sysadmin and security
I've had ftp.disloops.com running since December of last year. It's an FTP host that's configured to allow anonymous connections and uploads. This creates some security risks that I wrote about when I deployed it. See the original article here.
I wanted to report back on what I've seen since deploying it. Congrats to 188.162.248.28 for being the first one to try to log in as admin.
Malicious Uploads
The first attempt to upload a file came from 14.99.43.70:
I recently saw an article by @dnlongen on potential uses for OpenDNS:
Detecting Malware Through DNS Queries
It made me want to take advantage of OpenDNS on my home network. OpenDNS allows users to configure DNS servers that block requests for many types of content, including known malicious domains.
Because OpenDNS is owned by Cisco, you may want to consider if it offers the level of privacy you need. It's safe to assume that they log every request and provide the information to others. But does a real internet super-villain rely on their DNS server? At least we know who owns OpenDNS – who owns your VPN?
I recently installed Snort 2.9.8.3 on Ubuntu 16.04 LTS. I used the directions on the sublimerobots.com web page, which worked well aside from a couple issues described below.
Note: I had originally planned to install it on a Raspberry Pi but nothing works natively for the ARM architecture, especially Snort's Shared Object libraries, which need to be compiled differently for ARM.
Changes to Ubuntu
Newer versions of Ubuntu require some changes that aren't covered in the PDF guide on the Snort website. The web-based instructions cited above have more details.
For example, network interfaces no longer have names like eth0 on Ubuntu 16.04. This wasn't captured in the PDF guide but it was covered in the web-based instructions cited above. I also found this guide to be reliable. My default network interface is called ens2 now and it had to be changed throughout the directions.
Note: This article is outdated now. I published a new one for the latest versions of Snort (2.9.8.3) and Ubuntu (16.04). You can also probably visit sublimerobots.com for the most up-to-date information on this process.
I've been playing with Snort a lot lately. I installed it on my home network using a switch that does port mirroring. I also created a Snort virtual machine that I can use with a laptop and a network tap to diagnose other people's problems. I picked up a SharkTap Gigabit Network Tap for that. It's really just a hub though, and I had to make sure I wasn't sending any traffic back into a tapped network with it.
First I'll explain how I installed Snort at home.
Snort on Ubuntu
I used a guide on Snort's website for installation on Ubuntu 14.04 LTS. I had some issues with it, which I will describe below. Note: The author's website makes some of these corrections and may have the most recent information.
...continue reading "Snort 2.9.8.0 on Ubuntu 14.04 and VirtualBox"
I had to investigate this Snort alert (3:31738):
PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected
DGA here means "domain generation algorithm" – malware will often find its command and control servers using dynamically-generated domain names. It makes it harder for an infected victim to sinkhole the domains, and a malware author can spin up new ones according to the algorithm as necessary.
The DNS requests causing the alerts looked innocuous to me. It turns out that Chrome purposely issues invalid DNS requests every time it starts in order to root out malicious DNS servers. Discussed here:
https://isc.sans.edu/forums/diary/10312
These invalid requests occur independently of Chrome's prefetching behavior. This is a good Snort rule but it might be incompatible with Chrome.
I recently started using CloudWatch, Amazon's host monitoring service. It has a number of features but I just wanted a way to view all my logs in one place. Configuring hosts to use CloudWatch was easy, and I described the process in an article on setting up Anonymous FTP.
Timeout Errors
With monitoring in place, I noticed a lot of 408 errors coming from the Apache logs on my WordPress instance. The errors appeared in:
/var/log/httpd/access_log /var/log/httpd/ssl_access_log
I'm using a desktop that I got from System76 with an NVIDIA graphics card. Installing the NVIDIA drivers on Ubuntu wasn't simple, so here are the steps that I've gotten to work across multiple installations.
First remove any existing NVIDIA packages:
sudo apt-get remove --purge nvidia* sudo apt-get autoremove
Next blacklist the nouveau driver. Without this step, the driver can re-appear after an update and cause problems. Create the blacklist file:
sudo vi /etc/modprobe.d/blacklist-nouveau.conf
And add the following lines:
I wanted to create an FTP server to share some of the media that I've saved over the years. I like the old protocols and services and I plan to stand up more of them. Because each service has its own inherent security issues, the deployment process becomes an exercise in mitigating the risks. Check it out at ftp.disloops.com
I used an Ubuntu Server 14.04 LTS instance for the FTP server and gave it an AWS Elastic IP (EIP). An entry must be added to the /etc/hosts file when deploying Ubuntu instances in AWS:
127.0.0.1 (hostname here)
Without specifying the hostname, using sudo creates an error message. Next I ran updates and changed SSH to a non-default port, then installed VSFTPD and backed up the config file:
sudo apt-get update sudo apt-get dist-upgrade sudo vi /etc/ssh/sshd_config sudo apt-get install vsftpd sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.old
This site is being hosted in Amazon Web Services (AWS). It relies on a number of cloud services, including RDS, S3, and CloudFront. The following are some of the steps that were required to set it up.
Provisioning a Server
Create an AWS account if you don't already have one and complete the steps listed in the Identity and Access Management (IAM) service. It's especially important to set up multi-factor authentication (MFA) for your account. You should have an IAM user in the "Administrators" group when you're done.
Next go to the EC2 service, Amazon's storefront for virtual machines. Before launching a new instance, we'll create a key pair than can be used to access it securely. Use the following command locally to create a key pair:
ssh-keygen -t rsa -b 4096
Upload the public key by clicking "Key Pairs" and then "Import Key Pair" from the EC2 dashboard. Now we can launch an instance.
I'm still using Ubuntu as my preferred Linux distro on personal machines. These are some of the settings that I configure each time I have to install it. Starting from the beginning:
Installation
Download the ISO image for the latest Long-Term Support (LTS) version and burn it to a disc. Boot from the disc to reach the installation menus and configure according to your needs. My own preference: