Monthly Archives: February 2008

Ok, well I’ve just had my first unpleasant surprise with Ubuntu Gutsy. I’m at home, effectively outside my firewall, so I’ve just checked my iptables rules to test my security, and it seems that by default the ruleset is set to allow all traffic….. I’m pretty shocked….. especially when stacked side by side with Fedora, which I’ve been using at work and which is downright aggressive about security from the word go. Ubuntu by its very nature is aimed at making Linux more accessible, and from reading the Ubuntu forums the majority of new users wouldn’t even consider checking…

I appreciate that most people seem to think that a firewall is unnecessary on a Linux box, as no daemons are running on a default install – but suppose (as I do) you then install an SSH server, and you want Windows machines on your network to access files….and a plethora of other bits and pieces – eventually you end up with loads of holes. I’d rather find out that an application doesn’t work until I open the corresponding ports than have data visible from the public internet…

My untouched IPtables config looked like this:

roachy@roachy-laptop:~$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Then after modification (yes I cheated and used Firestarter!)

roachy@roachy-laptop:~$ sudo iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.2.1 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- 192.168.2.1 anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
DROP 0 -- anywhere 255.255.255.255
DROP 0 -- anywhere 192.168.2.255
DROP 0 -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP 0 -- anywhere 224.0.0.0/8
DROP 0 -- 255.255.255.255 anywhere
DROP 0 -- anywhere 0.0.0.0
DROP 0 -- anywhere anywhere state INVALID
LSI 0 -f anywhere anywhere limit: avg 10/min burst 5
INBOUND 0 -- anywhere anywhere
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Input'

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Forward'

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.2.11 192.168.2.1 tcp dpt:domain
ACCEPT udp -- 192.168.2.11 192.168.2.1 udp dpt:domain
ACCEPT 0 -- anywhere anywhere
DROP 0 -- 224.0.0.0/8 anywhere
DROP 0 -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP 0 -- 255.255.255.255 anywhere
DROP 0 -- anywhere 0.0.0.0
DROP 0 -- anywhere anywhere state INVALID
OUTBOUND 0 -- anywhere anywhere
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Output'

Chain INBOUND (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
LSI 0 -- anywhere anywhere

Chain LOG_FILTER (5 references)
target prot opt source destination

Chain LSI (2 references)
target prot opt source destination
LOG_FILTER 0 -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp echo-request
LOG 0 -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
DROP 0 -- anywhere anywhere

Chain LSO (1 references)
target prot opt source destination
LOG_FILTER 0 -- anywhere anywhere
LOG 0 -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTBOUND (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.2.11 anywhere tcp dpt:www
ACCEPT udp -- 192.168.2.11 anywhere udp dpt:www
ACCEPT tcp -- 192.168.2.11 anywhere tcp dpts:netbios-ns:netbios-ssn
ACCEPT udp -- 192.168.2.11 anywhere udp dpts:netbios-ns:netbios-ssn
ACCEPT tcp -- 192.168.2.11 anywhere tcp dpt:microsoft-ds
ACCEPT udp -- 192.168.2.11 anywhere udp dpt:microsoft-ds
ACCEPT tcp -- 192.168.2.11 anywhere tcp dpt:https
ACCEPT udp -- 192.168.2.11 anywhere udp dpt:https
LSO 0 -- anywhere anywhere

Quite a significant difference…..
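For anyone who would rather write the rules by hand than use Firestarter, here is a script (an added example, not the post's or Firestarter's own code) that reproduces the core of that listing: DROP policies on all three chains, loopback and established traffic allowed, rate-limited ICMP, a short outbound allow list, and log-then-drop for everything else. It assumes 192.168.2.1 is the router/DNS server as in the listing, and DRY_RUN=1 prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Default-deny ruleset covering the core of the Firestarter listing above.
# Assumes 192.168.2.1 is the router/DNS server, as in the listing; set
# DRY_RUN=1 to print the iptables commands instead of applying them.
IPT=${IPT:-iptables}
DNS_SERVER=${DNS_SERVER:-192.168.2.1}

ipt() {                       # run iptables, or echo the command when previewing
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

apply_rules() {
    ipt -F
    ipt -X
    # default to DROP on every chain, then open only what is needed
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    # loopback, and replies to connections this host already has open
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    # rate-limited ICMP: stays pingable without being flooded
    ipt -A INPUT -p icmp -m limit --limit 10/sec --limit-burst 5 -j ACCEPT
    ipt -A OUTPUT -p icmp -j ACCEPT
    # outbound: DNS to the router only, then web and SMB/NetBIOS anywhere
    ipt -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    for port in 80 443 445; do
        ipt -A OUTPUT -p tcp --dport "$port" -j ACCEPT
    done
    ipt -A OUTPUT -p tcp --dport 137:139 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 137:139 -j ACCEPT
    # log (rate-limited) whatever falls through; the DROP policy then bins it
    ipt -A INPUT -m limit --limit 5/sec --limit-burst 5 -j LOG --log-prefix "Inbound "
    ipt -A OUTPUT -m limit --limit 5/sec --limit-burst 5 -j LOG --log-prefix "Outbound "
}

# only apply when explicitly asked, so sourcing this file changes nothing
if [ "${1:-}" = apply ]; then apply_rules; fi
```

Preview with `DRY_RUN=1 sh firewall.sh apply`, then run `sh firewall.sh apply` as root; the rules are not persistent, so hook the script into your distro's network start-up if you want them back after a reboot.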

I’ve just been configuring an AXIS video server that monitors one of our sites, and had a thought……I wonder how many of these cameras are publicly visible on the web (ours is hidden behind a firewall and visible over a VPN from here), so I did a quick Google search with some quite cool results:

intitle:"Live View / -AXIS" reveals…..

Axis Live View

I’m terrible for forgetting to exit a root session after I’ve been performing administrative functions on my machine, so I looked for some way of reminding me, and found this simple solution:

Edit the /etc/bashrc file to include the following function….

function setprompt
{
    # \[ and \] mark the colour codes as non-printing so bash keeps the line length right
    local RED="\[$(tput setaf 1)\]"
    local RESET="\[$(tput sgr0)\]"
    if [ "$(id -u)" -eq 0 ]   # check if the user is root
    then
        PS1="$RED[\u@\h:\W]$RESET "
    else
        PS1="[\u@\h:\W]$RESET "
    fi
}
setprompt

This then changes the prompt colour to red (or any colour you like) when logged on as root…..

Red Shell Prompt

Just found this useful list of commands on Fosswire – as it’s released under the Creative Commons Attribution-ShareAlike 3.0 Unported licence, I’ve copied it here for easy reference!

Unix/Linux Command Line reference

Previously I knew how to test for traditional Open Relays on mail servers – but was looking for some more extensive testing and stumbled across this site:

http://www.dsbl.org/relay-methods

Among the methods listed are tests for double-bounce and webmail relaying….

In addition to this, the following base-64 encoding and decoding tool can be used to test SMTP AUTH on servers:

http://legacy.dillfrog.com/tools/base-64_encode/

Very useful 🙂
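The fiddly part of testing SMTP AUTH by hand is that AUTH PLAIN wants NUL bytes inside the base64 token, which a web encoder cannot type. These helpers (an added example, not from the post or DSBL) build the AUTH PLAIN and AUTH LOGIN tokens, decode the server's 334 challenges, and classify the reply to a relay test against your own server; the credentials tim / tanstaaftanstaaf are the sample pair from RFC 4616, not real ones.

```shell
#!/bin/sh
# Helpers for checking a mail server's AUTH and relay behaviour by hand over a
# raw SMTP session. Added example; the sample credentials tim / tanstaaftanstaaf
# are the pair used in RFC 4616 and not real.

b64() { base64 | tr -d '\n'; }            # one-line base64, GNU or BSD

# AUTH PLAIN sends a single token: NUL authcid NUL password (RFC 4616). The
# embedded NULs are why a web base64 tool needs care here.
auth_plain_token() { printf '\0%s\0%s' "$1" "$2" | b64; }

# AUTH LOGIN sends the username and the password as two separate tokens
auth_login_token() { printf '%s' "$1" | b64; }

# decode a 334 continuation line to see what the server is asking for
decode_challenge() {
    case $1 in
        334\ *) printf '%s' "${1#334 }" | base64 -d ;;
        *)      echo "not a challenge: $1" >&2; return 1 ;;
    esac
}

# classify the reply to RCPT TO for a domain the server does not host:
# a 2xx here means it will relay for whoever is connected (open relay)
relay_verdict() {
    case $1 in
        2[0-9][0-9]*) echo "OPEN: relay accepted" ;;
        4[0-9][0-9]*) echo "deferred: greylisted or temporary failure" ;;
        5[0-9][0-9]*) echo "closed: relay refused" ;;
        *)            echo "unexpected reply: $1" ;;
    esac
}
```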

After struggling to fully join a linux box to the AD domain at work, I’ve now successfully managed it.
This was done in Fedora Core 8, but there’s no reason why this shouldn’t work regardless of distro.
Going to give it a go on Ubuntu next!!  (Note that the Active Directory domain in this example is RC.local and the AD/DNS/Kerberos server is RCSRV01 – replace these entries with your own details…)
Here’s a checklist to follow:

1 – Ensure that the AD domain is correctly configured (DNS, DHCP, etc.)

2 – Add the AD domain controller as the first DNS server on the linux box
(and check using /etc/resolv.conf)

3 – Ensure the kerberos and samba packages are installed on the linux box

4 – Set the hostname on your linux box in /etc/sysconfig/network

5 – Ensure you have the correct hostname (using your FQDN) in /etc/hosts. Mine looks like:

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 RCFedora rcfedora.rc.local localhost
::1 localhost6.localdomain6 localhost6

6 – Ensure your linux box is set to use the Windows domain controller as an NTP server and that your time zone is correct (this caught me out – the time zone was incorrectly set and it wouldn’t allow me to join the domain!)

7 – Edit /etc/krb.conf to include the following on the FIRST 2 LINES!!

RC.LOCAL rcsrv01.rc.local:88
RC.LOCAL rcsrv01.rc.local:749 admin server

8 – Next I added the file /etc/krb.realms, and added the following line

.rc.local RC.LOCAL

9 – In /etc/krb5.conf, check that the following options are there and correct:

[libdefaults]
default_realm = RC.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
RC.LOCAL = {
kdc = rcsrv01.rc.local:88
admin_server = rcsrv01.rc.local:749
kpasswd_server = rcsrv01.rc.local:464
kpasswd_protocol = SET_CHANGE
}

[domain_realm]
# map the DNS domain and its subdomains onto the realm (a leading dot covers subdomains; no "*" wildcard)
.rc.local = RC.LOCAL
rc.local = RC.LOCAL

10 – Next check /etc/nsswitch.conf for the following entries:

passwd: compat winbind
group: compat winbind
hosts: files dns winbind

11 – Check /etc/pam.d/system-auth for the following in the session section

session required pam_mkhomedir.so skel=/etc/skel umask=0022

12 – Under the global settings in the /etc/samba/smb.conf you should have the following

unix charset = LOCALE
workgroup = RC
netbios name = RCFEDORA
password server = RCSRV01
realm = RC.LOCAL
server string = Fedora8
security = ads
allow trusted domains = No
idmap backend = idmap_rid:RC=16777216-33554431
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
winbind offline logon = true
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = Yes
printcap name = CUPS
printing = cups

and under HOMES you should have

comment = Home Directories
browseable = no
writable = yes
; valid users = %D\%U
; valid users = MYDOMAIN\%S

13 – Finally stop the Winbind and Samba services, and run the following commands:

rm -f /etc/samba/*tdb
rm -f /var/cache/samba/*tdb
rm -f /var/cache/samba/*dat
net ads join -U Administrator

then start the winbind and samba services again and reboot!

You should then be able to log on with domain credentials!
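Most of the failures in that checklist (wrong first nameserver, missing FQDN in /etc/hosts, a stray space in default_realm, winbind missing from nsswitch, clock skew) are cheap to check before running net ads join. The script below is an added example, not the post's own: each check takes a file path so it can be run against the real files, and make_samples writes constructed good and bad copies to test against; DC_IP is a placeholder for rcsrv01's real address.

```shell
#!/bin/sh
# Preflight checks for the domain-join checklist above. Each check takes a file
# path, so it can be pointed at the real /etc/resolv.conf, /etc/hosts,
# /etc/krb5.conf, /etc/nsswitch.conf and smb.conf, or at the constructed samples
# that make_samples writes. DC_IP is a placeholder; rcsrv01's real address goes there.
REALM=${REALM:-RC.LOCAL}
FQDN=${FQDN:-rcfedora.rc.local}
DC_IP=${DC_IP:-192.0.2.1}

esc() { printf '%s' "$1" | sed 's/\./\\./g'; }     # escape dots for grep -E

# step 2: the first nameserver must be the domain controller
check_resolv() { [ "$(awk '/^nameserver/ {print $2; exit}' "$1")" = "$2" ]; }
# step 5: the FQDN must appear in /etc/hosts
check_hosts() { grep -Eq "^[0-9.:]+[[:space:]].*[[:space:]]$(esc "$2")([[:space:]]|$)" "$1"; }
# step 6: Kerberos rejects tickets once clocks differ by more than 300 seconds
check_skew() { [ "${1#-}" -le 300 ]; }
# step 9: default_realm must match exactly, so "RC .LOCAL" fails here
check_krb5() { grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$(esc "$2")[[:space:]]*$" "$1"; }
# step 10: passwd and group lookups both need winbind
check_nss() { grep -Eq '^passwd:.*winbind' "$1" && grep -Eq '^group:.*winbind' "$1"; }
# step 12: smb.conf must use security = ads with the right realm
check_smb() {
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads' "$1" &&
    grep -Eiq "^[[:space:]]*realm[[:space:]]*=[[:space:]]*$(esc "$2")" "$1"
}

# constructed samples: .good files pass, .bad files reproduce common slips
make_samples() {
    d=$(mktemp -d)
    printf 'nameserver %s\nnameserver 192.0.2.53\n' "$DC_IP" > "$d/resolv.good"
    printf 'nameserver 192.0.2.53\nnameserver %s\n' "$DC_IP" > "$d/resolv.bad"
    printf '127.0.0.1 rcfedora %s localhost\n' "$FQDN" > "$d/hosts.good"
    printf '[libdefaults]\ndefault_realm = %s\n' "$REALM" > "$d/krb5.good"
    printf '[libdefaults]\ndefault_realm = RC .LOCAL\n' > "$d/krb5.bad"
    printf 'passwd: compat winbind\ngroup: compat winbind\n' > "$d/nss.good"
    printf 'passwd: compat\ngroup: compat\n' > "$d/nss.bad"
    printf '[global]\nsecurity = ads\nrealm = %s\n' "$REALM" > "$d/smb.good"
    echo "$d"
}

# succeeds only when every .good sample in the directory passes its check
run_all() {
    check_resolv "$1/resolv.good" "$DC_IP" && check_hosts "$1/hosts.good" "$FQDN" &&
    check_krb5 "$1/krb5.good" "$REALM" && check_nss "$1/nss.good" &&
    check_smb "$1/smb.good" "$REALM" && check_skew 12
}
```

On a real box, feed check_skew the offset reported by `ntpdate -q rcsrv01` (rounded to whole seconds) and point the other checks at the live files; any check that fails points straight at the checklist step to revisit.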