modsecurity on debian

ModSecurity left me confused: I thought I had only the basic rules, but I had the extended CRS rules as well, so it did not need configuring.  The Debian (my blog) wiki keeps mum on the subject as well.

I know it is working, although its reporting via Ruby and its upgrades via Python make it a multidisciplinary tool.

From what I read outside of Debian it seems to work with our stuff, so it remains on.  Mystery software like that sounds like a future candidate for disabling.

Its log messages are also hard to grep and awk.

I guess I shall be writing about mod-security rules at some point in the future…

some Debian 9.4 fun

With Debian 9.4, Postfix (my blog) started working once again, and OpenDMARC (my blog) had a funny five minutes when the pidfile in the systemd unit did not match the one in opendmarc.conf. I also needed dpkg --configure -a when apt decided something was still wrong with opendmarc.

Which one was right is debatable, but I have not changed anything; I still hold the opinion that systemd sucks.

OpenDMARC logging for reports also seems broken; as to why, I will have to look at it, but it was working and then it was not.

I lost CUPS printers on a separate 686 Debian kernel, but printing from the rest of the zoo on i386 works, so it is not a terrible headache.

Overall, forwards, and a bit backwards too.

the zoo’s Schroedinger’s cat mail server

oh yes they are

“It’s behind you”, “no it’s not” makes this post sound like a pantomime: thanks to systemd (my blog) I have a Postfix instance active (my blog) that Postfix itself thinks is not active.

Schroedinger would be proud.

So I changed the bind address and server name to use the .lan TLD, as .local and .corp are now paid TLDs.  Making no sense of up or down, an nmap scan says it is working.

I give up at this point and let this paradox be.

The next day I notice that the new zoo.lan is sending email when technically it is not running. I am baffled, and apart from the Postfix instance changes noted above I have not been changing its configuration.

Oh well, that’s systemd for you.

I still do not grok hpkp and overriding it like a pro

I have mentioned it before (my blog), and since Chrome (the web browser, not a metal alloy) eventually gave up on this cryptographic hash to verify sites** I decided to have one last go.

I read online that

openssl ecparam -genkey -name secp384r1 > ec.key
openssl ec -in ec.key -pubout | openssl ec -pubin -outform der | openssl dgst -sha256 -binary | base64

gets you a backup key, or something like that.

That looks like this (note: not run on a real certificate):

read EC key
writing EC key
read EC key
writing EC key

# cat server.key
4Ej/s4iCfUWgBwYFK4EEACKhZBananas – in  – the – Falklands -M4szuJE0DDh/pLBmob

So it appears to write EC PARAMETERS and EC PRIVATE KEY sections to a file.

The magic of openssl is beyond most, so I went looking for an HPKP generator, which appeared to work and, despite not handling EC private keys, also got me a backup pin hash.

I still had no idea how I could generate a backup cert from those keys; I still think money would need to change hands with the SSL mafia.

Since I already had a commented-out, non-working HPKP block, with its /” syntax (a rather nasty line of config-speak compared with most), I copied it, used the hashes from that generator, and tested it twice; both test sites agreed HPKP was there and valid.

But I was unable to reproduce how the backup key was made.   It felt easier than before, with less effort, but I still felt I had no feel for HPKP.

I did not add it to the other zoo domains, on the grounds of it being an unknown quantity. I would guess that if you asked your TLS provider whether it generates backup keys, you would be told to buy the most expensive SSL product they have and be done with. It appears that the key files get some extra section, but how it works beyond that is beyond me and the SSL supplier.

I prefer TLSA hashes (my blog) to magical stuff that very few seem to get.
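What the openssl pipeline above actually computes, and why the TLSA hash is the same thing in different clothes, as an added example in Python that is not code from this blog or any tool: an HPKP pin-sha256 is the base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo (what `openssl ec -pubout` followed by `-outform der` produces), a "backup" pin is that same hash over a second key that has not yet been put in any certificate, and a TLSA 3 1 1 record is the identical SHA-256 written in hex. The SPKI bytes below are constructed with real secp384r1 framing around a filler point (not a usable key); the header builder, parser and the example.com zone line are illustrative assumptions, not any library's API.

```python
"""HPKP pin and TLSA 3 1 1 from the same SubjectPublicKeyInfo (added example).
Standard library only, so it runs offline; nothing here is the blog's code."""
import base64
import hashlib
import re

# Real DER framing of a secp384r1 SubjectPublicKeyInfo:
#   SEQUENCE { SEQUENCE { OID ecPublicKey, OID secp384r1 }, BIT STRING { 0x04 || X || Y } }
P384_SPKI_PREFIX = bytes.fromhex("3076301006072a8648ce3d020106052b8104002203620004")


def constructed_p384_spki(seed: bytes) -> bytes:
    """CONSTRUCTED test key: correct SPKI framing around a filler 96-byte point.
    The point is not on the curve, which is fine for hashing demos and useless as a key."""
    return P384_SPKI_PREFIX + hashlib.shake_256(seed).digest(96)


def to_pem(spki_der: bytes) -> str:
    """Write SPKI DER as the 'BEGIN PUBLIC KEY' PEM that `openssl ec -pubout` emits."""
    b64 = base64.b64encode(spki_der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def spki_der_from_pem(pem: str) -> bytes:
    """Extract the DER bytes from a PUBLIC KEY PEM block (the `-outform der` step)."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no SubjectPublicKeyInfo (BEGIN PUBLIC KEY) block found")
    return base64.b64decode("".join(m.group(1).split()))


def hpkp_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64(SHA-256(SPKI DER)), the `dgst -sha256 -binary | base64` step."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def tlsa_3_1_1(spki_der: bytes) -> str:
    """TLSA usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256): same digest, hex."""
    return hashlib.sha256(spki_der).hexdigest()


def pin_from_tlsa_hex(tlsa_hex: str) -> str:
    """Re-encode a TLSA 3 1 1 digest as an HPKP pin to show they are the same 32 bytes."""
    return base64.b64encode(bytes.fromhex(tlsa_hex)).decode("ascii")


def hpkp_header(pins, max_age: int = 5184000, include_subdomains: bool = False) -> str:
    """Build a Public-Key-Pins value. RFC 7469 requires at least two distinct pins,
    one of them a backup whose key is NOT in the served chain."""
    if len(set(pins)) < 2:
        raise ValueError("HPKP needs a primary pin and a distinct backup pin")
    parts = [f'pin-sha256="{p}"' for p in pins] + [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


def parse_hpkp_header(value: str) -> dict:
    """Parse a Public-Key-Pins value and enforce the checks a browser applies:
    mandatory max-age, each pin a 32-byte base64 digest, at least two distinct pins."""
    pins = re.findall(r'pin-sha256="([^"]+)"', value)
    m = re.search(r"max-age=(\d+)", value)
    if m is None:
        raise ValueError("max-age is mandatory")
    for p in pins:
        if len(base64.b64decode(p, validate=True)) != 32:
            raise ValueError(f"pin is not a 32-byte SHA-256 digest: {p}")
    if len(set(pins)) < 2:
        raise ValueError("fewer than two distinct pins (no backup pin)")
    return {"pins": pins, "max_age": int(m.group(1)),
            "include_subdomains": "includeSubDomains" in value}


def is_valid_hpkp_header(value: str) -> bool:
    """True if parse_hpkp_header accepts the value."""
    try:
        parse_hpkp_header(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    live = constructed_p384_spki(b"live key")        # the key in the served certificate
    backup = constructed_p384_spki(b"backup key")    # generated offline, never certified
    assert spki_der_from_pem(to_pem(live)) == live   # PEM -> DER round trip
    print("Public-Key-Pins:", hpkp_header([hpkp_pin(live), hpkp_pin(backup)], include_subdomains=True))
    # hypothetical zone line; example.com is a placeholder name
    print("_443._tcp.example.com. IN TLSA 3 1 1", tlsa_3_1_1(live))
```

The backup pin is the whole of the "magic": generate a second key pair, keep the private half offline, and pin the hash of its public half now so that a certificate for it can be deployed later without locking browsers out. Rotating to a key that was never pinned is exactly the lock-out described further down.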

If you are more illuminated than you were, well done, but it still makes it useless.

I also had to replace the TLS certificates, and I decided to break HPKP.

I discovered that I had no access from Firefox or Chrome.

In Firefox, to disable HPKP, find SiteSecurityServiceState.txt in the profile directory and

vi ~/.mozilla/firefox/<something>.default/SiteSecurityServiceState.txt

search for the domain name and delete those entries.  Restart Firefox and Bob’s your uncle.

Chrome is also intentionally screwed up, but since I do not use Chrome it is not an issue; resetting Chrome clears it.  However, if I can find and edit or delete my HPKP settings back to defaults, I am sure a malware or ransomware bot could as well.  I conclude that HPKP is useless.

Tomorrow: cute kitten pictures*

* I joke.
** It still requires TLS certs from a ‘trusted’ SSL source, most of which require money.

rfc ignorant email servers and software things

I am constantly reminded of bad email servers, since I get a report detailing the clueless and the dumb who think email is easy.

Your email server may kind of work, but it does have to worry about non-email things too, as they can wreak havoc.   Somebody had all the right things, but the sending server screwed up the header, so our spam bot decided not to deliver the email.  I had no issues with that.

The DMARC report sent (my blog) might say we got it, but it never hit a human.

Commercial list software is also odd with DMARC: two ‘signed up for marketing messages’ lists also added the DMARC reporting address to themselves.

Quite how the DMARC address got on the list is something I’d love to know.

Since our virus bot is working, unlike those email lists, and knows a bad header, I was happy to accept its judgement that the message should not be seen by a human. DMARC is working correctly too.

So if you think your email is getting through and that it was 100% signed up for by humans, it may not be so; and if you wish to send email to the DMARC user, or to reject DMARC mail because of the compressed file, well, that’s your choice.

You’re still an idiot.

Processor flaws

The IME, Spectre and Meltdown are issues that affect most processors, not just Intel’s, since AMD has the same flaws, or a different name for its security ‘engine’, which also may or may not be violating an open source license.

This happened to the Pentium in the 1990s too.

I am sure somebody at the NSA is rather sad that these issues have come to light, but as all of us are in the same boat, it proves that while gentlemen do spy on each other, their efforts to spy mean they are as bad as the others, and sod democratic ideals.

Baboons: give us an A, give us a B, give us a C.

While my monkey house screenplay for Superape, where a monkey flies and saves other apes from disaster, is no doubt not weapons-grade WMD, at least the NSA have read it (my blog).  Is it a bird? No, it’s Superape! How dare Hollywood not contact me*

It will be interesting to see what happens to hardware after these design flaws. Doing an Nvidia seems the wrong approach, so perhaps we might see hardware with open software on the processor, something your friends at the NSA won’t like.

But if they kept mum on the issue, perhaps their mission to protect democracy is a false mission, and as long as spies seek to undermine everything for their careers, a rethink is in order.

I kind of doubt that open source processors will become popular, or that open firmware will become a thing; looking at routers will tell you that.

I would buy an open processor, the zoo being a place that runs open firmware on its routers, and non-fucked-up GPUs and PCI slots (my blog). It shall be interesting to see if it happens. It would be nice to upgrade a video card without throwing all of it away, if you think about it.

* I joke.

lets encrypt tls

I have been using it for a while now, and I am now using DNS entries to validate; the certbot software (my blog) is a lot better than it used to be, as it does not stack-trace every two seconds.

Doing multi-host is also possible, although TLSA records are something I have yet to automate in the zone files when the TLS renewal happens.

Not that anybody checks those anyhow.

After the change of ownership of paid SSL providers to include a firm that hacks SSL/TLS for governments, this is not me being cheap but ethical: how safe are those issued certificates (my blog) from the hacking firm also owned by the parent company?

Cyrus imap fun

One of the zoo’s mail stores stopped working, and I was the first to discover this. I had to hunt for the new location of ctl_cyrusdb (my blog), since it regularly changes in the distro (my blog), and I was able to fix it and log in to this unhappy mail store.

I have no idea how it broke, since the logs are keeping mum on the subject, but once every five years between commands seems acceptable.