So the trial of Coinhive and associated Monero browser mining has come to an end. It seems most corporate firewalls and security appliances detect and block access to my domain just for being associated with the Coinhive JavaScript.
Even though I was being a polite net citizen and disclosing it on the site – firewalls with strict policies don't give it a chance. Several public DNS servers have also block-listed the site – hopefully this will be undone soon.
There is a lot of fear around the word “crypto” due to the more malicious crypto-locker virus, and it seems that Coinhive has been associated with similar hysteria and panic.
Note: the amount of “wasted CPU” is trivial, as I would only expect people visiting my site to be donating some cycles, i.e. in most cases I wouldn't expect an entire company / business behind a firewall to browse my website and be under threat of mass “CPU stealing”.
If you're working with Ubuntu in a lab or test environment, you may want to disable the firewall. Two simple commands:
sudo ufw disable
sudo apt-get remove ufw
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
0 upgraded, 0 newly installed, 1 to remove and 3 not upgraded.
After this operation, 838 kB disk space will be freed.
Do you want to continue? [Y/n] Y
(Reading database ... 64052 files and directories currently installed.)
Removing ufw (0.35-0ubuntu2) ...
Skip stopping firewall: ufw (not enabled)
Processing triggers for man-db (2.7.5-1) ...
set service nat rule 10 source address 192.168.77.0/24
set service nat rule 10 outbound-interface eth0
set service nat rule 10 type masquerade
set service nat rule 20 source address 10.200.88.0/24
set service nat rule 20 outbound-interface eth0
set service nat rule 20 type masquerade
Essentially, everything leaving these two networks is NATted via the eth0 interface, i.e. their requests use the same IP as eth0.
Static NAT route (pinhole):
set service nat rule 2 inbound-interface eth0
set service nat rule 2 protocol tcp
set service nat rule 2 type destination
set service nat rule 2 description "Web Server1"
set service nat rule 2 destination address 192.168.109.254
set service nat rule 2 destination port 81
set service nat rule 2 inside-address address 10.200.88.45
set service nat rule 2 inside-address port 80
This rule takes TCP traffic arriving on eth0 for port 81 on 192.168.109.254 and forwards it to port 80 on 10.200.88.45, which is on another routable network, in this case a directly attached network on eth1.
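To review what a set of these rules exposes, the following added example (not part of the original post) parses the `set service nat rule` lines shown above and lists each inbound pinhole and each masqueraded network. The function names are hypothetical and the sample config is constructed from the rules quoted in the post.

```python
import shlex

# Constructed sample: the NAT rules quoted in the post.
CONFIG = """
set service nat rule 10 source address 192.168.77.0/24
set service nat rule 10 outbound-interface eth0
set service nat rule 10 type masquerade
set service nat rule 20 source address 10.200.88.0/24
set service nat rule 20 outbound-interface eth0
set service nat rule 20 type masquerade
set service nat rule 2 inbound-interface eth0
set service nat rule 2 protocol tcp
set service nat rule 2 type destination
set service nat rule 2 description "Web Server1"
set service nat rule 2 destination address 192.168.109.254
set service nat rule 2 destination port 81
set service nat rule 2 inside-address address 10.200.88.45
set service nat rule 2 inside-address port 80
"""

def parse_nat_rules(text):
    """Group `set service nat rule N <path> <value>` lines by rule number."""
    text = text.translate({0x201C: '"', 0x201D: '"'})  # typographic quotes from web pastes
    rules = {}
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 7 and tokens[:4] == ["set", "service", "nat", "rule"]:
            rules.setdefault(int(tokens[4]), {})[" ".join(tokens[5:-1])] = tokens[-1]
    return rules

def pinholes(rules):
    """(rule, protocol, outside addr:port, inside addr:port) per destination rule."""
    found = []
    for number, r in sorted(rules.items()):
        if r.get("type") == "destination":
            outside = f'{r.get("destination address", "any")}:{r.get("destination port", "any")}'
            inside = f'{r.get("inside-address address")}:{r.get("inside-address port", "same")}'
            found.append((number, r.get("protocol", "all"), outside, inside))
    return found

def masqueraded(rules):
    """{source network: outbound interface} for every masquerade rule."""
    return {r.get("source address", "any"): r.get("outbound-interface")
            for r in rules.values() if r.get("type") == "masquerade"}

if __name__ == "__main__":
    rules = parse_nat_rules(CONFIG)
    print("pinholes:", pinholes(rules))
    print("masqueraded:", masqueraded(rules))
```

A pinhole reported with protocol `all` or outside port `any` forwards more than a single service and is worth a second look.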
Things you'll need (basic instructions):
SSH – either Linux or OpenSSH for Windows (set this up first and ensure it's working!). I have only used Linux, so I do not know the details of setting up an OpenSSH box on Windows (good luck).
Router with pinhole or port-forwarding abilities: forward your external port 443 to internal port 22 on your SSH box.
Putty.exe – use this to test your SSH connection locally (you should be able to connect on port 22 locally or 443 externally).
Your home IP – set up a DynDNS account on one of the free services available on the web (either use your router if it has it, or get a DynDNS client that runs on your SSH box). I use dyndns.org.
PuTTY is the client-side software that you will use when you are not local to your network. If you are connecting to your SSH box from outside (i.e. at work), you'll need to configure an SSH connection profile to connect on port 443. If you have a proxy at work (which you most probably will), you need to ensure you have filled out your proxy address and authentication details: select HTTP, then enter your username / password. Then try to connect.
When you can successfully connect to your SSH box from work via 443, you can then create SSH tunnels. Under SSH in PuTTY there is a Tunnels option. This is where you can forward local ports to your remote ports, for example 127.0.0.1:82 -> 192.168.0.10:3389. Then if you fire up RDC you can connect to your remote machine via 127.0.0.1:82.
Simple? If I haven't made a specific part clear, please ask any questions and I'll try to make it easier to follow.