Sep 19

Restricted user for SSH port forwarding

Reading time: 2 – 2 minutes

I love “ssh -R” reverse SSH is really useful when you have to get access to a Linux machine behind a NAT or firewall. One of the most powerful scenarios to get that running is use a third machine with a public IP address. The idea will be run reverse SSH command in target Linux and publish a forward port at the third server, so you only have to connect to a published port in that third server and you’ll get the target Linux thanks to the reverse SSH connection open between them.

reverse-ssh-schema

A long time ago I talked about that in my podcast “2×04 SSH avançat“.

With this scenario we have a security challenge with the SSH user account on the “third server”, we want a secure user:

  • without shell and sftp access
  • secure enough to only allow port forwarding features
  • access only allowed with authorized keys

I’m not going to give precise Linux instructions on that limited user, but for user you’re not going to have problems to get that:

/etc/passwd(-):

limited-user:x:1001:1001::/home/limited-user:

/etc/shadow(-):

limited-user:!:17037:0:99999:7:::

/etc/ssh/sshd_config:

Match User limited-user
    GatewayPorts yes
    ForceCommand echo 'This account can only be used for maintenance purposes'

Of course, you’ll have your own UID, GID and use your own username. And at “/home/limite-user/.ssh/authorized_ssh” you’ll have to pub public key of the clients that want to use the service.

I’ve got my inspiration to get that from: How to create a restricted SSH user for port forwarding?. Thank you askubnutu.com.

Sep 12

Ubuntu server as wifi AP and Mikrotik as a DHCP server

Reading time: 2 – 3 minutes

It’s important to have a very clear picture about the scenario that we’re going to configure in that case because it’s a little bit particular. This is an evolution of the previous post: Ubuntu server as wifi AP and Mikrotik as a DHCP server

schema

There is a server running Ubuntu 16.04 and offering wifi service as an AP. The wifi interface is in bridge mode with the ethernet port and send all traffic to the Mikrotik gateway where there is a DHCP server in charge to serve IP address to wifi clients.

Start by configuring the bridge in the Ubuntu server. File “/etc/network/interfaces”:

source /etc/network/interfaces.d/*

auto lo br0
iface lo inet loopback

#ethernet interface
allow-hotplug enp2s0
iface enp2s0 inet manual

#wifi interface
allow-hotplug wlp3s0
iface wlp3s0 inet manual

# Setup bridge
iface br0 inet static
    bridge_ports enp2s0 
    address 192.168.2.2
    netmask 255.255.255.0
    network 192.168.2.0

Pay attention on “bridge_ports” the wifi interface is not added on the list, this is because until the hostapd is running it doesn’t make sense to do that. You’ll see “bridge=br0” option on hostapd.conf which will fix that misbehavior.

Wifi AP configuration, “/etc/default/hostapd”:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

and “/etc/hostapd/hostapd.conf”:

bridge=br0                # bridge interface
interface=wlp3s0          # wifi interface name
driver=nl80211
ssid=the_ssid_name        # name of your network
hw_mode=g
channel=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=the_secret_key   # secret key to joing with the wifi network
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
logger_syslog=-1
logger_syslog_level=3
logger_stdout=-1
logger_stdout_level=1

DHCP server configuration on Mikrotik:

# setting the interface address, in my case ether4
/ip address
add address=192.168.2.1/24 interface=ether4 network=192.168.2.0

# setting up DHCP on interface 4 of the mikrotik device
/ip dhcp-server
add address-pool=dhcp-pool disabled=no interface=ether4 name=dhcp-pool

# network of the DHCP server
/ip dhcp-server network
add address=192.168.2.1.0/24 dns-server=8.8.8.8 domain=your_network.local gateway=192.168.2.1 netmask=24

# IP pool used by the DHCP server
/ip pool
add name=dhcp-pool ranges=192.168.2.65-192.168.2.70
Sep 05

Cookbook: set-up a TFTP server on Ubuntu

Reading time: 1 – 2 minutes

Sometimes TFTP is the only protocol available to exchange files with an embedded system. So, it’s very easy to have that supported in our workstation or any other place to exchange files with those systems.

