Admins eHow SysAdmin Tips & Tricks

January 20, 2016

Transparent SSL Socks Proxy using Raspberry pi

Filed under: Debian,Raspberry pi,Security — Tags: , , , — admin @ 8:58 am

A Transparent SSL Socks proxy can be useful to encrypt and secure all TCP connections and/or infiltrate Internet censorship systems.
In order to make this setup, you need two Linux based boxes, one in your local network and one which will act as server in a remote location.
Theoretically what we are going to achieve is to intercept all TCP connections on our local network transparently, encrypt them and then tunnel them to our remote server.
This can be achieved easily using a powerful Linux application called Stunnel.
In my own setup, I am using a raspberry pi 2 for my local device. it is a cheap device and has a very low power usage and can be running 24/7, so it is very suitable to act as a full featured Linux based router. although you can use a PC or a virtual machine to achieve the same.
Debian is my favorite Linux distro, so my guide will be based on Debian.
Enough introduction, lets get started.

Part I: Setting up SSL Socks Proxy
1.Install stunnel on both local and remote devices:
Download and install the latest version of stunnel from stunnel website: https://www.stunnel.org/downloads.html
You may need to compile it from source.

2.Create stunnel config on local device /etc/stunnel/stunnel.conf:

foreground = no
socket = r:TCP_NODELAY=1
output = /var/log/stunnel.log
#compression = zlib
syslog = no

[SOCKS Client Direct]
client = yes
PSKsecrets = /etc/stunnel/secrets.txt
accept = 0.0.0.0:LOCAL_PORT
connect = REMOTE_SERVER_IP:REMOTE_PORT
protocol = socks

LOCAL_PORT: The local port which stunnel will listen on.
REMOTE_SERVER_IP: The remote server IP.
REMOTE_PORT: The port which remote server will accept connections on.

Note I: I noticed raspbian prebuilt openssl package doesn’t support zlib compression, so in my case I had to recompile openssl with zlib support. If you have an openssl package with zlib support you can uncomment “compression = zlib” line.
Note II: If you need to see the log messages for debug purposes, you can set “foreground = yes” temporarily. “foreground = no” makes stunnel to run in daemon mode.

3.Create local PreShareKey secret file /etc/stunnel/secrets.txt:

USERNAME:PASSWORD_MORE_THAN_20_CHARS

pick your username and password accordingly.

4.Create stunnel config on remote server /etc/stunnel/stunnel.conf:

foreground = no
socket = l:TCP_NODELAY=1
#compression = zlib

[SOCKS Server]
PSKsecrets = /etc/stunnel/secrets.txt
accept = 0.0.0.0:REMOTE_PORT
protocol = socks

REMOTE_PORT: The port which remote server will accept connections on.
The notes which I mentioned in previous section also apply to this section.

5.Create /etc/stunnel/secrets.txt on remote server identical to secrets file on local device.

6.Run both stunnel instances on local device and remote server.

stunnel /etc/stunnel/stunnel.conf

Part II: Making the SSL Socks Proxy Transparent
In order to make the SSL Socks Proxy Transparent, we need to setup our local device as the router and gateway of our local network and intercept all TCP connections.

The following settings should be made on local device.
1.Enable IPv4 forwarding in /etc/sysctl.conf:

net.ipv4.ip_forward=1

and apply the changes:

sysctl -p

2.Redirect all TCP connections to socks proxy:

iptables -t nat -A PREROUTING -p tcp -d LOCAL_IP_ADDRESS_CLASS -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-ports LOCAL_PORT

iptables -t nat -A OUTPUT -p tcp -d REMOTE_SERVER_IP --dport REMOTE_PORT -j ACCEPT
iptables -t nat -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-ports LOCAL_PORT

LOCAL_IP_ADDRESS_CLASS: It is very important to set this option correctly otherwise you will lose your network access to your local device. it should be the network address of your local network for example : 192.168.0.0/16 or 10.0.0.0/8 or 192.168.1.0/24
LOCAL_PORT: The local port which stunnel is listening on.
REMOTE_SERVER_IP: The remote server IP.
REMOTE_PORT: The port which remote server will accept connections on.

