Apologies for being away so long

I had some pressing matters with my team at Being Libertarian LLC; I have since published some new articles there, which you can read through this link: https://beinglibertarian.com/author/ganon/. This weekend I plan to build a brand new WordPress stack, as this server is on the older Ubuntu 14.04 LTS with a GNU/Linux, Apache, MySQL, and PHP (5.7) LAMP stack. The new WordPress stack I will be building will use Ubuntu 16.04 GNU/Linux, Nginx (Easy Engine), MariaDB, and PHP (7), making it a LEMP stack. Over the past few months I have grown to love Nginx more than Apache, so I am ditching LAMP stacks for LEMP. It will incorporate SQL injection filters, Cloudflare DNS proxying and DDoS mitigation, Nginx caching, among many other things. Yes, I will be putting forth a tutorial on how to do what I will be making. I also hate phpMyAdmin and prefer working directly in the shell, so no, the tutorial will not include phpMyAdmin. This is in part because I see it as one more way for a website to be compromised.

I am not sure whether or not I will cover the SQL database migration, as those tutorials are widely available across the web. Hopefully I should have the entirety documented by late next week.

Moving to Xubuntu 16.04 for my personal items

Well, my Home Theater PC is just about finished… I just installed Samba, enabled OpenSSH with my SSH key, along with my other goodies. I am just doing the final tweaks to smooth out video playback via xorg.conf; hopefully all the settings will carry over perfectly, as this is the same exact GPU and such.
But my Nvidia driver is 361 instead of the 358 I was using on 14.04.
I am just hoping I don’t have to recompile a kernel just for the “Intel Core 2 or Newer” CPUs, along with modifying the system timer from 250Hz to at least 300Hz to have a number more evenly divisible into 30FPS (US NTSC video) versus European PAL at 25FPS. If that is the case, I will bump it to a 1000Hz timer for faster responsiveness, as it’s a desktop, as well as being divisible into 30 and 25 in case I take it overseas. If I have to recompile for the Home Theater, I am merely going to recompile from the Ubuntu sources rather than directly from kernel.org. My laptop will be getting a custom kernel from kernel.org, though, as it doesn’t have the proprietary GPU for smoother video playback.

I opted for fresh reinstalls for my laptop and HTPC, as I ran into issues with the upgrade, and then merely reinstalled all my applications and such through my scripts; I always keep my /home on a separate partition, just in case I have to reinstall things.

I am working on upgrading my servers from 14.04 LTS to 16.04 LTS as well, by Q2 of 2017 after lots of testing. Some servers will probably be rebuilt from scratch. However, I am in no rush, as we all have until 2019, when Ubuntu 14.04 LTS reaches end of life.

Internet Naming System to be Privatized

This article was originally published on Being Libertarian; reposted here with permission.

The Internet… It’s amazing, isn’t it? How one small innovation from the Defense Advanced Research Projects Agency (DARPA), which led to the Internet Protocol (IP) system we use today, was taken by the private sector and thrown into warp drive, bringing us into a whole new cyber world. There is no denying that the Internet today as we know it is almost entirely a product of private sector innovation, as they built about 99% of it on top of the underlying IP model.

So, how exactly does the Internet naming system work? When you enter http://facebook.com in a browser, you get the Facebook homepage. In order for that to happen, the address facebook.com has to be translated into a format that’s understood by the computers around the world which delivered our home page to you. This format is known as an IP address, and for facebook.com, one of these addresses is 66.220.146.36. This is essential for how the Internet operates, and also why one US agency or another has been in charge of the Internet naming system pretty much since its founding, with the role currently falling to the National Telecommunications and Information Administration (NTIA), which is part of the Department of Commerce.

It is amazing how most of the Internet today is controlled by standards bodies such as the Institute of Electrical and Electronics Engineers (IEEE), World Wide Web Consortium (W3C), XMPP Standards Foundation (XSF), and others which are made up of engineers and companies all voluntarily working together to set forth new industry standards so everything is compatible with one another. Slowly, since the creation of the Internet – aside from some bonehead moves by the FCC – we have been seeing the government release control of the Internet to the private sector. Now the government has finally decided it is time for the Internet naming system to be free from all direct US government control, with all of the control being delegated to a non-profit entity known as the Internet Corporation for Assigned Names and Numbers (ICANN), based in California. The deal was finalized on August 16th by the NTIA, taking its final steps to basically choose not to renew its contract with ICANN, which it has had since 1998 (the contract between the US government and ICANN was a zero-cost one).

This new era is set to officially begin on October 1st. The most important thing is the handover will not affect the estimated 3.5 billion Internet users. This is because the US role was mostly administrative, rather than hands on, leaving ICANN to do all the actual day-to-day work on behalf of the government. This has not come as a surprise to anyone, as the NTIA voluntarily triggered this course of events back in March of 2014. ICANN has since set up their own various bodies and committees to finalize the transition plan following 33,000 emails and 600 meetings.

This has become a very important post due to Edward Snowden’s revelation of the scope of the US government’s invasion of privacy, which raised concerns about the US government having control over key Internet infrastructure and prompted calls for the Internet to be more globalized for the sake of freedom on the Internet. China and Russia have both called for the system to be overseen by an even bigger government body that might have been worse for us all, the United Nations International Telecommunications Union, which would not be afraid to curb the rights of some to acquiesce to the desires of a few countries with oppressive regimes; such as when they allowed Saudi Arabia, a country with many human rights violations, to head the UN Human Rights Panel.

ICANN being selected is a much better outcome for us all, as private organizations have consistently shown themselves to be more nimble and flexible than a government body with bureaucrats. Once the handover is completed, ICANN, a “multi-stakeholder” non-profit organization whose roster of members includes the likes of tech giant companies and individuals, governments, and other such people or organizations with an interest in controlling the Internet naming system, will take over the reins. The US government itself has even performed a study showing the chances of ICANN being steered by a government with its own agenda to be “extremely remote”.

In conclusion, the beginning of October is when the new era of more freedom on the Internet will be here. We can rest easier knowing the Internet naming system is out of the hands of a single government, and not, even worse, in the hands of the highly politicized and polarized United Nations, but rather in the hands of the private sector.

Perspectives: DNC Email Leak

This article was originally published on Being Libertarian; reposted here with permission.

Being Libertarian Perspectives will serve as a weekly, multi-perspective opinion and analysis piece by members of Being Libertarian’s writing team. Every week the panel, comprised of randomly selected writers, will answer a question based on current events or libertarian philosophy. Managing Editor Dillon Eliassen will moderate and facilitate the discussion.

Perspectives 1

Dillon Eliassen: What do you think is the most shocking or profound tidbit found in the Democratic National Committee email leak?

Alon Ganon: Where to begin? I personally have about 90+ emails uncovered on my blog. We have DNC members shooting a horse for insurance, a lollipop reference as in Lollicon, racism, some homophobic comments, some anti-Semitism sprinkled in when mentioning Yom HaShoah to remember the Holocaust, as they were annoyed. The collusion between the media… I could go on; there is just so much. So, what I would say is most shocking is the size and scope of how bad it actually all is.

It was a horribly set up network. It appears to be all Windows based using Microsoft Exchange, which Snowden had revealed Microsoft sits on the exploits of and hands on a silver platter to the NSA, leaving millions vulnerable. So Big Government in a way had a hand in this leak. If they had been using a proper UNIX/UNIX-like system like the majority of the IT world does for network connected services, this could have been avoided. It’s why all of our servers set up by me use GNU/Linux. For example, Windows uses password authentication most often. We use RSA keys that would take the NSA even a little time to crack our server key for administrative access unless they have physical access to my laptop or the encrypted backup. The funny part is both Clinton and the DNC used Microsoft Exchange and that was the Achilles heel in both attacks.

However, I found the most interesting thing about #DNCLeak was actually the after effect. See, they immediately point the finger at the Russians. I have asked dozens of friends of mine in the IT world across the political spectrum, and no one is convinced the Russian government is behind it. However, it’s interesting to note that Clinton is going after Russia saying they are working with Trump when we have confirmation she has received money in exchange for some deals with them. I would also like to note the FBI was so sure of themselves when Sony was breached that it was North Korea. However, it was revealed later that this may not have been the case at all, as it appeared to be an inside job. So how do we know it wasn’t a disgruntled intern or someone?

Dillon: I also think it was a disgruntled employee. And again, they are shooting themselves in the foot by blaming Russia, because it gives credence to the assertion that Russia went after Hillary’s private server.

Alon: Apparently the only “evidence” they have of it being Russia, to my knowledge, is an IP address which we should note the Supreme Court says is not enough for a warrant, and some metadata in a document in Russian. That’s hardly a smoking gun.

If anything this situation has revealed the IT department of the Democrats to be as incompetent as the politicians they support.

If I were to sum up this whole situation in one single word as an IT person, it would be “incompetence.”

Dillon: I enjoy the emails sent to Chuck Todd to get him to intercede on behalf of Debbie Wasserman Schultz, Hillary Clinton and the DNC to get MSNBC Morning Joe host Mika Brzezinski to stop criticizing them for being unfair to Bernie Sanders. I don’t believe Todd actually confirmed to someone in the Hillary campaign that he reached out to Brzezinski, so he might be in the clear as far as journalistic ethics go. And I don’t think it’s that terrible that DWS and her minions approached Todd to act on their behalf. What I wonder is why wouldn’t they ask to respond to Brzezinski’s allegations themselves by appearing on Morning Joe, or going on Meet The Press? Also, I think it’s foolish and risky on the campaign/DWS’s part, because what if Brzezinski got all bent out of shape and did a segment on Morning Joe saying she was approached by DWS and Hillary to not be so critical of them? Journalists hate being told what they can and can’t say, and they have a platform to antagonize their antagonizers. It would be like kicking a hornet’s nest!

Brandon Kirby: I was concerned about the philosophical implications to the way people think; the media’s involvement with the Democratic Party was alarming. I’ve seen stories on the media of situations I was close to that were false narratives perpetuating biases rather than reality. I watched a 6 minute story that did this, then I multiplied that by 10 to imagine (I’ll admit my thought-experiment was imagination rich and empirical data poor) how many false narratives were being consumed by the viewer in an hour program, and then again by 365, and it’s a horrifying prospect to think of people walking around in society guided by these falsehoods. It’s similar to Plato’s cave where they’re seeing a shadowy blur of reality constructed by a bias. As horrifying as that was, it became more horrifying knowing the politicians are the ones creating the narrative. It’s nothing short of an Orwellian nightmare.

John Engle: I think the main revelation will be to wake progressives up to the bad faith in which the DNC operates. It’s a process that has been starting, and the hard core of the Sandinista movement seems to have seen it pretty clearly at the convention. The news media, film, TV, etc. all contribute to the notion that the Right operates in bad faith, more interested in the dollars from rich corporate interests than in actually serving the people. They portray the Democrats and the Left, on the other hand, as being good faith actors. When something goes wrong policy-wise, it is chalked up to unintended consequences rather than malice. What these emails reveal clearly is what anyone who follows politics understands: Both sides are entrenched interests that are largely interested in perpetuating themselves and their privileges. The act of public service is the secondary value at best.

Ni Ma: Charles Krauthammer suggested that Trump’s statement asking Russia to find Hillary’s emails may have been a trap, since Clinton claims those were all private. So there would be no implication to national security if they were all private. Yet Democrats complain about Trump jeopardizing national security. Not sure if there’s validity to it, but I found it to be an interesting hypothesis.

John: I’ve seen that as well. Even if he didn’t plan it that way, it will have that impact for him. Can’t be a better result from Trump’s perspective, because he will be able to turn it on them so easily. She freaks out over his one off the cuff remark and thinks we plebs should shut up about the hundreds of deleted emails.

Alon: I will say this, as an IT person. This has been the best comedy show for me. I have actually been using the DNC Leak as an example for my clients on the weaknesses of Microsoft software. Unfortunately, as it was pointed out to me, the US Government seems to have a crony deal with Microsoft that requires Microsoft software on their computers and contractors’ computers. To me this is a blatant example of how crony capitalism damages everyone.

I would like to see the US government actually read Eric S. Raymond’s The Cathedral and the Bazaar, because they need to implement it properly, because relying on a corporation with a dedicated team of a few hundred to fix all issues is clearly showing its strain. Linus’ law, named after Linus Torvalds, the founder of the Linux kernel, states “given enough eyeballs, all bugs are shallow”; or more formally: “Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone.” That is per Wikipedia, but it is a well-cited law in the tech community regarding the flaw of Microsoft software, or really any proprietary software.
I cite it further as an example of cronyism damaging Government via proprietary contracts for public, non-defense systems. The reason being that defense software is protected via “protection from obscurity.” However, public services are usually a common platform. Therefore a voluntarist structure is more beneficial, as we can see in real-world practices on Free, Libre, and Open Source Software (FLOSS), e.g. GNU/Linux, Firefox, Bitcoin, WordPress, email, and most fundamental services we rely on but don’t think about in our day-to-day cyber lives.


Dear Journalists of #DNCLeak

Dear Journalists of #DNCLeak,
Stop lying that it was the Russians who cracked the security. First of all, let me give you an IT 101 lesson in spoofing your location. We have what is called a Virtual Private Network (VPN), which allows us to have a virtual presence in a local network. It creates an encrypted tunnel to a location and proxies your information through there, so geographically it appears as if you are somewhere else. That’s why some of my friends have noticed my location shows as New York City instead of Ohio, where I actually live. So what exactly am I getting at here? Cyber security is a tricky business, and we can’t just trust that because it appears to possibly be from Russia, it is in fact Russia. So the mere fact they immediately began pointing the finger at Russia suggests this is spin rather than fact. This has been proven by the constant touting of “suspicion” as fact in many of the articles.

If we recall, Sony was cracked into and even the FBI suspected North Korea of doing it (1), as it appeared to have been traced back through China, which is where North Korea proxies its internet through. However, as Time magazine wrote, it turns out that the evidence after deep investigation suggests they were completely wrong, and it seemed to be a disgruntled employee (2).

To be completely honest, the most disgusting fact about this entire situation is that it shows how corrupt the media still is. We are seeing this as they are covering up the story and spinning it, rather than using the emails there to show how bad the DNC and Hillary Clinton are. But then again, the media has always thrown the left a soft pitch every single time historically compared to the right. I say this as someone who is neither a Republican nor a Democrat. Please, for once in your careers, be honest to the people and report the story as it happened, not as you want them to hear how it happened.

Sincerely,
Alon Ganon
An Honest Journalist and CTO of Being Libertarian LLC

(1) http://www.usatoday.com/story/news/nation-now/2014/12/18/sony-hack-timeline-interview-north-korea/20601645/
(2) http://time.com/3649394/sony-hack-inside-job-north-korea/

#DNCLeak #DNCLeaks Master List

As many are aware, the DNC email system was breached, releasing 20,000 emails to the public. I personally combed through them myself when the leak began. Thus far, this is what I have found regarding the DNC leak:

colluding with a reporter on NBC
https://wikileaks.org/dnc-emails/emailid/4025

Josh Barro Business Insider
https://wikileaks.org/dnc-emails/emailid/14713

Jake Tapper CNN
https://wikileaks.org/dnc-emails/emailid/11152

Politico writer sending his stories to the DNC before he sends them to his editor.
https://wikileaks.org/dnc-emails/emailid/10808

off the book meetings
https://wikileaks.org/dnc-emails/emailid/4459

Jason Seher coordinating with CNN
https://wikileaks.org/dnc-emails/emailid/4813

Bernie Supporter and Delegate Almost Wasn’t Allowed to Attend a DNC Fundraiser
https://wikileaks.org/dnc-emails/emailid/18396

DNC party with WaPo (NOTE in HTML format, easily viewed by downloading raw email and open with a mail program like Mozilla Thunderbird for Mac, Windows, and GNU/Linux)
https://wikileaks.org/dnc-emails/emailid/2699

Collecting Bernie Voter Data
https://wikileaks.org/dnc-emails/emailid/14388

Collusion with RI Gov
https://wikileaks.org/dnc-emails/emailid/6564

Bernie Narrative/making him look bad
https://wikileaks.org/dnc-emails/emailid/11056

Laughing at Bernie wanting to debate in California
https://wikileaks.org/dnc-emails/emailid/5664

DNC planning to end Bernie campaign in April
https://wikileaks.org/dnc-emails/emailid/592

Wasserman-Schultz response to claim of bias
https://wikileaks.org/dnc-emails/emailid/11878

Wasserman-Schultz called Jeff Weaver (Bernie Campaign Manager) a “damn liar” for saying there was violence in Nevada
https://wikileaks.org/dnc-emails/emailid/5823

Politico agrees to Let DNC review article regarding Hillary Fundraising before Publishing
https://wikileaks.org/dnc-emails/emailid/10808


Introducing IPset-Assassin

Completed installation

I recently wrote a nice little program to set up and maintain your firewall on Ubuntu GNU/Linux 14.04. It installs a cron job that runs daily and pulls lists from multiple sites to block malicious IP addresses, adding around 40,000 or more individual IP addresses as well as the top 20 malicious IP blocks per day, all voluntarily and freely contributed. All of the malicious individual addresses are managed with ipset, while the IP blocks are managed with iptables. This is a very efficient way of managing the tables easily and automatically. It optionally allows you to enable or disable blocking of Tor exit node connections. I have also created an optional weekly cron job that will block whatever countries you may wish; I hand-typed all 233 country codes into a dialog menu. I added a new iptables-persistent from another GitHub repository which also works with ipsets, to keep both the iptables rules and the ipsets persistent across reboots.

When installing, it may get stuck here for a minute or two; that’s fine, it’s setting a lot of rules up.

The lists that are regularly installed:

Project Honey Pot Directory of Dictionary Attacker IPs
Tor exit nodes (this will block all access to Tor)*
BruteForceBlocker
Spamhaus
C.I. Army
OpenBL.org
Autoshun
Blocklist.de
Malware Domain List
ZeusTracker
Malc0de IP blacklist
MaxMind GeoIP Anonymous Proxies
StopForumSpam
GreenSnow


*Tor exit node blocking is optional

It’s simple enough to install: simply run the script as root and select whether you want to block Tor exit nodes and whether you want to block any countries. If there are any issues or suggestions, please let me know on GitHub. I eventually want to make this also capable of running on CentOS for my PhonePBX.

https://github.com/ChiefGyk/ipset-assassin

Tested on Ubuntu 14.04 servers and on Xubuntu 14.04 running server applications. Test it on your own machine as well if you like.
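As an added illustration of the approach described above, one ipset holding tens of thousands of addresses behind a single iptables rule, here is example code written for this post; it is not part of ipset-assassin. It normalises a downloaded feed (dropping comments, duplicates and malformed lines so one bad entry cannot abort the load), writes an ipset restore script that fills a scratch set and swaps it over the live one atomically, and inserts the one DROP rule if it is missing. The set name, the hash:net sizing options and the sample feed are assumptions; the feed is constructed.

```python
import ipaddress
import subprocess

# Added example, not ipset-assassin's own code. The set name is assumed; the
# feed below is constructed in the style of the plain-text lists these
# blocklist projects publish.
SET_NAME = "blocklist"

SAMPLE_FEED = """\
# sample blocklist feed (constructed)
203.0.113.7
203.0.113.7/32            ; same entry again
198.51.100.0/24
198.51.100.77/24          # host bits set, normalised to the /24 it falls in
999.1.1.1                 # not an address
198.51.100.0/33           # impossible prefix
2001:db8::1               # IPv6, not for an inet set
"""


def normalize_feed(text):
    """Turn a raw feed into sorted, de-duplicated IPv4 networks (as strings).

    Comments (# or ;), blank lines and anything that is not a valid IPv4
    address or CIDR block are dropped, so one malformed line in a third-party
    feed cannot abort the whole 'ipset restore'.
    """
    nets = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # junk line: skip it rather than fail the whole load
        if net.version == 4:
            nets.add(net)
    return [str(n) for n in sorted(nets)]


def build_restore_script(nets, set_name=SET_NAME):
    """Emit an 'ipset restore' script that fills a scratch set and swaps it
    over the live one in one step, so the firewall never consults a
    half-loaded set and the single iptables rule that references the live
    set never has to change however large the feed grows."""
    tmp = f"{set_name}_tmp"
    opts = "hash:net family inet hashsize 65536 maxelem 262144"
    lines = [f"create {set_name} {opts}", f"create {tmp} {opts}", f"flush {tmp}"]
    lines += [f"add {tmp} {net}" for net in nets]
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def apply_blocklist(feed_text, set_name=SET_NAME):
    """Load the feed into the kernel (needs root and the ipset/iptables
    binaries) and ensure one INPUT rule drops traffic from the set."""
    script = build_restore_script(normalize_feed(feed_text), set_name)
    # -exist makes the 'create' lines harmless when the sets already exist
    subprocess.run(["ipset", "-exist", "restore"], input=script, text=True, check=True)
    rule = ["INPUT", "-m", "set", "--match-set", set_name, "src", "-j", "DROP"]
    if subprocess.run(["iptables", "-C", *rule], capture_output=True).returncode != 0:
        subprocess.run(["iptables", "-I", *rule], check=True)


if __name__ == "__main__":
    # Print the script a daily cron job would pipe into 'ipset -exist restore'.
    print(build_restore_script(normalize_feed(SAMPLE_FEED)), end="")
```

Run without root it only prints the restore script, which is a handy way to eyeball what a feed would load; the swap is what lets a daily cron refresh replace the whole set without a window in which the rule matches nothing.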

233 Countries to block if you choose to.

Beef up mail-in-a-box Fail2Ban jails and filters

In the past few posts of my blog/journal I detailed blocklists, nginx, and such. However, I now have 12 jails on my MiaB (Mail-in-a-Box) server:

Munin, roundcube, owncloud, postfix, ssh-ddos, miab-management, sasl, ssh, dovecot, nginx-badbots, nginx-http-auth, and recidive.

Some of these jails had to be added manually to jail.local. I like to send my reports to two of my emails (work and personal) plus blocklist.de, so the sendmail-whois-lines action is not required and may be removed if you wish.

[miab-munin]
enabled = true
port = http,https
filter = miab-munin
action = sendmail-whois-lines[name=miab-munin, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]
logpath = /var/log/nginx/access.log
maxretry = 20
findtime = 30

[miab-owncloud]
enabled = true
port = http,https
filter = miab-owncloud
action = sendmail-whois-lines[name=miab-owncloud, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]
logpath = /home/user-data/owncloud/owncloud.log
maxretry = 20
findtime = 30

[miab-postfix587]
enabled = true
port = 587
filter = miab-postfix-submission
action = sendmail-whois-lines[name=miab-postfix-submission, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]
logpath = /var/log/mail.log
maxretry = 20
findtime = 30

[miab-roundcube]
enabled = true
port = http,https
filter = miab-roundcube
action = sendmail-whois-lines[name=miab-roundcube, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]
logpath = /var/log/roundcubemail/errors
maxretry = 20
findtime = 30

In your filter.d folder, create the following files with the content below.

miab-munin.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex=<HOST> - .*GET /admin/munin/.* HTTP/1.1\" 401.*
ignoreregex =

miab-owncloud.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex=Login failed: .*Remote IP: '<HOST>[\)']
ignoreregex =

miab-postfix-submission.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex=postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)
ignoreregex =

miab-roundcube.conf:

[INCLUDES]

before = common.conf

[Definition]
failregex = IMAP Error: Login failed for .*? from <HOST>\. AUTHENTICATE.*
ignoreregex =

Ideas pulled from GitHub, with my additional touches for nginx from the earlier post.

Send Fail2Ban logs to multiple addresses

So I was running into an issue where I wanted to send the logs to blocklist.de as well as my own personal email and my business email. However, I found myself running into issues sending to more than one address. So I figured out the proper syntax for jail.conf and jail.local:

sendmail-whois-lines[name=FILTERNAME, dest="[email protected],[email protected],[email protected]", [email protected], sendername="Fail2Ban"]

Just replace the parts in all caps with the appropriate settings for you. I always add blocklist.de, to report abusers to a whole community.

Nginx Filters for Fail2Ban

When setting up my other servers I was double-checking Fail2Ban configurations and noticed there are no Fail2Ban settings for nginx, even though the webmail runs on it. I am not sure if it’s an issue or anything, but I was hoping someone else could tell me if I am on the right track, or if it’s not even necessary.

I did this for my email server which runs nginx as the web server.

In /etc/fail2ban/jail.local:

[nginx-http-auth]
enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /var/log/nginx/error.log

[nginx-badbots]
enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /var/log/nginx/access.log
maxretry = 2

then cd /etc/fail2ban/filter.d
sudo nano nginx-http-auth.conf

Make sure it’s like below:

[Definition]

failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
            ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$

ignoreregex =

Copy the badbots config from Apache:
sudo cp apache-badbots.conf nginx-badbots.conf
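A check worth doing before enabling any of these jails, both the four MiaB filters above and the nginx-http-auth filter here, is to confirm that each failregex actually matches the log line it is meant for and extracts the right host, and that it does not match the benign line sitting next to it in the same log. That is what fail2ban-regex does; the following is an added example written for this post, not fail2ban's or Mail-in-a-Box's code: a miniature matcher that expands <HOST> the way fail2ban does, strips a leading timestamp with a simplified date detector (assumed; fail2ban's own detector handles far more formats), and runs the page's failregex lines over constructed log lines. The log lines, hostnames and the documentation address 203.0.113.5 are all constructed.

```python
import re

# Added example, not fail2ban's code or Mail-in-a-Box's: a miniature
# fail2ban-regex that checks a failregex against constructed log lines.

# <HOST> expansion modelled on fail2ban 0.9's (assumed here): an optional
# IPv4-mapped-IPv6 prefix, then the host captured as a named group.
HOST_GROUP = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Simplified stand-in for fail2ban's date detector. The first timestamp that
# matches is removed before failregex runs; this is why the nginx-http-auth
# filter can be anchored with "^ \[error\]" even though error.log lines start
# with a date.
DATE_PATTERNS = [
    r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}",                     # nginx error.log
    r"\[\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]",  # nginx access.log
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}",            # syslog / mail.log
]

# The failregex lines from the filters above, verbatim.
FILTERS = {
    "miab-munin": r'<HOST> - .*GET /admin/munin/.* HTTP/1.1\" 401.*',
    "miab-owncloud": r"Login failed: .*Remote IP: '<HOST>[\)']",
    "miab-postfix-submission":
        r"postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)",
    "miab-roundcube": r"IMAP Error: Login failed for .*? from <HOST>\. AUTHENTICATE.*",
    "nginx-http-auth": (
        r'^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"),'
        r' client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$'
    ),
}

# Constructed log lines (203.0.113.5 is a documentation address): for each
# filter, one line that must count as a failure and one benign line from the
# same log that must not.
SAMPLES = {
    "miab-munin": (
        '203.0.113.5 - - [03/Jul/2016:04:44:54 +0000] "GET /admin/munin/ HTTP/1.1" 401 188 "-" "curl/7.47.0"',
        '203.0.113.5 - - [03/Jul/2016:04:44:55 +0000] "GET /admin/munin/ HTTP/1.1" 200 9021 "-" "curl/7.47.0"',
    ),
    "miab-owncloud": (
        """{"app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.5')","level":2}""",
        """{"app":"core","message":"Login successful: 'admin' (Remote IP: '203.0.113.5')","level":1}""",
    ),
    "miab-postfix-submission": (
        "Jul  3 04:44:54 box postfix/submission/smtpd[1234]: warning: unknown[203.0.113.5]: "
        "SASL LOGIN authentication failed: UGFzc3dvcmQ6",
        "Jul  3 04:44:54 box postfix/submission/smtpd[1234]: connect from unknown[203.0.113.5]",
    ),
    "miab-roundcube": (
        "[03-Jul-2016 04:44:54 +0000]: <a1b2c3> IMAP Error: Login failed for admin from 203.0.113.5. "
        "AUTHENTICATE PLAIN: Authentication failed.",
        "[03-Jul-2016 04:44:54 +0000]: <a1b2c3> IMAP Error: Could not connect to localhost:143",
    ),
    "nginx-http-auth": (
        '2016/07/03 04:44:54 [error] 1234#0: *5 user "admin": password mismatch, client: 203.0.113.5, '
        'server: box.example.com, request: "GET /admin/ HTTP/1.1", host: "box.example.com"',
        '2016/07/03 04:44:54 [error] 1234#0: *6 open() "/var/www/favicon.ico" failed (2: No such file '
        'or directory), client: 203.0.113.5, server: box.example.com, request: "GET /favicon.ico HTTP/1.1", '
        'host: "box.example.com"',
    ),
}


def strip_date(line):
    """Remove the first recognised timestamp, as fail2ban does before matching."""
    for pattern in DATE_PATTERNS:
        stripped, count = re.subn(pattern, "", line, count=1)
        if count:
            return stripped
    return line


def compile_failregex(failregex):
    """Expand <HOST> and compile, as fail2ban does when loading a filter."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))


def match_line(failregex, line):
    """Return the host a failregex would ban for this line, or None."""
    match = compile_failregex(failregex).search(strip_date(line))
    return match.group("host") if match else None


def run_checks():
    """For each filter: (host from the failure line, host from the benign line)."""
    return {
        name: (match_line(regex, SAMPLES[name][0]), match_line(regex, SAMPLES[name][1]))
        for name, regex in FILTERS.items()
    }


if __name__ == "__main__":
    for name, (banned, benign) in run_checks().items():
        verdict = "OK " if banned and benign is None else "BAD"
        print(f"{verdict} {name}: failure line -> {banned!r}, benign line -> {benign!r}")
```

The munin regex is the one most worth running through this: with the en dash that a word processor or a web editor substitutes for the plain hyphen between <HOST> and the rest of the access-log line, it never matches anything, and the jail silently bans nobody. On a real box, fail2ban-regex against the actual log file is the authoritative check; this script only shows the mechanics.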