Admins eHow SysAdmin Tips & Tricks

January 20, 2016

Transparent SSL Socks Proxy using Raspberry pi

Filed under: Debian,Raspberry pi,Security — Tags: , , , — admin @ 8:58 am

A Transparent SSL Socks proxy can be useful to encrypt and secure all TCP connections and/or infiltrate Internet censorship systems.
In order to make this setup, you need two Linux based boxes, one in your local network and one which will act as server in a remote location.
Theoretically what we are going to achieve is to intercept all TCP connections on our local network transparently, encrypt them and then tunnel them to our remote server.
This can be achieved easily using a powerful Linux application called Stunnel.
In my own setup, I am using a raspberry pi 2 for my local device. it is a cheap device and has a very low power usage and can be running 24/7, so it is very suitable to act as a full featured Linux based router. although you can use a PC or a virtual machine to achieve the same.
Debian is my favorite Linux distro, so my guide will be based on Debian.
Enough introduction, lets get started.

Part I: Setting up SSL Socks Proxy
1.Install stunnel on both local and remote devices:
Download and install the latest version of stunnel from stunnel website: https://www.stunnel.org/downloads.html
You may need to compile it from source.

2.Create stunnel config on local device /etc/stunnel/stunnel.conf:

foreground = no
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log
#compression = zlib
syslog = no

[SOCKS Client Direct]
client = yes
PSKsecrets = /etc/stunnel/secrets.txt
accept = 0.0.0.0:LOCAL_PORT
connect = REMOTE_SERVER_IP:REMOTE_PORT
protocol = socks

LOCAL_PORT: The local port which stunnel will listen on.
REMOTE_SERVER_IP: The remote server IP.
REMOTE_PORT: The port which remote server will accept connections on.

Note I: I noticed raspbian prebuilt openssl package doesn’t support zlib compression, so in my case I had to recompile openssl with zlib support. If you have an openssl package with zlib support you can uncomment “compression = zlib” line.
Note II: If you need to see the log messages for debug purposes, you can set “foreground = yes” temporarily. “foreground = no” makes stunnel to run in daemon mode.

3.Create local PreShareKey secret file /etc/stunnel/secrets.txt:

USERNAME:PASSWORD_MORE_THAN_20_CHARS

pick your username and password accordingly.

4.Create stunnel config on remote server /etc/stunnel/stunnel.conf:

foreground = no
socket = l:TCP_NODELAY=1
#compression = zlib

[SOCKS Server]
PSKsecrets = /etc/stunnel/secrets.txt
accept = 0.0.0.0:REMOTE_PORT
protocol = socks

REMOTE_PORT: The port which remote server will accept connections on.
The notes which I mentioned in previous section also apply to this section.

5.Create /etc/stunnel/secrets.txt on remote server identical to secrets file on local device.

6.Run both stunnel instances on local device and remote server.

stunnel /etc/stunnel/stunnel.conf

Part II: Making the SSL Socks Proxy Transparent
In order to make the SSL Socks Proxy Transparent, we need to setup our local device as the router and gateway of our local network and intercept all TCP connections.

The following settings should be made on local device.
1.Enable IPv4 forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward=1

and apply the changes:

sysctl -p

2.Redirect all TCP connections to socks proxy:

iptables -t nat -A PREROUTING -p tcp -d LOCAL_IP_ADDRESS_CLASS -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports LOCAL_PORT

iptables -t nat -A OUTPUT -p tcp -d REMOTE_SERVER_IP --dport REMOTE_PORT -j ACCEPT
iptables -t nat -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports LOCAL_PORT

LOCAL_IP_ADDRESS_CLASS: It is very important to set this option correctly otherwise you will lose your network access to your local device. it should be the network address of your local network for example : 192.168.0.0/16 or 10.0.0.0/8 or 192.168.1.0/24
LOCAL_PORT: The local port which stunnel is listening on.
REMOTE_SERVER_IP: The remote server IP.
REMOTE_PORT: The port which remote server will accept connections on.

The PREROUTING rules redirects all TCP connections of other clients on the LAN to Socks Proxy and The OUTPUT rules redirects all TCP connections of local device to Socks Proxy.

3.Set the gateway of network devices on local network to local device IP address. you can configure it manually or configure your DHCP server to assign the new gateway to DHCP clients. if you have an advanced router, you can probably set it up in your router configuration, otherwise you may need to disable your router DHCP server and install a full featured DHCP server on your local device.

