DEV Community: DiegoGo

Fighting The Bad Guys in a Fun Way

DiegoGo — Wed, 24 Jul 2024 05:57:02 +0000

Phishing Threats

In today's digital age, most people have a bank account that they use daily. Criminal groups have adapted and modernized their methods to steal and extract user information.

SMS Spoofing: A Deceptive Technique

SMS spoofing involves sending falsified text messages where the sender appears legitimate, such as a bank. These messages are often grouped with genuine ones from the bank, making the deception more dangerous. Cybercriminals typically hire external services to carry out these falsifications.

Case Study: A Fraudulent Message

On one occasion, I received a message that appeared to be from my bank, inviting me to access a fraudulent link.

So I thought it might be interesting and entertaining to see how that site was displayed.

The Original Message

The message was presented as a reliable communication from my bank. The criminals knew the last numbers of my card, suggesting a possible information leak from the bank.

Link Analysis

The link only contained the bank's name, which might seem normal to someone who is not familiar with how domains are constructed.

When running a whois query on the domain, it returned some interesting data.

Domain was created on May 27th.



Domain Name: banorte.link
Creation Date: 2024-05-27T05:21:53.892Z

At least, they went to the trouble of not providing certain information.



Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Postal Code: REDACTED FOR PRIVACY

However, there are points where it states that the registrant is located in Mexico.



Registrant State/Province: Oaxaca
Registrant Country: MX

Site At First Sight

The site was, in some way, "well-made," featuring colors distinctive to the bank and similar icons, enough to deceive a non-technical person into entering their information.

However, it lacked a security certificate, which is a significant red flag.

It's important to remember that just because a site has a security certificate doesn't mean it is safe and free from scams or phishing. In this case, the criminals didn't even bother to add a certificate.

Investigating the Site

Upon examining the site, there's a field for entering data, which suggested that any information submitted would be stored in a database. I used a Python script with Selenium to inject false data into the form.

Although, I'm not an expert in web programming, but it never hurts to get a little help from ChatGPT, which assisted me in creating a script to inject information into a form.

Script Implementation

With the help of a Python script, I managed to inject false information into the site to counter the attack.

I adapted the script to inject random data, starting with 10 entries, then 30, and finally 50. The data consisted of random characters and numbers with a minimum length of 8 characters, as specified by the criminals for the form submission.

I won't go into the details of the generated script, but I'll focus on the crucial part:



input_field = form.find_element(By.NAME, 'form')

This line is pivotal, as it uses the find_element method of the form object to locate an element within that form. The find_element method is used to search for a single element in the Document Object Model (DOM) of the webpage.

In this case, the code is looking for an element within the form that has name "form". This is the value of the name attribute of the HTML element being searched for.

After leaving the script running for at least 1.5 hours, I came back after some time to check and it turns out that nothing was displayed in the site.

I consulted it using a VPN and using proxychains, to rule out that it was a ban of my IP address, however when I made the query, the page showed the same thing.

Final Reflections

I don't claim to have caused a DDoS attack or something similar, but it seems the criminals deactivated the site after receiving false and random data in a short period of time, instead of the expected user credit card or account name information.

This small counterattack was gratifying, knowing that I might have contributed to preventing innocent people from falling into the trap, at least for that day.

This case illustrates how criminals can create millions of fraudulent sites daily to steal information and how small actions can have a positive impact on user security.

Contributing to Combat Phishing

There are many platforms where you can submit phishing URLs to be reported and indexed on the Internet, assigning them a bad reputation for when someone tries to access them.

Personally, I use PhishTank, a service managed by Cisco Talos Intelligence Group. This cybersecurity team is dedicated to security research and employs various artificial intelligence techniques to analyze numerous URLs and IPs on the Internet, assigning them a positive or negative score to protect users.

How to setup two factor authentication using DUO security on SSH

DiegoGo — Mon, 09 May 2022 19:31:09 +0000

Introduction

Two-factor authentication or two-step authentication is an important security measure that adds a second layer of protection to the password we use. Adding this extra layer of security makes it more difficult to breach user accounts. today, it is very common to find applications that use two-factor authentication.

