Attractive deal? Check how long that website’s been around.

Was that vendor set up yesterday to try and take money from you today?

One thing that happens as advertisers’ algorithms learn more about you is much more targeted advertising, often with a web link attached.

Ever wonder how long that website’s been around? Setting up shop, scamming money, and disappearing are tactics as old as scams themselves, long before the Internet. Checking how long a domain name has been around can help detect a scam.

One thing I do when I check advertising is check how old the domain name is. The domain name is the .com, .org, .gov, .net, etc., plus the word before it, starting from the preceding / or ., whichever is closest before the .com. For example, www.disney.com breaks down to the domain name disney.com.

How old is the domain name disney.com?

The whois command reveals that information and more, with 156 lines of output. The dates are among the first lines and are scrolled off the top of the screen, so you have to scroll up to see them.

Substitute a function, called by the same name, that uses whois and grep to produce less output, focused on dates and attributes like URLs. The substitute command returns 23 lines. These are the lines:

$ whois disney.com
   Updated Date: 2021-01-21T15:04:59Z
   Creation Date: 1990-03-21T05:00:00Z
   Registry Expiry Date: 2023-03-22T04:00:00Z
NOTICE: The expiration date displayed in this record is the date the
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
view the registrar's reported date of expiration for this registration.
Updated Date: 2021-01-15T16:22:12Z
Creation Date: 1990-03-21T00:00:00Z
Registrar Registration Expiration Date: 2023-03-22T04:00:00Z
Registry Registrant ID: 
Registrant Name: Disney Enterprises, Inc.; Domain Administrator
Registrant Organization: Disney Enterprises, Inc.
Registrant Street: 500 South Buena Vista Street, Mail Code 8029
Registrant City: Burbank
Registrant State/Province: CA
Registrant Postal Code: 91521-8029
Registrant Country: US
Registrant Phone: +1.8182384694
Registrant Phone Ext: 
Registrant Fax: +1.8182384694
Registrant Fax Ext: 
Registrant Email: Corp.DNS.Domains@disney.com

It’s easier to see only the dates and some other relevant info by customizing my own whois. I’m sure it can be improved on, but for the time being this listing is the substitute whois in my .bash_aliases.

function whois {

        if [ $# -ne 1 ]; then
                printf 'Usage: whois <domain.tld>\nTo use the native whois, precede the command with a backslash: \\whois <domain.tld>\n'
                return 1
        fi

        # call the installed whois by full path so this function doesn't call itself
        /usr/bin/whois "$1" | grep -wi "date\|registrant\|contact domain\|holder"

        ## haven't tried outside Ubuntu
        ## a possibility to make this somewhat portable (which is an external
        ## command, so it finds the binary rather than this function):
        ## "$(which whois)" "$1" | grep -wi "date\|registrant\|contact domain\|holder"
}

Now, for an advertisement that’s been showing up in my Facebook feed lately, there’s listncnew.com. It sells NEW laptops and MacBooks for $75 – $95!! I figured it must be a scam but, for that price, worth the risk because I could cancel the credit card transaction. Before I placed the order I ran the domain name through my substitute whois to see when the domain was registered. It was created in October 2021, very new. I didn’t expect to get my order and didn’t. At least I wasn’t out the money, and now I have a way to look at whois data that limits the output to show only the information relevant to me.

$ whois listncnew.com
   Updated Date: 2021-10-26T09:14:16Z
   Creation Date: 2021-10-26T09:10:35Z
   Registry Expiry Date: 2022-10-26T09:10:35Z
NOTICE: The expiration date displayed in this record is the date the
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
view the registrar's reported date of expiration for this registration.
Updated Date: 2021-10-26T09:13:25Z
Creation Date: 2021-10-26T09:10:35Z
Registrar Registration Expiration Date: 2022-10-26T09:10:35Z
Registry Registrant ID: 5372808-ER
Registrant Name: Privacy Protection
Registrant Organization: Privacy Protection
Registrant Street: 2229 S Michigan Ave Suite 411
Registrant City: Chicago
Registrant State/Province: Illinois
Registrant Country: United States
Registrant Postal Code: 60616
Registrant Email: Select Contact Domain Holder link
Admin Email: Select Contact Domain Holder link
Tech Email: Select Contact Domain Holder link
Billing Email: Select Contact Domain Holder link
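The creation-date check can be automated rather than eyeballed. What follows is an added Python example, not part of the original post: it pulls the Creation Date lines out of whois output (the two excerpts are constructed from the output quoted above), takes the earliest one, and reports the domain’s age against a fixed reference date. The 90-day threshold and the reference date of 2021-12-01 are assumptions chosen for the example; the extra date labels it recognizes beyond Creation Date are ones other registries use, so it generalizes a little past the two records shown here.

```python
import re
from datetime import datetime, timezone

# Age in days below which a domain is flagged as "very new". The threshold is an
# assumption for this example; pick what fits your own risk appetite.
NEW_DOMAIN_DAYS = 90

# Fixed reference date so the example is reproducible offline (constructed).
REFERENCE_DATE = datetime(2021, 12, 1, tzinfo=timezone.utc)

# Creation-date labels seen in whois output from different registries. A record
# often carries one copy from the registry and one from the registrar, and the
# two can differ by a few hours, as the disney.com record above shows.
_CREATION_RE = re.compile(
    r"^\s*(?:Creation Date|Created On|Registered on):\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)

# Two whois excerpts constructed from the output quoted in the post.
DISNEY_WHOIS = """\
   Updated Date: 2021-01-21T15:04:59Z
   Creation Date: 1990-03-21T05:00:00Z
   Registry Expiry Date: 2023-03-22T04:00:00Z
Updated Date: 2021-01-15T16:22:12Z
Creation Date: 1990-03-21T00:00:00Z
Registrar Registration Expiration Date: 2023-03-22T04:00:00Z
"""

LISTNCNEW_WHOIS = """\
   Updated Date: 2021-10-26T09:14:16Z
   Creation Date: 2021-10-26T09:10:35Z
   Registry Expiry Date: 2022-10-26T09:10:35Z
Creation Date: 2021-10-26T09:10:35Z
Registrar Registration Expiration Date: 2022-10-26T09:10:35Z
"""


def parse_whois_date(raw: str) -> datetime:
    """Parse the common whois date spellings into an aware UTC datetime."""
    raw = raw.strip()
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y"):
        try:
            parsed = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    raise ValueError(f"unrecognised whois date: {raw!r}")


def creation_date(whois_text: str) -> datetime:
    """Earliest creation date in the record (registry and registrar copies may differ)."""
    found = [parse_whois_date(d) for d in _CREATION_RE.findall(whois_text)]
    if not found:
        raise ValueError("no creation date found in whois output")
    return min(found)


def domain_age_days(whois_text: str, as_of: datetime = REFERENCE_DATE) -> int:
    """Whole days between the domain's creation and `as_of`."""
    return (as_of - creation_date(whois_text)).days


def assess(whois_text: str, as_of: datetime = REFERENCE_DATE,
           threshold_days: int = NEW_DOMAIN_DAYS) -> dict:
    """Summarise a record: creation date, age in days, and whether it trips the threshold."""
    created = creation_date(whois_text)
    age = (as_of - created).days
    return {"created": created.date().isoformat(), "age_days": age, "very_new": age < threshold_days}


if __name__ == "__main__":
    for name, record in (("disney.com", DISNEY_WHOIS), ("listncnew.com", LISTNCNEW_WHOIS)):
        print(name, assess(record))
```

Feed it the output of whois for the domain in the advertisement and compare the age with how long the offer has been showing up. A domain a few weeks old selling premium hardware at a deep discount is exactly the pattern this post describes, and the flag makes it hard to talk yourself past.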


This is my first post in a while. I haven’t been routinely releasing posts this year. There are another five that have been hovering in edit for a while. Maybe I can get them out before the end of this year.

AD CI Struggles

Active Directory Configuration Item struggles! Seems like feeling around in the dark.

I set up a test lab to practice creating an administratively tiered AD forest with a single domain. Challenges came from everywhere: available documentation, the platform the lab was built on, and ultimately figuring out a way to compare policies and OU structure between labs.

First the virtualization was run in VirtualBox on my laptop and the lab build began there. That was abandoned for lack of drive space.

Then it was moved to a dedicated virtual server running VMware ESXi. The browser interface was sluggish for me and, as I learned, my account didn’t have permissions to copy/paste between my PC and the VM. That slowed me as I tried to enter configurations and compare between guests.

The ESXi guests occasionally froze after changes and, when that happened, were very slow to power cycle: minutes.

Back to the laptop. Purge the VMs that were built for other labs (intended to be continued) and start again on the laptop. And this time I got the administratively tiered lab running.

Great. It needs to be repeatable though. Go back to the ESXi test lab and try to produce the same results. I tried altering the ESXi lab guests’ AD and GPO settings to be the same as those on the VirtualBox lab. Didn’t work.

I found several ways to produce GPO reports to compare settings in each lab and see where they differed. Found a few differences and changed the ESXi VMs’ settings to match VirtualBox’s working ones. The GroupPolicy module (GroupPolicy Module | Microsoft Docs) is a great tool. The most useful cmdlets to me for this were Get-GPOReport, Import-GPO, and Backup-GPO.
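Once the GPOs from both labs are exported as XML (Get-GPOReport -ReportType Xml does that), the comparison can be done mechanically instead of by reading two reports side by side. Below is an added Python example, not code from the post or from the GroupPolicy module: it flattens each XML report into path/value pairs and lists what exists in only one lab and what differs between them. The two report snippets are constructed, deliberately simplified stand-ins with a placeholder namespace, not the real Get-GPOReport schema; the group names LAB\Tier0-Admins and LAB\Tier0Admins are likewise made up to show a mismatch.

```python
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def flatten_report(xml_text: str) -> dict:
    """Flatten an XML report into {path: value}.

    Paths are positional (Setting[1], Setting[2], ...) so repeated elements
    do not collide; attributes appear as path/@name. Whitespace-only text is dropped.
    """
    root = ET.fromstring(xml_text)
    flat = {}

    def walk(element, path):
        seen = {}
        for child in element:
            name = _local(child.tag)
            seen[name] = seen.get(name, 0) + 1
            child_path = f"{path}/{name}[{seen[name]}]"
            for attr, value in child.attrib.items():
                flat[f"{child_path}/@{_local(attr)}"] = value
            text = (child.text or "").strip()
            if text:
                flat[child_path] = text
            walk(child, child_path)

    walk(root, _local(root.tag))
    return flat


def diff_reports(xml_a: str, xml_b: str) -> dict:
    """Settings present in only one report, and settings whose value differs."""
    a, b = flatten_report(xml_a), flatten_report(xml_b)
    return {
        "only_in_a": sorted(k for k in a if k not in b),
        "only_in_b": sorted(k for k in b if k not in a),
        "changed": sorted((k, a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]),
    }


# Constructed, simplified report snippets: element names and the namespace are
# stand-ins, not the real Get-GPOReport schema. Report A is the working
# VirtualBox lab, report B the ESXi lab whose Tier0 logon restriction is off.
WORKING_LAB_REPORT = r"""<GPO xmlns="urn:example:gpo-report">
  <Name>Tier0 Isolation</Name>
  <Computer>
    <UserRightsAssignment>
      <Name>SeDenyInteractiveLogonRight</Name>
      <Member>LAB\Tier0-Admins</Member>
    </UserRightsAssignment>
    <UserRightsAssignment>
      <Name>SeDenyRemoteInteractiveLogonRight</Name>
      <Member>LAB\Tier0-Admins</Member>
    </UserRightsAssignment>
  </Computer>
</GPO>"""

BROKEN_LAB_REPORT = r"""<GPO xmlns="urn:example:gpo-report">
  <Name>Tier0 Isolation</Name>
  <Computer>
    <UserRightsAssignment>
      <Name>SeDenyInteractiveLogonRight</Name>
      <Member>LAB\Tier0Admins</Member>
    </UserRightsAssignment>
  </Computer>
</GPO>"""


if __name__ == "__main__":
    result = diff_reports(WORKING_LAB_REPORT, BROKEN_LAB_REPORT)
    for path in result["only_in_a"]:
        print("missing in B:", path)
    for path, value_a, value_b in result["changed"]:
        print(f"differs: {path}: {value_a!r} -> {value_b!r}")
```

The flattening is schema-agnostic, which is the point: a GPO report nests settings several levels deep and the interesting differences (a right granted to a differently named group, a whole user-rights entry missing) show up as a short list of paths instead of a diff of two long XML files. Run it over the real exports from both labs and check the output against your chart of hosts, accounts, and groups.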

Sadly the ESXi lab setup still didn’t produce the same results, and response in the console was often sluggish. When I started with ESXi I used the console tool, which let me open multiple windows within one browser window. Unfortunately it didn’t copy/paste between my PC and the session. Not helpful for testing.

I eventually tried the remote console tool. It opened a window for each connection and was more responsive than the console. And, bonus, copy/paste worked between my PC and the terminal?!!

Better control of the ESXi test lab now, but still not the correct tiered admin function. The ESXi test lab guests showed some symptoms of not enough memory, like the sluggish responses and hangs. I’m upping RAM from 2 GB to 4 GB, rebuilding the guests and trying again.

The VirtualBox guests on the laptop are running with 2 GB and the tiered admin lab works.

If more memory doesn’t do it I’ll have to come up with some other adjustment to try. I need to get both working with admin tiering.

A detail that may be a clue: the ESXi lab was built from a Windows Server 2019 lab DVD, the VirtualBox lab from a Windows Server 2019 Microsoft Download image. The VirtualBox lab has the Schema Admins group in AD DS as part of the default install from the DVD; the ESXi lab DOES NOT and is built from the different media. Makes me wonder if there are other, unseen differences that prevent the ESXi lab from successfully building the tiered administration setup.

Diving into Tiered Administration

Really? There’s always something wrong in the instructions :-/

Approaches to improving security are always interesting to me. Recently I became aware of tiered administration as an aside in a security video I watched, “10 Work From Home Security Settings You Can Implement Now to Block Attackers.” Very good. Watch it if you can. The intro to tiering admin credentials and systems begins at about 30:10. That started the dive for me!

There are many background and architectural articles on Microsoft.com. They talk ideas and generalizations with really bad, confusing graphics (IMHO). However, I found one article that promised to step through the process of setting up Tiered Administration: Initially Isolate Tier 0 Assets with Group Policy to Start Administrative Tiering – Microsoft Tech Community.

I followed the steps and it didn’t result in Domain Admins members being prevented from logging on to a member server or workstation. I repeated the process several times to be certain I hadn’t overlooked something and got the same lack of result each time.

The Group Policy precedence in the article didn’t work. The precedence given in a comment on the article, which said the article’s precedence was wrong, didn’t work either.

At that point I put together a chart to track the hosts, accounts, policies, and security groups I was using. With the chart, and by patiently changing one attribute at a time and repeating the logon tests, I finally found a combination that worked!!

Great, Tier0 accounts couldn’t log on to anything except Tier0 assets. Now start trying other things in my virtual environment to find out what needs to be accounted for if migrating a domain to the restricted accounts model.

It didn’t take long to find there’s something else Tier0 Domain Admins accounts couldn’t do: they couldn’t install software on Tier1 & 2 assets any longer. The Tier0 accounts couldn’t log on and there were no dedicated Tier1 or 2 accounts to use. (I should have tried the app server’s local admin for logon, then tried the s/w install and seen whether the Tier0 credential could be used to perform it.) Members of the local Administrators group can install software. The Domain Admins group is in the local Administrators group. So any member of Domain Admins should be able to install software.

If a Tier0 account is in the group that limits logon to only Tier0 assets then it cannot log on and install software on Tier1 & 2 assets. So, have Tier0 accounts restricted to Tier0 assets, but how are Tier1 and 2 assets going to be managed?

Nowhere in the article is this limitation mentioned! Set up Tier0 admins and suddenly Tier1 & 2 assets can’t be managed with any Domain Admins group account. A real problem.

Back to my trusty charts. Create new security groups and Group Policies, after spending some time trying to understand the policies and how they’re being applied. Then start testing.

Seems my head scratching, after discovering the problem and before trying to produce a solution, worked. I came up with a scheme that doesn’t change the working Tier0 accounts and hosts settings and gives Tier1 accounts access to Tier1 assets but not Tier0 assets. Still a bit more testing to confirm Tier1 can’t access Tier2. Then testing to confirm I’m able to create Tier2 accounts. Then check the effect on service accounts, which currently are admin accounts used only for the function of certain software, e.g. managing audit settings to capture and report changes in the environment.

Anyhow, this screed was about two things really. My satisfaction at standing up a Tiered Admin environment (at least the beginnings, in test), and my growing frustration over technology implementation articles written as step-wise instructions that just don’t work (Tiered Admin, Certificate Services, Federation Services to name a few), and that leave out really important information like, “if you do this, you lose admin access to Tier1 & 2 assets.”

The “how to” articles that don’t actually work are all from Microsoft.com URLs. A third-party site getting it wrong is frustrating, but I don’t feel misinformed by an authority I should be able to trust; after all, it’s not Microsoft. An article on Microsoft.com that says “do this” and you get “that result” that’s wrong or incomplete is very frustrating! If you can’t trust Microsoft about how to use its software then who are you going to trust?

Got a job!

Review LOTS of advertisements, select and apply, repeat. It’s a full time job that you want to dump.

After nine months of applications and 99% ghosted 🙁 I got a job 🙂 !

Interesting that for the first time in my professional career the title is IT System Administrator. I’m familiar with all that has been needed so far. Seems a good fit. Yet I’ve never had this title before.

A good way to start a new job. Not lost in anything and able to contribute quickly.

Oh, and first post since commenting was enabled. Wondering what kind of spam will show up first.

Tracking Things, SO MANY THINGS, Which Are the Important Things?

Don’t get overwhelmed.

Digital devices (for this discussion, the range from smartphones to computers and the devices making up the networks they attach to) offer so much information for monitoring health and diagnosing failures.

To maintain the health of that cloud of devices it’s good to know what’s going on, what to monitor. And by the same token, it’s good to monitor things that affect your experience so the provider can be shown when it’s their problem.

For home Internet users the big things are usually the reliability and speed of the Internet connection. If it’s fast but down a lot that’s no good. And if it’s up and performance is good, is it actually performing to spec? Are you getting what you’re paying for?

Only as an exercise in curiosity, I wondered how often my public IP address changed, and how quickly the log would grow. I’ve been tracking since May 2014 and have 11,441 lines in the log. It’s only grown to 670K in that time. There have been 129 different public addresses, and the top five are 2,267, 1,681, 1,176, and 702 occurrences. More than half the instances.

Mostly just trivia. Having the log did help me discover that one of the temporary IPs I got in Flushing was on some blacklists. When that happened I couldn’t log in to my (ISC)2 account. Once I’d troubleshot it I was able to get the IP removed from the blacklist and was again able to get to (ISC)2 when I got that IP.

More immediate: is the Internet performance I contracted for being delivered? In my case it certainly seems it isn’t.

A typical recent week of service from my ISP. Anything not green is bad :-/. There’s quite a bit of it.

Better times :-). Start of November, 2020.

Those are examples of some things to track, one seemingly more immediately useful than the other. There are so many more. Which are important for security? Authentication by location, time of day, second factor, log file access (hierarchy of criticality). Web browsing?

You need to ask and answer what’s critical, what’s confidential, who should have access, and which access paths are allowed.

More phishing warning

Yeah, I’m always talking about it because I’m always getting examples to share.

Another picture to help avoid possibly painful mistakes.

This is my Inbox with only one message displayed.

See that the mouse pointer (the pointing index finger) is floating over the first column, the Sender. Beneath the finger is a black rectangular window with white text.

When the pointer floats over the Sender, that black window pops open and shows the email address the message is supposedly from. It is very obviously NOT the Apple App Store. Mark this message as SPAM and delete it without opening!

Don’t even open it

Don’t get phished – take a test

How many times will you be fooled? Take the test and learn not to be.

Phishing is very common. I’ve written a number of posts cautioning readers and providing examples.

Today I came across something even better: an online phishing test hosted by Google. It presents you with messages and asks whether they are “real” or phishing.

It’s a test… so none of the messages are really real. But they do give you the opportunity to learn whether you’d fall victim to phishing, and how to avoid being a victim. Whether the message is phishing or not is explained and illustrated after you judge its authenticity.

Fun. Try it.

Jigsaw | Phishing Quiz

Phishing, don’t get hooked!

Give yourself a Merry Christmas, don’t get phished.

I have posted about phishing before. Hopefully some of what I’ve posted or others have posted has been useful to you. I’m posting again because I got another phishing email just recently that, when I saw it in my Inbox, made me worry for a few moments. That’s because my Inbox shows the subject and the first words of the body of the email. So, what I saw in my Inbox was, “Update on Your Yahoo Account the password for your Yahoo account was recently changed”!

Immediate concern. I had not recently changed my Yahoo password. And the sender column of my Inbox does not show the email address; it shows the sender name, in this case “Yahoo”. Have I been hacked? Fortunately, no. If I had been in a rush and not paying attention, though, I might have given up my Yahoo credentials out of panic. So I’m posting again to remind myself, and anyone reading this: DON’T rush when you get an email about your accounts. Take the time to look it over and be certain of what you’ve gotten.

In this case the Inbox view said the email was from Yahoo. As soon as I opened the message it was clearly NOT from Yahoo.

From there, it’s all the usual stuff to know it’s fake. Hover over the link to go fix the “problem” and see that the link doesn’t go to a Yahoo.com website.

Then last, I clicked on the link so you could see the web page it goes to. And you see that even though it tries to look like a Yahoo page, it clearly is not a Yahoo site.

Please, don’t get hooked. There’s not enough info in the Inbox view to know whether this is something to worry about or not. Once the email is opened there are two different opportunities to see it isn’t a Yahoo! message.

  • The “From:” is not a Yahoo! account.
  • Hover over the link and it clearly is not a Yahoo! URL.
  • And finally, if the link is clicked… the URL for the webpage definitely is not a Yahoo! URL.
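The checks in that list can also be written as code, which helps if you want to screen a mailbox rather than eyeball every message. Here is an added Python example, not part of this post or the earlier App Store one: it parses a raw message, compares the From display name against the address domain (the App Store case, where hovering over the sender betrayed the address), and compares each link’s visible text against the host its href actually points to (the Yahoo case). The brand-to-domain table and the two sample messages are constructed for the example, with reserved example.net and example.org names standing in for the impostor side.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand names and the domain they legitimately send from. A constructed,
# deliberately short mapping for this example; extend it for your own mailbox.
BRAND_DOMAINS = {"yahoo": "yahoo.com", "apple": "apple.com"}


def _within(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_sender(from_header: str) -> list:
    """Flag a display name that claims a brand while the address domain is elsewhere."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rpartition("@")[2].lower()
    return [
        f"From display name claims {brand!r} but the address domain is {addr_domain!r}"
        for brand, domain in BRAND_DOMAINS.items()
        if brand in name.lower() and not _within(addr_domain, domain)
    ]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    """Flag links whose visible text names a brand the href host does not belong to."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        for brand, domain in BRAND_DOMAINS.items():
            if brand in text.lower() and not _within(host, domain):
                findings.append(f"link text {text!r} points at host {host!r}")
    return findings


def check_message(raw_message: str) -> list:
    """Run both checks over a single-part message and return all findings."""
    msg = message_from_string(raw_message)
    findings = check_sender(msg.get("From", ""))
    if not msg.is_multipart():
        findings += check_links(msg.get_payload())
    return findings


# Constructed sample messages; the impostor domains are RFC 2606 reserved names.
PHISHING_SAMPLE = """\
From: "Yahoo" <account-security@mail-verify.example.net>
Subject: Update on Your Yahoo Account
Content-Type: text/html

<p>The password for your Yahoo account was recently changed.</p>
<p>If this wasn't you, <a href="http://yahoo.example.net/login">sign in to yahoo.com</a>.</p>
"""

LEGIT_SAMPLE = """\
From: "Yahoo" <no-reply@mail.yahoo.com>
Subject: Update on Your Yahoo Account
Content-Type: text/html

<p>Sign in at <a href="https://login.yahoo.com/">login.yahoo.com</a> to review recent activity.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGIT_SAMPLE)):
        print(label, check_message(sample) or ["no findings"])
```

The two checks are the machine version of “hover and look”: the Inbox shows the display name, which anyone can set, so the test is whether the address behind it and the hosts behind the links belong to the organization the message claims to be from. Multipart messages would need the HTML part pulled out first; the sample here is single-part to keep the example short.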

Stay web safe and have a Merry Christmas.

Got vsftpd?

The path from “need a few files” to providing self service any time you like.

I tend to have computer components and a few spare computers hanging around, both because I haven’t been hit with Marie Kondo fever (I’m not really bad) and because I help my kids with equipment selection, sometimes purchase, and benefit from getting their leave-behinds to experiment with.

In this case one son had upgraded, so I got the old laptop. It needed some work to be useful: a badly damaged digitizer. He also wanted files from the hard drive but didn’t have the opportunity to get them before leaving me the PC.

I replaced the digitizer and swapped out the hard drive with a loose one I had around so I could use the PC. I put the original drive in an external USB3 enclosure I had, labeled it not to erase, and set it aside.

Then said son asked for four files from the old drive. No problem, I thought. Plug the drive into the USB port of my laptop, read them off the drive and send. Nope.

This son is one I’ve gotten to use Linux on several systems. I’d set up Linux for him on this system and used the default partition method at the time, LVM. I couldn’t read the drive. My system, using the current default, ZFS, didn’t have the ability to mount the drive.

Here’s one of the reasons I find Linux to be easy to use: all I needed to do was install LVM on my system and reboot. Presto, I could read the external drive. It now automatically mounts when plugged in to USB. And the ZFS install of my system wasn’t affected at all.

Now try to read his files for him. Nope. He had been traveling internationally so I’d set up an encrypted home directory for him. Fortunately I’d kept the encryption passphrase in my password safe and was able to mount the encrypted home directory. I still wasn’t getting files in the clear though. It seemed related to the fact that the drive was no longer the boot drive. I went down that rabbit hole for a bit and seemed to be making progress. Finally though, to get him the files, I just asked him if he recalled his login password. He did.

Booted the old PC, selected the external HD to boot from, and it went right to the login screen; enter the password and I’m logged in to the old system. Another Linux advantage: take an original host drive, plug it into USB on another PC, select that drive as the boot source, and Linux boots without complaint.

I sent him the files he wanted. Then I thought to send him a list of all the files in his home directory. After all, he might want others and just not recall their names. Sure enough, he wanted a few more after getting the list.

Now I’m thinking, if he wants more files, that’s more work for me. What if, instead, he can get the files on his own any time he likes? Could I set up an FTP site he could connect to and get files whenever he wished?

This is where vsftpd finally enters the picture. My plan was to boot from the old hard drive using a spare PC, make an FTP site that used an encrypted connection so that not even the username/password are sent in the clear, and provide him the connection information.

vsftpd is an easy setup. Run the installation and it accepts anonymous connections by default. I didn’t want anonymous though, and wanted the connection to go to his home directory. Read the man page (linux.die.net is my favorite man page source), search for others’ descriptions of how to set up a credentialed, encrypted connection, and keep hacking at it until it worked.

The thing that really stymied me was the obscure failure message when vsftpd was failing to start after some of the config changes I made. I couldn’t find a parameter to boost the detail of the logging and was left with only “status=2/INVALIDARGUMENT” to try and figure out which parameter was the problem. Fortunately I came across Why my vsftp service can’t start?. It offered the tip to run /usr/sbin/vsftpd manually from the command prompt so the specific issue might be revealed. I tried, the problematic option was revealed, I changed the option and presto, working vsftpd using TLSV1 for connections!

For your interest, here’s my working vsftpd.conf:

anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
listen=NO
listen_ipv6=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
user_sub_token=$USER
local_root=/home/$USER
rsa_cert_file=/etc/letsencrypt/live/fullchain16.pem
rsa_private_key_file=/etc/letsencrypt/live/privkey16.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
pasv_min_port=xxxxx
pasv_max_port=yyyyy
pam_service_name=vsftpd
implicit_ssl=NO
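A configuration like this is worth checking mechanically before it goes live, both for the settings that keep logins and data inside TLS and for the ones that decide whether the service starts at all. The following is an added Python example, not code from the post or from vsftpd: it parses a vsftpd.conf, fills in the defaults that vsftpd.conf(5) documents for keys that are absent, and reports the points a reviewer would raise. The sample input is the configuration above, copied verbatim (including its xxxxx/yyyyy passive-port placeholders); the hardened variant and its 40000-40100 port range are constructed for the example.

```python
# Values vsftpd.conf(5) documents as the default when a key is absent.
VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES", "ssl_enable": "NO",
    "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
    "ssl_sslv2": "NO", "ssl_sslv3": "NO", "ssl_tlsv1": "YES",
    "chroot_local_user": "NO", "allow_writeable_chroot": "NO",
}

# (key, value we insist on, severity, meaning when the effective value differs)
REQUIRED = [
    ("anonymous_enable", "NO", "high", "anonymous logins are accepted"),
    ("ssl_enable", "YES", "high", "TLS is off: credentials and data cross the wire in the clear"),
    ("force_local_logins_ssl", "YES", "high", "logins without TLS are still accepted"),
    ("force_local_data_ssl", "YES", "medium", "data connections may run without TLS"),
    ("ssl_sslv2", "NO", "high", "SSLv2 is enabled"),
    ("ssl_sslv3", "NO", "high", "SSLv3 is enabled"),
]


def parse_vsftpd_conf(text: str) -> dict:
    """Parse vsftpd's key=value format; blank lines and '#' comments are skipped."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def effective(conf: dict, key: str) -> str:
    """The value vsftpd will act on: the file's value, else the documented default."""
    return conf.get(key, VSFTPD_DEFAULTS.get(key, "")).upper()


def audit_vsftpd(conf: dict) -> list:
    """Return (severity, key, message) findings for a parsed vsftpd.conf."""
    findings = [(sev, key, msg) for key, want, sev, msg in REQUIRED if effective(conf, key) != want]
    if effective(conf, "chroot_local_user") == "YES" and effective(conf, "allow_writeable_chroot") == "YES":
        findings.append(("medium", "allow_writeable_chroot",
                         "the chroot root is writable; vsftpd refuses that by default because it "
                         "weakens the jail. For a download-only share make local_root read-only instead"))
    if effective(conf, "ssl_tlsv1") == "YES":
        findings.append(("info", "ssl_tlsv1",
                         "TLS 1.0 is enabled; it is deprecated (RFC 8996). Prefer TLS 1.2 or later "
                         "where your vsftpd build offers per-version options"))
    for key in ("pasv_min_port", "pasv_max_port"):
        if key in conf and not conf[key].isdigit():
            findings.append(("error", key, f"{conf[key]!r} is not a port number; fill it in before starting vsftpd"))
    return findings


# The post's working configuration, copied as the sample input (the xxxxx/yyyyy
# passive-port placeholders are the post's own redactions).
POSTED_CONF = """\
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
allow_writeable_chroot=YES
listen=NO
listen_ipv6=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
user_sub_token=$USER
local_root=/home/$USER
rsa_cert_file=/etc/letsencrypt/live/fullchain16.pem
rsa_private_key_file=/etc/letsencrypt/live/privkey16.pem
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
require_ssl_reuse=YES
ssl_ciphers=HIGH
pasv_min_port=xxxxx
pasv_max_port=yyyyy
pam_service_name=vsftpd
implicit_ssl=NO
"""

# The same file with the writable chroot turned off and the placeholders filled
# with a constructed passive-port range.
HARDENED_CONF = (POSTED_CONF
                 .replace("allow_writeable_chroot=YES", "allow_writeable_chroot=NO")
                 .replace("pasv_min_port=xxxxx", "pasv_min_port=40000")
                 .replace("pasv_max_port=yyyyy", "pasv_max_port=40100"))
```

Against the posted file the audit raises four things: the two redacted passive-port values (vsftpd wants numbers there), allow_writeable_chroot=YES together with chroot_local_user=YES, which is what vsftpd’s “500 OOPS: vsftpd: refusing to run with writable root inside chroot()” is protecting against and is not needed for a download-only share (making the user’s home directory non-writable by that user is the usual alternative), and, as information only, that TLS 1.0 is enabled. Everything that keeps credentials off the wire, ssl_enable, force_local_logins_ssl, force_local_data_ssl, and the SSLv2/SSLv3 switches, is already set the right way, which is the part of the post worth copying.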

A little bit Docker

Platform virtualization, a more granular way to virtualize.

Virtualization is something that’s been mainstream for years. I’ve used it for production environments to increase hardware utilization and improve failure tolerance. And it is also great for quickly setting up and using test environments whether to test before production deployment or to evaluate a technology without intermixing with your production environment.

Docker, platform-as-a-service virtualization, has been around for a few years now, since 2013 actually. And I’d never used it. I decided it was time to change that.

So… what to do? Well, I’ve been suspicious that my Internet Service Provider (ISP) isn’t actually providing the promised speeds. Whenever I’d check the speeds at a speed test website they would be slower than the service promise. Of course that’s very intermittent testing, and I couldn’t really maintain a regular schedule, note the results, and have a documented history to complain to my ISP about.

In the past I’ve used a program called Nagios to monitor network services and computers on a network. A little searching and I found that Nagios has a feature, a plug-in it’s called, that can be used to monitor Internet upload and download speed on a schedule.

With this information in hand I decided to try using Docker to run a Nagios container with the speedtest plug-in. Quite a bit for me to get my head around. This particular plug-in works differently than the ones built into Docker Core, so I needed to work out how to get it working. Of course there’s documentation online, but it is old and the plug-in has been updated a few times while the documentation has not.

And with Docker itself there’s quite a bit to learn. Easy enough to get a container started. However, there is a lot going on behind the scenes. Docker has images and containers. Images are the templates for the containers. Start an image and a container is created. Stop the container, then start the image again, and a new container is created. Without a guide, which I haven’t found yet, that explains the “theory of Docker”, one might keep starting the same image and by that technique keep creating containers. This leads to not finding any of the customizations made in the last container, because starting the image again starts a new container.

Then of course there’s getting to the container command line, basically getting inside the machine. Once there it can be difficult to accomplish anything because many of the common command line tools, like a text editor, are not in the container. That leads to needing to find out how to access the files and modify them from outside the container.

There are ways to resolve all the above. More than one way for each of the issues.

My good fortune is that I’m attending the (ISC)2 2020 Security Congress this year. Virtually, of course. And there is a Docker related session I’ve signed up for. Excited to learn about this.

  • 7 Layers of Container Insecurity