SERVER SECURITY > TIP 2:
T.me/UndercodeTesting
12. A useful BIND name server feature (use with caution!): the controls statement, which configures the management interface. Its syntax is:
controls {
    [ inet ip_addr port ip_port allow { address_match_list; }; ]
    [ unix path_name perm number owner number group number; ]
};
The controls section provides a management interface for the server. With the first form (inet), named listens on the given IP address (interface) and port, and only the addresses listed in allow may use it, so keep that list tightly restricted. With the second form (unix), a control FIFO is created at path_name, and its permissions, owner and group are set by the perm, owner and group parameters.
--- [[Authenticating zone transfers with TSIG]] ---------------------------
First of all, make sure your BIND name server software has been updated to the latest version!
In BIND 8.2 and later, Transaction Signatures (TSIG) can be used to authenticate and verify zone data. A shared secret key is configured on both the primary and the secondary name server, and each server is told to use that key when talking to the other. (Note that TSIG requires the name servers' clocks to be synchronized!)
written by Undercode
SERVER SECURITY BY UNDERCODE TIP 3:
A. To use TSIG signatures for manual (dynamic) updates of a secured DNS zone, the steps are simple:
1. Use the dnskeygen tool shipped with BIND to generate a TSIG key:
# dnskeygen -H 128 -h -n tsig-key.
Two files are generated. 'Ktsig-key.+157+00000.key' contains:
tsig-key. IN KEY 513 3 157 awwLOtRfpGE+rRKF2+DEiw==
'Ktsig-key.+157+00000.private' contains:
Private-key-format: v1.2
Algorithm: 157 (HMAC)
Key: awwLOtRfpGE+rRKF2+DEiw==
Note that these keys are BASE64 encoded. Put the key into the configuration file of the local name server, for example:
key tsig-key. { algorithm hmac-md5; secret "awwLOtRfpGE+rRKF2+DEiw=="; };
zone "dns.nsfocus.com" {
    ...
    allow-update { key tsig-key.; };
};
Remember to restart the named daemon.
Then copy the two key files to the client system (or the secondary name server), for example into the /var/named/tsig directory. Finally, run:
# nsupdate -k /var/named/tsig:tsig-key.
2. Primary (master) name server configuration file (excerpt):
// Define the authentication method and shared key
key master-slave {
    algorithm hmac-md5;
    secret "mZiMNOUYQPMNwsDzrX2ENw==";
};
// Define how to talk to the secondary name server
server 192.168.8.18 {
    transfer-format many-answers;
    keys { master-slave; };
};
// Zone record definition
zone "nsfocus.com" {
    type master;
    file "db.nsfocus.com";
    allow-transfer { 192.168.8.18; };
};
3. Secondary (slave) name server configuration file (excerpt):
// Define the authentication method and shared key
key master-slave {
    algorithm hmac-md5;
    secret "mZiMNOUYQPMNwsDzrX2ENw==";
};
// Define how to talk to the primary name server
server 192.168.8.19 {
    transfer-format many-answers;
    keys { master-slave; };
};
// Zone record definition
zone "nsfocus.com" {
    type slave;
    file "bak.db.nsfocus.com";
    masters { 192.168.8.19; };
    allow-transfer { none; };
};
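To show what the shared key in the configuration above actually does on the wire (Tip 2 says TSIG "verifies" zone data and needs synchronized clocks), here is an added Python example of my own, not code from the original tips or from BIND: it builds a constructed sample DNS query, computes the TSIG HMAC-MD5 over the message plus the TSIG variables as RFC 2845 describes, and shows a receiver rejecting a tampered message (BADSIG) and a message whose time signed is outside the fudge window (BADTIME). The query name, the fudge of 300 seconds and the fixed timestamp are my assumptions; the key name and secret are the ones generated in the text.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret exactly as generated by dnskeygen in the text (BASE64 encoded).
SECRET_B64 = "awwLOtRfpGE+rRKF2+DEiw=="
KEY_NAME = "tsig-key."
ALGORITHM = "hmac-md5.sig-alg.reg.int"  # registered TSIG algorithm name for hmac-md5

def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase labels, no compression."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.lower().rstrip(".").split(".") if l)
    return out + b"\x00"

def build_query(qname: str, qtype: int = 6, qid: int = 0x1234) -> bytes:
    """Constructed sample DNS query (SOA by default); a real client would send an UPDATE."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    return header + wire_name(qname) + struct.pack("!HH", qtype, 1)  # qtype, class IN

def tsig_mac(message: bytes, time_signed: int, fudge: int) -> bytes:
    """HMAC over the DNS message followed by the TSIG variables (RFC 2845 section 3.4)."""
    variables = (wire_name(KEY_NAME)
                 + struct.pack("!HI", 255, 0)          # CLASS ANY, TTL 0
                 + wire_name(ALGORITHM)
                 + time_signed.to_bytes(6, "big")      # 48-bit time signed
                 + struct.pack("!HHH", fudge, 0, 0))   # fudge, error, other len (no other data)
    key = base64.b64decode(SECRET_B64)
    return hmac.new(key, message + variables, hashlib.md5).digest()

def verify(message: bytes, time_signed: int, fudge: int, mac: bytes, now: int) -> str:
    """Receiver-side check: signature first (BADSIG), then clock skew (BADTIME)."""
    expected = tsig_mac(message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:
        return "BADTIME"  # this is why the text insists on clock synchronization
    return "NOERROR"

def demo() -> dict:
    """Sign one constructed query and verify it under three receiver conditions."""
    msg = build_query("dns.nsfocus.com")
    signed_at = 1_000_000_000  # assumed fixed timestamp so the result is reproducible
    mac = tsig_mac(msg, signed_at, 300)
    return {
        "ok": verify(msg, signed_at, 300, mac, now=signed_at + 10),
        "tampered": verify(msg + b"\x00", signed_at, 300, mac, now=signed_at + 10),
        "skewed": verify(msg, signed_at, 300, mac, now=signed_at + 3600),
    }

if __name__ == "__main__":
    print(demo())
```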
written by Undercode
SERVER SECURITY TIP 4
--- [[Implementing DNSSEC]] ---------------------------------------------------
1) To be honest, I have been debating whether to cover implementing DNSSEC in the current version of this article. Although ISC added a DNSSEC implementation after BIND 8.1.x, it is not yet widely deployed in practice, and
2) the NXT remote security vulnerability announced last year is related to DNSSEC (in fact, NXT is one of the record types DNSSEC introduces).
In the end I decided not to discuss how to implement DNSSEC in this article.
3) It is undeniable, however, that DNSSEC is a good security technology: it improves the security of the DNS service by signing DNS data. The master key is used to sign the key of the first-level domain name.
4) The first-level domain name (.com, .
For example, the name server of example.com is signed by the .com domain key, and the nsfocus.com domain key is used to sign the www.example.com domain name.
written by Undercode
SERVER SECURITY TIP 5 BY UNDERCODE:
--- [[Running BIND in a chroot]] ---------------
(Using the FreeBSD platform as an example)
Step 1: Get and install the latest source code version of BIND 8.
Download the latest BIND release from the ISC FTP site:
BIND 8: http://www.isc.org/products/BIND/bind8.html
BIND 9: http://www.isc.org/products/BIND/bind9.html
Step 2: Build static named and named-xfer binaries
After compiling and installing, build statically linked versions of the executables. Simply edit the Makefile.set file in the %BIND%/src/port/freebsd directory and change the line
'CDEBUG=-O2 -g'
to:
'CDEBUG=-O2 -static'
Then switch to the BIND source directory and run "make clean" and "make". In the following steps these files will be copied into the chroot() directory.
# cd /tmp/bind/src
# make clean; make
A statically linked executable built this way does not need to load any shared libraries at run time. In a chroot() environment this "stand-alone" executable avoids the problem of missing shared library files: no libraries have to be placed inside the chroot() tree, which simplifies the service configuration. Any other network daemon can be compiled and used as a statically linked version in the same way.
Step 3: Build the BIND directory tree
Build the directory tree for the chroot() environment. BIND will treat this directory as the system root once it has chrooted. Here I use /chroot/bind as the root directory after chroot.
# mkdir /chroot
# mkdir /chroot/bind
# mkdir /chroot/bind/dev
# mkdir /chroot/bind/etc
# mkdir /chroot/bind/etc/namedb
# mkdir /chroot/bind/usr
# mkdir /chroot/bind/usr/sbin
# mkdir /chroot/bind/var
# mkdir /chroot/bind/var/run
# cd /chroot/bind
Then copy the following files into the corresponding subdirectories and do some necessary processing:
# cp /etc/namedb/named.conf /chroot/bind/etc/
# cp /etc/localtime /chroot/bind/etc/
# grep bind /etc/group > /chroot/bind/etc/group
# cp -R /etc/namedb/ /chroot/bind/etc/namedb/
# mknod /chroot/bind/dev/null c 2 2
# chmod 666 /chroot/bind/dev/null
# cp /tmp/bind/src/bin/named/named /chroot/bind/usr/sbin/
# cp /tmp/bind/src/bin/named-xfer/named-xfer /chroot/bind/
In addition, you can also specify a logging directory (such as /var/log); see the following chapter or the named.conf man page.
Step 4: Add the bind user and group (skip this step if a user or group such as bind or named already exists)
Add the bind user and group to /etc/passwd and /etc/group. They are the UID/GID the DNS server runs as.
At this point you can run "chown -R bind.bind /chroot/bind/etc/namedb" in the chroot environment. That way, when you send the named process an interrupt signal (kill -INT), it can dump its server cache and statistics. If the directory is owned by root, the named process cannot write its output there, but the name server still functions. Another option is to change only the directory permissions (so that the named user has write access) while root remains the owner. This also works, but must be set up carefully so that its users cannot modify the named records!
*** Important warning ***
Do not run named under an existing UID/GID (such as "nobody"). Remember, reusing any existing UID/GID in a chroot environment may compromise the security of the service. Get into the habit of giving each chrooted daemon its own separate UID/GID.
Step 5: Other necessary adjustments
If additional directories and files are specified in named.conf, they must also be set up inside the chroot() environment (in this case under /chroot/bind/).
Step 6: Test
1. Terminate the original syslogd and named daemons.
# killall syslogd named
2. Restart syslogd with the appropriate parameters.
# syslogd -s -p /chroot/bind/var/run/log
3. Restart named with the appropriate parameters.
# /chroot/bind/usr/sbin/named -u bind -g bind -t /chroot/bind
4. Check that the syslogd and named daemons are running, that the listening ports are normal, and that /var/log/messages shows the named process starting normally.
# ps auwx | grep syslogd
root 5896 0.0 1.7 896 508 ?? Ss 9:44PM 0:00.10 syslogd -s -p /chroot/bind/var/run/log
# ps auwx | grep named
bind 5941 0.0 4.9 1652 1444 ?? Is 9:52PM 0:00.01 /chroot/bind/usr/sbin/named -u bind -g bind -t /chroot/bind
# netstat -an | grep 53
tcp4 0 0 127.0.0.1.53 *.* LISTEN
tcp4 0 0 192.168.8.19.53 *.* LISTEN
udp4 0 0 127.0.0.1.53 *.*
udp4 0 0 192.168.8.19.53 *.*
Step 7: Modify the system startup script
For FreeBSD systems, add the following to /etc/rc.conf:
syslogd_enable="YES"
# To prohibit sending logs out, replace -s with -ss.
syslogd_flags="-s -p /chroot/bind/var/run/log"
named_enable="YES"
named_flags="-u bind -g bind -t /chroot/bind"
Note: on other platforms such as OpenBSD, Linux and Solaris it may differ slightly, mainly because the syslog implementation differs. For example, on OpenBSD and Linux the command to open an additional log socket is "syslogd -a /chroot/bind/var/run/log", and the Solaris syslogd does not support additional sockets.
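As an added check (my own example code, not from the original tips or from BIND), the following Python script audits a chroot tree built by Steps 2 to 5 above: it verifies the directory layout and the dev/null node, confirms that usr/sbin/named carries no PT_INTERP segment (that is, it is statically linked as Step 2 requires), and rejects shared accounts such as nobody (Step 4). The required-file list, the shared-account set and the minimal_elf sample image are my assumptions.

```python
import os
import stat
import struct

# Layout produced by Step 3, relative to the chroot root (/chroot/bind on this page).
REQUIRED_DIRS = ["dev", "etc", "etc/namedb", "usr/sbin", "var/run"]
REQUIRED_FILES = ["etc/named.conf", "etc/localtime", "etc/group", "usr/sbin/named"]
SHARED_ACCOUNTS = {"nobody", "daemon", "root"}  # Step 4: never reuse these for named
PT_INTERP = 3  # ELF program header type that names the dynamic loader

def is_static_elf(data: bytes) -> bool:
    """True if the ELF image has no PT_INTERP segment, i.e. it needs no dynamic loader."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    if data[4] == 2:  # EI_CLASS: 2 = ELF64
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:  # ELF32
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        p_type = struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
        if p_type == PT_INTERP:
            return False
    return True

def minimal_elf(p_type: int) -> bytes:
    """Constructed sample: a bare little-endian ELF64 header plus one program header."""
    hdr = bytearray(64)
    hdr[0:4], hdr[4], hdr[5] = b"\x7fELF", 2, 1
    struct.pack_into("<Q", hdr, 32, 64)      # e_phoff: program headers follow the header
    struct.pack_into("<HH", hdr, 54, 56, 1)  # e_phentsize, e_phnum
    return bytes(hdr) + struct.pack("<I", p_type) + bytes(52)

def audit_chroot(root: str, service_user: str = "bind") -> list:
    """Return the problems found in a BIND chroot tree; an empty list means it passes."""
    problems = []
    for d in REQUIRED_DIRS:
        if not os.path.isdir(os.path.join(root, d)):
            problems.append(f"missing directory {d}")
    for f in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(root, f)):
            problems.append(f"missing file {f}")
    null = os.path.join(root, "dev/null")
    if not os.path.exists(null):
        problems.append("missing dev/null")
    else:
        st = os.stat(null)
        if not stat.S_ISCHR(st.st_mode):
            problems.append("dev/null is not a character device")
        if stat.S_IMODE(st.st_mode) != 0o666:
            problems.append("dev/null is not mode 0666")
    named = os.path.join(root, "usr/sbin/named")
    if os.path.isfile(named):
        with open(named, "rb") as fh:
            image = fh.read()
        try:
            if not is_static_elf(image):
                problems.append("usr/sbin/named is dynamically linked")
        except (ValueError, struct.error):
            problems.append("usr/sbin/named is not a valid ELF binary")
    if service_user in SHARED_ACCOUNTS:
        problems.append(f"named must not run as shared account {service_user}")
    return problems

if __name__ == "__main__":
    for p in audit_chroot("/chroot/bind"):
        print("PROBLEM:", p)
```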
E N J O Y
WRITTEN BY UNDERCODE