Showing posts with label internet security.

Sunday, February 7, 2021

Fedora 33 : Running Zeek - part 001.

Zeek is often used as a network analysis tool, but it can also be deployed as an intrusion detection system (IDS): it turns live traffic into structured logs and raises notices on what it sees.
The full documentation can be found on the project's website.
Let's install this tool on Fedora 33. It is not in the Fedora repositories, so we add the openSUSE Build Service security:zeek repository; dnf will ask to import that repository's signing key on the first install, so check it before accepting.
[root@desk mythcat]# dnf search zeek
Last metadata expiration check: 0:18:02 ago on Sun 07 Feb 2021 11:21:35 AM EET.
No matches found.
[root@desk mythcat]# dnf config-manager --add-repo https://download.opensuse.org/repositories/security:zeek/Fedora_33/security:zeek.repo
Adding repo from: https://download.opensuse.org/repositories/security:zeek/Fedora_33/security:zeek.repo
[root@desk mythcat]# dnf install zeek
The Zeek Network Security Monitor. (Fedora_33)  105 kB/s | 128 kB     00:01    
Last metadata expiration check: 0:00:01 ago on Sun 07 Feb 2021 11:40:31 AM EET.
...
  Verifying        : zeekctl-3.2.3-1.1.x86_64                               8/8 

Installed:
  libbroker-devel-3.2.3-1.1.x86_64       libpcap-devel-14:1.9.1-6.fc33.x86_64  
  openssl-devel-1:1.1.1i-1.fc33.x86_64   zeek-3.2.3-1.1.x86_64                 
  zeek-core-3.2.3-1.1.x86_64             zeek-devel-3.2.3-1.1.x86_64           
  zeek-libcaf-devel-3.2.3-1.1.x86_64     zeekctl-3.2.3-1.1.x86_64              

Complete!
[root@desk mythcat]# whereis zeek
zeek: /opt/zeek/bin/zeek
[root@desk mythcat]# whereis zeekctl
zeekctl: /opt/zeek/bin/zeekctl
I found this information in the documentation:
ZeekControl is an interactive shell for easily operating/managing Zeek installations on a single system or even across multiple systems in a traffic-monitoring cluster.
A Minimal Starting Configuration
These are the basic configuration changes to make for a minimal ZeekControl installation that will manage a single Zeek instance on the localhost:
  • In $PREFIX/etc/node.cfg, set the right interface to monitor.
  • In $PREFIX/etc/networks.cfg, comment out the default settings and add the networks that Zeek will consider local to the monitored environment.
  • In $PREFIX/etc/zeekctl.cfg, change the MailTo email address to a desired recipient and the LogRotationInterval to a desired log archival frequency.
The next step is to put the Zeek binaries on your PATH (the export below lasts only for the current shell; add it to your profile to keep it):
[root@desk mythcat]# export PATH=/opt/zeek/bin:$PATH
[root@desk mythcat]# zeekctl

Welcome to ZeekControl 2.2.0

Type "help" for help.
...
Inside the zeekctl shell, run install, start and diag, in that order, to check that Zeek works.
If diag shows this error, the interface named in node.cfg does not exist on your machine, and you need to set the right one:
==== stderr.log
fatal error: problem with interface eth0 (pcap_error: SIOCGIFHWADDR: No such device (pcap_activate))
Let's fix this error in the configuration file:
[root@desk mythcat]# updatedb
[root@desk mythcat]# locate node.cfg
/opt/zeek/etc/node.cfg
[root@desk mythcat]# vi /opt/zeek/etc/node.cfg
I changed the interface= row to my network interface.
You can find your interface name with these commands:
[root@desk mythcat]# ip link show
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
...
[root@desk mythcat]# nmcli device status
DEVICE  TYPE      STATE                   CONNECTION 
...
Now I can run zeekctl again and check that everything is fine.
The first issue reported by diag is this:
1612693272.168741 Reporter::WARNING Your interface is likely receiving invalid TCP and UDP checksums, most likely from NIC checksum offloading. By default, packets with invalid checksums are discarded by Zeek unless using the -C command-line option or toggling the 'ignore_checksums' variable. Alternatively, disable checksum offloading by the network adapter to ensure Zeek analyzes the actual checksums that are transmitted. /opt/zeek/share/zeek/base/misc/find-checksum-offloading.zeek, line 54
As this shows, Zeek reports useful diagnostics about the capture itself. Either start Zeek with -C so that it keeps packets with bad checksums, or disable checksum offloading on the adapter so that Zeek sees the checksums that were actually transmitted; otherwise the affected packets, typically those sent by the monitoring host itself, are discarded before analysis and never reach the logs.
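The minimal configuration quoted from the documentation and the checksum warning above, as an added example (this is not code from the post or from the Zeek project): the functions print the node.cfg and networks.cfg contents for one standalone node, the zeekctl.cfg lines the post changes, and check a diag log for the offloading warning. The interface name, prefixes and mail address are placeholders, and ZeekArgs is assumed to be the zeekctl.cfg option for extra Zeek command-line arguments; confirm option names with zeekctl's config command.

```shell
# Added example (not from the post or the Zeek project): render the files the
# ZeekControl "minimal starting configuration" asks for, plus a check for the
# checksum-offloading warning seen in diag output. Interface, prefixes and the
# mail address are placeholders; ZeekArgs is assumed to be the zeekctl.cfg
# option for extra Zeek command-line arguments.

# render_node_cfg IFACE -> node.cfg for one standalone Zeek instance on IFACE
render_node_cfg() {
    iface="$1"
    [ -n "$iface" ] || { echo "usage: render_node_cfg IFACE" >&2; return 2; }
    printf '[zeek]\ntype=standalone\nhost=localhost\ninterface=%s\n' "$iface"
}

# render_networks_cfg PREFIX... -> networks.cfg; each line is "prefix description"
# (loose check: a prefix only has to contain a slash)
render_networks_cfg() {
    [ "$#" -gt 0 ] || { echo "usage: render_networks_cfg PREFIX..." >&2; return 2; }
    for cidr in "$@"; do
        case "$cidr" in
            */*) printf '%s\tlocal network\n' "$cidr" ;;
            *)   echo "not a CIDR prefix: $cidr" >&2; return 2 ;;
        esac
    done
}

# render_zeekctl_cfg MAILTO SECONDS [IGNORE_CHECKSUMS]
# Prints the two options the post changes; with IGNORE_CHECKSUMS=1 it also
# passes -C to Zeek, the option the Reporter warning names for NIC offloading.
render_zeekctl_cfg() {
    mailto="$1"; interval="$2"; ignore="${3:-0}"
    printf 'MailTo = %s\nLogRotationInterval = %s\n' "$mailto" "$interval"
    if [ "$ignore" = 1 ]; then
        printf 'ZeekArgs = -C\n'
    fi
}

# has_offload_warning LOGFILE -> 0 when the find-checksum-offloading warning is in LOGFILE
has_offload_warning() {
    grep -q 'invalid TCP and UDP checksums' "$1"
}

# Stand-alone demo: print the three renderings for a made-up interface.
if [ "${1:-}" = demo ]; then
    render_node_cfg enp3s0
    render_networks_cfg 10.0.0.0/8 192.168.0.0/16
    render_zeekctl_cfg root@localhost 3600 1
fi
```

Redirect the first two renderings into /opt/zeek/etc/node.cfg and networks.cfg; for zeekctl.cfg merge the printed lines into the existing file rather than replacing it, then run install and restart in zeekctl so the change reaches the running node. The -C route keeps packets with bad checksums; the alternative the warning mentions is to turn off checksum offloading on the adapter (ethtool -K IFACE rx off tx off) so the captured checksums are the real ones.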

Friday, January 24, 2020

Fedora 31 : The twa web auditor tool.

The tool describes itself as "a tiny web auditor with strong opinions".
twa takes one domain at a time and depends on bash 4, curl, dig, jq and nc, plus the usual POSIX utilities.
The project lives in a GitHub repository, but on Fedora 31 it installs directly from the distribution repositories:
[root@desk mythcat]# dnf install twa.noarch 
Last metadata expiration check: 0:06:08 ago on Fri 24 Jan 2020 01:57:53 PM EET.
Dependencies resolved.
================================================================================
 Package       Architecture     Version                  Repository        Size
================================================================================
Installing:
 twa           noarch           1.8.0-3.fc31             fedora            18 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 18 k
Installed size: 30 k
Is this ok [y/N]: y
Downloading Packages:
twa-1.8.0-3.fc31.noarch.rpm                      10 kB/s |  18 kB     00:01    
--------------------------------------------------------------------------------
Total                                           6.7 kB/s |  18 kB     00:02     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Installing       : twa-1.8.0-3.fc31.noarch                                1/1 
  Running scriptlet: twa-1.8.0-3.fc31.noarch                                1/1 
  Verifying        : twa-1.8.0-3.fc31.noarch                                1/1 

Installed:
  twa-1.8.0-3.fc31.noarch                                                       

Complete!
Let's look at what the tool reports for google.com (the run below was interrupted with Ctrl-C before it finished):
[mythcat@desk ~]$ twa google.com
FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
FAIL(google.com): TWA-0209: X-Content-Type-Options missing
FAIL(google.com): TWA-0210: X-XSS-Protection is '0'; XSS filtering disabled
FAIL(google.com): TWA-0214: Referrer-Policy missing
FAIL(google.com): TWA-0219: Content-Security-Policy missing
FAIL(google.com): TWA-0220: Feature-Policy missing
PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
PASS(google.com): Site doesn't send 'X-Powered-By'
PASS(google.com): Site doesn't send 'Via'
PASS(google.com): Site doesn't send 'X-AspNet-Version'
PASS(google.com): Site doesn't send 'X-AspNetMvc-Version'
PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
PASS(google.com): No SCM repository at: http://google.com/.hg/store/00manifest.i
PASS(google.com): No SCM repository at: http://google.com/.svn/entries
PASS(google.com): No environment file at: http://google.com/.env
PASS(google.com): No environment file at: http://google.com/.dockerenv
PASS(google.com): No config file at: http://google.com/config.xml
PASS(google.com): No config file at: http://google.com/config.json
PASS(google.com): No config file at: http://google.com/config.yaml
PASS(google.com): No config file at: http://google.com/config.yml
PASS(google.com): No config file at: http://google.com/config.ini
^C
Each output line has the form TYPE(domain): explanation, where TYPE is one of PASS, MEH, FAIL, UNK, SKIP and FATAL:
PASS: The test passed with flying color.
MEH: The test passed, but with one or more things that could be improved.
FAIL: The test failed and should be fixed.
UNK: The server gave us something we didn't understand.
SKIP: The server gave us something we understood, but that we don't handle yet.
FATAL: A really important test failed, and should be fixed immediately.
Another feature is scoring, done by piping the output through the bundled tscore filter.
Its output is the overall score followed by six counts: npasses nmehs nfailures nunknowns nskips totally_screwed (the last one is the FATAL count).
Let's see one example:
[mythcat@desk ~]$ twa google.com | tscore
20 37 2 7 0 0 0
The tool can also be run from an Alpine-based Docker container.
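The output format and the tscore tally described above, as an added example (this is not twa's own code): the functions parse twa's "TYPE(domain): message" lines, count them per result type, list the TWA codes behind one type, and turn the tally into an exit status that a CI job can act on. The sample lines are a constructed subset of the google.com run above; the gate policy (FAIL fails the job, FATAL fails it harder) is an assumption.

```shell
# Added example (not twa's own code): parse twa's "TYPE(domain): message"
# lines, tally them per type the way tscore does, list the TWA codes behind
# one type, and turn the tally into an exit status for a CI job. The sample
# lines are copied from the google.com run; the gate policy is an assumption.

# twa_counts < OUTPUT -> "npass nmeh nfail nunk nskip nfatal"
twa_counts() {
    awk '
        match($0, /^(PASS|MEH|FAIL|UNK|SKIP|FATAL)\(/) {
            c[substr($0, 1, RLENGTH - 1)]++
        }
        END {
            printf "%d %d %d %d %d %d\n",
                c["PASS"], c["MEH"], c["FAIL"], c["UNK"], c["SKIP"], c["FATAL"]
        }'
}

# twa_codes TYPE < OUTPUT -> the TWA-NNNN code of every line of that TYPE
# (lines without a code, such as the header checks that PASS, print nothing)
twa_codes() {
    sed -n "s/^$1([^)]*): \(TWA-[0-9]*\):.*/\1/p"
}

# twa_gate < OUTPUT -> 0 when clean, 1 on any FAIL, 2 on any FATAL
twa_gate() {
    set -- $(twa_counts)
    if [ "$6" -gt 0 ]; then return 2; fi
    if [ "$3" -gt 0 ]; then return 1; fi
    return 0
}

# sample_output -> constructed input: a subset of the google.com lines above
sample_output() {
    cat <<'EOF'
FAIL(google.com): TWA-0102: HTTP redirects to HTTP (not secure)
FAIL(google.com): TWA-0205: Strict-Transport-Security missing
MEH(google.com): TWA-0206: X-Frame-Options is 'sameorigin', consider 'deny'
FAIL(google.com): TWA-0219: Content-Security-Policy missing
PASS(google.com): Site sends 'Server', but probably only a vendor ID: gws
PASS(google.com): Site doesn't send 'X-Powered-By'
PASS(google.com): No SCM repository at: http://google.com/.git/HEAD
EOF
}

# Stand-alone demo: prints "3 1 3 0 0 0", the FAIL codes, then exits with 1.
if [ "${1:-}" = demo ]; then
    sample_output | twa_counts
    sample_output | twa_codes FAIL
    sample_output | twa_gate
fi
```

In a pipeline such as twa example.com | twa_gate the exit status becomes the job result, and twa_codes FAIL gives the list of checks to fix without the free-text explanations.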

Thursday, August 22, 2019

Fedora 30 : Set up the Linux Malware Detect.

If SELinux reports a denial for the monitor, the audit log shows what was blocked and audit2allow can turn those entries into a local policy module. Review the generated my-systemd.te before loading it: audit2allow allows exactly what was denied, whether or not that access should be permitted:
[mythcat@desk ~]$ su
Password: 
[root@desk mythcat]# ausearch -c 'systemd' --raw | audit2allow -M my-systemd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-systemd.pp

[root@desk mythcat]# semodule -X 300 -i my-systemd.pp
The monitor can be run in one of three modes, USERS, PATHS or FILE, which select what is watched with inotify.
The options break down as follows:
  • USERS: monitor the home directories of all system users whose UID is above inotify_minuid; if inotify_webdir is set, only that web directory inside each home, if it exists, is monitored;
  • PATHS: a comma-separated list of paths to monitor;
  • FILE: a file containing one path per line to monitor.
$ maldet --monitor users
$ maldet --monitor /root/initial-setup-ks.cfg
$ maldet --monitor /home/mythcat
Let's test the USERS option:
[mythcat@desk maldetect-1.6.4]$ maldet --monitor users
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(7958): {mon} could not find inotifywait command, install yum package inotify-tools or 
download from https://github.com/rvoicilas/inotify-tools/wiki/


[root@desk maldetect-1.6.4]# dnf search inotify-tools
Last metadata expiration check: 0:01:39 ago on Wed 21 Aug 2019 11:09:22 PM EEST.
============================================ Name Exactly Matched: inotify-tools ======
inotify-tools.i686 : Command line utilities for inotify
inotify-tools.x86_64 : Command line utilities for inotify
================================================ Name Matched: inotify-tools ======
inotify-tools-devel.i686 : Headers and libraries for building apps that use libinotifytools
inotify-tools-devel.x86_64 : Headers and libraries for building apps that use libinotifytools
[root@desk maldetect-1.6.4]# dnf install inotify-tools.x86_64
...
Installed:
  inotify-tools-3.14-16.fc30.x86_64                                                                                          

Complete!
[root@desk maldetect-1.6.4]# maldet --monitor users
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(973): {mon} set inotify max_user_watches to 16384
maldet(973): {mon} added /dev/shm to inotify monitoring array
maldet(973): {mon} added /var/tmp to inotify monitoring array
maldet(973): {mon} added /tmp to inotify monitoring array
maldet(973): {mon} starting inotify process on 3 paths, this might take awhile...
maldet(973): {mon} inotify startup successful (pid: 1800)
maldet(973): {mon} inotify monitoring log: /usr/local/maldetect/logs/inotify_log

Wednesday, August 21, 2019

Fedora 30 : Testing the Linux Malware Detect.

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, that is designed around the threats faced in shared hosted environments.
This tool is provided by R-fx Networks.
Let's install and test it. The archive is fetched over plain HTTP and install.sh then runs as root, so verify what you downloaded before running it:
[mythcat@desk ~]$ wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
[mythcat@desk ~]$ tar -xf maldetect-current.tar.gz 
[mythcat@desk ~]$ cd maldetect-1.6.4/
[mythcat@desk maldetect-1.6.4]$ su
Password: 
[root@desk maldetect-1.6.4]# ./install.sh
Failed to enable unit: Unit file maldet.service does not exist.
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks <proj@r-fx.org>
            (C) 2019, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL

installation completed to /usr/local/maldetect
config file: /usr/local/maldetect/conf.maldet
exec file: /usr/local/maldetect/maldet
exec link: /usr/local/sbin/maldet
exec link: /usr/local/sbin/lmd
cron.daily: /etc/cron.daily/maldet
maldet(31046): {sigup} performing signature update check...
maldet(31046): {sigup} local signature set is version 201907043616
maldet(31046): {sigup} new signature set 2019081912001 available
maldet(31046): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-sigpack.tgz
maldet(31046): {sigup} downloading https://cdn.rfxn.com/downloads/maldet-cleanv2.tgz
maldet(31046): {sigup} verified md5sum of maldet-sigpack.tgz
maldet(31046): {sigup} unpacked and installed maldet-sigpack.tgz
maldet(31046): {sigup} verified md5sum of maldet-clean.tgz
maldet(31046): {sigup} unpacked and installed maldet-clean.tgz
maldet(31046): {sigup} signature set update completed
maldet(31046): {sigup} 15552 signatures (12740 MD5 | 2035 HEX | 777 YARA | 0 USER)
[root@desk maldetect-1.6.4]# vim /usr/local/maldetect/conf.maldet
Set scan_user_access=1 so that non-root users are allowed to run scans (the run below is as the user mythcat).
Now you can run it:
[mythcat@desk ~]$ /usr/local/sbin/maldet -a 
Linux Malware Detect v1.6.4
            (C) 2002-2019, R-fx Networks 
            (C) 2019, Ryan MacDonald 
This program may be freely redistributed under the terms of the GNU GPL v2

maldet(32628): {scan} signatures loaded: 15552 (12740 MD5 | 2035 HEX | 777 YARA | 0 USER)
maldet(32628): {scan} building file list for , this might take awhile...
maldet(32628): {scan} setting nice scheduler priorities for all operations: cpunice 19 , ionice 6
maldet(32628): {scan} file list completed in 13s, found 44109 files...
maldet(32628): {scan} scan of  (44109 files) in progress...

Wednesday, August 14, 2019

Fedora 30 : First steps with Fedora firewall.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.[1] A firewall typically establishes a barrier between a trusted internal network and an untrusted external network, such as the Internet.[2] (from Wikipedia). In this short tutorial about the Fedora firewall, I will show you how to use firewall-cmd to configure it. The installation is simple with dnf:
[root@desk mythcat]# dnf install firewalld firewall-config 
Let's start with the status of your firewall:
[root@desk mythcat]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
...
You can start, restart or stop it with systemctl:

[root@desk mythcat]# systemctl start firewalld
[root@desk mythcat]# systemctl restart firewalld
[root@desk mythcat]# systemctl stop firewalld
Let's see active zones:
[root@desk mythcat]# firewall-cmd --get-active-zones
We can see everything configured for the public zone with:
[root@desk mythcat]# firewall-cmd --zone=public --list-all
We can list the opened ports of the public zone:
[root@desk mythcat]# firewall-cmd --zone=public --list-ports 
These commands add and remove ports. With --permanent the change is written to the saved configuration but is not applied to the running firewall until firewall-cmd --reload; without --permanent it takes effect immediately but is lost at the next reload or reboot:
[root@desk mythcat]# firewall-cmd --permanent --zone=public --add-port=80/tcp
[root@desk mythcat]# firewall-cmd --permanent --zone=public --remove-port=80/tcp
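Port changes as they are usually wanted, as an added example (this is not code from the post or from firewalld): each change is applied to both the running firewall and the permanent configuration, the port specification is validated first, and the result is verified with --query-port. Zone and port values are placeholders; the open_port and close_port calls need firewall-cmd on the PATH, firewalld running and root privileges.

```shell
# Added example (not from the post or firewalld): open/close a port so the
# change is live now and survives reload and reboot, after validating the
# port spec and before verifying with --query-port. Zone/port are placeholders.

# valid_port_spec PORT[-PORT]/PROTO -> 0 when firewall-cmd would accept the spec
valid_port_spec() {
    spec="$1"
    case "$spec" in
        */tcp|*/udp|*/sctp|*/dccp) ;;
        *) return 1 ;;
    esac
    range="${spec%/*}"
    lo="${range%-*}"; hi="${range#*-}"      # a single port gives lo == hi
    for p in "$lo" "$hi"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# fw_both ZONE --add-port|--remove-port SPEC -> apply to runtime, then permanent
fw_both() {
    firewall-cmd --zone="$1" "$2=$3" >/dev/null &&
    firewall-cmd --permanent --zone="$1" "$2=$3" >/dev/null
}

# open_port ZONE SPEC -> 0 when the port is open in both configurations
open_port() {
    valid_port_spec "$2" || { echo "bad port spec: $2" >&2; return 2; }
    fw_both "$1" --add-port "$2" &&
    firewall-cmd --zone="$1" --query-port="$2" >/dev/null
}

# close_port ZONE SPEC -> 0 when the port is closed again
close_port() {
    valid_port_spec "$2" || { echo "bad port spec: $2" >&2; return 2; }
    fw_both "$1" --remove-port "$2" &&
    ! firewall-cmd --zone="$1" --query-port="$2" >/dev/null
}

# Stand-alone use (needs root and a running firewalld):
#   open_port public 80/tcp && echo "80/tcp open"
#   close_port public 80/tcp && echo "80/tcp closed"
```

The functions write both configurations instead of calling --reload because a reload replaces the runtime configuration with the permanent one and so drops any runtime-only rule that is still needed.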
Let's see the services firewalld knows about:
[root@desk mythcat]# firewall-cmd --get-services 
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client 
bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine cockpit 
condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm 
dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps 
freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability 
http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos 
kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr 
managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql 
nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole 
plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio
 puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client 
samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid 
ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp 
tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http 
wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent 
zabbix-server
Let's add and remove the service named ftp (runtime only, since --permanent is not given):
[root@desk mythcat]# firewall-cmd --zone=public --add-service=ftp
[root@desk mythcat]# firewall-cmd --zone=public --remove-service=ftp
Let's see the services allowed in the public zone:
[root@desk mythcat]# firewall-cmd --zone=public --list-services
Panic mode drops all incoming and outgoing packets; use it only to cut the machine off in an emergency, and switch it off again afterwards:
[root@desk mythcat]# firewall-cmd --panic-on
[root@desk mythcat]# firewall-cmd --panic-off 
For example, after panic-on a ping fails; you can query the state and then turn panic mode off:
[root@desk mythcat]# ping google.com -c 1
[root@desk mythcat]# firewall-cmd --query-panic
[root@desk mythcat]# firewall-cmd --panic-off
Masquerading is source NAT for traffic leaving a zone. The command below only reports whether it is enabled for the external zone, where it is on by default; --add-masquerade turns it on for a zone that lacks it:
[root@desk mythcat]# firewall-cmd --zone=external --query-masquerade
Another example: forward all connections to TCP port 80 on to the host 6.6.6.6 (forwarding to another host requires masquerading to be enabled in that zone):
[root@desk mythcat]# firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=6.6.6.6
Let's see the ICMP types firewalld knows:
[root@desk mythcat]# firewall-cmd --get-icmptypes
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable 
echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation 
host-prohibited host-redirect host-unknown host-unreachable ip-header-bad 
neighbour-advertisement neighbour-solicitation network-prohibited network-redirect 
network-unknown network-unreachable no-route packet-too-big parameter-problem 
port-unreachable precedence-cutoff protocol-unreachable redirect reject-route 
required-option-missing router-advertisement router-solicitation source-quench 
source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect 
tos-host-unreachable tos-network-redirect tos-network-unreachable 
ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type 
unknown-option
We can use them to block or allow ICMP echo; the commands below query and then add a block for echo-reply in the external zone (blocking echo-request instead stops the host from answering pings):
[root@desk mythcat]# firewall-cmd --zone=external --query-icmp-block=echo-reply
[root@desk mythcat]# firewall-cmd --zone=external --add-icmp-block=echo-reply
[root@desk mythcat]# firewall-cmd --direct --get-rules ipv4 filter IN_public
[root@desk mythcat]# firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 
...
I cannot show you a magic rule because that depends on your network and your software. Direct rules (--direct) pass iptables rule fragments through firewalld; --add-rule needs a priority and a complete rule specification, and is a last resort for what zones, services and ports cannot express. You can see all of this in a graphical interface with:
[root@desk mythcat]# firewall-config
This will give a good image of your firewall settings.

Friday, July 14, 2017

News: Send files on WhatsApp.

The WhatsApp software lets users share multimedia content, but you could not send arbitrary files directly to other users.
If you wanted to send unsupported file formats like .apk or .zip, you had to rename the file to a supported file format.
For example, if you wanted to send the apk of your favorite app, you would rename it so that it ends with .txt. I tested it with the Whatsapp™ For PC extension from Opera add-ons and it works great.
I sent a document file (.doc) of about 5 MB without any interruption of the connection, and the transfer to the application was fluid.

Note:

You also need to know that there is a limit of 100 MB per attachment.
Executable files are not allowed (for example .exe and .dll).
Meanwhile, the messaging app Telegram is still leading the pack when it comes to file size limits: it has supported 1.5 GB files since its launch.

Thursday, March 9, 2017

News: WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency.

This is older news: WikiLeaks has started a new series of leaks on the U.S. Central Intelligence Agency.
For me it is another way of showing bugs to people.
The article can be found here.
Some software comes with new updates to fix bugs, like Notepad++; see the article Notepad++ 7.3.3 update fix.

Monday, September 12, 2016

Linux with a irc trojan.

According to this article, written on Sep 9, 2016 08:40 GMT, Linux is the target of another trojan.
The new trojan, coded in Rust, gathers information about the local system and sends it to its C&C server.
Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety.
Its syntax is close to that of C and C++; the memory-safety guarantees come from its ownership model rather than from a runtime.
Security researchers had already found Linux malware written in languages such as Go (Rex) and Lua (LuaBot), but most of it is written in C or C++ (Mirai).
The trojan integrates the "irc" Rust library by Aaron Weiss in order to communicate over the IRC protocol with a public IRC channel.
Named Linux.BackDoor.Irc.16, it was designed to be a cross-platform trojan.
The trojan was recently discovered by Dr.Web, a Russian antivirus maker, which published an article about it on its blog.

Tuesday, February 9, 2016

Google celebrate Safer Internet Day 2016 with one great gift.

All you have to do is complete the Security Checkup on your Google account.
After that you will see this message: To help celebrate Safer Internet Day 2016, we added 2 GB of free Drive storage to your Google account because you completed the Security Checkup.

Monday, January 4, 2016

News: OpenBSD and Nightly Mozilla Firefox security.

W^X ("Write XOR Execute"; spoken as W xor X[1]) is the name of a security feature present in the OpenBSD operating system. It is a memory protection policy whereby every page in a process' address space is either writable or executable, but not both simultaneously. (from Wikipedia)

The new Firefox Nightly ships with the W^X security feature enabled for its JIT code.
It will reach the other versions of the browser once they are upgraded to version 46.
With W^X, every page of Just-in-Time (JIT) compiled code in the browser is mapped either writable or executable, never both.
When the JIT needs to write to a page, it has to call a function that explicitly makes the page writable, which removes the execute flag at the same time, and re-protect the page afterwards. The good thing is that the compiler keeps its ability to patch code in place, with the page-permission toggles adding little performance overhead.

Tuesday, December 29, 2015

Nemesis Bootkit Malware: the new stealthy payment card stealer.

After reading many articles, this is what I gathered about the Nemesis bootkit malware:
 - suspected to originate from Russia;
 - infects PCs by loading before Windows starts;
 - can modify the legitimate volume boot record;
 - resembles another Windows rootkit named Alureon;
 - intercepts several system interrupts to stay in control through the boot process;
 - can steal payment data from anyone, not just from financial institutions and retailers;
 - hides between partitions and is almost impossible to remove;

I think about whether the antivirus and internet security solutions can deal with this type of issue.

Take a look at how fast the disk scan works, how the memory traps work, how the boot process works, or maybe try to see how SELinux works.
In my opinion these antivirus and internet security solutions are just not effective in design and heuristic detection.
On top of that, the prices of this software are huge compared with doing nothing at all.

Maybe in the future we will see a mega malware which jumps from the first boot into any operating system, because the hardware is ever more complex and fast.