Taking Advantage of DNSSEC

Great overview of what’s coming (eventually) to DNS and the internet.

SWITCH Security-Blog

According to measurements by APNIC’s Geoff Hustoncurrently 16 percent of Swiss Internet users use a DNSSEC validating DNS resolver. If you want to benefit from the added security with DNSSEC in your network then I suggest you enable DNSSEC validation in your network as well. SurfNet published a deployment guide recently that takes BIND 9.x, Unbound and Microsoft Windows Server 2012 into account.

Enabling DNSSEC validation on your DNS resolvers is one simple step and it protects you from DNS Cache Poisoning. However, if it were only for this, then the DNSSEC protocol complexity would come at a high cost for only providing this one benefit. In fact, DNSSEC is much more than only a protection from Cache Poisoning. It’s a new PKI in DNS and if you have signed your zone and are already validating then you can take advantage of that PKI. Some use cases are…

View original post 582 more words

How to Test DNSSEC and DANE on a Domain

Here’s a simple way to check if DANE is properly setup on a site:

# echo -n | openssl s_client -connect spdysync.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint -sha256 | tr -d :
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
DONE
SHA256 Fingerprint=461479314CDEC67FB609C812EB74737BAA5327455AD422BA606C88DD530BF2C2

And then compare that value against published TLSA record:

# dig +short TLSA _443._tcp.spdysync.com
3 0 1 461479314CDEC67FB609C812EB74737BAA5327455AD422BA606C88DD 530BF2C2

These value should match. If they don’t assume the site has been compromised.

This assumes of course the domain is also signed with DNSSEC. A properly configured domain: http://dnssec-debugger.verisignlabs.com/spdysync.com

Creating a Simple, Cheap, and Automated Backup Solution with Tarsnap

Background:

So I host a variety of small websites on a VPS at Ramnode (affiliate link). I’ve been extremely happy with their service, and their performance per dollar ratio. Previously I had been using DigitalOcean, but their VPS performance lately was a bit lacking compared to other providers (sorry DigitalOcean, I still love ya). As part of my evaluation of a handful of providers I performed extensive benchmarking to determine which VPS provider would be best for my (amateur) needs. It was also an excuse to use Excel again — oh Excel how I miss thee — but I digress.

I’ve been a very happy camper at Ramnode until I realized the weaknesses of having picked OpenVZ Linux containers vs. KVM virtualization which I’ve used in the past. Long story short, with OpenVZ containers the user (me) does not have access to much of the low-level system (including the kernel). This leads to problems with things like iptables logging, syslog, or when trying to access information about a given partition within your container. This lack of partition information unfortunately means that when you try to backup your data with a traditional backup solution like R1Soft you — as a lowly user — do not have the right permissions to read and then backup your data within your own container. Not a problem I said — Ramnode provides customers with regular backups. That was one of the reasons I picked them. 

Well, that was the case until recently: https://clientarea.ramnode.com/announcements.php?id=368 They casually announced that they had disabled the weekly automated backup system. So that sucks, a lot. 

My VPS provider decided to stop backing up my data (even though they sold me plan saying they would) and due to OpenVZ limitations many of the common automated backup tools simply won’t work.

So I needed to come up with a solution.

Continue reading “Creating a Simple, Cheap, and Automated Backup Solution with Tarsnap”

NodePing vs. Pingdom — server monitoring

Pingdom:

Positives:

  • mobile app
  • large number of testing locations
  • 10 checks at the yearly price is reasonably priced.
  • Built-in “PageDuty”-lite incident response is handy, though overkill for personal web servers.
  • I like the root cause analysis any time a check fails. Provides full connection output, response headers, etc. Extremely helpful when troubleshooting the cause of the failed check.

Negatives:

  • New website design is painfully slow and confusing.
  • Can’t add a new check via the mobile app
  • No option to specify host headers for a check — such as specify IP and specify the hostname directly.
  • No public status page unless you pay 2x per month.

 

NodePing:

Positives:

  • Free public status page
  • Website is fast and clean, though lacking some features
  • Pricing is attractive, even without a yearly agreement.

Negatives:

  • No mobile app
  • Relatively few testing locations
  • No option to specify host headers for a check — such as specify IP and specify the hostname directly.
  • Virtually nothing in the way of detail when a check fails. Also no easy way to go back and find a failed check after 300 successful checks have passed.

 

They both have a variety of checks — HTTP/HTTPS, UDP/TCP arbitrary port check, POP/SMTP/IMAP, and DNS checks. Both send me an email and push notification via Pushover whenever there’s an issue. Both use 1 minute checks, and confirmation from 3 locations before an alert is triggered.

I like StatusCake, but their checks seem spotty at best. They report all kinds of intermittent downtime when every other monitoring service sees zero issues. Not exactly great when your server monitoring tool is lying to you.

I also tested Monitus and CopperEgg. Didn’t like either one. I use New Relic’s free plan which is handy, also Linode’s Longview tool with the free plan.

Ultimately it looks like I’ll be going with Pingdom, even though it’s not my favourite choice.

Emails Show Feds Asking Florida Cops to Deceive Judges

Police in Florida have, at the request of the U.S. Marshal’s Service, been deliberately deceiving judges and defendants about their use of a controversial surveillance tool to track suspects, according to newly obtained emails.

Source: http://www.wired.com/2014/06/feds-told-cops-to-deceive-courts-about-stingray/

 

When a normal person lies to a judge/court you get an even harsher punishment, BUT if you’re a police officer …apparently you just get more convictions — no questions asked!