Introducing Passwds.io

Pronounceable Password Generator

I’d had this code sitting around for a while and decided to make a new site dedicated to it. It’s called passwds.io. It’s a simple service that produces pseudo-random passwords that have some elements that can actually be pronounced, hopefully making them easier to remember.

I do not recall where I got the original code to generate the pronounceable passwords, but am trying to find the source so I can credit where it’s deserved.

I threw the site at passwds.io together in about an hour using the newest Bootstrap, PHP, and jQuery.

Brandon Lighter brought up the fact that I could be storing all generated passwords, but I’m not. This was developed as a tool for myself to use while I was a sys admin at a large local business; I’d use it to create new passwords for users in Active Directory. It’s still the same code.

Once I can bring the code to a level that isn’t so scattered, I will put it on GitHub so everyone can see the source and what’s going on. It’s really very, very simple.

Of course, I could omit the important “logging” piece when pushing to GitHub, but at some point people just have to trust others, and I’m flat out saying there’s no type of logging being done at passwds.io, other than the standard Google Analytics and Gaug.es for site analytics.

Brandon does bring up good points though, like no usage of special characters.

Secondly, they are only lower-case, upper-case, and numbers, which means you are pulling from a much smaller character set than you could be, making brute-force attacks easier.

I may add an option to do pronounceable passwords, or passwords with special characters enabled, which would probably break pronounceability. But options are always nice.

If you have other suggestions, I’d love to hear them. I’ve debated adding user accounts and the ability to save your generated passwords (that would be accessible only by you), but that sort of goes beyond the scope of passwds.io, which is simple, fast password creation.

An example output from passwds.io can be seen in the screenshot below.

Also, check out Placezombie.com if you’re looking for some pretty gruesome zombie images to use as placeholder images in your designs. Sample 900×150 pixel greyscale image below, achieved with https://placezombie.com/g/900x150:

Anyway, like I said, I’d love to hear your thoughts on passwds.io. Leave a comment here, it’s the best way to communicate with me about passwds.io. I haven’t bothered setting up passwds.io email yet.


Find Shellshock Exploit Attempts & Probes From the Command Line and Papertrail

Never hurts to make sure

I’ve written about Papertrail a few times before, I love the service and it’s just too valuable to not use.

Papertrail makes it super easy to find Shellshock exploit attempts and probes. Probes just check whether a machine is vulnerable to Shellshock. If you’re using CloudFlare, you’ll never see any Shellshock attempts show up in your logs; CloudFlare doesn’t even let them through.

See If Shellshock Affects You

Checking to see if your system is vulnerable to Shellshock is quite easy. It takes a relatively simple bash command:

Run that code in a terminal. If you see All good, you’re not vulnerable. However, if you see vulnerable to shellshock, you are potentially vulnerable.


Shellshocker.net provides a script that will download, compile, and install the newest version of bash for you. You should only use it though if your Linux distribution hasn’t already provided updated security release packages. If you’re interested, the code that runs Shellshocker.net is available on GitHub.

Find Shellshock Attempts and Probes Via The Command Line

This is very easy as long as you know the location of your Apache access log file. It’s typically something like /var/log/apache2/access.log. Assuming that’s the location of your Apache access log file, this command will pull out all the Shellshock probes and attempts:

If nothing was returned, that means nobody has been trying to exploit Shellshock on your system, or even checking to see if your system is susceptible to Shellshock. If results are returned, look them over carefully to examine where the attempts are coming from; an IP address will be associated with every attempt.
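An added example, not from the original post, of the command-line check described here and again in the Rsyslog post below: a small POSIX shell scan of an Apache combined-format access log for the Shellshock marker, which goes slightly beyond the post by also catching the variant written without the space after the parentheses. The default log path is an assumption and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: scan an Apache access log for
# Shellshock probes, i.e. request lines carrying the "() {" function-definition
# prefix in a logged header (User-Agent or Referer in the combined format).
# The default log path is an assumption; the sample log below is constructed.

# Print every line containing the marker. -F treats the patterns as fixed
# strings so "(" and "{" are not parsed as regex syntax; the second pattern
# also catches probes written without the space after the parentheses.
find_shellshock_probes() {
    logfile="${1:-/var/log/apache2/access.log}"
    grep -F -e '() {' -e '(){' "$logfile"
}

# Same scan reduced to the client address (first field of a combined-format
# line) with a hit count per address, most active first.
shellshock_probe_sources() {
    find_shellshock_probes "${1:-/var/log/apache2/access.log}" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Constructed sample log: three probes (two from one address, one of them in
# the Referer field, and one no-space variant) among ordinary requests. It is
# written to a temp file so the scan can be tried without a real server log.
make_sample_log() {
    sample="$(mktemp)"
    cat > "$sample" <<'EOF'
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "() { :;}; echo probe"
198.51.100.9 - - [25/Sep/2014:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 3102 "-" "curl/7.35.0"
203.0.113.7 - - [25/Sep/2014:10:03:44 +0000] "GET / HTTP/1.1" 200 612 "() { :;}; echo probe" "-"
198.51.100.9 - - [25/Sep/2014:10:04:01 +0000] "GET /cgi-bin/status HTTP/1.1" 404 209 "-" "(){ :;}; echo probe"
EOF
    printf '%s\n' "$sample"
}

# Stand-alone run: list the probing addresses in the sample, then clean up.
demo_log="$(make_sample_log)"
shellshock_probe_sources "$demo_log"
rm -f "$demo_log"
```

Point `find_shellshock_probes` at a real access log to get the raw matching lines, or `shellshock_probe_sources` for just the per-address tally.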

Shellshocker.net Checker

Shellshocker.net also provides a bash script to check your machines for the Shellshock vulnerability. You can download the script and run it manually from your terminal, or, if you have cURL installed, run the following command:

Running that command will produce results similar to the screenshot seen below. It checks for a number of Shellshock related vulnerabilities.

Find Shellshock Attempts and Probes With Papertrail

Go to your Papertrail events tab and search for the following:
"() {"

If anything is returned, those are Shellshock probes. Some example probes are listed in the gist that’s embedded below. None of the offending IP addresses have been redacted.

These actually made it through to Papertrail, which shouldn’t happen since longren.io sits behind Cloudflare. I’ll open a support ticket with them about it and update this post later.

Send Apache Logs to Papertrail With Rsyslog

Over the last few days, I’ve been looking at Apache web server logs a lot, mostly for quick checks for Shellshock probes and exploit attempts, all on client servers, thankfully. All of the servers I operate through DigitalOcean are patched up. It just so happens that all the sites I host have their DNS hosted by Cloudflare, which has been blocking all Shellshock attempts.

A majority of my sites send their Apache logs to Papertrail. Having all my Apache logs easily accessible and searchable is extremely nice; it makes sniffing out Shellshock attempts quite simple. You can also check for Shellshock attempts relatively easily from the command line; something like the command below would work:

1. Setup Rsyslog to Send to Papertrail

Anyway, sending Apache logs to Papertrail is pretty easy. I’m going to assume you’ve already set up rsyslog to send logs to Papertrail. If not, this post should help.

2. Add CustomLog Directive To Your VirtualHost

You just need to modify your virtualhost configuration and add a CustomLog directive. Here’s what I do to send longren.io logs to Papertrail:

The -t httpd piece sets the service name for Papertrail. The -p local1.info flag sets the priority. You’ll want to change the longren.io piece in the above code to whatever site you’re capturing logs for. You can also change or remove apache that immediately follows longren.io.

3. Reload Apache

After you’ve added the CustomLog directive to your virtualhost, you’ll want to reload Apache:

That’s all there is to it. You should start seeing your Apache logs in Papertrail shortly after reloading Apache.
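An added example, not the post’s own configuration, of steps 2 and 3 above: a shell helper that emits the CustomLog directive for one site, piping the access log through tee (so a local copy stays on disk for command-line checks) into logger with the -t httpd and -p local1.info flags, and a reload step that runs configtest first. The site name and local log path are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own configuration: build the CustomLog
# directive that ships a VirtualHost's access log to Papertrail via rsyslog,
# then validate and reload Apache. The tee step keeps a local copy of the
# log on disk; piping to logger alone would leave no file for the
# command-line Shellshock checks. Site name and log path are assumptions.

# Emit the CustomLog line for one site. -t sets the program name Papertrail
# shows ("httpd"); -p sets the syslog facility.priority rsyslog forwards on.
papertrail_customlog() {
    site="${1:?site name, e.g. longren.io}"
    localfile="/var/log/apache2/${site}-access.log"
    printf 'CustomLog "|/usr/bin/tee -a %s | /usr/bin/logger -t httpd -p local1.info" combined\n' "$localfile"
}

# Validate the configuration before reloading so a typo in the directive
# does not take the site down; reload (not restart) keeps open connections.
reload_apache() {
    apache2ctl configtest && service apache2 reload
}

# Stand-alone run: print the directive to paste into the site's <VirtualHost>.
papertrail_customlog "longren.io"
```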

TinyCert: Generate SSL Certificates And Become Your Own Certificate Authority

A few days ago I moved longren.io to https. I didn’t pay for a certificate though like I would when setting up an e-commerce site or something else important.

I even get the little green lock symbol in the address bar, but I think this is mostly due to my use of Cloudflare.

TinyCert is a service I discovered that lets you be your own PKI/certificate authority. It’s entirely free and provides you with a very nice interface for managing your certificates. The image below shows the interface for managing your certificates. The list on the right is a list of certificates; as you can see, I’ve got one made up for longrendev.io but haven’t put it in place quite yet.

The support from TinyCert is very good as well; I had a few questions regarding how their certificates would work with Cloudflare and they quickly cleared my questions up. SSL Labs from Qualys gives the SSL certificate an “A” rating. Should you use certificates from TinyCert in production? Probably not. I am, however, due to my use of Cloudflare.

This post isn’t meant to show you how to install certificates or use TinyCert, it’s simply to make you aware of the tool and what can be done with it. TinyCert has a pretty extensive FAQ, so should you have questions, which I’m sure you do, head on over and start reading. If you do need help installing the certificates from TinyCert, their help center does a nice job of providing instructions for Apache and Nginx based setups.

Have fun with TinyCert, it’s a pretty awesome service that I’ll continue to use and will absolutely be donating to. But please remember, TinyCert certificates should not be used for regular public websites: the service is a substitute for self-signed certificates, not for a proper certification authority.

Install Tarsnap On a DigitalOcean VPS or Any Ubuntu 14.04 or Newer System

Securely and remotely backup your server using Tarsnap

Tarsnap is a great service. It’s extremely affordable and secure. I mentioned it briefly in my previous post about MySQL backups.

Tarsnap is only $0.25 / GB-month for storage and $0.25 / GB for bandwidth, which is extremely affordable. You can add funds to your account whenever you like, which is also very nice. Your initial fund deposit must be at least $5. You can sign up for a Tarsnap account here.

Installing it on a stock Ubuntu 14.04 LTS installation requires some additional steps to get everything working nicely.

1. Install dependencies

2. Install Tarsnap

Download Tarsnap, I do it like this with wget:

Now we need to extract, configure, and compile Tarsnap.

3. Configure Tarsnap

First, copy the example config to the live config:

If you receive an error with that command, like mkdir: cannot create directory, ignore it and continue on.

Next, we need to generate a tarsnap key for your machine. I like to keep my tarsnap key in my home directory, so I run something like this:

You’ll be prompted for your Tarsnap password when running tarsnap-keygen.

Now, edit the tarsnap.conf file:

Point the keyfile directive to the key file we created a couple steps ago. The top of your tarsnap.conf file should look similar to this now:

4. Use Tarsnap to Make a Backup

You’ll want to get familiar with the Tarsnap manpages. To create your first archive, with a name of servername-20140805, do this:

That will backup the /home/youruser folder to Tarsnap! Depending on the size of the backup and speed of your connection, it could take quite some time to finish the backup.
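The four steps above collected into one script, as an added example that is not the post’s own commands: dependencies, a verified download and build, the top of tarsnap.conf with the keyfile directive, key generation, and the first archive named servername-YYYYMMDD. The release version and its published digest are placeholders to be filled in from tarsnap.com/download, the key is assumed to live in the caller’s home directory, and the binaries are assumed to install under /usr/local.

```shell
#!/bin/sh
# Added example, not the post's own commands: the dependency, build, config and
# first-backup steps for Tarsnap on Ubuntu 14.04 as shell functions.
# Assumptions: version and digest are placeholders to be taken from
# tarsnap.com/download; the key is kept in $HOME; binaries go under /usr/local.
TARSNAP_VERSION="${TARSNAP_VERSION:-X.Y.Z}"           # placeholder: current release
TARSNAP_SHA256="${TARSNAP_SHA256:-PUBLISHED_SHA256}"  # placeholder: published digest
TARBALL="tarsnap-autoconf-${TARSNAP_VERSION}.tgz"

# 1. Headers the stock image lacks (OpenSSL, zlib, ext2 attributes) plus a compiler.
install_deps() {
    sudo apt-get update && sudo apt-get install -y build-essential libssl-dev zlib1g-dev e2fslibs-dev
}

# 2. Download, check the digest before building anything, compile, install.
install_tarsnap() {
    wget -q "https://www.tarsnap.com/download/${TARBALL}" || return 1
    printf '%s  %s\n' "$TARSNAP_SHA256" "$TARBALL" | sha256sum -c - || return 1
    tar xzf "$TARBALL" && (cd "tarsnap-autoconf-${TARSNAP_VERSION}" && ./configure && make && sudo make install)
}

# 3. Config. The top of tarsnap.conf: cache dir, the machine key, and the usual
# recommended options; keyfile points at the key tarsnap-keygen writes.
render_config() {
    printf 'cachedir /usr/local/tarsnap-cache\nkeyfile %s\nnodump\nprint-stats\ncheckpoint-bytes 1G\nhumanize-numbers\n' "$1"
}

configure_tarsnap() {
    keyfile="${1:-$HOME/tarsnap.key}"
    sudo mkdir -p /usr/local/tarsnap-cache /usr/local/etc   # -p: no error if present
    render_config "$keyfile" | sudo tee /usr/local/etc/tarsnap.conf >/dev/null
}

# Registers this machine with the account; prompts for the Tarsnap password.
generate_key() {
    tarsnap-keygen --keyfile "${1:-$HOME/tarsnap.key}" --user "${2:?account email}" --machine "$(hostname)"
}

# 4. Archive name as in the post (<servername>-<YYYYMMDD>) and the first backup.
archive_name() {
    printf '%s-%s\n' "${1:-$(hostname -s)}" "${2:-$(date +%Y%m%d)}"
}

first_backup() {
    tarsnap -c -f "$(archive_name "$1")" "${2:-/home/$USER}"
}
```

Run the functions in order (install_deps, install_tarsnap, configure_tarsnap, generate_key, first_backup); install_tarsnap deliberately refuses to build while the digest placeholder is unset.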

Below is the output of tarsnap --help, if you’re interested.

You can read more about Tarsnap at their homepage, tarsnap.com. They also have a page describing their infrastructure setup, which is kinda neat. Tarsnap also runs a bug bounty program.

I’ve only tested this on DigitalOcean VPS’s running Ubuntu 14.04 x64, but it should work on most Ubuntu variants.

Did I miss something or get something totally wrong? If so, please let me know, the comments are open!