It was nice knowing you. No really. It was. I don’t say that because I found anything wrong in the fediverse. Nope. It’s entirely because a recent apt update not only broke my sweetree.ga instance, it irrecoverably broke it. Guess I’ll have to use that domain somewhere somehow somewhen else. Maybe I’ll try you again …
Category:technical
a semi-permanent psa on passwords
Passwords should never expire: https://www.sans.org/security-awareness-training/blog/time-password-expiration-die
Passwords should not be changed often: https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html
Password “complexity” is – mostly – a joke: https://www.xkcd.com/936
You have been breached: https://blog.augustschell.com/passwords-passphrases-complexity-length-crackability-memorability-data-breaches
Passphrases are better than passwords – and https://password.ga will generate them for you (it will also generate random passwords that pass complexity requirements)
Use a password manager of some …
do you leak?
It would seem I have configured OpenVPN, Squid proxy, and, to a lesser extent, Pi-hole well – none of the major sites that report IP, DNS, and other connection-related security issues find anything out of the ordinary when I’m either running “just” proxied, or VPN, or VPN+proxy. You should check yourself hereon: https://ipleak.net http://ip-check.info/?lang=en (ironic …
rethinking pi-hole (again)
About 2 years ago, I started running Pi-hole as a DNS resolver and ad-blocker. Then last year, I ditched it. After seeing a recent post by Troy Hunt, though, I thought it might be worth revisiting... but I needed a better way to control how it worked. Enter OpenVPN – a service I already run on …
finally starting to get some good docs amassed
I had a decent library of documentation, templates, hand-offs, slide decks, etc in my pre-Splunk consulting life (technically, I still have them). It’s nice to be finally getting a decent collection to draw from for my customers in my post-automation consulting life.
you can’t disaggregate
Had a customer recently ask about how to disaggregate a Splunk search that had aggregated fields because they export to CSV horribly. Here’s the thing. You can’t disaggregate aggregated fields. And there’s a Good Reason™, too: aggregation, by definition, is a one-way street. You can’t un-average something. Average is an aggregation function. So why would you …
stats values vs stats list in splunk
Splunk’s | stats functions are incredibly useful and powerful. There are two, list and values, that look identical … at first blush. But they are subtly different. Here’s how they’re not the same. values is an aggregating, uniquifying function. list is an aggregating, not uniquifying function. “Whahhuh?!” I hear you ask. Here’s a prime example – say …
a fairly comprehensive squid configuration for proxying all the http things
After combing through the docs and several how-tos on deploying the Squid proxy server – none of which really did everything I wanted, of course – I’ve finally gotten to the format below. Installing Squid is easy-peasy – it’s in the standard package repos for the major platforms (CentOS/Fedora/RHEL, Ubuntu/Debian, etc) – so just run …
ben thompson missed *a lot* in his microsoft-github article
Ben Thompson is generally spot-on in his analysis of industry goings-on. But he missed a lot in The Cost of Developers this week. Here’s what he got right about this acquisition: Developers can be quite expensive (though, $7.5B (in equity) is only ~$265 per user (which is pretty cheap)) Microsoft is betting that a future …
don’t use symlinks unless you *know* you can
I first ran into this on Solaris in the context of [then] Opsware SAS (then HP SA, now owned by Microfocus). Bind mounts might be OK … so unless the tarball has symlinks included, don’t use them – they get traversed differently than “real” directories. In short, when directory traversals are done, sometimes it looks …
4 places to check your website’s ssl/tls security settings
Qualys – https://www.ssllabs.com/ssltest
High-Tech Bridge – https://www.htbridge.com/ssl
Comodo – https://sslanalyzer.comodoca.com
SSL Checker – https://www.sslchecker.com/sslchecker
hey, virtualbox – don’t be retarded
Ran across this error recently in an Ubuntu guest on my VirtualBox install: VBoxClient: (seamless): failed to start, Stage: Setting guest IRQ filter mask Error: VERR_INTERNAL_ERROR Gee, isn’t that a useful message. Fortunately, there was a forums.virtualbox thread on just this error. The upshot is that this error is actually caused because of a failure …
more thoughts on `|stats` vs `|dedup` in splunk
Yesterday I wrote-up a neat little find in Splunk wherein running stats count by … is substantially faster than running dedup …. After some further reflection over dinner, I figured out the major portion of why this is – and I feel a little dumb for not having thought of it before. (A coworker added some …
splunk oddity #17681 – stats vs table
It’s fairly common to want to table the data you’ve found in a search in Splunk – heck, if you’re not prettying the data up somewhy, why are you bothering with the tool? But I digress. There are two (at least) ways of making a table – you can use the |table <field(s)> syntax, or …
they asked the right question
Let me compare the experience I wrote about yesterday to another I had the same year with the first customer I was ever sent to – HSBC. Just a couple weeks after starting with ProServe in 2008, I was sent to Chicago to do a final PoC for HSBC. Someone else had done a PoC …
but, i got them on sale!
