Aria2 disable P2P BitTorrent? - aria2

Is it possible to disable P2P BitTorrent in aria2c?
If it's not possible in aria2, how could I block P2P with iptables?

According to the docs, you can start aria2c with the --enable-peer-exchange set to false and that's that.
--enable-peer-exchange [true|false]
Enable Peer Exchange extension. If a private flag is set in a torrent, this feature is disabled for that download even if true is given. Default: true
However, if you want an aria2 version that does not support BitTorrent or Metalink, you can build it yourself and just provide --disable-bittorrent and --disable-metalink to the configure script.
You can find building instructions in its README.

Related

how to enable local bridge/httpget/task api connection to chainlink node?

I have a custom API running on http://127.0.0.1:8080 and I have my own chainlink node running on http://127.0.0.1:6688. I get the error saying "Connections to local/private and multicast networks are disabled by default for security reasons: disallowed IP" when sending requests.
I guess maybe we can enable it by modifying the env file, but I don't know which configuration I should change. Does anyone know if we can enable these local/private connections, and how to do that?
Per the chainlink docs on the http task:
allowUnrestrictedNetworkAccess (optional): permits the task to access a URL at localhost, which could present a security risk. Note that Bridge tasks allow this by default.
ie:
my_http_task [type="http"
method=PUT
url="http://chain.link"
requestData="{\\"foo\\": $(foo), \\"bar\\": $(bar), \\"jobID\\": 123}"
allowUnrestrictedNetworkAccess=true
]
You can also use this flag in JSON
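The "disallowed IP" error in the question is the node's default refusal to fetch from loopback, private, link-local or multicast addresses; allowUnrestrictedNetworkAccess opts one task out of that rule. The Python below is an added illustration of that policy, not Chainlink's own code: it applies the same rule to a job spec, honours the flag and the bridge-task default that the docs mention, and also checks every address a hostname resolves to. The spec dicts, the check_target helper and the "1.2.3.4" resolved address are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed job specs (illustration only, not Chainlink's own data structures).
DEFAULT_HTTP_SPEC = {"type": "http", "method": "GET",
                     "url": "http://127.0.0.1:8080/price"}
OPTED_IN_HTTP_SPEC = dict(DEFAULT_HTTP_SPEC, allowUnrestrictedNetworkAccess=True)
BRIDGE_SPEC = {"type": "bridge", "name": "local-adapter",
               "url": "http://127.0.0.1:8080/price"}


def is_restricted_ip(text):
    """True for addresses the default policy refuses: loopback, private
    (RFC 1918 / ULA), link-local, multicast and the unspecified address."""
    ip = ipaddress.ip_address(text)
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified)


def check_target(spec, resolved_addrs=None):
    """Decide whether a task may fetch its URL; returns (allowed, reason).

    For a hostname rather than an IP literal the caller supplies the
    addresses DNS returned (resolved_addrs); every one of them must pass,
    which also catches DNS answers that point back inside the host.
    """
    host = urlsplit(spec["url"]).hostname
    if host is None:
        return False, "URL has no host"
    # Per the docs: the flag opts a task in, and bridge tasks allow it by default.
    unrestricted = spec.get("allowUnrestrictedNetworkAccess",
                            spec.get("type") == "bridge")
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        if not resolved_addrs:
            return False, f"{host} must be resolved before the check"
        candidates = list(resolved_addrs)
    for addr in candidates:
        if is_restricted_ip(addr):
            if unrestricted:
                return True, f"{addr} is restricted but the task opted in"
            return False, f"disallowed IP {addr}"
    return True, "all addresses are public"


if __name__ == "__main__":
    for spec in (DEFAULT_HTTP_SPEC, OPTED_IN_HTTP_SPEC, BRIDGE_SPEC):
        print(spec.get("type"), check_target(spec))
```

Running it shows the first spec refused with "disallowed IP 127.0.0.1", which is the situation in the question, and the other two allowed. Setting the flag is a per-task decision, so a node operator can grep job specs for it to see exactly which tasks may reach internal services.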

How do I implement per-app routing behavior on windows?

I am running a VPN in windows 10 desktop (using OpenVPN) and the VPN is the default gateway, so that all traffic by default goes through the VPN tunnel.
However, I would like to exempt certain apps from the VPN, so that their traffic goes directly out the physical interface instead, bypassing the VPN (so-called "split tunnelling").
I assume this solution would involve the WFP (Windows Filtering Platform) API, and perhaps the Windows equivalent of
setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, device, sizeof(device))
I have this working in Linux currently via "cgroups" and policy-based routing/multiple routing tables.
But it is my understanding that Windows has neither policy-based routing nor multiple routing tables. I can still think of a way of achieving this in Windows, but I cannot find the APIs to make it happen.
One way is to hook the socket creation of a specific app and then use the Windows equivalent of the SO_BINDTODEVICE socket option (setsockopt()) to force the socket to be bound to the physical interface rather than the TAP driver.
But, again, I cannot find the relevant APIs to make the above happen.
So I have a few questions:
(1) Is what I want to do possible within the given APIs of WFP (Windows Filtering Platform) or Windows APIs in general? If so, which APIs do you advise I look at?
(2) Or, must I write a "WFP call-out driver"? If so, would you be able to point me towards some resources for this, and possibly a good starting point for my particular problem? :)
(3) Is there anything else I might be missing? A simpler approach to achieve what I want? I know that it is possible in Windows, as I have seen the feature in some VPNs, but I would like to replicate it in my own personal VPN :)
Yes, you can force an app to use your VPN connection by copying and editing your (Windows) VPN connection.
Open the run prompt with: WIN+R
Type: ncpa.cpl
Copy your "old VPN" to APP_VPN (for example)
Open a normal user PowerShell
Change the new VPN connection with:
Add-VpnConnectionTriggerApplication -Name "APP_VPN" -ApplicationID "C:\path-to-your\game.exe" -Force
# Enable (Application) split-tunneling
Set-VpnConnection -Name "APP_VPN" -SplitTunneling $True
You can also check the VPN settings details in the phonebook in:
C:\Users\<User>\AppData\Roaming\Microsoft\Network\Connections\Pbk
Done!

Consul TLS CRL checking

We're implementing consul with TLS security enabled, but it doesn't look like the consul agent performs any revocation lookup on the incoming (or local) certificates. Is this expected behavior? We'd like to be able to lock rogue/expired agents out.
Does anything reliably implement CRL/OCSP checking? As far as I know the answer is basically no.
From what I understand, the current best practice is just to have very short-lived certs, and change them all the time. letsencrypt is good for external services, but for internal services (which you likely use consul for), Vault (done by the same guys that do consul) has a PKI backend that does exactly this. It publishes a CRL if you have any tools that bother, but as far as I can tell, basically nothing does, because it's sort of broken (denial of service, huge CRL lists, slower, etc.). More info on Vault here: https://www.vaultproject.io/docs/secrets/pki/index.html
Also, there are other internal CA tools, and for larger infrastructure you could even use the letsencrypt code (it is open source).
By default, Consul does not verify incoming certificates. You can enable this behavior by setting verify_incoming in your configuration:
{
"verify_incoming": true,
"verify_incoming_rpc": true,
"verify_incoming_https": true
}
You can also tell Consul to verify outgoing connections via TLS:
{
"verify_outgoing": true,
}
In these situations, it may be necessary to set the ca_file and ca_path arguments as well.
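As an added illustration, not Consul's own code and not part of either answer, the Python below reads an agent configuration like the snippets above and reports the settings that leave connections unauthenticated: a weak config next to a hardened one. The embedded configs and their file paths are constructed placeholders. Since, as the first answer notes, nothing consults the CRL, the verify_* flags plus a trust anchor and short certificate lifetimes are what actually keeps an unknown agent out.

```python
import json

# Constructed example configs (placeholder paths, not from any real deployment).
WEAK_CONFIG = """{
  "ca_file": "/etc/consul.d/ca.pem",
  "verify_incoming": false
}"""

HARDENED_CONFIG = """{
  "ca_file": "/etc/consul.d/ca.pem",
  "cert_file": "/etc/consul.d/agent.pem",
  "key_file": "/etc/consul.d/agent-key.pem",
  "verify_incoming": true,
  "verify_outgoing": true
}"""


def audit_tls(config_text):
    """Return a list of findings for a Consul agent config given as JSON text.

    An empty list means incoming and outgoing connections are both verified
    against a CA and the agent has a certificate of its own to present.
    """
    cfg = json.loads(config_text)
    findings = []
    # verify_incoming covers both listeners; the two narrower flags can be
    # used instead, but both must be true to get the same effect.
    incoming = bool(cfg.get("verify_incoming")) or (
        bool(cfg.get("verify_incoming_rpc"))
        and bool(cfg.get("verify_incoming_https")))
    outgoing = bool(cfg.get("verify_outgoing"))
    if not incoming:
        findings.append("verify_incoming is off: the agent accepts RPC/HTTPS "
                        "clients without a client certificate")
    if not outgoing:
        findings.append("verify_outgoing is off: the agent does not "
                        "authenticate the servers it connects to")
    if (incoming or outgoing) and not (cfg.get("ca_file") or cfg.get("ca_path")):
        findings.append("verification is on but neither ca_file nor ca_path "
                        "is set, so there is no trust anchor")
    if incoming and not (cfg.get("cert_file") and cfg.get("key_file")):
        findings.append("verify_incoming needs cert_file and key_file so the "
                        "agent can present its own certificate")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tls(text) or ["no findings"])
```

The weak config yields two findings (incoming and outgoing verification both off); the hardened one yields none. Point the script at each agent's config directory during rollout and treat any finding as a blocker, since a single agent with verification off is the rogue-agent entry point the question is worried about.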

What open ports are required on firewall to allow for salt-stack remote execution?

The documentation on saltstack appears to be unclear regarding what ports are required from the salt-master -> salt-minion (apparently none are required).
It suggests that ports only need to be opened from the salt-minion -> salt-master.
(See: http://docs.saltstack.com/en/latest/topics/tutorials/firewall.html)
If however commands are executed remotely on the salt-master targeted to a minion, surely the master needs to be able to push this into the minion and therefore require a network opening to allow for this.
Therefore my question is if the saltstack ports (4505 & 4506) need to be opened in both directions, or whether the remote commands are triggered over another protocol?
[A bit of background: My team want salt-stack setup to manage a server landscape in quite a restrictive network where each individual network route needs to be requested in the security concept. This is not controlled by our company and I need to explicitly request all required routes and in each direction.]
Salt uses a zeromq pub/sub interface to communicate with the minions. Indeed, you only need to open ports 4505 and 4506 on the master's firewall.
The minions listen on one port on the master, which is the "pub" port, and then return results to the master on the other port.
The master never actually "pushes" commands to the minions. The minions listen for commands published on the pub port, which is why you don't need to open any incoming ports on your minions.
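Since the minions initiate every connection, the only flows to request are minion -> master on TCP 4505 (publish) and 4506 (return). The Python below is an added example, not part of Salt or of the answer: it writes out that flow list in the form a route request needs, emits matching iptables rules for both hosts, and gives a minion-side connectivity check to confirm the routes once they are granted. The master and minion addresses are constructed placeholders.

```python
import socket

SALT_PUBLISH_PORT = 4505   # minions subscribe here (zeromq PUB socket on the master)
SALT_RETURN_PORT = 4506    # minions send auth requests and job results here
SALT_PORTS = (SALT_PUBLISH_PORT, SALT_RETURN_PORT)

# Constructed placeholder addresses for the example.
MASTER_IP = "192.0.2.10"
MINION_NETS = ["198.51.100.0/24", "203.0.113.0/24"]


def required_flows(master_ip, minion_sources):
    """Flows for the route request: every one of them is minion -> master."""
    return [(src, master_ip, "tcp", port)
            for src in minion_sources for port in SALT_PORTS]


def master_input_rules(minion_sources):
    """iptables rules for the master: accept new connections from minion
    ranges on the two ports; replies ride on the connection-tracking rule."""
    rules = ["-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for src in minion_sources:
        for port in SALT_PORTS:
            rules.append(f"-A INPUT -p tcp -s {src} --dport {port} "
                         f"-m conntrack --ctstate NEW -j ACCEPT")
    return rules


def minion_output_rules(master_ip):
    """iptables rules for a minion whose OUTPUT chain is default-deny. No
    INPUT rule is needed: the master never opens a connection to a minion."""
    return [f"-A OUTPUT -p tcp -d {master_ip} --dport {port} -j ACCEPT"
            for port in SALT_PORTS]


def check_master_reachable(master_ip, timeout=3.0):
    """Run from a minion once the routes are in: TCP-connect to each port and
    return {port: reachable}. Both must be True for the minion to work."""
    result = {}
    for port in SALT_PORTS:
        try:
            with socket.create_connection((master_ip, port), timeout=timeout):
                result[port] = True
        except OSError:
            result[port] = False
    return result


if __name__ == "__main__":
    for flow in required_flows(MASTER_IP, MINION_NETS):
        print("request:", flow)
    print("\n".join(master_input_rules(MINION_NETS)))
    print("\n".join(minion_output_rules(MASTER_IP)))
```

The generated request table is the artefact to hand to whoever approves routes: two rows per minion range, all in one direction. If a minion hangs at start-up, check_master_reachable distinguishes a blocked 4505 (no jobs ever arrive) from a blocked 4506 (the minion cannot even authenticate).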

How to reach used cipher key of current SSL connection under Firefox?

I have one quick question. Is there any addon for Firefox, or any tool, to get the session key generated from the master secret during the SSL handshake, with which the whole client/server communication is symmetrically encrypted? I need it to decode the communication (POST/GET/etc.) via Wireshark or the PCAP library. As I can see, Firebug shows the decrypted communication, so I hope there is some proper way to reach this session key :)
Thank you all for your help.
I have good news for you. You can actually get the Master-Key data that you need from both Firefox and Chrome. And you can use the output file in Wireshark to decrypt the SSL/TLS traffic without the need for the private key from the SSL/TLS server. Check out "Method 2" here: http://www.root9.net/2012/11/ssl-decryption-with-wireshark-private.html
As a tip, if you don't want to reboot your machine just open a command prompt and run:
set SSLKEYLOGFILE=c:\sslKeyLogFile.txt
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
Since Firefox is being launched from the same session that you added the environment variable in, it will launch with that variable set. Otherwise a restart of Windows will be required after setting it in the System settings dialogs.
I also want to point out that the answer from Chris wasn't necessarily wrong, this is a fairly new feature. It didn't make it into release until Wireshark 1.6.
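The file Firefox writes under SSLKEYLOGFILE is the NSS key log: one record per line, made of a label, an identifier (the client random, or for the legacy RSA label the first 8 bytes of the encrypted pre-master secret) and the secret itself, all in hex. The Python below is an added example and not part of the answer, of NSS or of Wireshark: it parses and validates such a file and groups the records by handshake, which is a quick way to see why Wireshark leaves a session undecrypted (a truncated line, a label it does not know, or a TLS 1.3 connection with only some of its secrets logged). The sample records are constructed from repeated bytes, not real session keys.

```python
import re

# Label -> (hex length of the identifier, allowed hex lengths of the secret).
# CLIENT_RANDOM carries the 48-byte TLS 1.2 master secret; the TLS 1.3 labels
# carry a secret as long as the cipher suite's hash (32 or 48 bytes); the
# legacy RSA label keys on 8 bytes of the encrypted pre-master secret.
KEYLOG_LABELS = {
    "RSA": (16, {96}),
    "CLIENT_RANDOM": (64, {96}),
    "CLIENT_EARLY_TRAFFIC_SECRET": (64, {64, 96}),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (64, {64, 96}),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (64, {64, 96}),
    "CLIENT_TRAFFIC_SECRET_0": (64, {64, 96}),
    "SERVER_TRAFFIC_SECRET_0": (64, {64, 96}),
    "EXPORTER_SECRET": (64, {64, 96}),
}

# Constructed sample log: one TLS 1.2 session, one TLS 1.3 session, two bad lines.
CR_TLS12 = "0a" * 32
MASTER_SECRET = "1b" * 48
CR_TLS13 = "3d" * 32
TLS13_SECRET = "2c" * 32
SAMPLE_KEYLOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {CR_TLS12} {MASTER_SECRET}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {TLS13_SECRET}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_TLS13} {TLS13_SECRET}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_TLS13} {TLS13_SECRET}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_TLS13} {TLS13_SECRET}",
    "CLIENT_RANDOM deadbeef 1234",   # truncated record
    "BOGUS_LABEL 00 11",             # label no decoder knows
])


def _is_hex(s, n):
    return len(s) == n and re.fullmatch(r"[0-9a-fA-F]+", s) is not None


def parse_keylog(text):
    """Return (entries, errors). Each entry is a dict with label, id and
    secret as bytes; each error is (line number, message)."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 space-separated fields"))
            continue
        label, ident, secret = parts
        if label not in KEYLOG_LABELS:
            errors.append((lineno, f"unknown label {label}"))
            continue
        ident_len, secret_lens = KEYLOG_LABELS[label]
        if not _is_hex(ident, ident_len):
            errors.append((lineno, f"{label}: identifier must be {ident_len} hex digits"))
            continue
        if not any(_is_hex(secret, n) for n in secret_lens):
            errors.append((lineno, f"{label}: secret has unexpected length {len(secret)}"))
            continue
        entries.append({"label": label, "id": bytes.fromhex(ident),
                        "secret": bytes.fromhex(secret)})
    return entries, errors


def sessions(entries):
    """Group records by identifier (client random) -> {label: secret}, so a
    TLS 1.3 handshake missing one of its traffic secrets stands out."""
    by_id = {}
    for e in entries:
        by_id.setdefault(e["id"], {})[e["label"]] = e["secret"]
    return by_id


if __name__ == "__main__":
    good, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(good)} usable records, {len(bad)} rejected: {bad}")
    for cr, labels in sessions(good).items():
        print(cr.hex()[:16], sorted(labels))
```

On the sample this reports five usable records and two rejected lines, with the TLS 1.2 session identified by a single CLIENT_RANDOM record and the TLS 1.3 session by its four handshake and traffic secrets. Treat the file like the private key it effectively replaces: it decrypts every session the browser logged, so delete it when the capture is done.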
If you want to use Wireshark then the pre master secret will be of no use for you (you refer to it as 'cipher key' in your question).
Wireshark can only decrypt traffic if you specify the RSA private key of the server, which doesn't change on every connection unlike the pre master secret. However, you can't get that through your browser or anything else for obvious reasons.
If you want to decrypt SSL traffic I suggest using an intermediate proxy instead, like Fiddler. It does not passively capture traffic but proxies the traffic, which enables it to actually decrypt the data sent and received.
