archive-org.com: archived pages from ruderich.org

Total: 336


  • layouts but allow switching to other layouts with bindings. The master pane is at the top of the screen. To make sure new windows don't spawn in the master pane, avoidMaster (see below) is used. Borders are only drawn when the screen has more than one window (smartBorders). Thanks to jrick in #xmonad on Freenode (2009-06-29 22:19 CEST) for telling me how to remove the vertical tiled layout. JumpToLayout from LayoutCombinators is used to jump to specific layouts, thanks to aavogt in #xmonad on Freenode (2011-06-12 22:13 CEST). named is used to name layouts, which allows switching to a specific layout (see below), thanks to vav in #xmonad on Freenode (2011-06-12 22:28 CEST). The limit layout displays only one window in the lower pane, thanks to Qantourisc (2010-06-12 15:15 CEST) for the hint to use TwoPane. onWorkspace is used for a special layout for Gimp, thanks to Nathan Howell (http://nathanhowell.net/2009/03/08/xmonad-and-the-gimp) for this layout (read on 2011-06-19).

    myLayoutHook = onWorkspace "5" gimp $
                   named "Default"  (smartBorders (Mirror tiled))
               ||| named "Full"     (smartBorders Full)
               ||| named "Vertical" (smartBorders tiled)
               ||| named "Limit"    (smartBorders (Mirror (TwoPane delta ratio)))
      where
        -- Default tiling algorithm partitions the screen into two panes.
        tiled = Tall nmaster delta ratio
        -- The default number of windows in the master pane.
        nmaster = 1
        -- Percent of screen to increment by when resizing panes.
        delta = 3/100
        -- Default proportion of screen occupied by master pane.
        ratio = 1/2
        -- Special layout for Gimp: toolbox left, dock right, main window in the center.
        gimp = withIM (0.11) (Role "gimp-toolbox") $
               reflectHoriz $
               withIM (0.15) (Role "gimp-dock") $
               -- Layouts for the centered window.
               Mirror tiled ||| Full

    -- Don't spawn new windows in the master pane, which is at the top of the screen. Thanks to dschoepe, aavogt and especially vav in #xmonad on Freenode (2009-06-30 02:10 CEST).
    -- Also some applications are spawned on specific workspaces. Thanks to dschoepe and ivanm in #xmonad on Freenode (2009-07-12 14:50 CEST).
    myManageHook = composeOne
        -- Browser on 2.
        [ className =? "Iceweasel"          -?> doF (W.shift "2")
        -- Miscellaneous on 3.
        , className =? "Wireshark"          -?> doF (W.shift "3")
        , title     =? "OpenOffice.org"     -?> doF (W.shift "3") -- splash screen
        , className =? "OpenOffice.org 2.4" -?> doF (W.shift "3")
        , className =? "Vncviewer"          -?> doF (W.shift "3")
        -- Wine on 4.
        , className =? "Wine"               -?> doF (W.shift "4")
        -- Gimp on 5.
        , className =? "Gimp"               -?> doF (W.shift "5")
        -- Don't spawn new windows in the master pane.
        , return True -?> doF avoidMaster
        -- Prevent windows which get moved to other workspaces from removing the
        -- focus of the currently selected window. Thanks to vav in #xmonad on
        -- Freenode (2010-04-15 21:04 CEST).
        , return True -?> doF W.focusDown
        ]

    -- Switch to next layout but skip all layouts not in the layouts argument. This allows switching to some layouts with mappings but excluding them from meta+space, which gets mapped to this function. Thanks to aavogt in #xmonad on Freenode for this function (2011-06

    Original URL path: http://ruderich.org/simon/config/xmonad (2016-04-29)



  • # Don't respect the tabindex element as it causes link numbering (see above) to not work properly. As I use the link number, tabindex is not useful anyway.
    set document.browse.links.use_tabindex = 0
    # Open links with target="_blank" in the current tab. I want to decide where to open a link.
    set document.browse.links.target_blank = 0
    # Use basic regexes while searching.
    set document.browse.search.regex = 1
    # Ask if login passwords should be saved.
    set document.browse.forms.show_formhist = 1

    # DEFAULT DOCUMENT COLOR SETTINGS
    # Use the color settings of the loaded page, except background color and from CSS files. My custom CSS file (see below) overrides all settings so only my colors are used.
    set document.colors.use_document_colors = 1

    # CASCADING STYLE SHEET OPTIONS
    # Enable usage of CSS. Necessary to use my custom CSS settings.
    set document.css.enable = 1
    # Don't fetch any external CSS files.
    set document.css.import = 0
    # Use my custom CSS file.
    set document.css.stylesheet = "user.css"

