Hackers!!

Hackers are trying to get in.

Not to alarm anyone, but if you didn’t know already, unscrupulous individuals are trying to get into your system every day.  Most people are protected by their routers and firewall software.   These allow traffic to come into your device ONLY if you have initiated a connection to the remote device from within your own network or computer.

Fair enough.  But for someone who wants to play with their network from remote locations, herein lies the problem.  In order to connect to my Linux box from anywhere outside of my home, I first have to direct port 22 (for SSH) in  my router to my linux.  Now I can have access.  But so can anyone else who attempts a connection to my IP address.  Likely they have a script running that methodically runs down IP addresses, trying to get a response.  Now when they hit my IP address with SSH, instead of the standard no response, they get a LOGIN: prompt.  Now they know it’s something worth trying to access.  The next script starts trying standard login names, then when it hits a upon a valid name, it then goes through the passwords.  Here’s what it looked like last night.

This is a small excerpt from my /var/log/auth.log (grep -i failed /var/log/auth.log)

As you can see, they were using standard names alphabetically.  They did way more than that, using standard usernames like “user, sysadmin, admin, guest, matrix, neo, trinity” and so on.  The lesson learned here is that any usernames on your system should not be dictionary words.  Too easy to guess.  Make it something you can remember, but somewhat resembles a secure password (numbers, big & small letters).

iftop

How did I know someone was hitting my box?  Pure luck.  I figured people were trying before, but did not realize to what extent.  I also wonder how many of these script kiddies had hit my box before?

Every now and then when I’m logged into my linux box, I like to just play around to keep myself in practice of some of the many tools there are, like ipcalc and such.  One of the tools I’ve installed is iftop. It’s much like top, but for network interfaces.  I have a second network card on my box connected to my Cisco router.  The port on that router mirrors all the other ports so that it can see ALL the traffic on my network.  The benefit of this is when I run iftop on this interface, I can see ALL my traffic, not just the data specific to that IP address.  It’s great too for working with WireShark.

(sudo iftop -p -B -i eth1)  (iftop does not come with linux, you must install it)

I can see devices on my network communicating with each other.  Nagios on my linux box polling devices, websites being delivered to another PC on my home network, the router looking for other routers, etc.   What I did see last night though was a URL that did not look right.  It ended with a .gr, not the usual .com, .net, .org and was not on my local network.

I performed a whois on that sucker and found it was from Greece.  The University of Patras in Greece.   Ahhhhh, it figures.  Kid goes to college, takes some computer science cources, learns all about computers, networking and so on.  Now he figures he can make his own little scripts to access networks around the world.  And he is probably successful at times.  Not this time.  I found him.

Now that I see him, what to do?  Well, since I’ve a Cisco router and the know-how.  I create an ACL (access control list) to block him.   I could have blocked just his address, but was not sure if he’d just get another one somehow and try again, so I wanted to block the whole country.  My friend Sean had recently created a perl script that will create an ACL for you to include EVERY ip range for the country of your choice.  Perfect.  I ran this sucker and WOW, Greece had 180 IP ranges.  Weird enough, none of them included my hackers address ( I mean the University of Greece).  We’ll work on that later.  So I applied the new ACL, including a range for the university and applied it to my Interface.

As you can see by the last few lines of my ACL, that after it was applied (BTW, my /var/log/auth.log automatically stopped logging because now he could not get through) I still had 4,677 hits from him.  But he was stopped at the router.

That last line was to make sure anyone else (myself especially) could get through.   Okay, so that does not stop the others.  We’ll get to that soon.  But in the mean time, this particular misfit is denied.

Yes, I need to block out the world and yet still let myself in.   So now I’ll create a smaller ACL that denies everyone except my local region.  This being because I may want to get in from different places, i.e. my parents, work, coffee shops, etc.

So a smaller and complete ACL is shown below.

I changed the real IP addresses for display purposes.  The first 3 lines permit access from 2 major ISPs in my geographical area.  Line 90 allows DNS queries to succeed.  Line 91 allows FTP connections (I’d rather not as it’s not too secure, but I have a couple websites that the hosting companies don’t seem to care too much about the security).  Line 92 allows PING to work.  It’s nice to be able to ping a website and get a response just to know certain things are working while I’m troubleshooting.  Then line 100 allows anything that I’ve initated to come through.  So if I want to access a web page hosted at the University of Greece, I can.  But their students cannot enter my domain.

Take a look at that last line that denies everyone else, there’s 16 matches.  I have these logged, as you can see.  From the log I found hits from China, France and Poland.  All within a few hours.

Log Entry:
Apr 28 23:55:57.064:  list 2100 denied tcp 83.16.20.98 –   Connection attempt from Poland.

More to come

Now this does not totally protect me.  I am still vulnerable from my local area, but for a limited time.  Sean has offered me access to his secure network that will allow me to do one thing and one thing only from there, to connect to my network.  Now he has a static IP address, so my ACL can then be written to allow an un-established connection from the outside from that particular IP address only.

Another safeguard is IPTABLES.  I have briefly toyed with this firewall option built into Linux that is very flexible.  Supposedly one can set it up to allow a set number of failed login attempts before it disables that particular IP address for a set amount of time.  This would seriously slow down script kiddies and others.  However if I were to mistype my password that number of times, I could lock myself out for some time as well.  Oh well, guess I better slow down on my typing.

Vanity Plate

Take a Break

Okay, I’m going to take a break at this moment from the regularly non-scheduled blogging of Networking and Linux to share something still Linux related.  My new vanity plate.

I’ve always toyed with the idea of getting a vanity plate, but I did not want something too ordinary or obvious.  I wanted something unique, yet still relevant to something a portion of society could relate to or understand.  I did have a few ideas, but they were taken, such as 127001, which would be the IP address 127.0.0.1 which is the localhost or loopback IP address translating basically to “this device”.

Well I recieved my plates in the mail yesterday.

My Vanity Plate

SUDO MV.  For those new to Linux, SUDO is the command given to allow superuser (root) privileges to do whatever it is that regular users do not have access to.  It could be configuring system files, to modifying another users files.  It’s the SUPER USER.  The MV is “move”.  So as my car traverses the data bus known as the highway (not informational nor super) it is being moved by the Super User.  Oh yeah!!

Yes, it’s the little things in life that add up to something big.

To illustrate the point of SUDO a little more I’ve attached a comic from xkcd that was some of the inspiration for my choice of plates.

And that is how things take place in Linux.  There are times I try to run a command or edit a file and I’m denied.  It is then I need to use SUDO.

Tip: If you type a long command and are denied due to needing superuser ability, type “sudo !!“.  The double exclamation points insert the last command.  Try it, you’ll like it.

How can Dynamic DNS help you?

What is DNS? (domain name system)

Let me put it in terms most people can relate to.  The phone book.  When you want to call someone who’s phone number you don’t have, you grab the white pages (or yellow if it’s a business) and then you find their name and listed phone number.  You now have a number to call and so then you dial it on your phone.  In the world of networks, the internet being the biggest, connections are made by IP addresses, not the URL (i.e. technopotomus.com).

With DNS, it’s all taken care of for you.  Your computer is programmed with a DNS server either statically or dynamically when when it obtains its temporary IP address.  Now when you enter a web address that your computer does not know the IP for, it asks the DNS server what the IP address is for the URL you requested.  It then will tell your computer the number and your browser then uses that IP address to communicate with the web server.  Much like a 411 operator can connect your call after you ask for someones number.

The benefit of this to you and I is that we don’t have to remember the IP address for google.com, ubuntu.com or technopotomus.com.  We just have to remember their name, and that’s alot easier.  Especially when devices start using IPV6, you do NOT want to remember those numbers.

What is dynamic DNS?

Now if you want to connect to your home network from work, your buddies house or wherever else you have an internet connection, how are you going to do that?  Most people do not have a static IP address for their home internet connection.  Why?  Because your ISP has a pool of addresses and when your computer or your router logs into the internet with your local provider, it gives your device a temporary IP address and then when you disconnect, the IP address goes back into the pool.  The next time you connect, your IP address is likely to be different from the last time.  For most people, this is no big deal.  It’s been that way for some time without many people knowing, or caring, just so long as they can surf the net.

Again, how are you going to connect to your home network from work?  Dynamic DNS!!

How Dynamic DNS can be of help to you.

If you have your own domain name, this can work.  If you don’t, this can still work.

Keep in mind now there is a slew of Dynamic DNS providers.  Most of them provide this service for free.  Hey what could be better than that?  I suppose if they paid us to use their service, that would be better, but lets keep things on the side of reality here.  Most new household routers also provide a spot where you can enter your Dynamic DNS information (after you’ve signed up with a provider).  If you don’t have a router that will accommodate, or you’d rather not use a router for whatever reasons, you can install a small client on your computer which will do the same thing for you.

How to get service.

DynDNS is just one service.  I am using them as a sample only because that’s a service I have used an am familiar with them.  I imagine the others will be as simple to setup and use.  Once you create an account, you get to chose from a variety of domain names such as blogdns.com, dnsalias.com, hobby-site.com, is-a-geek.com and many, many others.  You then chose your 3rd level name to append to the front of your choice (if it’s available).  So imagine choosing birdhouses.hobby-site.com, then you can refer to your network as such.  And if you chose to setup a web server, you can give this URL out to direct traffic to your website.

Your next step is to enter your login name, password and your new hostname into your router.   If you chose to use an IP update client for your computer, make sure the service you chose has a client for your operating system.  DynDNS has a client for Linux, MacOS and Windows.

How does it work?

Once you have completed your configuration, go make a sandwich or two and eat them.  It will take some time to update.

The process now is that your router or client will periodically connect to your DDNS service with username and password.  When this happens, it grabs your IP address from the packets and now assigns your hostname with your IP address.  (don’t worry if your client is on a machine behind a router, the DDNS service will still obtain your public IP address)

Once the update is complete, requests for birdhouses.hobby-site.com will route to your IP address.  Keep in mind though, that if you try to connect TO your public IP address FROM your public IP address, it will not work. Apparently routers don’t like to try to send out requests for something that it knows is NOT OUT THERE.  I found that out when my DDNS service did not work, then I gave it one last try from work  and it was working.

Be Careful.

Keep in mind now, that if you publish your hostname, it will be more noticeable to others, perhaps people wanting to compromise your network.  Be careful what you put on there, and what security measures you need to take to keep things secure.  If you log into your computer, be sure not to use TELNET.  It sends everything in clear text, so if you log into your computer remotely, anyone using a packet sniffer that comes upon your transmission will see your IP address, username and password.  Wow, now you’ve got a big problem.  To avoid that, use Secure Shell (SSH).  One such client is putty.  You will however have to make sure that you have an SSH server installed on the device you plan to connect to.

So when your IP address changes, for whatever reason, you’ll never be out of your system or users denied access to your website.   As your IP address is Dynamic, so will your Domain.  Cheers.

Debian installation

Cheap Computer

One of the nice things about LINUX (whatever flavor you desire) is that it does not need the latest and greatest top of the line overclocked hardware to operate.   In fact, for my next project, the server I plan on setting up in VLAN 2 will not have a GUI installed, since it will not have a monitor (nor a need for one, as I will do everything I need to it by logging in via another computer on my network or from the internet).  Without having to display graphics and such, this is alot of overhead the Operating System does not have to deal with, leaving it’s processing power to what it needs to do, in this case, pretty much serve up web pages, and monkey with a database perhaps.

Craigslist

Ahhhhh, Craigslist.  The thing I like about Craigslist is that if what I see is not quite adequate, I can look again a few hours later and possibly find what I need.  I found something nice and simple for my needs.   It’s a 100Mhz P3 processor with 512MB of RAM, a 20GB hard drive and a CD-ROM reader.  It has USB ports and a working ethernet port.  Perfect!

To install Debian, the minimum requirements are

Now these are the minimums to run Debian without the GUI.  If I wanted to install the GUI and use it as a server, this still surpasses the minimum requirements.  So we’ll be just fine.

Of course to do the install, we do need a monitor, so I  will use what I have.  After the install, the monitor will be removed and re-connected to its original PC.

Debian

Now of ALL the different distros of Linux out there, why did I chose Debian?  First, it came highly recommended by someone who is quite knowledgeable in the area of Linux and is one of my greatest sources of all Linux knowledge these days.  But also because of it’s ease of use.

The more popular Ubuntu is based on Debian.  One of its great features is its ease of installation of programs.  We’ll get into that later.

The most recent release of Debian is 5.0.1, codename Lenny.  Lenny is named after “Lenny the binoculars” from Toy Story.  In fact all of Debians releases are named after Toy Story characters.  Being a fan of Pixar, I can only say they chose a good theme.

Installation

Now for the installation.  It went very well.  A nice guide with some screen shots of what to expect can be found here.  Keep in mind, that’s just a guide.  For the full manual, you might want to consult this page.

During installation, you are asked a slew of questions, don’t get intimidated, just plod along.  Probably the biggest hurdle is partitioning the hard drive.  Debian has recommended partition sizes, but this is for the Potato release which is quite a few releases back.  The average memory is larger in todays PCs and larger hard drives.   Everyone has  different suggestions, some of which are due to differing systems, but following the guideline at debian.com can help guide you.

It took me about 4 tries before I had all my partitions setup the way I wanted.  The nice thing is that the installer gives you a chance to review your partition setup before proceeding.

An important thing to consider is from where you want to get your updates and other apps you intend to install.  If you don’t plan on connecting your PC to the internet, CD-ROM is fine, but you will be limited.  Otherwise make sure you chose HTTP.

Tweaking

In order to make changes and tweaks, you’ll need to make sure you can edit/copy/move/delete files as superuser.  Hopefully you remember your ROOT password, you’ll need it.  Log in as root and edit /etc/sudoers with the visudo command (very important) .    Look for this section:

# User privilege specification
root    ALL=(ALL) ALL

Underneath the root user, add your username and copy the line above above it.   Now when you are logged in, you’ll have superuser privileges when you preface each command with SUDO.  You’ll need to enter your password alot.  That’s okay, it’s worth the security.

Make sure you get an update as well.  The copy you have, may be a tad bit old and newer updates are likely available.  So issue the command sudo aptitude update.  Of course, make sure you’ve got a good connection to the internet.

If you’re having trouble getting your updates, or if you’re trying to install an app that you know should exist, you may need to edit your /etc/apt/sources.list to the following.

deb http://ftp.debian.org/debian lenny main
deb-src http://ftp.debian.org/debian lenny main

deb http://security.debian.org/ lenny/updates main contrib
deb-src http://security.debian.org/ lenny/updates main contrib

deb http://volatile.debian.org/debian-volatile lenny/volatile main
deb-src http://volatile.debian.org/debian-volatile lenny/volatile main

Now if you have a different release other than lenny, make sure you replace lenny in the file with your particular release name.

Networking

During installation, I opted out of the DHCP setup for my network interface and setup static IP address because I plan on using static IP addresses for my whole network.  If after installation, you find that your network interface is misconfigured edit it with:

sudo nano /etc/network/interfaces

If all goes well, your Linux Box should be up and running.  If you can’t connect to your box remotely, using SSH (I recommend Putty if you’re using a windows machine) to log in, make sure you install OpenSSH server.  You can sudo aptitude install ssh to get both the server and client installed.

Prior to doing any installation, I recommend reading up on the software as much as you can.  You will definitely have some foreknowledge of what to expect and what information you may need to provide.  Be sure to read the installation guide before installing Debian.

Extras

During installation, you will also be asked what packages you want.  I opted out of the GNOME ones since they are for installing the GUI that I did not want.   I did however choose the Web Server.  I can’t remember if it was listed as HTTP, Apache or Web Server.  Nevertheless, that was included and works just fine.  I’ll make another post some day on installing Apache.  Fun.  I might have to uninstall what I’ve got first.  Not fun.