Showing posts with label security. Show all posts
Showing posts with label security. Show all posts

Saturday, May 3, 2025

Removing bloatware in Android

It is common, every non AOSP android may come with ton of partner's application. The applications are known as bloatware.

Some bloatwares can be uninstall. Or some can only be disable. However, bloatware with disable can still running on background.  

Those bloatwares are used your mobile phone resource. These are steps to remove/uninstall from your mobile using PC, any operation system that can run adb (Android Debugging Bridge). I Assume, you done this.

You must enable development mode and USB Debugging your mobile phone.

Development mode
USB Debugging

Afteer you connect your mobile phone to your PC using USB, from your mobile, you need to trust your PC to make connection and run debugging, include running script via adb.

AllowUSB Debugging

Open your terminal and go to directory where your ADB tool install or placed, e.q. D:\android\sdk\platform-tools. Follow this command

1. detect your android phone

>adb devices
List of devices attached
1xxxxxxxxxxxxxxx        device

2. connect to your device

>adb shell
TECNO-KJ6:/ $

3. run pm to remove bloatware

$ pm uninstall --user 0 com.transsnet.store
Success

4. exit

$ exit
>

To View packages

$ pm list packages | grep store
package:com.google.android.apps.restore
package:com.transsnet.store

This is screen shoot status of application after deletion.

Getting package name
After removing/deletion

You need to know the package name you want to remove. Pick any application you wish in play store with key search "Application Inspector"

Bloatware Table

Application Package Name Tecno Spark 20 Pro KJ6 Infinix note 12 x670
AHA Games net.bat.store n y
Folax com.transsion.aivoiceassistant n y
Hola Browser com.talpa.hibrowser y y
Palm Store com.transsnet.store y y
Visha Player com.transsion.magicshow n y
WeZone com.transsion.wezone n y


NOTE:

  1. The bloatware status uninstall after restart your android
  2. The bloatware still exist in rom, every time you reset your android, the bloatware will come up. You need to re do all steps to remove it.

Reference: https://www.phoneworld.com.pk/the-truth-about-xos-how-infinixs-ui-is-burdened-by-excessive-bloatware/

 

Posted by at
Labels: ,

Friday, April 25, 2025

Recovering from hacked account is so painful when we accidently got scammed.

Recovering from a hacked account is so painful when we accidently get scammed. 

To recover hacked gmail, do it as fast as possible. Even if a hacker changes your phone recovery and or your email recovery, Google still keeps your previous recovery data for some time (maybe 7 days). I called it the grace period.

In my case, i successfully recovered my gmail less than 12 hours after the account was hacked. After successfully signing in into your account, go to https://myaccount.google.com, immediately check your devices, and sign off of any unknown device. 

Then, in security, check recovery options. Remove any unwanted recovery option. Add your original recovery phone number and recovery email if necessary. Verify them as soon as possible. 

These processes are race conditions with hackers.

If a hacker changes your email account for Mobile Legends: Bang Bang and email account Clash of Clans, you will lose them. No one of those games provides good support for recovery.

Posted by at
Labels:

Sunday, February 11, 2024

Openssl s_client to verify SSL

Syntax general: openssl s_client [-connect host:port] [option]

 

Get and read openssl s_client output 

$ echo "Get HTTP/1.0" | openssl s_client google.com:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1                        <- verification chain 2 ok
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1                        <- verification chain 1 ok
depth=0 CN = *.google.com
verify return:1                        <- verification chain 0 ok
---
Certificate chain
 0 s:CN = *.google.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  9 06:25:08 2024 GMT; NotAfter: Apr  2 06:25:07 2024 GMT
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
... <TRUNCATED> ...
-----END CERTIFICATE-----
subject=CN = *.google.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6833 bytes and written 396 bytes
Verification: OK                    <- handshake verification ok
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Use openssl s_client to export certificate PEM into a file (output file: certfs.pem)

$ echo "Get HTTP/1.0" | openssl s_client -showcerts -connect google.com:443 </dev/null | sed -n -e '/-.BEGIN/,/-.END/ p' > certifs.pem
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
DONE

Get fingerprint SHA1 in byte

$ echo "Get HTTP/1.0" | openssl s_client -connect google.com:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin

Fingerprint SHA256 in byte

$ echo "Get HTTP/1.0" | openssl s_client -connect google.com:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin

Fingerprint SHA256 in base64 encode

$ echo "Get HTTP/1.0" | openssl s_client -connect google.com:443 | \
    openssl x509 -pubkey -noout | \
    openssl rsa -pubin -outform der | \
    openssl dgst -sha256 -binary | \
    openssl enc -base64 

To get service sertificates

$ echo "Get HTTP/1.0" | openssl s_client -connect google.com.com:443 -showcerts

For Let's Encrypt, here is official information about compatibility platforms (operating system, browser and java virtual machine,  <https://letsencrypt.org/docs/certificate-compatibility/>

Reference:

  • https://www.openssl.org/docs/man1.0.2/man1/openssl-s_client.html
  • https://www.baeldung.com/linux/ssl-certificates


Posted by at
Labels: ,

Monday, January 29, 2024

huawei echolife default user for EG & HG series

There are 3 default type/user group available in echolife EG, HG and DSL Home Gateway series, these user name and password are:

type/user group
 EG Series HG V300R016C10 and earlier HG V300R017C00 and later DSL Home Gateway
user Epuser/userEp root/admin root/adminHW user/HuaweiUser
admin Epadmin/adminEp root/admin * root/adminHW * user/HuaweiUser *
telnet Eproot/adminEp root/admin * root/adminHW * user/HuaweiUser *

* not tested

if those fail try telecomadmin/admintelecom or admin/@HuaweiHgw or maybe your firmware has been customized by your privder

  1. user: for general use
  2. admin: for more setting then user e.q to change default ntp and time zone; change services
  3. telnet: for connect to router via telnet or SSH

In EG8145V5 default service to access your router are:

  1. Enable the LAN-side PC to access the device using HTTP
  2. Enable devices on the Wi-Fi side to access web pages

Important: 

  1. Change default password immediately and put in a note
  2. DO NOT OPEN ANY SERVICES for WAN

References: https://forum.huawei.com/enterprise/en/huawei-ont-login-account-and-password/thread/667238610795118592-667213871523442688

Posted by at
Labels: ,

Sunday, January 21, 2018

Detecting DNS flood using dns-flood-detector

You need to install dns-flood-detector
# apt-get install dns-flood-detector

dns-flood-detector will give you warning in dmesg something like:
[1309426.142779] TCP: request_sock_TCP: Possible SYN flooding on port 53. Sending cookies.  Check SNMP counters.

To show where it is come from
# /etc/init<dot>d/dns-flood-detector status
* dns-flood-detector<dot>service - LSB: start and stop the dns-flood-detector daemon
   Loaded: loaded (/etc/init<dot>d/dns-flood-detector; generated; vendor preset: enabled)
   Active: active (running) since Fri 2018-01-05 14:25:46 WIB; 2 weeks 1 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 2 (limit: 4915)
   CGroup: /system<dot>slice/dns-flood-detector<dot>service
           `-475 /usr/bin/dns-flood-detector -d -v -v -t5 -w3
Jan 20 18:09:20 mars dns_flood_detector[475]: source [66<dot>220<dot>156<dot>144] - 3 tc…AA]
Jan 20 18:09:23 mars dns_flood_detector[475]: source [173<dot>252<dot>90<dot>118] - 3 tc…AA]
Warning: Journal has been rotated since unit was started<dot> Log output is incomplete or unavailable<dot>
Hint: Some lines were ellipsized, use -l to show in full<dot>

or
# service dns-flood-detector status
* dns-flood-detector<dot>service - LSB: start and stop the dns-flood-dete
ctor daemon
   Loaded: loaded (/etc/init<dot>d/dns-flood-detector; generated; vendor preset: ena
bled)
   Active: active (running) since Fri 2018-01-05 14:25:46 WIB; 2 week
s 1 days ago
     Docs: man:systemd-sysv-generator(8)
    Tasks: 2 (limit: 4915)
   CGroup: /system<dot>slice/dns-flood-detector<dot>service
           `-475 /usr/bin/dns-flood-detector -d -v -v -t5 -w3
Jan 20 18:09:20 mars dns_flood_detector[475]: source [66<dot>220<dot>156<dot>144] -
3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Jan 20 18:09:23 mars dns_flood_detector[475]: source [173<dot>252<dot>90<dot>118] -
3 tcp qps : 3 udp qps [1 qps A] [5 qps AAAA]
Warning: Journal has been rotated since unit was started<dot> Log output is incomple
te or unavailable<dot>

Lets we find out who they are
# whois 66<dot>220<dot>156<dot>144
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www<dot>arin<dot>net/whois_tou<dot>html
#
# If you see inaccuracies in the results, please report at
# https://www<dot>arin<dot>net/public/whoisinaccuracy/index<dot>xhtml
#
#
# The following results may also be obtained via:
# https://whois<dot>arin<dot>net/rest/nets;q=66<dot>220<dot>156<dot>144?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange:       66<dot>220<dot>144<dot>0 - 66<dot>220<dot>159<dot>255
CIDR:           66<dot>220<dot>144<dot>0/20
NetName:        TFBNET3
NetHandle:      NET-66-220-144-0-1
Parent:         NET66 (NET-66-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS32934
Organization:   Facebook, Inc<dot> (THEFA-3)
RegDate:        2009-02-13
Updated:        2012-02-24
Ref:            https://whois<dot>arin<dot>net/rest/net/NET-66-220-144-0-1
...

and
# whois 173<dot>252<dot>90<dot>118
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www<dot>arin<dot>net/whois_tou<dot>html
#
# If you see inaccuracies in the results, please report at
# https://www<dot>arin<dot>net/public/whoisinaccuracy/index<dot>xhtml
#
#
# The following results may also be obtained via:
# https://whois<dot>arin<dot>net/rest/nets;q=173<dot>252<dot>90<dot>118?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange:       173<dot>252<dot>64<dot>0 - 173<dot>252<dot>127<dot>255
CIDR:           173<dot>252<dot>64<dot>0/18
NetName:        FACEBOOK-INC
NetHandle:      NET-173-252-64-0-1
Parent:         NET173 (NET-173-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS32934
Organization:   Facebook, Inc<dot> (THEFA-3)
RegDate:        2011-02-28
Updated:        2012-02-24
Ref:            https://whois<dot>arin<dot>net/rest/net/NET-173-252-64-0-1

Ops they are Facebook.inc :D

Lets we block it
# ipset add mynetrules 66<dot>220<dot>156<dot>144
# ipset add mynetrules 173<dot>252<dot>90<dot>118
# iptables -L | grep mynetrules
DROP       all  --  anywhere             anywhere             match-set mynetrules src

 These are how to block class C
Jan 21 10:11:31 mars dns_flood_detector[475]: source [173<dot>252<dot>124<dot>119] - 3 t…AA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173<dot>252<dot>124<dot>125] - 3 t…AA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173<dot>252<dot>124<dot>126] - 3 t…AA]
Jan 21 10:11:34 mars dns_flood_detector[475]: source [173<dot>252<dot>124<dot>123] - 3 t…AA]

