Category Archives: Network

Browsers, firewalls

Setting up a public facing webserver behind a Netcomm NF18ACV

Note: this will move your Broadband Router’s web-configuration to an unexpected port :8080, instead of the :80 your browser expects.

Navigate to Management | Access Control | Services then disable the WAN side HTTP service (why would you even expose this?), change the port for the LAN side to the Alternate HTTP port of 8080, and hit Apply/Save.

Navigate to Advanced Setup | NAT | Virtual Servers and hit Add. Select the correct interface, fill in the other details including the Web Server’s LAN address, ensure you’ve got Status: Enabled for the port forwarding, and hit Apply/Save.

Run up a trial HTTP server using something like
sudo python -m SimpleHTTPServer 80
and check for access from outside. Kill the server, because that isn’t safe for production use.

Install exim4 STARTTLS using a free LetsEncrypt certificate

Here we are on a Debian Linux, such as Ubuntu and we want to run a mail server. Exim4 is currently the most popular email server, but getting it up and working for free is a hassle – who wants to pay for a SSL certificate, on an ongoing basis? And then there’s the maintenance of the security of it – constant renewal, renouncing and re-installation of the certificates.

Wherever you see example.com, swap in your Fully Qualified Domain Name. That may be mail.example.com
It’s assumed you’re not logged in as root, but user ubuntu
Wherever you see 1.2.3.4, swap in your machine’s local IP address, from
ifconfig | grep "inet addr" | grep -v "127.0.0.1"

Security is all handled automatically by LetsEncrypt’s certbot. I’ll let you look that one up yourself. Run it up and get your certificate for example.com

Once you’ve got that handled, punch a hole in your firewall so that port 25 can get through from the outside world to your machine. Be aware: the outside world is filled full of botnets trying to hack into your machine. After installing exim, keep an eye on the logs in /var/log/exim4/ for a while.

Let’s install exim4:
sudo apt-get install exim4
sudo dpkg-reconfigure exim4-config

pick “Internet site”
system mail name is example.com
IP address is 1.2.3.4 (the one returned by ifconfig, not the externally accessable one)
Other destinations: example.com
No relays
No smarthost
No Dial-on-Demand
mbox format (or whatever)
Split the files
ubuntu for postmaster mail

Check we’re now running a mail server:
sudo netstat -napt
should show
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 1.2.3.4:25 0.0.0.0:* LISTEN 25700/exim4

Now we have a mail server, the world needs to find it. Check your nameserver setting to ensure mail is destined this machine. You probably want only one MX record.

Check the Internet can send mail to our server. After allowing for the appropriate propagation delay for your nameserver changes, use gmail or something to send an email to ubuntu@example.com – you should be able to read it by typing
mail

Now it’s time to enable MTA-MTA link encryption for secure transport of mail, by enabling STARTTLS on exim4 using our LetsEncrypt certificate
sudo nano /etc/exim4/conf.d/main/03_exim4-config_tlsoptions
Enable STARTTLS by adding/setting in the tlsoptions section:
MAIN_TLS_ENABLE = yes MAIN_TLS_CERTKEY = no
before any of the IF shenanigans. Also add/replace pointers to the certificates:
tls_certificate = /etc/letsencrypt/live/example.com/fullchain.pem tls_privatekey = /etc/letsencrypt/live/example.com/privkey.pem

The MAIN_TLS_CERTKEY = no entry fixes an exim4 log message
2017-04-16 09:13:24 TLS error on connection from your.home.ip.com (IcePlanet) [5.6.7.8] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Error while reading file.
You will see this when testing with swaks:
$ swaks -a -tls -q HELO -s example.com -au test -ap '<>'
=== Trying example.com:25... === Connected to example.com. < - 220 your.vps.host.com ESMTP Exim 4.86_2 Ubuntu Sun, 16 Apr 2017 09:13:24 +0000 -> EHLO IcePlanet < - 250-your.vps.host.com Hello your.home.ip.com [5.6.7.8] STARTTLS < ** 454 TLS currently unavailable *** STARTTLS attempted but failed -> QUIT < - 221 your.vps.host.com closing connection === Connection closed with remote host.

Allow exim (which when running runs as user Debian-exim) to get to the certificates:

sudo groupadd privkey_users
sudo usermod -aG privkey_users Debian-exim
sudo sudo chmod g+rx /etc/letsencrypt/live/
sudo sudo chmod g+rx /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/cert1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/chain1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/privkey1.pem
sudo chown root:privkey_users /etc/letsencrypt/archive/example.com/fullchain1.pem
sudo chown root:privkey_users /etc/letsencrypt/live/
sudo chown root:privkey_users /etc/letsencrypt/live/example.com/

Changing these permissions doesn’t affect apache2’s ability to get them.
The reason we’ve used a group here is to allow both exim and any other app (for example, a secondary service that wants to use 8080 to serve up a configuration page) to access the private keys; just add any other user that needs to use the private keys to the privkey_users group.

These permission changes prevent the following error message in your log file:
2008-06-03 08:27:35 TLS error on connection from me.at.home.com ([1.2.3.4]) [5.6.7.8] (cert/key setup: cert=/etc/ssl/certs/server.pem key=/etc/ssl/private/server.key): Error while reading file.

Restart the service and the TLS settings ought to be working
sudo service exim4 restart
Test STARTTLS is working from another machine
swaks -a -tls -q HELO -s example.com -au test -ap '<>'
There shouldn’t be any obvious complaining.

Done!

IT upgrades

Ho boy.

The Bushfires Royal Commission has been told staff answering calls at the Bushfire Information Line on Black Saturday were unable to see crucial information about the fires because of an IT upgrade.

More than 12,000 Victorians called the Victorian Bushfire Information Line or on Black Saturday.

Calls that were not answered went to Centrelink.

But the commission was told staff there were unable to see the Department of Sustainability fire database because an IT upgrade had accidentally blocked that access.
…

— ABC News Online

So on the hottest forecast day ever, and which everyone from the Premier down had warned would be the worst fire danger day ever, Centrelink staff, who are the designated backup responders for the bushfire information line, were blocked from getting the information they needed from the DSE web site?

Apart from the timing issues of IT upgrades to systems that are important to the fire-fighting effort, it appears to underscore the severe dangers of restricting network access unnecessarily.

Wifi in your neighbourhood

While I was walking down the street running an errand, I tried scanning for Wifi networks on my N95 phone.

I must have found about 20 or 25 of them during just a few minutes’ walk. Probably every fourth or fifth house seemed to have one.

Many of them appeared to be named after the families living there. Some had obviously default names of common brands… Netgear and the like. A few had gobbledygook names which may or may not have been defaults.

And to my surprise, almost all of them were secured.

Almost.

Two weren’t — one an apparent Apple network, and one Netgear one, both close by to each other.

Hopefully not too many of their neighbours are sponging off them!

How do you name your computers?

These days just about every computer is networked, and that means they have to have a hostname. So how do you name yours? Assuming there’s no particular corporate standard you have to follow, do you make up a theme, or just give them random names?

At home we have lano and woodley.

At my girlfriend’s place, they’ve called them crunchie and munchie.

The company I use for web hosting names their servers after towns and cities around Australia.

At one job I had, we went Red Dwarf, and ended up with holly (main server), kryten (test server) and hudzen (temporary server).

At another job, we started on The Simpsons, with maggie, marge, homer… then moved onto Asterix, with getafix (very appropriate for a machine that needed patching) and obelix.

Dead USB port

So, in building the broadband access machine I’ve found a gift computer (twice as powerful as anything else I owned) that was ‘not working’. After loading XP onto and futzing with it for a while, I figured out that doing anything with the USB port locked up the computer… after a while. I tested the theory by running up a memory/CPU intensive game and letting it run for a few hours. It was happy until I transfered some files off the USB stick. Fault identified. If I want to transfer stuff off the machine, I’ll need to get a USB card, or hook up a network. And I think I’ll do the later.

With fault identification complete, I hooked up the broadband modem (Netcomm NB5) via the ethernet connection (given the USB connection wasn’t going to be working on this machine). Entered the IP of the modem into the browser, and got the modem’s login screen. Everything was good, and I shut down all access other than web via port 80 using the modem’s built-in firewall. Connection to the ISP was established, proxies entered into Firefox (not IE – CERT says there are no secure versions), and Google was available. Connectivity proven.

The web browsing machine got Fedora Core 3 loaded on (a simple process), and the proxy setup was repeated with the same results. FC3 comes with a pre-release version of Firefox, so I loaded up the CD with the .gz for 1.0.4 and loaded that onto the desktop. Then I spent a couple of hours figuring out that I needed to be root to install the browser, and where to install it. Having done that, I still haven’t got it as the default browser – that’s still the prerelease Firefox. But I can run up 1.0.4 from the command line, so at least it’s available, and adBlocker is installed, so well and good.

I figure that I’m going to lock the modem down to a single IP address it’s going to talk to, the FC3 machine. Anything else that wants data from the net is going to have to transfer it from the FC3 machine and won’t be exposed to the big bad internet, because I’m not ready to migrate our entire PC collection over to Linux just yet.

Which means I need to buy a switch.