Category: Networking

Install PiHole With SSL On Apache Running Ubuntu Server 20 LTS

This is another quick post to serve as a general note. This post will cover the install of PiHole with SSL on Apache. The guide should work for most Debian-based Linux distributions. We are running PHP7.4 as it’s native to the OS and does not require any PPA addons. You can install PHP8/+ if you like.

Step 1: Bash Into root

sudo bash

Enter your password.

Step 2: Install Apache2

apt-get install apache2 -y

Step 3: Install PHP 7.4

apt-get install php -y
apt-get install php-common php-mysql php-xml php-curl php-cli php-imap php-mbstring php-opcache php-soap php-zip php-intl php-sqlite3 -y

Step 4: Install PiHole

curl -sSL https://install.pi-hole.net | bash

During the course of the install, you will be prompted ~5 times. At the last prompt, you will be asked if you want to install the Lighttpd web server. At this point, you want to select no and complete the install process.

Once completed your PiHole setup should work. and should be accessible via ip/domain.com/admin/

Step 5 Cleanup:

As of today, I have noticed a rare glitch that will cause the folder structure to be odd after the pihole install. This can be easily fixed with the following details.

The default install will create folders like this:

pihole folder: /var/www/html/pihole
admin folder: /var/www/html/admin

Although not a big deal, this causes a problem when trying to access the admin dashboard from the default pihole URL (http://ip/pihole), the link on the page that is supposed to link to the admin page will be broken. At this point, you can update the page link manually in pihole/index.php to forward to the correct URL or you can change/move folders to your liking.

To fix this issue, as root, first we move the folder to the correct directory.

mv /var/www/html/admin /var/www/html/pihole

Second, we update the default pihole root index file links

vim /var/www/www/html/pihole/index.php

We want to edit three lines 77, 81, and 83 to reflect the new URL structure.

#Line 77: 
<link rel='shortcut icon' href='/pihole/admin/img/favicons/favicon.ico' type='image/x-icon'>

#Line 81:
<img src='/pihole/admin/img/logo.svg' alt='Pi-hole logo' id="pihole_logo_splash">

#Line 83:
<a href='/pihole/admin/'>Did you mean to go to the admin panel?</a>

Once done you can consider the process complete.

Step S: Installing SSL on PiHole:

To keep things classy, if not already, bash into root:

sudo bash

Let’s enable the PHP’s SSL module and make our SSL folder to house our certs.

a2enmod ssl
mkdir /etc/apache2/certs/pihole

Now let’s generate our self-signed cert:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/certs/pihole/piholio.key -out /etc/apache2/certs/pihole/piholio.crt

Edit our default SSL virtual hosts config:

vim /etc/apache2/sites-available/default-ssl.conf

Replace lines 32 and 33 with the following lines

SSLCertificateFile /etc/apache2/certs/pihole/piholio.crt
SSLCertificateKeyFile /etc/apache2/certs/pihole/piholio.key

Save and exit.

Next, enable SSL and restart the apache service:

a2ensite default-ssl.conf && systemctl restart apache2

At this point, you’ve successfully installed PiHole with SSL. We have another issue, by default apache does not reroute to SSL so you will still be able to visit the non-SSL URL. To fix this we need to enable the Rewrite module and enter our conditions into our domain’s virtual host configuration (or .htaccess).

Let’s enable that rewrite module: 

a2enmod rewrite
systemctl restart apache2

Let’s edit our default virtual host file:

vim /etc/apache2/sites-available/000-default.conf

Add the following three lines of code before the </VirtualHost> closing tag.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Save the file and restart Apache.

systemctl restart apache2

Your PiHole install should now be “running in SSL”. If anyone viewing my notes has questions feel free to leave a comment.

Installing USB Wireless Card On Kali Linux VMware

So I ran into this problem, I installed a fresh copy of Kali Linux onto a VM (VMware) so I could do some pen-testing on my local network without booting into Linux but couldn’t get Kali to use my external wireless card (I needed packet injection capabilities ;))

To make this short and sweet all you have to do to use your external USB wireless card (In My Case an Alfa Card) is just install updated vmware tools (I am assuming you have already added USB Controller in your VM settings…) you can do this by using the following commands on your shell/terminal:

apt-get update
apt-get install open-vm-tools

Once installed you should see your wireless card detecting new networks. This worked on Kali Linux x64 and because its based on Ubuntu Its safe to assume it will work with Ubuntu. Good luck and good hunting ;)

Listing The Last Modified Files In Debian Or Ubuntu

You might be asking yourself why would I care to list the last modified file/s right? Well if your in the security world then you know sometimes it’s important especially in a compromised server/workstation. It’s important to check what files may have been modified to help the attacker, for example, the editing of native configurations or scripts can facilitate permanent access to a system. It’s also important when trying to identify the potential root of the problem.

