1

So I think I have answered this, but here goes.
I have a ddns service I need to update periodically. I chose once every 5 minutes. I am using this command:
/usr/bin/wget -O /dev/null -o /dev/null <webcall url>
I have it running every 5 minutes in a cronjob. I checked and wget is using port 443 to connect to my webcall url which is https. I am assuming this is hiding the details of the url. Is this true? Also, I don't like that the cronjob is sending the whole command to syslog. Is there a way to prevent it from syslogging this? I would rather keep the details of the url hidden as much as possible. I am the only user on the server, but am curious if there is a way.

So questions are:
1. Is wget hiding the details of the url from prying eyes? It is using port 443 for https.
2. Can I not log the cronjob command in syslog? I suppose I could create a script that hides this.

Comments
  • 1
    Obviously, it depends on what your threat model is. I'm going to assume that you trust the server. So that leaves a third party eavesdropping.

    For question 1, the answer is yes and no. With https the path part of the url is encrypted, but the hostname of the server is not.
  • 3
    I dislike the approach...

    Nothing's worse than a cronjob command that doesn't log.

    HTTPS is fully encrypted, so you are worried about another user on the same server reading configuration / logging files, I think?

    If that is true, please stop.

    You're obfuscating and that can be a pain in the arse to debug later.

    At least the crontab (or cron configuration) must contain a script, and as such it's not hard to figure out what's happening...

    If you want a "cleaner" approach, systemd timer / systemd services might be an idea. Mostly because it offers several extras compared to a simple crontab entry, and you can handle logging via the systemd unit in a cleaner way.

    But please - don't obfuscate because of paranoia, it can make administration a real nut job.
  • 0
    On the topic of obfuscation: Why are you worried about webcall URL leaking out? Is the endpoint not using authentication? Because security through obscurity doesn't work.
  • 0
    @korrat It does no checking to determine if I should be making the call. Zero authentication. It just happily updates the ddns entry with whatever ip accessed it.
  • 1
    @Demolishun if you control this endpoint, that's where I would start. HTTPS might hide the endpoint from eavesdroppers but anyone could still bruteforce it
  • 1
    @korrat

    It has some long hash-looking number. I think it's a UUID. That is what the docs for the ddns feature of cpanel point to.

    https://w3.org/TR/capability-urls/...

    I think it would take a long time to guess it. cpanel also makes it easy to regenerate a new url. I will probably change it periodically.
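
The wrapper-script idea raised in the question, as an added example that is not part of the original thread: cron then logs only the script path, and wget reads the URL from an owner-only file via `-i`, so the URL also stays out of the process argument list. The script path, the URL file path and the `WGET` override are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical install path:
#   /usr/local/sbin/ddns-update
# Hypothetical crontab entry (syslog then shows only this, not the URL):
#   */5 * * * * /usr/local/sbin/ddns-update /root/.ddns-url

# Succeeds only for a non-empty regular file with no group/other permission bits.
secret_file_ok() {
    f=$1
    [ -f "$f" ] && [ -s "$f" ] || return 1
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Performs the update. wget reads the URL from the file (-i), so it never
# appears in argv (ps, /proc/<pid>/cmdline) or in cron's log line.
update_ddns() {
    url_file=$1
    if ! secret_file_ok "$url_file"; then
        echo "ddns-update: $url_file missing, empty, or readable by group/other" >&2
        return 2
    fi
    # Refuse anything that is not https://, so the path stays encrypted in transit.
    if grep -qv '^https://' "$url_file"; then
        echo "ddns-update: every line in $url_file must be an https:// URL" >&2
        return 2
    fi
    # WGET can be overridden for testing; the default is the path used in the post.
    "${WGET:-/usr/bin/wget}" -q -O /dev/null -i "$url_file" || {
        echo "ddns-update: request failed" >&2   # records the failure, not the URL
        return 1
    }
}

# Run only when called with the URL file as the single argument.
if [ "$#" -eq 1 ]; then
    update_ddns "$1"
fi
```

Failures still go to stderr, which cron mails or logs, so the job is not silent even though the URL is kept out of the command line.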