Posts

Locking all the bits with BitLocker

So you want data-at-rest encryption. BitLocker by default uses a nasty numeric password as a recovery option. However, you can lock this down pretty well after removing this giant security risk of a password, and here's how.

Requirements: Enable Enhanced PINs. I'm going to save some effort and defer to the many articles on the internet for this. You can find a decent article here, or you can use some Google-fu to find similar ones. Learn about manage-bde and the other PowerShell cmdlets here.

Enable TPM and PIN and Startup Key (flash drive): `Add-BitLockerKeyProtector c: -TpmAndPinAndStartupKeyProtector`. This will make BitLocker require a TPM AND a USB flash drive AND a password on boot. It's the most secure option but a bit annoying. You will be presented with a couple of prompts: one for the path to the flash drive and one for the password. Enter the path to the flash drive, then enter your strong password.

Enable TPM and Startup Key (flash d...

Setting up DNS over HTTPS using cloudflared

I thought this would be a simple task, and it was, now that I'm looking back on it. However, the Cloudflare documentation isn't clear when deploying to a dedicated server/container. So here's how I did it.

Install: This section is going to walk you through installing the cloudflared client as a service. The documentation is a bit vague and shows you how to spin up the client but leaves out some important info regarding running it as a service.

1. Install the package, as root, for your OS here.
2. Create /etc/cloudflared/config.yml (see below for contents).
3. Run the client to generate the .pem certs: `cloudflared proxy-dns`. The certs won't be put in `/etc/cloudflared` by default. Instead they can be found in root's home directory, `/root/.cloudflared`. Move the `cert.pem` to `/etc/cloudflared`.
4. Now you can install the service: `cloudflared service install`.
5. Ensure that the service is enabled and running via systemctl: `systemctl status cloudflared.service`.

config.yml:...

Python Flask: Web apps in seconds

Flask is a Python microframework that makes creating web apps easy. It reminds me a lot of AngularJS, but I find it easier to set up and use. Their site is a great live demo: http://flask.pocoo.org/. Create a frontend using this, deploy with Docker, App Engine, Beanstalk, etc., and you have a scalable app that can be used anywhere.

Excerpt from their site: Flask is a microframework for Python based on Werkzeug, Jinja 2 and good intentions. And before you ask: It's BSD licensed! Latest Version: 0.12.2

Flask is Fun

```python
from flask import Flask

app = Flask(__name__)

@app.route("/")
def hello():
    return "Hello World!"
```

And Easy to Setup

```
$ pip install Flask
$ FLASK_APP=hello.py flask run
 * Running on http://localhost:5000/
```

pfSense DHCP: Dynamic DNS Updates to a Windows DNS server over a Site-to-Site VPN.

Scenario: A remote site running on a pfSense SG-1000 (or other appliance) isn't updating DNS with hosts obtained via pfSense DHCP.

Site1: AD/DNS/DHCP, pfSense firewall, site-to-site VPN connection to Site2.
Site2: pfSense firewall appliance running DHCP, site-to-site VPN connection to Site1.

Prerequisites:
- DHCP: Credentials for DNS (DHCP > IPv4/6 > Properties)
- Forward and reverse lookup zones
- Allow DNS secure/non-secure updates (DNS > domain > Properties)

Solution: On the pfSense box in Site2, enable DNS Dynamic Updates under Services > DHCP Server > Dynamic DNS > Advanced Options.

Resources: DHCP: Credentials for DNS update should be configured if secure dynamic DNS update is enabled and the domain controller is on the same host as the DHCP server