Nasser Heidari

2011-01-27

Block POST Method with VARNISH for Invalid URLS

Filed under: freebsd,Linux — Nasser Heidari @ 16:38

Recently, I've experienced very high load on my HTTP server because of spam bots.
After some inspection of the server with tools like varnishtop, tcpdump and Apache mod_log_post, I realized that the web server receives lots of invalid POST requests.
As I have only a few forms on the web server that use the POST method, I decided to block ALL POST requests except those to my forms. Let's say the form URLs are:
/upload/mainform.php
/form1.php
/form2.php
/form3.php

I just added these lines to my Varnish configuration:

...
sub vcl_recv {
    ...
    if ( req.request == "POST" ) {
        if ( req.url ~ "/upload/mainform.php" ||
             req.url ~ "/form1.php" ||
             req.url ~ "/form2.php" ||
             req.url ~ "/form3.php" ) {
            return (pass);
        } else {
            error 403 ": Requested Method is not supported by this server.";
        }
    }
    ...
}
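As an added illustration (not part of the original post and not Varnish's own code), the Python below mirrors the vcl_recv decision and shows one caveat of the rule as written: in VCL, `~` is an unanchored regular-expression match, so `req.url ~ "/form1.php"` also matches any URL that merely contains that text, and the unescaped dot matches any character. The anchored pattern set restricts the pass to the four exact paths plus an optional query string. All function and constant names here are my own.

```python
import re

# Allow-list of form paths, as in the VCL above.
FORM_PATHS = ["/upload/mainform.php", "/form1.php", "/form2.php", "/form3.php"]

# Unanchored patterns: the literal equivalent of `req.url ~ "/form1.php"`.
# They match anywhere in the URL and "." matches any single character.
UNANCHORED = [re.compile(p) for p in FORM_PATHS]

# Anchored patterns: the path must start at the beginning of the URL, the dot
# is escaped, and only a query string ("?...") or the end of the URL may follow.
ANCHORED = [re.compile(r"^" + re.escape(p) + r"(\?|$)") for p in FORM_PATHS]


def post_allowed(url, patterns):
    """True if a POST to `url` hits the allow-list (re.search == VCL's unanchored ~)."""
    return any(pat.search(url) for pat in patterns)


def vcl_recv_decision(method, url, patterns=ANCHORED):
    """Mirror the vcl_recv logic: non-POST requests are untouched, a POST needs
    an allow-list hit to be passed; anything else gets the 403."""
    if method != "POST":
        return "pass-through"
    return "pass" if post_allowed(url, patterns) else "403"


if __name__ == "__main__":
    # Constructed sample URLs: the last two show where the unanchored form is too loose.
    for url in ["/form1.php?x=1", "/other.php", "/static/form1.php.bak", "/form1Xphp"]:
        print(url, "unanchored:", vcl_recv_decision("POST", url, UNANCHORED),
              "anchored:", vcl_recv_decision("POST", url, ANCHORED))
```

The same anchoring applies inside the VCL itself (for example `req.url ~ "^/form1\.php(\?|$)"`). On Varnish 4 and later the equivalent rule uses `req.method` instead of `req.request` and `return (synth(403, "..."))` instead of `error 403`.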

2010-04-04

Obtain the HP Server Model information and Serial Number

Filed under: freebsd,Linux — Nasser Heidari @ 09:44

To do this, first install dmidecode. In FreeBSD you can install it easily:

# pkg_add -r dmidecode

then try this:

# dmidecode -s chassis-serial-number
# dmidecode -s system-product-name

FreeBSD: You can find all installed hard drives this way:

# df
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/da0s1a 10154158 263394 9078432 3% /
devfs 1 1 0 100% /dev
/dev/da0s1e 5077038 86 4670790 0% /tmp
/dev/da0s1f 99246150 18245382 73061076 20% /usr
/dev/da0s1d 20308398 2714302 15969426 15% /var

# egrep 'da[0-9]' /var/run/dmesg.boot

This command will show lots of information about your hardware:

# sysctl hw | less

2010-03-01

FreeBSD: make install – Accept default config

Filed under: freebsd — Nasser Heidari @ 08:28

Using FreeBSD ports means compiling software by executing make install clean. This is great since it automatically fetches the dependencies and then compiles them.
With make install clean, most packages have configuration options which I have to choose manually. So if I install packageA with a lot of dependencies, each of those dependencies may have a configuration option I have to select.
To accept the default configuration, I know 3 options you can make use of:
1.
For csh-based Shell:
# setenv BATCH yes
OR for sh-based Shell:
# export BATCH="yes"

2.
# make -DBATCH install clean

3.
# make config-recursive
This usually gets all of the options displayed for you to choose upfront. I say "usually" because not all ports support it, but most do.

2010-02-17

FreeBSD: named[6107]: the working directory is not writable

Filed under: freebsd — Nasser Heidari @ 18:07

To fix this error, edit the following file:

/etc/mtree/BIND.chroot.dist

and change:

/set type=dir uname=root gname=wheel mode=0755

into:

/set type=dir uname=bind gname=wheel mode=0755

and then restart service:

# /etc/rc.d/named restart

From: http://www.howgeek.com/2009/12/02/bind-on-freebsd-7-2-error-named1531-the-working-directory-is-not-writable/

2010-02-16

FreeBSD 8: Poptop – Freeradius – Mysql

Filed under: freebsd — Nasser Heidari @ 01:34

I've installed FreeBSD with the default configuration, and then I need to install the required packages:

# pkg_add -r mysql51-server poptop
#  cd /usr/ports/net/freeradius2/
# make install clean && rehash
           - Don't forget here to select mysql

Now that we have installed the required packages, let's start the configuration:
– We need to enable IP forwarding and NAT. Let's see my system configuration files:

# uname -a
FreeBSD BSD.linax.com 8.0-STABLE FreeBSD 8.0-STABLE #0: Mon Feb 15 07:57:39 IRST 2010     root@BSD.linax.com:/usr/obj/usr/src/sys/LINAX  i386

# cat /etc/rc.conf.local
defaultrouter="192.168.126.2"
ifconfig_em0="inet 192.168.126.130 netmask 255.255.255.0"
ifconfig_em1="inet 10.10.10.1 netmask 255.255.255.0"
gateway_enable="YES"
hostname="BSD.linax.com"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""                
#pflog_enable="YES"        
#pflog_logfile="/var/log/pflog" 
#pflog_flags=""

mysql_enable="YES"
radiusd_enable="YES"

pptpd_enable="YES"

# cat /etc/pf.conf

## TRANSLATION RULES (NAT)
nat on em0 inet proto { tcp, udp, icmp } from 172.16.1.0/24 to any -> 192.168.126.130

## FILTER RULES
pass in log all keep state
pass out log all keep state

Note: I've reconfigured my kernel and added the following lines to support NAT:
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ

– Configuring PPTP :

/usr/local/etc/pptpd.conf
nobsdcomp
proxyarp
localip 10.10.10.1
remoteip 172.16.1.1-155
pidfile /var/run/pptpd.pid
+chapms-v2
mppe-40
mppe-128
mppe-stateless
plugin radius.so
plugin radattr.so

/etc/ppp/ppp.conf
loop:
    set timeout 0
    set log phase chat connect lcp ipcp command
    set device localhost:pptp
    set dial
    set login
    set ifaddr 10.10.10.1 172.16.1.1-172.16.1.155 255.255.255.255
    add default HISADDR
    set server /tmp/loop "" 0177

loop-in:
    set timeout 0
    set log phase lcp ipcp command
    allow mode direct

pptp:
    load loop
    disable pap
    disable ipv6cp
    enable proxy
    accept dns
    enable MSChapV2
    enable mppe
    disable deflate pred1
    deny deflate pred1
    set dns 8.8.8.8
    set device !/etc/ppp/secure
    set radius /etc/ppp/radius.conf

/etc/ppp/secure
#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

/etc/ppp/radius.conf
auth 127.0.0.1  nasser
acct 127.0.0.1  nasser

– Configuring Mysql & FreeRadius :

# cp /usr/local/share/mysql/my-medium.cnf /usr/local/etc/my.cnf
# sed -i.bak 's:/tmp/:/var/db/mysql/:'  /usr/local/etc/my.cnf
# mysql_install_db
# chown -R mysql:mysql /var/db/mysql/
# /usr/local/etc/rc.d/mysql-server start
# mysql -u root
          mysql> create schema radius;
          mysql> grant all on radius.* to 'radius'@'localhost' identified by 'radpass';
          mysql> flush privileges;
          mysql> \q
# mysql -u root radius < /usr/local/etc/raddb/sql/mysql/schema.sql

– Edit /usr/local/etc/raddb/sql.conf and enter the server, name and password details to connect to your MySQL server and the RADIUS database. The database and table names should be left at the defaults if you used the default schema. For testing/debug purposes, switch on sqltrace if you wish – FreeRadius will dump all SQL commands to the debug output with this on.

– Edit /usr/local/etc/raddb/radiusd.conf and uncomment $INCLUDE sql.conf and $INCLUDE sql/mysql/counter.conf .

– Edit /usr/local/etc/raddb/sites-enabled/default and add a line saying ‘sql’ to the authorize{} section (which is towards the end of the file). The best place to put it is just before the ‘files’ entry. Indeed, if you’ll just be using MySQL, and not falling back to text files, you could comment out or lose the ‘files’ entry altogether.

Also add a line saying ‘sql’ to the accounting{} section too between ‘unix’ and ‘radutmp’. FreeRadius will now do accounting to MySQL as well.
At the end your authorize and accounting should look something like this:

authorize {
        preprocess
        chap
        mschap
        unix
        sql
        expiration
        logintime
        noresetcounter
        dailycounter
        monthlycounter
        pap
}
accounting {
        acct_unique
        detail
        unix
        sql
        radutmp
        attr_filter.accounting_response
}

– now setup clients.conf:

 /usr/local/etc/raddb/clients.conf 
client 127.0.0.1 {
        secret          = nasser
        shortname       = PPTP
        nastype         = other
}

– OK, that's it. Let's create a user in MySQL:

use radius;
INSERT INTO radgroupcheck (GroupName, Attribute, Value) VALUES ('normalusers', 'Auth-Type', 'MS-CHAP');
INSERT INTO radgroupreply (GroupName, Attribute, Value) VALUES ('normalusers', 'Framed-Compression','Van-Jacobson-TCP-IP' );
INSERT INTO radgroupreply (GroupName, Attribute, Value) VALUES ('normalusers', 'Framed-Protocol', 'PPP' );
INSERT INTO radgroupreply (GroupName, Attribute, Value) VALUES ('normalusers', 'Service-Type', 'Framed-User' );
INSERT INTO radusergroup (UserName, GroupName, priority) VALUES ('nasser', 'normalusers', 1);
INSERT INTO radcheck     (UserName, Attribute, Value)    VALUES ('nasser', 'Password', '123456');
-- The id column of radcheck is AUTO_INCREMENT: name the columns instead of
-- supplying a hard-coded or empty id, which collides with or fails on existing rows.
INSERT INTO radcheck     (UserName, Attribute, op, Value) VALUES ('nasser', 'Login-Time', ':=', 'Al0800-1200');
INSERT INTO radcheck     (UserName, Attribute, op, Value) VALUES ('nasser', 'Max-Daily-Session', ':=', '3600');
INSERT INTO radreply     (UserName, Attribute, Value)    VALUES ('nasser', 'Framed-IP-Address', '172.16.1.33');

Now reboot the server.
You should be able to connect to this server via the Microsoft VPN client from Windows.

Thanks to:
http://www.linux-bsd-central.com/index.php/content/view/8/
http://poripori.net/PPTPD_on_FreeBSD.html
http://www.frontios.com/freeradius.html
http://www.rensel.com/wireless/pppoe.cfm
http://www.altctrldel.com/blog/categories/Slackware/PoPToP – Freeradius – MySQL.txt
http://old.nabble.com/account-interim-update-from-pptp-server-td24068962.html
http://cipitunk.wordpress.com/2009/04/08/vpn-server-using-pptp-protocol-and-freeradius-as-aaa-implementation/
http://www.pingle.org/2006/04/11/getting-poptop-to-run-under-freebsd-5-6

2009-08-26

PF – Packet Filter (Part 1)

Filed under: freebsd — Nasser Heidari @ 08:22

From: http://www.openbsd.org/faq/pf

# echo 'pf=YES' >> /etc/rc.conf.local

# pfctl -e    -> activate PF
# pfctl -d    -> deactivate PF 

Note: this just enables or disables PF; it doesn't actually load a ruleset. The ruleset must be loaded separately, either before or after PF is enabled.

# pfctl -f /etc/pf.conf     Load the pf.conf file
# pfctl -nf /etc/pf.conf    Parse the file, but don't load it
# pfctl -Nf /etc/pf.conf    Load only the NAT rules from the file
# pfctl -Rf /etc/pf.conf    Load only the filter rules from the file

# pfctl -sn   		    Show the current NAT rules 
# pfctl -sr                 Show the current filter rules
# pfctl -ss                 Show the current state table
# pfctl -si                 Show filter stats and counters
# pfctl -sa                 Show EVERYTHING it can show

Lists:

Lists are defined by specifying items within { } brackets:

block out on fxp0 from { 192.168.0.1, 10.5.32.6 } to any
block out on fxp0 proto { tcp udp } from { 192.168.0.1, 10.5.32.6 } to any port { ssh telnet }

trusted = "{ 192.168.1.2 192.168.5.36 }"
pass in inet proto tcp from { 10.10.0.0/24 $trusted } to port 22

Note:The commas between list items are optional.

Tables:

table <goodguys> { 192.0.2.0/24 }
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <spammers> persist file "/etc/spammers"

block in on fxp0 from { <rfc1918>, <spammers> } to any
pass in on fxp0 from <goodguys> to any

(Table names are written in angle brackets in pf.conf; these are the names used in the OpenBSD FAQ this is quoted from.)

Table Address Matching

An address lookup against a table will return the most narrowly matching entry. This allows for the creation of tables such as:

table <goodguys> { 172.16.0.0/16, !172.16.1.0/24, 172.16.1.100 }

block in on dc0 all
pass in on dc0 from <goodguys> to any

Any packet coming in through dc0 will have its source address matched against the table <goodguys>:
• 172.16.50.5 – narrowest match is 172.16.0.0/16; packet matches the table and will be passed
• 172.16.1.25 – narrowest match is !172.16.1.0/24; packet matches an entry in the table but that entry is negated (uses the “!” modifier); packet does not match the table and will be blocked
• 172.16.1.100 – exactly matches 172.16.1.100; packet matches the table and will be passed
• 10.1.4.55 – does not match the table and will be blocked
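To make the "most narrowly matching entry" rule concrete, here is an added example (my own code, not part of pf or of the OpenBSD FAQ) that implements the table lookup with longest-prefix matching and negated entries, then applies the "block all, then pass from the table" pair above under pf's last-matching-rule-wins semantics. The table name GOODGUYS and all function names are assumptions of this example.

```python
import ipaddress


def parse_table(entries):
    """Parse pf-style entries ("172.16.0.0/16", "!172.16.1.0/24", "172.16.1.100")
    into (network, negated) pairs; a bare address is treated as a /32."""
    table = []
    for item in entries:
        negated = item.startswith("!")
        net = ipaddress.ip_network(item.lstrip("!"), strict=False)
        table.append((net, negated))
    return table


def lookup(table, addr):
    """Return the most narrowly matching entry (longest prefix) that contains addr,
    as a (network, negated) pair, or None when no entry contains it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best


def matches_table(table, addr):
    """A packet 'matches the table' only when its narrowest entry exists and is not negated."""
    best = lookup(table, addr)
    return best is not None and not best[1]


def pf_decision(table, addr):
    """'block in on dc0 all' followed by 'pass in on dc0 from <table> to any':
    in pf the last matching rule wins, so a table hit turns the block into a pass."""
    return "pass" if matches_table(table, addr) else "block"


# Constructed table, same entries as the pf.conf fragment above.
GOODGUYS = parse_table(["172.16.0.0/16", "!172.16.1.0/24", "172.16.1.100"])

if __name__ == "__main__":
    for src in ["172.16.50.5", "172.16.1.25", "172.16.1.100", "10.1.4.55"]:
        print(src, lookup(GOODGUYS, src), pf_decision(GOODGUYS, src))
```

The four sample addresses reproduce the four bullets above: 172.16.50.5 and 172.16.1.100 pass, 172.16.1.25 is caught by the negated /24 and blocked, and 10.1.4.55 never matches the table.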

Manipulating with pfctl

Tables can be manipulated on the fly by using pfctl(8). For instance, to add entries to the table created above:

# pfctl -t spammers -T add 218.70.0.0/16 

This will also create the table if it doesn’t already exist. To list the addresses in a table:

# pfctl -t spammers -T show 

The -v argument can also be used with -T show to display statistics for each table entry. To remove addresses from a table:

# pfctl -t spammers -T delete 218.70.0.0/16 

2009-08-25

FreeBSD Policy Routing

Filed under: freebsd — Nasser Heidari @ 14:22

Policy routing is the art of deviating from destination-based shortest-path routing decisions of dynamic routing protocols. Policy routing considers aspects such as source/destination address, ports, protocol, type of service (ToS), and entry interfaces; do not confuse it with a routing policy or traffic policing. Traffic policing and shaping are sometimes summarized as traffic conditioning. Linux offers by far the most evolved policy routing approach of all Unices via multiple routing tables, the Routing Policy Database (RPDB), and the iproute2 (ip and tc) package for administration. Most other UNIX implementations implement policy routing via firewall marks and packet-mangling hooks.
Policy-routing setup on BSD platforms is pretty straightforward, limited, and essentially integrated into the firewall architecture. Firewalling, NAT, and policy enforcement are done by basically the same "packet-mangling" structures. The following are pf.conf rules (not shell commands):

pass out quick on bge0 route-to bge1:192.168.1.1 from 172.16.1.200 to any
pass out log quick on bge0 route-to le0:192.168.1.1 proto icmp from le0 to any
pass out log quick on bge0 proto icmp from any to any

Original Document: etutorials.org

2009-07-10

Netcat: The TCP/IP Swiss army knife

Filed under: freebsd,Linux,Miscellaneous,Security Tips and Issues — Nasser Heidari @ 13:44


Netcat is a featured networking utility which reads and writes data across network connections using the TCP/IP protocol.
It is designed to be a reliable “back-end” tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

In this little guide I'll quickly cover some very helpful uses of netcat.

Simple Chat:

The simplest example of netcat usage is to create a server-client chat system. In the following example it is assumed that the machine that creates the listening socket (server) has the 192.168.0.1 IP address. So, create the chat server on this machine and set it to listen to 12345 TCP port:

# nc -lp 12345

or

# nc -l 12345

If you now connect to port 12345 on that host, everything you type will be sent to the other party, which leads us to using netcat as a chat server.
Connect to it from another machine by entering this command:

# nc 192.168.0.1 12345

Now both parties can chat!

Port Scanner:

Netcat can be a port scanner. It does not have as many features as say nmap, but if you just want to see what ports are open on a given machine, you can simply do:

# nc -vzw 1 localhost 1-1000

Transferring Files:

Let's say you want to transfer a file from machine A to machine B. You can use netcat as file transfer software.
On machine A do the following, where 12345 is some unused port on which you want to send the file:

# nc -lp 12345 < myfile.tar.bz2

OR

# nc -l 12345 < myfile.tar.bz2

then go to machine B and run this command (192.168.0.1 is machine A's IP address):

# nc 192.168.0.1 12345 > myfile.tar.bz2

Another example:

# tar -czf - /etc/ | nc -lp 12345

and then:

 # nc 192.168.0.1 12345 > mybackup.tar.gz

Simple Single page Web Server:

# while true; do nc -lp 8080 -q 1 < test.html; done

Now if you connect to http://YOUR-IP-ADDRESS:8080, you will see the contents of the test.html page.

Netcat as a Backdoor !!!

Netcat can be used as a backdoor! You can specify the shell (or for that matter any executable) you want netcat to run on a successful connection with the -e parameter:

# nc -lp 54321 -e /bin/bash

Now if you connect to port 54321, you will have a shell.

Getting System Information

# while true; do nc -lp 12345 -e /usr/bin/uptime; done

The user who wants to obtain system information has to issue the following command:

# nc 192.168.0.1 12345 

2009-07-08

Disable Beep/Bell ( Hardware beep )

Filed under: freebsd,Linux — Nasser Heidari @ 06:55

Linux:
The Linux kernel has a PC speaker beeper driver called pcspkr.ko. This driver is responsible for generating beeps while working at the shell prompt / X terminal. To turn off the beep, simply remove the driver from the kernel. You also need to blacklist this driver so that it will not get loaded automatically.

# rmmod -v pcspkr

To prevent this module from loading automatically when you reboot your PC, open the /etc/modprobe.d/blacklist file and add pcspkr:

blacklist pcspkr

Appending a module here prevents the hotplug scripts from loading it.

You can use this command to turn it back on:

# modprobe pcspkr 

FreeBSD:
To enable or disable the bell, use the MIB hw.syscons.bell under FreeBSD. Type the following command to disable it for the current session:

# sysctl hw.syscons.bell=0

To make sure the setting remains the same after you reboot your PC, enter:

# echo "hw.syscons.bell=0" >> /etc/sysctl.conf

X11

If you are working with X11, you can turn off the console beep using the command xset.

To turn the console beep off enter:

# xset b off

To turn it back on, enter:

# xset b on

You can also set the volume and the pitch of the beep. This is not always supported, depending on the hardware.

However, if you want to set the volume and pitch you can do something like this:

# xset b 10 1000 100

Send E-mail When sudo Runs

Filed under: freebsd,Linux,Security Tips and Issues — Nasser Heidari @ 06:41

Sudo can be configured to send e-mail when the sudo command is used.
Edit the /etc/sudoers file (with visudo, so a syntax error cannot lock you out) and add these Defaults lines:

Defaults mailto="me@example.com"
Defaults mail_always

* mailto="me@example.com": the admin e-mail address that receives the notifications.
* mail_always: send mail to the mailto user every time a user runs sudo.

Additional options:

Option        Description
mail_badpass  Send mail to the mailto user if the user running sudo does not enter the correct password. This flag is off by default.
mail_no_host  If set, mail will be sent to the mailto user if the invoking user exists in the sudoers file but is not allowed to run commands on the current host. This flag is off by default.
mail_no_perms If set, mail will be sent to the mailto user if the invoking user is allowed to use sudo but the command they are trying is not listed in their sudoers file entry or is explicitly denied. This flag is off by default.
mail_no_user  If set, mail will be sent to the mailto user if the invoking user is not in the sudoers file. This flag is on by default.