Jan 21 10:11:34 mars dns_flood_detector[475]: source [173<dot>252<dot>124<dot>124] - 3 t…AA]

Just check one of them
# whois 173<dot>252<dot>124<dot>124
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www<dot>arin<dot>net/whois_tou<dot>html
#
# If you see inaccuracies in the results, please report at
# https://www<dot>arin<dot>net/public/whoisinaccuracy/index<dot>xhtml
#
#
# The following results may also be obtained via:
# https://whois<dot>arin<dot>net/rest/nets;q=173<dot>252<dot>124<dot>124?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2
#
NetRange:       173<dot>252<dot>64<dot>0 - 173<dot>252<dot>127<dot>255
CIDR:           173<dot>252<dot>64<dot>0/18
NetName:        FACEBOOK-INC
NetHandle:      NET-173-252-64-0-1
Parent:         NET173 (NET-173-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS32934
Organization:   Facebook, Inc<dot> (THEFA-3)
RegDate:        2011-02-28
Updated:        2012-02-24
Ref:            https://whois<dot>arin<dot>net/rest/net/NET-173-252-64-0-1

Lets we block it
# ipset add mynetrules 173<dot>252<dot>124<dot>0/24



Posted by at
Labels:

Friday, May 26, 2017

Blocking IP by country for some ports using ipset

To block IP by country, we need IP blocks for particular country. This step needs IP blocks from http://ipdeny.com/.
We need to convert IP blocks into ipset format, this bash script will do:
  1. Download block ip by country from http://www.ipdeny.com
  2. Convert block ip into ipset format
For IPV4: http://www.ipdeny.com/ipblocks/data/countries/ For IPV6: http://www.ipdeny.com/ipv6/ipaddresses/blocks/
Here is bash script blockcountryip.sh:
#!/bin/bash
# 2017-05-23

if [ "$1" != "" ]; then
 echo $1
 # download ipv4 block
 echo "Download ipv4 $1"
 wget http://www.ipdeny.com/ipblocks/data/countries/$1.zone -O zone.ipv4.$1
 # download ipv6 block
 echo "Download ipv6 $1"
 wget http://www.ipdeny.com/ipv6/ipaddresses/blocks/$1.zone -O zone.ipv6.$1
 mfile1="./zone.ipv4.$1"
 ofile1="./ipv4.ipset.$1"
 touch $ofile1
 echo "creating ipset rules $ofile1 for ipv4"
 echo "create ipv4_$1 hash:net" > $ofile1
 while read line; do
  echo "add ipv4_$1 $line" >> $ofile1
 done <"$mfile1"
 echo "Done creating $ofile1"
 mfile2="./zone.ipv6.$1"
 ofile2="./ipv6.ipset.$1"
 echo "creating ipset rules $ofile2 for ipv6"
 echo "create ipv6_$1 hash:net" > $ofile2
 while read line; do
  echo "add ipv6_$1 $line" >> $ofile2
 done <"$mfile2"
 echo "Done creating $ofile2"
else
 echo "Usage .//blockcountryip.sh countrycode2"
fi
To use this bash script:
# ./blockcountryip.sh [countrycode]
for example to generate IP blocks for China CN
# ./blockcountryip.sh cn

To load it in memory
# ipset restore -! < ipv4.ipset.[countrycode]
[countrycode] is 2 character country code https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
To apply in iptables
# iptables -A INPUT -p tcp -m multiport --dports [any port you wish] -m set --match-set ipv4_[countrycode] src -j DROP
For example to block all IPV4 from China for port 21, 22, 80, 443 and 2222
# iptables -A INPUT -p tcp -m multiport --dports 21,22,80,443,2222 -m set --match-set ipv4_cn src -j DROP 
# iptables -A INPUT -p udp -m multiport --dports 22,2222 -m set --match-set ipv4_cn src -j DROP
Who will care if I block all of their connection:
# iptables -A INPUT -m set --match-set ipv4_cn src -j DROP
To make it persistent, follow your distribution guide how to load ipset and iptables rules every time system start/restart or network start/restart.
Not Working IPV6
Note:
  1. Tunneling SSH may used UDP protocol
  2. Proftpd listen on port 2222
  3. Port 25 uses to communicate with/to other mail server
My github.com: https://github.com/dedetok/bash-block-ip-by-country
 References:
  • http://ipdeny.com/ 
  • https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
Posted by at
Labels:

Tuesday, November 15, 2016

Fail2ban: save your log into mysql and show it

Required:
  • fail2ban 0.9
  • mysql
  • web server with php (apache with php and mysql library)
Create user and its database in mysql. Give all privilege to its database for its user. You can use any existing database, here is only sample of database structures:
database name : myf2b
table name: kci_logipv4
No field datatype
1 logdate  datetime
2 logipv4  int(11)
3 logmsg varchar(1000)
4 kci_category  int(11)
5 id (int11)
6 codecontinent char(2)
7 codecontinent2 char(2)
8 codecontinent3 char(3)

table name: kci_category
No field datatype
1 id  int(11)
2 category  varchar(20)

Note:
  1. We store IPv4 in long.
  2. Field with underline is primary key 
Table kci_logipv4 will be used to store any log from trapped in fail2ban, and table kci_category will be used to categorize all log in type of attack. Populate kci_category with your wish, this is my category for example: 
id category
10  SSH          
20  FTP             
30 HTTP/HTTPS
40 SMTP/POP/IMAP/POP3/S