Set up steps:

apt-get install tftpd-hpa

modify file “/etc/default/tftpd-hpa”:

TFTP_OPTIONS="--secure --create"

–secure: Change root directory on startup. This means the remote host does not need to pass along the directory as part of the transfer, and may add security. When –secure is specified, exactly one directory should be specified on the command line. The use of this option is recommended for security as well as compatibility with some boot ROMs which cannot be easily made to include a directory name in its request.

–create Allow new files to be created. By default, tftpd will only allow upload of files that already exist. Files are created with default permissions allowing anyone to read or write them, unless the –permissive or –umask options are specified.

Needed to allow uploads in that directory:

chown -R tftp /var/lib/tftpboot

Restart and check if the service is running:

service tftpd-hpa restart
service tftpd-hpa status
netstat -a | grep tftp
Sep 01

New home server working as a wifi AP and DHCP server

Reading time: 2 – 3 minutes

At the beginning of August I’ve received a new home server, I decided to stop my old HP ML110 G5 and substitute that by a new silent and low power server also based on Intel technologies in this case it’s al i5 with 8G of RAM and 128GB of SSD for less than 300€ including custom costs I think it’s a very good investment.

fmp03-geekbuing

 

I installed Ubuntu 16.04 LTS server, I don’t tried de Win10 pre-installed. I happy to see a very new and powerful BIOS with tons of options. But in this blog entry I want to explain how to set-up the wifi card as a wifi AP. I didn’t have to do anything to configure the card. It worked by default.

Ralink corp. RT3090 Wireless 802.11n 1T/1R PCIe

The first thing is check if the wifi network is compatible with the AP mode.

iw list
...
Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
         * mesh point
...

Next thing is install the “hostapd” which is going to take care to set-up the AP. The configuration file have to be something like that “/etc/hostapd/hostpad.conf

interface=wlan0   # change that with the wifi interface name
driver=nl80211
ssid=test         # your wifi network name
hw_mode=g
channel=1         # look up for a free channel
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=1234567890   # passwor to join the wifi network
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

Modify “/etc/default/hostapd” and put that:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

Start the hostapd service:

sudo service hostapd start

Now the AP is running but a DHCP service giving IPs it’s need, I used “isc-dhcp-server”. First thing to configure is “/etc/default/isc-dhcp-server” with the wireless network name:

INTERFACES="wlan0"

Next file to be configured is “/etc/dhcp/dhcpd.conf”:

ddns-update-style none;
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.128 192.168.1.253;
    option domain-name-servers 192.168.1.1;
    option routers 192.168.1.1;
}

Don’t forget to start the service:

sudo service isc-dhcp-server start

If it’s needed remember to create the proper iptables rules and enable “ip_forward” in /proc filesystem. I’m not going to describe that because in my case it’s not going to be useful.

This is not a specially interesting post entry but useful as a reference, when you have to use a fast and easy cookbook to setup a wifi AP.

Aug 22

OpenVPN between pfSense and Mikrotik

Reading time: 3 – 5 minutes

vpn-pfsense-mikrotik-schemaAssuming previous scenario I’m going to describe the required configurations on pfSense and Mikrotik. Certifcate creation is not part of the scope of this document, if you are not familiar about how to do that it’s a good idea to use the pfSense certificate manager to do it. My last advice is take care with certificates 90% of problems that I found in my life when I was working on VPNs are because of that. Take your time to check it before spend your time playing with other configurations.

In that scenario pfSense will play the role of the VPN server and Mikrotik will be the client, so I’m going to start describing pfSense configurations.

