XMPP Service Operators - 2024-01-31


  1. Stefan

    In case it does not open: https://wetransfer.com/downloads/d5663422e3886a6a7b63bee569cf177920240130235916/d6a76682d220a34e0659f1aab685560520240130235950/85edc0

  2. moparisthebest

    fail2ban is an excellent way to lock yourself out of your server with no upside at all (I wouldn't advise ever using it)

  3. klaudie

    It is useful to silence log spam from background noise so your SIEM/EDR alerts are more useful

  4. klaudie

    I hope everyone here is using such tools

  5. klaudie

    I don't know why anyone would put email/xmpp alerts on fail2ban however

  6. klaudie

    that sounds annoying

  7. Stefan

    > fail2ban is an excellent way to lock yourself out of your server with no upside at all (I wouldn't advise ever using it)
    True. One should make sure that ignore IPs are defined in the config. So perhaps this doc is only meant for those who have fail2ban already. (Don't know how many that are.)

  8. klaudie

    the "jails" fail2ban uses are also insane regex soup

  9. Polarian

    moparisthebest, IP throttling isn't a bad idea though

  10. Polarian

    fail2ban tends to be really strict, people give it like 5-10 attempts

  11. Polarian

    and then lockout

  12. Stefan

    > the "jails" fail2ban use are also insane regex soup
    regex is cool :-)

  13. Polarian

    a simple plugin/module could watch sign-in attempts, and if it's 1000+ block the IP for a short period of time

  14. Polarian

    basically fail2ban

  15. Polarian

    but implemented into the server

  16. Stefan

    there are several included jails (quite a lot after all), but you can still build your own. I did this (with help from the fail2ban devs) for the ejabberd-mqtt module.

  17. Polarian

    meh

  18. Polarian

    if you got strong enough passwords

  19. Polarian

    they would need trillions of attempts

  20. Polarian

    and you are bound to notice your bandwidth disappearing with thousands of attempts a second

  21. Stefan

    I know someone who had SSH on port 22, without protection, password login not deactivated (but he has done that now); for such a case you can use fail2ban. I know there are other ways to protect yourself, so it's a matter of taste, so I wouldn't want to advertise fail2ban, but I personally like it.

  22. Stefan

    To be on the safe side: I have been told that you can easily lock yourself out of your server with fail2ban if you are not familiar with the software. (which is true). Therefore, if you are testing this and have not used fail2ban before, please be careful. (make ignoreip entries). The tutorial is perhaps intended more for those who already use fail2ban anyway. thx @ moparisthebest

  23. Stefan

    and of course you can also simply switch everything to xmpp, as Martin has done here: https://blog.mdosch.de/2023/05/06/system-mails-von-linux-ueber-xmpp-empfangen-(v2)/ (maybe you can use a translation service). but maybe you want to keep e-mail.

  24. hook

    Re fail2ban, this looks intriguing: https://blog.ppom.me/en-reaction/

  25. moparisthebest

    iptables alone will do "ip throttling" but again, why

  26. chunk

    Stefan:
    > To be on the safe side:
    > I have been told that you can easily lock yourself out of your server with fail2ban if you are not familiar with the software. (which is true). Therefore, if you are testing this and have not used fail2ban before, please be careful.
    > (make ignoreip entries).
    > The tutorial is perhaps intended more for those who already use fail2ban anyway.
    > thx @ moparisthebest
    I use a VPN with many node options, that helps in case of f2b errors

  27. chunk

    I recently had to change the SSH port cuz of 100s of banned IPs

  28. chunk

    f2b is just Python, so I don't trust it all the way. iptables is kernel packet filtering, which, if used correctly, is much more trustable

  29. chunk

    nowhere near as versatile tho, and f2b always did the job for me

  30. chunk

    once upon a time somebody was sending regex string attacks to my c2s port, didn't faze f2b

  31. moparisthebest

    Or your XMPP server at all

  32. klaudie

    rEgExStRiNgAtTaCkS

  33. chunk

    > rEgExStRiNgAtTaCkS
    yes, very scary

  34. Martin

    > Establishing a secure connection from mdosch.de to zash.se failed. Certificate hash: 6fccd101c3f6b0dc84a75d033cd7e13b793ceacfe7338a547b7e560875034173. Error with certificate 0: no matching DANE TLSA records.

