Defcon:Blog Keklkakl blog blag

22Jan/162

VPN setup on Cisco IOS that works nice with Windows 7 and Linux w/ NetworkManager

I have a Cisco 2691 router running IOS 12.4 series at home currently, and I've been planning to cook up a VPN setup on it that allows me to connect back home, and also to "trombone" my way back out from home. I wanted toe setup to be as short and simple as possible, but still include encrypted communication. Finally, I wanted this to be available using "standard setup" client software on my XUbuntu+NetworkManager laptop, as well as Windows 7.

The "kicker" that made me finally cook this up, was the need to easily demonstrate to a colleague as well as a few students a simple way to do road warrior VPN using a Cisco IOS router as the termination point.

My setup uses Microsoft PPP Extensions to get encrypted communication, and as such it is a form of PPTP VPN.

The important bits to understand this setup is:

  • I use the IPv4 range 10.0.5.0/24 (or rather a subset of it) for the VPN clients.
  • VPN clients connect to my "Internet" facing address, located on FastEthernet0/0
  • All my internal networks, including VPN clients, use NAT with overload (PAT) for IPv4 communication with "the world"

I suppose it should be possible to use a Mac as a client for this setup too, but to be honest, I can't be bothered to check 🙂

aaa authentication ppp VPDN_AUTH local
!
ip name-server 10.0.2.2
!
vpdn enable
!
vpdn-group RoadWarrior
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
username vpntest privilege 7 password 7 053D1601114D5D1A0E550516
!
interface FastEthernet0/0
 description Internet
 ip nat outside
!...
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
ip nat inside
peer default ip address pool VPNPool
no keepalive
ppp encrypt mppe auto
ppp authentication ms-chap-v2 VPDN_AUTH
!
ip local pool VPNPool 10.0.5.2 10.0.5.31
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list standard NAT
 permit 10.0.5.0 0.0.0.255

3Oct/140

WordPress XMLRPC is a liability

This week I re-launched my blog, and I really wanted to do so silently, without the useless "Oh look, I've upgraded" type of post that so many publish (including myself in the past). But I was hit by a very common abuse-vector that prompts me to write a few words about it. The problem: DoS via WordPress XMLRPC. I've installed WordPress 4.0, a version where flaws in the XML-RPC mechanisms allowing it to be used as part of bot-nets and the like are supposedly resolved. But, after having my new WP installation active for less than 24 hours, my server ground to a halt, with ridiculous load numbers (190+ load), all caused by accesses to /xmlrpc.php

What is XML-RPC anyway?

The XML-RPC API is used by WordPress for a few things. The useful part, is making third-party publishing and administration applications for both desktop and mobile. But it is also used for so-called "pingbacks" and "trackbacks", where WordPress itself notifies other WordPress installations that links to their content has been created in articles/posts/pages. As this mechanism is supposed to run without user intervention, it's done without authentication, unlike the third-party client enabling admin/publish features of the API.

Insecure by default

Before WordPress 3.5, the XML-RPC API was something you had to actively enable. So to be able to use the API for publishing clients and/or pingbacks and trackbacks, you had to be aware of that the API existed, and enable it. For a number of reasons, I think that was a really good idea. Perhaps primarily because the XML-RPC used to have some seriously big flaws that could be used as vectors for abusing a WordPress installation. Now, from version 3.5, most of these flaws have been fixed. And with that, someone decided that users of WordPress are not very bright, and having to enable an API before using a third-party client was very complex and too hard for the users to understand. So they enabled the API by default. And removed the option for turning it off easily! How can possibly having an open API for anonymous, un-authenticated generator of HTTP-requests enabled by default, with no filtering, be a bad idea, right?

Continue reading ...

11Jul/120

Xen on Debian Wheezy (with VLAN networking and LVM storage).

TODO: Add an introduction paragraph, or ingress (so having READ MORE makes sense...)

Preparing the operating system

The absolutely first step in getting a Xen capable Debian Wheezy server, is to install Debian Wheezy. Really, there are no special tricks to this “step”, simply install a base system to your liking. I would reccomend NOT installing any X/Desktop environment at all; keep your Xen server a text-based system. Remember to install SSH server, as you'll probably be remote-managing the system. I'll also suggest you install NTP, VIM and Screen as part of the base install. After completing debian-installer:

apt-get install ntp vim screen

The rest of this prep-section is specific to my setup, you may skip down to “Installing Xen” if you like. In my setup, I'm using two RAID sets, one hardware-array with RAID1 for my root filestystem, and one software-array with RAID5, used as a physical volume for LVM. To set up these, the following packages are needed:

apt-get install mdadm lvm2

Next, to create my sfotware-RAID, I used (after a lot of testing to get acceptable IOPS from the disks):

mdadm --create /dev/md0 \
      --verbose \
      --level=5 \
      --chunk=256 \
      --raid-devices=4 /dev/sd{a,b,c,d}

That creates my /dev/md0, as I said, I'm using that as a PV for LVM:

pvcreate /dev/md0
vgcreate sraid5 /dev/md0

Installing Xen

With the basic operating system installed and (lightly) prepared, it is time take a plunge, and install Xen itself.

Continue reading ...

