Archive for the 'Linux' Category

Is a hardware firewall really a software firewall anyway?

Published
by
Greg
on March 5, 2008
in Internet, Linux, Networking and Security
. Comments

I love how people always say that a software firewall like IPCop is a “lesser” product than a hardware system. I ran into one site speaking of Netsentron as a hardware solution. I’d also include Endian Firewall and Untangle when we talk about a “linux based hardware firewall”. Well here’s my thought. These systems offer a hardware solution, but aren’t these products really the same thing as the downloaded software version they provide? And if so, these products are really only a “hardware/software bundle”, right? (I think they actually advertise them this way anyway, but my gripe is with all those techs out there under the notion that these are real hardware based products.)

I can’t comment on any Cisco or Sonicwall, hardware firewalls, because I have not used any of them. But are these also just software running on hardware? And the main thing I’ve heard from security people about the lesser quality software products is that they are not good at defending against DOS attacks. Is this really true? Even if so, in the last 10 years I’ve ran some sort of Linux based firewall, whether home-brewed or special firewall distribution, I’ve not once had a break in. I’ve not once had a DOD attack. (THIS IS NOT AN INVITATION!)

Now, I have had a DOD attack directly on and Exchange or IIS server that was port forwarded directly to the Internet. Not pretty! Which is a big reason why I don’t run these systems directly anymore. But this is off topic. (maybe another blog coming!)

I’ll do some of my own research, but maybe if someone out there can shed some light on the deficiencies of a Linux firewall, in particular IPCop or Smoothwall. For my use, IPCop with a few addons, make for a fantastic filtering firewall, provided we pick good hardware to run it, and configure it properly. Is Sonicwall truly better at providing security?

Ah, just thinking out loud again. I am sure someone out there will give me hell for saying things like this. I am not a security expert, not even close. But, sometimes I just wonder about things… J

Fixing Grub and IPCop boot on Linux after cloning a hard drive

Published
by
Greg
on October 22, 2007
in Linux, PC Repair and Security
. Comments

First thing, when you clone your Linux hard drive with Ghost or Drive Image (or any other imaging software) you might not be able to load Grub. Usually just running some Grub commands off a Linux System Rescue CD will fix it. I think most any bootable Linux Live CD will work. You would run these commands:

After boot, run “grub”. (the following lines are from the “grub>” prompt.)

……………………

find /boot/grub/stage1

    (hd0,0)

root (hd0,0)

setup (hd0)

quit

……………………

You would replace “root (hd0,0)” with whatever is output from the find command above. The above assumes you have /boot on the same root partition.

On IPCop, boot is on a separate partition. So you need to be a little fancier. The key is to tell it what device to use. In the example below, we will assume we know what drive the boot record is on. (hd0,0). Also note, that IPCop because IPCop has boot on a separate partition, running the find command would be like so:

find /grub/stage1

Ok, so using the device command, and since we know our root is on hd0 …
(all on the grub prompt)

……………………

device (hd0) /dev/hda

root (hd0,0)

setup (hd0)

quit

……………………

 

Now grub should load ok. This would apply to most images/clones made, I think. But, now, what if your distro uses symlinks to represent your hard drives? I ask, because this stopped me from running IPCop off an image. Took me a while to realize two things.

  1. IpCop uses symlinks for /dev/harddisk instead of /dev/hda. (Can someone tell me why they do that? Why change that? Every other Linux distro I have used uses /dev/hda1 for the first partition on IDE drive.)
  2. When I cloned the system, the grub.conf (also known as menu.lst on other systems) listed the root filesystem as /dev/hda4, and yet, there was no hda4 in dev directory. It didn’t even exist on the old drive, so I have no idea how IpCop was booting!

Solution to #2 above was again to boot to a Linux Live CD, mount the boot partition on hda1, edit grub.conf and change all the /dev/hda4 entries to /dev/hda3, where the root filesystem actually resided.

On number #1 above, I don’t think fixing it actually caused the system to boot, but I did it anyway. While booted to the Live CD, I edited the /etc/fstab file on the hard drive and changed all the entries for /dev/harddisk1 through 3, to point to /dev/hda1 through 3. There is probably a reason for them doing this, but ya got me why. ?? Changing this might bite me it the butt some day, but for now, it boots beautifully!

