JerryGamblin.com.

 
Mod_Security is the most widely known and used server based Web Application Firewall but I had not had a chance to play with it so I decided to take sometime this weekend to build a website (modsec.handsonhacking.org) to test it.   Here is a small walk through on how I did it.

Base Server Install:

I used AWS Lightsail to build a webserver using Ubuntu 16.04,  Apache2,  LetsEncrypt , and this HTML5 Template.
Install and configure the website with these commands:

sudo apt update && sudo apt upgrade -y
sudo apt install apache2 git -y
sudo rm /var/www/html/index.html
sudo git clone https://github.com/themefisher/Blue-Onepage-HTML5-Business-Template.git /var/www/html/
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot

Mod_Security Install

Install Mod_Security with these commands:

sudo apt-get install libapache2-modsecurity
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf

Move from logging to blocking move with these commands:

sudo nano /etc/modsecurity/modsecurity.conf
# Change SecRuleEngine DetectionOnly
SecRuleEngine On

It should look like this:Install the updated OWASP ModSecurity Core Rule Set:

sudo rm -rf /usr/share/modsecurity-crs
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs

Enable them in the apache config file:

sudo nano /etc/apache2/mods-enabled/security2.conf
Add:
     IncludeOptional /usr/share/modsecurity-crs/*.conf
     IncludeOptional /usr/share/modsecurity-crs/rules/*.conf

It should look like this:
Move the OWASP rules from logging to blocking:

cd /usr/share/modsecurity-crs
sudo cp crs-setup.conf.example crs-setup.conf
sudo nano crs-setup.conf
Comment Out:
#SecDefaultAction "phase:1,log,auditlog,pass"
#SecDefaultAction "phase:2,log,auditlog,pass"
Uncomment:
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

It should look like this:

Next restart apache to enable mod_security:

sudo systemctl restart apache2

Testing

To test I used burp suite to scan modsec.handsonhacking.org to generate plenty of “bad traffic”.

Run this to see what is being blocked in real time:

sudo tail -f /var/log/apache2/modsec_audit.log

Next Steps

Now that I have mod_security running I need to find a better logging solution.   So far I have quickly looked at waf-fle and auditconsole but they both look to be abandoned.  It looks like there are people who are doing a lot with ELK but I have not found anything solid yet.  I am really surprised there isn’t a ready made Dashboard but I will keep looking.

Warning:

I have spent all of four hours playing with this on non-production traffic.  Please do not just install this in front of your website and then blame me when things break.

Closing:

Overall with the help of @infosecdad  and @lojikil guiding me through some of the places where documentation is lacking it was fairly easy to get this setup and going.   If you have any questions please reach out to me on twitter at @JGamblin. 

One of the things that even the new MacOS beta is missing is MAC Address Randomization on boot.  After spending a few hours working on it I put together this completely hack-y solution that uses Spoof and an automator Script saved as an application.
Here is how I configured it:

• Install Spoof
• Open Automator
• Select “Application”
• Add “Run Applescript”
• Copy & Paste This Script:

on run {input, parameters}
	delay 4
	tell application "Terminal"
		activate
	end tell
	tell application "System Events"
		delay 0.3
		keystroke "sudo spoof randomize en0"
		keystroke return
		delay 0.5
		keystroke "#SADLYYOURPASSWORDHERE"
		keystroke return
		delay 5
	end tell
	tell application "Terminal" to quit
	return input
end run

• Change “#SADLYYOURPASSWORDHERE” to your local password.
• Test & Save:

• Add to System Preferences -> Users & Groups -> Login items

Overall this is a pretty simple solution.  I dont love it because you have to save your local password in the script and I am looking for a way to change that but it looks like to change the MAC address you have to be root.  I will update this post if I figure out a way to remove the password.

I recently saw this SSH/HTTP(S) multiplexer on Github and tweeted that it looked amazing:

An amazingly cool tool to run a webserver and a ssh on the same port: https://t.co/Z2eel3aIq5

— Jerry Gamblin (@JGamblin) July 2, 2017

A couple of people responded that you should be able to do the samething with HAProxy or something similar but my experience with HAProxy has been that is temperamental so I didn’t want to mess with it.  After some more research I found a tool called SSLH that did what I wanted so I built a demo site at  sshttps.jgamblin.com that is running SSH and HTTPS on port 443.

