When adding a new VM (in this example the nextcloud appliance VM from https://www.hanssonit.se/nextcloud-vm/) to an old version of proxmox like version 6 (debian 10), the VM might not boot and stay stuck showing Booting from Hard Disk ...
Updating a proxmox system from version 6.4.x to 7.x using https://pve.proxmox.com/wiki/Upgrade_from_6.x_to_7.0
Proxmox VE 6.x is based on Debian 10.x which is called “buster”.
Proxmox VE 7.x is based on Debian 11.x which is called “bullseye”.
sources.list file, should look like this:cat /etc/apt/sources.list
deb http://deb.debian.org/debian bullseye main contrib
deb http://deb.debian.org/debian bullseye-updates main contrib
# security updates
deb http://security.debian.org bullseye/updates main contribsed -i 's/buster\/updates/bullseye-security/g;s/buster/bullseye/g' /etc/apt/sources.list to update "buster" to "bullseye".
cat /etc/apt/sources.list.d/pve-enterprise.listWhen running Proxmox VE 7.x with No-Subscription use:
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription
deb https://enterprise.proxmox.com/debian/pve bullseye pve-enterprise
pveversion -vpve6to7 scriptroot@prxmx024a:~# pve6to7
= CHECKING VERSION INFORMATION FOR PVE PACKAGES =
Checking for package updates..
PASS: all packages uptodate
Checking proxmox-ve package version..
PASS: proxmox-ve package has version >= 6.4-1
Checking running kernel version..
PASS: expected running kernel '5.4.203-1-pve'.
= CHECKING CLUSTER HEALTH/SETTINGS =
SKIP: standalone node.
= CHECKING HYPER-CONVERGED CEPH STATUS =
SKIP: no hyper-converged ceph setup detected!
= CHECKING CONFIGURED STORAGES =
PASS: storage 'local' enabled and active.
PASS: storage 'local-lvm' enabled and active.
PASS: storage 'storageusbhdd01' enabled and active.
= MISCELLANEOUS CHECKS =
INFO: Checking common daemon services..
PASS: systemd unit 'pveproxy.service' is in state 'active'
PASS: systemd unit 'pvedaemon.service' is in state 'active'
PASS: systemd unit 'pvestatd.service' is in state 'active'
INFO: Checking for running guests..
PASS: no running guest detected.
INFO: Checking if the local node's hostname 'proxmox1' is resolvable..
INFO: Checking if resolved IP is configured on local node..
PASS: Resolved node IP '192.168.2.106' configured and active on single interface.
INFO: Checking backup retention settings..
INFO: storage 'local' - no backup retention settings defined - by default, PVE 7.x will no longer keep only the last backup, but all backups
PASS: no problems found.
INFO: checking CIFS credential location..
PASS: no CIFS credentials at outdated location found.
INFO: Checking custom roles for pool permissions..
INFO: Checking node and guest description/note legnth..
PASS: All node config descriptions fit in the new limit of 64 KiB
PASS: All guest config descriptions fit in the new limit of 8 KiB
INFO: Checking container configs for deprecated lxc.cgroup entries
PASS: No legacy 'lxc.cgroup' keys found.
INFO: Checking storage content type configuration..
PASS: no problems found
INFO: Checking if the suite for the Debian security repository is correct..
INFO: Make sure to change the suite of the Debian security repository from 'buster/updates' to 'bullseye-security' - in /etc/apt/sources.list:6
SKIP: NOTE: Expensive checks, like CT cgroupv2 compat, not performed without '--full' parameter
= SUMMARY =
TOTAL: 20
PASSED: 17
SKIPPED: 3
WARNINGS: 0
FAILURES: 0
root@prxmx024a:~#
root@prxmx024a:~#
pve6to7 script with the parameter -full root@prxmx024a:~#
root@prxmx024a:~# pve6to7 --full
= CHECKING VERSION INFORMATION FOR PVE PACKAGES =
Checking for package updates..
PASS: all packages uptodate
Checking proxmox-ve package version..
PASS: proxmox-ve package has version >= 6.4-1
Checking running kernel version..
PASS: expected running kernel '5.4.203-1-pve'.
= CHECKING CLUSTER HEALTH/SETTINGS =
SKIP: standalone node.
= CHECKING HYPER-CONVERGED CEPH STATUS =
SKIP: no hyper-converged ceph setup detected!
= CHECKING CONFIGURED STORAGES =
PASS: storage 'local' enabled and active.
PASS: storage 'local-lvm' enabled and active.
PASS: storage 'storageusbhdd01' enabled and active.
= MISCELLANEOUS CHECKS =
INFO: Checking common daemon services..
PASS: systemd unit 'pveproxy.service' is in state 'active'
PASS: systemd unit 'pvedaemon.service' is in state 'active'
PASS: systemd unit 'pvestatd.service' is in state 'active'
INFO: Checking for running guests..
PASS: no running guest detected.
INFO: Checking if the local node's hostname 'proxmox1' is resolvable..
INFO: Checking if resolved IP is configured on local node..
PASS: Resolved node IP '192.168.2.106' configured and active on single interface.
INFO: Checking backup retention settings..
INFO: storage 'local' - no backup retention settings defined - by default, PVE 7.x will no longer keep only the last backup, but all backups
PASS: no problems found.
INFO: checking CIFS credential location..
PASS: no CIFS credentials at outdated location found.
INFO: Checking custom roles for pool permissions..
INFO: Checking node and guest description/note legnth..
PASS: All node config descriptions fit in the new limit of 64 KiB
PASS: All guest config descriptions fit in the new limit of 8 KiB
INFO: Checking container configs for deprecated lxc.cgroup entries
PASS: No legacy 'lxc.cgroup' keys found.
INFO: Checking storage content type configuration..
PASS: no problems found
INFO: Checking if the suite for the Debian security repository is correct..
INFO: Make sure to change the suite of the Debian security repository from 'buster/updates' to 'bullseye-security' - in /etc/apt/sources.list:6
SKIP: No containers on node detected.
= SUMMARY =
TOTAL: 20
PASSED: 17
SKIPPED: 3
WARNINGS: 0
FAILURES: 0
root@prxmx024a:~#
apt updateapt dist-upgrade pveversion -v' and compare your output (all packages should have equal or higher version numbers): pveversion -v
root@prxmx024a:~#
root@prxmx024a:~# pve6to7
= CHECKING VERSION INFORMATION FOR PVE PACKAGES =
Checking for package updates..
PASS: all packages uptodate
Checking proxmox-ve package version..
PASS: proxmox-ve package has version >= 6.4-1
Checking running kernel version..
PASS: expected running kernel '5.4.203-1-pve'.
= CHECKING CLUSTER HEALTH/SETTINGS =
SKIP: standalone node.
= CHECKING HYPER-CONVERGED CEPH STATUS =
SKIP: no hyper-converged ceph setup detected!
= CHECKING CONFIGURED STORAGES =
PASS: storage 'local' enabled and active.
PASS: storage 'local-lvm' enabled and active.
PASS: storage 'storageusbhdd01' enabled and active.
= MISCELLANEOUS CHECKS =
INFO: Checking common daemon services..
PASS: systemd unit 'pveproxy.service' is in state 'active'
PASS: systemd unit 'pvedaemon.service' is in state 'active'
PASS: systemd unit 'pvestatd.service' is in state 'active'
INFO: Checking for running guests..
PASS: no running guest detected.
INFO: Checking if the local node's hostname 'proxmox1' is resolvable..
INFO: Checking if resolved IP is configured on local node..
PASS: Resolved node IP '192.168.2.106' configured and active on single interface.
INFO: Checking backup retention settings..
INFO: storage 'local' - no backup retention settings defined - by default, PVE 7.x will no longer keep only the last backup, but all backups
PASS: no problems found.
INFO: checking CIFS credential location..
PASS: no CIFS credentials at outdated location found.
INFO: Checking custom roles for pool permissions..
INFO: Checking node and guest description/note legnth..
PASS: All node config descriptions fit in the new limit of 64 KiB
PASS: All guest config descriptions fit in the new limit of 8 KiB
INFO: Checking container configs for deprecated lxc.cgroup entries
PASS: No legacy 'lxc.cgroup' keys found.
INFO: Checking storage content type configuration..
PASS: no problems found
INFO: Checking if the suite for the Debian security repository is correct..
INFO: Make sure to change the suite of the Debian security repository from 'buster/updates' to 'bullseye-security' - in /etc/apt/sources.list:6
SKIP: NOTE: Expensive checks, like CT cgroupv2 compat, not performed without '--full' parameter
= SUMMARY =
TOTAL: 20
PASSED: 17
SKIPPED: 3
WARNINGS: 0
FAILURES: 0
root@prxmx024a:~#
root@prxmx024a:~#
root@prxmx024a:~#
root@prxmx024a:~# pve6to7 --full
= CHECKING VERSION INFORMATION FOR PVE PACKAGES =
Checking for package updates..
PASS: all packages uptodate
Checking proxmox-ve package version..
PASS: proxmox-ve package has version >= 6.4-1
Checking running kernel version..
PASS: expected running kernel '5.4.203-1-pve'.
= CHECKING CLUSTER HEALTH/SETTINGS =
SKIP: standalone node.
= CHECKING HYPER-CONVERGED CEPH STATUS =
SKIP: no hyper-converged ceph setup detected!
= CHECKING CONFIGURED STORAGES =
PASS: storage 'local' enabled and active.
PASS: storage 'local-lvm' enabled and active.
PASS: storage 'storageusbhdd01' enabled and active.
= MISCELLANEOUS CHECKS =
INFO: Checking common daemon services..
PASS: systemd unit 'pveproxy.service' is in state 'active'
PASS: systemd unit 'pvedaemon.service' is in state 'active'
PASS: systemd unit 'pvestatd.service' is in state 'active'
INFO: Checking for running guests..
PASS: no running guest detected.
INFO: Checking if the local node's hostname 'proxmox1' is resolvable..
INFO: Checking if resolved IP is configured on local node..
PASS: Resolved node IP '192.168.2.106' configured and active on single interface.
INFO: Checking backup retention settings..
INFO: storage 'local' - no backup retention settings defined - by default, PVE 7.x will no longer keep only the last backup, but all backups
PASS: no problems found.
INFO: checking CIFS credential location..
PASS: no CIFS credentials at outdated location found.
INFO: Checking custom roles for pool permissions..
INFO: Checking node and guest description/note legnth..
PASS: All node config descriptions fit in the new limit of 64 KiB
PASS: All guest config descriptions fit in the new limit of 8 KiB
INFO: Checking container configs for deprecated lxc.cgroup entries
PASS: No legacy 'lxc.cgroup' keys found.
INFO: Checking storage content type configuration..
PASS: no problems found
INFO: Checking if the suite for the Debian security repository is correct..
INFO: Make sure to change the suite of the Debian security repository from 'buster/updates' to 'bullseye-security' - in /etc/apt/sources.list:6
SKIP: No containers on node detected.
= SUMMARY =
TOTAL: 20
PASSED: 17
SKIPPED: 3
WARNINGS: 0
FAILURES: 0
root@prxmx024a:~#
root@prxmx024a:~# cat /etc/apt/sources.list
deb http://deb.debian.org/debian buster main contrib
deb http://deb.debian.org/debian buster-updates main contrib
# security updates
deb http://security.debian.org buster/updates main contrib
root@prxmx024a:~#
root@prxmx024a:~#
root@prxmx024a:~# sed -i 's/buster\/updates/bullseye-security/g;s/buster/bullseye/g' /etc/apt/sources.list
root@prxmx024a:~#
root@prxmx024a:~# cat /etc/apt/sources.list
deb http://deb.debian.org/debian bullseye main contrib
deb http://deb.debian.org/debian bullseye-updates main contrib
# security updates
deb http://security.debian.org bullseye-security main contrib
root@prxmx024a:~#
root@prxmx024a:~# cat /etc/apt/sources.list.d/pve-enterprise.list
deb http://download.proxmox.com/debian/pve buster pve-no-subscription
#deb https://enterprise.proxmox.com/debian/pve buster pve-enterprise
root@prxmx024a:~#
root@prxmx024a:~# vi /etc/apt/sources.list.d/pve-enterprise.list
root@prxmx024a:~#
root@prxmx024a:~# cat /etc/apt/sources.list.d/pve-enterprise.list
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription
#deb http://download.proxmox.com/debian/pve buster pve-no-subscription
#deb https://enterprise.proxmox.com/debian/pve buster pve-enterprise
root@prxmx024a:~#
root@prxmx024a:~#
root@prxmx024a:~#
root@prxmx024a:~# apt update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Get:2 http://download.proxmox.com/debian/pve bullseye InRelease [2,768 B]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Hit:4 http://security.debian.org bullseye-security InRelease
Get:5 http://download.proxmox.com/debian/pve bullseye/pve-no-subscription amd64 Packages [427 kB]
Fetched 474 kB in 0s (1,022 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
582 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@prxmx024a:~#root@prxmx024a:~# apt list --upgradable
[...]root@prxmx024a:~# apt dist-upgrade[...]root@prxmx024a:~# reboot
In 2009 there was "New Zealands Hacker con" in Wellington, which had this awesome picture:
Hackers/Attackers dont care about your...
After you reset your VM to a snapshot including RAM you might have to time from the VM snapshot still active. So your apt get using https might fail due to the wrong time: "*update source* is not valid yet (invalid for another 46min 26s)".
Example:
[11:14:04] root@linubu22nf435:~#
[11:14:07] root@linubu22nf435:~# date
Tue 31 Oct 2023 11:14:08 PM CET
[11:14:08] root@linubu22nf435:~#
[11:14:08] root@linubu22nf435:~# apt update && apt install -y software-properties-common
Hit:1 http://ppa.launchpad.net/ondrej/php/ubuntu focal InRelease
Hit:2 http://archive.ubuntu.com/ubuntu focal InRelease
Hit:3 http://archive.ubuntu.com/ubuntu focal-backports InRelease
Hit:4 http://archive.ubuntu.com/ubuntu focal-security InRelease
Ign:5 https://download.webmin.com/download/repository sarge InRelease
Get:6 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Hit:7 https://download.webmin.com/download/repository sarge Release
Reading package lists... Done
E: Release file for http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease is not valid yet (invalid for another 46min 26s). Updates for this repository will not be applied.
[11:14:20] root@linubu22nf435:~#
[11:14:23] root@linubu22nf435:~# sudo hwclock --hctosys
[11:15:06] root@linubu22nf435:~#
[12:37:53] root@linubu22nf435:~# date
Tue 31 Oct 2023 12:38:27 PM CET
[12:38:27] root@linubu22nf435:~#
[12:38:28] root@linubu22nf435:~#
Using sudo hwclock --hctosys you update your time and apt get and apt install with https should work fine again.
Since Microsoft released a patch for Windows in Q4-2023, access to WebDav shares which use basic authentication is blocked:
Example with ionos webdav share:
English: "Microsoft Office has blocked access to
https://webdav.hidrive.ionos.com because the source uses a sign-in method that may be unsecure
German: "Microsoft Office hat den Zugriff auf
https://webdav.hidrive.ionos.com blockiert, da die Quelle eine Anmeldemethode verwendet, die möglicherweise unsicher ist."
To fix this, you have to add the following registry key to Windows 11 with the URL to your destination (in this example it is webdav.hidrive.ionos.com):
[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity]
"basichostallowlist"="webdav.hidrive.ionos.com"
Its hard to secure your IT services and applications. The list of possible attacks is long, as shown in the Mitre Att&ck framework, the OWASP lists and so on.
What helps drastically reducing the attack surface is to use mutual TLS (explanations see https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/ or https://en.wikipedia.org/wiki/Mutual_authentication#mTLS or https://www.youtube.com/watch?v=x7B5CwcxCDI or https://www.ietf.org/rfc/rfc5246.txt) for authentication to establish access to your service/application. If you use certificates to authenticate your clients before accessing the first byte to of your service/application, you stop attacks at OSI layer 5. The attackers cant reach OSI layer 6 and 7 which contain the most vulnerabilites and weaknesses by far.
