Want to scan your network?

# Get the memcached nmap script -

# Nmap network for open memcached ports (example, replace with your range)
sudo nmap -p 11211 -sU -sS --script memcached-info >> memcrashed.log 

# Sort nmap log and find IPs that are actually vuln 
cat memcrashed.log | grep -B 16 Authentication | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" >> sorted_memcrashed.log 

# Can verify with this one liner
while read -r a; do echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u "$a" 11211 ; done < sorted_memcrashed.log
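
A sturdier version of the sorting step, as an added example that is not part of the original post: it reads the nmap log host by host and prints an address only when that host's own memcached-info block reports "Authentication: no", so a fixed "-B 16" window cannot pick up a neighbouring host's IP. The sample log is constructed, and the memcached-info output layout is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post).
# Prints each host whose memcached-info block says "Authentication: no".
unauth_memcached_hosts() {            # $1 = nmap normal-format log
    awk '
        /^Nmap scan report for / {
            host = $NF                # "for 192.0.2.10" or "for name (192.0.2.20)"
            gsub(/[()]/, "", host)
            in_script = 0
            next
        }
        /^\| memcached-info:/ { in_script = 1; next }
        !/^\|/                { in_script = 0 }   # script output lines start with "|"
        in_script && /Authentication: no/ && !(host in seen) {
            seen[host] = 1
            print host
        }
    ' "$1"
}

# Constructed sample log; the field layout is assumed from memcached-info output.
sample_nmap_log() {
    cat <<'EOF'
Nmap scan report for 192.0.2.10
Host is up (0.0010s latency).
PORT      STATE SERVICE
11211/tcp open  memcached
| memcached-info:
|   Process ID: 1201
|   Maximum connections: 1024
|_  Authentication: no
11211/udp open  memcached
| memcached-info:
|_  Authentication: no

Nmap scan report for cache.example.test (192.0.2.20)
Host is up (0.0012s latency).
PORT      STATE SERVICE
11211/tcp open  memcached
| memcached-info:
|_  Authentication: yes

Nmap scan report for 192.0.2.30
PORT      STATE  SERVICE
11211/tcp closed memcached
EOF
}
```

Run it as unauth_memcached_hosts memcrashed.log to get one address per line, with hosts seen on both TCP and UDP listed once.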

So… I recently started using BelugaCDN for, as they were kind enough to give us free service (being a non-profit and all). But I found that they don’t have any kind of automated (easy) way to install Let’s Encrypt certs. I’m too cheap to pay for certs, and besides, we have Let’s Encrypt after all. Now, this tutorial is a bit hacky when it gets to the BelugaCDN part, so don’t say I didn’t warn you.. I’m only scripting renewals for one subdomain at the moment.. I set up the CNAME -> with Cloudflare, spun up a Debian Stretch VM and my journey began..

1. Getting a certificate from Let’s Encrypt

Make sure the proper dependencies are installed.
apt install python-pip build-essential python-dev curl libffi-dev libssl-dev openssl sed grep mktemp git

Install Lexicon with python-pip.
pip install dns-lexicon

Create a user.
root@moon:~# useradd -m -s /bin/bash letsencrypt

Login to the user.
root@moon:~# su letsencrypt

Go to home directory.
letsencrypt@moon:~$ cd /home/letsencrypt

Clone the Dehydrated repository.
letsencrypt@moon:~$ git clone /home/letsencrypt

Make the script executable.
letsencrypt@moon:~$ chmod +x /home/letsencrypt/dehydrated/dehydrated

Add domain to list.
letsencrypt@moon:~$ echo "" > /home/letsencrypt/dehydrated/domains.txt

Download the default Dehydrated script and make it executable.
letsencrypt@moon:~$ wget -P /home/letsencrypt/dehydrated
letsencrypt@moon:~$ chmod +x /home/letsencrypt/dehydrated/

Add needed export variables to You’ll need your global Cloudflare API key. Example:

export LEXICON_CLOUDFLARE_TOKEN=234dcef90c3d9aa0eb6798e16bdc1e4b

Accept the terms…
/home/letsencrypt/dehydrated/dehydrated --register --accept-terms

Launch the script! After this you should have your cert issued shortly after.
/home/letsencrypt/dehydrated/dehydrated --cron --hook /home/letsencrypt/dehydrated/ --challenge dns-01

By default the cert/key will be located in the directory of the script under “certs”. Example:

deploy_cert called:, /home/letsencrypt/dehydrated/certs/, /home/letsencrypt/dehydrated/certs/, /home/letsencrypt/dehydrated/certs/, /home/letsencrypt/dehydrated/certs/

2. Pushing your new certificate to BelugaCDN

Now the next part is a bit more annoying. I’m slightly disappointed that BelugaCDN doesn’t have easier ways to automate this. Although their API seems good, the process is completely unintuitive for newbies. And the only easy way to do it is to paste the certificate, chain and private key into the site. Obviously that method (if you’re using Let’s Encrypt) would require you to paste the new cert in every 3 months, which is cumbersome.

I didn’t feel like making a script to create the initial certificate in this next part, so I simply did this manually. Renewals CAN be scripted easily though with tools readily available.

Logout of your user if still logged in.
letsencrypt@moon:~$ exit

Install beluga-py with pip.
root@moon:~# pip install beluga-py

Log back in.
root@moon:~# su letsencrypt

Go back to home base.
letsencrypt@moon:~$ cd /home/letsencrypt

Push the initial cert. After this finishes, wait until BelugaCDN pushes it to their edge nodes. Example:
letsencrypt@moon:~$ beluga --username --password 3x@mp13 --path ssl-certificates --method POST --body '{"certificate": "-----BEGIN CERTIFICATE-----\n[certificate data]\n-----END CERTIFICATE-----","key": "-----BEGIN PRIVATE KEY-----\n[private key data]\n-----END PRIVATE KEY-----", "site": ""}'

If you want to check the status on BelugaCDN’s end, you can use a command like this:

letsencrypt@moon:~$ beluga --username --password PASSWORD --path ssl-certificates

You will see the status as “pending” until BelugaCDN fully pushes it. After, it will state “active”.

"status": "pending"
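
Instead of pasting the PEM data into the --body string by hand, the JSON can be built from the files. This is an added example, not part of the original post or of beluga-py: it uses the "certificate", "key" and "site" fields from the command above, and the function names, file paths and site name are assumptions. It refuses files whose first line is not the expected PEM header, which catches a certificate and key passed in the wrong order.

```shell
#!/bin/sh
# Added example (not from the original post): build the --body JSON from PEM files.

pem_to_json() {                   # $1 = PEM file; prints its content as one JSON string
    # PEM holds only base64, dashes and spaces; anything else is a damaged or wrong file.
    if tr -d '\r' < "$1" | grep -q '[^A-Za-z0-9+/= -]'; then
        echo "unexpected characters in $1" >&2
        return 1
    fi
    printf '"'
    # Join the lines with a literal backslash-n, skipping blank lines.
    tr -d '\r' < "$1" | awk 'NF { if (n++) printf "\\n"; printf "%s", $0 }'
    printf '"'
}

build_cert_body() {               # $1 = certificate (chain) PEM, $2 = key PEM, $3 = site
    # Refuse swapped or mislabelled files before anything leaves the machine.
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----' ||
        { echo "$1 does not start with a certificate" >&2; return 1; }
    head -n 1 "$2" | grep -q '^-----BEGIN .*PRIVATE KEY-----' ||
        { echo "$2 does not start with a private key" >&2; return 1; }
    case $3 in
        ''|*[!A-Za-z0-9.-]*) echo "bad site name" >&2; return 1 ;;
    esac
    cert=$(pem_to_json "$1") || return 1
    key=$(pem_to_json "$2") || return 1
    printf '{"certificate": %s, "key": %s, "site": "%s"}\n' "$cert" "$key" "$3"
}
```

The output is the value for --body in the command above. It contains the private key, so keep it out of shell history and world-readable files.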

Scripting renewals (ghetto)

To script renewals in this next part, you can download this neat python script that does everything for you.
letsencrypt@moon:~$ git clone /home/letsencrypt

Just edit the config.json in that folder, point it to the correct location of your certs, put in your user/pass and domain and launch it!
letsencrypt@moon:~$ cd /home/letsencrypt/beluga-lets-encrypt; python

You can add this to your “letsencrypt” user’s crontab. To edit just enter “crontab -e” when logged in.

letsencrypt@moon:~$ crontab -l
@monthly /home/letsencrypt/dehydrated/dehydrated --cron --hook /home/letsencrypt/dehydrated/ --challenge dns-01; cd /home/letsencrypt/beluga-lets-encrypt; python

Does anyone remember when Saudi Arabia threatened to sue anyone online that compared them to ISIS? I do..

Do you remember when Ashraf Fayadh received the death sentence for apostasy? I do..

Although the sentence was overturned (most likely due to public outcry) he got an 8 year sentence and 800 lashes.. 800 lashes… In addition to his severe punishments he is forced to repent through an announcement in official media, 1984 style. Are we supposed to feel better about this? They probably think so. Should we? Hell no. The fact that Saudi Arabia continually violates human rights according to Amnesty International’s research is daunting. This is the same country that is allied with the US and UK.. The same country that is on the UN human rights panel, even though they execute people in brutal fashion, on public display at times, and for ludicrous reasons.

Do you realize that Saudi Arabia is comparable to ISIS? I do.. And you should too. 🙂

So… I recently called into AT&T to reset a password for an email address. First, I want to explain some things. It seems AT&T reps are able to reset passwords with crappy 6 character passwords only containing numbers and are authorized to give that password to someone over the phone.

All I really needed to reset the password for this email address…

  1. A valid account number, and name of account owner.
  2. An “I’m stupid” mentality.
  3. The ability to act confused.
  4. The email address you’d like the password to be reset on.
  5. The name of the person who owns the email account.

Really.. I’m serious.. That’s truly all I needed. It could have been the rep’s fault, and I do think she got pissed off and just thought I was some idiot who knew nothing about computers. She might have just given in to get me off the phone. How the emails and account got set up was an utter mess though. So I genuinely was confused, and AT&T made me call in to perform the password reset.

So, I called up and was directed to a rep who eventually directed my call to the “technical support” department. After I gave the lady with an attitude my client’s details (account # & name on the account) and explained the situation, she asked me verification questions such as the “passcode” on the account. I was unable to answer the questions as I genuinely didn’t know what it was and neither did my client. I then asked if there was any other way I could verify. She then asked me one of the security questions; again, I didn’t know the answers. She seemed quite frustrated at that point. And it wasn’t just me playing dumb 😀 the person who set up the account didn’t pass down the details and a couple days ago that became a problem. After explaining the situation to her further, with interruptions from her, she angrily said she’s closing out the window because clearly this isn’t my account because I can’t verify my identity. She then asked what the email was where I’d like the password reset on. I told her the email and acted clueless at this point. She took a few minutes and asked me the name of the person who owns the account. She then told me to enter a URL where I could login. She gave me the temporary password. I entered it and was prompted to set a new password along with security questions. At that point I was thinking wtf.. But I was happy to have gotten in anyways.

I’m not sure if this is some big mistake by the rep or a hole in AT&T’s verification process. Nonetheless, it shows that I was able to get into an email account without any verification that I truly was the owner. I would stay FAR away from AT&T for this purpose along with their garbage “U-verse” internet.

If you find that your /var/log/prosody/prosody.err log is being spammed with things like:

Failed to load accounts storage (‘cannot open /var/lib/prosody/xmpp%2eis/accounts/lunar.dat: Too many open files’) for user:

Then the solution is to increase your system’s open file limit in /etc/sysctl.conf, /etc/security/limits.conf and to create a new file called /etc/default/prosody with the limits. You will need to run nano, vi, etc as root or use sudo for this to work.

To do this

nano /etc/sysctl.conf

And add

fs.file-max = 999999

Run sysctl -p to apply the changes to /etc/sysctl.conf

Then also

nano /etc/security/limits.conf

And add

prosody hard nofile 999999
prosody soft nofile 999999

UPDATE 9/23/17

If you’re using systemd garbage you need to modify /etc/systemd/system.conf as well and add this parameter.


Then finally

nano /etc/default/prosody

And add


After you’ve done all this you shouldn’t have a problem and Prosody will be able to open more files. Hope this helps anyone that runs into the same issue!
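
A process keeps the limit it was started with, so after restarting Prosody it is worth confirming what the running process actually got. This is an added example, not part of the original post: it reads the "Max open files" row of a /proc/<pid>/limits file and compares it with the number of descriptors currently open. The function names, the 80% warning threshold and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): check a process's open-file limit.

nofile_limits() {                 # $1 = a /proc/<pid>/limits file; prints "soft hard"
    awk '/^Max open files/ { print $4, $5; found = 1 }
         END { exit !found }' "$1"
}

fd_status() {                     # $1 = soft limit, $2 = descriptors currently open
    if [ "$1" = unlimited ]; then
        echo "OK $2/unlimited"; return 0
    fi
    # Warn from 80% usage on: the threshold is an arbitrary choice for this example.
    if [ $(( $2 * 100 )) -ge $(( $1 * 80 )) ]; then
        echo "WARN $2/$1"; return 1
    fi
    echo "OK $2/$1"
}

check_pid_fds() {                 # $1 = pid of the running daemon (run as root)
    limits=$(nofile_limits "/proc/$1/limits") || return 2
    open=$(ls "/proc/$1/fd" | wc -l | tr -d ' ')
    fd_status "${limits% *}" "$open"
}

# Constructed excerpt of a limits file as seen before the change takes effect.
sample_limits() {
    cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes
EOF
}
```

Call check_pid_fds with the pid of the running Prosody process; a soft limit that still shows the old value means the new settings did not reach the daemon.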