Raspberry Pi as a bind DNS slave and an exim MX backup

DRAFT, to be completed, but this still might help you:

This was for an Rpi B with 512MB RAM.  Raspbian Jessie.

This is a custom exim 4.86 TLS build to use OpenSSL instead of GNUTLS.

Follow the instructions here to secure your Rpi: Setting up your pi. If you don’t do this, “they” will take it over within minutes once you enable the ssh port forwards in your router.

P.S. For the “Jessie” distribution, the static IP address instructions linked above do not work. You need to edit /etc/dhcpcd.conf instead (read it! It is dhcpcd.conf, not dhcpd.conf).

DO NOT set the static IP address until you have disabled the “pi” account and root login.

Log in as your new user.

sudo bash

# apt-get update

# apt-get upgrade

Have a coffee.

apt-get install -y bind9 clamav-daemon dnsutils libdb5.3-dev libldap2-dev libpcre3-dev libssl-dev libxaw7-dev libxt-dev slapd whois ftp

Have some food.

useradd -s /bin/false -U exim

(-U creates the matching exim group, so there is no need to also pass -g exim, which would require the group to exist already.)

cd /usr/local/src

wget http://www.mirrorservice.org/sites/ftp.exim.org/pub/exim/exim4/exim-4.86.tar.gz

after checking the checksum:

tar xvfz exim-4.86.tar.gz

cd exim-4.86

Copy in the makefiles to ./Local (to be uploaded soon).

make

make install

… to be continued…

Posted in DNS, Linux, smtp

Cassandra – IP address in Windows Community Edition

Edit

C:\Program Files\DataStax Community\apache-cassandra\conf\cassandra.yaml

Change

seeds: "127.0.0.1,<MY NEW IP>"
listen_address: <MY NEW IP>
rpc_address: <MY NEW IP>

where <MY NEW IP> is the machine’s own address, e.g. 192.168.1.3 (YAML requires the space after the colon).

Restart the service

To connect to your server from your workstation, e.g.

C:\WINDOWS\system32>"C:\Program Files\DataStax Community\python\python.exe" "C:\Program Files\DataStax Community\apache-cassandra\bin\cqlsh" "192.168.1.3" "9042"
Connected to Test Cluster at 192.168.1.3:9042.
[cqlsh 5.0.1 | Cassandra 2.1.9 | CQL spec 3.2.0 | Native protocol v3]
Use HELP for help.
cqlsh>

Note that the quotes ARE IMPORTANT!

Posted in Uncategorized

DDNS failover script

A useful script for automating dynamic DNS updates when you are serving on multiple IP addresses: it fetches a test page from each address, publishes only the addresses that answer cleanly, and sends the nsupdate batch (and a notification mail) only when the result differs from the last one sent.

#!/bin/bash
EMAIL=me@mydomain.co.uk
HOSTMASTER=hostmaster.mydomain.co.uk
KEY=yxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxgQ==
SERVER=ns1.mydomain.co.uk
ZONE=otherdomain.co.uk
DOMAIN=ddns.otherdomain.co.uk
IPV4LIST="10.0.0.1 10.0.0.2"
IPV6LIST=""
TESTPAGE=ddns.asp
MAILER=/usr/exim/bin/exim
ERRORLIST="error,unavailable,bad request"
STATEDIR=/etc/ddns
failcode=0
function TestHostForURL () {
        # Parameters
        # $1 - hostname (sent as the Host: header so the right virtual host answers)
        # $2 - URL built from the raw IP address
        echo curl --connect-timeout 5 --header "Host: $1" "$2"
        out=$( curl --connect-timeout 5 --header "Host: $1" "$2" 2>&1 )
        # Assign the exit value to c
        c=$?
        if [ 0 -eq $c ]
        then
                bad=0
                # Save IFS before we temporarily change it
                OIFS=$IFS
                IFS=','
                for e in $ERRORLIST
                do
                        # A page that contains one of the error strings counts as down
                        if echo "$out" | grep -qi "$e"
                        then
                                bad=1
                                break
                        fi
                done
                # restore IFS
                IFS=$OIFS
        else
                bad=2
                # Nothing there
        fi
        echo "$1 $2 $bad"
        failcode=$bad
}
# mktemp gives an unpredictable file that nobody can pre-create, unlike /tmp/$RANDOM
f=$(mktemp) || exit 1
mkdir -p "$STATEDIR"
{
        echo "server $SERVER"
        echo "zone $ZONE."
        echo "update delete $DOMAIN. A"
        if [ -n "$IPV6LIST" ]
        then
                echo "update delete $DOMAIN. AAAA"
        fi
} > "$f"
for IP in $IPV4LIST
do
        TestHostForURL "$DOMAIN" "http://$IP/$TESTPAGE"
        if [ $failcode -eq 0 ]
        then
                echo "update add $DOMAIN. 60 A $IP" >> "$f"
        fi
done
for IP in $IPV6LIST
do
        # an IPv6 literal must be bracketed inside a URL
        TestHostForURL "$DOMAIN" "http://[$IP]/$TESTPAGE"
        if [ $failcode -eq 0 ]
        then
                echo "update add $DOMAIN. 60 AAAA $IP" >> "$f"
        fi
done
echo "show" >> "$f"
echo "send" >> "$f"
cat "$f"
if [ ! -e "$STATEDIR/$DOMAIN" ]
then
        cp "$f" "$STATEDIR/$DOMAIN"
fi
if ! diff "$STATEDIR/$DOMAIN" "$f" > /dev/null
then
        # differ
        echo "Doing update"
        # subject, blank line, then the batch (cat with a file argument would ignore the piped subject)
        { printf 'Subject: DDNS UPDATE\n\n'; cat "$f"; } | "$MAILER" "$EMAIL"
        # nsupdate reads the batch straight from the file
        nsupdate -y "$HOSTMASTER:$KEY" "$f"
        # log the batch contents, not just the temp file name
        logger -f "$f"
        cp "$f" "$STATEDIR/$DOMAIN"
fi
rm -f "$f"

Posted in Uncategorized

The importance of using stateful firewall rules on port 53 (DNS)

Scenario

A firewall appliance forwards DNS traffic to the outside world. The traffic generated (here for Windows Server 2008, as documented in TechNet) is:

Traffic type                     Source                  Source port                  Destination             Destination port
Queries from local DNS server    Local DNS server        Random port 49152 or above   Any remote DNS server   53
Responses to local DNS server    Any remote DNS server   53                           Local DNS server        Random port 49152 or above
Queries from remote DNS server   Any remote DNS server   Random port 49152 or above   Local DNS server        53
Responses to remote DNS server   Local DNS server        53                           Any remote DNS server   Random port 49152 or above

This means that any local DNS server must be able to receive incoming traffic on port 53.

(IP addresses and domain names for example only)

Let’s do a port scan on a remote server (warning, it is illegal to do this without permission) using the nmap command:

# nmap -v ns1.mydomain.co.uk

results in:

Starting Nmap 5.51 ( http://nmap.org ) at 2014-06-11 15:52 BST
Initiating Ping Scan at 15:52
Scanning ns1.mydomain.co.uk (11.12.12.13) [4 ports]
Completed Ping Scan at 15:52, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:52
Completed Parallel DNS resolution of 1 host. at 15:52, 0.00s elapsed
Initiating SYN Stealth Scan at 15:52
Scanning ns1.mydomain.co.uk (11.12.12.13) [120 ports]
Discovered open port 53/tcp on 11.12.12.13
Discovered open port 25/tcp on 11.12.12.13
Discovered open port 3389/tcp on 11.12.12.13
Increasing send delay for 11.12.12.13 from 0 to 5 due to 12 out of 38 dropped probes since last increase.
Discovered open port 443/tcp on 11.12.12.13
Discovered open port 22/tcp on 11.12.12.13

What we happen to know about this server, as it is our own, is that it is our DNS server and it is also running ntp on port 123 – but the firewall rules say that ntp (port 123) is not visible to the outside world.

The Twist

The firewall rules do not block traffic from source port 53, because responses from other servers arrive from that port when we do a lookup. What happens if we spoof a packet with a source port of 53 and a destination port of 123?

nmap -v -P0 -sU -p123 ns1.mydomain.co.uk -g 53

Starting Nmap 5.51 ( http://nmap.org ) at 2014-06-11 16:08 BST
Initiating Parallel DNS resolution of 1 host. at 16:08
Completed Parallel DNS resolution of 1 host. at 16:08, 0.00s elapsed
Initiating UDP Scan at 16:08
Scanning ns1.mydomain.co.uk (11.12.12.13) [1 port]
Discovered open port 123/udp on 11.12.12.13
Completed UDP Scan at 16:08, 0.05s elapsed (1 total ports)
Nmap scan report for ns1.mydomain.co.uk (11.12.12.13)
Host is up (0.037s latency).
rDNS record for 11.12.12.13: 13.12.12.11.badservers.com
PORT    STATE SERVICE
123/udp open  ntp
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
           Raw packets sent: 1 (76B) | Rcvd: 1 (76B)

What happens if we send it to port 124 (nothing is running on this port)?

nmap -v -P0 -sU -p124 ns1.mydomain.co.uk -g 53
Starting Nmap 5.51 ( http://nmap.org ) at 2014-06-11 16:10 BST
Initiating Parallel DNS resolution of 1 host. at 16:10
Completed Parallel DNS resolution of 1 host. at 16:10, 0.00s elapsed
Initiating UDP Scan at 16:10
Scanning ns1.mydomain.co.uk (11.12.12.13) [1 port]
Completed UDP Scan at 16:10, 2.04s elapsed (1 total ports)
Nmap scan report for ns1.mydomain.co.uk (11.12.12.13)
Host is up.
rDNS record for 11.12.12.13: 13.12.12.11.badservers.com
PORT    STATE         SERVICE
124/udp open|filtered ansatrader
Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)

There is a subtle but important difference here. In the first scenario a response packet was received whereas in the second scenario one was not.

This means that an attacker can scan the server for services that appear to be safely behind the firewall. It is even possible for an attacker to use the scapy library (as used in the NTP DDoS attack) to explore the entire corporate network.

Resolution

Firewall rules must include something like the following (check your port ranges):

IPT=iptables
# -i takes an interface name, not an IP address; eth0 is an example
WANIFACE=eth0
$IPT -I INPUT -i $WANIFACE -p udp --sport 53 -j DROP
$IPT -I INPUT -i $WANIFACE -p tcp --sport 53 -j DROP
# -I inserts at the top of the chain, so these ACCEPTs end up above the DROPs:
# replies to our own lookups get in, anything else from source port 53 is dropped
$IPT -I INPUT -i $WANIFACE -p udp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -I INPUT -i $WANIFACE -p tcp --dport 1024:65535 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -I OUTPUT -o $WANIFACE -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -I OUTPUT -o $WANIFACE -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
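The difference between the two rule sets is easier to see on packets than in iptables syntax. The following is an added example, not code from the original post: a small model of a stateless “allow source port 53” rule beside a conntrack-style stateful one, run over constructed packets that mirror the nmap -g 53 probes above. 11.12.12.13 is the post’s example nameserver address; 198.51.100.5 and 203.0.113.9 are documentation-range placeholders.

```python
"""Stateless vs stateful handling of inbound traffic from source port 53.
Added example; the addresses and ports are constructed to match the post."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


SERVER_IP = "11.12.12.13"   # the post's nameserver (example address)


def stateless_allows(pkt):
    """The rule the post warns about: accept anything from source port 53 on the
    assumption that it is a DNS reply, plus queries to our own port 53."""
    return pkt.dst_ip == SERVER_IP and (pkt.src_port == 53 or pkt.dst_port == 53)


class StatefulFilter:
    """A conntrack-style version of the post's -m state rules: traffic from
    source port 53 is accepted only when it mirrors a lookup this host sent
    (ESTABLISHED); unsolicited queries to our own nameserver are still allowed."""

    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.flows = set()   # lookups we started, stored as the reply 5-tuple

    def outbound(self, pkt):
        # OUTPUT --dport 53 --state NEW,ESTABLISHED -j ACCEPT, remembering the flow
        if pkt.src_ip == self.server_ip and pkt.dst_port == 53:
            self.flows.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return True
        return False

    def inbound(self, pkt):
        if pkt.dst_ip != self.server_ip:
            return False
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.flows:
            return True        # reply to our own lookup: ESTABLISHED
        if pkt.dst_port == 53:
            return True        # someone querying our nameserver
        return False           # spoofed source-port-53 probes land here: DROP


def run_scenario():
    """Returns {packet description: (stateless verdict, stateful verdict)}."""
    filt = StatefulFilter(SERVER_IP)
    # our resolver asks a remote nameserver; the reply below is the mirror image
    filt.outbound(Packet("udp", SERVER_IP, 50432, "198.51.100.5", 53))
    cases = {
        "reply to our own lookup": Packet("udp", "198.51.100.5", 53, SERVER_IP, 50432),
        "query to our nameserver": Packet("udp", "203.0.113.9", 61000, SERVER_IP, 53),
        "spoofed sport 53 -> 123/udp (ntp)": Packet("udp", "203.0.113.9", 53, SERVER_IP, 123),
        "spoofed sport 53 -> 124/udp": Packet("udp", "203.0.113.9", 53, SERVER_IP, 124),
    }
    return {name: (stateless_allows(p), filt.inbound(p)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:36} stateless={'ACCEPT' if stateless else 'DROP':6} "
              f"stateful={'ACCEPT' if stateful else 'DROP'}")
```

Both filters let the genuine reply and the inbound query through; only the stateless one also passes the two spoofed probes, which is exactly what let nmap see the firewalled ntp service.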

Posted in DNS, Exploits, Linux, Microsoft, Networks, PCI, Vulnerabilities

Upgrading OpenSSL on an old CentOS box

Warning – this procedure is extremely risky (but has worked every time for me).

It is suggested that you do a dry run on a VM before attempting this on a live server.  If anything goes wrong, you may be left with a dead server.

The servers in question are ns1.mydomain.co.uk and ns2.mydomain.co.uk, functioning as DNS servers for almost all of the company domains.

The normal method of updating CentOS is to type

yum update

at the root prompt.

If the kernel gets upgraded, make sure you reboot (after first checking that the other server is still OK) by typing

shutdown -r now

before you continue.

Keep doing

yum update

and

shutdown -r now

until there is nothing left for your unsupported distro.

From here on, these instructions will also work with Slackware.

  • Ensure that you have backups of the /etc, /usr/exim and /var/named folders before you go any further. Send them back home using the scp command.

CentOS 5.1 is no longer supported, so it is necessary now to manually build from source any further updates required for PCI compliance, or other reasons.

This is a completely unsupported solution, so you are on your own with this server from hereon.  Maybe you should have used Slackware instead?

1/. Download necessary packages:

zlib must be up to date
openssl must be up to date
openssh must be up to date

cd /usr/src

Visit:

http://www.zlib.net/
https://www.openssl.org/source/
http://www.mirrorservice.org/pub/OpenBSD/OpenSSH/portable/

and use the wget command to fetch the files.

It is good practice to check the downloaded files against the published checksums using the

md5sum filename

command.

2/.

cd /usr/src
tar xvfz zlib-1.2.8.tar.gz
cd zlib-1.2.8
./configure --prefix=/usr
make
make test
(if all is OK)
make install

3/.

cd /usr/src
tar xvfz openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr shared
make
make test
make install

openssl
OpenSSL> version
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL>

ENSURE THIS MATCHES THE VERSION YOU WANT BEFORE CONTINUING

4/.

cd /usr/src
tar xvfz openssh-6.6p1.tar.gz
cd openssh-6.6p1
./configure --prefix=/usr --with-tcp-wrappers
make
make install

sshd -?
OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-k key_gen_time] [-o option] [-p port]
            [-u len]

ENSURE THIS MATCHES THE VERSION YOU WANT BEFORE CONTINUING

NOW FOR THE REALLY RISKY PART

which sshd
/usr/sbin/sshd

ps -deaf | grep ssh
root      2529     1  0 11:26 ?        00:00:00 /usr/sbin/sshd
root      4442  2529  0 11:29 ?        00:00:02 sshd: root@pts/0 
root      9794  4444  0 12:18 pts/0    00:00:00 grep ssh

DO THESE PATHS MATCH?  IF THEY DO:

kill -15 2529
/usr/sbin/sshd

ps -deaf | grep ssh
root      4442     1  0 11:29 ?        00:00:02 sshd: root@pts/0 
root      9804     1  0 12:20 ?        00:00:00 /usr/sbin/sshd
root      9806  4444  0 12:20 pts/0    00:00:00 grep ssh

HAS SSHD RESTARTED? IF NOT, YOU WILL HAVE TO FORCE AN RPM REINSTALL (NOT DESCRIBED HERE). IF YOU DON’T, YOU WILL NEVER BE ABLE TO LOG IN AGAIN!
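Eyeballing the ps listing is where this goes wrong when you are tired. As an added example, not part of the original post, here is a small check that answers the two questions above from the same `which sshd` and `ps -deaf | grep ssh` output: is there exactly one master sshd (parent PID 1) after the restart, is it a new PID, and is it the binary that `which` reported? The ps lines are the post’s own, embedded as constructed sample input so it runs offline.

```python
"""Verify that the sshd master process was really restarted from the expected
binary. Added example; the sample ps output below is copied from the post."""
import re

# `ps -deaf` columns: UID PID PPID C STIME TTY TIME CMD
PS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.*)$")


def sshd_listeners(ps_output):
    """Return {pid: command} for sshd *daemons*: parent is init (PPID 1) and the
    command is an executable path. Per-session 'sshd: user@pts/N' children and
    the grep itself are ignored, even when a session child has been reparented
    to PID 1 after the old master was killed."""
    daemons = {}
    for line in ps_output.strip().splitlines():
        m = PS_LINE.match(line.strip())
        if not m:
            continue
        pid, ppid, cmd = int(m.group(2)), int(m.group(3)), m.group(4).strip()
        if ppid == 1 and cmd.endswith("/sshd"):
            daemons[pid] = cmd
    return daemons


def restart_ok(before, after, expected_path):
    """True only if exactly one master sshd is running after the restart, it is
    not the PID that was running before, and it is the binary `which sshd` gave."""
    old = sshd_listeners(before)
    new = sshd_listeners(after)
    if len(new) != 1:
        return False
    pid, cmd = next(iter(new.items()))
    return pid not in old and cmd == expected_path


# constructed sample input: the ps output shown in the post, before and after `kill -15 2529`
BEFORE = """\
root      2529     1  0 11:26 ?        00:00:00 /usr/sbin/sshd
root      4442  2529  0 11:29 ?        00:00:02 sshd: root@pts/0
root      9794  4444  0 12:18 pts/0    00:00:00 grep ssh
"""
AFTER = """\
root      4442     1  0 11:29 ?        00:00:02 sshd: root@pts/0
root      9804     1  0 12:20 ?        00:00:00 /usr/sbin/sshd
root      9806  4444  0 12:20 pts/0    00:00:00 grep ssh
"""
WHICH_SSHD = "/usr/sbin/sshd"   # what `which sshd` printed in the post

if __name__ == "__main__":
    print("before:", sshd_listeners(BEFORE))
    print("after: ", sshd_listeners(AFTER))
    print("restart OK:", restart_ok(BEFORE, AFTER, WHICH_SSHD))
```

On a live box you would feed it the real output (`subprocess.run(["ps", "-deaf"], ...)`) captured before the kill and after the new daemon is launched; if it says False, fix it from the session you still have open before you close it.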

Now, from another window, launch another ssh session to the server

ssh root@ns1.mydomain.co.uk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
78:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:11.
Please contact your system administrator.
Add correct host key in /home/mylogin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/mylogin/.ssh/known_hosts:4
RSA host key for ns1.mydomain.co.uk has changed and you have requested strict checking.
Host key verification failed.

This is normal: when OpenSSL was reinstalled, the server RSA keys changed.

Edit the /home/mylogin/.ssh/known_hosts file and remove the line for the server.

Is it still all OK?

Restart the server and pray that you don’t have to ask for a KVM over IP session to repair the damage.

NEXT STEPS

It’s time to recompile anything that uses SSL or TLS, e.g. exim, squid and Apache.

And the after steps

All of the above is out of date now after OpenSSL 1.0.1h, so we have to do it all again.

Posted in Uncategorized

Katy Lied

Julian and Jas’s new website:
http://www.katyliedmusic.com/

Posted in Uncategorized

Test post from android

Test

Posted in Uncategorized

Getting ready for IPv6

I want to make sure the Slackware Linux edge servers are ready for IPv6 when eventually the ISPs catch up.

We signed up for a free tunnel endpoint with http://www.gogo6.com/freenet6/tunnelbroker/ to try a few things out. Building the gogoc client from source was easy. The edge server was set up as a host, not a router, as my desktops are all IP4 with a black hole gateway route to the outside world and the server is a proxy. It was great seeing this come back:

# ping6 www.kame.net
PING www.kame.net(2001:200:dff:fff1:216:3eff:feb1:44d7) 56 data bytes
64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=1 ttl=49 time=328 ms
64 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7: icmp_seq=2 ttl=49 time=329 ms

It turns out to be fine to use squid proxy 3.1.20 with IP4 clients on the internal network proxied out through an IPv6 address. My IP4 desktops can see the “Dancing Turtle” at http://www.kame.net (proof that they are accessing an IPv6-specific page).

We’ll look at ip6tables another day.

Posted in IPv6, Linux, Networks

Patching recent Linux kernels ( > 2.6.32 ) for MPPE and MPPC VPN

There is an excellent introduction here http://www.phparchitecture.com/howto_show.php?id=3&showall

The part that is missing for kernels (I am told up to 2.6.32) is the link to this: http://code.google.com/p/setvps/downloads/detail?name=Linux-2.6.18-mppe-mppc-1.4.patch&can=2&q=

Don’t forget to do a global search and replace of the linux version in the patch before applying it.

If vi is your favorite editor then:

<esc>
:%s/linux-2.6.18/linux-2.<your>.<version>/g

Later version 2.6 kernels and onwards require even later patches because of changes in the crypto API.

I couldn’t find one myself, so I made my own: a patch that works with kernel 3.2.21 that I have created is available here:
linux-3.2.21-mppe-mppc-1.5.patch.bz2

All original credits of course for the MPPC conversion go to Jan Dubiec of http://mppe-mppc.alphacron.de/ .  All I’ve done is ported it to the new Crypto API (and mixed some of the ppp_mppe.c code in)!

If you try to apply this patch to a very late 2.6 kernel, note that the ppp files moved into their own subfolder of the net directory with the advent of the 3 series kernels. You will need to change the folder paths in the patch to fix this.

Posted in Linux, Microsoft, VPN

Sample

Dr Ben Sessa is producing a new site.

Posted in Uncategorized