AbuseIPDB is “an IP address blacklist for webmasters and sysadmins to report IP addresses engaging in abusive behavior on their networks, or check the report history of any IP”.

However, unlike www.BlockList.de, AbuseIPDB is useless for a couple of reasons:

1. To (automatically) access the blocklist, account registration is required. You can argue that this is not an issue at all, furthermore it is for preventing service abuse. Nevertheless, neither www.BlockList.de nor Spamhaus require sign-up to be able to use their DNSBL service (www.BlockList.de, Spamhaus).
2. Hosting-provider (system administrator responsible for handling abuse complaints) cannot see complaints submitted to AbuseIPDB unless their restricted API is used. Unlike www.BlockList.de, AbuseIPDB, since their start back in early 2010’s, haven’t ever notified responsible abuse contacts for any of the received reports.

We (www.BlockList.de) report more than 70,000 attacks every 12 hours in real time using Whois (abuse-mailbox, abuse@, security@, email, remarks), the Ripe-Abuse-Finder, and the contact-database from abusix.com so we may find the abuse-address assigned to the offending host. Our reports are based on X-Arf (Network Abuse Reporting 2.0), so the abuse-department of the provider for the attacking host may parse our reports automatically.

3. Their restricted API?

• As a reporter, you are restricted from contributing too much (unlike at collaborative CrowdSec),
• As a hosting-provider (or a system administrator of an enterprise with few of publicly facing systems), you are restricted from checking your IP addresses for any reports too much or too efficiently:

Check-Block Limits

(IPv6 lookup restrictions are not mentioned for some reason.)

Given the above, without paid subscription, at the most you can lookup 500x /24 IPv4 prefixes once a day and 5000x single IPv4/IPv6 addresses. If you need to increase the precision of your alert system to, lets say, 1 hour, you can only lookup 20x /24 IPv4 prefixes and 208x single IPv4/IPv6 addresses.

Those restrictions may sound pretty reasonable, however I found this limitations too intrusive and purely financially-driven. In this case, both reporters and abused devices owners are charged for using this service. I understand that they really require funds to be operating, however these practices make me wonder why AbuseIPDB is still so goddamn popular despite their policy, given the variety of alternatives? Gosh, there is even multiple ways (1, 2) to make Fail2ban send abuse complaints directly to the hosting-providers without intermediaries like AbuseIPDB!

To my experience, Elantech touchpads are quite common at modern laptops and do have some issues arising from time to time. And I do have one in my Xiaomi RedmiBook laptop - it is ELAN2305:00 04F3:3122 (to my knowledge, it is connected via PS/2 interface).

After upgrading Linux kernel (to be exact, I am referring to sys-kernel/gentoo-kernel Gentoo package with savedconfig USE-flag enabled) from 5.15.88 to 6.1.22, I have lost my touchpad (only i2c device is seen but not detected by libinput).

Firstly, I assumed something was messed up in my config after upgrade from 5.x to 6.x branch. I have booted into Gentoo Minimal Installation CD, but the issue persisted.

At this step I was already confused, but after searching for similar problem I have found AMD-specific Linux kernel config entry: CONFIG_PINCTRL_AMD. After comparing 5.15.88’s and 6.1.22’s configs, I have found the reason why touchpad stoped from proprely functioning at newer kernels: CONFIG_PINCTRL_AMD=m. For some reason it cannot be built as a module anymore, thus the change from =m to =y solved the issue. Thanks to @loqs for mentioning this kernel knob!

I am an another happy owner of the Xiaomi’s RedmiBook, and this laptop is really amazing for its’ price. But nothing is perfect in this world, and one of the issues with RedmiBook is deep sleep support (on Linux).

When I discovered problems with energy consumption while laptop is sleeping, I found this article. I am grateful to author for his work, but unfortunately, copy-pasting commands did not solve my issue - there were some errors during decompilation stage, so recompilation stage failed also.

Problem 1. Disassembling DSDT

As you can see, there are some unresolved external control methods in the DSDT. This is preventing successful disassembly, so future patching and recompilation are impossible.

 $ sudo cat /sys/firmware/acpi/tables/DSDT > dsdt.aml
 $ iasl -d dsdt.aml

Intel ACPI Component Architecture
ASL+ Optimizing Compiler/Disassembler version 20200326
Copyright (c) 2000 - 2020 Intel Corporation

File appears to be binary: found 7312 non-ASCII characters, disassembling
Binary file appears to be a valid ACPI table, disassembling
Input file dsdt.aml, Length 0x4FA8 (20392) bytes
ACPI: DSDT 0x0000000000000000 004FA8 (v01 XMCC XMCC1955 00000002 01000013)
Pass 1 parse of [DSDT]
Pass 2 parse of [DSDT]
Parsing Deferred Opcodes (Methods/Buffers/Packages/Regions)

Parsing completed

Found 8 external control methods, reparsing with new information
Pass 1 parse of [DSDT]
Pass 2 parse of [DSDT]
Parsing Deferred Opcodes (Methods/Buffers/Packages/Regions)

Parsing completed
Disassembly completed
ASL Output: dsdt.dsl - 192773 bytes

 iASL Warning: There were 8 external control methods found during
 disassembly, but only 0 were resolved (8 unresolved). Additional
 ACPI tables may be required to properly disassemble the code. This
 resulting disassembler output file may not compile because the
 disassembler did not know how many arguments to assign to the
 unresolved methods. Note: SSDTs can be dynamically loaded at
 runtime and may or may not be available via the host OS.

