#cybersecurity
As well as bcrypt and scrypt
Also argon2
Guess who found an RCE on a Genesis Student Portal haha. Sadly I have no idea what reporting bugs on their servers is like. Not risking reporting it.
nice
@lament frost i got into trouble for reporting an XSS and RCE I found on Moodle to the uni
they weren't the brightest bulbs in the box
@lament frost I found an XSS years ago and rather than fixing it, they just banned my user when I let them know about it through the proper channels. ¯\_(ツ)_/¯
They banned you? (-_-)
How to begin with security-focused Python?
huh?
you could try reporting anonymously from like some burner email at a library via a vpn lol
@lament frost
That could work but it seems like they don't care about the vulnerability, so no point in doing that.
@reef onyx It depends on what particular field of security you're picking up. For example, if you want to go with reverse engineering, there's a book, Gray Hat Python. It's a bit outdated, but you can get the idea of the work.
@sick hawk I actually did something similar to that previously on a smaller company. Reported it in the correct way, through the correct channel they were viewing it through. They just fixed the bug and banned my acc 
Gracias @upbeat palm
@reef onyx Good luck :)
:)
hey guys
event from subreddit https://reddit.com/r/SecurityRedTeam started
it's called operation icarus
if you want to participate in this cool CTF with a lot of sites and fake personalities and companies, be sure to check it out
@drifting igloo That /r/ looks pretty dead
@thorn obsidian mostly because their ads are being deleted
but they did run the event
and it seems pretty nice and well designed so far
their ads?
@thorn obsidian they were posting link for their subreddit on other pentesting themed subreddits
but it didn't go well
Sounds like spam
I have a shitty and dumb question. I got a connection request from a random IP in Sofia, Bulgaria, that showed up in my console; its port was 1204.
I shut down the server immediately the moment I saw it and I have anxiety kicking in.
5.188.206.18:1204, and the port on the server it was trying to connect to is 7777. What is the significance of port 1204, and what program or potential programs could it be?
@tender vine
Well, I already searched that up, but I still don't know what "log listener" means. I'm a fool.
log listener probably means that it's some service that writes your logs
do you have anything that produce logs of your web server's work?
kinda like that
no log
have no idea what it can be then
I just need to know, am I safe still keeping the server up?
i guess? i don't think that they can hack you by going into an unused port
again, I'm a complete fool when it comes to anything networking. I have no idea what vulnerabilities I have running a server with a firewall and everyday security running.
you can use netstat -l to get a list of listening applications on your server
I was talking to my friend and we found this out
The ip is a bruteforcer and portscanner
it tried to connect to port 7777 and couldnt do anything else i hope
I may be misinterpreting everything, or maybe I'm getting some stuff correct.
I need clarification badly since I know nothing about networking.
How do you know you got a connection request? What exactly did it say?
my console said
5.188.206.18:1204 Connecting...
then an exception error occurred at the bottom
What's the exception, and what console?
I need to have it connect again; the logs clear every time I close the console.
What is the console?
hdy
@tender vine Well, couple questions. First - what's your firewall look like and how did you detect this IP?
Second, what do you run on this server?
Third, Why do you believe this IP is malicious if you have no log files? ( and how did you detect it if you don't have log files? )
The issue was resolved by bast earlier, https://www.abuseipdb.com/check/5.188.206.18 this is why I knew it could be harmful.
thank you though
I think Cloud Security Engineers will take over the world
@tender vine Looks like brute force attacks and port scans. Which isn't that big of a deal if you have defenses against brute forcing. You can't really stop port scanning.
@thorn obsidian couldn't you leave a port or two open with garbage data on them say pictures of toast
Sounds like a complete waste of time
How many legitimate people would find it? Roughly zero.
not "legitimate people" port scanners
Most port scanners are sketchy
and definitely in need of some toast.png data
also what makes a port scan not sketchy
A normal person wouldn't need to scan ports to begin with
@thorn obsidian, a normal person never does, yes, but why is security necessary? It's not for those people, is it? Now the question is: if encrypted images of toast were bounced on arbitrary ports, could an attack be delayed or detected if, say, a person happened to have an excess of toast images in their network (excess is unused network space)?
but why is security necessary? it's not for those people; is it? - Elaborate?
the context is that normal people never encounter port x. An attack that scans ports sees data on port x (toast.png) and notices that port x, which is connected to nothing vital, is "open for stealing of data". The request for data blacklists the IP.
There are a few things you're bringing up, and I believe your initial premise is flawed. You're saying bots are dumb enough to check these ports on a single IP address for these scans.
If you're an important enough person, what's stopping someone from using the Tor network with these scans?
Okay, you block exit nodes ( which is fairly easy to do as they're public ), what's preventing someone from dropping $10 USD a month on a VPN?
Are you or your server worth $10 a month to someone interested in you or your server? Probably
Also, what you're talking about is security through obscurity.
You think a bot will actually load up each and every single port it finds and display toast images? No, not at all.
You'd be better off implementing fail2ban filters, a proper firewall, and not some toast IDS
you win. also, "If you're an important enough person, what's stopping someone from using the Tor network with these scans?": Mr. President, get the laptop with Tor on it
Tor is amazing, actually.
Indeed
It's something I advocate for the use of. It's just a lot of people tend to be stupid when given anonymity.
That doesn't mean it's a bad system or network. The police, military, parents, churches, and anyone/everyone you can think of use Tor.
Agreed
Thank you
I do, lol
Haven't written to it in a while, but it's got a few things on it
Why you didn't share it earlier? facepalm
A lot of it is just "I've had to repeat this a few times, so I should write it down."
Let me take a look
The format is a little broken and it's something I've meant to fix
https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6195 - I just saw someone posted this
Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018
"Australia literally made it a law to require devs to make backdoors if requested and if they don't comply they get 10 years prison" - I asked as to what law it was
¯\_(ツ)_/¯
I've never been approached by anyone asking for backdoors, and if I had I'd tell them to kick rocks go away in a less than polite tone.
You live in Australia?
Hi
i want to choose a cipher to do the following: can be decrypted only with a key / is good for being sent over the internet
AES-256 CBC?
What do you mean by key in this instance?
If password/passphrase, yes - AES-256 would work.
What are some good resources for security-based Python ideas? Or what Python can do in terms of security projects. I'm looking more for ideas rather than code itself. Or better yet, resources that point to libraries that I can import and play with.
Python 3, as some resources tend to be Python 2 when I dug around (and I am not skilled enough to translate).
Don't use QR codes for websites, for example: https://i.imgur.com/ukvJQnN.png
I'm having a problem working with some scan data. I'm trying to pass some dict values and keys to another dict to be stored during iteration, as well as to another function for processing. Basically I have a bunch of hosts with different keys for ports and service names in a dict.
could someone advise on how to work with a dict? i feel like working with datatypes is something not really documented well
there is just a couple basic guides showing how to grab a key or value but nothing more complicated than that
@stoic ember Is this Ansible?
@thorn obsidian its in python using a nmap lib
and just to clarify on my datatypes comment, I'm not saying that Python doesn't explain its datatypes. I'm more saying that finding good reference material online to explain how to work with different datatypes and objects, for someone who has no formal CS background, can be a challenge.
no, it's really not a challenge. it might be even more of a challenge if you have a formal CS background because you might expect things to work in a way they don't
good point, but at least you know how things should work and can work around that.. hence knowing what you don't know. as opposed to me right now, I don't know what I don't know
A dictionary is just a key value pair, if you index it by a key you get a value and you can iterate over all keys using a for in loop
The rest is googable
```python
# a dict maps keys to values; .items() yields (key, value) pairs
res = {"hello": "world", "def": "foo"}
for i, j in res.items():
    print(i, j)
```
@stoic ember
I was just about to say did you mean for i,j
let me throw my code up on pastebin
gotta add some comments first hehe
so my specific problem is that when trying to pass specific parameters to another function it keeps sending the top level items
for example, if I say check 192.168.1.0/24 and something matches at 192.168.1.10, it passes 192.168.1.0/24 even though it's currently iterating on 192.168.1.10
see line 37 on the first link
@stoic ember thats because the only host variable visible to service_check is the one defined on line 15 host = "192.168.2.0/24"
if you want the one defined on line 55 to be visible to service_check, you need to pass it in
also you reuse the same variable names over and over a lot, and i think its going to make the code hard to maintain and work with
eg line 15, 44 and 55 all use the host variable name for different things and they end up overwriting each other
How would one protect a Flask web app from Slowloris attacks?
In Flask you don't care about the server side itself; Flask is meant for the logic. You'd usually use something like nginx in front of it @noble kraken
Slowloris is an attack against the server which is actually exposed to the public
Which would in this case be nginx
@gentle heron that's... I actually realized that as I was pasting it into pastebin and figured someone would call me on it
i guess its time to buy a rubber ducky
so are you saying that if i change up the host variables it should pass between functions correctly?
@noble kraken nginx or apache?
@stoic ember Rubber duckies are trash against anything that protects the USB ports.
Could do a blanket USB ban, set a USB whitelist ( using something like Killer - https://github.com/Lvl4Sword/Killer ), etc.
@stoic ember you need to actually pass it in as a parameter. dont try to use global variables or pull data from other functions. just pass in what you want when you call a function
```python
# bad: b() never sees a()'s x_var, because each function has its own local scope
def a():
    x_var = 5
    b()

def b():
    x_var = 3  # this is a new variable, it is not the same as a()'s x_var

# good: pass the value in as a parameter and take the result back as a return value
def a():
    x_var = 5
    x_var = b(x_var)

def b(x_var):
    return x_var - 2
```
https://www.techradar.com/how-to/how-to-add-two-factor-authentication-to-linux-with-google-authenticator Set up libpam-google-authenticator on Debian/Ubuntu/etc to get 2FA on your system
@thorn obsidian nginx and gunicorn
2FA for SSH has been great for me.
@thorn obsidian do you think I can remove my SSH key passwords if I use 2FA?
wouldnt that turn it back in to one factor authentication?
having the ssh key period might count as a 'factor' as far as how secure your setup is and is likely ok tbh
requiring a thing you have, a thing you know AND a timed code seems like 3 factors
@noble kraken slowloris isn't an issue with nginx
Scott, while I've got you.... how do I go about creating a secure webhook service?
I want to ensure my CI/CD can send data to my server... and a bit of data back.
Yeah.
I'll be using golang...
So let's generalise a bit
Do I need to consider anything other than a hashed password, plus some sort of https connection?
Setting hard limits to authentication attempts
HTTPS + HSTS + other security headers are a must
I don't know if that's a option. My CI/CD connections might be erratic.
Well, how many realistically are you going to do within x amount of time? Apply those limits to that timeframe using something like fail2ban
I mean it depends, I could make some sort of dev-switch, so when I'm testing it dramatically increases the limit.
Look into https://github.com/ismailtasdelen/Anti-DDOS and apply it to your scenario. By default it blocks all ipv6, which is not optimal. So tweak to your needs
That's a good idea, and apply it to only specific keys
With an average webserver, is it easy enough to include secure HTTP connections?
Incredibly easy
Look into https://certbot.eff.org/
I'm using it already.
I don't understand the question then
Would I proxy something like that?
Let me check the specific syntax
Actually using nginx for this could be quite hard ... I'm wanting to control nginx with this program, it's a "heroku-like" idea.
So I might struggle to do that
I might need to find another way to do this. Am I right that just using the server's IP on a random port with HTTPS is a bad idea? Or viable?
```nginx
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
```
is the bare minimum ( from https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04 ), but if you go further down it brings up headers and ciphers ( https://cipherli.st/ )
Ok thanks.
If you have any other questions/concerns/issues security-related, feel free to ask.
I'm in the process of moving to certbot-auto + nginx in containers. It's taking a while, but I can use all this
Did you see the question I asked above your links?
The "I might need to find another way to do this. Am I right that just using the server's IP on a random port with HTTPS is a bad idea? Or viable?"
100% bad idea. By default your browser will use 443 for HTTPS. Also, any port above 1024 can be used/manipulated by non-root users.
That's what I thought
I can't use nginx - with my current plans that just isn't an option
So I'd have to add HTTPS directly into my Golang web service.
nginx/apache or something else normally handles the HTTPS certs
Would you say that is pretty difficult to achieve to a high standard? I'm thinking now I need some sort of account-based solution.
Normally the HTTP server's job for HTTPS certs
high standard in security for this type of thing?
Yeah.
Well, I don't understand why you couldn't use nginx.
I use nginx for my website and services.
nginx/gunicorn/fail2ban would take the brunt of questionable things thrown at your server
You're worried about the port being in use?
This is all for a service called sharpops btw... lemme give you some context
Sharpops manages all the programs on my server
So if I make a change to my websites code, sharpops downloads it, builds the containers and deploys it
It currently does this for my Discord bots and my website
My website of course has a nginx container
Is two nginx containers working together viable?
I'm assuming it would need some sort of "master/slave" setup
I'd personally set one server to do one thing, and another to do the other.
If it was possible
I don't have the funds for that right now.
I'm just tinkering and learning with what I've got :D
$5 or $6 a month for 1GB RAM/25GB storage at Vultr/DigitalOcean/etc
I imagine you don't even need that for a discord bot
I'm currently paying £5 for a server with 4 cores, 200GB SSD and 8GB RAM
Still, you understand the point I'm making.
Currently I need to be able to develop in the cloud, run a discord bot, hastebin, and a website
I know man.... I just don't like spending the money.
Ideally I'd be buying one server for SQL, one server for discord, one server for the website
$5/$6 is a lot?
When it comes to security you have to think compartmentalization. Being able to separate everything is a huge thing you learn the deeper you get into security, and programming in general really. You want the database stuff separated from the program's main portion/logic.
Do containers not cover this?
Yeah man, I just can't spend £20 a month when uni's in a year.
Your specific case sounds like you want two services running on the same port, which doesn't sound possible.
I figured out it is with some fancy docker tricks,
Using the master/slave process actually, and a docker network
But its not for my needs.
Thanks anyways Scott, I appreciate the help.
You can run programs on different local ports and assign them to domains/subdomains through virtualhosts.
But you can't assign the programs/services to the same domain/port and expect them to function perfectly
Yeah.
But yeah, no problem!
If I moved to one server / app, would I need to stop using docker?
Or is it still ok?
I'm currently in the process of dockerizing all the things
Just found out my CI/CD service supports SSH. That might be the option I go with
@thorn obsidian i heard it's a protocol attack
but don't really know what that means
@cedar pelican I don't know why Scott keeps saying it's unsafe to use ports over 1K - it's perfectly fine on a non-shared machine
Better safe than sorry?
I mean, yeah, you're sorta right, but no reason not to do that.
And you can specify the port even with SSL, it doesn't have to be 443
sure
Is doing this with SSH ok?
I don't see why not, if you contain it to a container
Kata container if you're paranoid
The ideal way is just webhooks which trigger a git clone/build
but ssh works
Well, for what my service is doing, webhooks aren't an option, I don't think.
I'm planning on making all my production services completely containerised, so they only need env vars and a docker-compose file.
One of the services is nginx
@noble kraken Like I said, not an issue with nginx. I'd look up the specifics as to why but I'm a little slammed for time right now
it's still 'better' to not use ports over 1000. if any account, including ones used by services, gets compromised and manages to take your high-port-number process down, they can replace it and potentially gather a lot of information before you even know they have done it. if you don't need root in order to open a port that people are submitting data over, then it means you also don't need root to compromise all of that data. all you need is any remote execution exploit on any process running under any account and a crash on the target service
or even just have it sit in wait until you restart that service
its a super unlikely attack but it is viable
they won't have access to your ssl key
it just means a vulnerability in basically any service results in the ability to gather data from your high port service.
if you keep your important services under 1000, then they ALSO need a privilege escalation exploit
yeah that does help but not all services use / check them
for a web page you HOPEFULLY do have one
but how often do people self sign and not create a proper ca
hmm
i wonder if nginx can proxy to a unix domain socket
and then you can have all the sockets live in a directory that only root can create files in
you could even then give processes access to just specific sockets i bet on linux
so they are both protected by root priv AND the processes can only see their own
like via SELinux or cgroups etc
technically you could probably do this all with anonymous sockets and file descriptor passing but it'd require a rewrite of nginx and all the services involved and make nginx spawn the processes
you could also use an unprivileged container and avoid the whole issue
unix domain sockets have a halfway decent chance of already being supported (and nginx does support them)
yeah so it seems like here the ideal setup would be to have nginx with your ssl cert
let it see the folder with the files so it can write to them
when you start up a server process, pass off a file descriptor to it. make sure they aren't running as the same user as nginx.
that means only a vuln in nginx itself, the kernel, or your app can cause an information leak of that app
gaining access to a different process wouldn't do anything because the other processes don't have access to that folder and they don't have the file descriptor. therefore they can't take over that process's location, period.
meaning a vuln in your shitty php-based forum software can't be used to open a service on some other more important program's port
not sure that many servers will support receiving a file descriptor to listen on that way though
twisted+flask would though
i bet if it uses unix domain sockets you can use /dev/fd for an anonymous socket
yeah an anon socket would be even better.
maybe not, not sure if you can call bind twice
you can set up anon unix sockets when you start a sub process but not sure how that would help here unless you can start the subprocess as a separate user still
and nginx would probably have to be what starts the other service
nginx would have to have CAP_SETUID
might be easier to try using containers and an internal CA. then set up both nginx and your containerized server to verify that cert
I wonder if capabilities supports fine-grained determination of what uids it's allowed to setuid to
then you only have to maintain the public cert on nginx for regular users
please tell me how you bind to a port already in use by nginx
I suppose it could execute a CAP_SETUID wrapper which changes the uid to the desired user to run the service
you wouldn't, and i don't think that's really part of the threat model here
unless they ran nginx ITSELF on a port over 1000
and then you run into the initial issue of just having your attacker wait and monitor for the moment you restart nginx
and you wouldn't immediately notice that nginx doesn't bind to the port?
depends on if its a manual restart or not
you could know pretty quick with proper monitoring
reloads are what you need most of the time and they don't release ports
i'm not going to try and come up with a million reasons someone might have to restart nginx but not the whole server
really what would be nice if there were some way for a process running as root, to automatically evict the holder of a port that is already bound
and, short of killing it, give it a fake socket that won't receive any connections
I don't think the concept really exists in linux though
that's already a feature in most NIDS my dude
so if someone is running a regular socket on a port over 1000 we have to assume they are going to be prone to making multiple mistakes
in this case, since they are inexperienced or foolish, what other basic suggestions could we make to help mitigate the issues that might arise when proxying from nginx to another service
unix domain sockets if easily configurable take care of a lot of potential issues if its all on the same machine
"If I wanted to run a service on a port over 1000 I would simply avoid getting hacked"
lul
but i think containers side step the whole issue
again, if you already have a malicious actor who's compromised a user on your machine, you have a million bigger fish to fry than port bindings
because if each service is in a container, and each one has a different IP on either the real network or your internal one on the host, then attacking one service will not let you start a service in a way that could ever replace one in the other containers
anyway, what would really solve this is a way to assign permanent ownership of ports to a particular user or a particular binary
i.e. give ports over 1023 the same protection against random processes opening it
there are registered service numbers above 1023, so saying you "shouldn't" isn't always gonna be an option
also containers would help reduce the impact of an attacker finding a vuln in one of your services
since they would have access to fewer resources in general
this is not a bad idea
like on proxmox, you could create a network that cant connect to the actual physical network
could be implemented as easily as chowning/modding the /dev/{tcp,udp} devices
also it occurs to me that very little of this discussion is applicable to shared hosting scenarios where you may not have root at all and your neighbors may be malicious and/or compromised
and let nginx proxy to services on that network
then your nginx container is the only one that also has a port/ip on your real network
wait, I swear you can restrict ports in namespaces
then if a container is compromised in any way, as long as they can't escape, the only thing they can do is grab data coming in to the service they already have access to
opening a new different port does nothing because nginx won't read from it
so your services on port whatever on your other containers are safe from the compromised one
and yeah on a shared host its unlikely you can set this up
linux recently added the ability to put containers IN containers but that still relies on your provider setting that up
or being on a recent version of the kernel
so the tldr is that if you have a funky bunch of apps and you want a single public ssl cert and a single public-facing domain, put the apps in containers and make nginx proxy to them over a 'secure' non-public-facing network
i guess technically this would allow you to have nginx listen on any port as long as it's also in an unprivileged container and it's the only thing with that ip
moderately securely. with one app per container and a unique ip per container, there isn't a difference between someone gaining rce on the app or gaining full control of the guest container
both have the same ability to influence the rest of your system
xx: again, if you already have a malicious actor who's compromised a user on your machine, you have a million bigger fish to fry than port bindings
Except, if you're using ports 1024 and under, they would need to compromise root.
So if they compromise another user, it's an easier clean up.
yeah this just reduces their impact
but containerizing each thing on a different ip reduces it even more
if you can give each app a different user and somehow pass each one a different file descriptor in a way that prevents locating the descriptors via the file system, you can get a similar effect
not as good, but similar protection between the front-facing nginx and the services
now passing a file descriptor into a process in a container? that's the best. now not only do they not have the ability to listen on another service's 'port' or the network perhaps at all, but they have greatly reduced access to other resources, period
no clue if you can actually do that right now though. you can certainly give a container access to a file, but idk about a specific process in a container
maybe you can use a unix socket between containers, then pass a file descriptor over it via the ability to do so through unix sockets. not sure if containerization would interfere with any of that
The arguments of "just change SSH to some high port!" hold no merit when you can switch from 22 to 23 ( telnet ). Though, some IRC network scans will flag that
now you could make your firewall remap that port
basically if your wan router is forwarding a port, you can have it take like port 40212 and map it to any port on any computer
now you still have ssh on port 22, but you access it remotely via a random port that people are less likely to attack
How do you guys learn all this stuff.
regularly mess around with this stuff for many years, also some schooling
So just make a lab and try stuff out and document it?
yeah thats a good start
@obtuse siren I've been actively using KeePass since... 2005? So it's mostly doing something, and figuring out best practices with that thing. Ask questions even if you think you'll look like an idiot. Because figuring out the issues you're having, and the best way to approach something is a lot better than winging it and pulling an Equifax.
Ha, base64 is good for password encryption right?
^ π
@obtuse siren been very actively using and messing around with Linux for well over a decade, have a degree in ethical hacking, work at an information security company
just kind of picked things up along the way
Right and how much did that degree help compare to the other things mentioned?
@thorn obsidian You have a degree in ethical hacking?
ayup
@tropic bay fuck all
i can count on one hand the lectures i actually learned something new from
good for networking, i guess
and i got to do Cisco for free which was pretty based
Nice, I still have to get my OSCP.
@thorn obsidian so basically you're saying that school is useless and you learn the most by putting your self in a real life situation?
But what do I know, right? LOL, I didn't go to college and they pay me to glue sh!t to the ground.
@tropic bay i guess schools good for determining if it's what you're interested in it or not and if it's what you want to be doing in life
but I already knew I was, so...
Well f**k I dont feel like taking out a loan to try and find out if I like it tho
Lolol
true
I would've stayed in Estonia where uni is free, but they didn't teach ethical hacking
never should've gone the first place tbh
oh well, hindsight
Yeah I am into white hacking too
I am still trying to fig out how to install Wine on linux mint
Well we all start somewhere right? LOL
At least you started. A lot of folks don't get that far.
That's quote material right there
yeah make a lab of some sort. then just work on installing, configuring and testing stuff. being able to just jump in to any software, read its docs, and then get it operable is a really useful skill
I have a question about a book
Is this a good book to learn security with?
Or at least getting started?
@next shale it's okay, not excellent, but it's a nice intro yeah
Okay thank you
A decent intro is what I need
but do you have any recommendations after I read it?
no not really I just googled around mainly
okay thanks anyways
you're welcome
@tropic bay Why don't you try OSCP, it'll be great as a startup point in cyber security.
Yeah gonna check it out buddy
The Resources page on our website contains a list of hand-selected goodies that we regularly recommend to both beginners and experts.
@thorn obsidian Thank you!
No problem π
It's not about just reading books, I'd prefer you guys to try your custom tools in vulnerable environment.
@swift magnet are you enjoying it?
hmm kind of yeah
but its a python 2 book
i have trouble translating python 2 code to python 3 sometimes
You can come here anytime, I've translated most of it. @swift magnet
Thanks man
Welcome, I guess.
I guess most of the principles remain the same tho @swift magnet
I have a copy of the book around here somewhere, didn't read it yet tho haha
@upbeat palm where do you have the translation? Could I get a copy
I mean I did it once but there are plenty of github repos with updated version.
how is the initial path of onion routing determined without giving identity data such as IPs?
it's done locally, on the client. client sees a list of nodes, picks the exit node first and works back from there
https://gitweb.torproject.org/torspec.git/tree/path-spec.txt is a good read
@oblique perch
only the guard node (the very first node) will see your IP if you are not using something like a VPN
Hi
hello
What's up with Facebook?
Why do they feel the need to disable my account after I report a vulnerability on the whitehat program?
facebook does what it wants
best idea would be to post this in a blog post (with evidence) and post it on /r/netsec or something, get them bad exposure for bad practices
you wont really get help with this here as it is possible that you are using this for malicious purposes
Yes, that's right
We don't assist with hacking, cracking, or anything of that nature
I'm honestly a bit surprised that you don't know that, @swift magnet, since you have received an infraction for this before
OH NO
sorry
i thought this channel was newly made for hacking
@leaden blaze
remove that
';;
btw im making this for fun
yes, i'm also making a 50k computer cryptominer botnet for fun
(almost) Every school graduate in Russia has to pass the Unified State Exam (USE) and see the results using a special website. Each region of Russia (i.e. the city of St. Petersburg) usually has its own website. In the case of St. Petersburg, the website has a security hole.
Most sites require the full name of a person, the passport number and a captcha to see the results, while the website for St. Petersburg only requires the passport number which has two fields: the series (a 4-digit number) and the number (a 6-digit number). Most graduates in St. Petersburg this year have only one of these three series: 4014, 4015, 4016. The number (the 6-digit number) is not random either, it belongs to a certain small range. It is not very hard to acquire most results because there are only ~25000 graduates each year.
All universities must display a list of enrollees: their full name and their USE scores. If you collect enough exam results, you can acquire the passport information of graduates. So you'll have their full name and their passport information (and their USE results as a bonus), i.e. get all their private information.
Why would anyone allow for such easy access to the exam results?
well, i would argue that as with a lot of large scale security issues, it arises from the unforeseen collision of two systems that make different assumptions, and that could have been considered safe each on its own, but are not anymore when the two systems are in the presence of each other. But i do think there was deep ineptitude in making the assumptions the St. Petersburg site did.
One of the mandatory exams is the graduation composition. This composition requires serious effort from the student to be failed. I can search for students that didn't pass the exam twice and take a look at the exam sheet scans. It can be hilarious at times.
you mean they fail it on purpose? or you think they are seriously lacking?
@last ivy because they're the government
they take the cheapest offers
and no shit the cheapest offers will be from someone who doesn't know or care jack shit about security
@thorn obsidian But it's cheaper, you'd really pass off someone who can do it for half the price????
Does anyone have any attempts at the OSCP here?
Nope, preparing for it though.
Yep, finished OSCP
@twin copper what specifically should I study in relation to Python for the OSCP.
yeah I'm preparing for OSCP as well
how do you connect something to a TCP client
i made a TCP client in python
but how do i connect something to it?
you build a tcp server?
or just connect to...pretty much any network service you can think of
@orchid notch how to
using the connect method described in the socket docs of python
....you already connected it to google.com on port 8989?
what?
you dont really understand what any of these lines of code is doing do you?
well if you know its connects why are you asking questions about how to connect things then?
wait
i dont understand the connection
what does it connect to
how i can open the server
it connects to the google servers at port 8989
what does opening the server even mean
yeah youre not getting the code then, youre literally doing that in line 12
well my best guess is gonna be that port 8989 is not accessible on google.com
apart from that your shebang is telling your os to execute the script with python 2.7 you should change that to 3
so what does connecting to google.com on port 8989 mean
more or less asking whether the port is open and establishing more or less a stream between the two computers
if you dont got an exception you can assume that everything worked out
it does not give me any errors for like 2 minutes
im gonna go ahead and assume that the default timeout is on 120 seconds then
its a time out after all
oof
oof to what?
