Tuesday, August 15, 2017

iptables adventures

Supratim Sanyal's Blog: Linux iptables security reference example

I use iptables to secure my Linux-based internet-facing hobbyist servers. The current iptables configuration, residing on one of these servers at /etc/sysconfig/iptables, is as below.

This particular server runs CentOS 7. The iptables rules provide basic protection against SYN flood, null-packet, Christmas-tree and fragmented-packet attacks, and add rate-limited DDoS flood protection for the ssh, telnet, smtp, dns, http, pop3, ntp, IMAP, https, smtps, starttls, imap-ssl/tls, pop-ssl/tls, dovecot, sieve, managesieve, DECnet bridge (HECnet), stunnel, syslog etc. ports that are usual for any internet-facing server providing public services. It has the following open ports for the services it provides:
  • ssh
  • telnet, forwarded to CLOUDY VAX - the hosted DECVAX-11/780 SIMH simulated Digital VAX server running OpenVMS 7.3
  • SMTP (authenticated, not public)
  • DNS - this DNS server blocks advertising and tracking websites as well as malware
  • http - a basic static web-site is hosted on this server; also reachable over the TOR network at fz2koi5kviaph4bl.onion
  • POP (authenticated, not public)
  • NTP - this server is an official stratum-2 public NTP server listed in, and a member of, the NTP Pool Project
  • IMAP (authenticated, not public)
  • https (currently unused)
  • STARTTLS / SMTPS (authenticated, not public)
  • IMAP SSL/TLS (authenticated, not public)
  • POP SSL/TLS (authenticated, not public)
  • Dovecot Sieve / ManageSieve
  • DECnet bridge connecting QCOCAL (SIMH MicroVAX 3900/OpenVMS 7.3 at home), JUICHI (SIMH DEC PDP-11/24 RSX-11M PLUS at home) and CLOUDY VAX (SIMH VAX-11/780 OpenVMS 7.3) to HECnet, the global hobbyist DECnet network
  • TOR Proxy service (authenticated, not public)
  • stunnel (secure tunnel) service to syslog daemon for encrypted remote logging
  • syslog
  • TOR relay node (this server is a TOR relay-only node, not a TOR exit node; no TOR traffic is logged at all on this server)
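As an added example (my construction, not the author's actual file), here is a CentOS 7 /etc/sysconfig/iptables in iptables-save format that implements the protections described above: default-deny input, null/Christmas-tree/fragment drops, a global SYN rate cap, and per-source-address hashlimit rate limiting for each service group. Port numbers are the standard ones for the named services (the DECnet bridge ports are taken from the tshark cheat-sheet further down this page); the rate figures and the syslog peer address 203.0.113.10 are assumed, and the stunnel and Tor relay ports are left out because the post does not give them.

```conf
# /etc/sysconfig/iptables -- iptables-save format, loaded by the CentOS 7 iptables service.
# Constructed example: rates and the syslog peer address are assumptions.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SERVICES - [0:0]
# Loopback and already-tracked traffic first; everything below sees only new packets.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Fragments: conntrack reassembles before filtering, so anything still flagged here is bogus.
-A INPUT -f -j DROP
# Null scan (no TCP flags set) and Christmas-tree scan (all TCP flags set).
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# A new TCP connection must begin with a bare SYN.
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# SYN flood: global cap on new TCP connections; SYNs above the cap are dropped.
-A INPUT -p tcp --syn -m limit --limit 25/second --limit-burst 100 -j SERVICES
-A INPUT -p tcp --syn -j DROP
-A INPUT -p udp -j SERVICES
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Per-service flood protection: hashlimit keeps one counter per source address, so a
# single flooding host exhausts its own allowance without affecting other clients.
-A SERVICES -p tcp -m multiport --dports 22,23 -m hashlimit --hashlimit-name login --hashlimit-upto 6/minute --hashlimit-burst 10 --hashlimit-mode srcip -j ACCEPT
-A SERVICES -p tcp -m multiport --dports 25,465,587,110,995,143,993,4190 -m hashlimit --hashlimit-name mail --hashlimit-upto 60/minute --hashlimit-burst 30 --hashlimit-mode srcip -j ACCEPT
-A SERVICES -p tcp -m multiport --dports 80,443 -m hashlimit --hashlimit-name web --hashlimit-upto 200/minute --hashlimit-burst 100 --hashlimit-mode srcip -j ACCEPT
-A SERVICES -p tcp --dport 53 -m hashlimit --hashlimit-name dnstcp --hashlimit-upto 30/minute --hashlimit-mode srcip -j ACCEPT
-A SERVICES -p udp --dport 53 -m hashlimit --hashlimit-name dns --hashlimit-upto 100/second --hashlimit-burst 200 --hashlimit-mode srcip -j ACCEPT
-A SERVICES -p udp --dport 123 -m hashlimit --hashlimit-name ntp --hashlimit-upto 10/second --hashlimit-burst 20 --hashlimit-mode srcip -j ACCEPT
# DECnet-over-UDP bridge to HECnet (UDP 4711/4712, as in the tshark cheat-sheet).
-A SERVICES -p udp -m multiport --dports 4711,4712 -j ACCEPT
# Syslog over UDP, restricted to the logging peer (assumed address) rather than the whole internet.
-A SERVICES -p udp -s 203.0.113.10 --dport 514 -j ACCEPT
# Anything not accepted above returns to INPUT and falls through to the DROP policy.
COMMIT
```

Load it with `iptables-restore < /etc/sysconfig/iptables` and confirm the counters with `iptables -L SERVICES -nv`; a source that exceeds its hashlimit allowance shows up as growth on the INPUT chain's final DROP rule rather than on the service's ACCEPT rule.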

Sunday, August 13, 2017

How to find Solaris device name of NTFS partition on external USB hard drive HDD storage

Instead of running GParted as described in my post on Oracle Solaris 11.3 64-bit installation steps, here is a quicker command-line way to identify the device name corresponding to an NTFS partition on an external USB hard drive connected to an Oracle Solaris 11.3 system.

Unlike my previous post, which applies to OpenIndiana, this post applies to true Oracle Solaris 11.3 64-bit.

STEP 1 - Use rmformat and fdisk to identify the device name for the NTFS partition

$ rmformat -l
Looking for devices...
     1. Logical Node: /dev/rdsk/c1t1d0p0
        Physical Node: /pci@0,0/pci-ide@1,1/ide@0/sd@1,0
        Connected Device: VBOX     CD-ROM           1.0
        Device Type: <Unknown>
        Bus: IDE
        Size: <Unknown>
        Label: <Unknown>
        Access permissions: <Unknown>
     2. Logical Node: /dev/rdsk/c2t0d0p0
        Physical Node: /pci@0,0/pci106b,3f@6/storage@1/disk@0,0
        Connected Device: WD       My Book 1110     1030
        Device Type: Removable
        Bus: USB
        Size: 1430.1 GB
        Label: <Unknown>
        Access permissions: <Unknown>
     3. Logical Node: /dev/rdsk/c2t0d1p0
        Physical Node: /pci@0,0/pci106b,3f@6/storage@1/disk@0,1
        Connected Device: WD       Virtual CD 1110  1030
        Device Type: CD Reader
        Bus: USB
        Size: 668.0 MB
        Label: <None>
        Access permissions: <Unknown>
$ sudo fdisk /dev/rdsk/c2t0d0p0
             Total disk size is 60771 cylinders
             Cylinder size is 48195 (512 byte) blocks

      Partition   Status    Type          Start   End   Length    %
      =========   ======    ============  =====   ===   ======   ===
          1                 IFS: NTFS         0  60771    60772    100

   1. Create a partition
   2. Specify the active partition
   3. Delete a partition
   4. Change between Solaris and Solaris2 Partition IDs
   5. Edit/View extended partitions
   6. Exit (update disk configuration and exit)
   7. Cancel (exit without updating disk configuration)
Enter Selection: 7

This tells us the NTFS partition is the first partition on raw device /dev/rdsk/c2t0d0p0. Therefore, the device name for our NTFS partition will be disk partition /dev/dsk/c2t0d0p1 (without the "r" for raw device under /dev).

STEP 2 - Mount it!

$ mkdir /media/USB-Storage
$ sudo /usr/bin/lowntfs-3g -o uid=21,gid=21 /dev/dsk/c2t0d0p1 /media/USB-Storage/

And presto, we can now see the NTFS partition files at /media/USB-Storage.

Installing ntfs-3g on Solaris without introducing instability and kernel panics is tricky. I ended up building ntfs-3g from sources to get a rock-solid stable Oracle Solaris 11.3 server with NTFS-3g; I have documented my approach in a separate post in the section Install the Tools to Mount NTFS Volume: FUSE and NTFS-3G for Solaris 11.

Thursday, August 10, 2017

My tshark cheat-sheet


Ever-evolving list of tshark command lines I use for various purposes, with the goal of avoiding trawling through the wireshark and tcpdump man pages every time to find the filters. Generally, adding a -V, -VV or -VVV switch increases the verbosity level. I also usually prepend the tshark command with nice -n 19 ionice -c3 to minimize processor (CPU) and disk I/O usage while tshark is running.

  • Monitor DECnet-UDP bridged traffic to HECnet. The following is for the VPS hosting CLOUDY:: and JUICHI:: which bridges DECnet over UDP to HECnet update host and QCOCAL:: hosted on (described in my post here):
    # tshark -i ens33 -f "host" -f "host" -f "udp port 4711" -f "udp port 4712"
  • Capture all NTP traffic:
    # tshark -i ens33 -f "udp port 123"
  • Capture all NTP server traffic. This mostly logs NTP time served by this server to other hosts.
    # tshark -i ens33 -f "udp port 123" | grep "server"
  • To capture all NTP traffic for this host serving time to other hosts, grep like follows:
    # tshark -i ens33 -f "udp port 123" | egrep " ->" | grep server
  • Capture all NTP client traffic. This mostly logs NTP traffic that synchronizes this host from remote clock source hosts.
    # tshark -i ens33 -f "udp port 123" | grep "client"
  • Capture all traffic to SanyalCraft Minecraft server (on port 25565) and our experimental Minecraft server on port 25566:
    # tshark -i ens33 -f "tcp port 25565 or tcp port 25566"