 

This command will list all files that were recently modified by without any real order.

ls -t

This command will list all files that were recently modified separating all file names by line by line.

ls -1t

This command will list all files that were recently modified separating all file names by line by line and limiting the amount displayed by 10

ls -1t | tail -10

 

I am sure there are more aggressive methods but this is a simple one that works pretty solid on any Linux distribution with bash.

Increase In Brute Force Attacks on American Networks By Chinese Networks on 4th of July.

I started to track my security logs a lot more since I began to notice the amount of alerts I was getting via email on holidays. There is definitely a connection, American networks are under attack during American holidays specifically from 00:00 to 14:00, this time the attacks weren’t just coming from Chinese networks but Mexico & France.

Here is a list of the latest culprits…

inetnum:        61.174.51.192 – 61.174.51.255
netname:        HANGZHOU-SRT-TECHNOLOGY-CO-LTD
country:        CN
descr:          HANGZHOU SRT TECHNOLOGY CO., LTD

 

inetnum:        115.239.248.0 – 115.239.248.255
netname:        MOVEINTERNET-NETWORK
country:        CN
descr:          MoveInternet Network Technology Co.,Ltd.
descr:
admin-c:        CJ1872-AP
tech-c:         CS64-AP
mnt-irt:        IRT-CHINANET-ZJ

 

inetnum:        183.0.0.0 – 183.63.255.255
netname:        CHINANET-GD
descr:          CHINANET Guangdong province network
descr:          Data Communication Division
descr:          China Telecom
country:        CN
admin-c:        IC83-AP
tech-c:         IC83-AP

 

inetnum:        111.72.0.0 – 111.79.255.255
netname:        CHINANET-JX
descr:          CHINANET JIANGXI PROVINCE NETWORK
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN

 

inetnum:        117.21.0.0 – 117.21.255.255
netname:        CHINANET-JX
descr:          CHINANET Jiangxi province network
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN

 

inetnum:        202.109.128.0 – 202.109.191.255
netname:        CHINANET-JX
descr:          CHINANET Jiangxi province network
descr:          Data Communication Division
descr:          China Telecom
country:        CN

 

inetnum:        89.248.162.128 – 89.248.162.255
netname:        NL-ECATEL
descr:          AS29073, Ecatel LTD
country:        NL

 

inetnum:        212.83.128.0 – 212.83.153.255
netname:        FRWOL
descr:          Tiscali France
country:        FR

NetRange:       168.243.0.0 – 168.243.255.255
CIDR:           168.243.0.0/16
OriginAS:
NetName:        LACNIC-ERX-168-243-0-0
NetHandle:      NET-168-243-0-0-1

 

Its probably nothing to worry about…

Adding “client denied by server configuration” Filter To Fail2Ban: Ubuntu 12.04 LTS

Ok so here is another useful filter for fail2ban. Once this plugin is installed it will prevent malicious visitors from trying to brute-force folder and file discovery. After 5 attempts to visit a non existing file/folder the visitor is banned…

like always… BASH IN! :D

sudo bash

First Lets create a new entry in our jail.local file…

vim /etc/fail2ban/jail.local

 

copy the following text after the last apache entry…

[apache-clientd]
enabled = true
port = http,https
filter = apache-client-denied
logpath = /var/log/apache*/*error.log
maxretry = 5

 

Now that we have added the entry into our jail.local we proceed, change to the filter.d directory, in this folder you will see lots of other pre-configured filters

cd /etc/fail2ban/filter.d

 

instead of creating a new filter file simply copy another, this will make the next step easier…

cp /etc/fail2ban/filter.d/apache-auth.conf /etc/fail2ban/filter.d/apache-client-denied.conf

 

find the line identical to the one below (Line 23)

failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$

 

replace it with the following one.

failregex = [[]client <HOST>[]] client denied by server configuration:

 

At this point your pretty much done, close the file and restart fail2ban

service fail2ban restart

 

Comment if you have questions, like my post if you find it helpful :)

 

 

 

 

Adding “File Does Not Exist” Filter To Fail2Ban: Ubuntu 12.04 LTS

Ok so here is a quick post to a common question… adding a filter to fail2ban for bot/scanners searching for files, folders or simply doing recon which can result in exploit discovery, this filter will automatically block a visitor/bot after 4 attempts to scan for a file that does not exist on your domain/server.

