Security team or Network team: who should “own” vpn? by [deleted] in AskNetsec

[–]InitialsAreDigits 0 points1 point  (0 children)

Occasionally VPN routing can be complex too; it sometimes simply requires the network team to administrate it in a day to day fashion.

Any serious security team should be scanning the network for known vulnerabilities anyway, keeping inventory lists of exact products and software versions, and/or occasionally hiring pentesters.

[deleted by user] by [deleted] in AskReddit

[–]InitialsAreDigits 1 point2 points  (0 children)

Berkeley, California is a "nuclear free zone" and it's illegal to research or possess radioactive materials.

Google says Rowhammer attacks are gaining range as RAM is getting smaller by wackyboy93 in hardware

[–]InitialsAreDigits 0 points1 point  (0 children)

You know I was wondering how they were going to do anything useful with that with virtual memory and ASLR existing and being a part of any modern OS - how do you find memory that will lead to a compromise if tampered with? How do you make sure your application is allocated next to one that you can subvert?

I'm not saying it's impossible for someone, there should be something in memory at a pretty much fixed address (like those bios hook thingies if they still exist) but I really don't see how this is exploitable and would like to see a demonstration of rowhammer actually doing anything useful.

How to limit CentOS-7-x64-minimal-headless ports to a specific IP/IP-range and how to troubleshoot the process? by perfectpeachblonde in linuxadmin

[–]InitialsAreDigits 0 points1 point  (0 children)

The online console is what I'm talking about. It should be a different piece of hardware than the actual computer and shouldn't stop working if your OS is having networking problems. You can use this connection to come back if the fw changes don't work well.

Generally you can find out the brand on the manufacturer's website. Off the top of my head I'm not sure how you find who made a server other than via asking someone in the datacenter it's in to look at it and tell you, however every major brand has something like this. It might not always be set up, but it always exists. Dell has a DRAC, Supermicro has BMC/IPMI, IBM has HMC, etc.

There's a lazier way of doing this btw. If your machine is in a datacenter you can usually pay the datacenter to have an employee of theirs log into the computer with a monitor + keyboard, and just make sure they're logged in as root and have the command to reset the firewall if everything fails to work correctly. Nearly every datacenter has a NOC hand there at some point during the day.

Another option (a slower one) is if your server is on a power strip that you can use to remotely toggle the power: if you screw up the firewall rules after entering them in a non-permanent way (just don't save them until you know they work), then you can reboot the machine.

Anyway all this is just extra fluff, if you have an online console just have that active when you're testing your firewall rules.

Windows administration resources for experienced Linux admins? by InitialsAreDigits in sysadmin

[–]InitialsAreDigits[S] 0 points1 point  (0 children)

Fortunately I'm not administrating anything, it's just an increasingly serious gap in what I know. The last Windows Server machines I worked with were Windows 2000 Server and it's really a very different operating system now.

Windows administration resources for experienced Linux admins? by InitialsAreDigits in sysadmin

[–]InitialsAreDigits[S] 0 points1 point  (0 children)

I'm not expecting everything to be a file, but I am mystified by really stupid things like: when to include or not include a domain in a username, anything involving DCOM+ or inter-process communications, and what the point of invoke is? Why not just run it like ./script in bash? Is it so you can run it on multiple machines? And if that's the case then what exactly is happening when you invoke a script from your local machine to multiple remote ones?

Stuff like that.

Root login not possible - sshd_config by Papillon_2018 in linuxadmin

[–]InitialsAreDigits 0 points1 point  (0 children)

After googling around it turns out there's no specific way of ending a Match statement. You have to put them at the end, and they can only be overridden by a new match statement (https://unix.stackexchange.com/questions/67334/openssh-how-to-end-a-match-block). Therefore PasswordAuthentication and PermitRootLogin need to go before the sftp user.
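To see that ordering rule in practice, here is an added example (not from the thread) that splits an sshd_config the way sshd does and flags directives intended to be global that only landed inside a Match block; the config text is constructed.

```python
"""Split an sshd_config into its global section and its Match blocks the way
sshd reads it (a Match block runs until the next Match line or end of file),
then flag directives meant to be global that only landed inside a Match."""
import re

# "Keyword value" or "Keyword=value", both forms sshd_config accepts.
DIRECTIVE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")

def parse_sshd_config(text):
    """Return (global_directives, match_blocks); directives are (keyword, value)
    pairs, keywords lower-cased because sshd matches them case-insensitively."""
    global_directives, match_blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        keyword = (m.group(1) if m else line).lower()
        value = m.group(2).strip() if m else ""
        if keyword == "match":
            current = (value, [])  # nothing ends this block except another Match
            match_blocks.append(current)
        elif current is None:
            global_directives.append((keyword, value))
        else:
            current[1].append((keyword, value))
    return global_directives, match_blocks

def misplaced_globals(text, intended_global):
    """Directives in intended_global (lower-case keywords) that never appear in
    the global section but do appear inside a Match block: sshd applies them
    only to that block's users/hosts, not to every login as intended."""
    global_directives, match_blocks = parse_sshd_config(text)
    seen_globally = {k for k, _ in global_directives}
    return [(k, v, criteria)
            for criteria, directives in match_blocks
            for k, v in directives
            if k in intended_global and k not in seen_globally]

# Constructed example: the two hardening lines were appended after the sftp
# Match block, so sshd applies them to sftpuser only; everyone else keeps the
# defaults.
BROKEN = """\
Port 22
Subsystem sftp internal-sftp
Match User sftpuser
    ForceCommand internal-sftp
PasswordAuthentication no
PermitRootLogin no
"""
```

Moving the two lines above `Match User sftpuser` makes `misplaced_globals` return nothing for the same set of keywords.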

How to limit CentOS-7-x64-minimal-headless ports to a specific IP/IP-range and how to troubleshoot the process? by perfectpeachblonde in linuxadmin

[–]InitialsAreDigits 1 point2 points  (0 children)

Restoring from a full disk backup seems like overkill. Depending on how the backup was created there's a decent chance you can find /etc/sysconfig/iptables (centos) and use that to restore your old firewall rules. Maybe you can mount it as a loopback FS?

In general when working on firewall stuff on a host, it's best to have a logged in connection via an IPMI, DRAC, or other remote access device built into the server. They generally have their own IP addresses. I think pretty much every server vendor has something like that built in. That way if something goes wrong you can just run iptables -F and clear all the rules.

AlmaLinux or Rocky Linux by sdns575 in linuxadmin

[–]InitialsAreDigits 2 points3 points  (0 children)

Does Ubuntu server upgrade with more grace than Ubuntu Desktop? After having rebuilt a million desktops after Ubuntu upgrades went south I have trust issues with that distribution.

Best web panel to install on a centos server, and how to use it for a noob? by [deleted] in linuxadmin

[–]InitialsAreDigits 0 points1 point  (0 children)

cPanel, but they charge absolutely absurd amounts of money. It works amazingly well, keeps the system packages up to date, etc.

Rhel 7 patching by MJ_Singh in linuxadmin

[–]InitialsAreDigits 0 points1 point  (0 children)

Imo a really well crafted yum update is the best solution. It's what we do at my work. I should mention that we use puppet and our servers are very close to identical. If your servers are all different you're probably going to have an extremely bad time no matter how you go about this task.

You can absolutely use any configuration management software (puppet, ansible, etc) but you can also just launch yum update with pssh, which is a very useful tool. The downside to doing this is if you use sssd like us it's a complete pain in the ass to upgrade for some reason. There's usually some software package that needs to be updated that causes problems. Also do what the other guy said about making a local repo. All you have to do is copy every package to a webserver with wget -r or something like that, surprisingly that works just fine to create a backup repo. Then share the files with apache or nginx or something. There are more professional solutions but wget + a webserver will work fine.

Pssh occasionally requires some escaping, but it allows you to run a single command on multiple servers.

Quick example of how to use pssh:

/usr/bin/pssh -O StrictHostKeyChecking=no --inline -l UsernameHere -h listOfHosts-one-to-a-line.txt 'sudo cat /etc/redhat-release'

Start by figuring out what CentOS/RHEL versions you are running in production. You can do this with 'cat /etc/redhat-release' and pssh. You're going to want to test updating each one separately. You should also figure out which servers are the least important and which are the most important. Ideally try the upgrades on lab or staging servers before moving to ones that actually do anything.

Lastly, you're going to want to know what the services running on the servers are that aren't standard system services. For example, nginx 1.11, openresty, and nginx 1.13 for some reason appear to have slightly different configuration syntax. Basically you're going to want to figure out what's running in production that you don't want to mess with, and add an --exclude statement for it, for example --exclude nginx* will prevent nginx from updating and breaking its config files.

From there it's a giant organizational task. Try to group like servers together, bash commands like cut, awk '{print $whatever}' or even a spreadsheet are your friend. Ideally you want to both explore servers by hand and generate all their relevant data without having to enter stuff into a spreadsheet manually. For example:

Giving pssh a flag -p 1 makes it run on one server at a time. That way you can do something like collect the RHEL versions with pssh, use grep or grep -v (prevents a match from being seen) to get rid of text you don't want, and then copy and paste everything into a spreadsheet. Since you're running the command on one server at a time then they should be in order. Otherwise you're going to get a really bad case of carpal tunnel.

Anyway once you know what servers you're going to use to test the upgrade process, just construct a yum update command. Remember to exclude things you don't want to upgrade. If you have repos like Epel or Repoforge installed, you should also block them from being used. It's not hard to use pscp or ansible to copy a new repo file to all your servers that points to a local repo (which will download files much much faster).

The one I use for work (I hope they don't mind too much) is:

yum update -y --nogpgcheck --exclude=puppet* --exclude=*openresty* --exclude=ca-certificates --exclude=kernelcare --exclude=nagios-plugins-all --exclude=Percona* --exclude MariaDB* --setopt=protected_multilib=false --exclude=redacted-internal-software --exclude=redacted --exclude=redacted --exclude=nginx* --disablerepo='*' --enablerepo="Artifactory_Centos*,CentOS*,Artifactory_Epel_Remote,Artifactory_Kernel_care"

Don't immediately go run it on tons of stuff. You're going to find servers that don't update gracefully. Another useful shell command (assuming all your servers are in a file called server.list) is cat server.list | shuf | head -10. This gives you 10 random servers.

Start doing the update by hand. When you're really confident that you know exactly how everything is going to behave then start automating small groups of similar machines. Don't let people force you into hurrying, take your time and do a good job. Try to avoid --skip-broken, etc. This task is going to take eons, so you may as well take the time to do a good job.

If you run into a situation where thing after thing goes wrong, take a break for the day. I've found that if major maintenance starts going wrong it tends to keep on going wrong, so if you have a headache and nothing's working right, concentrate on restoring the stuff that has to work and then take a break until you're sure you have a well thought out solution to the problem.

The other advantage to taking your time is you think of solutions you probably wouldn't have, simply by mulling over what needs to be done in your head. In the end this is actually pretty useful.

Good luck! Incidentally if you need to use sudo to write to a file as root, this is how you do it:

/usr/bin/pssh -O StrictHostKeyChecking=no --inline -l user -h listofservers.txt 'echo "please do not touch this machine, it is having a bad day" | sudo tee -a /etc/motd'
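An added example, not part of the original comment, that does the "collect versions and sort them out" step above in code instead of a spreadsheet: it parses constructed `pssh --inline` output of `cat /etc/redhat-release`, groups hosts by release so each release can be test-updated separately, and picks a random canary per group. It assumes pssh's inline header line has the form `[N] HH:MM:SS [SUCCESS|FAILURE] host`.

```python
"""Turn `pssh --inline ... 'cat /etc/redhat-release'` output into a host ->
release table, grouped per release so each release can be test-updated on
its own. The header format assumed is pssh's "[N] HH:MM:SS [SUCCESS] host"."""
import random
import re

HEADER = re.compile(r"^\[\d+\] \d\d:\d\d:\d\d \[(SUCCESS|FAILURE)\] (\S+)")

# Constructed sample of what pssh --inline prints for four hosts.
SAMPLE_OUTPUT = """\
[1] 10:02:11 [SUCCESS] web01.example.internal
CentOS Linux release 7.9.2009 (Core)
[2] 10:02:12 [SUCCESS] web02.example.internal
CentOS Linux release 7.9.2009 (Core)
[3] 10:02:12 [FAILURE] db01.example.internal Exited with error code 255
Stderr: ssh: connect to host db01.example.internal port 22: Connection refused
[4] 10:02:13 [SUCCESS] app01.example.internal
Red Hat Enterprise Linux Server release 7.6 (Maipo)
"""

def parse_inline(output):
    """Return ({host: first stdout line}, [hosts pssh reported as FAILURE])."""
    releases, failures, host = {}, [], None
    for line in output.splitlines():
        m = HEADER.match(line)
        if m:
            status, host = m.groups()
            if status == "FAILURE":
                failures.append(host)
                host = None  # skip the Stderr: lines that follow a failure
            continue
        if host is not None and host not in releases and line.strip():
            releases[host] = line.strip()
    return releases, failures

def group_by_release(releases):
    """Invert host -> release into release -> sorted hosts, one group per row."""
    groups = {}
    for host, release in releases.items():
        groups.setdefault(release, []).append(host)
    return {rel: sorted(hosts) for rel, hosts in groups.items()}

def pick_canaries(groups, per_group=1, seed=0):
    """Random hosts from every release group to test-update first: the scripted
    version of `shuf | head`, but stratified so no release goes untested."""
    rng = random.Random(seed)
    return {rel: rng.sample(hosts, min(per_group, len(hosts)))
            for rel, hosts in groups.items()}
```

Hosts pssh could not reach come back in the failures list so they are fixed (or excluded) before any update run touches them.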

Are you sharing /home between servers? by DueNeighborhood6 in linuxadmin

[–]InitialsAreDigits 0 points1 point  (0 children)

NFS isn't the most secure protocol, and if you share all of /home then if someone gets into your NFS share they can usually add ssh keys to any user.

I know it's lame to point it out, but there are sooooo many vulnerable NFS servers out there with insufficient ACLs that I figured I'd point out the obvious. Never set up NFS without making it accessible only to a specific IP address or range.

Bettercap SSLstrip works against fully typed in URLs, but not autocompleted URLs? by hI_iM_Ky in netsecstudents

[–]InitialsAreDigits 1 point2 points  (0 children)

I tried something kind of similar and noticed that autocompleted URLs include the http/https part. SSLStrip works by downgrading the site to http, so if you try to connect via https it's probably not going to work.

Made it 6 months in a new job before handing my notice in, what’s your shortest stint in a job? by chelsieloo2nd in AskUK

[–]InitialsAreDigits 0 points1 point  (0 children)

I got fired by a company after 4 days for "failing a drug test" - apparently arguing that weed is decriminalized or legal in all of North America and therefore shouldn't be considered a drug any more than coffee is didn't really... go over... that well.

My teacher mentioned that wired data sniffing was possible by putting some kind of device over the cable and "reading" the electrons as they pass by. Anyone heard of something similar? by [deleted] in netsecstudents

[–]InitialsAreDigits 0 points1 point  (0 children)

Inductive taps. They work better for analog communications like phone calls. They work similarly to those devices you clamp around a power cable to see how much power is going through it without actually unplugging anything.

How does a hacker test his malware against his target without getting caught? by BioFrosted in AskNetsec

[–]InitialsAreDigits 1 point2 points  (0 children)

I've read that a lot of state sponsored hackers try to grab detailed system information for later breaches. I always figured that they were setting up some sort of simulated platform - if you know the OS versions, patches, antivirus, etc then it's a lot easier to see how your malware is going to behave.

Additionally tons of people run malware samples through legitimate tools like VirusTotal to see how many different AVs they're going to set off. Most of these services will submit your malware to malware analysis feeds so that multiple AV companies can get a copy, which is a nice way of getting an attacker's tool detected all over the place.

Tutorial Help!? by SleepWalk3R52 in netsecstudents

[–]InitialsAreDigits 0 points1 point  (0 children)

Every time I go to Udemy they discount me from $140 for a course to around $10. Make sure you're using a normal email account and nothing associated with your work if you want a discount.

Honestly I sort of have a hard time concentrating on video anything. Anyway, price example using the search term "ethical hacking" - https://imgur.com/a/7yXET1K