cat example.com.crt GandiStandardSSLCA2.pem USERTrustRSAAddTrustCA.crt > example.com.sha2crossed.crt
$ sudo apt-get install certbot -t jessie-backports
$ certbot certonly -w /var/www/example.com -d example.com --config-dir ~/letsencrypt/etc --work-dir ~/letsencrypt/lib --logs-dir ~/letsencrypt/log
$ cat /etc/nginx/sites-available/example.com | grep ssl ssl_certificate ~/letsencrypt/etc/live/example.com/fullchain.pem; ssl_certificate_key ~/letsencrypt/etc/live/example.com/privkey.pem;
$ certbot renew --dry-run --config-dir ~/letsencrypt/etc --work-dir ~/letsencrypt/lib --logs-dir ~/letsencrypt/log
% sudo pkg install py27-fail2ban
% sudo vim /usr/local/etc/fail2ban/jail.local
enabled = true
filter = sshd
action = pf
logpath = /var/log/auth.log
% sudo vim /usr/local/etc/fail2ban/action.d/pf.conf
actionban = /sbin/pfctl -t <tablename> -T add /32
actionunban = /sbin/pfctl -t <tablename> -T delete /32
tablename = fail2ban
% sudo vim /etc/pf.conf
table <fail2ban> persist
block in on $ext_if from <fail2ban>
% sudo vim /etc/rc.conf
% sudo service pf reload
% sudo service fail2ban restart
% sudo pfctl -t fail2ban -T show
A self-signed certificate is issued for web services (IIS) and it has a default validity period of 2 years. After that time, users of web services will be prompted with a dialog box asking if they still want to access a service that uses an outdated certificate. Outlook users could also be prompted with this dialog box. This box will appear every time a new connection is made.
To prevent this, we need to reissue another certificate to replace the old one. Self-signed certificates cannot be renewed.
We can easily do this using the “Fix my network” wizard. On SBS 2008, it can be accessed under Network => Connectivity in the SBS console. I think we can use this same wizard to reissue a certificate up to a month before the old one expires.
On Windows client, we need:
Use PuTTYgen to make key pair, save private key to file and copy public key to clipboard. Add key to Pageant.
On Unix remote, edit ~/.ssh/authorized_keys and add public key from Windows clipboard (one-line).
Use PuTTY to login to remote. WinSCP also uses Pageant when possible.
“This paper demonstrates how to encapsulate any TCP-based protocol (SMTP, POP3, NNTP, telnet…) into HTTP”
Punching holes into firewalls
or “Why firewalls shouldn’t be considered a ultimate weapon for network security”
or “Secure TCP-into-HTTP tunnelling guide”