Tag Archives: security

Rant: Why DevOps is not an answer? Because there was no question

Why do I think that DevOps is not going to last too long as it is now – widely marketed and hyped? Because there was really not that much demand for it in the first place – it was hyped and brought up by project management and some marketing people that always know better how programming and software development should be done.
I’ve seen some IT hypes rise and go

  • XML is the answer for all your data representation needs
  • Javascript/Ruby/C# is the only programming language you need to know
  • Unix is obsolete – Windows NT can cover all your server demands (yes I am that old)

As the experience shows in 2-3-4-5 years hype dies out and most of things return back the way they were before, may be with the new twist. Of course there is always some market share leftovers staying on so much hyped technologies just because big investments were made into it and these could not be unmade without some unpleasant discussions so at the end it was just decided to call this innovations a success.
What I think, that the whole DevOps deal was an attempt of some management to cut costs ™ namely make software developers do sysadmin tasks without hiring professional sysadmins and basically without salary rise. Round of applause ensued, big bonuses signed and reports of innovations issued. Nice and shiny face of the capitalism here. New tools and technologies came out shortly after and placing DevOps into the title and somewhere on the resume will ensure recruiters interest in you.
Why do I think this is totally wrong? From my more then 20 years experience I could say that software developers and system administrators have not only different skill set but also very different mindset and way of solving problems. You know what they say – “If you are a hammer most of the problems start looking like a nail”? Software developers/programmers are set to solve a problem with writing new code or modifying an existing code. All side problems like configuring development environment, setting up networking, backups and information security are seen as an obstacles to the final and ultimate goal – software development. So you would naturally assume that performing “Op” tasks will be quick, inaccurate and well yeah mediocre in order to achieve an ability to do “Dev” part. You want an example? Here you go – saving AWS credentials in github repository is widely known security problem nowdays, and guess what – in most cases that was done by some CI/CD tool or some high and mighty DevOp that was harmless and respected programmer in his previous life.
I wouldn’t say that DevOps is total pure evil in itself – there are some good ideas in it, but dumping all system administration tasks on developers usually wouldn’t lead to any good outcome. Just like widely popular tape recorders with bundled radio long time ago – both functions were way below average.
I hope that at the end the common sense will prevail.

Please follow and like us:

Windows: What do I want to see as default browser

Why Did I bother with it at all?

As I wrote before it is more convenient and secure to have something small, fast and feature limited as your default browser (valid decision for all OSes out there).
Well times go by and nice small Qtweb got outdated with development on it stopped about 6 years ago and new standards (namely SSL/TLS) and new vulnerabilities came out, so I decided
Read more »

Please follow and like us:

Sysadmin: Letsencrypt renewal htaccess redirect bypass

With increasing role of HTTPS websites (Google pushing everybody to run only HTTPS websites considering regular HTTP as insecure) the service provided by Let’s encrypt becomes critically important. But there is a catch – once you get the certificate and redirect your site to HTTPS using .htaccess you will get a problem renewing certificate because 301 redirect breaks the challenge verification and the command

gives an error about authorization problem.
Read more »

Please follow and like us:

Sysadmin: Brute force detection – custom rule for SMTP and SSH

I wrote before about excellent tool BFD that allows to block brute force password guessing attempts on different network services.
I prefer it to Fail2ban because of portability (bash script) system resource consumption (bash script!) and extendĐ°bility (true “unix way” modularity).
I also wrote before a brief instruction on how to extend BFD with your own rule to fight with apache/Wordpress DOS attack.
In this post I will show you how to write custom rules to block SMTP password guessing brute force attempts and SSSHD

Read more »

Please follow and like us:

Windows: Set lightweight web browser as MS windows default web browser application.

qtwebI was thinking the other day – it’s not really safe to have MS windows default browser set to MS Internet Explorer, so any URL you accidentally click will be open with it. For the work related activity I user portable browsers. But what about everything else – this is not really safe no matter how many MS security updates are published every week.
So, I decided to find something really small and “feature-poor” to assign it to the default browser.
Read more »

Please follow and like us:

Sysadmin: How to see the name of PHP script that sent that e-mail

phplogo SPAM e-mail is the common problem these days and in most cases the cause of this problem is the lack of security on the hosted web sites. Various badly designed PHP scripts expose the hosting server MTA to be used as SPAM e-mails source. First and foremost step in resolving this problem would be to determine the originating PHP script that was used to send e-mails.
Read more »

Please follow and like us:

How to use BFD tool to block WordPress brute force attacks

I have written about the excellent and lightweight (unlike fail2ban which is more popular but too resource consuming and 3rd party tools dependent) tool BFD earlier. This tool is actually the set of bash scripts that looks for known pattern in the logs and executes actions against offending IPs based on the configuration. Little is known that it’s also modular and allows to extend it’s behavior by writing custom rules to assist with more uncommon situations.

I’ve also written about widespread WordPress brute force attacks that targets wp-logon.php script. The solution I’ve offered there takes care of single WordPress site. It’s getting more difficult to mitigate the attack in case you have multiple servers with multiple WordPress sites. So I decided to come up with more general approach.

Read more »

Please follow and like us:

Rant: Why I would never have facebook account

no-fb First of all – this is my opinion, it’s emotional, biased, personal and has nothing to do with you. If you are offended by my opinion – you are not required to read, agree with it or argue with me.
Read more »

Please follow and like us:

Sysadmin: block these pesky recursive DNS queries with iptables rate limiting rules

dns-reflectIf you are managing Linux server you have probably heard about recent DNS amplification attacks that were using misconfigured DNS servers.
Read more »

Please follow and like us:

Sysadmin: correcting file permissions recursively from the shell

In a way of troubleshooting web application there is the step when all known reasons why it doesn’t work exhausted so they just change permissions on everything to 0777 and hope that this drastic step would fix the problem. Most likely it does not but leaves the permissions broken and and the whole site wide open.
Usually nobody cares until first break-in, then everybody start looking for the responsible parties, and host is first and most likely last to blame.
In order to avoid this problem permissions (and possibly ownership) of the web content should be corrected.
Read more »

Please follow and like us: