2021-10-23 More 10 meter openings, and another new country
Things are going well with amateur radio: today I managed to make contacts with Australia and Indonesia on the 10 meter band in FT8 mode. That was a nice opening to the east, probably with some greyline on their side. It was morning here, so after the greyline for me. Later, when 10 meters was silent, I tried the 20 meter band, where a station from New Caledonia answered my call. I realized later that this was a new country/entity for me; by that time the contact was already confirmed! Update 2021-10-25: Actually looking at maps made me realize New Caledonia is quite far away: the distance was about 16330 kilometers! I will need to tweak the generated maps on pe4kh.idefix.net a bit to actually show the worked gridsquares in New Zealand and New Caledonia.
2021-10-23 Something weird with sendmail and Let's Encrypt
Noticed this in the logs:
Sep 30 14:02:04 wozniak sendmail[25878]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 15:02:04 wozniak sendmail[27149]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 16:02:04 wozniak sendmail[28400]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 17:02:04 wozniak sendmail[29654]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256

This is exactly the expiry of the DST Root CA X3 certificate. The syslog timestamps are in local time (CEST, two hours ahead of GMT), so the first verify=FAIL at 16:02 local is 14:02 GMT, under a minute after the notAfter below; the connection one hour earlier was the last one before expiry:

koos@wozniak:/usr/share/ca-certificates/mozilla$ openssl x509 -in DST_Root_CA_X3.crt -noout -startdate -enddate
notBefore=Sep 30 21:12:19 2000 GMT
notAfter=Sep 30 14:01:15 2021 GMT

But now to find out where this goes wrong...
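To confirm a correlation like this without eyeballing timestamps, here is an added example (not code from the post) that parses sendmail STARTTLS log lines, converts the local syslog timestamps to UTC and reports the first relay whose verification flipped from OK to FAIL, together with the offset from the DST Root CA X3 notAfter. The log lines are constructed after the ones above; the year and the CEST zone are supplied by the caller because syslog records neither.

```python
# Added example: correlate sendmail STARTTLS verify=OK/FAIL transitions with
# the DST Root CA X3 expiry. Not part of the original post.
import re
from datetime import datetime, timedelta, timezone

# Constructed log lines modelled on the post; syslog timestamps carry no year
# or time zone, so both are supplied by the caller.
SAMPLE_LOG = """\
Sep 30 14:02:04 wozniak sendmail[25878]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 15:02:04 wozniak sendmail[27149]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 16:02:04 wozniak sendmail[28400]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Sep 30 17:02:04 wozniak sendmail[29654]: STARTTLS=client, relay=postbode.idefix.net., version=TLSv1.3, verify=FAIL, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
"""

# notAfter of DST Root CA X3 as printed by "openssl x509 -enddate".
DST_ROOT_X3_NOT_AFTER = datetime(2021, 9, 30, 14, 1, 15, tzinfo=timezone.utc)
# Assumption: the server logs in Dutch local time, CEST on 30 September.
CEST = timezone(timedelta(hours=2))

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"STARTTLS=(?P<role>client|server), relay=(?P<relay>\S+), .*?verify=(?P<verify>\w+)"
)

def parse_starttls(log_text, year, tz):
    """Yield (utc_timestamp, relay, verify) for every STARTTLS line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        yield local.astimezone(timezone.utc), m["relay"], m["verify"]

def first_failure_after(log_text, year, tz, not_after=DST_ROOT_X3_NOT_AFTER):
    """Return (relay, utc_time, seconds_after_expiry) for the first verify=FAIL
    that follows a verify=OK to the same relay, or None if verification never
    flipped. A negative offset means the failure predates the expiry, so the
    root certificate would not be the explanation."""
    last = {}
    for ts, relay, verify in parse_starttls(log_text, year, tz):
        prev = last.get(relay)
        last[relay] = verify
        if prev == "OK" and verify == "FAIL":
            return relay, ts, (ts - not_after).total_seconds()
    return None

if __name__ == "__main__":
    print(first_failure_after(SAMPLE_LOG, 2021, CEST))
```

On the constructed log this reports the failure to postbode.idefix.net. at 14:02:04 UTC, 49 seconds after notAfter; the function keys on the relay name so a log with several upstreams reports the first one to break rather than mixing them up.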
2021-10-23 WoningNet fraud again
From the inbox, another 'WoningNet' story, see also Spam/phishing/fraude woningnet. Already known at the FraudeHelpdesk, of course: Laatste Herinnering - Fraudehelpdesk.
You have a registration with WoningNet. Your registration expires in 2 weeks. We will extend your registration by one year if you pay the renewal fee of €8.00. You can pay via iDEAL. Via the link below you will automatically be forwarded to our payment page. If you do not pay within 2 weeks, we will deregister you. Your accumulated registration time and any responses will then lapse.
The URL trail:
- hxxps://t9y.me/Q2Su
- hxxps://rplg.co/d9b377a0
- hxxps://lucid-wu.45-88-108-231.plesk.page/woningnet
- hxxps://lucid-wu.45-88-108-231.plesk.page/woningnet/
- Choose ING → hxxps://lucid-wu.45-88-108-231.plesk.page/ing/ and then a full phishing kit for Mijn ING credentials.
The method is already known (notorious) at the fraudehelpdesk. Also tested with lucid-wu.45-88-108-231.plesk.page - urlscan.io and reported to Google Safe Browsing. And then:
Take a second to rejoice merrily for doing your part in making the web a safer place.
2021-10-22 Naming interfaces used by libvirt virtual machines
The homeserver conway has an ever growing list of network interfaces, also due to adding a DMZ network. This was starting to look a bit messy, with things like:

koos@conway:~$ /sbin/brctl show brwireless
bridge name     bridge id               STP enabled     interfaces
brwireless      8000.4ccc6a8efa4b       no              enp10s0.3
                                                        vnet2
                                                        vnet9

Solution: name the interfaces in the VM definitions, like:

<interface type='bridge'>
  <source bridge='brdmz'/>
  <target dev='dmz-minsky'/>
  <model type='virtio'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>

And now names are more logical:

koos@conway:~$ /sbin/brctl show brdmz
bridge name     bridge id               STP enabled     interfaces
brdmz           8000.4ccc6a8efa4b       no              dmz-minsky
                                                        enp10s0.11
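Doing this by hand for every VM gets tedious, so here is an added example (not code from the post) that rewrites a libvirt domain definition so every bridge interface gets a target name of the form bridge-name-without-br-prefix, then the VM name, replacing auto-generated vnetN names and leaving explicit names alone. The domain XML is constructed for the example. It also enforces the two things that bite in practice: Linux limits interface names to 15 characters, and libvirt ignores target names starting with vnet, vif, macvtap or macvlan because it reserves those prefixes for generated names.

```python
# Added example: assign predictable target dev names to libvirt bridge
# interfaces. Not part of the original post.
import xml.etree.ElementTree as ET

IFNAMSIZ_MAX = 15   # Linux interface names are at most 15 characters
RESERVED_PREFIXES = ("vnet", "vif", "macvtap", "macvlan")  # libvirt ignores these

# Constructed domain XML modelled on the fragment in the post.
SAMPLE_DOMAIN = """<domain type='kvm'>
  <name>minsky</name>
  <devices>
    <interface type='bridge'>
      <source bridge='brdmz'/>
      <model type='virtio'/>
    </interface>
    <interface type='bridge'>
      <source bridge='brwireless'/>
      <target dev='vnet9'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>"""

def interface_name(bridge, domain):
    """Derive '<bridge without br prefix>-<domain>' and fit it in IFNAMSIZ."""
    short = bridge[2:] if bridge.startswith("br") else bridge
    name = f"{short}-{domain}"
    if name.startswith(RESERVED_PREFIXES):
        raise ValueError(f"{name}: prefix reserved by libvirt, it would be ignored")
    return name[:IFNAMSIZ_MAX]

def name_bridge_interfaces(domain_xml):
    """Return (new_xml, {bridge: target dev}) with a <target dev=...> on every
    bridge interface; vnetN-style names are replaced, explicit names are kept."""
    root = ET.fromstring(domain_xml)
    domain = root.findtext("name")
    assigned, seen = {}, set()
    for iface in root.iter("interface"):
        if iface.get("type") != "bridge":
            continue
        bridge = iface.find("source").get("bridge")
        target = iface.find("target")
        if target is None:
            target = ET.SubElement(iface, "target")
        current = target.get("dev", "")
        if not current or current.startswith(RESERVED_PREFIXES):
            target.set("dev", interface_name(bridge, domain))
        dev = target.get("dev")
        if dev in seen:   # truncation can collide; the kernel refuses duplicates
            raise ValueError(f"duplicate interface name {dev}")
        seen.add(dev)
        assigned[bridge] = dev
    return ET.tostring(root, encoding="unicode"), assigned

if __name__ == "__main__":
    new_xml, names = name_bridge_interfaces(SAMPLE_DOMAIN)
    print(names)
    print(new_xml)
```

The result can be fed to virsh define; the change takes effect the next time the VM is started, since the tap device is created at that point.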
2021-10-18 Securing the home network: a separate DMZ network
I have a lot of control over the software that runs on systems at home but there are limits to what I can fix and sometimes things are insecure. Things like the recent wordpress brute force attacks show that random 'loud' attackers who don't care about the chance of getting noticed will try. I sometimes do worry about the silent and more targeted attackers. So recently I updated my home network and I now have a DMZ network. At this moment it is a purely virtual network as it doesn't leave the KVM server. Hosts in the DMZ have a default-deny firewall policy to the other inside networks. Specific services on specific hosts have been enabled. I first moved the development webserver, which allowed me to tune those firewall rules and fix some other errors. Now other webservers and other servers offering things to the outside world have moved.
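What "default-deny to the inside networks with specific services on specific hosts enabled" looks like as a ruleset, as an added example that is not the post's own firewall configuration: the script below builds an nftables forward chain from an allowlist of flows. The bridge name brdmz is from the post; brinside, the addresses, ports and the rule that inside hosts may reach the DMZ are assumptions for the example. Each allow entry must name a single host and port, so a subnet cannot slip into the allowlist by accident.

```python
# Added example: generate an nftables forward chain with a default-deny policy
# from the DMZ to the inside networks. Not part of the original post.
import ipaddress

DMZ_BRIDGE = "brdmz"          # bridge name from the post
INSIDE_BRIDGE = "brinside"    # assumed name for the internal bridge

# Constructed allowlist: (dmz source host, inside destination host, protocol, port).
ALLOWED_FLOWS = [
    ("10.1.1.10", "10.0.0.5", "tcp", 5432),   # webserver -> database
    ("10.1.1.10", "10.0.0.2", "udp", 53),     # webserver -> resolver
]

def check_flow(src, dst, proto, port):
    """Reject anything that is not a single host, single port, tcp or udp."""
    for addr in (src, dst):
        if ipaddress.ip_network(addr).num_addresses != 1:
            raise ValueError(f"{addr}: allow rules must name one host, not a range")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"{proto}: unsupported protocol")
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"{port}: not a valid port")

def dmz_forward_chain(flows, dmz=DMZ_BRIDGE, inside=INSIDE_BRIDGE):
    """Return nft syntax for a forward chain with policy drop. Replies to
    connections that inside hosts opened pass via conntrack; new DMZ-to-inside
    connections need an explicit entry in flows; the rest is logged and dropped."""
    lines = [
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
        f'    iifname "{inside}" oifname "{dmz}" accept',   # assumption: inside may reach DMZ
    ]
    for src, dst, proto, port in flows:
        check_flow(src, dst, proto, port)
        lines.append(
            f'    iifname "{dmz}" oifname "{inside}" ip saddr {src} ip daddr {dst} '
            f"{proto} dport {port} ct state new accept"
        )
    lines += ['    log prefix "dmz-drop: " drop', "  }", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(dmz_forward_chain(ALLOWED_FLOWS))
```

The chain only covers DMZ and inside traffic; on a real KVM host the same forward hook also carries the VMs' traffic to the outside world, which needs its own accept rules before the final drop. The log rule is what makes "default deny" debuggable: when the development webserver moved first, its failures would show up as dmz-drop lines.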
2021-10-17 New countries in amateur radio and enjoying 10 meter openings
I am sitting behind the radio running FT8 on the 10 meter band and it's open in some interesting directions. According to PSK reporter my signals have been received in India(!) but I haven't made any contacts to India on 10 meters. The interesting contacts I have made on 10 meters were a few new countries on that band: South Africa, Swaziland, Lebanon and Georgia. Earlier Swaziland was completely new for me thanks to the 3DA0RU DXpedition visiting there. I also got the DXpedition to Sao Tome & Principe in the log: S9OK.
2021-10-13 Wordpress brute force attacks
The WordPress blog software is a popular target for attacks. I normally have fail2ban running with some rules to detect bad things on sites behind haproxy, but due to some other work on the firewall rules I had fail2ban temporarily disabled. Someone/something at IP address 51.103.24.29 (a Microsoft-managed IPv4 address) noticed this and fired off a brute force script, which ended up making 521525 login attempts, none of which worked. It was stopped when I enabled fail2ban again. The first indication that interesting amounts of things were happening was that the disk I/O LED of the server was blinking a lot. The second indication was the high amount of traffic seen for that specific backend in haproxy. Later I also discovered the actual power use of the server was higher.
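The detection fail2ban does in this setup, reduced to its essentials as an added example (not the post's own fail2ban filter): a regex that plays the role of a failregex on haproxy HTTP log lines, and a sliding window equivalent to fail2ban's findtime/maxretry. The log lines are constructed in haproxy's default HTTP log format; the client address is the one named above, the backend name and timings are made up.

```python
# Added example: fail2ban-style detection of WordPress login brute forcing in
# haproxy HTTP log lines. Not part of the original post.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in haproxy's default HTTP log format. The source address
# is the one named in the post; backend, timings and byte counts are invented.
SAMPLE_LOG = """\
Oct 13 10:00:00 conway haproxy[2048]: 51.103.24.29:50001 [13/Oct/2021:10:00:00.010] https~ wordpress/web1 0/0/1/40/41 200 3120 - - ---- 2/2/0/0/0 0/0 "POST /wp-login.php HTTP/1.1"
Oct 13 10:00:00 conway haproxy[2048]: 51.103.24.29:50002 [13/Oct/2021:10:00:00.210] https~ wordpress/web1 0/0/1/38/39 200 3120 - - ---- 2/2/0/0/0 0/0 "POST /wp-login.php HTTP/1.1"
Oct 13 10:00:00 conway haproxy[2048]: 192.0.2.7:40001 [13/Oct/2021:10:00:00.500] https~ wordpress/web1 0/0/1/20/21 200 8812 - - ---- 2/2/0/0/0 0/0 "GET /2021/10/ HTTP/1.1"
Oct 13 10:00:01 conway haproxy[2048]: 51.103.24.29:50003 [13/Oct/2021:10:00:01.010] https~ wordpress/web1 0/0/1/41/42 200 3120 - - ---- 2/2/0/0/0 0/0 "POST /wp-login.php HTTP/1.1"
Oct 13 10:00:01 conway haproxy[2048]: 51.103.24.29:50004 [13/Oct/2021:10:00:01.310] https~ wordpress/web1 0/0/1/39/40 200 3120 - - ---- 2/2/0/0/0 0/0 "POST /xmlrpc.php HTTP/1.1"
Oct 13 10:00:02 conway haproxy[2048]: 51.103.24.29:50005 [13/Oct/2021:10:00:02.010] https~ wordpress/web1 0/0/1/40/41 200 3120 - - ---- 2/2/0/0/0 0/0 "POST /wp-login.php HTTP/1.1"
Oct 13 10:05:00 conway haproxy[2048]: 192.0.2.7:40002 [13/Oct/2021:10:05:00.000] https~ wordpress/web1 0/0/1/45/46 302 0 - - ---- 1/1/0/0/0 0/0 "POST /wp-login.php HTTP/1.1"
"""

# Equivalent of a fail2ban failregex: client address, accept date, request line.
LINE_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[0-9a-fA-F.:]+):\d+ \[(?P<date>[^\]]+)\] .*?'
    r'"(?P<method>[A-Z]+) (?P<path>\S+) '
)
# xmlrpc.php is included because it accepts credentials too and is the usual
# fallback when wp-login.php is rate limited.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

def login_attempts(log_text):
    """Yield (timestamp, ip) for every POST to a WordPress login endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] not in LOGIN_PATHS:
            continue
        yield datetime.strptime(m["date"], "%d/%b/%Y:%H:%M:%S.%f"), m["ip"]

def offenders(log_text, maxretry=5, findtime=600):
    """Return {ip: time it first reached maxretry attempts within findtime
    seconds}, mirroring fail2ban's sliding window."""
    window = defaultdict(deque)
    banned = {}
    for ts, ip in login_attempts(log_text):
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

Note that haproxy logs the request regardless of whether the login succeeded, so this counts attempts, not failures; that is the right measure for a brute force (the single POST from 192.0.2.7 is a normal login and stays under the threshold), and it is why a ban based on the proxy log fires even when the backend is too busy to answer.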
2021-10-09 A long bitcoin extortion scam
This time the scammer/fraudster/criminal tries using a lot of text to convince victims to pay bitcoins, using bitcoin address bc1qtzqgwqe3cd4cnv26vawxvfg3kr09r0jv53p8nw, where the lookup shows this one is already known and no money has been lost. A bit of a sample, showing that the scammer has some imagination and a good grasp of English:

During the pandemic outbreak a lot of providers have faced difficulties in maintaining a huge number of staff in their offices and so they have decided to use outsourcing instead. While working remotely from home, I have got unlimited abilities to access the user databases. I can easily decrypt passwords of users, access their chat history and online traffic with help of cookie-files. I have decided to analyse users traffic related to adult websites and adult content. My spyware functions as a driver. Hence, I can fully control your device and have access to your microphone, camera, cursor and set of symbols. Generally speaking, your device is some sort of my remote PC. Since this spyware is driver-based, then I can constantly update its signatures, so that no antivirus can detect it. While digging through your hard drive, I have saved your entire contact list, social media access, chat history and media files.

Earlier items about bitcoin extortion scams: Earlier, earlier, earlier, earlier, earlier, earlier, earlier (although I think bitcoin is generally a really bad idea and a huge scam).

Update 2021-10-13: As not enough money is coming into this wallet, the scammer tries again. Same address, now demanding an amount equivalent to $1150 (US dollars). As the mail comes from some random ISP in Chile, I think the criminal is somewhere else on this planet.
2021-10-08 On the trail of the scammer/spammer
A fairly standard fake mail, already known at the fraudehelpdesk: Diverse onderwerpen Klik op “Lees meer” - fraudehelpdesk.nl
Dear Sir/Madam, There is a document in your Berichtenbox from Belastingsamenwerking Gemeenten en Waterschappen. Go to [1]MijnOverheid to view the message. You may need to take action in response to this message, so read it in time. Kind regards, MijnOverheid Logo Rijksoverheid Technical maintenance Berichtenbox app Due to technical maintenance it is currently not possible to read the message directly via the Berichtenbox. Therefore view the message directly via your web browser.
The URL trail:
- hxxps://t.co/Fpu3LOuf9Y
- hxxps://u.nu/SOGTH
- hxxps://tinee.link/ZJJeb
- hxxps://ukrijgtterug2020.xyz/
Not entirely unexpectedly, this domain was registered today:

Domain Name: UKRIJGTTERUG2020.XYZ
Registry Domain ID: D253685109-CNIC
Updated Date: 2021-10-08T10:58:04.0Z
Creation Date: 2021-10-08T10:44:42.0Z
Registry Expiry Date: 2022-10-08T23:59:59.0Z

The site sits behind Cloudflare IP addresses, so the certificate at https://crt.sh/?id=5375183746 does not say much either, and the site behind it is not responding at the moment, so I get a nice Cloudflare error message.
2021-10-07 Adding security headers to websites I develop and run
As someone interested in security I'm also busy securing the websites I develop and run. I'm looking at Content-Security-Policy headers and I notice those seem 'easier' for sites that have one task and one source of development, like Camp Wireless, and somewhat harder for sites that have collected pages/scripts/materials over the years, like idefix.net. Although Camp Wireless can carry advertising, which suddenly turns the whole thing around, since advertising scripts load other advertising scripts completely dynamically. Searching for 'google adwords' and 'Content-Security-Policy' gave me Can Content Security Policy be made compatible with Google Analytics and AdSense? and the answer seems to be either "no" or "with a lot of work which you have to keep updating".

Update: I temporarily added a Content-Security-Policy-Report-Only header to get an idea of what kind of problems I will run into (with my own reporting backend). A lot of them. All inline javascript is suddenly a problem. So a 'fully secured' Content Security Policy header is already hard for single task, single source websites, let alone websites with a lot of history in their pages.
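The "a lot of them" problem is mostly one of triage: hundreds of reports usually collapse into a few distinct policy changes. As an added example (not the post's own reporting backend), the script below parses the report bodies a report-uri endpoint receives and counts violations per directive and blocked origin, so every script an ad network loads shows up once under that network's origin and all inline script hits land under 'inline', where the fix is a nonce or hash rather than an allowed origin. The reports are constructed for the example; the site names are illustrative. A public reporting endpoint gets arbitrary POSTs, so malformed bodies are dropped rather than trusted.

```python
# Added example: aggregate Content-Security-Policy violation reports by
# directive and blocked origin. Not part of the original post.
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed reports in the application/csp-report body format that a
# report-uri endpoint receives. Site and ad network names are illustrative.
POLICY = "default-src 'self'; report-uri /csp-report"
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://www.camp-wireless.org/",
        "violated-directive": "script-src-elem", "blocked-uri": "inline",
        "source-file": "https://www.camp-wireless.org/", "line-number": 42,
        "original-policy": POLICY}}),
    json.dumps({"csp-report": {"document-uri": "https://www.camp-wireless.org/",
        "violated-directive": "script-src-elem", "blocked-uri": "inline",
        "source-file": "https://www.camp-wireless.org/", "line-number": 80,
        "original-policy": POLICY}}),
    json.dumps({"csp-report": {"document-uri": "https://www.camp-wireless.org/search",
        "violated-directive": "script-src-elem",
        "blocked-uri": "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js",
        "original-policy": POLICY}}),
    json.dumps({"csp-report": {"document-uri": "https://www.camp-wireless.org/search",
        "violated-directive": "frame-src",
        "blocked-uri": "https://googleads.g.doubleclick.net/pagead/ads",
        "original-policy": POLICY}}),
    "not json at all",          # junk a public endpoint will receive
    '{"csp-report": 5}',        # well-formed JSON, wrong shape
]

def parse_report(body):
    """Return the inner csp-report dict, or None for anything malformed."""
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):
        return None
    if not isinstance(report, dict) or "violated-directive" not in report:
        return None
    return report

def blocked_origin(blocked_uri):
    """Reduce an http(s) URL to its origin; keep values like 'inline', 'eval'
    or 'data' as they are, since they name a kind of source, not a host."""
    parts = urlsplit(blocked_uri)
    if parts.scheme in ("http", "https"):
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri

def summarize(bodies):
    """Count violations per (directive, origin). Older browsers send the whole
    directive ("script-src 'self'") in violated-directive, hence split()[0]."""
    counts = Counter()
    for body in bodies:
        r = parse_report(body)
        if r is None:
            continue
        directive = r["violated-directive"].split()[0]
        counts[(directive, blocked_origin(r.get("blocked-uri", "")))] += 1
    return counts

if __name__ == "__main__":
    for (directive, origin), n in summarize(SAMPLE_REPORTS).most_common():
        print(f"{n:4d}  {directive:16s} {origin}")
```

On the constructed input the summary is two inline script hits on the front page, one ad script origin and one ad frame origin: three decisions, not four reports. The same grouping over real traffic also separates what the site itself needs from browser extensions and injected content, which generate violation reports the policy cannot and should not try to accommodate.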