API for Troy Hunts passwords list

TL;DR version: https://github.com/ryanschulze/password-check-api

So NIST updated their recommendations on passwords/authentication a few weeks ago. And while a lot of the reporting was about how password complexity was removed in favor of password length, one point I found intriguing was the suggestion to check if a users password falls into one of these categories:

  • Passwords obtained from previous breach corpuses.
  • Dictionary words.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.

Troy Hunt, the guy behind https://haveibeenpwned.com, deals with a lot of data breaches and made 320 Million passwords from breaches available (at the time of this posting) to help people with checking if passwords that were part of a data breach.

I threw together a small API that can make the data from Troy Hunt easily query-able (or any list of SHA1 hashes for that matter). This can be useful if you have multiple systems that want to query the data, or if you want the data on a separate system.

It’s nothing special, a MySQL backend, a Webserver and an API application using the Slim framework. It’s also stupid fast because there is nothing fancy or special about it. Since it uses a well documented framework it is also easy to change/extend/adjust to your specific requirements.

Bash function to run commands against ansible hosts

I haven’t posted anything ansible related in a while, so here is a nifty little function I regularly use when I want to execute something on all (or a subset) of ansible hosts. It’s just a wrapper around ansible host -m script -a scriptname.sh  but adds –tree so that the output is stored and can easily be parsed by jq 

Usage example:

Keeping track of Jira issues

A Jira search that I find useful (show tickets you created and haven’t been updated in a while) since I often have to track tickets I created across different projects. You can subscribe to searches and get an email sent with the results.

reporter = currentUser() AND updated < -90d AND resolution = Unresolved ORDER BY updatedDate DESC 

Fixing Ubuntu 17.04 DNS problems

I recently upgraded my Ubuntu box to 17.04.

Much to my surprise DNS starting behaving strangely, so I checked my DNS server … worked fine if I queried it directly, so I checked if DHCP was giving out the wrong DNS IP … nope, that was fine too. I checked /etc/nsswitch.conf , and that looked fine too so I checked what was ending up in /etc/resolv.conf and was surprised that it contains nameserver 127.0.0.53  instead of the “real” DNS server.

After a bit of research I found out that Ubuntu switched over to using systemd-resolved, which shoves itself between user land and the DNS servers and (at least in Ubuntu 17.04) has problems with servers that support DNSSEC. Very frustrating when you know everything is OK and worked in the past, just systemd messing with stuff and breaking it.

My workaround was to turn of DNSSEC validation. Not pretty but better than no DNS at all, until Ubuntu get’s their problems sorted out.

 

How to fetch IP ranges/entries from SPF records in bash

Recently I needed to fetch IP ranges from SPF records. After looking at different python/ruby/perl modules I came to the conclusion that a fancy module (sometimes with wonky dependencies) was overkill just to parse a simple SPF record. So I threw together a simple bash script that is mainly just fetching the SPF record with dig and grep:

It iterates through the options (it currently recognizes a, mx, ip4, ip6, include, and redirect), and then sorts the output by ipv4, then ipv6.

Download URL: fetch_spf.sh