like always… BASH IN! (lol…)

sudo bash

First Lets create a new entry in our jail.local file…

vim /etc/fail2ban/jail.local

 

copy the following text after the last apache entry…

[apache-nofile]
enabled = true
port = http,https
filter = apache-nofile
logpath = /var/log/apache*/*error.log
maxretry = 4

 

Now that we have added the entry into our jail.local we proceed, change to the filter.d directory, in this folder you will see lots of other pre-configured filters

cd /etc/fail2ban/filter.d

 

instead of creating a new filter file simply copy another, this will make the next step easier…

cp /etc/fail2ban/filter.d/apache-auth.conf /etc/fail2ban/filter.d/apache-nofile.conf

 

find the line identical to the one below (Line 23)

failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$

 

replace it with the following one.

failregex = [[]client <HOST>[]] File does not exist:

 

At this point your pretty much done, close the file and restart fail2ban

service fail2ban restart

 

Comment if you have questions, like my post if you find it helpful :)

 

 

 

 

The Future Of Decentralized Computing And It’s Impact On Social Justice On The World Wide Web

 

Get ready people we are living once again in exciting times for the internet, it’s evolving! We are living in times where information can no longer be suppressed which will have a major impact in overall society. People all around the world are becoming involved in the preservation of privacy and social justice. Here are some ideas of how I think decentralized computing will change the world.

 

1) Open Source Decentralized Political Registry

Everyone who is a political or public official should be registered on this site, their entire public record could be open sourced and controlled by a community, decentralized platform would eliminate illegal confiscation of infrastructure or prevent censorship. rendering covert corruption difficult.

2) Open Source Decentralized Criminal Registry

Every person on this planet would now be able to report any crime about any person including a public official (police, federal, military officer etc…) at any time and keep it in public domain. This would eliminate extortion, threats and possible cover-ups by any person/group or agency in the world. This platform would also be decentralized to eliminate confiscation or hack.

3) Open Source Decentralized News Registry

Every person on this planet would now be able to report any crime about any person including a public official (police, federal, military officer etc…) at any time and keep it in public domain. This would eliminate extortion, threats and possible cover-ups by any person/group or agency in the world. This platform would also be decentralized to eliminate confiscation or hack.

4) Open Source Decentralized Education Registry

Every Person in the world would now have access to any knowledge without propaganda, lies, manipulation, managed by a global community on a credit system so popular vote always wins.

 

The overall idea is to create an infrastructure that anyone can post any information without censorship, but the information must remain check able, other “wallets” with “coins” or credits should have the ability to change or revise any post, as the post is modified the amount of credits required to modify the post increases, groups of wallets/users could donate amounts to a pool key to also use their limited credits to help causes they might believe in, this will discourage the act of one person acquiring many credits and overwhelming a specific record or trying to hijack its content, a group of wallets/users would always be able to override a single user modifications.

NIC Bonding In Ubuntu 12.04/12.04.2 WORKING!

 

 

A REAL setup guide for NIC bonding in Ubuntu Server 12.04/12.04.2 because everyone online sucks at actually posting the correct information, probably due to the current explosion of online “experts” plagiarizing other “experts” online…

This was tested on a HP DL380 with Dual Broadcom NICS.

enter root mode:

sudo bash

 

then install the bonding drivers:

apt-get install ifenslave-2.6

 

edit /etc/network/interfaces

vim /etc/network/interfaces

 

You can pretty much copy the following into interfaces after line 5 # The loopback network interface

################################################

 

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
 bond-master bond0

auto eth1
iface eth1 inet dhcp
 bond-master bond0

auto bond0
iface bond0 inet static
 address 192.168.1.xxx  <----------( Enter Your Actual Server IP )
 netmask 255.255.255.0  <----------( Enter Your Actual Subnet )
 gateway 192.168.1.1     <----------( Enter Your Actual router/gateway IP )
 bond-slaves none
 bond-miimon 100
 bond-mode balance-rr ( Driver Mode )

 

################################################

edit /etc/modules

vim /etc/modules

 

and add bonding under rtc value

loop
lp
rtc
bonding

 

reboot your box or restart network services, Thats pretty much it… questions or comments? Use the comment functionality :)

Bonding Network Cards & Load Balancing in Ubuntu Server 10.4 LTS

Afters a couple of hours wasted looking online for the answers I ended up coming up with my own. I use vim as my text editor sooooo… if you use nano or whatever just use that.

