Posts tagged "internet"
How to Check If an RSA Cert Matches an RSA Key
Problem: you find a key and a cert file on your server, and want to check if the cert matches the key. Solution: Check the modulus (n=p*q) of both key and cert to see if they are equal. $ openssl rsa -modulus -noout -in yourrsa.key Modulus=C8BEE8B687CC... $ openssl x509 -modulus -noout -in yourrsa.crt Modulus=C8BEE8B...
Block Internet per User/Service
If you want to block network access for certain users on a Linux box, it's as simple as this: /sbin/iptables -I OUTPUT -m owner --uid-owner <USERNAME> -j DROP Username might also be the username of a running service.
My Contact was Shared with Facebook
Facebook gives a list of companies who run Facebook ads, and sent my contact information (tel, email) to Facebook. This list for my account lists some obvious companies, some companies I never heard of, and some companies who really should never have forwarded my contact information to Facebook! Look up your own lis...
Ubiquiti UniFi the Next Botnet ?
I tested a Ubiquiti access point today. UAP-AC-Lite seems to be a very good and cheap access-point. When you take it out of the box and connect it to the network it gets an IP address using DHCP and waits for a configuration. In this mode it sends broadcasts to find a controller and listens on port 22 (ssh) with sta...
Sophos UTM BGP Announces 0 Prefixes
Problem: A simple BGP upstream configuration. A small AS with one IP prefix wants to connect to its upstream using BGP. The BGP peerings are up. Sophos receives the expected routes from its upstream, but the upstream router does not receive the expected single prefix. Discussion: an outbound filter list is set to pr...
PaloAlto Packet Loss of 1% and More
Problem: PaloAlto firewall is dropping packets in small bursts of some seconds, and sometimes it drops TCP connections. It only happens on HA clusters on interfaces in active/passive (fail over) mode. Solution: disable the following check box in the Ethernet interface Advanced - LLDP settings: "Enable in HA Passive ...
Generate CSR using openssl
Browsers started to warn users about certificates with a SHA-1 signature. SHA-256 is needed nowadays. So it's time to renew certificates from Thawte, Godaddy, etc. You can generate a new Certificate Signing Request with openssl with this command: openssl req -nodes -newkey rsa:2048 -keyout servername.key -out servernam...
F5 data flood
Problem: An F5 load balancer LTM sends lots of data to some clients. Sometimes this fills up all the available bandwidth with 1 Gbit or more. At the same time the input traffic does not rise. The traffic charts look as if the F5 is attacking some clients (reversed DDoS :-) ) Discussion: After some time of staring at t...
Howto generate an SSL key and self signed cert with openssl
For SSH, HTTPS, TLS SMTP, POPS, IMAPS you need an RSA key pair. Most Linux package installers produce these pairs automatically, but if you like, you can generate them yourself. The quickest method I found is: openssl req -x509 -nodes -newkey rsa:2048 -keyout servername.key -out servername.crt -days 1024 This command a...
AVM Fritz!box DHCP Problem
Problem: I wanted to provide a CWMP (TR-069) ACS URL to an AVM modem using DHCP on the WAN Interface, but the DHCP server ignores this vendor-option. Discussion: Following the TR-069 specs, the CWMP-ACS Server can be included in a DHCP response using vendor-option (SubOption 1). Usually vendor options should work w...