sfx2000
Part of the Furniture
Neat - what do you see for temps there - and does it correlate with the Asus WebGUI numbers?
[DIY] - SmallNetworks - Learning by Doing
- Thread starter sfx2000
- Start date
Neat - what do you see for temps there - and does it correlate with the Asus WebGUI numbers?
HardCat
Regular Contributor
Yes, it is the same as what is displayed in the Gui. Results as follows:
Code:
-----------------------------------------------------------
Wed May 25 11:16:41 DST 2016 @ RT-AC68U
CPU => 65C
-----------------------------------------------------------
Wed May 25 11:17:43 DST 2016 @ RT-AC87R
CPU => 75C
------------------------------------------------------------sfx2000
Part of the Furniture
Sorry - I've been busy with a couple of other items (forced work computer reimage and migration) that have taken up some of my time... the rewrite is going well - thought I would toss over the Security Section draft as a tidbit of how things are going so far...
This is all in DokuWiki markup - and formats out nicely in that app - would appreciate an comments/feedback and perhaps some shared insight and tip.
sfx
This is all in DokuWiki markup - and formats out nicely in that app - would appreciate an comments/feedback and perhaps some shared insight and tip.
sfx
Code:
====== Securing your SNB Basics Server ======
As we have proceeded thru this series - the security concerns have been highlighted and addressed
We've created an admin group and limited admin actions to members of the admin group, we've limited OpenSSH users to specific users and disabled the rootLogin. We've built up services, carefully limiting scope of what IP ranges can access those services, and provided specific accounts to access those services.
By design and intent - security has been part and parcel - not patched on at the end.
This section builds upon this design, and secures the SNB Basis Server project that much more.
==== Tribal Knowledge ====
Much information 'out there' is out of date, and can actually impact security, usability, and stability of the platform.
Specifically - and I hate to call this out - but I feel I must - if you google ubuntu secure 16.04, you'll find this info, and it's been cut and pasted across the internet.
https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1604-lts-server-part-1-basics
There is a danger in "tribal knowledge" - we see this even here on SNB forums... I can appreciate enthusiasm, but it's not as easy as going to a web page without understanding the why we do things.
You can review the URL above, but I caution you again, much of that info is out of date.
**Security is a Mindset, not a cut and paste**
As we built this server - and I'm walking along side, this reflects my server build... I'm doing my best to keep your server safe and secure, because my own server needs to be.
Keep in mind that __no__ platform is ever perfectly secure - by careful consideration what applications and services, we can limit the threat surface, and for possible threats, harden them.
__True security is not based in complexity, it's on simplicity__ - and for the most part, we will get there thru this setup.
====== netfilter, iptables, ufw ======
The Linux kernel provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the iptables suite of commands. iptables provide a complete firewall solution that is both highly configurable and highly flexible.
Becoming proficient in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task.
Now before we get too far - let's take a look at the iptables rules that are part of the default Ubunutu installation
sudo iptables -L
<code>
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
</code>
===== The Uncomplicated Firewall - UFW =====
==== Install the UFW ====
The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls.
ufw is a framework for managing netfilter, as well as a command-line interface for manipulating the firewall.
ufw aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifies complicated iptables commands to help an adminstrator who knows what he or she is doing.
sudo apt install ufw
**Check the UFW status**
sudo ufw status
Status: inactive
So we know it's installed, and not active at the moment
**UFW and IPv6**
If your connection is configured for IPv6, let's ensure that UFW is configured to support IPv6 so that will configure both your IPv4 and IPv6 firewall rules. To do this, open the UFW configuration with this command:
sudo nano /etc/default/ufw
Then make sure "IPV6" is set to "yes", like so:
IPV6=yes
==== Configuring the UFW ====
Now let's set up some basic rules to build our config
sudo ufw default deny incoming
sudo ufw default allow outgoing
What we've done here is to deny all incoming connections, and we've told the UFW to allow all outgoing connections
Now we build a white list of services that we let in from the outside world - we want to rate limit the number of connection attempts on the ssh port (because this is a good idea if you're port forwarding the system:port on your WAN interface from your Router/Gateway
sudo ufw limit ssh
(which is shorthand for ufw limit tcp/22)
And we trust our home network for all services
sudo ufw allow from 192.168.1.0/24
and enable the UFW and check the status
sudo ufw enable
sudo ufw status
<code>
Status: active
To Action From
-- ------ ----
22 LIMIT Anywhere
Anywhere ALLOW 192.168.1.0/24
22 (v6) LIMIT Anywhere (v6)
</code>
Now let's say I want to drop a rule - here's an easy way to do that
sudo ufw status numbered
<code>
Status: active
To Action From
-- ------ ----
[ 1] 22 LIMIT IN Anywhere
[ 2] Anywhere ALLOW IN 192.168.1.0/24
[ 3] 22 (v6) LIMIT IN Anywhere (v6) </code>
And we can then drop a rule using ufw delete [number]
If you want to disable the UFW
sudo ufw disable
And let's say we want to start all over and put UFW back to fresh
sudo ufw reset
Which will clear all the rules, and disable the firewall - easy peasy
The [[https://help.ubuntu.com/community/UFW|Ubuntu Community Wiki]] has even more info on the UFW, and additional links to read up on it.
