New site
Raspberry Pi as a bind DNS slave and an exim MX backup
DRAFT, to be completed, but this still might help you:
This was for an Rpi B with 512MB RAM. Raspbian Jessie.
This is a custom exim 4.86 TLS build to use OpenSSL instead of GNUTLS.
Follow the instructions here, to secure your Rpi: Setting up your pi ; if you don’t do this “they” will take it over in minutes, once you enable the ssh port forwards in your router.
P.S. for the “Jessie” distribution, the static IP address instructions above do not work. You need to edit /etc/dhcpcd.conf (read it! not dhcpd.conf, but dhcpcd.conf).
DO NOT set the static IP address until you have disabled the “pi” account and root login.
Log in as your new user.
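Before the port forward goes live it is worth checking those two conditions rather than trusting memory. The script below is an added example and is not part of the original post: it parses sshd_config and /etc/shadow text and reports whether root SSH login is off and the "pi" account is locked. The parsers take the file contents as strings so the logic can be tried offline on constructed input; the --live switch, the file paths, and treating a missing PermitRootLogin as "yes" (the OpenSSH default before 7.0, and Jessie ships 6.7) are my assumptions, as is ignoring "Match" blocks and the keyword=value spelling.

```shell
#!/bin/bash
# Added example (not from the original post): checks that the "pi" account is
# locked and root SSH login is off BEFORE the router port-forward is enabled.
# The parsers take file contents as strings so the logic can be exercised
# offline on constructed input; the --live wrapper feeds them the real files.

# Effective value of an sshd_config keyword. sshd takes the FIRST occurrence
# of a keyword and ignores later duplicates; lines after a "Match" block only
# apply conditionally, so we stop there (assumption: no Match block matters,
# and keywords are separated from values by whitespace, not "=").
sshd_effective() {  # $1 = sshd_config text, $2 = keyword (case-insensitive)
  printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/         { next }   # comment line
    NF == 0                  { next }   # blank line
    tolower($1) == "match"   { exit }   # conditional section: stop here
    tolower($1) == key       { print $2; exit }'
}

# Is the account locked in /etc/shadow?  A password field starting with "!"
# or "*" can never match a typed password ("passwd -l pi" puts the "!" there).
shadow_locked() {  # $1 = shadow text, $2 = username
  printf '%s\n' "$1" | awk -F: -v u="$2" '
    $1 == u { found = 1; locked = ($2 ~ /^[!*]/) }
    END     { exit !(found && locked) }'
}

# Combine the checks; prints one line per finding, returns 0 only if all pass.
# Assumption: OpenSSH before 7.0 defaults PermitRootLogin to "yes" when the
# keyword is absent, so an empty value is treated as "yes".
ready_for_port_forward() {  # $1 = sshd_config text, $2 = shadow text
  local ok=0 root pass
  root=$(sshd_effective "$1" PermitRootLogin); root=${root:-yes}
  pass=$(sshd_effective "$1" PasswordAuthentication); pass=${pass:-yes}
  case "$root" in
    no|prohibit-password|without-password) ;;
    *) echo "FAIL: PermitRootLogin is '$root'"; ok=1 ;;
  esac
  [ "$pass" = no ] || echo "WARN: PasswordAuthentication is '$pass'; prefer keys only"
  shadow_locked "$2" pi || { echo "FAIL: account 'pi' is not locked"; ok=1; }
  return $ok
}

# Live run (needs root to read /etc/shadow): ./check.sh --live
if [ "${1:-}" = --live ]; then
  ready_for_port_forward "$(cat /etc/ssh/sshd_config)" "$(cat /etc/shadow)"
fi
```

Run it as root with --live after editing sshd_config and after `passwd -l pi`; a non-zero exit means the router rule should stay off. The first-occurrence rule matters in practice: a commented-out `# PermitRootLogin no` left by the package is not a setting, and a duplicate further down the file is silently ignored by sshd.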
sudo bash
# apt-get update
# apt-get upgrade
Have a coffee.
apt-get install -y bind9 clamav-daemon dnsutils libdb5.3-dev libldap2-dev libpcre3-dev libssl-dev libxaw7-dev libxt-dev slapd whois ftp
Have some food.
groupadd exim
useradd -s /bin/false -g exim exim
cd /usr/local/src
wget http://www.mirrorservice.org/sites/ftp.exim.org/pub/exim/exim4/exim-4.86.tar.gz
after checking the checksum (and, better, the detached .asc signature published with the release; the mirror above is plain http, so a checksum fetched from the same place proves nothing):
tar xvfz exim-4.86.tar.gz
cd exim-4.86
Copy in the makefiles to ./Local (to be uploaded soon).
make
make install
… to be continued…
Cassandra – IP address in Windows Community Edition
Edit
C:\Program Files\DataStax Community\apache-cassandra\conf\cassandra.yaml
Change (YAML needs a space after the colon):
seeds: "127.0.0.1,<MY NEW IP>"
listen_address: <MY NEW IP>
rpc_address: <MY NEW IP>
Where <MY NEW IP> is the address other machines will reach the server on, e.g. 192.168.1.3
Restart the service.
Note that once rpc_address is a LAN address, port 9042 accepts connections from every host on that network, and Cassandra 2.1 ships with authenticator: AllowAllAuthenticator, so anyone who can reach the port gets in without credentials. Set authenticator: PasswordAuthenticator (and restrict 9042 in the Windows firewall) before doing this on anything but a test cluster.
To connect to your server from your workstation, e.g.
C:\WINDOWS\system32>"C:\Program Files\DataStax Community\python\python.exe" "C:\Program Files\DataStax Community\apache-cassandra\bin\cqlsh" "192.168.1.3" "9042"
Connected to Test Cluster at 192.168.1.3:9042.
[cqlsh 5.0.1 | Cassandra 2.1.9 | CQL spec 3.2.0 | Native protocol v3]
Use HELP for help.
cqlsh>
Note that the quotes ARE IMPORTANT!
DDNS failover script
A useful script for automating dynamic DNS updates when you are serving on multiple IP addresses.
#!/bin/bash
EMAIL=me@mydomain.co.uk
HOSTMASTER=hostmaster.mydomain.co.uk
KEY=yxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxgQ==
SERVER=ns1.mydomain.co.uk
ZONE=otherdomain.co.uk
DOMAIN=ddns.otherdomain.co.uk
IPV4LIST="10.0.0.1 10.0.0.2"
IPV6LIST=""
TESTPAGE=ddns.asp
MAILER=/usr/exim/bin/exim
ERRORLIST="error,unavailable,bad request"
failcode=0

function TestHostForURL () {
  # Parameters
  # $1 - hostname (sent as the Host: header so the right vhost answers)
  # $2 - URL built from the bare IP
  echo curl --connect-timeout 5 --header "Host: $1" "$2"
  out=$( curl --connect-timeout 5 --header "Host: $1" "$2" 2>&1 )
  # Assign the exit value to c
  c=$?
  if [ 0 -eq $c ]
  then
    bad=0
    # Save IFS before we temporarily change it: the error list is comma
    # separated and one entry ("bad request") contains a space
    OIFS=$IFS
    IFS=','
    for e in $ERRORLIST
    do
      if echo "$out" | grep -qi "$e"
      then
        # Error text found in the page
        bad=1
        break
      fi
    done
    # restore IFS
    IFS=$OIFS
  else
    bad=2   # Nothing there (connect failed or timed out)
  fi
  echo "$1 $2 $bad"
  failcode=$bad
}

# mktemp rather than /tmp/$RANDOM: a predictable name in /tmp can be
# pre-created or symlinked by another local user
f=$(mktemp /tmp/ddns.XXXXXX)
echo "server $SERVER" >> "$f"
echo "zone $ZONE." >> "$f"
echo "update delete $DOMAIN. A" >> "$f"
if [ -n "$IPV6LIST" ]
then
  echo "update delete $DOMAIN. AAAA" >> "$f"
fi
for IP in $IPV4LIST
do
  TestHostForURL "$DOMAIN" "http://$IP/$TESTPAGE"
  if [ $failcode -eq 0 ]
  then
    echo "update add $DOMAIN. 60 A $IP" >> "$f"
  fi
done
for IP in $IPV6LIST
do
  # a literal IPv6 address must be bracketed in a URL
  TestHostForURL "$DOMAIN" "http://[$IP]/$TESTPAGE"
  if [ $failcode -eq 0 ]
  then
    echo "update add $DOMAIN. 60 AAAA $IP" >> "$f"
  fi
done
echo "show" >> "$f"
echo "send" >> "$f"
cat "$f"
mkdir -p /etc/ddns
if [ ! -e "/etc/ddns/$DOMAIN" ]
then
  cp "$f" "/etc/ddns/$DOMAIN"
fi
if ! diff "/etc/ddns/$DOMAIN" "$f"
then
  # differ: the set of healthy addresses changed since the last run
  echo "Doing update"
  { echo "Subject: DDNS UPDATE"; echo; cat "$f"; } | $MAILER "$EMAIL"
  # -y puts the TSIG secret in the process list while nsupdate runs;
  # -k /path/to/keyfile avoids that on a shared box
  nsupdate -y "$HOSTMASTER:$KEY" "$f"
  logger -f "$f"
  cp "$f" "/etc/ddns/$DOMAIN"
fi
rm -f "$f"
The importance of using stateful firewall rules on port 53 (DNS)
Scenario
A firewall appliance forwards DNS traffic to the outside world. The traffic a DNS server generates is, taking Windows Server 2008 as documented in Technet as the example:
Traffic Type                   | Source of Transmission | Source Port                           | Destination of Transmission | Destination Port
Queries from local DNS server  | Local DNS server       | A random port numbered 49152 or above | Any remote DNS server       | 53
Responses to local DNS server  | Any remote DNS server  | 53                                    | Local DNS server            | A random port numbered 49152 or above
Queries from remote DNS server | Any remote DNS server  | A random port numbered 49152 or above | Local DNS server            | 53
Responses to remote DNS server | Local DNS server       | 53                                    | Any remote DNS server       | A random port numbered 49152 or above
What this means is that a local DNS server must be able to receive unsolicited traffic on port 53, and must also receive replies that come from remote port 53 to one of its own high ports. The temptation is to write the second rule as "allow anything with source port 53"; the rest of this post shows why that is a mistake.
(IP addresses and domain names for example only)
Let’s do a port scan on a remote server (warning, it is illegal to do this without permission) using the nmap command:
# nmap -v ns1.mydomain.co.uk
results in:
Starting Nmap 5.51 ( http://nmap.org ) at 2014-06-11 15:52 BST
Initiating Ping Scan at 15:52
Scanning ns1.mydomain.co.uk (11.12.12.13) [4 ports]
Completed Ping Scan at 15:52, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:52
Completed Parallel DNS resolution of 1 host. at 15:52, 0.00s elapsed
Initiating SYN Stealth Scan at 15:52
Scanning ns1.mydomain.co.uk (11.12.12.13) [120 ports]
Discovered open port 53/tcp on 11.12.12.13
Discovered open port 25/tcp on 11.12.12.13
Discovered open port 3389/tcp on 11.12.12.13
Increasing send delay for 11.12.12.13 from 0 to 5 due to 12 out of 38 dropped probes since last increase.
Discovered open port 443/tcp on 11.12.12.13
Discovered open port 22/tcp on 11.12.12.13
What we happen to know about this server, as it is our own, is that it is our DNS server and it is also running ntp on port 123 – but the firewall rules say that ntp (port 123) is not visible to the outside world.
The Twist
The firewall rules do not block traffic whose source port is 53, because replies to our own lookups arrive from that port. What happens if we send a packet with a source port of 53 and a destination port of 123? nmap's -g option sets the source port, and -P0 skips the host-discovery ping so the probe is sent regardless:
nmap -v -P0 -sU -p123 ns1.mydomain.co.uk -g 53
Starting Nmap 5.51 ( http://nmap.org ) at 2014-06-11 16:08 BST
Initiating Parallel DNS resolution of 1 host. at 16:08
Completed Parallel DNS resolution of 1 host. at 16:08, 0.00s elapsed
Initiating UDP Scan at 16:08
Scanning ns1.mydomain.co.uk (11.12.12.13) [1 port]
Discovered open port 123/udp on 11.12.12.13
Completed UDP Scan at 16:08, 0.05s elapsed (1 total ports)
Nmap scan report for ns1.mydomain.co.uk (11.12.12.13)
Host is up (0.037s latency).
rDNS record for 11.12.12.13: 13.12.12.11.badservers.com
PORT    STATE SERVICE
123/udp open  ntp
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
           Raw packets sent: 1 (76B) | Rcvd: 1 (76B)
What happens if we send it to port 124 (nothing is running on this port)?
nmap -v -P0 -sU -p124 ns1.mydomain.co.uk -g 53
Starting Nmap 5.51 ( http://nmap.org ) at 2014-06-11 16:10 BST
Initiating Parallel DNS resolution of 1 host. at 16:10
Completed Parallel DNS resolution of 1 host. at 16:10, 0.00s elapsed
Initiating UDP Scan at 16:10
Scanning ns1.mydomain.co.uk (11.12.12.13) [1 port]
Completed UDP Scan at 16:10, 2.04s elapsed (1 total ports)
Nmap scan report for ns1.mydomain.co.uk (11.12.12.13)
Host is up.
rDNS record for 11.12.12.13: 13.12.12.11.badservers.com
PORT    STATE         SERVICE
124/udp open|filtered ansatrader
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
There is a subtle but important difference here. In the first scan a response packet came back: the probe arrived from source port 53, the firewall let it through, and ntp answered it. In the second scan nothing came back at all (the ICMP port-unreachable that would mark a closed port evidently does not get out either), so nmap can only report open|filtered. An attacker needs just that distinction to map which UDP services are really running behind a firewall that appears to hide them.
Setting the source port is not a trick: any packet-crafting tool (nmap -g, hping, the scapy library used in the ntp amplification DDoS attacks) does it freely. With a stateless "allow source port 53" rule an attacker can walk every UDP port on the server, and from a compromised host could explore the rest of the corporate network the same way.
Resolution
Firewall rules must include something like the following (check your port ranges). Note that -I inserts at the top of the chain, so the rule typed last is matched first: the two ACCEPT rules end up above the two DROP rules, which is the intended order.
IPT=iptables
WANIFACE=eth0   # the name of the interface facing the Internet (-i/-o take an interface name, not an IP address)
# anything arriving from source port 53 is dropped ...
$IPT -I INPUT -i $WANIFACE -p udp --sport 53 -j DROP
$IPT -I INPUT -i $WANIFACE -p tcp --sport 53 -j DROP
# ... unless conntrack has already seen our matching outbound query
$IPT -I INPUT -i $WANIFACE -p udp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -I INPUT -i $WANIFACE -p tcp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
# our own queries to remote port 53 are what create that conntrack entry
$IPT -I OUTPUT -o $WANIFACE -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -I OUTPUT -o $WANIFACE -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
A server that is itself a public DNS server still needs a separate INPUT rule accepting NEW traffic to --dport 53 (the "queries from remote DNS server" row in the table); that rule is about the destination port and need not trust the source port at all. On current kernels -m state is a compatibility alias for -m conntrack --ctstate, which does the same job.
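To make the effect of rule order and of the state match concrete without touching a live firewall, here is an added example (not from the original post): a toy first-match evaluator that walks the INPUT rules above in the order iptables actually holds them after the -I inserts, and runs the two spoofed probes and a genuine DNS reply against both a naive stateless rule and the stateful set. The rule lists, the packet descriptions, and the assumption that the chain's default policy is DROP are mine; "ctstate" is what conntrack would report for the packet.

```shell
#!/bin/bash
# Added example (not from the original post): a toy first-match evaluator that
# walks the INPUT rules above the way iptables would, so the effect of the
# stateful rules on the two spoofed probes can be seen without a firewall.
# Packet = proto sport dport ctstate; ctstate is what conntrack would say:
# NEW for an unsolicited packet, ESTABLISHED for the reply to a query this
# host sent. Assumption: the chain's default policy on the WAN side is DROP.

# Each -I inserts at the TOP, so the chain holds the rules in the reverse of
# the order they were typed; this is that final order.
STATEFUL_RULES="
tcp 53 1024:65535 ESTABLISHED,RELATED ACCEPT
udp 53 1024:65535 ESTABLISHED,RELATED ACCEPT
tcp 53 any        any                 DROP
udp 53 any        any                 DROP
"
# The naive rule that let the ntp probe through: trust anything from port 53.
STATELESS_RULES="
udp 53 any any ACCEPT
"

port_matches() {  # $1 = "any", "53" or "1024:65535"; $2 = port
  case "$1" in
    any) return 0 ;;
    *:*) [ "$2" -ge "${1%%:*}" ] && [ "$2" -le "${1##*:}" ] ;;
    *)   [ "$2" -eq "$1" ] ;;
  esac
}

state_matches() {  # $1 = "any" or comma list of states; $2 = packet ctstate
  case ",$1," in
    ",any,")  return 0 ;;
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# verdict RULES proto sport dport ctstate  ->  prints ACCEPT or DROP
verdict() {
  local rules="$1" proto sport dport state action
  while read -r proto sport dport state action; do
    [ -n "$proto" ]             || continue   # blank line
    [ "$proto" = "$2" ]         || continue
    port_matches "$sport" "$3"  || continue
    port_matches "$dport" "$4"  || continue
    state_matches "$state" "$5" || continue
    echo "$action"              # first matching rule decides
    return 0
  done <<EOF
$rules
EOF
  echo DROP   # fell off the end of the chain: default policy
}

# The probes from the post, run against both rule sets
for rules in STATELESS_RULES STATEFUL_RULES; do
  echo "$rules:"
  echo "  spoofed sport 53 -> 123/udp, unsolicited  : $(verdict "${!rules}" udp 53 123 NEW)"
  echo "  spoofed sport 53 -> 50000/udp, unsolicited: $(verdict "${!rules}" udp 53 50000 NEW)"
  echo "  real DNS reply 53 -> 50000/udp            : $(verdict "${!rules}" udp 53 50000 ESTABLISHED)"
done
```

The second probe is the interesting one: restricting the destination to 1024:65535 on its own would still let a spoofed packet reach any high UDP port, so the ESTABLISHED,RELATED match, not the port range, is what closes the hole.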
Upgrading OpenSSL on an old CentOS box
Warning – this procedure is extremely risky (but has worked every time for me).
It is suggested that you do a dry run on a VM before attempting this on a live server. If anything goes wrong, you may be left with a dead server.
The servers in question are ns1.mydomain.co.uk and ns2.mydomain.co.uk, functioning as DNS servers for almost all of the company domains.
The normal method of updating CentOS is to type
yum update
at the root prompt.
If the kernel gets upgraded, make sure you reboot, by typing (after first checking that the other server is still OK).
shutdown -r now
before you continue.
Keep doing
yum update
and
shutdown -r now
until there is nothing left for your unsupported distro.
From here on, these instructions will also work with Slackware.
- Ensure that you have backups of the /etc, /usr/exim and /var/named folders before you go any further. Send them back home using the scp command.
CentOS 5.1 is no longer supported, so it is necessary now to manually build from source any further updates required for PCI compliance, or other reasons.
This is a completely unsupported solution, so you are on your own with this server from hereon. Maybe you should have used Slackware instead?
1/. Download necessary packages. All three of these must be up to date:
zlib
openssl
openssh
cd /usr/src
Visit:
http://www.zlib.net/
https://www.openssl.org/source/
http://www.mirrorservice.org/pub/OpenBSD/OpenSSH/portable/
and use the wget command to fetch the files.
Verify the downloads before building anything. An
md5sum filename
only tells you the file was not corrupted in transit (and MD5 is not collision resistant); it is not a signature check. Compare the digest against the one published on the project's own HTTPS site, and for OpenSSL and OpenSSH verify the detached .asc signature with gpg --verify against the release-signing key. A mirror can serve you a trojaned tarball, and you are about to install the result as the system's TLS library and SSH daemon.
2/.
cd /usr/src
tar xvfz zlib-1.2.8.tar.gz
cd zlib-1.2.8
./configure --prefix=/usr
make
make test
make install   (only if make test was all OK)
3/.
cd /usr/src
tar xvfz openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr shared
make
make test
make install
openssl
OpenSSL> version
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL>
ENSURE THIS MATCHES THE VERSION YOU WANT BEFORE CONTINUING
This is where the risk starts: --prefix=/usr installs over the top of the distribution's openssl package. The packaged binaries on CentOS 5 were linked against libssl.so.6 (0.9.8), whereas 1.0.1 installs libssl.so.1.0.0, so "openssl version" reporting 1.0.1g only proves the command-line tool is new. Every daemon still linked to the old library keeps running the old code until it is rebuilt, which is why the NEXT STEPS section below exists.
4/.
cd /usr/src
tar xvfz openssh-6.6p1.tar.gz
cd openssh-6.6p1
./configure --prefix=/usr --with-tcp-wrappers
make
make install
sshd -?
OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]
ENSURE THIS MATCHES THE VERSION YOU WANT BEFORE CONTINUING
Note that with only --prefix=/usr the new sshd keeps its sshd_config and host keys under /usr/etc, not /etc/ssh, and make install generates a fresh set of host keys there. Add --sysconfdir=/etc/ssh to the configure line if the new daemon is to keep using the packaged configuration and keys; this is the cause of the host key warning further down.
NOW FOR THE REALLY RISKY PART
which sshd
/usr/sbin/sshd
ps -deaf | grep ssh
root      2529     1  0 11:26 ?        00:00:00 /usr/sbin/sshd
root      4442  2529  0 11:29 ?        00:00:02 sshd: root@pts/0
root      9794  4444  0 12:18 pts/0    00:00:00 grep ssh
DO THESE PATHS MATCH? IF THEY DO:
kill -15 2529
/usr/sbin/sshd
ps -deaf | grep ssh
root      4442     1  0 11:29 ?        00:00:02 sshd: root@pts/0
root      9804     1  0 12:20 ?        00:00:00 /usr/sbin/sshd
root      9806  4444  0 12:20 pts/0    00:00:00 grep ssh
HAS SSHD RESTARTED? IF NOT, YOU WILL HAVE TO FORCE AN RPM REINSTALL (NOT DESCRIBED HERE). IF YOU DON'T, YOU WILL NEVER BE ABLE TO LOG IN AGAIN!
Killing the master listener (PID 2529, parent 1) does not drop the session you are typing in: that session's own sshd (4442) is re-parented to init and keeps running, which is what gives you a chance to repair things if the new daemon fails to start. Do not close it until a fresh login has succeeded.
Now, from another window, launch another ssh session to the server
ssh root@ns1.mydomain.co.uk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
78:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:11.
Please contact your system administrator.
Add correct host key in /home/mylogin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/mylogin/.ssh/known_hosts:4
RSA host key for ns1.mydomain.co.uk has changed and you have requested strict checking.
Host key verification failed.
This is expected here, but not because OpenSSL was reinstalled: replacing the library does not touch host keys. The new sshd, configured with --prefix=/usr and no --sysconfdir, reads /usr/etc/sshd_config and the host keys that make install generated in /usr/etc, so it presents a different RSA key from the packaged daemon. Before editing anything, confirm that on the server console: run ssh-keygen -lf on the key file that "sshd -T" lists under hostkey and check that the fingerprint matches the one in the warning. Only once it does, remove the stale entry with ssh-keygen -R ns1.mydomain.co.uk (or delete that line from /home/mylogin/.ssh/known_hosts) and reconnect. Deleting the line without checking is exactly the habit a man-in-the-middle attacker relies on.
Is it still all OK?
Restart the server and pray that you don’t have to ask for a KVM over IP session to repair the damage.
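The eyeballing steps above (does the banner show the new OpenSSL, which PID is the master listener, which host keys will the new daemon serve) can be scripted, and the swap itself can be rehearsed on a spare port before the master listener is killed. The script below is an added example, not part of the original post: the two parsers take command output as strings so they can be tried offline on constructed input, and the live wrapper feeds them real output. The wanted version string, the use of "ps -eo pid,ppid,args" instead of "ps -deaf", the spare port 2222 and its PidFile path are my assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): pre-flight checks for the sshd
# swap above. The two parsers take command output as strings so they can be
# exercised offline; the --live wrapper at the bottom feeds them real output.

WANTED_OPENSSL="OpenSSL 1.0.1g 7 Apr 2014"   # assumption: the build just installed

# Does the first line of `sshd -?` (printed on stderr) name the wanted OpenSSL?
# Example first line: "OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014"
banner_openssl_ok() {  # $1 = banner text
  local got
  got=$(printf '%s\n' "$1" | sed -n '1s/^OpenSSH_[^,]*,[[:space:]]*//p')
  [ "$got" = "$WANTED_OPENSSL" ]
}

# PID of the master listener: the sshd whose parent is init (PPID 1) and whose
# argv[0] is exactly the path `which sshd` returned. Per-session "sshd: user@pts"
# children have the master (or, after the kill, init) as parent and a different
# argv[0], so they are left alone.
listener_pid() {  # $1 = path from `which sshd`, $2 = output of `ps -eo pid,ppid,args`
  printf '%s\n' "$2" | awk -v path="$1" '$2 == 1 && $3 == path { print $1; exit }'
}

live_swap() {
  local newsshd pid
  newsshd=$(command -v sshd)
  banner_openssl_ok "$("$newsshd" -? 2>&1)" \
    || { echo "$newsshd is not linked to $WANTED_OPENSSL; stop here"; return 1; }
  # Which config and host keys will the new build actually use?  With only
  # --prefix=/usr that is /usr/etc, not /etc/ssh, and make install will have
  # generated fresh keys there: record the fingerprint now so the known_hosts
  # warning can be checked against it rather than blindly accepted.
  "$newsshd" -T 2>/dev/null | grep -i '^hostkey '
  for k in $("$newsshd" -T 2>/dev/null | awk 'tolower($1)=="hostkey"{print $2}'); do
    [ -r "$k.pub" ] && ssh-keygen -lf "$k.pub"
  done
  "$newsshd" -t || { echo "sshd -t failed; do not restart the master"; return 1; }
  # Prove the new binary can serve a login on a spare port before touching
  # the master listener (assumption: port 2222 is free and reachable).
  "$newsshd" -p 2222 -o PidFile=/var/run/sshd-2222.pid
  pid=$(listener_pid "$newsshd" "$(ps -eo pid,ppid,args)")
  echo "from another window: ssh -p 2222 root@$(hostname)"
  echo "only when that login works, run:"
  echo "  kill -15 $pid && $newsshd && kill \$(cat /var/run/sshd-2222.pid)"
}

if [ "${1:-}" = --live ]; then
  live_swap
fi
```

Starting the new daemon on 2222 first turns "restart and pray" into a reversible step: if the new build cannot accept a login, the old master is still listening on 22 and nothing has been lost.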
NEXT STEPS
It’s time to recompile anything that uses SSL or TLS, i.e. exim, squid? Apache?
And the after steps
All of the above is out of date now after OpenSSL1.0.1h – so we have to do it all again.
Katy Lied
Julian and Jas’s new website:
http://www.katyliedmusic.com/
Getting ready for IPv6
I want to make sure the Slackware Linux edge servers are ready for IPv6 when eventually the ISPs catch up.
We signed up for a free tunnel endpoint with http://www.gogo6.com/freenet6/tunnelbroker/ to try a few things out. Building the gogoc client from source was easy. The edge server was set up as a host, not a router, as my desktops are all IP4 with a black hole gateway route to the outside world and the server is a proxy. It was great seeing this come back:
# ping6 www.kame.net
PING www.kame.net(2001:200:dff:fff1:216:3eff:feb1:44d7) 56 data bytes
64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=1 ttl=49 time=328 ms
64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=2 ttl=49 time=329 ms
It turns out to be fine to use squid proxy 3.1.20 with IP4 clients on the internal network proxied out through an IPv6 address. My IP4 desktops can see the “Dancing Turtle” at http://www.kame.net (proof that they are accessing an IPv6-specific page).
We’ll look at ip6tables another day.
Patching recent Linux kernels ( > 2.6.32 ) for MPPE and MPPC VPN
There is an excellent introduction here http://www.phparchitecture.com/howto_show.php?id=3&showall
The part that is missing for kernels (I am told up to 2.6.32) is the link to this: http://code.google.com/p/setvps/downloads/detail?name=Linux-2.6.18-mppe-mppc-1.4.patch&can=2&q=
Don’t forget to do a global search and replace of the Linux version in the patch before applying it.
If vi is your favorite editor then:
<esc>
:%s/linux-2.6.18/linux-2.<your>.<version>/g
Later version 2.6 kernels and onwards require even later patches because of changes in the crypto API.
I couldn’t find one myself, so I made my own. A patch that works with kernel 3.2.21 is available here:
linux-3.2.21-mppe-mppc-1.5.patch.bz2
All original credits of course for the MPPC conversion go to Jan Dubiec of http://mppe-mppc.alphacron.de/ . All I’ve done is ported it to the new Crypto API (and mixed some of the ppp_mppe.c code in)!
If you try to apply this patch to a very late 2.6 kernel you should take note that the ppp files moved into their own subfolder of the net directory with the advent of the 3 series kernels. You will need to change the folder paths in the patch to fix this.