22Jun/120

Networking with VLANs on Debian Wheezy

This is a short note on using tagged VLANs on Debian Wheezy. Setting up and using VLANs on Wheezy is slightly changed from previous versions. The most notable difference is that vconfig is finally deprecated also for Debian, and that the “vlan-raw-device” stanza is gone from configuration.

In this short document, I assume that you know how to set up VLAN trunking and -tagging on the network-equipment that your Debian-box is connected to.

Continue reading ...

6Nov/100

Bacula backup server on Debian Lenny, with remote SQL server

This node is a REALLY REALLY incomplete scratch-space for my bacula-related node…

What is Bacula?

First of all, if you are reading this, I hope you have at least a minimal knowledge of what Bacula is. As in, at leas you know that is is a system for backup, recovery and verification of computer data. Hopefully, you also know that it is a scalable, enterprise-ready solution, and you are prepared for that.

As with everything else that gets labeled 'enterprise', and even 'scalable', Bacula is a system that is split into several parts, and is highly configurable. This gives great flexibility, at the cost of being rather complex to set up compared to smaller, simpler systems.

If you are looking to back up your workstation, and only that, bacula is probably not for you. The same is probably true if you are looking at doing backups for a small set of computers; say two-to-four. On the other hand, if you are planning on doing backups for a greater number of systems, across operating systems, and/or require dependable backup volume control, bacula is probably very well suited.

If you are coming from a commercial Enterprise backup solution, you may be surprised (hopefully pleasantly) to see that setup of Schedules, Clients, Jobs and the like are done in text-based configuration files, rather than a point-and-click GUI (or cryptic command line console).

Continue reading ...

19Apr/100

Debian Lenny based PXE boot setup

In this document I will document my base PXE boot-server setup. It is my intention to have quite a few “features” in my setup, including:

  • Menu-based selection of boot options
  • Booting of installers for several open-source operating systems
  • Booting of Live-environments for several open-source OS.
  • A selection of system-tools, like disk-shredder, partitioning tools, disk-backup and antivirus
  • Support for chainloading other net-boot mechanisms.

The setup is built on Debial Lenny, and is based on pxelinux, a part of the syslinux tools. In general, PXE-booting will be useful for booting x86/ia32-related hardware. Details related to making individual operating systems and distributions PXE bootable are left to separate articles.

Continue reading ...

18Oct/090

Creating a Read only Debian Lenny system

The task here is: at work, we have these cute little Vesa-mount-sized computers originally manufactured by DMP Electronics as the eBOX 4310, rebranded as NorhTec MicroClient Sr, that we are going to use backpack-mounted on large-screen HDTV's for our internal digital signage project.

These little boxes are to have no spinning disk, and an as reliable as possible system. To get no moving parts, the boxes skip using a hard drive, and we are setting them up with Compact Flash (CF) as the main storage. But, as any documentation will tell you, CF has a limited number of write-cycles, and as a result of that, it is desirable to have the system running with its filesystem read-only once booted.

Internally we normally standardize on CentOS for servers, and Ubuntu+Fedora as supported desktop Linux'es. But none of these are really “dead simple” to make read-only-rootfs, and to be honest comes with too much bloat in my opinion. So I am trying to do this using Debian Lenny. Debian is stock, standard, known tech, easily modified (ref. Pebble, LEAF, DSL, Ubuntu, Mint), and supportable. The base install is also fairly easy to make small.

Continue reading ...

4Mar/090

Installing Debian Lenny on the Cobalt RaQ4/RaQ550

My preferred method for installing Debian (or any compatible OS really) onto the RaQ, is the "out-of-body" installation. This requires an i386 - i586 (fairly old) PC with IDE/ATA available as a boot controller. There is quite a bit of "post install cleanup" to do compared to a standard Debian install, so read on...

Continue reading ...

4Mar/090

Debian Kernel compilation and installation for Sun/Cobalt RaQ

Compiling and installing a new, working Linux kernel on a RaQ appliance is not as trivial as it would be on a commodity PC/server. Here, I go through how I got my Lenny based RaQ's up and running with new kernels, starting from an already operational Debian Lenny i386 install

Continue reading ...

4Mar/090

Upgrading the ROM on a Cobalt RaQ4

Do not attempt this with a RaQ550, it will damage it!((http://www.osoffice.co.uk/romupdate.html))

For RaQ3, please see the methods for “Flash without OS((http://www.osoffice.co.uk/romupdate.html))((http://wiki.parvi.org/index.php/ROM_Flash_without_OS_Guide))

Installing any modern OS onto the RaQ GenIII hardware, requires that the RaQ's BOOT ROM is upgraded to a version that supports Linux kernels newer than the Linux 2.4 series. The the StrongBolt((http://www.osoffice.co.uk/)), BlueQuartz and Cobalt-ROM((http://sourceforge.net/projects/cobalt-rom)) projects are the sources for newer BOOT-ROM's. How to update your ROM file is outlined at http://www.dincom.co.uk/bq/rom.php and at the StrogBolt OS pages (http://www.osoffice.co.uk/romupdate.html).

Basically, you need a running OS on your RaQ before you start. This is because the flashtool((http://www.dincom.co.uk/bq/centosbqfiles/mirror/flashtool/)) needs to be run on the actual hardware. If you do not have an operational original OS on disk, using the Strongbolt CDROM, or other means of net-booting may get you to your goal.

Continue reading ...