  35. Stefan

    > f2b is just python, so, I don't trust it all the way. iptables is kernel packet filtering, if used correctly is much more trustable
    fail2ban uses iptables.

  36. Stefan

    > Re fail2ban, this looks intriguing: https://blog.ppom.me/en-reaction/
    hook, there is also crowdsec, but I don't know that software.

  37. Stefan

    > Re fail2ban, this looks intriguing: https://blog.ppom.me/en-reaction/
    sounds very interesting!

  38. chunk

    Stefan, yea, it "uses" iptables, because it runs as root it can, but it "is" made with Python, a high-level language, not a low-level utility, but this is beside the point tbh

  39. Stefan

    chunk, one of the fail2ban developers raised the question of whether it is safe to use go-sendxmpp, "he wouldn't let it run under root" ;-) so it's all a question of trust, too. Surely the performance is also better if it is written in a language closer to the hardware, as far as I can tell. This "reaction" is written in Go, if I have seen it correctly? Would that be better? crowdsec is apparently also written in Go.

  40. Menel

    Dropping privileges is quite easy, let the root script call it with user mail or something

  41. Martin

    It's generally good advice to not run anything as root as long as it doesn't strictly require it.

  42. Martin

    Stefan: Not sure what you mean by closer to the hardware? Write a sendxmpp in assembler?

  43. Stefan

    I'm not an expert... I don't know the differences between Python and Go.

  44. Menel

    It was more about fail2ban and its high resource consumption.

  46. MSavoritias (fae,ve)

    Stefan, if you are not an expert, how do you know which one is close to the hardware then? /thinking

  47. MSavoritias (fae,ve)

    (whatever that means)

  48. Stefan

    > but "is" made with python, a high level language, not a low level utility,
    just thought about this sentence. High-level language = worse performance?

  49. jonas’

    (not necessarily. Rust is also a high-level language and has decent performance. Python, however, is not among the well-performing high-level languages)

  50. jonas’

    but that doesn't matter if you're just sending a few notifications an hour.

  51. Martin

    > I'm not an expert.. I don't know the differences of python and go.
    Python is a scripting language which compiles at runtime, while Go is compiled.

  52. Stefan

    thank you

  53. Stefan

    > but that doesn't matter if you're just sending a few notifications an hour.
    As mentioned in the doc, the fail2ban standard is to not send notifications at all. So one has to think about whether it is really necessary. More problems can occur if a whois lookup is done too (but I think they managed those problems in the newer versions of fail2ban).

  54. Menel

    It is true that fail2ban can be quite resource hungry. It doesn't really matter why for people that don't intend to improve that by coding. For sysadmins it's enough to know it is.

  55. Stefan

    > One of the fail2ban developers raised the question of whether it is safe to use go-sendxmpp, "he wouldn't let it run under root"
    this comment of the fail2ban dev was not meant specially for go-sendxmpp, but for some sendxmpp clients (perhaps older ones) in general.

  57. moparisthebest

    > It's generally good advice to not run anything as root as long as it doesn't strictly requires it.
    haiku-os disagrees

  58. Holger

    > rust is also a high-level language
    The perceived height depends on which of the various levels you're looking from I guess 😃

  59. Martin

    >> It's generally good advice to not run anything as root as long as it doesn't strictly requires it.
    > haiku-os disagrees
    No idea how haiku works.

  60. moparisthebest

    Martin: there's only 1 user, it's root

  61. roughnecks

    😞

  62. Arya Kiran

    is there a MUC solution to read receipt syncing?

  63. Menel

    Short answer, no at the moment

  64. agris

    > Licaon_Kter:
    > 2024-01-30 03:31 (CST)
    > hook: funny how millions of dollars allow you to have both devs and PR people, never thought of that
    > Wonder is XMPP ever...
    It's VC money, not having. The VC people are expecting a return on their investment one way or another eventually, even if that means liquidation and selling off everything to big tech

  65. agris

    Ie, selling off their users to advertisers and scammers

  66. Licaon_Kter

    πš†πšŽ πšπš‘πšŽ πšŒπš‘πš˜πš’πš› πšŠπšπš›πšŽπšŽ

  67. agris

    > klaudie:
    > 2024-01-30 08:54 (CST)
    > rEgExStRiNgAtTaCkS
    Are you talking about attacking fail2ban? Do you have a PoC?

