News items for tag security - Koos van den Hout

IPv6 is growing up: I saw an ssh attempt to an inside machine, reachable only via IPv6. The source was a Chinese IPv6 address which had not tried anything on any other public service.

Jul 30 18:39:02 ritchie sshd[27454]: Bad protocol version identification '\026\003\001' from 240e:d9:d800:200::212 port 44926

A month later I'm still seeing SMTP floods from 185.222.211.11 and adjacent addresses. I activated the sendmail-reject filter ruleset in fail2ban which keeps several addresses in that range blocked most of the time.

Given reports like 185.222.211.238 | Cloud Core LP | AbuseIPDB and 185.222.211.243 | Cloud Core LP | AbuseIPDB I'm not the only one seeing abuse from this range.

I was looking at the options for implementing DNSSEC on the domains I have, and started doing this on a domain name that is just used for web redirects, so I won't break anything serious when I make an error. And I am looking at monitoring options at the same time.

Looking for usable documentation I found DNSSEC signatures in BIND named - sidn.nl which shows and explains a lot of the options for doing this with bind9, including full automation. I want to take steps I understand, so I will start with careful minimal automation on a domain name that I can 'break'.

Following that documentation I created a key-signing key (KSK) and a zone-signing key (ZSK). I used the /etc/bind/keys directory which is the standard location.

The first dnssec-signzone action took 54 minutes. After waiting for a bit I started wondering what was happening and it turned out to be a problem with entropy: the signing uses a lot of data from /dev/random. I have the virtio-rng module loaded but the host wasn't making randomness available to the guest operating system. The host server does run randomsound to get more entropy since there is no hardware random number generator available.

Documentation on how to 'forward' randomness from the host to the client virtual machine: Random number generator device - Domain XML format

So I did some tests with a test virtual machine with a similar configuration. The results:

• Just software kernel rng in the virtual machine: 54 minutes.
• Offering virtio-rng randomness from the host from /dev/urandom running randomsound: less than 1 second.
• Offering virtio-rng randomness from the host from /dev/random running randomsound: 11 minutes 10 seconds.
• Offering virtio-rng randomness from the host from /dev/random running randomsound and haveged: less than 1 second.

Installing haveged which gathers entropy from hardware processes fixes the whole problem.

Now to implement the same settings for the virtual machine running the production nameserver and I'll be able to take the next step.

I noticed a really big load of probes for names under idefix.net, maybe looking for possible ways to attack systems. Source is a resolver at a VPS hoster (linode). I can find websites that will do such a search for me (some even hosted at linode) but in a quick search I can't get the same pattern in names.