The PREROUTING rules redirects all TCP connections of other clients on the LAN to Socks Proxy and The OUTPUT rules redirects all TCP connections of local device to Socks Proxy.

3.Set the gateway of network devices on local network to local device IP address. you can configure it manually or configure your DHCP server to assign the new gateway to DHCP clients. if you have an advanced router, you can probably set it up in your router configuration, otherwise you may need to disable your router DHCP server and install a full featured DHCP server on your local device.

Part III: Setting up DHCP server (OPTIONAL)
1.Install ISC DHCP server:

apt-get install isc-dhcp-server

2.Create /etc/dhcp/dhcpd.conf:

ddns-update-style none;
option domain-name-servers 192.168.1.2;
authoritative;
log-facility local7;
subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.50 192.168.1.100;
        option routers 192.168.1.2;
        option broadcast-address 192.168.1.255;
        default-lease-time 86400;
        max-lease-time 172800;
}

It is the exact configuration of my DHCP server, I think it is self explanatory.
192.168.1.2 is my local device (raspberry pi), you need to change it to your local device IP address and also change ranges and broadcast address accordingly.
If you are wondering why I am using my local device as my DNS server, you need to read the next section. you may want to use google public DNS servers 8.8.8.8 and 8.8.4.4.

Part IV: Forward DNS queries on a different port than 53(OPTIONAL)
One of common DNS attacks is called DNS Hijacking.
It is a very easy attack and is performed by hijacking your DNS requests which are sent on port 53 UDP, then the hijacker can send you any reply that he wants and you can not verify if it is a legitimate response or not. Unfortunately in most operating systems you can not configure DNS client to use a different port which is not hijacked or it is very hard to do.
I have invented a very simple, yet brilliant solution for this problem. it can be performed by doing two DNAT operations on our local device and remote server to reach a safe DNS server.
This solution does not encrypt or secure the request, but it changes the DNS port transparently to a non-hijacked port, which works fine 🙂
Here is how it is done:

1.Run the following commands on your local device:

iptables -t nat -A PREROUTING -p udp --dport 53 -d LOCAL_DEVICE_IP -j DNAT --to REMOTE_SERVER_IP:5353
iptables -t nat -A POSTROUTING -p udp --dport 5353 -d REMOTE_SERVER_IP -j SNAT --to LOCAL_DEVICE_IP

Change LOCAL_DEVICE_IP & REMOTE_SERVER_IP accordingly.

Edit: Although the above solution works, I found out it is better to install a caching DNS server on local device rather than forwarding every DNS queries to remote server.

1.Install pdnsd on local device:

apt-get install pdnsd

2.Make following changes to /etc/pdnsd.conf:
in global section:

server_ip = 0.0.0.0

in server section:

ip = REMOTE_SERVER_IP;
port = 5353;

3.Set “START_DAEMON=yes” in /etc/default/pdnsd

4.Restart pdnsd:

service pdnsd restart

5.Run the following commands on your remote server:

iptables -t nat -A PREROUTING -p udp --dport 5353 -d REMOTE_SERVER_IP -j DNAT --to 209.244.0.3:53
iptables -t nat -A POSTROUTING -p udp --dport 53 -d 209.244.0.3 -j SNAT --to REMOTE_SERVER_IP

Change REMOTE_SERVER_IP accordingly.

209.244.0.3 is the IP address of Level3 public DNS server. I used it because it had a very good ping to my remote server. you can use a different DNS server.
If you do it properly, your local device can be used as a DNS server and in my case it would act as Level3 public DNS server. not susceptible to port 53 DNS hijacking.