    # FILE HANDLING AND DOWNLOAD OPTIONS
    # Don't ask when using handlers defined by mailcap. So images are opened without a dialog.
    set mime.mailcap.ask = 0
    # Save downloads into my home directory.
    set document.download.directory = "~"
    # Use timestamp stored on the server for downloaded files.
    set document.download.set_original_time = 1
    # Play an audio notification if a download is completed (if it was in the background).
    set document.download.notify_bell = 1

    # PLAIN TEXT PAGE OPTIONS
    # Display URIs as links in plain text documents so they can be accessed easily.
    set document.plain.display_links = 1

    # PROTOCOL SPECIFIC OPTIONS
    # My proxy settings.
    set protocol.http.proxy.host = "127.0.0.1:8118"
    set protocol.https.proxy.host = "127.0.0.1:8118"
    set protocol.ftp.proxy.host = "127.0.0.1:8118"
    # Don't use a proxy for local pages.
    set protocol.no_proxy = "127.0.0.1,localhost"
    # Send the requested page as referrer to prevent privacy problems.
    set protocol.http.referer.policy = 1
    # Don't send Accept-Language headers as this may reveal parts of my identity.
    set protocol.http.accept_ui_language = 0

    # URI REWRITE RULES
    # Remove default rewriting rules.
    include "elinks-rewrite-reset.conf"
    # Search engines: scroogle and metager2.
    set protocol.rewrite.smart.s = "https://ssl.scroogle.org/cgi-bin/nbbwssl.cgi?Gw=%s"
    set protocol.rewrite.smart.sm = "http://www.metager2.de/search.php?q=%s"
    # Search pages on web.archive.org.
    set protocol.rewrite.smart.a = "http://web.archive.org/web/%s"
    # Search English and German Wikipedia.
    set protocol.rewrite.smart.w = "https://secure.wikimedia.org/wikipedia/en/wiki/%s"
    set protocol.rewrite.smart.wd = "https://secure.wikimedia.org/wikipedia/de/wiki/%s"
    # SSL logins for Wikipedia.
    set protocol.rewrite.dumb.wl = "https://secure.wikimedia.org/wikipedia/en/w/index.php?title=Special:UserLogin"
    set protocol.rewrite.dumb.wdl = "https://secure.wikimedia.org/wikipedia/de/w/index.php?title=Spezial:Anmelden"
    # Search English/German translations with dict.leo.org.
    set protocol.rewrite.smart.d = "http

    Original URL path: http://ruderich.org/simon/config/elinks (2016-04-29)


  • # Don't use SHA1 and disable elliptic curves whose security regarding the parameters is still in debate.
    KexAlgorithms diffie-hellman-group-exchange-sha256
    # Use stronger cipher versions. Disable CBC ciphers to prevent an unlikely plaintext recovery attack [1], disable RC4 because it's broken [2]; this leaves only AES. No GCM ciphers yet because they are still very new.
    # [1]: http://www.openssh.com/txt/cbc.adv
    # [2]: http://www.schneier.com/blog/archives/2013/03/new_rc4_attack.html
    Ciphers aes256-ctr
    # Don't use weak MACs like MD5 or SHA1. However, strong MACs are not as important as strong ciphers because an attacker must be able to break a MAC in real time to modify the data in transit. Prefer -etm algorithms, which use encrypt-then-MAC, which is more secure than the default encrypt-and-MAC in SSH [1] (available since 6.2).
    # [1]: http://cseweb.ucsd.edu/~mihir/papers/oem.html
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
    # Disable DSA host keys because they are weak (only 1024 bit) and elliptic curves. I don't need certificates, therefore disable those algorithms as well (-cert).
    HostKeyAlgorithms ssh-rsa
    # Disable X11 and agent forwarding for security reasons (defaults).
    ForwardX11 no
    ForwardAgent no
    # Don't trust remote X11 clients. If enabled, allows bad admins complete access to local X11.
    ForwardX11Trusted no
    # Disable authentication methods I don't use.
    ChallengeResponseAuthentication no
    GSSAPIAuthentication no
    HostbasedAuthentication no
    KbdInteractiveAuthentication no
    # Only enable those I need.
    PasswordAuthentication yes
    PubkeyAuthentication yes
    # Use only authentication identity files configured in ssh_config, even if ssh-agent offers more identities.
    IdentitiesOnly yes
    # Bind local forwardings to loopback only. This way no remote hosts can access them (default).
    GatewayPorts no
    # Abort if not all requested port forwardings can be set up.
    ExitOnForwardFailure yes
    # Allow using -M (ControlMaster) to

    Original URL path: http://ruderich.org/simon/config/ssh_config (2016-04-29)


  • # PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this file. If not, see <http://www.gnu.org/licenses/>.

