Ne00n / .md
Last active September 29, 2016 17:06 — forked from joepie91/.md

ANSSI

  • December 3, 2013: Google finds fraudulent certificates for Google domains, signed by ANSSI. The certificates are used for MITM attacks. (source)

CNNIC

  • March 3, 2015: An intermediate CA operating under CNNIC (named MCS Holdings) is found issuing fraudulent certificates for various Google domains, for the purpose of MITM attacks. This delegation should never have occurred, as MCS Holdings was not fit to hold this kind of authority. (source)

Comodo

Ne00n / ip_in_range.php
Created April 6, 2017 18:58 — forked from tott/ip_in_range.php
php check if IP is in given network range
/**
* Check if a given ip is in a network
* @param string $ip IP to check in IPV4 format eg. 127.0.0.1
* @param string $range IP/CIDR netmask eg. 127.0.0.0/24, also 127.0.0.1 is accepted and /32 assumed
* @return boolean true if the ip is in this range / false if not.
*/
function ip_in_range( $ip, $range ) {
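// No CIDR suffix given: treat the range as a single host (/32).
// strpos() returns int 0 for a match at offset 0, so compare strictly against false.
if ( strpos( $range, '/' ) === false ) {
$range .= '/32';
}

#!/bin/bash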
#Original: http://www.hyenacloud.com/blog/?p=327
#Modified by Neoon
/sbin/iptables -D INPUT -m set --match-set blacklist src -j DROP
/sbin/ipset create blacklist hash:net hashsize 10000000 maxelem 200000
/sbin/iptables -I INPUT -m set --match-set blacklist src -j DROP
IP_TMP=/tmp/ip.tmp
IP_BLACKLIST=/root/ip-blacklist.conf
IP_BLACKLIST_TMP=/tmp/ip-blacklist.tmp

systemctl stop rpcbind.service
systemctl disable rpcbind.service
chmod -x /usr/bin/spiceproxy
#/etc/network/interfaces
#Proxmox block
post-up iptables -A INPUT -p tcp --dport 8006 -s 127.0.0.0/8 -j ACCEPT #allow localhost for reverse proxy
post-up ip6tables -A INPUT -p tcp --dport 8006 -s ::1/128 -j ACCEPT #allow localhost for reverse proxy
post-up iptables -A INPUT -p tcp --dport 8006 -j DROP #webinterface
post-up ip6tables -A INPUT -p tcp --dport 8006 -j DROP #webinterface
post-up iptables -A INPUT -p tcp --dport 3128 -j DROP #spiceproxy

#!/bin/bash
#apt
apt-get install curl
apt-get autoremove
apt-get autoclean
apt-get clean
#tmp
rm -rf /tmp/*
rm -rf /var/tmp/*
#logs
Ne00n / gist:b52e112afa5d587178920e0164691083
Created October 16, 2019 21:18
HAProxy SNI TLS + HTTP
frontend https
bind :443
mode tcp
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 5s
tcp-request content accept if tls
#Define hosts
acl host_nano.test.com_https req.ssl_sni -i nano.test.com
use_backend nano.test.com_https if host_nano.test.com_https

apt-get update
apt-get upgrade
apt-get dist-upgrade
sed -i 's/stretch/buster/g' /etc/apt/sources.list
sed -i 's/stretch/buster/g' /etc/apt/sources.list.d/pve-install-repo.list
apt-get update
apt-get upgrade
apt-get dist-upgrade
#Optional clean kernels
dpkg --list|grep pve-kernel

#kubernetes
sudo apt update
sudo apt -y install curl apt-transport-https
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" | sudo tee /etc/apt/sources.list.d/kubernetes.list
sudo apt update
sudo apt -y install vim git curl wget kubelet kubeadm kubectl
sudo apt-mark hold kubelet kubeadm kubectl
#sysctl
sudo modprobe overlay

apt-get install libio-socket-inet6-perl libhttp-daemon-perl libnet-dns-perl libio-socket-inet6-perl libev-dev liburcu-dev libsodium-dev libmaxminddb-dev
./configure --with-rundir=/var/run && make check && sudo make install
https://github.com/gdnsd/gdnsd/blob/master/init/gdnsd.service.tmpl

apt-get update
apt-get install nginx -y