Create OpenVPN server on proper section:

pfsense-openvpn-server

 

Important things to take in account when you set up the parameters are socket has to be a TCP socket in my case I decided to use port 1201:

pfsense-openvpn-server-configNext settings on the same place are about local network and tunnel IP addresses, this is required to create proper routing rules on the server and the client.

pfsense-openvpn-server-config2

 

Last part to configure on this sections is extremly simple, only take care to unmark everything and check “address pool” setting.

pfsense-openvpn-server-config3

 

Remember to open that port on Firewall rules.

pfsense-firewall-rules

 

A VPN user is required to authenticate the process, just go to “User Management” inside the “System” menu:

pfsense-user-manager-oriol

 

pfSense is configured, now it’s time to set-up the OpenVPN client on Mikrotik using Winbox. Remember to import the certificates:

certificates-mikrotik

 

Click on “PPP” this on the left menu:

ppp-mikrotik

 

Add an OVPN Client connection using the “+” button, the parameters for that connection are:

ppp-interface

 

Another required thing to define on “PPP” is the profile, click on the tab “Profile” and using the button with symbol “+” create a new profile like that:

ppp-profile

 

Everything is ready, now it’s time to check if the connection is OK. First go to the OVPN client on Mikrotik, remember this is on “PPP” menu option and inside tab “Interfaces”. Clicking on the interface you’ll see the status details. If it’s disconnect going to pfSense or Mikrotik logs you can see the negotiation details.

Remember usually the problem is with your certificates, but first of all you have to ensure that the negotiation tries to start.

Enjoy it and good luck.

 

Aug 15

Sniffing on Mikrotik and streaming in real-time to Wireshark

Reading time: 2 – 2 minutes

When you have a Mikrotik in any point of your network and you want to launch a sniffer for debugging or troubleshooting, a part from original RouterOS tools, you can stream captured traffic in real-time to Wireshark and inspect packets there.

The idea is exactly the same like I explained on the entry: Sniffing traffic in a Linux box and streaming in real-time to Wireshark on Windows.

Mikrotik configuration using the web interface is like that:

mikrotik-config

We assume 10.2.0.44 is the IP address of the Wireshark box, ensure that you don’t block UDP traffic on port 37008 because the stream from Mikrotik uses that target port. And define your own filters.

About Wireshark configuration is really simple, just set up the filter to allow only traffic from sniffing stream and select the network interface where traffic comes.

wireshark-config

Previous captures allow us to debug DNS queries to Google DNS service, this is the result when you click to the icon marked with a red circle on previous screen capture.

wireshark-traffic

Aug 01

Extracting private and public keys from a p12 file

Reading time: 1 – 2 minutes

PKCS#12 is a container for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. This is a fast and simple summary about how to extract your keys from those kind of files:

#Private key:
openssl pkcs12 -in file_name.p12 -nocerts -out private.key
#Certificates:
openssl pkcs12 -in file_name.p12 -clcerts -nokeys -out public.crt

Recurrently I have to access to a usuful guide about those kind of openssl parameters, let me refer that guide:

The Most Common OpenSSL Commands (local copy)

Update 2016/09/19
Usefull links for SSL:

Jul 27

Mikrotik as a PPTP server for Android

Reading time: 4 – 6 minutes

Two years ago I installed a Mikrotik Cloud Switch and lately I stoped my pfSense and I started using that switch as my network router, firewall and also as a switch. RouterOS is really powerful and allows to do a lot of things with that hardware. One of those things is set-up a VPN server based on PPTP. This is not the most secure way to create VPNs but usually the only requirement is a little bit of security on top of an IP over IP service that allows us to use local service when we’re in remote. In my case I have a lot of services in my LAN and I need some of them when I’m out of home specially I need to use them from my mobile phone.

Next steps describe how I set-up a PPTP server on my Mikrotik server allowing my Android 6 device (Huawei Mate 8) to connect to my home services through the VPN. Bellow you have a simple schema representing the schenario of the solution:

architecture

I’m only going to describe steps from the web console, of course, all those steps can be done using Winbox or the command line. To be honest I’m not used to RouterOS CLI but I think it’s not difficult to figure out the CLI commands to get the same result.

First step is set-up a pool of IP addresses to be assigned to the tunnel endpoints.

