Use a password manager!

In today’s digital age, where we have an online presence for almost everything, from social media to banking, it’s essential to keep our personal information secure. One of the most crucial aspects of online security is using strong and unique passwords for every website. However, with the growing number of online accounts, it can be challenging to remember all the passwords. That’s where password managers come in.

A password manager is software that stores your passwords securely in an encrypted database. It creates and stores unique, strong passwords for every website you use, so you don’t have to remember them. Instead, you only need to remember one master password to access your password manager.

Using a password manager offers many benefits. Firstly, it eliminates the need to remember multiple passwords, which can be a daunting task, especially when you’re using complex passwords. Secondly, it saves you time since you don’t have to waste time resetting passwords or trying to remember them. Thirdly, it helps protect against phishing attacks, as the password manager only fills in passwords for legitimate websites. Finally, it provides an additional layer of security, as password managers generate random, complex passwords that are much harder to guess or crack.

While using a password manager is undoubtedly beneficial, it’s important to remember that it’s not a silver bullet for online security. It’s crucial to choose a strong and unique master password, preferably a passphrase that’s easy to remember but difficult for others to guess. You should also enable two-factor authentication, which requires you to enter a code sent to your phone or another device to access your account.

Another important aspect of online security is to never write down passwords or store them in unencrypted files. Writing down passwords and leaving them in plain sight can make it easy for someone to gain access to your accounts. If you must write down a password, store it in a secure location like a locked safe.

Finally, it’s important to use a different password for every website. This may seem like a hassle, but it’s crucial for security. If you use the same password for multiple accounts and a hacker gains access to one, they can easily access all your accounts. By using unique passwords for every website, you limit the damage that a data breach can cause.

Using a password manager is an excellent way to stay secure online. It eliminates the need to remember multiple passwords, saves time, and provides an extra layer of security. However, it’s important to use a strong and unique master password, enable two-factor authentication, and avoid writing down passwords. By taking these precautions, you can help protect yourself from the increasing number of online threats.

There are several popular password managers available, each with its own unique features and capabilities. Here are some examples of popular password managers:

  1. LastPass: LastPass is a popular password manager that offers both free and paid versions. It can generate strong, unique passwords and store them securely, as well as autofill login credentials on websites and applications.
  2. 1Password: 1Password is another popular password manager that offers features like password generation, secure storage, and autofill. It also includes a digital wallet for storing credit card information and secure notes.
  3. Dashlane: Dashlane is a user-friendly password manager that offers both free and paid versions. It can generate and store strong passwords, autofill login credentials, and provide secure sharing of passwords with trusted family and friends.
  4. KeePass: KeePass is a free, open-source password manager that allows you to store passwords in an encrypted database. It has plugins available for additional features and supports two-factor authentication.
  5. Bitwarden: Bitwarden is a free, open-source password manager that offers both desktop and mobile applications. It can generate strong passwords, store them securely, and autofill login credentials on websites and applications.
  6. MacPass: MacPass is a free, open-source password manager that is specifically designed for macOS. It stores passwords in an encrypted database and supports two-factor authentication.
  7. KeePassXC: KeePassXC is a community-driven, open-source password manager that is compatible with multiple platforms, including Windows, macOS, and Linux. It offers features like password generation, secure storage, and autofill.

There are many password managers available, each with its own unique features and benefits. It’s essential to choose a password manager that meets your specific needs and preferences to help keep your online accounts secure.

Freeze your credit file!

I’m not one of those crazy fear mongers that like to talk about the end of the world, etc. I am a pessimist most of the time though. There have been tons of blog posts and even the media has told people to do this. It used to cost money to freeze your credit file. Because of security breaches, the government made this free. You should take advantage of this. The reason I’m posting this is because there are still many people I know that haven’t done this and very few people that I talk to have. You’ll hear about a new data breach once every few months or so and sometimes it’s big, sometimes it’s not. Regardless, your information is probably out there for purchase on the dark web. Back when Scott McNealy was CEO of Sun Microsystems, he said “You have zero privacy anyway … Get over it.” I think it’s truer today than ever.

That said, even if your data isn’t out there, you should protect yourself. One important way is to freeze your credit report. The links are below, but they can change at any time.

Note: You can unfreeze anytime for free and it’s instantaneous, but if you’re looking to get a bank loan, mortgage, credit card or something else that will require your credit to be checked, you might want to do that before freezing your credit files. If you have already frozen your credit files and need credit cards, etc, just ask them which credit bureau they’ll be running. Most banks will tell you. When they do, you can do temporary lifts and it’s a pretty simple process.

https://www.experian.com/freeze/center.html

Experian was hacked a few years ago and gave up a bunch of T-Mobile customer data.

https://www.equifax.com/personal/credit-report-services/credit-freeze/

Oops. I couldn’t freeze on Equifax’ website. Ended up having to call them. 888-298-0045. At least you can do it through the automated system. No need to talk to a person.

https://www.transunion.com/credit-freeze

TransUnion was hacked in 2019 and shared a bunch of data on Canadians.

All credit bureaus have been breached at some point. They will be hit again. Please, freeze your credit files.

Some additional things to do are to keep an eye on your finances and monitor your personal credit report and financial activity. Nearly every bank now will also do credit monitoring for free. Sign up if you need to. If your bank doesn’t do it, find one that does.

Use update-ca-trust! Or update-ca-certificates.

Don’t just append to /etc/ssl/certs/ca-certificates.crt or /etc/ssl/certs/ca-bundle.crt.

Not long ago, I thought that it didn’t matter. I figured since the update-ca-trust command just updated the bundle, I might as well skip a step and go directly. I was wrong. Don’t do it. I guess that’s why people actually have processes and directions to follow.

These files are not meant to be edited manually. They are generated by the update-ca-trust or update-ca-certificates commands, which scan the /etc/pki/ca-trust/source/anchors or /usr/local/share/ca-certificates directories for custom CAs and then concatenate them with the system CAs into a single file. If you edit the generated files directly, your changes will be overwritten the next time these commands run, which means your changes will not survive patching if the ca-certificates package is updated.

The reason you want to put the certificate issuers in /etc/pki/ca-trust/source/anchors/ or /usr/local/share/ca-certificates/ and use the update-ca-trust enable/extract commands is so that the change survives an update. If someone patches the machine and other certificates are updated, the one you appended to the bundle by hand will be gone.

Follow the process! For me, that’s basically:

1. Copy your custom CA file (in PEM format) to the /etc/pki/ca-trust/source/anchors directory on Red Hat-based systems, or the /usr/local/share/ca-certificates directory on Debian-based systems. Make sure the file has a .crt extension.
2. Run the update-ca-trust or update-ca-certificates command as root. This will regenerate the /etc/ssl/certs/ca-certificates.crt or the /etc/ssl/certs/ca-bundle.crt file with your custom CA included.
3. Restart any services or applications that use SSL/TLS connections, such as web servers, browsers, curl, etc. They should now trust your custom CA.
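A check for step 2, as an added example that is not from this post or from the ca-certificates tooling: it compares SHA-256 fingerprints of the certificates in the generated bundle with those in your anchor file, so you can confirm the anchor is present right after running update-ca-trust and again after a package update. The sample certificates embedded below are constructed stand-ins, not real X.509 data.

```python
# Added example, not from the original post or the ca-certificates tooling:
# confirm that a custom CA anchor really is in the generated bundle by
# comparing SHA-256 fingerprints of the DER bytes of each PEM certificate.
# Run it after update-ca-trust / update-ca-certificates, and again after a
# ca-certificates package update, to catch a cert that silently vanished.
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Bundle paths named in the post; which one exists depends on the distro.
BUNDLE_PATHS = ("/etc/ssl/certs/ca-certificates.crt",
                "/etc/ssl/certs/ca-bundle.crt")


def pem_fingerprints(pem_text):
    """SHA-256 fingerprints (upper-case hex) of every CERTIFICATE block,
    the same digest `openssl x509 -noout -fingerprint -sha256` prints."""
    fps = set()
    for m in PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        fps.add(hashlib.sha256(der).hexdigest().upper())
    return fps


def bundle_contains(bundle_text, anchor_text):
    """True only if every certificate in the anchor file is in the bundle."""
    anchors = pem_fingerprints(anchor_text)
    return bool(anchors) and anchors <= pem_fingerprints(bundle_text)


def check_files(anchor_path, bundle_paths=BUNDLE_PATHS):
    """Real-file variant: returns (bundle path used, anchor present?)."""
    with open(anchor_path) as f:
        anchor = f.read()
    for path in bundle_paths:
        try:
            with open(path) as f:
                return path, bundle_contains(f.read(), anchor)
        except FileNotFoundError:
            continue
    raise FileNotFoundError("no CA bundle at " + " or ".join(bundle_paths))


def fake_pem(label):
    """Constructed stand-in for a certificate (base64 of arbitrary bytes);
    the fingerprint logic is identical for a real X.509 PEM."""
    body = base64.b64encode(("FAKE-DER-" + label).encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


CUSTOM_CA = fake_pem("corp-root")
SYSTEM_BUNDLE = fake_pem("public-ca-1") + fake_pem("public-ca-2")
GOOD_BUNDLE = SYSTEM_BUNDLE + CUSTOM_CA   # what update-ca-trust produces
REGENERATED = SYSTEM_BUNDLE               # bundle rebuilt with an empty anchors dir

if __name__ == "__main__":
    if len(sys.argv) == 2:                # python3 checkca.py /path/to/corp-root.crt
        path, ok = check_files(sys.argv[1])
        print(f"{path}: {'present' if ok else 'MISSING'}")
        sys.exit(0 if ok else 1)
    print("after update-ca-trust:", bundle_contains(GOOD_BUNDLE, CUSTOM_CA))
    print("after bundle regenerated:", bundle_contains(REGENERATED, CUSTOM_CA))
```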

WordPress is under attack! Watch it! Password Protect it!

What? What do you mean? There’s already a password. Yes, you need to log in when you want to put up a new blog post or do maintenance of some sort. However, that doesn’t mean that you can’t have an additional layer of protection. Not only can you have it, WordPress actually recommends it here: https://codex.wordpress.org/Brute_Force_Attacks

I looked in my nginx access log and I saw a bunch of messages that looked like this:

95.219.148.136 - - [16/Nov/2017:06:34:33 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
95.219.148.136 - - [16/Nov/2017:06:34:34 -0800] "GET / HTTP/1.1" 200 21587 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
202.152.71.21 - - [16/Nov/2017:06:40:48 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
202.152.71.21 - - [16/Nov/2017:06:40:49 -0800] "GET / HTTP/1.1" 200 21589 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
177.221.4.36 - - [16/Nov/2017:06:55:42 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
177.221.4.36 - - [16/Nov/2017:06:55:42 -0800] "GET / HTTP/1.1" 200 21589 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

After doing some investigation, it appeared to be Sathurbot attacking my blog site. It’s some sort of distributed piece of malware that attacks poorly maintained blogs or blogs with weak passwords. The malware tries to attack wp-login and something else. You can read more about it here: https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/.

The first thing I did to counter this was switch Cloudflare to “under attack” mode. This gives the client a short delay when connecting to your site so that bots can’t get to the file, and it should stop the entries in the log completely and immediately. Since I don’t want users to see the delay all of the time, I decided after the attacks slowed down to have nginx password protect the file, so that anyone requesting it gets an nginx password prompt as well. This way, you’ll need to authenticate twice to get into WordPress, but that’s okay. The extra trouble gives me peace of mind that I’m less likely to be attacked.

With nginx, I did it this way:

location ^~ /wp-login.php {
 auth_basic "Administrator Login";
 auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
 include fastcgi.conf;
 fastcgi_intercept_errors on;
 fastcgi_pass php-wphandler;
 fastcgi_buffers 16 16k;
 fastcgi_buffer_size 32k;
}

The .htpasswd file holds hashed passwords. You can create it with the htpasswd command that comes with the apache2-utils package. The file would look something like this:

alton:$@AFSADF$SDFapr1$yDoxiXVW$aFe

Now in my logs, I get 401 messages instead of 402 messages.

172.68.242.50 - - [29/Nov/2017:09:36:50 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "134.196.23.66"
172.68.246.96 - - [29/Nov/2017:09:45:48 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "193.93.187.11"
162.158.91.51 - - [29/Nov/2017:09:49:22 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "93.172.55.76"
141.101.77.120 - - [29/Nov/2017:10:08:03 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "41.100.125.248"
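Detection logic for the two log excerpts above, as an added example that is not part of the original post: it parses the combined-format lines, counts /wp-login.php requests per client and shows which status code each one got. Behind Cloudflare the first field is a Cloudflare edge address, so the parser prefers the trailing quoted field when it is there; treating that field as the client IP Cloudflare passes through is an assumption about this log format, and the sample lines are constructed copies of the ones in the post.

```python
# Added example (not part of the original post): parse the nginx access log
# lines from the post and count /wp-login.php hits per real client address.
# Behind Cloudflare, $remote_addr is a Cloudflare edge IP; the post's log
# format appends the original client IP as a trailing quoted field
# (assumed to be the client address Cloudflare passes through), so that
# field is preferred when present.
import re
from collections import Counter, defaultdict

LOG_LINE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
    r'(?: "(?P<client>[^"]*)")?$')

# What the status codes in the post's excerpts mean for the login page.
STATUS_NOTE = {
    "401": "nginx auth_basic challenge: bot never reached wp-login.php",
    "402": "status seen in the post before auth_basic was added",
    "200": "request reached WordPress",
}


def parse_line(line):
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["client"] = d["client"] or d["remote"]   # real IP if nginx logged it
    return d


def login_attempts(lines, path="/wp-login.php"):
    """Return {client_ip: Counter(status)} for requests to the login page."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == path:
            hits[rec["client"]][rec["status"]] += 1
    return hits


def report(lines):
    rows = []
    for ip, statuses in sorted(login_attempts(lines).items()):
        for status, n in statuses.items():
            rows.append(f"{ip}: {n}x {status} ({STATUS_NOTE.get(status, '?')})")
    return rows


# Constructed copies of lines from the post (not a live log).
SAMPLE = """\
95.219.148.136 - - [16/Nov/2017:06:34:33 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
95.219.148.136 - - [16/Nov/2017:06:34:34 -0800] "GET / HTTP/1.1" 200 21587 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
172.68.242.50 - - [29/Nov/2017:09:36:50 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "134.196.23.66"
""".splitlines()

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Blocking the first field of the 401 lines would block Cloudflare’s own edges rather than the bot, which is why the trailing field matters.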

I also know that they’re less likely to hack my site. 🙂

Happy blogging!

Help! SSH attack on Ubuntu 14.04.2 LTS – use sshdfilter with ufw

If you’ve got a *nix machine on the public Internet, you will experience this at one time or another. If you run sshd on its well-known port 22, some script kiddie out there will attack it. With that, you’ll see a bunch of connections that probably, and hopefully, will never succeed. I saw these messages in my /var/log/auth.log:

Nov 15 06:44:26 chunli sshd[20634]: Failed password for root from 43.229.53.13 port 41751 ssh2
Nov 15 06:44:26 chunli sshd[20636]: Failed password for root from 43.229.53.13 port 41921 ssh2
Nov 15 06:44:26 chunli sshd[20638]: Failed password for root from 43.229.53.13 port 42948 ssh2
Nov 15 06:44:26 chunli sshd[20546]: message repeated 2 times: [ Failed password for root from 43.229.53.13 port 27586 ssh2]

I’ve experienced this before, and to alleviate this problem I used sshdfilter in the past. I know that there are others out there like sshblack that can do blacklisting of attackers, and one of the easiest ways to alleviate this problem is just to run 'sudo ufw limit ssh'. This is a way to block them from coming back for a while.

To get started, first stop SSH:

sudo initctl stop ssh

Then move /etc/init/ssh.conf out. We’ll start SSH with sshdfilter instead.

You’ll get a message in the auth.log here:
auth.log:Nov 16 19:54:36 chunli sshd[1150]: Missing privilege separation directory: /var/run/sshd

Because of this, we’ll just add a line in the /etc/init.d/sshdfilter file like this:

start() {
 echo -n $"Starting sshdfilter: "
 export PATH=$PATH:/usr/local/sbin
 # sshd refuses to start without its privilege separation directory
 mkdir -p /var/run/sshd
 sshdfilter
 RETVAL=$?
 return $RETVAL
}

In /etc/sshdfilterrc, I changed the chain from:

#chain='SSHD'

to:

chain='ufw-reject-input'

Under the “Add a block rule” section, I changed some iptables commands to ufw commands. You can see the commented-out iptables lines next to the ufw ones here:

#firewalladd='iptables -A $chain -p tcp -s $ip --dport 22 -j DROP'
#firewalladd='iptables -A $chain -p tcp -s $ip --dport 22 -j DROP'
firewalladd='ufw insert 1 reject proto tcp from $ip to any port 22'
# Delete a block rule:
firewalldel='ufw delete reject proto tcp from $ip to any port 22'
#firewalldel='iptables -D $chain -p tcp -s $ip --dport 22 -j DROP'

That’s about it! With that, my machine started to grow a big list of IP addresses to block from failed logins.
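The core of what the post wires up by hand, as an added example that is not sshdfilter’s own code: it parses the “Failed password” lines from auth.log, including syslog’s “message repeated N times” compression, counts failures per source address and expands the post’s firewalladd/firewalldel templates into the ufw commands that would be run. The threshold and the extra 198.51.100.7 sample line are assumptions I constructed for the demo; the commands are returned as strings, not executed.

```python
# Added example (not sshdfilter's own code): count sshd failures per source
# IP from auth.log lines, honouring "message repeated N times: [ ... ]",
# and expand the post's ufw templates (with $ip substituted) for any
# address at or above a threshold. Dry run: commands are returned, not run.
import re
from collections import Counter
from string import Template

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")
REPEATED = re.compile(r"message repeated (?P<n>\d+) times: \[ (?P<inner>.*)\]")

# Templates copied from the post's /etc/sshdfilterrc edits; `$ip` is the
# same placeholder sshdfilter expands in a shell.
FIREWALLADD = Template("ufw insert 1 reject proto tcp from $ip to any port 22")
FIREWALLDEL = Template("ufw delete reject proto tcp from $ip to any port 22")
THRESHOLD = 3   # assumed: block after this many failures from one address


def failures(lines):
    """Failed logins per source IP, counting 'message repeated N times' as N."""
    counts = Counter()
    for line in lines:
        n = 1
        rep = REPEATED.search(line)
        if rep:
            n, line = int(rep.group("n")), rep.group("inner")
        m = FAILED.search(line)
        if m:
            counts[m.group("ip")] += n
    return counts


def block_commands(lines, threshold=THRESHOLD):
    """ufw commands (strings) for every IP at or above the threshold."""
    return [FIREWALLADD.substitute(ip=ip)
            for ip, n in sorted(failures(lines).items()) if n >= threshold]


def unblock_command(ip):
    """The matching firewalldel command for lifting a block later."""
    return FIREWALLDEL.substitute(ip=ip)


# Constructed sample: the post's auth.log excerpt plus one extra line for a
# second (documentation-range) address that stays under the threshold.
SAMPLE = """\
Nov 15 06:44:26 chunli sshd[20634]: Failed password for root from 43.229.53.13 port 41751 ssh2
Nov 15 06:44:26 chunli sshd[20636]: Failed password for root from 43.229.53.13 port 41921 ssh2
Nov 15 06:44:26 chunli sshd[20638]: Failed password for root from 43.229.53.13 port 42948 ssh2
Nov 15 06:44:26 chunli sshd[20546]: message repeated 2 times: [ Failed password for root from 43.229.53.13 port 27586 ssh2]
Nov 15 06:45:01 chunli sshd[20650]: Failed password for invalid user admin from 198.51.100.7 port 5022 ssh2
""".splitlines()

if __name__ == "__main__":
    print(dict(failures(SAMPLE)))
    for cmd in block_commands(SAMPLE):
        print(cmd)
```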

 

Slipstream drivers! N-Lite! Driverpacks.net – cool!

Ran into an interesting, fun thing recently; saw this in MaximumPC once, but didn’t really care as I didn’t think I’d need to use it, but just did it recently and found it a lot of fun.

Anyways, this all started when Windows XP was unable to find the hard disk on a new laptop I had to install it on. (The laptop came preinstalled with Vista, but since Vista sucks, we wanted XP on it.) It took forever for us to figure it out. We probably should’ve just bought a USB floppy from eBay or something, but slipstreaming seemed interesting and would’ve been a cool challenge.

There are various links that help out in the process. Here they are:
1) N-Lite – I used N-Lite to build the CD and strip out the garbage I didn’t need. Make sure you put the disk controller drivers in text mode as opposed to PnP. It will only work if you slipstream them.
http://www.nliteos.com/download.html
2) Driverpacks – here’s where you can get almost every driver you’ll ever need:
http://www.driverpacks.net/
You can find slipstreaming instructions here:
http://forum.driverpacks.net/viewtopic.php?id=1449
3) Windows Offline Update – I used this to grab my security patches and hotfixes. You can integrate them right into N-Lite, so you have a faster installation.
http://www.heise.de/ct/projekte/offlineupdate/
4) DriverMagician – this is one of my old favorites – it only works after you’ve got the correct drivers installed, but I like to use it to backup my drivers.
http://www.drivermagician.com/

That’s about it. With that, you can build your own install CD or DVD and strip stuff out, make tweaks to the registry, change the installer so that it looks like you’re installing Windows 2000, etc. It didn’t help in installing all of the drivers that I wanted, but for the most part, things worked. I’ve yet to test it on a physical machine as I did it only in a VM. For the laptop, I just slipstreamed the Intel SATA controller driver.

Sendmail Routing with LDAP

One of the reasons you might want to do this is if you just acquired a new company and want mail to be routed through the same old sendmail relays you had previously, or if you’re running some kind of spam or virus scanner that requires sendmail, or maybe you just want a relay between the Internet and your mail server for security purposes.

Note: In this case, this is for routing mail with sendmail, not for accepting mail and putting it into /var/mail on this machine. If you want the mail stored on this machine, the recipient needs a local account, i.e. you should be able to get on this machine with an 'su - uid' command. Otherwise, you will probably get the message “User unknown”.

You can use whatever directory server you want with whatever schema you want as long as you know what you are looking for and how to use the data.

You will need a version of sendmail that has LDAP capabilities compiled into it. You can check this with:

/usr/lib/sendmail -d0.11 < /dev/null

Version 8.12.10+Sun

Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8

When you see LDAPMAP, you know that it will work. Solaris 7-9 should all work. Patches are available for those that don’t.

In this example, we will use the ldap data from a SunONE Messaging server.

We first do a search to find a user so that we know what we will need.

Here, I pull the user’s ldif data with this command:

/usr/sbin/ldapsearch -b 'o=isp' -p 4389 -h flash.atac.ebay.sun.com [email protected]

In this case, I’m looking for alton’s user entry and using the mail attribute.

Here are my results:

uid=alton, ou=people, o=atac.ebay.sun.com, o=isp
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetOrgPerson
objectClass=inetUser
objectClass=ipUser
objectClass=nsManagedPerson
objectClass=userPresenceProfile
objectClass=inetMailUser
objectClass=inetLocalMailRecipient
[email protected]
mailUserStatus=active
mailHost=flash.atac.ebay.sun.com
givenName=alton
cn=alton yu
uid=alton
nsdaCapability=mailListCreate
sn=yu
inetUserStatus=active
mailDeliveryOption=mailbox
preferredLanguage=en
nswmExtendedUserPrefs=meDraftFolder=Drafts
nswmExtendedUserPrefs=meSentFolder=Sent
nswmExtendedUserPrefs=meTrashFolder=Trash
nswmExtendedUserPrefs=meInitialized=true
pabURI=ldap://flash.atac.ebay.sun.com:4389/ou=alton, ou=people, o=atac.ebay.sun.com, o=isp,o=pab

Now that we know what information to set sendmail up with, we can start tinkering with it.

The changes go in the sendmail.mc file. First, I go to /usr/lib/mail/cf and copy my existing main.mc to a new sendmail.mc:

cp main.mc sendmail.mc

Then I open sendmail.mc and add:

define(`confLDAP_DEFAULT_SPEC',`-h flash.atac.ebay.sun.com -b o=isp -p 4389')
LDAPROUTE_DOMAIN(`atac.ebay.sun.com')
FEATURE(`ldap_routing')

I then build the cf file with:

make sendmail.cf

and now I do my test.

/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv [email protected]

[email protected]… User unknown

Hmmm…. I wonder why …

I go to the ldap server access logs and find:

[25/Mar/2004:17:14:38 -0800] conn=347 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[25/Mar/2004:17:14:38 -0800] conn=347 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140
[25/Mar/2004:17:14:47 -0800] conn=348 op=0 BIND dn="" method=128 version=2
[25/Mar/2004:17:14:47 -0800] conn=348 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Mar/2004:17:14:47 -0800] conn=348 op=1 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)([email protected]))" attrs="mailRoutingAddress"
[25/Mar/2004:17:14:47 -0800] conn=348 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=2 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)([email protected]))" attrs="mailHost"
[25/Mar/2004:17:14:47 -0800] conn=348 op=2 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=3 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)([email protected]))" attrs="mailRoutingAddress"
[25/Mar/2004:17:14:47 -0800] conn=348 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=4 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)([email protected]))" attrs="mailHost"
[25/Mar/2004:17:14:47 -0800] conn=348 op=4 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:14:47 -0800] conn=348 op=5 UNBIND
[25/Mar/2004:17:14:47 -0800] conn=348 op=5 fd=44 closed - U1

Okay. It looks like it’s looking for mailLocalAddress and mailRoutingAddress. My entries don’t have either of those, so rather than changing the LDAP server, I will make some changes in the sendmail.mc.

I change just:

FEATURE(`ldap_routing')

to:

FEATURE(`ldap_routing',`ldap -1 -v mailHost -k (&(objectclass=inetorgperson)(mail=%0))')

So now, instead of searching for mailLocalAddress, I’m searching on the mail attribute.

By doing that and rebuilding my sendmail.cf file, I now get:

/usr/lib/sendmail -C/usr/lib/mail/cf/sendmail.cf -bv [email protected]

[email protected]… deliverable: mailer relay, host flash.atac.ebay.sun.com, user [email protected]

Now this looks better. How does the LDAP access log look?

[25/Mar/2004:17:39:03 -0800] conn=383 fd=44 slot=44 connection from 129.149.141.32 to 10.4.18.140
[25/Mar/2004:17:39:03 -0800] conn=383 op=0 BIND dn="" method=128 version=2
[25/Mar/2004:17:39:03 -0800] conn=383 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[25/Mar/2004:17:39:03 -0800] conn=383 op=1 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetLocalMailRecipient)([email protected]))" attrs="mailRoutingAddress"
[25/Mar/2004:17:39:03 -0800] conn=383 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[25/Mar/2004:17:39:03 -0800] conn=383 op=2 SRCH base="o=isp" scope=2 filter="(&(objectClass=inetorgperson)([email protected]))" attrs="mailHost"
[25/Mar/2004:17:39:03 -0800] conn=383 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[25/Mar/2004:17:39:03 -0800] conn=383 op=3 UNBIND
[25/Mar/2004:17:39:03 -0800] conn=383 op=3 fd=44 closed - U1

Okay. Good enough.
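To make the two access logs concrete, here is an added example (not sendmail’s code and not from the original post) that models the ldap_routing lookups against an in-memory copy of the user entry above: the default map spec finds nothing because the entry has no mailLocalAddress, while the custom spec matches on mail and returns the mailHost. Note, as the second log shows, that only the mailHost map was replaced; the mailRoutingAddress lookup still uses the default filter. The routed address alton@atac.ebay.sun.com is an assumption (it is obfuscated on the page), and the “User unknown” / “deliverable” strings reproduce what the post observed.

```python
# Added example (not sendmail's code, not from the original post): model the
# ldap_routing lookups from the post against an in-memory copy of the LDIF
# entry, to show why the default map spec found nothing and the custom one
# found the mailHost. Assumed: routed address is alton@atac.ebay.sun.com.
import re

# Entry constructed from the post's ldapsearch output (attribute names as
# shown; mailLocalAddress and mailRoutingAddress are absent, as there).
ENTRY = {
    "objectClass": {"top", "person", "organizationalPerson", "inetOrgPerson",
                    "inetUser", "inetMailUser", "inetLocalMailRecipient"},
    "mail": {"alton@atac.ebay.sun.com"},
    "mailHost": {"flash.atac.ebay.sun.com"},
    "uid": {"alton"},
}

# Default filter behind FEATURE(`ldap_routing'), as seen in the access log.
DEFAULT_FILTER = "(&(objectClass=inetLocalMailRecipient)(mailLocalAddress=%0))"
# The post's replacement for the mailHost map (-k argument).
CUSTOM_FILTER = "(&(objectclass=inetorgperson)(mail=%0))"


def matches(entry, filter_template, address):
    """Evaluate an LDAP AND-of-equality filter (the only shape used here)
    after substituting %0 with the address; attribute names and values are
    compared case-insensitively, as the directory did."""
    expanded = filter_template.replace("%0", address)
    m = re.fullmatch(r"\(&((?:\([^()]+\))+)\)", expanded)
    if not m:
        raise ValueError("unsupported filter: " + expanded)
    lowered = {k.lower(): {v.lower() for v in vals} for k, vals in entry.items()}
    for attr, value in re.findall(r"\(([^=]+)=([^)]*)\)", m.group(1)):
        if value.lower() not in lowered.get(attr.lower(), set()):
            return False
    return True


def lookup(entry, filter_template, attr, address):
    """Value sendmail would get for `attr` (e.g. mailHost), or None."""
    if not matches(entry, filter_template, address):
        return None
    vals = entry.get(attr)
    return next(iter(vals)) if vals else None


def route(entry, address, host_filter=DEFAULT_FILTER):
    """Mimic the post's two lookups: mailRoutingAddress with the default
    filter, then mailHost with whichever filter the first FEATURE argument
    set. Output strings reproduce what `sendmail -bv` printed in the post."""
    new_addr = lookup(entry, DEFAULT_FILTER, "mailRoutingAddress", address)
    host = lookup(entry, host_filter, "mailHost", address)
    if host:
        return f"deliverable: mailer relay, host {host}, user {new_addr or address}"
    return f"{address}... User unknown"


if __name__ == "__main__":
    addr = "alton@atac.ebay.sun.com"
    print("default spec:", route(ENTRY, addr))
    print("custom spec: ", route(ENTRY, addr, CUSTOM_FILTER))
```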

Hopefully this is enough to get you started on your journey in setting up your sendmail with ldap routing.