Part V: Setting up an encrypted TCP based DNS caching server (Solution II for secure DNS – OPTIONAL)
In my experience I noticed forwarding DNS queries on port 5353 can be unreliable and cause problems for web browsing, although there is no technical reason for this problem and it could be just my ISP dropping such UDP packets. also my previous solution was not encrypted and was just used to bypass DNS hijackers listening for DNS packets on port 53.
I tried a new solution and it works much more reliably. I encrypted local device (raspberry pi) TCP connections using 3 new iptables OUTPUT rules (which is explained above) and then set up my DNS caching server to resolve queries only on TCP. using TCP is several times more slower than UDP but it will be encrypted and reliable.
Here is how it is done:

1.Install pdnsd on local device:

apt-get install pdnsd

2.Make following changes to /etc/pdnsd.conf:
in global section:

server_ip = 0.0.0.0
query_method = tcp_only;
min_ttl = 86400;

in server section:

ip = 209.244.0.3;

Note: The DNS server you choose should support resolving DNS queries on TCP port 53. 209.244.0.3 is Level3 public DNS server and supports TCP DNS queries.
Note: “min_ttl = 86400” overrides the default TTL of DNS queries to 24 hours which is OK for 99.999% of websites. But if a website changes its DNS records meanwhile it is in pdnsd cache, you may need to flush the cache manually or wait up to 24 hours for the record to be updated.

3.Set “START_DAEMON=yes” in /etc/default/pdnsd

4.Restart pdnsd:

service pdnsd restart

July 11, 2015

Fix Wireless lan lag/spike in Windows 7/8

Filed under: Windows — Tags: , , , , , , — admin @ 12:25 pm

If you are experiencing regular latency spikes on your WLAN in widows 7/8, it could be because of windows “Auto configuration logic”. the solution is to disable it by following command :

netsh wlan set autoconfig enabled=no interface="NAME_OF_WLAN_INTERFACE"

Replace NAME_OF_WLAN_INTERFACE with your own WLAN interface name.

May 21, 2015

Block Torrent Trackers on Linux

Filed under: linux,Security,Torrent — Tags: , , , — admin @ 2:38 am

Create “/etc/trackers” with a list of trackers which you want to be blocked.
My current file contains:

9.rarbg.com
announce.torrentsmd.com
bigfoot1942.sektori.org
bt.careland.com.cn
bttrack.9you.com
bttracker.crunchbanglinux.org
coppersurfer.tk
explodie.org
i.bandito.org
mgtracker.org
open.demonii.com
opensharing.org
torrent.fedoraproject.org
torrent.gresille.org
tracker.best-torrents.net
tracker.blucds.com
tracker.btzoo.eu
tracker.coppersurfer.tk
tracker.dler.org
tracker.istole.it
tracker.leechers-paradise.org
tracker.nwps.ws
tracker.openbittorrent.com
tracker.publicbt.com
tracker.tfile.me
tracker1.wasabii.com.tw

You can have duplicates in the list, script will take care of that.

Now create “/usr/bin/blocktrackers” script:

#!/bin/bash

IFS=$'\n'
L=$(/usr/bin/sort /etc/trackers | /usr/bin/uniq)
for fn in $L; do
        /sbin/iptables -D INPUT -d $fn -j DROP -m comment --comment "Tracker"
        /sbin/iptables -D FORWARD -d $fn -j DROP -m comment --comment "Tracker"
        /sbin/iptables -D OUTPUT -d $fn -j DROP -m comment --comment "Tracker"
        /sbin/iptables -A INPUT -d $fn -j DROP -m comment --comment "Tracker"
        /sbin/iptables -A FORWARD -d $fn -j DROP -m comment --comment "Tracker"
        /sbin/iptables -A OUTPUT -d $fn -j DROP -m comment --comment "Tracker"
done

Make it executable and create a cronjob to run it daily because trackers change IP address very often.

March 22, 2015

Linux dig utility for Windows x64

Filed under: dns,General,linux,Windows — Tags: , , , — admin @ 5:00 pm

I have created an installer for Linux DNS dig utility for Windows x64. it is extracted from BIND 9.10.2.x64.
It installs dig into system32 folder of Windows so it is already included in PATH and can be invoked from anywhere in command prompt.