@obtuse siren I didnt really use any custom Python at all
The course is imo doable with all the default built-in tools on Kali. I did automate some things that were repetitive
@swift magnet don't take this the wrong way, but I really don't think you should be using Kali Linux if you don't understand the very basics of TCP/IP and sockets. It's really not the right distro for someone who doesn't know what they're doing, and you can very easily shoot yourself in the foot
xx is basically speaking out what I was a little afraid to say
@swift magnet Not really a security question
True
I switched back to windows
And I made a basic UDP client and server
UDP client is really simple right ?, it sends the message to the server real quick without even connecting
Yeah, UDP is connectionless
hey guys
I don't know if it fits here but I need a solution and I don't know where to go
I think that someone hijacked my router, cracked the password and entered my network
Can I ask my ISP log from the router from the 24/h ?
from the last 24/h*
and I detect it yesterday, and I have its MAC address
I have this program that scrapes proxies of a api
but I want to keep the api secret
how do I disable http debuggers from being able to intercept the api?
use https?
or what do you mean exactly? If set up properly, https blocks any men in the middle from intercepting your traffic, so that they can only see the host you're connecting to and the amount of traffic.
<@&267629731250176001> / <@&267628507062992896> sorry for the ping, but is discussion about exploit development against the rules? Assuming it isn't selling/attacking anything/one.
Good question.
it is i'm afraid, since we can't verify intention. Also you can just ping the mods, all admins are mods so they would also get the ping. Just less typing for you
Thanks for the response! Didn't want to get into hot water unnecessarily/unintentionally.
you're welcome, thanks for asking first
Unfortunately we don't allow offensive security discussions here beyond high-level theory
Okay thanks
@lilac trout Considering most ISP provided routers have default passwords, how do you know they broke in?
I'm also curious how they broke into your wireless.
what does nmap scanning do?
im just curious
ik malicious stuff is not allowed here
but idek if nmap scanning is malicious or not
that depends on how you scan
It's not malicious at all. It just scans the machine for open ports to analyze which services are running on the specific port. As nmap provides more features like, OS detection, Aggressive scan and other it allows you get information about system.
no that is not true it can be illegal
if you are endangering the availability of a service through your port scan it is illegal
otherwise its fine
True that.
Since, NSE provides vulnerability scanning for services it's a great way to gather information.
well some vulnerability scanning can actually crash the service......
@upbeat palm I beg to differ than that nmap scanning can't be malicious.
Hi guys, it's me again haha
So I'm just about to start using my service, and it'll be exposed to the public internet
It has root access, but is passworded.
It can only be accessed through https on Linux, and I only need to have access to it from circleci, my CI/CD
Does this setup sound sensible? the password is hashed and salted with bcrypt, with minimal permissions, and is extremely long.
Just put sensitive data in env vars, you're good to go
@noble kraken My CI/CD will be sending passwords, as well as commands that my service will execute.
I'm gonna have a filter on it obviously... But it's still a security risk.
Giving away passwords?
What?
The service I'm making is an "auto deployment" service.
The CI will send the data to my server, my service will process it and it'll get deployed.
It should in theory stop me needing to SSH into my server
@thorn obsidian What do you mean? Did I get anything wrong?
@upbeat palm Just the general statement that "nmap isn't malicious" is wrong
Shodan to a big extent can/is used for malicious purposes, and it's essentially nmap scanning.
True, sorry for that.
@snow basalt might be a good defense if you're worried about people reverse engineering your software. i don't know how cryptographically sound it is, but it will at least be a deterrent
Definitely a deterrent, but if someone is determined to get your bytecode, they will manage
i've used cython to get binary modules from code and ship only that, removing the python files, it feels better because the source is not there at all, it's not decrypted at runtime, it's just not there, and the best one can do is try to reverse the horrible generated C code from the binary, and then work out the corresponding cPython calls, and then get to the python equivalent, that doesn't sound like a pleasant experience at all
@snow basalt I personally wouldn't do it, no.
If you're worried about having your code reverse engineered, put a license/terms of service in front of it.
There's also the client/server model where most of your code is up on a server you control. But that doesn't apply to a lot of programs
Hello, PyCrypto doesn't install for me
and I use python 3.7.
Do you know a good library?
(Please ping me if you answer)
cryptography
pycryptodome is also ok but I still suggest cryptography
does anyone here have working AES256 encryption + decryption?
@thorn obsidian well there are a bunch of modules for it....and truth be told it is not that hard to implement properly if you dont care about side channel attacks
then use one of the two modules mentioned by xx
ok thank you!
ok this won't work
I need encryption that works with my server
It's coded in ASP.net
on my server i use AES decryption that works with my c# tools
but not with my python ones
so i need to find something that both python works well with and my server
@thorn obsidian what block cipher mode is your c# code using
@thorn obsidian ASP.net and C# and you want Python?.. Sounds like an XY problem
Asking about your attempted solution rather than your actual problem
further, encryption is (should be) language agnostic and does not care what language you use to implement it, as long as the implementation matches. IE you're using the same block sizes, cipher modes, crypto algo etc @thorn obsidian
1 moment
let me check
out of my head i think block size was 16
this is my code for encrypting and decrypting
using System;
using System.Security.Cryptography;

// Posted snippet wrapped into a method so it compiles as-is. Note: ECB ignores
// the IV, and with PaddingMode.None the input length must be a multiple of the
// 16-byte block size.
static ICryptoTransform CreateEncryptor(byte[] CipherKey)
{
    try
    {
        // Create a new instance of the AesManaged class. This generates a new key and initialization vector (IV).
        AesManaged myAes = new AesManaged();
        // Override the cipher mode, key and IV
        myAes.Mode = CipherMode.ECB;
        myAes.IV = new byte[16] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; // ECB mode ignores the IV, so an all-zero IV is set
        myAes.Key = CipherKey; // Byte array representing the key
        myAes.Padding = PaddingMode.None;
        // Create an encryption object to perform the stream transform.
        ICryptoTransform encryptor = myAes.CreateEncryptor();
        // TODO: perform the encryption / decryption as required...
        return encryptor;
    }
    catch (Exception ex)
    {
        // TODO: Log the error (ex)
        throw; // rethrow as-is; "throw ex;" would discard the original stack trace
    }
}
hmm i didn't override the mode
so which mode does it normally use?
¯\_(ツ)_/¯
I don't know C#
Found it from https://stackoverflow.com/questions/7400884/c-sharp-example-of-aes256-encryption-using-system-security-cryptography-aes
hmmm thx
ill try to figure it out
anyone have any good guides on the socket and encryption modules?
Or any other modules applicable in security programs?
Depends what you want to do with them
Which specific packages were you interested in other than sockets?
Hey guys I was wanting an opinion.
I went to a GCHQ workshop for a week, and they offered us the chance to apply for a bursary scheme: £20000 for 3 years of work with them + summer placements. Does this sound like something I should try?
They say any degree: so I'd probs do theoretical physics
Not really a #cybersecurity question
Well, it's security based... I apologize
https://www.equifaxbreachsettlement.com/ and check if you're eligible at https://eligibility.equifaxbreachsettlement.com/en/eligibility
( Yes the site is legitimate: https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement )
Affected by the Equifax breach? File a claim now.
@quartz terrace its only £4k a year.
But i'm in scotland, we have free tuition
So that 4k pretty much covers everything else
is this like part time or something? alongside part time study?
which you say you can do for free anyway
And after the degree i do 3 years of work
those 3 years are full wage?
Yeah
oh so its like 4k for a couple months worth of interning
The main reason i'd do it is so I can see what the world is really like
Yeah
I guess
that sounds pretty cool
Yeah, have you ever heard of GCHQ?
dunno if most of their work would be programming
Its not really
But its problem solving, something physicists are generally good at
And programming can only add to my skills
developing *realtime face recognition for all of UK's CCTV*
Hhahahha
its actually harder to get into than scottish universities
So its fair play
But it might be more than 3 years if they let me do a masters
would be a pretty sick reference to have
Yeah
I don't know how much it will affect my chances of being a physics professor tho
That's like the "ideal goal"
But i'm sorta thinking about it realistically
And i'm interested in wayy too many fields xD
they want to lock you into this before you've even got a year of uni under your belt?
I've heard if you wanna get to the top of academia the easiest route is just directly plowing through it
i.e not taking breaks anywhere
i'd ask uni people in the know if this would really make it all that more difficult or not
maybe that info is exaggerated
@quartz terrace Honestly, its opinions like that I need to hear
I am really struggling to make my mind up
also if you're just heading into uni right now I'd wager it's a 50% chance what your thoughts are now on career will look anything like what they do in 3 years time
or completely different
@quartz terrace Well the other decision is whether to do physics or mechatronics at university
The one thing I know is true: I really like maths
I also really like problem solving
I'd wager it's a 50% chance what your thoughts are now on career will look anything like what they do in 3 years time
Mechatronics covers this better
you should be able to take broad enough 1st year subject load that you could transfer either way
with minimal hassle
Not at top unis
Also: the top uni for physics and mechatronics are completely different
Plus, the opposite course sorta sucks
@cedar pelican in terms of having heard of GCHQ, I've only been making my own enigma cipher recently
Oh hahaha
Well to be fair: I had no experience outside of web security before I went
Lucky for me: I'm the only programmer in my school
****ing hard getting it historically accurate though
Is using self-signed ssl certs acceptable for my webhook service?
I want to use certbot... but its gonna be on a non web port
@cedar pelican i had a similar issue... i think nginx can proxy non-http requests now
im going to try to set it up in the next few days, will let you know how it goes
@grizzled lake Its more an issue of getting sharpops to either "auto" setup online
Or force users to do it themselves
can you ship sharpops with its own CA or something
self-signed, but install the intermediate cert in the sharpops client
basically acting like your own certificate authority (CA)
so as far as the client is concerned, the server's ssl cert came from a legit CA
Ah. so I just add openssl certs to the executable?
If i'm using self-signed certs, there is no reason to use nginx
But I will add a tutorial to get it into nginx anyways
@grizzled lake basically acting like your own certificate authority (CA) by this, do you just mean using self-signed certs? But just a single standard one?
And tell the client to only connect to those certs?
hold on though
i mean yeah
so
ssl certs work because we all trust that a handful of companies won't issue certs to people who are lying about their identities
I sorta get that, I don't understand how to implement it
So i tell the client "If this cert isn't signed by sharpops, error like your dying"
sorta
so how it works is, a cert is signed by a certificate authority
which has its own cert
we all have a bunch of trusted CAs certs on our computers
and OpenSSL or LibreSSL follows the chain of certs and signatures back up to that CA
Ok
I learned that last week
and OpenSSL or LibreSSL follows the chain of certs and signatures back up to that CA is this you saying not to use openssl?
so one way to do it is to make your own CA, and ship that CA's cert along with sharpops
so one way to do it is to make your own CA is this googleable?
If it is, ill be fine
thanks for the idea
i think you do it automatically when you sign your own cert
im thinking though this might have a flaw
so if you have this CA installed in the sharpops client, you need the private key in the server
meaning that anyone with the sharpops binary can impersonate anyone else's sharpops binary
which is a bad idea
basically the only problem with self-signing is that you need the "root" cert from the self-signing process back on the client
Ok.
Can I step back a second
You should only use sharpops's that are yours
The important bit is that only you can access and read the POST data you are sending too yourself
That's why I need https
I use password verification anyways
thats right. but SSL ensures that you are connecting to the place you think you are connecting to
so maybe its not a problem? and its marginally better than just skipping cert validation altogether in the client
Yeah. I don't think it is.
Do you think openSSL is acceptable for this usecase?
I'm putting shit tonnes of warnings that say "PLEASE DO NOT USE THIS FEATURE UNLESS YOU KNOW WHAT YOU ARE DOING"
use whatever library is available in your language (Go i think you said)
Golang has openssl stuff with a few bash commands
Also, I'm gonna need penetration testers, you down for that?
i dont know anything about it
People to try and get commands of their own running
might want to pay for a security audit
@grizzled lake How much money does that cost?
I'd rather focus on that when sharpops reaches a "standard". Friends can help me find the "big flaws"
yeah not something youd do right away
i think its pretty expensive
get people to use it and collect donations over time maybe
@cedar pelican What exactly is this for?
@thorn obsidian his devops autodeployment project
Ansible?
And tell the client to only connect to those certs? - not really an issue when you have HSTS / Public Key Pinning - https://scotthelme.co.uk/hpkp-http-public-key-pinning/
@thorn obsidian I can quickly explain the setup.
I have a server that accepts POST data. This data contains stuff like commands and passwords, and are executed as root.
As you can imagine, this is not a very good idea without some checks
Right now I:
Use a filter to only accept certain commands
Use a filter on env vars
Use a filter on Files that can be downloaded (Only from my GitHub)
As well as this, I'm going to make sure the server is https, and you need a special password thats is sent with the POST data before any of this is ran, using bcrypt
Basically, I want to know if this is an acceptable setup, or whether I need some more security.
acceptable for what purpose exactly
your implementation will have holes in it
question is whether you're protecting yourself against a foreign government or some bored script kiddies
is this going into production, or just a friday night project
is your source code going to be available, or is it going to only exist on your machines
I don't understand why it's running as root @cedar pelican
This more or less sounds like my https://github.com/Lvl4Sword/Alert_2.0
@thorn obsidian It's public, and I'm hoping to give it to others
But by default it's not exposed to the internet, and gives you a shit tonne of warnings if you try to.
@thorn obsidian It needs to be root so that if the user needs at least one "root" command at all in their setup, sharpops will run it
I'm wondering at this point if I force the user to set it up manually once, so that the webhooks are only sending alerts
I could set up another user
I 100% would
No need to use docker then, just use a separate user.
It 100% needs to run docker commands
that is a must
It also needs to run bash scripts, that is a must.
@thorn obsidian What is your main issue with it being root?
Is it a problem if the server is not exposed? i.e you can only connect to it from localhost
Of course, you need a different password to get it to run.
But I get what your going at
Docker group membership is essentially one trivial step away from root access. Not much to be gained there from an attacker perspective, only "protect yourself from mistyping dangerous things" maybe
But can't latest 19.03 docker release use some kind of rootless mode?
@tight abyss It's not just docker.
But at this point I think I'm gonna just not allow remoteless control
I'll let you only control tasks that are already running
@cedar pelican Didn't you ask about GCHQ? https://www.schneier.com/blog/archives/2019/07/aclu_on_the_gch.html
Does anyone have any advice on what to do if after responsibly disclosing a vulnerability a company doesn't do anything after quite a while? I'm thinking of publicly disclosing.
Are you under NDA?
Nope @vast phoenix.
how serious is the vulnerability?
I have a lot of names, first name initial, title and full last name.
yeah i dont need to know all that
And some more info related which could cause social engineering.
I mean that's what the vulnerability is.
you could just say PII
?
PII = personal identifiable information.
Ah, okay.
at the end of the day its all about how much of a spotlight you want cast on you. Look good job you exposed a vulnerability and alerted the company. Chalk it up as a win and move on to greener pastures. (that's what I would do)
The company aren't doing anything and I feel the only way to make them do something is to pressure them by going public. I don't do this as a job, I just want people to be aware what this company is doing and what's wrong with their software.
Well, that's the issue with alerting a company about these things.
- If anything happens because of this bug and they can remotely tie it back to you you're going to want to lawyer up. Way too many people have been attacked because they tried to be the good guys.
- You've already let them know about this bug. If you then publicly disclose it to "get things moving" it could be seen as trying to force their hand, and companies don't enjoy being forced to do anything.
@vast phoenix Is right, you've let them know about the bug and that's all you can do. It's rough when companies won't change things. But it's not your job ( unless they hire you of course ) to change them.
Responsible disclosure means you publish an exploit after giving those responsible x months to fix it
If youre afraid for users you can try to obfuscate the details as much as possible so it's not trivial to reproduce
Although sometimes ofc that can be hard to do without proving the exploit exists
@quartz terrace It's one end or the other though with these things.
Either they're very impressed, and will shower you with a lot of praise, or they'll threaten legal action because you "broke the computer fraud and abuse act"
Thanks for the feedback.
90 days is a pretty standard duration after you are sure the company received the information about the issue, before publishing
It kind of reminds me of Chernobyl though. They say the Soviet Union fell apart because it was accepting of these hugely vulnerable designs that they didnt want to spend time fixing and instead covered up. I dont mean to get political, just drawing a comparison that it seems we as a culture are doing something similar with data and information. A startup company blowing up and getting users is more important than their users' safety half the time imo, and we justify it because thats what it takes to risk blowing up. I feel like it might blow up in our faces.
it's important that these things are disclosed, how and what's fair is always the hard part
See, and the issue is finding out what is considered how far in this day and age
So what prevents someone from accessing the source code for the encryption bit, getting the key and number of encryption times, and de-encrypting it?
@young stump nothing
apart from code obfuscation tools nothing
nothing that youre putting into the hands of non trustworthy people yes
as long as you have source code or even compiled stuff, everything in there can be extracted
including encryption keys
hmm
obfuscation may be used to make this harder but it will never be impossible
so why are websites like discordapp.com almost impossible to crack?
what prevents someone from getting the password storage, and deencrypting it all?
@young stump because you do not have access to their data, that's how they are safe
because the password storage is on the servers lol
apart from that
even if you got onto their servers the passwords would be hashed so youd still have to crack them, which for good passwords can take an eternity
So storing data on .json with a random name is a bad idea
that depends where your .json is
I wrote a dummy-login system here with registration, encryption, and login
well as long as the system keeping the login data is not accessible by anyone except you everything should be fine
Oh
So you can block people from accessing certain file paths via the browser?
I did not know this was possible lol
@orchid notch you'd be surprised about how many big name companies still store passwords in unsafe ways 
PLAINTEXT
I would not be no
@young stump yes, they have complete control on what they allow you to access
(considering there is no exploitable security breach)
making this dummy login system though, taught me a lot about why you SHOULD ABSOLUTELY NEVER EVER STORE A SINGLE SHRED OF AN UNHASHED UNSALTED PASSWORD EVER
It's as bad as putting the milk before the cereal!
I want to learn how python works in the web-development field
Maybe even put my code to use there!
@young stump: So you can block people from accessing certain file paths via the browser?
why are you keeping your account database in the public www folder?
that's never a good idea
@thorn obsidian Oh no, you mean I've been doing it wrong this entire time?
I kid, lol
@thorn obsidian I'm not, I have no idea how that servers work
I didn't know you could hide stuff.
Servers can be best summed up as compartmentalized and permissions.
While it may seem amazing to have multiple services on a single server, it also opens you up to failure.
Now, server here can be anything from a 256MB RAM VPS, to a dedicated server with 256GB RAM / 32+ cores
When starting out, your best bet is to find out how someone would attack your server, and try it yourself. WITH THIS BEING SAID.. I am NOT advocating testing/destroying/compromising or otherwise messing with a system that YOU DO NOT OWN or DO NOT HAVE PERMISSION TO PLAY WITH. I imagine you don't want to possibly be facing criminal charges...
Then tear down the server and build it again from the documentation you made doing it the first time, revising if necessary.
Then doing it again and again and again, until you get comfortable and can automate the build process. Never skimp on updates/upgrades because it's "a waste of time"
permissions in this regard is multi-fold. Examples such as...
Does the world need read access to my DB? No.
Does this specific user need access to this?
Have I implemented SELinux/AppArmor/etc to further harden the install?
i feel like the world needs a non-really-bad guide to server security
i havent found a good one
@grizzled lake Depends what you need to secure, really.
@thorn obsidian "I don't want my irc bouncer / mastodon host / web host to become part of a botnet"
/ minecraft server
i had that happen once - and I know it was the minecraft server because I ran it in an isolated user account and it (thankfully) didn't get root
though there's really nothing you can do about unknown security flaws in the server software itself
@grizzled lake ZNC is trivial to protect, and isn't really something worth covering
Apache/Nginx is also pretty trivial. What issues are you having?
Nothing. Just imagine the new user experience trying to set up a server
You have: user accounts/groups, filesystem permissions, sudo, sshd, apache or nginx, letsencrypt/certbot, and if you get fancy you have nftables/iptables, apparmor and/or filesystem acls, and maybe a pam setting or two. Plus a backup solution. Thats a boatload of stuff and i havent seen any coherent guide on how it all fits together.
Well, don't use sudo on a server for one.
How else are you going to install updates...
su?
Which requires a root login password, which arguably might be worse?
