Modsecurity rule to filter CVE-2021-44228/LogJam/Log4Shell [update]
Robert Penz Blog » Linux
by robert
2y ago
As a fast workaround, a friend of mine made a modsecurity rule to filter CVE-2021-44228/LogJam/Log4Shell, which he allowed me to share with you.

SecRule \
  ARGS|REQUEST_HEADERS|REQUEST_URI|REQUEST_BODY|REQUEST_COOKIES|REQUEST_LINE|QUERY_STRING "jndi:ldap:" \
  "phase:1, \
  id:751001, \
  t:none, \
  deny, \
  status:403, \
  log, \
  auditlog, \
  msg:'Block: CVE-2021-44228 - deny pattern \"jndi:ldap:\"', \
  severity:'5', \
  rev:1, \
  tag:'no_ar'"

New improved version ..read more
Jitsi Workaround for CVE-2021-44228/LogJam/Log4Shell
Robert Penz Blog » Linux
by robert
2y ago
You surely heard of the LogJam / Log4Shell / CVE-2021-44228 – if not, take a look at this blog post. If you’re running Jitsi, it is most likely vulnerable, and as there is no fix currently, you need a workaround, which I provide here for you. You need to add -Dlog4j2.formatMsgNoLookups=True at the correct places in the file – the position is important.

/etc/jitsi/jicofo/config
/etc/jitsi/videobridge/config

And restart the processes or restart the server. The post Jitsi Workaround for CVE-2021-44228/LogJam/Log4Shell first appeared on Robert Penz Blog ..read more
Proxmox Container with Debian 10 does not work after upgrade
Robert Penz Blog » Linux
by robert
2y ago
I just did an apt update / upgrade of a Debian 10 container and restarted it afterwards and got the following:

# pct start 105
Job for pve-container@105.service failed because the control process exited with error code.
See "systemctl status pve-container@105.service" and "journalctl -xe" for details.
command 'systemctl start pve-container@105' failed: exit code 1

With a more verbose startup I got the following:

# lxc-start -n 105 -F -l DEBUG -o /tmp/lxc-ID.log
lxc-start: 105: conf.c: run_buffer: 335 Script exited with status 25
lxc-start: 105: start.c: lxc_init: 861 Failed to run lxc.hook.pre-start fo ..read more
Howto visualize your water meter and get alerted if too much water is used
Robert Penz Blog » Linux
by robert
2y ago
In the village where I live the water meter is replaced every 5 years, and this year was the fifth year. I took the opportunity to talk to the municipal office about whether it was possible to get a water meter with an impulse module, which I could integrate into my network. And they said yes – Thx again! So last week they came by and put the new one in. I was not at home, and when I came home I found the following: They also left the packaging, so I was able to guess the module. For me it looked like a “Ringkolben-Patronenzähler MODULARISRTK-OPX” from Wehrle as shown in this datasheet. I was not 100% sure i ..read more
Howto install Wireguard in an unprivileged container (Proxmox)
Robert Penz Blog » Linux
by robert
2y ago
Wireguard is the new star on the block concerning VPNs – and yes, it has some benefits over the old VPN technologies, but I won’t talk about them as there is much information about that on the Internet. This blog post just explains how to set it up in an unprivileged container. In my case everything is done on a Proxmox server. Let’s start: On the Proxmox host itself we need to get the kernel module running. As Proxmox is based on Debian, we just pin the Wireguard package from unstable, which is the way recommended by the Debian project in this case.

echo "deb http://deb.debian.org/debian/ unstable ..read more
Howto install Bitwarden in a LXC container (e.g. Proxmox)
Robert Penz Blog » Linux
by robert
2y ago
As many of you know me, I’m quite serious about security and therefore a believer in the theory that a service which is not reachable (e.g. from the Internet) cannot be attacked as easily as one that is. Looking at password managers, this makes choosing not that easy. Sure, there is Keepass and its descendants, but they have the problem that the security is based solely on the master password and the end device security. Knowing friends that use Google Drive for syncing the password file between their devices, I looked at that option, but it was not right for me (e.g. Browser integration, 2FA ..read more
Howto setup a Debian 9 with Proxmox and containers using as few IPv4 and IPv6 addresses as possible
Robert Penz Blog » Linux
by robert
2y ago
My current Linux Root-Server needs to be replaced with a newer Linux version and should also be much cheaper than the current one. So at first I looked at what I don’t like about the current one: It is expensive at about 70 Euros / month. The following is responsible for that:

My own HPE hardware with 16GB RAM and a software RAID (hardware RAID would be even more expensive) – iLO (or something like it) is a must for me
16 additional IPv4 addresses for the virtualized containers and servers
Large enough backup space to get back some days.
A base OS which makes it hard to run newer Linux version ..read more
Accessing Mikrotik RouterOS via MAC Telnet from a Linux box
Robert Penz Blog » Linux
by robert
2y ago
If you know Mikrotik Routers, you know that you’re able to access them via MAC Telnet (see here for more details) via Layer 2 with Winbox. But running Winbox via Wine on a Linux box is not that great for using MAC Telnet, and there is a better way .. just use MAC-Telnet from Håkon Nessjøen. On Ubuntu/Debian you can just install the package with sudo apt-get install mactelnet-client and you see its features like this:

$ mactelnet -h
MAC-Telnet 0.4.2
Usage: mactelnet <MAC|identity> [-h] [-n] [-a <path>] [-A] [-t <timeout>] [-u <user>] [-p <password>] [-U <user>] | -l ..read more
Howto live-sniffer traffic on a remote Linux system with Wireshark
Robert Penz Blog » Linux
by robert
2y ago
You ask why you should need this at all? Easy, sometimes a tcpdump is not enough or not that easy to use:

You want to check the TTL/hop count of BGP packets before activating TTL security
You want to look at encrypted SNMPv3 packets (Wireshark is able to decrypt it, if provided the password)
You want to look at DHCP packets and their content

Sure, it’s quite easy to sniff on a remote Linux box with tcpdump into a file, copy that over via scp to the local system and take a closer look at the traffic. But getting used to the feature of my Mikrotik routers to stream traffic live to m ..read more
Block Ransomware botnet C&C traffic with a Mikrotik router
Robert Penz Blog » Linux
by robert
2y ago
In my last blog post I wrote about blocking, detecting and mitigating the Locky Ransomware. I referenced an earlier blog post of mine which allows blocking traffic to/from the Tor network. This blog post combines both – a way to block Ransomware botnet C&C traffic on a Mikrotik router. The basis is the block lists from Abuse.ch, which also provide a nice statistic. Locky is not the most common Ransomware today.

Linux part

You also need a small Linux/Unix server to help. This server needs to be a trustworthy one, as the router executes a script this server generates. This is required as ..read more