 To specify the tables needed to resolve external control method
 references, the -e option can be used to specify the filenames.
 Example iASL invocations:
 iasl -e ssdt1.aml ssdt2.aml ssdt3.aml -d dsdt.aml
 iasl -e dsdt.aml ssdt2.aml -d ssdt1.aml
 iasl -e ssdt*.aml -d dsdt.aml

 In addition, the -fe option can be used to specify a file containing
 control method external declarations with the associated method
 argument counts. Each line of the file must be of the form:
 External (<method pathname>, MethodObj, <argument count>)
 Invocation:
 iasl -fe refs.txt -d dsdt.aml

Fixing disassembly

But we have some example usage of iasl, mentioning additional SSDTs. And I have a lot of them:

 $ ls /sys/firmware/acpi/tables/SSDT*
/sys/firmware/acpi/tables/SSDT1 /sys/firmware/acpi/tables/SSDT13 /sys/firmware/acpi/tables/SSDT2 /sys/firmware/acpi/tables/SSDT6
/sys/firmware/acpi/tables/SSDT10 /sys/firmware/acpi/tables/SSDT14 /sys/firmware/acpi/tables/SSDT3 /sys/firmware/acpi/tables/SSDT7
/sys/firmware/acpi/tables/SSDT11 /sys/firmware/acpi/tables/SSDT15 /sys/firmware/acpi/tables/SSDT4 /sys/firmware/acpi/tables/SSDT8
/sys/firmware/acpi/tables/SSDT12 /sys/firmware/acpi/tables/SSDT16 /sys/firmware/acpi/tables/SSDT5 /sys/firmware/acpi/tables/SSDT9

Let’s try to disassemble DSDT including all available SSDTs:

 $ sudo iasl -e /sys/firmware/acpi/tables/SSDT* -d dsdt.aml

Intel ACPI Component Architecture
ASL+ Optimizing Compiler/Disassembler version 20200326
Copyright (c) 2000 - 2020 Intel Corporation

File appears to be binary: found 7312 non-ASCII characters, disassembling
Binary file appears to be a valid ACPI table, disassembling
Input file dsdt.aml, Length 0x4FA8 (20392) bytes
ACPI: DSDT 0x0000000000000000 004FA8 (v01 XMCC XMCC1955 00000002 01000013)
External object resolution file /sys/firmware/acpi/tables/SSDT9
Input file /sys/firmware/acpi/tables/SSDT9, Length 0xC78 (3192) bytes
ACPI: SSDT 0x0000000000000000 000C78 (v01 XMCC XMCC1955 00000001 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT8
Input file /sys/firmware/acpi/tables/SSDT8, Length 0x1BF4 (7156) bytes
ACPI: SSDT 0x0000000000000000 001BF4 (v01 XMCC XMCC1955 00000001 AMD 00000001)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT7
Input file /sys/firmware/acpi/tables/SSDT7, Length 0xF8 (248) bytes
ACPI: SSDT 0x0000000000000000 0000F8 (v01 XMCC XMCC1955 00001000 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT6
Input file /sys/firmware/acpi/tables/SSDT6, Length 0x80 (128) bytes
ACPI: SSDT 0x0000000000000000 000080 (v01 XMCC XMCC1955 00000002 01000013)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT5
Input file /sys/firmware/acpi/tables/SSDT5, Length 0x47E (1150) bytes
ACPI: SSDT 0x0000000000000000 00047E (v01 XMCC XMCC1955 00001000 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT4
Input file /sys/firmware/acpi/tables/SSDT4, Length 0x792 (1938) bytes
ACPI: SSDT 0x0000000000000000 000792 (v01 XMCC XMCC1955 00003000 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT3
Input file /sys/firmware/acpi/tables/SSDT3, Length 0x228 (552) bytes
ACPI: SSDT 0x0000000000000000 000228 (v01 XMCC XMCC1955 00000001 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT2
Input file /sys/firmware/acpi/tables/SSDT2, Length 0x7216 (29206) bytes
ACPI: SSDT 0x0000000000000000 007216 (v02 XMCC XMCC1955 00000002 MSFT 04000000)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT16
Input file /sys/firmware/acpi/tables/SSDT16, Length 0x517 (1303) bytes
ACPI: SSDT 0x0000000000000000 000517 (v01 XMCC XMCC1955 00000001 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT15
Input file /sys/firmware/acpi/tables/SSDT15, Length 0x7D (125) bytes
ACPI: SSDT 0x0000000000000000 00007D (v01 XMCC XMCC1955 00000001 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT14
Input file /sys/firmware/acpi/tables/SSDT14, Length 0x20A (522) bytes
ACPI: SSDT 0x0000000000000000 00020A (v01 XMCC XMCC1955 00000001 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT13
Input file /sys/firmware/acpi/tables/SSDT13, Length 0x65E (1630) bytes
ACPI: SSDT 0x0000000000000000 00065E (v01 XMCC XMCC1955 00000001 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT12
Input file /sys/firmware/acpi/tables/SSDT12, Length 0x20A (522) bytes
ACPI: SSDT 0x0000000000000000 00020A (v01 XMCC XMCC1955 00000001 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT11
Input file /sys/firmware/acpi/tables/SSDT11, Length 0x30C8 (12488) bytes
ACPI: SSDT 0x0000000000000000 0030C8 (v01 XMCC XMCC1955 00000001 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT10
Input file /sys/firmware/acpi/tables/SSDT10, Length 0x10AC (4268) bytes
ACPI: SSDT 0x0000000000000000 0010AC (v01 XMCC XMCC1955 00000001 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
External object resolution file /sys/firmware/acpi/tables/SSDT1
Input file /sys/firmware/acpi/tables/SSDT1, Length 0x33BB (13243) bytes
ACPI: SSDT 0x0000000000000000 0033BB (v02 XMCC XMCC1955 00000000 INTL 20130117)
Pass 1 parse of [SSDT]
Pass 2 parse of [SSDT]
Pass 1 parse of [DSDT]
Pass 2 parse of [DSDT]
Parsing Deferred Opcodes (Methods/Buffers/Packages/Regions)

Parsing completed

Found 8 external control methods, reparsing with new information
Pass 1 parse of [DSDT]
Pass 2 parse of [DSDT]
Parsing Deferred Opcodes (Methods/Buffers/Packages/Regions)

Parsing completed
Disassembly completed
ASL Output: dsdt.dsl - 191166 bytes

Everything seems to be OK, and 8 our control methods were resolved successfully.

Problem 2. DSDT errors

Now we are applying patch from original article (be aware that XMCC version could be different). In my case, proper patch looks like this one:

@@ -18,7 +18,7 @@
 * Compiler ID " "
 * Compiler Version 0x01000013 (16777235)
 */
-DefinitionBlock ("", "DSDT", 1, "XMCC", "XMCC1955", 0x00000002)
+DefinitionBlock ("", "DSDT", 1, "XMCC", "XMCC1955", 0x00000003)
 {
 External (_SB_.APTS, MethodObj) // 1 Arguments
 External (_SB_.AWAK, MethodObj) // 1 Arguments
@@ -733,19 +733,13 @@
 Zero,
 Zero
 })
- If ((CNSB == Zero))
+ Name (_S3, Package (0x04) // _S3_: S3 System State
 {
- If ((DAS3 == One))
- {
- Name (_S3, Package (0x04) // _S3_: S3 System State
- {
- 0x03,
- 0x03,
- Zero,
- Zero
- })
- }
- }
+ 0x03,
+ 0x03,
+ Zero,
+ Zero
+ })

 Name (_S4, Package (0x04) // _S4_: S4 System State
 {

Idea is simple - update version to a higher one (in DefinitionBlock) and remove ‘if’ blocks, that are preventing S3 state.