my rulesets for UFW:
<code>
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit ssh
sudo ufw allow from 192.168.1.0/24
sudo ufw allow from fe80::/64
# done for most purposes
# if you want to be more specific on the LAN side - we limit ports to link-local
sudo ufw allow proto tcp to any port 135 from 192.168.1.0/24
sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 135 from fe80::/64
sudo ufw allow proto udp to any port 137 from fe80::/64
sudo ufw allow proto udp to any port 138 from fe80::/64
sudo ufw allow proto tcp to any port 139 from fe80::/64
sudo ufw allow proto tcp to any port 445 from fe80::/64
sudo ufw allow proto udp to any port 5353 from 192.168.1.0/24
sudo ufw allow proto udp to any port 5353 from fe80::/64
sudo ufw allow proto tcp to any port 80 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 443 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 80 from fe80::/64
sudo ufw allow proto tcp to any port 443 from fe80::/64
</code>
**Block an IP Address**
To block all network connections that originate from a specific IP address, 15.15.15.51 for example, run this command :- and this will pop that IP to the top of the list and block all traffic from it
sudo ufw insert 1 deny from 15.15.15.51
In this example, from 15.15.15.51 specifies a source IP address of "15.15.15.51". If you wish, a subnet, such as 15.15.15.0/24, may be specified here instead. The source IP address can be specified in any firewall rule, including an allow rule.
Last edited:
sfx2000
Part of the Furniture
Here's the fail2ban section that goes right behind it - it's over 10k characters in this section, so have to break it up
Code:
===== Fail2Ban =====
Fail2ban is a program that can be installed to limit brute force attack attempts using IPTables - Fail2ban allows you, as the admin, to configure what is known as jails. These jails are specific settings for various programs such as ssh and other services - this section walks one thru how to install, configure, and integrate Fail2Ban with the UFW.
**Install fail2ban**
sudo apt install fail2ban
Create a local jail file - we do this as it will override the jail.conf file, and if updated, it will preserve our changes
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Set some basic items in jail.local
<code>
# ignoreip = 127.0.0.1/8
ignoreip = 127.0.0.1/8 192.168.1.0/24
# bantime = 600
bantime = 7200
# finditime = 600
findtime = 300
# maxretry = 6
maxretry = 3
</code>
Save the file, and restart fail2ban
sudo service fail2ban restart
And that's basically it - by default, Ubuntu will set the sshd jail automatically when installed
to check status of fail2ban
fail2ban-client -d
==== Fail2Ban - UFW Integration ====
Out of the box Fail2ban works with iptables rules, and it works ok without integration into UFW, but we can do a bit more, and tie UFW and Fail2ban together as a comprehensive solution.
First lets go into /etc/fail2ban/jail.conf and change the default jail for ssh to use ufw actions that we will create:
sudo nano /etc/fail2ban/jail.local
Edit/Modify the sshd jail - note that I've commented out the default action, and added new lines
<code>
[sshd]
#port = ssh
#logpath = %(sshd_log)s
enabled = true
port = 22
banaction = ufw-ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
</code>
Now we create an action file for ufw-ssh integration
sudo nano /etc/fail2ban/action.d/ufw-ssh.conf
<code>
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH
</code>
What we've done here is to define the jail for sshd, create an action in the actions.d/ufw-ssh.conf - this inserts a rule on the fly into the UFW ruleset at the top of the list - when the ban timer expires, the rule is removed
More info here -- https://blog.vigilcode.com/2011/05/ufw-with-fail2ban-quick-secure-setup-part-ii/
Last edited:
sfx2000
Part of the Furniture
And here's the User Management Section that also deals with Security
Code:
====== Managing User Accounts ======
Security First...