30-Jun-2019 03:53:24.538 client @0x7f578c0c7230 45.33.59.87#11197 (sync.idefix.net): query: sync.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.539 client @0x7f578c0c7230 45.33.59.87#9151 (bugzilla.idefix.net): query: bugzilla.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.540 client @0x7f578c0c7230 45.33.59.87#64181 (mailgw.idefix.net): query: mailgw.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.540 client @0x7f578c0c7230 45.33.59.87#46518 (se.idefix.net): query: se.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.542 client @0x7f578c0c7230 45.33.59.87#31554 (tw.idefix.net): query: tw.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.544 client @0x7f578c0c7230 45.33.59.87#56050 (origin-www.idefix.net): query: origin-www.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.547 client @0x7f578c0c7230 45.33.59.87#24795 (bugzilla.idefix.net): query: bugzilla.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.558 client @0x7f578c0c7230 45.33.59.87#60127 (log.idefix.net): query: log.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.564 client @0x7f578c0c7230 45.33.59.87#16816 (reseller.idefix.net): query: reseller.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.564 client @0x7f578c0c7230 45.33.59.87#46743 (cdn3.idefix.net): query: cdn3.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.567 client @0x7f578c0c7230 45.33.59.87#15593 (books.idefix.net): query: books.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.568 client @0x7f578c0c7230 45.33.59.87#23918 (adv.idefix.net): query: adv.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.570 client @0x7f578c0c7230 45.33.59.87#24503 (srv1.idefix.net): query: srv1.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.570 client @0x7f578c0c7230 45.33.59.87#20759 (cacti.idefix.net): query: cacti.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.571 client @0x7f578c0c7230 45.33.59.87#62846 (developer.idefix.net): query: developer.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.571 client @0x7f578c0c7230 45.33.59.87#40156 (delta.idefix.net): query: delta.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.571 client @0x7f578c0c7230 45.33.59.87#42375 (logs.idefix.net): query: logs.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.571 client @0x7f578c0c7230 45.33.59.87#25727 (delta.idefix.net): query: delta.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.572 client @0x7f578c0c7230 45.33.59.87#19060 (wpad.idefix.net): query: wpad.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.572 client @0x7f578c0c7230 45.33.59.87#63258 (katalog.idefix.net): query: katalog.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.572 client @0x7f578c0c7230 45.33.59.87#35848 (ftp3.idefix.net): query: ftp3.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.574 client @0x7f578c0c7230 45.33.59.87#50079 (archives.idefix.net): query: archives.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.575 client @0x7f578c0c7230 45.33.59.87#18507 (pg.idefix.net): query: pg.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.577 client @0x7f578c0c7230 45.33.59.87#62479 (manager.idefix.net): query: manager.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.577 client @0x7f578c0c7230 45.33.59.87#41830 (wwwtest.idefix.net): query: wwwtest.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.578 client @0x7f578c0c7230 45.33.59.87#14914 (ocs.idefix.net): query: ocs.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.581 client @0x7f578c0c7230 45.33.59.87#25754 (auction.idefix.net): query: auction.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.582 client @0x7f578c0c7230 45.33.59.87#42057 (students.idefix.net): query: students.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.729 client @0x7f578c0c7230 45.33.59.87#63617 (gosper.idefix.net): query: gosper.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.866 client @0x7f578c4feb30 45.33.59.87#57706 (books.idefix.net): query: books.idefix.net IN A -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:24.870 client @0x7f578c0d59c0 45.33.59.87#57714 (delta.idefix.net): query: delta.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:24.872 client @0x7f578c51d780 45.33.59.87#57718 (delta.idefix.net): query: delta.idefix.net IN A -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:24.874 client @0x7f578c0d59c0 45.33.59.87#57722 (archives.idefix.net): query: archives.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:24.874 client @0x7f578c4feb30 45.33.59.87#57726 (wwwtest.idefix.net): query: wwwtest.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:24.875 client @0x7f578c52bda0 45.33.59.87#57728 (auction.idefix.net): query: auction.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:24.876 client @0x7f578c51d780 45.33.59.87#57708 (katalog.idefix.net): query: katalog.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:24.879 client @0x7f578c0d59c0 45.33.59.87#57712 (srv1.idefix.net): query: srv1.idefix.net IN A -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:24.943 client @0x7f578c0c7230 45.33.59.87#50168 (wpad.idefix.net): query: wpad.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.945 client @0x7f578c0c7230 45.33.59.87#59186 (cacti.idefix.net): query: cacti.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.947 client @0x7f578c0c7230 45.33.59.87#30509 (ftp3.idefix.net): query: ftp3.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.948 client @0x7f578c0c7230 45.33.59.87#25611 (manager.idefix.net): query: manager.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.948 client @0x7f578c0c7230 45.33.59.87#53201 (adv.idefix.net): query: adv.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.950 client @0x7f578c0c7230 45.33.59.87#25331 (students.idefix.net): query: students.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.954 client @0x7f578c0c7230 45.33.59.87#44043 (logs.idefix.net): query: logs.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:24.954 client @0x7f578c0c7230 45.33.59.87#9075 (ocs.idefix.net): query: ocs.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.236 client @0x7f578c4feb30 45.33.59.87#57748 (wpad.idefix.net): query: wpad.idefix.net IN A -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.245 client @0x7f578c52bda0 45.33.59.87#57752 (adv.idefix.net): query: adv.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.250 client @0x7f578c51d780 45.33.59.87#57750 (ftp3.idefix.net): query: ftp3.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.257 client @0x7f578c0c7230 45.33.59.87#46992 (katalog.idefix.net): query: katalog.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.259 client @0x7f578c0d59c0 45.33.59.87#57754 (logs.idefix.net): query: logs.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.263 client @0x7f578c0c7230 45.33.59.87#50662 (ns9.idefix.net): query: ns9.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.264 client @0x7f578c0c7230 45.33.59.87#23392 (eu.idefix.net): query: eu.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.271 client @0x7f578c0c7230 45.33.59.87#62305 (app2.idefix.net): query: app2.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.293 client @0x7f578c0c7230 45.33.48.143#45998 (sam.idefix.net): query: sam.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.293 client @0x7f578c0c7230 45.33.59.87#43255 (banners.idefix.net): query: banners.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.299 client @0x7f578c0c7230 45.33.59.87#29869 (click.idefix.net): query: click.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.302 client @0x7f578c0c7230 45.33.59.87#36595 (customer.idefix.net): query: customer.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.322 client @0x7f578c0c7230 45.33.59.87#6272 (cgi.idefix.net): query: cgi.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.327 client @0x7f578c0c7230 45.33.59.87#23561 (awstats.idefix.net): query: awstats.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.331 client @0x7f578c0c7230 45.33.59.87#58477 (wwwtest.idefix.net): query: wwwtest.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.334 client @0x7f578c0c7230 45.33.59.87#12998 (cgi.idefix.net): query: cgi.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.335 client @0x7f578c0c7230 45.33.59.87#41654 (meeting.idefix.net): query: meeting.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.335 client @0x7f578c0c7230 45.33.59.87#36692 (hd.idefix.net): query: hd.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.337 client @0x7f578c0c7230 45.33.59.87#52048 (webapps.idefix.net): query: webapps.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.471 client @0x7f578c0c7230 45.33.59.87#11817 (ns9.idefix.net): query: ns9.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.479 client @0x7f578c0c7230 45.33.59.87#40723 (webgreenblatt.idefix.net): query: webgreenblatt.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.481 client @0x7f578c0c7230 45.33.59.87#57833 (app2.idefix.net): query: app2.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.499 client @0x7f578c0c7230 45.33.59.87#26285 (click.idefix.net): query: click.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.525 client @0x7f578c0c7230 45.33.59.87#51562 (cgi.idefix.net): query: cgi.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.533 client @0x7f578c0c7230 45.33.59.87#32101 (wwwtest.idefix.net): query: wwwtest.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.534 client @0x7f578c0c7230 45.33.59.87#36210 (meeting.idefix.net): query: meeting.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.543 client @0x7f578c0c7230 45.33.59.87#57693 (webapps.idefix.net): query: webapps.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.568 client @0x7f578c53a3c0 45.33.59.87#57768 (katalog.idefix.net): query: katalog.idefix.net IN A -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.569 client @0x7f578c565900 45.33.59.87#57772 (eu.idefix.net): query: eu.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.598 client @0x7f578c557170 45.33.59.87#57776 (banners.idefix.net): query: banners.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.617 client @0x7f578c590fb0 45.33.59.87#57780 (customer.idefix.net): query: customer.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.620 client @0x7f578c52bda0 45.33.59.87#57782 (awstats.idefix.net): query: awstats.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.630 client @0x7f578c0d59c0 45.33.59.87#57790 (hd.idefix.net): query: hd.idefix.net IN A -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.637 client @0x7f578c5489e0 45.33.59.87#57788 (cgi.idefix.net): query: cgi.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.664 client @0x7f578c0c7230 45.33.59.87#35680 (app2.idefix.net): query: app2.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.765 client @0x7f578c582820 45.33.59.87#57800 (ns9.idefix.net): query: ns9.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.786 client @0x7f578c0c7230 45.33.59.87#59047 (sk.idefix.net): query: sk.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.805 client @0x7f578c565900 45.33.59.87#57802 (click.idefix.net): query: click.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.825 client @0x7f578c590fb0 45.33.59.87#57804 (wwwtest.idefix.net): query: wwwtest.idefix.net IN A -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.840 client @0x7f578c0c7230 45.33.59.87#6873 (app2.idefix.net): query: app2.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.843 client @0x7f578c0c7230 45.33.49.87#39819 (img4.idefix.net): query: img4.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.848 client @0x7f578c0c7230 45.33.49.87#35699 (registration.idefix.net): query: registration.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:25.856 client @0x7f578c0d59c0 45.33.59.87#57806 (webapps.idefix.net): query: webapps.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:25.942 client @0x7f578c0c7230 45.33.49.87#49819 (registration.idefix.net): query: registration.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:26.081 client @0x7f578c51d780 45.33.59.87#57816 (sk.idefix.net): query: sk.idefix.net IN AAAA -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:26.288 client @0x7f578c0c7230 45.33.59.87#49749 (meeting.idefix.net): query: meeting.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:26.309 client @0x7f578c0c7230 45.33.59.87#57344 (ocs.idefix.net): query: ocs.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:26.399 client @0x7f578c0c7230 45.33.59.87#44649 (develop.idefix.net): query: develop.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:26.583 client @0x7f578c50d150 45.33.59.87#57826 (meeting.idefix.net): query: meeting.idefix.net IN A -E(0)TDC (194.145.201.42)
30-Jun-2019 03:53:26.634 client @0x7f578c0c7230 45.33.49.87#9259 (ares.idefix.net): query: ares.idefix.net IN AAAA -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:26.662 client @0x7f578c0c7230 45.33.59.87#9440 (ocs.idefix.net): query: ocs.idefix.net IN A -E(0)DC (194.145.201.42)
30-Jun-2019 03:53:26.694 client @0x7f578c53a3c0 45.33.59.87#57830 (develop.idefix.net): query: develop.idefix.net IN A -E(0)TDC (194.145.201.42)