Back in August 2008, I had a one-week “quick start” professional services engagement in Nutley, New Jersey. It was supposed to be a super simple week: install HP Server Automation at BT Global. Another ProServe engineer was onsite to set up HP Network Automation. Life was gonna be easy-peasy – the only deliverable was to …
on entropy, password/passphrase complexity, and if you’ve been part of a data breach (spoiler alert: you have)
I wrote an article on passwords, passphrases, entropy, and data breaches for my employer’s blog: https://augustschell.com/passwords-passphrases-complexity-length-crackability-memorability-data-breaches
what is “plan b” for iot security?
Schneier has a recent article on security concerns for IoT (internet of things) devices – IoT Cybersecurity: What’s Plan B? We can try to shop our ideals and demand more security, but companies don’t compete on IoT safety — and we security experts aren’t a large enough market force to make a difference. We need a …
fallocate vs dd for swap file creation
I recently ran across this helpful Digital Ocean community answer about creating a swap file at droplet creation time. So I decided to test how long using my old method (using dd) takes to run vs using fallocate. Here’s how long it takes to run fallocate on a fresh 40GB droplet: root@ubuntu:/# rm swapfile && …
simple ip address check – ipv4.cf
I’ve published another super-simple tool. A la whatismyip.com, but with no extra cruft (and no queer formatting of the IP address under the hood), welcome IPv4.cf to the world with me!
wonder how many zombie film/tv/game creators are/were computer science nerds
As you all know, I am a huge zombie fan. And, as you probably know, I was a CIS/CS major/minor at Elon. A concept I was introduced to at both Shodor and Elon was ant colony simulations. And I realized today that many people have been introduced to the basic concepts of ant colony simulations …
pi-hole revisited
Back in November, I was really up on Pi-hole. But after several more months of running it … I am far less psyched than I had been. I’m sure part of that is having gotten better internet services at my house – so the impact of ads is less noticeable. But a major part of …
i wrote a thing – paragraph, a simple plugin for wordpress
Along with becoming more active on Mastodon, I’ve been thinking more about concision recently. One of the big selling points for Mastodon is that the character limit per post is 500 instead of Twitter’s 140. And I was thinking, “what if there was a way to force you to write better by writing less / …
update: keeping your let’s encrypt certs up-to-date
Last year I posted a simple script for keeping your Let’s Encrypt SSL certificates current. In conjunction with my last post sharing the “best” SSL configs you can use with Apache on CentOS, here is the current state of the cron’d renewal script I use.
systemctl stop httpd.service
systemctl stop postfix
~/letsencrypt/letsencrypt-auto -t -n --agree-tos --keep …
ssl configuration for apache 2.4 on centos 7 with let’s encrypt
In follow-up to previous posts I’ve had about SSL (specifically with Let’s Encrypt), here is the set of SSL configurations I use with all my sites. These, if used correctly, should score you an “A+” with no warnings from ssllabs.com. Note: I have an improved entropy package installed (twuewand). This is adapted from the Mozilla config …