  68. agris

    > Menel:
    > 2024-01-31 03:19 (CST)
    > It's more about the fail2ban and its high resource consumption it was about
    Fail2ban does have a high resource usage. It's the biggest resource consumer on some of my jails with efficient software, so much so that it doesn't justify the workload shedding against automated attackers with some software. Especially if you have multiple instances running on the same kernel. What makes fail2ban nice is that it's so easy to script and modify. However, being made in Python means server upgrades are a PITA as Python has breaking changes every minor update.

  69. agris

    If there's an alternative that also can do weighted scoring instead of just boolean regex, that would be nice. Something I've been planning is to make an action for fail2ban that feeds an IP and reason to an IP reputation system. For example, if someone tried to do a WordPress or Joomla exploit on my webserver, which doesn't even host those apps, I can be pretty sure that IP is not good and would like to block it at my network edge for everything, not just a webserver.

  70. jonas-l

    > If there's an alternative that also can do weighted scoring instead of just boolean regex that would be nice. Something I've been planning is to make a action for fail2ban that feeds an IP and reason to a ip reputation system. For example if someone tried to do a WordPress or Joomla exploit on my webserver which doesn't even host those apps, I can be pretty sure that IP is not good and would like to block it at my network edge for everything, not just a webserver.
    Consider CG-NAT and the attack on the availability that becomes possible by that

  71. jonas-l

    I avoid blocklisting and rate limiting by IP address

  72. agris

    Rspamd has a great base for weighted scoring but it is not adaptable for non-email systems. If we had something like that for general IP that could work with sensors on multiple separate servers and control firewall rules on an edge router, that would be fantastic.

  73. agris

    > jonas-l:
    > 2024-01-31 01:26 (CST)
    > Consider CG-NAT and the attack on the avaibility that becomes possible by that
    I do. In most of my bucketed filters I treat a single v6 address as the /64 it's on. For v4 I consider if other malicious traffic has originated from neighboring addresses in a /24 window

  74. jonas-l

    That's exactly the opposite of considering CG-NAT, where a whole street shares one single IP

  75. jonas-l

    Better example: one school; it's easy to make e.g. Moodle unavailable for everyone if fail2ban is used

  76. agris

    IPv4 is out the door anyways. If there's a bad actor coming from a network with no way to differentiate them, there's not a whole lot you can do besides get in contact with the user or admin managing it and set up a workaround.

  77. agris

    A lot of times this is resolved by just asking them if they can turn on IPv6 in their router

  78. agris

    Otherwise you'll have to hunt down a specific device on your network. Or you can pay us to set up a proxy server with credentials just for you.

  79. jonas-l

    > Otherwise you'll have to hunt down a specific device on your network. Or you can pay us to setup a proxy server with credentials just for you.
    And if the proxy has fail2ban, then the problem starts again

  80. agris

    Private proxy server.

  81. agris

    They're paying extra to maintain a workaround for them instead of fixing their network

  82. agris

    Ie, they're paying you money to offset extra work

  83. jonas-l

    With what neighbors? I'm thinking about sending mails from a vserver hosting 5 years ago ...

  84. jonas-l

    > Ie, their paying you money to offset extra work
    Then I could just whitelist them or avoid questionable security solutions

  85. agris

    Well, ideally you wouldn't have your IDS system going off without being really sure there's an attack

  86. jonas-l

    But I am not interested in attempted and failed attacks but in attacks that would succeed - a difficult question for the IDS: what is just the regular background noise?

  87. agris

    jonas-l, the steps in a cyberattack include scanning and scoping out the target first

  88. agris

    being able to stop or at least slow those down, and prevent the use of automated tools goes a long way towards preventing and stopping attacks

  89. jonas-l

    I know; and I know how to do this as silently as possible

  90. agris

    also, getting as much background noise out of your logs as practicable helps speed up forensics

  91. jonas-l

    A patched system is not in big danger by automated tools

  92. jonas-l

    > also, getting as much background noise out of your logs as practicable helps speed up forensics
    It reduces the amount of available information

  93. Stefan

    > jonas-l, the steps in a cyberattack including scanning and scoping out the target first
    actually, this happens all the time, on every IP in the internet, is my impression (derived from what I see here on my internet connection).

