Adding A Custom GeoIP Field to Filebeat And ElasticSearch

As part of my project to create a Kibana dashboard to visualize my external threats, I decided I wanted a map view of where the attacking IP addresses were coming from, based on GeoIP data. By default, Filebeat installs several sample dashboards; I used them as inspiration to see what could be done, and set out to imitate them.


Your Home Network Is Under Attack 5000 Times A Day.

We’re always told that the internet is a very dangerous place, but that is a very abstract threat. I have often found myself telling people that the internet is dangerous with no real data to back it up.

Therefore, my latest project was a deep dive into trying to figure out, for myself, how likely I was to get attacked if I had a server open to the internet. I know that it’s not a matter of ‘if’, but of ‘when’, but I wanted to quantify the ‘when’ as well as the ‘what’.

The Plan

My plan has three phases. Generally, I am going to use an SSH (Secure Shell) server to act as a honeypot to lure in attackers. SSH is what people are using when they see the black terminal window they associate with Linux (and Jurassic Park).

The Bash Shell

An SSH server usually listens on TCP port 22, and when you log in to a Linux server remotely, you’re usually talking to it.

So my plan is:

  1. Determine the general external threat: what is my router blocking?
  2. Determine how long it takes for a slightly hidden server, with only its SSH port forwarded to it, to come under direct attack.
  3. Profile the attack on SSH to see how the attack takes place.
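To make steps 2 and 3 concrete, here is an added example (my own code, not from the original post) that parses the "Failed password" and "Accepted" lines OpenSSH writes to /var/log/auth.log on Ubuntu, aggregates failed logins per source IP, and measures the time from exposing the port to the first attempt. The log lines are constructed samples using RFC 5737 documentation addresses, and the function names are mine.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample lines in the syslog format sshd uses in /var/log/auth.log.
# Addresses are from the RFC 5737 documentation ranges; this is not captured data.
SAMPLE_AUTH_LOG = """\
Dec  3 10:15:01 honeypot sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec  3 10:15:03 honeypot sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Dec  3 10:15:07 honeypot sshd[1240]: Invalid user pi from 198.51.100.7 port 40000
Dec  3 10:15:09 honeypot sshd[1240]: Failed password for invalid user pi from 198.51.100.7 port 40000 ssh2
Dec  3 10:15:12 honeypot sshd[1241]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec  3 10:16:00 honeypot sshd[1250]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:abc
""".splitlines()

# Matches: "Failed password for [invalid user ]<user> from <ip> port <port> ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
# Matches: "Accepted <method> for <user> from <ip> ..."
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"
)


@dataclass
class AttackProfile:
    """What one source IP did against the honeypot."""
    ip: str
    attempts: int = 0
    usernames: set = field(default_factory=set)
    invalid_user_attempts: int = 0   # guesses at accounts that do not exist on the box
    first_seen: str = ""
    last_seen: str = ""


def profile_ssh_attacks(lines):
    """Aggregate every failed password attempt by source IP."""
    profiles = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        p = profiles.setdefault(m["ip"], AttackProfile(ip=m["ip"]))
        p.attempts += 1
        p.usernames.add(m["user"])
        if m["invalid"]:
            p.invalid_user_attempts += 1
        p.first_seen = p.first_seen or m["ts"]
        p.last_seen = m["ts"]
    return profiles


def top_attackers(profiles, n=10):
    """Source IPs ordered by number of attempts, busiest first."""
    return sorted(profiles.values(), key=lambda p: p.attempts, reverse=True)[:n]


def successful_logins(lines):
    """(user, ip, auth method) for every accepted login. On a honeypot this should
    contain nothing but your own administrative logins; anything else is a compromise."""
    return [(m["user"], m["ip"], m["method"]) for m in map(ACCEPTED_RE.search, lines) if m]


def seconds_to_first_attack(lines, exposed_at, year):
    """Seconds from the moment the port was forwarded (exposed_at, in the same
    'Mon dd HH:MM:SS' form as the log) until the first failed login, or None if
    nothing hit it. syslog timestamps carry no year, so the caller supplies it."""
    def parse(ts):
        return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            return (parse(m["ts"]) - parse(exposed_at)).total_seconds()
    return None


if __name__ == "__main__":
    profiles = profile_ssh_attacks(SAMPLE_AUTH_LOG)
    for p in top_attackers(profiles):
        print(f"{p.ip}: {p.attempts} attempts, users tried {sorted(p.usernames)}, "
              f"{p.invalid_user_attempts} against nonexistent users, {p.first_seen} .. {p.last_seen}")
    print("accepted logins:", successful_logins(SAMPLE_AUTH_LOG))
    print("seconds to first attack:", seconds_to_first_attack(SAMPLE_AUTH_LOG, "Dec  3 10:14:01", 2018))
```

On a real box you would feed it `open("/var/log/auth.log")` instead of the sample list; the usernames set is the interesting part for step 3, since it shows which default accounts (root, admin, pi) the bots are guessing.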


Installing ELK without Docker on Ubuntu 18.04 with LetsEncrypt

In my last post, I set up ELK in a Docker container to see if it would meet my needs, but I found that unless I wanted to go very deep with Docker, I’d need to do a raw installation of ELK. The main motivation was that I wanted to install an SSL certificate in Kibana using LetsEncrypt from my pfSense box, and a job that rebuilds the Docker image every 90 days, each time the certificate renews, seemed brittle.

One thing I realized was that you can do a lot without installing the ‘L’ in ELK. Both LogStash and ElasticSearch (through its ingest pipelines) provide means to ingest and process logs. When you install Filebeat on your client, you can opt to output to LogStash or directly to ElasticSearch. I went direct to ElasticSearch for now, though I will likely revisit that later on. Two resources that discuss the trade-off are linked here and here.


DMZ Is a Four Letter Word

My latest project is to set up a secure Minecraft server for my kids and their friends to play on. As I mentioned in my previous post, the usual advice to simply set up port forwarding on your router is a pretty bad idea. The alternative that is normally recommended is to set up a DMZ. I’ll do this in a bit (I had to order some hardware), but first I’d like to talk about DMZs, and why the term is a terrible and misleading concept.


The Internet Is More Mad Max Than Wild West Now

Quaint were the days when we viewed the internet as a ‘Wild West’. I’d take a sparsely populated frontier of small towns, where you could travel by stagecoach with minimal risk of robbery, over what we have today. Remember ‘Tombstone’? That seems like a downright safe and friendly place to spend time compared to today’s internet, where we basically have to live in miniature fortresses and travel to other, larger fortresses in armored convoys, all while under constant attack by a robot-augmented army of criminals.

I got to thinking about this because I’d like to set up a Minecraft server for my kids, but with the recent Marriott breach, in which 500 million guest records were exposed, I’m reminded (again) that it’s just not safe out there. For context, 500 million is roughly as many Americans as have ever lived. It’s a little shy of 10% of the world population. Once you think about the scale of these breaches, it’s time to rethink what the internet is.


Next Project – Video Surveillance with Unifi Video

Now that I’m done with my WiFi project, and everyone is surfing happily (it seems), I’m ready for my next project. For years now I’ve had a basic video surveillance setup using old Panasonic security cameras (BL-VP104W) and one ultra-sketchy Chinese camera. You know, one of those with an extra backdoor admin account named 888888 that you can’t disable. I bought extras that I can’t sell on eBay at any price.

Seriously, don’t buy these.

So I want to upgrade to a better video solution. Fortunately, Ubiquiti offers a solution that is as cost-effective as its infrastructure.


Keeping The Kids Safe Part 2: MITM Lessons Learned

We lasted about a day with the new content filtering that I put in place before we switched the kids back to the old, open WiFi network. We encountered two problems: missing whitelist entries, and well-built apps that pin their server certificates and therefore refuse to work when a MITM proxy swaps them out.

Amazon Video, for one, will not communicate with its servers if you tamper with its certificates. Given that the sort of inspection I am doing is, technically, a Man-In-The-Middle (MITM) attack, they have a point. I thought I had prevented this problem, but as it happens, I did not understand two things: how SSL inspection actually works, and how Squid decides which connections to intercept (and therefore which certificates it replaces).


16 IPv6 subnets with pfSense and Comcast

One part of my project is to set up IPv6 on certain of my VLANs. IPv6 has long been a bit of a mystery to me. While IPv4 is complicated, the addresses can be held in your head, so we’ve all gotten used to memorizing four octets. Further, it allows a fairly simple topology, in that the subnets are ‘human-sized’. IPv6 is totally different. It has huge numbers and unreadable addresses. I want each of my VLANs to use its own IPv6 subnet as appropriate, so here is how I did it. It’s not too complex.
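The arithmetic behind the sixteen subnets, as an added example rather than code from the original post: this assumes Comcast delegates a /60 to pfSense (a /60 holds exactly 2^(64-60) = 16 /64s, one per VLAN), uses a prefix from the RFC 3849 documentation range rather than a real delegation, and maps each /64 to the hexadecimal prefix ID that pfSense asks for when a VLAN interface tracks the WAN. The function names are mine. The same code works unchanged for a /56 (256 /64s) if your ISP is more generous.

```python
import ipaddress

# Assumption for this example: the ISP delegates a /60 to the router. The prefix is from
# the RFC 3849 documentation range (2001:db8::/32), not a real delegation.
DELEGATED_PREFIX = "2001:db8:abcd:1230::/60"


def carve_vlan_subnets(delegated_prefix, new_prefix=64):
    """Split the delegated prefix into the /64s that each VLAN gets.
    A /64 is the size SLAAC requires, so 64 is the only sensible new_prefix for a LAN."""
    net = ipaddress.ip_network(delegated_prefix, strict=True)
    if net.version != 6:
        raise ValueError(f"{delegated_prefix} is not an IPv6 prefix")
    if not net.prefixlen <= new_prefix <= 64:
        raise ValueError("new_prefix must be between the delegated length and 64")
    return list(net.subnets(new_prefix=new_prefix))


def subnet_for_prefix_id(delegated_prefix, prefix_id):
    """The /64 a VLAN receives when it is configured with this (hex) prefix ID.
    With a /60 the valid IDs are 0x0 through 0xf."""
    subnets = carve_vlan_subnets(delegated_prefix)
    if not 0 <= prefix_id < len(subnets):
        raise ValueError(
            f"prefix id {prefix_id:#x} out of range: {delegated_prefix} only has {len(subnets)} /64s"
        )
    return subnets[prefix_id]


def prefix_id_for_address(delegated_prefix, address):
    """Reverse lookup for reading logs: which VLAN's /64 (by prefix ID) is this host in?
    Returns None for addresses outside the delegation."""
    addr = ipaddress.ip_address(address)
    for prefix_id, subnet in enumerate(carve_vlan_subnets(delegated_prefix)):
        if addr in subnet:
            return prefix_id
    return None


def plan_table(delegated_prefix):
    """Hex prefix ID -> /64, i.e. the list you work from when filling in each VLAN."""
    return {f"{i:x}": str(s) for i, s in enumerate(carve_vlan_subnets(delegated_prefix))}


if __name__ == "__main__":
    for prefix_id, subnet in plan_table(DELEGATED_PREFIX).items():
        print(f"prefix id {prefix_id}: {subnet}")
    print(prefix_id_for_address(DELEGATED_PREFIX, "2001:db8:abcd:1237::1"))
```

The only part that changes per VLAN is the fourth hextet’s last nibble, which is why the prefix ID is a single hex digit for a /60; everything before it is fixed by the delegation and everything after it is the host half of the address.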


Keeping the Kids Safe from the Internet with Filtering

This part of the project is easily the most complicated thing I did, and it also took me the most time. There is a quote I read in a book by Charles Stross that ‘information wants to be free’ (a little googling tells me the phrase has been around for a long time), and this project certainly proves it. Trying to make it so kids can’t get to the bad parts of the internet is a good example, since you need to do a ton of things to make the filtering work. Here is what I did:

The Goal

The goal is to have a transparent proxy for http and https that keeps my kids away from bad content and redirects them to a friendly error page to tell them that. I wanted to have content screening and filtering, with whitelists to add in what I want them to have access to.

This design is complicated, and it took a while to become familiar with all the technologies involved. Plus there are some things that I just could not achieve with the technology I have.


Logging into my Wifi With RADIUS

I have been using my UniFi system for a few months and I’m very pleased. The WiFi is very fast, and I can roam around the house with seamless handoffs between access points. Now I want to move to the two final stages: advanced access control, and then content control for the kids. For access control, I’m going to use RADIUS, specifically pfSense’s freeRADIUS package. I’ve read that it is a bit arcane, but my experimentation has shown that it’s actually pretty straightforward.
