Wednesday, April 5, 2017

Rotten Apples

I have been using Apple products for a very, very long time. However, the most recent updates have left me a bit slighted. In their attempt to gain recognition for the most recognizable devices and OS, they have taken away some of the (albeit hackish) creature comforts that I loved.

One small one that probably a very small percentage of the Mac population used was the ability to move the dock into the bottom right corner instead of the middle of the screen. Are they so adamant that macOS on every device look the same, so that it can be instantly recognized in every Starbucks on the planet as an Apple product running Apple's Macintosh OS, that they no longer allow the dock to be moved 3 inches to the right? The new configuration file that dictates this behavior isn't editable by a normal user, even one that has root privileges. Why? I paid over 3 thousand dollars for a MacBook Pro; I would like to make at least minor adjustments as I see fit. I feel like this is the same as buying a house and then being told by the bank you financed with that you aren't allowed to paint any of the walls.

Another gripe with the latest update is that they dropped support for PPTP VPNs. This is ridiculous. Of course PPTP is an old protocol, and it isn't the most secure on the block, but it sure does help when your ISP is trying to inspect your traffic and limit bandwidth to certain applications, or if you're a Time Warner Cable (now Spectrum) customer and their plant is extra crappy and the transport sucks. As soon as you establish a simple PPTP VPN connection, boom, your speeds and throughput are back to being what you paid for. Because they dropped PPTP support, I literally had to change my broadband provider, which worked out for the best. New Wave Cable had just come to my area a few weeks prior, and offered a faster speed at a lower price with 10x the reliability, eliminating my need for a PPTP VPN altogether. I would have been really upset if TWC/Spectrum had remained my only option, as I would probably have spent lots of money tethering my phone in order to get reliable internet without the VPN.

Anyway, I grew up using Apple products from a very early age. My father was a die-hard Apple fan; to this day he still maintains a collection of late '80s and '90s Apple equipment. For those of you who know the story of Steve Jobs, he also has a NeXT computer running NeXTSTEP. This is why it is so frustrating to me. Apple went from being the "Think Different" company that let its users make their computer their own, to a company that now makes computers that make you their own. Conform or die.

Enclosed are a few photos of my collection, so you know I am not fibbing when I say I'm an old-school Apple user. However, I am no longer a fanboy. While I still can't bring myself not to purchase Apple hardware, I am seriously contemplating something different for my next laptop. I come from a professional Linux administration background; I use Fedora Workstation every day while maintaining Red Hat servers. If any of you out there in internet land actually read this and would like to give me suggestions on hardware comparable to a MacBook Pro, please chime in. The last 2 MBPs that I have owned lasted 7+ years and were still able to display up-to-date graphics and run large, bloated and complex software packages years after my initial purchase. I do not like buying new PCs every couple of years; I prefer that they last a little bit longer. I am not a gamer, so I do not demand cutting-edge graphics all the time, which might have something to do with the longevity compared to some gamers out there.

A few photos from the collection of old Apple hardware: my original Apple Newton MessagePad from 1992 (the original iPad, if you will) and a Duo Dock docking station for my Duo 210 laptop. This setup was commonly seen in the background of many Seinfeld episodes, in Seinfeld's apartment. Over the years I had several LCs, a Quadra, the Duo Dock setup, followed by an original Bondi Blue iMac, then a G4 Cube, a PowerBook G3, a Titanium G4, a black MacBook, a 2007 MacBook Pro, and then a 2015 MBP with Retina display. Of course there was also the original Newton MessagePad 100 with the 110 board upgrade, while my father had a 120. I had one iPhone once, a 3G, then I left it for a Google Android Nexus One and have remained on Android ever since.

Newton 100 MessagePad

Duo Dock box and a few others lingering around in Dad's basement

The boxes for the Newton 100 and 120

Google's Googel

Have you tried Google's new search engine, Googel, yet? It's just like the regular Google, but it looks different. No? Okay, good, because it's not real. However, Google does have 2 or more ways to do the exact same thing with more than one product. I find this quite confusing, and I wonder if anyone else feels the same way, or like me has just thought, "Why does Google keep merging, and/or separating, and then sometimes re-merging projects?"

Example: Allo and Duo. They work well together, but what about Google Hangouts? Wasn't that the whole premise of Hangouts? Then they included a dialer and texting, and basically merged the product with Google Voice for a one-stop shop for telecommunications on the web and mobile devices. However, Google Voice still exists, and now Allo and Duo exist parallel to Hangouts. NOW WE HAVE SO MANY OPTIONS, BUT WHICH ONE DO WE USE!?

Then on the total opposite end of the spectrum we have Gmail. It's great, has a nice web interface, it's free, and it has a task manager built in. The task manager has been there for a long time; 3rd-party apps have been made to sync it to your phone, but Google never made an official one. Why not? They made an app called Keep which has no integration with the task manager in Gmail whatsoever. So now we have to use 2? If you're like me this isn't a huge deal, as I mostly use 3rd-party mail applications, like Apple Mail, to access my email, but what about those people who use the web client as their main interface? One would think that someone spending lots of time in the web interface would be inclined to use the built-in task manager instead of the Keep web interface. Don't even get me started on the Gmail app vs. the Inbox mail app. Again, both by Google, but why? Is one geared more toward enterprise? If so, I think they should market it as such, and perhaps that is why some of their apps die: marketing for new or improved products doesn't seem to be their strong suit.

If anyone out there in interweb land is reading this, I would like to hear your thoughts and comments.

Tuesday, January 22, 2013

Fedora 18 Google 2-factor authentication problems.

If you have upgraded to Fedora 18 and are having trouble logging in with the open source Google 2-factor PAM module and Authenticator app, look at your display manager's login window and make sure that the time is set properly.

I recently upgraded from Fedora 17 to 18 and noticed that it set my workstation to network time by default. In Fedora 18 the network card will not, by default, make a connection until the user logs in. (I assume this is a measure to prevent hacking attempts/exploits.) So naturally the workstation was not on the same time as my phone, and the clock skew far surpassed the 1 minute and 30 second time sync differential (which can go up to 4 minutes depending on how you set up your .google_authenticator conf file).

So I appended the kernel arguments by pressing 'e' on the current kernel at the GRUB screen to edit the arguments. I used '-a single' followed by F10 to boot the machine into single-user mode. I then removed the pam_google_authenticator.so line from the gdm-password file located in /etc/pam.d. This allowed me to log in with just my user password. After successfully logging into the machine I turned off network time, set my time zone to EST, and then re-entered pam_google_authenticator.so into the gdm-password file. I logged out to test it, and it started working fine.

There are ways of getting the machine to connect to the network before or during the display manager's login window, but these are outside the scope of this article. Luckily, if you log out and have any services running as daemons (particularly those running as root), those services will continue to run. This article was intended for those using Fedora as a desktop workstation rather than a server. There are also ways of stopping someone from booting into single-user mode from GRUB, though booting this way usually requires physical access; if you don't have sensitive information on your workstation, I would not recommend disabling single-user arguments, just in case of scenarios like this.
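Added example (not part of the original post): a minimal RFC 6238 TOTP implementation with the same kind of accepted-code window the Google Authenticator PAM module applies, used to show exactly when a workstation clock that drifts from the phone stops producing a match. The base32 secret and the timestamps are constructed for the demo; window sizes 3 and 17 correspond to the 1:30 and roughly 4-minute tolerances mentioned above (the module stores this as WINDOW_SIZE in .google_authenticator).

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default, also what Google Authenticator uses)
DIGITS = 6

# Constructed demo secret (base32, the form stored in .google_authenticator); not a real credential.
DEMO_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time // step), digits)


def verify(secret: bytes, code: str, server_time: int, window_size: int = 3,
           step: int = STEP) -> bool:
    """Accept the code if it matches any of window_size consecutive steps centred on the
    server's current step. window_size=3 (current step plus one either side) is the 90-second
    tolerance the post mentions; 17 widens it to 8 steps, about 4 minutes, either way."""
    centre = int(server_time // step)
    half = window_size // 2
    for counter in range(centre - half, centre + half + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return True
    return False


def login_succeeds(clock_skew_seconds: int, window_size: int = 3,
                   phone_time: int = 1_500_000_000) -> bool:
    """Simulate the post's failure: the phone generates a code at phone_time (constructed,
    aligned to a step boundary), while the workstation believes the time is phone_time plus
    clock_skew_seconds. Returns whether the PAM-style check would accept the code."""
    code = totp(DEMO_SECRET, phone_time)
    return verify(DEMO_SECRET, code, phone_time + clock_skew_seconds, window_size)


if __name__ == "__main__":
    for skew in (0, 59, 60, 240, 270):
        for window in (3, 17):
            verdict = "accepted" if login_succeeds(skew, window) else "rejected"
            print(f"workstation clock off by {skew:4d}s, window {window:2d}: {verdict}")
```

With the default window, a workstation clock one minute off is already enough for every code the phone shows to be rejected, which is exactly the symptom of logging in before NTP has had a chance to run.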

Sunday, October 28, 2012

PPTP VPN Routing Internet Traffic. (CentOS)

I recently set up a personal VPN on CentOS 6.3 to cover myself from sniffers while connected to public hotspots. I read a few tutorials to see if much had changed in PPTP installations in the last few years, as the last time I set one up was 2009. Not much had changed, but I noticed in the comments of most tutorials that lots of people out there were having trouble routing internet traffic through the VPN after the install. I will cover a couple of things that could be causing this problem.

First, I noticed that some tutorials skip the iptables rule that allows PPTP traffic to reach your server. In order to connect successfully you will need to unblock TCP port 1723, which you can do by adding the following rule to /etc/sysconfig/iptables:

-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT

Or from a command prompt enter:

# iptables -A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT

Next you will also need to allow the GRE protocol on your primary interface (PPTP carries the tunnelled data over GRE, not TCP). Add this rule to the INPUT chain in /etc/sysconfig/iptables:

-A INPUT -p gre -i eth0 -j ACCEPT

Or from the command prompt:

# iptables -A INPUT -p gre -i eth0 -j ACCEPT

These rules will allow your remote client to connect to PPTPD.

Second, fresh installs of an operating system such as CentOS sometimes have the iptables FORWARD policy set to DROP, which discards forwarded packets. Forwarding is needed to pass traffic between eth0 and your ppp connections. To allow it from the command line, type:

# iptables -P FORWARD ACCEPT

This changes the iptables FORWARD policy to allow forwarding between interfaces.

Lastly, there are 2 important iptables forwarding rules that allow traffic to be passed back and forth between eth0 and all ppp connections. I will use the wildcard ppp+ for the ppp connections; this is important if you have multiple users of the VPN, as it tells iptables that all ppp interfaces should pass through eth0 and vice versa. You can add these 2 rules to /etc/sysconfig/iptables below your INPUT rules (they are FORWARD chain rules, so keep them above the COMMIT line):


-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT

Or from a command line:

# iptables -A FORWARD -i ppp+ -o eth0 -j ACCEPT
# iptables -A FORWARD -i eth0 -o ppp+ -j ACCEPT

This should have you successfully connecting and routing internet traffic from the VPN server to your remote clients!
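Added example (not part of the original post): a small checker that parses an /etc/sysconfig/iptables file in iptables-save format and reports which of the pieces described above are missing. The two rule sets are constructed for the demo; one has the problems the post describes (FORWARD policy DROP, no 1723/GRE rules, no ppp+ forwarding, and the easy-to-make typo of an uppercase -J, which iptables does not accept), the other is the corrected version.

```python
import shlex

# Constructed excerpt with the problems described in the post.
BROKEN_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -J ACCEPT
COMMIT
"""

# Constructed excerpt with the rules from the post in place.
FIXED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -i eth0 -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return ({table: {chain: policy}}, [(table, chain, argv), ...]) from iptables-save format."""
    policies, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # *filter, *nat, ...
            table = line[1:]
            policies.setdefault(table, {})
        elif line.startswith(":"):                    # :CHAIN POLICY [packets:bytes]
            chain, policy = line[1:].split()[:2]
            policies.setdefault(table, {})[chain] = policy
        elif line.startswith("-A "):                  # -A CHAIN <match/target options>
            argv = shlex.split(line)
            rules.append((table, argv[1], argv[2:]))
        # COMMIT and anything else carries no rule information
    return policies, rules


def rule_has(argv, *needed):
    """True if every ('option', 'value') pair in needed appears in the rule, in any order."""
    pairs = set(zip(argv, argv[1:]))
    return all(pair in pairs for pair in needed)


def check_pptp_rules(text, wan="eth0"):
    """List the problems that would stop PPTP clients from connecting or routing through wan."""
    problems = []
    policies, rules = parse_iptables_save(text)
    filt = [(chain, argv) for table, chain, argv in rules if table == "filter"]
    for chain, argv in filt:
        if "-J" in argv:
            problems.append(f"{chain}: '-J' is not an iptables option (the jump flag is lowercase -j)")
    if policies.get("filter", {}).get("FORWARD") != "ACCEPT":
        problems.append("FORWARD policy is not ACCEPT, so forwarded packets are dropped")
    if not any(c == "INPUT" and rule_has(a, ("-p", "tcp"), ("--dport", "1723"), ("-j", "ACCEPT"))
               for c, a in filt):
        problems.append("no INPUT rule accepting TCP port 1723 (PPTP control connection)")
    if not any(c == "INPUT" and rule_has(a, ("-p", "gre"), ("-j", "ACCEPT")) for c, a in filt):
        problems.append("no INPUT rule accepting GRE (PPTP tunnel data)")
    for inp, out in (("ppp+", wan), (wan, "ppp+")):
        if not any(c == "FORWARD" and rule_has(a, ("-i", inp), ("-o", out), ("-j", "ACCEPT"))
                   for c, a in filt):
            problems.append(f"no FORWARD rule from {inp} to {out}")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: python3 check_pptp.py [/etc/sysconfig/iptables]; without an argument the demo rules are used.
    if len(sys.argv) > 1:
        print("\n".join(check_pptp_rules(open(sys.argv[1]).read())) or "no problems found")
    else:
        for name, text in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
            print(f"{name}: {check_pptp_rules(text) or 'no problems found'}")
```

The checker covers only the firewall side the post discusses. Two things outside its scope that also have to be in place for clients to reach the internet are the kernel's net.ipv4.ip_forward setting and, when the ppp clients use private addresses, a MASQUERADE rule in the nat table for the outbound interface.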

Tuesday, October 23, 2012

Tarpit Server (RHEL/CentOS 6+)(Dual Subnets)


I was recently tasked with replacing an old LaBrea Tarpit server. Due to the unfortunate outcome of the LaBrea project, I opted to use the xtables-addons for iptables and its built-in logging features to implement the new tarpit. Information about putting together a tarpit from scratch is a little scarce, so I decided to share how and what I did to put this server together. For my setup I had two network interfaces: one open to the traffic to be tarpitted, and one for administrators to use for remote management. The management interface was locked down to an internal subnet. For general purposes one network interface will work just fine; you can skip the part about dual network card setups. This was performed on a Red Hat Enterprise Linux 6.3 install but should be identical on any version 5.5 and up.

This is my first attempt at blogging a tutorial so please forgive me if it seems a bit erratic.

I am writing this under the assumption that most people setting up a tarpit server already have a basic to intermediate knowledge of Linux. Let's get started!

1. Installing XTables

XTables is a very powerful set of extensions for iptables that includes the TARPIT target and many others, such as GeoIP. For more on XTables please visit http://sourceforge.net/projects/xtables-addons

We can download the free and open source add-ons from their site at sourceforge.net. To download the package straight to our machine, let's use the wget command:

# wget http://sourceforge.net/projects/xtables-addons/files/Xtables-addons/


This places the xtables-addons archive in your current working directory. Extract it and build it with the following commands (the version number may differ; at the time of this writing it was 1.46, so adjust the archive and directory names to what you downloaded):

# tar xf xtables-addons-1.46.tar.xz
# cd xtables-addons-1.46
# ./configure
# make && make install
# cd

2. Network Configuration

Now, this is a bit tricky: since we have 2 network cards and each of them will be assigned to a different subnet, we are going to have to take advantage of Red Hat's advanced routing tables (policy routing with multiple tables). First, however, let's make sure we have the interfaces set up properly. We will need to check the network script files and make sure they are configured properly. We will use eth0 as our management interface and eth1 as the tarpit interface. For this example eth0 will be on the 192.168.2.0 subnet and eth1 on the 10.3.128.0 subnet; substitute your own network information. If you are only using one network interface, skip any information about eth1.

Move to the network-scripts directory

# cd /etc/sysconfig/network-scripts

Using your favorite text editor, open ifcfg-eth0. It should look similar to the listing below; of course the IPs will differ.

DEVICE="eth0"
ONBOOT="yes"
BOOTPROTO="static"
IPADDR="192.168.2.10"
NETMASK="255.255.255.0"
NETWORK="192.168.2.0"
BROADCAST="192.168.2.255"

Next open the file ifcfg-eth1 and change the information to the subnet that you wish to have as your tarpit. If you are using one network interface you need not edit this file, and it may not exist.

DEVICE="eth1"
ONBOOT="yes"
BOOTPROTO="static"
IPADDR="10.3.128.10"
NETMASK="255.255.255.0"
NETWORK="10.3.128.0"
BROADCAST="10.3.128.255"

After configuring ifcfg-eth1 you will need to restart the network service using:

# service network restart
# cd

Now here is where we need to define individual gateways for each subnet. This step is much easier if you store the commands in an executable script, because if you need to restart the network services you won't have to go through several steps, as opposed to just re-running the script. So create a file called route-script (or something of your liking) and copy this information into it, with your own networking information. If you have only one network interface you may skip this step.

#!/bin/bash
# Route-Script
# Set up the first subnet's routing table (table 1, used for eth0)
/sbin/ip route flush table 1
/sbin/ip route add table 1 to 192.168.2.0/24 dev eth0
/sbin/ip route add table 1 to default via 192.168.2.1 dev eth0

# Set up the second subnet's routing table (table 2, used for eth1)
/sbin/ip route flush table 2
/sbin/ip route add table 2 to 10.3.128.0/24 dev eth1
/sbin/ip route add table 2 to default via 10.3.128.1 dev eth1

# Create the rules that choose which table to use, based on the source IP.
# The rules need different priorities; for convenience the priority matches the table number.
/sbin/ip rule add from 192.168.2.0/24 table 1 priority 1
/sbin/ip rule add from 10.3.128.0/24 table 2 priority 2

# Flush the route cache so the changes take effect
/sbin/ip route flush cache


This script sets up 2 routing tables, with rule priority 1 for eth0's subnet and priority 2 for eth1's. Next, make the script executable.

# chmod 755 route-script

Then run the script.

# ./route-script

Now to verify that each interface is working use:

# ping -I eth0 google.com

If you get replies (assuming that eth0 is not an internal network), then it's working. Do the same for eth1:

# ping -I eth1 google.com


Next we want to assign multiple addresses, or in my case an entire subnet, to eth1. To do this we will need to create a file inside /etc/sysconfig/network-scripts/ called ifcfg-eth1-range0. Creating this file will effectively create virtual network interfaces bound to eth1 (eth1:1, eth1:2, etc.).

# cd /etc/sysconfig/network-scripts/
# touch ifcfg-eth1-range0

Now open ifcfg-eth1-range0 in your text editor and add your IP range.

IPADDR_START=10.3.128.2
IPADDR_END=10.3.128.254
CLONENUM_START=0


IPADDR_START is your starting IP and IPADDR_END is your ending IP. CLONENUM_START is the number from which the virtual interface aliases (eth1:N) are numbered; the example starts at 0.

Now we will need to restart the network services again.

# service network restart

Now that we have multiple IPs on the same interface, they will also need a default gateway defined, so we will need to re-run our route-script (aren't you glad you saved it!).

# cd
# ./route-script

Check to see if your virtual interfaces are getting to the internet:

# ping -I eth1:1 google.com

If it pings successfully then all is well. You can also check the default routes of your interfaces by running route -n.

3. IPTables Rules

Now that XTables is installed and both network interfaces are up and running, we will need to use iptables to lock down eth0 to port 22 only (SSH for management) and open eth1 to incoming connections. iptables will also log incoming connections to /var/log/messages with a custom prefix, to make them easy to spot or grep for. Later in the tutorial I will show you how to move the iptables logs out of /var/log/messages and into their own log.


I'll start by sharing the rules I wrote; you may copy and paste them into /etc/sysconfig/iptables using your own network information. Open /etc/sysconfig/iptables in your editor and add the following rules.

-A INPUT -m state --state NEW -m tcp -p tcp -i eth0 --dport 22 -j ACCEPT

#LogChain
-N LOGGING
-A INPUT -m iprange --dst-range 10.3.128.2-10.3.128.254 -j LOGGING
-A LOGGING -m limit --limit 30/min -j LOG --log-prefix "inbound : " --log-level 7
-A LOGGING -p tcp -j TARPIT
COMMIT



The first line opens only port 22 on eth0 for us to use SSH and manage our server. The LogChain section creates a new chain called LOGGING and specifies that traffic destined for the IP range on eth1 must pass through it. The traffic then hits the logging rule, where we have limited the log entries to 30 per minute (you may change this to whatever suits you), with the prefix "inbound : " and log level 7 (debug, the highest level of detail). The TCP traffic is then tarpitted. Now we need to restart iptables with:

# service iptables restart

If all goes well you should see /var/log/messages filling up with kernel "inbound" messages. These will look something like this:

Oct 16 12:01:47 kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=108.141.2.139 DST=10.3.128.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=51866 DF PROTO=TCP SPT=56124 DPT=3389 WINDOW=5840 RES=0x00 ACK URGP=0

This shows us the source and destination addresses, as well as the source and destination ports.

The tarpit is now running!


4. Setting up a tarpit log.

In order to move the logged connections out of /var/log/messages we will need to edit our syslog configuration file, /etc/rsyslog.conf. Using your editor, open /etc/rsyslog.conf and add these lines in the rules section, above the line that writes to /var/log/messages (the text must match the --log-prefix used in the iptables rule exactly, including the space before the colon):

:msg, startswith, "inbound : " -/var/log/iptables
& ~

This tells rsyslog that any message starting with the prefix "inbound : " should be written to /var/log/iptables (the leading dash means the file is written without syncing after every message), and the "& ~" line discards the message afterwards so it does not also land in /var/log/messages.

Now restart rsyslog with the command:

# service rsyslog restart

Now if you look in /var/log you should see an iptables file. After restarting syslog it should fill up with all of the tarpit logs!

Now we have a functioning tarpit server with logs! Of course, custom scripting can take this much farther and organize the data, but that will be up to you. You may also want to set up proper log rotation rules to prevent the iptables log from filling up your drive space.
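Added example (not part of the original post) of the kind of custom scripting just mentioned: a parser for the iptables LOG line format shown in section 3, with a summary of who is hitting the tarpit, on which TCP ports, and how many entries are fresh connection attempts (SYN without ACK) rather than the follow-up packets of a connection the tarpit is already holding. The sample log is constructed: its first line is the example from the post, the remaining lines are made up in the same format using RFC 5737 documentation addresses, and one unrelated sshd line is included to show that non-iptables messages are ignored.

```python
import re
from collections import Counter

# Constructed sample log (see the lead-in); hostname field is absent on the first line, as in the post.
SAMPLE_LOG = """\
Oct 16 12:01:47 kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=108.141.2.139 DST=10.3.128.131 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=51866 DF PROTO=TCP SPT=56124 DPT=3389 WINDOW=5840 RES=0x00 ACK URGP=0
Oct 16 12:01:52 tarpit kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=198.51.100.7 DST=10.3.128.40 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=40211 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 16 12:01:53 tarpit kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=198.51.100.7 DST=10.3.128.41 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=40212 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 16 12:02:10 tarpit kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=203.0.113.9 DST=10.3.128.5 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=7 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 16 12:02:11 tarpit kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=203.0.113.9 DST=10.3.128.5 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=8 DF PROTO=TCP SPT=51001 DPT=3389 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 16 12:02:12 tarpit kernel: inbound : IN=eth1 OUT= MAC=00:13:21:1c:5a:1c:00:15:c7:dc:54:80:08:00 SRC=203.0.113.9 DST=10.3.128.5 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=9 PROTO=UDP SPT=5353 DPT=5353 LEN=8
Oct 16 12:02:13 tarpit sshd[1234]: Accepted publickey for admin from 192.168.2.5 port 50000 ssh2
"""

# syslog timestamp, optional hostname, the kernel tag, the free-form --log-prefix text,
# then the packet fields, which always start at IN=
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>\S+) )?kernel: "
    r"(?P<prefix>.*?)(?P<body>IN=.*)$"
)


def parse_line(line: str):
    """Parse one iptables LOG line into a dict, or return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for token in m.group("body").split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value        # SRC=..., DPT=3389, OUT= (empty value), ...
        else:
            flags.add(token)           # bare tokens: DF, SYN, ACK, RST, ...
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "prefix": m.group("prefix").strip(),
        "fields": fields,
        "flags": flags,
    }


def summarize(log_text: str, prefix: str = "inbound :") -> dict:
    """Aggregate the tarpit log: events per source, per TCP destination port and per protocol,
    plus how many entries were fresh connection attempts (SYN without ACK)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e["prefix"] == prefix]
    by_source, by_port, by_proto = Counter(), Counter(), Counter()
    new_connections = 0
    for e in events:
        f = e["fields"]
        proto = f.get("PROTO", "?")
        by_proto[proto] += 1
        by_source[f.get("SRC", "?")] += 1
        if proto == "TCP":
            by_port[f.get("DPT", "?")] += 1
            if "SYN" in e["flags"] and "ACK" not in e["flags"]:
                new_connections += 1
    return {
        "events": len(events),
        "new_connections": new_connections,
        "protocols": dict(by_proto),
        "top_sources": by_source.most_common(5),
        "top_ports": by_port.most_common(5),
    }


if __name__ == "__main__":
    import json
    import sys
    # Usage: python3 tarpit_summary.py [/var/log/iptables]; without an argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(summarize(text), indent=2))
```

Note that the LOG rule in section 3 has no protocol match, so UDP probes to the range are logged too even though only TCP is handed to TARPIT; the summary keeps them visible under "protocols" rather than silently dropping them.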

Please feel free to comment, ask questions, or point out mistakes. I foresee several edits as I re-read this several times.