IT Dribble

Mutterings, inconsistant tips, rants and randomness

Security, Tips

Password generator for memorable passwords

by

Like any good paranoid netizen I use a password manager to create unique passwords for each website, the problem that I have with unique passwords is that if you need to remember them for any period of time (even 20 seconds) while you type the password somewhere (because copy and paste is not supported for some reason) then it’s nearly impossible to do so!

I have also cracked my fair share of passwords in this day and age and know the passwords patterns / rules used to create an extended wordlist based on how people create passwords, eg. YourPetName2017. So what do we need? We need dictionary words, completely random, at least four of them and with a space separator plus numbers and symbols. So by utilising this methodology we get the website: https://xkpasswd.net/s/

So I ask you which is easier to remember for 20 seconds:
?02-dollar-space-french-25? OR shegh3xohzu4ahjaekiik%eiqu#u

Oh and bookmark that website! :-)

Operating Systems, Linux, Security, Tools, Tips

Using OpenSCAP to scan and harden your servers

by

Determine which profile you want to use: oscap info /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml replacing the –profile line as required.

Perform a scan:

  oscap xccdf eval --report report.html 
      --profile xccdf_org.ssgproject.content_profile_CS2 
       /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 

Apply a remediation:

  oscap xccdf eval --remediate --report report.html 
      --profile xccdf_org.ssgproject.content_profile_CS2 
       /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml 
Operating Systems, Linux, Fedora, Debian, Suse, Red Hat, Security, Network, Firewall, Tips

Add comments to IPTables firewall rules

by

Instead of just documenting the IPTables configuration file eg: /etc/sysconfig/iptables with comments (#’s) you can also input comments as part of the ruleset itself. So when you perform iptables -L -v -n you get the following output: 

root@server070:[~]: iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  64M 4727M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    5   474 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 202K   27M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   16   880 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 137M   38G ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:514 /* Syslog traffic */
   28  1664 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:514 /* Syslog traffic */
41067 2050K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:9997 /* Universal Forwarder traffic */
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8089 /* Splunk SSL traffic */
   47  2564 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8000 /* Splunk web interface */
14135 1313K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
 218K   21M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

All that you need to do use the following example in your configuration file:

root@server070:[~]: cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9997 -m comment --comment "Universal Forwarder traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8089 -m comment --comment "Splunk SSL traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -m comment --comment "Splunk web interface" -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Happy commenting!

Operating Systems, Windows, Security, Tips

Generate random password in batch (command prompt)

by

If you do a lot of scripting then this snippet maybe useful. I use this snippet to change the default password for Splunk Universal Forwarder installations, from the default to random. You don’t actually need to record the password for the forwarder - and it’s easy enough to reset if you do.

@echo off
set pass=
set s=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
set m=0
:loop
set /a n=%random% %% 62
call set pass=%pass%%%s:~%n%,1%%
set /a m=m+1
if not %m%==32 goto loop:
echo %pass%
Operating Systems, Windows, Security, Tools, Tips, Encryption

Backup Windows Server with TrueCrypt / VeraCrypt

by

TrueCrypt is considered dead these days, but back when it was trusted this is a script I wrote to backup Windows Server (2008 and above) with TrueCrypt. It uses a loopback VHD (loopback file/drive) on a removable USB harddrive that it RAW formatted with TrueCrypt. That TrueCrypt volume then contains a large VHD file to the size of your backup volume.

How to configure it:

  1. Save the bat file on your server
  2. Format a (USB?) drive as a RAW TrueCrypt volume
  3. Mount the TrueCrypt partition
  4. Create a VHD volume with the filename: z:Backups.vhd within the TrueCrypt volume
  5. Mount the VHD volume as Z Drive
  6. Configure Windows Server Backup to use the Z Drive as a backup destination
  7. Unmount the VHD Volume
  8. Unmount the TrueCrypt volume
  9. Create the directories: C:backupscripts

How to use it:
With the above completed:

  1. Configure a scheduled task to run 10 minutes before your nightly backup job to run the backup script (Mount-truecrypt.bat)
  2. Eg. If your backup is to run at 11pm, configure the script to run at 10:50pm.
  3. Then after your backup finishes execute another scheduled task to UNmount the VHD and TrueCrypt volume (UNmount-truecrypt.bat)

Your done!