How To Build It Yourself:

To demo this I used a $5 Ubuntu AWS lightsail instance with a valid DNS record (sshttps.jgamblin.com)

Base Out The System:

These commands will update the system, install SSLH and Apache, and install a valid TLS certificate from LetsEncrypt:

sudo apt update && sudo apt upgrade
sudo apt install sslh build-essential apache2
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
./certbot-auto

Configure SSHL:

You need to edit the config so that <ETH0 IP> is the local (not public) IP:

sudo nano /etc/default/sslh
DAEMON_OPTS="--user sslh --listen <ETH0 IP>:443 --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 --pidfile /var/run/sslh/sslh.pid"

Configure Apache:

You just need to change Listen *:443 to Listen 127.0.0.1:443

sudo nano /etc/apache2/ports.conf
<IfModule ssl_module>
        Listen 127.0.0.1:443
</IfModule>
<IfModule mod_gnutls.c>
        Listen 127.0.0.1:443
</IfModule>

Reboot and Enjoy:

You can probably restart services but a  sudo reboot works here and you are good to go.  If you visit with a web browser you get the page:

…*but* you can now ssh into the box on port 443 using ssh [email protected] -p 443

Closing Thoughts:

NMap only knows it is SSH if you use -sV:
I am looking forward to using this method in the future to stack services.  Let me know on twitter @jgamblin if you have any thoughts.

I love OWASP  (I wanted to get that out of the way) but they let their TLS certificate expire yesterday:


Should it have happened to an organization whose whole goal is to secure web applications?
No.

There are a million reasons why their TLS certificate could have expired and plenty of reasons it shouldn’t have  (OWASP uses letsencrypt for their TLS certificate which can automatically renew certificates and sends you email when they are close to expiring).
Is it forgivable?
Yes.
Expired certificates,  missing patches and unknown cloud services haunt every security organization. Some people look at these things as *easy* to fix and if you miss them you dont care about security… most of those people have usually never worked in operational security.
Why did it happen?
Operational Security Is Hard.

Being perfect is impossible.   Stephen Curry (Arguably the best shooter in the NBA) only makes 90% on his free throws.  So everyone is going to miss a patch, let a certificate expire and have unknown cloud services.  It.Is.Going.To.Happen.
What can we learn from this?
A lot. 
How would your organization have handled this on Saturday morning?  Would you have been able to update your certificate in an hour on a Saturday morning?    If you know the answer to those questions you can pick a tweet from @badthingsdaily and work through it with your team.
Let me know your thoughts on twitter.

Have you ever wanted to control a vast medium small network of Honeypots but only had an hour and about $40 a month to spend on your project? So did I!  So with the help of Digital Ocean and Anomali‘s Modern Honey Network we can now do it!
For a basic distributed Cowrie network you will need:
1 – $20 a month Digital Ocean Droplet for the MHN Server.
4 – $5 a month Digital Ocean Droplets for the Cowrie honeypots.

Configuring The MHN Server:

Setting up the server is eas easy as running these commands on your controller droplet and and waiting 10 minutes:

sudo apt update
sudo apt upgrade -y
cd /opt/
sudo git clone https://github.com/threatstream/mhn.git
cd mhn/
sudo ./install.sh

After it installs everything it needs it will ask you the following questions:

Do you wish to run in Debug mode?: y/n n
Superuser email: [email protected]
Superuser password:
Superuser password: (again):
Server base url ["http://honeypot.jgamblin.com"]:
Honeymap url [":3000"]: http://honeypot.jgamblin.com:3000
Mail server address ["localhost"]:
Mail server port [25]:
Use TLS for email?: y/n n
Use SSL for email?: y/n n
Mail server username [""]:
Mail server password [""]:
Mail default sender [""]:
Path for log file ["/var/log/mhn/mhn.log"]:
Would you like to integrate with Splunk? (y/n)n
Would you like to install ELK? (y/n)n

Once that is done you now have a working MHN server:

Configuring The HoneyPots:

At this time MHN supports 17 honeypots for easy deployment:

I have used cowrie in the past and like it a lot so decided to use it for this blog post. You can deploy cowrie honeypots to your MHN server with the following commands:

sudo apt update
sudo apt upgrade -y
sudo apt install python -y
wget "https://gist.githubusercontent.com/jgamblin/e2c5432fa4518876c0536b625f90f8da/raw/67f792b549198a9bff15fd863e4e0cca6ae50b37/cowrie.sh" -O deploy.sh && sudo bash deploy.sh http://yourmhnserver yourcode
#An update broke the deployment script and there is a proposed fix.
#I copied the proposed fix to the gist used here. 
#wget "http://yourmhnserver/api/script/?text=true&script_id=14" -O deploy.sh && sudo bash deploy.sh http://honeypot.jgamblin.com yourcode wget

This scripts moves your *real* ssh port to 2222 and starts the honeypot  on port 22 (SSH) and 23 (Telnet). 
Once the script is complete they show up in your MHN server:

Looking at the Data:

Within minutes you will have data to look at.  My honeypots were up for under 30 minutes and I had a lot of data:

Next Steps?

There are 16 other types of honeypots you can run. WordPot is an amazing WordPress Honeypot and Dionaea is a great way to capture your own malware samples.  I will likely run both and a few more as I keep playing with this project.
Have any questions? Reach out to me on twitter @jgamblin.

In the last couple of years the Anti-Vaccination crowd in the United States has started to make inroads with more and more people deciding that the perceived risk of the vaccination outweighs the known risk of the disease.
When you ask them why they dont vaccinatie they always have anecdotal evidence of how the vaccination could hurt them,  how they know of someone else who 5 years ago got a vaccination and it made them *really sick*  or they have an amazing supplement that they take that does much better than the vaccination would do.

I am not talking about parents who are put their children at risk of getting measles, I am talking about IT shops who are putting their companies, customers and data at risk by not taking proven preventative measures to secure their systems.
After 15 years in security I have heard all the excuses for not vaccinating systems:

It *might* break something.
We have a $500,000 Next-Generation  ██████ Box (Unconfigured).
We have not a had a *serious* outbreak yet.

The problem is when you bring proven and tested solutions like the CIS Critical Security Controls and the anti-vaxxers bring an anecdote you are going to lose.  My favorite mentor told me a long time ago you “you can’t debate an anecdote and win“.
This is normally where I like to end my blog post with a great solution we can all use. The problem is there isn’t a good solution to make people vaccinate their children and there isn’t a solution to make  people to vaccinate their systems.
Until then I am just happy I dont have to deal with polio or WannaCry.

As I continue to try to learn R,  I am trying to build tools that other people might find useful. Tonight with the help of Bob Rudis I built a script that will find domains with a keyword in it from DomainPunch, do a geoip lookup and map it if it is online.
Since it is time to start thinking about defcon this summer I decided to use it as my keyword for the demo.
Here are all 544 live IPs with “defcon” in it mapped:

Link to the full screen map.
Here is a CSV of the data.
Here is the source code:
https://gist.github.com/jgamblin/eaab0066e7942dcb8f822f5cb7fdc72e
As a reminder if you want to play along at home there is an RStudio docker container so all you need to do is:

docker run -d -p 8787:8787 -e USER=<username> -e PASSWORD=<password> rocker/rstudio

Learning R is turning out to be more fun than I thought it would be so expect some more blog posts!  Here is a picture semi related to this blog post to make it look pretty when I share it on social media.  

Since I have started looking at the Umbrella DNS Popularity List I was interested in seeing how much the data changes day to day.  I fired up RStuido and wrote some terrible code but finally got it to work with some help.
Yesterday there were 80937 new DNS names on the list that were not on the list the day before.
(Update: Here is a CSV of the 169366 domains that were not on the list April 1st but was on the May 1st list.)
Here are the new additions on a map:

Link to the full screen map.

Here is a CSV of the data with GEOIP information added. 
Here is code I ended up with if you want to build your own:
https://gist.github.com/jgamblin/e665abadbafdd4757d484b728a74383c
Up next is to run these domains through Virustotal to see if any of them are bad.
Here is a picture semi related to this blog post to make it look pretty when I share it on social media.