Skip to content disloops

2

Published on 2 Comments on Fixing the Barnyard2 PID File Problem

For the longest time I've gotten the following error from Snort's barnyard2 spooler process:

barnyard2: Could not remove pid file /var/run//barnyard2_NULL.pid: Permission denied

On Ubuntu 16.04, the barnyard2 process is created in this systemd unit file:

/lib/systemd/system/barnyard2.service

This process creates the pid file in the /var/run directory before the user permissions drop to the level provided by the '-u' option. Then when exiting, the process attempts to delete the pid file that was created with elevated privileges.

To fix this, I modified the process's systemd file:

...continue reading "Fixing the Barnyard2 PID File Problem"

Published on Leave a comment on Changing the SSH Port on the UniFi Pro AP

Because my router doesn't have WiFi built in, I bought a Unifi Pro AP wireless access point for use at home. The device itself runs on a version of BusyBox, the preferred Linux distribution for embedded systems. A significant piece of software is required for administrative tasks, though – the UniFi Controller. Because it relies on MongoDB, I installed it on a virtual machine that I only spin up when necessary.

After logging into the access point and changing the password, I wanted to change the SSH port to something non-default. BusyBox uses DropBear for SSH, but directly editing these settings on the device doesn't work. The firmware reverts to the default settings with every reboot. Instead, Unifi has a more complicated way to make these changes. (To their credit, this is probably a useful setup for people managing a significant number of access points.)

...continue reading "Changing the SSH Port on the UniFi Pro AP"

3

Published on 3 Comments on PPD and Gutenprint on Ubuntu 16.04

When trying to print with a Canon iP2702 printer on Ubuntu 16.04 recently, every job was being created with a "Stopped" status. Nothing was printing and there were no error messages.

After investigating, I found the issue by expanding the job attributes for one job: (System Settings → Printer → View Print Queue → Right-click job → View Attributes)

job-printer-state-message: The PPD version (5.2.10-pre2) is not compatible with Gutenprint 5.2.11.

...which lead me to a thread that had a solution. In order to fix the issue, I had to run the following:

sudo /usr/sbin/cups-genppdupdate
sudo service cups restart

1

Published on 1 Comment on Notes on Magic: The Gathering

I started playing Magic around the time that Fallen Empires came out. We played multiplayer games for ante back then – you would put the first three cards from the top of your deck into the pot and the winner would usually take all. I remember stacking my deck so that I wouldn't lose my lands since we couldn't get enough of them out of booster packs.

After coming back to the game, a lot has changed. Certain heavily-vetted decks have come to dominate the tournament scene, where better access to information has eliminated all but the most successful strategies. Today's players largely seek to pilot a winning deck better than their opponents, who also bring a well-defined list of cards to the table. In fact, original decks that demonstrate any ability to play competitively against the established archetypes are known as "rogue" decks.

...continue reading "Notes on Magic: The Gathering"

Published on Leave a comment on Notes on Anonymous FTP

I've had ftp.disloops.com running since December of last year. It's an FTP host that's configured to allow anonymous connections and uploads. This creates some security risks that I wrote about when I deployed it. See the original article here.

I wanted to report back on what I've seen since deploying it. Congrats to 188.162.248.28 for being the first one to try to log in as admin.

Malicious Uploads

The first attempt to upload a file came from 14.99.43.70:

...continue reading "Notes on Anonymous FTP"

1

Published on 1 Comment on OpenDNS on pfSense

I recently saw an article by @dnlongen on potential uses for OpenDNS:

Detecting Malware Through DNS Queries

It made me want to take advantage of OpenDNS on my home network. OpenDNS allows users to configure DNS servers that block requests for many types of content, including known malicious domains.

Because OpenDNS is owned by Cisco, you may want to consider if it offers the level of privacy you need. It's safe to assume that they log every request and provide the information to others. But does a real internet super-villain rely on their DNS server? At least we know who owns OpenDNS – who owns your VPN?

...continue reading "OpenDNS on pfSense"

Published on Leave a comment on Snort 2.9.8.3 on Ubuntu 16.04

I recently installed Snort 2.9.8.3 on Ubuntu 16.04 LTS. I used the directions on the sublimerobots.com web page, which worked well aside from a couple issues described below.

Note: I had originally planned to install it on a Raspberry Pi but nothing works natively for the ARM architecture, especially Snort's Shared Object libraries, which need to be compiled differently for ARM.

Changes to Ubuntu

Newer versions of Ubuntu require some changes that aren't covered in the PDF guide on the Snort website. The web-based instructions cited above have more details.

For example, network interfaces no longer have names like eth0 on Ubuntu 16.04. This wasn't captured in the PDF guide but it was covered in the web-based instructions cited above. I also found this guide to be reliable. My default network interface is called ens2 now and it had to be changed throughout the directions.

...continue reading "Snort 2.9.8.3 on Ubuntu 16.04"

4

Published on 4 Comments on Snort 2.9.8.0 on Ubuntu 14.04 and VirtualBox

Note: This article is outdated now. I published a new one for the latest versions of Snort (2.9.8.3) and Ubuntu (16.04). You can also probably visit sublimerobots.com for the most up-to-date information on this process.

I've been playing with Snort a lot lately. I installed it on my home network using a switch that does port mirroring. I also created a Snort virtual machine that I can use with a laptop and a network tap to diagnose other people's problems. I picked up a SharkTap Gigabit Network Tap for that. It's really just a hub though, and I had to make sure I wasn't sending any traffic back into a tapped network with it.

First I'll explain how I installed Snort at home.

Snort on Ubuntu

I used a guide on Snort's website for installation on Ubuntu 14.04 LTS. I had some issues with it, which I will describe below. Note: The author's website makes some of these corrections and may have the most recent information.

...continue reading "Snort 2.9.8.0 on Ubuntu 14.04 and VirtualBox"

Published on Leave a comment on Snort DGA Rule with Chrome

I had to investigate this Snort alert (3:31738):

PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected

DGA here means "domain generation algorithm" – malware will often find its command and control servers using dynamically-generated domain names. It makes it harder for an infected victim to sinkhole the domains, and a malware author can spin up new ones according to the algorithm as necessary.

The DNS requests causing the alerts looked innocuous to me. It turns out that Chrome purposely issues invalid DNS requests every time it starts in order to root out malicious DNS servers. Discussed here:

https://isc.sans.edu/forums/diary/10312

These invalid requests occur independently of Chrome's prefetching behavior. This is a good Snort rule but it might be incompatible with Chrome.

Published on Leave a comment on Apache Logs in AWS

I recently started using CloudWatch, Amazon's host monitoring service. It has a number of features but I just wanted a way to view all my logs in one place. Configuring hosts to use CloudWatch was easy, and I described the process in an article on setting up Anonymous FTP.

Timeout Errors

With monitoring in place, I noticed a lot of 408 errors coming from the Apache logs on my WordPress instance. The errors appeared in:

/var/log/httpd/access_log
/var/log/httpd/ssl_access_log

...continue reading "Apache Logs in AWS"