Checking how fail2ban was doing on a wordpress site I noticed the following error in the log:

46.105.99.163 - - [18/Jun/2019:09:03:46 +0200] "GET /wp-content/plugins/ungallery/source_vuln.php?pic=../../../../../wp-config.php HTTP/1.1" 404 15933 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"

which is never going to work as an exploit. A full explanation in Hackers Will Try To Exploit Vulnerabilities in WordPress Plugins in Ways That Will Never Succeed - Plugin Vulnerabilities but this entire attempt is based on just the description of a vulnerability and can never ever have succeeded, not even on a system with the vulnerable version of the ungallery plugin.

Noticed in the recent logs, lots of variations on:

Jun  6 19:15:41 gosper sm-mta[22475]: x56HFc06022475: <mail@some.domain>... No such user in domain 
Jun  6 19:15:41 gosper sm-mta[22475]: x56HFc06022475: <support@some.domain>... No such user in domain 
Jun  6 19:15:41 gosper sm-mta[22475]: x56HFc06022475: <reply@some.domain>... No such user in domain 
Jun  6 19:15:41 gosper sm-mta[22475]: x56HFc06022475: srv-eml.info [185.222.211.11]: Possible SMTP RCPT flood, throttling.
Jun  6 19:15:41 gosper sm-mta[22466]: x56HFCbH022466: <financeiro@some.domain>... No such user in domain 
Jun  6 19:15:42 gosper sm-mta[22473]: x56HFVoi022473: <biuro@some.domain>... No such user in domain 
Jun  6 19:15:42 gosper sm-mta[22468]: x56HFItg022468: <michael@some.domain>... No such user in domain 
Jun  6 19:15:42 gosper sm-mta[22471]: x56HFPIC022471: <chris@some.domain>... No such user in domain 
Jun  6 19:16:51 gosper sm-mta[22466]: x56HFCbH022466: lost input channel from srv-eml.info [185.222.211.11] to MTA-v6 after rcpt
Jun  6 19:17:16 gosper sm-mta[22475]: x56HFc06022475: <jobs@some.domain>... No such user in domain 
Jun  6 19:17:17 gosper sm-mta[22475]: x56HFc06022475: <wh5gkoxp5wqk@some.domain>... No such user in domain 
Jun  6 19:17:18 gosper sm-mta[22475]: x56HFc06022475: lost input channel from srv-eml.info [185.222.211.11] to MTA-v6 after rcpt
Jun  6 19:17:18 gosper sm-mta[22475]: x56HFc06022475: from=<20tv13b4bu0h2107@europcar.ua>, size=0, class=0, nrcpts=1, proto=ESMTP, daemon=MTA-v6, relay=srv-eml.info [185.222.211.11]

All from the same IP, trying a lot of addresses (and failing), with a retry later trying all those addresses again.