We need a small application to store any log trapped in fail2ban. I use PHP to do that. Here is kci_log.php source code https://github.com/dedetok/fail2ban-to-mysql/blob/gh-pages/kci_log.php
That's all. Now you create a custom action mlocaldb.conf for fail2ban to call kci_log.php. Put mlocaldb.conf in /etc/fail2ban/action.d/, here is mlocaldb.conf https://github.com/dedetok/fail2ban-to-mysql/blob/gh-pages/mlocaldb.conf
Note: You need to change this part 'http://[your_domain]/kci_log.php' >> /home/[user]/logs/curlfail2ban.log
  • 'http://[your_domain]/kci_log.php' where kci_log.php reside
  • /home/[user]/logs/curlfail2ban.log where the log will be store. You can remove it after you confidence.
The final step, edit your /etc/fail2ban/jail.conf and add a line to use mlocaldb at the end of action, for example:
...
[sshd]

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter = sshd
action = iptables-ipset-proto4[name=sshd]
        mlocaldb[category=10]
        abuseipdb[category=4,18,22] 
...
Note change category with id you inserted into table kci_category. For example 20 for proftpd.
Show it in your web. This is kci_logread.php source code to show the log, feel free to modify it . https://github.com/dedetok/fail2ban-to-mysql/blob/gh-pages/kci_logread.php

See on Github https://github.com/dedetok/fail2ban-to-mysql
Posted by at
Labels:

Thursday, October 27, 2016

Script Kiddies to use hydra

 This is intended for Education purpose!
After researching how to defend our network, I want to share how to perform what they are doing. It is very easy to perform automatic password attack against various services. One of their tools is hydra. Chrome mark https://www.thc.org/ "The site ahead contains harmful programs" and Firefox mark it as "Reported Unwanted Software Page!". Who's care.... LOL
To install it
# apt-get install hydra
or
# yum install hydra
To create dictionary install British words
# apt-get install wbritish
or

# yum install words
You don't need to run this as root.
Create a directory (whatever you want). I use directory hydra.
$ mkdir hydra
$ cd hydra
Now create words file before running hydra.
$ cat /usr/share/dict/words > words.txt
You can perform ssh using
hydra -l root -P words.txt ssh://xxx.xxx.xxx.xxx
To get more option:
$ hydra -h
Hydra v8.0 (c) 2014 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvVd46] [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -w / -W TIME  waittime for responses (32s) / between connects per thread
  -4 / -6   prefer IPv4 (default) or IPv6 addresses
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -q        do not print messages about connection erros
  -U        service module usage details
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: sapr3 afp ncp oracle.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY - and if needed HYDRA_PROXY_AUTH - environment for a proxy setup.
E.g.:  % export HYDRA_PROXY=socks5://127.0.0.1:9150 (or socks4:// or connect://)
       % export HYDRA_PROXY_HTTP=http://proxy:8080
       % export HYDRA_PROXY_AUTH=user:pass

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh
WARNING: FOR EDUCATION PURPOSE! DO IT ON YOUR LOCAL NETWORK AND WITH YOUR OWN RISK. DOING THIS IS ON PUBLIC NETWORK IS BREAKING A LAW!

Posted by at
Labels:

Tuesday, October 25, 2016

fail2ban: autoreporting attack to www.abuseipdb.com

Create file /etc/fail2ban/action.d/abuseipdb.conf
# Fail2Ban configuration file
#
# Author: IGAM Muliarsa
#
#

# Action to report IP address to abuseipdb.com
# you must sign up in https://www.abuseipdb.com
# This action requires API_KEY
# https://www.abuseipdb.com/report/json?key=[API_KEY]&category=[CATEGORIES]&comment=[COMMENT]&ip=[IP]
#
# IMPORTANT:
#
# Reporting an IP of abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
#   * The recidive where the IP has been banned multiple times
#   * Where maxretry has been set quite high, beyond the normal user typing
#     password incorrectly.
#   * For filters that have a low likelyhood of receiving human errors
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = curl --data 'key=<apikey>' --data 'category=<category>' --data 'ip=<ip>' --data-urlencode 'comment=<matches>' --user-agent 'fail2ban v0.8.12' 'https://www.abuseipdb.com/report/json'

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban =

[Init]

# Option:  apikey
# Notes    your user apikey from abuseipdb.com user account
# Values:  STRING  Default: None
#
apikey = REPLACE_WITH_YOUR_API_KEY

# Option:  service
# Notes    service name you are reporting on, typically aligns with filter name
# Values:  STRING  Default: None
#
#service =
Edit /etc/fail2ban/jail.conf
...
[sshd]

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter = sshd
action = iptables-ipset-proto4[]
        mlocaldb[category=10]
        abuseipdb[category=4,18,22]
...
To find available category, follow this rule.
Restart your fail2ban.
Tested on Fail2ban 0.9.x

References:

  • https://www.abuseipdb.com/api.html
Posted by at
Labels:

Tuesday, October 11, 2016

China DDOS SSH 2016-10-11 Involving 12 IPs

Log:
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]
Oct 11 01:28:56 mars sshd[29033]: fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
Oct 11 04:40:43 mars sshd[2440]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 04:43:11 mars sshd[2477]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 04:44:12 mars sshd[2482]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:45:11 mars sshd[2886]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 04:45:45 mars sshd[3419]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 04:52:32 mars sshd[4427]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 04:53:53 mars sshd[4433]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 04:56:15 mars sshd[5350]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 04:57:21 mars sshd[5384]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:57:52 mars sshd[5387]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 04:58:10 mars sshd[5390]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:02:36 mars sshd[6364]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:08:11 mars sshd[7341]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:09:53 mars sshd[7399]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 05:16:53 mars sshd[9285]: Received disconnect from 121.18.238.109: 11:  [preauth]
Oct 11 05:18:51 mars sshd[9323]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 05:18:54 mars sshd[9325]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 05:25:45 mars sshd[11293]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 05:26:41 mars sshd[11297]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:29:04 mars sshd[11335]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:30:10 mars sshd[11717]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:31:35 mars sshd[12252]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:37:35 mars sshd[13232]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:40:48 mars sshd[14251]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:47:08 mars sshd[15236]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:51:46 mars sshd[16208]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:54:15 mars sshd[16266]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:57:01 mars sshd[17206]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 06:13:24 mars sshd[20155]: Connection closed by 221.194.47.208 [preauth]
Oct 11 06:16:53 mars sshd[21101]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 06:34:57 mars sshd[24362]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 06:40:53 mars sshd[26291]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 06:41:43 mars sshd[26296]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 06:41:58 mars sshd[26299]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 06:50:14 mars sshd[27709]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 07:55:39 mars sshd[8437]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 08:01:33 mars sshd[9618]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 08:03:14 mars sshd[9627]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 08:04:00 mars sshd[9632]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]
Oct 11 01:28:56 mars sshd[29033]: fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
Oct 11 04:40:43 mars sshd[2440]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 04:43:11 mars sshd[2477]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 04:44:12 mars sshd[2482]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:45:11 mars sshd[2886]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 04:45:45 mars sshd[3419]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 04:52:32 mars sshd[4427]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 04:53:53 mars sshd[4433]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 04:56:15 mars sshd[5350]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 04:57:21 mars sshd[5384]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:57:52 mars sshd[5387]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 04:58:10 mars sshd[5390]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:02:36 mars sshd[6364]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:08:11 mars sshd[7341]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:09:53 mars sshd[7399]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 05:16:53 mars sshd[9285]: Received disconnect from 121.18.238.109: 11:  [preauth]
Oct 11 05:18:51 mars sshd[9323]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 05:18:54 mars sshd[9325]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 05:25:45 mars sshd[11293]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 05:26:41 mars sshd[11297]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:29:04 mars sshd[11335]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:30:10 mars sshd[11717]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:31:35 mars sshd[12252]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:37:35 mars sshd[13232]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:40:48 mars sshd[14251]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:47:08 mars sshd[15236]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:51:46 mars sshd[16208]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:54:15 mars sshd[16266]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:57:01 mars sshd[17206]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 06:13:24 mars sshd[20155]: Connection closed by 221.194.47.208 [preauth]
Oct 11 06:16:53 mars sshd[21101]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 06:34:57 mars sshd[24362]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 06:40:53 mars sshd[26291]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 06:41:43 mars sshd[26296]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 06:41:58 mars sshd[26299]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 06:50:14 mars sshd[27709]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 07:55:39 mars sshd[8437]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 08:01:33 mars sshd[9618]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 08:03:14 mars sshd[9627]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 08:04:00 mars sshd[9632]: Received disconnect from 119.249.54.75: 11:  [preauth]
Here is attacker IPs:
  1. 119.249.54.66
  2. 119.249.54.68
  3. 119.249.54.75
  4. 119.249.54.88
  5. 121.18.238.104
  6. 121.18.238.109
  7. 121.18.238.114
  8. 121.18.238.98
  9. 221.194.47.208
  10. 221.194.47.224
  11. 221.194.47.229
  12. 221.194.47.249
 Others IPs before attact begin:
  1. 113.108.21.16
    Oct 11 03:05:36    mars sshd[16159]:    Did not receive identification string from    113.108.21.16   
  2. 124.232.156.78
    Oct 10 21:32:00    mars sshd[14650]:    Received disconnect from    124.232.156.78    :  11: Bye Bye [preauth]
  3. 183.129.160.229
    Oct 11 03:05:36    mars sshd[16159]:    Did not receive identification string from    113.108.21.16   
Sequence for each IP attempt:
No Time  From Method Auth No Time  From Method Auth
1 2016-10-11 4:40 121.18.238.114 :  11:  [preauth] 21 2016-10-11 5:30 119.249.54.66 :  11:  [preauth]
2 2016-10-11 4:43 119.249.54.75 :  11:  [preauth] 22 2016-10-11 5:31 121.18.238.104 :  11:  [preauth]
3 2016-10-11 4:44 221.194.47.208 :  11:  [preauth] 23 2016-10-11 5:37 221.194.47.229 :  11:  [preauth]
4 2016-10-11 4:45 221.194.47.229 :  11:  [preauth] 24 2016-10-11 5:40 121.18.238.104 :  11:  [preauth]
5 2016-10-11 4:45 221.194.47.224 :  11:  [preauth] 25 2016-10-11 5:47 119.249.54.88 :  11:  [preauth]
6 2016-10-11 4:52 221.194.47.249 :  11:  [preauth] 26 2016-10-11 5:51 121.18.238.104 :  11:  [preauth]
7 2016-10-11 4:53 121.18.238.98 :  11:  [preauth] 27 2016-10-11 5:54 119.249.54.88 :  11:  [preauth]
8 2016-10-11 4:56 119.249.54.68 :  11:  [preauth] 28 2016-10-11 5:57 121.18.238.98 :  11:  [preauth]
9 2016-10-11 4:57 221.194.47.208 :  11:  [preauth] 29 2016-10-11 6:13 221.194.47.208 [preauth]
10 2016-10-11 4:57 121.18.238.104 :  11:  [preauth] 30 2016-10-11 6:16 121.18.238.104 :  11:  [preauth]
11 2016-10-11 4:58 221.194.47.229 :  11:  [preauth] 31 2016-10-11 6:34 121.18.238.114 :  11:  [preauth]
12 2016-10-11 5:02 221.194.47.249 :  11:  [preauth] 32 2016-10-11 6:40 119.249.54.68 :  11:  [preauth]
13 2016-10-11 5:08 221.194.47.249 :  11:  [preauth] 33 2016-10-11 6:41 119.249.54.75 :  11:  [preauth]
14 2016-10-11 5:09 119.249.54.68 :  11:  [preauth] 34 2016-10-11 6:41 221.194.47.249 :  11:  [preauth]
15 2016-10-11 5:16 121.18.238.109 :  11:  [preauth] 35 2016-10-11 6:50 121.18.238.98 :  11:  [preauth]
16 2016-10-11 5:18 119.249.54.75 :  11:  [preauth] 36 2016-10-11 7:55 119.249.54.88 :  11:  [preauth]
17 2016-10-11 5:18 121.18.238.114 :  11:  [preauth] 37 2016-10-11 8:01 221.194.47.208 :  11:  [preauth]
18 2016-10-11 5:25 221.194.47.224 :  11:  [preauth] 38 2016-10-11 8:03 121.18.238.104 :  11:  [preauth]
19 2016-10-11 5:26 119.249.54.66 :  11:  [preauth] 39 2016-10-11 8:04 119.249.54.75 :  11:  [preauth]
20 2016-10-11 5:29 221.194.47.229 :  11:  [preauth]        
 It is better to block those IP in block /24:
For iptables:
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 121.18.238.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 221.194.47.0/24 -j DROP
If you don't have business with them  just block all incoming connection from them:
# iptables -A INPUT -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -s 121.18.238.0/24 -j DROP
# iptables -A INPUT s 221.194.47.0/24 -j DROP