  94. Stefan

    most tries are "wp-login.php"

  95. jonas-l

    There are also attempts for phpmyadmin

  96. Stefan

    I did activate a fail2ban action that writes those lines to a separate file for each month, just because I was curious and wanted to see what's going on.

  97. jonas-l

    These scans use quite small lists compared to the ones used in a pentest - but this is usually useful when scanning many hosts/the whole internet

  98. Stefan

    I found this filter a while ago, I changed it a bit, https://www.martv.de/index.php/fail2ban

  99. Stefan

    https://dpaste.org/MhL7j

  100. Stefan

    I altered it with the words I saw in the logs.

  101. Stefan

    but now the noise has subsided a little, I have set up fixed rules, independent of fail2ban

  102. Stefan

    this example is Nov 18 - Dec 9

  103. agris

    Stefan, if you don't run wordpress you can be pretty damn sure any requests to 'wp-admin.php' are malicious actors and block their ip.

  104. agris

    also phpmyadmin

  105. Stefan

    exactly. that's why I run this filter. if I had wordpress, that would not work, I expect.

  106. agris

    you can also compile mod_security into nginx

  107. agris

    it can be run in a heuristics mode which does some weighting, and set up fail2ban to be fed from modsecurity detected threats

  108. agris

    be very careful to set up modsecurity in a way to only block things you're really sure are malicious, instead of making it trigger happy like clownflare

  109. agris

    otherwise you're shooting yourself in the foot

  110. agris

    what would be really nice is instead of blocking, if we could redirect these high-confidence malicious IPs to a honeypot for examination to make more filters from.

  111. jonas-l

    > you can also compiled mod_security into nginx
    This only detects potentially dangerous requests
    > what would be really nice is instead of blocking, if we could redirect these high-confidence malicious IPs to a honeypot for examination to make more filters from.
    This could be useful, although I would not do this because I do not consider it worth the time

  112. Licaon_Kter

    agris: you back?

  113. agris

    Licaon_Kter, what?

  114. Licaon_Kter

    I was under the impression you've packed your server and awaiting better weather, did I confuse you? :)

  115. Menel

    nueguia.net is still down

  116. agris

    > Licaon_Kter:
    > 2024-01-31 03:14 (CST)
    > I was under the impression you've packed your server and awaiting better weather, did I confuse you? :)
    It is still down. The person who attempted to steal it chopped and stole all of my cables, and half of my tools. I don't have the money to replace them or the tools to make new ones as they stole half of those too

  117. agris

    If I were to receive a donation it would expedite this.

  118. Licaon_Kter

    > It is still down. The person who attempted to steal it chopped and stole all of my cables, and half of my tools.
    Da fuuuuuu

  119. agris

    I'm also waiting on a court date.

  120. agris

    If someone knows a good lawyer in the state of Missouri who would be willing to work with us for a reasonable price I would appreciate a referral.

  121. klaudie

    Was it a colocation as a business or some random off of a Facebook group?

  122. klaudie

    Also, civil fines for RJ45 and a power cord likely won't amount to anything. The filing cost alone may even be significantly higher

  123. agris

    Someone I knew drilled through a lock and broke into my bedroom.

  124. klaudie

    Oh

  125. agris

    Property beyond just cords was damaged and stolen

  126. klaudie

    You can call up your state's attorney general and ask for a recommendation

  127. klaudie

    And file a police report if you haven't

  129. agris

    I can't afford to pay any lawyers until after February because the crime put me into a vulnerable position.

  130. agris

    They also attempted to steal my friend's moped.

  131. Bob Evans

    Who.

  132. agris

    I'm not going to discuss that with anyone but a lawyer or until after it has been resolved.

  133. agris

    I've tried to get the police involved but they claim they don't have the authority to do anything about it.

  134. Licaon_Kter

    Mmmkay

  135. agris

    American police aloof as usual.

  136. Bob Evans

    Burglary and theft.

  137. Bob Evans

    They have authority.

  138. agris

    Unless there's a dead body lying around or someone's head to beat in.

  139. agris

    They may have it but aren't willing to use it.

  140. agris

    If you're ever the victim of a crime in America you'll understand.