Security – Page 2 – Ryan Schulze

Adding CVE information to Nmap scans

January 19, 2018April 1, 2022Ryannmap, security

Last week I stumbled across a nice nmap script that adds CVE information from https://vulners.com/ to the results of nmap scans. Since it relies on version information from services it requires you scan the host with -sV

Example: nmap -sV --script vulners host

The github repository is https://github.com/vulnersCom/nmap-vulners/
You can add the script to your nmap installation with dir=/usr/share/nmap/scripts/ ; curl -ksL https://raw.githubusercontent.com/vulnersCom/nmap-vulners/master/vulners.nse >> ${dir}vulners.nse && chmod 0644 ${dir}vulners.nse
(or wherever your nmap script directory is, e.g. /usr/local/share/nmap/scripts/ ).

API for Troy Hunts passwords list

August 14, 2017August 14, 2017RyanAPI, passwords

TL;DR version: https://github.com/ryanschulze/password-check-api

So NIST updated their recommendations on passwords/authentication a few weeks ago. And while a lot of the reporting was about how password complexity was removed in favor of password length, one point I found intriguing was the suggestion to check if a users password falls into one of these categories:

Passwords obtained from previous breach corpuses.
Dictionary words.
Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
Context-specific words, such as the name of the service, the username, and derivatives thereof.

Troy Hunt, the guy behind https://haveibeenpwned.com, deals with a lot of data breaches and made 320 Million passwords from breaches available (at the time of this posting) to help people with checking if passwords that were part of a data breach.

I threw together a small API that can make the data from Troy Hunt easily query-able (or any list of SHA1 hashes for that matter). This can be useful if you have multiple systems that want to query the data, or if you want the data on a separate system.

It’s nothing special, a MySQL backend, a Webserver and an API application using the Slim framework. It’s also stupid fast because there is nothing fancy or special about it. Since it uses a well documented framework it is also easy to change/extend/adjust to your specific requirements.

Running an OSSEC server with lots of agents

August 7, 2017August 7, 2017RyanOSSEC

The default maximum amount of agents an OSSEC server supports is 256. That’s not very much. In order to increase that number, you need to recompile the source code. Instructions for that are in the official documentation.

Depending on the defaults of your Linux Distribution, you may start noticing dropped UDP packets (depending on the amount of agents connecting and how much data they are sending to the server). An easy way to check is with cat /proc/net/snmp | grep Udp\:|column -t (check if RcvbufErrors or InErrors are increasing).

The following tweaks to the incoming network buffers resolved the situation for me, and can be a good starting point if you are having similar problems and looking at which settings to tweak. Focus on the rmem buffers first.

net.core.rmem_max=33554432
net.core.rmem_default=33554432
net.ipv4.udp_mem='192576 256768 385152'
net.core.somaxconn=256
net.core.netdev_max_backlog=2000
net.ipv4.udp_rmem_min=8192

net.core.rmem_max=33554432

net.core.rmem_default=33554432

net.ipv4.udp_mem='192576 256768 385152'

net.core.somaxconn=256

net.core.netdev_max_backlog=2000

net.ipv4.udp_rmem_min=8192

Playing around with eBPF

March 29, 2017July 17, 2017Ryankernel, linux

Here is a wonderful github repository for playing around with BPF https://github.com/iovisor/bcc

(more…)

Setting up multidomain DKIM with Exim

October 13, 2016November 7, 2018RyanDKIM, dmarc, exim, SMTP, SPF

Update November 2018:

A reader contacted me and pointed out that removing the {} around DKIM_DOMAIN solves the errors in the original example I found and had problems using. I’ve updated the code below (line 8) to reflect those changes in case anyone ends up here via google.

He also shared a nifty way to make selector rollovers easier by adding them to the filename:

DKIM_SELECTOR = whatever
DKIM_FILE =/etc/exim4/dkim/DKIM_DOMAIN.pem.DKIM_SELECTOR
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

With the format of the key files being ....

/etc/exim4/dkim/example.org.pem.previousselector
/etc/exim4/dkim/example.org.pem.whatever

DKIM_SELECTOR = whatever

DKIM_FILE =/etc/exim4/dkim/DKIM_DOMAIN.pem.DKIM_SELECTOR

DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

With the format of the key files being ....

/etc/exim4/dkim/example.org.pem.previousselector

/etc/exim4/dkim/example.org.pem.whatever

And last but not least an elegant way to populate the DKIM_DOMAIN variable: https://bugs.exim.org/show_bug.cgi?id=1019

Original Posting:

I was recently setting up SPF, DKIM and DMARC for multiple domains and was having trouble getting Exim to sign emails for the different domains. I found an article here explaining the steps. But I kept getting the following error in my exim logs:

failed to expand dkim_private_key: missing or misplaced { or }

The suggested configuration was the following:

DKIM_CANON = relaxed
DKIM_SELECTOR = 20150726

# Get the domain from the outgoing mail.
DKIM_DOMAIN = ${sg{${lc:${domain:$h_from:}}}{^www\.}{}}

# The file is based on the outgoing domain-name in the from-header.
DKIM_FILE = /etc/exim4/dkim/DKIM_DOMAIN.pem

# If key exists then use it, if not don't.
DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

DKIM_CANON = relaxed

DKIM_SELECTOR = 20150726

# Get the domain from the outgoing mail.

DKIM_DOMAIN = ${sg{${lc:${domain:$h_from:}}}{^www\.}{}}

# The file is based on the outgoing domain-name in the from-header.

DKIM_FILE = /etc/exim4/dkim/DKIM_DOMAIN.pem

# If key exists then use it, if not don't.

DKIM_PRIVATE_KEY = ${if exists{DKIM_FILE}{DKIM_FILE}{0}}

I’m not quite sure why, but Exim was having trouble using the macros in the following macros, so I ended up changing it to the following snippet instead. If you don’t use DKIM_FILE you can omit it. Also you might want to set DKIM_STRICT to true if you published a DMARC policy that will reject or quarantine email failing the DKIM tests (unset, or “false” tells Exim to send the message unsigned if it ran into problems signing the email). The default setting for DKIM_CANON is “relaxed“, so it also can be omitted.

DKIM_CANON = relaxed
DKIM_STRICT = false
DKIM_SELECTOR = 20160724
DKIM_DOMAIN = ${lc:${domain:$h_from:}}
DKIM_FILE = /etc/exim4/dkim/${lc:${domain:$h_from:}}.pem
DKIM_PRIVATE_KEY = ${if exists {/etc/exim4/dkim/${lc:${domain:$h_from:}}.pem} {/etc/exim4/dkim/${lc:${domain:$h_from:}}.pem}}

DKIM_CANON = relaxed

DKIM_STRICT = false

DKIM_SELECTOR = 20160724

DKIM_DOMAIN = ${lc:${domain:$h_from:}}

DKIM_FILE = /etc/exim4/dkim/${lc:${domain:$h_from:}}.pem

DKIM_PRIVATE_KEY = ${if exists {/etc/exim4/dkim/${lc:${domain:$h_from:}}.pem} {/etc/exim4/dkim/${lc:${domain:$h_from:}}.pem}}

Other than that, just make sure the exim process has permissions to access the dkim directory and certificate files and everything should work nicely.