Moving Services to Ubiqtorate

Updates for Operation
Cleanup on README
Added table of counters for tracking technology selection
Naming cleanup
Renamed Bastion to Nazara
2020-10-08 16:38:15 -05:00
parent 06f37260ec
commit 5c42170cc2
29 changed files with 107 additions and 1057 deletions


@@ -2,20 +2,25 @@ These are cybersecurity incidents that the AniNIX has had to remedy due to some
**Note**: We explicitly exclude routine incidents, such as IP's banned for SSH brute-force, files quarantined after virus scanning, and other routine housekeeping.
{{Incident Report|Attacker used a default password to pull down a Perl SMTP spambot and email list to spam fake Bank of America emails to users, attempting to phish them into clicking an xplotica link.
|title=January 2018 Spambot Detection
|date=11-29-2017 through 1-4-2018
|who=IRL identity unknown; last source IP 196.52.32.4 (Netherlands residential)
|type=Spambot
|vector=Attacker used a default password to access a monitoring user account; spambot and target lists were downloaded from a GoDaddy webhost (now nonfunctional).
|detect=Detection was provided by the ISP and [https://www.abusix.com/ Abusix]. The Postfix service was shut down, and forensic analysis performed starting with the /var/spool/mail folder.
|assets=[[Core|AniNIX::Core]]
|impact=This has negatively impacted the AniNIX's reputation as an SMTP source -- we are following up with Abusix and Google to restore our reputation.
# January 2018 Spambot Detection
An attacker used a default password to pull down a Perl SMTP spambot and email list to spam fake Bank of America emails to users, attempting to phish them into clicking an xplotica link.
* When: 11-29-2017 through 1-4-2018
* Who: IRL identity unknown; last source IP 196.52.32.4 (Netherlands residential)
* What: Spambot
* * Vector: Attacker used a default password to access a monitoring user account; spambot and target lists were downloaded from a GoDaddy webhost (now nonfunctional).
Detection was provided by the ISP and [https://www.abusix.com/ Abusix]. The Postfix service was shut down, and forensic analysis performed starting with the /var/spool/mail folder and tmux session capture.
# Impact
This has negatively impacted the AniNIX's reputation as an SMTP source -- we are following up with Abusix and Google to restore our reputation.
Current forensic investigation does not indicate a compromise to any AniNIX privileged information.
|actions=* Monitoring user password has been rotated on all systems.
* Automatic password rotation for service accounts added to the ConfigPackages and other repos in [[Foundation|AniNIX::Foundation]]
|plan=[[Cerberus|AniNIX::Cerberus]] needs updates to better monitor lastlog output and the sshd "Accepted" regex in journald. Postfix will be evaluated for appropriate MTA settings and restored to service later.
|logs=[file:///home/cxford/Desktop/Incident Response - 1-4-2018|Contact an admin for access.]}}
[[Category:Operation]]
## Our Response
* Monitoring user password has been rotated on all systems.
* Automatic password rotation for service accounts will be added to the service deploy automation.
* Sharingan needs updates to better monitor lastlog output and the sshd "Accepted" regex in journald. Postfix will be evaluated for appropriate MTA settings and restored to service later.
Contact an admin for access to incident files.
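Review bot: the nested bullet `* * Vector: ...` under `* What: Spambot` renders as a literal asterisk in Markdown; indent it as a sub-item (`  * Vector: ...`) instead. The heading levels in the converted page are also inconsistent: the title and `# Impact` are both H1 while `## Our Response` is H2, so make `Impact` and `Our Response` the same level beneath the title. The new response list changes "Automatic password rotation for service accounts added to the ConfigPackages and other repos in Foundation" (a completed action) into "will be added to the service deploy automation" (a pending one); confirm which is accurate and keep the repo reference if the work was done. Replacing the `file:///home/cxford/...` logs link with the "Contact an admin" line is the right call for a public page, and the `Cerberus` to `Sharingan` rename in the plan line matches the naming cleanup in the commit message.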


@@ -1,62 +0,0 @@
This is a list of active quality-assurance notes (QANs) being worked on by AniNIX staff. Lists are sorted in order of priority.[[Category:Operation]][[Category:TODO]]
If you see a problem with our code, go to [https://aninix.net/irc/ IRC] and send a memo to the #tech channel with what you've found. These will be parsed into the ideas list or assigned-QANs lists below by admins.
<pre>
/ms send #tech <some note>
</pre>
Alternatively, you can make a new page as a child of this one, using [[:Template:QAN]], and assign it to yourself to work on the project. These will appear in [[Category:Open QANs]] automatically for assignment.
# Ideas
## GDPR WebApp
Add /gdpr WebApp to Webserver to download user content. Look at Sharingan source.
## Foundation
* Finish PKGBUILDs
* Identify why CGIT is suppressing "Receiving objects" and other typical git-clone messages.
## Maat
* Look into either using [https://wiki.archlinux.org/index.php/GnuPG GPG keyserver] or adding key fingerprint to [https://wiki.archlinux.org/index.php/PKGBUILD#validpgpkeys PKGbuilds]
* Test Jenkins for E2E, but require Lighttpd auth before proxying app, like Sharingan.
## Sora
* ldap-adduser.bash should make use of 'sed -i "s/^term: /c\term: Newething/" file' to simplify
* Improve regexes to handle names like TJ or emails like blar@something.subdomains.jp
* Add MemberOf overlay
<!-- ==ExploitChecks
* Add BEAST, BIND, DirtyCOW, CVE-2016-4484, [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456 VENOM], [https://access.redhat.com/security/vulnerabilities/stackguard StackGuard] -->
## CryptoWorkbench
* Update to include flag for suppressing color usage
* Update to improve helptext and error checking
<!--
* Consider ncurses for line recall and better capture of input. [http://curses-sharp.sourceforge.net/API/ Curses Sharp] could do this. MARKING FOR FUTURE -->
## TheRaven
* Add suppress functionality for printing URL headers in conf.
* r.in function to remind users/channel in X amount of time with a given message.
* r.translate function that acts on the last message and translates with Google translate.
* Add PostGres integration
* Implement karma system -- nospaces-- or (with spaces)-- should update key
* Implement counter system -- r.counter keyword sets timestamp, r.counterdiff keyword returns time delta.
* Update searches to allow returning top result if possible. Use searches script folder?
* Add random copypasta linker/quoter via URL http://www.bash.org/?random
* Discord support
* Set attributtes on lists so that r.whitelist/r.blacklist/etc. can be generalized. Steal from CryptoWorkbench subscription model.
* Add IQ/word notification so that TheRaven can notify admins of useful conversations via Djinni
## CSS/.Xresources
Because CSS.
* Spacing between white borders is inconsistent.
* Standardize color requirements between CSS and .Xresource files.
* Consider [https://exercism.io exercism.io]'s layout
* [[Template:Reference]] has odd spacing of icons in some browsers.
* [https://aninix.net/foundation/TheRaven Repo tables] need to include tabulating borders.
## SSH
Consider offering certificate authentication. [https://code.fb.com/security/scalable-and-secure-access-with-ssh/ See Facebook's example.]
## IRC
Write MailServ daemon to proxy emails to MemoServ and allow outbound?
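Review bot: this deletes the whole QAN page (`@@ -1,62 +0,0 @@`) without a replacement anywhere in the diff, and several open items are not tracked elsewhere in this commit, e.g. the SSH certificate-authentication idea, the commented-out ExploitChecks list (BEAST, DirtyCOW, VENOM, StackGuard), and the Sora regex and MemberOf overlay work. Either reference in the commit message where these moved (issue tracker, the new counters table) or keep the page until the items are migrated. Dropping the MediaWiki-only syntax here (`<pre>`, `[[Category:...]]`, `[[:Template:QAN]]`) is consistent with the Markdown conversion in the rest of the commit, so the deletion is reasonable once the content is accounted for.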


@@ -0,0 +1,39 @@
| Attack vector | Defensive tool | AniNIX Selection |
| ------------- | -------------- | ----------------- |
| Worms, virus | AV | Sharingan(ClamAV) |
| Ransomware | Backups | Aether |
| Trojan/Shims | code signing | GPG |
| Rootkits | rkhunter/ASLR | |
| keylogger | HIDS | Sharingan(ossec) |
| Adware/spyware| DNS Blackhole | Pihole |
| Shodan IoT | dedicated VLAN | 10.0.2.0/24 |
| RATs | NIDS | Sharingan(zeek) |
| Logic bomb | HA/Peer review |Inquisitorius(Git) |
| Backdoors | Vuln scanners | OpenVAS |
| SOCENG, phish | DLP (weak), edu| Markdown |
| Nmap | Firewall | nftables |
| DDoS | Cloudflare | Offline Git/DL |
| DPI / MITM | Encryption | OpenSSH |
| Buf overflow | ASLR | SAST/DAST |
| XSS/XSRF | WAF / CSP | ??? |
| ARP poison/amp| Managed switch | |
| DNS hijack | DNS over HTTPS | Pihole 1.1.1.1 |
| MitM | SSL | Let's Encrypt |
| Zero day | Pentesting | Kali |
| Spoofing | Physsec | |
|Wireless replay| Strong creds | WPA2/AES, radiusd |
| IV | Strong creds | WPA2/AES, radiusd |
| Evil twin, etc| Wifi scanning | monitored Rpi NIC |
| WPS | Don't. | |
| Bluejacking | Don't Bluetooth| |
| De-auth | 802.11x | |
| B-day/rainbow | large hash | |
| Dict., BF | 8x4 | Sora pwdPolicy |
| Online BF | IPS |Sharingan(sshguard)|
| PTH / replay | nonce salting | OpenSSH/SSL conf |
| Weak implement|VCS config audit| Foundation(Gitea) |
| Hacktivist/APT| SIGINT, OSINT | Singularity(TTRSS)|
| Insiders | Role/work RNG | N/A |
| Tailgating | Trained guards | Martial Arts |
| Asset sprawl | IPAM w/ audits | Inventories |
| 1.6 | Patching |Ubiqtorate(Ansible)|
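Review bot: the last row's attack vector reads `1.6`, which looks like a stray placeholder rather than a vector; the `Patching | Ubiqtorate(Ansible)` row presumably covers unpatched known vulnerabilities, so name it. Several rows leave the AniNIX Selection column empty (Rootkits, ARP poison/amp, Spoofing, WPS, Bluejacking, De-auth, B-day/rainbow) and XSS/XSRF is `???`; if these are deliberately open, a `TBD` marker would distinguish them from omissions. A few pairings mix categories: `Buf overflow | ASLR | SAST/DAST` puts a runtime mitigation in the tool column and code-analysis tooling in the selection column, and `DDoS | Cloudflare | Offline Git/DL` names a vendor as the defensive tool and a fallback as the selection. The `De-auth | 802.11x` entry is likely meant to be 802.11w (protected management frames); 802.1X is port-based authentication and does not stop deauthentication frames. Finally, cell padding is uneven (`|Wireless replay|`, `|Sharingan(sshguard)|`, `|Inquisitorius(Git) |`); it renders, but aligning the columns keeps future diffs of this table readable.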