openssl s_client -connect www.google.com:443

This connects to google.com over SSL and will display on screen and should look something like this.

jason@boomer:~$ openssl s_client -connect google.com:443
CONNECTED(00000003)
depth=1 C = US, O = Google Inc, CN = Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
—
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
—
Server certificate
—–BEGIN CERTIFICATE—–
…

Another command I’ll run is to make sure weak SSL ciphers aren’t enabled on my hosts, so using the same command but adding -cipher LOW


jason@boomer:~$ openssl s_client -connect google.com:443 -cipher LOW

CONNECTED(00000003)
139786025997984:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
—
no peer certificate available
—
No client certificate CA names sent
—
SSL handshake has read 7 bytes and written 70 bytes
—
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Now sit back and enjoy the awesome. Most of the time you don’t get any feedback when you do this,  so just try to run ‘telnet’ after the command returns.


DISM /online /Cleanup-Image /SpSuperseded


Will run for awhile and clean up all of those left over remnants on your drive.  Output should look something like this

 
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>DISM /online /Cleanup-Image /SpSuperseded

Deployment Image Servicing and Management tool
Version: 6.1.7600.16385

Image Version: 6.1.7600.16385

Removing backup files created during service pack installation.
[==========================100.0%==========================]
Service Pack Cleanup operation completed.
The operation completed successfully.

C:\Windows\system32>

I’m using swatch in linux to monitor my auth.log file looking specifically for brute force attempts, note that this is not a complete treatise on all of my security precautions, this is just how I deal with the ones that really annoy me.  My swatch.conf is here

watchfor /authentication failure/
threshold track_by=$1, type=both, count=5, seconds=3600
exec /usr/local/bin/notifyme "$_"


I’m essentially telling swatch to look for any attacker that fails more then 5 ssh attempts in 1 hour, when you find such a person send the log file entry that triggered the alert over to a script called /usr/local/bin/notifyme as a parameter.

notifyme is just a bash script that uses a few external programs.

Next you just need to run twidge for the first time and set it up with your twitter account.

The bash script itself is pretty simple.  When it runs, it takes the string sent to it from swatch, creates an email and a tweet off of the hostname, time and user they tried to break in as and then runs a noisy and thorough nmap scan against the host attacking you. No point in being quiet, if someone triggers this alert it wasn’t by accident.   If the host is running a webserver, nmap will also create a png screenshot of the page that they are serving and store it in /tmp. I used to have it sent in an email but one time I got 4 20mb png files that came in over a 3g connection. so we don’t do that anymore.

#!/bin/bash

echo "To: $RCPT" >>$FILE
echo "From: $FROM">>$FILE
echo "Subject: $SUBJECT" >>$FILE
echo "" >>$FILE
echo "" >>$FILE
echo "On $DATE, asshat at $HOST tried to ssh brute force as $USER" >>$FILE
echo "Running nmap scan..." >>$FILE
nmap -A -P0 -sV --script=default,http-screenshot $HOST >>$FILE
echo "---" >>$FILE
echo "" >>$FILE
echo "" >>$FILE
PORTS=`cat /tmp/message.txt |grep open | awk -vORS=' ' {'print $1'}|grep -v Warning`
TWEET="#WallofShame $HOST open ports $PORTS"
TWEET=`echo $TWEET | cut -c-140`
ssmtp -s $SUBJECT -f $FROM $RCPT <$FILE
twidge update "#WallOfShame $HOST tried to brute force SSH as $USER on $DATE"
twidge update "$TWEET"

If you want to take this further, you can integrate calls to shodanhq using curl that will also pull back what security vulnerabilities the attacking host’s listening services are vulnerable to. I started off initially posting this information to twitter but decided that “incite to violence” would be an appropriate description for that feature.   But lets say you felt like you needed to do that research anyways, field #3 in the nmap open port results is all you need to submit to shodan to see if your attacker has a great big hole in his boat.

curl http://www.shodanhq.com/exploits?q=`cat $FILE | grep open | awk {'print $3'}`


Lots and lots of room for improvement, but this is where I’m starting. you can monitor my scripts output by following my twitter account at @scratchhax

1. open regedit and look for the following key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msahci

2. right click on “Start” and select “Modify”
3. Change the value to be “0″ and then reboot

Be sure that you enabled AHCI support in your BIOS. when you reboot windows will install the AHCI drivers for your drives and then make you reboot again.

open a command prompt as admin. It has to be admin or this won’t work. Run the following
fsutil behavior query disabledeletenotify

DisableDeleteNotify = 1 means that TRIM is disabled
DisableDeleteNotify = 0 means that TRIM is enabled

Note that TRIM will only work on an SSD drive that is set to use AHCI in BIOS. If you installed windows using Legacy or SATA mode, you can either reinstall windows after switching your BIOS to AHCI or you can edit your registry to enable AHCI drivers after you have changed your BIOS to use AHCI

2factor authentication is awesome, therefore google authenticator is awesome.  I wanted all of my internet connected boxes to use 2factor for ssh, but only when the source IP isn’t coming from one of my internal networks. Here is how I did that on ubuntu 12.10

install the google_authenticator pam module

sudo apt-get install libpam-google-authenticator


edit /etc/pam.d/sshd and add the following before the @include common-auth line

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth required pam_google_authenticator.so


create the file /etc/security/access-local.conf and add the following to it

+ : ALL : 192.168.0.0/28
+ : ALL : LOCAL
- : ALL : ALL

192.168.0.0/28 should be the subnet of your trusted network that you will not require 2factor from.

Edit /etc/sshd/sshd_config and make sure that

ChallengeResponseAuthentication yes

is set. By default it is set to No.

Install the google authenticator app on your phone and add a new source. Log into your server as the user that you want to setup and run, from the command line

google-authenticator


Now either copy the codes into your authenticator app or scan the QR code. Restart ssh and you’ll be done! If you try to connect from a host outside of your trusted network, you should get prompted for your 2factor code. Anything inside of your trusted network should be allowed in with just a password.


xbmc-send -a "Notification(Hey,Hey there this is a message)"

will display a pop up notification on your screen with a title of “Hey” and a message of “Hey there this is a message”

The same thing can be done with a remote xbmc instance by using

xbmc-send --host=192.168.0.1 --port=9777 -a "Notification(Hey,Hey there this is a message)"


Actually, xbmc-send can send any of the actions that xbmc is aware of, you can find a full list of them here