Prefetch Technologies // Keeping your cache lines cozy

Archive

Posts from 2005

Testing for expired certificates

development | Oct 9, 2005 | 2 min read

I made some major enhancements to ssl-cert-check, and released a new version to the daemons.net web server. The new version no longer requires GNU date, which should make it a bit more portable. If you have never used ssl-cert-check before, you can start by reviewing the available options with the "-h" (help) option: If you wish to view the expiration date for a PEM encoded X.509 certificate, ssl-cert-check can be invoked with the "-c" (certificate file to process) option and a certificate file to process: To check when an SSL-enabled server's certificate will expire, ssl-cert-check can be executed with the "-s" (server name) and "-p" (TCP port to use) options: If you manage dozens of SSL-enabled servers, you can place the server names and port numbers in a file, and run ssl-cert-check against that file: ssl-cert-check can also be used to provide automated alerts when certificates are about to expire. The following example uses ssl-cert-check's "-q" (quiet -- don't write anything to the terminal), "-a" (automated alerts) and "-e" (e-mail address to send alert to) options to send an e-mail to admin@daemons.net if a certificate will expire in the next 60 days: The automated alert option can also be used with the batch processing mode, and will trigger one automated notification per problematic certificate…


Visualizing IP Filter and PF state tables

security | Oct 8, 2005 | 2 min

IP Filter is a stateful packet inspecting firewall that ships with FreeBSD and Solaris 10. Stateful packet inspecting firewalls use a state table to maintain established connections, which allows packets to traverse the firewall if they are part of an existing established connection. IP Filter comes with the ipfstat(1m) utility, which can be used to print connection statistics, rule definitions, and active connections. When ipfstat(1m) is invoked with the "-t" (Show the state table in a way similar to the way the Unix utility, top, shows the process table) option, a text-based graphical representation of the firewall is continuously displayed: To adjust the refresh interval, an integer value can be passed to ipfstat's "-T" (Specifies how often the state top display should be updated) option: If you are using the PF firewall, you can use pftop(8) to get a text-based graphical representation of the PF state table: To adjust pftop(8)'s refresh interval, an integer value can be passed to pftop(8)'s "-s" (Set the delay between display updates to time seconds) option: I find myself frequently using these utilities, and find them super useful!


Blocking sites with DNS

networking | Oct 8, 2005 | 1 min

I came across the following article on blocking sites with DNS while perusing the OpenBSD technical mailing list. I use Mike's Ad block Host file to silently blackhole ad sites, but never bothered to fix this permanently in DNS. When I convert from BIND to DJBDNS, I will make sure to test this out.


Alternative / Hard rock play list

music | Oct 8, 2005 | 1 min

While creating a few setlists today, I came up with the following alternative and hard rock set list:

- Stereolith -- Save me
- Jerry Cantrell -- Hellbound
- Motley Crue -- If I die tomorrow
- Alice in Chains -- Man in the box
- Nirvana -- Rape me
- Metallica -- Nothing else matters
- 7th Fall -- Hollow
- Staind / Fred Durst -- Outside from family values tour
- Godsmack -- Voodoo
- Dropkick Murphy's -- Sunshine Highway
- Social Distortion -- Reach for the sky
- Jerry Cantrell -- My Song
- L.A. Guns -- No Mercy
- 10 Years -- Paralyzing Kings
- Smashing Pumpkins -- Disarm

I really dig the tunes, and the set list flows well (I like alternative and hard rock -- so this is a given)!


Managing PF logfiles with Hatchet!

security | Oct 8, 2005 | 1 min

I came across Hatchet while reading through my daily news. Hatchet is a program to summarize PF logfiles, and it looks like an extremely useful piece of software!!