    # Listen on this port/address.
    Port 22
    # Only use protocol 2. Protocol 1 is insecure (default).
    Protocol 2
    # Stronger algorithms. See ssh_config for details.
    KexAlgorithms diffie-hellman-group-exchange-sha256
    Ciphers aes256-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512
    # Only use specific host keys.
    HostKey /etc/ssh/ssh_host_rsa_key
    # Use privilege separation for increased security; sandbox applies additional restrictions on the unprivileged process.
    UsePrivilegeSeparation sandbox
    # Don't use PAM because it may circumvent other authentication methods used below (default).
    UsePAM no
    # Disable authentication methods I don't use.
    ChallengeResponseAuthentication no
    GSSAPIAuthentication no
    HostbasedAuthentication no
    KerberosAuthentication no
    PasswordAuthentication no
    # Only enable those I need.
    PubkeyAuthentication yes
    # Don't allow empty passwords (default).
    PermitEmptyPasswords no
    PermitRootLogin without-password
    # Be strict when checking user file permissions (default).
    StrictModes yes
    # Allow more sessions per network connection, e.g. from ControlMaster (-M). When not enough sessions are available this message is sent by ssh:
    #   mux_client_request_session: session request failed: Session open refused by peer
    MaxSessions 30
    # Don

    Original URL path: http://ruderich.org/simon/config/sshd_config (2016-04-29)


  • # version. This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this file. If not, see <http://www.gnu.org/licenses/>.

    # DISPLAY
    # Don't display the copyright notice.
    no-greeting
    # Use long keyids because the short ones have collisions.
    keyid-format 0xlong

    # KEY GENERATION
    # Use stronger preferences. These are not enforced but tried in the given order, and the first supported by all recipients is used.
    # Ciphers for encryption.
    personal-cipher-preferences AES256 AES192 AES CAST5
    # Don't use insecure hashes like SHA1 or MD5 and prefer stronger hashes.
    personal-digest-preferences SHA512 SHA384 SHA256 SHA224
    # Prefer better compression methods.
    personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
    # Default preferences when generating a new key. Use the three settings above combined to create stronger keys.
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
    # Don't use SHA1 when signing keys (this includes self-certificates). This setting is separate from the settings above and needs to be explicitly

    Original URL path: http://ruderich.org/simon/config/gpg.conf (2016-04-29)


  • # See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this file. If not, see <http://www.gnu.org/licenses/>.

    # SETTINGS
    # Display all files (including hidden ones) with ls.
    set ftp:list-options -a
    # Enable colors in interactive mode. Used by e.g. directory listings, which use LS_COLORS.
    set color:use-color auto
    # Use a colorized prompt: hostname in bold green, current directory in bold blue.
    set cmd:prompt "lftp \e[01;32m\h\e[00m \e[01;34m\w\e[00m"
    # Store passwords in the bookmarks file.
    set bmk:save-passwords yes
    # Don't store current directory of each server in ~/.lftp/cwd_history.
    set cmd:save-cwd-history no
    # Don't store transfer logs in ~/.lftp/transfer_log.
    set xfer:log no
    # No retries after a failed connection; prevents long delays, e.g. for automated jobs.
    set net:max-retries 1
    # If SSL is used make sure the data connection is encrypted as well. This should be the default behavior.
    set ftp:ssl-protect-data yes
    set ftp:ssl-protect-fxp yes
    # Same for control connections (default).
    set ftp:ssl-protect-list yes
    # Make sure SSL is not dropped

    Original URL path: http://ruderich.org/simon/config/lftprc (2016-04-29)

  • Notes
    5 second time frame. The knock packets are rejected (tcp-reset) here so they don't clutter the logs.

    -A knock -m recent --rcheck --rsource --name knock_3rd --seconds 5 -j knock_accept
    -A knock -m recent --rcheck --rsource --name knock_2nd --seconds 5 -j knock_3rd
    -A knock -m recent --rcheck --rsource --name knock_1st --seconds 5 -j knock_2nd
    # First port knocking port.
    -A knock -p tcp --dport 5000 -m recent --set --rsource --name knock_1st -j REJECT --reject-with tcp-reset
    # Second port knocking port.
    -A knock_2nd -m recent --remove --rsource --name knock_1st
    -A knock_2nd -p tcp --dport 6000 -m recent --set --rsource --name knock_2nd -j REJECT --reject-with tcp-reset
    # Third port knocking port.
    -A knock_3rd -m recent --remove --rsource --name knock_2nd
    -A knock_3rd -p tcp --dport 7000 -m recent --set --rsource --name knock_3rd -j REJECT --reject-with tcp-reset
    # Port knocking successful. Add allowed ports to this chain.
    -A knock_accept -m recent --remove --rsource --name knock_3rd
    # For example allow SSH.
    -A knock_accept -p tcp --dport 22 -j ACCEPT

