Welcome to cron.weekly issue #63 for Sunday, January 15th, 2017.
A full issue once again, lots of new projects and guides got posted last week. If those were New Year’s resolutions, keep it up!
Just as a reminder for anyone trying to find a project or guide mentioned in a previous newsletter, all issues are available online in the archive.
News
The MongoDB hack and the importance of secure defaults
Over the last few weeks, several unfirewalled and unsecured MongoDB instances were held “ransom”: their data was stolen and you had to pay bitcoins to get it back. This article looks at how that could happen and what the value of secure, sane default values is for system packages.
Docker 0-Day Stopped Cold by SELinux
Earlier last week, a Docker vulnerability (CVE-2016-9962) was made public that allowed code running in a container to escape that container and compromise the host. In this post by Red Hat they explain how SELinux prevents such exploits.
systemd Sucks, Long Live systemd
A look at the bad & good parts of systemd. Thankfully, there are more good parts than bad, as we’ll be using systemd for quite some time.
How Stack Overflow plans to survive the next DNS attack
This post has some good insights into how/when to spread your DNS records across multiple providers, what the impact of one offline provider is, whether you should revoke nameservers or just keep them listed but ‘offline’, …
Software Developers Should Have Sysadmin Experience
And vice versa! A well-reasoned post about the benefits of knowing both ends of the spectrum in order to build more resilient, reliable and performant applications.
Tools & Projects
DataDog: all your infrastructure, in one place
Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial. (Sponsored)
relayd
The relayd project consists of `relayd`, a load-balancer, application layer gateway, transparent proxy, and SSL/TLS gateway, and `httpd`, a web server that is based on relayd. It is secure, serves static files and supports FastCGI and TLS.
posixcube
A potential alternative to Ansible, posixcube is a POSIX-compliant shell script server automation framework.
pshtt
pshtt (“pushed”) is a tool to scan domains for HTTPS best practices. It saves its results to a CSV (or JSON).
wmail
This might be useful for your desktop, not so much your servers: an open source desktop client for Gmail & Google Inbox. Bringing the online Gmail & Google Inbox experience to your desktop in a neatly packaged app.
vallumd
This program allows you to centralize and distribute IP blacklists. It can be integrated with fail2ban, where banned IPs on a single host can be exported to other servers and preventively blocked. It’s a tool to build a clustered fail2ban, sharing IP block lists.
dvws
Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication.
hotel
A simple process manager for developers. Start apps from your browser and access them using local .dev domains.
dgsh — directed graph shell
A new shell based on Bash which introduces a very interesting “left to right” syntax at the CLI, offers multi-core processing with piped commands and an expressive syntax. Worth a look, scroll down to the examples to understand its power!
chisel
A fast TCP tunnel over HTTP.
Guides & Tutorials
Google Infrastructure Security Design Overview
A very detailed write-up by Google on how to run a secure service online. It covers everything from physical security (hardware, on-prem security, …) to secure deployment to secure communication between services. Such amazing value in that document!
Using GPG to Encrypt Your Data
A guide by NASA on how to use GPG to encrypt and decrypt a message (or images, binary files, …).
SSH Start to Finish – Certificate Authority Basics
This write-up explains Certificate Authorities and Key Revocation Lists in order to understand how SSH key authentication works.
From OSX to Ubuntu
A guide for hardcore OSX users who are tired of their OS and want to switch to Ubuntu. It covers some practical areas like replacing Alfred (task launcher), the File Manager, code editors, … All for Desktop Linux, of course.
Faster MySQL replication with group commit and delay
This post introduces two MySQL options that can greatly decrease MySQL replication lag: ‘slave-parallel-type’ and ‘binlog-group-commit-sync-delay’.
Randomness in Linux
A fun read about the difference between /dev/random and /dev/urandom, where entropy comes from, what ‘randomness’ means in Linux, …
Linux kernel initialization, translated to bash
This script by Hector Martin was created to explain the Kernel init process (initrd, initramfs, mounts, etc) more clearly, in Bash. Very technical and to the point, you’ll learn a few lesser-used CLI tools along the way.
Containers from Scratch
Containers with good old-fashioned tools: chroot, unshare, nsenter, bind mounts, cgroups, setcap, … If you want to understand what goes on behind a docker CLI command, this post gives a very good overview.
Videos
Building a Billion User Load Balancer
This presentation by Facebook offers more insights into the load balancer they created to serve traffic to Facebook.com and all the different apps. Lots of info on ECMP, ipvs, TCP session sharing, …