There are several options for using 2FA:

A physical security key: it works like a lock.
Through an application: Commonly installed on a smartphone and then, when logging in, we will get a message on the device to verify our identity.
Verification code: this option sends a one-time numeric code, by SMS for example, or by call, which must be entered to verify identity.

Requirements

In this tutorial, we will use DUO security. Which with its free version, we will be able to register up to 10 users.

To access the DUO administration panel, it is necessary to register a free account at the following link: https://duo.com/editions-and-pricing/duo-free
A Debian 11 server.
Basic Linux knowledge.

Steps

Once the DUO account is created, we will be able to access to the dashboard and it will be shown as follows.

Inside the dashboard we go to "Applications" and select "Protect an Application", as follows.

We are going to search "UNIX" and after that, we select "Protect".

After selecting "Protect" we must save the details that are presented to us, the Integration key, Secret key and the API hostname.

After that, up to the bottom, we click on "Save".

We make sure that in "Applications" we have the application that we have just saved.

Adding DUO repos security packages

Inside our server, we add the following repository on our sourcelist editing the file /etc/apt/sources.list

deb https://pkg.duosecurity.com/Debian bullseye main

We add the key

curl -s https://duo.com/DUO-GPG-PUBLIC-KEY.asc | sudo apt-key add -

And proceed to update the repositories and install the duo-unix package

apt-get update && apt-get install duo-unix

Once duo_unix packet is installed, we proceed to edit pam_duo.conf in /etc/duo to add the integration key, secret key, and API hostname from your Duo Unix application.

[duo] ; Duo integration key ikey = <integration key> ; Duo secret key skey = <secret key> ; Duo API hostname host = <api hostname> pushinfo=yes

Configuring PAM

We are going to use our OpenSSH to use DUO, for that, you are going to set both UsePAM and ChallengeResponseAuthentication to yes in your sshd_config file at /etc/ssh/sshd_config. You should also set UseDNS to no so that PAM Duo is always passed the IP address of the connecting user, rather than the resolved hostname.

UsePAM yes ChallengeResponseAuthentication yes UseDNS no

Since we are using a Debian system, the pam_duo.so module should be found in /lib64/security

root@debian11-server:~# ls -lh /lib64/security | grep duo -rwxr-xr-x 1 root root 921 Feb 2 16:12 pam_duo.la -rwxr-xr-x 1 root root 437K Feb 2 16:12 pam_duo.so root@debian11-server:~#

What is PAM?

The pluggable authentication module (PAM) in a nuthshell, is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). PAM allows programs that rely on authentication to be written independently of the underlying authentication scheme.
https://www.linux.com/news/understanding-pam/

We proceed to configure the following file:

vim /etc/pam.d/common-auth

Before:

auth [success=1 default=ignore] pam_unix.so nullok auth requisite pam_deny.so auth required pam_permit.so

After:

auth [success=2 default=ignore] pam_unix.so nullok auth sufficient /lib64/security/pam_duo.so auth requisite pam_deny.so auth required pam_permit.so

The location of this line and the specified control flag (e.g. "required", "requisite", "sufficient") varies. For most common configurations, place pam_duo directly after pam_unix (frequently found in common-auth or system-auth on Linux), set pam_unix's control flag to "requisite", and set pam_duo's control flag to whatever pam_unix used to be.

SSH Public Key Authentication

Now, we proceed to configure this file
vim /etc/pam.d/sshd

Before:

@include common-auth

After:

auth required pam_unix.so auth sufficient /lib64/security/pam_duo.so auth required pam_deny.so

Now, we restart SSH service and login again to the server.

ssh diego@<debian-server IP address> (diego@<debian-server IP address>) Password: Please enroll at https://api-ca19920d.duosecurity.com/portal?code=123456789&akey=abcdefghijklm (diego@<debian-server IP address>) Password:

Enrolling with DUO link

We need to access to the enroll link and follow the steps presented on the browser.

We click "Start setup"

We select "Mobile phone" option

We proceed to add out phone number.

Select our phone brand.