**Activate and Secure ROOT's account**
sudo passwd root
Pick a long random password - 16 to 24 characters is good enough - don't need to remember it, as you can always reset it as the primary admin.
**Setup SUDOERS**
We create the ADMIN group - only they can act as ADMINS, other accounts cannot - they will not have sudo access
test@testbox:~$ sudo groupadd admin
test@testbox:~$ sudo usermod -a -G admin test
**Adding User Accounts**
Only add the ones you absolutely need - you're the admin, and you're in control - do it up front, and save pain later...
Access to the SNB Basics Service is not a right, it's a privilege.
Add additional users
<code>
test@testbox:~$ sudo useradd -m alice
test@testbox:~$ sudo passwd alice
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
</code>
You can check that the command passed by looking at /home
<code>
$ cd /home
$ ll
total 16
drwxr-xr-x 4 root root 4096 May 29 16:28 ./
drwxr-xr-x 23 root root 4096 May 23 23:02 ../
drwxr-xr-x 27 test test 4096 May 28 15:26 test/
drwxr-xr-x 3 alice alice 4096 May 29 16:28 alice/
</code>
Any additional accounts are not part of the admin group, so if they attempt to use sudo - they'll fail - see below, you can try it yourself -
<code>
test@testbox:~$ su alice
Password: <alice's passwd you set above>
alice@testbox:/home/test$
</code>
As she tries to list the directory for something outside of her home directory as sudo
<code>
sudo ls /etc
[sudo] password for alice: <alice's passwd>
alice is not in the sudoers file. This incident will be reported.
</code>
If you trust that account - you can add that user by using the usermod command as above - adding them to the admin group, but security is based on trust, and trust is more than just knowing/liking someone - they also have to have the need to access - most don't.
**Deleting a user account**
You can delete a user at any time by the following command - **userdel**
<code>
sudo userdel alice
</code>
This will remove the user, but keep their /home/newuser directory intact for further review - if you want to remove the users directory, add the -r switch to the command
<code>
sudo userdel -r alice
</code>
**Disabling the Guest Session**
If you prefer to not allow guest access to your computer, you can disable the Guest Session feature. To do so, press Ctrl+Alt+T to open a terminal window, and then run this command (it's one long command, even if it may be shown wrapped on the screen - copy and paste to get it right):
<code>
sudo sh -c 'printf "[SeatDefaults]\nallow-guest=false\n" >/usr/share/lightdm/lightdm.conf.d/50-no-guest.conf'
</code>
The command creates a small configuration file. To re-enable Guest Session, simply remove that file:
<code>
sudo rm /usr/share/lightdm/lightdm.conf.d/50-no-guest.conf
</code>
Last edited:
sfx2000
Part of the Furniture
Here's one that'll get you into trouble, lol... but a good walk-thru on how to obtain code, build, and install software that isn't in the repo's for the linux platform.
Code:
====== SNB Security - Extras ======
While this is optional - it's a useful tool and exercise to obtain, build, and install sourcecode that is not necessarily part of the repo's of the installation. Even if they are, sometimes one wants something more current/up to date than what is available via **apt**...
===== NMAP - Network Security Scanner =====
The best defense is a good offense - NMAP will help you discover 'issues' on your network (and others, nudge nudge)
<code>
___.-------.___
_.-' ___.--;--.___ `-._
.-' _.-' / .+. \ `-._ `-.
.' .-' |-|-o-|-| `-. `.
(_ <O__ \ `+' / __O> _)
`--._``-..__`._|_.'__..-''_.--'
``--._________.--''
____ _____ ____ ____ _ _______
|_ \|_ _||_ \ / _| / \ |_ __ \
| \ | | | \/ | / _ \ | |__) |
| |\ \| | | |\ /| | / ___ \ | ___/
_| |_\ |_ _| |_\/_| |_ _/ / \ \_ _| |_
|_____|\____||_____||_____||____| |____||_____|
NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY
</code>
**What is NMAP?**
//Nmap is an open source and cross-platform software that provides users with one of the most powerful network discovery and security auditing utility appreciated by numerous system administrators and security professionals around the world.//
**Features at a glance**
//Key features include the ability to monitor service and host uptime, manage service upgrade schedules, do network inventory, discover available hosts on a network based on raw IP packets, as well as to discover running services and operating systems on a specific network.//
//In addition, it supports a wide range of advanced network mapping techniques, including ping sweeps, TCP/UDP port scanning mechanisms, as well as the ability to scan networks of hundreds of thousands of computers.//
==== Installing NMAP ====
Now there's a few ways to get this - can grab it directly from apt, download the tarball from nmap.org, or we can do it the old-school way.
