wannacrypt killswitch morph proof

I was tracking Wannacrypt over the weekend and had an idea which I felt can be rolled out quickly. Listing it out as succinctly as possible:
  1. The killswitch is what it essentially hinges on. An unregistered domain in the code
  2. the encryption and further execution stops if the domain specified in code is resolved and a http connection established.
  3. the killswitch domainname in the wannacry code has changed which means sinkholing just one or two domain names will not work
  4. so what if we could resolve all unregistered domains to a honeypot.
  5. DNS by nature cannot be gamed to do this as it will cause havoc.
  6. Maxmind GeoIP has a domainame database 
  7. write a small dns server drop in replacement which uses a local copy of this database
  8. the drop in dns server sits infront of actual organization dns server
  9. checks domain name in the maxmind db.
  10. if found in db lets request pass on to actual dns or replies
  11. if not found our drop in dns server replies with a honeypot IP
  12. honeypot IP is running a http server and allows the http connect
  13. http connect happens and killswitch is activated. Wannacrypt/wannacry stops execution
This can be dynamically configured by giving dns IP to our drop in application server. Later as dust settles further course of action can be decided.
Potential to provide clients with a solution that so far is not available. Effect on normal working of applications is nil. It can be explained to clients in an advisory.

Online Radio – Howto


Here’s a howto for setting up your own online internet radio station. This was done on a CentOS 6.2 platform but it’s pretty much the same for others as well. Most of the installs are source compiles, yum has been used for some libraries you could use your favourite package manager on your server.

Config files and installation service are available on request. We will be refining this project over time adding much much more funtionality and software to the web player. for now enjoy this player here:

Prepare the server for greatness

  •  yum -y install bzip2-devel ncurses-devel aspell pspell expat-devel gmp-devel freetype-devel flex-devel ruby-libs ruby gd-devel subversion libjpeg-devel libpng-devel gcc-c++ gcc-cpp curl-devel libxml2-devel libtool-ltdl-devel httpd-devel pcre-devel libc-client-devel unixODBC-devel postresql-devel net-snmp-devel libxslt-devel sqlite-devel readline-devel atop htop pspell-devel
  • cd /home/imtiaz/src/; wget http://space.dl.sourceforge.net/project/lame/lame/3.98.4/lame-3.98.4.tar.gz
  • tar -zxf lame-3.98.4.tar.gz
  • cd lame-3.98.4
  • ./configure
  • make
  • make install
  • yum install libshout-devel, flac-devel, perl-devel, python-devel, libmp4v2-devel

add a user which will be used to run everything

  • useradd ice
  • passwd ice

start working on the streaming server setup as the user from above

  • su – ice
  • mkdir src
  • cd src
  • wget http://downloads.xiph.org/releases/icecast/icecast-2.3.2.tar.gz
  • wget http://www.centova.com/clientdist/ices/ices-cc-0.4.1.tar.gz
  • tar -zxf icecast-2.3.2.tar.gz
  • tar -zxf ices-cc-0.4.1.tar.gz

setup icecast

  • cd icecast-2.3.2
  • ./configure –prefix=/home/ice/srv
  • make
  • make install

build a local copy of flac 1.1.2(or lower) as ices wont work with latest versions of flac

  • cd ..
  • wget http://downloads.sourceforge.net/project/flac/flac-src/flac-1.1.2-src/flac-1.1.2.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fflac%2Ffiles%2Fflac-src%2Fflac-1.1.2-src%2F&ts=1338063039&use_mirror=space
  • tar -zxf flac-1.1.2.tar.gz
  • cd flac-1.1.2
  • ./configure –prefix=$HOME/srv
  • make
  • make install

build ices

  • cd ../ices-cc-0.4.1
  • make distclean
  • ./configure –prefix=/home/ice/srv –with-flac=/home/ice/srv
  • make
  • make install

work on the housekeeping

  • export PATH=/home/ice/srv/bin/:$PATH
  • cd srv
  • cd etc/
  • vi icecast.xml
  • cd
  • mkdir -p /home/ice/srv/var/log/icecast
  • chmod -R 755 /home/ice/srv/var

Launch icecast

  • /home/ice/srv/bin/icecast -c /home/ice/srv/etc/icecast.xml -b

(-b sends it to the background, icecast.xml will need to be editted for passwords etc.)

playlist setup and directory structure for music files and playlists

  • cd
  • mkdir media
  • cd media
  • mkdir pls
  • cd ~/srv/bin
  • vi mp3list
  • cd ~/media
  • cd music

##(remove spaces from name of songs)

  • find . -name ‘* *’ | while read file; do target=`echo “$file” | sed ‘s/ /_/g’`; echo “Renaming ‘$file’ to ‘$target'”; mv “$file” “$target”; done;
  • cd ~srv
  • cd bin
  • chmod 755 mp3list

