about and security
parent 5dfd50d796
commit a224a40492

@ -101,6 +101,9 @@
 <link rel="stylesheet" href="{{ site.data.origin[type].magnific-popup.css | relative_url }}">
 {% endif %}
 
+<!-- my extra css -->
+<link rel="stylesheet" href="/assets/css/extra.css">
+
 <!-- JavaScript -->
 
 {% unless site.theme_mode %}

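Review bot: the added `<link rel="stylesheet" href="/assets/css/extra.css">` hard-codes a root-relative path, while the stylesheet link a few lines above it is built with `| relative_url`; if the site is ever served under a non-root `baseurl` this one link 404s and the page silently loses the extra styles. Suggest `<link rel="stylesheet" href="{{ '/assets/css/extra.css' | relative_url }}">` to match the convention already used in this file.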
@ -4,5 +4,36 @@ icon: fas fa-info-circle
 order: 100
 ---
 
-> Add Markdown syntax content to file `_tabs/about.md`{: .filepath } and it will show up on this page.
-{: .prompt-tip }
+This is the personal website and blog if *Christoph J. Scherr*.
+
+## Professionally
+
+I am currently a student of Cybersecurity at [DHBW Mannheim](https://www.mannheim.dhbw.de/) and work at
+[NewTec](https://www.newtec.de). Computer Technology, especially with a focus on
+security is my passion.
+
+## Technology
+
+I like managing and administering servers and services. This website is hosted
+on a [VPS](https://en.wikipedia.org/wiki/Virtual_private_server) hosted in
+Germany, which I pay [Netcup](https://www.netcup.de) for. Hosting your own services
+and managing your own servers is fun and I regularly learn new computer related
+things from it.
+
+I like Open Source Software, working on my own projects and using mostly OSS on
+my devices where possible. All my servers run [Debian](https://www.debian.org),
+and I use GNU/Linux on my PCs too.
+
+I mainly program in [Rust](https://rustlang.org) at the time of writing this,
+but I know many programming languages.
+
+## Other Interests
+
+I've been learning Japanese for over a year by now. I find myself often
+stumbling over Japanese media, and I've built a liking to the language by now.
+My Japanese is still pretty bad, and I still struggle to understand basic sentences,
+but I'm constantly learning.
+
+<pre class="text-center fs-4">「今年には春が好きですけど、それまで好きじゃなかったです。」</pre>
+
+When I feel creative, I sometimes make music. Some of that can be found [here](https://www.youtube.com/@plexsheep1296).

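Review bot: typo in the new intro line `This is the personal website and blog if *Christoph J. Scherr*.`; it should read `of`. Also verify the link target in `[Rust](https://rustlang.org)`: the Rust project's own domain is rust-lang.org, and a lookalike domain in a link readers will click without checking is worth getting right on the site of someone who writes a security page.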
@ -1,4 +1,5 @@
 ---
 icon: fas fa-legal
 order: 200
+title: Imprint & Legal
 ---

@ -2,3 +2,79 @@
 icon: fas fa-lock
 order: 6
 ---
+
+# Security Guidelines, Scope for cscherr.de and associated hosts
+
+- **[A] Scope**
+- You may search for security issues ONLY on public facing services,
+such as <https://git.cscherr.de>, <https://www.cscherr.de>, the
+Minecraft server and others. You may not do so on sites
+not visible without authentication. For example, <https://git.cscherr.de> is okay
+(except private repositories), but <https://transmission.cscherr.de> is not
+(I seed only Linux images). The ONLY machine you may target is my public
+facing VPS (IP: `194.13.82.193` (`cscherr.de`)) and those machines
+virtualised on it.
+- You may NOT infiltrate any non-public machines (virtual or not).
+- You may NOT exfiltrate data without explicit permission.
+- You may NOT endanger the confidentiality, Availability and Integrity of
+any data, service, or machine, unless with explicit permission.
+- Any findings must be reported to the server owner (Christoph J. Scherr),
+you can typically contact me on admin@cscherr.de.
+- You may NOT cause any effect that would be considered "harmful" to the
+server owner, the users, any service or machine, or any third party. If
+you would like clarification on if your case would be considered harmful,
+seek contact with me (admin@cscherr.de).
+
+- **[B] Bounty**
+- If you actually manage to find something good, I would like to reward you with a
+minor sum of money (~10EUR). I'm only an individual, and still a student,
+so I cannot offer much, but you would have earned it. Preferably, you have
+an account in Europe, so I can just use SEPA to transfer money. I don't have
+PayPal or cryptocurrencies.
+- You also have my honest thanks! If you want, you can get an entry in the
+hall of fame below.
+- I've been getting a lot of mail recently reporting very minor things, that
+are often not security issues, like "exposed information on
+https://static.cscherr.de". I encourage you all to report things you might
+find suspicious, but you will not gain a bounty or entry in the HOF for
+something that I deem not a thread or unknown risk. Furthermore, I reserve the right to
+disagree with your reports and not put you in the HOF or pay a bounty as I
+see fit. Bounties and the HOF are based on goodwill.
+- If you want your entry removed from the HOF, please mail me (admin@cscherr.de),
+we can work something out.
+
+- **[C] Known Risks**
+- The following is a list of possible risks that are currently accepted:
+- I don't have CAA Records (just using caddy+letsencrypt)
+- no MTA-STS for cscherr.de
+- Including of my sites as I-frames to trick users into clicking on something
+- No rate limiting on my web server
+- Possible brute forcing of login forms (I use strong random passwords and MFA)
+- No BIMI Record for cscherr.de
+
+- Christoph J. Scherr, 2024
+
+--------------------------------------------------------------------------------
+
+<h2 class="display-1 text-center text-huge">Hall of Fame</h2>
+
+--------------------------------------------------------------------------------
+
+Parth Narula, who found a DOS vulnerability in my WordPress site, resulting in
+near 100% server load by repeatedly sending requests to an endpoint which
+allowed users to load multiple JS and CSS files at once, and also tested the
+other subdomains.
+
+Mitigation: Removal of the WordPress site, as it wasn't actively used anyway.
+
+--------------------------------------------------------------------------------
+
+Mesum Raza, who found an open redirect in authentik (used on <auth.cscherr.de>)
+prior to version 2024.2.2, and reported it to the authentik maintainers after
+correspondence. The open redirect has been removed in subsequent versions
+of authentik.
+
+See: <https://github.com/goauthentik/authentik/pull/8796>
+
+--------------------------------------------------------------------------------
+

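Review bot: the scope in [A] is internally inconsistent: the first bullet opens the target set with `Minecraft server and others`, then narrows it to `The ONLY machine you may target is my public facing VPS (IP: ...) and those machines virtualised on it`, so a tester cannot tell whether a hostname that resolves to that IP but is not listed (auth.cscherr.de, static.cscherr.de, both mentioned later on the page) is fair game. Suggest replacing `and others` with an explicit host list and a sentence stating that anything not listed is out of scope. Smaller points in the same hunk: `something that I deem not a thread or unknown risk` should read `threat`; `confidentiality, Availability and Integrity` has inconsistent capitalisation; and the accepted risk `Including of my sites as I-frames to trick users into clicking on something` (clickjacking) is closed by a single response header, for example `Content-Security-Policy: frame-ancestors 'none'` (or `X-Frame-Options: DENY`) in the Caddy configuration the CAA bullet already refers to, so it does not have to stay on the accepted list. The same Caddy layer could also take the rate-limiting bullet off that list, which matters because the list itself admits that login forms are reachable for brute forcing.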
@ -0,0 +1,10 @@
+.ascii-art {
+font-family: monospace;
+white-space: pre;
+line-height: 1rem;
+}
+
+.text-huge {
+font-size: 9rem;
+white-space: nowrap;
+}
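Review bot: `.text-huge` combines `font-size: 9rem;` with `white-space: nowrap;`, so the heading that uses it (`<h2 class="display-1 text-center text-huge">Hall of Fame</h2>` in the security page hunk) can neither wrap nor shrink and will overflow horizontally on phone-width viewports, giving the whole page a sideways scrollbar. Suggest either dropping `nowrap` or using a responsive size such as `font-size: clamp(3rem, 15vw, 9rem);`; note that `display-1` on that element already sets a responsive size which this rule overrides. The `.ascii-art` rule is declared here but nothing in this commit uses it.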