At this point, we need to have installed the DUO app on our smartphone, DUO app is available for iPhone and Android.

Click continue on the above step and a QR code will be presented on the screen in where you need to open the DUO app to scan it, after that, the following screen will be presented and click on "Finish Enrollment".

After the above steps, the process is done. Now, we can proceed to login again to our server, and we will be presented with the following information.

ssh diego@<debian-server IP address> (diego@<debian-server IP address>) Password: (diego@<debian-server IP address>) Duo two-factor login for diego Enter a passcode or select one of the following options: 1 Duo Push to +XX XX XXXX XX95 2 SMS passcodes to +XX XX XXXX XX95 Passcode or option (1–2): We hit 1 to receive a push notification on our phone, and after we hit that option and accept it on our phone, we will be able to access to our device. Passcode or option (1–2): 1 Success. Logging you in… Success. Logging you in… Linux debian11-server 5.10.0–11-amd64 #1 SMP Debian 5.10.92–1 (2022–01–18) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sat Apr 23 22:52:59 2022 from x.x.x.x diego@debian11-server:~$

And this is the way how we can setup a 2FA using DUO to login into our server via SSH.

Raspberry to the rescue of your privacy - PART TWO

DiegoGo — Sun, 30 Jun 2019 06:04:33 +0000

In part one we set up port forwarding, SSH server and install the web server with all his security stuff.

Now everything is set up to continue with the installation of the other services

Pi-hole

I use some privacy extensions on my browser, such as Privacy Badger, HTTPS Everywhere,Facebook container (that is kind of cool to separate your websites and it's build by default on Firefox), Pure URL and finally uBlock.

I'm a big fan of this last one, because as we know there are many advertisements on pages we visited (yeah yeah I know that many pages are mantained because of ads and clicks) but many times they are annoying.

But these are addons that I installed on my browser PC, what about my local network devices? such as my smarphone, the smartphone of my parents, brother or a guest, I know there are apps that I can installed and have this, but I'm not going to do this with every guest coming to my house.

For this purpose is a service called Pi-hole "A black hole for Internet advertisements".

This service is going to help us to block ads in all our local network devices.

In the official site is all the step by step installation.

Two web servers living together

As we mention before, we are using Apache as our default web server, but to install Pi-hole, we are going to install another web server called Lighttpd. Pi-hole have a web interface dashboard to view the stats, change settings and configure some aspects of our Pi-hole.

This service is not going to be exposed, this service is only going to serve in our local network, but to see the web interface dashboard, we need to change the default port of Lighttp because it is going to have issues with Apache that servers on port 80.

When we install Lighttp, automatically the service is up so we are going to stop apache before we install Pi-hole just doing

# systemctl stop apache

Once you install Pi-hole you need to change Lighttp port at /etc/lighttpd/lighttpd.conf changing the server.port line putting your prefer port

after doing this you need to restart the service and if everything goes ok, you will be able to see your Pi-hole dashboard in the port you specify.

In my case it was port 8080, the local ip of my Raspberry is 192.168.1.110 so your dashboard should look like this.

Setting up the service on your home router

To use this service as it should be, is necessary to make a change in the DNS addresses of our router as shown below.

You need to add the local address of the Raspberry and so, any device that connects to your network will have the benefits of Pi-hole.

Summarizing:

Stop Apache service.
Install Pi-hole and Lighttpd.
Change Lighttpd port.
Set Raspberry IP address as DNS in your home router.

Your private cloud

I'm not kind of paranoid, but I thing that having your own stuff and infrastructure is cool.

In this section I'm going to show how I install ownCloud a file sharing server that puts the control and security of your own data back into your hands.

I know there are other services such as NextCloud, but this time I'm goig to use this service.

Installation

The installation is very easy, we just need to download a compress package and decompress it in our web server folder.

Manual Installation

I had some issues starting ownCloud because the server needed some php modules that were not installed, but it was very easy to install them just doing apt search <php-module> to search the module you need.

After install all the packages, your ownCloud it will be ready.

Note: I follow the recommended configuration of owncloud documentation setting up ownCloud outside of the document root

After doing this, we are already be able to upload all the things we want even through our cellphone using the ownCloud app.

