0x00sec IRC Channel

Apparently kiwiirc.com just blocks all SSL connections from Russia. It’s reachable from my VDS in Germany but it’s not from my laptop. Everything is OK with pings and port 80 in both cases.

Hmm, I think they’re scared about Russian Hackers . We could use another web chat if we could find one that would work well and have the same features. Looking at the analytics a tonne of people don’t really use the web chat, it’s mainly for new members.

Excuse my necromancy, but I think you have some misconseptions about IP addresses. While an IP address should not be handed out willy nilly, you shouldn’t worry about it being visible on IRC. This is because unless you have Internet facing services or some way for someone to enter the network, they can’t just enter your network. Most routers don’t allow external login from the WAN. I personally have a Cisco ASA (Adaptive Security Appliance, aka fancy firewall) that blocks all incoming communications except SSH and FTP, both of which are hosted on my server which is running fail2ban which blocks further login attempts after four failed attempts within a short time span. Case in point, don’t worry too much about your IP address being public on IRC. It’s not all that dangerous. However if you’re really worried about being secure, I wouldn’t trust a VPN either. Many VPNs can see the traffic you send to them, which would include sensitive personally identifying information.

If I’m not wrong, all VPN’s can see your traffic. It’s up to you if it is encrypted and up to the VPN if they log it

I think, for most people, it’s about using the IP for geolocation…

You are right about security. None of us have worries about the security. But you do open yourself up to several potential issues.

• Geolocation - opsec bro
• DDOS - You piss somebody off and they flood you silly
• Some sketchy 0day.
• Somebody running a scanner on your full time for the moment you open up a port they got you.

You also have potential security problems with NAT. But that would only be an issue if they managed to get you to view a web page.

I would also add that some time people use IRC for C&C servers, becouse of its a text base protocol, at those time it become important to hide your ip from feds who might have hanging there for you.

Like this one: https://0x00sec.org/t/aug-16-hacking-a-hacker-hacking-a-wordpress-botnet/966

Let me respond to both @oaktree and @pry0cc in this one response:

Geolocation is overrated. You can’t get a precise location with a simple IP address. You just can’t. Typically, the location consists of where your ISP is located. Even then, if I run a whois lookup on my IP address, it gives me my ISP in an entirely different location from myself. Yes, you can get a general location, such as a macro location (e.g. large picture. such as maybe a country or state or possibly location within a state). However, I don’t really think that geolocation is really that much of an issue. DDoS can be a problem, but only if you’re subject to it. As long as you have your WAN connected router/firewall drop all outside packets that aren’t explicitly destined for a port, or maybe have flood detection, DDoS (or more likely DoS without a botnet or control of multiple clients) won’t be an issue. I can’t even DoS my own internal network, just because of the fact that my firewall (which is the first hop on my network) drops all packets that attempt to pass too frequently.

My only point was as long as you are security conscious and make sure that you have defenses in place for such attacks, you need’nt worry too much about your IP being public, because it already is. However, as @pry0cc brought up, 0-day exploits are hard to defend against. So yes, in that case, mitigation is nigh on impossible, considering the speed at which even CentOS/RHEL release security patches. Unless you were to write the security patch yourself, of course.

@pry0cc I don’t see why someone would waste their time on anyone by running a scanner full time just to wait until a port opens. Also you would probably need a cron job for that to work… and keeping a server up that long running scans constantly would get expensive, and quite suspicious. It wouldn’t be hard to notice that many scans in your logs. But then even if you open a port, it doesn’t mean they will get in. A port doesn’t necessarily equal access. Now, if one were to say, run exploitable services on said port, well then that is bad OpSec. Then again… 0-days exist. Who knows?

This isn’t to say “give everyone your IP address!”. I have a cloak on freenode and any other servers I join as well, because I’m a private person. But it’s not a necessity. I really don’t think it fits anyone’s security model in 0x00sec to worry about VPN/proxy to IRC. That’s a bit overkill, considering no one is (hopefully) being targeted. VPN/proxy to IRC falls into the question of whether the extra time, hit on speed, etc are worth the security it (might) provide. Personally, it’s not worth my time, and I don’t see anyone involved in 0x00sec needing such a secure threat model. Maybe we should have a post about threat modelling? Hm…

I have done IP geolocation of IP’s i know the location of. And it was accurate to the town, 5 miles give or take. It really depends on the IP and the provider, either way its better not to take the chance.

Privacy should be a focus for everybody, regardless of whether they have nefarious intentions or not.

My example of the scans was a slight exaggeration, but it is completely possible, it wouldnt get expensive, especially with an affordable VPS, you wouldn’t need cronjobs either, you just do a while true loop.

The other issue would be if you do have interests in nefarious or grey things, it’s very common. Then you don’t want to be the low hanging fruit for feds or anybody that wants to explore your life.

My general rule of thumb is, don’t give them anything, regardless of what the nature of it is. Information that isn’t useful or relevant right now, may be the golden bullet in 12 months when some new technique appears.

In conclusion, I am not saying having your IP address public poses a security risk, I am saying, in a world where security is rapidly changing, and people who are motivated and funded exist, keeping every piece of personally identifiable information to a minimum is good practice, and should be adopted where reasonably possible.

- pry0cc

Is there a specific reason, why the webclient (http://irc.0x00sec.org/) is only accessible using plain http?

It’s for when we want to practice MITM

Yes. Because s-3.tech hasn’t made an SSL cert for it yet… On their behalf I apologise for this.

@Valkyr

Use a vpn and run your irc through a tor proxy on localhost. For example, apt-get install tor (or something like that), then set your irc to use the socks proxy on localhost:9050.

also there’s tormessenger

That is possibly one of the worst idea’s (if he connects to the unencrypted clearnet address). A tor exit node could snoop all the traffic.

If they use a client, there is a tor address, and https, they’ll be fine.

Not if the client connect to irc server ssl enabled.

Is the following fingerprint the valid fingerprint of the tls-certificate used by the IRCd?
SHA1 Fingerprint = FE:AF:D6:E2:AB:45:32:B3:16:16:A1:D2:63:3C:5A:D6:BF:7F:F3:EC

Main topic updated

The IRC Server uses LetsEncrypt which will expire every 3 months, so don’t expect that fingerprint to match.

Currently seems to be 7c:27:88:2a:6d:87:f5:0b:66:b4:24:9e:0b:a3:c1:94:ca:f3:3f:74:5f:f8:ad:54:cc:70:89:a1:fc:3a:51:a1

Anyway, should probably set up fingerprint page people can go to for the latest one… Or maybe something better? Ideas?

The “something better” is to update your CA trust chains to include LetsEncrypt.

is it possible that nobody is in there the whole last week ?