Higher Logic notes on screwing with tech…

24Jun/11

Simple host-based firewall Ubuntu style

Tired of pesky port scans? Just want to deploy a firewall for the heck of it? Like that added layer of protection? Whatever your reason, let's do a simple one. Here's a version that includes a persistent ruleset and integration with Ubuntu's startup.

For a simple host-based firewall, e.g. just blocking stuff and making sure no one tries too many things on your server, I tend to deploy plain iptables. For something more complicated I prefer shorewall (that's another write-up for another day :)

Show me the bacon

New script: /etc/init.d/firewall (something simple for start, stop and reload).
This is a pretty simple script; all it needs to run is the actual firewall rules in "/etc/default/firewall". The LSB header matters: with an empty Default-Start the init system never starts it at boot, so the runlevels are filled in here.


#! /bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $network
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start/stop Firewall
### END INIT INFO

RULES=/etc/default/firewall

# Nothing to do if the ruleset is missing
test -r "$RULES" || exit 0

load_rules() {
	# iptables-restore replaces the tables listed in the file in one go,
	# so a reload never leaves a window with an empty ruleset
	/sbin/iptables-restore < "$RULES"
}

case "$1" in
start|restart|reload)
	echo -n "Starting Firewall Services"
	load_rules || { echo " failed"; exit 1; }
	;;
stop)
	echo -n "Stopping Clearing Firewall Rules"
	# Flush and delete every chain in every table, then open the default policies
	for t in filter nat mangle; do
		/sbin/iptables -t $t -F
		/sbin/iptables -t $t -X
	done
	/sbin/iptables -P INPUT ACCEPT
	/sbin/iptables -P FORWARD ACCEPT
	/sbin/iptables -P OUTPUT ACCEPT
	;;
*)
	echo "Usage: /etc/init.d/firewall {start|stop|restart|reload}"
	exit 1
	;;
esac

echo
exit 0

The actual firewall rules. This part is up to you, but here's a simple version that lets SSH, DNS and web traffic in (plus ICMP and loopback) and allows everything outbound. Store it under "/etc/default/firewall", and change eth0 if your interface has a different name: with an OUTPUT policy of DROP, traffic on any interface not listed goes nowhere.

# /etc/default/firewall - loaded with iptables-restore (lines starting with # are ignored)
# nat and mangle: no rules, accept everything
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# filter: default policy DROP on every chain, then punch the holes we need
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and ICMP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
# replies to connections we started, and packets belonging to connections already let in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH, DNS (tcp and udp) and web
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
# outbound: everything
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT

Now apply the varnish


# Make it executable
sudo chmod +x /etc/init.d/firewall
# Add it to the startup runlevels (the LSB header in the script decides which ones)
sudo update-rc.d firewall defaults

Kick the tires


# If you are at the console and aren't afraid of your firewall rules locking you out
sudo /etc/init.d/firewall reload
sudo iptables -L -n -v   # check that it's loaded and watch the counters move
# If you are over an ssh session and are afraid of being dropped, do it inside screen:
# if the reload kills your session, "stop" opens everything up again 10 seconds later
screen
sudo /etc/init.d/firewall reload && sleep 10 && sudo /etc/init.d/firewall stop
# Still connected? Run reload once more to put the rules back for good.
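The reload-sleep-stop trick works, but it still lets a bad ruleset through for ten seconds and it does not catch the mistakes before they bite. As an added example (not part of the original post), here is a bash script that lints an iptables-save file for the classic lockout mistakes (no loopback accept, no RELATED,ESTABLISHED rule, no accept for the SSH port, OUTPUT DROP with nothing allowed out), syntax-checks it with `iptables-restore --test`, and then loads it with an automatic rollback unless you confirm from a still-working session. The helper names lint_ruleset, apply_with_rollback and write_sample_ruleset are mine, the sample ruleset is constructed from the one above, and the --test flag needs an iptables recent enough to have it.

```bash
#!/bin/bash
# Added example, not from the original post: lint an iptables-save ruleset for
# lockout mistakes, then load it with a timed rollback.
# Assumed helper names: lint_ruleset, apply_with_rollback, write_sample_ruleset.

# lint_ruleset FILE [SSH_PORT]
# Returns 0 when the *filter table keeps an SSH session alive under a DROP
# policy (loopback, RELATED/ESTABLISHED, the SSH port, and an OUTPUT accept),
# 1 otherwise, printing each missing piece.
lint_ruleset() {
  local file=$1 port=${2:-22} rc=0 filter
  # Only the *filter ... COMMIT section counts; nat/mangle rules don't admit traffic.
  filter=$(awk '/^\*filter/ { f = 1; next } /^COMMIT/ { f = 0 } f' "$file")
  if ! printf '%s\n' "$filter" | grep -q '^-A INPUT -i lo -j ACCEPT'; then
    echo "missing: loopback accept (-A INPUT -i lo -j ACCEPT)"; rc=1
  fi
  if ! printf '%s\n' "$filter" | grep -Eq '^-A INPUT .*--(ct)?state [A-Z,]*ESTABLISHED.* -j ACCEPT'; then
    echo "missing: RELATED,ESTABLISHED accept on INPUT"; rc=1
  fi
  if ! printf '%s\n' "$filter" | grep -Eq "^-A INPUT .*-p tcp .*--dport $port( |$).*-j ACCEPT"; then
    echo "missing: accept for tcp/$port (your SSH port)"; rc=1
  fi
  if printf '%s\n' "$filter" | grep -q '^:OUTPUT DROP' &&
     ! printf '%s\n' "$filter" | grep -Eq '^-A OUTPUT .*-j ACCEPT'; then
    echo "OUTPUT policy is DROP but there is no OUTPUT ACCEPT rule"; rc=1
  fi
  return $rc
}

# apply_with_rollback FILE [SECONDS]
# Lint and syntax-check FILE, save the live rules, load FILE, then roll back to
# the saved rules unless ENTER is pressed within SECONDS. Run it as root inside
# screen or tmux so the countdown keeps running if your SSH session drops.
apply_with_rollback() {
  local file=$1 secs=${2:-30} backup
  lint_ruleset "$file" "${SSH_PORT:-22}" || { echo "refusing to load $file"; return 1; }
  # --test parses and builds the ruleset without committing it
  iptables-restore --test < "$file" || { echo "$file does not parse"; return 1; }
  backup=$(mktemp /tmp/iptables-backup.XXXXXX)
  iptables-save > "$backup"
  iptables-restore < "$file"
  echo "New rules loaded. Press ENTER within ${secs}s to keep them."
  if read -r -t "$secs" _; then
    echo "kept"; rm -f "$backup"; return 0
  fi
  iptables-restore < "$backup"
  echo "no confirmation, rolled back to the previous rules"; rm -f "$backup"; return 1
}

# write_sample_ruleset FILE: constructed sample (the post's filter table with
# zeroed counters) for trying the linter offline.
write_sample_ruleset() {
  cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
EOF
}

# Usage (as root, inside screen):  . ./firewall-apply.sh; apply_with_rollback /etc/default/firewall 30
# Offline self-test of the linter:  bash firewall-apply.sh --selftest
if [ "${1:-}" = "--selftest" ]; then
  tmp=$(mktemp); write_sample_ruleset "$tmp"
  lint_ruleset "$tmp" && echo "sample ruleset: OK"
  grep -v 'dport 22' "$tmp" > "$tmp.bad"
  lint_ruleset "$tmp.bad" || echo "copy without the SSH rule rejected, as expected"
  rm -f "$tmp" "$tmp.bad"
fi
```

The linter is deliberately dumb pattern matching on the filter table; it will not spot a DROP rule placed above your SSH accept, so the rollback timer is the real safety net and the lint just catches the cheap mistakes before you need it.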

20Jun/11

Reverse DNS wall using DJBDNS

Another DNS post, yay! Out of all the aspects of DNS service, this is the one used least. So what's a reverse DNS wall? You know reverse DNS? That's where you look up an IP address and get the name associated with it, as opposed to the other way round.

Now "some" special-needs servers on the internet (FTP, SSH) like to do a reverse resolve of the incoming IP and block based upon the result. Some even rarer servers will then do an A record check on the name they got back to make sure it matches the originating IP (forward-confirmed reverse DNS).

Let's say I have a whole bunch of computers that don't have DNS names, not now, not ever. How do they connect to these pesky services? Tell the service provider to stop being daft! Once you recover from the slap they gave you, set up your own reverse DNS wall. When queried, walldns answers the PTR lookup for 1.2.3.4 with the name 4.3.2.1.in-addr.arpa, and answers an A lookup for that name with 1.2.3.4, so both the reverse check and the forward-confirmation check pass and you are taken to the promised land!


# Install
sudo apt-get install daemontools daemontools-run ucspi-tcp djbdns
# walldns-conf needs two accounts: one to run walldns, one for the logger
adduser --no-create-home --disabled-login --shell /bin/false walldns
adduser --no-create-home --disabled-login --shell /bin/false dnslog

# Config (1.2.3.4 is the address walldns listens on: use your server's public IP)
walldns-conf walldns dnslog /etc/walldns 1.2.3.4
# daemontools-run already provides /etc/service; the symlink makes svscan pick the service up
mkdir -p /etc/service ; cd /etc/service ; ln -sf /etc/walldns/

# Start and Test
initctl start svscan
# Checking status
svstat /etc/service/walldns
# Shutting down
svc -d /etc/service/walldns
# Starting up
svc -u /etc/service/walldns

Now get whoever hosts your IP range (your ISP or hosting provider) to delegate the reverse zone for your block to this server and you are good to go. Until they do, you can still test by pointing dig straight at the walldns host.

17Jun/11

Useful Chrome Extensions

I thought I'd jot down a whole bunch of awesome Chrome extensions which have made my life easy:

AdBlock - The grand daddy of all extensions :)

Chrome to Phone - If you have an Android phone this is an easy and painless way to send a link direct to your Android's browser

Instapaper - For those of you who read Instapaper, this takes all the hassle out of adding pages

1Password - Install this one through your 1Password's settings. This is a life saver, a single place for all my passwords and secret information, one click login to any website.

Official Facebook Extension - Enough said.

Ultimate Chrome Flag - I stumbled across this extension and boy is it a gem! It tells you lots of useful information about the website you are currently visiting like country, IP address, Google page rank, geo location and trust rating.

IP Address Information - Great extension for those of us that are interested in a bit of networking. Everything you want, DNS, Reverse DNS, ASN, Spam block lists you name it its just plain awesome.

Screen Capture (by Google) - take all those shiny pics of what's inside your tabs

Google Tasks (by Google) - Nice embedded way to access your tasks that sits with Google Calendar.

Google Calendar (by Google) - Nice way to see what's coming in your Google calendar. I found it a little too cumbersome and no quick way of getting to my actual calendar.

Google Calendar Checker (by Google) - Same as above but it acts as an instant jump to your calendar.

Google Translate (by Google) - If you view foreign language pages with any frequency this one will save you some hassle.

Google Share Button (by Google) - If you're a share-a-holic this is great :D

Do you have any favourite extensions? I would love to try them and put them on the list.

16Jun/11

Ubuntu serial connection to Cisco devices

Nice and short one; I bet that's what all the girls say!

# install the bastard
sudo apt-get install minicom
# check out which serial ports you have
spidey@app03:~$ dmesg | grep tty
[ 0.000000] console [tty0] enabled
[ 3.278021] serial8250: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[ 3.278114] serial8250: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
[ 3.278334] 00:05: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
[ 3.278451] 00:06: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
# from the above you can see I have ttyS0, which is /dev/ttyS0
# (a USB-to-serial cable shows up as ttyUSB0 instead)
# configure away!
sudo minicom -s
# go to "Serial Port Setup"
Set "serial device" to "/dev/ttyS0"
Set "line speed" to "9600" (a Cisco console wants 9600 8N1)
Set "hardware flow control" to "No"
Set "software flow control" to "No"
# "Save setup as dfl" so the settings stick
# sit back and have some cake
sudo minicom

16Jun/11

Upgrade a cisco IOS

Who wants a new Cisco IOS?

There are many ways to get an IOS image onto a Cisco device; I'm just going to cover the one I used. Getting an image off a Cisco ASA device, now that's tricky!

First set up a TFTP server. I used the first one I found for OS X :) I'm lazy.

Once you've got all of that set up, just follow these instructions. Assumptions:

  • tftp server is 10.1.1.1
  • IOS image file: asa840-k8.bin
  • ASDM file : asdm-641.bin

hostname# copy tftp://10.1.1.1/asa840-k8.bin disk0:/asa840-k8.bin
hostname# copy tftp://10.1.1.1/asdm-641.bin disk0:/asdm-641.bin
# worth doing: compare the hash with the MD5 Cisco publishes for the image before you boot it
hostname# verify /md5 disk0:/asa840-k8.bin
hostname# configure terminal
hostname(config)# clear configure boot
hostname(config)# boot system disk0:/asa840-k8.bin
hostname(config)# asdm image disk0:/asdm-641.bin
hostname(config)# write memory
hostname(config)# reload

16Jun/11

Reset Cisco ASA password + factory reset

Forgot your ASA's password? No worries :) All this needs is the console port, which is the real lesson here: anyone who can plug into the console and reboot the box owns it, so keep the rack locked.

Bypass the Cisco system configuration

Plug in your serial console,
reboot the ASA,
press 'ESC' while it's booting

# Now get into configuration management
rommon #0> confreg

# Record this next line we'll need it later.
Current Configuration Register: 0x00000001
Configuration Summary:
boot default image from Flash

Do you wish to change this configuration? y/n [n]: Y
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: y
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:

Current Configuration Register: 0x00000040
Configuration Summary:
boot ROMMON
ignore system configuration

Update Config Register (0x40) in NVRAM...
# now boot: the ASA comes up ignoring its startup-config
rommon #2> boot

The cat's away, the mice will play

hostname# copy startup-config running-config
hostname# configure terminal
hostname(config)# password password
hostname(config)# enable password password
hostname(config)# username name password password
# Remember that line I asked you to record :) Put the register back so the next boot loads the config again
hostname(config)# config-register 0x00000001
hostname(config)# copy running-config startup-config

Optional: new house!

# Reset to factory settings
config term
config factory-default
# hit the spacebar when the 'more' prompt appears
(Optional) reload save-config noconfirm

14Jun/11

TXT style record with tinydns (djbdns)

If you want TXT records in tinydns, it looks a little like this:

'higherlogic.com.au:google-site-verification=ENU8Bp1GVPWP3svylgEBHhhw5NDjWcQw:86400

I used the one above for Google domain verification. If you have '\n', ':' or other special characters in your TXT record, be a little careful: ':' is the field separator in the data file, so tinydns-data expects such characters escaped as octal (a colon becomes \072, a newline \012). Either escape them yourself or use Anders' TXT record builder.
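As an added example (not part of the original post, and not a djbdns tool), here is a bash function that builds a tinydns-data TXT line with that escaping applied: ':' becomes \072, '\' becomes \134, and anything outside printable ASCII (newline, tab, UTF-8 bytes) becomes its three-digit octal \ooo. The helper name tinydns_txt and the sample records are mine.

```bash
#!/bin/bash
# Added example, not from the original post: emit a tinydns-data "'" line for a
# TXT record with the octal escaping tinydns-data expects.
# Assumed helper name: tinydns_txt.

# tinydns_txt FQDN TEXT [TTL]  ->  'FQDN:ESCAPED_TEXT:TTL
tinydns_txt() {
  local fqdn=$1 text=$2 ttl=${3:-86400} esc
  # od turns the text into one byte value per line; awk prints printable ASCII
  # as-is and everything else (plus ':' = 58 and '\' = 92) as \ooo.
  esc=$(printf '%s' "$text" | od -An -v -tu1 | tr -s ' \n' '\n' |
        awk 'NF { c = $1 + 0
                  if (c == 58 || c == 92 || c < 32 || c > 126) printf "\\%03o", c
                  else printf "%c", c }')
  printf "'%s:%s:%s\n" "$fqdn" "$esc" "$ttl"
}

# Constructed samples (not real records):
#   tinydns_txt example.com 'v=spf1 include:_spf.example.net -all' 3600
#     prints  'example.com:v=spf1 include\072_spf.example.net -all:3600
#   tinydns_txt example.com "$(printf 'line1\nline2')"
#     prints  'example.com:line1\012line2:86400
```

The site-verification record in the post has no special characters, so tinydns_txt passes it through unchanged; SPF and DKIM records, which are full of colons, are where this earns its keep. tinydns-data splits long strings into 127-byte chunks on its own, so you do not need to break the text up yourself.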
