libyaml libyaml-devel patch readline-devel libtool bison
Start services
    chkconfig --level 3 httpd on
    chkconfig --level 3 mysqld on
    chkconfig --level 3 redis on

Private GIT server on centos 6
https://hacking.robots.beer/posts/private-git-server-on-centos-6/
Tue, 15 Oct 2013 14:40:50 +0000
So I need to have a private git server. The plan is to fill the git server with my backups so I can see changes done to my git server.
Set up the local GIT server
Users
    adduser git
    passwd git
Become the git user and go to the home folder
    su git
    cd ~
Create the repo
    mkdir myrepo.git
    cd myrepo.git/
    git --bare init
So now the repo is done; let's connect to it and start using it.

Securing Apache – TRACE TRACK XSS
https://hacking.robots.beer/posts/securing-apache-trace-track-xss/
Mon, 07 Oct 2013 15:12:50 +0000
So I will try to update with some tips on securing Apache as I stumble over them. This will be the first one of not so many, I hope (Apache will be secure). I always scan my servers every month with OpenVAS as one of my PCI-DSS tasks. And this week I am locking down my Apache servers. Add this in your vhost file or in the welcome.conf file and rerun your scan.

Set up Openvpn client on Centos 6.4
https://hacking.robots.beer/posts/set-up-openvpn-client-on-centos-6-4/
Sun, 21 Jul 2013 22:39:45 +0000
I often use OpenVPN to connect my servers together across several cloud server providers. This is my small how-to for setting up the OpenVPN client.
Install the openvpn server
    yum install wget
    wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
    rpm -Uvh epel-release-6-8.noarch.rpm
    yum install openvpn
Set up the VPN client
In /etc/openvpn extract your VPN config
Save your OpenVPN config file as client.conf
Test your VPN
    openvpn --config client.conf
Now when it's working, restart your openvpn with

Mail to script in Zimbra, e.g. Zimbra to Redmine
https://hacking.robots.beer/posts/mail-till-script-zimbra-tex-zimbra-till-redmine/
Mon, 12 Mar 2012 16:20:58 +0000
So, finally! After a day of hard work I have finally found out how to run a script when you mail a user in Zimbra.
I use it so that you can mail to, for example, arenden@fareoffice.com and it comes into Redmine as an issue.
1. Fix up your transport in Zimbra.
Open the file
    vi /opt/zimbra/postfix/conf/transport
    ######REDMINE adding
    arenden@fareoffice.com local:
    arenden@fareonline.net local:
    issues@fareoffice.com local:
Then we fix up the transport database