Archive

Archive for the ‘Security’ category

VPN Manager for OpenVPN OpenELEC/LibreELEC Kodi

22 April 2017 No comments
Categories: Kodi, Security Tags:

MySQL server password reset

23 February 2017 No comments

After a fresh installation, the MySQL server turned out to be inaccessible in Webmin because the password was unknown.
The command below solved the problem:

sudo dpkg-reconfigure mysql-server-5…. (depending on the version; pressing TAB after the 5. shows the correct version)

Categories: General, Security Tags:

Installing an SSL (https) certificate in Synology DSM 6.0

19 February 2017 No comments

This link to the Synology Knowledge Database has information on how to install a certificate.

Categories: Security, Synology NAS Tags:

How to install and configure Tor to work with ZeroNet on Mac OSX

28 October 2016 No comments


I figured I’d make a quick guide, since I just had to explain this, and more mac users seem to be coming onto zeronet with very little instructions on how to do things. So without further ado, here’s how to set up ZeroNet with Tor on Mac.
1. Make sure you have homebrew installed. Mac Ports apparently works too, but I use brew. For convenience, the terminal command to install homebrew is:
/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
2. Run brew install tor in the terminal to download/install the tor daemon.
3. After it’s done downloading and installing, navigate to the /usr/local/etc/tor folder on your computer. The easiest way to do this is to open finder and hit cmd+shift+g and paste it in there. You should see a torrc.sample file.
4. Copy the torrc.sample file and rename the copy to just torrc with no extension. Open it up in a plain-text editor. You should probably use a plain-text editor or a code editor like sublime to prevent auto-formatting from messing it up. Avoid using mac’s built-in one.
5. Look for #ControlPort 9051 and simply remove the #.
6. Two lines down you should see #CookieAuthentication 1 remove the # from this one too.
7. Save the file and exit. Then launch tor using tor in the terminal.
8. Restart zeronet and it’ll run with tor. If you want to use tor for every connection (rather than just having one for a bridge or to access tor-only peers) then on the zero net homepage, click on the tor button in the top right, and hit ‘enable tor for every connection’ at the bottom. Then restart zeronet a second time. You can disable it in the same way.

Starting ZeroNet on Mac OSX:

Instructions here: https://zeronet.readthedocs.io/en/latest/using_zeronet/installing/
Drag the ZeroNet file from the Finder into a terminal and start it:

screenshot_750.png

Note: to start ZeroNet with a Tor connection, the full start command must be:
sudo /Users/…./Documents/ZeroBundle/ZeroNet.app --tor_proxy 127.0.0.1:9150 --tor_controller 127.0.0.1:9151

Categories: OSX, Security Tags:

Mounting Synology NAS folders from a VPS

14 September 2016 No comments

Options:
1. On the Ubuntu server run this command:
sudo sshfs -o uid=1000 -o gid=1000 -o allow_other -o nonempty admin@xx.xx.xx.xx:/music /media/music
The Synology music folder is now connected to the VPS, and in the Emby library all the music is visible under the path /media/music 🙂

Tested and working, mounting from the Synology NAS on the Raspberry Pi:
sudo mount -t cifs //192.168.178…/music /media/music -o username=…..,password=…..

Categories: Security, Synology NAS Tags:

Dark Web OSINT With Python and OnionScan

8 August 2016 No comments


July 28th, 2016

You may have heard of this awesome tool called OnionScan that is used to scan hidden services in the dark web looking for potential data leaks. Recently the project released some cool visualizations and a high level description of what their scanning results looked like. What they didn’t provide is how to actually go about scanning as much of the dark web as possible, and then how to produce those very cool visualizations that they show.

At a high level we need to do the following:

Setup a server somewhere to host our scanner 24/7 because it takes some time to do the scanning work.
Get TOR running on the server.
Get OnionScan setup.
Write some Python to handle the scanning and some of the other data management to deal with the scan results.
Write some more Python to make some cool graphs. (Part Two of the series)

Let’s get started!

Setting up a Digital Ocean Droplet

If you already use Amazon, or have your own Linux server somewhere you can skip this step. For the rest of you, you can use my referral link here to get a $10 credit with Digital Ocean that will get you a couple months free (full disclosure I make money in my Digital Ocean account if you start paying for your server, feel free to bypass that referral link and pay for your own server). I am assuming you are running Ubuntu 16.04 for the rest of the instructions:

The first thing you need to do is to create a new Droplet by clicking on the big Create Droplet button.
Next select a Ubuntu 16.04 configuration, and select the $5.00/month option (unless you want something more powerful).
You can pick a datacenter wherever you like, and then scroll to the bottom and click Create.

It will begin creating your droplet, and soon you should receive an email with how to access your new Linux server. If you are on Mac OSX or Linux get your terminal open. If you are on Windows then grab Putty from here.

On Mac OSX it is: Finder -> Applications -> Utilities -> Terminal
On Linux: Click your start menu and search for Terminal

Now you are going to SSH into your new server. Windows Putty users just punch the IP address in that you received in your email and hit Enter. You will be authenticating as the root user and then type in the password you were provided in your email.

For Mac OSX and Linux people you will type the following into your terminal:
ssh root@IPADDRESS
You will be forced to enter your password a second time, and then you have to change your password. Once that is done you should now be logged into your server.

Installing Prerequisites

Now we need to install the prerequisites for our upcoming code and for OnionScan. Follow each of these steps carefully and the instructions are the same for Mac OSX, Linux or Windows because the commands are all being run on the server.

Feel free to copy and paste each command instead of typing it out. Hit Enter on your keyboard after each step and watch for any problems or errors.
screen
apt-get update
apt-get install tor git bison libexif-dev
apt-get install python-pip
pip install stem

Now we need to install the Go requirements (OnionScan is written in Go). The following instructions are from Ryan Frankel’s post here.
bash < <(curl -s -S -L https://raw.githubusercontent.com/moovweb/gvm/master/binscripts/gvm-installer)
[[ -s "$HOME/.gvm/scripts/gvm" ]] && source "$HOME/.gvm/scripts/gvm"
source /root/.gvm/scripts/gvm
gvm install go1.4 --binary
gvm use go1.4

Ok beauty we have Go installed. Now let’s get OnionScan setup by entering the following:

go get github.com/s-rah/onionscan
go install github.com/s-rah/onionscan

Now if you just type:

onionscan
(eg onionscan 6pxmfodfdstgndoy.onion)

And hit Enter you should get the onionscan command line usage information. If this all worked then you have successfully installed OnionScan. If you for some reason close your terminal and you can’t run the onionscan binary anymore just simply do a:
gvm use go1.4
and it will fix it for you.

Now we need to make a small modification to the TOR configuration to allow our Python script to request a new identity (a new IP address) which we will use when we run into scanning trouble later on. We have to enable this by doing the following:
tor --hash-password PythonRocks
This will give you output that will include the bottom line that looks like this:
16:3E73307B3E434914604C25C498FBE5F9B3A3AE2FB97DAF70616591AAF8
Copy this line and then type:

nano -w /etc/tor/torrc

This will open a simple text editor. Now go to the bottom of the file by hitting the following keystrokes (or endlessly scrolling down):

CTRL+W CTRL+V

Paste in the following values at the bottom of the file:

ControlPort 9051
ControlListenAddress 127.0.0.1
HashedControlPassword 16:3E73307B3E434914604C25C498FBE5F9B3A3AE2FB97DAF70616591AAF8

Now hit CTRL+O to write the file and CTRL+X to exit the file editor. Now type:
service tor restart

This will restart TOR and it should have our new settings in place. Note that if you want to use a password other than PythonRocks you will have to follow the steps above substituting your own password in place, and you will also have to later change the associated Python code.
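
The control-port settings that this tutorial and the ZeroNet guide above both switch on can be audited with a short script; the one below is an added example, not code from either original post. The function name is an assumption of this example, it reads a torrc on standard input, and it handles only the TCP forms of ControlPort (a port or address:port).

```shell
#!/bin/sh
# Added example (not from the original posts): audit the control-port lines of a torrc.
# On a live system: torrc_control_audit < /etc/tor/torrc

# HashedControlPassword value printed in the OnionScan tutorial on this page. Its
# password (PythonRocks) is public, so a torrc that reuses the value is flagged.
PUBLISHED_HASH='16:3E73307B3E434914604C25C498FBE5F9B3A3AE2FB97DAF70616591AAF8'

# torrc_control_audit (hypothetical name): prints one finding per line.
# Returns 0 when the control port is disabled, or is bound to loopback and
# protected by an authentication method; returns 1 otherwise.
torrc_control_audit() {
    awk -v published="$PUBLISHED_HASH" '
        /^[ \t]*(#|$)/ { next }     # commented-out or empty lines are inactive
        {
            key = tolower($1)       # torrc option names are case-insensitive
            if (key == "controlport") port = $2
            else if (key == "controllistenaddress") addr = $2
            else if (key == "cookieauthentication") cookie = ($2 == "1")
            else if (key == "hashedcontrolpassword") {
                hashed = 1
                if (toupper($2) == published) reused = 1
            }
        }
        END {
            if (port == "" || port == "0") { print "OK: control port disabled"; exit 0 }
            # ControlPort can also carry the bind address, as address:port.
            if (port ~ /:/) { addr = port; sub(/:[^:]*$/, "", addr); sub(/^.*:/, "", port) }
            if (addr == "") addr = "127.0.0.1"   # a bare port number binds to localhost
            bad = 0
            if (addr !~ /^(127\.|localhost$|\[::1\]$)/) {
                print "WARN: control port " port " listens on " addr; bad = 1
            }
            if (!cookie && !hashed) {
                print "WARN: control port " port " accepts unauthenticated commands"; bad = 1
            }
            if (reused) {
                print "WARN: HashedControlPassword is the value published in the tutorial"; bad = 1
            }
            if (!bad) print "OK: control port " port " on " addr " requires authentication"
            exit bad
        }
    '
}

# Constructed samples: the ZeroNet guide with steps 5 and 6 applied, the same file
# with step 6 forgotten, and the OnionScan tutorial values pasted in verbatim.
printf 'ControlPort 9051\nCookieAuthentication 1\n' | torrc_control_audit || true
printf 'ControlPort 9051\n#CookieAuthentication 1\n' | torrc_control_audit || true
printf 'ControlPort 9051\nControlListenAddress 127.0.0.1\nHashedControlPassword %s\n' \
    "$PUBLISHED_HASH" | torrc_control_audit || true
```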

We are almost ready to start writing some code. The last step is to grab my list of .onion addresses (at last count around 7182 addresses) so that your script has a starting point to start scanning hidden services.

wget https://raw.githubusercontent.com/automatingosint/osint_public/master/onionrunner/onion_master_list.txt

Whew! We are all setup and ready to start punching out some code. At this point you can switch to your local machine or if you are comfortable writing code on a Linux server by all means go for it. I find it easier to use WingIDE on my local machine personally.

A Note About Screen

You will notice that in both sets of instructions I have you run the screen command. This is a handy way to keep your session alive even if you get disconnected from your server. When you want to jump back into that session, you simply SSH back into the server and execute:
screen -rx

This will be handy later on when you start doing your scanning work, as it can take days for it to complete fully.

Full article here: http://www.automatingosint.com/blog/2016/07/dark-web-osint-with-python-and-onionscan-part-one/

Example result:

onionscan 3g2upl4pq6kufc4m.onion
2016/08/08 04:00:55 Starting Scan of 3g2upl4pq6kufc4m.onion
2016/08/08 04:00:55 This might take a few minutes..

————— OnionScan Report —————
High Risk Issues: 0
Medium Risk Issues: 0
Low Risk Issues: 0
Informational Issues: 4

Info: Missing X-Frame-Options HTTP header discovered!
Why this is bad: Provides Clickjacking protection. Values: deny – no rendering within a frame, sameorigin
– no rendering if origin mismatch, allow-from: DOMAIN – allow rendering if framed by frame loaded from DOMAIN
To fix, use X-Frame-Options: deny
Info: Missing X-XSS-Protection HTTP header discovered!
Why this is bad: This header enables the Cross-site scripting (XSS) filter built
into most recent web browsers. It’s usually enabled by default anyway,
so the role of this header is to re-enable the filter for this particular website if it was disabled by the user.
To fix, use X-XSS-Protection: 1; mode=block
Info: Missing X-Content-Type-Options HTTP header discovered!
Why this is bad: The only defined value, “nosniff”, prevents browsers
from MIME-sniffing a response away from the declared content-type.
This reduces exposure to drive-by download attacks and sites serving user
uploaded content that, by clever naming, could be treated as executable or dynamic HTML files.
To fix, use X-Content-Type-Options: nosniff
Info: Missing X-Content-Type-Options HTTP header discovered!
Why this is bad: Content Security Policy requires careful tuning and precise definition of the policy.
If enabled, CSP has significant impact on the way browser renders pages (e.g., inline
JavaScript disabled by default and must be explicitly allowed in policy).
CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.
To fix, use Content-Security-Policy: default-src ‘self’

Categories: Security Tags:

Setup OpenVPN Client (Kodi on OSMC on Raspberry Pi 2)

8 November 2015 No comments

Working procedure for installing OpenVPN on a Raspberry Pi 2 with Kodi on OSMC (https://osmc.tv). By Brian Hornsby

The following guide originally appeared on the TV Addons forum. Many thanks to the original author “invisable” for letting me reproduce it here.

This is a guide on how to get your VPN working on your Raspberry Pi using Brian Hornsby’s OpenVPN for Kodi add-on. I have tested this and it works for both Raspbmc and OpenELEC (still to test on XBian). It also works on the OpenELEC versions of Kodi on the Hummingboard so it will probably work on the CuBox-I. This add-on does not work on Apple TV due to it not having an OpenVPN client installed; also, this only works on Gotham/Kodi and later builds of OpenELEC.

The add-on is a bit simpler than the previous method, which used advanced launcher, but still involves a little bit of work which includes modifying a few files. This guide assumes that you know the basics and you know how to move files and folders from your PC/Mac to your Raspberry Pi. I have tried to make this as simple as possible. Thanks to rayw1986, as he originally brought the method of editing the files to my attention; also thanks to Brian Hornsby, the developer, for writing the add-on.

I use Private Internet Access (PIA) as my VPN provider, so I am using them as an example for this guide. Please note: If you are also using PIA you may need to generate a password for socks, pptp to use on this guide; this can be done by logging into PIA and clicking generate password from the client control panel.

Full installation instructions here:
http://brianhornsby.com/blog/how-to-setup-your-vpn-client

PS. By trial and error I worked out the following points, which matter because OpenVPN will not work otherwise:
1. Install OpenVPN on the Raspberry Pi over SSH:
pi@raspbmc:~$ sudo bash
The prompt should change to indicate you are root. It’s a good idea to update the software repositories first so enter:
root@raspbmc:/home/pi# apt-get update
Depending on your connection it may take a few minutes to complete. To install OpenVPN enter:
root@raspbmc:/home/pi# apt-get install openvpn
2. In the OpenVPN add-on configuration, under OpenVPN Settings, change the path to OpenVPN from usr/bin/openvpn to /usr/sbin/openvpn. If this is not changed, the interface will not start.
3. On XBMC go into settings>appearance>file lists and make sure “show hidden files and directories” is checked.
Next open the file manager in XBMC and click on add source; a window will pop up.
Click “Root filesystem”. It will open up lots of folders; ignore this and just press the OK box.
It will now take you back. Click on the box at the bottom where it says “Enter a name for this media Source”, name it Root, then click OK at the bottom.
4. Use sudo when running OpenVPN
Set this option to true if you require OpenVPN to be run using sudo (so tick this box, otherwise it does not work).
Password is required (can stay unticked).
5. Install an IP-check add-on to verify that everything works and that the right IP address is used. Alternatively, log in over SSH and run the following command: wget http://ipinfo.io/ip -qO -

Categories: Kodi, Raspberry Pi, Security Tags:

Installing your own GoDaddy SSL certificate

2 November 2015 No comments

As described in the previous topic (How To Create a SSL Certificate on Apache for Ubuntu 14.04), the following explanation assumes that the Apache2 web server is installed and that a self-signed SSL certificate is installed.

To generate a certificate signing request (CSR file) for Apache 2.x:

1. Log in to the server's terminal (SSH).
2. At the prompt, type the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout mijndomein.key -out mijndomein.csr
Replace mijndomein with the domain name that is to be secured. If the domain name is goedvoorbeeld.com, type goedvoorbeeld.key and goedvoorbeeld.csr.
3. Copy and paste the contents of the generated CSR file into the following screen:

screenshot_389.png
4. A zip download is then generated which, once unpacked, contains 2 files:
6c1db12ra7849e56.crt (as an example)
gd_bundle-g2-g1.crt
5. Place these 2 files in the /etc/apache2/ssl directory. This directory also contains the following files:
goedvoorbeeld.csr
goedvoorbeeld.key
apache.crt (see previous topic)
apache.key (see previous topic)
In total there are 6 files.
6. Go to /etc/apache2/sites-enabled/ (cd) and edit (vim) the file default-ssl.conf so that it contains the following references to the certificates:
SSLCertificateFile /etc/apache2/ssl/6c1db12fa7839e46.crt
SSLCertificateKeyFile /etc/apache2/ssl/mijndomein.key
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle-g2-g1.crt

Run ‘sudo a2enmod ssl’ and restart Apache with ‘sudo service apache2 restart’.
If everything went well, a GoDaddy SSL certificate is now installed, and a browser visiting the website will no longer raise a certificate error but will show a normal (GoDaddy certified) padlock.

Categories: Security Tags:

How To Create a SSL Certificate on Apache for Ubuntu 14.04

29 October 2015 No comments

Good guide for creating a working SSL (https) certificate for a domain:

More info on the website of www.digitalocean.com

Apr 23, 2014 Apache, Security Ubuntu

Introduction

TLS, or transport layer security, and its predecessor SSL, secure sockets layer, are secure protocols created in order to place normal traffic in a protected, encrypted wrapper.
These protocols allow traffic to be sent safely between remote parties without the possibility of the traffic being intercepted and read by someone in the middle. They are also instrumental in validating the identity of domains and servers throughout the internet by establishing a server as trusted and genuine by a certificate authority.
In this guide, we’ll cover how to create a self-signed SSL certificate for Apache on an Ubuntu 14.04 server, which will allow you to encrypt traffic to your server. While this does not provide the benefit of third party validation of your server’s identity, it fulfills the requirements of those simply wanting to transfer information securely.

Prerequisites

Before you begin, you should have some configuration already taken care of.
We will be operating as a non-root user with sudo privileges in this guide. You can set one up by following steps 1-4 in our Ubuntu 14.04 initial server setup guide.
You are also going to need to have Apache installed. If you don’t already have that up and running, you can quickly fix that by typing:

sudo apt-get update
sudo apt-get install apache2

Step One — Activate the SSL Module

SSL support actually comes standard in the Ubuntu 14.04 Apache package. We simply need to enable it to take advantage of SSL on our system.

Enable the module by typing:

sudo a2enmod ssl

After you have enabled SSL, you’ll have to restart the web server for the change to be recognized:

sudo service apache2 restart

With that, our web server is now able to handle SSL if we configure it to do so.

Step Two — Create a Self-Signed SSL Certificate

Let’s start off by creating a subdirectory within Apache’s configuration hierarchy to place the certificate files that we will be making:

sudo mkdir /etc/apache2/ssl

Now that we have a location to place our key and certificate, we can create them both in one step by typing:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

When you hit “ENTER”, you will be asked a number of questions.
The most important item that is requested is the line that reads “Common Name (e.g. server FQDN or YOUR name)”. You should enter the domain name you want to associate with the certificate, or the server’s public IP address if you do not have a domain name.

The questions portion looks something like this:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:Department of Kittens
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:your_email@domain.com

The key and certificate will be created and placed in your /etc/apache2/ssl directory.

Step Three — Configure Apache to Use SSL

Now that we have our certificate and key available, we can configure Apache to use these files in a virtual host file. You can learn more about how to set up Apache virtual hosts here.
Instead of basing our configuration file off of the 000-default.conf file in the sites-available subdirectory, we’re going to base this configuration on the default-ssl.conf file that contains some default SSL configuration.
Open the file with root privileges now:

sudo nano /etc/apache2/sites-available/default-ssl.conf

With the comments removed, the file looks something like this:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

This may look a bit complicated, but luckily, we don’t need to worry about most of the options here.

We want to set the normal things we’d configure for a virtual host (ServerAdmin, ServerName, ServerAlias, DocumentRoot, etc.) as well as change the location where Apache looks for the SSL certificate and key.

In the end, it will look something like this. The entries in red were modified from the original file:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin admin@example.com
        ServerName your_domain.com
        ServerAlias www.your_domain.com
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

Save and exit the file when you are finished.

Step Four — Activate the SSL Virtual Host

Now that we have configured our SSL-enabled virtual host, we need to enable it.
We can do this by typing:

sudo a2ensite default-ssl.conf

We then need to restart Apache to load our new virtual host file:

sudo service apache2 restart

This should enable your new virtual host, which will serve encrypted content using the SSL certificate you created.

Step Five — Test your Setup

Now that you have everything prepared, you can test your configuration by visiting your server’s domain name or public IP address after specifying the https:// protocol, like this:

https://server_domain_name_or_IP
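
Before restarting Apache, the certificate and key that default-ssl.conf points at (in Step Three here, and in step 6 of the GoDaddy post above) can be checked to belong together; the script below is an added example, not part of the original guide. The function names are assumptions of this example, and the demo works on throwaway files in a temporary directory, with a certificate self-signed from the CSR standing in for the CA-issued one.

```shell
#!/bin/sh
# Added example (not from the original guide): check that the certificate and key
# named in an Apache SSL virtual host belong together before restarting Apache.

# pubkey_fingerprint KIND FILE   (KIND is key, csr or cert; hypothetical helper)
# Prints the SHA-256 of the public key inside FILE; fails if FILE does not parse.
pubkey_fingerprint() {
    case "$1" in
        key)  _pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  _pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        cert) _pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$_pub" ] || return 1
    printf '%s\n' "$_pub" | openssl dgst -sha256 | awk '{ print $NF }'
}

# directive_value CONF NAME: value of the last uncommented NAME directive in CONF.
directive_value() {
    awk -v name="$2" 'tolower($1) == tolower(name) { v = $2 } END { print v }' "$1"
}

# check_ssl_vhost CONF: returns 0 only if SSLCertificateFile and
# SSLCertificateKeyFile both exist and carry the same public key.
check_ssl_vhost() {
    _cert=$(directive_value "$1" SSLCertificateFile)
    _key=$(directive_value "$1" SSLCertificateKeyFile)
    for _f in "$_cert" "$_key"; do
        [ -n "$_f" ] && [ -r "$_f" ] || { echo "FAIL: missing or unreadable file '$_f'"; return 1; }
    done
    _cfp=$(pubkey_fingerprint cert "$_cert") || { echo "FAIL: $_cert is not a certificate"; return 1; }
    _kfp=$(pubkey_fingerprint key "$_key") || { echo "FAIL: $_key is not a private key"; return 1; }
    [ "$_cfp" = "$_kfp" ] || { echo "FAIL: $_key does not belong to $_cert"; return 1; }
    echo "OK: $_key matches $_cert"
}

# Demo on constructed throwaway files named after those in /etc/apache2/ssl above.
# issued.crt stands in for the CA-issued certificate (here self-signed from the CSR).
DEMO=$(mktemp -d) && trap 'rm -rf "$DEMO"' EXIT
SUBJ=/CN=goedvoorbeeld.com
openssl req -x509 -nodes -days 1 -newkey rsa:2048 -subj "$SUBJ" \
    -keyout "$DEMO/apache.key" -out "$DEMO/apache.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$DEMO/goedvoorbeeld.key" -out "$DEMO/goedvoorbeeld.csr" 2>/dev/null
openssl x509 -req -in "$DEMO/goedvoorbeeld.csr" -signkey "$DEMO/goedvoorbeeld.key" \
    -days 1 -out "$DEMO/issued.crt" 2>/dev/null
# New certificate swapped in, but the key line still points at the old self-signed key.
printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
    "$DEMO/issued.crt" "$DEMO/apache.key" > "$DEMO/stale.conf"
printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
    "$DEMO/issued.crt" "$DEMO/goedvoorbeeld.key" > "$DEMO/fixed.conf"
check_ssl_vhost "$DEMO/stale.conf" || true
check_ssl_vhost "$DEMO/fixed.conf" || true
```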

Categories: Security, Ubuntu Tags:

How To Set Up an OpenVPN Server on Ubuntu 14.04

24 February 2015 No comments

Introduction

Want to access the Internet safely and securely from your smartphone or laptop when connected to an untrusted network such as the WiFi of a hotel or coffee shop? A Virtual Private Network (VPN) allows you to traverse untrusted networks privately and securely to your DigitalOcean Droplet as if you were on a secure and private network. The traffic emerges from the Droplet and continues its journey to the destination.

When combined with HTTPS connections, this setup allows you to secure your wireless logins and transactions. You can circumvent geographical restrictions and censorship, and shield your location and unencrypted HTTP traffic from the untrusted network.

OpenVPN is a full-featured open source Secure Socket Layer (SSL) VPN solution that accommodates a wide range of configurations. In this tutorial, we’ll set up an OpenVPN server on a Droplet and then configure access to it from Windows, OS X, iOS and Android. This tutorial will keep the installation and configuration steps as simple as possible for these setups.

More info here

Categories: Security, Ubuntu Tags: