VIDEO – Z Ransomware – SHARE 2017-San Jose

For anyone who missed my talk at SHARE 2017 – Ransomware on Z – Checkmate!

Here it is in its entirety. Enjoy! Ransomware on Z – Checkmate!

Please note that these videos and all videos released by SHARE are copyrighted by SHARE and are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license. http://creativecommons.org/licenses/by-nc-nd/3.0/ This means that you can use but not edit or create derivative works of/from this video. All credit for video and its distribution are from SHARE.

New job – Doing what I love

Well – the time has come to start doing what I love to do full time. I couldn’t be happier to announce that I’m working with RSM Partners, Ltd to help bring their amazing mainframe services, security & software business to North America. This is going to be a great challenge and a great opportunity. Super excited to work with all the amazingly talented people at RSM.

RSM Appoints North America Director

Enterprise Systems Media – RSM Partners announces new N. America Director

Iptables brute force protection w/ nat

Setting up a vm on top of linux which communicates via a TAP adapter (on the 10.1.1.x network), I wanted iptables to prevent brute forcing to both the host ports (here 22 for ssh) and ports forwarded to the vm (here 443) as they are exposed to the internet. This little snippet does both by using iptables’ conntrack – simply more than 3 connections to either of those ports mentioned inside 60 seconds will lock that source IP out for 60 seconds.

The offending connections are marked in the nat table – prerouting chain, and checked (depending on whether forwarded or direct to host) in the filter table forward / input chains respectively. Logging is optional, you may choose to just DROP them once you’re confident on your ruleset.

Here’s a sample of the final ruleset I made:

For debugging, I cannot recommend highly enough using the TRACE target on the raw table (PREROUTING chain).

Something like:

Will show in your log, every stop along the iptables chains for every packet, including which rule or policy was acted upon it to get it to it’s final destination and shape. Don’t forget to remove it when you’re done!

Also, install the actual conntrack utility to see the connection tracking tables.