https://www.michelebologna.net/categories/security/ Recent content in Security on Michele Bologna Hugo en Wed, 13 Feb 2019 00:00:00 +0000 https://www.michelebologna.net/2019/la-mia-esperienza-con-spid-e-poste-italiane/ Wed, 13 Feb 2019 00:00:00 +0000 https://www.michelebologna.net/2019/la-mia-esperienza-con-spid-e-poste-italiane/ <p>Questa settimana ho deciso di attivare lo SPID (Sistema Pubblico di Identità Digitale).</p> <h2 id="cosa-è-lo-spid"> Cosa è lo SPID <a class="heading-link" href="#cosa-%c3%a8-lo-spid"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>L&rsquo;identità digitale SPID è rappresentata da un username e una password che vi permettono di autenticarvi sui siti della Pubblica Amministrazione (PA). I suoi usi sono molteplici e sta prendendo sempre più piede per le comunicazioni online tra cittadino e PA.</p> https://www.michelebologna.net/2017/secure-your-ssh-server-against-brute-force-attacks-with-fail2ban/ Mon, 05 Jun 2017 00:00:00 +0000 https://www.michelebologna.net/2017/secure-your-ssh-server-against-brute-force-attacks-with-fail2ban/ <h1 id="the-problem-ssh-can-be-brute-forced"> The problem: SSH can be brute-forced <a class="heading-link" href="#the-problem-ssh-can-be-brute-forced"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <p>I usually leave an SSH server on a dedicated port on every server I administer and, as you may recall, <a href="https://www.michelebologna.net/2015/hardening-services-lets-review-our-config-files/" class="external-link" target="_blank" rel="noopener">I even linked two well-written guides to properly configure and harden SSH services</a>.</p> https://www.michelebologna.net/2016/unusual-way-of-backup-sensitive-data/ Tue, 11 Oct 2016 00:00:00 +0000 https://www.michelebologna.net/2016/unusual-way-of-backup-sensitive-data/ <p>Over the weekend I was in a <em>backup mood</em>, so I decided to start backup everything on my local computers. First of all, I started with sensitive data (which I call <em>vault</em>), namely:</p> https://www.michelebologna.net/2016/openvpn-with-multiple-configurations-on-the-same-host-with-systemd/ Sat, 09 Jul 2016 00:00:00 +0000 https://www.michelebologna.net/2016/openvpn-with-multiple-configurations-on-the-same-host-with-systemd/ <p>As much more people are getting worried about their <strong>online privacy</strong> (including me), <a href="https://www.michelebologna.net/2015/12/workaround-for-openvpn-pam-authentication-broken-on-ubuntu-15-10/" class="external-link" target="_blank" rel="noopener">I started to use a server as a VPN termination (with OpenVPN)</a> when I need to access the Internet via non-secure wired or wireless networks (e.g., hotel wireless network, airport Wi-Fi, etc.).</p> https://www.michelebologna.net/2015/fun-with-python-powered-telnetd-honeypot/ Fri, 04 Sep 2015 00:00:00 +0000 https://www.michelebologna.net/2015/fun-with-python-powered-telnetd-honeypot/ <h2 id="reason-hardening-serendipity-and-curiosity"> Reason: hardening, serendipity and curiosity <a class="heading-link" href="#reason-hardening-serendipity-and-curiosity"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>As you already know, in the past weeks I hardened all of my boxes: while doing it, I flushed all iptables/ipfw rules, changed the default policy to DROP and take it from there to enable every rule as soon as I need it. Whilst Ubuntu uses <a href="https://help.ubuntu.com/community/UFW" class="external-link" target="_blank" rel="noopener">ufw</a> as a fronted for iptables, Fedora uses <a href="https://fedoraproject.org/wiki/FirewallD" class="external-link" target="_blank" rel="noopener">firewalld</a>.</p> https://www.michelebologna.net/2015/hardening-services-lets-review-our-config-files/ Sun, 28 Jun 2015 00:00:00 +0000 https://www.michelebologna.net/2015/hardening-services-lets-review-our-config-files/ <p>It&rsquo;s <strong>hardening</strong> Sunday here: I reviewed the config files of my main daemons (<em>nginx, openvpn, tinc, sshd</em>) with the help of two resources that I want to share with you, fellow readers.</p> https://www.michelebologna.net/2013/ruby-e-osx-problemi-coi-certificati-ssl-durante-linstallazione-delle-gem/ Mon, 04 Nov 2013 00:00:00 +0000 https://www.michelebologna.net/2013/ruby-e-osx-problemi-coi-certificati-ssl-durante-linstallazione-delle-gem/ <p>Nella nuova versione dell&rsquo;installer di <a href="https://rubygems.org/" class="external-link" target="_blank" rel="noopener">RubyGems</a> è presente un check di sicurezza sul certificato SSL del sito da cui si scaricano le gem che si stanno per installare. Questo può comportare un errore durante l’installazione di una qualsiasi gem:</p> https://www.michelebologna.net/2012/https-e-le-applicazioni-di-terze-parti-attenzione/ Sat, 01 Dec 2012 00:00:00 +0000 https://www.michelebologna.net/2012/https-e-le-applicazioni-di-terze-parti-attenzione/ <blockquote> <p>&ldquo;È sufficiente usare HTTPS per essere sicuri: protegge la comunicazione cifrando il traffico e usando certificati validati da CA riconosciute&rdquo;.</p> </blockquote> <p><strong>SBAGLIATO</strong>. Spesso si sente pronunciare questa frase, ma non è del tutto vero: ho recentemente letto con molta attenzione un paper presentato alla conferenza <a href="https://www.sigsac.org/ccs/CCS2012/" class="external-link" target="_blank" rel="noopener">CCS 2012</a>, una conferenza dedicata alla <strong>Computer Security</strong>. Il paper ha un titolo curioso: &ldquo;<a href="https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf" class="external-link" target="_blank" rel="noopener"><em>The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software</em></a>&rdquo;.</p> https://www.michelebologna.net/2012/wordpress-plugin-chap-secure-login/ Wed, 08 Aug 2012 00:00:00 +0000 https://www.michelebologna.net/2012/wordpress-plugin-chap-secure-login/ <p>Ho recentemente installato <a href="https://wordpress.org/extend/plugins/chap-secure-login/" class="external-link" target="_blank" rel="noopener"><strong>Chap Secure Login</strong></a>, un plugin molto utile per Wordpress che risolve un problema da non sottovalutare: l&rsquo;autenticazione su un canale non cifrato quale HTTP (è buona norma usare HTTPS quando si effettua uno scambio di informazioni riservate, quali password, numeri di carta di credito, etc. per evitare che eventuali <em>eavesdropper</em> possano carpire le informazioni scambiate ed utilizzarle a vostro svantaggio).</p> https://www.michelebologna.net/2011/facebook-e-la-navigazione-https-da-abilitare/ Sun, 06 Mar 2011 00:00:00 +0000 https://www.michelebologna.net/2011/facebook-e-la-navigazione-https-da-abilitare/ <p><a href="https://www.michelebologna.net/images/2011/03/facebook_https.png" ></a><a href="https://www.michelebologna.net/images/2011/03/facebook_https.png" ></a>Mi sono accorto che Facebook offre un&rsquo;opzione molto utile e assolutamente da abilitare. Infatti, sotto <em>Account &gt; Impostazioni Account &gt; Protezione dell&rsquo;Account</em> troviamo un&rsquo;opzione per abilitare la navigazione HTTPS quando possibile.</p>