I've asked ChatGPT to make a list to compare regular web applications with web applications, which use mutual TLS:
| Attack Type | Regular Web Application | Secured Web Application (Mutual TLS) | Mitre ATT&CK Tactic(s) |
|---|---|---|---|
| Cross-Site Scripting (XSS) | Vulnerable | Protected | Initial Access, Execution, Persistence |
| SQL Injection | Vulnerable | Protected | Collection, Credential Access, Execution |
| Cross-Site Request Forgery (CSRF) | Vulnerable | Protected | Initial Access, Collection |
| Session Hijacking | Vulnerable | Protected | Collection, Credential Access |
| Brute Force Attacks | Vulnerable | Protected | Credential Access, Execution |
| Clickjacking | Vulnerable | Protected | Collection, Defense Evasion |
| Directory Traversal | Vulnerable | Protected | Collection, Exfiltration |
| File Upload Vulnerabilities | Vulnerable | Protected | Execution, Collection |
| LDAP Injection | Vulnerable | Protected | Collection, Credential Access |
| Man-in-the-Middle (MitM) Attacks | Vulnerable | Protected | Collection, Credential Access, Execution |
| Remote File Inclusion | Vulnerable | Protected | Execution, Collection |
| XML External Entity (XXE) Injection | Vulnerable | Protected | Collection, Credential Access |
| Security Misconfigurations | Vulnerable | Way less vulnerable | Defense Evasion, Discovery |
| HTTP Header Injection | Vulnerable | Protected | Defense Evasion, Execution |
| DDoS Attacks | Vulnerable | Way less vulnerable | Impact |
| API Security Issues | Vulnerable | Protected | Collection, Credential Access, Execution |
| HTTP Parameter Pollution | Vulnerable | Protected | Defense Evasion, Execution |
| Session Sidejacking | Vulnerable | Protected | Credential Access, Collection |
| Social Engineering Attacks | Vulnerable | Protected | Collection, Defense Evasion |
| Cross-Site Tracing (XST) | Vulnerable | Protected | Credential Access, Collection |
| Fuzzing Attacks | Vulnerable | Protected | Execution, Defense Evasion |
| Cryptanalysis | Vulnerable | Way less vulnerable | Collection, Credential Access |
| Reverse Engineering | Vulnerable | Protected | Collection, Credential Access |
| Subdomain Takeover | Vulnerable | Protected | Initial Access, Collection |
| Session Token Theft | Vulnerable | Protected | Credential Access, Collection |
| Vulnerabilies/0days | Vulnerable | Way less vulnerable | Initial Access |
| Broken Object Level Authorization (BOLA) | Vulnerable | Protected | Credential Access, Authorization |
| Improper Rate Limiting | Vulnerable | Way less vulnerable | Defense Evasion, Impact |
| Insecure Direct Object References (IDOR) | Vulnerable | Protected | Collection, Credential Access |
| Insufficient Logging and Monitoring | Vulnerable | Way less vulnerable | Discovery, Defense Evasion |
| Insecure Deserialization | Vulnerable | Protected | Execution, Defense Evasion |
| Lack of Resources and Rate Limiting | Vulnerable | Protected | Defense Evasion, Impact |
| Mass Assignment | Vulnerable | Protected | Credential Access, Collection |
| Insecure Cryptographic Storage | Vulnerable | Vulnerable | Collection, Credential Access |
| Use of Components with Known Vulnerabilities | Vulnerable | Way less vulnerable | Collection, Execution |
| Unvalidated Redirects and Forwards | Vulnerable | Protected | Defense Evasion, Initial Access |
| XML External Entity (XXE) Injection | Vulnerable | Protected | Collection, Credential Access |
Caution: This is a simplified point of view - it is only focusing on the inital access. Mutual TLS certificate based authentication make the initial access for attackers almost impossible. Therefore most attacks are not possible anymore without the attackers gets his hands on a client certificate with its private key. However your IT stack is still vulnerable to OSI layer 1-5 attacks as well as e.g. to vulnerabilities within OpenSSL, LibreSSL etc.
During a proxmox update (e.g. from proxmox version 6 to 7) you receive the following error:
[...]
100% [608 zstd 34.1 kB/630 kB 5%] 1,337 kB/s 0s
100% [Working] 1,337 kB/s 0s
Fetched 255 MB in 2min 30s (1,702 kB/s)
W: (pve-apt-hook) !! WARNING !!
W: (pve-apt-hook) You are attempting to remove the meta-package 'proxmox-ve'!
W: (pve-apt-hook)
W: (pve-apt-hook) If you really want to permanently remove 'proxmox-ve' from your system, run the following command
W: (pve-apt-hook) touch '/please-remove-proxmox-ve'
W: (pve-apt-hook) run apt purge proxmox-ve to remove the meta-package
W: (pve-apt-hook) and repeat your apt invocation.
W: (pve-apt-hook)
W: (pve-apt-hook) If you are unsure why 'proxmox-ve' would be removed, please verify
W: (pve-apt-hook) - your APT repository settings
W: (pve-apt-hook) - that you are using 'apt full-upgrade' to upgrade your system
E: Sub-process /usr/share/proxmox-ve/pve-apt-hook returned an error code (1)
E: Failure running script /usr/share/proxmox-ve/pve-apt-hook
root@proxmox1:~#
root@proxmox1:~#
buster”.bullseye”. /etc/apt/sources.list.d/pve-enterprise.list file and /etc/apt/sources.list file still have "buster" (proxmox version 6) in them and replace it with "bullseye". E.g. with sed -i -e 's/buster/bullseye/g' /etc/apt/sources.list.d/pve-install-repo.list apt update againapt dist-upgrade againUpdate a Proxmox 6.x system to latest 6.4 using the guide https://pve.proxmox.com/wiki/Downloads#Update_a_running_Proxmox_Virtual_Environment_6.x_to_latest_6.4:
Proxmox VE 6.x is based on Debian 10.x which is called “buster”.
