psad – interesting

psad is an intruder detector and, teamed up with dshield.org, reports probes, so a honeypot without having to run daemons. It's a bit of a pig to configure but seems to do concise reporting when somebody in China port scans you* for a Microshit SQL server (my blog); after all, every monkey house has one.

This, unlike fail2ban (my blog), is more robust at dealing with the services file, which is a go-to file when you want to know what runs on a port. Fail2ban deals only with certain services and also can forward reports to third parties.** It is still useful.

Email reporting is in your face: I had to delete 2700 emails in a day from psad when it reports, and that's with local nets and outward-facing IPs whitelisted. NOEMAIL is the best option or you'll probably begin wearing tin foil headgear. Dshield needs a number and I sent 1000+ reports on its second attempt.

I had to install conntrack to get firewall logs.

This is an example part of a report. This is China.

SRC: 115.193.213.79, DL: 2, Dsts: 1, Pkts: 1, Total protocols: 1, Unique sigs: 1, Email alerts: 0

DST: zoo
Scanned ports: TCP 1433, Pkts: 1, Chain: INPUT, Intf: eth1
Total scanned IP protocols: 1, Chain: INPUT, Intf: eth1
Signature match: "MISC Microsoft SQL Server communication attempt"
TCP, Chain: INPUT, Count: 1, DP: 1433, SYN, Sid: 100205

After further testing I also set up psad on another zoo server, which is probably now active, seeing as I wrote this in the past.

I do warn people, if they do try and log in, that their attempts are recorded, but if you're shodan.io (my blog) then they do it anyhow.

I had to whitelist some ports for public-facing services, but I like what psad does.

Our server runs a bit warmer than usual, and the collection of data required means disk space is used too, but it does not consume a lot of processing power (two processes) or memory.

greps can be fun – for specifics

grep psad /var/log/syslog > file.txt; grep -e Satan file.txt | awk '{print $7}' > /tmp/cut1.txt

but $7 does not always work for src, so some greps need $13 – this is all probers by IP – the grep shown is not very efficient but extracts psad messages first; it could be improved, but you get the idea.

grep psad /var/log/syslog > file.txt; grep " scan detected " file.txt > f1.txt; awk '{print $13}' f1.txt > /tmp/cut1.txt

I do extra processing after this, so while the output does look a bit unreadable it can be monkey-fied into readable. The zoo will publish this data as usual for the amusement of others; after all, sharing is caring.

These are our friends in the Seychelles (my blog)

1 SC , 185.10.68.247
2 SC , 185.10.68.28
5 SC , 185.165.169.146
440 SC , 80.82.64.116
1 SC , 89.248.167.131
394 SC , 89.248.168.107
15 SC , 89.248.174.3
1 SC , 93.174.95.106
423 SC , 94.102.56.235
547 SC , 94.102.56.252

If you made a tinfoil hat and are not wearing it, can I borrow it?***

*I KNOW WHAT YOU DID LAST SUMMER. ** useful. *** joke.

r8169 network card mysteries

I have an r8169 chipset network card (my blog) and I hate it when it's in this bizarre mode.

Recently it has been playing up, so I decided to disable some restarts of daemons and firewall operations. The thing still disconnected while the router was happy with another connection, so it's been restarting the router to get the connection back: restarting the wrong thing to get the right thing 'up'.

In the end I regenerated my dnssec and it appears to stay up. Layers, but I really hate that Ethernet network card for being awful.

I then explored WoL, adding a 'p' to the 'ug' settings (seen with ethtool).

ethtool -s eth1 wol ugp

Becomes

Supports Wake-on: pumbg
Wake-on: pug

And that appears to still not fix my drop-out problem. I have no damn idea why the card now needs a p setting to retain the connection, while other things connected to the router are still working, and it's Debian stable.

Grr!

Silencing ssh probers

It's been quiet recently for fail2ban (my blog) on ssh. People cannot get a protocol.

Yes, they still connect, like 108.45.93.68 did below, based in the US, but with nothing in common, so fail2ban has little to do.

sshd[x]: Connection closed by 108.45.93.68 [preauth]
sshd[x]: fatal: Unable to negotiate a key exchange method

It's not hard to do if you want it as well; it uses protocol 2 selectively, for a hint.

Find them in the logs with:

grep "Connection closed" /var/log/auth.log | awk '{ print $9 }' | sort -n | uniq -c
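The awk field numbers above ($7, $9, $13) shift whenever the log line's prefix changes, which is the problem noted with the psad greps. The script below is an added example, not the post's own commands: it picks the first IPv4 address on each matching line with a regex instead of a column number, drops your own local nets, and counts probers, so the same function serves both the psad "scan detected" lines and the sshd "Connection closed by" lines. The sample log lines are constructed for the example (the psad line layout is an approximation, the addresses are the ones quoted in the post), and the function names are my own.

```sh
#!/bin/sh
# Added example: count probe sources by IP address without relying on a fixed
# awk column. Uses only POSIX sh, awk, grep, sort and uniq.

# Constructed sample log lines (not a real syslog). Addresses are the ones
# quoted in the post; the psad line layout is an approximation.
SAMPLE_LOG='Jan  1 00:00:01 zoo psad: scan detected: 115.193.213.79 -> 10.0.0.2 tcp: [1433] flags: SYN tcp pkts: 1 DL: 2
Jan  1 00:00:05 zoo psad: scan detected: 115.193.213.79 -> 10.0.0.2 tcp: [1433] flags: SYN tcp pkts: 1 DL: 2
Jan  1 00:01:10 zoo psad: scan detected: 94.102.56.252 -> 10.0.0.2 tcp: [22] flags: SYN tcp pkts: 1 DL: 1
Jan  1 00:02:00 zoo psad: scan detected (Cluster1): 115.193.213.79 -> 10.0.0.2 tcp: [1433] flags: SYN tcp pkts: 1 DL: 2
Jan  1 00:03:00 zoo psad: scan detected: 192.168.1.20 -> 10.0.0.2 tcp: [80] flags: SYN tcp pkts: 1 DL: 1
Jan  1 00:04:00 zoo sshd[1234]: Connection closed by 108.45.93.68 [preauth]
Jan  1 00:04:01 zoo sshd[1234]: fatal: Unable to negotiate a key exchange method
Jan  1 00:05:00 zoo sshd[1240]: Connection closed by 108.45.93.68 [preauth]
Jan  1 00:06:00 zoo sshd[1250]: Connection closed by 94.102.56.252 [preauth]'

# Print the first IPv4 address found on each input line. In both the psad
# "scan detected" lines and the sshd "Connection closed by" lines that is the
# remote side, whatever column it happens to land in.
first_ipv4() {
    awk 'match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) { print substr($0, RSTART, RLENGTH) }'
}

# Drop RFC 1918 and loopback addresses so your own nets are not reported as
# probers (the post whitelists local nets in psad itself; this does the same
# for the report).
drop_local() {
    grep -vE '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

# count_probe_sources PATTERN: keep lines containing PATTERN (fixed string),
# take the first address on each, drop local nets, and print "count address"
# with the busiest source first.
count_probe_sources() {
    grep -F -- "$1" | first_ipv4 | drop_local | sort | uniq -c | sort -rn
}

# Stand-alone demo on the constructed lines: psad scan sources, then sshd.
printf '%s\n' "$SAMPLE_LOG" | count_probe_sources 'scan detected'
printf '%s\n' "$SAMPLE_LOG" | count_probe_sources 'Connection closed'
```

Against a real box you would feed it the log instead of the sample, for instance `grep -h psad /var/log/syslog | count_probe_sources 'scan detected'` or `count_probe_sources 'Connection closed' < /var/log/auth.log`; because the address is found by pattern rather than position, the same call works on both files.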

Writing a duress password script after Anthony R. Silva’s recent experience

Bananas read that an American mayor was stopped by Homeland Security/TSA (not here) and mugged of his electronics and his password for reasons best known to the low-paid security 'professionals'; perhaps they wanted a newer phone or some other reason.

A duress password is something you give out willingly when you're given no choice, as noted in the article above, but it is not an option in products, say the iPhone (my blog), which I don't own, so the next time Apple say privacy is required take it with a pinch of salt; the same can be said of others too.

Anyhow, being a trustworthy figure,** comrade Silva complained, and while his/the city's stuff has yet to be given back, I thought it well worth having a go at.

So for fun one weekend I wrote a Linux-based duress script with the help of a virtual server, which if I wanted to be really cool I would mention buzzwords like SDN and Docker; it's a fun thing to do and I hope I will never have to use it, but I have one now.

Basically it uses shred and dd with some elevated privileges (I went for root and disk for this user) and an autologin script that works both for a GUI and terminal access. Not a lot remains in the virtual Linux box. You probably cannot do this in Microsoft products* and you might need root access for Android, but it was mostly fun cloning VMs and destroying them. After all, in Linux land it is a lot more reliable than somebody else.

So why would you need such an item? I guess you're saying 'I have nothing to hide'. Well, imagine you're Saeed Malekpour, who is a citizen of Canada and is in an Iranian prison awaiting the death penalty for writing web software that many people use but also porn firms use as well. You can make your mind up on the merits of your ideals and if the Iranians might feel you too deserve a death sentence for perhaps eating bacon or something.

You reply 'um, yes, that is bad, but America would never do that' despite Josh Duggar and Kim Davies and those Jesus-loving Republicans (my blog). Well, that's your option to ignore this, but please don't become another Saeed about whom I write a blog post.

So is this a feature or a threat? Since an admin person has to set up an account and the password with extra rights, this is pretty secure; after all, you have to give the password and you generally would not want to run as that user, so I think it's pretty safe for the user and the organisation. After all, Cisco employees were once targeted by the TSA for what was on their laptops, and who knows where that information finally ended up.

The other option for the script would be a cron and a remote sync kill switch, which would be on a par with Plumpergeddon (my blog) and would not be that hard to remote wipe; should a thief crack the password and log in, then a script would run and the disk would be clean.

That might be next weekend's task; it does sound fun.....

*With lots of personal information gathered by Microsoft and stored (not here), you're probably screwed using Microsoft products. **Somebody voted.

I love network cables (a tale to amuse)

Network cables are common, guarantee a specific speed that wifi cannot on daily usage, and I take cat5 cables for granted. Until this moment I had never had a dud cable, until this seemingly old cable decided not to work any more.

It looks perfect, and I would love back the several hours I spent trying to figure out why, at that moment, after years of not being interfered with, it packed up, after spending a fun couple of hours troubleshooting the card, an r8169** Gigabit Ethernet*, and the router, both being blameless.

Meh.

* The binary blob driver that is supplied might be damaging the cable? ** A bit shit until recently with reboots; my purchase mistake [edimax].

The game with no players and why EA games should also be hated by Linux people

Bananas in the Falklands (who is an ape) does not play video games, on account that we run Linux and I am not doing technical support just to get x working in emulation and then find that it is cheating by, say, Steam. Anyhow, occasionally I subscribe for a month to an indie game and find that it has no players above a count of ten.

It is a large and soulless place with the odd human, with the one griefer; a couple of veterans go and then sound totally bored with the game, and newbies who don't or can't read. Recent developments of the game go to one place full of people who have no charm in game or, I assume, out of it.

This is a game I can run without Wine, and it works on phones in a fashion; all it needs is players, then again it's not an EA game. It would be nice if those EA haters tried it, along with other games not made by EA, instead of whinging about EA games and how it works.

I also have no intention to support EA games' Linux attempt. Why? Well, if Windows idiots hate EA, why should I like them. However, at least I try to support independents. Humans.....