Digital Nut

My pathetic & feeble excuse for a blogsite!

Preventing man-in-the-middle attacks by locking servers to Cloudflare

Script to update UFW with Cloudflare IPs

This script was kindly written by Leow Kah Man and I’ve added a few tweaks!

Setup

Assuming that you already have ufw installed (now a pre-installed package in most Linux distros), first ensure that ufw is not enabled;

    sudo ufw status verbose

If it’s not enabled, the response should be

    Status: inactive

but if not, let’s disable it;

    sudo ufw disable

Clear out any existing rules;

    sudo ufw reset

and set the default rules to deny incoming and allow outgoing connections;

    sudo ufw default deny incoming
    sudo ufw default allow outgoing

It’s important at this stage to prevent being accidentally locked out of your system by adding 2 rules, before going further.

Reconfiguring the TalkTalk DSL-3680 Router to work with a home network

After switching to TalkTalk, and installing their DSL-3680 Router, the first thing that I noticed was that I was unable to access my Raspberry Pi Apache web server, which serves various things including this personal blog, environmental data feeds and IP cameras. Even trying the private IP addresses I was directed to the router administration page. So after a few frustrating days and lots of reading I managed to get everything to play nice together, so I’ve written it up in case it helps others facing the same problems, but see the warning at the bottom first.

Enable https on a Raspberry Pi using the 'free' StartSSL certificates

SSL certificates can be quite expensive, but StartSSL offer class 1 certificates free, and on most browsers these do not flag up the ‘untrusted site’ warning. However, I found their website wizard quite difficult to follow, and this guide helped me sort it out.

NOTE: ensure that you download the sha256 intermediate certificate, and not the sha1 intermediate certificate as prompted in the StartCom toolbox (see this article).

Port forwarding

Ensure that port 443 is open in your router.

Configuration

Once you have your certificates, edit your SSL Virtual Host file;

    sudo nano /etc/apache2/sites-available/default-ssl

In the section <VirtualHost _default_:443> add ‘ServerName’ just under ‘ServerAdmin’.