A common and reliable pattern in service unit files is thus:
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
DevicePolicy=closed
ProtectSystem=strict
ageis
/ systemd_service_hardening.md
Last active
May 14, 2025 22:12
Options for hardening systemd service units
ageis
/ YubiKey-GPG-SSH-guide.md
Last active
April 10, 2025 08:49
Technical guide for using YubiKey series 4 for GPG and SSH
Written for fairly adept technical users, preferably of Debian GNU/Linux, not for absolute beginners.
|
You'll probably be working with a single smartcard, so you'll want only one primary key ( |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [compressor] # Dynamic range compressor | |
| # RMS/peak (float) | |
| compressor-rms-peak=0.100000 | |
| # Attack time (float) | |
| compressor-attack=50.000000 | |
| # Release time (float) | |
| compressor-release=250.000000 | |
| # Threshold level (float) | |
| compressor-threshold=-20.000000 | |
| # Ratio (float) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| [user] | |
| email = kevingallagher@gmail.com | |
| name = Kevin M. Gallagher | |
| signingkey = 0x3B324F4FF73BECF8 | |
| [core] | |
| editor = vim | |
| excludesfile = /etc/gitignore | |
| autocrlf = true | |
| compression = 9 | |
| fscache = true |
ageis
/ Generating stronger DH parameters for nginx
Last active
January 28, 2025 02:45
— forked from plentz/nginx.conf
Generating stronger DH parameters for nginx's SSL
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # run in the terminal, then set as ssl_dhparam in nginx.conf | |
| openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096 |
ageis
/ get-figlet-fonts.sh
Last active
January 23, 2025 01:58
Grab all Figlet fonts in existence (WIP)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Installs as many fonts for Figlet/Toilet as possible from multiple sources. | |
| # Author: Kevin M. Gallagher (@ageis) | |
| #set -u | |
| #set -x | |
| export FIGLET_FONT_DIR=$(figlet -I2) | |
| export TMP_FONT_DIR="$(pwd)/fonts" | |
| export TMP_DEST_DIR="$(pwd)/tmp" | |
| export FONT_REGEX=".*\.\(flf\|tlf\|flc\)$" |
⚠️ Content below I now consider obsolete. My latest guide is now located here: Technical guide for using YubiKey series 4 for GPG and SSH. Please consult that resource instead.
ageis
/ testdns.sh
Last active
October 30, 2024 10:38
Bash script that measures ICMP and DNS latency to many popular public nameservers.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Measures ICMP and DNS latency to many popular public DNS servers. | |
| # Works concurrently or in parallel. | |
| # Author: Kevin M. Gallagher (@ageis) | |
| #set -x | |
| #set -e | |
| #set -o nounset | |
| #set -v | |
| export ERRFILE="./testdns_errs.txt" |
ageis
/ certbot_exporter.md
Last active
October 24, 2024 17:41
certbot Prometheus exporter (Let's Encrypt metrics)
This is a script written in Python intended to run alongside a certbot instance and export statistics for monitoring purposes. It assumes the existence of certbot in the PATH plus read access to /etc/letsencrypt.
It tracks stuff like: number of certs, number of SANs, expiry time, seconds until expiry, and the status of the certificate per ACME.
Prometheus is a monitoring system and time-series database.
ageis
/ grsec-debian-digitalocean.md
Last active
September 24, 2024 14:39
It's possible to run a custom (instead of hypervisor-managed) kernel for use with Debian 8.x on a DigitalOcean droplet.
We'll build one with grsecurity, "an extensive security enhancement to the Linux kernel that defends against a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening".
Note: The stable patches for Linux 3.14.x and 3.2.x are not publicly available anymore, so we'll be applying the free 4.3.x (test) patch. The URLs and filenames in this document may become outdated, so fetch the latest from grsecurity.net and kernel.org.
Install dependencies:
NewerOlder