stupid docker tricks #239192

 cats, hack, security, virtual  Comments Off on stupid docker tricks #239192
Feb 022016
stupid docker tricks #239192

1) Limit max processes on container; unfortunately docker seems intent on me not doing docker stupid tricks, so this is actually a bit of a pain on some systems… but if you figure out/etc/security/limits.conf, or can use prlimit (or write your own; use RLIMIT_NPROC instead of RLIMIT_NOFILE), you can do “prlimit –pid 666 –nproc=3:3” to limit the processes on the system to a very small number. Say… only what you’re running inside […]

d3ck, d3ck, goose

 code, crypto, hack, philosophy, security  Comments Off on d3ck, d3ck, goose
May 132015
d3ck, d3ck, goose

A bit over 2 years ago I started on a journey that has become a bit surreal; I had what seemed like a modest goal, simply create something that would facilitate confidential (e.g. encrypted) sharing of information in an easy way. Then snowden came along, and things started become even more… interesting, in the Chinese way. Tragedy, comedy, farce, delays and complications beyond belief followed. But the basic problem […]

From A on B to C on D

 code, hack, security, tech  Comments Off on From A on B to C on D
Apr 272014

I find iptables to be a bit of a beast… so for posterity (or my own sanity, in case I lost this, I might recover from search engine caches!) this simply forwards a port (A) of a certain protocol from one host (B) to a second port (C) on a 2nd IP (D). Linux only, unless your OS happens to support iptables… no error checking, although it will echo […]

shotgun scanning

 art, hack, ipmi, perl, philosophy  Comments Off on shotgun scanning
Jun 242013
shotgun scanning

UDP scanning has always been slow. Slower than slow, slower than molasses, really fucking slow. So when I started being interested in scanning for IPMI out in the wild, which runs on UDP 623, I first fired up trusty ol’ nmap… but bless it’s heart, it’s a cautious, robust scanner that is outrun by crippled snails on UDP scanning. So I thought… well, most scans don’t really need a request-response-follow-up… […]

one packet auditing

 hack, ipmi, python, security  Comments Off on one packet auditing
Jan 262013

Not all packets are equal. If you send a single UDP packet to port 623 that contains an “Get Channel Authentication Capabilities” (see secion 22.13 of the IPMI v2 spec), you’ll get back a packet that has some interesting features. You can get this by parsing the output of “ipmitool -v -v -H -U user -P password lan print”, but more systems have python than ipmitool, so I […]