It's a good chance to do it the old-school way
In this how-to we will
- install dependencies
- sync up to an online source code repository
- compile the software
- install by hand the NMAP
So let's get started:
sudo apt install build-essential subversion libssl-dev autoconf pwgen python-gtk2 python2.7-dev gksu
Checkout the NMAP source from NMAP's Subversion Repo
sudo svn co https://svn.nmap.org/nmap
This will place a local working copy in /home/test/nmap
cd /home/test/nmap
**Building NMAP**
This is generally a configure, make, make install
This builds the make file
sudo ./configure
Does the build
sudo make
This installs nmap - see the note below about ''su root''
su root
make install
**Whoa - what's this su root thing?**
NMAP gets installed into things that only root can do - even as admin with sudo powers, you can't go there - so if you haven't activated root, or don't remember the root passwd
<code>
sudo pwgen 24
[sudo] password for test:
xi0thaiguthohJ7OhDek8Eeb yohs5Keep4Ay3ailahna3ePo yuG6vai8zai0eeZ7hua0eibi
(and more)
</code>
pick one - put it on the clipboard and then
sudo passwd root
paste that clipboard item in, and when it asks to confirm, paste again
As the admin, you can change root's passwd any time you need to...
==== Running NMAP ====
NMAP is pretty easy to run, many options - go overboard, and that target host might crash - here's a quick command line example
sudo nmap -v -A 192.168.1.1
We're targeting that consumer grade Router/AP that is our WAN/LAN gateway - might be surprised at what you find... might need to power cycle it afterwards...
-v: Increase verbosity level (use -vv or more for greater effect)
-A, to enable OS and version detection, script scanning, and traceroute
Many, many more options are available - check the well documented man page for more details
man nmap
==== NMAP audit results of the SNB Basics Server config ====
Below is an NMAP audit of the SNB Basics configuration - I'm not too worried about things, as we know what services we've built, and we've done our best to secure them - the NETBIOS (Samba) is as good as we can make it, and if you don't need the SAMBA, you can turn it off...
Let's analyze this from a security perspective
* **SSH** - we have access control, and it is crypto secure
* **SMTP** - access control again, and while port 25 is open, only the gmailuser@gmail.com can use it (cryto again thru SASL), and we have it firewalled
* **HTTP/PHP** - runs as www-data, and is limited only to the document root in the apache2 configuration and security directives
* **NETBIOS/Samba** - runs as it's own user, and only has access to /var/share and /var/media - Samba only users cannot log in to unix if they don't have a Unix password (useradd vs. adduser)
<code>
Nmap scan report for 192.168.1.6
Host is up (0.00042s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 (protocol 2.0)
25/tcp open smtp Postfix smtpd
|_smtp-commands: testbox, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=testbox
| Issuer: commonName=testbox
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-05-20T22:55:38
| Not valid after: 2026-05-18T22:55:38
| MD5: aabb 1122 4ab4 4c4f 3f7d 60a2 7f3a b7c9
|_SHA-1: ccdd 3344 6b46 4974 59b7 e5c1 016b b042 2c3e 619c
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache
|_http-title: the bluepill
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
5901/tcp open vnc VNC (protocol 3.8)
| vnc-info:
| Protocol version: 3.8
| Security types:
| VNC Authentication (2)
| Tight (16)
| Tight auth subtypes:
|_ STDV VNCAUTH_ (2)
6001/tcp open X11 (access denied)
Service Info: Host: testbox
Host script results:
| nbstat: NetBIOS name: TESTBOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| TESTBOX<00> Flags: <unique><active>
| TESTBOX<03> Flags: <unique><active>
| TESTBOX<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: testbox
| NetBIOS computer name: TESTBOX
| Domain name:
| FQDN: testbox
|_ System time: 2016-05-22T14:39:58-07:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
Nmap done: 1 IP address (1 host up) scanned in 15.87 seconds
</code>
Last edited:
oletuv
Regular Contributor
Sfx,
The command "sudo useradd <newuser>" does not create the home directory for the new user unless I add the "-m" option. I checked the "/etc/login.defs" file which has DEFAULT_HOME set to Yes, but does not include a line for enabling CREATE_HOME.
I´m running Ubuntu Desktop 16.04 in a VirtualBox VM.
Ole
sfx2000
Part of the Furniture
Going back to the UFW/Fail2Ban section - this is why we do this - even with iptables rate limiting, and openssh session limiting, the 'bots are out there - it's all secure, but we can do more...
output from Logwatch
ssh is exposed to the outside world - one day's logs...
output from Logwatch
ssh is exposed to the outside world - one day's logs...
