Archive for the ‘IT’ Category

Summer of Hacks

Tuesday, May 13th, 2008

My Linode has been experiencing a huge number of brute force login attempts in the past week. I don’t keep detailed statistics, but I would guess there have been 300 attempts in the past week as opposed to the usual rate of about 500 attempts over 200 days (2-3 attempts per day).

DenyHosts has been doing its job perfectly. It should be illegal to run an Internet-exposed SSH server without it or a similar tool.*

Thanks to HoopyCat in #linode for pointing me to a SANS Internet Storm Center article explaining the Summer of Hacks phenomenon.

* Unless of course you only accept key based logins.
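What a DenyHosts-style tool does under the hood, as an added example that is not the post's code or DenyHosts itself: count sshd "Failed password" lines per source address over a constructed auth.log excerpt and emit the /etc/hosts.deny entries for addresses over a threshold. The allowlist parameter is an assumption of this example, there to keep your own addresses from being locked out.

```python
"""Count failed sshd password logins per source address in auth.log-style
lines and emit the /etc/hosts.deny entries a DenyHosts-style tool would add.
Added example with a constructed log; not the post's or DenyHosts' code."""
import re
from collections import Counter

# sshd's "Failed password" line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed auth.log excerpt (RFC 5737 test addresses, not real attackers).
SAMPLE_LOG = """\
May 13 01:02:03 linode sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
May 13 01:02:05 linode sshd[1235]: Failed password for root from 203.0.113.5 port 4322 ssh2
May 13 01:02:06 linode sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 4323 ssh2
May 13 01:02:07 linode sshd[1237]: Accepted publickey for steve from 198.51.100.7 port 5000 ssh2
May 13 01:02:09 linode sshd[1238]: Failed password for steve from 198.51.100.7 port 5001 ssh2
May 13 01:02:11 linode sshd[1239]: Failed password for invalid user test from 192.0.2.9 port 6000 ssh2
"""

def failed_logins_by_ip(lines):
    """Return {ip: number of failed password attempts}."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)

def hosts_to_deny(lines, threshold=3, allowlist=()):
    """Addresses with at least `threshold` failures, minus an allowlist of
    your own addresses so a typo in your own password cannot lock you out."""
    counts = failed_logins_by_ip(lines)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in allowlist)

def hosts_deny_lines(ips):
    """TCP Wrappers lines for /etc/hosts.deny, the file DenyHosts appends to;
    OpenSSH builds with libwrap support honour it."""
    return ["sshd: %s" % ip for ip in ips]

if __name__ == "__main__":
    denied = hosts_to_deny(SAMPLE_LOG.splitlines())
    print("\n".join(hosts_deny_lines(denied)))
```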

Easy Rsync Remote Backups Using SSH Keys

Wednesday, March 19th, 2008

Rsync is an excellent file transfer utility that’s especially well suited for backing up files over the Internet because it only transfers the data that has changed. A friend asked me how to set it up, so I thought I’d post what I sent him here.

Goal: Back up a directory from computer Zim to computer Ark

Details:

  • Both Zim and Ark are subdomains of example.com
  • The user on Ark which receives the backup files is named backupuser
  • The user on Zim with access to the files you want to back up is named steve

Prerequisites:

  • ssh installed on both hosts
  • rsync installed on both hosts

Directions:

  1. Log in to Zim via ssh:
    ssh steve@zim.example.com
  2. Generate an ssh key pair using:
    ssh-keygen -t rsa
    <press enter when prompted where to save the key>
    <press enter twice when asked for a passphrase>
  3. To use the key to login to Ark remotely without manually entering a password you need to copy the public key from Zim to Ark using:
    ssh-copy-id -i .ssh/id_rsa.pub backupuser@ark.example.com

    If you don’t have ssh-copy-id on your system, get a new system. ;) If that’s not possible you can download the script with (the quotes around the URL matter, otherwise the shell treats the semicolon as a command separator and chmod never runs):

    wget -O ssh-copy-id 'http://cvsweb.mindrot.org/index.cgi/~checkout~/openssh/contrib/ssh-copy-id?rev=1.6;content-type=text%2Fplain' && chmod +x ssh-copy-id

    Then retry the above command only you’ll need to prepend a “./”:

    ./ssh-copy-id -i .ssh/id_rsa.pub backupuser@ark.example.com
  4. Verify the key copied properly by attempting to log in to Ark. You should not be prompted for a password:
    ssh backupuser@ark.example.com
  5. Log out of Ark. The key is set up, so you’re now ready to rsync files without having to manually enter a password.
  6. Test rsync by choosing a small file to back up and using:
    rsync -tP /some/small/testfile backupuser@ark.example.com:/tmp

    A nice little progress bar should be displayed as the file is transferred. Confirm that “testfile” is now in /tmp on Ark.

  7. You’re finally ready to do a real rsync like:
    rsync -t /directory/to/backup/* backupuser@ark.example.com:/existing/backup/directory

    Note: There are several useful options for rsync. Check man rsync to find out more.

    • -p — preserve permissions (useful for backups, use -E if you only care about the executable bit)
    • -r — recursively back up directories.
    • -z — compress file data while it is being transferred (helps for uncompressed files, does nothing useful for already-compressed ones)
    • And just FYI: -t preserves the last modified timestamp on the destination, which is what lets rsync compare size and mtime to determine whether or not to transfer files. It makes rsync a lot faster at determining whether or not files have changed.
  8. To schedule the backup to take place nightly at 1:13 AM edit your crontab using crontab -e and insert the following line:
    13 1 * * * rsync -qt /directory/to/backup/* backupuser@ark.example.com:/existing/backup/directory
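To make the -t remark concrete, here is a Python model of rsync's default quick check (a file is skipped only when size and modification time both match), as an added example that is not rsync's or the post's code. `demo` builds a constructed source tree in a temporary directory and mirrors it twice, once with preserved mtimes (what -t gives you) and once without.

```python
"""rsync's default "quick check": a file is skipped only when size and mtime
both match, which is why preserving mtimes (-t) keeps later runs fast. Added
example, not rsync's code; it walks two local trees to show what -t buys you."""
import os
import shutil
import tempfile

def quick_check_differs(src_path, dst_path, modify_window=0):
    """True if rsync would send src_path: dest missing, or size/mtime differ."""
    if not os.path.exists(dst_path):
        return True
    s, d = os.stat(src_path), os.stat(dst_path)
    if s.st_size != d.st_size:
        return True
    return abs(int(s.st_mtime) - int(d.st_mtime)) > modify_window

def files_to_transfer(src_dir, dst_dir):
    """Relative paths under src_dir that fail the quick check against dst_dir."""
    out = []
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            if quick_check_differs(src, os.path.join(dst_dir, rel)):
                out.append(rel)
    return sorted(out)

def mirror(src_dir, dst_dir, preserve_times=True):
    """Copy what the quick check flags. preserve_times=False models a run
    without -t: copies get a fresh mtime, so the next run re-sends everything."""
    sent = files_to_transfer(src_dir, dst_dir)
    for rel in sent:
        src, dst = os.path.join(src_dir, rel), os.path.join(dst_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        (shutil.copy2 if preserve_times else shutil.copyfile)(src, dst)
    return sent

def demo(preserve_times):
    """Constructed source tree with old mtimes; returns (first run, second run)."""
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "zim"), os.path.join(base, "ark")
    os.makedirs(os.path.join(src, "etc"))
    for rel in ("notes.txt", os.path.join("etc", "app.conf")):
        with open(os.path.join(src, rel), "w") as fh:
            fh.write("data for " + rel)
        os.utime(os.path.join(src, rel), (1_000_000_000, 1_000_000_000))  # long ago
    first, second = mirror(src, dst, preserve_times), mirror(src, dst, preserve_times)
    shutil.rmtree(base)
    return first, second
```

Running `demo(True)` sends both files once and nothing on the second pass; `demo(False)` sends both files on every pass, which is exactly what a cron job without -t does to your bandwidth.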

Caveats:

  • These instructions will push files from Zim to Ark. There’s no reason why Ark couldn’t pull files from Zim. In fact, this is often more secure if Zim is a web server with a larger attack surface than Ark. Mea culpa.
  • If the IP address of Ark is dynamic, use a service like dyndns.com. Otherwise SSH will give you errors.
  • Major security warning: If someone breaks into Zim, they can also delete all of your backups on Ark. Never ever ever use the root user for backups on Ark. You can use the root user on Zim to send the backups, but it’s best to have a special backup user set up on Ark to receive the backup.

Permanent home for firewall-admin

Sunday, February 17th, 2008

The little recipe I posted for a dedicated Linux firewall with a CherryPy powered administrative interface finally has a permanent home over at Google Code.

Many thanks to Kyle Waremburg for creating the project page and helping me develop firewall-admin! I hope other people find it useful.

Hostname Tab-Completion for OpenSSH

Wednesday, January 30th, 2008

I use OpenSSH daily. In fact the only app I probably use more is vim. However, until yesterday I was typing out the full username and hostname when using ssh:

   ssh username@ridiculouslylong.domain.com

Ugh

Using the same username makes life a bit simpler:

   ssh ridiculouslylong.domain.com

Meh, better, but I’m really lazy!

I’d heard about tab-completion for hostnames from various blogs, but never knew how to do it. I hopped into #debian and thirty seconds later someone had kindly told me about ~/.ssh/config.

Not only is any host listed in your ~/.ssh/config auto-completed on the command line by hitting tab, but you can also specify what username to connect as! So my .ssh/config file looks something like:

Host host1.domain.com
     User randomuser
Host www.somewhereelse.com
     User someotheruser
Host mail.domain2.com
Host domain3.com

Now I can just type:

   ssh h<TAB><ENTER>

to connect to host1.domain.com as randomuser.

Beautiful.

Check out man ssh_config for details and other options.
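As an added example (not OpenSSH's code), a small Python resolver for the Host/User logic above: it applies ssh_config's rule that the first obtained value for an option wins and that a `!pattern` vetoes a Host block, and lists the literal Host names a completer offers for a prefix. SAMPLE_CONFIG is constructed from the post's config with one extra wildcard block to show the first-wins rule.

```python
"""Resolve the options ssh applies to a host from an ssh_config-style file and
list the literal Host names a tab-completer offers. Added example, not OpenSSH
code; SAMPLE_CONFIG is constructed from the post's with one wildcard block."""
import fnmatch
SAMPLE_CONFIG = """\
Host host1.domain.com
     User randomuser
Host www.somewhereelse.com
     User someotheruser
Host mail.domain2.com
Host *.domain.com
     User fallbackuser
     Port 2222
"""

def parse_blocks(text):
    """[(patterns, {option: value}), ...] in file order; comments skipped."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            blocks[-1][1].setdefault(key, value)
    return blocks

def host_matches(patterns, host):
    """ssh_config rule: a negated pattern (!pat) vetoes the whole Host block."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def resolve(text, host):
    """Effective options for host: the FIRST obtained value wins, as in ssh."""
    options = {}
    for patterns, opts in parse_blocks(text):
        if host_matches(patterns, host):
            for k, v in opts.items():
                options.setdefault(k, v)
    return options

def completion_candidates(text, prefix):
    """Wildcard-free Host names starting with prefix: what `ssh h<TAB>` offers."""
    names = {p for patterns, _ in parse_blocks(text) for p in patterns
             if not any(c in p for c in "*?!") and p.startswith(prefix)}
    return sorted(names)
```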

Also, if you’re not using ssh keys instead of passwords, you’re doing too much work. Seahorse makes SSH keys simple.

Wireless Bridges are a Scam

Tuesday, December 18th, 2007

Disclaimer: I am not a hardware guy. The days when I enjoyed cracking open a computer case and poking around are long since past. These days if I can’t fix something via keyboard, I want no part of it.

Unfortunately, for a client I needed to extend a LAN from Building A across 30 feet of asphalt to Building B. Time to don my Net Admin hat to install a nice straightforward WiFi bridge.

Despite already owning a Linksys WRT54G series router, I decided to just pick up 2 Linksys WET54G wireless bridges (version 3.1). The bridges are actually more expensive than routers. But that just means they’re better suited for their simple task, right? Wrong…

The 2 WET54Gs have been nothing but trouble for me. Their web interface sometimes redirects to the hardcoded IP address. They drop their connection and require resetting a lot. They just don’t work reliably.

So I flashed the WRT54G with Tomato firmware to replace one of the WET54Gs, and so far things are working much better.

If I’ve never mentioned it before: I love Tomato firmware. I’ve been using it at home for ages and never have to reset it. The features are outstanding (QoS with ACK Prioritization is a lifesaver when working over SSH).

From now on anytime I need a WiFi router, access point, or bridge, I’m going to buy a WRT54G and put Tomato on it. It’s cheaper than buying specialized Access Points or Bridges and has lots more features.

Did I mention Tomato generates sexy real-time graphs in SVG? Have a screenshot:

Tomato Firmware Bandwidth Graph

Recipe for a Transparent Linux Firewall and CherryPy Control Panel

Tuesday, November 6th, 2007

firewalladmin screenshot

At my previous job I built a transparent firewall with the help of a student. He hacked up some iptables scripts, and I hacked up a CherryPy application to control the firewall. It turned out to be pretty handy, so I’m finally getting around to posting it somewhere…

Recipe: A transparent firewall to block certain IP addresses and a nice web based control panel to edit the blacklist.

Ingredients:

Directions:

  1. Extract firewall-admin.tar.gz and change to the base directory. By default it’s set up to be in /srv/firewall-admin
  2. If you didn’t extract to /srv/firewall-admin, edit etc/rc.local and basedir in firewalladmin.config to reflect the current directory.
  3. By default firewalladmin/lib/bridge.py bridges eth1 and eth2, and eth0 should be attached to your LAN to access SSH and the web control panel.
  4. Edit firewalladmin.config to run on the IP address assigned to your administrative NIC and remember what port it’s set to run on.
  5. Add the commands from etc/rc.local to your system’s existing /etc/rc.local script. This will start the transparent firewall and web control panel on boot.
  6. Next you’ll need to set up the database. Edit line 28 in firewalladmin/model.py to set a default password and then run createdb.py
  7. You’re now ready to start the firewall and control panel simply by running sudo etc/rc.local (see Caveats below). You can always test out just the web interface by running start-firewalladmin.py
  8. Browse to the web interface using the IP and Port set up in step 4, log in using the username and password set up in step 6, and start configuring your transparent firewall!

The firewall allows creating multiple blacklists (aka Categories) which can be edited/paused/deleted individually. It also has allow lists (aka Whitelists) which can be used to allow specific internal IPs access to specific sites that might otherwise be blocked by a blacklist.

Important: When a user visits a blocked site they are redirected to the IP and Port specified on line 10 of firewalladmin/lib/iptables.py. We set up Apache to listen on that port and serve up a generic “You’ve been blocked” page, but you could be even more clever. You’ll need a .htaccess file like the following to properly map all blocked traffic to your block page:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.html [L,QSA]

Caveats

  • All scripts as well as the web control panel are executed as root. This setup should only be run on dedicated hardware and not on a server with other services.
  • No test suite. Mea culpa.
  • Little to no error handling. You’ve been warned. ;)
  • Basically this is a quick hack and should not be used in the same way you use tested and maintained software. YMMV

This little setup has proved very useful at the school for augmenting their existing content filtering system, and all web traffic passes through it without trouble. An old PIII can run a 3,000-domain blacklist at wire speed on a 10 Mbps link while using less than 10% of the CPU.