 $ iasl dsdt-sleep.dsl

Intel ACPI Component Architecture
ASL+ Optimizing Compiler/Disassembler version 20200326
Copyright (c) 2000 - 2020 Intel Corporation

[redacted: many lines with remarks, warnings and errors were deleted]

ASL Input: dsdt-sleep.dsl - 191027 bytes 2041 keywords 6370 source lines

Compilation failed. 3 Errors, 32 Warnings, 121 Remarks
No AML files were generated due to compiler error(s)

I do not want to do grep for handling multiline errors, so I would simply add -ve flag, which will report only errors:

 $ iasl -ve dsdt-sleep.dsl

Intel ACPI Component Architecture
ASL+ Optimizing Compiler/Disassembler version 20200326
Copyright (c) 2000 - 2020 Intel Corporation

dsdt-sleep.dsl 3567: Return (Zero)
Error 6105 - ^ Invalid object type for reserved name (_CRS: found Integer, Buffer required)

dsdt-sleep.dsl 3580: Return (Zero)
Error 6105 - ^ Invalid object type for reserved name (_CRS: found Integer, Buffer required)

dsdt-sleep.dsl 3593: Return (Zero)
Error 6105 - ^ Invalid object type for reserved name (_CRS: found Integer, Buffer required)

ASL Input: dsdt-sleep.dsl - 191027 bytes 2041 keywords 6370 source lines

Compilation failed. 3 Errors, 32 Warnings, 121 Remarks
No AML files were generated due to compiler error(s)

Fixing DSDT compilation

After some small research, I tried to replace Zero with _CRS:

@@ -3564,7 +3564,7 @@
 {
 Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings
 {
+ Return (_CRS)
- Return (Zero)
 }
 }

@@ -3577,7 +3577,7 @@
 {
 Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings
 {
+ Return (_CRS)
- Return (Zero)
 }
 }

@@ -3590,7 +3590,7 @@
 {
 Method (_CRS, 0, NotSerialized) // _CRS: Current Resource Settings
 {
+ Return (_CRS)
- Return (Zero)
 }

 Device (WLAN)

Recompiling our patch again:

 $ iasl -ve dsdt-sleep-buffer-fix.dsl

Intel ACPI Component Architecture
ASL+ Optimizing Compiler/Disassembler version 20200326
Copyright (c) 2000 - 2020 Intel Corporation

ASL Input: dsdt-sleep-buffer-fix.dsl - 191027 bytes 2041 keywords 6370 source lines
AML Output: dsdt-sleep-buffer-fix.aml - 20520 bytes 1137 opcodes 904 named objects

Compilation successful. 0 Errors, 32 Warnings, 124 Remarks, 33 Optimizations

Finally, that worked. Now you can follow further instructions to build cpio archive and add image to initrd.

Hello, $USER! Amazon Simple Email Service (SES) is an email service which allow develops to send mail from within any application, and “supports TLS 1.2, TLS 1.1, TLS 1.0 and SSLv2Hello”, as stated in official documentation.

Problem

While registering at a few services (especially tawk[.]to and wpscan[.]com) I have observed enormous message delivery latencies (about 8 hours) and the same warning from few Amazon’s IP addresses:

warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2283:

Full connection logs (without TLS warnings, only connection log):

