Chris' Blog » Internet

Punching holes in Firewalls

Chris — Sun, 16 Nov 2008 16:37:09 +0000

It is a lot easier than you think.

OpenSSH, which can only be described as the best utility of all time, is quite a versatile tool one feature people use frequently is port forwarding. This allows you to open a port on your computer that forwards the data over the SSH connection to the destination you specify, very useful when needing access to the an intranet web server when you don’t have a proper VPN set up for example. However, SSH can also do this in reverse! It opens a listening port up on the remote machine which then relays data to the destination you specify. For example you can SSH into a remote host and get SSH to open a port on that host which relays data back to the SSH port on the machine you are connection from, thereby allowing SSH access to a machine where it would normally be impossible.

A practical example:

chris@ktulu:~$ ssh sandman.cs278.org -R 2222:localhost:22

This connects to the server sandman.cs278.org and opens port 2222 which forwards traffic to localhost:22 (localhost is the machine I am connecting from). Once logged into the server I can do this:

chris@sandman:~$ ssh localhost -p 2222

Which opens a connection back to the remote machine.

Blocking SSH Brute Force attempts using iptables

Chris — Sat, 12 Jan 2008 15:53:33 +0000

After my recent break in I have looked into ways of protecting SSH and my server resources. I employ fail2ban on my main server, it has the resources to run such a programme – my Linksys NSLU2′s however do not. The solution is to use iptables to limit the number of connections any host can make in a given time frame. I wrote up a quick how to on this over at my wiki. Enjoy.

Confession

Chris — Thu, 10 Jan 2008 18:17:48 +0000

So today I come to you with a confession, I discovered one of my boxen had been successfully attacked and the attacker had by the looks of things used it for launching DDoS attacks. I feel particularly stupid because the entire thing was my fault, I left the root password as root. Although I must stress I didn’t set it to this, I was using a pre-build debian install because the d-i installer was broken under arm and forgot to change the root password to something a little more secure.

Ekiga VoIP client and SIPGate

Chris — Thu, 29 Nov 2007 17:17:13 +0000

Ekiga is a VoIP client for GNOME. I recently registered with SIPGate.co.uk as I am planning to have a go at setting up Asterisk sometime in the near future. Sadly it wasn’t a well documented process and after searching Google, SIPGate’s website and Ubuntu Forums for help I found some tips on debugging Ekiga. Armed with this knowledge ekiga --debug=[1-6] I managed to discover the required ports for successful NAT traversal. They are as follows:

5060 – 5100/udp
8000 – 8012/udp
5004/udp
10000/udp
3478 – 3497/udp
3478 – 3497/tcp
1720/udp
30000 – 30010/tcp

I am sure they could be refined and there maybe some that are unnecessary but it Works or Me™, use them at your own risk.

Subversion and Apache Gotcha

Chris — Thu, 29 Nov 2007 16:48:36 +0000

So, this is the second time I have tried to address the problem I was getting with some Subversion repositories I was trying to configure to be served by Apache. I was trying to use the SVNPath directive to serve one repository but it was not having any of it, so instead I ended up serving them as a temporary measure using SVNParentPath in the format http://svn.example.com/~name/repos/ which is not what I wanted. I am using the Location container in Apache configuration to configure up my repositories, the path I had specified was /~name/. This is where the problem comes in, I would try to checkout the repository over the network and be greeted with a 405 Method Not Allowed error like so:

svn: PROPFIND request failed on '/~name'
svn: PROPFIND of '/~name': 405 Method Not Allowed (http://svn.example.com)

This stuck me as odd, it seemed the Apache was not serving the repository URI using the WebDAV module. When I gave up on an earlier attempt I reverted to using SVNParentPath and accessing the repository over the URI http://svn.example.com/~name/repos/ which worked perfectly and I couldn’t spot why. Turns out I made a single character mistake, my Apache configuration was set to use the path of /~name/ I should have used /~name because SVN truncates the trailing slash even if you specify it on the command line. Bugger!

Another Thunderbird Tip

Chris — Thu, 22 Nov 2007 12:03:19 +0000

Thunderbird’s default sorting is the wrong way around, IMHO. This has always annoyed me, I found out how to reverse it.

The Day the Routers Died…

Chris — Wed, 14 Nov 2007 20:20:59 +0000

Watch on YouTube

Thunderbird Tip

Chris — Fri, 26 Oct 2007 19:10:19 +0000

So for ages I have been using Thunderbird combined with server side mail sorting, what has been annoying me for a year or so is that Thunderbird only checks the Inbox folder. I had to manually check all the others and that got a little tedious, fortunately I discovered how to get around this.

The trick is to open the configuration editor (Edit -> Preferences -> Advanced) and set the mail.check_all_imap_folders_for_new preference to true. Bingo!

Packages

Chris — Sun, 15 Jul 2007 23:02:53 +0000

I have been playing with packaging for Ubuntu and Debian for a while now and I have one fairly useful package called rsnapshot-scripts which contains a bunch of scripts for use with rsnapshot. It allows you to backup other data sources like MySQL, DPKG and Subversion.

Debian, Postfix and DKIM

Chris — Fri, 25 May 2007 19:37:46 +0000

So how do I get Postfix to verify and sign messages with the DKIM system, under Debian? Here is how.

First we need to install the dependencies.

$ sudo aptitude install libdigest-sha{,1}-perl libemail-{address,mime-encodings}-perl libnet-{dns,server}-perl libcrypt-openssl-rsa-perl liberror-perl make libmailtools-perl

```
$ sudo cpan install Mail::DKIM
```

$ perl Makefile.PL
$ make
$ make install

$ ./configure --prefix=/usr/local
$ make install

$ sudo adduser --system --shell /bin/false --home /var/run/dkimproxy --group dkimproxy

$ sudo mkdir /etc/dkimproxy/
$ cd /etc/dkimproxy/
$ sudo openssl genrsa -out private.key 1024
$ sudo openssl rsa -in private.key -pubout -out public.key
$ sudo chown -R root:dkimproxy .
$ sudo chmod -R a=,u=rwX,g=rX,o=rX .
$ sudo chmod o= private.key

Sorry, this solution will not run nicely on my NSLU2 so I have abandoned the rest of this documentation – it should help you somewhat though, hence I am publishing it anyway.