Code:
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (222.186.56.119): 573 Time(s)
unknown (91.224.161.46): 39 Time(s)
unknown (58.220.253.195): 27 Time(s)
root (91.224.161.46): 17 Time(s)
unknown (200.11.218.76): 16 Time(s)
unknown (1.85.2.100): 5 Time(s)
unknown (219.219.114.120): 5 Time(s)
root (200.11.218.76): 3 Time(s)
root (58.220.253.195): 3 Time(s)
unknown (13.65.90.17): 3 Time(s)
unknown (163.172.204.238): 3 Time(s)
root (1.85.2.100): 2 Time(s)
unknown (14.155.117.211): 2 Time(s)
unknown (37.189.119.36): 2 Time(s)
mysql (201.116.36.202): 1 Time(s)
root (13.65.90.17): 1 Time(s)
root (14.155.117.211): 1 Time(s)
root (163.172.204.238): 1 Time(s)
root (201.116.36.202): 1 Time(s)
root (219.219.114.120): 1 Time(s)
root (37.189.119.36): 1 Time(s)
unknown (104.148.116.66): 1 Time(s)
unknown (125.212.232.142): 1 Time(s)
Invalid Users:
Unknown Account: 104 Time(s)sfx2000
Part of the Furniture
Good catch - I normally do useradd for samba accounts - I'll fix the post...
What @oletuv is mentioning is the -m switch to create a home directory for the new user - important if the new user has a linux account on the system, but if they're a samba account, it's not as important.
Code:
man useradd
-m, --create-home
Create the user's home directory if it does not exist. The files and directories contained in
the skeleton directory (which can be defined with the -k option) will be copied to the home
directory.
By default, if this option is not specified and CREATE_HOME is not enabled, no home
directories are created.
Last edited:
sfx2000
Part of the Furniture
This is a good example of peer review and collaboration - thanks man!
sfx2000
Part of the Furniture
--------------------- pam_unix Begin ------------------------
sshd:
Authentication Failures:
root (222.186.56.119): 573 Time(s)
[/QUOTE]
And with the nmap installed - we can reach back... since they poked us first... and we see that this is probably a big Windows cluster running in China...
Code:
$ sudo nmap -v -A 222.186,56,119
Starting Nmap 7.12SVN ( https://nmap.org ) at 2016-05-29 19:02 PDT
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:02
Completed NSE at 19:02, 0.00s elapsed
Initiating NSE at 19:02
Completed NSE at 19:02, 0.00s elapsed
Initiating Ping Scan at 19:02
Scanning 222.186.56.119 [4 ports]
Completed Ping Scan at 19:02, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:02
Completed Parallel DNS resolution of 1 host. at 19:02, 0.04s elapsed
Initiating SYN Stealth Scan at 19:02
Scanning 222.186.56.119 [1000 ports]
Discovered open port 1026/tcp on 222.186.56.119
Completed SYN Stealth Scan at 19:02, 23.45s elapsed (1000 total ports)
Initiating Service scan at 19:02
Scanning 1 service on 222.186.56.119
Completed Service scan at 19:03, 56.77s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 222.186.56.119
Retrying OS detection (try #2) against 222.186.56.119
Initiating Traceroute at 19:03
Completed Traceroute at 19:04, 3.06s elapsed
Initiating Parallel DNS resolution of 12 hosts. at 19:04
Completed Parallel DNS resolution of 12 hosts. at 19:04, 10.90s elapsed
NSE: Script scanning 222.186.56.119.
Initiating NSE at 19:04
Completed NSE at 19:04, 0.31s elapsed
Initiating NSE at 19:04
Completed NSE at 19:04, 0.00s elapsed
Nmap scan report for 222.186.56.119
Host is up (0.21s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
25/tcp filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
1026/tcp open msrpc Microsoft Windows RPC
4444/tcp filtered krb524
6129/tcp filtered unknown
Device type: general purpose|switch
Running (JUST GUESSING): Microsoft Windows XP|2003 (88%), Allied Telesyn embedded (85%)
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003::sp2 cpe:/h:alliedtelesyn:rapier_g6
Aggressive OS guesses: Microsoft Windows Fundamentals for Legacy PCs (XP Embedded derivative) (88%), Microsoft Windows Server 2003 SP2 (86%), Allied Telesyn Rapier G6 switch (85%), Microsoft Windows XP SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops
TCP Sequence Prediction: Difficulty=248 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 113/tcp)
HOP RTT ADDRESS
1 0.43 ms 192.168.1.1
2 12.41 ms 10.143.0.1
<snip>
8 218.97 ms 202.97.51.221
9 ...
