Debian is a flexible, reliable, and widely supported distribution of GNU/Linux with a long and well-established track record. It’s been my distro of choice for many years now, primarily because it tends to strike a good balance between stability and freshness. RamNode provides fast, reliable hosting at an inexpensive price point, and they offer Debian as an OS installation choice for their VPS offerings.
The out-of-the-box Debian experience on RamNode has improved drastically in recent days, but it can still be quite a chore to get your vanilla VPS to the point where it’s ready for the challenges of the hostile, wild west climate of the Internet. That’s why I wrote a script that will get your RamNode hosted Debian VPS tuned, hardened and fit for production use in the fastest possible time.
Let’s Encrypt is a popular, free certificate authority provided by the Internet Security Research Group (ISRG). It is 100% automated, open source, and the results of each signing or revocation are transparent to the public. Let’s Encrypt (aka “LE”) makes it easy for admins to not only utilize HTTPS everyplace, but its emphasis on automation allows us to do so in a hassle-free manner. Recent versions of the security-oriented Hiawatha webserver ship with a script that makes this process even easier.
Nessus is a popular vulnerability scanner by Tenable Network Security. According to Tenable, it’s the most widely used of its kind worldwide. There are several license flavors available, including a free basic edition for home users. Unfortunately, Nessus requires root permissions to run correctly. This means that ironically, not unlike its namesake, the vulnerability scanner itself may be vulnerable to attack. Enter the security-aware Hiawatha webserver and its reverse proxy capabilities.
In light of the recent spate of certificate authority controversies, the next entry in my series of Hiawatha tutorials will focus on one particular countermeasure: HTTP Public Key Pinning, or HPKP for short. In a nutshell, HPKP helps to avoid the scenario where an antagonist issues an SSL certificate for your domain which is signed by a rogue CA. Normally the client browser will implicitly trust any cert which is signed by a valid certificate authority, even if that CA happens to be, say, the Hong Kong Post Office or the China Certification Authority, for example.
To avoid this, HPKP tells a capable client via an HTTP header that, for your particular domain, it should trust only certs signed by a particular set of keys. After the first time they’ve visited your site, even if an adversary issues a certificate for your domain which isn’t signed by one of the keys in your HPKP list, the browser will behave as if the certificate is untrusted and issue the appropriate warning to the user. While imperfect, this method can at least present a fairly effective hurdle to would-be attackers looking to harass your users.
As of this writing, WordPress is the most ubiquitous CMS and/or blogging platform in the world. WordPress 4.1 alone has been downloaded over 23 million times. It is actively developed, frequently updated, and boasts a vast ecosystem of themes, plugins, books, services, even conferences. And though WordPress’ security track record did improve substantially in 2010 over previous years, its popularity and accessibility have nevertheless left it among the most often targeted web software out there today. If you’re going to self-host WordPress, what better webserver to accommodate this than the secure, lean and high-performance Hiawatha?
The concept of caching in HTTP should be familiar to just about everybody who’s ever worked with web technology. So, it goes without saying it’s a great deal more efficient to load an asset from a client-side cache than requesting and re-downloading the same asset for every subsequent page view. While proper caching strategies are sometimes overlooked, they’re an important element of a well-optimized website and worth implementing correctly.
Hiawatha webserver has an interesting approach to HTTP compression. In a typical scenario involving HTTP compression, the webserver serves up compressible static assets as GZip files, the contents of which are in turn extracted and displayed by supported browsers. This can often save a substantial amount of bandwidth and reduce page load times. Most webservers accomplish this by essentially piping all content through a GZip module or external binary, thus compressing all content which passes through it before serving it out. Where things get intriguing is that Hiawatha doesn’t do anything like this.
As it has been for many years, Apache is the incumbent web server used to host a majority of websites in the world. According to the most recent Netcraft survey, it still runs around 52% of all active sites on the Internet. It’s also been showing its age for some time, often having major difficulties in scaling. Ironically, this is especially true in its most common incarnation, the prefork processing module. For example, without special (and rarely-used) tuning and configuration, prefork is extremely vulnerable to resource exhaustion attacks including the well-known Slowloris method. By simply hanging on to HTTP sessions for as long as possible, a single malicious user with an ancient computer and an average Internet connection could tie up any one of the majority of websites in the world. Indefinitely.
A few months back I wrote a bit about my unusual home network topology and, in particular, how I’d been planning to modernize it. Though it had worked pretty well for years already, the aim then was to improve it further by moving the firewall to newer, more power-efficient hardware and from pfSense to Vyatta, my favorite network operating system. Well, that’s essentially what happened, but with a slight detour.
When Brocade acquired Vyatta, it didn’t seem that they fully comprehended just what they had their hands on. Vyatta was an efficient, powerful, flexible network operating system based on Linux, which could run just as easily on commodity hardware or (para)virtualized infrastructure. The possibilities were endless. Unfortunately, the result was predictable.