cron.weekly issue #63: MongoDB, SELinux, relayd, dgsh, SSH, GPG, /dev/random & more!
January 15, 2017 - Mattias Geniar
Welcome to cron.weekly issue #63 for Sunday, January 15th, 2017.
A full issue once again, lots of new projects and guides got posted last week. If those were New Year’s resolutions, keep it up!
Just as a reminder for anyone trying to find a project or guide mentioned in a previous newsletter, all issues are available online in the archive.
Over the last few weeks, several unfirewalled and unsecured MongoDB instances were held “ransom”: their data was stolen and you had to pay bitcoins to get it back. This article looks at how that could happen and what the value of secure, sane defaults is for system packages.
Earlier last week, a Docker vulnerability (CVE-2016-9962) was made public that allowed code running in a container to escape that container and compromise the host. In this post, Red Hat explains how SELinux prevents such exploits.
A look at the bad & good parts of systemd. Thankfully, there are more good parts than bad, as we’ll be using systemd for quite some time.
This post has some good insights into how and when to spread your DNS records across multiple providers, what the impact of one offline provider is, whether you should revoke nameservers or just keep them listed but ‘offline’, …
And vice versa! A well-reasoned post about the benefits of knowing both ends of the spectrum in order to build more resilient, reliable and performant applications.
Tools & Projects
Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial. (Sponsored)
The relayd project consists of `relayd`, a load-balancer, application layer gateway, transparent proxy, and SSL/TLS gateway, and `httpd`, a web server that is based on relayd. It is secure, serves static files and supports FastCGI and TLS.
A potential alternative to Ansible, posixcube is a POSIX-compliant shell script server automation framework.
pshtt (“pushed”) is a tool to scan domains for HTTPS best practices. It saves its results to a CSV (or JSON).
This might be useful for your desktop, not so much your servers: an open source desktop client for Gmail & Google Inbox. Bringing the online Gmail & Google Inbox experience to your desktop in a neatly packaged app.
This program allows you to centralize and distribute IP blacklists. It can be integrated with fail2ban, where banned IPs on a single host can be exported to other servers and preventively blocked. It’s a tool to build a clustered fail2ban, sharing IP block lists.
Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication.
A simple process manager for developers. Start apps from your browser and access them using local .dev domains.
A new shell based on Bash which introduces a very interesting “left to right” syntax at the CLI, offers multi-core processing with piped commands and an expressive syntax. Worth a look, scroll down to the examples to understand its power!
A fast TCP tunnel over HTTP.
Guides & Tutorials
A very detailed write-up by Google on how to run a secure service online. It covers everything from physical security (hardware, on-prem security, …) to secure deployment to secure communication between services. Such amazing value in that document!
A guide by NASA on how to use GPG to encrypt and decrypt a message (or images, binary files, …).
This write-up explains Certificate Authorities and Key Revocation Lists in order to understand how SSH key authentication works.
A guide for hardcore OS X users who are tired of their OS and want to switch to Ubuntu. It covers some practical areas like replacing Alfred (task launcher), the File Manager, code editors, … All for Desktop Linux, of course.
This post introduces 2 MySQL options that can greatly decrease MySQL replication lag: ‘slave-parallel-type’ and ‘binlog-group-commit-sync-delay’.
A fun read about the difference between /dev/random and /dev/urandom, where entropy comes from, what ‘randomness’ means in Linux, …
This script by Hector Martin was created to explain the Kernel init process (initrd, initramfs, mounts, etc) more clearly, in Bash. Very technical and to the point, you’ll learn a few lesser-used CLI tools along the way.
Containers with good old-fashioned tools: chroot, unshare, nsenter, bind mounts, cgroups, setcap, … To understand what goes on behind a Docker CLI command, this post gives a very good idea.
This presentation by Facebook offers more insights into the load balancer they created to serve traffic to Facebook.com and all the different apps. Lots of info on ECMP, ipvs, TCP session sharing, …