Aller au contenu | Aller au menu | Aller à la recherche
Par Julien Vehent, le mercredi, juin 12 2013 (General)
There is no DKIM signature. It shows right away because of the little icon on the "From" line, displayed by my DKIMStatus plugin for roundcube.Still, this phishing is one of the most dangerously well crafted I've seen in a long time... Stay sharp, and don't click on these links!
Par Julien Vehent, le dimanche, juin 9 2013 (General)
Ossec is a great tool to monitor the security of a set of systems. Servers, VMs, PCs... Ossec can keep an eye on your systems and send alerts when "something" happens. "something" being defined by Ossec rules that can be a little tricky to write and keep under control.
While working at AWeber, I had to integrate the deployment of Ossec agents in Chef. The security model of Ossec requires one agent and one server to share a secret key, and this usually means that someone has to go into the server, generate the key, and push it to the agent. Ossec solved in early 2011 with a daemon called ossec-authd, but the lack of access-control and confidence in the code prevented us from using it. Instead, I wrote a cookbook for chef called chef-autossec that takes care of the entire provisioning of an ossec infrastructure:
The cookbook is available on github: https://github.com/jvehent/AutOssec
Feel free to use it, comment on it, and contribute code !
Par Julien Vehent, le dimanche, mai 26 2013 (General)
It's been a busy 2013 so far! So busy that I'm only now processing the videos I recorded over 2 months ago... But here it is, the recording of my presentation of AFW from the Netfilter Workshop 2013 at Open Source Days in Copenhagen. I was there for a few days, and had a great time with the Netfilter core team and folks passionate enough to attend 3 days of really good technical discussions.
Oh, and I just joined Mozilla as Operations Security Engineer! Really excited about that one, there's a lot of exciting things going on. Stay tuned.
My talk: (click here for the slides)
AFW, Automating host-based firewalls with Chef, Julien Vehent from Julien Vehent on Vimeo.
All of the talks I recorded are here: link. Check it out, they are all really good !
Par Julien Vehent, le jeudi, mars 7 2013 (Debian)
A few weeks ago, I presented my personal email architecture to PLUG, the Philadelphia Linux User Group. I have been using this setup for years now, and every time someone sends me an email at julien[at]linuxwall.info, it reaches one of these server.
A lot of this is documented on http://wiki.linuxwall.info. Maybe some day I'll get around writing an actual documentation. In the meantime, check out the links in the slides below.
Par Julien Vehent, le vendredi, décembre 21 2012 (General)
For the last few weeks, I have been busy building edge-routers in Chef (more on that later). And while I was at it, I fixed a bunch of stuff in the Advanced FireWall cookbook. There is enough bugfixes and new features to release a new version of the cookbook, so, 8 weeks after 0.0.4, allow me to introduce AFW 0.0.5 .
First and foremost, I would like to thank jeremiahsnapp and elliotkendallUCSF for submitting pull requests via github. It's always pleasant to receive help from others ;)
Now, on the list of (significant) changes:
At AWeber, we use a custom Ohai attribute to select the IP of the interface that's on the LAN. Most of the time, this is eth0. We do this because Chef will use the interface that has the default gateway in node'ipaddress', and we don't always set the default gateway on the interface that's on the LAN. Anyway, lanip is a custom attribute that will not exist on other Chef installation. This fix will fallback to using node'ipaddress' if lanip doesn't exist, which is cleaner.
This use to not be needed because we were running Chef as a daemon, and it would run as part of the boot process and load the firewall rules. But it appears that Chef doesn't always clean up correctly, and we ended up with systems that were going down because of chef runs not finishing properly and consuming tons of memory. Instead, we decided to run Chef as a cron job every 30 minutes. As a result, the firewall isn't loaded by Chef anymore, and this commit provides init scripts for both upstart and classic initd.
This is a rather significant change: previously, when no interface was specified, AFW would use the default one (often eth0). But it creates tons of problems on routers that have many interfaces, so instead of multiplying the number of rule, we decided to remove the interface constraint. The new behavior is: if no interface is specific, the iptables rule will not contain an interface parameter, effectively allowing all interfaces. This is mostly OK because all rules are required to have either a source or a destination, so we still limit rule to only a few hosts.
The AFW mode AFW.create_rule() wasn't working right with predefined rules. This fixes it.
OSPF uses multicast, and is another protocol on top of IP. This commit simply adds it to the list of allowed protocols.
After adding the upstart script, we notice that the rule wouldn't get loaded as part of the boot process. The issue was that trying to resolve FQDNs into IPs too early breaks upstart. So, instead, we decided to do the DNS resolution in AFW, and only store IPs in the ruleset. This is cleaner anyway, and ensure that iptables-restore will always be fast.
We use VLANs, and we configure then with Chef using a specific cookbook. The problem is, we run into a race condition when the VLAN interface doesn't exist yet, but AFW tries to create a rule for it. This commit makes AFW skip the rules that have network interfaces that don't exist. The failure will be logged, and the chef run will continue.
AFW was previously storing rules as node attributes on the chef server. This creates problems when rules are removed from the roles or cookbooks, but not from the chef server. This commit makes AFW clean up all the rules after the ruleset template is created. No more stale rules.
That's it. Not a lot of lines a code, but quite a few changes. Those changes are stable and shouldn't create any problem, but feel free to report issues on github if something comes up.
« billets précédents - page 2 de 29 - billets suivants »