Jul 31 14:29:10 hostname postfix/smtpd[973370]: connect from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:29:10 hostname postfix/smtpd[973370]: SSL_accept error from a14-42.smtp-out.amazonses.com[54.240.14.42]: -1
Jul 31 14:29:10 hostname postfix/smtpd[973370]: lost connection after STARTTLS from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:29:10 hostname postfix/smtpd[973370]: disconnect from a14-42.smtp-out.amazonses.com[54.240.14.42] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:29:10 hostname postfix/smtpd[973370]: connect from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:33:29 hostname postfix/smtpd[973474]: connect from a9-75.smtp-out.amazonses.com[54.240.9.75]
Jul 31 14:33:30 hostname postfix/smtpd[973474]: SSL_accept error from a9-75.smtp-out.amazonses.com[54.240.9.75]: -1
Jul 31 14:33:30 hostname postfix/smtpd[973474]: lost connection after STARTTLS from a9-75.smtp-out.amazonses.com[54.240.9.75]
Jul 31 14:33:30 hostname postfix/smtpd[973474]: disconnect from a9-75.smtp-out.amazonses.com[54.240.9.75] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:34:11 hostname postfix/smtpd[973370]: timeout after EHLO from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:34:11 hostname postfix/smtpd[973370]: disconnect from a14-42.smtp-out.amazonses.com[54.240.14.42] ehlo=1 commands=1
Jul 31 14:43:56 hostname postfix/smtpd[973620]: connect from a9-115.smtp-out.amazonses.com[54.240.9.115]
Jul 31 14:43:57 hostname postfix/smtpd[973620]: SSL_accept error from a9-115.smtp-out.amazonses.com[54.240.9.115]: -1
Jul 31 14:43:57 hostname postfix/smtpd[973620]: lost connection after STARTTLS from a9-115.smtp-out.amazonses.com[54.240.9.115]
Jul 31 14:43:57 hostname postfix/smtpd[973620]: disconnect from a9-115.smtp-out.amazonses.com[54.240.9.115] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:54:54 hostname postfix/smtpd[973741]: connect from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:54 hostname postfix/smtpd[973741]: SSL_accept error from a9-38.smtp-out.amazonses.com[54.240.9.38]: -1
Jul 31 14:54:54 hostname postfix/smtpd[973741]: lost connection after STARTTLS from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:54 hostname postfix/smtpd[973741]: disconnect from a9-38.smtp-out.amazonses.com[54.240.9.38] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:54:54 hostname postfix/smtpd[973741]: connect from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:57 hostname postfix/smtpd[973741]: 5EA8C22059E: client=a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:57:01 hostname postfix/smtpd[973787]: connect from a9-39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 14:57:01 hostname postfix/smtpd[973787]: SSL_accept error from a9-39.smtp-out.amazonses.com[54.240.9.39]: -1
Jul 31 14:57:01 hostname postfix/smtpd[973787]: lost connection after STARTTLS from a9.39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 14:57:01 hostname postfix/smtpd[973787]: disconnect from a9-39.smtp-out.amazonses.com[54.240.9.39] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:57:02 hostname postfix/smtpd[973787]: connect from a9-39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 14:59:57 hostname postfix/smtpd[973741]: timeout after RCPT from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:59:57 hostname postfix/smtpd[973741]: disconnect from a9-38.smtp-out.amazonses.com[54.240.9.38] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 15:01:59 hostname postfix/smtpd[973887]: connect from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:00 hostname postfix/smtpd[973887]: SSL_accept error from a9-67.smtp-out.amazonses.com[54.240.9.67]: -1
Jul 31 15:02:00 hostname postfix/smtpd[973887]: lost connection after STARTTLS from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:00 hostname postfix/smtpd[973887]: disconnect from a9-67.smtp-out.amazonses.com[54.240.9.67] ehlo=1 starttls=0/1 commands=1/2
Jul 31 15:02:00 hostname postfix/smtpd[973887]: connect from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:01 hostname postfix/smtpd[973887]: 5B7E622059E: client=a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:02 hostname postfix/smtpd[973787]: timeout after CONNECT from a9-39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 15:02:02 hostname postfix/smtpd[973787]: disconnect from a9-39.smtp-out.amazonses.com[54.240.9.39] commands=0/0
Jul 31 15:07:01 hostname postfix/smtpd[973887]: timeout after RCPT from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:07:01 hostname postfix/smtpd[973887]: disconnect from a9-67.smtp-out.amazonses.com[54.240.9.67] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 15:13:26 hostname postfix/smtpd[974066]: connect from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:13:27 hostname postfix/smtpd[974066]: SSL_accept error from a14-40.smtp-out.amazonses.com[54.240.14.40]: -1
Jul 31 15:13:27 hostname postfix/smtpd[974066]: lost connection after STARTTLS from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:13:27 hostname postfix/smtpd[974066]: disconnect from a14-40.smtp-out.amazonses.com[54.240.14.40] ehlo=1 starttls=0/1 commands=1/2
Jul 31 15:13:27 hostname postfix/smtpd[974066]: connect from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:13:28 hostname postfix/smtpd[974066]: 914C422059E: client=a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:18:28 hostname postfix/smtpd[974066]: timeout after RCPT from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:18:28 hostname postfix/smtpd[974066]: disconnect from a14-40.smtp-out.amazonses.com[54.240.14.40] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 15:40:07 hostname postfix/smtpd[974378]: connect from a14-57.smtp-out.amazonses.com[54.240.14.57]
Jul 31 15:40:08 hostname postfix/smtpd[974378]: SSL_accept error from a14-57.smtp-out.amazonses.com[54.240.14.57]: -1
Jul 31 15:40:08 hostname postfix/smtpd[974378]: lost connection after STARTTLS from a14-57.smtp-out.amazonses.com[54.240.14.57]
Jul 31 15:40:08 hostname postfix/smtpd[974378]: disconnect from a14-57.smtp-out.amazonses.com[54.240.14.57] ehlo=1 starttls=0/1 commands=1/2
Jul 31 16:07:04 hostname postfix/smtpd[974699]: connect from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:07:04 hostname postfix/smtpd[974699]: SSL_accept error from a14-55.smtp-out.amazonses.com[54.240.14.55]: -1
Jul 31 16:07:04 hostname postfix/smtpd[974699]: lost connection after STARTTLS from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:07:04 hostname postfix/smtpd[974699]: disconnect from a14-55.smtp-out.amazonses.com[54.240.14.55] ehlo=1 starttls=0/1 commands=1/2
Jul 31 16:07:04 hostname postfix/smtpd[974699]: connect from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:07:06 hostname postfix/smtpd[974699]: 2D84422059E: client=a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:12:06 hostname postfix/smtpd[974699]: timeout after RCPT from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:12:06 hostname postfix/smtpd[974699]: disconnect from a14-55.smtp-out.amazonses.com[54.240.14.55] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 17:14:40 hostname postfix/smtpd[975482]: connect from a14-56.smtp-out.amazonses.com[54.240.14.56]
Jul 31 17:14:40 hostname postfix/smtpd[975482]: SSL_accept error from a14-56.smtp-out.amazonses.com[54.240.14.56]: -1
Jul 31 17:14:40 hostname postfix/smtpd[975482]: lost connection after STARTTLS from a14-56.smtp-out.amazonses.com[54.240.14.56]
Jul 31 17:14:40 hostname postfix/smtpd[975482]: disconnect from a14-56.smtp-out.amazonses.com[54.240.14.56] ehlo=1 starttls=0/1 commands=1/2
Jul 31 17:32:08 hostname postfix/smtpd[975779]: connect from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:32:09 hostname postfix/smtpd[975779]: SSL_accept error from a9-156.smtp-out.amazonses.com[54.240.9.156]: -1
Jul 31 17:32:09 hostname postfix/smtpd[975779]: lost connection after STARTTLS from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:32:09 hostname postfix/smtpd[975779]: disconnect from a9-156.smtp-out.amazonses.com[54.240.9.156] ehlo=1 starttls=0/1 commands=1/2
Jul 31 17:32:09 hostname postfix/smtpd[975779]: connect from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:32:12 hostname postfix/smtpd[975779]: 746E022059E: client=a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:37:12 hostname postfix/smtpd[975779]: timeout after RCPT from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:37:12 hostname postfix/smtpd[975779]: disconnect from a9-156.smtp-out.amazonses.com[54.240.9.156] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 20:00:24 hostname postfix/smtpd[977858]: connect from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:00:24 hostname postfix/smtpd[977858]: SSL_accept error from a14-44.smtp-out.amazonses.com[54.240.14.44]: -1
Jul 31 20:00:24 hostname postfix/smtpd[977858]: lost connection after STARTTLS from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:00:24 hostname postfix/smtpd[977858]: disconnect from a14-44.smtp-out.amazonses.com[54.240.14.44] ehlo=1 starttls=0/1 commands=1/2
Jul 31 20:00:24 hostname postfix/smtpd[977858]: connect from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:05:24 hostname postfix/smtpd[977858]: timeout after EHLO from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:05:24 hostname postfix/smtpd[977858]: disconnect from a14-44.smtp-out.amazonses.com[54.240.14.44] ehlo=1 commands=1
Jul 31 20:39:17 hostname postfix/smtpd[978615]: connect from a14-43.smtp-out.amazonses.com[54.240.14.43]
Jul 31 20:39:17 hostname postfix/smtpd[978615]: SSL_accept error from a14-43.smtp-out.amazonses.com[54.240.14.43]: -1
Jul 31 20:39:17 hostname postfix/smtpd[978615]: lost connection after STARTTLS from a14-43.smtp-out.amazonses.com[54.240.14.43]
Jul 31 20:39:17 hostname postfix/smtpd[978615]: disconnect from a14-43.smtp-out.amazonses.com[54.240.14.43] ehlo=1 starttls=0/1 commands=1/2
Jul 31 22:48:27 hostname postfix/smtpd[989112]: connect from a14-58.smtp-out.amazonses.com[54.240.14.58]
Jul 31 22:48:29 hostname postfix/smtpd[989112]: 303BD2204A4: client=a14-58.smtp-out.amazonses.com[54.240.14.58]
Jul 31 22:48:54 hostname postfix/smtpd[989112]: disconnect from a14-58.smtp-out.amazonses.com[54.240.14.58] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

Self-host is innocent!

My postfix configuration is (working) intermediate, which means that it supports TLS 1.2+, but with medium cipherlist. According to Mozilla:

• All cipher suites are forward secret and authenticated
• TLS 1.2 is the minimum supported protocol, as recommended by RFC 7525, PCI DSS, and others
• ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11, as well as allow connections from IE11 on Windows Server 2008 R2
• The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
• Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers
• Administrators needing to provide access to IE 11 on Windows Server 2008 R2 and who are unable to switch to or add ECDSA certificates can add TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
• While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)
• 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation

Conclusion

Unfortunately, there are big tech companies in 2021 that ignore best-practices and can’t even support well-known TLS 1.2 ciphersuits.

2021-09-02 update

I found possible solution to fix Amazon SES behaviour by adding ECDHE-RSA-AES256-SHA384 to the cipher list.

Hello, my favourite visitor! In the previous article I have told you about basics of honeypotting. Today I want to show you why and how we can process the web traffic.

Why I want to analyze web junk?!

Well, there are huge amount of web vulnerabilities from variety of services, starting from firmware backdoor at home router and ending at misconfigurated web server, which leaks internal Jupiter Notebook. Bots nowadays are a bit clever, so they rarely trying to exploit system at the first attempt - their first step is system scan. So we can recognize which services are being scanned by bots and lookup recent or most known vulnerability of this service.

How we can detect malicious traffic if I run real website?

This is the most simple task IMO. Everything we need to do is to create a new virtual host, which intercepts all the traffic without Host header, or with non-existent domain name (that was not defined in the server configuration, like our external IP address). Why this would work? Corresponding to RFC 7230, “A client MUST send a Host header field in all HTTP/1.1 request messages”. So if real browser will request encryp.ch, web server will know it certainly. In other cases we have suspicious client with potentially malicious requests, that are trying to exploit bugs in software, which not conforms RFC fully.

Practice time

Now, we have theory to materialise. In this guide I will use nginx because it is far more superior than Apache (performance and security).

Firstly, create two vhosts - first will return 200 status code, another one will log request with it’s bodies. We need two different vhosts to be able to use $request_body in our log_format (this is because nginx itself doesn’t read request_body if no backend is present, it serves only static files; we are lying to nginx so it will try to process our request_body, and we will see it in the logs)

 # log_format is used to describe our log entries
 # for more information about fields we are saving,
 # see docs: https://nginx.org/en/docs/varindex.html
 # https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
 log_format detailed_json escape=json "{\"request\": {\"client_addr\": \"$remote_addr\", \"client_port\": \"$remote_port\", \"conn_id\": \"$connection\", \"request_body\": \"$request_body\", \"full_line\": \"$request\", \"parsed\": {\"protocol\": \"$server_protocol\", \"method\": \"$request_method\", \"uri\": \"$request_uri\", \"host\": \"$http_host\"}, \"completion\": \"$request_completion\", \"lenght\": \"$request_length\", \"user-agent\": \"$http_user_agent\"}, \"response\": {\"time\": {\"iso8601\": \"$time_iso8601\"}, \"code\": $status}}";

 # our honeypot virtual host
 server {
 # replace 10.0.0.2 with your external IP
 listen 10.0.0.2:80 default_server reuseport so_keepalive=off backlog=4096;
 listen 10.0.0.2:8000 default_server reuseport so_keepalive=off backlog=4096;
 listen 10.0.0.2:8008 default_server reuseport so_keepalive=off backlog=4096;
 listen 10.0.0.2:8080 default_server reuseport so_keepalive=off backlog=4096;
 listen 10.0.0.2:8888 default_server reuseport so_keepalive=off backlog=4096;
 server_name _ "";

 access_log /var/log/nginx/honeypot-full.json detailed_json;
 log_not_found off;

 location = /robots.txt {
 access_log off;
 return 200 "User-agent: *\nDisallow: /\nDisallow: /i-ignore-robots-txt\n";
 }

 location / {
 proxy_pass http://unix:/var/run/nginx-dummy.sock;
 }
 }

 # our dummy vhost, used for request body processing
 server {
 # can listen anything you wish,
 # but remember to modify proxy_pass directive
 listen unix:/var/run/nginx-dummy.sock;
 return 200 "";
 }

Remember to paste those lines before including real vhosts (may look like inlude vhosts/*.conf), so it will be used as default trap.

Now, our logs contain something like this line:

{"request": {"client_addr": "74.201.28.70", "client_port": "60174", "conn_id": "11231", "request_body": "", "full_line": "GET / HTTP/1.1", "parsed": {"protocol": "HTTP/1.1", "method": "GET", "uri": "/", "host": "10.0.1.2:80"}, "completion": "OK", "lenght": "120", "user-agent": "libwww-perl/6.53"}, "response": {"time": {"iso8601": "2021-04-03T09:48:20+03:00"}, "code": 200}}

Conclusion

Provided setup is simplified solution without online requests processing, so server load and functionality is minimal. But we can setup something to automatically process JSON logs to report IP, send payload to VirusTotal or ban IP from accessing our real services.

