[WayBack] Steve Losh on Twitter:
“HTTP status ranges in a nutshell:
- 1xx: hold on
- 2xx: here you go
- 3xx: go away
- 4xx: you fucked up
- 5xx: I fucked up”
–jeroen
via: [WayBack] HTTP status ranges in a nutshell… – This is why I Code – Google+
Archive for the ‘Communications Development’ Category
Steve Losh on Twitter: “HTTP status ranges in a nutshell: 1xx: hold on 2xx: here you go 3xx: go away 4xx: you fucked up 5xx: I fucked up”
Posted by jpluimers on 2018/08/17
Posted in Communications Development, Development, HTTP, Internet protocol suite, Power User, TCP | Leave a Comment »
TIME_WAIT and MaxUserPort – what it is, what it does, when it’s important – Blog du Tristank
Posted by jpluimers on 2018/08/01
Despite many posts saying you can use it on other than outbound connections, lets quote that it doesn’t:
MaxUserPort controls “outbound” TCP connections
[WayBack] MaxUserPort is used to limit the number of dynamic ports available to TCP/IP applications.
…
It’s never going to be an issue affecting inbound connections.
MaxUserPort is not the right answer if you think you have an inbound connection problem.
Source: [WayBack] MaxUserPort – what it is, what it does, when it’s important – Blog du Tristank
The side of the TCP connection that closes is gets the TIME_WAIT state, which means you should avoid your server to terminate connections because it then will run out of available ports. Clients should disconnect when done (or when done for the foreseeable future) otherwise the server gets the 2MSL TIME_WAIT penalty as for instance explained by [WayBack] TIME_WAIT and its design implications for protocols and scalable client server systems – AsynchronousEvents.
The solution for inbound connections is that your TCP based protocol should enforce either the client to close the connection, or to use some form of client pooling so there is no need for many connection setup/teardowns of short lived connections.
TIME_WAIT can last for about ~10 minutes if you are unlucky.
More recommended reading:
- [WayBack] TIME_WAIT and its design implications for protocols and scalable client server systems – AsynchronousEvents
- [WayBack] TcpTimedWaitDelay
- [WayBack] draft-faber-time-wait-avoidance-00 – Avoiding the TCP TIME_WAIT state at Busy Servers
- [WayBack] Indy: IdTCPClient leaves connection in status TIME_WAIT
- [WayBack] Large number of TCP connections with Time_Wait status – Remoting SDK – RemObjects Talk
- [WayBack] sockets – TCP option SO_LINGER (zero) – when it’s required – Stack Overflow
- [WayBack] delphi – Force Http 1.0 idHttpServer and TIME_WAIT – Stack Overflow
- [WayBack] Transmission Control Protocol – Wikipedia
- Diagrams:
- [WayBack] TCP states – explained – Apigee Community
–jeroen
Share this:
Posted in Communications Development, Development, Internet protocol suite, Software Development, TCP | Leave a Comment »
Restrict SSH User Access to Certain Directory Using Chrooted Jail
Posted by jpluimers on 2018/06/11
In this article, we will explain you how to restrict a SSH user access to a specific directory using chrooted jail in Linux systems.
Source: [WayBack] Restrict SSH User Access to Certain Directory Using Chrooted Jail
via: [WayBack] Restrict #SSH User Access to Certain Directory Using Chrooted Jail #Linux – Linux Inside – Google+
–jeroen
Share this:
Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, SSH, TCP | Leave a Comment »
GDPR for database professionals and DBAs. Poster.
Posted by jpluimers on 2018/05/17
A poster showing how to prepare your Oracle database for GDPR. Wait for the email download link by visiting GDPR for database professionals and DBAs. Poster (they mention to be GDPR compliant in [WayBack] their policy), or look at the WayBack machine to download it now.
One takeaway for me: you also need to scrub backups when removing someone your records.