Just seen in an e-mail with a virus, looking like it's something from a bank:

Security tips

1. Install virus detection software and personal firewall on your computer. This software needs to be updated regularly to ensure you have the latest protection.
2. To prevent viruses or other unwanted problems, do not open attachments from unknown or non-trustworthy sources.
3. If you discover any unusual activity, please contact the remitter of this payment as soon as possible. 

But the attachment has malware.

While making a lot of my websites available via HTTPS I started wondering about enabling Server Name Indication (SNI) because the list of hostnames in the one certificate (subjectAltName parameter) keeps growing and they aren't all related.

So on a test system with haproxy I created two separate private keys, two separate certificate signing requests and requested two separate certificates. One for the variants of camp-wireless.org and one for most of the idefix.net names. The whole requesting procedure happened on the system where my automated renewal and deployment of LetsEncrypt certificates with dehydrated happens so the request went fine. For the configuration of haproxy I was following HAProxy SNI where 'terminating SSL on the haproxy with SNI' gets a short mention.

So I implemented the configuration as shown in that document and got greeted with an error:

haproxy[ALERT] 123/155523 (3435) : parsing [/etc/haproxy/haproxy.cfg:86] : 'bind :::443' unknown keyword '/etc/haproxy/ssl/webserver-idefix-main.pem'.

And found out that the crt keyword has to be repeated.

This is why I like having a test environment for things like this. Making errors in the certificate configuration on the 'production' server will give visitors scary and/or incomprehensible errors.

So the right configuration for my test is now:

frontend https-in
    bind :::443 v4v6 ssl crt /etc/haproxy/ssl/webserver-campwireless.pem crt /etc/haproxy/ssl/webserver-idefix-main.pem

And testing it shows the different certificates in use when I use the -servername parameter for openssl s_client to test things.

$ openssl s_client -connect testrouter.idefix.net:443 -servername idefix.net -showcerts -verify 3
..
Server certificate
subject=/CN=idefix.net
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
..
Verification: OK
$ openssl s_client -connect testrouter.idefix.net:443 -servername camp-wireless.org -showcerts -verify 3
..
Server certificate
subject=/CN=www.camp-wireless.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
..
Verification: OK

The certificates are quite separate. Generating the certificate signing requests with a separate private key for each request works fine.

So if I upgrade my certificate management to renew, transport, test and install multiple certificate for the main webserver it would work.

After upgrading to the new homeserver my old setup to allow two passwords for IMAPS logins so I can use a separate password for IMAPS access for those devices that insist on saving a password without asking.

I have the following PAM libraries:

ii  libpam-modules 1.1.8-3.6    amd64        Pluggable Authentication Modules

And I debugged the problem using the pamtester program which makes debugging this problem a lot easier than constantly changing the configuration and restarting the imap server.

The relevant configuration now is:

# PAM configuration file for Courier IMAP daemon

#@include common-auth
# here are the per-package modules (the "Primary" block)
auth    required    pam_succeed_if.so quiet user ingroup users
#auth   [success=1 default=ignore]      pam_unix.so nullok_secure
auth    sufficient      pam_unix.so nullok_secure
auth    sufficient  pam_userdb.so db=/etc/courier/extrausers crypt=crypt use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
@include common-account
@include common-password
@include common-session

And now both my unix login password and the extra password are accepted.

