ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login
    1. Topics
    2. DustinB3403
    3. Best
    • Profile
    • Following 21
    • Followers 20
    • Topics 938
    • Posts 25,971
    • Groups 0

    Posts

    Recent Best Controversial
    • RE: Synology Cloud Sync - Export a CSV Log

      @travisdh1 Yeah supposedly in /var/log/cloudsync, but this directory does not exist on the Synology.

      I can pull other logs, which are in compressed .dat file, which are very extensive, but it doesn't list this detail, nearly as neatly or expressly.

      posted in IT Discussion
      DustinB3403D
      DustinB3403
    • RE: Proxmox: UPS

      @pattonb said in Proxmox: UPS:

      Why not use apcusd (http://www.apcupsd.org/)

      you can calibrate the ups and monitor and much more. I have it running on a few proxmox pve servers. There is a Debian wiki as well. (https://wiki.debian.org/apcupsd)

      you just need the usb cable that connects to the ups.

      In a scenario like Proxmox, sure use it all day long as you have community support only (generally speaking) it likely works just fine. When something doesn't work though and you need a dedicated support channel does this potentially pose an issue, if its not included and used as the default product.

      posted in IT Discussion
      DustinB3403D
      DustinB3403
    • RE: Print Management: Export

      @gjacobse If you open PM, select "Print Servers" > Expand the server > Select "Ports" and then select Export you'll get the port details (ip, WSD etc) into a txt file.

      posted in IT Discussion
      DustinB3403D
      DustinB3403
    • RE: Vulnerability Assessment and Alerting Solutions

      @IRJ Yeah I've tried openVAS in the past, it wasn't bad, but it also wasn't great.

      I've ended up making some changes to my firewall and using Wazuh to report on my endpoints that are remote to our datacenter.

      Which works well enough for our needs

      posted in IT Discussion
      DustinB3403D
      DustinB3403
    • RE: How to get Chrome to remember which monitors to open on

      @CCWTech I wish I had that monitor setup 🙂

      As for getting everything to open on a separate monitor and with the content you had open I'm not sure of off hand. I only use two monitors... and all of my content is constantly changing.

      posted in IT Discussion
      DustinB3403D
      DustinB3403
    • Hardening RHEL (and RHEL Based OSs)

      For obvious reasons RHEL is annoying, like needing to sign into their paywall to find this information. If you're ever needing to harden a RHEL based OS, specifically to disable SHA1 and CBC you can use the below and reboot the server.

      These vulnerabilities are outlined below and the remedy is listed at the bottom. Mind any typo's I've copied the description out of a PDF and there may be some copy/paste artifacts or typos.

      Medium (CVSS: 5.3)
 NVT: Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)
 Product detection result
 cpe:/a:ietf:secure_shell_protocol
 Detected by SSH Protocol Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105565
 →)
 Summary
 The remote SSH server is con gured to allow / support weak key exchange (KEX) algorithm(s).
 Quality of Detection (QoD): 80%
 Vulnerability Detection Result
 The remote SSH server supports the following weak KEX algorithm(s):
 KEX algorithm
 | Reason-----------------------------------------------
diffie-hellman-group-exchange-sha1 | Using SHA-1
 Impact
 An attacker can quickly break individual connections.
 Solution:
 Solution type: Mitigation
 Disable the reported weak KEX algorithm(s)- 1024-bit MODP group / prime KEX algorithms:
 Alternatively use elliptic-curve Di e-Hellmann in general, e.g. Curve 25519.
 Vulnerability Insight- 1024-bit MODP group / prime KEX algorithms:
 Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman
 key exchange. Practitioners believed this was safe as long as new key exchange messages were
 generated for every connection. However, the first step in the number field sieve-the most efficient
 algorithm for breaking a Diffie-Hellman connection-is dependent only on this prime.
 A nation-state can break a 1024-bit prime.

