DIY IP Threat Feed

A threat feed is a collection of actionable information about threats that allows for mitigating harmful events. This blog post is concerned with developing an IP based threat feed or blacklist. We will look at how to gather, aggregate, enrich, and extract threat data for consumption. Gathering the threat data I have several servers in … Read more DIY IP Threat Feed

Deploying Splunk Universal Forwarders via GPO

When you want to get security event data from your Windows endpoints, there exists a myriad of ways to achieve that objective. Here I am going to outline how to deploy the Splunk Universal Forwarder (UF) using a Group Policy Object (GPO). From there, you can configure the agents using a deployment server to ship the logs … Read more Deploying Splunk Universal Forwarders via GPO

Replacing the Default Splunk Web SSL Certificate

This post  goes over how to sign a SplunkWeb Certificate Signing Request (CSR) using my Root CA in pfSense. I do not cover creating the Root CA. Step 1: Create the directory for the certificates

Step 2: Generate the private key and temporary password

Step 3: Remove the password from the private key … Read more Replacing the Default Splunk Web SSL Certificate

Tracking SSH Brute-force Logins with Splunk

If you manage servers with OpenSSH access, you have no doubt been subject to the barrage of ssh brute-force attempts that occurs across the internet. Some administrators deal with this by either changing the default port (security by obscurity), utilizing public keys, threshold blocking, or white-listing source IP addresses among other things. AWS has security … Read more Tracking SSH Brute-force Logins with Splunk

Running an Authoritative DNS Server

I have been running my own Domain Name Server for several years. Some people argue the merits of doing such a thing when you can just put it in the “cloud”, but I enjoy managing DNS with all the flexibility and  enrichment it brings. I run Bind version 9 in a FreeBSD Jail and it … Read more Running an Authoritative DNS Server