sources.list file, should look like this:cat /etc/apt/sources.list
deb http://deb.debian.org/debian buster main contrib
deb http://deb.debian.org/debian buster-updates main contrib
# security updates
deb http://security.debian.org buster/updates main contrib
cat /etc/apt/sources.list.d/pve-enterprise.listWhen running Proxmox VE 6.x with No-Subscription use:
deb http://download.proxmox.com/debian/pve buster pve-no-subscription
deb https://enterprise.proxmox.com/debian/pve buster pve-enterprise
pveversion -v
apt update
apt dist-upgrade
pveversion -v' and compare your output (all packages should have equal or higher version numbers): pveversion -v
root@prxmx053b:~#
root@prxmx053b:~# cat /etc/apt/sources.list
deb http://deb.debian.org/debian buster main contrib
deb http://deb.debian.org/debian buster-updates main contrib
# security updates
deb http://security.debian.org buster/updates main contrib
root@prxmx053b:~#
root@prxmx053b:~#
root@prxmx053b:~# apt update
Hit:1 http://security.debian.org buster/updates InRelease
Hit:2 http://download.proxmox.com/debian/pve buster InRelease
Hit:3 http://deb.debian.org/debian buster InRelease
Hit:4 http://deb.debian.org/debian buster-updates InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
242 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@prxmx053b:~#
root@prxmx053b:~#
root@prxmx053b:~# apt dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
[...]
root@prxmx053b:~#
root@prxmx053b:~# pveversion -v
proxmox-ve: 6.4-1 (running kernel: 5.4.73-1-pve)
pve-manager: 6.4-15 (running version: 6.4-15/af7986e6)
pve-kernel-5.4: 6.4-20
pve-kernel-helper: 6.4-20
pve-kernel-5.4.203-1-pve: 5.4.203-1
pve-kernel-5.4.73-1-pve: 5.4.73-1
ceph-fuse: 12.2.11+dfsg1-2.1+deb10u1
corosync: 3.1.5-pve2~bpo10+1
criu: 3.11-3
glusterfs-client: 5.5-3
ifupdown: 0.8.35+pve1
ksm-control-daemon: 1.3-1
libjs-extjs: 6.0.1-10
libknet1: 1.22-pve2~bpo10+1
libproxmox-acme-perl: 1.1.0
libproxmox-backup-qemu0: 1.1.0-1
libpve-access-control: 6.4-3
libpve-apiclient-perl: 3.1-3
libpve-common-perl: 6.4-5
libpve-guest-common-perl: 3.1-5
libpve-http-server-perl: 3.2-5
libpve-storage-perl: 6.4-1
libqb0: 1.0.5-1
libspice-server1: 0.14.2-4~pve6+1
lvm2: 2.03.02-pve4
lxc-pve: 4.0.6-2
lxcfs: 4.0.6-pve1
novnc-pve: 1.1.0-1
proxmox-backup-client: 1.1.14-1
proxmox-mini-journalreader: 1.1-1
proxmox-widget-toolkit: 2.6-2
pve-cluster: 6.4-1
pve-container: 3.3-6
pve-docs: 6.4-2
pve-edk2-firmware: 2.20200531-1
pve-firewall: 4.1-4
pve-firmware: 3.3-2
pve-ha-manager: 3.1-1
pve-i18n: 2.3-1
pve-qemu-kvm: 5.2.0-8
pve-xtermjs: 4.7.0-3
qemu-server: 6.4-2
smartmontools: 7.2-pve2
spiceterm: 3.1-1
vncterm: 1.6-2
zfsutils-linux: 2.0.7-pve1
root@prxmx053b:~#
root@prxmx053b:~# reboot
az aks get-credentials as it reveals sensitive data of AKS.
azureksmoq [ ~ ]$
azureksmoq [ ~ ]$ az aks get-credentials --resource-group rgaks04app23 --name AKS04
Merged "AKS04" as current context in /home/azureksmoq/.kube/config
azureksmoq [ ~ ]$
azureksmoq [ ~ ]$
azureksmoq [ ~ ]$ cat /home/azureksmoq/.kube/config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZ[...]RVJUSUZJQ0FURS0tLS0tCg==
server: https://mykubernetescluster-dns-[...].hcp.eastus.azmk8s.io:443
name: AKS04
contexts:
- context:
cluster: AKS04
user: clusterUser_rgaks04app23_AKS04
name: AKS04
current-context: AKS04
kind: Config
preferences: {}
users:
- name: clusterUser_rgaks04app23_AKS04
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ[...]RS0tLS0tCg==
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJV[...]0VZLS0tLS0K
token: bl0c8ko2[...]73m4ltf
azureksmoq [ ~ ]$
azureksmoq [ ~ ]$
This command can be helpful for developers or admins - but it is dual use as it reveals sensitive information. I recommend increasing your SIEM risk score or even make a use case with alerting.
Microsoft documentation for az aks get-credentials can be found here: https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-get-credentials or see here: https://azure.github.io/kubelogin/quick-start.html. See also https://learn.microsoft.com/en-us/azure/aks/control-kubeconfig-access
Get access credentials for a managed Kubernetes cluster.
By default, the credentials are merged into the .kube/config file so kubectl can use them. See -f parameter for details.
az aks get-credentials --name
--resource-group
[--admin]
[--context]
[--file]
[--format]
[--overwrite-existing]
[--public-fqdn]Get access credentials for a managed Kubernetes cluster. (autogenerated)
az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup
Name of the managed cluster.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Get cluster administrator credentials. Default: cluster user credentials.
If specified, overwrite the default context name. The --admin parameter takes precedence over --context.
Kubernetes configuration file to update. Use "-" to print YAML to stdout instead.
Specify the format of the returned credential. Available values are ["exec", "azure"]. Only take effect when requesting clusterUser credential of AAD clusters.
Overwrite any existing cluster entry with the same name.