01-ip-pool

02-ip-pool

Thanks to an ARP proxy those IP addresses will be available like local IPs, this is transparent for the VPN configuration.

00-arp-proxy

configuration of connection profile is done inside “Profiles” tab:

05-profiles

first of all create a new profile called “default-encription”:

061-profiles

and another profile called “pptp-profile”:

06-profiles

“Secrets” tab is where you have to manage users, in my case only two users are created:

07-secrets

configuration details about my user are:

08-secrets

Inside PPP menu there is a button with a label “PPTP server” click there…

03-pptp-server

… and copy next settings:

04-pptp-server

Don’t forget to check that your PPTP port is accessible from your public IP address. Remember it’s 1703/TCP.

Android configuration is simple, first of all go to “settings” icon. Look for a “More” section bellow network options, and you’ll find VPN managment. Add a new connection, define a name, the type and the IP address and leave the rest by default. After that when you come back to VPN list you’ll find your new VPN in the list, click there and just set-up your PPTP credentials.

android

If you have some trouble the only thing that you can do is go to Mikrotik logs or start sniffing to figure out where is the problem. I had to do some tests before it was working but in the end everything was so simple like I explained here.

Good luck and enjoy it.

Thanks to next blog entries to inspire me:

 

 

Jun 06

Remove old kernels when there is no space in /boot

Reading time: 1 – 2 minutes

The first step is get some space in the partition “/boot” because without that it’s impossible to do anything.

So go to /boot and remove some “initrd” files as they are the biggest ones. A few of them will be enough.

After that a good point is to ensure there is no partial installation pending to finish:

apt-get -f install

Now it’s a good idea to purge all kernels except the running one:

dpkg -l 'linux-*' | sed '/^ii/!d;/'"$(uname -r | sed "s/\(.*\)-\([^0-9]\+\)/\1/")"'/d;s/^[^ ]* [^ ]* \([^ ]*\).*/\1/;/[0-9]/!d' | xargs sudo apt-get -y purge

To avoid that in future before filling the partition, it’s a good idea to install and run periodically: purge-old-kernels. Installation and example of use are:

# installation
apt-get install bikeshed
# keep three old kernels:
purge-old-kernels --keep 3
# if you want to put that in the crontab use that command
purge-old-kernels --keep 3 -qy

If you’re a Grub user don’t forget to run:

update-grub2

Personally I have a nightmare with that problem and Ubuntu, especially with version 12.04 which is installed in a lot of servers that I manage. I repeated the previous process a lot of times and in the end, I decided to document it because I always have to go to Google and find the proper steps to solve that problem.

Jun 05

Protecting your email with MXGuarddog

Reading time: 2 – 2 minutes

mxguarddogAfter using VMWare ESXi for a long time as a Hypervisor for my virtual servers I decided to stop paying OVH for that service and I migrated my virtual machines to VPS servers on OVH. At the end of the day only two VPS with a cost of 3€/month are enough and I can stop a 50€/month dedicated server.

The biggest challenge that I had to solve was migrate mail server to a new server. So far today I was using pfSense a firewall for my virtual servers. They were in a virtual network; pfSense anti-spam services and mail forwarding were enough to receive “cleaned” mail in my private mail server with Postfix and Dovecot.

New configuration is just a cheap VPS (1xCPU+2GB RAM+10GB SSD) with Ubuntu 16.04 and also with Postfix and Dovecot. But I decided to rent the anti-spam, anti-malware and anti-virus service to MX Guarddog. I discovered that service just surfing on the big G. Only 0.25 cents per account per month it’s a very good price and it does all the things that I need and much more. Configuration is really simple if you know what you are doing. They have a very good and simple control panel to manage the service. This is the perfect service to get what I need.

In the control panel you can do all that you need, manage mail accounts and domains. View quarantined mails and all required configurations and tests to validate everything is ready and also maintain white and black lists. We’ll see during next days if the service gets the quality that I expect, I hope I have found a very good and cheap resource.