I noticed a lot of entries in my mail logging about aborted smtp transactions

Mar 22 21:04:04 gosper sm-mta[30180]: x2MK437r030180: [193.169.254.68] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:04:58 gosper sm-mta[30229]: x2MK4vv0030229: [185.234.217.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:05:25 gosper sm-mta[30307]: x2MK5Oas030307: [193.169.254.68] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:06:01 gosper sm-mta[30328]: x2MK5xAc030328: [185.234.217.222] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6
Mar 22 21:06:02 gosper sm-mta[30331]: x2MK5xg5030331: [185.222.209.209] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v6

And I wondered what was going on, until I did a capture of the session and had a look:

    1   0.000000 185.234.217.222 → 82.95.196.202 TCP 68 55448 → 25 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
    2   0.000314 82.95.196.202 → 185.234.217.222 TCP 68 25 → 55448 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
    3   0.034751 185.234.217.222 → 82.95.196.202 TCP 56 55448 → 25 [ACK] Seq=1 Ack=1 Win=65536 Len=0
    4   6.038967 82.95.196.202 → 185.234.217.222 SMTP 395 S: 220-gosper.idefix.net ESMTP Sendmail 8.15.2/8.15.2/Debian-8; Fri, 22 Mar 2019 21:00:55 +0100; (No UCE/UBE) | 220-   This is a private SMTP server. | 220-   The use of this or any related system for the transmission of | 220-   Unsollicited Bulk E-mail (UBE) is prohibited. | 220 logging access from: [185.234.217.222](FAIL)-[185.234.217.222]
    5   6.072501 185.234.217.222 → 82.95.196.202 SMTP 76 C: EHLO 82.95.196.202
    6   6.072915 82.95.196.202 → 185.234.217.222 TCP 56 25 → 55448 [ACK] Seq=340 Ack=21 Win=29312 Len=0
    7   6.073011 82.95.196.202 → 185.234.217.222 SMTP 267 S: 250-gosper.idefix.net Hello [185.234.217.222], pleased to meet you | 250-ENHANCEDSTATUSCODES | 250-PIPELINING | 250-EXPN | 250-VERB | 250-8BITMIME | 250-SIZE | 250-DSN | 250-ETRN | 250-STARTTLS | 250-DELIVERBY | 250 HELP
    8   6.106154 185.234.217.222 → 82.95.196.202 SMTP 68 C: AUTH LOGIN
    9   6.106585 82.95.196.202 → 185.234.217.222 SMTP 86 S: 503 5.3.3 AUTH not available
   10   6.141445 185.234.217.222 → 82.95.196.202 TCP 56 55448 → 25 [FIN, ACK] Seq=33 Ack=581 Win=65024 Len=0
   11   6.141775 82.95.196.202 → 185.234.217.222 TCP 56 25 → 55448 [FIN, ACK] Seq=581 Ack=34 Win=29312 Len=0
   12   6.174430 185.234.217.222 → 82.95.196.202 TCP 56 55448 → 25 [ACK] Seq=34 Ack=582 Win=65024 Len=0

Each session starts ESMTP and even with the ESMTP reply not listing AUTH the next command is 'AUTH LOGIN' for authenticated smtp, and as soon as my server denies offering this the session gets aborted. This does mean no failed authentication attempt is logged which would trigger fail2ban.

This does look like a bit of a distributed attack, but without the network remembering that the attack is not going to work in this way and therefore trying it again and again.

Update: IPs active in this scanning attack sofar: 185.234.217.222 193.169.254.68 185.234.219.56 37.49.225.232 185.222.209.202 141.98.80.15 114.207.112.188 185.222.209.209 23.227.207.215 185.211.245.170 141.98.80.17 89.248.171.176 185.211.245.198 164.132.45.117 37.49.225.224 119.176.218.216 103.114.104.175 37.49.225.47 103.207.37.40 37.49.227.49 185.234.219.57

Update 2019-03-24: I noticed the incorrect EHLO above and looked at options for HELO/EHLO checking in sendmail. Searching did not show a lot of options, trying with the $&s delayed s macro did not fire on the given HELO/EHLO. So I kept searching and found the latest sendmail administration guide ('Bat book') with FEATURE(block_bad_helo). I activated this feature to see if it stops some of this traffic.

An interesting bit of news: SSH client gets patched after RSA key exchange memory vuln spotted.

The fixes implemented on PuTTY over the weekend include new features plugging a plethora of vulns in the Telnet and SSH client, most of which were uncovered as part of an EU-sponsored HackerOne bug bounty.

