Security

New vuln is out – where do I have that installed? – SamDrucker

Leave a Comment / SamDrucker, Security / By /

I abandoned this post back in March h202 because I was unable to get keycloak to contact samducker. I’m publishing it now mostly because of SamDrucker. keycloak is a vnet jail. Interesting things happen there. From time to time, security issues are found within software. The FreeBSD package management system relies upon pkg-audit and the Vulnerability database to alert system administrators that attention is required. Case in point, My Nagios monitoring is showing […]

New vuln is out – where do I have that installed? – SamDrucker Read More »

Self-hosting Bitwarden / VaultWarden on FreeBSD

6 Comments / FreeBSD, Jails, Open Source, Security, VaultWarden / By /

The time has come for me to consider another application for my TOTP data (think 6-digit codes produced by Google Authenticator or an RSA device. I’ve been using an app called 2STP – I have long liked it. Support for it ended about 7 years ago, yet it continued to slug along on my phone and on my watch. Recently, it stopped working on my watch. That was the tipping point. I decided

Self-hosting Bitwarden / VaultWarden on FreeBSD Read More »

acm.esh key ’/var/db/acme/certs.int.unixathome.org.key’ is unreadable

Leave a Comment / Let's Encrypt, Security / By /

Today, while mucking about with a new cronjob and log file for acme.sh, I stumbled across these error messages: Why was I stumbling around? This email arrived after the daily cert renewal: Three skips. Three error messages. Let’s look at that file: [18:37 certs dan ~] % sudo ls -l /var/db/acme/certs.int.unixathome.org.key -rw-r—– 1 root acme 116 Oct 6 20:21 /var/db/acme/certs.int.unixathome.org.key That should be readable. I checked some ZFS snapshots from earlier this week.

acm.esh key ’/var/db/acme/certs.int.unixathome.org.key’ is unreadable Read More »

Use of K* file pairs for HMAC is deprecated – acme.sh

Leave a Comment / DNS, Let's Encrypt, named, nsupdate, Security / By /

On Wednesday Oct 6th, I was greeted by these log messages: This is the output from the cronjob run by the acme user in my jail called certs. This is the daily run to renew any certificates which are soon to expire. This is the job in question: [19:36 certs dan ~] % sudo crontab -l -u acme 44 16 * * * /usr/local/sbin/acme.sh –cron –home /var/db/acme/.acme.sh > /dev/null [19:44 certs dan ~]

Use of K* file pairs for HMAC is deprecated – acme.sh Read More »

Today I faced the first consequences of my TXT & Let’s Encrypt strict policy

Leave a Comment / DNS, Let's Encrypt, named, Open Source, Security / By /

Today I faced the first implications of deciding to tightly restrict the use of nsupdate keys for modifying TXT records for dns-01 challenges with Let’s Encrypt. Context This section should be on news.freshports.org and you can skip it to get to the real stuff. Today I’m working on a mostly automated FreshPorts node deployment. A FreshPorts node consists of: host server – A FreeBSD host which contains the other nodes database – holds

Today I faced the first consequences of my TXT & Let’s Encrypt strict policy Read More »

Creating a very specific TXT only nsupdate connection for Let’s Encrypt

Leave a Comment / DNS, Let's Encrypt, named, Security / By /

In the interests of maintaining Michael W Lucas in the lifestyle to which he has become accustomed, I am creating this blog post. Although Mr Lucas was the first to post, he is not solely to blame for my burdensome workload. Jan-Piet Mens and Evan Hunt also have much to answer for. Their misdeeds include mentioning newer BIND tools which necessitated an update to an older blog post. The worst of them all,

Creating a very specific TXT only nsupdate connection for Let’s Encrypt Read More »

ssh with 2FA

Leave a Comment / General, Security, ssh / By /

2FA has its critics: It’s so unreliable! Phones are so easily hijacked It’s not a lot of added security etc Some of these make assumptions not necessarily in evidence. In this post: FreeBSD 12.1 pam_google_authenticator-1.08 Most of the 2FA I use is time-based one-off passwords (TOTP), as opposed to text messages. These are often 6-digit numbers which change every 30 seconds. These are hard to guess and cannot be intercepted as they reside

ssh with 2FA Read More »

Which hosts have this vuln package installed? SamDrucker knows.

Leave a Comment / FreeBSD, Open Source, Security / By /

Today I found out about a vuln in net/py-urllib3. Nagios told me: Checking for security vulnerabilities in base (userland & kernel): Host system: Database fetched: Tue Nov 26 18:23:32 UTC 2019 py36-urllib3-1.22,1 I logged into that host and ran a pkg upgrade py36-urllib3. What other hosts have that installed? There. That’s the hosts I have to update. How about a list for csshX? Ideally, I’d like to take the query output, and construct

Which hosts have this vuln package installed? SamDrucker knows. Read More »

scripts for monitoring vulns in FreeBSD jails

Leave a Comment / FreeBSD, Jails, Nagios, Security / By /

I have scripts for monitoring vulns in FreeBSD jails. They use third-party scripts. All I wrote was the Nagios part of the solution. I was preparing slides for my Why I prefer thick jails over thin jails talk at EuroBSDCon 2019. There is still time to register and attend. I was explaining my scripts and was providing links to gist.github.com … I realized I should create a repo: https://github.com/dlangille/freebsd-nagios-jail These scripts do the

scripts for monitoring vulns in FreeBSD jails Read More »

ACME domain alias mode

Leave a Comment / Let's Encrypt / By /

I recently became aware that ACME DNS validation can be accomplished via proxy. By proxy, I mean you can update the DNS records of another domain, not the domain for which the certificate is being issued. Why would you do this (as taken from acme.sh DNS Alias Mode): Your DNS provider does not provide API access; you can’t update the domain easily. You are concerned about the security implications. That is, a third-party

ACME domain alias mode Read More »

Scroll to Top