Kushal Das

FOSS and life. Kushal Das talks here.

kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion

IP addresses which tried to break into this server in 2019

This Friday, I looked into the SSH failures on my servers to see how different systems/bots/people tried to break in. I have the logs since July this year (when I moved to newer servers).

In line with the usual trend, most of these IP addresses act as staging areas for attacks by other malware or people. Most of these IP addresses are the real people/places from where the attacks are originating. There are around 2.3k+ IP addresses in this list.

Origin IP locations

per IP map

The above is a map of all of the IP addresses which tried to break into my system.

Country wise

You can see a big RED circle here, as one particular IP from Belgium tried 3k+ times; the second country is China, and the USA is in third place. I made the map into a static image as that is lighter for the page load.

Per country attacks

Country  Attempts
BE       3032
CN       1577
US        978
FR        934
RU        807
SG        483
DE        405
NL        319
CA        279
KR        276

Known VS unknown IP addresses

I also checked the IP addresses against the AlienVault database, which is an open threat intelligence community. The API is very simple to use.

Known vs unknown ip

According to AlienVault, 1513 IP addresses are already known for similar kinds of attacks, and 864 IP addresses are unknown. In the coming days, I will submit these IP addresses back to AlienVault.

Most of my time went into learning how to draw the heatmap on the world map. I will write a separate blog post on that topic.
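The counting described above, as an added example that is not the post's own script: it parses sshd failure lines, aggregates them per source IP and per country, and splits the IPs into known/unknown against a threat-intel set. The log lines, the IP-to-country dict and the known-bad set are all constructed placeholders (a real run would read the auth log, a GeoIP database and the AlienVault API).

```python
import re
from collections import Counter

# Constructed sample lines in the auth.log/journald style that sshd uses for
# login attempts; they are not taken from the author's servers.
SAMPLE_LOG = """\
Dec 13 09:01:12 host sshd[2010]: Failed password for root from 203.0.113.5 port 40122 ssh2
Dec 13 09:01:15 host sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Dec 13 09:02:01 host sshd[2012]: Invalid user oracle from 198.51.100.7 port 51020
Dec 13 09:02:03 host sshd[2012]: Failed password for invalid user oracle from 198.51.100.7 port 51020 ssh2
Dec 13 09:03:40 host sshd[2020]: Accepted publickey for kdas from 192.0.2.9 port 2222 ssh2: ED25519 SHA256:abc
Dec 13 09:04:10 host sshd[2021]: Failed password for root from 203.0.113.5 port 40140 ssh2
"""

# Only failed password attempts count as break-in attempts; an accepted login
# or a bare "Invalid user" notice (which precedes the failure line) is not counted.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def failed_logins_per_ip(log_text):
    """Map source IP -> number of failed password attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def attempts_per_country(counts, ip_to_country):
    """Aggregate per-IP counts by country code. The lookup is a plain dict here;
    a real run would use a GeoIP database. Unknown IPs land under '??'."""
    by_country = Counter()
    for ip, n in counts.items():
        by_country[ip_to_country.get(ip, "??")] += n
    return by_country

def split_known_unknown(counts, known_bad):
    """Partition observed IPs by whether a threat intel feed (e.g. AlienVault)
    already lists them; known_bad stands in for the feed's answer."""
    known = sorted(ip for ip in counts if ip in known_bad)
    unknown = sorted(ip for ip in counts if ip not in known_bad)
    return known, unknown

if __name__ == "__main__":
    for ip, n in failed_logins_per_ip(SAMPLE_LOG).most_common():
        print(ip, n)
```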

PoC to auto attach USB devices in Qubes

Here is a PoC based on the qubesadmin API which can auto attach USB devices to any VM as required. By default Qubes attaches every USB device to the sys-usb VM, which protects against bad/malware-filled USB devices. But in special cases we may want selected devices to be auto attached to certain VMs. In this PoC example we attach any USB storage device, but we can add more checks to match only selected devices, or mark a few VMs to which no device may be attached.

I would love to see what all magical ideas you all come up with. Have fun with the code.

Btw, you can execute it in dom0 by running:

python3 autoattach.py

oqubeslogging, a PoC for centralized logging in Qubes OS

oqubeslogging is a proof of concept project for Qubes OS. It includes a qrexec service which allows one AppVM (we will call it the logging VM for the rest of the blog post) to receive all the logs from different selected VMs. This enables central logging across a Qubes OS installation.

The second part is a Python logging handler which, if configured correctly, will pass the log lines to the logging VM:

import logging
from oqubeslogging import OQubesLog

def main():
    # Handler that forwards this VM's log records to the logging VM over qrexec
    handler = OQubesLog("workvm", "loggingvm")
    logging.basicConfig(level=logging.DEBUG, handlers=[handler])
    logger = logging.getLogger("example")

    logger.info("kushal says it works")


if __name__ == "__main__":
    main()

The third piece is another example script which, if run as root in any VM, collects all logs from journald and passes them to the logging VM.
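To show how a handler of this shape can forward records over qrexec, here is an added example that is not oqubeslogging's code: a hypothetical QrexecLogHandler that emits one JSON line per record to qrexec-client-vm, with an injectable sender so it can be exercised outside Qubes. The service name qubes.CentralLog is an assumed placeholder, not the project's real RPC name.

```python
import json
import logging
import subprocess

# Hypothetical stand-in for oqubeslogging's OQubesLog (not the project's code):
# the service name qubes.CentralLog is an assumed placeholder.
class QrexecLogHandler(logging.Handler):
    def __init__(self, source_vm, logging_vm, service="qubes.CentralLog", sender=None):
        super().__init__()
        self.source_vm, self.logging_vm, self.service = source_vm, logging_vm, service
        # `sender` is injectable so the handler can be exercised outside Qubes.
        self.sender = sender or self._qrexec_send

    def _qrexec_send(self, payload):
        # qrexec-client-vm <target> <service> passes stdin to the service in the
        # target VM; the dom0 qrexec policy decides whether the call is allowed.
        subprocess.run(["qrexec-client-vm", self.logging_vm, self.service],
                       input=payload.encode(), check=False)

    def serialize(self, record):
        # One JSON object per line so the logging VM can split the stream safely
        # even when a message contains newlines or control characters.
        return json.dumps({"vm": self.source_vm, "logger": record.name,
                           "level": record.levelname, "time": record.created,
                           "msg": record.getMessage()}) + "\n"

    def emit(self, record):
        try:
            self.sender(self.serialize(record))
        except Exception:
            self.handleError(record)

def collect_lines(source_vm="workvm", logging_vm="loggingvm"):
    """Drive the handler with an in-memory sender and return the decoded records."""
    sent = []
    handler = QrexecLogHandler(source_vm, logging_vm, sender=sent.append)
    logger = logging.getLogger("example." + source_vm)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.addHandler(handler)
    try:
        logger.info("kushal says it works")
        logger.warning("line with\nnewline")
    finally:
        logger.removeHandler(handler)
    assert all(line.count("\n") == 1 for line in sent)  # exactly one line each
    return [json.loads(line) for line in sent]
```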

Why is this useful?

The same reason we use central logging everywhere: it lets us check only one VM to find the right log. Qubes OS is designed with a single user in mind, and instead of looking through many different AppVMs, we will be able to read and parse logs in that one special logging VM.

Started a newsletter

I started a newsletter focusing on stories I read about privacy, security, and programming in general. Following the advice of Martijn Grooten, I have been storing all the interesting links I read (for many months). I used to share these only over Twitter, but as I retweet many things, it was not easy to share a selected few.

I also did not want to push them into my regular blog. I wanted a proper newsletter over an email service, but keeping readers' privacy was a significant factor in choosing the service. I finally decided to go with the Write.as Letters service. I am already using their open source project WriteFreely. This is an excellent excuse to use their tools more and also pay them for the fantastic tools + service.

Feel free to subscribe to the newsletter and share the link with your friends.

stylesheet for nmap output

nmap is the most loved network discovery and security auditing tool out there. It is already 22 years old and has a ton of features. It can generate output in various formats, including a greppable one and an XML one.

There is also an XML stylesheet project for nmap's XML output.

Click on this result to view the output. You can use this to share the result with someone else, where people can view it from a web-browser with better UI.

The following command was used to generate the output. I had already downloaded the stylesheet into the local folder.

nmap -sC -sV -oA toots toots.dgplug.org --stylesheet nmap-bootstrap.xsl
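If you want to do something with the XML that -oA writes other than viewing it in a browser, here is an added example (not from the post or the stylesheet project) that pulls the open ports out of it and reads back the xml-stylesheet processing instruction that --stylesheet inserts. The scan result is a constructed sample, not output from a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX style output for a single host (not a real scan result).
# The xml-stylesheet processing instruction is what --stylesheet adds.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="nmap-bootstrap.xsl" type="text/xsl"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -oA toots toots.dgplug.org">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="toots.dgplug.org" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/>
        <service name="smtp"/></port>
    </ports>
  </host>
</nmaprun>
"""

def open_ports(xml_text):
    """Return (addr, port, proto, service, product) rows for every open port.
    Filtered/closed ports are skipped, which is usually what a reviewer wants."""
    rows = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            product = " ".join(p for p in parts if p)
            rows.append((addr, int(port.get("portid")), port.get("protocol"), name, product))
    return rows

def stylesheet_href(xml_text):
    """Return the stylesheet referenced by the xml-stylesheet PI, or None.
    ElementTree drops processing instructions, so this looks at the raw text."""
    for line in xml_text.splitlines():
        if line.startswith("<?xml-stylesheet"):
            start = line.find('href="') + len('href="')
            return line[start:line.find('"', start)]
    return None
```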

When governments attack: malware campaigns against activists and journalists

Eva

This year at Nullcon, Eva gave her talk on When governments attack: malware campaigns against activists and journalists. After introducing the EFF, she explained Dark Caracal, a possibly state-sponsored malware campaign. Leaving aside the technical aspects, this talk has a few other big points to remember.

  • No work is done by a single rock star; this project was a collaboration between people from Lookout and the EFF.
  • We should take an ethics class before writing a "Hello World" program in computer science classes.
  • People have the choice of not working for any group that will use their technical skills to abuse human rights.

Please watch this talk and tell me over Twitter what you think.

Announcing lymworkbook project

In 2017, I started working on a new book to teach the Linux command line in our online summer training. The goal was to have the basics covered in the book, and at the same time not try to explain things that can be learned better via man pages (yes, we encourage people to read man pages).

Where to practice

This question always came up; many times, students managed to destroy their systems by running random things, and rm -rf is a regular offender in this regard.

Introducing lymworkbook

Now the book has a new chapter, LYM Workbook, where the reader can set up VMs on the local machine via Vagrant and go through a series of problems in those machines. One can then verify whether the solution they worked on is correct. For example:

sudo lymsetup copypaste
sudo lymverify copypaste

We are starting with only a few problems, but I (and a group of volunteers) will slowly add many more. We will also increase the complexity by increasing the number of machines and by setting up more difficult systems. This will include basic system administration tasks.

How can you help

Have a look at the issues, and feel free to pick up any open issue or create issues with problems which you think are good to learn from. Things can be as simple as rsyncing a directory to another system, or setting up Tor Project and using it as a system proxy.

Just adding one problem as an issue is also a big help, so please spend 5 minutes of your free time, and add any problem you like.

A new tool to render my blog

new

Back in 2013, I wrote Shonku in golang. It helped me with two important things:

  • Having a static blogging tool which works (worked for the last 5 years).
  • To help me to learn basics on golang.

I think it served me well. I could focus on writing the actual content of the posts rather than anything else. The tool has a few flaws, but none of them got in the way of my blogging requirements. It just worked for me. I could have written it in Python (in much less time), but learning a new language is always fun.

new new

As I am trying to write more and more Rust, I decided to write a new tool in Rust and use that for my blog https://kushaldas.in.

This is very early code, and you can easily figure out that I still don't know how to write idiomatic Rust yet. However, it works. The last couple of posts were made using this tool, and I also regenerated the whole site in between.

The cargo build --release command takes time, but the release binary is insanely fast.

fast

git checkout to previous branch

We regularly move between git branches while working on projects. I always used to type in the full branch name, say to go back to the develop branch and then return to the feature branch. This takes a lot of typing (for the branch names etc.). I found out that we can use -, just like cd - takes us back to the previous directory we were in.

git checkout -

Here is a small video for demonstration.

I hope this will be useful for some people.

Adding directory to path in csh on FreeBSD

While I was trying to install rust on a FreeBSD box, I found that I had to add the directory ~/.cargo/bin to the path on the system. I added the following line to the ~/.cshrc file for that.

set path = ( $path /home/kdas/.cargo/bin)

I am yet to learn much about csh, but, I can count this as a start.