10 180.23 ms 202.97.33.93
11 205.15 ms 202.97.92.22
12 ... 13
14 254.30 ms 222.186.4.66
15 ... 16
17 214.16 ms 222.186.56.119
NSE: Script Post-scanning.
Initiating NSE at 19:04
Completed NSE at 19:04, 0.00s elapsed
Initiating NSE at 19:04
Completed NSE at 19:04, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.59 seconds
Raw packets sent: 1193 (56.080KB) | Rcvd: 1061 (43.520KB)
sfx2000
Part of the Furniture
bonus points for today - this is draft, and likely will change... it does depend on the LAMP install - we're install phpmyadmin to manage mysql, a lightweight Wiki, and a cute little network benchmark - speedtest.mini...
Code:
====== Web Apps ======
This is a quick walk-thru on apps delivered via HTTP.
Apache sees things two ways - docs on in ''/var/www'', and apps via CGI are in ''/usr/share''
And then PHP kind of gets in the middle of things...
===== phpmyadmin - mysql gui admin =====
Prerequisites - LAMP Install
**install phpmyadmin**
sudo apt install phpmyadmin
When prompted - select apache as the web server, and say <yes> when asked for db-common - you'll be prompted for a password for phpmyadmin - this is the user account for phpmyadmin, and the password is for the database, as well as the weblogin for phpmyadmin - so make a note of it.
HINT - This screen trips folks up - pay attention! apache2 is highlighted, but not selected
Warning: When the first prompt appears, apache2 is highlighted, but not selected. If you do not hit Space to select Apache, the installer will not move the necessary files during installation. Hit Space, Tab, and then Enter to select Apache.
So I think I've hinted enough here
<code>
┌────────────────────────┤ Configuring phpmyadmin ├─────────────────────────┐
│ Please choose the web server that should be automatically configured to │
│ run phpMyAdmin. │
│ │
│ Web server to reconfigure automatically: │
│ │
│ [*] apache2 │
│ [ ] lighttpd │
│ │
│ │
│ <Ok> │
│ │
└───────────────────────────────────────────────────────────────────────────┘
</code>
Don't forget to hit the spacebar on apache2 to select...
<code>
┌────────────────────────┤ Configuring phpmyadmin ├─────────────────────────┐
│ │
│ The phpmyadmin package must have a database installed and configured │
│ before it can be used. This can be optionally handled with │
│ dbconfig-common. │
│ │
│ If you are an advanced database administrator and know that you want to │
│ perform this configuration manually, or if your database has already │
│ been installed and configured, you should refuse this option. Details on │
│ what needs to be done should most likely be provided in │
│ /usr/share/doc/phpmyadmin. │
│ │
│ Otherwise, you should probably choose this option. │
│ │
│ Configure database for phpmyadmin with dbconfig-common? │
│ │
│ <Yes> <No> │
│ │
└───────────────────────────────────────────────────────────────────────────┘
</code>
Just say yes here if a fresh install (which we are)
It'll prompt you for a password - this will be the phpmyadmin password to login to the phpmyadmin page...
NOTE - if you go down the db-common config path, any existing databases with phpmyadmin or information-schema will be dropped and replaced with new databases - if you're migrating an old install, just be aware - check phpmyadmin's documents for more info on migrating old installs.
Installing the missing php modules
sudo apt install php-mbstring php-gettext
and enable them - yes, one can hotpatch php without reloading/restarting apache2 - scary thought, eh?
sudo phpenmod mcrypt
sudo phpenmod mbstring
See that they're hot - http://testbox.local/lbd/phpinfo.php
**Login to phpmyadmin**
Go to http://testbox.local/phpmyadmin, and you should see the webapp running - login as phpmyadmin with the password you set in the previous step
**TIP** - Now here's where things get a bit tricky if you're an old hand at LAMP - MySQL 5.7 changed the security model, not allowing MySQL root user login without sudo (while the password can be blank).
So things will likely go odd - one can login to the phpmyadmin, but that user can't make changes as the phpmyadmin user doesn't have the global privileges or grant options
Here's the fix
sudo mysql --user=root mysql
GRANT ALL PRIVILEGES ON *.* TO 'phpmyadmin'@'localhost' WITH GRANT OPTION;
FLUSH PRIVILEGES;
quit
Logout of phpmyadmin, and log back in, and you'll be right as rain...
