Using the Linux kernel's USB authorization support to lockdown USB

USB is not secure. The way a USB device looks, doesn't necessarily indicate its real functionality. A device which looks like a USB flash drive could act as a keyboard once it is plugged into a machine and inject arbitrary key strokes (thus possibly allowing arbitrary malicious stuff). With BadUSB or devices like the USB rubber ducky such attacks are even more easy to achieve and available to the masses.

This post is about how you can use the Linux kernel's USB authorization support to lockdown USB and check a USB device before you allow the kernel to load the driver.

Read more...

NGINX: Why limiting request methods is not necessary

If you want to harden nginx you might come across this piece of configuration:

if ($request_method !~ ^(GET|HEAD|POST)$ )
{
  return 405;
}

The idea behind this is that nginx checks for any incoming request, if the request method is either GET, HEAD or POST. If the request method is different, nginx will return HTTP status code 405 ("Method is not allowed"). There are other examples which return nginx' non-standard return code 444 ("Connection closed without response") instead. Here is why I think you can omit that piece of configuration and save some CPU cycles...

Read more...