I was recently tasked with auditing the AMIs we are currently using for our AWS account. I could have just checked all machines but thought jq might be a better way to do it, and it actually is.
It is always better to tighten the firewall configuration on your servers. Limiting SSH connections to a defined list of IP addresses greatly reduces the attack surface as well as load; the firewall is much more efficient at blocking connections than sshd. The best approach is to have a static IP or connect through a bastion host which is protected via a VPN. But sometimes that is not feasible.
We’ve all been there: something gets stuck and there is no way to fix it except for a reboot, but even rebooting through SSH isn’t working and you don’t have physical access to the server or an out-of-band way to power cycle. This has mostly bitten me while working on NFS but there have been other cases. Adding it here for reference.
It’s been a long time since I have added anything to my blog; I wanted to update my site to use the newer version of Hugo. I also wanted to update the theme to remove some of the older components and disable Disqus. One of the things I wanted to do is to use Parcel to learn how it works. I got halfway through the HTML and then real life got in the way. For some reason I kept delaying adding new content because I thought updating the theme to the newest Hugo version would take a long time.
I’ve become a big fan of static site generators lately, especially Hugo. It’s true, static site generators are not for everybody, but most websites on the Internet can be easily implemented as static sites. Also, static sites are great for those websites that you can’t regularly maintain: they are secure, fast, and very easy to set up. Take this blog for example: I don’t have much time to maintain it and apply security patches, so having it set up as HTML is perfect for me.
Why? You might ask yourself. Isn’t it just better to upgrade the web application and save yourself the trouble of all the security issues? True, but sometimes it’s just not possible or feasible. The other day I helped a friend of mine migrate from a VPS he got in 2008 to a brand new FreeBSD 11 droplet on DigitalOcean. His customer has still not updated their site, and they were paying the same rate they’ve been paying since 2008. So it was better and cheaper to move them to a new VPS even though we kept the same code. At least the OS and all other components in the stack were updated.