Use crontab to run a command in tmux

0 22 * * * /usr/bin/tmux new -d && /usr/bin/tmux send-keys -t 0 "vnstat -l" ENTER
0 23 * * * /usr/bin/tmux send-keys -t 0 C-c

For reference only; check that the commands fit your setup. For instance, if older tmux sessions already exist the new session will not be number 0, so you may want to give it a name with -s and target that name instead. Also keep the quotes around the command straight ASCII quotes: curly quotes are passed to the shell inside tmux as literal characters.
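As an added example (not the post's own crontab), here is the named-session variant: the session is created only if it does not exist yet, the stop job targets it by name instead of by number, and the name is checked against the characters tmux reserves as target separators. The session name vnstat, the script layout and the function names are assumptions.

```shell
#!/bin/sh
# Cron-driven capture in a *named* tmux session (added example).
# Usage: sh tmux-capture.sh start|stop|cron [SESSION [COMMAND]]

# tmux session names must not contain '.' or ':' (both are target separators),
# and must not be empty. Returns 0 if NAME is usable, 1 otherwise.
valid_session_name() {
    name=$1
    [ -n "$name" ] || return 1
    case $name in
        *.*|*:*) return 1 ;;
    esac
    return 0
}

# Print the two crontab lines for SESSION and COMMAND. Absolute paths matter:
# cron runs with a minimal PATH, and the stop job only makes sense if the
# session name is fixed, which is why -s is used instead of relying on index 0.
crontab_lines() {
    name=$1 cmd=$2
    printf '0 22 * * * /usr/bin/tmux has-session -t %s 2>/dev/null || /usr/bin/tmux new-session -d -s %s; /usr/bin/tmux send-keys -t %s "%s" Enter\n' "$name" "$name" "$name" "$cmd"
    printf '0 23 * * * /usr/bin/tmux send-keys -t %s C-c\n' "$name"
}

# Create (or reuse) the named session and type COMMAND into it.
start_capture() {
    valid_session_name "$1" || { echo "bad tmux session name: $1" >&2; return 1; }
    tmux has-session -t "$1" 2>/dev/null || tmux new-session -d -s "$1"
    tmux send-keys -t "$1" "$2" Enter
}

# Interrupt whatever is running in the session (what the 23:00 cron job does).
stop_capture() {
    valid_session_name "$1" || return 1
    tmux send-keys -t "$1" C-c
}

case ${1:-} in
    start) start_capture "${2:-vnstat}" "${3:-vnstat -l}" ;;
    stop)  stop_capture "${2:-vnstat}" ;;
    cron)  crontab_lines "${2:-vnstat}" "${3:-vnstat -l}" ;;
esac
```

`sh tmux-capture.sh cron` prints the two lines to paste into `crontab -e`; `start` and `stop` are the same actions for running by hand.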

Enabling DHE cipher on nginx (for IE 11 compatibility)

# generated 2020-10-27, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.0.2k, intermediate configuration, no HSTS, no OCSP
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.0.2k&hsts=false&ocsp=false&guideline=5.6
server {
    # listen / ssl_certificate / ssl_certificate_key and the session settings from the generator are left out of this excerpt

    # required for the DHE-* suites below; the generator suggests the RFC 7919 ffdhe2048 group:
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /path/to/dhparam;

    # intermediate configuration
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
}

To add support for IE 11 on Windows 7 / 8.1, append the following suites to the ssl_ciphers list:

ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384

Both are CBC (non-AEAD) suites, so keep them only while you actually have to serve those clients. With a working ssl_dhparam, the DHE-RSA-*-GCM suites already in the list are what give Mozilla's intermediate profile its IE 11 on Windows 7 compatibility, so check that first.

Lesson learned: ssl_dhparam is mandatory. Without it nginx (1.11.0 and later) offers no DHE suite at all, no matter how many are listed in ssl_ciphers.
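To confirm the result from the client side, the added script below (not from the page or from Mozilla's generator) asks openssl s_client for one suite at a time and reports what was negotiated and which ephemeral key the server used. A DHE suite that comes back "refused" while it is listed in ssl_ciphers is the classic symptom of a missing ssl_dhparam; a negotiated DHE suite should show "DH, 2048 bits" (or whatever group your dhparam file holds). The host/port arguments and the two trimmed s_client transcripts used for offline self-checking are constructed assumptions.

```shell
#!/bin/sh
# Probe which TLS 1.2 suites a server actually negotiates (added example).
# Usage: sh probe-suites.sh HOST [PORT]    (openssl(1) required)

# The suites that depend on ssl_dhparam, plus the two CBC suites added for
# IE 11 on Windows 7 / 8.1.
CIPHERS='DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA384'

# s_client output on stdin -> the "Cipher    : ..." value from the session
# block ("0000" or empty when the handshake failed).
negotiated_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*: *//p' | head -n 1
}

# s_client output on stdin -> the ephemeral key line, e.g. "DH, 2048 bits" or
# "ECDH, P-256, 256 bits". For a DHE suite this is the group from ssl_dhparam.
temp_key() {
    sed -n 's/^Server Temp Key: *//p' | head -n 1
}

# summarize CIPHER   (s_client output on stdin) -> one readable result line
summarize() {
    out=$(cat)
    c=$(printf '%s\n' "$out" | negotiated_cipher)
    case $c in
        ''|0000|'(NONE)') echo "$1: refused" ;;
        *) echo "$1: negotiated $c ($(printf '%s\n' "$out" | temp_key))" ;;
    esac
}

# probe HOST PORT CIPHER: offer exactly one suite and see whether the server takes it
probe() {
    openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 -cipher "$3" </dev/null 2>&1 | summarize "$3"
}

# Constructed, trimmed s_client transcripts for checking the parsers offline:
# a successful DHE handshake and a rejected suite.
SAMPLE_OK='New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: DH, 2048 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAIL='error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

if [ $# -ge 1 ]; then
    for c in $CIPHERS; do probe "$1" "${2:-443}" "$c"; done
fi
```

Run it before and after adding ssl_dhparam: the two DHE lines should flip from "refused" to "negotiated ... (DH, 2048 bits)", and the ECDHE-ECDSA line stays "refused" unless the server also has an ECDSA certificate.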

Forward traffic (filtered by source IP and destination port) to another public IP

Check it on Gist: https://gist.github.com/richardevs/355d24b25f6c19b698b7134504843dc6

# run all these on the bastion vm
# iptables could not route the traffic directly to a public IP in my test
# (a DNAT to a remote address also needs net.ipv4.ip_forward=1 and a return-path SNAT/MASQUERADE),
# so a local socat hop terminates the connection and re-originates it

iptables -t nat -F # flush ALL current NAT rules (be careful: this also removes rules you may still need)
iptables -t nat -A PREROUTING -s 1.1.1.1 -p tcp --dport 443 -j DNAT --to-destination :4433 # only TCP 443 from 1.1.1.1 is rewritten to local port 4433 (REDIRECT --to-ports 4433 does the same)
iptables -t nat -A POSTROUTING -j MASQUERADE # not needed for the local socat hop (socat originates its own outbound connection); only required if you DNAT straight to the remote host
iptables -t nat -nL # double-check that the rules are in place

# hand the connection on to the final destination, 2.2.2.2:443 in this demo
# the -s 1.1.1.1 filter only covers port 443: anyone can still connect to 4433 directly,
# so restrict the listener with range= (or an INPUT rule) to the same source
nohup socat TCP4-LISTEN:4433,reuseaddr,fork,range=1.1.1.1/32 TCP4:2.2.2.2:443 &

【GPG Key Rotation Notice】

– 330CDE83C3337CEADA44CE70BB180B9415CDC81B has been retired and a revocation has been submitted
– Superseded by 8C095E600D83C696586E0BAAF41C815ACDD22938
– The old and new keys are cross-signed
– The Keybase profile has been updated accordingly
– The new key signs mainly with a SubKey that has a 4-year validity; the MasterKey never expires
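For anyone verifying a rotation like this, two checks matter: the new key must carry a certification made by the old key (and, as announced here, vice versa), and the old key must show as revoked in your keyring. The added script below is not the author's tooling; cross_signed and is_revoked take full fingerprints and work against any keyring, so after importing the two fingerprints above you can call them directly. The demo mode builds two throw-away keys in a temporary GNUPGHOME, cross-signs them, adds a 4-year signing subkey to the new one, revokes the old one and runs the checks; the example.invalid user IDs, the "demo" argument and the function names are assumptions.

```shell
#!/bin/sh
# Verify a GPG key rotation: cross-signature and revocation checks (added example).
# Usage: sh rotation-check.sh demo        (gpg >= 2.1 required)
set -u

# 0 if key $2 carries a good ("!") signature made by key $1; both are fingerprints.
cross_signed() {
    signer_id=$(printf '%s' "$1" | tail -c 16)      # long key ID = last 16 hex digits of the fingerprint
    gpg --batch --check-sigs --with-colons "$2" 2>/dev/null |
        awk -F: -v id="$signer_id" '$1 == "sig" && $2 == "!" && $5 == id { found = 1 } END { exit !found }'
}

# 0 if the primary key $1 is flagged revoked ("r" in the validity field of its pub record).
is_revoked() {
    gpg --batch --list-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "pub" { r = ($2 == "r") } END { exit r ? 0 : 1 }'
}

# Fingerprint of the key matching a user ID (first match).
fpr_of() {
    gpg --batch --list-keys --with-colons "$1" 2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
}

demo() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    g="gpg --batch --yes --pinentry-mode loopback --passphrase"
    # old key: never expires. new key: non-expiring cert-only primary plus a signing subkey valid 4 years,
    # mirroring the "SubKey signs, MasterKey never expires" layout from the notice
    $g '' --quick-gen-key 'Old Key <old@example.invalid>' default default never
    $g '' --quick-gen-key 'New Key <new@example.invalid>' default cert never
    OLD=$(fpr_of old@example.invalid); NEW=$(fpr_of new@example.invalid)
    $g '' --quick-add-key "$NEW" default sign 4y
    # cross-certify in both directions
    $g '' -u "$OLD" --quick-sign-key "$NEW"
    $g '' -u "$NEW" --quick-sign-key "$OLD"
    OLD_SIGNS_NEW=$(cross_signed "$OLD" "$NEW" && echo yes || echo no)
    NEW_SIGNS_OLD=$(cross_signed "$NEW" "$OLD" && echo yes || echo no)
    # gpg >= 2.1 stores a pre-made revocation certificate in openpgp-revocs.d with the armor
    # header disarmed by a leading colon; strip it and import it to revoke the old key
    rev="$GNUPGHOME/openpgp-revocs.d/$OLD.rev"
    if [ -f "$rev" ]; then sed 's/^://' "$rev" | gpg --batch --import; fi
    OLD_REVOKED=$(is_revoked "$OLD" && echo yes || echo no)
    NEW_REVOKED=$(is_revoked "$NEW" && echo yes || echo no)
    echo "old=$OLD new=$NEW"
    echo "old signs new: $OLD_SIGNS_NEW   new signs old: $NEW_SIGNS_OLD"
    echo "old revoked:   $OLD_REVOKED   new revoked:   $NEW_REVOKED"
    gpg --batch --list-keys --with-colons "$NEW" 2>/dev/null |
        awk -F: '$1 == "sub" { print "subkey " $5 " expires " ($7 ? strftime("%Y-%m-%d", $7) : "never") }'
}

if [ "${1:-}" = demo ]; then demo; fi
```

Against the real keys, `gpg --recv-keys` both fingerprints (or fetch them from Keybase), then run `cross_signed OLD NEW`, `cross_signed NEW OLD` and `is_revoked OLD`; all three returning 0 is what "cross-signed and revoked" should look like from the outside.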

Lately I seem to be getting scanned; the TCP exchange always follows this fixed pattern:

SYN -> PUSH -> FIN

Comparing this with normal traffic, normal connections carry OPTIONS in every TCP packet, whereas here only the SYN packet has OPTIONS, and that OPTIONS value never changes. I wonder whether this OPTIONS value could be used as a blocking criterion.

Flags [S], seq 1799944867, win 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 8], length 0
Flags [.], ack 4104578379, win 16384, length 0
Flags [P.], seq 0:32, ack 1, win 517, length 32
Flags [.], ack 2, win 517, length 0
Flags [F.], seq 205, ack 2, win 517, length 0
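One way to turn the observation above into a check over tcpdump output, as an added example that is not part of the post: mss, sackOK and wscale are only ever sent in the SYN, so the part that really distinguishes this flow from a normal one is the missing TCP timestamp option (a normal Linux stack puts TS val/ecr in the SYN and repeats it in every later segment). The classifier below flags a flow as "suspect" when the SYN carries options but no timestamp, no later segment carries any options, and the flow still completes a PUSH and a FIN. The capture from the post is used verbatim; the "normal" flow is constructed for comparison. If you do want to act on this in the firewall, recent nftables can match on individual options (the `tcp option` family of matches, e.g. `tcp flags syn tcp option timestamp missing`); check your nft version's manual before relying on it, and expect false positives from any client that simply does not use timestamps.

```shell
#!/bin/sh
# Classify one TCP flow from tcpdump output (added example, not from the post).
# Usage: classify_flow < capture.txt     (one flow per file, e.g. from
#        tcpdump -nn 'tcp and host 1.2.3.4' > capture.txt)

# Reads tcpdump lines on stdin, prints "suspect" or "normal".
classify_flow() {
    awk '
    /Flags \[S\]/ {                       # client SYN
        syn = 1
        if ($0 ~ /options \[/ && $0 !~ /TS val/) syn_no_ts = 1
        next
    }
    /Flags \[S\.\]/ { next }              # SYN-ACK: options are expected here, ignore
    /Flags \[/ {                          # every other segment of the flow
        if ($0 ~ /options \[/) later_opts = 1
        if ($0 ~ /Flags \[P/) push = 1
        if ($0 ~ /Flags \[F/) fin = 1
    }
    END {
        if (syn && syn_no_ts && !later_opts && push && fin) print "suspect"
        else print "normal"
    }'
}

# The capture from the post, verbatim.
SCAN_SAMPLE='Flags [S], seq 1799944867, win 65535, options [mss 1440,nop,nop,sackOK,nop,wscale 8], length 0
Flags [.], ack 4104578379, win 16384, length 0
Flags [P.], seq 0:32, ack 1, win 517, length 32
Flags [.], ack 2, win 517, length 0
Flags [F.], seq 205, ack 2, win 517, length 0'

# A constructed "normal" flow: a Linux-style SYN with a timestamp option, and
# timestamps repeated in every later segment.
NORMAL_SAMPLE='Flags [S], seq 100, win 64240, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
Flags [.], ack 1, win 502, options [nop,nop,TS val 2 ecr 1], length 0
Flags [P.], seq 1:33, ack 1, win 502, options [nop,nop,TS val 3 ecr 1], length 32
Flags [F.], seq 33, ack 2, win 502, options [nop,nop,TS val 4 ecr 2], length 0'

if [ "${1:-}" = demo ]; then
    printf 'scan sample:   %s\n' "$(printf '%s\n' "$SCAN_SAMPLE" | classify_flow)"
    printf 'normal sample: %s\n' "$(printf '%s\n' "$NORMAL_SAMPLE" | classify_flow)"
fi
```

A flow that matches the SYN shape but never gets to PUSH/FIN (a plain port probe, or a client that just does not use timestamps) is deliberately left as "normal", since the post's pattern is the full three-step exchange, not the SYN alone.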