Get private cluster credential with server address to be public fqdn.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
In order to update your whole IDE (e.g. visual studio code), you can run git pull to all subfolders one by one using:
ls | xargs -I{} git -C {} pull
Or you run it in parallel for multiple subfolders using:
ls | xargs -P10 -I{} git -C {} pull
DEVFLO@SYS40DEVCL001 MINGW64 /c/git
$
DEVFLO@SYS40DEVCL001 MINGW64 /c/git
$
DEVFLO@SYS40DEVCL001 MINGW64 /c/git
$ cd splunk-apps/
DEVFLO@SYS40DEVCL001 MINGW64 /c/git/splunk-apps
$ ls | xargs -I{} git -C {} pull
Already up to date.
remote: Enumerating objects: 64, done.
remote: Counting objects: 100% (28/28), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 64 (delta 15), reused 12 (delta 12), pack-reused 36
Unpacking objects: 100% (64/64), 12.38 KiB | 56.00 KiB/s, done.
From https://git.dev.domain.tld/splunk-apps/all_indexes
21ef148..dc3191d master -> origin/master
Updating 21ef148..dc3191d
Fast-forward
local/indexes.conf | 95 ++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 75 insertions(+), 20 deletions(-)
remote: Enumerating objects: 19, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 16 (delta 8), reused 6 (delta 2), pack-reused 0
Unpacking objects: 100% (16/16), 2.00 KiB | 34.00 KiB/s, done.
From https://git.dev.domain.tld/splunk-apps/hf_inputs_http
45221cc..9ba7459 master -> origin/master
Updating 45221cc..9ba7459
Fast-forward
local/inputs.conf | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 72 insertions(+), 2 deletions(-)
remote: Enumerating objects: 314, done.
remote: Counting objects: 100% (33/33), done.
remote: Compressing objects: 100% (28/28), done.
remote: Total 314 (delta 17), reused 5 (delta 5), pack-reused 281
[...]
DEVFLO@SYS40DEVCL001 MINGW64 /c/git/splunk-apps
$
DEVFLO@SYS40DEVCL001 MINGW64 /c/git/splunk-apps
$
DEVFLO@SYS40DEVCL001 MINGW64 /c/git/splunk-apps
$ ls | xargs -P10 -I{} git -C {} pull
Already up to date.
Already up to date.
Already up to date.
Already up to date.
Already up to date.
Already up to date.
remote: Enumerating objects: 101, done.
remote: Counting objects: 100% (76/76), done.
remote: Compressing objects: 100% (38/38), done.
remote: Total 101 (delta 46), reused 53 (delta 35), pack-reused 25
Receiving objects: 100% (101/101), 101.59 KiB | 12.70 MiB/s, done.
Resolving deltas: 100% (61/61), completed with 1 local object.
From https://git.dev.domain.tld/splunk-apps/search_securitywork
7c8b27a..913ed1e master -> origin/master
Updating 7c8b27a..913ed1e
Fast-forward
{local => default}/data/ui/nav/default.xml | 0
.../ui/views/security__asset_information.xml | 4 +-
.../ui/views/security__dashkpi1__logsource.xml | 4 +-
.../ui/views/security__dashkpi2__usecases.xml | 4 +-
.../views/security__dashkpi3__technology.xml | 2 +-
.../ui/views/security__dashkpi4_logvolume.xml | 2 +-
{local => default}/macros.conf | 0
{local => default}/mlspl.conf | 0
{local => default}/savedsearches.conf | 160 +++++++++++++++++----
{local => default}/transforms.conf | 0
lookups/uc_info.csv | 8 +-
14 files changed, 152 insertions(+), 50 deletions(-)
rename {local => default}/data/ui/nav/default.xml (100%)
rename {local => default}/data/ui/views/security__asset_information.xml (94%)
rename {local => default}/data/ui/views/security__dashkpi1__logsource.xml (99%)
rename {local => default}/data/ui/views/security__dashkpi2__usecases.xml (99%)
rename {local => default}/data/ui/views/security__dashkpi3__technology.xml (97%)
rename {local => default}/data/ui/views/security__dashkpi4_logvolume.xml (99%)
[...]
The website msportals.io is listing a nice overview of Microsofts portals. For example administrator portals:
Mitre published another awesome framework called d3fend.mitre.org
It is using the att&ck framework but from a defenders perspective :-)
If you have an atlassian confluence running, which is published by a loadbalancer or reverse proxy using another domain, you might run into an XSRF error.
Some actions like uploading your profile picture (https://confluence.domain.tld/users/profile/editmyprofilepicture.action) do not work. You'll receive an generic error from the confluence page (see red box of the screenshot below). If you check the HTTP Header response, you'll see XSRF check failed. It is caused by the confluence cross site request forgery (CSRF) protection.
server.xml and add the FQDN from the LoadBalancer or reverse proxy.More information can be found here: https://confluence.atlassian.com/kb/cross-site-request-forgery-csrf-protection-changes-in-atlassian-rest-779294918.html
Splunk published this awesome Splunk Enterprise update plan: https://docs.splunk.com/images/d/d3/Splunk_upgrade_order_of_ops.pdf
Regardless if you have a single-site or multi-site splunk installation, if your are running a stand-alone or distributed and/or clustered architecture, if you are using Splunks Universal Forwarder, the Deployment server, a License Master, Search Head cluster or Indexer Cluster master or not - this plan has your environment setup covered.
Step by step it guides you in updating your Splunk Enterprise environment including backuping up every system, checking each systems health and possible connectivity issues as well as the updates itself, may it be a simple upgrade or a rolling upgrade. Additional informations about each step can be found in the PDF as a link to docs.splunk.com.
With Googles release of the DNS top-level-domains .zip and .mov a new phishing (mitre att&ck T1566) trick is possible as bobbyrsec wrote about.
https://www.google.com/?q=example.text <— FQDN = google.com
https://www.google.com/example/text/@v1271.zip <— FQDN = google.com right? No, it is v1271.zip. Because the @ character describes e.g. the authentication of the URL.
https://www.google.com/example/text/v1271.zip <— FQDN = google.com
So doublechecking URLs becomes harder. Using Fido2, Passkeys or password-managers (e.g. bitwarden.com) with auto-fill becomes more important because they dont fall for that trick and are more phishing-resistant.