One of the reasons our modern cryptography works so well on classical computers is that they rely on prime factorization which classical computers don’t do so well. This has been key to maintaining our computers and networks secured. One of the things Quantum computers do better than classical computers is prime factorization. How will the advent of Quantum computing impact cryptography? Will technologies like secure messaging, email and blockchains like bitcoin be affected?

In short, yes, all of those systems will be impacted. In one place or another, they all rely on public key cryptosystems, most of which rely on one of the following being difficult:

• The integer factorization problem (RSA)
• The discrete logarithm problem (Diffie–Hellman key exchange)
• The elliptic-curve discrete logarithm problem (ElGamal)

Large quantum computers will make all of those much easier and faster using Shor’s algorithm. However, not all cryptographic methods are broken by use of quantum computers - AES is a common and contemporary example of a quantum-resistant algorithm (which I’ve spoken to before here). There are many proposals for quantum-resistant systems which will replace contemporary public key cryptography, but cryptographers have plenty of time to keep investigating before those algorithms will become necessary. Quantum computers we have today are advancing fast, but they need to become much larger and more stable before they can use Shor’s algorithm to shred existing cryptographic protections.

So all these systems will be effected, but will they go away? No. It’s even unlikely that many user(s) of those will really notice when post-quantum cryptosystems are implemented to replace existing mechanisms. For example, your email provider’s encryption is transparent to users - you don’t select encryption algorithms or parameters when you’re sending an email. Remember, email is incredible old, and email providers moved from no encryption, to SSL, to TLS… largely without people noticing or caring, even as each prior system’s protections were shredded by advancing technology or cryptanalysis. Especially as we’ve moved into the usability age, most people won’t even need to make manual changes to what services/ports/etc. they were using, like when email providers started supporting encryption.

So in most cases, engineers will take care of pretty much everything, the key for users will just be to stay updated. The only possible pitfall I see to “just stay updated for protection” is going to be blockchains or certain secure messaging apps - basically anything where you are managing your own keys, you may need to take some small action on. i.e. for cryptocurrency I somewhat expect you will need to create a new wallet and migrate your funds, or use software/a provider/etc. which does that for you. In that case, follow guidance given by security professionals - but again users probably won’t be expected to do much.

Edit: One last thing. The only things that will go away or be substantially less secure are things that are no longer maintained, or not maintained properly. For example, many websites still don’t support modern encryption, or encryption at all. Unmaintained email servers will be substantially less secure until action is taken to upgrade. Blockchains are at risk for misuse and will need to handle that possibility; esp. unmaintained or under-maintained cryptocurrencies will almost surely be misused. But for everyone willing to keep up with technology, I expect most things will keep up.

The advent of quantum computing & Shor’s algorithm will fundamentally change the way professionals think about cryptography, but not the way end users interact with computers, or what computers are used for.

Source: https://reddit.com/r/cybersecurity

Original article (was) here: https://privacy-watchdog.io/truth-about-protonmail/.

Update 2021/11/04. My thanks to the HN guys for their help and bunch of useful recommendations on this case. So, I have changed some things in this post:

• I have carefully read point 9 and the linked article to it, and now I can confirm that this is not a valid argument. I leaved it crossed out and did not delete it just for historical purposes;
• Renamed title (and changed link) to “Disturbing facts about ProtonMail”, so no absolutely truth is meant;
• Thanks to this comment author for adding two extra points (in this article they are 12 and 13).

Update 2021/10/28 domain registrator received abuse complaint against this article:

---
Dear Madam or Sir,
Our Company, Proton AG, is a provider of secured Internet services, including ProtonMail, and end-to-end encrypted email service.
We have recently been made aware of an article hosted on the website encryp.ch, and accessible via the following link: https://encryp.ch/blog/truth-about-protonmail/.
This article is highly defamatory. It claims untrue and groundless “facts” about our Company and our services, which can cause great damages to our reputation and the conduct of our business.
After investigation, it appears that the website is held by your Company.
We would be very grateful if you could take down the content of this article, and provide us with all available information regarding its author.
We remain at your disposal for further questions.
Best regards,
[redacted]
Legal Counsel
Proton AG
---

1. Protonmail Behaves like a CIA/NSA “Honeypot”

Protonmail has an Onion domain that allows users to visit their site using the TOR browser. Protonmail even has an SSL cert for that onion address even though it’s completely unnecessary. When a user makes a new account with Protonmail on TOR they are re-directed from Protonmail’s “.onion” to “.com” address. This breaks your secure encrypted connection to their onion address, enabling your identification. There are absolutely no technical reasons for this feature. In fact, the only other websites that operate like this are suspected NSA/CIA Honeypots.

This is a huge security issue that was either created because Protonmail is managed by Particle physicists who do not understand computer security OR they have been forced to operate their website in a similar way as CIA/NSA honeypots. Both possibilities are serious concerns.

2. Protonmail Does Not Provide “End to End Encryption”

Professor Nadim Kobeissi mathematically proved that Protonmail does not provide End to End Encryption. Meaning, Protonmail has the ability to decrypt their own user’s data. When this was shown to be true, Protonmail users were outraged they had been lied to. Protonmail was forced to issue a public statement. Their statement begins like you would expect it would.. by shitting on the security researcher that revealed their dishonesty. Then they continued to say: “We lied to our users because other email companies did”. No apologies. They can decrypt any of their user’s data be sending them scripts that allow them to do so. However they advertise that they can not. Protonmail’s admission proves they offer the same security that Gmail offers. Both Gmail and Protonmail offer encryption that they can decrypt whenever they want.

3. Protonmail’s Was Created Under CIA/NSA Oversight

Gmail & Protonmail were both created in CIA/NSA funded departments with their oversight. Protonmail has tried to hide this part of their history. We wrote a whole article about it here.