 Vulnerability Detection Method

 Checks the supported KEX algorithms of the remote SSH server.
 Currently weak KEX algorithms are defined as the following:- non-elliptic-curve Di e-Hellmann (DH) KEX algorithms with 1024-bit MODP group / prime- ephemerally generated key exchange groups uses SHA-1- using RSA 1024-bit modulus key
 
 Details: Weak Key Exchange (KEX) Algorithm(s) Supported (SSH)
 OID:1.3.6.1.4.1.25623.1.0.150713
 Version used: 2024-06-14T05:05:48Z
 Product Detection Result
 Product: cpe:/a:ietf:secure_shell_protocol
 Method: SSH Protocol Algorithms Supported
 OID: 1.3.6.1.4.1.25623.1.0.105565)
 References
 url: https://weakdh.org/sysadmin.html
 url: https://www.rfc-editor.org/rfc/rfc9142
 url: https://www.rfc-editor.org/rfc/rfc9142#name-summary-guidance-for-implem
 url: https://www.rfc-editor.org/rfc/rfc6194
 url: https://www.rfc-editor.org/rfc/rfc4253#section-6.5

      And CBC

      Medium (CVSS: 4.3)
 NVT: Weak Encryption Algorithm(s) Supported (SSH)
 Product detection result
 cpe:/a:ietf:secure_shell_protocol
 Detected by SSH Protocol Algorithms Supported (OID: 1.3.6.1.4.1.25623.1.0.105565
 →)
 Summary
 The remote SSH server is con gured to allow / support weak encryption algorithm(s).
 Quality of Detection (QoD): 80%
 Vulnerability Detection Result
 The remote SSH server supports the following weak client-to-server encryption al
 →gorithm(s):
 aes128-cbc
 aes256-cbc
 The remote SSH server supports the following weak server-to-client encryption al
 →gorithm(s):
 aes128-cbc
 aes256-cbc
 Solution:
 Solution type: Mitigation
 Disable the reported weak encryption algorithm(s).
 . . . continues on next page ...
2 RESULTS PER HOST
 6
 . . . continued from previous page ...
 Vulnerability Insight- The 'arcfour' cipher is the Arcfour stream cipher with 128-bit keys. The Arcfour cipher is
 believed to be compatible with the RC4 cipher [SCHNEIER]. Arcfour (and RC4) has problems
 with weak keys, and should not be used anymore.- The 'none' algorithm specifies that no encryption is to be done. Note that this method provides
 no confidentiality protection, and it is NOT RECOMMENDED to use it.- A vulnerability exists in SSH messages that employ CBC mode that may allow an attacker to
 recover plaintext from a block of ciphertext.
 Vulnerability Detection Method
 Checks the supported encryption algorithms (client-to-server and server-to-client) of the remote
 SSH server.
 Currently weak encryption algorithms are de ned as the following:- Arcfour (RC4) cipher based algorithms- 'none' algorithm- CBC mode cipher based algorithms
 Details: Weak Encryption Algorithm(s) Supported (SSH)
 OID:1.3.6.1.4.1.25623.1.0.105611
 Version used: 2024-06-14T05:05:48Z
 Product Detection Result
 Product: cpe:/a:ietf:secure_shell_protocol
 Method: SSH Protocol Algorithms Supported
 OID: 1.3.6.1.4.1.25623.1.0.105565)
 References
 url: https://www.rfc-editor.org/rfc/rfc8758
 url: https://www.kb.cert.org/vuls/id/958563
 url: https://www.rfc-editor.org/rfc/rfc4253#section-6.3

      Simply running sudo update-crypto-policies --set DEFAULT:NO-SHA1:NO-CBC and rebooting the system in question removes these vulnerabilities.

      posted in IT Discussion ssh hardening linux rhel
      DustinB3403D
      DustinB3403
    • 1
    • 2
    • 341
    • 342
    • 343
    • 344
    • 345
    • 345 / 345