slowhttptest showing up as service unavailable, but is inaccurate; service still up and running

Backstory: I’ve got a small contract with a website; they have given me permission to stress test their website, testing for DoS attacks. I have some experience in the field, but I am no omniscient hacker.

Problem: I’m running Kali Linux in a VM, with plenty of computing power allocated for a slowhttptest. I’ve tried the different tests that the program has to offer, and it appears to slow the website to some degree, temporarily, but my slowhttptest is coming up as service unavailable (it doesn’t connect from the VM browsers). However, when I try to visit from any other browser the site loads a bit slower at best (no success in a temporary DoS). I’m wondering if it is some kind of filtration or if (more likely?) I need to run through a proxy or something of the sort. Here is an example of the command I am running:

slowhttptest -c 100 -X -g -o slow_read_stats -r 15 -w 512 -y 1024 -n 10 -z 32 -k 3 -u {weburl} -p 10

IIS CMS access web service

We are creating a new web site and it’s using a CMS that will connect to an internal web service that will connect to a SQL database. The CMS will be in the DMZ and the web service will be in the protection network with the database. My question is: would the web service need HTTPS and bearer auth? Or would just HTTP be fine?

Are web workers / service workers secure environments to store a password, credit card information, access tokens?

If there is a case where I wish to store sensitive data like a password, credit card information, or access tokens:

Are web workers / service workers a secure environment, where such data cannot be compromised? If so, what to do to really secure it? If not so, why not exactly?

Kerberos tickets for service accounts and NFSv4 id mapping

I have a Synology NAS that I’m trying to access over NFS from a couple of systems running Arch Linux (a laptop and a server). I’d like to get NFSv4 id mapping working so that I don’t have to align the user ids between all these systems, and also so that there’s some modicum of security. I’ve set up a Kerberos KDC on the Arch server and configured the NAS and both the laptop and server NFS clients to perform id mapping using sec=krb5 for authentication. This seems to be working as intended for my own user account after much fiddling – I can run kinit to authenticate as myself and the files I own are mapped properly.

Now onto my question: I’d also like to do id mapping for an account that exists on my server only for running a service and can’t be logged into (specifically the plex account running Plex Media Server). Is there a good way to get a Kerberos ticket for accounts like this?

I considered getting a ticket from a keytab for the plex account, somewhat like what’s described here, but I’m not sure that would work since the ticket would eventually expire. Ideally whatever I do for the plex user would be permanent. Is something like this possible? I’m quite new to Kerberos. I know there’s a concept of “service principals” that might be applicable here, but as I understand it that would need to be implemented as part of the Plex software; I couldn’t just associate it with the plex account and have it work.