Skip to content disloops

In a previous article I described how to install and run the Port Scan Attack Detector (PSAD) on a Raspberry Pi. It is the closest thing to a full IDS that works on the Raspberry Pi and it's extremely easy to set up.

None of the existing visualization tools for PSAD data really met my needs, so I created a custom Python script that generates an HTML page from the live PSAD data.

The PSADify script is available here: PSADify on Github
You can see the actual data here: Live PSAD Attack Data

On my own host running PSAD, there is a cronjob that runs this script every five minutes and uploads the output to an AWS S3 bucket. If the local configuration or the settings on the AWS side would be useful to anyone, let me know!

I have never gotten a full intrusion detection system (IDS) working correctly on a Raspberry Pi. The two most popular – Snort and Bro IDS – either have problems with their dependencies or the ARM architecture.

I recently came across PSAD – the Port Scan Attack Detector. It is essentially a collection of daemons that analyze iptables logs to identify patterns of malicious traffic. When used in conjunction with fwsnort, PSAD can also correlate blocked traffic with many of the "Emerging Threats" Snort rules.

PSAD was extremely easy to set up on a Raspberry Pi that's deployed as a catch-all DMZ host on my home network. Before diving into the details, you can see live data being collected by that host here: https://psad.disloops.com

...continue reading "PSAD on Raspberry Pi"

I recently needed to run Nmap against a ton of hosts at once but my internet connection died as soon as I launched all the concurrent threads. That had never happened before – turns out that I maxed out the “state table” on my SG-2440 pfSense router.

The default settings allow it to hold 405,000 max connections in the firewall state table. Every million states take about a gig of RAM and the router has 4 gig total, so the default is to let the state table take up 10% of the total memory capacity at most. Apparently running around 50+ Nmap threads against all ports per host maxes that out immediately.

I had to SSH into the router and flush the state table (“pfctl -F states”) to get my connection working again. Then I bumped the max states up to 3M and I scaled back the number of Nmap threads I’m running. Now it works but I thought that was a funny problem to come across; I didn’t foresee my fancy router being the bottleneck.

I recently spent some time exploring the issue of CloudFront domain hijacking. This is not a new issue but I think it has gone mostly unnoticed for a few reasons:

  • CloudFront's default behavior is not intuitive. Some standard DNS configurations can mislead users into thinking that their vulnerable domains are configured correctly.
  • In the past year, misconfigured S3 buckets have been everyone's priority. Other AWS security issues have played second banana.
  • Because a misconfigured domain presents an obvious error message, one would assume there is no "low-hanging fruit" for attackers.

There are a couple reports on HackerOne but I'd say that this issue is still relatively unexplored. So I devoted some time to finding the right targets and scripting the testing process. The results are below.

...continue reading "CloudFront Hijacking"

There are plenty of articles online about the different things you can do with a Raspberry Pi. I recently bought a new one from Adafruit and I wanted to write down the steps I took to create a baseline configuration for future projects.

Setting Up Rasbian

I downloaded the latest version of Raspbian and burned it to a new micro SD card. I plugged that in along with some peripherals I bought:

The Raspberry Pi 3 actually has built-in WiFi but I thought I'd have a stronger connection using an external USB adapter.

After booting for the first time, I wanted to get rid of the default pi user. To do this, go to the start menu, open "Raspberry Pi Configuration" under "Preferences" and turn off the "Auto-Login" option. Then open a terminal and create a password for the root user:

...continue reading "Raspberry Pi 3 Basics"

For the longest time I've gotten the following error from Snort's barnyard2 spooler process:

barnyard2: Could not remove pid file /var/run//barnyard2_NULL.pid: Permission denied

On Ubuntu 16.04, the barnyard2 process is created in this systemd unit file:

/lib/systemd/system/barnyard2.service

This process creates the pid file in the /var/run directory before the user permissions drop to the level provided by the '-u' option. Then when exiting, the process attempts to delete the pid file that was created with elevated privileges.

To fix this, I modified the process's systemd file:

...continue reading "Fixing the Barnyard2 PID File Problem"

Because my router doesn't have WiFi built in, I bought a Unifi Pro AP wireless access point for use at home. The device itself runs on a version of BusyBox, the preferred Linux distribution for embedded systems. A significant piece of software is required for administrative tasks, though – the UniFi Controller. Because it relies on MongoDB, I installed it on a virtual machine that I only spin up when necessary.

After logging into the access point and changing the password, I wanted to change the SSH port to something non-default. BusyBox uses DropBear for SSH, but directly editing these settings on the device doesn't work. The firmware reverts to the default settings with every reboot. Instead, Unifi has a more complicated way to make these changes. (To their credit, this is probably a useful setup for people managing a significant number of access points.)

...continue reading "Changing the SSH Port on the UniFi Pro AP"

2

When trying to print with a Canon iP2702 printer on Ubuntu 16.04 recently, every job was being created with a "Stopped" status. Nothing was printing and there were no error messages.

After investigating, I found the issue by expanding the job attributes for one job: (System Settings → Printer → View Print Queue → Right-click job → View Attributes)

job-printer-state-message: The PPD version (5.2.10-pre2) is not compatible with Gutenprint 5.2.11.

...which lead me to a thread that had a solution. In order to fix the issue, I had to run the following:

sudo /usr/sbin/cups-genppdupdate
sudo service cups restart

I started playing Magic around the time that Fallen Empires came out. We played multiplayer games for ante back then – you would put the first three cards from the top of your deck into the pot and the winner would usually take all. I remember stacking my deck so that I wouldn't lose my lands since we couldn't get enough of them out of booster packs.

After coming back to the game, a lot has changed. Certain heavily-vetted decks have come to dominate the tournament scene, where better access to information has eliminated all but the most successful strategies. Today's players largely seek to pilot a winning deck better than their opponents, who also bring a well-defined list of cards to the table. In fact, original decks that demonstrate any ability to play competitively against the established archetypes are known as "rogue" decks.

...continue reading "Notes on Magic: The Gathering"

I've had ftp.disloops.com running since December of last year. It's an FTP host that's configured to allow anonymous connections and uploads. This creates some security risks that I wrote about when I deployed it. See the original article here.

I wanted to report back on what I've seen since deploying it. Congrats to 188.162.248.28 for being the first one to try to log in as admin.

Malicious Uploads

The first attempt to upload a file came from 14.99.43.70:

...continue reading "Notes on Anonymous FTP"