Posted by at
Labels:

Thursday, October 6, 2016

Debian Jessie: installing fail2ban 0.9.5-1 from SID with ipset


Debian Jessie stable contain old version of fail2ban, i.e. fail2Ban v0.8.13 (Debian 8.6). This version has reach end of life cycle from its developer. Current version (in active) development is version 0.10. Debian Jessie in SID (unstable) has version 0.9.5-1. We are going to use this version on our production server.
Our /etc/apt/sources.list, we don't add any SID repository to our sources.

deb http://kambing.ui.ac.id/debian/ jessie main

deb-src http://kambing.ui.ac.id/debian/ jessie main

deb http://security.debian.org/ jessie/updates main
deb-src http://security.debian.org/ jessie/updates main

#backport
deb http://ftp.debian.org/debian jessie-backports main

Before download and install fail2ban, install all required package. 

Download fail2ban 0.9.5-1 installer from SID directly from main pool

http://ftp.us.debian.org/debian/pool/main/f/fail2ban/fail2ban_0.9.5-1_all.deb

or from its mirror (choose your closest one)

http://kambing.ui.ac.id/debian/pool/main/f/fail2ban/fail2ban_0.9.5-1_all.deb

Use wget to retrieve fail2ban 0.9.5-1 installer

# wget http://kambing.ui.ac.id/debian/pool/main/f/fail2ban/fail2ban_0.9.5-1_all.deb

If you are not confidence to use "unstable" version use fail2ban 0.9.3-1 from testing

http://ftp.us.debian.org/debian/pool/main/f/fail2ban/fail2ban_0.9.3-1_all.deb

Remove existing fail2ban

# apt-get --purge remove fail2ban

You can now start to install fail2ban 0.9.5-1

# dpkg -i fail2ban_0.9.5-1_all.deb
(Reading database ... 109167 files and directories currently installed.)
Preparing to unpack fail2ban_0.9.5-1_all.deb ...
Unpacking fail2ban (0.9.5-1) over (0.9.5-1) ...
dpkg: dependency problems prevent configuration of fail2ban:
 fail2ban depends on python3:any (>= 3.3.2-2~).
dpkg: error processing package fail2ban (--install):
 dependency problems - leaving unconfigured
Processing triggers for systemd (215-17+deb8u5) ...
Processing triggers for man-db (2.7.0.2-5) ...
Errors were encountered while processing:
 fail2ban

It will ask you to install python python3. It's file and safe, your default python still 2.7. Run this command to fix it.

# apt-get -f install
...
# python --version
Python 2.7.9

Create a new action in /etc/fail2ban/action.d/iptables-ipset-proto4-allports.conf

# Fail2Ban configuration file
# Original: iptables-ipset-proto4.conf (Author: Daniel Black)
# Modified: IGAM Muliarsa
#
# Tested on: Debian 8.6
# ipset version: ipset v6.23, protocol version: 6
[INCLUDES]
before = iptables-common.conf
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = ipset --create f2b- iphash
-I -m set --match-set f2b- src -j
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = -D -m set --match-set f2b- src -j
ipset --flush f2b-
ipset --destroy f2b-
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipset --test f2b- || ipset --add f2b-
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipset --test f2b- && ipset --del f2b-
[Init]
You need to enable configure /etc/fail2ban/fail.conf and enabling ipset
...
# consider low maxretry and a long bantime
bantime = 600
...
maxretry = 5
...
[sshd]

port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter = sshd
action = iptables-ipset-proto4[name=sshd]
...
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter = sshd
action = iptables-ipset-proto4[name=sshd-dos]
...
[proftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s
enabled = true
filter = proftpd
action = iptables-ipset-proto4-allports[name=proftpd]
...
[postfix]

port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
enabled = true
filter = postfix
action = iptables-ipset-proto4[name=postfix, port="25,465,993,995,465,143,110"]
...
[postfix-sasl]

port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
enabled = true
filter = postfix-sasl
action = iptables-ipset-proto4[name=postfix-sasl, port="25,465,993,995,465,143,110"]
...
[dovecot]

port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
enabled = true
filter = dovecot
action = iptables-ipset-proto4[name=dovecot, port="25,465,993,995,465,143,110"]
...

