Archive for the ‘Networking’ Category

IT Disaster Prevention on a Budget

by Jason Stewart
When Information Technology (IT) is working, it is a force-multiplier that lets you do more with less. When IT is not working, loss and liability typically ensue: Internet and power outages become lost sales. Data breaches can lead to loss of customers, legal liability, and a damaged reputation. Lost or corrupted data—like customer lists or […]

Blocking TCP/IP Traffic by Country With Pf

by Jason Stewart
How many countries really need to see your website?

Installing djbdns on Debian 8 “Jessie”

by Jason Stewart
DNS done right!

Browser + (TOR/Proxy/etc): Not Very Private

by Jason Stewart
In the dark old days of not long ago, most web-based interactive content was delivered via ActiveX or NPAPI browser plug-ins (ex: Java, Flash, etc.).  The danger of browser plug-ins is that once installed, they can do just about anything with your computer (read files, install viruses, alter system files, etc.). With the rise of […]

Comcast IPv6 on M0n0wall

by Jason Stewart
System > General Setup > Enable IPv6 Support
Interfaces > WAN > IPv6 Configuration > IPv6 Mode: DHCP
Interfaces > LAN > IPv6 Mode: DHCP-PD (DHCP Prefix Delegation)
Interfaces > LAN > IPv6 Prefix Delegation: 1 / 64
Interfaces > LAN > IPv6 RA: Send IPv6 router advertisements, Flags = “Managed”
Firewall > IPv6 Rules […]

ISP Quietly Kills E-Mail Security

by Jason Stewart
To encrypt the transmission of e-mail from our e-mail clients (Outlook, Thunderbird, Windows Mail, iMail, iPhone Mail, Android Mail, etc.) to our e-mail servers, many of us (whether we know it or not) are using STARTTLS. STARTTLS is a way for clear text communication protocols to “upgrade” to a secured connection.  If client and server […]

SSL/TLS Security Theater

by Jason Stewart
Thanks to the recent NSA/Snowden allegations, all of the major websites have been sending every cat picture, post, and tweet over “secure” HTTP (HTTP/S).  This particular usage of HTTP/S is dangerous theater. HTTP/S only secures a connection between two endpoints.  An endpoint would be a device (like your phone or desktop) or a server (like […]

Remote Support with VNC Listening Mode

by Jason Stewart
It is a lot easier to help people with their computers when you can see their screen.  VNC is a great way to share screens, but its traditional configuration can be challenging for someone in need of support. A more user-friendly way to provide support is via VNC Listening Mode.  Instead of setting up a […]

ICMP Firewalling Done Right

by Jason Stewart
Most enterprise firewalls block all traffic not explicitly allowed by a rule. Because of this, people often fail to make proper allowances for ICMP in their firewall rules. The IETF has a great set of guidelines on ICMP filtering here: http://tools.ietf.org/html/draft-ietf-opsec-icmp-filtering-04 Some network guys will say, “I don’t want this server to be pinged or […]

Faster Samba (SMB / CIFS) Share Performance

by Jason Stewart
Is your Samba slow? Samba file sharing is great, but performance under Samba’s default configuration is fairly poor. Here are a few options that I add to my smb.conf to get the speed that I need:
[global]
# FORCE THE DISK SYSTEM TO ALLOCATE REAL STORAGE BLOCKS WHEN
# A FILE IS CREATED OR EXTENDED […]

Just Say NO to Energy Saver Power Strips

by Jason Stewart
I had a terrible experience last week. I had set up brand-new network equipment at a customer’s place. It was a stock configuration that I had deployed several times before. Yet for some strange reason, their network began to fail and recover mysteriously at highly irregular intervals. It took an after-hours troubleshooting session to identify […]

DNS Hostname Resolution Fails, DIG and NSLOOKUP Succeed

by Jason Stewart
If you have ever encountered the situation where name-based resolution fails, yet a check against dig or nslookup succeeds for the same hostname, you may be experiencing a conflict with Multicast DNS (mDNS) name resolution. On February 20, 2013, IETF published and approved RFC 6762 which reserves .local as a fake TLD for hostnames that […]

Experimenting with HomePlug Ethernet over Power

by Jason Stewart
[Image: ZyXel PLA-407 Powerline Pass-Thru Ethernet Adapter]
I have been experimenting with a ZyXel PLA-407 Powerline Pass-Thru Ethernet Adapter. Per the instruction manual, it “supports a data transfer rate of up to 200 Mbps.” Like most people, I get a fraction of this at best. Approximately 80 feet of 12 AWG 3-strand copper wiring connects the […]

SSL/TLS for Postfix, Apache, and Dovecot

by Jason Stewart
Step 1: Create the Certificate Signing Request (CSR)
openssl req -nodes -newkey rsa:2048 -keyout mysite.com.key -out mysite.com.csr
It will ask the following questions. Answer all of them except for the last two (challenge password and optional company name). If you do set a challenge password, each program which uses the certificate will also need to […]

RADIUS on Cisco IOS 12.x

by Jason Stewart
Enter config mode, create a local administrative user (in the event of RADIUS failure), and enable AAA new model:
config t
username admin privilege 15 password 0 <ADMIN PASSWORD>
aaa new-model
Specify the RADIUS server information:
radius-server host <RADIUS SERVER IP> auth-port <RADIUS AUTH UDP PORT #> acct-port <RADIUS ACCT UDP PORT #>
radius-server retransmit […]

Managed Switch Best Practices

by Jason Stewart
DO:
Give VLANs descriptive names.
Comment configuration lines as much as reasonably possible.
Disable TELNET! Use SSH instead. (Requires crypto image on Cisco)
Have a dedicated management VLAN and IP subnet.
Limit access to the SSH console with layer 3 ACLs if possible.
For correct timestamps, configure the clock to synchronize with a Network Time […]