Security – Wapnet Blog

Install Pihole on Synology with docker

Unfortunately, there isn’t a pihole addon in the Synology package center. But you can build your pihole in a docker container instead 🙂

The reason you must use docker-compose instead of the Synology docker package itself is that you want to bridge net NIC of your Synology and place the pihole direct in your network. You cannot do this with the GUI.

The steps:

Install docker with the package center
Activate SSH
Download de image pihole/pihole:latest
Login with ssh
type vi docker-compose.yaml
Paste the content from the docker-compose.yaml example into the vi
Change the IP adressen to your own network
Type :wr to save the file
Type :q to quit vi
Type “sudo docker-compose up”
Have fun!

Docker-compose.yaml Example

# Note: 192.168.123.xxx is an example network, you must update all these to match your own.

version: '2'

services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    hostname: pihole
    domainname: localhost             # <-- Update
    mac_address: d0:ca:ab:cd:ef:01
    cap_add:
      - NET_ADMIN
    networks:
      pihole_network:
        ipv4_address: 192.168.123.199   # <-- Update
    dns:
      - 127.0.0.1
      - 1.1.1.1
    ports:
      - 443/tcp
      - 53/tcp
      - 53/udp
      - 67/udp
      - 80/tcp
    environment:
      ServerIP: 192.168.123.199                 # <-- Update (match ipv4_address)
      VIRTUAL_HOST: pihole.localhost            # <-- Update (match hostname + domainname)
      WEBPASSWORD: "justarondompassword"        # <-- Add password (if required)
    restart: unless-stopped

networks:
  pihole_network:
    driver: macvlan
    driver_opts:
      parent: ovs_eth0
    ipam:
      config:
        - subnet: 192.168.123.0/24            # <-- Update
          gateway: 192.168.123.1              # <-- Update
          ip_range: 192.168.123.192/28        # <-- Update

When you want to update the docker container, all you have to do is:

sudo docker-compose down

and

sudo docker-compose up

A good article I used to figure everything out is: http://tonylawrence.com/posts/unix/synology/free-your-synology-ports/

Create a strong self-signed certificate for multiple years

If you follow these steps you can create a self signed certificate with the following specifications:

Wildcard certificate
SHA256 hash
10 years
2048 bits public key
Client and server verification
Sha1 fingerprint

Be aware that self-signed certificates can manipulate by a man-in-the-middle. You should not use this in critical production environments.

Please use windows 10 powershell in admin mode. Otherwise you will get errors

New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname *.domain.local -NotBefore $([datetime]::now.AddDays(-15)) -NotAfter $([datetime]::now.AddDays(3560))

Now export the certificates. Before you copy/paste change the thumbprint with the thumbprint you get from the above command.

$CertPassword = ConvertTo-SecureString -String "YourPassword" -Force –AsPlainText
Export-PfxCertificate -Cert cert:\LocalMachine\My\C6B46CEB7D3A40DB08E78B19FEDD3A24EA7A7919  -FilePath C:\test.pfx -Password $CertPassword
Export-Certificate -Cert Cert:\LocalMachine\My\C6B46CEB7D3A40DB08E78B19FEDD3A24EA7A7919 -FilePath C:\tstcert.cer

Now you can import the PFX with IIS and bind the certificate in IIS.
And import the *.CER in your MMC > Certificates > Computer account > trusted root Certification authority > Certificates

Have fun with your certificate the next 10 years 😀

Inspiration

Convert PFX to PEM and upload the certificate to Plesk

Export the Private Key:
# openssl pkcs12 -in filename.pfx -nocerts -out key.pem
Remove the password from the SSL certificate (unencrypted is needed for plesk):
# openssl rsa -in key.pem -out server.key
Export the certificate:
# openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Now upload the certificate:

And bind the certificate in your hosting settings:

Brute force example MD5 password using hashcat

hashcat -n 2 -m 0 -a 3 --pw-min 9 hashfile.txt ?l?l?l?l?l?l?l?l?l?l

-n = 2 threads
-m 0 = md5
–pw-min 9 = minimal 9 characters
hashfile.txt = is txt file where the hash is located
?l?l?l?l?l?l?l?l?l?l = lowercase password

Have fun!

Social hacking with FOCA

Social hacking starts with: FOCA (Fingerprinting Organizations with Collected Archives)

Happy hacking 🙂

URL: https://www.elevenpaths.com/labstools/foca/index.html

Zenoss reverse proxy with Pound (CentOS)

Zenoss don’t support SSL certificates out-of-the-box. If you want to use an SSL connection to your zenoss monitor server the only thing you can do is use an reverse proxy. You can use this howto to install and configure a pound reverse proxy.

Install pound with the EPEL

Install the EPEL (more info about EPEL) repository with these commands:

su -c 'rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm'

yum update

Install pound

yum install pound

Install pound without the EPEL

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/Pound-2.6-2.el6.x86_64.rpm
rpm -ivh Pound-2.6-2.el6.x86_64.rpm

Configure Pound

I had a lot of trouble because I used a real SSL certificate immediately. The cause was I dropped the SSL cert in the wrong linux folder. Best practice is first create a selfsigned SSL, test pound and then replace the selfsigned with a real SSL certificate.

cd /etc/ssl && openssl req -x509 -newkey rsa:1024 -keyout local.server.pem -out local.server.pem -days 365 -nodes

Configure Pound

nano /etc/pound.cfg

Config file:

User "pound"
Group "pound"
Control "/var/lib/pound/pound.cfg"

ListenHTTPS
Address 192.168.0.x
Port    443
Cert    "/etc/ssl/local.server.pem"
End

Service
BackEnd
Address 127.0.0.1
Port    8080
End
End

Now start the pound service

service pound start

Change the Zenoss config the handle the HTTPS traffic

nano /opt/zenoss/etc/zope.conf

Ad these 3 lines:

<cgi-environment>
HTTPS ON
</cgi-environment>

Restart zope

su - zenoss
restart zopectl

Replace the selfsigned SSL with a wildcard SSL (optional)

Create a PFX in windows. Tranfer the PFX to the Zenoss server and tranform the PFX to PEM (Linux certificate format). The command:

openssl pkcs12 -in validcertificate.pfx -out wilcard.domain.nl.pem -nodes

Now change the pound cert:

nano /etc/pound.cfg

ListenHTTPS
Address 192.168.0.x
Port    443
Cert    "/etc/ssl/wilcard.domain.nl.pem"
End

Restart the service

service pound restart

Source: Enabling SSL in Zenoss 4.2 – Open Source Network Monitoring and Systems Management