What's new

[DIY] - SmallNetworks - Learning by Doing

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

This will give us temps for the Arm devices:

Code:
#!/bin/sh
# Remove the hex "f8" which was surpressing the "C" for celsius and 2 newlines from the file first
cpu=$(tr -d '\xf8\n' < /proc/dmu/temperature | awk '{printf $4}')
echo "$(date) @ $(uname -n)"
echo "CPU => $cpu"

Neat - what do you see for temps there - and does it correlate with the Asus WebGUI numbers?
 
Neat - what do you see for temps there - and does it correlate with the Asus WebGUI numbers?

Yes, it is the same as what is displayed in the Gui. Results as follows:

Code:
-----------------------------------------------------------
Wed May 25 11:16:41 DST 2016 @ RT-AC68U
CPU => 65C
-----------------------------------------------------------
Wed May 25 11:17:43 DST 2016 @ RT-AC87R
CPU => 75C
------------------------------------------------------------
 
Sorry - I've been busy with a couple of other items (forced work computer reimage and migration) that have taken up some of my time... the rewrite is going well - thought I would toss over the Security Section draft as a tidbit of how things are going so far...

This is all in DokuWiki markup - and formats out nicely in that app - would appreciate an comments/feedback and perhaps some shared insight and tip.

sfx

Code:
====== Securing your SNB Basics Server ======

As we have proceeded thru this series - the security concerns have been highlighted and addressed

We've created an admin group and limited admin actions to members of the admin group, we've limited OpenSSH users to specific users and disabled the rootLogin. We've built up services, carefully limiting scope of what IP ranges can access those services, and provided specific accounts to access those services.

By design and intent - security has been part and parcel - not patched on at the end.

This section builds upon this design, and secures the SNB Basis Server project that much more.

==== Tribal Knowledge ====

Much information 'out there' is out of date, and can actually impact security, usability, and stability of the platform.

Specifically - and I hate to call this out - but I feel I must - if you google ubuntu secure 16.04, you'll find this info, and it's been cut and pasted across the internet.

https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1604-lts-server-part-1-basics

There is a danger in "tribal knowledge" - we see this even here on SNB forums... I can appreciate enthusiasm, but it's not as easy as going to a web page without understanding the why we do things.

You can review the URL above, but I caution you again, much of that info is out of date.

**Security is a Mindset, not a cut and paste**

As we built this server - and I'm walking along side, this reflects my server build... I'm doing my best to keep your server safe and secure, because my own server needs to be.

Keep in mind that __no__ platform is ever perfectly secure - by careful consideration what applications and services, we can limit the threat surface, and for possible threats, harden them.

__True security is not based in complexity, it's on simplicity__ - and for the most part, we will get there thru this setup.

====== netfilter, iptables, ufw ======

The Linux kernel  provides a packet filtering system called netfilter, and the traditional interface for manipulating netfilter are the iptables suite of commands. iptables provide a complete firewall solution that is both highly configurable and highly flexible.

Becoming proficient in iptables takes time, and getting started with netfilter firewalling using only iptables can be a daunting task.

Now before we get too far - let's take a look at the iptables rules that are part of the default Ubunutu installation

  sudo iptables -L
<code>
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination       

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination       

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</code>

===== The Uncomplicated Firewall - UFW =====


==== Install the UFW ====
The Uncomplicated Firewall (ufw) is a frontend for iptables and is particularly well-suited for host-based firewalls.

ufw is a framework for managing netfilter, as well as a command-line interface for manipulating the firewall.

ufw aims to provide an easy to use interface for people unfamiliar with firewall concepts, while at the same time simplifies complicated iptables commands to help an adminstrator who knows what he or she is doing.

  sudo apt install ufw
**Check the UFW status**

  sudo ufw status
  Status: inactive 

So we know it's installed, and not active at the moment

**UFW and IPv6**

If your connection is configured for IPv6, let's ensure that UFW is configured to support IPv6 so that will configure both your IPv4 and IPv6 firewall rules. To do this, open the UFW configuration with this command:

  sudo nano /etc/default/ufw

Then make sure "IPV6" is set to "yes", like so:

  IPV6=yes

==== Configuring the UFW ====
Now let's set up some basic rules to build our config

  sudo ufw default deny incoming
  sudo ufw default allow outgoing

What we've done here is to deny all incoming connections, and we've told the UFW to allow all outgoing connections

Now we build a white list of services that we let in from the outside world - we want to rate limit the number of connection attempts on the ssh port (because this is a good idea if you're port forwarding the system:port on your WAN interface from your Router/Gateway

  sudo ufw limit ssh
(which is shorthand for ufw limit tcp/22)
And we trust our home network for all services

  sudo ufw allow from 192.168.1.0/24
and enable the UFW and check the status

  sudo ufw enable
  sudo ufw status
<code>
Status: active

To                         Action      From
--                         ------      ----
22                         LIMIT       Anywhere                 
Anywhere                   ALLOW       192.168.1.0/24           
22 (v6)                    LIMIT       Anywhere (v6)   
</code>

Now let's say I want to drop a rule - here's an easy way to do that

  sudo ufw status numbered

<code>
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         LIMIT IN    Anywhere                 
[ 2] Anywhere                   ALLOW IN    192.168.1.0/24           
[ 3] 22 (v6)                    LIMIT IN    Anywhere (v6) </code>

And we can then drop a rule using ufw delete [number]

If you want to disable the UFW

  sudo ufw disable

And let's say we want to start all over and put UFW back to fresh

  sudo ufw reset

Which will clear all the rules, and disable the firewall - easy peasy

The [[https://help.ubuntu.com/community/UFW|Ubuntu Community Wiki]] has even more info on the UFW, and additional links to read up on it.

my rulesets for UFW:
<code>
sudo ufw default deny incoming
sudo ufw default allow outgoing

sudo ufw limit ssh

sudo ufw allow from 192.168.1.0/24
sudo ufw allow from fe80::/64
# done for most purposes

# if you want to be more specific on the LAN side - we limit ports to link-local
sudo ufw allow proto tcp to any port 135 from 192.168.1.0/24
sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24

sudo ufw allow proto tcp to any port 135 from fe80::/64
sudo ufw allow proto udp to any port 137 from fe80::/64
sudo ufw allow proto udp to any port 138 from fe80::/64
sudo ufw allow proto tcp to any port 139 from fe80::/64
sudo ufw allow proto tcp to any port 445 from fe80::/64

sudo ufw allow proto udp to any port 5353 from 192.168.1.0/24
sudo ufw allow proto udp to any port 5353 from fe80::/64

sudo ufw allow proto tcp to any port 80 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 443 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 80 from fe80::/64
sudo ufw allow proto tcp to any port 443 from fe80::/64

</code>

**Block an IP Address** 

To block all network connections that originate from a specific IP address, 15.15.15.51 for example, run this command :- and this will pop that IP to the top of the list and block all traffic from it
  
    sudo ufw insert 1 deny from 15.15.15.51 
  
In this example, from 15.15.15.51 specifies a source IP address of "15.15.15.51". If you wish, a subnet, such as 15.15.15.0/24, may be specified here instead. The source IP address can be specified in any firewall rule, including an allow rule.
 
Last edited:
Here's the fail2ban section that goes right behind it - it's over 10k characters in this section, so have to break it up

Code:
===== Fail2Ban =====

Fail2ban is a program that can be installed to limit brute force attack attempts using IPTables - Fail2ban allows you, as the admin, to configure what is known as jails. These jails are specific settings for various programs such as ssh and other services - this section walks one thru how to install, configure, and integrate Fail2Ban with the UFW.

**Install fail2ban**

  sudo apt install fail2ban
Create a local jail file - we do this as it will override the jail.conf file, and if updated, it will preserve our changes

  sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Set some basic items in jail.local
<code>
# ignoreip = 127.0.0.1/8
ignoreip = 127.0.0.1/8 192.168.1.0/24
# bantime = 600
bantime  = 7200
# finditime = 600
findtime  = 300
# maxretry = 6
maxretry = 3
</code>

Save the file, and restart fail2ban

  sudo service fail2ban restart

And that's basically it - by default, Ubuntu will set the sshd jail automatically when installed

to check status of fail2ban

  fail2ban-client -d

==== Fail2Ban - UFW Integration ====

Out of the box Fail2ban works with iptables rules, and it works ok without integration into UFW, but we can do a bit more, and tie UFW and Fail2ban together as a comprehensive solution.

First lets go into /etc/fail2ban/jail.conf and change the default jail for ssh to use ufw actions that we will create:

  sudo nano /etc/fail2ban/jail.local
Edit/Modify the sshd jail - note that I've commented out the default action, and added new lines

<code>
[sshd]
#port    = ssh
#logpath = %(sshd_log)s
enabled = true
port = 22
banaction = ufw-ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
</code>

Now we create an action file for ufw-ssh integration

  sudo nano /etc/fail2ban/action.d/ufw-ssh.conf
<code>
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH
</code>

What we've done here is to define the jail for sshd, create an action in the actions.d/ufw-ssh.conf - this inserts a rule on the fly into the UFW ruleset at the top of the list - when the ban timer expires, the rule is removed

More info here -- https://blog.vigilcode.com/2011/05/ufw-with-fail2ban-quick-secure-setup-part-ii/
 
Last edited:
And here's the User Management Section that also deals with Security

Code:
====== Managing User Accounts ======

Security First...

**Activate and Secure ROOT's account**

  sudo passwd root

Pick a long random password - 16 to 24 characters is good enough - don't need to remember it, as you can always reset it as the primary admin.

**Setup SUDOERS**

We create the ADMIN group - only they can act as ADMINS, other accounts cannot - they will not have sudo access

  test@testbox:~$ sudo groupadd admin
  test@testbox:~$ sudo usermod -a -G admin test

**Adding User Accounts**

Only add the ones you absolutely need - you're the admin, and you're in control - do it up front, and save pain later...

Access to the SNB Basics Service is not a right, it's a privilege.

Add additional users
<code>
test@testbox:~$ sudo useradd -m alice
test@testbox:~$ sudo passwd alice
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
</code>

You can check that the command passed by looking at /home

<code>
$ cd /home
$ ll
total 16
drwxr-xr-x  4 root   root   4096 May 29 16:28 ./
drwxr-xr-x 23 root   root   4096 May 23 23:02 ../
drwxr-xr-x 27 test    test    4096 May 28 15:26 test/
drwxr-xr-x  3 alice alice 4096 May 29 16:28 alice/
</code>

Any additional accounts are not part of the admin group, so if they attempt to use sudo - they'll fail - see below, you can try it yourself -
<code>
test@testbox:~$ su alice
Password: <alice's passwd you set above>

alice@testbox:/home/test$
</code>

As she tries to list the directory for something outside of her home directory as sudo

<code>
sudo ls /etc
[sudo] password for alice: <alice's passwd>
alice is not in the sudoers file.  This incident will be reported.
</code>

If you trust that account - you can add that user by using the usermod command as above - adding them to the admin group, but security is based on trust, and trust is more than just knowing/liking someone - they also have to have the need to access - most don't.

**Deleting a user account**

You can delete a user at any time by the following command - **userdel**

<code>
sudo userdel alice
</code>

This will remove the user, but keep their /home/newuser directory intact for further review - if you want to remove the users directory, add the -r switch to the command
<code>
sudo userdel -r alice
</code>

**Disabling the Guest Session**

If you prefer to not allow guest access to your computer, you can disable the Guest Session feature. To do so, press Ctrl+Alt+T to open a terminal window, and then run this command (it's one long command, even if it may be shown wrapped on the screen - copy and paste to get it right):

<code>
sudo sh -c 'printf "[SeatDefaults]\nallow-guest=false\n" >/usr/share/lightdm/lightdm.conf.d/50-no-guest.conf'
</code>

The command creates a small configuration file. To re-enable Guest Session, simply remove that file:
<code>
sudo rm /usr/share/lightdm/lightdm.conf.d/50-no-guest.conf
</code>
 
Last edited:
Here's one that'll get you into trouble, lol... but a good walk-thru on how to obtain code, build, and install software that isn't in the repo's for the linux platform.

Code:
====== SNB Security - Extras ======

While this is optional - it's a useful tool and exercise to obtain, build, and install sourcecode that is not necessarily part of the repo's of the installation. Even if they are, sometimes one wants something more current/up to date than what is available via **apt**...

===== NMAP - Network Security Scanner =====

The best defense is a good offense - NMAP will help you discover 'issues' on your network (and others, nudge nudge)

<code>
                    ___.-------.___
                _.-' ___.--;--.___ `-._
             .-' _.-'  /  .+.  \  `-._ `-.
           .' .-'      |-|-o-|-|      `-. `.
          (_ <O__      \  `+'  /      __O> _)
            `--._``-..__`._|_.'__..-''_.--'
                  ``--._________.--''
   ____  _____  ____    ____       _       _______
  |_   \|_   _||_   \  /   _|     / \     |_   __ \
    |   \ | |    |   \/   |      / _ \      | |__) |
    | |\ \| |    | |\  /| |     / ___ \     |  ___/
   _| |_\   |_  _| |_\/_| |_  _/ /   \ \_  _| |_
  |_____|\____||_____||_____||____| |____||_____|

  NMAP IS A POWERFUL TOOL -- USE CAREFULLY AND RESPONSIBLY
</code>

**What is NMAP?**

//Nmap is an open source and cross-platform software that provides users with one of the most powerful network discovery and security auditing utility appreciated by numerous system administrators and security professionals around the world.//

**Features at a glance**

//Key features include the ability to monitor service and host uptime, manage service upgrade schedules, do network inventory, discover available hosts on a network based on raw IP packets, as well as to discover running services and operating systems on a specific network.//

//In addition, it supports a wide range of advanced network mapping techniques, including ping sweeps, TCP/UDP port scanning mechanisms, as well as the ability to scan networks of hundreds of thousands of computers.//

==== Installing NMAP ====

Now there's a few ways to get this - can grab it directly from apt, download the tarball from nmap.org, or we can do it the old-school way.