Via: [WayBack] sqldev.tech/gdpr_poster – Michael Thuma – Google+
–jeroen
Share this:
Posted in Communications Development, Database Development, Design Patterns, Development, Software Development | Leave a Comment »
Interesting ways to obtain MTU and MSS sizes – via Troubleshooting Bitbucket Cloud MTU/MSS issues – Atlassian Documentation
Posted by jpluimers on 2018/03/29
I will probably need the netstat/tcpdump/wireshark tricks here in the future: [WayBack] Troubleshooting Bitbucket Cloud MTU/MSS issues – Atlassian Documentation
via: [WayBack] Atlassian Bitbucket Status – Network maintenance; MTU/MSS changes coming
–jeroen
Share this:
Posted in Communications Development, Development, Internet protocol suite, Network-and-equipment, Power User, TCP | Leave a Comment »
Packet Sender is a good tool when debugging protocols: free utility to send & receive network packets. TCP, UDP, SSL
Posted by jpluimers on 2018/03/07
It was fitting to bump into [WayBack] Packet Sender is a good tool when debugging protocols…” Written by Dan Nagle… – Lars Fosdal – Google+ on the day presenting [WayBack] Conferences/Network-Protocol-Security.rst at master · jpluimers/Conferences · GitHub
It also means that libssh2-delphi is getting a bit more love soon and will move to github as well after a conversion from mercurial.
Some of the things I learned or got confirmed teaching the session (I love learning by teaching):
- Automate the heck out of your job and new work finds you
- There is great integration for [WayBack] Bot Users | Slack which can hugely help you in status monitoring
- If you manage many domains, which might be troublesome to the default “
certbotclient”, so you might want to look into different [WayBack] ACME Client Implementations – Let’s Encrypt – Free SSL/TLS Certificates especially if you run nginx on Alpine Linux (but note you then need [WayBack] license_update.patch\acme-client\community – aports – Main aports tree to avoid [Archive.is] [400] does not match current agreement URL – Help – Let’s Encrypt Community Support)
Here is some more info:
- Blurb: “[a] free utility to send & receive network packets. TCP, UDP, SSL.”
- [WayBack] Packet Sender – Free utility to for sending / receiving of network packets. TCP, UDP, SSL.
- [WayBack] The latest Tweets from Dan Nagle (@NagleCode). Principal SW Engineer @HARMAN_Pro. Speaker. Author packetsender.com, paydowncalc.com, cryptoknife.com, github.com/dannagle . Huntsville, AL,
- [WayBack] Packet Sender – Send / Receive TCP / UDP – Android Apps on Google Play
- [WayBack] dannagle (Dan Nagle) · GitHub dannagle has 23 repositories available. Follow their code on GitHub.
–jeroen
Share this:
Posted in Communications Development, Delphi, Development, Encryption, Hardware, Harman Kardon, Home Audio/Video, HTTP, https, HTTPS/TLS security, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), OpenSSL, Power User, Security, Software Development, TCP, TLS | Leave a Comment »
openSUSE – Review of the week 2018/03 – Dominique a.k.a. DimStar (Dim*) – be sure to review your openssh config!
Posted by jpluimers on 2018/01/20
Before upgrading Tumbleweed this week, you need to review your openssh config.
This is not mentioned in Review of the week 2018/03 – Dominique a.k.a. DimStar (Dim*), but very important.