I don't understand how that'd be worse?
sudo is giving root access to a single, normal user*. most of the time this is the case *
So if you break that users password, you've got root access too.
Whereas, su is the only root account.
¯\_(ツ)_/¯
Which again is my point, there is no one place where you're going to find all of these entry level best practices
You got to scour around on the Internet reading a bunch of 15-year-old red hat tutorials and stack overflow answers
https://www.digitalocean.com/community/tutorials/ is fairly useful in that regard
Yeah I was being hyperbolic, there are plenty of good tutorials on each of those topics independently
Yeah, but having an end all be all guide may only focus on Debian, where you may be using CentOS or something.
But look at the kinds of ridiculous questions people ask when they learn programming by tutorial rather than out of a book, it's the same deal
None of those tools I mentioned are distro specific
App armor is the exception I guess
App Armor is default on Debian now
Yes there will obviously be details that vary depending on what distro you have
Wont centos have selinux instead
I haven't used centos in a while
disagreeing on su
sudo lets you manage who can do what in a more fine grained manner, and can add/revoke permissions of individual other accounts
su just switches to another account with their password
can you even elevate single commands with su?
You can but its uglier
su -c 'apt upgrade'
Also reading the sudo man page it looks like you can set sudo go act like su and request the target users password. Not that you should do that, but interesting
@tight abyss Sure, but the goto is root access
?
the sudo thing is absolute nonsense, don't listen to scott
@thorn obsidian You're telling me most people don't give root access through sudo 9/10 times?
If done properly, sure, sudo is better. But the good majority of cases it's done wrong.
Which is why I just advocate for su usage most of the time.
even then sudo is much better - it doesn't fuck with envvars, keeps logs on every command run and whom by, is contextually aware etc
besides, are you trying to tell me you know your root user password?
that's a big yikes
No, I don't know any of my root passwords. KeePass.
@thorn obsidian even then sudo is much better - it doesn't [mess] with envvars, keeps logs on every command run and whom by, is contextually aware etc - on every distro?
Either way, I think you've missed the point.
Most users I've seen use sudo specifically for root access on a specific user.
I'm more or less just re-iterating what I've said
and, again, in that regard, su does exactly what sudo does except much worse
so I can't see why you would want to use su over sudo even if your only aim is to run commands as root
and sudo isn't distorted by any distro or project I know and is more or less independent; the behaviour I've seen across distros has been (for me, at least) consistent
so I can't see why you would want to use su over sudo even if your only aim is to run commands as root
I wouldn't. You've missed what I've said.
My argument is fairly easy. Most people don't use sudo properly from what I've seen. So because of this, I tend to recommend su as a remedy to this. If someone understands the difference between sudo and su, then I wouldn't mind having that conversation. Even if they don't, and would just not make mistakes with sudo, I wouldn't mind having that conversation.
How can you use sudo wrong in a way that you wouldn't also mess up with su?
Hello guys, does anyone here have any idea about cloaking links?
A good example would be to cloak links used in facebook or google ads where it would detect bots and crawlers in the traffic going to a page and redirect them to a different page which stops them from going on the actual website intended for normal users.
@vagrant citrus "Cloaking" links?
You mean like bit.ly / tinyurl? Link shorteners?
@tight abyss You'd use them both wrong if you were using sudo wrong, but at least su is more explicit in that regard.
how so? any example?
Here are some examples
Cloaking is the leading bot filter software (cloaker) in the industry. Use the most sophisticated cloaker to filter your traffic from bots in Google Ads (Adwords), Facebook Ads and other ad campaigns.
@vagrant citrus He was talking to scott about the su sudo thing
And I know what a facebook bot looks like
and a crawler
So the idea is to filter those through the traffic stream to my domain, catch out the bots and crawlers and redirect them to a different page on a different domain.
That way, the actual campaign destination stays hidden from facebook.
Facebook can detect redirect requests so I need to also find a way to get around that.
Start improving your lead quality & ROI using JustCloakIt top leading cloaking platform by protecting your links and reducing fraudulent traffic in real-time
another one here
@vagrant citrus if a bot decides to not advertise that it's a bot, it's really hard for you to detect it's a bot and not legitimate traffic
usually, bots include their version string in the request headers
for example, if I fetch a page using curl, my "client" sends out a request like this:
GET /pgp.pub HTTP/1.1
Host: neonsea.uk
User-Agent: curl/7.65.3
Accept: */*
as you can see, curl advertises that it's curl using the User-Agent header value
however, it can easily decide to omit that
I can pretend I'm using Chrome for example:
$ curl -v neonsea.uk/pgp.pub -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36"
* Trying 2a03:b0c0:1:a1::1937:b001:80...
* TCP_NODELAY set
* Connected to neonsea.uk (2a03:b0c0:1:a1::1937:b001) port 80 (#0)
> GET /pgp.pub HTTP/1.1
> Host: neonsea.uk
> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
> Accept: */*
same goes for bots - if they want, they can pretend they're legitimate traffic and it's extremely hard to differentiate between the two
however, most legit bots like social media crawlers usually include their version string
you can use that to redirect, using your web server's configuration options
i know it's pretty simple in nginx
but those bots usually respect /robots.txt regardless
another method would be somehow obtaining the IPs bots usually connect from and filter based on those, but that seems even more unreliable (and impossible, if trying to protect against malicious crawlers)
and re: the redirection detection
you don't need to redirect
you can serve whatever files on the same domain based on your filters
pseudo
if UA = bot:
serve hidden.html
else
serve legit.html
this is undetectable (unless, of course, the bot pretends to be legit)
alternatively, you can get complex and include canary links in your webpage that are hidden from legit users using css rules (not just visibility:hidden, that can easily be detected) but obviously visible to bots (since all they do is scan the source for links)
these canary links then, when visited, trigger some sort of rule which blacklists the IP of the bot
you can have these links on some sort of landing page for whatever you want to hide, alongside a legitimate link to it which is visible to regular users
but since a lot of crawlers crawl to a random link on the page and not sequentially, you should probably have a lot of canary links on the page so that the chances that the crawler stumbles upon the real link are slim to none
why do you even need any of this
@thorn obsidian I believe i have a solution.
Their bots can be identified through the header as well as the subnet IP.
that's literally all what I said :p
Yeah, didn't read the paragraph until after I wrote that.
I'm completely new to Python. This will be quite the complicated passion project lol
@vagrant citrus Yeah, there's no real way to detect if something is legitimate or not. You can throw out captchas and other things, but it's a cat/mouse game
If I have a bot on a residential connection with a regular Firefox user-agent, are you going to think it's a bot or a person? π
depends on how fast it navigates
depends on if it follows standards for javascript/css loading
I think his point is you can't know for certain, not that bots don't behave atypically
@tough rain Easy, time.sleep(random.choice(range(8, 47))) π
@tough rain Considering NoScript is installed on quite a few systems, why would you think users without JavaScript wouldn't be valid? π
Users who block JavaScript and cookies routinely get fucked by recaptcha
@grizzled lake I haven't had an issue, really.
Do you use chrome? In Firefox I routinely have to do 3+ captcha passes
same
if you use Chrome, Google already knows you better than yourself anyway, so why should it present you captchas