Things that shouldn’t be online

Slashdot is running a story about a researcher who scanned all Australian IP addresses and found a whole bunch of things that shouldn’t be online.

As interesting as it is, this comment on the thread offers a lot more:

Pffft Only one country?

At a defcon talk in 2014 (talk [youtube.com] slides [defcon.org]) they scanned the whole IPv4 space live, looking for VNC instances. At least, anything that responded to a SYN packet.
Then they took a couple of months to connect to each VNC instance and, if no password was required, grab a screenshot.
Leading to a series of talks of things that shouldn’t be on the internet [youtube.com].

I am still watching the video, but even in the first few minutes you’ll see some crazy stuff. And let me get you started with a quick quiz question: if you had 7 servers, each connected to the Internet via a 1 Gb/s link, how long would it take you to scan the whole of the Internet (all IPv4 addresses), assuming 10 ports per IP?

Well, five years ago it took only 12 minutes, and it was done on stage at the conference! To me, this is somewhat mind-blowing. We keep hearing how huge and enormous the Internet is, so the idea of being able to scan all of it in just a few minutes sounds insane. Today you’ll probably need even less time, with better broadband and hardware.

And if you are curious about the tool the guys used, it was masscan. It’s a lot faster than nmap for this kind of job, and its command line is somewhat nmap-compatible.
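The reason a handful of boxes can cover the whole IPv4 space is that masscan keeps no table of outstanding probes: the SYN’s sequence number is a keyed hash of the 4-tuple (its documentation calls this a SYN cookie), so a reply can be checked against nothing but the key. Here is an added example of that bookkeeping; it is my illustration, not code from the talk or from masscan itself. The key, the addresses (RFC 5737 documentation ranges) and the three replies are constructed, and no packet is sent, so TCP checksums are left at zero.

```python
"""Stateless SYN-scan bookkeeping, the trick that lets a few boxes cover the
whole IPv4 space.  A stateful scanner remembers every SYN it sent so that it
can match replies; at tens of millions of outstanding probes that table is
the bottleneck.  A stateless scanner instead makes the SYN's sequence number
a keyed hash of the 4-tuple ("SYN cookie").  A genuine reply must acknowledge
seq+1, so it can be validated with nothing but the key.
"""
import hashlib
import hmac
import ipaddress
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10
TCP_HDR = "!HHIIBBHHH"   # ports, seq, ack, data offset, flags, window, checksum, urgent

# Constructed fixed key so the run is reproducible; a real scan draws a fresh
# random key per run (os.urandom) so targets cannot forge valid replies.
SCAN_KEY = b"constructed-per-scan-key"


def syn_cookie(key, src_ip, src_port, dst_ip, dst_port):
    """32-bit sequence number bound to the 4-tuple; nothing is stored."""
    msg = (ipaddress.IPv4Address(src_ip).packed + struct.pack("!H", src_port)
           + ipaddress.IPv4Address(dst_ip).packed + struct.pack("!H", dst_port))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def build_syn(key, src_ip, src_port, dst_ip, dst_port):
    """20-byte TCP header of the probe (checksum left zero; nothing is sent)."""
    seq = syn_cookie(key, src_ip, src_port, dst_ip, dst_port)
    return struct.pack(TCP_HDR, src_port, dst_port, seq, 0, 5 << 4, SYN, 65535, 0, 0)


def parse_tcp(header):
    src_port, dst_port, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, header[:20])
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack, "flags": flags}


def classify_reply(key, scanner_ip, reply_src_ip, header):
    """'open', 'closed' or 'stray' for a segment that arrived at scanner_ip from
    reply_src_ip.  The reply's source port is the port we probed and its
    destination port is the one we sent from, so the cookie can be recomputed."""
    h = parse_tcp(header)
    expected = (syn_cookie(key, scanner_ip, h["dst_port"], reply_src_ip, h["src_port"]) + 1) & 0xFFFFFFFF
    if h["ack"] != expected:
        return "stray"   # backscatter, spoofed, or an answer to someone else's probe
    if h["flags"] & SYN and h["flags"] & ACK:
        return "open"
    if h["flags"] & RST:
        return "closed"
    return "stray"


def make_reply(src_port, dst_port, ack, flags):
    """Constructed segment as a target would send it back (checksum zero)."""
    return struct.pack(TCP_HDR, src_port, dst_port, 0x12345678, ack, 5 << 4, flags, 29200, 0, 0)


# Constructed addresses from the RFC 5737 documentation ranges.
SCANNER_IP, SCANNER_PORT = "198.51.100.7", 40000
TARGET_IP, VNC_PORT = "203.0.113.42", 5900


def scan_round():
    """Send one probe (on paper) and classify three constructed replies."""
    probe = parse_tcp(build_syn(SCAN_KEY, SCANNER_IP, SCANNER_PORT, TARGET_IP, VNC_PORT))
    good_ack = (probe["seq"] + 1) & 0xFFFFFFFF
    replies = [
        make_reply(VNC_PORT, SCANNER_PORT, good_ack, SYN | ACK),    # port open
        make_reply(VNC_PORT, SCANNER_PORT, good_ack, RST | ACK),    # port closed
        make_reply(VNC_PORT, SCANNER_PORT, 0xDEADBEEF, SYN | ACK),  # not an answer to our SYN
    ]
    return [classify_reply(SCAN_KEY, SCANNER_IP, TARGET_IP, r) for r in replies]


if __name__ == "__main__":
    print(scan_round())   # ['open', 'closed', 'stray']
```

The per-run key matters: with a fixed or guessable cookie, anyone on the Internet could flood the scanner with fake SYN-ACKs that pass validation and pollute the results. Grabbing the VNC screenshots is a separate, stateful second pass over the hosts this step flagged as open, which is why the comment above describes it taking months rather than minutes.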

How To Secure A Linux Server

How To Secure A Linux Server is a nice collection of tips and tricks for improving the security of a Linux server. There are some well-known bits like SSH key authentication and firewall configuration, as well as some less common ones like multi-factor authentication and a RAM disk for /tmp.

UUIDs in MySQL are really not random

Jouke Waleson points out an interesting fact about UUIDs in MySQL, which you might have missed in the documentation:

Warning: Although UUID() values are intended to be unique, they are not necessarily unguessable or unpredictable. If unpredictability is required, UUID values should be generated some other way.

Make a note!
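To make the warning concrete, here is an added example (mine, not from the MySQL docs or from Jouke’s post). MySQL’s UUID() returns an RFC 4122 version-1 value: a 60-bit timestamp, a 14-bit clock sequence and the server’s 48-bit node id, so once you have seen one value, the next ones differ only in the timestamp. The script decodes a value and enumerates what the same server will hand out next. The node id, clock sequence and timestamps are constructed, and the 10,000-tick (1 ms) prediction window is an assumption.

```python
"""Why a MySQL UUID() value is guessable: it is a version-1 UUID, i.e. a
60-bit timestamp (100-ns ticks since 1582-10-15), a 14-bit clock sequence and
the server's 48-bit node id.  None of that is secret, so an attacker who has
seen one value can enumerate the ones issued after it.
"""
import datetime
import uuid

# 100-ns ticks between the UUID epoch (1582-10-15) and the Unix epoch.
UUID_EPOCH_OFFSET = 0x01B21DD213814000


def make_v1(ticks, clock_seq, node):
    """Assemble a version-1 UUID from its three fields (the layout MySQL uses)."""
    time_low = ticks & 0xFFFFFFFF
    time_mid = (ticks >> 32) & 0xFFFF
    time_hi_version = ((ticks >> 48) & 0x0FFF) | (1 << 12)      # version nibble = 1
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80     # RFC 4122 variant bits
    clock_seq_low = clock_seq & 0xFF
    return uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                             clock_seq_hi_variant, clock_seq_low, node))


def decode_v1(value):
    """Recover timestamp, clock sequence and node id from a version-1 UUID."""
    u = uuid.UUID(str(value))
    if u.version != 1:
        raise ValueError("not a time-based (version 1) UUID")
    unix_seconds = (u.time - UUID_EPOCH_OFFSET) / 1e7
    return {
        "ticks": u.time,
        "timestamp": datetime.datetime.fromtimestamp(unix_seconds, tz=datetime.timezone.utc),
        "clock_seq": u.clock_seq,
        "node": f"{u.node:012x}",
    }


def is_predictable(value):
    """True for a version-1 UUID: fully determined by time, clock sequence and node."""
    return uuid.UUID(str(value)).version == 1


def candidates_after(value, ticks):
    """UUIDs the same server would hand out over the next `ticks` 100-ns steps,
    assuming the clock sequence does not change (it only moves on a clock
    regression or restart)."""
    u = uuid.UUID(str(value))
    return [make_v1(u.time + t, u.clock_seq, u.node) for t in range(1, ticks + 1)]


def attacker_can_predict(seen, later, window=10_000):
    """True if `later` is among the candidates enumerated after observing `seen`."""
    return later in set(candidates_after(seen, window))


# Constructed sample: two values "returned by the same server" 250 µs apart.
# Node id and clock sequence are made up; on a real server the node id is
# usually the MAC address.
NODE = 0x5B8C656024DB
CLOCK_SEQ = 0x1564
T0 = 1_560_000_000 * 10_000_000 + UUID_EPOCH_OFFSET   # 2019-06-08 13:20:00 UTC
FIRST = make_v1(T0, CLOCK_SEQ, NODE)
SECOND = make_v1(T0 + 2500, CLOCK_SEQ, NODE)


if __name__ == "__main__":
    print(FIRST, decode_v1(FIRST))
    print(SECOND, "predicted from FIRST:", attacker_can_predict(FIRST, SECOND))
    print("uuid4 predictable:", is_predictable(uuid.uuid4()))
```

The practical consequence: a UUID() value used as a password-reset token, session id or "unguessable" download link can be brute-forced from one leaked sample, and even without a sample the node id and timestamp narrow the search enormously. If unpredictability is what you need, generate the value from a CSPRNG (a version-4 UUID, or 16 bytes from /dev/urandom) in the application and store it in MySQL rather than asking the database to make one.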

Why does APT not use HTTPS?

In the ever-changing world of technology, people often rush to get the latest. Hype for new features, improved performance and security is everywhere, and hardly anybody stops to think things through.

Use the best tool for the job, they say. And the latest is always the best.

Given that, I found it surprising that APT (the Advanced Package Tool), used by Debian and a number of other popular Linux distributions, does not use HTTPS, no matter how much people push for it. For all the arguments about HTTP/2 performance and free Let’s Encrypt certificates, the APT developers have counterarguments of their own.

“Why does APT not use HTTPS?” is a simple website that explains the reasoning behind that decision, and it makes a lot of sense for their particular use case.
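The argument hinges on where integrity comes from. The archive’s Release file is signed with the distribution’s OpenPGP key, it lists the hash and size of each Packages index, and each index lists the hash and size of every .deb; a mirror or a man in the middle can alter bytes anywhere in that chain but cannot make them verify. Here is an added illustration of that check, my code rather than apt’s: the OpenPGP signature is stood in for by an HMAC with a constructed key so that it runs offline, and the package, index and Release contents are constructed.

```python
"""Where apt's integrity comes from: a signed Release file lists the hashes
of the Packages indexes, and each index lists the hash and size of every
.deb.  Whatever the transport, a byte changed anywhere in the chain fails
verification.  The OpenPGP signature is stood in for by an HMAC with a
constructed key so the example runs offline.
"""
import hashlib
import hmac

ARCHIVE_KEY = b"constructed-archive-signing-key"   # stand-in for the archive's private key


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def sign_release(text):
    """Stand-in for the detached OpenPGP signature in Release.gpg / InRelease."""
    return hmac.new(ARCHIVE_KEY, text.encode(), hashlib.sha256).hexdigest()


def parse_release(text):
    """Collect the 'SHA256:' stanza of a Release file: {path: (digest, size)}."""
    entries, in_stanza = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_stanza = True
        elif in_stanza and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:
            in_stanza = False
    return entries


def parse_packages(text):
    """Split a Packages index into one {field: value} dict per stanza."""
    return [dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
            for block in text.strip().split("\n\n")]


def verify_download(release_text, signature, index_path, index_text, deb_path, deb_bytes):
    """Walk the chain signature -> Release -> Packages -> .deb; any broken link rejects the bytes."""
    if not hmac.compare_digest(sign_release(release_text), signature):
        return False, "Release signature invalid"
    listed = parse_release(release_text).get(index_path)
    index_bytes = index_text.encode()
    if listed != (sha256(index_bytes), len(index_bytes)):
        return False, "Packages index does not match Release"
    for pkg in parse_packages(index_text):
        if pkg.get("Filename") == deb_path:
            if (pkg["SHA256"], int(pkg["Size"])) != (sha256(deb_bytes), len(deb_bytes)):
                return False, "package does not match Packages index"
            return True, "verified"
    return False, "package not listed in index"


# Constructed archive: one package, one index, one Release file.
DEB_PATH = "pool/main/h/hello/hello_2.10-2_amd64.deb"
DEB_BYTES = b"!<arch>\nconstructed stand-in for a .deb archive\n"
INDEX_PATH = "main/binary-amd64/Packages"
INDEX_TEXT = (
    "Package: hello\nVersion: 2.10-2\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\nSHA256: {sha256(DEB_BYTES)}\n"
)
RELEASE_TEXT = (
    "Origin: Debian\nSuite: stable\nSHA256:\n"
    f" {sha256(INDEX_TEXT.encode())} {len(INDEX_TEXT.encode())} {INDEX_PATH}\n"
)
RELEASE_SIG = sign_release(RELEASE_TEXT)


def mitm_attempts():
    """What a hostile mirror or on-path attacker can and cannot get past the client."""
    evil = DEB_BYTES + b"# backdoor\n"
    evil_index = (INDEX_TEXT.replace(sha256(DEB_BYTES), sha256(evil))
                  .replace(f"Size: {len(DEB_BYTES)}", f"Size: {len(evil)}"))
    evil_release = RELEASE_TEXT.replace(sha256(INDEX_TEXT.encode()), sha256(evil_index.encode()))
    return {
        "genuine": verify_download(RELEASE_TEXT, RELEASE_SIG, INDEX_PATH, INDEX_TEXT, DEB_PATH, DEB_BYTES),
        "swap deb only": verify_download(RELEASE_TEXT, RELEASE_SIG, INDEX_PATH, INDEX_TEXT, DEB_PATH, evil),
        "also rewrite index": verify_download(RELEASE_TEXT, RELEASE_SIG, INDEX_PATH, evil_index, DEB_PATH, evil),
        "also rewrite Release": verify_download(evil_release, RELEASE_SIG, INDEX_PATH, evil_index, DEB_PATH, evil),
    }


if __name__ == "__main__":
    for scenario, (ok, why) in mitm_attempts().items():
        print(f"{scenario:22} {'OK' if ok else 'REJECT'}  {why}")
```

The attacker can rewrite everything up to and including the Release file, but without the archive’s private key the rewritten Release fails the signature check, and every other tampering fails a hash check below it. What the signature chain does not give you is confidentiality of which packages you fetch and protection against a mirror replaying an old, still validly signed Release file; apt addresses the latter with the Valid-Until field in Release, which an attacker cannot alter either.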