linux – Page 4 – Ryan Schulze

Bash Scripting

October 13, 2008Ryanbash, linux, scripting, shell, vim

I’ve been doing a bit of bash scripting lately. Anyone who is interrested in bash scripting should also have a look at the “bash support” vim script http://www.vim.org/scripts/script.php?script_id=365. A fair amount of the addons are aimed at a gui usage (like gvim), but even if you are a console user like me, it adds enough features to be worth while. After using it for a few days you get addicted to the neat features, scripting in a vim without it is like typing with your nose. It’s not impossible, but you aren’t having much fun either.

MSI Wind U100

October 11, 2008Ryan1 CommentDebian, Laptop, linux, MSI, Windows

I bought myself a laptop this week. To be more precise I bought a MSI Wind U100 “Luxury” version in white with 2GB Ram. It arrived today, and I have been spending most of the afternoon setting up Windows. I must say, I’m positively surprised about how good it works and the default setup. It came with 3 partitions, the first (about 3GB) is a rescue system, the second (about 50GB) has windows installed, and the rest (100GB) was an empty partition. I reduced the last partition to 50GB and will be installing Linux in the other half later on (Dual-Boot). It seems most of the community is only interested in installing ubuntu on the msi wind, so let’s see how far I get with a “normal” debian install. Not that ubuntu is bad, I use it often enough as a desktop installation, but this laptop isn’t really your standard hardware or usage here. So debian it will be, and minimized/customized to to what I want efficiently and good looking ;-).

Since there are plenty of reviews floating around the ‘net, I’ll spare you all a rant about how cool the notebook is.

Hackit Server downtime

October 7, 2008Ryanbroken, hackit, linux, ssh

Sorry for the downtime, wasn’t planned. It was late last night when I set up the knock daemon, I somehow managed to accidently copy and past my terminal which resulted in about a quarter of my /etc/init.d/* scripts getting broken. Unfortunatly I didn’t notice it right away. I did notice it when I rebooted the server (kernel change) and lot’s of daemons didn’t come up (oh unimportant stuff like SSH 🙁 ) Well, that’s what backups are for.

knock daemon with INPUT chain set to default ACCEPT

October 6, 2008March 12, 2011Ryanbasg, iptables, knock, linux, Server, ssh

I know there are plenty of pages floating around the Internet about knock daemons that open ports in a firewall after a predefined series of ports are “knocked”. For some reason ALL the pages I found assumed that a) you want the filter in your INPUT chain, and that the INPUT chain defaulted to DROP or REJECT.
In my case, I’m defiantly not going to have a iptables firewall with a default that drops packets. Every few weeks I try out some new software and can’t be bothered with adjusting my firewall every time. All I need it to do is keep pesky people off my ssh, that’s all.

So here is a short tutorial how to set up s knock daemon with a ACCEPT default for INPUT:

/etc/knockd.conf

[options]
UseSyslog

[opencloseSSH]
sequence      = 76:udp,123:tcp,7630:tcp,1921:udp
seq_timeout   = 25
tcpflags      = syn,ack
start_command = /sbin/iptables -I SSH-Knock 2 -s %IP% -p tcp --dport 22 --syn -j ACCEPT
cmd_timeout   = 20
stop_command  = /sbin/iptables -D SSH-Knock -s %IP% -p tcp --dport 22 --syn -j ACCEPT

[options]

UseSyslog

[opencloseSSH]

sequence = 76:udp,123:tcp,7630:tcp,1921:udp

seq_timeout = 25

tcpflags = syn,ack

start_command = /sbin/iptables -I SSH-Knock 2 -s %IP% -p tcp --dport 22 --syn -j ACCEPT

cmd_timeout = 20

stop_command = /sbin/iptables -D SSH-Knock -s %IP% -p tcp --dport 22 --syn -j ACCEPT

iptables:

iptables -N SSH-Knock
iptables -A INPUT -p tcp --dport 22 -j SSH-Knock
iptables -A SSH-Knock -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A SSH-Knock -j REJECT --reject-with icmp-port-unreachable
/etc/init.d/iptables save active

iptables -N SSH-Knock

iptables -A INPUT -p tcp --dport 22 -j SSH-Knock

iptables -A SSH-Knock -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A SSH-Knock -j REJECT --reject-with icmp-port-unreachable

/etc/init.d/iptables save active

Hackit Contest

September 23, 2008Ryanbuha, contest, grsecurity, hackit, hardening, linux, Server

Ok, the contest is ready. I’ll start off with the information everybody has been waiting for:

IP: 80.190.250.213

There is a webserver running with a brief description of the target and rules of the contest http://80.190.250.213/ The webserver is actually part of the contest since people are supposed to deface this page. To make it a bit more interresting, the ssh sessions are recorded with script and saved here for everyone to see (e.g. “less -r filename”).

Rules and Target of the contest:
As stated above, deface this page. To achieve this goal, everything is allowed. Do what you need/want to achieve the goal.
Unfortunatly we will still need a short list of actions that are not allowed:

(D)DoS against this box, or via this box against other hosts are
of course not allowed
Brute Force attacks against accounts are not prohibited … but trust me, you really don’t want to waste your time with that
Be nice, don’t try to make the accounts or box unusable for others
If you are doing something that isn’t aimed at solving the contest, than it probably isn’t allowed

A few details to the box and the system:

It is a vmware box (so I can reset it and/or access the console without any problems)
Linux debian testing is installed
some basic hardening done with normal linux tools and grsecurity
Don’t worry, I left enough room for you all to poke around, I didn’t make it “too secure to have fun”
This time no holes were intentionally added to the system. On the other hand there will also be no updates of software packages or changes to the RBAC system, no matter what security flaws arise (or I may have overseen)
On a scale of 1 to 10: I’d say the security is around 7

Have fun 😉

btw. I’m also posting this in the buha forums for anyone who prefers a German description.