It's a good chance to do it the old-school way

In this how-to we will

  - install dependencies
  - sync up to an online source code repository
  - compile the software
  - install by hand the NMAP

So let's get started:

 
sudo apt install build-essential subversion libssl-dev autoconf pwgen python-gtk2 python2.7-dev gksu

Checkout the NMAP source from NMAP's Subversion Repo

  sudo svn co https://svn.nmap.org/nmap
This will place a local working copy in /home/test/nmap

  cd /home/test/nmap

**Building NMAP**

This is generally a configure, make, make install

This builds the make file

  sudo ./configure
Does the build

  sudo make
This installs nmap - see the note below about ''su root''

  su root
  make install
**Whoa - what's this su root thing?**

NMAP gets installed into things that only root can do - even as admin with sudo powers, you can't go there - so if you haven't activated root, or don't remember the root passwd

<code>
sudo pwgen 24
[sudo] password for test:
xi0thaiguthohJ7OhDek8Eeb yohs5Keep4Ay3ailahna3ePo yuG6vai8zai0eeZ7hua0eibi
(and more)
</code>

pick one - put it on the clipboard and then

  sudo passwd root

paste that clipboard item in, and when it asks to confirm, paste again

As the admin, you can change root's passwd any time you need to...
==== Running NMAP ====


NMAP is pretty easy to run, many options - go overboard, and that target host might crash - here's a quick command line example

  sudo nmap -v -A 192.168.1.1
We're targeting that consumer grade Router/AP that is our WAN/LAN gateway - might be surprised at what you find... might need to power cycle it afterwards...

   -v: Increase verbosity level (use -vv or more for greater effect)
   -A, to enable OS and version detection, script scanning, and traceroute

Many, many more options are available - check the well documented man page for more details
  man nmap

==== NMAP audit results of the SNB Basics Server config ====


Below is an NMAP audit of the SNB Basics configuration - I'm not too worried about things, as we know what services we've built, and we've done our best to secure them - the NETBIOS (Samba) is as good as we can make it, and if you don't need the SAMBA, you can turn it off...

Let's analyze this from a security perspective

  * **SSH** - we have access control, and it is crypto secure
  * **SMTP** - access control again, and while port 25 is open, only the gmailuser@gmail.com can use it (cryto again thru SASL), and we have it firewalled
  * **HTTP/PHP** - runs as www-data, and is limited only to the document root in the apache2 configuration and security directives
  * **NETBIOS/Samba** - runs as it's own user, and only has access to /var/share and /var/media - Samba only users cannot log in to unix if they don't have a Unix password (useradd vs. adduser)

<code>
Nmap scan report for 192.168.1.6
Host is up (0.00042s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 (protocol 2.0)
25/tcp   open  smtp        Postfix smtpd
|_smtp-commands: testbox, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=testbox
| Issuer: commonName=testbox
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2016-05-20T22:55:38
| Not valid after:  2026-05-18T22:55:38
| MD5:   aabb 1122 4ab4 4c4f 3f7d 60a2 7f3a b7c9
|_SHA-1: ccdd 3344 6b46 4974 59b7 e5c1 016b b042 2c3e 619c
|_ssl-date: TLS randomness does not represent time
80/tcp   open  http        Apache httpd
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache
|_http-title: the bluepill
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
5901/tcp open  vnc         VNC (protocol 3.8)
| vnc-info:
|   Protocol version: 3.8
|   Security types:
|     VNC Authentication (2)
|     Tight (16)
|   Tight auth subtypes:
|_    STDV VNCAUTH_ (2)
6001/tcp open  X11         (access denied)
Service Info: Host:  testbox

Host script results:
| nbstat: NetBIOS name: TESTBOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   TESTBOX<00>          Flags: <unique><active>
|   TESTBOX<03>          Flags: <unique><active>
|   TESTBOX<20>          Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: testbox
|   NetBIOS computer name: TESTBOX
|   Domain name:
|   FQDN: testbox
|_  System time: 2016-05-22T14:39:58-07:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Nmap done: 1 IP address (1 host up) scanned in 15.87 seconds
</code>
 
Last edited:
And here's the User Management Section that also deals with Security
-----
Sfx,

The command "sudo useradd <newuser>" does not create the home directory for the new user unless I add the "-m" option. I checked the "/etc/login.defs" file which has DEFAULT_HOME set to Yes, but does not include a line for enabling CREATE_HOME.

I´m running Ubuntu Desktop 16.04 in a VirtualBox VM.

Ole
 
Going back to the UFW/Fail2Ban section - this is why we do this - even with iptables rate limiting, and openssh session limiting, the 'bots are out there - it's all secure, but we can do more...

output from Logwatch

ssh is exposed to the outside world - one day's logs...

Code:
--------------------- pam_unix Begin ------------------------

sshd:
    Authentication Failures:
       root (222.186.56.119): 573 Time(s)
       unknown (91.224.161.46): 39 Time(s)
       unknown (58.220.253.195): 27 Time(s)
       root (91.224.161.46): 17 Time(s)
       unknown (200.11.218.76): 16 Time(s)
       unknown (1.85.2.100): 5 Time(s)
       unknown (219.219.114.120): 5 Time(s)
       root (200.11.218.76): 3 Time(s)
       root (58.220.253.195): 3 Time(s)
       unknown (13.65.90.17): 3 Time(s)
       unknown (163.172.204.238): 3 Time(s)
       root (1.85.2.100): 2 Time(s)
       unknown (14.155.117.211): 2 Time(s)
       unknown (37.189.119.36): 2 Time(s)
       mysql (201.116.36.202): 1 Time(s)
       root (13.65.90.17): 1 Time(s)
       root (14.155.117.211): 1 Time(s)
       root (163.172.204.238): 1 Time(s)
       root (201.116.36.202): 1 Time(s)
       root (219.219.114.120): 1 Time(s)
       root (37.189.119.36): 1 Time(s)
       unknown (104.148.116.66): 1 Time(s)
       unknown (125.212.232.142): 1 Time(s)
    Invalid Users:
       Unknown Account: 104 Time(s)
 
Sfx,

The command "sudo useradd <newuser>" does not create the home directory for the new user unless I add the "-m" option. I checked the "/etc/login.defs" file which has DEFAULT_HOME set to Yes, but does not include a line for enabling CREATE_HOME.

