Thursday, December 29, 2016

HOWTO : Configure OpenVPN on Ubuntu 16.04

There is a very good article by Digital Ocean on setting up OpenVPN on Ubuntu 16.04. After that setup, you need some further configuration to make it work properly.

The following additional settings allow all VPN clients to use the same certificate to log in to the VPN server. They also set the maximum number of concurrent users to 100.

sudo nano /etc/openvpn/server.conf

Uncomment (remove ";") the following :


max-clients 100

That's all! See you.

Wednesday, December 28, 2016

HOWTO : Build An Affordable Intrusion Detection And Prevention System For Home Users

What is an Intrusion Detection and Prevention System?

An intrusion detection and prevention system (IDPS) monitors incoming and outgoing traffic on your network and blocks malicious traffic (packets) based on rules (blacklists).

Why do home users need an IDPS?

Not only big companies need an IDPS; home users need one too, as long as they are connected to the internet. Almost all home users have installed anti-virus software, but it is not enough. They need more protection against cyber criminals.

However, most IDPS appliances are very expensive for home users. Most open source solutions are also demanding for them, as they are not familiar with networking and technology.

What is Almond Croissants and Why?

Almond Croissants is an open source intrusion detection and prevention system based on the Suricata engine. Suricata is a next-generation IDPS engine with a lot of outstanding features.

Users of Almond Croissants are not required to be familiar with networking and technology. It is designed with them in mind. It is also designed for low-end hardware. It is really "Plug, Play and Forget!".

What are the key features of Almond Croissants?

- Block port and vulnerability scanning
- Block known exploitation of vulnerable systems
- Block known malicious IP addresses from accessing your systems
- Block known sources of Secure Shell (SSH) brute forcing
- Block The Onion Router (TOR) from accessing your systems
- Prevent access to known malicious sites with Secure Sockets Layer (SSL) certificates
- Prevent infection by known viruses and malware
- Block known annoying advertising servers
- Easy and straightforward analysis with charts on web interfaces
- Compatible with Bittorrent and 4K video streaming
- Ultra-low latency for online gaming
- Compatible with Windows, Linux, macOS, Apple iOS and Android
- Ultra-low latency throughput that drives your network to a limit
- No subscription fee
- More protection for web servers
- More protection from known malware
- Block known phishing sites
- Automatically update and upgrade
- Plug, Play and Forget!

What hardware is required?

If you have a small family of 4 members and about 200-250Mbps of bandwidth, the Zotac Mini PC CI323 (Intel Celeron N3150 with 16GB RAM) is recommended. You may also need a USB 3.0 Gigabit Ethernet dongle. Yes, 16GB RAM. The vendor states that it supports up to 8GB RAM; however, you can install a total of 16GB RAM in it. A 320GB hard drive is also required. The system requires a total of 3 network interface cards. The price of the system is below $400 USD. Its low power consumption suits long-running operation.

A more powerful CPU and more memory are recommended for demanding situations. Almond Croissants runs on dedicated hardware. The minimum requirements for Almond Croissants are 2-4 CPU threads and 16GB RAM.

How to install?

Because of the ultra-low latency of Almond Croissants, it is recommended to put it between the modem and the router. You can also install it between the router and the switch. However, if you have a wireless router, it is recommended to put Almond Croissants in front of the wireless router.

First of all, install Ubuntu Server (LTS edition) on the box. Installing an SSH server is recommended for remote management from inside your network. Installing Almond Croissants on the Zotac Mini PC CI323 may take 8 or more hours. Make sure the box is connected to the internet, as it fetches packages and data from various servers on the internet.

The installation procedure is well documented on the Almond Croissants official site. It is easy but it kills time.

After the installation, plug the Zotac Mini PC CI323 in between the modem and the router. The USB Ethernet card connects to the switch. A reboot is required. After boot-up, it needs about 10 minutes to load all the rules and data into memory.

What's next?

Make sure the firewall on your router is enabled, and do not allow the SSH port to be accessed from outside your network unless it is well protected. Installing an anti-virus program on every computer is optional but recommended.

For further protection of your laptop and smartphone outside your home, you need to set up a VPN inside your network. When you are using a laptop at a coffee shop or a smartphone on the road, you can connect to your VPN and your connection will be protected by Almond Croissants.

All rule updates and upgrades are conducted overnight between 0100 and 0800 hours. Therefore, the box needs to run 24/7/365, and server-grade hardware is recommended.

See also

Almond Croissants - Intrusion Detection And Prevention System
Zotac Mini PC C Series
Suricata IDPS Engine
Hardening Mobile Devices with Intrusion Prevention System
Know Your Enemies and Know Yourself
OpenVPN official site
How To Set Up an OpenVPN Server on Ubuntu 16.04
Configure OpenVPN on Ubuntu 16.04
Intel Celeron N3150 Specifications

That's all! See you.

Tuesday, December 13, 2016

Know Your Enemies and Know Yourself


Sun Tzu's The Art of War (孙子兵法) says "If you know your enemies and know yourself, you will not be put at risk even in a hundred battles. If you only know yourself, but not your opponent, you may win or may lose. If you know neither yourself nor your enemy, you will always endanger yourself." (知彼知己,百战不殆;不知彼而知己,一胜一负;不知彼,不知己,每战必殆。) [source : Wikipedia]

Sun Tzu's The Art of War also says "All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near." (兵者,诡道也。故能而示之不能,用而示之不用,近而示之远,远而示之近。) [source : Wikipedia]


Most internet attacks are based on recon of the target. Recon can be conducted by active or passive methods. Active recon causes a lot of noise at the target because it collects information from the target directly, while passive recon does not.

Once attackers have gathered valuable information about the target, such as its running services and their versions, they will launch exploits if vulnerable services are running on the target. If an exploit succeeds, the target is compromised and under the control of the attackers.

On the other hand, if no vulnerable services are running on the target, attackers may launch social engineering attacks against it, such as phishing mails, phishing sites, phishing phone calls, phishing downloads, etc. Social engineering may lead to compromise of the target as a result.

The attacks mentioned above can be aimed at a randomly selected target or at a targeted victim. Furthermore, some attacks are launched directly by botnets, which select targets randomly and aim at vulnerable running services. Botnet attacks also have an active recon stage, as mentioned before.

Possible Defense

Apart from some social engineering attacks, we all know that almost all attacks follow recon. If attackers cannot get any valuable information from us, we can delay or even prevent the attack.

We all know that nmap can obtain information about the services running on open ports. If we can block nmap scanning from the beginning, attackers have to guess which ports are open and which services and versions are running on those ports. They cannot go further when they have no valuable information about us, so we can delay or even prevent the attacks. However, the attackers may soon launch social engineering attacks.

Commercial Solution

Some anti-virus products for Windows, some Unified Threat Management (UTM) systems and some Intrusion Prevention Systems (IPS) can block port scanning. However, some of them fail to detect and block an nmap scan when it is run with special command flags. Meanwhile, anti-virus software, UTM and IPS may require an annual signature subscription. In addition, commercial UTM and IPS products are very expensive. They may cost a lot in the long run.

Open Source Solution

Suricata and Snort are very famous Intrusion Detection and Prevention System (IDPS) engines. They work by blacklisting. The blacklists are rules that alert on or block traffic when it meets the criteria. There are open rules and paid rules available in the market. Users of some IDPS engines can write their own rules to meet their requirements. However, some rules are written wrongly, which causes false positive alerts or even failure to detect the activities.

Not everyone is an IDPS expert. Setting up a working Suricata or Snort appliance is painful. Users have to troubleshoot all the problems that they encounter. Sometimes these are hardware limitations, sometimes false positive alerts or drops, and sometimes limitations of the IDPS engine.

Plug, Play and Forget!

Almond Croissants is an open source IDPS based on the Suricata engine. It has been released under GPLv3 by Samiux since 2012. It is well tested on Windows, macOS, Linux, Apple iOS and Android. The engine and rules are updated automatically when updates are available. Users are not required to be very familiar with IDPS. It not only can detect and block nmap scanning without pain but also has many outstanding features that most IDPS omit. It is tasty and really "Plug, Play and Forget!"

That's all! See you.

Monday, December 12, 2016

HOWTO : Traffic and Attack Map for Suricata

"Traffic & Attack Map for Suricata" is forked from Matthew May's Attack Map at GitHub.

"Traffic & Attack Map for Suricata" is modified to work with Suricata's eve.json file. It shows inbound traffic only, which includes both normal and attack traffic. It is designed for Python 3 and Ubuntu Server 16.04 LTS. It is also designed to be installed on the Suricata box itself.

The map shows "DROP" or "ALERT" when the traffic is dropped or alerted on by Suricata. Other traffic is shown by its nature (Event Type), such as DNS, TLS, FILEINFO, etc.
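The labelling described above can be reproduced offline with a few lines of Python. This is an added example, not code from the Attack Map project: the `home_net` parameter, the function names and the sample records are assumptions made for illustration, and the mapping relies on Suricata's standard eve.json fields (`event_type`, `dest_ip`, `alert.action`).

```python
import ipaddress
import json
from collections import Counter

# Constructed sample eve.json lines (one JSON object per line); all values are made up.
SAMPLE_EVE = """\
{"timestamp":"2016-12-12T01:00:00+0800","event_type":"dns","src_ip":"198.51.100.7","dest_ip":"203.0.113.10","proto":"UDP"}
{"timestamp":"2016-12-12T01:00:01+0800","event_type":"alert","src_ip":"198.51.100.8","dest_ip":"203.0.113.10","alert":{"action":"allowed","signature":"sample rule A"}}
{"timestamp":"2016-12-12T01:00:02+0800","event_type":"alert","src_ip":"198.51.100.9","dest_ip":"203.0.113.10","alert":{"action":"blocked","signature":"sample rule B"}}
{"timestamp":"2016-12-12T01:00:03+0800","event_type":"drop","src_ip":"198.51.100.9","dest_ip":"203.0.113.10","proto":"TCP"}
{"timestamp":"2016-12-12T01:00:04+0800","event_type":"tls","src_ip":"203.0.113.10","dest_ip":"198.51.100.20","proto":"TCP"}
{"timestamp":"2016-12-12T01:00:05+0800","event_type":"stats","stats":{"uptime":60}}
{"timestamp":"2016-12-12T01:00:06+0800","event_type":"fileinfo","src_ip":"198.51.100.7","dest_ip":"203.0.113.10"}
{"timestamp":"2016-12-12T01:00:07+0800","event_ty
"""

def label_for(event):
    """Map one eve.json record to a map label: DROP, ALERT or the event type."""
    etype = event.get("event_type", "unknown")
    if etype == "drop":
        return "DROP"
    if etype == "alert":
        blocked = event.get("alert", {}).get("action") == "blocked"
        return "DROP" if blocked else "ALERT"
    return etype.upper()

def inbound_events(lines, home_net):
    """Yield (label, src_ip) for records whose destination lies inside home_net."""
    net = ipaddress.ip_network(home_net)
    for line in lines:
        try:
            event = json.loads(line)
            dest = ipaddress.ip_address(event["dest_ip"])
            src = event["src_ip"]
        except (ValueError, KeyError, TypeError):
            continue  # blank or truncated line, or a record without addresses (stats)
        if dest in net:
            yield label_for(event), src

def summarize(text, home_net="203.0.113.10/32"):
    """Count inbound records per label; home_net is an assumed stand-in for your own address."""
    return Counter(label for label, _ in inbound_events(text.splitlines(), home_net))

if __name__ == "__main__":
    print(summarize(SAMPLE_EVE))
```

Running the same functions over a copy of a real eve.json is a quick way to see which labels the map should be drawing before troubleshooting the web side.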


"Traffic & Attack Map for Suricata" is released under GPLv3 by Samiux.


(1) A working dedicated Suricata server as IDPS on Ubuntu Server
(2) Python 3.x
(3) Web server with websocket function
(4) Redis server


sha256sum fda369bd246048ce883fabb16e085caa022a492a7e188b4f0c99f37ea4bc8bdb attack-map-0.0.1.tar.gz


Step 1 :

sudo apt-get install python3-pip redis-server
sudo pip3 install tornado tornado-redis redis maxminddb

sudo nano /etc/redis/redis.conf

Change from :

To :

Step 2 :

tar -xvzf attack-map-0.0.1.tar.gz
cd attack-map/geoip-attack-map

cd ..
sudo cp -R geoip-attack-map /var/www

Step 3 :

cd ..
sudo cp attackmap.service /lib/systemd/system/
sudo cp dataserver.service /lib/systemd/system/

sudo systemctl enable attackmap.service
sudo systemctl enable dataserver.service

Step 4 :

cd /var/www/geoip-attack-map/DataServer
sudo nano

Go to :
hq_ip = '' replace "hq_ip" with your external IP address.

cd /var/www/geoip-attack-map/AttackMap
sudo nano trafficline.js

Go to :
var webSock = new WebSocket("ws://");

replace the "" with your Suricata IP.

Go to :
var hqLatLng = new L.LatLng(33.936051, -81.048565);

replace the value of L.LatLng with your location. You can go to to find your Latitude and Longitude values.

Then configure your web server to point the root directory to "/var/www/geoip-attack-map/AttackMap". Make sure you have enabled "websocket" module or function on your web server. Meanwhile, the port for the websocket is 8888 by default.

*** Setting up web server to work with this project is out of scope of this guide.

Step 5 :

Redis server requires this setting to avoid performance issues, so you need to edit the boot parameter in GRUB.

sudo nano /etc/default/grub

sudo update-grub

sudo reboot

Step 6 :

Once the box has booted, point your browser to the IP address that you entered in the above steps.


If there is no traffic on the map, the data server is probably not working and needs to be restarted.

sudo systemctl restart dataserver

*** Please note that on every restart it needs time to read the eve.json file from the beginning of the file.

Please also do not refresh or reload the page, as that will corrupt the map. You need to restart the browser instead.


Traffic and Attack Map for Suricata

That's all! See you!