Oh, and one might ask, why make a drive image of IPCop when they provide a backup and restore feature using floppy? Well, here’s why: 1. I have a ton of add-on programs installed, and they don’t backup. 2. I like an image better than a floppy!

IpCop is an awesome system, and I’ve had zero problems with it over many years now. But, it doesn’t do enough by itself. I mostly like the BlockOutTraffic addon you can install, giving you detailed control over all communication. I also modify the SSH setup to work the way I like it, using certificate auth and custom ports for several users tunneling into our networks. (works way better than VPN!) On some networks, I have to use PopTOP, the PPTP addon for Ipcop VPN. (not by my choice, it’s a requirement by an application we use.) All these might not backup to a floppy, and it’s so fast to make a Ghost image of the drive. You just have to spend a few extra minutes during restore.

Note: I was using IPCop 1.4.16 during all this.

EDIT 10/22 (later that evening…)

For IPCop, YOU MUST boot to an existing drive on /dev/hda that contains a working copy of IPCop and have your newly cloned drive operational as /dev/hdc. When you run grub, and then all the device, root and setup commands, you need to do it like so.

……………………

device (hd0) /dev/hdc

root (hd0,0)

setup (hd0)

quit

……………………

Notice the /dev/hdc above? Don’t ask me why, but when you try to run this from a Live CD, it won’t work. I really would like to know though, because the fact that it doesn’t work drives me nuts. There must be a simple explanation, and I know it’s just my ignorance of the grub boot loader, but this shouldn’t be needed. (and yet it is!) I just don’t have time to figure it out, when I can simply boot an IPCop as hda and run this quickly. Sometimes it is easier to not ask why, and move on. So make a note of this, YOU MUST boot to and IPCop OS with your new drive installed, then run the grub setup. Stupid, but at least it works.

IPCop 1.4.15 with PPTPd would not run because of libpcap link

Published
by
Greg
on October 3, 2007
in Linux, Networking, Security and Windows Vista
. Comments

I fought with this one for a while, like several hours. I installed the pptp addon for IPCop, which, by the way, you must Google for. I installed version 0.2.9 (pptpd_0.2.9.tar.gz) and found that on a forum somewhere. If you go to the addon’s from IPCop, you will only find 0.2.6, and that wont work with 1.4.13 or higher. (I might have that version a bit off, but I think that’s right) So Google for that file and you should find the file and ftp server IP. I don’t want to provide that, because I don’t have permission to do so.

Anyway, back to the problem. The pptp addon installed just fine on IPCop, and the admin web gui showed the correct items. I could not, however, get Windows to connect. I always got a 619 error, like that is helpful! On the IPCop /var/log/messages, I found this:
pptpd[5740]: GRE: read(fd=5,buffer=804dc00,len=8196) from PTY failed: status = -1 error = Input/output error

You can see the details on the pptpclient help page:

http://pptpclient.sourceforge.net/howto-diagnosis.phtml#read_eproto

 

I didn’t know how to do their troubleshooting, especially on IPCop. But then it occurred to me, find pppd, and ask it for help!

I ran this: /opt/pptp/sbin/pppd –help
Returned: /opt/pptp/sbin/pppd: error while loading shared libraries: libpcap.so.0.8.3: cannot open shared object file: No such file or directory

Ah-HA!!!

Run this on IPCop 1.4.15 while in the /usr/lib directory: ln -s libpcap.so.0.9.5 libpcap.so.0.8.3

BINGO! Windows can connect! From Vista no less!