Part III: Setting up DHCP server (OPTIONAL)
1.Install ISC DHCP server:

apt-get install isc-dhcp-server

2.Create /etc/dhcp/dhcpd.conf:

ddns-update-style none;
option domain-name-servers 192.168.1.2;
authoritative;
log-facility local7;
subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.50 192.168.1.100;
        option routers 192.168.1.2;
        option broadcast-address 192.168.1.255;
        default-lease-time 86400;
        max-lease-time 172800;
}

It is the exact configuration of my DHCP server, I think it is self explanatory.
192.168.1.2 is my local device (raspberry pi), you need to change it to your local device IP address and also change ranges and broadcast address accordingly.
If you are wondering why I am using my local device as my DNS server, you need to read the next section. you may want to use google public DNS servers 8.8.8.8 and 8.8.4.4.

Part IV: Forward DNS queries on a different port than 53(OPTIONAL)
One of common DNS attacks is called DNS Hijacking.
It is a very easy attack and is performed by hijacking your DNS requests which are sent on port 53 UDP, then the hijacker can send you any reply that he wants and you can not verify if it is a legitimate response or not. Unfortunately in most operating systems you can not configure DNS client to use a different port which is not hijacked or it is very hard to do.
I have invented a very simple, yet brilliant solution for this problem. it can be performed by doing two DNAT operations on our local device and remote server to reach a safe DNS server.
This solution does not encrypt or secure the request, but it changes the DNS port transparently to a non-hijacked port, which works fine 🙂
Here is how it is done:

1.Run the following commands on your local device:

iptables -t nat -A PREROUTING -p udp --dport 53 -d LOCAL_DEVICE_IP -j DNAT --to REMOTE_SERVER_IP:5353
iptables -t nat -A POSTROUTING -p udp --dport 5353 -d REMOTE_SERVER_IP -j SNAT --to LOCAL_DEVICE_IP

Change LOCAL_DEVICE_IP & REMOTE_SERVER_IP accordingly.

Edit: Although the above solution works, I found out it is better to install a caching DNS server on local device rather than forwarding every DNS queries to remote server.

1.Install pdnsd on local device:

apt-get install pdnsd

2.Make following changes to /etc/pdnsd.conf:
in global section:

server_ip = 0.0.0.0

in server section:

ip = REMOTE_SERVER_IP;
port = 5353;

3.Set “START_DAEMON=yes” in /etc/default/pdnsd

4.Restart pdnsd:

service pdnsd restart

5.Run the following commands on your remote server:

iptables -t nat -A PREROUTING -p udp --dport 5353 -d REMOTE_SERVER_IP -j DNAT --to 209.244.0.3:53
iptables -t nat -A POSTROUTING -p udp --dport 53 -d 209.244.0.3 -j SNAT --to REMOTE_SERVER_IP

Change REMOTE_SERVER_IP accordingly.

209.244.0.3 is the IP address of Level3 public DNS server. I used it because it had a very good ping to my remote server. you can use a different DNS server.
If you do it properly, your local device can be used as a DNS server and in my case it would act as Level3 public DNS server. not susceptible to port 53 DNS hijacking.

Part V: Setting up an encrypted TCP based DNS caching server (Solution II for secure DNS – OPTIONAL)
In my experience I noticed forwarding DNS queries on port 5353 can be unreliable and cause problems for web browsing, although there is no technical reason for this problem and it could be just my ISP dropping such UDP packets. also my previous solution was not encrypted and was just used to bypass DNS hijackers listening for DNS packets on port 53.
I tried a new solution and it works much more reliably. I encrypted local device (raspberry pi) TCP connections using 3 new iptables OUTPUT rules (which is explained above) and then set up my DNS caching server to resolve queries only on TCP. using TCP is several times more slower than UDP but it will be encrypted and reliable.
Here is how it is done:

1.Install pdnsd on local device:

apt-get install pdnsd

2.Make following changes to /etc/pdnsd.conf:
in global section:

server_ip = 0.0.0.0
query_method = tcp_only;
min_ttl = 86400;

in server section:

ip = 209.244.0.3;

Note: The DNS server you choose should support resolving DNS queries on TCP port 53. 209.244.0.3 is Level3 public DNS server and supports TCP DNS queries.
Note: “min_ttl = 86400” overrides the default TTL of DNS queries to 24 hours which is OK for 99.999% of websites. But if a website changes its DNS records meanwhile it is in pdnsd cache, you may need to flush the cache manually or wait up to 24 hours for the record to be updated.

