Friday, July 3, 2015
Saturday, December 1, 2012
Upgrade complete !
Hello all
So i have completed the upgrade to my new blog with a new url
you can follow me @ www.seanmancini.com
Click here to go to the new site !
Again Thanks for all your support !
So i have completed the upgrade to my new blog with a new url
you can follow me @ www.seanmancini.com
Click here to go to the new site !
Again Thanks for all your support !
Friday, November 2, 2012
upgrading my blog
Hello All,
I am currently in the process of upgrading my blog to a wordpress blog which allows me to present information in a much better way and the ability to catagorize my sibjects in a website form
i will still update this blog until ive completed the switch
i will provide the new link to my blog shortly
till then stay secure !
I am currently in the process of upgrading my blog to a wordpress blog which allows me to present information in a much better way and the ability to catagorize my sibjects in a website form
i will still update this blog until ive completed the switch
i will provide the new link to my blog shortly
till then stay secure !
Saturday, October 27, 2012
a little continuation of my fail2ban post
Recently i was able to capture some real data from my servers fail2ban logs
this is how fail2ban logs look for banning ips
2012-10-21 12:54:16,032 fail2ban.actions: WARNING [ssh] Ban 112.4.172.217
2012-10-22 17:05:48,080 fail2ban.actions: WARNING [ssh] Ban 222.73.24.10
2012-10-22 18:36:55,892 fail2ban.actions: WARNING [ssh] Ban 202.96.199.150
2012-10-22 23:23:10,053 fail2ban.actions: WARNING [ssh] Ban 111.74.82.33
2012-10-23 05:06:53,861 fail2ban.actions: WARNING [ssh] Ban 74.206.235.92
2012-10-23 13:11:05,652 fail2ban.actions: WARNING [ssh] Ban 112.216.140.51
2012-10-24 19:31:55,504 fail2ban.actions: WARNING [ssh] Ban 60.161.124.10
2012-10-24 22:52:47,324 fail2ban.actions: WARNING [ssh] Ban 125.210.190.190
2012-10-25 04:20:06,184 fail2ban.actions: WARNING [ssh] Ban 109.163.234.238
2012-10-26 11:11:12,332 fail2ban.actions: WARNING [ssh] Ban 122.139.60.134
very straigt forward and easy to understand which is always a good feature now lets look at the iptables entries
DROP all -- 122.139.60.134 0.0.0.0/0
DROP all -- 109.163.234.238 0.0.0.0/0
DROP all -- 125.210.190.190 0.0.0.0/0
DROP all -- 60.161.124.10 0.0.0.0/0
DROP all -- 112.216.140.51 0.0.0.0/0
DROP all -- 74.206.235.92 0.0.0.0/0
DROP all -- 111.74.82.33 0.0.0.0/0
DROP all -- 202.96.199.150 0.0.0.0/0
DROP all -- 222.73.24.10 0.0.0.0/0
DROP all -- 112.4.172.217 0.0.0.0/0
DROP all -- 31.3.214.241 0.0.0.0/0
DROP all -- 193.104.68.200 0.0.0.0/0
DROP all -- 219.146.225.147 0.0.0.0/0
DROP all -- 64.185.226.120 0.0.0.0/0
DROP all -- 58.221.252.194 0.0.0.0/0
DROP all -- 212.68.50.132 0.0.0.0/0
DROP all -- 205.251.141.29 0.0.0.0/0
DROP all -- 121.10.140.215 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
fail2ban as i say in my post is a must have for ssh based security
with dynamic editing to the iptables firewall and clear logs it really is a
admins must have app
stay secure !
this is how fail2ban logs look for banning ips
2012-10-21 12:54:16,032 fail2ban.actions: WARNING [ssh] Ban 112.4.172.217
2012-10-22 17:05:48,080 fail2ban.actions: WARNING [ssh] Ban 222.73.24.10
2012-10-22 18:36:55,892 fail2ban.actions: WARNING [ssh] Ban 202.96.199.150
2012-10-22 23:23:10,053 fail2ban.actions: WARNING [ssh] Ban 111.74.82.33
2012-10-23 05:06:53,861 fail2ban.actions: WARNING [ssh] Ban 74.206.235.92
2012-10-23 13:11:05,652 fail2ban.actions: WARNING [ssh] Ban 112.216.140.51
2012-10-24 19:31:55,504 fail2ban.actions: WARNING [ssh] Ban 60.161.124.10
2012-10-24 22:52:47,324 fail2ban.actions: WARNING [ssh] Ban 125.210.190.190
2012-10-25 04:20:06,184 fail2ban.actions: WARNING [ssh] Ban 109.163.234.238
2012-10-26 11:11:12,332 fail2ban.actions: WARNING [ssh] Ban 122.139.60.134
very straigt forward and easy to understand which is always a good feature now lets look at the iptables entries
DROP all -- 122.139.60.134 0.0.0.0/0
DROP all -- 109.163.234.238 0.0.0.0/0
DROP all -- 125.210.190.190 0.0.0.0/0
DROP all -- 60.161.124.10 0.0.0.0/0
DROP all -- 112.216.140.51 0.0.0.0/0
DROP all -- 74.206.235.92 0.0.0.0/0
DROP all -- 111.74.82.33 0.0.0.0/0
DROP all -- 202.96.199.150 0.0.0.0/0
DROP all -- 222.73.24.10 0.0.0.0/0
DROP all -- 112.4.172.217 0.0.0.0/0
DROP all -- 31.3.214.241 0.0.0.0/0
DROP all -- 193.104.68.200 0.0.0.0/0
DROP all -- 219.146.225.147 0.0.0.0/0
DROP all -- 64.185.226.120 0.0.0.0/0
DROP all -- 58.221.252.194 0.0.0.0/0
DROP all -- 212.68.50.132 0.0.0.0/0
DROP all -- 205.251.141.29 0.0.0.0/0
DROP all -- 121.10.140.215 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
fail2ban as i say in my post is a must have for ssh based security
with dynamic editing to the iptables firewall and clear logs it really is a
admins must have app
stay secure !