4. Protonmail is Part Owned by CRV and the Swiss Government

After a successful crowdfunding campaign with promises to “remain independent” Protonmail sold equity ownership to CRV and FONGIT. At the time of the equity sale a CRV founder, Mr Ted Ditersmith, was working for the US State Department closely with President Obama. His position as a delegate required close contact with CIA & NSA administration. Mr. Ted Ditersmith had also witnessed the Edward Snowden revelations and made statements that he planned to use his corporate knowledge to “fight terrorism”. FONGIT is a Non Profit organization that is financed by the Swiss Government. Protonmail staff member, Antonio Gambardella, also works for the Swiss Government.

5. CRV, In-Q-Tel & the CIA

The CIA openly operates a front company, In-Q-Tel, whose stated purpose is to invest in tech companies on behalf of the CIA. In-Q-Tel has stated they have a specific interest in the information contained in e-mails and encrypted communication. In-Q-Tel has been shown to be the bridge between the CIA and Gmail. An analysis of staff members reveals CRV & In-Q-Tel connections. The US media confirms these connections when they interview CRV so that they can understand In-Q-Tel. Additionally, The mastermind, cryptographer & back end developer that created Protonmail, Wei Sun, now works for Google.

6. Protonmail Follows CIA Email format & Metadata Requirements

Leaked documents at Wikileaks show that the CIA requires emails to be stored as an EML filetype. There are several ways to store emails, and Protonmail has selected the format that the CIA requires. Protonmail offers no protection for users’ metadata and has officially stated that they turn metadata over to Law Enforcement. Edward Snowden revealed that the US government cares least about the content of emails. Mr. Snowden revealed the US Law Enforcement cares most about who a person is talking to, the dates & times of the emails, and the subject of the email. Subject and metadata encryption are not difficult to provide. However, Protonmail refuses to offer any protection on data that is most valuable to the CIA & FBI and they store it as plain text (No encryption). Edward Snowden stated the NSA “isn’t able to compromise the encryption algorithms underlying these technologies. Instead, it circumvents or undermines them by forcing companies to cooperate in other ways. Protonmail has refused to protect the information the NSA wants, this is a concern.

7. Swiss MLAT Law Could Give the NSA Full Access

Protonmail’s Servers Reside In Switzerland, a country with an MLAT treaty that could allow the NSA to continue it’s the mission of recording “nearly everything” about a person’s internet communication. Any doubts the MLAT treaty applies are removed when you take into account that Protonmail is part-owned by FONGIT, a Swiss Government-financed company. Protonmail has also recently revised its Privacy Policy to include wording and requirements from the MLAT treaty. Their actions show they are capitulating with the MLAT treaty. Revisions include a change to their privacy policy allowing them to track your location while you use their service in some situations.

8. Protonmail Uses Radware for DNS/DDOS Protection

Privacy companies like Protonmail are required to use a DNS/DDOS service because of the frequent attacks against their service. Protonmail uses a company called Radware for this purpose. Radware is a low-quality service that has failed to provide adequate protection. Protonmail has been taken offline, sometimes by teenage kids, because they insist on using a sub-par service. It’s worth noting that Radware’s international office is a few miles away from the headquarters of the most powerful Intelligence agency on earth, The Isreali Mossad. Radware can gain complete access to all Protonmail user’s accounts in two ways. They could inject a few lines of code that would reveal all users log in username and passwords, thus allowing them to log in as if they are that user. They could also be given users usernames & passwords by Protonmail. Remember Protonmail has admitted they can access all user’s accounts and decrypt their data. Additionally, it has been reported that Radware has direct connections to the Israeli Defense Force.

9. Protonmail Developers Do Not Use Protonmail

Protonmail’s developers are in a position to know the real security offered by Protonmail. And Protonmail’s developers do not use Protonmail. If you were served food by a cook who refused to eat the food, would that be a cause of concern to you? This is the same situation. Protonmail developers do not use Protonmail, there are likely good reasons for this.

10. Protonmail engages in illegal cyberwarfare

In 2017 Protonmail seems to have used illegal cyber warfare capabilities to unlawfully break into a suspects server. You can see the tweet they posted and read about it here. They soon deleted the tweet and said: “We cannot confirm nor deny if anything happened.” In 2013 the European Union parliament voted to make hacking a crime that carried a prison sentence of 2 years. “Hacking back” is also illegal under Swiss law. Based on Protonmail’s admissions only, they conducted an illegal hack.

11. Protonmail has a history of Dishonesty

From Protonmail’s creation lied to their users. Starting when they crowdfunded $550k to “remain Independent”, a promise they broke almost immediately by selling equity ownership to a US corporation with ties to President Obama and John Podesta.

12. Protonmail does not protect users, if it could cause any legal risk

Protonmail collaborating with EUROPOL in a clear case of political repression against anti-gentrification activists in Paris, and setup IP logging specifically for that user… So even in the clearest violations they are not standing up for users if it means taking legal risks for them.

13. Protonmail censoring “untruth” information about themself, even if you are a small blog

Prontonmail joining the long list of censor trolls asking registrars about identity of domain owner?! (see an aforementioned abuse complaint from Proton AG). They broke away from a tradition of free speech (debunk claims publicly), and from a traditional form of law enforcement. It is very unusual for corporate trolls with armies of lawyers to contact anyone to censor such vague claims on a random blog in a dark corner of the internet. It’s not exactly like the website named like protonmailtruth.ch or whatever.

In our opinion Protonmail is not an email solution you would use if you want privacy or security. Your emails are probably going to end up in a US data center right next to your Gmail emails.

Nowadays Internet is full of crawlers, bots and skids. If their purpose is evil, this could be a significant threat for unprepared users. To reduce risk for ordinary users, there are a few reputation services, providing rating of IP, domain or even URI. Some of them are: AbuseIPDB, SANS DShield, VirusTotal and CSIRTG. Mostly, they are filled by volunteers maintaining own honeypots.

How those websites can be used?

All of them are collecting huge amounts of computer abuse reports from volunteers around the world, then calculating reported IP-address’ suspicity and providing huge lists of bad addresses to avoid, or even nullroute. Thus harm from low-effort and non-targeted attack, involving huge subnets, can be minimized.

How to maintain own honeypot?

You just need some time to configure software, computer, server or Raspberry Pi, etc (I suggest to use any Linux distribution on such host) and static IPv4 (to open 22/tcp port).

If you are ready, let’s start. I will show example for CentOS 7 (should be valid for CentOS 8 Stream too), but in case of any errors at distro of your choice don’t forget to search information on the net.

