This article explains how to set up a codespace to allow for signing git tags.
Multi-stage Docker Builds and Extended File Attributes
Multi-stage builds are a great way to keep the size of the resulting image down. They are extremely useful if you want to use scratch-based images for your application. However, unless you are using Buildx or BuildKit, there is a limitation regarding copying extended file attributes across stages. In this post, we discuss several workarounds to this issue.
ConfigServer’s Login Failure Daemon is Vulnerable to Denial of Service Attacks
Login Failure Daemon (lfd) is a process that monitors the authentication log and matches all its lines against the set of regular expressions to detect login attempts that continually fail within a short period of time. It is often used to detect login failures of SSH connections. However, the regular expressions lfd uses to detect brute force attacks contain severe errors, and an attacker can exploit those bugs to cause a denial of service attack.
A Secure Way to Run npm ci
No matter how much you trust in the npmjs package registry in general and in packages you are using in particular, Bad Things™ always happen. They happen to the best of us. Even a small Node.js project may have thousands of dependencies, which makes it virtually impossible for a developer to monitor and audit them all.
An NPM package has two main ways to harm you: the first one is when you install it, and the second one is when you actually use it. The first way is possible because of the so-called “lifecycle scripts” run by npm. And even though one of the earliest attacks exploiting lifecycle scripts dates back to 2017, developers still do not take measures to protect their data.
This post explains how to protect sensitive information (such as authentication tokens) when running CI builds.
How to Restrict Access to User REST API in WordPress
By default, WordPress allows an unauthenticated user to view the list of the registered users with the help of the REST API. But, for example, to view the list of the users in the Dashboard, the user needs to have
list_users capability (that is, be an Administrator). While the REST API does not expose sensitive information (such as emails) to unauthenticated users, it may be desirable to restrict
users endpoint form unauthenticated users.
How to Enable Two Factor Authentication with pam-u2f
We live in a world where data is an incredibly valuable currency, and you are always at risk of loss. Because of this, you must do everything you can to ensure what you hold on your desktops and servers is safe. If you are looking to lock down your Linux servers and desktops as tight as possible, you should consider to make use of two-factor authentication. This article explains how to configure two factor authentication using pam_u2f.
How to Enforce Read-Only Mounting of USB Drives
A Facebook user asked how to forbid write access to an external USB drive, allowing only for read-only access. This article explains how to do that with the help of udev.
How to Make System Logs Append-Only
During an intrusion, an intruder leaves signs of his actions in various system logs. Without reliable logs, it could be very difficult to figure out how the attacker got in, or where the attack came from. This information is crucial in analyzing the incident. It is evident that the logs are a valuable audit trail that should be well protected.
Of course, when an intruder gets in to the system, they will try to remove all traces. So, how can we stop an intruder from removing evidence?
nginx: Mitigating the BREACH Vulnerability with Perl and SSI or Addition or Substitution Modules
BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext) is a security exploit against HTTPS when using HTTP compression. This article shows several ways to deal with BREACH using Length Hiding technique with nginx’s builtin modules.
How to Import Cloudflare IP List into nginx ACL Automatically
When using Cloudflare to hide IP address of the origin server (for example, to protect against DoS attacks), it is important to configure ACLs to allow connections to the origin server only from Cloudflare IPs. However, the list of Cloudflare IP ranges is not static, it changes over time. This post describes how to import this list into nginx automatically.