Pi-hole on OpenBSD

The problem

I don’t like ads for the following reasons:

- They are obnoxious
- They are a security risk
- They waste bandwidth (and my internet connection is often fragile)
- They collect data and violate my privacy

Some options

- Use a DNS ad blocker on the network, such as a Pi-hole
- Use a browser-based application firewall such as uBlock Origin or uMatrix
- Use a DNS ad blocker such as the Pi-hole on the host machine, in a VM, or in a Docker container

I have done all three of these things (sometimes combining them), and while the Raymond Hill (uBlock / uMatrix) solutions are excellent, they only work in the specific browser they are installed in, and do nothing to prevent any additional telemetry requests from various operating systems or applications. Read more...

802.1X on OpenBSD

I have been using OpenBSD on a daily basis recently, and I have found it possible to do almost everything that I need to in a smooth and well-documented environment, but there are a few quirks that can be difficult to figure out. One such example is that many educational institutions and other large organizations tend to use WPA Enterprise / WPA-802.1X mode for authentication to their wireless networks. This is not supported by OpenBSD base (yet? Read more...

SSH, the home network is torifying

I like to be able to access my home network remotely. My connection to the Internet is actually a rebroadcasting of various local WiFi networks, which presents a challenge for remote ssh access, since the IP address is dynamically assigned and changes often. My home network is served by a wireless AP that acts as a router, handing out local IP addresses via DHCP. Also, I like to be able to access the web interface for the upstream wireless access point and change networks remotely, while having the option of using a different internet connection on my laptop. Read more...

Barbra's Pi-Hole

Recently, I have taken to using a VPN for the majority of web browsing. This helps to prevent common ISP nonsense such as DNS hijacking as well as providing some convenient security on untrusted networks, such as public WiFi. There are a variety of Free Software VPN tools out there, such as OpenVPN, {strong,libre,Open}swan, shadowsocks, and others. Additionally, if you are primarily a Linux user, then you can use the best VPN ever, WireGuard, created by Jason Donenfeld. Read more...

HSTS and http headers redux

This site is now included in the HSTS preload list, and will not be served over an insecure connection. In an effort to continually employ best security practices, I have successfully removed 'unsafe-inline' from the site’s Content Security Policy. I did this by changing the way I am using Hugo’s syntax highlighting in the config.toml file. By enabling pygmentsUseClasses, I was able to use CSS to style code blocks as opposed to having the styles in a bunch of ugly <span></span> tags generated by pygments. Read more...

HSTS and http security headers

As I endeavor to learn more about (web) security, I decided to harden this site to serve content only via TLS as well as to include it in the HSTS preload list. By submitting it for inclusion in the list, the domain name bghost.xyz will be hard-coded into Chromium and its proprietary descendant Google Chrome as well as Mozilla Firefox. This is an implementation of IETF RFC 6797, HTTP Strict Transport Security (HSTS). Read more...
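The two HSTS posts above concern two headers that have to be right: a Strict-Transport-Security header strong enough for the preload list, and a Content-Security-Policy that no longer needs 'unsafe-inline' once syntax highlighting moved into a stylesheet. The following is an added example, not code from this site or from Hugo: it parses both headers offline, applying the RFC 6797 directive rules to STS (max-age required, names case-insensitive, a repeated directive invalidates the header) and reporting whether a CSP still allows inline styles or scripts. The preload thresholds (max-age of at least one year, includeSubDomains, preload) are my assumptions about the hstspreload.org submission form, and the sample headers are constructed.

```python
"""Offline checks for Strict-Transport-Security (RFC 6797) and CSP headers.

Added example; not the site's own code. The preload requirements below are
assumed from the hstspreload.org submission form, not taken from RFC 6797.
"""

import re

# Assumed preload requirements: one year max-age, includeSubDomains, preload.
PRELOAD_MIN_MAX_AGE = 31536000

# Constructed sample headers.
STS_BEFORE = "max-age=300"
STS_PRELOAD = "max-age=63072000; includeSubDomains; preload"
CSP_BEFORE = "default-src 'self'; style-src 'self' 'unsafe-inline'"  # inline <span> styles
CSP_AFTER = "default-src 'self'; style-src 'self'"                   # styles served from CSS


def parse_sts(header):
    """Parse an STS header value into {directive: value} per RFC 6797.

    Directives are ';'-separated, names are case-insensitive, max-age is
    required, and a directive that appears more than once makes the whole
    header invalid (a conforming UA must ignore it).
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError("duplicate directive: %s" % name)
        directives[name] = value
    if "max-age" not in directives:
        raise ValueError("max-age is required")
    if not re.fullmatch(r"\d+", directives["max-age"]):
        raise ValueError("max-age must be a non-negative integer")
    return directives


def preload_problems(header):
    """Return the reasons a header is not preload-eligible; empty if it is."""
    try:
        d = parse_sts(header)
    except ValueError as e:
        return [str(e)]
    problems = []
    if int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below %d" % PRELOAD_MIN_MAX_AGE)
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def parse_csp(header):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def inline_allowed(header, kind):
    """True if the policy still allows inline content of kind 'style' or 'script'.

    Falls back to default-src when the specific directive is absent; a policy
    with neither directive does not restrict inline content at all. Nonces and
    hashes, which neutralise 'unsafe-inline' in CSP Level 2+, are not modelled.
    """
    policy = parse_csp(header)
    sources = policy.get(kind + "-src", policy.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    for sts in (STS_BEFORE, STS_PRELOAD):
        print("%-45s preload problems: %s" % (sts, preload_problems(sts) or "none"))
    for csp in (CSP_BEFORE, CSP_AFTER):
        print("%-55s inline styles allowed: %s" % (csp, inline_allowed(csp, "style")))
```

Run it as a script to see the before/after verdicts for both headers; the functions take raw header values, so they can be fed the output of a curl -sI against a live site once it is deployed.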

LibreSSL on funtoo

Recently, I decided to switch to LibreSSL from the default of OpenSSL on my funtoo installation. For the most part everything works. Following the gentoo documentation on the subject, I now have a funtoo system which has everything compiled against LibreSSL. Here is what I did to get things running. This is modified from the instructions at the above link.

root# echo 'USE="${USE} libressl"' >> /etc/portage/make.conf

We need to get the files to build LibreSSL before we uninstall OpenSSL: Read more...

funtoo kernel upgrade

While I love many of funtoo’s attempts to streamline the install and upgrade process, I still choose to manage my kernel manually. I have been partial to gentoo-sources. Since I am currently using systemd-boot, when I want to boot to a newer kernel, I just change the relevant kernel and initramfs lines in /boot/loader/entries/funtoo.conf. However, that doesn’t mean a little automation can’t help. Here’s a trivial script I wrote that accepts user input to decide whether or not to clean the build dir before building the new kernel. Read more...

kvm nat over host wireless

After using VirtualBox as my only virtualization platform for quite some time, I have decided to try out QEMU/KVM. So far, I find this approach to be a better solution for my personal virtualization needs (a couple of BSD/Linux guest machines running on a Linux host), but because of the elusive and fragmented nature of documentation for the project, especially with regard to the available networking options and their various benefits and limitations, I have decided to write up some of my experiences in hopes that they will be useful to others. Read more...

securing X without a display manager

First of all, I should start by describing my desktop setup briefly to provide the context for this post. I use i3 as a window manager, primarily running on funtoo. i3 comes with a really nice screen locking program called i3lock that provides a bunch of well-documented options for your locking pleasure, including the ability to use a background picture, as well as optionally using a windows-style mouse pointer at the lock screen ;-) Read more...