So be sure to read these before upgrading:
- [WayBack] OpenSSH 7.5 has just been released… Future deprecation notice … Potentially-incompatible changes
- [WayBack] OpenSSH 7.6 has just been released… Potentially-incompatible changes
If you forget to review /etc/ssh/sshd_config, you get this in journalctl if you have specified your own MACs for instance when hardening according to [WayBack including rimemd160] Secure Secure Shell:
Share this:
Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, SSH, TCP | Leave a Comment »
Using hardware security tokens cross-platform is only slightly more complicat…
Posted by jpluimers on 2018/01/17
Thanks for the excellent comment explaining how to use hardware tokens as a comment to [WayBack] Using hardware security tokens cross-platform is only slightly more complicated than piloting a Space Shuttle. ##sarcasm – Jan Wildeboer – Google+
Jan Wildeboer:
+Jeroen Wiert Pluimers OK. Let’s look a bit at how this works. There are several competing standards/ways to use a security token. Typically you’ll decide between the two most used ones. As a CCID device AKA SmartCard with OpenSC or using gpg-agent. And that’s an either/or question. Some of the security tokens can only work with gpg-agent, some can do both (but not at the same time) and some are only useful as CCID style (e.g. the Nitrokey HSM).
OK. So now we look at platforms. CCID using OpenSC mostly works everywhere, but you might need to install some additional software depending on your OS. Older versions of MacOS X were notoriously bad, since (High) Sierra it has become better.
On Linux it again really depends. The gnome-keyring-agent that is active in a Gnome session really messes everything up, so better deactivate that. Which is not really trivial. But you have to have a socket for ssh-agent to pick up the key, so some stuff goes to your .bash.rc and you have to make some changes to Gnome config.
If you want to use a Yubikey for 2FA, note that it cannot do TOTP (Time based One Time Password) which Amazon wants for AWS auth. So you need another helper app on your computer.
Here’s some articles that explain it in detail:
- Using a Yubikey in CCID for ssh: [WayBack] Yubikey 4 for SSH with physical presence proof
- Using a Yubikey for gpg and ssh in gpg-agent mode: [WayBack] Yubikeys for SSH Auth | EngineerBetter | More than Cloud Foundry specialists
- Using a Yubikey for 2FA: [WayBack] Yubikeys for Two-Factor Auth | EngineerBetter | More than Cloud Foundry specialists
- Yubikey, SSH, gpg and Fedora [WayBack] GPG, Smartcard and ssh – Harald Hoyer
The middle two links are actually part of the series [WayBack] Yubikey All The Things | EngineerBetter | More than Cloud Foundry specialists which has a third post [WayBack] Yubikeys for Static Secrets | EngineerBetter | More than Cloud Foundry specialists
–jeroen
Share this:
Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »
badssl.com
Posted by jpluimers on 2018/01/11
I wish I had bumped into this when it got released in 2015: [WayBack] badssl.com hosted in the cloud and maintained by two people from Google and Mozilla.
Where ssllabs.com is for checking server-side certificates, this one is for checking clients against many, many (did I already write MANY?) server side configurations both good (with a varying set of security settings like cyphers and key exchanges) and bad.
One of the bad ones is expired.badssl.com which your clients should not be able to connect to without throwing a big error.
Sources are at [WayBack] GitHub – chromium/badssl.com: Memorable site for testing clients against bad SSL configs.
Before using, please read their
Disclaimer
badssl.comis meant for manual testing of security UI in web clients.Most subdomains are likely to have stable functionality, but anything could change without notice. If you would like a documented guarantee for a particular use case, please file an issue. (Alternatively, you could make a fork and host your own copy.)
badssl.com is not an official Google product. It is offered “AS-IS” and without any warranties.
–jeroen
Share this:
Posted in Communications Development, Development, HTTP, https, Internet protocol suite, Security, Software Development, TCP, TLS, Web Development | Leave a Comment »
Helft homepaginas van Nederlandse overheidswebsites gebruikt geen https – IT Pro – Nieuws – Tweakers
Posted by jpluimers on 2017/12/15
Still some work to do for some of my sites:
–jeroen
[WayBack] Helft homepaginas van Nederlandse overheidswebsites gebruikt geen https – IT Pro – Nieuws – Tweakers
Share this:
Posted in Communications Development, Development, Encryption, https, Internet protocol suite, Power User, Security, TLS | Leave a Comment »
The Wiert Corner - irregular stream of stuff 