Friday, July 1, 2016

Ack !! No Server !!

There's no point in concerning myself with network/server security right now. The Server is gone. Here are the last couple of posts related to this:

http://www.kevinschick.com/2016/06/network-attacks-ufw-is-working-but-more.html

http://www.kevinschick.com/2016/06/tenacious-attackers-network-exploiters.html

I could not resolve the server by IP or name at all yesterday. I quickly found that the systems engineer at the data center didn't verify the asset tags on the servers involved, and wiped out everything of mine by mistake.

It was an experimental server, so I did not panic or freak out. The new setup will be running with ESXi and I will be able to re-install and manipulate it via vSphere. I also took this as an opportunity to move away from Debian and jump into CentOS. I used Red Hat many years ago, pre-Fedora to be more precise, so the transition back to rpm goodness should not present any real issues or giant hurdles.

I look forward to the change.


I will concentrate on hardening the server, and experimenting with attackers. A honeypot is tempting. The first paragraph of the Wikipedia article describes a honeypot very well. I think analysing hacker activity and how attacks develop and progress will be very interesting and make me proficient at securing my server(s).


Saturday, June 25, 2016

Network Attacks. UFW is Working, but More is Needed.

More attacks on the server. Of course. UFW (Uncomplicated Firewall) is running, which is a must.

Unfortunately, the logs are still full of assholes trying to break in. Shit like this:

Jun 25 20:16:17 vbox sshd[38237]: Invalid user guest from 91.214.130.248
Jun 25 20:16:17 vbox sshd[38237]: input_userauth_request: invalid user guest [preauth]
Jun 25 20:16:17 vbox sshd[38237]: Received disconnect from 91.214.130.248: 11: Bye Bye [preauth]
Jun 25 20:16:18 vbox sshd[38239]: reverse mapping checking getaddrinfo for host-91.214.130.248.ardinvest.net [91.214.130.248] failed - POSSIBLE BREAK-IN ATTEMPT!


and...

Jun 25 21:57:32 vbox sshd[38342]: Received disconnect from 95.39.39.5: 11: disconnected by user [preauth]
Jun 25 22:02:43 vbox sshd[38345]: Received disconnect from 116.31.116.7: 11:  [preauth]
Jun 25 22:09:01 vbox CRON[38349]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 25 22:09:01 vbox CRON[38349]: pam_unix(cron:session): session closed for user root
Jun 25 22:09:51 vbox sshd[38371]: reverse mapping checking getaddrinfo for static.customer-201-116-53-85.uninet-ide.com.mx [201.116.53.85] failed - POSSIBLE BREAK-IN ATTEMPT!


There is more of course. Time to use another tool to make things a bit easier.

After some research, it appears that fail2ban comes highly recommended.


My amazing web writing skill enables me to simply regurgitate words from the fail2ban website:


"Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services."

Setting it up is easy enough. Plenty of tutorials for numerous Linux/OSS distributions out there. If you need a link, just ask. I will try and find a decent one for you.

I have set findtime to 480 seconds, maxretry to 3, and offenders are blocked for 6000 seconds (100 minutes).

So if I understand it correctly, if some prick tries 3 times within 480 seconds, he/she gets banned for 100 minutes.

Let's see how that works after a couple days.
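To show how those three settings interact, here is an added example (my own code, not fail2ban's and not from this blog) that replays sshd log lines through the same sliding-window rule: count failures per source IP inside a findtime window, ban the IP for bantime once maxretry is reached, and treat anything that arrives while the ban is in force as dropped by the firewall. The log lines are constructed in the same syslog format as the excerpts above; the year is assumed to be 2016 because syslog timestamps do not carry one, and only the "Invalid user" and "Failed password" line shapes are matched, whereas the real fail2ban sshd filter matches several more.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The three jail settings from the post (seconds, count, seconds).
FINDTIME = 480     # look-back window for counting failures
MAXRETRY = 3       # failures inside the window that trigger a ban
BANTIME = 6000     # how long the ban lasts (100 minutes)

# Constructed sample lines in the same syslog/sshd format as the post's excerpts.
# The first host fails four times in 13 seconds, the second spreads three
# failures ten minutes apart, and the first host returns after its ban expires.
SAMPLE_LOG = """\
Jun 25 20:16:17 vbox sshd[38237]: Invalid user guest from 91.214.130.248
Jun 25 20:16:17 vbox sshd[38237]: input_userauth_request: invalid user guest [preauth]
Jun 25 20:16:20 vbox sshd[38239]: Invalid user admin from 91.214.130.248
Jun 25 20:16:25 vbox sshd[38241]: Failed password for invalid user test from 91.214.130.248 port 4431 ssh2
Jun 25 20:16:30 vbox sshd[38243]: Invalid user oracle from 91.214.130.248
Jun 25 20:30:00 vbox sshd[38300]: Invalid user git from 69.10.58.155
Jun 25 20:40:00 vbox sshd[38310]: Invalid user git from 69.10.58.155
Jun 25 20:50:00 vbox sshd[38320]: Invalid user git from 69.10.58.155
Jun 25 22:00:00 vbox sshd[38400]: Invalid user guest from 91.214.130.248
"""

# Two of the failure shapes fail2ban's sshd filter keys on: "Invalid user X from IP"
# and "Failed password for [invalid user] X from IP". Syslog lines carry no year,
# so the caller supplies one (assumed 2016 here).
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user \S+ from|Failed password for (?:invalid user )?\S+ from) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failure(line, year):
    """Return (timestamp, ip) for an auth-failure line, or None for anything else."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip")


def simulate(log_text, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME, year=2016):
    """Replay log lines through a fail2ban-style sliding window.

    Returns (events, banned_until): events is a list of ("ban" | "dropped", ip, ts)
    in log order, and banned_until maps each banned IP to when its ban expires.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned_until = {}             # ip -> expiry of the current ban
    events = []
    window = timedelta(seconds=findtime)
    for line in log_text.splitlines():
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        # While the firewall rule is in place the packet never reaches sshd;
        # record it as dropped rather than counting it again.
        if ip in banned_until and ts < banned_until[ip]:
            events.append(("dropped", ip, ts))
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()                     # the count restarts after the ban
            events.append(("ban", ip, ts))
    return events, banned_until


if __name__ == "__main__":
    for kind, ip, ts in simulate(SAMPLE_LOG)[0]:
        print(f"{ts:%b %d %H:%M:%S} {kind:7} {ip}")
```

Running it shows the point of the window: 91.214.130.248 is banned on its third failure at 20:16:25 (until 21:56:25), its fourth attempt is dropped, and it is back to a count of one when it returns at 22:00:00; 69.10.58.155 never gets banned because each of its failures falls outside the 480-second window of the previous one, which is exactly the slow-and-steady pattern a longer findtime would catch.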

Monday, June 20, 2016

Hello Manjaro

Using Debian, or any one of its derivatives such as Linux Mint or Ubuntu, is fine. Multiple systems let me enjoy some of those, but I felt that I wasn't exploring enough of the Linux goodness out there.

Maybe something different would be educational and more fun.

Ladies and gentlemen, my new friend Manjaro.
Note: Blogger offers me the choice of forcing you to leave my page when you click that link, or opening it in a new window. I dislike both choices. Opening this link in a new tab instead would be nice.

I won't go into details about Manjaro, as there are plenty of reviews and related sites out there. I doubt the world needs another one. The fact that it is Arch-based is important. The change is a challenge.

I grabbed a recent Xfce edition only because I have never tried that desktop environment. Manjaro has lots of desktop choices. I could have picked KDE, BspWM, Budgie, Cinnamon, Deepin, Enlightenment, Fluxbox, Gnome, i3, JWM, LXDE, LXQT, MATE, Netbook, Openbox and PekWM.

Since my install, just days ago, they have added another offering using JWM (Joe's Window Manager), a lightweight stacking window manager for the X Window System written by Joe Wingbermuehle. Incredibly, the system boots up with less than 111MB of RAM usage. Not too shabby considering how powerful Manjaro is.

For me, I like Manjaro a lot. I was concerned with Xfce, having been used to stuff like KDE and MATE, but I am really digging the lighter interface.

That's it! No lengthy review or any of that. Go try Manjaro.

Tenacious Attackers. Network Exploiters Abound.

Hit already.

No surprise, it's just how much the server is attacked that is surprising to me. This is probably typical to the veterans out there.

Tenacious; adjective: persistent in maintaining, adhering to, or seeking something valued or desired
That sounds about right for our network visitors today. Here are just some examples of the activity so far:

Jun 19 03:09:18 vbox sshd[10716]: Invalid user git from 69.10.58.155
Jun 19 03:09:18 vbox sshd[10716]: input_userauth_request: invalid user git [preauth]
Jun 19 03:09:18 vbox sshd[10716]: error: Received disconnect from 69.10.58.155: 3: com.jcraft.jsch.JSchException: Auth fail [preauth]
Jun 19 03:09:19 vbox sshd[10718]: Address 69.10.58.155 maps to server.peopleshosting.in, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT


This little prick (69.10.58.155) tried over and over again, likely as fast as the script he/she was using dictated. Tries with all sorts of possible users were employed, such as tomcat, unbuntu, ubtn, test, ftpuser, and many more. One interesting attempt was for user PlcmSpIp.

Jun 19 07:58:39 vbox sshd[11341]: Received disconnect from 195.20.3.210: 11: disconnected by user [preauth]

It's a party...

Jun 19 11:01:49 vbox sshd[11540]: Protocol major versions differ for 46.105.123.28: SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2 vs. SSH-1.5-NmapNSE_1.0

Another dickhead...

Jun 19 12:33:10 vbox sshd[11636]: Invalid user admin from 23.247.97.147
Jun 19 12:33:10 vbox sshd[11636]: input_userauth_request: invalid user admin [preauth]
Jun 19 12:33:10 vbox sshd[11636]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jun 19 12:33:11 vbox sshd[11638]: Address 23.247.97.147 maps to mail6.xdem067.cc, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!


That IP hammered me for quite a while. "POSSIBLE BREAK-IN ATTEMPT!" is server generated. I didn't place it here for effect. :-)

Jun 19 13:43:01 vbox CRON[12111]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 19 13:43:20 vbox sshd[12114]: Connection closed by 71.6.146.185 [preauth]
Jun 19 13:43:20 vbox sshd[12116]: Connection closed by 71.6.146.185 [preauth]


Far too many others to list here. This is just a sample of one day.

Of course none of those IP addresses are anything I typically use. They're all outsiders. Sadly, this activity is probably normal for most servers out there.

Is it bad that I am enjoying this? I definitely have to see where this is going, and consider my security options. More to follow.

Feel free to leave a comment and offer suggestions. Should I change the ssh port? Fail2ban? Am I on the right track?

I am Running an Experimental Server

I have an interest in network security, so I set up a dynamic server testing environment.

It is basically an experiment to learn more about how a typical server is approached by outsiders, specifically those with bad intentions. Really, how bad could it be? Will I be attacked?

Absolutely, no doubt about it.


As time progresses I will occasionally share some of the external hacking attempts and door-knocking the server encounters. The server is set up to log practically everything, but since that data will be enormous, it will be far too much to provide as updates here. Frankly, updates containing anything more than a few periodic examples would be a tedious read and snooze fest.

I am a complete amateur in all network security. Besides researching a lot, I need experience. This is not a hacking invitation, especially since I won't need to invite prowling network jackasses anyways. I am fairly good at manipulating a server, but am truthfully just learning the security side of it.

I know some of the risks.


My server is virtual, and hosted nowhere near me. It can be wiped and reinstalled all fresh and sparkly after a successful attack. But ... it risks being compromised and used to attack others. This is a major concern. As a precaution, as soon as I detect that (and I will if need be), the server will go on complete lockdown and reset.

That said, I do have some security and tightening measures in place. I was tempted to run the server naked and see what happens, but expect it wouldn't last long before it got completely fucked by outsiders. Presently there are some protections up, and a way for me to securely access the server to check logs and make changes as needed.

Stay tuned. It could be like watching a car wreck.

Sunday, May 1, 2016

My First Steps at Creating My Own Anvil-like Object

I need an anvil.

The prices of anvils in my area are simply ridiculous. I can't shell out cash for the rusty, banged up shit that is available. Sadly, it seems that some guys (and girls) are hoarding, even owning four or more anvils. It's their right, but they are making it tough for new smiths.
My answer to the dilemma? Make my own. Many have done it before me, using old rail or other metals, so the possibility exists. I want something specific, a nice clean, heavy block of mild steel.

Anyway...


I thought of checking out the local scrap yard to see if they had a large chunk of mild steel I might use, or perhaps modify for use as an anvil. My first trip was last week, on Friday, during lunch hour, when it was safe and they let me look around the piles. No luck on a big chunk, but I did get some nice coil springs to make tools with, so not a bad first try.

I returned a week later to look around again, and the nice guy at the office informed me that it was my lucky day. A large 5" (12.7mm) plate arrived about 10 minutes before I showed up. I took a look out in the yard and found the plate to be huge. I didn't measure it, but it seemed about 2 metres x 3 metres. Most was cut away as two huge circles were removed, leaving only two corners usable to cut out anything of a decent size. I was able to get a 30cm x 30cm x 12cm (1' x 1' x 5") block cut for me. The cost came to $100 CDN, cut, a lot of money for a guy like me.

It is extremely heavy for a small chunk, weighing in at about 90Kg (200 pounds). It was still hot when I moved it 8 hours later. Hot enough to quickly evaporate water sprinkled on it. Here are a few pics of what I brought home. You can click the images to enlarge.





The torch cuts are not what I expected. I know torches are a bit rough, but these are going to take me a ton of work to level and smooth out. The cuts are angled poorly, and not at 90 degrees on the sides. Maybe this is what torch cuts are supposed to look like. I will pick the best 30cm x 12cm side to use as the anvil face, and at the very least level and flatten the opposite side so that the anvil sits properly on a wooden base. I hope to use my 5' angle grinder to work it all out.

I have other plans for it, but am unsure how to proceed, due to possible labour pricing and my ability. A hardy hole and pritchel hole would be great, and require a pass-through to allow stuff to drop through. While I may be able to drill neatly enough for a pritchel hole, a square hardy hole is far beyond anything I can achieve. The pass-through or cut away area underneath is likely to require a machinist, or me finding a way to neatly cut something like a large semicircle out of one side.

If the face gets too dinged up, which is okay for a while, I will get a flat piece of something like AR500 welded on top, and do cuts with a small piece of scrap laid on top for those few minutes needed.

I look forward to the challenge.