Monday, January 16, 2017

DevOoops: Client Provisioning (Vagrant)


Notes from the 2015 DevOoops talk

Vagrant used to ship with a default keypair that was difficult to rotate.

This was fixed in newer versions of Vagrant, but finding hosts that still use the default key is pretty likely.


Did you change your SSH keys?
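One way to answer that question on hosts you administer is to audit each `authorized_keys` file for the old default key. The following is an added example, not code from the talk or the original post: the function names and sample entries are constructed for illustration, and because the page does not give the default key's fingerprint, the caller supplies it.

```python
import base64
import hashlib
import shlex

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
# Comment carried by the public key that older Vagrant boxes shipped with.
VAGRANT_COMMENT = "vagrant insecure public key"

def fingerprint(blob_b64):
    """SHA256 fingerprint in the format `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text, known_bad_fingerprints=frozenset()):
    """Return (line_no, fingerprint, reason) for every suspect entry."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # handles quoted options with spaces
        except ValueError:
            tokens = line.split()       # e.g. an apostrophe in the comment
        idx = next((i for i, t in enumerate(tokens)
                    if t.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        try:
            fp = fingerprint(tokens[idx + 1])
        except ValueError:              # malformed base64, not a usable key
            continue
        comment = " ".join(tokens[idx + 2:]).lower()
        if fp in known_bad_fingerprints:
            findings.append((line_no, fp, "fingerprint match"))
        elif VAGRANT_COMMENT in comment:
            findings.append((line_no, fp, "comment match"))
    return findings

def sample_blob(seed):  # constructed bytes standing in for key material
    return base64.b64encode(seed).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content
    f"ssh-rsa {sample_blob(b'constructed-key-A')} vagrant insecure public key",
    f'command="/bin/true",no-pty ssh-ed25519 {sample_blob(b"constructed-key-B")} ops',
    f"ssh-rsa {sample_blob(b'constructed-key-C')} renamed-comment",
])

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE):
        print(finding)
```

The comment field is free text and easy to change, so the fingerprint match is the reliable check; obtain the value by running `ssh-keygen -lf` on the insecure public key published by the Vagrant project and pass it in `known_bad_fingerprints`.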


Default Credentials

root/vagrant  vagrant/vagrant

No password required for sudo :-)


Scanning for the default key using metasploit (ssh_login_pubkey module)



Identify real from fake by ssh version scan



Log in with private key

CG

1 comment:

sandip said...

You can always protect your website with a Web Application Firewall from a cloud-based security provider like Incapsula.

Tools Lists

1. Scan My Server
2. SUCURI
3. Qualys SSL Labs, Qualys FreeScan
4. Quttera
5. Detectify
6. SiteGuarding
7. Web Inspector
8. Acunetix
9. Asafa Web
10. Netsparker Cloud
11. UpGuard Web Scan
12. Tinfoil Security