P.S. I’m not actually sure if this works with VeraCrypt but I think they have the same command line flags…. :-P

:: Truecrypt backup script written by Campbell McKenzie - www.cammckenzie.com 

:: =================================
:: ==  START Mount-truecrypt.bat  ==
:: =================================

:: "Auto" mount the RAW TrueCrypt disk as drive Z: password 1234

eventcreate /L Application /T INFORMATION /SO Backup /ID 666 /D "Attempting to mount backup disks..."

CD C:\Program Files\TrueCrypt
TrueCrypt.exe /auto devices /q /lZ /p 1234
if '%errorlevel%' EQU '0' (
    eventcreate /L Application /T SUCCESS /SO Backup /ID 666 /D "RAW Disk mounted on Z:\ "
    goto MountVHD
) else ( goto ERROR-TC )

:MountVHD
:: Perform directory listing for Truecrypt Bugs
dir z:\ > nul
:: Create the scriptlet
cd C:\backup\scripts

echo sel vdisk file="Z:\Backups.vhd" >mount.diskpart
echo attach vdisk >> mount.diskpart
echo select partition 1 >> mount.diskpart
echo assign letter=X >> mount.diskpart

:: Run the cmdlet
diskpart /s mount.diskpart
if '%errorlevel%' EQU '0' (
    eventcreate /L Application /T SUCCESS /SO Backup /ID 666 /D "Loopback VHD Disk mounted on X:\ - Mount Completed"
    goto TidyUp
) else ( goto ERROR-DP )

:TidyUp 
del /q mount.diskpart
EXIT 0 

:ERROR-TC
eventcreate /L Application /T ERROR /SO Backup /ID 666 /D "TrueCrypt Mount Failed..."
EXIT 1

:ERROR-DP
eventcreate /L Application /T ERROR /SO Backup /ID 666 /D "Loopback VHD Disk mount Failed..."
EXIT 1

:: REF: http://nicj.net/mounting-vhds-in-windows-7-from-a-command-line-script/
:: ===============================
:: ==  END Mount-truecrypt.bat  ==
:: ===============================
:: ==================================
:: ==  START UNmount-truecrypt.bat ==
:: ==================================

:: UnmountVHD.cmd
eventcreate /L Application /T INFORMATION /SO Backup /ID 667 /D "Attempting to unmount backup disks..."

cd C:\backup\scripts

echo sel vdisk file="z:\Backups.vhd" >unmount.diskpart
echo detach vdisk >>unmount.diskpart
:: Run the cmdlet
diskpart /s unmount.diskpart
if '%errorlevel%' EQU '0' (
    eventcreate /L Application /T SUCCESS /SO Backup /ID 667 /D "Loopback VHD Disk unmounted successfully..."
    goto UnmountTrueCrypt
) else ( goto ERROR-DP )

:: Unmount the RAW disk
:UnmountTrueCrypt
"C:\Program Files\TrueCrypt\TrueCrypt.exe" /d /q /s
if '%errorlevel%' EQU '0' (
    eventcreate /L Application /T SUCCESS /SO Backup /667 /D "RAW Disk unmounted successfully - Unmount Completed"
    goto TidyUp
) else ( goto ERROR-TC )

:TidyUp 
del /q unmount.diskpart
EXIT 0

:ERROR-TC
eventcreate /L Application /T ERROR /SO Backup /ID 666 /D "TrueCrypt Unmount Failed..."
EXIT 1

:ERROR-DP
eventcreate /L Application /T ERROR /SO Backup /ID 666 /D "Loopback VHD Disk Unmount Failed..."
EXIT 1

:: ==================================
:: ==  END UNmount-truecrypt.bat ==
:: ==================================