Saturday, October 20, 2012
cyber bullying : what parents can do
Hello All,
Latley in the news we have been hearing alot about online bullying or cyber bullying
this is brings a new issue that today parents have to deal with
some parents are asking them selves what can be done to protect thier children again such attacks
here are some tips parents can use
1.) parental controls on mobile devices
now a days kids and teens are carrying what used to be a phone but is now virtually a computer in thier pockets and with the new issue of things likes sexting and camerphones there is a need for parents to step in a control what thier children and teens have the access to certain features on the devices of today some examples would be software mechnisum to not allow mms messages or textmessages to anyone other than an allowed contact
2.) use of social media such as facebook
parents should sit down with children and set ground rules on the use of social media it is also a good idea for you to add yourself on your childs friends list so you can see what is being posted and some of thier activites if your child is under a certain age one of which you can decide up until that point you may also want to choose to have your childs password for thier account so you can review the activites
3.) parental controls on a pc/laptop
another approach is to instal parental controls that record conversations that take place on the web from your childs computer and also record activites such as image uploads for you review later
what to do if you discover you childs a victim of cyber bullying
1.) report the imncident to the authorites if you use parental control software or monitoring software you can show the autorirea the information you have obtained as proof
2.) report the incident to your childs school
3.) talk to your child and educate them on awareness of network saftey
such as dont give out personal information to strangers such as address or phone number
as the assumption always is that the bully is someone your child know this is not always the case
if you have anymore ideas on what could be done please leave a comment !
thank you all for reading
Latley in the news we have been hearing alot about online bullying or cyber bullying
this is brings a new issue that today parents have to deal with
some parents are asking them selves what can be done to protect thier children again such attacks
here are some tips parents can use
1.) parental controls on mobile devices
now a days kids and teens are carrying what used to be a phone but is now virtually a computer in thier pockets and with the new issue of things likes sexting and camerphones there is a need for parents to step in a control what thier children and teens have the access to certain features on the devices of today some examples would be software mechnisum to not allow mms messages or textmessages to anyone other than an allowed contact
2.) use of social media such as facebook
parents should sit down with children and set ground rules on the use of social media it is also a good idea for you to add yourself on your childs friends list so you can see what is being posted and some of thier activites if your child is under a certain age one of which you can decide up until that point you may also want to choose to have your childs password for thier account so you can review the activites
3.) parental controls on a pc/laptop
another approach is to instal parental controls that record conversations that take place on the web from your childs computer and also record activites such as image uploads for you review later
what to do if you discover you childs a victim of cyber bullying
1.) report the imncident to the authorites if you use parental control software or monitoring software you can show the autorirea the information you have obtained as proof
2.) report the incident to your childs school
3.) talk to your child and educate them on awareness of network saftey
such as dont give out personal information to strangers such as address or phone number
as the assumption always is that the bully is someone your child know this is not always the case
if you have anymore ideas on what could be done please leave a comment !