Here - have a [[http://www.oracle.com|cookie]] - just kidding ;)
Now to make these services persistent = they should be, but let's make sure...
sudo systemctl enable apache2
sudo systemctl enable mysql
===== dokuWiki - taking notes =====
This is an example - while DokuWiki is in the Debian/Ubuntu repos - if you don't believe me you can check - apt list dokiwiki
Don't take the easy way out - let's do it the real way... This is a good walkthru on how to hand install software
DokuWiki is chosen as it's lightweight enough to run on Raspberry Pi, and still be easy to install and use. All of these documents/walkthru's have been composed with DokuWIki
So hold on to your shorts, we're not in Kansas anymore...
Enable Apache Rewrite module and restart apache2
sudo a2enmod rewrite
sudo service apache2 restart
Download and uncompress the latest stable release.
cd /var/www/html
sudo wget http://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz
sudo tar xvf dokuwiki-stable.tgz
sudo mv dokuwiki-*/ dokuwiki
Change permissions
sudo chown -R www-data:www-data /var/www/html/dokuwiki
Change AllowOverrides setting in Apache2 to use .htaccess files for security
sudo nano /etc/apache2/apache2.conf
For directory ''/var/www/'' replace\\ ''AllowOverride None''\\ with\\ ''AllowOverride All''
Restart Apache2 service
sudo service apache2 restart
Visit ''http://testbox.local/dokuwiki/install.php'' to initially configure your DokuWiki. It's going to ask for a few things - but now this is your app, you can make your choices...
Don't forget to delete the install.php file after finished installing.
sudo rm /var/www/html/dokuwiki/install.php
Note - SMTP daemon is needed for sending email (e.g. user registration), see postfix section if you skipped it earlier
Enjoy your own DokuWiki server.
===== SpeedTest.mini =====
People want to see how fast their connections are - here's a simple in-network way to support this on your LAN
Downloading Speedtest.Net mini... go to http://www.speedtest.net/mini.php
Sign up for an account - once done, you will be offered a link to download mini.zip
Once done - upload/copy it to /var/www/html/
unpack the file into a directory - you should have /var/html/www/mini
sudo unzip /var/www/html/mini.zip
rename /var/www/html.miniindex-php.html to index.html
sudo mv /var/www/html/mini/index-php.html /var/www/html/mini/index.html
do a change owner, as the apache needs to access this...
sudo chown -R www-data:www-data /var/www/html/mini
and give it the right perms
sudo chmod -R 755 /var/www/html/mini
and point your browser to http://testbox.local/mini
This little webapp does require a current flash plugin for your browser
Last edited:
sfx2000
Part of the Furniture
And here's the current LAMP
Code:
====== Install LAMP ======
Here we install the basics - Apache2, MariaDB (mysql), and PHP
===== Install mysql =====
comment - mariadb is the future for debian based builds, it's a drop in replacement for mysql
sudo apt install mariadb-server mariadb-client
Setting up mysql
for mariadb - there is a little bit more to do
sudo mysql_secure_installation
follow the prompts - note, when it asks for root, it's the mysql root, not system root
Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y, note, this is mysql root, not system root
New password: getaccess <-- Enter the new MariaDB root password here, this is example, choose a different one
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y
check to make sure mysql is good...
test@testbox:~$ sudo mysql --user=root mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
MariaDB > quit
===== Install Apache =====
sudo apt install apache2
start up apache2
sudo service apache2 start
Then one should be able to fire up a web browser and go to http://testbox.local and see the default page
TIP - install the Apache2 Documentation Package if you're not an experienced Apache2 admin - l
sudo apt install apache2-doc
ots of good info in there, and can review it by going to http://testbox.local/manual/en/index.html
**Security Hint**
Reduce Apache2 Data Leakage - might be of interest if your pushing your SNB Basics server to the public internet
Edit the Apache2 configuration security file :
sudo nano /etc/apache2/conf-enabled/security.conf
Edit/Change the following lines and save:
ServerTokens Prod
ServerSignature Off
Restart Apache server
sudo service apache2 restart
===== Install PHP =====
install php7 and the various modules
sudo apt install php7.0 libapache2-mod-php7.0 php-pear
and kick apache
sudo service apache2 restart
do the phpinfo page to check that php is enable
sudo nano /var/www/html/info.php
<?php
phpinfo();
?>
Change the owner/group of the info.php file
sudo chown www-data:www-data /var/www/html/info.php
then fire up a browser and go to http://testbox.local/info.php
should get the cool php info screen with lots of good info
now lets get mysql support for php
sudo apt install php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php-pear php-imagick php7.0-imap php7.0-mcrypt php-memcache php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl php7.0-mbstring php-gettext
and bounce apache again...
sudo service apache2 restart
Congrats - you now have a fully capable battlestation (erm, SNB Basics LAMP Server)
===== Webserver/HTML excercise =====
Ok, now that we have a working LAMP server...