Note: you need to define name in iptables-ipset-proto4[] to make it work properly
after Restart your fail2ban

# /etc/init.d/fail2ban restart
...
# /etc/init.d/fail2ban status
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled)
Active: active (running) since Thu 2016-10-06 12:10:29 WIB; 4min 24s ago
Docs: man:fail2ban(1)
Process: 24350 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
Process: 24358 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
Main PID: 24361 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
└─24361 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail...

Oct 06 12:10:29 mars fail2ban-client[24358]: 2016-10-06 12:10:29,293 fail2ba...5
Oct 06 12:10:29 mars fail2ban-client[24358]: 2016-10-06 12:10:29,294 fail2ba...e
Oct 06 12:10:29 mars systemd[1]: Started Fail2Ban Service.

Hint: Some lines were ellipsized, use -l to show in full.

You can enable other fail2ban service such as apache, ftp, etc.

If you need to latest version of fail2ban, download and install it from source xxx and manually configure its service.

References:

  1. https://packages.debian.org/sid/all/fail2ban/download
  2. https://launchpad.net/debian/+source/fail2ban
  3. https://tracker.debian.org/pkg/fail2ban
  4. https://wiki.debian.org/DebianUnstable
  5. https://github.com/fail2ban/fail2ban



Posted by at
Labels:

Monday, October 3, 2016

Fail2ban: install dependency python library in Debian Jessie

These are some python library that may be used in Fail2ban:

  • pyinotify >= 0.8.3 (Linux >= 2.6.13)
  • gamin >= 0.0.21
  • systemd >= 204
  • dnspython
These are my /etc/apt/sources.list:
deb http://kambing.ui.ac.id/debian/ jessie main
deb-src http://kambing.ui.ac.id/debian/ jessie main
deb http://security.debian.org/ jessie/updates main
deb-src http://security.debian.org/ jessie/updates main
#backport
deb http://ftp.debian.org/debian jessie-backports main

Install them all:

# apt-get install gamin systemd python-pyinotify python-dnspython python3-pyinotify

References:

  • https://github.com/fail2ban/fail2ban
Posted by at
Labels:

Tuesday, September 20, 2016

Debian Jessie: install and configure Kippo

Kippo requirements:

  • python-pycryptopp
  • zope
  • python-twisted
Install all requirements
# apt-get install python-pycryptopp zope python-twisted
You need to add a user to run kippo, for instant we create user kippo (you can use any non admin user to run kippo since this service run on port above 1024).
# useradd kippo

Login as kippo and download kippo from github

$ wget --no-check-certificate https://github.com/desaster/kippo/archive/master.zip
unzip it
$ unzip master.zip
change directory to kippo-master i.e. /home/kippo/kippo-master
$ cd kippo-master/
copy and edit kippo.cfg
$ cp kippo.cfg.dist kippo.cfg
$ vi kippo.cfg
...
ssh_port = 2222
...
hostname = test
...
port and hostname can be change anything you wish. use any unused port above 1024.

You need to execute command below as root to update kippo "system" file and create iptables rule

# cd /home/kippo/kippo-master/
# ./utils/createfs.py > fs.pickle
Doing stuff
# iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222
Note to remove iptables above
# iptables -t nat -D PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

Use kippo user to start and stop kippo in directory /home/kippo/kippo-master/

to start kippo
$ ./start.sh
twistd (the Twisted daemon) 14.0.2
Copyright (c) 2001-2014 Twisted Matrix Laboratories.
See LICENSE for details.
Starting kippo in the background...
Generating new RSA keypair...
Done.
Generating new DSA keypair...
Done.
to stop kippo
$ ./stop.sh

References:

  • https://linuxconfig.org/deployment-of-kippo-ssh-honeypot-on-ubuntu-linux
  • https://github.com/desaster/kippo
Posted by at
Labels:

Sunday, September 18, 2016

Fail2ban: enabling ipset in Debian Jessie

Prerequisite:
  • fail2ban
  • iptable
  • ipset
To enable ipset in fail2ban edit /etc/fail2ban/jail.conf
# vi /etc/fail2ban/jail.conf
...
[ssh-iptables-ipset4]

enabled = true # change this
port     = ssh
filter   = sshd
banaction = iptables-ipset-proto4
logpath = /var/log/auth.log
maxretry = 3

[ssh-iptables-ipset6]

enabled = true # change this
port     = ssh
filter   = sshd
banaction = iptables-ipset-proto6
logpath = /var/log/auth.log
maxretry = 3
...
Restart your fail2ban
# /etc/init.d/fail2ban restart
Posted by at
Labels:

Wednesday, August 24, 2016

Fail2ban: optional regex filter

Optional regex filter:

SSH, edit or replace /etc/fail2ban/filter.d/sshd.conf or /etc/fail2ban/filter.d/sshd-ddos.conf

^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from ( via \S+)?\s*$
^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$
^%(__prefix_line)sFailed \S+ for .*? from (?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$
^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$
^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$
^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$
^%(__prefix_line)sUser .+ from not allowed because not in any group\s*$
^%(__prefix_line)srefused connect from \S+ \(\)\s*$
^%(__prefix_line)s(?:error: )?Received disconnect from : 3: .*: Auth fail(?: \[preauth\])?$
^%(__prefix_line)sUser .+ from not allowed because a group is listed in DenyGroups\s*$
^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$
^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: .+ \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?: on \S+ port \d+)?(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from (?: port \d*)?(?: ssh\d*)? \[preauth\]$
^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*$
^%(__prefix_line)sConnection closed by \[preauth\]$
^%(__prefix_line)sReceived disconnect from : 11: (Bye Bye)? \[preauth\]$
^%(__prefix_line)sReceived disconnect from : 3: \S+: Auth fail$

