DShield-ISC / dshield

DShield Raspberry Pi Sensor
https://www.dshield.org
GNU General Public License v2.0

API Key Verification Failed #16

Closed screwzloose closed 8 years ago

screwzloose commented 8 years ago

Hello Folks,

I'm having an issue getting past the API Key Verification... I'm entering in my email address and AuthKey exactly from account but still getting the failed... I'm curious if it has to do with my +sans@outlook.com in my email address.

Thoughts?

jullrich commented 8 years ago

possible URL encoding issue. will try to reproduce it.

jullrich commented 8 years ago

btw: try to replace the + with %43 and see if that helps.
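Added example, not part of the thread and not the project's code: how a literal + in a query-string value is read back as a space by a form-decoding server, and how percent-encoding the value avoids that. The endpoint URL, parameter names, address and key below are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoint and parameter names, used only for illustration.
BASE = "https://sensor.example.invalid/verify"

EMAIL = "user+sans@example.com"   # constructed address with a plus tag
AUTHKEY = "abc0O123"              # constructed placeholder key


def naive_url(email, authkey):
    """Build the query string by plain concatenation (no encoding)."""
    return f"{BASE}?email={email}&authkey={authkey}"


def encoded_url(email, authkey):
    """Build the query string with form encoding: '+' is sent as %2B."""
    return f"{BASE}?{urlencode({'email': email, 'authkey': authkey})}"


def server_view(url):
    """Decode the query the way a form-decoding server would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in params.items()}


def roundtrips(build, email, authkey):
    """True if the server sees exactly the values the client meant to send."""
    seen = server_view(build(email, authkey))
    return seen.get("email") == email and seen.get("authkey") == authkey


if __name__ == "__main__":
    for build in (naive_url, encoded_url):
        url = build(EMAIL, AUTHKEY)
        print(build.__name__, url)
        print("  server sees:", server_view(url))
        print("  matches account:", roundtrips(build, EMAIL, AUTHKEY))
```

With the unencoded URL the server compares "user sans@example.com" against the account record, so verification fails even though the key itself is correct.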

bdmeyer commented 8 years ago

I have this same problem. I have a regular email address, I have entered my authkey where it asks for the apikey. I am guessing this is the same thing? I have typed the authkey in maybe 8 times. Copy paste doesn't work.

Error message is: Your API Key Verification Failed.

jullrich commented 8 years ago

could you please send me your email address ( jullrich = at = sans.edu ) so I can check the logs at my end? Thanks!

bdmeyer commented 8 years ago

Yes Sir.

bdmeyer44@msn.com

From: Johannes Ullrich [mailto:notifications@github.com] Sent: Wednesday, May 18, 2016 6:23 PM To: DShield-ISC/dshield dshield@noreply.github.com Cc: Bruce Meyer bdmeyer44@msn.com; Comment comment@noreply.github.com Subject: Re: [DShield-ISC/dshield] API Key Verification Failed (#16)

could you please send me your email address ( jullrich = at = sans.edu ) so I can check the logs at my end? Thanks!


bdmeyer commented 8 years ago

I figured it out. One of the characters was a zero. The font used on the web site makes it look like a capital ‘oh’ O0

Would help to use a monotype font that slashes the zero so it is apparent.

Sorry for the trouble.


jullrich commented 8 years ago

I will change the font. Thanks for the feedback!


jullrich commented 8 years ago

Hm. having a hard time finding a better (well supported) font. Oddly enough, all the "fixed fonts" have the same issue with 0 and O looking alike. Instead, I added a note for now suggesting to copy/paste the string and to watch out for 0/Os. I guess another option would be to add some markup to make letters / numbers different colors, or to underline numbers. But I am afraid this will destroy the ability to copy/paste, so I will hold off on this for now until I had a chance to experiment a bit.

bdmeyer commented 8 years ago

Noticed on ',myaccount' where the authkey used to be it now says: AuthKey: (copy/paste. confirm zero(0) vs. O) (but no authkey)

Noticed the raspberry dshield is no longer sending reports since the evening of the first day. Rebooted, verified inbound can still see list of open or stealthed ports and I can reach outbound. Is there an active forum? I posted a few things on the forum under isc.sans.org but very little traffic, and less responses to people's questions.

--Bruce D. Meyer


jullrich commented 8 years ago

you are saying the key is no longer visible to you? hm. that would be odd.

regarding the raspberry no longer sending: hard to say what is going on... if this happens again, look for free disk space. I may add a diagnostic script to collect some logs

To report any issues with the honeypot, this is the best venue.

bdmeyer commented 8 years ago

I am at work so I can't check right now, I was thinking, if pi sends email out via smtp maybe roadrunner is blocking it now. Have to look which email service is running, where the email is headed and see if I can hit it by hand.

--Bruce D. Meyer


bdmeyer commented 8 years ago

Hi Dr. Ullrich, I found the below, so I'll adjust the port that email is being sent out on:

In the event that your computer is suspected of being infected and sending out spam, a filter may be placed on your cable modem to block outbound port 25 traffic not destined for the TWC Mail servers. This is done to help you stay online and to limit the amount of spam that is sent out while your computer is being cleaned.

To send email outside of the TWC Mail servers, you’ll need to reset your connections from port 25 to port 587.

Note: If changing your outbound SMTP port to 587 still doesn’t allow you to send mail, please consult the documentation for the site that you are trying to connect to.

--Bruce D. Meyer


jullrich commented 8 years ago

The raspberry pi honeypots should send reports via HTTPS, not SMTP (SMTP is used by the older scripts, but I changed that to https to make it work with various ISPs that block outbound email)

to send e-mail to DShield, we also have a special mail server, “aolmail.dshield.org” that listens on port 81 (yes, I originally set this up for AOL users :) )


bdmeyer commented 8 years ago

That explains why I didn’t find /etc/ssmtp/ssmtp.conf

Ok, I’m stumped.

How can I force an email attempt so I can watch via tcpdump?

Is it the subroutine .$log in dshield.pl? I am hesitant to run it as it seems to do more than send email.

It’s running, here is some output:

debug.log ssh-VC59zeUmpEaJ
pulse-PKdhtXMmr18n systemd-private-412848c2ef5f405eb5f1ca6ec7b1324c-rtkit-daemon.service-Ibm3QH
ssh-QRTxlLAgE0OV

pi@raspberrypi:/etc $ less /tmp/debug.log
S
2016-05-22 10:22:31 -0400 948536993 1 0.0.0.0 0 224.0.0.1 0 2
2016-05-22 10:23:07 -0400 948536993 1 0.0.0.0 0 255.255.255.255 0 139
2016-05-22 10:24:36 -0400 948536993 1 0.0.0.0 0 224.0.0.1 0 2
2016-05-22 10:24:38 -0400 948536993 1 41.84.235.90 33064 192.168.1.132 23 6 S
2016-05-22 10:24:49 -0400 948536993 1 95.211.187.156 5500 192.168.1.132 1010 17
2016-05-22 10:25:04 -0400 948536993 1 66.150.54.1 7171 192.168.1.132 9254 6 A
2016-05-22 10:25:07 -0400 948536993 1 0.0.0.0 0 255.255.255.255 0 139
2016-05-22 10:26:42 -0400 948536993 1 0.0.0.0 0 224.0.0.1 0 2
2016-05-22 10:27:07 -0400 948536993 1 0.0.0.0 0 255.255.255.255 0 139
2016-05-22 10:27:08 -0400 948536993 1 188.214.129.25 5099 192.168.1.132 5060 17
2016-05-22 10:28:29 -0400 948536993 1 95.211.187.156 5172 192.168.1.132 1011 17
2016-05-22 10:28:47 -0400 948536993 1 0.0.0.0 0 224.0.0.1 0 2
2016-05-22 10:28:53 -0400 948536993 1 80.4.132.15 57110 192.168.1.132 11435 6 S
2016-05-22 10:28:53 -0400 948536993 1 80.4.132.15 60412 192.168.1.132 11435 17
2016-05-22 10:29:07 -0400 948536993 1 0.0.0.0 0 255.255.255.255 0 139
2016-05-22 10:30:15 -0400 948536993 1 0.0.0.0 0 255.255.255.255 0 139
2016-05-22 10:30:53 -0400 948536993 1 0.0.0.0 0 224.0.0.1 0 2

I wonder if the authkey weirdness has something to do with it.

Here is what I see:

I have to go build a bed…

I’ll check back before I hit the sack. (Night shift guy)