##(generate the playlist)

  • ./mp3list ~/media/music/1 1

(write the config file for the stream)

  • cd ~/srv/etc/
  • mkdir stubs
  • cd stubs
  • vi 1.conf

Launch ices

  • cd
  • srv/bin/ices -c srv/etc/stubs/1.conf

Create the webpage for the demo embedded player

  • su –
  • cd /var/www/vhosts/default/htdocs/
  • mkdir radio
  • cd radio
  • vi 1.htm
  • chmod 755 radio -R

That is it, your radio is online and you can tune in by going to the mountpoint you setup in the ices configuration you used. If you need assistance with this setup please mail us on R at NetBrix dot net. Lots of improvements on the way in the meanwhile enjoy this online radio channel

speed up with varnish

Varnish makes your websites fly

….so goes the byline and frankly they’re not lying. I use varnish on atleast 8 websites that do over 200,000 impressions a day. The way it works is actually pretty simple and can be implemented using a plethora of other tools, only varnish does it much more efficiently. Varnish is primarily a website accelerator but it can be configured to work as a high availability load balancer (hell yeah it can beat the pants of any hardware HA load balancer if configured right on the right hardware it can probably do better than an H5). Some of the advertised features

A modern design
VCL – a very flexible configuration language
Load balancing with health checking of backends
Partial support for ESI
URL rewriting
Graceful handling of “dead” backends

The important thing to know is that varnish can be easily dropped in into your cPanel or Plesk managed server and not cause havoc (unlike a lot of opcode caching solutions and other website speedup options). It can probably extend your servers capacity by atleast 50% and much more depending on what percentage of your content is static (images, videos for instance). I’ve used it on practically dead in the water servers, running 150+ sites with 140+ databases, the corresponding zones on named and email with spam/virus scanning for those 150+ sites all off of 2Gb RAM. Moved from 1.83seconds per kb to 0.01kbps, enuf said!!

So in case you’re looking to improve the user experience on your site without investing in improved hardware you should look at varnish as a solution. Also for much less than the cost of owning a hardware load balancer, or a slice of a shared load balancer for that matter, you can setup a software load balancer. Varnish works off one of your webservers alongside the webserver instance and takes the load off of your webserver(s) leaving it free to do the processing for more clients thus expanding your capacity without draining you at the bank.

Before upgrading hardware you’d probably do well to talk to us about setting up your server with Varnish. Please feel free to use the contact form or mail us on support@netbrix.net

varnish with plesk or cpanel

So this is what it is…. if you need help with the setup please use the contact form.

rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
yum install varnish.x86_64 or aptitude install varnish

edit /etc/default/varnish or /etc/sysconfig/varnish — change ports as required
edit /etc/varnish/vcl.conf or /etc/varnish/default.vcl — change backend information

/usr/local/psa/admin/sbin/websrvmng –set-http-port –port=80
/usr/local/psa/admin/sbin/websrvmng –reconfigure-all

/etc/init.d/httpd stop
/etc/init.d/varnish start
/etc/init.d/httpd start

go to tweak settings in WHM and change the port for apache to a non standard one (say 8081)

stop/start apache make sure its listening on new port
start varnish

secure mail (Postfix+SMTP_AUTH+SMTPS — DOVECOT+IMAPS)

This is a quick and dirty on howto enable smtp_auth and ssl encryption for smtp services along with secure imap. I like ot use postfix and dovecot.

yum install dovecot cyrus-imapd

wget http://www.tigertech.net/mirrors/postfix-release/official/postfix-2.8.3.tar.gz
tar -zxf postfix-2.8.3.tar.gz
cd postfix-2.8.3
make tidy
make makefiles CCARGS="-DUSE_TLS -DUSE_SASL_AUTH -I/usr/local/include/sasl -DUSE_CYRUS_SASL -I/usr/include/sasl" AUXLIBS="-L/usr/local/lib -lsasl2 -lssl -lcrypto"
make install

smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
local_recipient_maps =
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
broken_sasl_auth_clients = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtps inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_sender=yes
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o broken_sasl_auth_clients=yes
-o smtpd_tls_wrappermode=yes

(NOTE: last line is important for supporting buggy clients like outlook express for mac and windows)

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
openssl pkcs12 -export -in smtpd.crt -inkey smtpd.key -out OutlookSMTP.p12

RELOAD POSTFIX (at this point smtps and smtp_auth are done)


protocols = imaps pop3s

protocol imap {
listen = *:143
ssl_listen = *:993
protocol pop3 {
listen = *:110
ssl_listen = *:995

ssl_disable = no

ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem

mail_location = mbox:~/mail:INBOX=/var/mail/%u

RELOAD DOVECOT (at this point imaps and pops3 on ports 993 and 995 respectively are enabled)

ensure firewall allows ports 993, 995, 465 are all open.