1) Install Cowrie

Firstly, we need to create new user - it will be used to run our SSH honeypot:

useradd -mU cowrie && cd /home/cowrie

Install required packages:

sudo yum -y install git python3-virtualenv vim

Then, we need to download latest sources. Let’s login to cowrie user:

sudo -u cowrie -c git clone https://github.com/cowrie/cowrie && cd cowrie

Preparing environment for honeypot:

sudo -u cowrie virtualenv-3 --python=python3 cowrie-env && sudo -u cowrie -s

Enter prepared environment:

source cowrie-env/bin/activate

Install dependencies:

pip install --upgrade pip && pip install --upgrade -r requirements.txt && exit

2) Configuration

In this guide I will use vim as my text editor. But you are free to use any other: nano, kate, etc.

Let’s edit /etc/systemd/system/cowrie.service. Paste this:

[Unit]
Description=A SSH and Telnet honeypot service
After=network.target
After=rsyslog.service

[Service]
Type=forking
User=cowrie
Group=cowrie
Restart=on-error
RestartSec=1
ExecStart=/bin/sh -c 'cd /home/cowrie/cowrie; source cowrie-env/bin/activate; bin/cowrie start;'
ExecStop=/bin/sh -c 'cd /home/cowrie/cowrie; source cowrie-env/bin/activate; bin/cowrie stop;'

[Install]
WantedBy=multi-user.target

Now let’s edit /home/cowrie/cowrie/etc/cowrie.cfg:

sudo -u cowrie vim /home/cowrie/cowrie/etc/cowrie.cfg

Paste following config:

[ssh]
enabled = true
forwarding = false
sftp_enabled = false
listen_endpoints = tcp:2222:interface=0.0.0.0


[telnet]
enabled = true
listen_endpoints = tcp:2323:interface=0.0.0.0


[output_jsonlog]
enabled = false


# Send login attemp information to SANS DShield
# See https://isc.sans.edu/ssh.html
# You must signup for an api key.
# Once registered, find your details at:
# https://isc.sans.edu/myaccount.html
# Enable DShield later
[output_dshield]
enabled = false
userid = YOUR_USERID
auth_key = YOUR_AUTH_KEY
batch_size = 1


# VirusTotal output module
# You must signup for an api key.
# Enable VT output later
[output_virustotal]
enabled = false
api_key = YOUR_API_KEY
upload = True
debug = False
scan_file = True
scan_url = True


# https://www.abuseipdb.com
# You have to set api_key to
# enable abuseipdb reporting
[output_abuseipdb]
enabled = false
api_key = YOUR_API_KEY_HERE
rereport_after = 24
tolerance_window = 0
tolerance_attempts = 1

Don’t forget to carefully read comments in the config and add needed credentials or api keys to upload reports.

Before starting cowrie, we need to move our SSH to different port. We need to edit /etc/ssh/sshd_config. Change this:

#Port 22

To this:

Port YOUR_RANDOM_PORT

You have to change YOUR_RANDOM_PORT to any port of your choice. I suggest to use ephermal port like 32976. And open this port in our firewall:

sudo firewall-cmd --permanent --zone=public --add-port=YOUR_RANDOM_PORT/tcp

Don’t forget to restart ssh daemon:

sudo systemctl restart sshd

Now let’s activate service:

sudo systemctl enable --now cowrie

For security reasons, cowrie listens on ports >1024. So, we need to forward requests from 22 and 23 to 2222 and 2323 respectively. To do this we can simply use firewalld (I assume you have properly configurated it):

sudo firewall-cmd --permanent --zone=public --add-forward-port=port=22:proto=tcp:toport=2222
sudo firewall-cmd --permanent --zone=public --add-forward-port=port=23:proto=tcp:toport=2323

So, our honeypot is ready to catch any chineese/american bot.

Thanks for reading.

Introduction

Everybody ever seen that page with title “Attention Required! | Cloudflare”, which forces you to complete some sneaky CAPTCHA. And this is very annoying, specially if you use TOR (not only browser, but network) for privacy reasons, or to circumvent censorship. But this is not only issues with Cloudflare (lets call it simply - CF), there are a few more articles about them: 1, 2 and 3 for details.

Problem

I have been used to serve DNS requests for this domain by CF network, only because it is very fast provider with fancy API and DNSSEC support, but after small research, I found nicevps.net provider, which promotes as uncensored and private one.

Solution

So, nicevps.net pretend to became chosen domain registrar for sergprog.xyz transfer. Most important feature for me is DNSSEC support, which is provided according to product page.

nicevps.net

Unfortunately, transfer and renew price is higher here (nicevps: €11.99 / €12.00, CF: $8.00), but you can pay with cryptocurrencies! Another nicevps opportunity is fully anonymous domain registration - you can use TOR mirror and provide none of PII. Even more - cryptopayments gateway done on their side, so no info shared with third parties. Very nice.

Transfer done quickly (less than hour), however, there are no import/export functionality in nicevps’s hPanel. Anyway, I have been copied all my DNS entries manually 😠.

One more minus is manual DNSSEC activation - it requires writing ticket to support (maybe only if domain was transfered), but this is not so problem, because they respond quickly enough (1 hour) after doing all required work on their side (signing zone). Then you have to add some DS records in panel. Not so simple like CF does, but still good.

So, to overall nicevps vs. CF comparison:

• ? this is namesilo reseller
• ? minimum TTL is 1800s, but who really needed low TTL?
• ? a bit longer DNSSEC signing process (but this one is one-time process, so don’t count)
• + isn’t monopolized MitM registar
• + provide Web and Email Forwarding
• + you can order domain name anonymously
• + provide Glued / Registered Name Servers
• - higher price
• - no import/export functionality
• - no API for DNS manager, “and it is not planned, sorry” 💔

? means not advantage neither flaw

Conclusion

If you really want to enhance web decentralization, stay anonymous, care about privacy or don’t want to support world biggest MitM - nicevps.net is really good choise as registar, but consider to search some DNSSEC-supported DNS hosting (dns.he.net plans to add DNSSEC 😏). Anyway I recommend you to done own research and find your trusted provider from current ICANN-accredited registrars list (or .xyz ICANN-accredited registrars list for .xyz domain, like this one).

Thank you for reading! Let’s make Web great again!!!