Postfix-sasl, edit or replace /etc/fail2ban/filter.d/postfix-sasl.conf

^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$
lost connection after AUTH from (.*)\[\]

Postfix, edit or replace /etc/fail2ban/filter.d/postfix.conf


^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]);
from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$
^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname;
^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[\]: 550 5\.1\.1 .*$
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$
^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[\]:?$
lost connection after (AUTH|UNKNOWN|EHLO) from (.*)\[\]
connect from unknown\[\]
disconnect from unknown\[\]?$
statistics: max connection rate 1/60s for (smtp:)?$
statistics: max connection rate 1 for (smtp:)?$

ProFTP, edit or replace /etc/fail2ban/filter.d/proftpd.conf 

^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$
^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$
USER \S+: no such user found from \S* ?\[\] to \S+\s*$
\(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+.*$
\(\S+\[\]\)[: -]+ USER \S+ \(Login failed\): Incorrect password.*$
\(\S+\[\]\)[: -]+ SSH2 session closed.

References:

  1. http://www.fail2ban.org/wiki/index.php/MANUAL_0_8
  2. http://serverfault.com/questions/686422/modify-fail2ban-failregex-to-match-failed-public-key-authentications-via-ssh
  3. http://security.stackexchange.com/questions/10869/fail2ban-does-not-ban-failed-root-login-attempt
  4. http://serverfault.com/questions/681703/regex-for-multiple-sshd-received-disconnect-from-preauth
  5. https://github.com/fail2ban/fail2ban/pull/1206/files
  6. http://serverfault.com/questions/335983/postfix-connection-lost-after-auth
Posted by at
Labels:

Friday, April 1, 2016

Find host or IP on Fail2ban log in Centos using bash and awk

Find out your fail2ban log and make permanent block. You need to install ipset to make your iptables rules

  • Create script bannedge2centos.sh
#!/bin/bash
## create by dedetok March 2016
## GNU GPL v3
echo "These IP get WARNING at least twice"
awk '(/fail2ban.filter/ && /WARNING/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n |
{
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}

echo "These IP get Filter sshd at least twice"
awk '(/fail2ban.filter/ && /sshd/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n | {
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}

echo "These IP get Filter ftpd at least twice"
awk '(/fail2ban.filter/ && /vsftpd/) { print $NF}' /var/log/fail2ban.log | sort | uniq -c | sort -n | {
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}

echo "These hosts get Filter Fail2ban at least twice"
awk '(/fail2ban.filter/ && /WARNING Unable/) { print $(NF-7)}' /var/log/fail2ban.log | sort | uniq -c |
 sort -n | {
  while read -r line1 line2
  do
    if [ "$line1" -ge 2 ]; then
      echo "$line1 $line2"
    fi
  done
}
  • Create ipset rules mynetrules
# ipset create mynetrules hash:net
  • Run bash bannedge2centos.sh  
# ./bannedge2centos.sh
These IP get WARNING at least twice
2 ['199.15.112.8']
2 ['216.117.2.180']
2 ['82.148.206.193']
4 ['208.100.26.231']
4 ['31.211.102.129']
5 ['71.6.167.142']
10 ['88.80.15.69']
28 known
These IP get Filter sshd at least twice
2 118.136.248.90
18 84.16.74.40
These IP get Filter ftpd at least twice
5 88.80.15.69
These hosts get Filter Fail2ban at least twice
2 128-140-19-52.maxnet.ir:
2 1-39-45-166.live.vodafone.in:
2 178.218.202.224.ip.turontelecom.uz:
2 181-174-60-157.telebucaramanga.net.co:
2 222.64.uzpak.uz:
2 238.124.206.49-ras.beamtele.net:
2 75-242-69-115.vasaicable.co.in:
2 78.187.230.16.static.ttnet.com.tr:
2 85-113-26-150.static.ktnet.kg:
2 91-219-55-106.static-pool.centr.zp.ua:
2 brbnd47-30.mng.net:
2 static-mum-120.63.188.93.mtnl.net.in:
4 client.fttb.2day.kz:
  • Popuate ipset rules mynetrules
# ipset add mynetrules 84.16.74.40
# ipset add mynetrules 71.6.167.142
# ipset add mynetrules 208.100.26.231
# ipset add mynetrules 31.211.102.129
  • Add ipset rules into iptables rules
# iptables -I INPUT -m set --match-set mynetrules src -j DROP
  • Save your new rules
# service ipset save
# service iptables save
Default ipset and iptables: /etc/sysconfig/ipset, /etc/sysconfig/iptables,  and /etc/sysconfig/iptables.save 
  • To reload ipset and iptables
# service ipset reload
# service iptables restart
Another interesting scrips
  • # awk '(/pam_unix/ && /sshd:auth/ && /authentication failure/) { print $NF }' /var/log/secure | sort | uniq -c | sort
  • # awk '(/pam_unix/ && /webmin/ && /authentication failure/) { print $(NF-1) }' /var/log/secure | sort | uniq -c | sort
  • # awk '(/pam_unix/ && /vsftpd/ && /authentication failure/) { print $(NF) }' /var/log/secure | sort | uniq -c | sort 
  • awk '((/not receive/ || /Failed/ || /Connection closed/ || /closed/ || /failure/ ) && /preauth/ && /sshd/) { print (NF-2),$(NF-1),$NF}' /var/log/auth.log | sort  | uniq -c
Note:
  • You can modify these to auto block those IP into your ipset rules. But beware about your IP may incidentally get auto blocked. Check those IP or host location before add them into ipset ruls
  • When ipset size increasing, it wont impose to CPU load.


Posted by at
Labels:
Subscribe to: Posts (Atom)