Summarizing:

Download the compress package of ownCloud and extract it
Install the necessary php modules
Configure Apache
Downlod the phone app (optional)

Your own VPN service

Maybe your are going to say that there are many services running on my tiny little Rasp, but watching the performance is everything ok.

The final thing I got on the Raspi is my VPN service. I really like this service because is an awesome tool when I'm outside and connected to some public WiFi (obviously checking log in requirements of public WiFi).

Again, this is very easy to install using pivpn.

Note: I know that this install method is automatic and everything is easy and fast. One time I set manually a VPN and for me it was hard, configuring security, keys etc, but at the end this things work you learn a lot doing that stuff. This pivpn method simplified many things and steps.

The next step will be open a new port in our home router to have access in the outside, we need to open you specify in the installation.

After install pivpn you need to add clients and generate the private key and the ovpn file that is are going to use to connect to the VPN.
Now we can use OpenVPN aplication in our PC or the app in our phone to connect to our VPN and this is going to be very useful when we want to preserve privacy when we were connect in some public space.

Summarizing:

Follow the guide of pivpn
Open the port in our home router
Generate the keys and the profile
Copy them to our phone or pc
Connect to our VPN using the OpenVPN aplication

Fail2ban

At this point you will have a device that is exposed to the Internet, maybe in one day if not less you will see a lot of login attempts in your secure logs, that's other reason why I have exposed the Raspi, to learn more about secure, read logs, configure things, etc.

I install a service call fail2ban that is use to mitigate the brute force attacks by users and bots.

fail2ban

Final thoughts

The first service I put on the Rasp was a middle Tor relay, I took it off because I didn't see that it had a lot of traffic, but also using Tor with a raspberry is a great option.
Also I would like to use the rasp as a honeypot to keep learning more about security.

As I said at the beginning I dared to write this, first because I believe in share the knowledge is awesome, I like a lot the free software filosophy and I think that the set of services that I'm running, they seem useful to me and maybe for you.

Thanks a lot to read and any constructive criticism is welcome.

Raspberry to the rescue of your privacy - PART ONE

DiegoGo — Sun, 30 Jun 2019 05:49:56 +0000

The main purpose of this post is to show the many services that you can run on a Raspberry, also I shared the links that I refer to do all the stuff and configurations.

I'm faithful believer that the things we do for ourselves, deserve recognition, maybe not public recognition of other person, but a personal one for the work that implies.

I decided to divide this post into 2 entries, one for setting up the basic web server and the part 2 setting up the other services I had. If you have already running a secure web server you can check the part two.

So where do I got with all this?

Nowadays we are in a world that our data is in a far computer of a certain provider, I don't want to seem kind of paranoid but given the risks that exist on the Internet, I prefer to have my own infrastructure that can be access any time, anywhere where I am.

Ok, ok, maybe is not going to be the best infrastructure, the most fastest, the biggest with a lot of capacity, but at least it's is going to be mine, I'm the owner of it and the best part of this is that I'm be the one who controlled it.

Why use a Raspberry?

As many of you know the Raspberry is a low-cost computer, based on ARM architecture and there's a lot of awesome projects you can do with it, domotic, maker stuff, IoT, to name a few. But In this post I'm going to focus specifically to use a Raspberry to our own server, our own cloud, our own storage device and other things that I have tried to experience.

First steps

The first thing we need to do, of course is install an OS to the Raspi, there's a lot of flavors to choose.
I choose to install the "default" flavor Raspbian, maybe you're going to said that why this, why not pure Debian (BTW I use Debian testing on my laptop XD) but that's my first choice, maybe later I'm going to put Debian on it.

Once we log in our Raspbian, we need to configure a static ip to connect vía SSH (previously install) to manage the device. We are not going to use the Raspbian graphical environment so we can disable it entering to a terminal and writing:

# systemctl set-default multi-user.target

This command is going to shut down the graphical environment and put the system into a multi-user command line.

Summarizing this section, the things we need to do are:

Install the OS.
Set a static IP.
Open a terminal to disable the graphical environment.

