Security – Tyler Woods

The Perfect Reverse Proxy (NGINX, SSL, WebUI Management)

September 14, 2017 Tyler Woods

Reverse Proxy. I’ve been implementing reverse-proxy solutions in lab and in production for some time now, but I always come across the same problem; It’s not the easiest type of a system to manage, especially when there are SSL certificates involved. Now, before I started looking for an easy-to-manage SSL solution, I figured I’d find some sort of web interface for the NGINX config files and other basic server management. After some searching and testing, I decided on Ajenti. Ajenti is a python-based linux control panel that makes installing packages…

Easy SSL for ScreenConnect with NGINX Reverse Proxy

May 4, 2017 Tyler Woods

On the topic of NGINX Reverse Proxy, it just so happens that the process for installing an SSL certificate onto your ScreenConnect server can be rather difficult, and a much more flexible approach is by using NGINX over SSL to reverse-proxy to the ScreenConnect instance. This is how you can do it yourself. Modify ScreenConnect settings: To begin, we should change the port that ScreenConnect listens on for incoming web connections. This is so NGINX can use ports 80 and 443. On Linux, screen connect is in installed to /opt/screenconnect/ Open…

netdata: A remarkable server monitoring utility.

May 2, 2017May 4, 2017 Tyler Woods

I wanted to write a short introduction to a tool that I’ve been using a lot on my newest servers and development projects. This tool seriously provides the most amazing way of monitoring and comprehending your server’s performance and other metrics that I’ve seen in such a simple, lightweight installation. Here’s the current RAM utilization of my server, thanks to netdata: From the readme: netdata is a system for distributed real-time performance and health monitoring. It provides unparalleled insights, in real-time, of everything happening on the system it runs (including…

NGINX Security Hardening

May 1, 2017May 2, 2017 Tyler Woods

After setting up an NGINX webserver with a GoDaddy-issued SSL certificate, I did an SSL test and saw that I was graded a C. That’s average! I want a secure site. So I looked around at a couple of things, and decided to put together a small list of things you can add to your NGINX configuration/server block for enhancing security. I’m going to assume you’re already using an SSL certificate. If you aren’t, start there, and THEN look into how you can improve security 😉 1. Redirect all…

How to provide Guest WiFi network access securely with Cisco Meraki Appliances

March 15, 2017May 4, 2017 Tyler Woods

If you have an office, facility, or residence with a lot of guest traffic and are needing to provide the guests with their own network using your existing Meraki equipment, this is the best way to do it. For this example the environment is using the following devices: Cisco Meraki MX100 Router Cisco Meraki MS350-48p Switches Cisco Meraki MR42 APs Brief: The Guest clients should: be denied access to the Secure network (LAN, Secure WLAN, etc) be unable to communicate with each other (client isolation). have bandwidth restrictions. have unique content…

Deny Remote Desktop (RDP) login for all but your account

February 22, 2017 Tyler Woods

My computer is on a domain. I wanted to enable RDP access so I could work remotely, however in doing that, I’m letting my colleagues and others in my organization log in to my PC, as well as potentially allowing an intruder to log in. There are options to disallow logins from specific groups, however I can not block those domain groups because I am part of them. The easier approach for me is to be selective with who is allowed as opposed to defining explicit blocks. To allow…

Secure your Dropbox – store files and data in an encrypted container [Windows + BitLocker]

January 4, 2017January 4, 2017 Tyler Woods

We let our Documents sync to the cloud, download themselves on all of our PCs, and trust that no single person besides ourselves can ever see those files, unless otherwise intended. This may be true that “only you” can see what’s in your Dropbox and other cloud storage, but in reality, your cloud storage has so many gateways that it’s easy to accidentally leave one open, such as a shared home computer. Not only that, but your cloud storage provider could see your files if they wanted to. But isn’t…

Check if your accounts have been compromised in an online data breach

December 20, 2016 Tyler Woods

With all of the recent data breaches, online security is (and has been) becoming a growing concern. If you aren’t aware, hundreds of major breaches have been publicized, and who knows how many smaller breaches are going unnoticed each day? With the “have I been pwned” website, you can both view a list of pwned websites (websites which have been breached and data compromised) and also check your e-mail addresses and online usernames to see if they were included in any of those breaches. What if I’ve been pwned?! How you use…

Secure your Sophos Network: Use Network Groups for Trusted Remote Hosts.

December 20, 2016February 8, 2017 Tyler Woods

My primary concern lately as my internet presence has grown has been in the general realm of security. How do I know that no one is accessing my port-forwarded server? How do I know that no one is logging into my router? […] An easy answer to this has always been limiting inbound connections to trusted hosts; But that’s not always an easy solution. Most consumer routers don’t even support this (correct me if i’m wrong) and in most firewall applications it can be cumbersome to append and manage trusted…

Sophos UTM Country Blocking: Oops!

December 10, 2016February 8, 2017 Tyler Woods

Background: My girlfriend has an AirBnB service for a spare room in her home. I have a Sophos UTM appliance running her home network. Okay! Last night my girlfriend received a text on behalf of our guest stating that the WiFi wasn’t working. We were out for pizza + beer, so we didn’t exactly rush home to check it out. […] This morning we got word again; “the WiFi isn’t working, they say they need to use the WeChat app” I logged in to the Wireless AP and it checked out. It’s…