I´m running Ubuntu Desktop 16.04 in a VirtualBox VM.

Ole

Good catch - I normally do useradd for samba accounts - I'll fix the post...

What @oletuv is mentioning is the -m switch to create a home directory for the new user - important if the new user has a linux account on the system, but if they're a samba account, it's not as important.

Code:
man useradd

-m, --create-home

Create the user's home directory if it does not exist. The files and directories contained in
the skeleton directory (which can be defined with the -k option) will be copied to the home
directory.

By default, if this option is not specified and CREATE_HOME is not enabled, no home
directories are created.
 
Last edited:
Good catch - I normally do useradd for samba accounts - I'll fix the post...

What @oletuv is mentioning is the -m switch to create a home directory for the new user - important if the new user has a linux account on the system, but if they're a samba account, it's not as important.

This is a good example of peer review and collaboration - thanks man!
 
Going back to the UFW/Fail2Ban section - this is why we do this - even with iptables rate limiting, and openssh session limiting, the 'bots are out there - it's all secure, but we can do more...

output from Logwatch

ssh is exposed to the outside world - one day's logs...


--------------------- pam_unix Begin ------------------------

sshd:
Authentication Failures:
root (222.186.56.119): 573 Time(s)
[/QUOTE]

And with the nmap installed - we can reach back... since they poked us first... and we see that this is probably a big Windows cluster running in China...

Code:
$ sudo nmap -v -A 222.186,56,119
Starting Nmap 7.12SVN ( https://nmap.org ) at 2016-05-29 19:02 PDT
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 19:02
Completed NSE at 19:02, 0.00s elapsed
Initiating NSE at 19:02
Completed NSE at 19:02, 0.00s elapsed
Initiating Ping Scan at 19:02
Scanning 222.186.56.119 [4 ports]
Completed Ping Scan at 19:02, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:02
Completed Parallel DNS resolution of 1 host. at 19:02, 0.04s elapsed
Initiating SYN Stealth Scan at 19:02
Scanning 222.186.56.119 [1000 ports]
Discovered open port 1026/tcp on 222.186.56.119
Completed SYN Stealth Scan at 19:02, 23.45s elapsed (1000 total ports)
Initiating Service scan at 19:02
Scanning 1 service on 222.186.56.119
Completed Service scan at 19:03, 56.77s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against 222.186.56.119
Retrying OS detection (try #2) against 222.186.56.119
Initiating Traceroute at 19:03
Completed Traceroute at 19:04, 3.06s elapsed
Initiating Parallel DNS resolution of 12 hosts. at 19:04
Completed Parallel DNS resolution of 12 hosts. at 19:04, 10.90s elapsed
NSE: Script scanning 222.186.56.119.
Initiating NSE at 19:04
Completed NSE at 19:04, 0.31s elapsed
Initiating NSE at 19:04
Completed NSE at 19:04, 0.00s elapsed
Nmap scan report for 222.186.56.119
Host is up (0.21s latency).
Not shown: 991 closed ports
PORT     STATE    SERVICE        VERSION
25/tcp   filtered smtp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1025/tcp filtered NFS-or-IIS
1026/tcp open     msrpc          Microsoft Windows RPC
4444/tcp filtered krb524
6129/tcp filtered unknown
Device type: general purpose|switch
Running (JUST GUESSING): Microsoft Windows XP|2003 (88%), Allied Telesyn embedded (85%)
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003::sp2 cpe:/h:alliedtelesyn:rapier_g6
Aggressive OS guesses: Microsoft Windows Fundamentals for Legacy PCs (XP Embedded derivative) (88%), Microsoft Windows Server 2003 SP2 (86%), Allied Telesyn Rapier G6 switch (85%), Microsoft Windows XP SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 17 hops
TCP Sequence Prediction: Difficulty=248 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 113/tcp)
HOP RTT       ADDRESS
1   0.43 ms   192.168.1.1
2   12.41 ms  10.143.0.1
<snip>
8   218.97 ms 202.97.51.221
9   ...
10  180.23 ms 202.97.33.93
11  205.15 ms 202.97.92.22
12  ... 13
14  254.30 ms 222.186.4.66
15  ... 16
17  214.16 ms 222.186.56.119

NSE: Script Post-scanning.
Initiating NSE at 19:04
Completed NSE at 19:04, 0.00s elapsed
Initiating NSE at 19:04
Completed NSE at 19:04, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 102.59 seconds
           Raw packets sent: 1193 (56.080KB) | Rcvd: 1061 (43.520KB)
 
And that - one can't do with AsusWRT... not enough memory to run UFW/Fail2Ban/nmap

But an Raspberry Pi2 can ;)
 
bonus points for today - this is draft, and likely will change... it does depend on the LAMP install - we're install phpmyadmin to manage mysql, a lightweight Wiki, and a cute little network benchmark - speedtest.mini...