Oh, and I know that PPTP is not the best as far as security goes, but it is the only thing I can use. I am running several Wifi Palm devices with a PPTP client on them for Hotsyncing on the Internet. I realize there is another product available that uses IPSec, but that is quite expensive per device. Plus that solution might run into a lot more hassle for the users while on the road trying to connect over hotspots, because IPSec may be blocked. PPTP is just more compatible. I’d really prefer to have an SSL based VPN on the Palm, but I don’t know of one available. So, for now, I’ll at least suffer with PPTP instead of opening my hotsync up to the world. Not perfect, but I can lock down the connection with IPcop too. (sounds like another blog… J )

Self-Signed IIS SSL Certificates using OpenSSL

Published
by
Greg
on June 18, 2007
in Linux, Networking, Security and Windows Server
. Comments

Gregs Uberfast version:

Linux:

openssl genrsa -des3 -out CA.key 1024
openssl req -new -key CA.key -x509 -days 3650 -out CA.crt
chmod 400 CA.key
chmod 400 CA.crt

(the above made a new CA, you want to install the crt into IE’s trusted certs.)

Win:

Make cert request in IIS – take to Lin.

Linux:

(All one line)
openssl x509 -req -days 3650 -in certreq.txt -CA CA.crt
-CAkey CA.key -CAcreateserial -out mail.server.crt

Win:

Take that mail.server.crt and install in IIS. People browsing yoru site will get a “not valid CA” type error, especially in IE7, and they’ll need to accept that. Otherwise, you need to buy a real cert. If it’s only your users on the site, then just have them install the CA.crt into IE, as then they will trust the authority/key from the web server. Every user will need to do that.

Set duplex on linux network card

Published
by
Greg
on March 5, 2007
in Linux and Networking
. Comments

Statically/manually define/set duplex on linux network card
Use mii-tool or ethtool

//////////////////////////////

A Note About Duplex Settings

By default, Linux NICs negotiate their speed and duplex settings
with the switch. This is done by exchanging electronic signals
called Fast Link Pulses (FLP). When the speed and duplex are forced
to a particular setting the FLPs are not sent. When a NIC is in
auto-negotiation mode and detects a healthy, viable link but receives
no FLPs, it errs on the side of caution and sets its duplex to
half-duplex and sometimes it will also set its speed to the lowest
configurable value. It is therefore possible to force a switch port to
100 Mbps full duplex, but have the auto-negotiating server NIC set
itself to 100Mbps half-duplex which will result in errors. The same is
true for the switch if the switch port is set to auto-negotiate and
server NIC is set to 100 Mbps full duplex. It is best to either force
both the switch port and server NIC to either auto-negotiate or
the same forced speed and duplex values.

//////////////////////////////

//////////////////////////////// mii-tool

/////////////////////////////////////////////////////////////

[root@bigboy tmp]# mii-tool
SIOCGMIIPHY on ‘eth0′ failed: Operation not supported
eth1: 100 Mbit, half duplex, link ok
[root@bigboy tmp]#

[root@bigboy tmp]# mii-tool -v
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:10:18, model 33 rev 2
basic mode:   autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising:  100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
[root@bigboy tmp]#

mii-tool -F 100baseTx-FD eth0

//////////////////////////////// Ethtool

/////////////////////////////////////////////////////////////

[root@bigboy tmp]# ethtool eth0
Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes:   10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes:  10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: No
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: off
Supports Wake-on: g
Wake-on: g
Current message level: 0×00000007 (7)
Link detected: yes
[root@bigboy tmp]#

#
# File: /etc/sysconfig/network-scripts/ifcfg-eth0
#
DEVICE=eth0
IPADDR=192.168.1.100
NETMASK=255.255.255.0
BOOTPROTO=static
ONBOOT=yes
ETHTOOL_OPTS=”speed 100 duplex full autoneg off”

////////////////////// or
ethtool -s eth1 speed 100 duplex full autoneg off

Remote ssh rsync linux backups with certificates and no passwords

Published
by
Greg
on October 25, 2006
in Backup, Linux, Scripting and Security
. Comments

Uber quick howto:  (based on Debian)
1. Make sure ssh, rsync and sudo are installed and working.
2. Add a user account,  on remote system.
2.a Add a certificate with openssl or ssh-keygen (look that up elsewhere)
2.b Make sure the cert is unencrypted with no password. Yes,  that is a slight security concern, HOWEVER, if you are very careful to secure that private key, you are ok.  In other words, don’t share it or let it out!
2.c Add your public key to your new users /home/username/.ssh/authorized_keys file.  (how to’s for this stuff are on the web)
2.d Test this user’s login and make sure it logs you in from your local machine.
3.  Now, this new user is unprivileged, so you need to use sudo for running the remote rsync command.  Add this to your remote machine /etc/sudoers file:

 nameofnewuser	remotemachinename=NOPASSWD:/usr/bin/rsync

Above, you replace with the appropriate names.

4. Copy your private key from the remote machine and save it on the local machine where you will be backing up to.  For example, save it in the local user’s .ssh directory.  /home/localuseraccount/.ssh/private.key

5. You need to create a script.  In the example below, I have an exclude.txt file also, so I can exclude directories and files.  Look that up in the rsync how-to’s.

#!/bin/bash
rsync -avz --rsync-path="sudo /usr/bin/rsync" 	

	--exclude-from=exclude.txt -e

 	"ssh -p 22 -i /home/localuseraccount/.ssh/private.key"

  	remoteuseraccount@remote.server.com:/ /backup/to/path

In case you didn’t catch that, the section above with the rsync command is all one line!

Debian apt error mmap ran out of room

Published
by
Greg
on October 25, 2006
in Linux
. Comments

I spent quite a while searching for solutions to this issue:

Reading Package Lists... Error!

E: Dynamic MMap ran out of room

I found several posts and sites that mention updating the cache limit, but that did not work. Here’s what I found though.

First, create the file if it does not exist.
/etc/apt/apt.conf

Then, add this:

APT::Default-Release "stable"; 

APT::Cache-Limit "141943904";

And that did the trick!  You can probably find this lots of places, but it took me too long to find the right fix, so I saved this here for myself!

Have a great day!

Setup virtual users and domains on Courier (Debian package)

Published
by
Greg
on April 2, 2006
in Linux
. Comments

Courier Virtual Email Hosting – No SQL Servers

Using USERDB

  1. Add the domain(s)
    Add your domain name to esmtpacceptmailfor.dir/default
    Add your domain name to hosteddomains/default
    Then create the courier system files, run:

      makeacceptmailfor
      makehosteddomains

  2. Add the users
    You run 2 commands to add a user. (same user/pw for smtp also)
    userdb and userdbpw

    Let’s say we want to add a user account for misc@1stbyte.com.

    1st create the virtual account home dirs. I save mine in /home/virtual. You will create a sub dir for each domain, then user. And you must create the Maildir folders in this home folder. So it will look like this:
    /home/virtual/domain.com/user
    Run:
    mkdir /home/virtual/1stbyte.com/misc
    maildirmake /home/virtual/1stbyte.com/misc/Maildir
    chown -Rv 999.999 /home/virtual/1stbyte.com/misc
    userdb misc@1stbyte.com set uid=999 gid=999 home=/homevirtual/1stbyte.com/misc
    userdbpw | userdb misc@1stbyte.com set systempw

    userdbpw will ask for a password and pipe into the “set systempw” command and save it into the userdb database. You can see the data in /etc/courier/userdb.

    When you are done run: makeuserdb

  3. Setup any aliases

    if you have any aliases, set them in aliases/system. Edit the file and add full email account names like:
    vuser@domain.com: mailaccount@domian.com

    It’s alias: realaccount.
    The can be other domains too:
    fakeuser@accptedmaildomain.com: realaccount@realhosteddomain.com
    info@1stbyte.com: misc@1stbyte.com

    And of course, run: makealiases

Compile Apache 2 with PHP 4 and MySQL 5 (while MySQL 4 is also installed)

Published
by
Greg
on April 2, 2006
in Databases and Linux
. Comments

Download and unpack Apache and PHP. MySQL 5 is install already. (as per another blog: http://www.1stbyte.com/2006/04/02/mysql-5-upgrade-compiled/

Make sure you have the proper dev packages. In my case I had to install ‘libflex’ and ‘libgdbm-dev’ using apt-get install to install PHP. (I have Debian Unstable)

./configure –prefix=/var/httpd –enable-so –enable-proxy –enable-proxy-ftp –enable-proxy-http –enable-ssl –enable-headers –enable-rewrite –enable-cgi –enable-deflate –enable-mime-magic –enable-dav –enable-dav-fs –enable-userdir –enable-status –enable-info

make && make install

then I copied the original Apache conf from /etc/apache2 to the new root, /var/httpd/conf. I also had to update the httpd.conf file to set the correct server root and other misc server directives, but mostly they were all the same.

