NOP, just NOP

IT

IT | 2013-04-18 17:08:51

I’m a pretty big fan of TeamViewer.

There are heaps of remote desktop apps like GoTo Assist and the like that are able to punch through NAT by creating a reverse tunnel, but each to their own.

The latest Ubuntu install 8.0.17864 creates a daemon to bring your machine online. Maybe I’m just being a frittata, but whenever the daemon was active the machine would show online, yet I could never connect to it. Even when the machine was added as a partner it would show online, but it would always sit at “Connecting” when you tried to remote into it.

The only way I could get into the remote machine was to open the GUI on the remote machine. Once the GUI was open the machine’s “online” status never changed, but I could remote in.

Due to the nature of a remote machine, you’ll never have remote access to open the GUI in order to remote to it. So the below startup script will launch the GUI upon login so you can successfully remote in. It is exactly the same script that is run when you click on the GUI icon for TV.

/opt/teamviewer8/tv_bin/script/teamviewer

HTH



IT | 2013-04-18 17:00:39

I’ve had an annoying problem with my Linux VirtualBox Host + Guest combo for some time and have now only just got around to solving it, so hopefully this can help others in the same situation.

My Host runs Ubuntu 11.04 Desktop, but I run this headless. Unfortunately when it’s run headless and you VNC/TeamViewer/Weaponofchoice you get an 800×600 res. The latest version of VirtualBox + guest additions for Windows guests lets you define resolutions up to 6400×1200 without having to resize the guest window from the host GUI of VirtualBox.

Unfortunately my Ubuntu 12.04 guest wasn’t so lucky, and it defaulted to 800×600 even with the guest additions. The resizing of the guest window from the host worked, but in my case my host was at 800×600 and resizing was a massive pain in the ass.

I spent many hours scouring for how to manually resize a guest and came across many answers, none of which worked for me. I’ll throw what didn’t work below just in case anyone tries the same thing.

x90@ban-roy-x90-vm:~$ cvt 1280 1024
# 1280x1024 59.89 Hz (CVT 1.31M4) hsync: 63.67 kHz; pclk: 109.00 MHz
Modeline "1280x1024_60.00"  109.00  1280 1368 1496 1712  1024 1027 1034 1063 -hsync +vsync

x90@ban-roy-x90-vm:~$ xrandr --newmode "1280x1024_60.00" 109.00  1280 1368 1496 1712  1024 1027 1034 1063 -hsync +vsync
x90@ban-roy-x90-vm:~$ xrandr --addmode VBOX0 1280x1024_60.00
x90@ban-roy-x90-vm:~$ xrandr --output VBOX0 --mode 1280x1024_60.00

vboxmanage setextradata global GUI/MaxGuestResolution 1280,1024
vboxmanage setextradata "VM name" "CustomVideoMode1" "1280x1024x16"

None of these worked. In the end I had to create a custom xorg.conf file that manually specified the resolution. As newer versions of Ubuntu did away with a default xorg.conf file I created:

/usr/share/X11/xorg.conf.d/20-monitor.conf

Which contained the below:

Section "Device"
    Identifier  "Configured Video Device"
    Driver      "vboxvideo"
EndSection
Section "Monitor"
    Identifier  "Configured Monitor"
    Option      "DPMS"
EndSection
Section "Screen"
    Identifier      "Default Screen"
    Monitor         "Configured Monitor"
    Device          "Configured Video Device"
    DefaultDepth    24
    SubSection "Display"
        Depth   24
        Modes   "1280x1024"
    EndSubSection
EndSection

I guess I could have restarted gdm but after a reboot everything was finally working as expected without ever having to resize the guest window!



IT | 2012-06-26 14:57:57

A while ago I was working on a project to decommission the old TACACS server and we chose to replace it with Radius for Cisco router authentication.

After trying a few different radius packages (on Linux) one of our engineers said that he had luck in the past with Radiator – a closed source radius package for Linux. The Radiator software http://open.com.au/radiator/index.html is probably under-utilised for basic authentication, but has been rock solid in our production environment for 6 months+.

What we now have is a RADIUS server that accepts authentication requests from our Cisco devices, checks whether the username or Calling-Station-Id is in a blacklist, authenticates them against LDAP on our Domain Controller and then checks the user’s group membership before allowing them to authenticate. All failed and accepted attempts are also logged.

Whilst the documentation is huge and detailed (376 pages) I couldn’t find any specific examples on the net to tie everything we wanted together. So below is a sample configuration for what we are running as detailed above. Essentially we make a Radius user on the domain who can read LDAP (because we don’t allow anon ldap queries right?). We also make a RadiusSG security group which will contain the users that we want to allow login to our devices (because we don’t want to allow a terminal login for all our other AD users).

Note, I have also included a clients-group1.cfg file to specify each NAS into nice groups. I use this option to create multiple includes to split devices by region/country.

file: /etc/radiator/radius.cfg

#Foreground
LogStdout
LogDir          /var/log/radius
DbDir           /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace           3
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
# INCLUDE OUR REGION SETTINGS
include %D/clients-group1.cfg

<Realm DEFAULT>
    # LOG ALL FAILED REQUESTS TO /var/log/radius/<YEAR>-<MONTH>-attempts-failed.log
    <AuthLog FILE>
        Filename %L/%Y-%m-attempts-failed.log
        LogFailure 1
        LogSuccess 0
        FailureFormat %d/%m/%Y %H:%M:%S FAIL Username: %U Password: %P from %{Calling-Station-Id} on %{NAS-IP-Address}
    </AuthLog>
    # LOG ALL ACCEPTED REQUESTS TO /var/log/radius/<YEAR>-<MONTH>-attempts-ok.log
    <AuthLog FILE>
        Filename %L/%Y-%m-attempts-ok.log
        LogSuccess 1
        LogFailure 0
        SuccessFormat %d/%m/%Y %H:%M:%S  OK  Username: %U Password: <hidden> from %{Calling-Station-Id} on %{NAS-IP-Address}
    </AuthLog>
    # CHECK BAD USERNAMES THEN BAD IP'S THEN LDAP FOR AUTHENTICATION
    <AuthBy GROUP>
        # FLOW THROUGH OUR BLACKLIST MODULES
        AuthByPolicy ContinueUntilReject
        # CHECK FOR BAD USERNAMES
        <AuthBy FILE>
            Blacklist
            Filename %D/reject-usernames
        </AuthBy>
        # CHECK FOR BAD IP'S
        <AuthBy FILE>
            Blacklist
            AuthenticateAttribute Calling-Station-Id
            Filename %D/reject-ip
        </AuthBy>
        # CHECK AGAINST OUR AD VIA LDAP
        <AuthBy LDAP2>
            # SPECIFY THE DOMAIN CONTROLLER ADDRESS AND LDAP PARAMS
            Host <INTERNALIPOFDOMAINCONTROLLER>
            SSLVerify none
            UseTLS
            Port 3268
            # OUR DC WONT ALLOW ANON READING SO WE HAVE TO AUTH AS A VALID USER
            AuthDN cn=Radius, OU=Service Accounts, DC=<DOMAINHERE>, DC=prd
            AuthPassword <RadiusUSERPASSWORDHERE>
            # USE THE CACHE FOR MULTIPLE ATTEMPTS WHICH SAVES LDAP QUERIES
            CachePasswords
            # START SEARCHING LDAP FROM THIS DN FORWARDS
            BaseDN DC=<DOMAINHERE>, DC=prd
            UsernameAttr sAMAccountName
            ServerChecksPassword
            # REQUIRE GROUP MEMBERSHIP
            SearchFilter (&(%0=%1)(memberOf=CN=RadiusGroup SG,  OU=Security Groups, DC=<DOMAINHERE>, DC=prd))
        </AuthBy>
    </AuthBy GROUP>
</Realm>

I have also created some scripts to poll for top IP offenders (bruteforce attempts etc) so I will most likely post these details soon.
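Two things in the configuration above are worth keeping in mind before reusing it: the FailureFormat writes the submitted password (%P) into the failed-attempts log, so that file holds near-misses of real passwords and needs the same protection as a credential store, and SSLVerify none means the TLS session to the domain controller is not checked against its certificate. The "top offenders" analysis mentioned in the last paragraph can be done directly from that failed-attempts log. The following is an added example, not the author's script; it assumes lines written exactly in the FailureFormat shown above, uses constructed sample lines, and deliberately drops the password field while parsing.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the FailureFormat of the configuration above
# (timestamps, names, addresses and passwords are all made up).
SAMPLE_FAILED_LOG = """\
01/06/2012 08:00:01 FAIL Username: admin Password: s3cret from 10.1.2.3 on 10.0.0.1
01/06/2012 08:00:02 FAIL Username: admin Password: s3cret1 from 10.1.2.3 on 10.0.0.1
01/06/2012 08:00:03 FAIL Username: root Password: toor from 10.1.2.3 on 10.0.0.1
01/06/2012 08:00:04 FAIL Username: cisco Password: cisco from 10.1.2.3 on 10.0.0.2
01/06/2012 09:15:10 FAIL Username: jsmith Password: Summer2012 from 10.9.8.7 on 10.0.0.1
01/06/2012 09:15:40 FAIL Username: jsmith Password: Summer2012! from 10.9.8.7 on 10.0.0.1
01/06/2012 09:20:00 FAIL Username:  Password:  from  on 10.0.0.1
not a log line at all
"""

# One regex for the whole FailureFormat. Username, password and
# Calling-Station-Id may be empty (a NAS that doesn't send the attribute
# leaves a blank), so those groups allow zero characters.
FAIL_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) FAIL "
    r"Username: (?P<user>\S*) Password: (?P<pw>.*?) "
    r"from (?P<src>\S*) on (?P<nas>\S+)$"
)


def parse_failures(text):
    """Yield (timestamp, username, calling_station_id, nas) per well-formed line.
    The password group is matched only so the line parses; it is dropped here
    because the file contains whatever users typed (often a real password with
    one wrong character), so nothing downstream should carry it."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # skip anything not in the expected format
        ts = datetime.strptime(m.group("ts"), "%d/%m/%Y %H:%M:%S")
        src = m.group("src") or "<no-calling-station-id>"
        yield ts, m.group("user"), src, m.group("nas")


def top_sources(text, n=5):
    """Sources ranked by number of failed attempts (the 'top offenders' view)."""
    return Counter(src for _, _, src, _ in parse_failures(text)).most_common(n)


def usernames_by_source(text):
    """Distinct usernames each source tried. Many names from one address is the
    usual brute-force / password-spray signature; one name repeated a couple of
    times is more often a user mistyping."""
    seen = {}
    for _, user, src, _ in parse_failures(text):
        seen.setdefault(src, set()).add(user)
    return seen


def sources_over_threshold(text, max_failures, window_seconds):
    """Sources with more than max_failures attempts inside any sliding window of
    window_seconds, sorted. This is the rule you would feed reject-ip from."""
    by_src = {}
    for ts, _, src, _ in parse_failures(text):
        by_src.setdefault(src, []).append(ts)
    flagged = []
    for src, times in by_src.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 > max_failures:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("top sources:", top_sources(SAMPLE_FAILED_LOG))
    for src, names in usernames_by_source(SAMPLE_FAILED_LOG).items():
        print(src, "tried", sorted(names))
    print("over 3 failures in 60s:", sources_over_threshold(SAMPLE_FAILED_LOG, 3, 60))
```

Run it against a real %L/%Y-%m-attempts-failed.log by reading the file into the text argument; the thresholds in sources_over_threshold are the knobs to tune before turning its output into blacklist entries.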



IT | 2012-04-03 12:54:05

Two weeks ago I was fortunate enough to attend Cisco Live (previously networkers).

Part of my goal there was to get clued up on IPv6 transition methods, addressing and all related matter. One of the breakout sessions I attended was on IPv6 security threats and mitigation. All in all very informative, but the major advice for networks not currently running IPv6 was to monitor your IPv6 flows to see what applications and operating systems were doing. Technologies like ISATAP are bound to break security boundaries by tunneling via IPv4 and this is something you should be aware of on your network.

Today I started this quest just by running a regular Wireshark session filtering on IPv6. Without a tap or a port span I could only observe multicast traffic, but I picked up on the below packets.

My immediate thought was that a user’s PC was infected with a virus that was acting as part of a botnet and that this PC was using IPv6 to perform its DNS lookups. I went searching for 10-character IPv6 DNS lookups. Luckily what I found meant it wasn’t part of a botnet, but I definitely wasn’t expecting what I found. This case has been documented before, so this is definitely nothing new, and the fact that this happens in both IPv4 and IPv6 isn’t a surprise. Here are the references I found:
http://code.google.com/p/chromium/issues/detail?id=47262
http://groups.google.com/a/chromium.org/group/chromium-discuss/browse_thread/thread/17bd3e93f3c68448?pli=1
https://isc.sans.edu/diary.html?storyid=10312
http://groups.google.com/a/googleproductforums.com/forum/#!category-topic/chrome/report-a-problem-and-get-troubleshooting-help/dQ92XhrDjfk

As the reports suggest it’s a feature of Chrome to perform fake DNS lookups to determine if your ISP is performing DNS hijacking. In my case our DNS suffix provided by our DHCP server did not get appended, nor was the request a truncation of a proper URL nor was it over IPv4 – but it is most definitely the cause of the events I saw on the network.
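The triage I would run over such lookups, as an added example that is not part of the original post or of Chrome: it assumes a simple exported query format (constructed here, with made-up addresses and names), treats a small burst of single-label, all-letter names from one host at one moment as the startup probe pattern described above, and treats a steady stream of such names from one host as the case worth a closer look. The 7-15 letter range, the three-names-in-ten-seconds burst size and the list of expected single-label names are assumptions for this example, not something the page states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of DNS queries as you might export them from a capture
# filtered on IPv6: "<date> <time> <client> <qtype> <qname>". Not real traffic.
SAMPLE_QUERIES = """\
2012-04-03 09:01:10 fe80::1 AAAA qwertyuiop
2012-04-03 09:01:10 fe80::1 AAAA hgfdsazxcv
2012-04-03 09:01:11 fe80::1 AAAA mnbvcxzlkj
2012-04-03 09:01:12 fe80::1 AAAA www.example.com
2012-04-03 09:02:00 fe80::2 AAAA isatap
2012-04-03 09:02:05 fe80::2 A wpad
2012-04-03 09:05:00 fe80::3 AAAA abcdefghij
2012-04-03 09:05:30 fe80::3 AAAA kjhgfdsapo
2012-04-03 09:06:00 fe80::3 AAAA zxcvbnmasd
2012-04-03 09:06:30 fe80::3 AAAA poiuytrewq
2012-04-03 09:07:00 fe80::3 AAAA lkjhgfdsaq
"""

# A "random-looking" name here is a single label of 7 to 15 lowercase letters
# with no dots (so no search suffix was appended, as in the post). The length
# range is an assumption made for this example.
RANDOM_LABEL_RE = re.compile(r"^[a-z]{7,15}$")

# Single-label names that are normal on a Windows/IPv6 network and must not be
# mistaken for random probes (assumed list).
EXPECTED_SINGLE_LABELS = {"wpad", "isatap", "localhost"}

# Thresholds (assumptions): a probe burst is at most this many names within
# this many seconds; anything beyond that is a sustained pattern.
PROBE_MAX_NAMES = 3
PROBE_WINDOW_SECONDS = 10


def parse_queries(text):
    """Yield (timestamp, client, qtype, qname) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        yield ts, parts[2], parts[3], parts[4].lower().rstrip(".")


def is_random_label(qname):
    """True for a dotless, all-letter name that isn't on the expected list."""
    return qname not in EXPECTED_SINGLE_LABELS and bool(RANDOM_LABEL_RE.match(qname))


def random_lookups_by_client(text):
    """Map client -> sorted timestamps of its random-looking lookups."""
    by_client = defaultdict(list)
    for ts, client, _qtype, qname in parse_queries(text):
        if is_random_label(qname):
            by_client[client].append(ts)
    return {c: sorted(t) for c, t in by_client.items()}


def classify_client(timestamps):
    """'none' if no random lookups, 'probe-burst' if they all fit in one short
    burst, 'sustained' otherwise (the case worth investigating)."""
    if not timestamps:
        return "none"
    span = (timestamps[-1] - timestamps[0]).total_seconds()
    if len(timestamps) <= PROBE_MAX_NAMES and span <= PROBE_WINDOW_SECONDS:
        return "probe-burst"
    return "sustained"


def triage(text):
    """Classification for every client seen in the export."""
    random_by_client = random_lookups_by_client(text)
    clients = {client for _, client, _, _ in parse_queries(text)}
    return {c: classify_client(random_by_client.get(c, [])) for c in sorted(clients)}


if __name__ == "__main__":
    for client, verdict in triage(SAMPLE_QUERIES).items():
        print(client, verdict)
```

The point of separating "probe-burst" from "sustained" is that the benign startup pattern and a host resolving generated names all day look identical one query at a time; only the count and spacing per client tell them apart.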

As the quest for IPv6 and related security problems goes on I’m sure to throw more stuff up here.



IT | 2012-03-07 10:49:53

Just scrolling through /. and noticed this article:

“Michael Geist reports that last week State of Maryland prosecutors were able to obtain a warrant ordering Verisign, the company that manages the dot-com domain name registry, to redirect the website to a warning page advising that it has been seized by the U.S. Department of Homeland Security. The message from the case is clear: all dot-com, dot-net, and dot-org domain names are subject to U.S. jurisdiction regardless of where they operate or where they were registered. This grants the U.S. a form of ‘super-jurisdiction’ over Internet activities, since most other countries are limited to jurisdiction with a real and substantial connection.”

I’ve been fearful of this for a while and have been watching it develop over the last year or so. I’ve never understood the legalities involved with the US seizing a site and its information when it’s clearly hosted in another country. I guess the loophole has been the ownership of the .com registrar, allowing a pivot for governments to obtain the remainder of the information past the actual domain name. A loophole which is now firmly stated.

I guess the only hope now is one that comes from more awareness. If you don’t want to have your domain seized due to the content on your site – don’t register it through a .com .net or .org.



IT | 2009-01-21 17:22:22

Recently I purchased the Blackberry Storm which is exclusive to Vodafone here in Australia.

I have had some problems finding the initialisation commands for Vodafone in Australia.

Here is the process.

Installing the Blackberry Storm will install 3 modems:
– Standard 33600 bps Modem
– Standard 33600 bps Modem #2
– Standard Modem

Leave the first two alone, but under the standard modem in the advanced properties, enter:

+cgdcont=,,"vfinternet.au"

Next create a new manual internet connection and when it asks for a password enter *99# and do not enter any username or password

Open up the Blackberry Desktop Manager, connect to the new connection and away you go 🙂



IT | 2007-12-11 15:42:56

Well, as of Friday 7th December I am now RHCT certified (Red Hat Certified Technician).

I managed to pass with 100% which was awesome, now bring on the RHCE!



IT | 2007-07-11 13:10:29

Over the course of about 2 weeks my raid5 system broke twice requiring new disks and a rebuild.
The controller was a Highpoint RocketRaid 1640 SATA with 4x Seagate 250GB 7200RPM SATAII drives.

Rebuild time was as follows:
Build 1:
raid 5 rebuild started approx 4:25PM
5:27PM – 21%
6:24PM – 40%
7:04PM – 53%
7:28PM – 61%
8:35PM – 82%
9:25PM – 99%
9:27PM – 100%

Build 2:
raid5 rebuild started 11:51AM
2:13PM – 47%
2:51PM – 58%
3:44PM – 76%
4:25PM – 90%
4:55PM – 100%
I couldn’t find any reliable information on an estimated rebuild time, so there’s my experience.
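Since the post's point is that nobody publishes rebuild-time estimates, here is an added example (not the author's, and not anything the RocketRaid tooling provides) that turns the progress readings above into an estimate while a rebuild is still running. It takes the two runs from the post as (clock time, percent) samples, fits a minutes-per-percent rate through the origin from the first few readings, and projects the total; the assumption is that the rebuild proceeds at a roughly constant rate, which the numbers above bear out.

```python
from datetime import datetime, timedelta

# The two rebuilds from the post as (clock time, percent complete) samples.
# Each run finished the same day it started, so plain clock times suffice.
BUILD1 = [("4:25PM", 0), ("5:27PM", 21), ("6:24PM", 40), ("7:04PM", 53),
          ("7:28PM", 61), ("8:35PM", 82), ("9:25PM", 99), ("9:27PM", 100)]
BUILD2 = [("11:51AM", 0), ("2:13PM", 47), ("2:51PM", 58), ("3:44PM", 76),
          ("4:25PM", 90), ("4:55PM", 100)]


def minutes_from_start(samples):
    """Convert (clock, pct) samples to (minutes since first sample, pct)."""
    t0 = datetime.strptime(samples[0][0], "%I:%M%p")
    out = []
    for clock, pct in samples:
        t = datetime.strptime(clock, "%I:%M%p")
        if t < t0:  # rebuild ran past midnight
            t += timedelta(days=1)
        out.append(((t - t0).total_seconds() / 60, pct))
    return out


def total_minutes(samples):
    """Actual wall-clock duration of a completed run."""
    return minutes_from_start(samples)[-1][0]


def estimated_total_minutes(samples):
    """Least-squares rate (minutes per percent) through the origin, scaled to
    100%. Usable from the first reading or two, which is when an ETA is wanted."""
    pts = minutes_from_start(samples)
    num = sum(m * p for m, p in pts)
    den = sum(p * p for _, p in pts)
    if den == 0:
        raise ValueError("need at least one sample with progress > 0")
    return 100 * num / den


if __name__ == "__main__":
    for name, run in (("Build 1", BUILD1), ("Build 2", BUILD2)):
        print(name, "actual:", round(total_minutes(run)), "min;",
              "estimate after first readings:",
              round(estimated_total_minutes(run[:3])), "min")
```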