SSH connection

We are using SSH to connect to our device. When we install SSH the default configuration is on, we can log in the device using the password authentication, but this is kind of risky, remember that the device is going to be exposed to the Internet and there are going to be some bad guys, most of the time bots trying to gain access to our device as we are going to see below.

So we are going to change the SSH configuration file and we are going to use a SSH key-based authentication to our device and use a key to access, we are going to use.

Also we can follow basic good security practices as disable root password, set the name of the user that is going to authenticate, disable de X11 forwarding.

How To Configure SSH Key-Based Authentication on a Linux Server

Summarizing this section:

Change the SSH configuration.
Disable the password authentication.
Set up key-based authetication.

Setting up

So at this point nothing extraordinary is going on, only basic administration and configuration. As I said at the beginning, we need to expose the device to Internet.
In my case, I have an ISP that gives me a dynamic IP, so I need to have something that help me to connect to the Rasp when the public IP change.
To make this possible I'm using a service called NoIp that is a service that is going to help us to always have access to our device at any place we are.

NoIp is a free service that offer us a Dynamic Update Client that is a service that run on our computer and check frecuently when our IP change, so when this happen, this client detect the change and automatically update our hostname to correct the IP.

It's really easy to set up, the only thing we have to do is Sign Up (no ads, no nothing), set the hostname we want and follow the instructions to install the Dynamic Update Client in our machine.

When NoIp detect that there have been passed 30 days, they send you an email to refresh your hostname.

Opening the world to our device

Once we have configured our NoIp service on the Raspi, we need to open the door to the Internet to get exposed, we are going to do this at entering in our home router, select the IP device and set the port forwarding to have remote access.

As you can see I have set up some other ports due to the services I'm running on my Raspi. I'm going to cover all, talking about each one according to specific service.

At this point we are going to be able to access via SSH outside our network, wherever we are.

When you set up your hostname on NoIp yo see that there is a domain that point directly to your public IP. In my case is diego-go.sytes.net, if we do a ping to this address we will be able to see that is my public address (that maybe is going to change 24hrs or more).

With this on mind, let's keep on.

Summarizing this section:

Sign up at NoIp NoIp
Install the DUC of NoIp.
Configure the port forwarding on our router.
Test NoIp hostname

Setting up a web server

I know there are many web servers, light and "heavy" ones.
Maybe you are going to think why Apache, if there are others (Nginx, Lighttpd for example), but for this purpose I'm using Apache that I know and always use (have to still learn Nginx I know, don't worry :-D).

To install is going to be so easy, just type

# apt install apache2

and this is going to install our web server.

How To Install the Apache Web Server on Debian 9

For the next step, we are going to secure our web server following some of the steps that are in this page.

13 Apache Web Server Security and Hardening Tips

The things I have set up are:

How to hide Apache Version and OS Identity from Errors.
Disable Directory Listing.
Disable Unnecessary Modules.
Securing Apache with SSL Certificates.

Obviously this is open to your choice.

Securing Apache with SSL certificates

Below I'm going to explain how do I install Owncloud, that is a service to have our own storage service, similar to Dropbox, Google Drive, but this is controlled and administered by us.

To install the SSL certificates and have https in our web server I'm am going to use Let's Encrypt, that is a Certificate Authority that provides us an easy way to obtain and install certificates.

I refer to DigitalOcean blog to follow the installation of Let's Encrypt in our Raspi.

How To Secure Apache with Let's Encrypt on Debian 9

Also, you can refer to certbot website that show you step by step how to install the cert

Opening new ports

At this point we install a web server and a certificate so we need to open new ports on our homer router to reach the web server from outside, so as we do in the SSH section, we need to specify the local ip and set the ports 80 and 443 that it is going to correspond to the web service and the secure web service.
Doing this we will be able to reach our server from outside, even using https protocol.

Note: I force Apache to redirect http to https using a2enmod How to Redirect HTTP to HTTPS on Apache

Summarizing this section:

Setting up Apache.
Secure some aspects of the web server.
Install certificate.
Open new ports on home router.

Continue with part 2...