Make a subdirectory and move the default index.html and info.php files there...
sudo mkdir /var/www/html/lbd
sudo mv /var/www/html/index.html /var/www/html/lbd/default.html
sudo mv /var/www/html/info.php /var/www/html/lbd/phpinfo.php
They'll be in http://hostname.local/lbd/ - and then create a small html page to replace the default install index.html page (but we keep it for safe keeping, as nice stuff there)
sudo nano /var/www/html/index.html
type in the following
<code>
<!DOCTYPE HTML PUBLIC>
<HTML>
<HEAD>
<TITLE>the bluepill</TITLE>
</HEAD>
<P>You take the blue pill, the story ends. You wake up in your bed and believe whatever you want to believe.</P>
<P>You take the red pill, you stay in wonderland, and I show you how deep the rabbit hole goes. </P>
<A HREF="http://www.google.com">take the blue pill</A>
<p></p>
<A HREF="http://testbox.local/lbd/phpinfo.php">take the red pill</A>
</HTML>
</code>
(I know, really bad HTML, but has all the legal elements needed for a browser to render a page)
Anyways - we're going to revisit this page as we move forward into other web apps - consider this your portalsfx2000
Part of the Furniture
So I'm still cleaning up a couple of items - the ssh/vnc section, postfix, and the storage section which ended up being really huge due to abstractions in how linux can manage storage and file (this section basically builds a fully feature NAS from scratch).
Again - be patient - I'm working on it - and always feel free to provide feedback/comments...
Again - be patient - I'm working on it - and always feel free to provide feedback/comments...
HardCat
Regular Contributor
Wow lot's to do! I am working my way thru the fail2ban section and I believe I may have discovered a typo:
The line "sudo nano /etc/fail2ban/actions.d/ufw-ssh.conf"
should be "sudo nano /etc/fail2ban/action.d/ufw-ssh.conf"
No "s" on the reference to the "action" directory.
Hope this helps!
sfx2000
Part of the Furniture
If you get to the point where DokuWiki is installed, here's a table of contents that you can use to create your own copy - all of these how-to's are in dokuwiki markup...
Code:
==== Table of Contents ====
* [[SNB Basics - HW and SW Requirements]]
* [[SNB Basics - Linux Install]]
* [[SNB Basics - Managing Users]]
* [[SNB Basics - Network Management]]
* [[SNB Basics - Network Services]]
* [[SNB Basics - Remote Access]]
* [[SNB Basics - LAMP Server Install]]
* [[SNB Basics - WebApps]]
* [[SNB Basics - Network Monitoring]]
* [[SNB Basics - Monitoring]]
* [[SNB Basics - Storage]]
* [[SNB Basics - Simple NAS Server]]
* [[SNB Basics - Security]]
* [[SNB Basics - Security Extras]]sfx2000
Part of the Furniture
There's a small fix in the NTP section - change follows
sudo apt install ntp ntpdate
change to below
sudo apt install ntp
ntp and ntpdate can conflict with each other, and ntp will lose, segfaulting out, so decided to remove ntpdate as ntp basically does the same thing,.
sudo apt install ntp ntpdate
change to below
sudo apt install ntp
ntp and ntpdate can conflict with each other, and ntp will lose, segfaulting out, so decided to remove ntpdate as ntp basically does the same thing,.
Similar threads
Latest threads
-
iPhone 16 Pro w/ GT-Be98 Pro & BQ16
- Started by Jadehsn
- Replies: 0
-
-
Release ASUS ZenWiFi Pro ET12 Firmware version 3.0.0.4.З88_24610 (2024/11/08)- Started by rudoyeugene
- Replies: 0
-
Release ASUS GT-AX11000 Pro Firmware version 3.0.0.6.102_34735 (2024/11/07)
- Started by fruitcornbread
- Replies: 0
-
Release ASUS RT-AX59U Firmware version 3.0.0.4.388_33404 (2024/11/07)
- Started by fruitcornbread
- Replies: 0
Support SNBForums w/ Amazon
If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!