Using netwox

I will give examples of using netwox and describe them.
I described the netwox installation in this article – Installing netwox

Example of a standard startup:

sudo netwox

netwox has quite a lot of functions; after starting it, you can see them by pressing 3 and Enter.

Network configuration display:

sudo netwox 1

Display debugging information:

sudo netwox 2

Display information about the IP address or host name:

sudo netwox 3 example.com

Displaying information about the MAC address:

sudo netwox 4 -e 00:15:5D:38:01:08

Obtaining MAC addresses from the IP list:

sudo netwox 5 -i 192.168.1.0/24

Display information that will be used to reach the specified IP address:

sudo netwox 6 192.168.24.254

Sniffer, displaying the transmitted packets on the screen:

sudo netwox 7

Sniffer, displaying only the list of open ports that were used in the captured packets:

sudo netwox 8

Sniffer, mapping of MAC and IP addresses:

sudo netwox 9

An example of capturing packets and displaying brief statistics (the number of packets counted, the size of the packets, the percentage of the number of packets (c%), the percentage of the size (s%)):

netwox 10 -d eth0

Convert a number to other representations:

sudo netwox 21 -n number

Converting a string to an encoded or hashed string (sha256, md5, etc.):

sudo netwox 22 -d text

Show ASCII table:

sudo netwox 23

Check the security of the directory:

sudo netwox 25 /tmp/

Example of ICMP PING:

sudo netwox 49 -i 192.168.24.253

Example of ARP PING:

sudo netwox 55 -i 192.168.24.253

Example of ICMP route tracing:

sudo netwox 57 -i example.com

Example of TCP route tracing:

sudo netwox 59 -i example.com

Example of UDP route tracing:

sudo netwox 61 -i example.com

Example of port scanning:

sudo netwox 67 -i 192.168.24.254 -p 1-1000

ICMP scanning for availability:

sudo netwox 65 -i 192.168.1.0/24

TCP port access scan:

sudo netwox 67 -i 192.168.1.0/24 -p 80

UDP port access scan:

sudo netwox 69 -i 192.168.1.0/24 -p 80

ARP scanning:

sudo netwox 71 -i 192.168.1.0/24

Flood random fragments:

sudo netwox 74 -i 192.168.24.254

Filling the table of MAC-addresses of the switch by sending a flood:

sudo netwox 75

Synflood:

sudo netwox 76 -i 192.168.24.254 -p 80

etc.

Installing and Configuring Config Server Firewall (CSF) in Ubuntu

Config Server Firewall (CSF) is a software product created for automatic server protection.

I’ll describe below the procedure for installing and configuring Config Server Firewall (CSF) in Ubuntu.

First of all, download the archive with the latest version:

cd /usr/src
sudo wget https://download.configserver.com/csf.tgz

Unpack the downloaded archive:

sudo tar -xzf csf.tgz

If any other firewalls are used in the system, they must be disabled; existing iptables rules will be deleted automatically.
For example, disable UFW:

sudo ufw disable

Let’s move to the directory with the unpacked files and run the installer:

cd csf
sudo sh install.sh

Install the necessary components:

sudo apt-get install libwww-perl
perl -e "use Time::HiRes"

Check whether the required modules are installed (“OK” should be displayed next to each):

sudo perl /usr/local/csf/bin/csftest.pl

After installation, the SSH port will be automatically opened, even if it is not standard, and your current address is added to the whitelist.
CSF will run in test mode, which will need to be disabled later in the configuration file.
The configuration file can be opened in any text editor, for example nano:

sudo nano /etc/csf/csf.conf

The changes will be applied after the following command:

sudo csf -r

Lists of allowed and blocked IP addresses are located in /etc/csf/csf.allow, /etc/csf/csf.deny and /etc/csf/csf.ignore.

The status of the CSF can be seen by the command:

sudo csf --status

CSF can be removed in a similar way, with another script:

sudo -i
cd /etc/csf
sh uninstall.sh

The built-in brief help can be seen by the command:

man csf

Configure Firefox for anonymity

To get started, type the following in the address bar of the Firefox browser:

about:config

Below I will describe which settings transmit information about the user. For a faster search, you can copy and paste the parameter into the search bar.

Google Safe Browsing (the parameter enables the transmission of information about the sites visited by the user to Google and prevents visits to sites with malicious software):

browser.safebrowsing.enabled
browser.safebrowsing.downloads.enabled
browser.safebrowsing.malware.enabled

Sending stability and performance reports to Firefox:

datareporting.healthreport.service.enabled
datareporting.healthreport.uploadEnabled

Usage statistics:

toolkit.telemetry.enabled

The parameter transmits the real IP address even if a VPN connection or TOR is used:

media.peerconnection.enabled

Enabling integration with the Pocket service:

browser.pocket.enabled

Using geolocation:

geo.enabled

Firefox connects to third-party servers without permission:

loop.enabled

Saving text typed in the search bar for later suggestions:

browser.search.suggest.enabled

Enabling blocking of user-tracking elements:

privacy.trackingprotection.enabled

Some information about the encryptor virus Trojan.Encoder.12544, which attacked on 06/27/2017

On 06/27/2017, after lunch, I received a call from an organization reporting that many computers had stopped working, although some still worked. I understood that Windows auto-update was enabled and all updates were installed, including the fix for the critical vulnerability that the virus uses – Microsoft Security Bulletin MS17-010 – Critical

On some infected computers, there was the following window (infected MBR area):

On others, the disk was being checked for errors via CHKDSK; as it turned out, this was the second stage of the virus – disk encryption using the AES-128-CBC algorithm – and in this case an immediate shutdown is necessary to recover the remaining unencrypted data.
Through special utilities, you could see only a small amount of unencrypted data that can be recovered; the rest can only be restored from backup copies made by system administrators, since a decryptor is not available at the moment.
For the old version of the virus from last year, a decryptor was written: https://github.com/leo-stone/hack-petya

The e-mail address that was specified for requesting the decryption key was blocked some time after the virus appeared; even so, about 45 transactions were received on the wallet.

Disabling ecryptfs encryption of the home directory

It took one day to disable the ecryptfs encryption of the home directory, which was once set up when installing the system.

First of all, make a copy of the home directory of the required user:

sudo cp -rp /home/user /home/user_backup

Get the mount point of the private directory:

PRIVATE=$(cat ~/.ecryptfs/Private.mnt 2>/dev/null || echo "$HOME/Private")

Unmount the directory:

ecryptfs-umount-private

Set the permissions on the directory:

chmod 750 "$PRIVATE"

Delete this directory and the directories ~/.Private, ~/.ecryptfs:

rm -rf "$PRIVATE" ~/.Private ~/.ecryptfs

And also in the backup copy:

rm -rf /home/user_backup/.Private /home/user_backup/.ecryptfs

If ecryptfs is no longer used in the system, remove the utilities:

sudo apt-get remove ecryptfs-utils libecryptfs0

Set the correct permissions and owner on the user's home directory:

sudo chmod 750 /home/user
sudo chown user:user -R /home/user

Copy the necessary files from the backup copy of the home directory.

Done.

You can see the built-in instructions with the command:

ecryptfs-setup-private --undo

See also:
The solution to the error “Could not chdir to home directory /home/user: Permission denied”

nice and ionice. Process Priorities

nice – lets you specify the CPU priority with which a task is executed. The range of priorities is -20 to 19, where 19 is the lowest; if not specified, the standard priority of 0 is used. This is convenient, for example, when packing data into archives so that the task does not load the server, or when many processes that would occupy all CPU time need to be started and the load has to be distributed.

Example of the execution of the command with the lowest priority:

nice -n 19 COMMAND

See the table of processes and their priorities as follows (column NI):

ps axl
ps -l

If the table is large, you can pipe the output of the command to less and view it page by page:

ps axl | less

To change the priority:

renice -n 19 PROCESS(PID)

Checking the default priority value (standard 0):

nice

ionice – lets you specify the priority for I/O operations, for example, to reduce the load on the disk. First the class is given, from 1 to 3, then the priority, from 0 to 7, where 7 is the lowest.
There are three classes:
1) Real time – gets access to the disk first, regardless of other processes, with priorities from 0 to 7.
2) Best Effort – the standard class, with priorities from 0 to 7.
3) Idle – runs only when the disk is idle, without priorities.

Example of executing the command with the lowest I/O priority:

ionice -c2 -n7 COMMAND

To change the priority:

ionice -c2 -n7 -p PROCESS(PID)

To view the set priority:

ionice -p PROCESS(PID)

You can specify priorities at the same time via nice and ionice:

nice -n 19 ionice -c2 -n7 COMMAND

Specifying high priorities, for example, may require root permissions; in that case the command should be executed as the root user or prefixed with sudo.

Solving the SSL problem “Connection is not secure – Parts of this page are not secure (such as images)”

I once noticed, on a site with a signed SSL certificate, a message from the Mozilla Firefox browser:

Connection is not secure – Parts of this page are not secure (such as images)

As it turned out, images from other sources were inserted on the site, so the connection cannot be considered protected. To solve this problem, you need to upload the images to the current site and change the links on the pages, which must start with https://.

If the site works over both http:// and https:// and the pictures are hosted on it, then the links should be changed, for example, from:

<img src="http://www.ixnfo.com/img.jpg">

to

<img src="/img.jpg">

Done.

The reboot script of Wi-Fi routers TP-Link

Below is an example of a TP-Link router reboot script; I will test it on a TL-WR720N 2.0 from Ubuntu Server.

#!/bin/sh
ROUTER_IP="192.168.24.174"
USERNAME="admin"
PASSWORD="admin"

# exit if router is down
ping -q -c 1 "$ROUTER_IP" > /dev/null || exit

# request the reboot page using HTTP basic authentication, with the router itself as the Referer
curl --basic --user "$USERNAME:$PASSWORD" -A "Mozilla/4.73 [en] (X11; U; Linux 2.2.15 i686)" --referer "http://$ROUTER_IP" "http://$ROUTER_IP/userRpm/SysRebootRpm.htm?Reboot=reboot"

Place the contents of the script in a new file, for example, using the nano editor (“CTRL+X” to exit and “y” to save the changes):

nano file.sh

And make it executable (for the owner only, since the file contains the router password):

chmod 700 file.sh

After this, we execute:

./file.sh

Similarly, you can perform other functions instead of rebooting.

Preventing attacks on WordPress xmlrpc.php and wp-login.php

I once noticed, on some servers with WordPress sites, a large number of requests to the files xmlrpc.php and wp-login.php.

As it turned out, someone was trying to guess a password and gain access to the site. Usually such attempts are blocked by Jetpack or by restricting access to the admin area by IP on the web server, but for some reason there was no protection.

To count the number of accesses to a file in the logs, you can use the command:

grep 'xmlrpc.php' /var/log/apache2/access.log | wc -l

By the way, the command above can be run, for example, from the Zabbix monitoring system, which can draw a graph from the received data and also notify you of an increase in the number of hits.

Count the number of requests for each IP and list them:

grep 'xmlrpc.php' /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -nr

Count the number of requests for each IP for the wp-login.php file:

grep 'wp-login.php' /var/log/apache2/access.log | cut -d' ' -f1 | sort | uniq -c | sort -nr
grep 'wp-login.php' /var/log/apache2/access.log | awk '{print $1}' | sort -n | uniq -c | sort -nr | head -20
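
An added example, not part of the original article: the per-IP counts above combined into one check that counts only POST requests (login attempts) to both files and lists the addresses that reach a threshold. The function names, the threshold and the sample log lines are constructed for illustration, and the Apache combined log format is assumed.

```shell
#!/bin/sh
# Added example (not from the original article): flag likely password-guessing
# clients in an Apache access log. Assumes the "combined" log format.

# suspicious_ips LOGFILE THRESHOLD
# Prints "IP COUNT" for each client with at least THRESHOLD POST requests to
# xmlrpc.php or wp-login.php, busiest first. Only POSTs are counted because a
# login attempt is a POST; a GET only displays the form.
suspicious_ips() {
    awk -v limit="$2" '
        # Whitespace-split fields: $1 = client IP, $6 = "METHOD, $7 = path
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)        # ignore the query string
            if (path ~ /\/(xmlrpc|wp-login)\.php$/) hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= limit) print ip, hits[ip]
        }
    ' "$1" | LC_ALL=C sort -k2,2nr -k1,1
}

# Constructed sample log lines (documentation IP ranges, not real traffic).
make_sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Jul/2017:10:00:01 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2017:10:00:02 +0300] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2017:10:00:03 +0300] "POST /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jul/2017:10:00:04 +0300] "GET /wp-login.php HTTP/1.1" 200 2400 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jul/2017:10:00:09 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Jul/2017:10:00:10 +0300] "GET /?s=xmlrpc.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Jul/2017:10:00:11 +0300] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
EOF
}

log=$(mktemp)
make_sample_log > "$log"
suspicious_ips "$log" 3      # prints: 203.0.113.7 3
rm -f "$log"
```

On a real server, pass /var/log/apache2/access.log and a threshold suited to the site's normal traffic.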

In the apache2 configuration or through the .htaccess file, you can restrict access to /wp-admin/ by IP, for example:

<Directory /var/www/site/wp-admin/>
  Options -Indexes
  AllowOverride All
  Order allow,deny
  allow from 127.0.0.1 192.168.11.25
</Directory>

Completely deny access to files like this:

<Files wp-login.php>
Order Deny,Allow
Deny from all
</Files>
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

If you use, for example, Jetpack, it is better not to restrict wp-login.php, since this can cause errors when updating the plug-in and affect its operation.
In this case, you can activate password protection in the Jetpack settings.

If Jetpack is not in use, you can install other plug-ins, for example, “WP Limit Login Attempts”, which displays captcha during authorization, and also blocks incorrect login attempts.
For example, the “Disable XML-RPC Pingback” plug-in can disable XML-RPC functions if they are not needed.

Also, in the robots.txt file you can prevent search engines from indexing these files:

User-agent: *
Disallow: /xmlrpc.php
Disallow: /wp-login.php