Tag Archives: Debian

Oh look HTTPS

Leave a reply

Testing out Let’s Encrypt public beta. My thoughts so far:

90 days for the SSL certificate. Does that mean we’ll be seeing spammers setting these up to make their sites look more legit?

Mainly made for HTTPS on web servers. There is a walk through on making it work with email, using links, and some other dark Unix magic (what not everyone is running a linux mail server?). I saw a file for exchange but that’s not my cup of tea. It also brings up that whole 90 days thing again. So for now my mail server has something else.

So while the SSL Cert is good for 90 days, they tell you to update it every 60. Can’t wait to try that in 2 months. (that was sarcasm).

To be honest though, I do like the idea of Let’s Encrypt. I like that it has Debian love and script to make magic happen in the background. Less fiddling under the hood. I like that you can set up either Secure only (all HTTPS all the time) or HTTP and HTTPS. This site used to use a self signed cert for Administration, but now it’s all SSL.

Hopefully in the future we can get at least 365 day certs, more services covered, and most importantly MORE PEOPLE ENCRYPTING their web traffic.

New and Improved WiFi Intrusion Detection System. Pi 2.

Leave a reply

So my last post I was fighting the Raspberry Pi 2, with Kali Linux 2.0.1, when it came to starting kistmet_drone on boot. Ian had a work around, but it wasn’t what I wanted. I wanted the built in tools to do their job. Well it turns out it’s a SystemD problem. I spent probably about 12 hours bashing my head against it, making changes and trying things.

Finally, I got smart with my Google searching, and found a slightly better way, but still didn’t want to call an external shell script. Then I spent time smacking my head on the desk. SSHD works, and starts by systemd, why not look at it’s config. Seriously the better you are at something, the less you think of the simple answers that made you good to start with.

2 new lines. One made SystemD wait until after networking was up. The second was a strange sshd -D option. man ssh. Oh doesn’t run ssh as a daemon…

remove –daemonize from Kismet… It worked.

SO….

 

Now to get everything ready before I leave for GrrCon in 17 hours, I’ll be presenting Saturday last I heard.

More on moving WIDS to the Raspberry Pi 2.

Leave a reply

So I’m using the Raspberry Pi 2 and Kali 2 for this project so far. As I said last time, I had to expand the image to use the full disk. I have a script for that now. I was actually trying to script the whole deployment. These scrips can be found on my WIDS github repository. But fair warning they are still a work in process.

Continue reading

Moving WIDs to Raspi2.

Leave a reply

So I tried to do this back in July but got sick. My next talk is at A2Y.asm on Sept 12, and rebuilding all the Pi2 again with Kali 2.0.1. I have litteraly spent most of the day trying to expand the root directory.

There is a tool called rpi-wiggle, that sounded really cool, but it hasn’t been updated in 3 years. It also didn’t work for the pi2 running Kali 2.0.1. After lots of searching, I found a forum post saying talking about it.

After running apt-get install triggerhappy lau5.1 (from Kali repos) and getting the Debian raspi-config file from Debian. It says it worked. I’m waiting for the reboot to know for sure.

And it worked. from console it says it has full space.

Now if I was making anything other than a drone, I’d run apt-get install kali-linux-full to get the whole Kali experience instead of the light version. But I’m making a drone. So here is what needs to be worked on before I start making images:

  • install: Kismet, NTP.
  • boot to cli instead of gui
  • change the root password
  • configure kismet
  • Clone
  • configure static ip, and daemon mode.

normally I’d disable ipv6, still might. but the ipv4 and ipv6 stacks are working well together right now. In the past they haven’t.

Yet more with Fail2Ban

Leave a reply

So yesterday, I thought I was all good on Fail2Ban today’s logcheck emails show there were still problems with Dovecot.

Continue reading

More Fail2Ban fun with Debian Stretch

Leave a reply

Yesterday, going through email yesterday, mostly logcheck emails, I found that Apache wasn’t blocking the attackers. It was seeing them, but not adding the ip address to iptables block list.

The fix was setting up the maxretry it was set rather high, I moved it down to 1 like I had it in the past. I also adjusted the search time to 1 hour and the ban time to 7 days. I thought I was good, and didn’t give it a second thought.

Today, looking at the logcheck emails (really it’s a great IDS for system admins to get a view into their box), there are a lot of automated attacks on the mail server NOT BEING BLOCKED!!! It worked yesterday, there were even banned ip addresses in the chain.

After lots of digging, and several changes that didn’t work, I decided to go for the bad option.

Really the real reason was that Fail2Ban had been around for a while. Things changed, and I had a weird mishmash of configuration files. After the install I removed the files in the package that were not debian related, not sure why bsd; osx; or fedora are in the Debian package to start with.

Followed the local customization file directions creating jail.d/server-defaults.conf with apache-auth and dovecot in them. ssh is handled by defaults-debian.conf. Why the new file, in case the Debian one gets over-written by new stuff later.

Restart the service and…

Still not working for dovecot.!? (tailing the log and watching iptables).

Turns out, it’s where Fail2Ban was set for default to watch for login errors for Dovecot (also noted through the logs). It’s looking in /var/log/mail.warn. I don’t know if I changed it, or it’s legacy left over, or what, but my box it’s /var/log/auth.log where Dovecot login failures go. So I added the logpath to jail.d/server-defaults.conf, restarted Fail2Ban and it worked.

Fail2Ban problems with Debian Stretch

2 Replies

This week The Debian project released “Jessie” (Debian 8.0) as stable. I like to keep my servers a little more ahead of the curve than that, so I upgraded to the new testing branch “Stretch”.

While going through my logs from yesterday and this morning, log checker is awesome, I saw someone hitting my mail server. Normally you only get 1 chance to log in as a non-existent account before Fail2ban kicks in and adds the ip address to my Netfilter iptables jail. This address kept showing up, hour after hour in the logs, and multiple user names.

Looking, I found out that while running, it wasn’t catching all the rules for Fail2ban. I checked the configuration files, and things checked out OK. So I fell back on the old restart the service and see what errors pop.

Continue reading