In case of an IT-security incident, emergency oder if a new critical vulnerability (like log4j in December 2021) arises, it is good to be prepared, so you can quickly answer questions like:
| System | Internet Facing | Protocol | Authentication | Security | Used Products/Vendors | Logs send to SIEM | Contact Person | Known Weaknesses |
| Websites | Yes, exposed to all public-ip-addresses | HTTPS (TCP:443) & HTTP (TCP:80 - HTTP 301 Redirect to HTTPS) | None | Web Application Firewall | F5 BigIP LoadBalancer WAF & Apache Container on OpenShift | Yes | Link to CMDB | Websites may contain 3rd party code, SBOM see CMDB |
| Managed File Transfer | Yes, but limited to dedicated public ip-addresses of partners | HTTPS (TCP:443) | HTTPS Tokens | Web Application Firewall | F5 BigIP LoadBalancer WAF IPSwitch | Yes | Link to CMDB | Runs on VM as appliance, OS might not be hardend from vendor |
| Citrix | Yes, exposed to all public-ip-addresses | HTTPS (TCP:443) | MFA | Netscaler WAF | Citrix Systems + Okta MFA | Yes | Link to CMDB | NetScaler WAF Ruleset might be out-of-date |
| Mailserver | Yes, exposed to all public-ip-addresses | SMTP (TCP:25) | None | AntiSpam Mailgatway & AV-Sandbox | Cisco E-Mail Security | Yes | Link to CMDB | Mailgateways run on Hardware, might not be hardended from vendor |
| SSLVPN S2E | Yes, exposed to all public-ip-addresses | HTTPS (TCP:443) | Mutual TLS Certbased + MFA | Azure DDoS | FortiGate SSLVPN Azure VM + Okta MFA | Yes | Link to CMDB | Possible FortiGate FortiOS SSLVPN Vulnerabilities |
| M365 ActiveSync | Yes, exposed to all public-ip-addresses | HTTPS (TCP:443) | Mutual TLS Certbased | Azure DDoS | Microsoft 365 + Intunes | Yes | Link to CMDB | Not part of own Vulnerability-Scanner |
| VPN S2S | Yes, but limited to dedicated public ip-addresses of partners | IPSec UDP:500 & UDP:4500 & ESP | IPsec IKEv2 Certbased Auth | Azure DDoS | FortiGate SSLVPN Azure VM | Link to CMDB | - | |
| DMARC SaaS | Yes, exposed to all public-ip-addresses | DNS (UDP:53), HTTP (TCP:80), HTTPS (TCP:443), SMTP (TCP:25) | None | - | dmarcadvisor.com SaaS | No | Link to CMDB | Not part of own Vulnerability-Scanner |
| DNS Server | Yes, but limited to dedicated public ip-addresses of partners | DNS (UDP:53 & TCP:53) | None | Azure Network Security Groups | RHEL Bind | Yes | Link to CMDB | - |
| ISP Routers | Yes, but limited to dedicated public ip-addresses of ISP routers | BGP (TCP:179), BFD, Ping (ICMP:0/8) | BGP MD5 Auth | - | Extreme Networks XOS | Yes | Link to CMDB | |
| etc.. | etc.. | etc.. | etc.. | etc.. | etc.. | etc.. | etc.. | etc.. |
Of course you can add many more columns like e.g.:
Alh4zr3d and Grzegorz Tworek wrote about a fileless, local privilege escalation backdoor in order to gain persistence (TA0003) using the following Windows command:
sc.exe sdset scmanager D:(A;;KA;;;WD)
Setting the security descriptor on the service manager allows anyone to start SYSTEM services.
To show the security descriptor of service manager:
sc.exe sdshow scmanager
The Mitre Att&ck framework has technique T1569.002 for this "System Services: Service Execution", writing: "Adversaries may abuse the Windows service control manager to execute
malicious commands or payloads. The Windows service control manager (services.exe) is an interface to manage and manipulate services. The service control manager is accessible to users via GUI components as well as system utilities such as sc.exe and Net."
Microsofts own documentation about sc.exe sdset:
Sets a service's security descriptor, using the Service Descriptor Definition Language (SDDL).
Syntax
sc [<ServerName>] sdset <ServiceName> <ServiceSecurityDescriptor>Parameters
Parameter
Description
<ServerName>
Specifies the name of the remote server on which the service is located. The name must use the Universal Naming Convention (UNC) format (for example, \\myserver). To run SC.exe locally, omit this parameter.
<ServiceName>
Specifies the service name returned by the getkeyname operation.
<ServiceSecurityDescriptor>
Specifies the service descriptor in SDDL.
/?
Displays help at the command prompt.