Get your updated putty at the PuTTY download page.

Update: Interesting visual change in putty: informational lines from the client are now prefixed by a putty logo. This could make it harder to mislead the user in certain attacks.

According to “FINAL WARNING” email – have they really hacked your webcam? - Naked Security there is a big flood the last day(s) of "Sextortion" scam mails going around. Don't fall for these. It's all fake.

A new level of stupid in the "I have you on video watching porn" extortion scams: the whole message embedded as an image, including the instructions to carefully cut and paste the bitcoin wallet address.

Links: Report history for 12Vso1cRX7zQovZG4wH7RAz2HqtdW1Lvek - Bitcoin Abuse Database, Bitcoin Address 12Vso1cRX7zQovZG4wH7RAz2HqtdW1Lvek.

Before, before, before.

In the inbox this morning, another attempt at extortion.

Subject: IMPORTANT! You have been recorded masturbating! I have Koos Website.mp4!

Hi there,

The last time you visited a porn website with teens,
you downloaded and installed the software I developed.

My program has turned on your camera and recorded
the process of your masturbation.

My software has also grabbed all your email contact lists
and a list of your friends on Facebook.

I have the - Koos Website.mp4 - with you jerking off to teens
as well as a file with all your contacts on my computer.

You are very perverted!

If you want me to delete both the files and keep the secret,
you must send me Bitcoin payment. I give you 72 hours for the payment.

If you don't know how to pay with Bitcoin, visit Google and search.

Send 2.000 USD to this Bitcoin address as soon as possible:

34vKT8SpK2zYAgJUDww9ih1o7Ky3JKmCdP
(copy and paste)

1 BTC = 3,850 USD right now, so send exactly 0.525386 BTC
to the address provided above.
Do not try to cheat me!
As soon as you open this Email I will know you opened it.
I am tracking all actions on your device.

This Bitcoin address is linked to you only,
so I will know when you send the correct amount.
When you pay in full, I will remove both files and deactivate my program.

If you don't send the payment, I will send your masturbation video
to ALL YOUR FRIENDS AND ASSOCIATES from your contact lists I hacked.

Here are the payment details again:

Send 0.525386 BTC to this Bitcoin address:

----------------------------------------
34vKT8SpK2zYAgJUDww9ih1o7Ky3JKmCdP
----------------------------------------


You саn visit police but nobody can help you. I know what I am doing.
I don't live in your country and I know how to stay anonymous.

Don't try to deceive me - I will know it immediately - my spy software is
recording all the websites you visit and all keys you press.
If you do - I will send this ugly recording to everyone you know,
including your family.

Don't cheat me! Don't forget the shame and if you ignore this message your
life will be ruined.

I am waiting for your Bitcoin payment.
You have 72 hours left.

Anonymous Hacker

Given the address it's clear someone managed to visit this website. Actually hacking my computer and removing the webcam cover or installing the webcam is harder!

Bitcoin links: Report history for 34vKT8SpK2zYAgJUDww9ih1o7Ky3JKmCdP - Bitcoin Abuse Database and Bitcoin Address 34vKT8SpK2zYAgJUDww9ih1o7Ky3JKmCdP.

Het blijft actueel: Verschillende afpersmails in omloop - Fraudehelpdesk.

Ik zie ze zelf ook op verschillende plekken. Trap hier niet in.

Dit keer een bitcoin adres waar nog geen transacties in zichtbaar zijn: 12PUa2SHjWAUEpZZUxQNvxa7epab7g2Ksb alleen is mij niet duidelijk of deze site het verschil tussen een echt aangemaakt adres zonder transacties of een willekeurig adres weet.

Toevoeging 2019-02-07: Een bedrag van 808 dollars in bitcoins staat nu in de wallet, in 2 transacties. Gegeven het bedrag in het originele mailtje zijn er dus 2 mensen ingetrapt.

Toevoeging 2019-02-11: Er is nu over de 3000 dollar in bitcoins binnen. Als ik zo naar de transacties kijk lijken er 7 mensen ingetrapt.

