We’re Gonna Need a Bigger Boat
Earlier this year, the FreeAgent marketing website www.freeagent.com was the target of a volumetric Distributed Denial of Service (DDoS) HTTP flood attack. This was a relatively unsophisticated attack in that it targeted a particular static endpoint of our website with a massive number of HTTP GET requests from multiple remote IP addresses around the globe, as visualised on the map below. Predominantly serving the UK small business base, FreeAgent wouldn't…
External authentication scripts in OpenVPN the right way
OpenVPN is a wonderfully flexible piece of software in anyone's toolkit, but recently we found a sharp edge that wasn't the most obvious thing to work around. After spinning up a new VPN server we wanted to add username/password authentication against an external source. Looking at the OpenVPN documentation, the --auth-user-pass-verify <script> flag provides this functionality. Writing the script for this was easy enough: read the credentials from a…
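The documented contract for --auth-user-pass-verify with the via-file method, as an added example that is not the script from the post (the sharp edge the post goes on to describe is cut off in this excerpt and is not reproduced here). OpenVPN writes the username on line 1 and the password on line 2 of a temporary file and passes its path as $1; exit 0 accepts the client and any other status rejects it. The "external source" is assumed here to be a constructed users file of salted SHA-256 digests, which is only a stand-in: a real deployment should use a proper password KDF or delegate to PAM, LDAP or RADIUS. The sha256_hex helper and the users-file layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not FreeAgent's script): an --auth-user-pass-verify handler
# for OpenVPN's "via-file" method. Server config needed to run it:
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/verify.sh via-file
# via-file is preferred over via-env so the password never sits in the
# environment of the script (and of anything it execs).
set -eu

# Constructed credential store: one "name:salt:hash" record per line.
USERS_DB="$(mktemp)"

# Portable SHA-256 of stdin as lowercase hex (coreutils or BSD userland).
# Assumption for the demo only; unsalted/fast hashes are not a password KDF.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# add_user NAME PASSWORD -> appends a record with a fresh 8-byte random salt.
add_user() {
    salt=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    hash=$(printf '%s%s' "$salt" "$2" | sha256_hex)
    printf '%s:%s:%s\n' "$1" "$salt" "$hash" >> "$USERS_DB"
}

# verify_credentials FILE -> 0 if line 1 (username) and line 2 (password) of
# FILE match a stored record, 1 otherwise. OpenVPN deletes FILE after the
# script returns, so nothing here needs to clean it up.
verify_credentials() {
    creds="$1"
    user=$(sed -n '1p' "$creds")
    pass=$(sed -n '2p' "$creds")
    # Reject empty fields, and a username containing the record separator,
    # before consulting the store at all.
    case "$user" in ''|*:*) return 1 ;; esac
    [ -n "$pass" ] || return 1
    # Exact field match via awk rather than grep, so regex metacharacters in
    # the supplied username cannot widen the lookup.
    entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$USERS_DB")
    [ -n "$entry" ] || return 1
    salt=${entry#*:}; salt=${salt%%:*}
    stored=${entry##*:}
    calc=$(printf '%s%s' "$salt" "$pass" | sha256_hex)
    [ "$calc" = "$stored" ]
}

# Demo user; the passphrase is a well-known example value, not a real secret.
add_user alice 'correct horse battery staple'

# Stand-alone demo of what OpenVPN would hand the script.
DEMO="$(mktemp)"
printf 'alice\ncorrect horse battery staple\n' > "$DEMO"
if verify_credentials "$DEMO"; then echo "accepted"; else echo "rejected"; fi
rm -f "$DEMO"
```

The script is deliberately strict about its input: a missing username or password, or a username that would collide with the record format, is rejected before any lookup happens, and the user lookup is an exact field comparison rather than a grep pattern built from untrusted input.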
Passphrase generation using awk
Given a requirement of generating a temporary passphrase that can be communicated over the phone to another person, I thought of XKCD #936, which suggests using four random words together as a passphrase. Then there's just the question of how to generate that easily. Most Unix-like systems ship a word list; on OS X it's located at /usr/share/dict/words. This contains a good ~236,000 words on…
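A POSIX shell version of the idea, as an added example that is not the post's own one-liner. The post's title says awk, and awk is used here to pull the chosen line out of the list, but the random index comes from /dev/urandom rather than awk's rand(): most awk implementations seed srand() from the clock, which is far too predictable for anything used as a credential. The ten-word sample list is constructed so the script runs offline; pass /usr/share/dict/words in its place. The word filter (lowercase ASCII, 4 to 8 letters) is an assumption chosen for readability over the phone.

```shell
#!/bin/sh
# Added example (not from the original FreeAgent post): XKCD-936-style
# passphrases from a word list, with the randomness taken from the kernel
# CSPRNG instead of awk's clock-seeded rand().
set -eu

# Constructed sample word list so the script runs offline.
SAMPLE_WORDS="$(mktemp)"
printf '%s\n' correct horse battery staple purple \
    monitor basket ladder river pencil > "$SAMPLE_WORDS"

# random_index MAX -> an integer in [0, MAX) from /dev/urandom.
# The modulo bias is negligible for lists far smaller than 2^32 entries.
random_index() {
    n=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $((n % $1))
}

# passphrase WORDLIST [COUNT] -> COUNT words (default 4) separated by spaces.
passphrase() {
    wordlist="$1"
    count="${2:-4}"
    # Keep only plain lowercase ASCII words of 4-8 letters: easy to spell out
    # on the phone, no apostrophes, proper nouns or accented characters.
    filtered="$(mktemp)"
    grep -E '^[a-z]{4,8}$' "$wordlist" > "$filtered"
    total=$(wc -l < "$filtered" | tr -d ' ')
    out=""
    i=0
    while [ "$i" -lt "$count" ]; do
        idx=$(random_index "$total")
        # awk line numbers are 1-based, so select line idx+1.
        word=$(awk -v n="$((idx + 1))" 'NR == n' "$filtered")
        out="$out${out:+ }$word"
        i=$((i + 1))
    done
    rm -f "$filtered"
    printf '%s\n' "$out"
}

# entropy_bits TOTAL COUNT -> bits of entropy for COUNT words drawn uniformly
# (with replacement) from TOTAL candidates, to one decimal place.
entropy_bits() {
    awk -v t="$1" -v c="$2" 'BEGIN { printf "%.1f\n", c * log(t) / log(2) }'
}

# Stand-alone demo.
passphrase "$SAMPLE_WORDS"
echo "entropy with this list: $(entropy_bits 10 4) bits"
```

The entropy helper is the check worth running before trusting the output: four words from the ten-word sample give about 13 bits, which is no better than a short PIN, while four words from a list the size of the OS X file (the post quotes ~236,000 entries, though the filter above would trim that) land in the region of 70 bits. The strength comes entirely from the list size and the uniformity of the draw, not from the words looking random.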
Weak DH – Time to Level Up
SSL vulnerabilities have been big news over the last few years. We've had Heartbleed, CCS Injection, POODLE and FREAK among others. At FreeAgent we take these vulnerabilities very seriously and work to mitigate them as fast as possible. The one we will be looking at today is Weak Diffie-Hellman and the Logjam attack, and some changes we are going to be making in the coming months. SSL configuration can be…
System hardening leads to CVE-2015-3341 and fun with DTrace
Here at FreeAgent, security is a never-ending project. We are never finished, and we are always looking for ways to harden our platform, ensuring data is kept safe. Security should not be taken for granted: it is not just about technical mitigations or fancy enterprise firewalls; equally important is developing the right set of processes and procedures. One important aspect is testing your security controls. You need to be…
Speeding up SSL
SSL is great: widely supported, easy to set up, relatively cheap these days and (relatively) secure. We've required it from our early days and it hasn't caused us too many issues other than needing us to renew our SSL certificates from time to time and requiring a few more IP addresses than we otherwise would have needed[1]. That said, I recently visited Portland to attend PuppetConf (all about Puppet, a configuration…