Topic: server probing  (Read 1265 times)

Palloy
server probing
« on: May 31, 2015, 07:42:48 PM »
A while ago I was experimenting with writing a mail server that uses PGP encryption, and this had the server listening on port 995 (usually used by POP3S, SSL encryption).  To my surprise, within 20 minutes someone in China had probed it, presumably to try to break in.  The probe failed because it didn't know to talk in PGP.

Then a few days ago, I tried an experiment with a dummy server listening on port 8888 (not usually used at all).  This time it took 40 hours, but someone with the Chinese ISP Unicom Beijing probed the server.  The probe failed because everything is treated as a failure.

What this demonstrates is that people in China (and probably everywhere) are constantly probing every possible server on the internet.  This is why DD's web server needs to be prepared for anything, and all its security updates should be kept up to date.
The State is a body of armed men
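
A dummy listener of the kind described in the post above, as an added example (not Palloy's code): it accepts any TCP connection on port 8888, records the source address and the first bytes sent, and closes without replying, so every probe fails. The function names and log fields are assumptions made for this sketch.

```python
import socket
import threading
import time

MAX_BYTES = 256      # cap on how much of a probe is kept
READ_TIMEOUT = 3.0   # seconds to wait for the client's first bytes

def handle_probe(conn, peer, log):
    """Record who connected and what they sent first, then drop them."""
    data = b""
    try:
        conn.settimeout(READ_TIMEOUT)
        data = conn.recv(MAX_BYTES)
    except OSError:          # timeout or reset: the connect itself is still logged
        pass
    finally:
        conn.close()         # never answer: every probe is treated as a failure
    record = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
              "ip": peer[0], "port": peer[1], "first_bytes": data}
    log.append(record)
    return record

def start_listener(host="0.0.0.0", port=8888, log=None):
    """Listen in a background thread; returns (listening socket, log list)."""
    log = [] if log is None else log
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:  # listening socket was closed
                return
            threading.Thread(target=handle_probe, args=(conn, peer, log),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, log

if __name__ == "__main__":
    _, probes = start_listener()
    seen = 0
    while True:              # print each new probe record as it arrives
        time.sleep(1)
        new = probes[seen:]
        seen += len(new)
        for rec in new:
            print(rec)
```

The logged `first_bytes` show what protocol the prober assumed, which is often enough to tell a scanner's HTTP or TLS hello from random noise.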

RE
Re: server probing
« Reply #1 on: May 31, 2015, 08:25:40 PM »
I emailed Doomer Support again on the issue of getting upgraded and fixing security problems.  Have not heard back from him.

I would welcome your assistance in this matter.

Contact me in PM.

RE
Save As Many As You Can

RE
Diner Security
« Reply #2 on: July 18, 2015, 09:15:45 PM »
Babbles has recommended a PGP encryption system which is portable and works cross-platform.

I am currently experimenting with it.

My Public Key is below.  You will need this if you encrypt a message for my eyes only:


You will also need a Private Key on your end in the Encryption.  You must generate the Private-Public Key pair before composing the message.

You are welcome to send me a secure message to test the system.  You will need to generate your own Public & Private Keys to be able to do this, and publish the Public Key, either here on the Diner or elsewhere.  Publishing the Public Key in no way diminishes the overall security.  The recipient has to know his/her Private Key as well in order to decode the message.

You can use this system to make sure only intended recipients will be able to read your emails and PMs.

RE
Save As Many As You Can

Palloy
Re: server probing
« Reply #3 on: July 18, 2015, 10:02:16 PM »
This is Palloy's public key - we should have these keys (or their .asc file equivalents) on DD somewhere obvious.

and now here is a private message to RE:

OK?
The State is a body of armed men

RE
Diner TOP SECRET Communications
« Reply #4 on: July 19, 2015, 12:34:59 AM »
Mary had a little lamb,
she kept it in a bucket ...

It Works!

We now have NSA and Hacker-Proof communications for sensitive material such as account passwords.  :icon_sunny:

Other than that I see no need for a security certificate for normal Diner chit-chat.  It's got to be publicly available for reading by anyone to get the message out.

I will make a thread in FAQ for Diners to publish their Public Keys.

RE

Save As Many As You Can

Palloy
Security Certificates
« Reply #5 on: September 16, 2015, 06:37:36 PM »
Let's Encrypt ( http://letsencrypt.org ) is an organisation that wants everybody that runs a web server and/or a mail server to have a security certificate, and everybody that goes to those websites to use https:// to encrypt the traffic while it is moving across the internet.  The only problem is that security certificates are issued by Certificate Authorities (CAs) and they CHARGE for them.  It's a rip-off because it takes almost no work to do, and mostly that consists of maintaining the billing system.

So Let's Encrypt has decided to become a CA itself and to issue certificates for FREE.  They have just become an official CA, although most browsers haven't yet been updated to acknowledge that.  They aren't quite ready to start issuing free certificates yet, but it won't be long.  They have one working on their own website.

If you go to http://letsencrypt.org/certificates/ you can download their root certificate, their normal issuing certificate, and their backup certificate.  Firefox uses certificates in ".pem" format; I'm not sure what other browsers use, but .pem is likely to work.  Since it hasn't seen them before, Firefox will ask you if you trust them, which you do.

For each of the three CA certificates, tick all the boxes and click OK.  You can then go to https://letsencrypt.org and see the website securely, and without Firefox giving you a scary warning about the site's certificate not being trusted.

I propose DD gets a free certificate when they are available.
The State is a body of armed men

RE
Re: Security Certificates
« Reply #6 on: September 16, 2015, 07:23:47 PM »
I'm always up for getting FREE stuff!  :icon_mrgreen:  I authorize you to get us a Free Security Certificate!  At least as long as this won't bollix up access to the Diner for the population at large.

BTW, did you see my post about Proton Secure Email?  You should get a Proton email addy.  It's end to end encrypted if both sender and recipient are using Proton.  I like GPG4USB better, but this is easier to use and pretty secure.  Also, it encrypts your file attachments as well as the text in your mail.

Far as the Diner goes, again nothing on the Blog or Forum needs encryption or a security certificate.  The Mail Server could benefit from a security certificate if anybody was using it, but so far we don't use the mail server other than to collect responses from the Contact page.

The only thing which needs High Security/TOP SECRET are the Passwords to the various Diner Accounts.  For exchanging those, we can use GPG4USB.

RE
Save As Many As You Can

 
