PC Engines APU2 with OPNsense firewall on top as homelab gateway

There has always been some testing going on at home, but with the introduction of an extra firewall, there will be a separate network for tinkering and trials at home.

First I decided to buy an APU2 board from PC Engines. Although the first-generation APU I had got fried quickly, according to the website the new version has addressed the thermal issues the first generation had.

When it arrived earlier this week, I still had to decide whether to run Linux or a BSD variant on top. After some quick research I stumbled upon two FreeBSD based products that both seemed a good fit: pfSense and OPNsense. I soon discovered that OPNsense is actually maintained by some guys from my village. So OPNsense it was.

Right now I’ve only done the basic setup stuff, but the web interface et al. look very promising. Clean, modern, snappy, complete. No CLI necessary for more advanced stuff.

It also has ‘cloud’ / virtualisation options, so I’m sure I will try that sooner or later.


BTW: For my serial line needs on MacOS I stumbled upon ‘Serial’. Just evaluating, but it is rather nice. I just might pay the thirty euro for it.


Passed the CISSP exam today

At the end of last year I was already toying with the idea of getting a security-related certification. People who have worked with me know that I always keep an eye on the security aspects of my work. It seemed fun and worthwhile to confirm this with a certification.

It was not immediately clear to me which one to choose. CISSP was an option, but I also considered CEH (Certified Ethical Hacker). What decided it was the access to peers that comes with the certification. (ISC)2 has a Dutch chapter where I know people. Good company, and no doubt educational.

So once that decision was made, I ordered materials somewhere in May/June. I prepared with the ‘Official Study Guide’, combined with a number of apps on my iPad/iPhone.

I found the part about legislation tough going and, on top of that, too focused on the United States. The book is clearly very American anyway. Europe just about gets a mention, but I think I have to conclude that all the other continents have their own certifications. At any rate, they do not appear in this book.

Beyond that, the CISSP Official Study Guide was a good way for me to check whether I covered the breadth of the field reasonably well. Of course there were topics I had done little with, but at the same time there was little that was really new. For me a clear confirmation that making my security knowledge more visible with a certification was the right move.

This morning, then, I sat sweating through the exam. Mostly it is a lot of material, and you have to pay close attention to the details and nuances. You get four hours to answer 250 questions. Fortunately I got through it a good deal faster.

Now I am waiting for the administrative processing, after which I can start collecting my endorsements.



Protecting Keepass databases with yubikey on MacOS

Looking for alternate or additional protection for my Keepass databases, I stumbled upon a fork of KeepassX that actually has some nice new features. One of those is the ability to use a yubikey as the key or as an additional key to the password database.

The fork KeepassXC released a version with yubikey support last June. Apparently the Windows version Keepass2 has had this support for some time.

Trying a sample database with the default OTP configuration of my yubikey worked just fine, but it did raise the question what would happen if my yubikey got lost or otherwise became unusable. An unacceptable risk of locking yourself out of your password database. Thankfully this was already addressed, but it requires some extra work.

The yubikey has two configuration slots, where the second slot is unused by default. By getting a second yubikey and using the Yubikey Personalisation Tool, you can set up two yubikeys with the same secret for HMAC-SHA1 Challenge Response Mode in the second configuration slot. The yubico website has a pretty clear configuration guide in PDF on ‘How to Configure Identical Credentials in Challenge – Response’.

After that, it is just a matter of creating a new password database that requires the yubikey challenge (possibly combined with a password you still type). That, or reconfigure existing databases to start using the yubikey by adding it in the change main key option.

As the feature is still somewhat new, I’m considering keeping a password protected version of my database offline, while protecting the one I use on a daily basis with the additional yubikey protection.
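The property the whole setup depends on is that two tokens programmed with the same HMAC-SHA1 secret return the same response to the same challenge, so either one unlocks the database and losing one is recoverable. The following is an added example (not KeePassXC's or Yubico's code) that models a YubiKey slot as an HMAC-SHA1 secret and shows which combinations of password and token unlock a modelled database; the way the password and token response are combined into one key is an assumption chosen for illustration, not KeePassXC's on-disk construction.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Added example, not KeePassXC's or Yubico's code. It models what the post
# relies on: two YubiKeys programmed with the same HMAC-SHA1 secret give the
# same response to the same challenge, so either one can unlock the database,
# while a key with a different secret (or no key at all) cannot. The composite
# key construction below is an assumption for illustration; the real file
# format combines password and token response differently.


class HmacSha1Slot:
    """Model of one YubiKey configuration slot in HMAC-SHA1 challenge-response mode."""

    SECRET_LEN = 20  # HMAC-SHA1 challenge-response slots hold a 20-byte secret

    def __init__(self, secret: bytes) -> None:
        if len(secret) != self.SECRET_LEN:
            raise ValueError("HMAC-SHA1 slot secret must be 20 bytes")
        self._secret = secret  # on a real token this never leaves the device

    def respond(self, challenge: bytes) -> bytes:
        # The token only ever hands back HMAC-SHA1(secret, challenge).
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, challenge: bytes, token: Optional[HmacSha1Slot]) -> bytes:
    """Assumed construction: SHA-256 over the hashed password and, if present, the token response."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(password.encode("utf-8")).digest())
    if token is not None:
        h.update(token.respond(challenge))
    return h.digest()


def create_database(password: str, token: Optional[HmacSha1Slot]) -> Dict[str, bytes]:
    """Return what a database would store publicly: a random challenge and a key check value."""
    challenge = secrets.token_bytes(32)
    key = composite_key(password, challenge, token)
    return {"challenge": challenge, "key_check": hashlib.sha256(key).digest()}


def can_unlock(db: Dict[str, bytes], password: str, token: Optional[HmacSha1Slot]) -> bool:
    key = composite_key(password, db["challenge"], token)
    return hmac.compare_digest(db["key_check"], hashlib.sha256(key).digest())


def demo() -> Dict[str, bool]:
    """Run the scenarios from the post; every value should be True."""
    # Constructed secret; real ones are programmed with the YubiKey Personalization Tool.
    shared_secret = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
    primary = HmacSha1Slot(shared_secret)
    backup = HmacSha1Slot(shared_secret)               # second key, identical credential
    stranger = HmacSha1Slot(secrets.token_bytes(20))   # a key you did not program
    password = "correct horse battery staple"

    db = create_database(password, primary)
    # The offline copy the post mentions: password only, no token required.
    offline_copy = create_database(password, None)
    return {
        "primary_unlocks": can_unlock(db, password, primary),
        "backup_unlocks": can_unlock(db, password, backup),
        "other_key_fails": not can_unlock(db, password, stranger),
        "password_only_fails": not can_unlock(db, password, None),
        "wrong_password_fails": not can_unlock(db, "wrong", primary),
        "offline_copy_opens_without_token": can_unlock(offline_copy, password, None),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Running it prints one line per scenario; the "other_key_fails" and "password_only_fails" lines are the ones that show why a second identically programmed key, and not just any second key, is the recovery path.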



Locking and unlocking MacOS using a yubikey

Some time ago I bought a couple of Yubikeys, but actually starting to use them ended up on the todo list.

But now I can easily unlock and lock my Apple laptop with my yubikey. Unlocking is just done using the standard pam module and the configuration described on the yubikey website.

But getting my screen locked when I unplug the device needed an extra daemon. There is an option to lock the laptop when you unplug the yubikey in the advanced security preferences, but it did not do anything for me.

I found a small project at https://github.com/shtirlic/yubikeylockd.git dealing with just that. So now running this small daemon, my screen is locked as soon as I unplug the key.

Improving security by sandboxing work for different purposes on my laptop

During my freelancing time over the last couple of years, I’ve been trying different setups that would satisfy my wish to use a single laptop for different clients whilst maintaining proper security.

After all, I do not want to explain to my client that their servers got infected with crapware because I felt the need to run Spotify on my laptop or visited an infected site that one time.

Naturally, as an infrastructure guy, I run a lot of virtual machines. Vagrant + VirtualBox is a very good fit for puppet development work.

I tried running some of the ‘production’ work in VMs, but it never really panned out. Having a dedicated homebanking VM or a ‘Client X VPN VM’ was just too different a workflow to feel natural and effective.

So now I decided to split workloads into sets of tasks with a similar security need / boundary and create VMs for those.

Virtual machine setup on my bring your own device setup.

To improve the security of the virtual machines, there is only limited VMware file sharing between the VM and the host OS: only one specific folder. Also, I disabled drag and drop + copy and paste support in the VMware options.
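Those isolation choices end up as plain `key = "value"` lines in the VM's .vmx file, which makes them easy to audit across all the client VMs. Below is an added example (not VMware's tooling) that parses a .vmx file and flags clipboard or drag-and-drop isolation that is off, and shared folders that expose a whole home directory instead of one exchange folder. The `isolation.tools.*` keys are the ones named in VMware's hardening guidance; the `sharedFolderN.*` key names and the sample .vmx contents are assumptions constructed for the example, so check them against your own file.

```python
import re
from typing import Dict, List

# Added example, not VMware's code. Audits a Fusion/Workstation .vmx file for the
# isolation settings discussed in the post. Key names: isolation.tools.* are from
# VMware's hardening guidance; sharedFolderN.* are an assumption based on what
# .vmx files commonly contain.

EXPECTED = {
    "isolation.tools.copy.disable": "TRUE",   # clipboard from guest to host
    "isolation.tools.paste.disable": "TRUE",  # clipboard from host to guest
    "isolation.tools.dnd.disable": "TRUE",    # drag and drop in either direction
}

_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse key = "value" lines into a dict; blank lines and # comments are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def is_broad_host_path(path: str) -> bool:
    """True for the host root or an entire user home directory (macOS /Users/x, Linux /home/x)."""
    p = path.rstrip("/") or "/"
    return p == "/" or re.fullmatch(r"/(Users|home)/[^/]+", p) is not None


def audit_vmx(text: str) -> List[str]:
    """Return one finding per weak or missing isolation setting and per over-broad shared folder."""
    cfg = parse_vmx(text)
    findings: List[str] = []
    for key, want in EXPECTED.items():
        got = cfg.get(key)
        # An unset key means the VMware default applies, which is "not disabled".
        if got is None or got.upper() != want:
            findings.append(f'{key} = {got if got is not None else "<unset>"}, expected "{want}"')
    i = 0
    while cfg.get(f"sharedFolder{i}.present", "").upper() == "TRUE":
        host_path = cfg.get(f"sharedFolder{i}.hostPath", "")
        if is_broad_host_path(host_path):
            findings.append(f"sharedFolder{i} exposes a whole home directory or the root: {host_path}")
        i += 1
    return findings


# Constructed sample files for the example; not taken from a real VM.
WEAK_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "Client X (constructed example)"
isolation.tools.copy.disable = "FALSE"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "/Users/alice"
sharedFolder0.guestName = "alice-home"
"""

HARDENED_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "Client X (constructed example)"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "TRUE"
isolation.tools.dnd.disable = "TRUE"
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "/Users/alice/Exchange/client-x"
sharedFolder0.guestName = "exchange"
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_VMX), ("hardened", HARDENED_VMX)):
        print(f"{name}: {audit_vmx(text) or ['no findings']}")
```

Run it over a directory of `*.vmx` files (read each file and pass the text to `audit_vmx`) to see at a glance which client VMs still have the clipboard bridge open or a home directory mounted.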

I try to minimize risk in the host operating system by performing the least amount of tasks directly in this layer. I suspect I can further reduce the tasks that I run in the host OS with a future generation of hardware.

Currently I still do puppet development / testing in the host OS. Running the virtualbox VMs nested in a VMware VM leaves me too much of a performance penalty.

The biggest limitation I’ve run into is video support in the OS X virtual machine. Video does work OK enough but it lacks proper retina support, so screen elements are really tiny or kind of blurry as before retina. Not a show stopper though.

Will report in a couple of weeks or so how well it went.

Check your smtp security with TLS receiver test

CheckTLS test result for hosting.maljaars-it.nl

I’ve used a web service to check the TLS settings on a secured website numerous times (ssllabs.com), but I’ve only recently discovered a TLS/SSL testing service that checks if third parties can securely deliver mail to your mailserver.

Using http://www.checktls.com/ I was able to test my mailserver setup and uncovered a minor issue with my TLS certificate chain. After a small fix I was able to verify that third parties should be able to securely deliver mail to my setup. Nice 😉
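What a receiver test does from the outside can also be scripted: connect to the MX host on port 25, confirm that STARTTLS is advertised, and verify the certificate chain the server presents against the local trust store, which is exactly where a missing intermediate certificate shows up. The following is an added example (not CheckTLS's code) using Python's standard `smtplib` and `ssl`; the host name and port are assumptions, and the OpenSSL verification codes it interprets come from OpenSSL's `x509_vfy.h`.

```python
import smtplib
import ssl
import sys
from typing import Dict

# Added example, not CheckTLS's code. Performs a STARTTLS receiver check:
# EHLO, look for the STARTTLS extension, upgrade the connection with a
# verifying TLS context, and report why verification failed if it did.

# OpenSSL X.509 verification result codes (x509_vfy.h) worth telling apart.
# Codes 20 and 21 almost always mean the receiver sends its leaf certificate
# without the intermediate CA, the kind of chain problem the post describes.
VERIFY_CODE_HINTS = {
    0: "ok",
    10: "certificate has expired",
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "unable to get local issuer certificate (intermediate missing from the chain?)",
    21: "unable to verify the first certificate (intermediate missing from the chain?)",
    62: "hostname mismatch",
}


def classify_verify_code(code: int) -> str:
    return VERIFY_CODE_HINTS.get(code, f"verification failed with OpenSSL code {code}")


def check_smtp_starttls(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, object]:
    """Return whether the receiver offers STARTTLS and whether its chain verifies."""
    result: Dict[str, object] = {
        "host": host, "starttls_offered": False, "chain_verified": False, "detail": "",
    }
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            result["detail"] = "receiver does not advertise STARTTLS; mail would be delivered in the clear"
            return result
        result["starttls_offered"] = True
        # Default context: verify against the system trust store and check the hostname,
        # the same bar a careful sending MTA applies before trusting the receiver.
        smtp.starttls(context=ssl.create_default_context())
        cert = smtp.sock.getpeercert()
        result["chain_verified"] = True
        result["detail"] = f"chain verified; subject={cert.get('subject')}; notAfter={cert.get('notAfter')}"
    except ssl.SSLCertVerificationError as exc:
        result["detail"] = classify_verify_code(exc.verify_code)
    except ssl.SSLError as exc:
        result["detail"] = f"TLS handshake failed: {exc}"
    except (smtplib.SMTPException, OSError) as exc:
        result["detail"] = f"connection failed: {exc}"
    finally:
        if smtp is not None:
            smtp.close()
    return result


if __name__ == "__main__":
    # Assumed MX host name; replace with the MX record of the domain under test.
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.invalid"
    for key, value in check_smtp_starttls(target).items():
        print(f"{key}: {value}")
```

A receiver that passes this check still only guarantees opportunistic TLS; a sending MTA that never verifies will deliver even to a broken chain, which is why the test is about what careful senders see, not about whether mail arrives.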