3.Set “START_DAEMON=yes” in /etc/default/pdnsd

4.Restart pdnsd:

service pdnsd restart

February 18, 2015

snmpd: error on subcontainer ‘ia_addr’ insert (-1)

Filed under: Debian — Tags: , , , — admin @ 11:07 am

If you get many errors like the following in syslog:

snmpd[xxxx]: error on subcontainer 'ia_addr' insert (-1)

It’s because of a bug in Debian, Run the following commands to resolve the issue:

sed -i 's/Lsd/LS6d/g' /etc/default/snmpd
service snmpd restart

August 20, 2014

Force public key authentication on SSH daemon (disable password authentication)

Filed under: Debian,linux,Security — Tags: , , , , , , — admin @ 2:18 pm

It is a very good security practice to completely disable password authentication on your Linux server and use public key authentication method.
In order to do that you need to create your own public/private key pair and put the public key in ~/.ssh/authorized_keys

mkdir -p ~/.ssh
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHV80zPWjPAwKo8Be0k1ypBRMdYDC0H2eQchu3MFsEp8av2F/18GNuHsbyMWp0p1uovP5LGZ/oPZ1ISJxLxxOBiqv0fOyb8uTDYWUUITgGvq9Fppj3BNYTjnLCUAVMKdP3VJ7IPk69ygYR1nhAXiv3dSfeG74f2eo3ZYhrylsVS2G84DUh47FuEFOsfn5s2wXVjwAgqdKBhiVQZWrptf6TEK3fZTVg4rCiRJ+YiIwTZr/CfFHbdqOiwDlGR5fWo0PHHq31lrQXzkASfi3C+ahQFnHsy4+8LdCq+TjzC3J6PbuXP1wpLdm1iP35f61hU1wX2hwhyxdvE+SBXT/PpSVB' >> ~/.ssh/authorized_keys

DISCLAIMER : The above key is my public key, if you put it on your server, I will be able to login into your server 😀
Now add/change the following config to /etc/ssh/sshd_config

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PubkeyAuthentication yes

and restart ssh service :

service ssh restart

Note : Before closing your current SSH session, I highly recommend you to test that actually you can login into your server by new method. otherwise you may be locked out of your server.

August 7, 2014

Send email alerts if PERC H200 raid fails in Linux

Filed under: Debian,linux — Tags: , , — admin @ 11:18 pm

Recently I have bought a Dell PowerEdge R210 server which is equipped by PERC H200 raid controller.
As I have setup a raid 1 on this server, I needed to monitor its raid status, Here is what I did :
First you need “sas2ircu” utility which can be found on following website :
http://hwraid.le-vert.net/wiki/DebianPackages
Running “sas2ircu 0 STATUS” give you following output :

root@x:/# sas2ircu 0 STATUS
LSI Corporation SAS2 IR Configuration Utility.
Version 16.00.00.00 (2013.03.01)
Copyright (c) 2009-2013 LSI Corporation. All rights reserved.

Background command progress status for controller 0...
IR Volume 1
  Volume ID                               : 79
  Current operation                       : None
  Volume status                           : Enabled
  Volume state                            : Optimal
  Volume wwid                             : xxxxxxxxxxxxxx
  Physical disk I/Os                      : Not quiesced
SAS2IRCU: Command STATUS Completed Successfully.
SAS2IRCU: Utility Completed Successfully.

What we are interested in is “Optimal” status. so if Optimal changes to anything, we want to be notified.
You can use the following script to do that (change MAIL variable to your own email address) :

#!/bin/bash
MAIL=mail@domain.com
RESULT=`sas2ircu 0 STATUS | grep Optimal`
if [ -z "$RESULT" ]; then
    echo "RAID ERROR ON SERVER" | mail -s 'Raid Error' "$MAIL"
    else echo "Raid is OK"
fi

as always do not forget to test if your server is actually able to send mails and you receive them.
Finally save the script in a file and put it in cronjob. I have chosen to run it every 12 hours :

0 */12 * * * /usr/bin/raidcheck

October 24, 2012

The proper way to benchmark disk write performance in Linux

Filed under: CentOS,Debian,linux — Tags: , , , , — admin @ 7:46 am
dd bs=1M count=512 if=/dev/zero of=test conv=fdatasync