Code:
====== Web Apps ======

This is a quick walk-thru on apps delivered via HTTP.

Apache sees things two ways - docs on in ''/var/www'', and apps via CGI are in ''/usr/share''

And then PHP kind of gets in the middle of things...

===== phpmyadmin - mysql gui admin =====

Prerequisites - LAMP Install

**install phpmyadmin**

  sudo apt install phpmyadmin

When prompted - select apache as the web server, and say <yes> when asked for db-common - you'll be prompted for a password for phpmyadmin - this is the user account for phpmyadmin, and the password is for the database, as well as the weblogin for phpmyadmin - so make a note of it.

HINT - This screen trips folks up - pay attention! apache2 is highlighted, but not selected

Warning: When the first prompt appears, apache2 is highlighted, but not selected. If you do not hit Space to select Apache, the installer will not move the necessary files during installation. Hit Space, Tab, and then Enter to select Apache.

So I think I've hinted enough here

<code>

┌────────────────────────┤ Configuring phpmyadmin ├─────────────────────────┐
│ Please choose the web server that should be automatically configured to   │
│ run phpMyAdmin.                                                           │
│                                                                           │
│ Web server to reconfigure automatically:                                  │
│                                                                           │
│    [*] apache2                                                            │
│    [ ] lighttpd                                                           │
│                                                                           │
│                                                                           │
│                                  <Ok>                                     │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
</code>

Don't forget to hit the spacebar on apache2 to select...

<code>
┌────────────────────────┤ Configuring phpmyadmin ├─────────────────────────┐
│                                                                           │
│ The phpmyadmin package must have a database installed and configured      │
│ before it can be used. This can be optionally handled with                │
│ dbconfig-common.                                                          │
│                                                                           │
│ If you are an advanced database administrator and know that you want to   │
│ perform this configuration manually, or if your database has already      │
│ been installed and configured, you should refuse this option. Details on  │
│ what needs to be done should most likely be provided in                   │
│ /usr/share/doc/phpmyadmin.                                                │
│                                                                           │
│ Otherwise, you should probably choose this option.                        │
│                                                                           │
│ Configure database for phpmyadmin with dbconfig-common?                   │
│                                                                           │
│                    <Yes>                       <No>                       │
│                                                                           │
└───────────────────────────────────────────────────────────────────────────┘
</code>

Just say yes here if a fresh install (which we are)

It'll prompt you for a password - this will be the phpmyadmin password to login to the phpmyadmin page...

NOTE - if you go down the db-common config path, any existing databases with phpmyadmin or information-schema will be dropped and replaced with new databases - if you're migrating an old install, just be aware - check phpmyadmin's documents for more info on migrating old installs.

Installing the missing php modules

  sudo apt install php-mbstring php-gettext

and enable them - yes, one can hotpatch php without reloading/restarting apache2 - scary thought, eh?

  sudo phpenmod mcrypt
  sudo phpenmod mbstring

See that they're hot - http://testbox.local/lbd/phpinfo.php

**Login to phpmyadmin**

Go to http://testbox.local/phpmyadmin, and you should see the webapp running - login as phpmyadmin with the password you set in the previous step

**TIP** - Now here's where things get a bit tricky if you're an old hand at LAMP - MySQL 5.7 changed the security model, not allowing MySQL root user login without sudo (while the password can be blank).

So things will likely go odd - one can login to the phpmyadmin, but that user can't make changes as the phpmyadmin user doesn't have the global privileges or grant options

Here's the fix

  sudo mysql --user=root mysql
  GRANT ALL PRIVILEGES ON *.* TO 'phpmyadmin'@'localhost' WITH GRANT OPTION;
  FLUSH PRIVILEGES;
  quit

Logout of phpmyadmin, and log back in, and you'll be right as rain...

Here - have a [[http://www.oracle.com|cookie]] - just kidding ;)

Now to make these services persistent = they should be, but let's make sure...

  sudo systemctl enable apache2
  sudo systemctl enable mysql

===== dokuWiki - taking notes =====

This is an example - while DokuWiki is in the Debian/Ubuntu repos - if you don't believe me you can check - apt list dokiwiki

Don't take the easy way out - let's do it the real way... This is a good walkthru on how to hand install software

DokuWiki is chosen as it's lightweight enough to run on Raspberry Pi, and still be easy to install and use. All of these documents/walkthru's have been composed with DokuWIki

So hold on to your shorts, we're not in Kansas anymore...

Enable Apache Rewrite module and restart apache2

  sudo a2enmod rewrite
  sudo service apache2 restart

Download and uncompress the latest stable release.

  cd /var/www/html
  sudo wget http://download.dokuwiki.org/src/dokuwiki/dokuwiki-stable.tgz
  sudo tar xvf dokuwiki-stable.tgz
  sudo mv dokuwiki-*/ dokuwiki

Change permissions

  sudo chown -R www-data:www-data /var/www/html/dokuwiki

Change AllowOverrides setting in Apache2 to use .htaccess files for security

  sudo nano /etc/apache2/apache2.conf

For directory ''/var/www/'' replace\\ ''AllowOverride None''\\ with\\ ''AllowOverride All''

Restart Apache2 service

  sudo service apache2 restart

Visit ''http://testbox.local/dokuwiki/install.php'' to initially configure your DokuWiki. It's going to ask for a few things - but now this is your app, you can make your choices...

Don't forget to delete the install.php file after finished installing.

  sudo rm /var/www/html/dokuwiki/install.php

Note - SMTP daemon is needed for sending email (e.g. user registration), see postfix section if you skipped it earlier

Enjoy your own DokuWiki server.

===== SpeedTest.mini =====

People want to see how fast their connections are - here's a simple in-network way to support this on your LAN

Downloading Speedtest.Net mini... go to http://www.speedtest.net/mini.php

Sign up for an account - once done, you will be offered a link to download mini.zip

Once done - upload/copy it to /var/www/html/

unpack the file into a directory - you should have /var/html/www/mini

  sudo unzip /var/www/html/mini.zip

rename /var/www/html.miniindex-php.html to index.html

  sudo mv /var/www/html/mini/index-php.html /var/www/html/mini/index.html
do a change owner, as the apache needs to access this...

  sudo chown -R www-data:www-data /var/www/html/mini

and give it the right perms

  sudo chmod -R 755 /var/www/html/mini

and point your browser to http://testbox.local/mini

This little webapp does require a current flash plugin for your browser
 
Last edited:
And here's the current LAMP

Code:
====== Install LAMP ======

Here we install the basics - Apache2, MariaDB (mysql), and PHP

===== Install mysql =====
comment - mariadb is the future for debian based builds, it's a drop in replacement for mysql

  sudo apt install mariadb-server mariadb-client

Setting up mysql

for mariadb - there is a little bit more to do

  sudo mysql_secure_installation

follow the prompts - note, when it asks for root, it's the mysql root, not system root

  Enter current password for root (enter for none): <-- press enter
  Set root password? [Y/n] <-- y, note, this is mysql root, not system root
  New password: getaccess <-- Enter the new MariaDB root password here, this is example, choose a different one
  Re-enter new password: <-- Repeat the password
  Remove anonymous users? [Y/n] <-- y
  Disallow root login remotely? [Y/n] <-- y
  Reload privilege tables now? [Y/n] <-- y

check to make sure mysql is good...

  test@testbox:~$ sudo mysql --user=root mysql
   
  Welcome to the MariaDB monitor.  Commands end with ; or \g.
  MariaDB > quit

===== Install Apache =====

  sudo apt install apache2

start up apache2

  sudo service apache2 start

Then one should be able to fire up a web browser and go to http://testbox.local and see the default page

TIP - install the Apache2 Documentation Package if you're not an experienced Apache2 admin - l

  sudo apt install apache2-doc

ots of good info in there, and can review it by going to http://testbox.local/manual/en/index.html

**Security Hint**

Reduce Apache2 Data Leakage - might be of interest if your pushing your SNB Basics server to the public internet

Edit the Apache2 configuration security file :

  sudo nano /etc/apache2/conf-enabled/security.conf

Edit/Change the following lines and save:

  ServerTokens Prod
  ServerSignature Off

Restart Apache server

  sudo service apache2 restart


===== Install PHP =====
install php7 and the various modules

  sudo apt install php7.0 libapache2-mod-php7.0 php-pear

and kick apache

  sudo service apache2 restart

do the phpinfo page to check that php is enable

  sudo nano /var/www/html/info.php

  <?php
  phpinfo();
  ?>

Change the owner/group of the info.php file

  sudo chown www-data:www-data /var/www/html/info.php

then fire up a browser and go to http://testbox.local/info.php

should get the cool php info screen with lots of good info

now lets get mysql support for php

  sudo apt install php7.0-mysql php7.0-curl php7.0-gd php7.0-intl php-pear php-imagick php7.0-imap php7.0-mcrypt php-memcache  php7.0-pspell php7.0-recode php7.0-sqlite3 php7.0-tidy php7.0-xmlrpc php7.0-xsl php7.0-mbstring php-gettext

and bounce apache again...

  sudo service apache2 restart
Congrats - you now have a fully capable battlestation (erm, SNB Basics LAMP Server)

===== Webserver/HTML excercise =====

Ok, now that we have a working LAMP server...

