Updating To OpenSSL 1.0.2g On Ubuntu Server 12.04 & 14.04 LTS To Stop CVE-2016-0800 (DROWN attack)

It was a bit difficult to find any real information on fixing the latest openSSL CVE-2016-0800 (DROWN attack) so I decided to write this quick post on how to update your Ubuntu Server 12.04/14.04 OpenSSL (or any debian-based distro with apache2) to the latest 1.0.2g build to avoid the DROWN/Heartbleed attacks. I’m not going to go into the details of how the exploit works and how it’s exploited as there are many blogs/sites that already go over this. Instead I will only focus on the fix, I have provided 2 methods, a method using cURL or wget.

cURL Method

  1. sudo apt-get install php5-curl (Install cURL library)
  2. sudo apt-get install make (Install compiling library Make)
  3. curl https://www.openssl.org/source/openssl-1.0.2g.tar.gz | tar xz && cd openssl-1.0.2g && sudo ./config && sudo make && sudo make install (single command that will download latest binaries, extract them, cd into the directory, compile configuration and then install the files)
  4. sudo ln -sf /usr/local/ssl/bin/openssl ‘which openssl’ (This will create a sym link to the new binaries)
  5. openssl version -v (Used to check the version of the Current OpenSSL binaries)

wget method

  1. sudo apt-get install make (Install compiling library Make)
  2. wget https://www.openssl.org/source/openssl-1.0.2g.tar.gz (Download the latest OpenSSL 1.0.2g binaries)
  3. tar -xzvf openssl-1.0.2g.tar.gz (Extract the tar ball to the local directory)
  4. cd openssl-1.0.2g (Enter extracted OpenSSL directory)
  5. sudo ./config (Configure binaries for compiling)
  6. sudo make install (install configured binaries)
  7. sudo ln -sf /usr/local/ssl/bin/openssl `which openssl` (This will create a sym link to the new binaries)
  8. openssl version -v (Used to check the version of the Current OpenSSL binaries)

This was tested on both Ubuntu Server 12.04 & 14.04 LTS versions. Questions? Comments?

Updating To PHP 5.4 On Ubuntu Server 12.04 LTS

If you use php web applications then your know a lot are now demanding to be updated to php 5.4 or higher. To do this in Ubuntu 12.04LTS simply do the following…

If you haven’t already used ppa then you will have to first install python software properties, make sure you’re the root user… ( sudo bash )

apt-get install python-software-properties

PHP 5.4.x run:

add-apt-repository ppa:ondrej/php5-oldstable

PHP 5.5.x run:

add-apt-repository ppa:ondrej/php5

Once you’ve added the repo simply update and upgrade current packages & distribution packages with one simple command :)

apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Installing USB Wireless Card On Kali Linux VMware

So I ran into this problem, I installed a fresh copy of Kali Linux onto a VM (VMware) so I could do some pen-testing on my local network without booting into Linux but couldn’t get Kali to use my external wireless card (I needed packet injection capabilities ;))

To make this short and sweet all you have to do to use your external USB wireless card (In My Case an Alfa Card) is just install updated vmware tools (I am assuming you have already added USB Controller in your VM settings…) you can do this by using the following commands on your shell/terminal:

apt-get update
apt-get install open-vm-tools

Once installed you should see your wireless card detecting new networks. This worked on Kali Linux x64 and because its based on Ubuntu Its safe to assume it will work with Ubuntu. Good luck and good hunting ;)

Listing The Last Modified Files In Debian Or Ubuntu

You might be asking yourself why would I care to list the last modified file/s right? Well if your in the security world then you know sometimes it’s important especially in a compromised server/workstation. It’s important to check what files may have been modified to help the attacker, for example, the editing of native configurations or scripts can facilitate permanent access to a system. It’s also important when trying to identify the potential root of the problem.

 

This command will list all files that were recently modified by without any real order.

ls -t

This command will list all files that were recently modified separating all file names by line by line.

ls -1t

This command will list all files that were recently modified separating all file names by line by line and limiting the amount displayed by 10

ls -1t | tail -10

 

I am sure there are more aggressive methods but this is a simple one that works pretty solid on any Linux distribution with bash.

Checking Total Disk Usage in Ubuntu Or Debian From Terminal

If you need to check how much space is used up on all Filesystems/Drives You can simply run

df -h

Don’t forget to sudo or be root.

Increase In Brute Force Attacks on American Networks By Chinese Networks on 4th of July.

I started to track my security logs a lot more since I began to notice the amount of alerts I was getting via email on holidays. There is definitely a connection, American networks are under attack during American holidays specifically from 00:00 to 14:00, this time the attacks weren’t just coming from Chinese networks but Mexico & France.

Here is a list of the latest culprits…

inetnum:        61.174.51.192 – 61.174.51.255
netname:        HANGZHOU-SRT-TECHNOLOGY-CO-LTD
country:        CN
descr:          HANGZHOU SRT TECHNOLOGY CO., LTD

 

inetnum:        115.239.248.0 – 115.239.248.255
netname:        MOVEINTERNET-NETWORK
country:        CN
descr:          MoveInternet Network Technology Co.,Ltd.
descr:
admin-c:        CJ1872-AP
tech-c:         CS64-AP
mnt-irt:        IRT-CHINANET-ZJ

 

inetnum:        183.0.0.0 – 183.63.255.255
netname:        CHINANET-GD
descr:          CHINANET Guangdong province network
descr:          Data Communication Division
descr:          China Telecom
country:        CN
admin-c:        IC83-AP
tech-c:         IC83-AP