To explain the DACL D:(A;;KA;;;WD) gav_gall asked ChatGPT to explain:
If you are running GitLab in a docker container and your are using some directory service, for example ActiveDirectory with LDAPS for authentication, you might face the challenge, that when a user is moved in ActiveDirectory to another ad-group or the ad-group which is used as user-filter is deleted, then GitLab marks the user as "blocked".
docker exec -it <container-name> gitlab-rails console -e productionprdrhel8180:/ #
prdrhel8180:/ # docker exec -it gitlab gitlab-rails console -e production
--------------------------------------------------------------------------------
Ruby: ruby 2.7.5p203 (2021-11-24 revision f69aeb8314) [x86_64-linux]
GitLab: 15.3.1-ee (518311979e3) EE
GitLab Shell: 14.10.0
PostgreSQL: 12.10
------------------------------------------------------------[ booted in 37.73s ]
Loading production environment (Rails 6.1.6.1)
irb(main):001:0> user = User.find_by_email("someone@e-mail")
=> nil
irb(main):002:0> user = User.find_by_email("someone@e-mail.com")
=> #<User id:55 @someone>
irb(main):003:0> user.state
=> "ldap_blocked"
irb(main):004:0> user.state = "active"
=> "active"
irb(main):005:0> user.save
=> true
irb(main):006:0> exit
prdrhel8180:/ #
prdrhel8180:/ #/var/log/gitlab/gitlab-rails/application.log as:2023-02-02T01:30:18.098Z: LDAP account "cn=lastname\, firstname,ou=deleted-users,ou=someou,dc=internal,dc=domain,dc=local" does not exist anymore, blocking GitLab user "Lastname, Firstname" (firstname.lastname@domain.local)prdrhel8180:/ #
prdrhel8180:/ # docker exec -it gitlab cat /etc/gitlab/gitlab.rbgitlab_rails
gitlab_rails['ldap_servers'] = YAML.load <<- br="">
someldap: #
label: 'LDAP'
host: 'some-ldaps-vip.internal.domain.local'
port: 636
uid: 'sAMAccountName'
[...]
user_filter: '(|(memberOf=CN=SomeGroup,OU=Groups,OU=SomeOU,DC=internal,DC=domain,DC=local)(memberOf=CN=SomeGroup2,OU=Groups2,OU=SomeOU2,DC=internal,DC=domain,DC=local))'
prdrhel8180:/ #Microsoft will release a new version of Local Administrator Password Solution (LAPS), which provides new Azure AD features as well as new Active Directory OnPrem features and some migration features from the old version to the new one.
A video explaining everything in detail can be found here:
This video includes a nice overview showing how LAPS is working internally using CSP (lapscsp.dll), PowerShell (lapspsh.dll) or GPOs and LAPS core logic (laps.dll) which then reads and updates the expiry of accounts as well as updates their password, either in Azure Active Directory or in Windows Server Active Directory on premise:
Source: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts
LAPS can be used as solution against pass-the-hash (https://attack.mitre.org/techniques/T1550/002) and lateral-traversal attacks (https://attack.mitre.org/tactics/TA0008), as well as for securing user help desk access or recover to devices with a fine-grained security model and for RBAC in Azure AD.
Paessler PRTG released version 22.4.81.1532 (stable) in which a PRTG the tag handling system was fixed regarding tag parameters to avoid the risk of a possible Cross Site Scripting (XSS) attack.
Updates are available for PRTG Preview 22.4.81.1504 or PRTG Stable 22.4.81.1532It is a good idea to review your companys Microsoft's Local Administrator Password Solution LAPS installation. Leo Loobeek published a nice powershell-script which helps in finding groups which are specifically delegated by sysadmins and finding users with
"All Extended Rights" that can view passwords, and viewing all computers
with LAPS enabled.
https://github.com/leoloobeek/LAPSToolkit
https://github.com/leoloobeek/LAPSToolkit/blob/master/LAPSToolkit.ps1
Get-LAPSComputersFind-LAPSDelegatedGroupsFind-AdmPwdExtendedRightsWhen you suspect your Microsoft Defender Antivirus to be a bottleneck for your Windows performance, then you may use Microsofts Defender Antivirus performance analyzer. It helps you with the on-premise Windows Defender Antivirus as well as with the cloud solution Microsoft Defender for Endpoint (Defender ATP).
Especially on developer systems with an IDE Microsoft Defender Antivirus can have a significant performance impact on your system due to the many temporary files, which are not digitally signed but contain exectuable code. Microsofts Defender Antivirus performance can help you to detect:
New-MpPerformanceRecording -RecordTo how2itsec-analyze-microsoft-antivirus.etl
Get-MpPerformanceReport [-Path] <String>
[-TopScans <Int32>]
[-TopFiles <Int32>
[-TopScansPerFile <Int32>]
[-TopProcessesPerFile <Int32>
[-TopScansPerProcessPerFile <Int32>]
]
]
[-TopExtensions <Int32>
[-TopScansPerExtension <Int32>]
[-TopProcessesPerExtension <Int32>
[-TopScansPerProcessPerExtension <Int32>]
]
[-TopFilesPerExtension <Int32>
[-TopScansPerFilePerExtension <Int32>]
]
]
]
[-TopProcesses <Int32>
[-TopScansPerProcess <Int32>]
[-TopExtensionsPerProcess <Int32>
[-TopScansPerExtensionPerProcess <Int32>]
]
]
[-TopFilesPerProcess <Int32>
[-TopScansPerFilePerProcess <Int32>]
]
[-MinDuration <String>]
[-Raw]Get-MpPerformanceReport -Path .\how2itsec-analyze-microsoft-antivirus.etl -TopFiles 10
Get-MpPerformanceReport -Path .\how2itsec-analyze-microsoft-antivirus.etl -TopFiles 10 -TopScansPerFile 3 
Get-MpPerformanceReport -Path .\how2itsec-analyze-microsoft-antivirus.etl -TopExtensions:10 -TopProcesses:10 -TopScans:10
Get-MpPerformanceReport -Path .\how2itsec-analyze-microsoft-antivirus.etl -TopScans:100 -MinDuration:100ms
Get-MpPerformanceReport -Path .\how2itsec-analyze-microsoft-antivirus.etl -TopScans:100 -MinDuration:500ms -Raw | ConvertTo-Js
When adding a new VM (in this example the nextcloud appliance VM from https://www.hanssonit.se/nextcloud-vm/ ) to an old version of proxmox ...