Make a subdirectory and move the default index.html and info.php files there...

  sudo mkdir /var/www/html/lbd
  sudo mv /var/www/html/index.html /var/www/html/lbd/default.html
  sudo mv /var/www/html/info.php /var/www/html/lbd/phpinfo.php

They'll be in http://hostname.local/lbd/ - and then create a small html page to replace the default install index.html page (but we keep it for safe keeping, as nice stuff there)

  sudo nano /var/www/html/index.html 

type in the following
<code>
<!DOCTYPE HTML PUBLIC>
<HTML>
<HEAD>
  <TITLE>the bluepill</TITLE>
</HEAD>
  <P>You take the blue pill, the story ends. You wake up in your bed and believe whatever you want to believe.</P> 
  <P>You take the red pill, you stay in wonderland, and I show you how deep the rabbit hole goes. </P>
  <A HREF="http://www.google.com">take the blue pill</A>
  <p></p>
  <A HREF="http://testbox.local/lbd/phpinfo.php">take the red pill</A>
</HTML>
</code>

(I know, really bad HTML, but has all the legal elements needed for a browser to render a page)

Anyways - we're going to revisit this page as we move forward into other web apps - consider this your portal
 
So I'm still cleaning up a couple of items - the ssh/vnc section, postfix, and the storage section which ended up being really huge due to abstractions in how linux can manage storage and file (this section basically builds a fully feature NAS from scratch).

Again - be patient - I'm working on it - and always feel free to provide feedback/comments...
 
once you have the lamp and webapps... just having some fun here...

Screen Shot 2016-05-29 at 8.09.54 PM.png
 
Here's the fail2ban section that goes right behind it - it's over 10k characters in this section, so have to break it up

Code:
===== Fail2Ban =====

Fail2ban is a program that can be installed to limit brute force attack attempts using IPTables - Fail2ban allows you, as the admin, to configure what is known as jails. These jails are specific settings for various programs such as ssh and other services - this section walks one thru how to install, configure, and integrate Fail2Ban with the UFW.

**Install fail2ban**

  sudo apt install fail2ban
Create a local jail file - we do this as it will override the jail.conf file, and if updated, it will preserve our changes

  sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Set some basic items in jail.local
<code>
# ignoreip = 127.0.0.1/8
ignoreip = 127.0.0.1/8 192.168.1.0/24
# bantime = 600
bantime  = 7200
# finditime = 600
findtime  = 300
# maxretry = 6
</code>

Save the file, and restart fail2ban

  sudo service fail2ban restart

And that's basically it - by default, Ubuntu will set the sshd jail automatically when installed

to check status of fail2ban

  fail2ban-client -d

==== Fail2Ban - UFW Integration ====

Out of the box Fail2ban works with iptables rules, and it works ok without integration into UFW, but we can do a bit more, and tie UFW and Fail2ban together as a comprehensive solution.

First lets go into /etc/fail2ban/jail.conf and change the default jail for ssh to use ufw actions that we will create:

  sudo nano /etc/fail2ban/jail.local
Edit/Modify the sshd jail - note that I've commented out the default action, and added new lines

<code>
[sshd]
#port    = ssh
#logpath = %(sshd_log)s
enabled = true
port = 22
banaction = ufw-ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
</code>

Now we create an action file for ufw-ssh integration

  sudo nano /etc/fail2ban/actions.d/ufw-ssh.conf
<code>
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ufw insert 1 deny from <ip> to any app OpenSSH
actionunban = ufw delete deny from <ip> to any app OpenSSH
</code>

What we've done here is to define the jail for sshd, create an action in the actions.d/ufw-ssh.conf - this inserts a rule on the fly into the UFW ruleset at the top of the list - when the ban timer expires, the rule is removed

More info here -- https://blog.vigilcode.com/2011/05/ufw-with-fail2ban-quick-secure-setup-part-ii/

Wow lot's to do! I am working my way thru the fail2ban section and I believe I may have discovered a typo:

The line "sudo nano /etc/fail2ban/actions.d/ufw-ssh.conf"
should be "sudo nano /etc/fail2ban/action.d/ufw-ssh.conf"

No "s" on the reference to the "action" directory.

Hope this helps!
 
If you get to the point where DokuWiki is installed, here's a table of contents that you can use to create your own copy - all of these how-to's are in dokuwiki markup...

Code:
==== Table of Contents ====

  * [[SNB Basics - HW and SW Requirements]]
  * [[SNB Basics - Linux Install]]
  * [[SNB Basics - Managing Users]]
  * [[SNB Basics - Network Management]]
  * [[SNB Basics - Network Services]]
  * [[SNB Basics - Remote Access]]
  * [[SNB Basics - LAMP Server Install]]
  * [[SNB Basics - WebApps]]
  * [[SNB Basics - Network Monitoring]]
  * [[SNB Basics - Monitoring]]
  * [[SNB Basics - Storage]]
  * [[SNB Basics - Simple NAS Server]]
  * [[SNB Basics - Security]]
  * [[SNB Basics - Security Extras]]
 
There's a small fix in the NTP section - change follows

sudo apt install ntp ntpdate

change to below

sudo apt install ntp

ntp and ntpdate can conflict with each other, and ntp will lose, segfaulting out, so decided to remove ntpdate as ntp basically does the same thing,.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top