Problem: you find a key and a cert file on, and need to check if the cert matches the key. Solution: Check the modulo (n=p*q) of both key and cert to see if they are equal. Version: tested with openssl 3.0.11 on devuan 5
How to Check If an RSA Cert Matches an RSA Key Read More »
If you like to block network access for certain users on a linux box it’s as simple as that: /sbin/iptables -I OUTPUT -m owner –uid-ower <USERNAME> -j DROP Username might also be the username of a running service.
Block Internet per User/Service Read More »
Facebook gives a list of companies who run Facebook ads, and sent my contact information (tel, email) to Facebook. This list for my account lists some obvious companies, some companies I never heard of, and some companies who really should never have forwarded my contact information to Facebook! Look up your own list by: Click
My Contact was Shared with Facebook Read More »
I tested a Ubiquiti access point today. UAP-AC-Lite seems to be a very good and cheap access-point. When you take it out of the box and connect it to the network it gets an IP address using DHCP and waits for a configuration. In this mode it sends broadcasts to find a controller and listens on port
Ubiquiti UniFi the Next Botnet ? Read More »
Problem: A simple bgp upstream configuration. A small AS with one IP prefix wants to connect to its upstream using BGP. The BGP peerings are up. Sophos receives the expected routes from its upstream, but the upstream router does not receive the expected single prefix. Discussion: an outbound filter list is set to prevent sending other than the
Sophos UTM BGP Announces 0 Prefixes Read More »
Problem: PaloAlto firewall is dropping packets in small bursts of some seconds, and sometimes it drops TCP connections. It only happens on HA clusters on interfaces in active/passive (fail over) mode. Solution: disable the following check box in the Ethernet interface Advanced – LLDP settings: “Enable in HA Passive State” Discussion: Palo Alto uses only one MAC address
PaloAlto Packet Loss of 1% and More Read More »
Browsers started to warn users about certificates with Sha1 signature. Sha256 is needed now a days. So it’s time to renew certificates from Thawte, Godaddy, etc You can generate a new Certificate Signing Request with openssl with this command: openssl req -nodes -newkey rsa:2048 -keyout servername.key -out servername.csr -sha256 “servername.csr” is an ascii file you can send
Generate CSR using openssl Read More »
Problem: A F5 load balancer LTM sends lots of data to some clients. Sometimes this fills up all the available bandwidth with 1 Gbit or more. At the same time the input traffic does not raise. The traffic charts look like if F5 is attacking some clients (reversed DDoS :-) ) Discussion: After some time of staring
For SSH, HTTPS, TLS SMTP,POPS, IMAPS you need a RSA key pair. Most Linux package installers produce this pairs automatically, but if you like, you can generate them yourself. The quickest method I found is: openssl req -x509 -nodes -newkey rsa:2048 -keyout servername.key -out servername.crt -days 1024 This command asks you some questions. The most
Howto generate an SSL key and self signed cert with openssl Read More »
Problem: I wanted to provide a CWMP (TR-069) ACS URL to an AVM modem using DHCP on the WAN Interface, but the DHCP server ignores this vendor-option. Discussion: Following the TR-069 specs, the CWMP-ACS Server can be included in an dhcp response using vendor-option (SubOption 1). Usually vendor options should work with isc-dhcp-servers like that:
AVM Fritz!box DHCP Problem Read More »