Thursday, October 13, 2016

PHP >= 5.5: password hashing

To hash a password (PASSWORD_DEFAULT is currently bcrypt; the returned string embeds the algorithm, the cost and a random salt, so nothing else needs to be stored)

$mypass = "password";
$myhash = password_hash($mypass, PASSWORD_DEFAULT);

To verify a candidate password against the stored hash

$brutepass = "test";
$ok = password_verify($brutepass, $myhash); // true or false

Storing the hash in the database

From the PHP manual: "Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)." In MySQL terms, VARCHAR(255).
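A complete register/login flow around the two calls above, added here as an example (it is not code from the original post). The $users array is a constructed stand-in for the database table; the cost of 12 and the 72-byte limit are choices explained in the comments, not something the post specifies.

```php
<?php
// Added example, not from the original post: a minimal registration and
// login flow around password_hash()/password_verify() (PHP >= 5.5).
// $users is a constructed stand-in for the database table; the 'hash'
// column should be VARCHAR(255) as the post recommends, because a change of
// PASSWORD_DEFAULT or cost changes the length of the stored string.

$hashOptions = array('cost' => 12);   // bcrypt work factor; the default is 10

function register(array &$users, $username, $password, array $hashOptions)
{
    // bcrypt only looks at the first 72 bytes of the password; refuse longer
    // input instead of letting it be silently truncated.
    if (strlen($password) > 72) {
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    $hash = password_hash($password, PASSWORD_DEFAULT, $hashOptions);
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    $users[$username] = array('hash' => $hash);
}

function login(array &$users, $username, $password, array $hashOptions)
{
    // Verify against a dummy hash for unknown users, so the response time does
    // not tell an attacker whether the account exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT, $hashOptions);
    }
    $known  = isset($users[$username]);
    $stored = $known ? $users[$username]['hash'] : $dummy;

    if (!password_verify($password, $stored) || !$known) {
        return false;
    }

    // Transparent upgrade: if the algorithm or cost has changed since the
    // hash was made, rehash now while the plaintext is available.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, $hashOptions)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_DEFAULT, $hashOptions);
    }
    return true;
}

// Constructed data for a run.
$users = array();
register($users, 'alice', 'correct horse battery staple', $hashOptions);

var_dump(login($users, 'alice', 'correct horse battery staple', $hashOptions));
var_dump(login($users, 'alice', 'test', $hashOptions));
var_dump(login($users, 'nobody', 'test', $hashOptions));

// What actually lands in the database column: algorithm, cost, salt, digest.
echo strlen($users['alice']['hash']), ' bytes: ', $users['alice']['hash'], PHP_EOL;
```

The dummy-hash branch costs one extra bcrypt computation per failed lookup of an unknown user; that is the price of not leaking account existence through timing.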


Tuesday, October 11, 2016

PHP 5: GeoIP

Install PHP GeoIP

# apt-get install geoip-bin geoip-database geoip-database-extra php5-geoip php5-geos

Updating the GeoIP database from SID (pick a mirror close to you)

# wget http://kambing.ui.ac.id/debian/pool/main/g/geoip-database/geoip-database-extra_20160912-1_all.deb
# wget http://kambing.ui.ac.id/debian/pool/main/g/geoip-database/geoip-database_20160912-1_all.deb
# dpkg -i geoip-database_20160912-1_all.deb
# dpkg -i geoip-database-extra_20160912-1_all.deb  

To convert an IP address to an integer (ip2long() returns false for an invalid address, so check with === false; ip2long('0.0.0.0') is 0)

$ip = ip2long('119.249.54.66');

To convert the integer back to an IP address

$hostip = long2ip($ip);

To get the three-letter country code

echo geoip_country_code3_by_name($hostip);

To get the country name

echo geoip_country_name_by_name($hostip);

To get the country code and region

var_dump(geoip_region_by_name($hostip));

On this setup that fails with:
mod_fcgid: stderr: PHP Warning:  geoip_region_by_name(): Required database not available at /usr/share/GeoIP/GeoIPRegion.dat
GeoIPRegion.dat is MaxMind's commercial region database and is not shipped by the Debian packages installed above, so this function needs a paid subscription. The free GeoLite City database does carry a region field; it is read through geoip_record_by_name() when the city database is installed.
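A lookup helper that checks which databases are actually present before calling into the extension, added as an example (not code from the original post). It assumes the php5-geoip extension and the Debian geoip-database / geoip-database-extra packages from the steps above; that geoip-database-extra provides the GeoLite City file under /usr/share/GeoIP/GeoIPCity.dat is an assumption, which is why availability is tested at run time rather than relied on.

```php
<?php
// Added example, not from the original post. Assumes the php5-geoip extension
// and the Debian geoip-database / geoip-database-extra packages; which .dat
// files exist is checked with geoip_db_avail() instead of being assumed.

// Dotted-quad to integer, rejecting anything that is not an IPv4 address.
// ip2long('0.0.0.0') is 0 and ip2long('x') is false, so test === false;
// a plain "if (!$n)" would wrongly reject 0.0.0.0.
function ipv4ToInt($ip)
{
    $n = ip2long($ip);
    if ($n === false) {
        throw new InvalidArgumentException("not an IPv4 address: $ip");
    }
    // On 32-bit PHP builds ip2long() is signed, so anything above
    // 127.255.255.255 comes back negative; normalise to the unsigned value.
    return sprintf('%u', $n);
}

function lookup($ip)
{
    $result = array('ip' => $ip, 'int' => ipv4ToInt($ip));

    if (!extension_loaded('geoip')) {
        $result['error'] = 'geoip extension not loaded';
        return $result;
    }

    // Country lookups only need GeoIP.dat (geoip-database package). The
    // functions return false, with a warning, for an address that is in no
    // database (private ranges, for instance); the @ keeps the warning out
    // of the web server log.
    $result['country_code3'] = @geoip_country_code3_by_name($ip);
    $result['country_name']  = @geoip_country_name_by_name($ip);

    // geoip_region_by_name() needs GeoIPRegion.dat, MaxMind's commercial
    // region database, which is what the warning in the post is about. The
    // free GeoLite City database also carries the region, so fall back to the
    // city record when that database is installed (assumed path: GeoIPCity.dat).
    if (geoip_db_avail(GEOIP_REGION_EDITION_REV1) || geoip_db_avail(GEOIP_REGION_EDITION_REV0)) {
        $result['region'] = geoip_region_by_name($ip);
    } elseif (geoip_db_avail(GEOIP_CITY_EDITION_REV1) || geoip_db_avail(GEOIP_CITY_EDITION_REV0)) {
        $rec = @geoip_record_by_name($ip);
        if ($rec !== false) {
            $result['region'] = array(
                'country_code' => $rec['country_code'],
                'region'       => $rec['region'],
                'city'         => $rec['city'],
            );
        }
    } else {
        $result['region'] = 'neither the region nor the city database is installed';
    }
    return $result;
}

// Constructed input: the address used in the post, a private address that is
// in no GeoIP database, and an invalid string.
foreach (array('119.249.54.66', '10.0.0.1') as $ip) {
    print_r(lookup($ip));
}
try {
    lookup('not.an.ip');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Keep in mind that a country lookup is a hint, not an authentication signal: the attacking addresses in the next post are a good test input, but a block list should be driven by behaviour in the logs, not by geography alone.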


China DDOS SSH 2016-10-11 Involving 12 IPs

Log:
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]
Oct 11 01:28:56 mars sshd[29033]: fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
Oct 11 04:40:43 mars sshd[2440]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 04:43:11 mars sshd[2477]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 04:44:12 mars sshd[2482]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:45:11 mars sshd[2886]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 04:45:45 mars sshd[3419]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 04:52:32 mars sshd[4427]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 04:53:53 mars sshd[4433]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 04:56:15 mars sshd[5350]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 04:57:21 mars sshd[5384]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:57:52 mars sshd[5387]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 04:58:10 mars sshd[5390]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:02:36 mars sshd[6364]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:08:11 mars sshd[7341]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 05:09:53 mars sshd[7399]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 05:16:53 mars sshd[9285]: Received disconnect from 121.18.238.109: 11:  [preauth]
Oct 11 05:18:51 mars sshd[9323]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 05:18:54 mars sshd[9325]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 05:25:45 mars sshd[11293]: Received disconnect from 221.194.47.224: 11:  [preauth]
Oct 11 05:26:41 mars sshd[11297]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:29:04 mars sshd[11335]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:30:10 mars sshd[11717]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 05:31:35 mars sshd[12252]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:37:35 mars sshd[13232]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:40:48 mars sshd[14251]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:47:08 mars sshd[15236]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:51:46 mars sshd[16208]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 05:54:15 mars sshd[16266]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 05:57:01 mars sshd[17206]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 06:13:24 mars sshd[20155]: Connection closed by 221.194.47.208 [preauth]
Oct 11 06:16:53 mars sshd[21101]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 06:34:57 mars sshd[24362]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 06:40:53 mars sshd[26291]: Received disconnect from 119.249.54.68: 11:  [preauth]
Oct 11 06:41:43 mars sshd[26296]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 06:41:58 mars sshd[26299]: Received disconnect from 221.194.47.249: 11:  [preauth]
Oct 11 06:50:14 mars sshd[27709]: Received disconnect from 121.18.238.98: 11:  [preauth]
Oct 11 07:55:39 mars sshd[8437]: Received disconnect from 119.249.54.88: 11:  [preauth]
Oct 11 08:01:33 mars sshd[9618]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 08:03:14 mars sshd[9627]: Received disconnect from 121.18.238.104: 11:  [preauth]
Oct 11 08:04:00 mars sshd[9632]: Received disconnect from 119.249.54.75: 11:  [preauth]
The attacking IPs, 12 hosts in three /24 ranges (every line is a pre-authentication disconnect, i.e. the clients connect and drop before authenticating):
  1. 119.249.54.66
  2. 119.249.54.68
  3. 119.249.54.75
  4. 119.249.54.88
  5. 121.18.238.104
  6. 121.18.238.109
  7. 121.18.238.114
  8. 121.18.238.98
  9. 221.194.47.208
  10. 221.194.47.224
  11. 221.194.47.229
  12. 221.194.47.249
Other IPs seen before the attack began:
  1. 113.108.21.16
    Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
  2. 124.232.156.78
    Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]
  3. 183.129.160.229
    Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Sequence of attempts, one row per connection (time in server local time, 2016-10-11):
No  Time   From             Message
 1  04:40  121.18.238.114   Received disconnect: 11 [preauth]
 2  04:43  119.249.54.75    Received disconnect: 11 [preauth]
 3  04:44  221.194.47.208   Received disconnect: 11 [preauth]
 4  04:45  221.194.47.229   Received disconnect: 11 [preauth]
 5  04:45  221.194.47.224   Received disconnect: 11 [preauth]
 6  04:52  221.194.47.249   Received disconnect: 11 [preauth]
 7  04:53  121.18.238.98    Received disconnect: 11 [preauth]
 8  04:56  119.249.54.68    Received disconnect: 11 [preauth]
 9  04:57  221.194.47.208   Received disconnect: 11 [preauth]
10  04:57  121.18.238.104   Received disconnect: 11 [preauth]
11  04:58  221.194.47.229   Received disconnect: 11 [preauth]
12  05:02  221.194.47.249   Received disconnect: 11 [preauth]
13  05:08  221.194.47.249   Received disconnect: 11 [preauth]
14  05:09  119.249.54.68    Received disconnect: 11 [preauth]
15  05:16  121.18.238.109   Received disconnect: 11 [preauth]
16  05:18  119.249.54.75    Received disconnect: 11 [preauth]
17  05:18  121.18.238.114   Received disconnect: 11 [preauth]
18  05:25  221.194.47.224   Received disconnect: 11 [preauth]
19  05:26  119.249.54.66    Received disconnect: 11 [preauth]
20  05:29  221.194.47.229   Received disconnect: 11 [preauth]
21  05:30  119.249.54.66    Received disconnect: 11 [preauth]
22  05:31  121.18.238.104   Received disconnect: 11 [preauth]
23  05:37  221.194.47.229   Received disconnect: 11 [preauth]
24  05:40  121.18.238.104   Received disconnect: 11 [preauth]
25  05:47  119.249.54.88    Received disconnect: 11 [preauth]
26  05:51  121.18.238.104   Received disconnect: 11 [preauth]
27  05:54  119.249.54.88    Received disconnect: 11 [preauth]
28  05:57  121.18.238.98    Received disconnect: 11 [preauth]
29  06:13  221.194.47.208   Connection closed [preauth]
30  06:16  121.18.238.104   Received disconnect: 11 [preauth]
31  06:34  121.18.238.114   Received disconnect: 11 [preauth]
32  06:40  119.249.54.68    Received disconnect: 11 [preauth]
33  06:41  119.249.54.75    Received disconnect: 11 [preauth]
34  06:41  221.194.47.249   Received disconnect: 11 [preauth]
35  06:50  121.18.238.98    Received disconnect: 11 [preauth]
36  07:55  119.249.54.88    Received disconnect: 11 [preauth]
37  08:01  221.194.47.208   Received disconnect: 11 [preauth]
38  08:03  121.18.238.104   Received disconnect: 11 [preauth]
39  08:04  119.249.54.75    Received disconnect: 11 [preauth]
Since the attackers sit in three /24 ranges, it is better to block the whole ranges than the individual hosts (accepting that unrelated hosts in those ranges are blocked as well):
For iptables:
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 121.18.238.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 221.194.47.0/24 -j DROP
Note that -A appends to the end of INPUT; if an earlier rule already accepts port 22, these DROP rules never match, so insert them at the top with -I instead.
If you have no business with them at all, just block all incoming connections from them:
# iptables -A INPUT -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -s 121.18.238.0/24 -j DROP
# iptables -A INPUT -s 221.194.47.0/24 -j DROP
If you have ipset installed, follow this to set it up, and download an ipset SSH blacklist from here.
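The steps above (read the log, list the sources, group them into /24 ranges, write the block rules) as one script, added here as an example and not part of the original post. It works on a constructed excerpt of the post's own log lines, reuses ip2long()/long2ip() from the GeoIP post for the network math, and emits ipset plus iptables commands; the set name ssh-block and the "two hosts make a range" threshold are my choices, and 64-bit PHP is assumed.

```php
<?php
// Added example, not from the original post: parse sshd lines, count
// pre-authentication connections per source, group sources into /24 networks
// and print the firewall commands. $log is a constructed excerpt of the
// post's log; the "no matching cipher" line has no source address and is
// kept to show that it is skipped. Assumes 64-bit PHP integers.

$log = <<<'LOG'
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]
Oct 11 01:28:56 mars sshd[29033]: fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr [preauth]
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
Oct 11 04:40:43 mars sshd[2440]: Received disconnect from 121.18.238.114: 11:  [preauth]
Oct 11 04:43:11 mars sshd[2477]: Received disconnect from 119.249.54.75: 11:  [preauth]
Oct 11 04:44:12 mars sshd[2482]: Received disconnect from 221.194.47.208: 11:  [preauth]
Oct 11 04:45:11 mars sshd[2886]: Received disconnect from 221.194.47.229: 11:  [preauth]
Oct 11 05:26:41 mars sshd[11297]: Received disconnect from 119.249.54.66: 11:  [preauth]
Oct 11 06:13:24 mars sshd[20155]: Connection closed by 221.194.47.208 [preauth]
Oct 11 08:03:14 mars sshd[9627]: Received disconnect from 121.18.238.104: 11:  [preauth]
LOG;

// One pattern per sshd message type that appears in the post; each captures
// the source address. Lines matching none of them are ignored.
$patterns = array(
    'preauth-disconnect' => '/Received disconnect from (\d{1,3}(?:\.\d{1,3}){3}):.*\[preauth\]/',
    'preauth-close'      => '/Connection closed by (\d{1,3}(?:\.\d{1,3}){3}) \[preauth\]/',
    'bad-version'        => '/Bad protocol version identification .* from (\d{1,3}(?:\.\d{1,3}){3})/',
    'no-ident'           => '/Did not receive identification string from (\d{1,3}(?:\.\d{1,3}){3})/',
);

// Returns ip => array(kind => count). ip2long() rejects captures such as
// 999.1.1.1 that the loose regex would otherwise accept.
function parseLog($text, array $patterns)
{
    $hits = array();
    foreach (preg_split('/\R/', trim($text)) as $line) {
        foreach ($patterns as $kind => $re) {
            if (preg_match($re, $line, $m) && ip2long($m[1]) !== false) {
                if (!isset($hits[$m[1]])) {
                    $hits[$m[1]] = array();
                }
                $hits[$m[1]][$kind] = isset($hits[$m[1]][$kind]) ? $hits[$m[1]][$kind] + 1 : 1;
                break;
            }
        }
    }
    return $hits;
}

// Group addresses by /24: clearing the low 8 bits of the integer form is the
// same operation the kernel does for "-s a.b.c.0/24".
function groupBy24(array $hits)
{
    $nets = array();   // "a.b.c.0/24" => array(ip => total connections)
    foreach ($hits as $ip => $kinds) {
        $net = long2ip(ip2long($ip) & ~0xFF) . '/24';
        $nets[$net][$ip] = array_sum($kinds);
    }
    ksort($nets);
    return $nets;
}

// One ipset entry per target and a single iptables rule consulting the set.
// Networks with at least $minHosts distinct sources are blocked as the whole
// /24, lone addresses as /32 (hash:net accepts both). The threshold is a
// judgement call: a /24 also covers innocent neighbours of the attackers.
function firewallRules(array $nets, $minHosts = 2)
{
    $cmds = array('ipset create ssh-block hash:net -exist');
    foreach ($nets as $net => $ips) {
        $hosts  = array_keys($ips);
        $target = count($hosts) >= $minHosts ? $net : $hosts[0] . '/32';
        $cmds[] = "ipset add ssh-block $target -exist";
    }
    // -I puts the rule at the top of INPUT so an earlier ACCEPT for port 22
    // cannot shadow it; -A (as in the post) would append after such a rule.
    $cmds[] = 'iptables -I INPUT -p tcp --dport 22 -m set --match-set ssh-block src -j DROP';
    return $cmds;
}

$hits = parseLog($log, $patterns);
$nets = groupBy24($hits);
foreach ($nets as $net => $ips) {
    printf("%-18s %d host(s), %d connection(s)\n", $net, count($ips), array_sum($ips));
}
echo implode(PHP_EOL, firewallRules($nets)), PHP_EOL;
```

Feed it the full log with `$log = file_get_contents('/var/log/auth.log');` and the three attacking ranges come out as /24 entries while the three one-off sources stay /32; that split is what keeps a hand-written block list from growing into a block of half a country.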

Monday, October 10, 2016

PHP >= 5.3: DateTime

Constructing a DateTime object

$datetime = new DateTime("now");
$datetime = new DateTime('2000-01-01');

Printing a DateTime

echo $datetime->format('Y-m-d\TH:i:s');

Adding an hour

$datetime->add(new DateInterval('PT1H'));

Adding 10 days

$datetime->add(new DateInterval('P10D'));
Note (ISO 8601 duration syntax):
  • P: period designator, starts every interval
  • T: separates the date part from the time part, so hours need PT1H, not P1H

Comparing two DateTime objects (the comparison operators work on them directly)

$datetime  = new DateTime('2016-10-10');
$datetime2 = new DateTime('2016-10-09');
var_dump($datetime > $datetime2); // bool(true)
var_dump($datetime < $datetime2); // bool(false)
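An expiry check that puts the three pieces above (construct, add an interval, compare) to work, added here as an example and not code from the original post. The scenario, the storage format and the one-hour lifetime are constructed for the demonstration.

```php
<?php
// Added example, not from the original post: an expiry check built from the
// pieces above (construct a DateTime, add a DateInterval, compare objects).
// Everything is pinned to UTC on purpose: DateTime comparisons are correct
// across zones, but a naive local time written to the database and read
// back on a host with another default zone is the classic off-by-one-hour bug.

// Expiry as an ISO-8601 string with offset, i.e. what would be stored.
function issueExpiry(DateTime $issuedAt, DateInterval $ttl)
{
    $expires = clone $issuedAt;          // DateTime::add() mutates, so copy first
    $expires->add($ttl);
    return $expires->format('Y-m-d\TH:i:sP');
}

// True while $now is strictly before the stored expiry. An unparsable
// timestamp counts as expired, never as valid (fail closed).
function isValid($storedExpiry, DateTime $now)
{
    $expires = DateTime::createFromFormat('Y-m-d\TH:i:sP', $storedExpiry);
    if ($expires === false) {
        return false;
    }
    return $now < $expires;              // objects compare chronologically
}

$utc = new DateTimeZone('UTC');

// Constructed scenario: issued 2016-10-10 10:00 UTC, valid for one hour.
$stored = issueExpiry(new DateTime('2016-10-10 10:00:00', $utc), new DateInterval('PT1H'));
echo "stored expiry: $stored", PHP_EOL;

$checks = array(
    '2016-10-10 10:59:59'        => 'one second before expiry',
    '2016-10-10 11:00:00'        => 'exactly at expiry (no longer valid)',
    '2016-10-10 12:30:00 +02:00' => '10:30 UTC written with another offset',
    '2016-10-21 10:00:00'        => 'eleven days later',
);
foreach ($checks as $when => $label) {
    // An offset inside the string takes precedence over the $utc argument.
    $now       = new DateTime($when, $utc);
    $remaining = $now->diff(new DateTime($stored))->format('%R%a days %H:%I:%S');
    printf("%-40s valid=%-3s remaining=%s\n", $label,
           isValid($stored, $now) ? 'yes' : 'no', $remaining);
}

// Garbage from the database must fail closed.
var_dump(isValid('yesterday-ish', new DateTime('now', $utc)));
```

On PHP 5.5 and later, DateTimeImmutable removes the need for the clone: its add() returns a new object and leaves the original untouched.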



Thursday, October 6, 2016

Debian Jessie: installing fail2ban 0.9.5-1 from SID with ipset

Debian Jessie stable ships an old fail2ban, 0.8.13 (Debian 8.6), which upstream no longer maintains; the version in active development is 0.10. Debian SID (unstable) has 0.9.5-1, and that is the version we are going to use on our production server.
Our /etc/apt/sources.list stays as it is; we do not add any SID repository to it:
deb http://kambing.ui.ac.id/debian/ jessie main
deb-src http://kambing.ui.ac.id/debian/ jessie main

deb http://security.debian.org/ jessie/updates main
deb-src http://security.debian.org/ jessie/updates main

#backport
deb http://ftp.debian.org/debian jessie-backports main
Before downloading and installing fail2ban, install all the required packages from this article.
Download the fail2ban 0.9.5-1 package straight from the SID main pool
or from a mirror (choose the closest one).
Use wget to retrieve it:
# wget http://kambing.ui.ac.id/debian/pool/main/f/fail2ban/fail2ban_0.9.5-1_all.deb
If you are not comfortable running an "unstable" package, use fail2ban 0.9.3-1 from testing instead.
Remove the existing fail2ban:
# apt-get --purge remove fail2ban
Now install fail2ban 0.9.5-1:
# dpkg -i fail2ban_0.9.5-1_all.deb
(Reading database ... 109167 files and directories currently installed.)
Preparing to unpack fail2ban_0.9.5-1_all.deb ...
Unpacking fail2ban (0.9.5-1) over (0.9.5-1) ...
dpkg: dependency problems prevent configuration of fail2ban:
 fail2ban depends on python3:any (>= 3.3.2-2~).

dpkg: error processing package fail2ban (--install):
 dependency problems - leaving unconfigured
Processing triggers for systemd (215-17+deb8u5) ...
Processing triggers for man-db (2.7.0.2-5) ...
Errors were encountered while processing:
 fail2ban
dpkg stops because python3 is not installed. Installing it is fine and safe: your default python stays 2.7. Run this to pull in the missing dependency and finish the configuration:
# apt-get -f install
...
# python --version
Python 2.7.9
Create a new action in /etc/fail2ban/action.d/iptables-ipset-proto4-allports.conf. It is the stock iptables-ipset-proto4.conf with the port match removed from the iptables rule, so the set blocks every port:
# Fail2Ban configuration file
# Original: iptables-ipset-proto4.conf (Author: Daniel Black)
# Modified: IGAM Muliarsa
#
# Tested on: Debian 8.6
# ipset version: ipset v6.23, protocol version: 6
[INCLUDES]
before = iptables-common.conf
[Definition]
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = ipset --create f2b-<name> iphash
              <iptables> -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -m set --match-set f2b-<name> src -j <blocktype>
             ipset --flush f2b-<name>
             ipset --destroy f2b-<name>
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = ipset --test f2b-<name> <ip> ||  ipset --add f2b-<name> <ip>
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
[Init]
Then enable the jails in /etc/fail2ban/jail.conf (better: put the overrides in jail.local, which survives package upgrades) and switch their actions to the ipset ones:
...
# consider low maxretry and a long bantime
bantime  = 600
...
maxretry = 5
...
[sshd]

port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter = sshd
action = iptables-ipset-proto4[name=sshd]
...
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter = sshd-ddos
action = iptables-ipset-proto4[name=sshd-dos]
...
[proftpd]
port     = ftp,ftp-data,ftps,ftps-data
logpath  = %(proftpd_log)s
backend  = %(proftpd_backend)s
enabled = true
filter = proftpd
action = iptables-ipset-proto4-allports[name=proftpd]
...
[postfix]

port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
enabled = true
filter = postfix
action = iptables-ipset-proto4[name=postfix, port="25,465,993,995,143,110"]
...
[postfix-sasl]

port     = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
enabled = true
filter = postfix-sasl
action = iptables-ipset-proto4[name=postfix-sasl, port="25,465,993,995,143,110"]
...
[dovecot]

port    = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
enabled = true
filter = dovecot
action = iptables-ipset-proto4[name=dovecot, port="25,465,993,995,143,110"]
...

Note: the name= parameter of iptables-ipset-proto4[] must be set (it names the ipset, f2b-<name>), otherwise the action does not work properly. Also, the [sshd-ddos] jail must use the sshd-ddos filter, not sshd; with filter = sshd it would just duplicate the [sshd] jail.
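The same jails expressed as a jail.local, added here as an example rather than the post's own configuration. It assumes fail2ban 0.9.x as installed above and the iptables-ipset-proto4-allports action file created above; setting banaction in [DEFAULT] lets fail2ban fill in name= and port= for every jail, which is what the note about name= is really about.

```ini
# /etc/fail2ban/jail.local  (added example, not the post's own file)
# Assumes fail2ban 0.9.x as installed above. jail.conf is overwritten on
# package upgrade, so local overrides belong here. In 0.9.x the default
# "action = %(action_)s" expands to %(banaction)s[name=%(__name__)s, port=%(port)s, ...],
# so choosing the ipset action once in [DEFAULT] gives every jail its own
# named set without repeating name= per jail.
[DEFAULT]
ignoreip  = 127.0.0.1/8
bantime   = 600
findtime  = 600
maxretry  = 5
banaction = iptables-ipset-proto4

[sshd]
enabled = true

[sshd-ddos]
enabled = true
# "filter" is left unset on purpose: it defaults to the jail name, so the
# sshd-ddos filter is used, which matches connection-level noise such as
# "Did not receive identification string from <HOST>" rather than password
# failures. Setting filter = sshd here would duplicate the [sshd] jail.

[proftpd]
enabled = true
# the all-ports variant created above; name= is still filled in explicitly
# because this line replaces the default action string
action  = iptables-ipset-proto4-allports[name=proftpd]

[postfix]
enabled = true

[postfix-sasl]
enabled = true

[dovecot]
enabled = true
```

After editing, `fail2ban-client -d` prints the fully expanded configuration, which is the quickest way to confirm that each jail ended up with the action and set name you expect before restarting the service.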
Then restart fail2ban:
# /etc/init.d/fail2ban restart
...
# /etc/init.d/fail2ban status
● fail2ban.service - Fail2Ban Service
   Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled)
   Active: active (running) since Thu 2016-10-06 12:10:29 WIB; 4min 24s ago
     Docs: man:fail2ban(1)
  Process: 24350 ExecStop=/usr/bin/fail2ban-client stop (code=exited, status=0/SUCCESS)
  Process: 24358 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=0/SUCCESS)
 Main PID: 24361 (fail2ban-server)
   CGroup: /system.slice/fail2ban.service
           └─24361 /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail...

Oct 06 12:10:29 mars fail2ban-client[24358]: 2016-10-06 12:10:29,293 fail2ba...5
Oct 06 12:10:29 mars fail2ban-client[24358]: 2016-10-06 12:10:29,294 fail2ba...e
Oct 06 12:10:29 mars systemd[1]: Started Fail2Ban Service.
Hint: Some lines were ellipsized, use -l to show in full.
You can enable jails for other services (apache, ftp, etc.) the same way.
If you need the latest fail2ban, download and install it from source at https://github.com/fail2ban/fail2ban and configure its service unit by hand.
I have added some regex filters here if you want to use them.