thank you all for reading
Saturday, October 6, 2012
Protecting your linux ssh server with fail2ban
Protecting your public servers is crucial we have talked before on a previous post on how to mitigate Ssh attacks on a cisco router now let’s talk Ssh on a server
an ssh server is no different you still have the same issues to fend off from DDOS attacks to brute force attacks ssh servers such as openssh are vulnerable here is a good module you can install on any Linux based server to protect again a brute force attack on your ssh tunnel ,
There is a free open source product called fail2ban www.fail2ban.org/
this free solution scans logs files of the ssh service and looks for a set of criteria mostly an x amount of failed login attempts on the ssh service and then creates a rule in the iptables firewall which will drop all future traffic to the ssh port it also supports ftp applications such as pure ftp in the same way
The below steps assume you are using a debian based distribution of Linux in our example we are using Ubuntu server 12.04
To install this application run the following command from your terminal window
sudo apt-get install fail2ban
Once the package is installed we can now start configuring it
Fail2ban uses a file called jail.conf to set the parameters for things like maximum attempts
Before banning the offending IP
the location of the jail.conf file is /etc/fail2ban
Once in the proper directory we can edit the config file using a text editor i personally like the VI editor
So you would issue the following command
sudo vi jail.conf
This will open the fail 2 ban configuration file
In this configuration file you are going to look for a section that looks like this
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
the above configuration allows for 3 unsuccessful attempts (default is 6 ) before banning the offending IP address you can change the log file name and path if you like also by default there will be a # symbol before enable you will want to remove that symbol the enable this rule or you can just copy and paste the config above
Once you have matched the default config to the one above you will then save the file in the vi editor using the :wq combination in command mode within the vi editor
you have now completed the setup of fail2ban for the ssh service
View Banned IP addresses
In order to see what IP's have been banned issue the following command
sudo iptables -L -n
look through the output for the fail2ban chain
Banned IP addresses will shows up like the one below in bold
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Drop all - 10.10.10.10 0.0.0.0/0
Remove banned ip addresses
in order to remove a IP address from the banned list issues the following command
sudo iptables -D fail2ban-ssh -s 10.10.10.10 -j DROP
this will allow the IP on the server
The following post shows how to protect again bruteforce attacks on linux based ssh servers
using the fail2ban application this tool is a simple and free yet powerful application that should be installed to add a layer of protection to you servers ssh service
Till next time
Stay secure !
Sunday, September 30, 2012
SSH bruteforce attack on cisco routers and ways to stop it !
Here is what a ssh bruteforce attack looks like from a cisco router log
uthentication Failed] at 01:13:18 UTC Sun Sep 30 2012
*Sep 30 01:13:18.463: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:18 UTC Sun Sep 30 2012
*Sep 30 01:13:24.967: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:24.967: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:31.447: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:31 UTC Sun Sep 30 2012
*Sep 30 01:13:31.447: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:31 UTC Sun Sep 30 2012
*Sep 30 01:13:37.963: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:37 UTC Sun Sep 30 2012
*Sep 30 01:13:37.963: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:37 UTC Sun Sep 30 2012
*Sep 30 01:13:44.307: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:44 UTC Sun Sep 30 2012
*Sep 30 01:13:44.307: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:44 UTC Sun Sep 30 2012
*Sep 30 01:13:50.771: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:50 UTC Sun Sep 30 2012
*Sep 30 01:13:50.771: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:50 UTC Sun Sep 30 2012
*Sep 30 01:13:57.239: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:57 UTC Sun Sep 30 2012
*Sep 30 01:13:57.239: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:57 UTC Sun Sep 30 2012
The above shows a perfect example why you should have a radiius server or tacas server for authentication with an ip ban mechanism this prevents scripts such as the above one from constantly trying to bruteforce attack your edge router from the same ip which would force the script to either use a different proxy or change servers not a total solution but an effective layer of security you can also use things like vpn so an administrator would vpn into your local network and then locally access your equipment
Just a little tid bit of knowledge
Till next time
Stay secure !
uthentication Failed] at 01:13:18 UTC Sun Sep 30 2012
*Sep 30 01:13:18.463: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:18 UTC Sun Sep 30 2012
*Sep 30 01:13:24.967: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:24.967: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:24 UTC Sun Sep 30 2012
*Sep 30 01:13:31.447: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:31 UTC Sun Sep 30 2012
*Sep 30 01:13:31.447: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:31 UTC Sun Sep 30 2012
*Sep 30 01:13:37.963: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:37 UTC Sun Sep 30 2012
*Sep 30 01:13:37.963: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:37 UTC Sun Sep 30 2012
*Sep 30 01:13:44.307: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:44 UTC Sun Sep 30 2012
*Sep 30 01:13:44.307: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:44 UTC Sun Sep 30 2012
*Sep 30 01:13:50.771: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:50 UTC Sun Sep 30 2012
*Sep 30 01:13:50.771: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:50 UTC Sun Sep 30 2012
*Sep 30 01:13:57.239: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] at 01:13:57 UTC Sun Sep 30 2012
*Sep 30 01:13:57.239: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 0 secs, [user: root] [Source: 211.144.68.163] [localport: 22] [Reason: Login Authentication Failed] [ACL: 100] at 01:13:57 UTC Sun Sep 30 2012
The above shows a perfect example why you should have a radiius server or tacas server for authentication with an ip ban mechanism this prevents scripts such as the above one from constantly trying to bruteforce attack your edge router from the same ip which would force the script to either use a different proxy or change servers not a total solution but an effective layer of security you can also use things like vpn so an administrator would vpn into your local network and then locally access your equipment
Just a little tid bit of knowledge
Till next time
Stay secure !
Subscribe to:
Posts (Atom)