Updating talk

For Bsides, as mentioned earlier, I’m making some changes for the talk.

For Bsides Detroit I’m swapping out the original Raspberry Pi B devices from the project for the Raspberry Pi 2 B.

The first time I did this, with the RPi-B, I made one image got it working and then cloned it to the others. It caused minor problems with the wireless card naming. I also still had to touch them all to change names, static ip addresses, and the kismet configs.

This week there was a new version of Kali out for the Raspberry Pi 2 when I checked. So I downloaded it, patched it and installed the software. Then created the clone image.

I am going to have to touch each one anyway so figure I will just get the one image with the software, and then load each one and configure it.

Bsides Detroit 2015

The last schedule I have seen has me speaking at 4pm on Saturday the 18th at Bsides Detroit.

I know it’s a surprise to me to.

Talk is similar to the one I gave at Circle City Con on Raspberry Pi and Wifi detection.

New this talk: Looking at the clients, email alerts (I hope) and all on Raspberry Pi 2 (again I hope).

ARRL Field Day

Over the weekend I did my very first ARRL Field Day. It was rather interesting. For those that don’t know what Field Day is, it’s when the Amateur Radio Service (yes there is a public service aspect to the HAM Hobby and License) gets together to make contacts under adverse conditions. The club I am in, Ford Amateur Radio League, teamed up again this year with the Livonia Radio Club. We had a tent with a generator out in the middle of a field.

Continue reading

Getting the Raspberry Pis ready

As I mentioned before here and here I’ll be at Circle City Con, talking about the Raspberry Pi WIDS project I did last year at Eastern.

I’ve updated all my Raspberry Pis, including the firmware. I’ve setup a Raspberry Pi B+ and the Raspberry Pi 2 with the respective Kali images. But they still need to be set up as kismet drones, and tested.

I also need to set up the hard drive for the con, and update my slide deck.

1 week to do it in. Plenty of time.  (Famous last words).

Why is useful documentation hard to find?

I just finished reading The Linux Journal’s “Geek’s Guide to Enterprise Monitoring Success“. It was good, talking about how to leverage the monitoring to work for the IT department in an organization. This also talked about some business problems you can face, which I’ve seen first hand. I’ve been in the “metrics from another group’s monitoring tools” meeting before. Trust me, you need to be sure of yourself and what you’re doing for the company before that happens. I’ve also seen monitoring systems destroyed because the wrong people had too much access and trying to  tune the system for their needs only.

For what it was, this was a good guide. From the title though, I expected something different.

Continue reading

Yet more with Fail2Ban

So yesterday, I thought I was all good on Fail2Ban today’s logcheck emails show there were still problems with Dovecot.

Continue reading

More Fail2Ban fun with Debian Stretch

Yesterday, going through email yesterday, mostly logcheck emails, I found that Apache wasn’t blocking the attackers. It was seeing them, but not adding the ip address to iptables block list.

The fix was setting up the maxretry it was set rather high, I moved it down to 1 like I had it in the past. I also adjusted the search time to 1 hour and the ban time to 7 days. I thought I was good, and didn’t give it a second thought.

Today, looking at the logcheck emails (really it’s a great IDS for system admins to get a view into their box), there are a lot of automated attacks on the mail server NOT BEING BLOCKED!!! It worked yesterday, there were even banned ip addresses in the chain.

After lots of digging, and several changes that didn’t work, I decided to go for the bad option.

Really the real reason was that Fail2Ban had been around for a while. Things changed, and I had a weird mishmash of configuration files. After the install I removed the files in the package that were not debian related, not sure why bsd; osx; or fedora are in the Debian package to start with.

Followed the local customization file directions creating jail.d/server-defaults.conf with apache-auth and dovecot in them. ssh is handled by defaults-debian.conf. Why the new file, in case the Debian one gets over-written by new stuff later.

Restart the service and…

Still not working for dovecot.!? (tailing the log and watching iptables).

Turns out, it’s where Fail2Ban was set for default to watch for login errors for Dovecot (also noted through the logs). It’s looking in /var/log/mail.warn. I don’t know if I changed it, or it’s legacy left over, or what, but my box it’s /var/log/auth.log where Dovecot login failures go. So I added the logpath to jail.d/server-defaults.conf, restarted Fail2Ban and it worked.

Fail2Ban problems with Debian Stretch

This week The Debian project released “Jessie” (Debian 8.0) as stable. I like to keep my servers a little more ahead of the curve than that, so I upgraded to the new testing branch “Stretch”.

While going through my logs from yesterday and this morning, log checker is awesome, I saw someone hitting my mail server. Normally you only get 1 chance to log in as a non-existent account before Fail2ban kicks in and adds the ip address to my Netfilter iptables jail. This address kept showing up, hour after hour in the logs, and multiple user names.

Looking, I found out that while running, it wasn’t catching all the rules for Fail2ban. I checked the configuration files, and things checked out OK. So I fell back on the old restart the service and see what errors pop.

Continue reading

Home Lab – Lines to the basement

I currently have 2 lines ran to the basement. One black 15 foot, 1 red 25 foot. I ran the black line last year before the basement flooded in August, but I couldn’t tel you why I did it now. I really don’t remember. I think it was for my old tower. The red line is for the span port. I chose to color code them to make it easier to know what does what.

I used the pre-drilled holes in the floor for some reason the cable provider for who lived here before me drilled 2 holes next to each other. The old cable is still there, the other was empty, and what my provide used. Dropping the black line was quick and easy. The red cable though, was a pain in the butt. I could get it in the hole, but it would get stuck at the bottom edge of the wood. I ended up pulling up a length of coax, and then taping the span cable to it. I then fed it through the hole. That got it down there, then I fed from above instead of pulled because it was a tight fit, and figured pushing would do less damage to the cat5e twisted pairs.

I was thinking it would have been great to have flight line, fish tape, or a pole, but after looking at the head on a fish tape last night, I don’t think that would have worked either.

color code:
Black – switch to switch
white – entertainment
red – span
blue – Firewall to Switch, Switch to Router
green – ISP

I don’t know what color I’m going to use for the PI farm. I was thinking maybe purple.