 

inetnum:        111.72.0.0 – 111.79.255.255
netname:        CHINANET-JX
descr:          CHINANET JIANGXI PROVINCE NETWORK
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN

 

inetnum:        117.21.0.0 – 117.21.255.255
netname:        CHINANET-JX
descr:          CHINANET Jiangxi province network
descr:          China Telecom
descr:          No.31,jingrong street
descr:          Beijing 100032
country:        CN

 

inetnum:        202.109.128.0 – 202.109.191.255
netname:        CHINANET-JX
descr:          CHINANET Jiangxi province network
descr:          Data Communication Division
descr:          China Telecom
country:        CN

 

inetnum:        89.248.162.128 – 89.248.162.255
netname:        NL-ECATEL
descr:          AS29073, Ecatel LTD
country:        NL

 

inetnum:        212.83.128.0 – 212.83.153.255
netname:        FRWOL
descr:          Tiscali France
country:        FR

NetRange:       168.243.0.0 – 168.243.255.255
CIDR:           168.243.0.0/16
OriginAS:
NetName:        LACNIC-ERX-168-243-0-0
NetHandle:      NET-168-243-0-0-1

 

Its probably nothing to worry about…

Adding “client denied by server configuration” Filter To Fail2Ban: Ubuntu 12.04 LTS

Ok so here is another useful filter for fail2ban. Once this plugin is installed it will prevent malicious visitors from trying to brute-force folder and file discovery. After 5 attempts to visit a non existing file/folder the visitor is banned…

like always… BASH IN! :D

sudo bash

First Lets create a new entry in our jail.local file…

vim /etc/fail2ban/jail.local

 

copy the following text after the last apache entry…

[apache-clientd]
enabled = true
port = http,https
filter = apache-client-denied
logpath = /var/log/apache*/*error.log
maxretry = 5

 

Now that we have added the entry into our jail.local we proceed, change to the filter.d directory, in this folder you will see lots of other pre-configured filters

cd /etc/fail2ban/filter.d

 

instead of creating a new filter file simply copy another, this will make the next step easier…

cp /etc/fail2ban/filter.d/apache-auth.conf /etc/fail2ban/filter.d/apache-client-denied.conf

 

find the line identical to the one below (Line 23)

failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$

 

replace it with the following one.

failregex = [[]client <HOST>[]] client denied by server configuration:

 

At this point your pretty much done, close the file and restart fail2ban

service fail2ban restart

 

Comment if you have questions, like my post if you find it helpful :)

 

 

 

 

Adding “File Does Not Exist” Filter To Fail2Ban: Ubuntu 12.04 LTS

Ok so here is a quick post to a common question… adding a filter to fail2ban for bot/scanners searching for files, folders or simply doing recon which can result in exploit discovery, this filter will automatically block a visitor/bot after 4 attempts to scan for a file that does not exist on your domain/server.

like always… BASH IN! (lol…)

sudo bash

First Lets create a new entry in our jail.local file…

vim /etc/fail2ban/jail.local

 

copy the following text after the last apache entry…

[apache-nofile]
enabled = true
port = http,https
filter = apache-nofile
logpath = /var/log/apache*/*error.log
maxretry = 4

 

Now that we have added the entry into our jail.local we proceed, change to the filter.d directory, in this folder you will see lots of other pre-configured filters

cd /etc/fail2ban/filter.d

 

instead of creating a new filter file simply copy another, this will make the next step easier…

cp /etc/fail2ban/filter.d/apache-auth.conf /etc/fail2ban/filter.d/apache-nofile.conf

 

find the line identical to the one below (Line 23)

failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$

 

replace it with the following one.

failregex = [[]client <HOST>[]] File does not exist:

 

At this point your pretty much done, close the file and restart fail2ban

service fail2ban restart

 

Comment if you have questions, like my post if you find it helpful :)

 

 

 

 

The Future Of Decentralized Computing And It’s Impact On Social Justice On The World Wide Web

 

Get ready people we are living once again in exciting times for the internet, it’s evolving! We are living in times where information can no longer be suppressed which will have a major impact in overall society. People all around the world are becoming involved in the preservation of privacy and social justice. Here are some ideas of how I think decentralized computing will change the world.

 

1) Open Source Decentralized Political Registry

Everyone who is a political or public official should be registered on this site, their entire public record could be open sourced and controlled by a community, decentralized platform would eliminate illegal confiscation of infrastructure or prevent censorship. rendering covert corruption difficult.

2) Open Source Decentralized Criminal Registry

Every person on this planet would now be able to report any crime about any person including a public official (police, federal, military officer etc…) at any time and keep it in public domain. This would eliminate extortion, threats and possible cover-ups by any person/group or agency in the world. This platform would also be decentralized to eliminate confiscation or hack.

3) Open Source Decentralized News Registry

Every person on this planet would now be able to report any crime about any person including a public official (police, federal, military officer etc…) at any time and keep it in public domain. This would eliminate extortion, threats and possible cover-ups by any person/group or agency in the world. This platform would also be decentralized to eliminate confiscation or hack.

4) Open Source Decentralized Education Registry

Every Person in the world would now have access to any knowledge without propaganda, lies, manipulation, managed by a global community on a credit system so popular vote always wins.

 

The overall idea is to create an infrastructure that anyone can post any information without censorship, but the information must remain check able, other “wallets” with “coins” or credits should have the ability to change or revise any post, as the post is modified the amount of credits required to modify the post increases, groups of wallets/users could donate amounts to a pool key to also use their limited credits to help causes they might believe in, this will discourage the act of one person acquiring many credits and overwhelming a specific record or trying to hijack its content, a group of wallets/users would always be able to override a single user modifications.