Test your install /var/httpd/bin/apachectl start
Goto http://localhost and make sure you get the web site.

Now install PHP.
./configure –with-apxs2=/var/httpd/bin/apxs –with-mysql=/var/mysql5010 –with-mysql-sock=/tmp/mysql5.sock –prefix=/var/httpd/php –with-config-file-path=/var/httpd/php –enable-force-cgi-redirect –disable-cgi –with-zlib –with-gettext –with-gdbm

make
cp -p .libs/libphp4.so /var/httpd/modules
cp -p php.ini-recommended /var/httpd/php/php.ini

I then put these into httpd.conf

<IfModule mod_php4.c>
AddType application/x-httpd-php .php .phtml .php3
AddType application/x-httpd-php-source .phps
</IfModule>
LoadModule php4_module modules/libphp4.so

then ran:
make install

Edit: 10/25/05

Additional new notes:

When configure is run, I do it this way now:

./configure –prefix=/var/httpd –enable-so –enable-proxy –enable-proxy-ftp –enable-proxy-http –enable-ssl –enable-headers –enable-rewrite –enable-cgi –enable-deflate –enable-mime-magic –enable-dav –enable-dav-fs –enable-userdir –enable-status –enable-info –enable-cache –enable-disk-cache –enable-mem-cache

And…

For setup with Zope I am running ProxyPass instead of Rewrites:

ProxyRequests On ProxyPass / http://127.0.0.1:18080/VirtualHostBase/http/www.adomain.com:80/clients/adomain_com/VirtualHostRoot/ ProxyPassReverse / http://127.0.0.1:18080/VirtualHostBase/http/www.adomain.com:80/clients/adomain_com/VirtualHostRoot/ ProxyRequests On ProxyPass / http://127.0.0.1:18080/VirtualHostBase/http/domain.1stbyte.org:80/clients/domain_com/VirtualHostRoot/ ProxyPassReverse / http://127.0.0.1:18080/VirtualHostBase/http/domain.1stbyte.org:80/clients/domain_com/VirtualHostRoot/

When you add the PHP config, you need to first add flex.

apt-get install flex

Also, the httpd.conf additons are partially done in the mods-enabled folder for php.conf.

Mysql 5 upgrade - compiled

Published
by
Greg
on April 2, 2006
in Databases and Linux
. Comment

I just upgraded my MySQL server from 5.0.7 to 5.0.10. I wanted to make a few notes about what I did to set it up.

1. I compiled MySQL 5.0.10-beta.

./configure --prefix=/var/mysql5010
--with-unix-socket-path=/tmp/mysql5.sock
--with-mysqld-ldflags=-all-static
--enable-assembler
--with-low-memory
--with-named-curses-libs=/lib/libncurses.so.5
--with-mysqld-user=mysql

2. Did a make && make install
3. Stop mysql507 (on my server I created a script to stop and start mysql and mysql5, this way I can easily run both servers at the same time) stopmysql5
4. mkdir /var/mysql5010/var
5. cp -Rv /var/mysql507/var/* /var/mysql5010/var
6. Chmod -Rv mysql.mysql /var/mysql5010
7. Updated the startmysql5 script to point to the new path (var/mysql5010), same with stopmysql5 script.
8. startmysql5

And I was running!  Now, this might not work on future versions, particularly since MySQL 5.x is in beta right now.

I did not recompile MySQLdb yet, as it is working fine for me, however it might be wise.  In fact, I really should do that because the libraries are pointing to the /var/mysql507 directory.

Edit: 10/25/05

The config options here are for a smaller/slower server.  Use this for normal servers with decent amount of RAM:

./configure --prefix=/var/mysql
--with-unix-socket-path=/tmp/mysql.sock
--with-mysqld-ldflags=-all-static
--enable-assembler
--with-named-curses-libs=/lib/libncurses.so.5
--with-mysqld-user=mysql
--enable-thread-safe-client

This also enables the Thread Safe client, which will work better with mysql-python modules.