News items for tag english - Koos van den Hout

2021-10-22 Naming interfaces used by libvirt virtual machines
The homeserver conway has an ever-growing list of network interfaces, partly due to adding a DMZ network.

This was starting to look a bit messy, with things like:
koos@conway:~$ /sbin/brctl show brwireless
bridge name     bridge id               STP enabled     interfaces
brwireless              8000.4ccc6a8efa4b       no              enp10s0.3
                                                        vnet2
                                                        vnet9
Solution: name the interfaces in the VM definitions, like:
    <interface type='bridge'>
      <source bridge='brdmz'/>
      <target dev='dmz-minsky'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
And now names are more logical:
koos@conway:~$ /sbin/brctl show brdmz
bridge name     bridge id               STP enabled     interfaces
brdmz           8000.4ccc6a8efa4b       no              dmz-minsky
                                                        enp10s0.11

2021-10-18 Securing the home network: a separate DMZ network
I have a lot of control over the software that runs on systems at home but there are limits to what I can fix and sometimes things are insecure.

Things like the recent wordpress brute force attacks show that random 'loud' attackers who don't care about the chance of getting noticed will try. I sometimes do worry about the silent and more targeted attackers.

So recently I updated my home network and I now have a DMZ network. At this moment it is a purely virtual network as it doesn't leave the KVM server. Hosts in the DMZ have a default-deny firewall policy to the other inside networks. Specific services on specific hosts have been enabled.

I first moved the development webserver, which allowed me to tune those firewall rules and fix some other errors.

Now other webservers and other servers offering things to the outside world have moved.
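As an added illustration (not the author's actual firewall), an nftables ruleset for the KVM host implementing the policy described above: default deny from the DMZ towards the inside networks, with a few specific services on specific hosts allowed. It assumes the host routes between the bridges, that the inside networks are the bridges brinside (assumed name) and brwireless, and uses documentation addresses in place of real hosts.

```nft
#!/usr/sbin/nft -f
# Added example, not the author's ruleset. Assumed bridge names: brdmz for the DMZ,
# brinside (assumed) and brwireless for inside networks; 192.0.2.x are documentation
# addresses standing in for real hosts.
define INSIDE = { "brinside", "brwireless" }
define DMZ_WEB = 192.0.2.20      # webserver living in the DMZ
define DB_HOST = 192.0.2.10      # database server on the inside network
define RESOLVER = 192.0.2.1      # inside DNS resolver

table inet dmz {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # replies belonging to connections that were already allowed
        ct state established,related accept
        ct state invalid drop

        # inside -> DMZ: management and the services the DMZ hosts offer (tighten to taste)
        iifname $INSIDE oifname "brdmz" accept

        # DMZ -> inside: default deny, only the exceptions in dmz_to_inside
        iifname "brdmz" oifname $INSIDE jump dmz_to_inside

        # DMZ -> anything else (the Internet via the router) is allowed
        iifname "brdmz" accept
    }

    chain dmz_to_inside {
        # specific services on specific hosts, nothing else
        ip saddr $DMZ_WEB ip daddr $DB_HOST tcp dport 3306 accept
        ip daddr $RESOLVER udp dport 53 accept
        ip daddr $RESOLVER tcp dport 53 accept
        # everything else from the DMZ towards inside: log it, then drop
        log prefix "dmz-to-inside denied: " drop
    }
}
```

The log line makes the tuning step the post mentions visible: every DMZ host that still needs something on the inside shows up in the kernel log instead of failing silently.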

2021-10-17 New countries in amateur radio and enjoying 10 meter openings
I am sitting behind the radio running FT8 on the 10 meter band and it's open in some interesting directions. According to PSK reporter my signals have been received in India(!) but I haven't made any contacts to India on 10 meters. The interesting contacts I have made on 10 meters were a few new countries on that band: South Africa, Swaziland, Lebanon and Georgia.

Earlier Swaziland was completely new for me thanks to the 3DA0RU DXpedition visiting there. I also got the DXpedition to Sao Tome & Principe in the log: S9OK.

2021-10-13 Wordpress brute force attacks
[Image: graph of wordpress https requests showing the brute force attack]

The wordpress blog software is a popular target for attacks. I normally have fail2ban running with some rules to detect bad things on sites behind haproxy, but due to some other work on the firewall rules I had fail2ban temporarily disabled.

Someone/something at IP address 51.103.24.29 (a Microsoft-managed IPv4 address) noticed this and fired off a brute force script which ended up making 521525 attempts at logging in, none of which worked. It was stopped when I enabled fail2ban again.

The first indication of interesting amounts of things happening was that the disk I/O LED of the server was blinking a lot. The second indication was the large amount of traffic seen for the specific backend in haproxy.

Later I also discovered the actual power use of the server was higher.
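As an added example (not the author's fail2ban configuration), the detection a fail2ban-style rule performs on haproxy logs, reduced to a few lines of Python: count POSTs to wp-login.php per client within a sliding time window and flag clients that exceed a threshold. It assumes the frontend logs in haproxy's default httplog format and runs over constructed sample lines built around the address named in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches haproxy's default "httplog" line format (assumption: the frontend logs
# in that format; adjust the pattern for a custom log-format).
HAPROXY_HTTP = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ \[(?P<ts>[^\]]+)\] \S+ \S+ \S+ '
    r'(?P<status>\d{3}) \d+ \S+ \S+ \S+ \S+ \S+ "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)

def find_bruteforcers(lines, window=600, maxretry=20):
    """Return {ip: peak_count} for clients with more than `maxretry` POSTs to
    wp-login.php inside any sliding window of `window` seconds (the same idea
    as a fail2ban filter with findtime/maxretry)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = {}
    for line in lines:
        m = HAPROXY_HTTP.search(line)
        if not m or m['method'] != 'POST' or not m['path'].startswith('/wp-login.php'):
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S.%f')
        q = recent[m['ip']]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # forget attempts outside the window
            q.popleft()
        if len(q) > maxretry:
            flagged[m['ip']] = max(flagged.get(m['ip'], 0), len(q))
    return flagged

def _line(ip, ts, method, path, status):
    """Build one constructed haproxy log line in the default httplog format."""
    return (f'Oct 13 10:00:00 conway haproxy[1234]: {ip}:51234 [{ts}] fe_https~ '
            f'be_wordpress/wp1 0/0/1/20/21 {status} 1234 - - ---- 3/3/1/1/0 0/0 '
            f'"{method} {path} HTTP/1.1"')

# Constructed sample: 25 login POSTs one second apart from the address seen in the
# post, plus a normal visitor who loads the login page once and logs in once.
SAMPLE_LOG = [_line('51.103.24.29', f'13/Oct/2021:10:00:{i:02d}.000', 'POST', '/wp-login.php', 200)
              for i in range(25)]
SAMPLE_LOG += [_line('198.51.100.7', '13/Oct/2021:10:00:30.000', 'GET', '/wp-login.php', 200),
               _line('198.51.100.7', '13/Oct/2021:10:00:31.000', 'POST', '/wp-login.php', 302)]

if __name__ == '__main__':
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f'{ip}: {n} login attempts within the window')
```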

2021-10-09 A long bitcoin extortion scam
[Image: Cybercriminal]

This time the scammer / fraud / criminal tries using a lot of text to convince victims to pay bitcoins.

Using bitcoin address bc1qtzqgwqe3cd4cnv26vawxvfg3kr09r0jv53p8nw, which shows this one is already known and no money has been lost.

A bit of a sample, showing that the scammer has some imagination and a good grasp of English:
During the pandemic outbreak a lot of providers have faced difficulties in
maintaining a huge number of staff in their offices and so they have decided to
use outsourcing instead.
While working remotely from home, I have got unlimited abilities to access the
user databases.

I can easily decrypt passwords of users, access their chat history and online
traffic with help of cookie-files.
I have decided to analyse users traffic related to adult websites and adult
content.

My spyware functions as a driver. Hence, I can fully control your device and
have access to your microphone, camera, cursor and set of symbols.
Generally speaking, your device is some sort of my remote PC.
Since this spyware is driver-based, then I can constantly update its
signatures, so that no antivirus can detect it.
While digging through your hard drive, I have saved your entire contact list,
social media access, chat history and media files.
Earlier items about bitcoin extortion scams: Earlier, earlier, earlier, earlier, earlier, earlier, earlier (although I think bitcoin is generally a really bad idea and a huge scam)

Update 2021-10-13: As not enough money is coming into this wallet the scammer tries again. Same address, demanding an amount equivalent to $1150 (US dollars). As the mail comes from some random ISP in Chile I think the criminal is somewhere else on this planet.

2021-10-07 Adding security headers to websites I develop and run
As someone interested in security I'm also busy with securing the websites I develop and run. I'm looking at Content-Security-Policy headers and I notice those seem 'easier' for sites that have one task and one source of development like Camp Wireless and somewhat harder for sites that collect pages/scripts/materials over the years like idefix.net.

Although Camp Wireless can have some advertising, which suddenly turns the whole thing around since advertising scripts can load other advertising scripts completely dynamically. Searching for 'google adwords' and 'Content-Security-Policy' gave me "Can Content Security Policy be made compatible with Google Analytics and AdSense?" and the answer seems to be either "no" or "with a lot of work which you have to keep updating".

Update: I temporarily added a Content-Security-Policy-Report-Only directive to get an idea what kind of problems I will run into (with my own reporting backend). A lot of them. All inline javascript is suddenly a problem. So a 'fully secured' Content Security Policy header is already hard for single task, single source websites, let alone websites with a lot of history in the pages.
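As an added example (not the author's reporting backend), the core of a Content-Security-Policy-Report-Only collector: parse the JSON bodies a browser POSTs to the report-uri endpoint, tolerate garbage, count violations per directive and blocked source, and list where the inline scripts are. It assumes the classic report-uri JSON format (a "csp-report" object); the sample reports are constructed, with example.net standing in for the site and ads.example for an advertising host.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

def classify(blocked_uri):
    """Reduce blocked-uri to something countable: 'inline', 'eval', or an origin."""
    if blocked_uri in ('inline', 'eval', 'data', 'blob', ''):
        return blocked_uri or 'unknown'
    u = urlsplit(blocked_uri)
    return f'{u.scheme}://{u.netloc}' if u.netloc else blocked_uri

def parse_report(body):
    """Parse one POST body in the report-uri JSON format; ValueError if malformed."""
    data = json.loads(body)
    report = data.get('csp-report') if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError('no csp-report object')
    directive = report.get('effective-directive') or report.get('violated-directive', '').split(' ')[0]
    return {'directive': directive, 'blocked': classify(report.get('blocked-uri', '')),
            'source': report.get('source-file', ''), 'line': report.get('line-number')}

def parsed(bodies):
    """Yield parsed reports, skipping malformed bodies (JSONDecodeError is a ValueError)."""
    for body in bodies:
        try:
            yield parse_report(body)
        except ValueError:
            pass

def summarize(bodies):
    """Count violations per (directive, blocked source)."""
    return Counter((r['directive'], r['blocked']) for r in parsed(bodies))

def inline_script_locations(bodies):
    """Pages and line numbers with inline scripts, i.e. what has to move to external files."""
    return sorted({(r['source'], r['line']) for r in parsed(bodies)
                   if r['directive'] == 'script-src' and r['blocked'] == 'inline'})

def _report(directive, blocked, source, line):   # builds one constructed report body
    return json.dumps({'csp-report': {'document-uri': source, 'effective-directive': directive,
                       'violated-directive': directive, 'blocked-uri': blocked,
                       'source-file': source, 'line-number': line}})

# Constructed samples: inline scripts on two pages, an inline style, a script from an
# assumed advertising host, and one garbage POST that a collector must tolerate.
SAMPLE_REPORTS = [_report('script-src', 'inline', 'https://www.example.net/', 42),
                  _report('script-src', 'inline', 'https://www.example.net/', 42),
                  _report('script-src', 'inline', 'https://www.example.net/search', 17),
                  _report('style-src', 'inline', 'https://www.example.net/', 8),
                  _report('script-src', 'https://ads.example/show.js?id=1', 'https://www.example.net/', 60),
                  'not json at all']
```

Run over real reports, summarize() shows quickly which directives hurt most; since the inline entries dominate on sites with history, nonces or moving scripts to files is usually the first job.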

2021-09-30 Seeing the expiry of the old LetsEncrypt chain happen
The 'moment of truth' for LetsEncrypt: the end of the validity of the root certificate that was used to kickstart LetsEncrypt before they got their own root certificate in (most) certificate stores.

I notice openssl is still showing the old chain (but not the expired intermediate):
---
Certificate chain
 0 s:CN = koos.idefix.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Which is interesting as the ISRG Root X1 is also in the root store. But it's also cross-signed to the DST Root CA.

Checking the verification steps (and not the chain as given out by the server) gives the new path already:
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = koos.idefix.net
verify return:1
This is a subtle but important difference.

Only hours left until the DST Root expires:
$ openssl x509 -in DST_Root_CA_X3.crt -noout -enddate
notAfter=Sep 30 14:01:15 2021 GMT
If services break after 14:01:15 GMT (UTC) today you're not working according to best practices (replacing the certificate chain with every certificate replacement) or you have old clients.

Slight update: I requested a new LetsEncrypt certificate for a service after 14:01:15 GMT (UTC) and it still has the certificate chain with cross-certification to DST Root CA X3:
---
Certificate chain
 0 s:CN = koos.idefix.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
The verification steps are as above.
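As an added example (not the author's tooling), a small checker for the difference the post describes: parse the "Certificate chain" block that openssl s_client prints, confirm each certificate is issued by the next one, and flag whether the served chain still leads to DST Root CA X3, next to a parser for the notAfter line from openssl x509 -enddate. The chain text is the one quoted above; the shorter alternative chain is constructed.

```python
import re
from datetime import datetime, timezone

# Sample input: the "Certificate chain" block from the openssl output quoted above.
SERVED_CHAIN = """---
Certificate chain
 0 s:CN = koos.idefix.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
# Constructed alternative: the same leaf served without the cross-signed ISRG Root X1,
# so the served chain stops at R3 and verification ends at the root in the client's store.
SHORT_CHAIN = SERVED_CHAIN.split(' 2 s:')[0] + '---\n'

def parse_chain(text):
    """Return [(subject, issuer), ...] in served order from the 'Certificate chain' block."""
    subjects = re.findall(r'^\s*\d+ s:(.*)$', text, re.M)
    issuers = re.findall(r'^\s+i:(.*)$', text, re.M)
    if len(subjects) != len(issuers):
        raise ValueError('unbalanced s:/i: lines')
    return list(zip(subjects, issuers))

def is_linked(chain):
    """Each certificate in the served chain must be issued by the next one."""
    return all(chain[n][1] == chain[n + 1][0] for n in range(len(chain) - 1))

def serves_cross_sign(chain, old_root='DST Root CA X3'):
    """True when the served chain still leads to the old root, as in the post."""
    return any(old_root in issuer for _, issuer in chain)

def parse_not_after(line):
    """Parse the 'notAfter=Sep 30 14:01:15 2021 GMT' line from openssl x509 -enddate."""
    value = line.split('=', 1)[1].strip()
    return datetime.strptime(value, '%b %d %H:%M:%S %Y GMT').replace(tzinfo=timezone.utc)

def chain_is_expired(chain, not_after_line, now):
    """Does the served chain rely on the old root whose notAfter line lies before `now`?"""
    return serves_cross_sign(chain) and parse_not_after(not_after_line) <= now

if __name__ == '__main__':
    chain = parse_chain(SERVED_CHAIN)
    print('linked:', is_linked(chain), '| leads to DST Root CA X3:', serves_cross_sign(chain))
```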

2021-09-28 Debugging a systemd issue .. without having to curse
Today I ran into an issue related to systemd and I decided to try to fix it without too much cursing. The result was a number of Google searches ending up on unix.stackexchange.com, but eventually I fixed the problem.

At work we use Splunk for security monitoring and one of the indexers failed to start the Splunk processes after a reboot. On browsing the systemd boot log with journalctl -b -l I discovered that the main issue was that creating files in /opt/splunk failed. This was due to an interesting race condition: Splunk may start as soon as the target network.target has been reached, but mounting /opt over iSCSI also needs network.target to start. So the unit file has been updated to:
[Unit]
Description=Systemd service file for Splunk, generated by 'splunk enable boot-start'
After=network.target opt.mount
The next problem was the systemctl start Splunkd.service failing in some intricate way. I had a look at the logging and saw that it was actually trying to restart the service and failed at killing one of the old processes. It turned out the /opt/splunk/var/run/splunk/splunkd.pid file had old contents and one of the PIDs in that file was now in use by a kernel thread. Those you can't kill, so the restart failed and therefore the service did not start at all. Solution: remove the .pid file.

2021-09-27 I participated in the CQ World Wide RTTY DX Contest
[Image: RTTY Contest on websdr]

Last weekend was the 2021 version of the CQ World Wide RTTY DX Contest and I participated. I had time to participate in a few intervals during the weekend and it helped that it was a 48-hour contest so I could get some more contacts in the log Sunday evening.

In the end I made 151 contacts, a really nice number.

2021-09-23 Phishing with error messages
In the phishing mail today:
   -------- Original Message --------

   Subject: Mail delivery failed: returning message to sender

   From: Mail Delivery System
   Date: 9/23/2021 7:09:49 p.m.

   To: koos@[..]



   This message was created automatically by mail delivery software.



   Some recent messages that you sent could not be delivered to one or
   more of its recipients.
   This is a temporary error tha can be corrected.

   Reporting-MTA: dns;[1]click to retry delivery
   Action: failed
   Status: Queued on server
The 'click to retry' was a link to a phishing site. Nicely copied from a standard mailer error message. Too bad the phishing site doesn't work!

My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.