Install Elastic Filebeat as daemon on OSX

Posted on in linux, open source
   Leave a reply

Filebeat is a lightweight shipper for logs. You can use it to collect logs from endpoints and store them centrally in Elastic. You can use it to collect logs from Linux systems, but it also works on Apple OSX. Installing filebeat is straightforward

After installing filebeat you have to enable the system module

Then update the configuration file (filebeat/filebeat.yml)

I used the information from a support post on the Elastic site: https://discuss.elastic.co/t/deploying-filebeat-on-macos-x/37785/11. This post describesRead more.

Postfix with client authentication

Posted on in linux
   Leave a reply

For a new project I had to foresee an SMTP relay server that supported client authentication. I love the simplicity of Postfix but setting it up with client authentication required more than just ‘a push of a button’. Below are some -unstructured- notes on how to achieve this.

The client authentication in Postfix is handled by Cyrus SASL. The Simple Authentication and Security Layer or SASL is a specification that describes how authentication mechanisms canRead more.

Analyse Linux (syslog, auditd, …) logs with Elastic

Posted on in linux, open source, security
   2 Replies

The Elastic stack is a great tool to quickly visualise large volumes of log files. In a previous post I described how to load stored Windows EVTX logs in Security Onion, with the help of Winlogbeat. In this new post I describe something similar with the goal to analyse Linux auditd logs with Elastic. Instead of using the Elastic stack of Security Onion I use an Elastic cluster via Docker and instead of storing theRead more.

Use Philips Hue as an IDS

Posted on in internet, linux, security
   Leave a reply

I recently bought a Philips Hue light system. It allows you to control your lights via a smartphone app and set the right colour mood. Setup is easy, you connect a light bridge to your home router, connect with the app and then setup the lights. The system also includes an API to build your own apps.

In 2015 I tweeted on an episode of CSI Cyber where “good” code automagically turned green whereas “bad”Read more.

Upgrading Apache, unmet dependencies

Posted on in linux, open source
   Leave a reply

I use a couple of Ubuntu Linux virtual machines via VMWare Fusion (OSX) for security testing. Some of the security tools have a web interface. Because I want to test with different environment setups I have /var/www/ mounted via Shared Folders on the host OSX. This has as advantage that

Files are stored centrally (on the host OS) Different environments can use the same files and configuration (if stored in /var/www) I can use nativeRead more.

ipv6: Neighbour table overflow

Posted on in geek, linux
   Leave a reply

One of my virtual machines hosted at Gandi had an excessive amount of error messages

The cause of this error message are the IPv6 router announcements that try to discover and configure the IPv6 neighbourhood. The excessive amount of messages were polluting the logs.

After contacting the Gandi helpdesk they provided insight on the cause of the error message and provided mitigations to prevent these type of errors. I had to update /etc/sysctl.conf withRead more.

Malware scanning of web directories with OWASP WebMalwareScanner

Posted on in internet, linux, open source, php, security
   2 Replies

One of the recent incidents I had to handle involved a compromised webhost. This allowed me to do some Exploring webshells on a WordPress site. In the aftermath of the investigation I searched for tools that could have improved my tasks (evaluating which files might have been compromised).

One of the approaches I had in mind was take a hash of every file and then verify that hash with Virustotal. This would have worked inRead more.

Exploring webshells on a WordPress site

Posted on in internet, linux, php, security
   Leave a reply

I recently had to handle a case where a website development company was hacked. This post describes some of my findings during the investigation.

All of the company websites were hosted on one virtual server running Linux. Most of these websites were WordPress powered. The management of the server was done via DirectAdmin, updating of the web files happened via FTP.

The incident was brought to the attention of the company because they received complaintsRead more.

HTTP 304 and Apache sinkhole

Posted on in internet, linux, open source
   2 Replies

This is a short post, put here as a “reminder to self” on browser caching.

A colleague recently set up an HTTP sinkhole with Apache. The setup redirected all the user requests to one specific resource.

When deploying the sinkhole, the web server logs showed that the first requests where logged with HTTP status code 200 (“OK”). The next requests however were logged with HTTP status code 304 (“Not Modified”).

The HTTP 304 code basicallyRead more.

The New Glibc Getaddrinfo Vulnerability: Is It GHOST 2.0?

Posted on in linux, security
   Leave a reply

I had a guest post published on Security Training for Incident Handlers: The New Glibc Getaddrinfo Vulnerability: Is It GHOST 2.0?.

The post describes the critical issue found in glibc getaddrinfo (CVE-2015-7547) and gives you advice on patch management to deal with current (and future) issues in glibc.