HSTS Implementation

What is HSTS
HSTS is the great little response header that tells a browser to always use SSL/TLS to communicate with your site. Even if the user, or a link they are clicking, specifies HTTP, HSTS removes the ability for a compatible browser to use HTTP and enforces the use of HTTPS. This still leaves a user vulnerable on their very first connection to a site though. HSTS preloading fixes that.
If a site uses SSL/TLS, and redirects traffic from HTTP to HTTPS using a 301/302, then their implementation can’t be complete without issuing the HSTS response header. This protects the user in every circumstance apart from their very first visit to the site.
In this post, we will give an overview of all supported features and directives in HTTP Strict Transport Security. This post can be used as a quick reference guide to identify valid and invalid directives and values. I also provide working example policies and guidance on how to use HSTS effectively.

Directives – a list of all HSTS directives.

  • max-age
  • includeSubDomains
  • preload
HSTS Directives 

max-age=[seconds];

This is the time, in seconds, that the browser should cache and apply the given HSTS policy for.

includeSubDomains;

This flag indicates that the browser should also apply this policy to all subdomains below the current domain.

preload;

This flag indicates that the site wishes to be included in the HSTS Preload list.

Here are a few example policies ranging in purpose and strength:

To start out, sites should issue a very relaxed HSTS policy for testing purposes. It is also possible to issue a policy on certain endpoints only advertised to staff or beta testers for example. That way only they will pick up the policy.

Strict-Transport-Security: max-age=600

This policy will only apply for 10 minutes so if it does have undesired side effects they will not last long until the policy expires.

Once you are sure that you can meet the requirements of HSTS you can introduce the includeSubDomains directive should you wish.

Strict-Transport-Security: max-age=600; includeSubDomains

Again, the low max-age means you can stop issuing the policy and it will expire quickly for those that have received it. After this, the next step is to start increasing the max-age value.

You should aim for a max-age value of 1 year after making many, small incremental increases to test your ability to support HSTS.

Strict-Transport-Security: max-age=31536000; includeSubDomains

The final step for an HSTS policy is to include the preload directive for inclusion in the HSTS Preload list.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Warning: You should ensure that you fully understand the implications of HSTS preloading before you include the directive in your policy and before you submit. It means that your entire domain and all subdomains, including those managed or maintained by third parties, will only work with HTTPS. Preloading should be viewed as a one-way ticket. Whilst it is possible to be removed, it can take a long time and you may not be removed from all browsers.
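To make the directive rules and the staged policies above checkable, here is an added example (my own code, not from the original post): a small parser that splits a Strict-Transport-Security value into its directives, records anything invalid, and maps the result onto the rollout stages walked through above. The stage names, the ONE_YEAR constant and the function names are my own.

```python
"""Added example (not from the original post): parse a Strict-Transport-Security
value into its directives and map it onto the post's rollout stages."""
import re
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # seconds; the max-age the post recommends aiming for

@dataclass
class HstsPolicy:
    max_age: int = 0
    include_subdomains: bool = False
    preload: bool = False
    problems: list = field(default_factory=list)

def parse_hsts(header):
    """Parse a header value; anything invalid ends up in policy.problems.
    RFC 6797 rules: max-age required, names case-insensitive, no repeats,
    unknown directives ignored, includeSubDomains/preload take no value."""
    policy = HstsPolicy()
    seen = set()
    for token in (t.strip() for t in header.split(";") if t.strip()):
        name, _, value = token.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name in seen:
            policy.problems.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                policy.max_age = int(value)
            else:
                policy.problems.append(f"max-age needs a non-negative integer, got {value!r}")
        elif name in ("includesubdomains", "preload"):
            if value:
                policy.problems.append(f"{name} takes no value")
            setattr(policy, "include_subdomains" if name == "includesubdomains" else "preload", True)
    if "max-age" not in seen:
        policy.problems.append("max-age is required")
    return policy

def rollout_stage(policy):
    """Name the stage of the post's rollout that a parsed policy corresponds to."""
    if policy.problems:
        return "invalid"
    if policy.preload:
        # the post's final policy: one year, includeSubDomains and preload together
        ready = policy.include_subdomains and policy.max_age >= ONE_YEAR
        return "preload-ready" if ready else "preload-incomplete"
    if policy.max_age >= ONE_YEAR:
        return "production" if policy.include_subdomains else "production-no-subdomains"
    return "testing"
```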

What is HSTS preloading

HSTS Preloading is a mechanism whereby a list of hosts that wish to enforce the use of SSL/TLS on their site is built into a browser. This list is compiled by Google and is utilised by Chrome, Firefox and Safari. These sites do not depend on the issuing of the HSTS response header to enforce the policy, instead the browser is already aware that the host requires the use of SSL/TLS before any connection or communication even takes place. This removes the opportunity an attacker has to intercept and tamper with redirects that take place over HTTP. This isn’t to say that the host needs to stop issuing the HSTS response header, this must be left in place for those browsers that don’t use preloaded HSTS lists.

To implement HSTS using .htaccess
header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS

The env=HTTPS condition makes the rule apply only when the request was served over HTTPS.

Redirect HTTP to HTTPS using Nginx

In this post, I will share my very simple configuration to redirect HTTP to HTTPS using Nginx web server.

With my configuration below, Nginx simply redirects port 80 to 443. This is very useful when you have a service that only listens on 443 (HTTPS): Nginx then sends all of your HTTP requests on to HTTPS (your actual service).

In nginx/conf/nginx.conf

worker_processes  1;
events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    server {
        listen 80;
        server_name host.saputra.org;
        access_log logs/host.access.log main;
        return 301 https://$host$request_uri;
    }
}

I tested using Nginx v1.14.2 (Stable)

I hope this post is useful for you, if you have any questions or comments, feel free to post them down below.

Create a new Mac Administrator account using Single User Mode

If you ever need to recreate the admin account on your Mac, this is the quickest and safest way to do it without breaking your Mac:

  1. Boot into Single User Mode by pressing ⌘ + S before you hear the Apple chime.
  2. Mount the drive by typing /sbin/mount -uw / then ↩ enter.
  3. Remove the Apple Setup Done file by typing rm -v /var/db/.AppleSetupDone then ↩ enter.
  4. Reboot by typing reboot then ↩ enter.
  5. Complete the setup process, creating a new admin account.

This will force macOS to redo the initial first account creation, and doing so will not affect the current user profiles (they will remain intact). So, if you later want to make them admins as well, you can do that by logging in with the newly created admin account, then go to System Preferences, then Users & Groups, select the existing user, and tick “Allow user to administer this computer”.

I tested on macOS 10.14 Mojave and it worked:

ark:db andy$ pwd
/var/db
ark:db andy$ ls -al .AppleSetupDone
-r--------  1 root  wheel  0 Apr  4  2017 .AppleSetupDone
ark:db andy$ uname -a
Darwin ark.local 18.0.0 Darwin Kernel Version 18.0.0: Wed Aug 22 20:13:40 PDT 2018; root:xnu-4903.201.2~1/RELEASE_X86_64 x86_64
ark:db andy$

If you have any questions or comments, please feel free to post down below. Cheers!

Access Ubuntu Linux using Remote Desktop Connection

In this brief tutorial, I’m going to show you how to use Windows’ own remote desktop connection protocol to connect to Ubuntu Linux 16.04 / 17.10 and 18.04 / 18.10 desktops using Xrdp.

Xrdp is an open-source remote desktop protocol server which uses RDP to present a GUI to the client. It provides a fully functional Linux terminal server, capable of accepting connections from rdesktop, freerdp, and Microsoft’s own terminal server / remote desktop clients, including copy and paste of content and files.

Step 1: Install Xrdp Server

To get Ubuntu Desktop accepting RDP connections, you must install and enable the Xrdp tool. Here are the commands to install and enable it:

sudo apt install xrdp
sudo systemctl enable xrdp

Step 2: Connect from Windows PC

Now that Xrdp server is installed, go and open Windows Remote Desktop Connection (%windir%\system32\mstsc.exe)

And connect to the server’s IP or hostname.

Type your username in Ubuntu desktop.

Click ‘Connect’ to initiate the remote desktop connection to the Ubuntu desktop. You will be warned with something like this, but don’t worry, that’s perfectly normal:

You can also tick that ‘Don’t ask me again for connection to this computer.’ so it will not warn you again in the future.

Type in your password in Ubuntu desktop.

If your credentials are correct, you should now be logged on to your Ubuntu desktop from Windows.

This tutorial should work with other Linux variants as well, especially Debian Linux derivatives. I actually made this tutorial on Kali Linux:

andy@kali:~# lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: kali-rolling
Codename: kali-rolling
andy@kali:~#

Troubleshooting:

  • If you have followed all the steps above but can’t log on, make sure you’re not already logged on to the Ubuntu desktop. The best thing is to restart your Ubuntu and not log on directly.
  • If you try the Xorg session and it quickly disconnects, select X11rdp from the drop-down list. It will hang and not fully log on; close the session and try the Xorg session again. Now it should work…
  • But if it keeps prompting you to authenticate, you can cancel the prompt windows… and restart again if the above step doesn’t work right away.

Let me know by commenting down below if you have any question or comments.

Disable Red Hat Graphical Boot on CentOS 7

Prefer to see what’s actually happening in the background when CentOS Linux is booting up?

Edit /etc/default/grub with your favourite editor, such as nano or vi.

[andy@av ~]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos_ba-eraappl-v/root rd.lvm.lv=centos_ba-eraappl-v/swap rhgb quiet net.ifnames=0 biosdevname=0"
GRUB_DISABLE_RECOVERY="true"
[andy@av ~]#

Basically we want to remove both rhgb and quiet above.

If you are curious what they are:

  • rhgb is the Red Hat graphical boot. This is a GUI boot screen with most of the information hidden while the user sees a spinning activity icon and brief information as to what the computer is doing.
  • quiet hides the majority of boot messages before rhgb starts. Both are supposed to make the common user more comfortable: people get alarmed when they see the kernel and initialisation messages, so these options hide them.

I personally prefer a shorter bootloader wait time, hence I lowered my GRUB_TIMEOUT from 5 seconds to 1 second.

This is my /etc/default/grub output after I removed both the rhgb and quiet options:

[andy@av ~]# cat /etc/default/grub
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos_ba-eraappl-v/root rd.lvm.lv=centos_ba-eraappl-v/swap net.ifnames=0 biosdevname=0"
GRUB_DISABLE_RECOVERY="true"
[andy@av ~]#

After removing the rhgb and quiet options, we need to update our grub2 boot configuration file by issuing this command:

[andy@av ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-862.14.4.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-862.14.4.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-514.2.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.2.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.36.3.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.3.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-06d71e1cb34f47898c320b96609134c6
Found initrd image: /boot/initramfs-0-rescue-06d71e1cb34f47898c320b96609134c6.img
done
[andy@av ~]#

Restart your system and you will notice that it now boots faster, and you will be able to see all the boot processes in detail.

Clone from Larger HDD to Smaller SSD

In this post we will learn how to clone Windows from a larger disk to a smaller disk. In most cases we do this when we want to do an HDD to SSD upgrade, since the hard disk drive usually has a larger capacity than our solid-state drive.

  1. We need to make sure that our C drive will fit into our SSD drive.
  2. Click here to download the Renee Becca software, it’s 100% free (no hidden charges or anything like that)
  3. The software requires a license, but don’t worry, a valid free license code will be mailed to your email after you enter your email address. Click here to obtain that free license (you can also use some temporary mail to get the license)
  4. Now install the software and open it, activate the software by entering the key you received in your email.
  5. Click on Clone and then select System Redeploy like shown in the picture below:
  6. Choose the Destination and it should be your SSD. The source is your system drive containing Windows files and boot images, etc. Please refer to the picture below:
  7. Now click the Redeploy button and select Yes as shown in the picture above.
  8. The software will then start the process and will complete the data transfer depending on your source disk size. Your partition will be automatically adjusted to fit with your new destination drive.
  9. Physically swap the old drive with the new drive. You can uninstall the software if you prefer not to keep it.

I hope this works for you. Let me know if you have any question by commenting down below. Cheers!

Disable Boot Splash Screen on Ubuntu Desktop Linux

Prefer to see what’s actually happening in the background when Ubuntu Desktop Linux is booting up?

  • Wait for Ubuntu to boot, then login and start a Terminal application
  • Edit /etc/default/grub as root, for example: sudo nano /etc/default/grub
  • Remove splash from GRUB_CMDLINE_LINUX_DEFAULT
  • Save the file and close the editor
  • Run sudo update-grub to regenerate the grub config files
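As an added example (my own code, not from the original posts), here is a POSIX sh helper that serves both the CentOS rhgb/quiet removal above and this Ubuntu splash removal: it rewrites only the GRUB_CMDLINE_* line you name and leaves a .bak copy of the file. The function names are my own, and regenerating grub.cfg afterwards (grub2-mkconfig on CentOS 7, update-grub on Ubuntu) remains a separate step.

```shell
#!/bin/sh
# Added example, not from the original posts: remove boot options such as
# rhgb, quiet or splash from a GRUB_CMDLINE_* line, and apply that edit to a
# grub defaults file. Variables are global because POSIX sh has no "local".
# Regenerating grub.cfg afterwards is still a separate step:
#   CentOS 7: grub2-mkconfig -o /boot/grub2/grub.cfg     Ubuntu: update-grub

# strip_grub_options LINE OPTION...  -> prints LINE with every OPTION removed
strip_grub_options() {
    line=$1; shift
    name=${line%%=*}                        # text before the first "="
    value=${line#*=}
    value=${value#\"}; value=${value%\"}    # drop the surrounding quotes
    out=""
    set -f                                  # no globbing while word-splitting
    for word in $value; do
        keep=1
        for drop in "$@"; do
            if [ "$word" = "$drop" ]; then keep=0; fi
        done
        if [ "$keep" -eq 1 ]; then out="$out $word"; fi
    done
    set +f
    printf '%s="%s"\n' "$name" "${out# }"
}

# strip_grub_file FILE VAR OPTION...  -> rewrites only the VAR= line of FILE,
# leaving the original as FILE.bak
strip_grub_file() {
    file=$1; var=$2; shift 2
    tmp=$(mktemp) || return 1
    while IFS= read -r l || [ -n "$l" ]; do
        case $l in
            "$var="*) strip_grub_options "$l" "$@" ;;
            *)        printf '%s\n' "$l" ;;
        esac
    done < "$file" > "$tmp"
    cp "$file" "$file.bak" && mv "$tmp" "$file"
}

# Demo on the CentOS line quoted in the post (no file is touched):
strip_grub_options \
  'GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos_ba-eraappl-v/root rhgb quiet net.ifnames=0"' \
  rhgb quiet
# Real use, as root: strip_grub_file /etc/default/grub GRUB_CMDLINE_LINUX rhgb quiet
```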

Here’s what my /etc/default/grub configuration file looks like after I disabled the splash screen:

GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=3
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX=""

I tested this on:

andy@computestick:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic
andy@computestick:~$

And this is my GRUB version:

andy@computestick:~$ grub-install --version
grub-install (GRUB) 2.02-2ubuntu8.4
andy@computestick:~$

If you have any questions, let me know by commenting down below and I’d be happy to answer.

MikroTik Fasttrack with IPsec

Fasttrack is a new feature introduced in RouterOS v6.29 that allows you to forward packets in a way that they are not handled by the Linux kernel, which greatly improves the throughput of your router as well as lowering the CPU load.

Fasttrack allows all packets that have the state Established or Related to bypass the kernel and be directly forwarded to the target. So, once a connection is marked as established or related, it won’t go through any firewalling or processing and will be directly forwarded to the target. Of course, a connection only gains the state of established or related once it has gone through the firewall, so it will still be secure.

But there’s a known issue that Fasttrack will not work with IPsec connections; it results in a rather wonky experience or a very unstable IPsec connection. So if you have IPsec connections on your MikroTik but want to take advantage of Fasttrack, here’s the resolution for you!

Firstly, we want to mark all IPsec connections:

/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec

Secondly, we want to create a new Fasttrack rule but excluding all IPsec connections that we have marked with the two mangle rules above:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec
/ip firewall filter add chain=forward action=accept connection-state=established,related

Don’t forget to delete your old Fasttrack rule if any.

I’ve been using this rule in my live IPsec site-to-site tunnel and the result is just simply amazing!

Let me know if you have any question or comment by posting down below. Cheers!