The Following configuration is ideal for Load Balancing scenarios, you can find our more about different bond modes at the bottom of the post.

 

Lets install the correct software to support the bonding…
sudo apt-get install ifenslave 

 

open up a shell/terminal window and edit…
sudo vim /etc/network/interfaces

 

Copy this info, replacing the ip’s provided with your own…

#The Loopback Network Interface

auto lo
iface lo inet loopback

#The Primary Network Interface

iface eth0 inet manual
iface eth1 inet manual
auto bond0

iface bond0 inet static
bond_miimon 100
bond_mode balance-rr
address 192.168.1.x <——————- USE YOUR OWN LOCAL IP (ASSIGN IT ONE)
netmask 255.255.255.0 <—————- USE YOUR OWN LOCAL SUBNET
gateway 192.168.1.1 <——————- USE YOUR OWN LOCAL GATEWAY IP
up ifenslave bond0 eth0 eth1
down ifenslave -d bond0 eth0 eth1


Save and exit

 

now open aliases.conf…
sudo vim /etc/modprobe.d/aliases.conf

 

copy this…

alias bond0 bonding
options bonding mode=0 miimon=100 downdelay=200 updelay=200

 

Save, Exit and Reboot your computer…
sudo reboot

 

This is tested and working in a live environment with dual GB nics, if you have any problems or would like to bond more then 2 nics leave a comment as the topic is beyond this quick post.

 

MODE INDEX

mode=0 (balance-rr) Round-robin policy: Transmit packets in sequential order from the first available slave through the last. This mode provides load balancing and fault tolerance.

mode=1 (active-backup) Active-backup policy: Only one slave in the bond is active. A different slave becomes active if, and only if, the active slave fails. The bond’s MAC address is externally visible on only one port (network adapter) to avoid confusing the switch. This mode provides fault tolerance. The primary option affects the behavior of this mode.

mode=2 (balance-xor) XOR policy: Transmit based on [(source MAC address XOR’d with destination MAC address) modulo slave count]. This selects the same slave for each destination MAC address. This mode provides load balancing and fault tolerance.

mode=3 (broadcast) Broadcast policy: transmits everything on all slave interfaces. This mode provides fault tolerance.

mode=4 (802.3ad) IEEE 802.3ad Dynamic link aggregation. Creates aggregation groups that share the same speed and duplex settings. Utilizes all slaves in the active aggregator according to the 802.3ad specification.

  • Pre-requisites:
  • Ethtool support in the base drivers for retrieving the speed and duplex of each slave.
  • A switch that supports IEEE 802.3ad Dynamic link aggregation. Most switches will require some type of configuration to enable 802.3ad mode.

mode=5 (balance-tlb) Adaptive transmit load balancing: channel bonding that does not require any special switch support. The outgoing traffic is distributed according to the current load (computed relative to the speed) on each slave. Incoming traffic is received by the current slave. If the receiving slave fails, another slave takes over the MAC address of the failed receiving slave.

* Prerequisite: Ethtool support in the base drivers for retrieving the speed of each slave.

mode=6 (balance-alb) Adaptive load balancing: includes balance-tlb plus receive load balancing (rlb) for IPV4 traffic, and does not require any special switch support. The receive load balancing is achieved by ARP negotiation. The bonding driver intercepts the ARP Replies sent by the local system on their way out and overwrites the source hardware address with the unique hardware address of one of the slaves in the bond such that different peers use different hardware addresses for the server.


Can’t Map Windows Server 2003 Network Drive on Windows 7, Enter Network Password Error :(

OK so I kept having this issue with a clients Windows 7 Ultimate PC, every time I would try to map a network drive it would ask me for 2 pairs of credentials. The Regular credentials and then the dreaded “enter network password” credential. Keep in mind that this is a business network so no clients have home groups setup.

Troubleshooting Steps: – Went to Control Panel\Network and Internet\Network and Sharing Center\Advanced sharing settings and made sure “Password Protected Sharing” was OFF.

– Still didn’t work. – This time I had to check our credentials manager and remove all old credentials it may have stored ( Control Panel\All Control Panel Items\Credential Manager )

– Still Didn’t work WTF! right? At this point I was kinda annoyed and I decided to check the Network Policies on the local computer, TADAAAAAAAA :P

THE SOLUTION:

Start Menu Type run or cmd in search box

Type: secpol.msc

Go to Local Policies | Security Options and choose the “Network Security: LAN Manager Authentican Level” item Set it to “Send LM & NTLM use NTLMv2 session security if negotiated”

Reboot, Remap and everything should be good, enjoy :)