    # The usual rules.
    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -i lo -j ACCEPT
    # Support port knocking. Ports used for port knocking cannot be used for other services with the current setup.
    -A INPUT -p tcp -j knock
    # Reject the rest. This prevents access to e.g. SSH unless port knocking is used.
    -A INPUT -j REJECT
    COMMIT

    Jabber: Retrieve TLS certificate of a Jabber server using gnutls-cli (2013-08-06)

    gnutls-cli -p 5222 --starttls --print-cert jabber.org
    <?xml version='1.0'?><stream:stream to='jabber.org' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
    <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

    Send SIGALRM to gnutls-cli to initiate the TLS connection.

    GNU/Linux: Mount disk image with multiple partitions (2014-09-04)

    Tell the loop kernel module to automatically create partition device files:

    rmmod loop
    modprobe loop max_part=63

    Then mount the disk image as usual:

    losetup -f /path/to/disk/image

    Thanks to Chris' comment on http://www.docunext.com/blog/2007/07/losetup-working-with-raw-disk-images.html for this great idea.

    Mutt: Purge old messages but keep important threads intact (2014-09-04)

    Remove threads older than 3 months from a mailing list. Threads which contain messages from me (~P) or are flagged as important (~F) are not purged; the pattern combines these with a ~r date range of 3m. Use with the D mapping in mutt (delete messages matching a pattern).

    OpenVPN: Primitive certificate pinning (2014-12-31)

    There seems to be no direct way to enable certificate pinning in OpenVPN (if you know one, please tell me). Only the CA can be verified, by using the following configuration options:

    ca /path/to/certs.crt
    tls-remote "/C=<C>/ST=<ST>/L=<L>/OU=<OU>/CN=<hostname>"

    /path/to/certs.crt should contain a valid certificate chain as PEM file; tls-remote should

    Original URL path: http://ruderich.org/simon/notes/ (2016-04-29)

  • ruderich.org/simon Gitweb - tlsproxy/tlsproxy.git/blob - README
    proxy doesn't perform any validation, thus it's important that you make sure the server certificate is the correct one.

    Then run tlsproxy-add hostname path/to/certificate in the same directory as above. This creates the following files:

    certificate-example.org-proxy.pem: certificate used by the proxy for the connection to the client
    certificate-example.org-server.pem: original server certificate, used to check if the current server certificate changed

    If the validation is successful the proxy uses the certificate-*-proxy.pem certificate to secure the connection to the client (signed by proxy-ca.pem).

    If an error occurs in the validation (missing certificate-*.pem files, fingerprint changed, etc.) it's logged by the proxy (stderr) and the special proxy-invalid.pem certificate is used to send a 500 error message to the client. The connection to the server is closed so there's no chance that any client data is sent to the possible evil server. The invalid certificate is also easy to spot in the browser because it uses an invalid hostname (invalid) and is self-signed.

    If an internal error occurs before the TLS connection can be established a 503 Forwarding failure is sent to the client unencrypted.

    -u option

    The -u option passes through connections for hostnames with no stored certificate (i.e. certificate-*-server.pem is missing or unreadable). In this case the normal CA chain in your browser lets you validate the server certificate. If the server certificate changes, you're not informed.

    This option is useful if you often visit websites using HTTPS but you don't use critical information (e.g. no passwords, etc.) on these websites.

    For hostnames with a stored server certificate everything works as usual and a certificate change is detected.

    WARNING: The option might cause security problems if you're not careful.

    For example, you normally visit https://example.org and store the server certificate in certificate-example.org-server.pem. Without -u everything is fine.

    But if you use -u and an attacker redirects you to e.g. https://www.example.org (leading www) or https://whatever.org (for example through a link on a different site), then the proxy just forwards the TLS connection because it doesn't know the fingerprint for https://www.example.org (that's how -u works) and you won't be aware that a different server certificate might be used.

    If you always verify the authentication of the connection this isn't a problem, but if you only check if it's a HTTPS connection then this attack is possible.

    Another issue is embedded active content like JavaScript. If the website

    Original URL path: http://ruderich.org/simon/gitweb/?p=tlsproxy/tlsproxy.git;a=blob;f=README;hb=HEAD (2016-04-29)


