Tuesday, March 16, 2010

Making permanent mounts in Ubuntu 9.10

sudo gedit /etc/fstab
Add at the end of the file:
/dev/sda7 /media/work ext4 rw,user,auto 0 0
The device name ("/dev/sda7" here) can be found with df -h or in System Monitor.
"/media/work" is the folder the device will be mounted on.
The other options are self-explanatory.

P.S. Note that the folder "/media/work" must exist and its permissions have to allow the appropriate actions for the user. Otherwise, only "root" will be able to change anything on the disk.
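As an added example (not part of the original post), here is a small shell script that checks a candidate fstab line against the pitfalls mentioned above before appending it: six fields, an existing mount point folder and no duplicate entry for that folder. The fstab path is a parameter so the checks can be run against a copy first; mktemp, awk and the sample device and folder names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): check a candidate fstab line
# before appending it. The fstab path is a parameter so the checks can be
# tried on a copy first; mktemp and the sample paths below are assumptions.
set -f   # no globbing: lines are split with "set --" and fields may hold '*'

# fstab_line_ok LINE: 0 if LINE has the six fstab fields and the last two
# (dump, pass) are numeric; 1 otherwise.
fstab_line_ok() {
  set -- $1
  [ $# -eq 6 ] || return 1
  case "$5$6" in *[!0-9]*) return 1 ;; esac
  return 0
}

# fstab_has_mountpoint FSTAB DIR: 0 if a non-comment entry already mounts DIR.
fstab_has_mountpoint() {
  awk -v m="$2" '$1 !~ /^#/ && $2 == m { found = 1 } END { exit !found }' "$1"
}

# add_fstab_entry FSTAB LINE: append LINE to FSTAB.
# Returns 0 if appended, 1 if LINE is malformed or its mount point directory
# does not exist (the post's P.S.), 2 if FSTAB already has an entry for it.
add_fstab_entry() {
  fstab=$1
  line=$2
  fstab_line_ok "$line" || return 1
  set -- $line
  [ -d "$2" ] || return 1
  fstab_has_mountpoint "$fstab" "$2" && return 2
  printf '%s\n' "$line" >>"$fstab"
}

# demo_fstab: exercises the checks on a constructed fstab copy in a temp dir.
# Returns 0 if all four cases behave as documented above.
demo_fstab() {
  t=$(mktemp -d) || return 1
  mkdir -p "$t/media/work"
  printf '# constructed sample fstab\nUUID=0000-0000 / ext4 errors=remount-ro 0 1\n' >"$t/fstab"
  rc=0
  # valid line, existing directory: appended
  add_fstab_entry "$t/fstab" "/dev/sda7 $t/media/work ext4 rw,user,auto 0 0" || return 1
  # same mount point again: duplicate (2)
  add_fstab_entry "$t/fstab" "/dev/sda8 $t/media/work ext4 rw,user,auto 0 0" || rc=$?
  [ "$rc" -eq 2 ] || return 1
  # mount point directory missing: rejected (1)
  rc=0; add_fstab_entry "$t/fstab" "/dev/sda9 $t/media/nothere ext4 defaults 0 0" || rc=$?
  [ "$rc" -eq 1 ] || return 1
  # only five fields: rejected (1)
  rc=0; add_fstab_entry "$t/fstab" "/dev/sda9 $t/media/work ext4 defaults 0" || rc=$?
  [ "$rc" -eq 1 ] || return 1
  # exactly one entry for the new mount point ended up in the file
  [ "$(grep -cF "$t/media/work" "$t/fstab")" -eq 1 ] || return 1
  rm -rf "$t"
}

demo_fstab && echo "fstab checks behaved as expected"
```

Note that the user option in the line above also implies noexec, nosuid and nodev unless they are explicitly overridden, which is the safe default for a user-mountable data partition.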

Sunday, March 14, 2010

Problems with clicking on Flash buttons in Ubuntu 9.10 with compiz

WORKAROUND 1: Disable Compiz
WORKAROUND 2: Remove flashplugin-nonfree / flashplugin-installer and install the plugin from Adobe
WORKAROUND 3: Open a terminal and enter:
gksudo gedit /usr/lib/nspluginwrapper/i386/linux/npviewer
Then add export GDK_NATIVE_WINDOWS=1 before the last line of the file.

The third workaround worked better for me.

Thursday, March 11, 2010

VNC and multi-user environment in Ubuntu 9.10

To allow multiple users to connect to our Ubuntu box, we need to install a VNC server with the following command:
sudo apt-get install vnc4server
It allows separate sessions for multiple logins, so users are isolated from each other: they won't fight over the mouse and won't see each other's applications :-)
Then we need to assign a password to our VNC logins. It can be done by running this command:
vncpasswd
Then we can launch a test desktop by running:
vncserver :1
The number here is the display number. The local user runs on display :0, and so on.
Now we can connect to it by specifying either the port number (::5901) or the display number (:1) in the remote VNC viewer. However, after logging in, the desktop won't be the usual X session. It will be presented as a simple GUI with a command line, or just as a blank screen with a cross-shaped cursor.
Now we need to shut down the session with:
vncserver -kill :1
Next, edit ~/.vnc/xstartup. It should look similar to:
#!/bin/sh

# Uncomment the following two lines for normal desktop:
#unset SESSION_MANAGER
#exec /etc/X11/xinit/xinitrc

#[ -x /etc/vnc/xstartup ] && sh /etc/vnc/xstartup
#[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
#xsetroot -solid grey
#vncconfig -iconic &
#xterm -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
#twm &

unset SESSION_MANAGER
sh /etc/X11/xinit/xinitrc

Now we can start vncserver :1 again and connect to it. Pay attention to the user under which vncserver has been started: if we started the server under our current user, the remote login will be as that same user.
To let a different user log in, we should create another user in Ubuntu, install an SSH server and repeat all the steps above. Then we can first SSH to our Ubuntu box, log in as the other user (the one we want to use for the remote VNC session), type vncserver :[number] in the console session, and then launch the VNC viewer on the remote client and connect to the session just created.

To secure the traffic on its way, we can tunnel it through the SSH connection. For this we need to add an SSH tunnel in the PuTTY menu, specifying "5900" as the source port (if we are connecting to display :0) and "localhost:5900" as the destination. Then connect to the server and leave the PuTTY window as is. Now we just need to connect via VNC to localhost:5900 and our traffic will be tunneled through the SSH connection. That's it.


Whew, sounds like a lot of routine, but I haven't found a way to automate it yet.
The good thing is that at least it's working ;-)

P.S. To get multiple instances of Firefox (or any other Mozilla application) running simultaneously when we are logged on as the same user as the local session, we need to set the environment variable MOZ_NO_REMOTE=1 before starting Firefox.
To do this just use:
export MOZ_NO_REMOTE=1

Firestarter - another great GUI front-end to iptables

We can use apt-get install firestarter to get Firestarter running. After the startup wizard, our rules will be imported into iptables. Even if Firestarter's GUI isn't running, the firewall is actually working, so we don't have to worry about it.
We can check the firewall status by running:
sudo /etc/init.d/firestarter status
By default, the GUI won't be started after a reboot.
To override this, we should make a few simple configuration changes.
First of all, we need to add Firestarter to System - Preferences - Startup Applications. There, add an entry stating:
sudo firestarter --start-hidden
However, a password has to be supplied to run this command, because it runs with root privileges. Moreover, we can't supply the password, since this is a login script, so it just won't work at all. To get it working, we should edit the /etc/sudoers file with any text editor or, preferably, via the sudo visudo command. Then add the following line to the end of the file, or it won't work:
[username] ALL=NOPASSWD: /usr/sbin/firestarter

That's it! Now we are done and can start using the firewall!

P.S. It's not recommended to start the GUI automatically on system startup, since it's a security risk.
P.P.S. Uninstalled it after 1 day of use. It allows only 2 network interfaces to be configured as local or outside, making other interfaces work improperly. For example, pings won't be allowed from those unconfigured interfaces at all. Maybe more inconveniences are present, but I haven't tested it any further. Moreover, after removing Firestarter, ufw stopped working and I had to install Firestarter back and then remove it completely with the apt-get remove --purge command. It didn't heal ufw, so I had to completely remove it too and then install it back. Sounds ugly, doesn't it?

Wednesday, March 10, 2010

UFW - simply great firewall for Linux

UFW is a very simple and powerful firewall which allows us to configure our policies in minutes!
Moreover, it allows us to configure forwarding of traffic between interfaces and even NAT!
We can check the UFW status by typing sudo ufw status, or just sudo ufw to see the list of available options.
By default, all outbound traffic is permitted. UFW is a stateful firewall, so it tracks connections by maintaining a connection table. Returning traffic is permitted through the firewall only if the corresponding connection is in the table; put simply, traffic is allowed back in only if the connection was originated from the inside network.
To open ports in the firewall, so that inbound connections are allowed, we have to add rules. It's simple:
sudo ufw allow [port][/tcp|udp]
or
sudo ufw deny [port][/tcp|udp] to block ports.
To disable logging we can execute:
sudo ufw logging off

Here are steps to configure routing and NAT.

First, packet forwarding needs to be enabled.
We need to modify 2 configuration files:
1.  In /etc/default/ufw, change DEFAULT_FORWARD_POLICY to "ACCEPT".
2.  In /etc/ufw/sysctl.conf, uncomment net/ipv4/ip_forward=1
After these steps our Linux machine will begin to forward packets between its interfaces!
Only the NAT configuration is left, and it's pretty straightforward.
We need to add rules to the /etc/ufw/before.rules file. Add the following block right at the top of the file, after the header comments:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
To enable port forwarding, also add the following line before the COMMIT keyword. If the port on the NAT device differs from the port on the destination, simply append :[portNumber]
-A PREROUTING -i eth1 -p tcp --dport 3389 -j DNAT --to 192.168.139.101:[portNumber]
Of course, IP networks and interface names should be replaced with appropriate values. eth0 in this example is our outside interface, on which translation will be performed. 192.168.0.0/24 is our internal subnet, which requires translation.
Only restarting the firewall is left:
sudo ufw disable && sudo ufw enable

Using ACLs in a switch

vlan access-map map-name [sequence]
 match {ip | mac} {acl-name | acl-number}
 action {drop | forward | redirect type mod/num}
 exit

vlan filter map-name vlan-list vlan-list

Troubleshooting:
show vlan filter
show vlan access-map

Private VLANs

First, we need to define the secondary VLANs. We have to do this first because they will be mapped to the primary VLAN in a later step.
vlan 201
 private-vlan community
vlan 202
 private-vlan isolated

Next, we need to define the primary VLAN and its association with the secondary VLANs:

vlan 2
 private-vlan primary
 private-vlan association  201, 202

Now we need to configure the switch ports. First, let's configure the ports connected to the user devices:


int fa0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 2 201

int range fa0/2 - 3 
 switchport mode private-vlan host
 switchport private-vlan host-association 2 202

Now we need to configure any promiscuous ports on the switch. Routers will be connected to those ports:

int fa0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 2 201, 202

How to check system specification in Ubuntu

sudo lshw -html > /home/igro/Desktop/1.html

Tuesday, March 9, 2010

Ntpdate + Crontab

Crontab is used to automate repetitive tasks.
We can use the command crontab -e to enter the editor and then add the tasks we need.
crontab -l shows the scheduled commands for a particular user.

Ntpdate is a simple program that allows us to synchronise the system time once. It's not as sophisticated as the ntpd daemon, which runs in the background and synchronises the system time continuously.
Its usage is also simple: ntpdate servername

It can be really handy to combine it with crontab to synchronise system clock periodically.

Just do the following:
sudo crontab -e
@hourly /usr/sbin/ntpdate 1.it.pool.ntp.org

This crontab job should be executed as root, or the date won't be synchronised.
Also, the path to the program in the crontab job should be a full path. Even though the ntpdate servername command works when typed in a terminal, it won't from a crontab job. For crontab we have to specify the full path, e.g. /usr/sbin/ntpdate servername. That is a general rule for crontab.
To find the full path of a command, we can use the which command.
For example, which ntpdate.

Crontab  example:
0 */2 * * * /home/igro/Desktop/backupGNS

The line above runs the backupGNS script every two hours.
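As an added example (not part of the original post), the shell script below applies the "full path" rule stated above to a crontab: it splits each job line into schedule (five fields or an @keyword) and command and flags commands that do not start with "/". The sample crontab, built from the two lines in the post plus two offenders, is constructed; awk and mktemp are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the original post): flag crontab job lines whose
# command is not a full path, which is the rule the post states for cron.
# The sample crontab below is constructed; only awk and mktemp are needed.

# cron_command LINE: print the command part of a job LINE, skipping either
# the five time fields or a single @keyword such as @hourly.
cron_command() {
  case $1 in
    @*) printf '%s\n' "$1" | awk '{ $1 = ""; sub(/^ +/, ""); print }' ;;
    *)  printf '%s\n' "$1" | awk '{ for (i = 1; i <= 5; i++) $i = ""; sub(/^ +/, ""); print }' ;;
  esac
}

# cron_line_ok LINE: 0 if LINE is blank, a comment, an environment setting
# (NAME=value) or a job whose command starts with '/'; 1 otherwise.
cron_line_ok() {
  case $1 in
    ''|'#'*)       return 0 ;;
    [A-Za-z_]*=*)  return 0 ;;
  esac
  case "$(cron_command "$1")" in
    /*) return 0 ;;
    *)  return 1 ;;
  esac
}

# cron_report CRONTAB: print every job line in CRONTAB that lacks a full path.
cron_report() {
  while IFS= read -r l || [ -n "$l" ]; do
    cron_line_ok "$l" || printf 'no full path: %s\n' "$l"
  done <"$1"
}

# cron_relative_count CRONTAB: print how many job lines lack a full path.
cron_relative_count() {
  cron_report "$1" | awk 'END { print NR }'
}

# demo_crontab: runs the check over a constructed crontab (the two lines from
# the post plus two offenders). Returns 0 if exactly two lines are flagged.
demo_crontab() {
  t=$(mktemp -d) || return 1
  printf '%s\n' '# constructed sample crontab' \
    'PATH=/usr/sbin:/usr/bin:/bin' \
    '@hourly /usr/sbin/ntpdate 1.it.pool.ntp.org' \
    '@hourly ntpdate 1.it.pool.ntp.org' \
    '0 */2 * * * /home/igro/Desktop/backupGNS' \
    '30 3 * * 1 tar czf /tmp/backup.tgz /home' >"$t/crontab"
  cron_report "$t/crontab"
  n=$(cron_relative_count "$t/crontab")
  rm -rf "$t"
  [ "$n" -eq 2 ]
}

demo_crontab && echo "crontab path check behaved as expected"
```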

Installing Packet Tracer i386 in Linux 64-bit.

I've downloaded PacketTracer-5.2.bin and my first intention was to simply install it with chmod +x .....bin and then ./....bin. However, the installation complains about an inconsistent architecture. The workaround is to extract the .deb package from this .bin file and then force it to install on the 64-bit operating system.
To accomplish this, we need to begin the installation of the .bin file and, after the EULA has been displayed, navigate to /tmp/selfextract.[randomNumber] and get the .deb file from that directory. Then simply force it to install without checking the architecture:
sudo dpkg -i --force-all ./PacketTracer-5.2-u.i386.deb

Enjoy!

Monday, March 8, 2010

How to mount and why do we need it

Sometimes it would be useful to put a path that contains spaces into a script.
Something like "/home/igro/Ubuntu One".
For example, tar can't accept a path like this one.
As a workaround we can bind-mount this path onto a different folder and use that folder as the path in the script.

For example:
mount -B "/home/igro/Ubuntu One" "/NewFolderName"
And after that:
tar /NewFolderName <- this is not an actual command, but the idea is about the path used.
Don't forget that we need to create the destination folder before using it in the mount command.

Executing .bin files

.bin files are similar to installation files in Windows.
1. First we should add execute permission with chmod +x /[path]/[filename]
2. Navigate to the file's folder.
3. Execute the file: ./[filename]

Sunday, March 7, 2010

Securing Switch Access

If an interface is in the restrict or protect condition, we might need to clear the learned MAC addresses so that a specific host can use the switch port. We can clear a single MAC address or the whole port cache with the following command:
Switch# clear port-security dynamic [address mac-addr | interface type mod/num]

Checking port states:
show port-security interface
show interfaces status err-disabled
show port-security
=================================================
Steps to enable dot1x authentication:
Switch(config)# aaa new-model
Switch(config)# radius-server host {hostname | ip-address} [key string]
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface type mod/num
Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}
Here, the 802.1x state is one of the following:
force-authorized—The port is forced to always authorize any connected client. No authentication is necessary. This is the default state for all switch ports when 802.1x is enabled.
force-unauthorized—The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.
auto—The port uses an 802.1x exchange to move from the unauthorized to the authorized state, if successful. This requires an 802.1x-capable application on the client PC.
If the switch should expect to find multiple hosts present on the switch port, use the following interface configuration command:
Switch(config-if)# dot1x host-mode multi-host
Verifying dot1x operations:
show dot1x all
=================================================
DHCP Snooping
When DHCP snooping is enabled, switch ports are categorized as trusted or untrusted. Legitimate DHCP servers can be found on trusted ports, whereas all other hosts sit behind untrusted ports. A switch intercepts all DHCP requests coming from untrusted ports before flooding them throughout the VLAN. Any DHCP replies coming from an untrusted port are discarded because they must have come from a rogue DHCP server. In addition, the offending switch port automatically is shut down in the Errdisable state. DHCP snooping also keeps track of the completed DHCP bindings as clients receive legitimate replies. This database contains the client MAC address, IP address offered, lease time, and so on.

Configuration:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan vlan-id [vlan-id]
By default, all switch ports are assumed to be untrusted so that DHCP replies are not expected or permitted. Only trusted ports are allowed to send DHCP replies.

Switch(config)# interface type mod/num 
Switch(config-if)# ip dhcp snooping trust 
For untrusted ports, an unlimited rate of DHCP requests is accepted by default. If we want to rate-limit DHCP traffic on an untrusted port, use the following interface configuration command:
Switch(config)# interface type mod/num  
Switch(config-if)# ip dhcp snooping limit rate rate

The DHCP option-82 feature is enabled by default. We can enable or disable option 82 globally with the following configuration command:
Switch(config)# [no] ip dhcp snooping information option

Verifying:
Switch# show ip dhcp snooping [binding]
We can use the binding keyword to display all the known DHCP bindings that have been overheard.

Example:
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 104
Switch(config)# interface range fastethernet 0/35 - 36
Switch(config-if)# ip dhcp snooping limit rate 3
Switch(config-if)# interface gigabitethernet 0/1
Switch(config-if)# ip dhcp snooping trust

IP Source Guard
IP Source Guard works by making use of the DHCP snooping database and static IP source binding entries. If DHCP snooping is configured and enabled, the switch learns the MAC and IP addresses of hosts that use DHCP. Packets arriving on a switch port can be tested for one of the following conditions:
■ The source IP address must be identical to the IP address learned by DHCP snooping or a static entry. A dynamic port ACL is used to filter traffic. The switch automatically creates this ACL, adds the learned source IP address to the ACL, and applies the ACL to the interface where the address is learned.
■ The source MAC address must be identical to the MAC address learned on the switch port and by DHCP snooping. Port security is used to filter traffic.
If the address is something other than the one learned or statically configured, the switch drops the packet.

For the hosts that do not use DHCP, you can configure a static IP source binding with the following configuration command:
Switch(config)# ip source binding mac-address vlan vlan-id ip-address interface type mod/num
Here, the host’s MAC address is bound to a specific VLAN and IP address, and is expected to be found on a specific switch interface. 
Next, enable IP source guard on one or more switch interfaces with the following configuration commands:
Switch(config)# interface type mod/num
Switch(config-if)# ip verify source [port-security]

Verify the IP source guard status:
Switch# show ip verify source [interface type mod/num]


Dynamic ARP Inspection
When an ARP reply is received on an untrusted port, the switch checks the MAC and IP addresses reported in the reply packet against known and trusted values. A switch can gather trusted ARP information from statically configured entries or from dynamic entries in the DHCP snooping database.
If an ARP reply contains invalid information or values that conflict with entries in the trusted database, it is dropped and a log message is generated. This action prevents invalid or spoofed ARP entries from being sent and added to other machines’ ARP caches.
We can configure DAI by first enabling it on one or more client VLANs with the following configuration command:
Switch(config)# ip arp inspection vlan vlan-range 
By default, all switch ports associated with the VLAN range are considered untrusted. We should identify as trusted those ports that connect to other switches:
Switch(config)# interface type mod/num
Switch(config-if)# ip arp inspection trust


If we have hosts with statically configured IP address information, there will be no DHCP message exchange that can be inspected. Instead, we can configure an ARP access list that defines static MAC-IP address bindings that are permitted:
Switch(config)# arp access-list acl-name
Switch(config-acl)# permit ip host sender-ip mac host sender-mac [log]
[Repeat the previous command as needed]
Switch(config-acl)# exit
Now the ARP access list must be applied to DAI with the following configuration command:
Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [static]

Finally, we can specify further validations on the contents of ARP reply packets. By default, only the MAC and IP addresses contained within the ARP reply are validated. This doesn't take into account the actual MAC addresses contained in the Ethernet header of the ARP reply. To validate that an ARP reply packet is really coming from the address listed inside it, we can enable additional DAI validation with the following configuration command:
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}

Verification:
show ip arp inspection 

Wednesday, March 3, 2010

Syslog in Ubuntu

To be able to accept remote syslog messages, I installed sysklogd (the k in the middle isn't a typo) and changed /etc/default/syslogd. I added the -r option so syslog accepts not only local but also remote logs.
Then just restart the syslog daemon with:
/etc/init.d/sysklogd restart
Also, we should add a rule to ufw to allow incoming connections on UDP port 514:
sudo ufw allow 514/udp

Done!

GNS3 in Ubuntu 9.10

Today was a day of Linux exploration. I made a dual boot for Windows 7 + Ubuntu 9.10 and it works pretty well so far (if we don't take into account that I have almost no free space left on the HDD). Let's summarize today's findings:
  1. GNS3 can, and preferably should, be downloaded as source. However, we can just start it without any compilation.
  2. Also, we need python-qt4 for GNS3 to work properly: apt-get install python-qt4.
  3. Dynamips should be downloaded as a binary. We can just put it in the GNS3 folder and that's all.
  4. Wireshark can be downloaded as a package via Synaptic Package Manager (don't forget to launch it as root or you won't see any interfaces available for capture). We can add gksudo before the path to Wireshark in the shortcut.
  5. GNS3 should be launched with root privileges to be able to connect routers to tap interfaces: sudo /[path]/gns3, or create a shortcut and put gksudo /[path]/gns3 in its "command" option.
  6. One of the most important things I've learned today is that tap interfaces play the role of loopback interfaces in Windows. They can be created with the following commands:
    • tunctl -t tap1
      ifconfig tap1 192.168.139.1 netmask 255.255.255.0 up
  7. These commands require the uml-utilities package. So: apt-get install uml-utilities
  8. But they will be gone after rebooting, so to automate the process we can create a script with the commands above and place it in the /etc/init.d directory. Then we need to make the file executable with sudo chmod +x /etc/init.d/[file name]. As a final step we need to execute sudo update-rc.d [file name] defaults. It will add our script to the startup scripts.
At this point we are almost done. Our routers can ping the tap interfaces. However, Linux won't route the traffic between interfaces. As a consequence, we can't communicate with the outside world or even with VirtualBox guests bridged to other tap interfaces.

In order to make it possible, we should enable routing in Linux. We can also enable NAT.
I've done it via UFW. A great, simple firewall; actually, it's a front-end to iptables.
Here are steps to configure routing and NAT.

First, packet forwarding needs to be enabled.
We need to modify 2 configuration files:
1.  In /etc/default/ufw, change DEFAULT_FORWARD_POLICY to "ACCEPT".
2.  In /etc/ufw/sysctl.conf, uncomment net/ipv4/ip_forward=1
After these steps our Linux machine will begin to forward packets between its interfaces!
Only the NAT configuration is left, and it's pretty straightforward.
We need to add rules to the /etc/ufw/before.rules file. Add the following block right at the top of the file, after the header comments:
# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
Of course, IP networks and interface names should be replaced with appropriate values. eth0 in this example is our outside interface, on which translation will be performed. 192.168.0.0/24 is our internal subnet, which requires translation.
Only restarting the firewall is left:
sudo ufw disable && sudo ufw enable
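The routing and NAT steps above are the same ones given in the UFW post; as an added example (not part of either post and not ufw's own code), the shell script below verifies on copies of the three files that the edits are really in place, including that the nat block still ends with COMMIT, since without it the whole block is silently skipped. The temp-dir copies, the constructed stock contents and GNU sed -i are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original post): check, on copies of the three
# files, that the routing/NAT edits described above are really in place.

# forward_policy_ok FILE: 0 if DEFAULT_FORWARD_POLICY="ACCEPT" is set in FILE
# (a copy of /etc/default/ufw).
forward_policy_ok() {
  grep -Eq '^DEFAULT_FORWARD_POLICY="?ACCEPT"?[[:space:]]*$' "$1"
}

# ip_forward_ok FILE: 0 if net/ipv4/ip_forward=1 is present and not commented
# out in FILE (a copy of /etc/ufw/sysctl.conf).
ip_forward_ok() {
  grep -Eq '^[[:space:]]*net/ipv4/ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# nat_block_ok FILE SUBNET OUTIF: 0 if FILE (a copy of /etc/ufw/before.rules)
# has a *nat table containing "-A POSTROUTING -s SUBNET -o OUTIF -j MASQUERADE"
# and that table is closed by a COMMIT line. Without the COMMIT the block is
# never loaded, which is the pitfall the comment in the post warns about.
nat_block_ok() {
  awk -v s="$2" -v o="$3" '
    /^\*nat/              { innat = 1; next }
    /^\*/                 { innat = 0 }
    innat && /^COMMIT/    { innat = 0; committed = 1 }
    innat && /-A POSTROUTING/ && /-j MASQUERADE/ {
      hs = 0; ho = 0
      for (i = 1; i < NF; i++) {
        if ($i == "-s" && $(i + 1) == s) hs = 1
        if ($i == "-o" && $(i + 1) == o) ho = 1
      }
      if (hs && ho) rule = 1
    }
    END { exit !(rule && committed) }' "$1"
}

# demo_ufw_nat: exercises the checks on constructed copies in a temp dir,
# before and after applying the edits. Returns 0 if every case behaves as expected.
demo_ufw_nat() {
  t=$(mktemp -d) || return 1
  # constructed stock contents: forwarding off, ip_forward commented, no nat table
  printf 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="DROP"\n' >"$t/ufw"
  printf '# constructed copy of /etc/ufw/sysctl.conf\n#net/ipv4/ip_forward=1\n' >"$t/sysctl.conf"
  printf '# constructed copy of /etc/ufw/before.rules\n*filter\nCOMMIT\n' >"$t/before.rules"
  forward_policy_ok "$t/ufw" && return 1
  ip_forward_ok "$t/sysctl.conf" && return 1
  nat_block_ok "$t/before.rules" 192.168.0.0/24 eth0 && return 1
  # apply the three edits from the post
  sed -i 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/' "$t/ufw"
  sed -i 's|^#net/ipv4/ip_forward=1|net/ipv4/ip_forward=1|' "$t/sysctl.conf"
  {
    head -n 1 "$t/before.rules"   # keep the header comment on top
    printf '# nat Table rules\n*nat\n:POSTROUTING ACCEPT [0:0]\n'
    printf '%s\n' '-A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE' COMMIT
    tail -n +2 "$t/before.rules"
  } >"$t/before.rules.new" && mv "$t/before.rules.new" "$t/before.rules"
  forward_policy_ok "$t/ufw" || return 1
  ip_forward_ok "$t/sysctl.conf" || return 1
  nat_block_ok "$t/before.rules" 192.168.0.0/24 eth0 || return 1
  # a subnet or interface that is not in the rule must not pass
  nat_block_ok "$t/before.rules" 10.0.0.0/8 eth0 && return 1
  # dropping the nat table's COMMIT (the first one in the file) must fail the check
  awk '!(/^COMMIT/ && !done++)' "$t/before.rules" >"$t/nocommit.rules"
  nat_block_ok "$t/nocommit.rules" 192.168.0.0/24 eth0 && return 1
  rm -rf "$t"
}

demo_ufw_nat && echo "ufw routing/NAT checks behaved as expected"
```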

After all we have done, all that's left is to enjoy our speedy routers in Linux! Cheers!


P.S. Here is the way to enable communication with the outside world, from Blindhog.net.

To communicate with the outside world, we can't just connect the router to the eth0 interface in the cloud. First we have to create a tap interface, bridge it to the real interface eth0, and then connect the router to the tap interface. The following is a copy/paste from the blindhog.net blog:

    Here are the steps to manually create a bridge group.
    ======================================
    1. Create a tap interface
      sudo tunctl -t tap0
    2. Remove ip addressing and set eth0 and tap0 to promiscuous mode
      sudo ifconfig tap0 0.0.0.0 promisc up
      sudo ifconfig eth0 0.0.0.0 promisc up
    3. Create a new bridge interface
      sudo brctl addbr br0
    4. Add tap0 and eth0 to the bridge group
      sudo brctl addif br0 tap0
      sudo brctl addif br0 eth0
    5. Enable the bridge interface and give it an ip address
      sudo ifconfig br0 up
      sudo ifconfig br0 10.10.10.99/24
    6. Configure the default route
      sudo route add default gw 10.10.10.254

    Here are the steps to reverse the changes (these can be copied and pasted in)
    ======================================
    sudo ifconfig br0 down
    sudo brctl delif br0 eth0
    sudo brctl delif br0 tap0

    sudo brctl delbr br0
    sudo tunctl -d tap0
    sudo ifconfig eth0 up
    sudo ifconfig eth0 10.10.10.99/24

    sudo route add default gw 10.10.10.254
     
    Add the following to your /etc/network/interfaces config file if you are using static addressing.
    ======================================
    auto br0
    iface br0 inet static
    address 10.10.10.99
    netmask 255.255.255.0
    gateway 10.10.10.254
    bridge-ports eth0 tap0
    pre-up ifconfig eth0 0.0.0.0 promisc up
    pre-up ifconfig tap0 0.0.0.0 promisc up

     
    Add the following to your /etc/network/interfaces config file if you are using dhcp.
    ======================================
    auto br0
    iface br0 inet dhcp
    bridge-ports eth0 tap0
    pre-up ifconfig eth0 0.0.0.0 promisc up
    pre-up ifconfig tap0 0.0.0.0 promisc up