Nog meer informatie: Bitcoin Abuse Database for 12PUa2SHjWAUEpZZUxQNvxa7epab7g2Ksb (engelstalig).

Today I tried to follow a link to http://www.independentri.com/ but I got an error message:

451: Unavailable due to legal reasons

We recognize you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore access cannot be granted at this time

And indeed in the headers:

$ lynx -head -dump http://www.independentri.com/
HTTP/1.1 451 Unavailable For Legal Reasons

I see the real reason as 'not wanting to comply with European consumer protection laws'. I have no idea how many visitors the site is missing due to this regionblock but since it's a regional weekly newspaper in the United States of America: probably not a lot of the intended audience.

Ik kreeg een mail zoals deze Afpersingsmail: Bedreiging voor uw veiligheid! ***@*********.nl is gecompromitteerd. - Fraudehelpdesk.

De tekst leest kwa stijl of de auteur niet echt Nederlands kent en deels hulp heeft gehad van een automatische vertaling of van meerdere mensen die stukjes vertaald hebben.

Het volgen van het bitcoin adres in het mailtje (deels gemaskeerd bij fraudehelpdesk) levert een interresant beeld op: dit levert blijkbaar wel wat op. Als ik de bitcoin rekening opzoek op Bitcoin Address 1PRUG1TrBWKLpvMJYfYXhZVSDagSySqXuz zie ik diverse bijschrijvingen in de afgelopen twee dagen en een afschrijving. De eerste drie bijschrijvingen lijken erg op betalingen in de buurt van de genoemde 35 euro. Maar als ik diep in de transacties duik zonder enige voorkennis van bitcoin zie ik allemaal verwarrende dingen.

Opvallend is wel dat dezelfde wallet dus op meer plekken genoemd is. Daarmee is het traceren van degene die betaald heeft onmogelijk, waardoor het verhaal in de afpersingsmail ook compleet ongeldig is.

I use the logcheck package to monitor for unexpected log entries. Since upgrading to the new homeserver conway I noticed DNSSEC failures coming back regularly, even at weird times of the night while the domain names seemed related to services we sometimes interact with during the day. To search deeper I enabled query logging on DNS (with a short retention period) in order to find the source.

Eventually I found it: the DNSSEC failures came at the time the mail from logcheck was delivered, because it mentioned domain names that cause a DNSSEC failure. So the way to 'fix' this problem and avoid similar other problems was to whitelist logcheck mail.

Update 2018-10-05: That only helps when enabling the Mail::SpamAssassin::Plugin::Shortcircuit plugin and enabling the USER_IN_WHITELIST shortcircuit.

Update 2018-10-07: Even with whitelist and shortcircuit I still see queries for domain names in the logcheck mails. Call to spamassassin is now changed...

Now, once again...this time with FEEwing

This morning I was looking on shodan for open remote desktop servers in the work network since RDP was mentioned as an attack vector in the latest GANDCRAP ransomware.

Searching for '3389' on shodan found something completely different: an open industrial control system (ICS) for tankstation gauges.

IN-TANK VOORRAAD        

TANK PRODUCT             VOLUME TC VOLUME   VULVOL   HOOGTE    WATER     TEMP
  1  UL 98                 9757      9693    10283    939.2      0.0    20.09
  2  EURO                 2...

According to The Internet of Gas Station Tank Gauges -- Take #2 - Rapid7 this was already a reported issue in January 2015 and according to their research it may be possible to do bad things with this access.

The above is from a gas station I can find on google maps.

Oh I found the way to search for open remote desktop servers on shodan: port:3389.

According to this article: Students blamed for university and college cyber-attacks - BBC News the new pattern is that attacks on IT systems in higher education happen in active times in education.

Interesting quote (for me):

There was a very sharp decline in attacks in the Christmas, Easter and summer breaks and during half-terms - with attacks rising again sharply when terms resumed.

I remember starting in system administration and learning quickly that the Christmas holidays period was the busiest period in attempts to break in to computer systems all over the world. This was simply explained by the fact that the Christmas holidays are the most universal school holiday in the world and all the teenage hackers had time to play with computers, modems and networks.