The result is something like this :
512+0 records in
512+0 records out
536870912 bytes (537 MB) copied, 1.43334 s, 375 MB/s

September 3, 2012

Install SNMP on Debian

Filed under: Debian — Tags: , , , — admin @ 10:15 am

The following easy steps will install snmp daemon on your Debian server :

apt-get install snmpd snmp

now snmpd simple configuration ( change SECRET_NAME to a complex string ) :

echo rocommunity SECRET_NAME > /etc/snmp/snmpd.conf

restart snmpd :

/etc/init.d/snmpd restart

last step to check snmpd is working ( change SECRET_NAME to the string you have chose before ) :

snmpwalk -v 1 -c SECRET_NAME -O e 127.0.0.1

you should get an output like below :

iso.3.6.1.2.1.1.1.0 = STRING: "Linux debian 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (7026) 0:01:10.26
iso.3.6.1.2.1.1.4.0 = STRING: "root"
iso.3.6.1.2.1.1.5.0 = STRING: "debian"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown"
iso.3.6.1.2.1.1.8.0 = Timeticks: (0) 0:00:00.00
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "View-based Access Control Model for SNMP."

July 16, 2012

How to auth Squid by Radius through PAM in Debian

Filed under: Debian — Tags: , , , , , — admin @ 9:20 am

install libpam-radius-auth

apt-get install libpam-radius-auth

open /etc/pam_radius_auth.conf

nano /etc/pam_radius_auth.conf

and add the following lines into it. Your_IP and PORT are the IP address and Port of Radius sever. SecretKey is the Secret of radius server. 3 is the timeout in seconds.

# server[:port] shared_secret      timeout (s)
YOUR_IP:PORT SecretKey 3

Change the permissions :

chown root /etc/pam_radius_auth.conf
chmod +r /etc/pam_radius_auth.conf

create /etc/pam.d/squid :

nano /etc/pam.d/squid

and add the following lines :

auth sufficient pam_radius_auth.so
account sufficient pam_radius_auth.so

Now install Squid if you have not installed it yet :

apt-get install squid

Lets try and see if Squid PAM works successfully through Radius auth, run the following command and enter username and password with a space between them :

/usr/lib/squid/pam_auth
username password
OK

OK means radius server has accepted the authentication details. ERR means there is a problem.
Now configure Squid to use pam_ath, open /etc/squid/squid.conf :

nano /etc/squid/squid.conf

Add the following lines to the begging of the file :

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm REALM
auth_param basic credentialsttl 2 hours

Add following line in acl section :

acl password proxy_auth REQUIRED

Add following line before http_access deny all :

http_access allow password

December 16, 2011

Linux Delete Empty Directories (Folders)

Filed under: CentOS,Debian,General,linux — Tags: , , , , , , — admin @ 6:01 am

As simple as one single command :

find -type d -empty -delete

September 26, 2011

Gateway on a different subnet on Linux

Filed under: Debian,General,linux — Tags: , , , , , — admin @ 7:50 am

Theoretically host IP and gateway should be on the same IP subnet. but there are some situations where host IP and gateway subnet are on different subnets. like my situation today. I was assigned two additional IPs for my server by my Data-center, but IPs were from a different subnet compared to server main IP. these IPs will work if you set them as additional IPs. but I needed them to create two new VPS’s on my server with bridged network interface. in this situation additional IPs should serve as main IP address and there is no gateway on same subnet available.
So here are the assumptions :

a.b.c.d is the host IP
e.f.g.h is the gateway IP
a.b.c.d & e.f.g.h are on different subnets.

by default if you try to set gateway by following command :

route add default gw e.f.g.h

you will get this error :

SIOCADDRT: No such process

the trick is simple , first add a route to default gateway itself and then set the default gateway , like this :

route add e.f.g.h/32 dev eth0
route add default gw e.f.g.h

remember you may need to change eth0 to your device name , it may be eth1 or wlan0 or anything.

How to make these route changes persistent ?

For Debian/Ubuntu :
Add the following lines to /etc/network/interfaces :

post-up route add e.f.g.h/32 dev eth0
post-up route add default gw e.f.g.h

September 9, 2011

Install Apache2 + PHP5 on Debian

Filed under: Apache,Debian,PHP — Tags: , , , , — admin @ 8:16 am

Very Simple…

apt-get install libapache2-mod-php5
/etc/init.d/apache2 restart
Older Posts »

Powered by WordPress