Download : DIG_9.10.2.x64

February 18, 2015

snmpd: error on subcontainer ‘ia_addr’ insert (-1)

Filed under: Debian — Tags: , , , — admin @ 11:07 am

If you get many errors like the following in syslog:

snmpd[xxxx]: error on subcontainer 'ia_addr' insert (-1)

It’s because of a bug in Debian, Run the following commands to resolve the issue:

sed -i 's/Lsd/LS6d/g' /etc/default/snmpd
service snmpd restart

October 20, 2014

How to watch Twitch streams without lag or stutter in Source quality

Filed under: General — Tags: , , , , — admin @ 1:16 am

As a gamer, I am also a fan of watching other people playing games on Twitch. I mostly watch pro players playing Dota 2.
If you have ever tried watching Twitch, you would know how much it matters to be able to watch the streams in Source quality. Good streamers usually stream in Full HD (1920×1080 30 FPS or 60 FPS) which may require a consistent 4-6 mps of bandwidth. well you may think 4-6 mps is not much, your broadband connection supports multiple times of this number but in the reality is not that simple and you may get lag and stutter while watching in Source quality.
The reason behind this is the complexity of Internet. Twitch stream may not be routed to you through an optimal route, Also many broadband ISPs play all kind shenanigans with users traffic in order to save bandwidth and make more money.
Unfortunately for me thats the case. Normally I am not able to watch Twitch streams in Source quality and I hate anything less than Full HD.
But being a system administrator has its own privileges and I have found two ways to be able to watch Twitch streams in Source quality which I am going to share with you :

  1. Use a VPN or Proxy : Using a good VPN or Proxy may actually improve your Internet speed. The reason is that your ISP may not have the best routes to all other networks but may have good routes to few other networks, now if you can get a VPN or Proxy on one of those good networks, it causes all of your traffic to be routed through those good routes and it improves your Internet speed. Also using a VPN or Proxy will save you from shenanigans of your ISP because it is usually encrypted and they can not tamper with it.
    But there is a trick, using any VPN or Proxy will not help you and may even degrade your Internet speeds. You should use a VPN or Proxy which has a good route to you and its quality is decent so forget about free ones. What I recommend to you is to get a service from a reputable VPN provider – like StrongVPN – they provide many VPN servers in diffenet locations which enables you to find the one which works for you by trial and error. you can also speed test their servers and find out which one has the best route to you.
    Another advantage of using a VPN or Proxy is that you can use it in your mobile device. Sometimes I like to watch streams lying in bed on my tablet and without a VPN, I am not able to watch in source quality.
  2. Use Livestreamer : I found this solution just last night when even my beloved Proxy servers could not help me. Livestreamer is a software which allows you to watch online streams in external media players like VLC. it has many features like saving the stream and etc which I am not going to explain here and you can read the documentation if you are interested : http://livestreamer.readthedocs.org/en/latest/cli.html
    First thing which you need to do is to download and install Livestreamer from this link : http://livestreamer.readthedocs.org/en/latest/install.html
    Also if you dont already have VLC installed on your PC, go ahead and download and install it : http://www.videolan.org/
    Now we need to configure Livestreamer, find Livestreamer configuration file and open it in a text editor. It is located under “%APPDATA%\livestreamer\livestreamerrc” in Windows and under “~/.livestreamerrc” for MACOSX and Linux.
    First uncomment the appropriate player line in configuration file. For me it is :

    player="C:\Program Files\VideoLAN\VLC\vlc.exe" --file-caching=5000

    It specifies the location of vlc.exe so Livestreamer can launch it.
    Now scroll to the end of file and enable these two options with following values :

    hls-segment-threads=10
    hds-segment-threads=10

    These two lines will do the trick for us in order to be able to watch stream without stutter. The reason is that in HLS (Twitch Streaming Protocol) and HDS, unlike other streaming protocols which stream is sent in one continuous stream, it is sliced and chunked in several pieces and sent over HTTP protocol. So it is possible to download these chunks simultaneously with multiple connections exactly like how download managers work.
    Save the config file and our setup is complete. We can use it now to watch Twitch stream in source quality in VLC by following command :

    Livestreamer.exe LINK_TO_TWITCH_STREAM best

    For example :

    Livestreamer.exe http://www.twitch.tv/sing_sing best

    It takes about 15 seconds for Livestreamer to establish connections and launch VLC.

Update : I have written a small utility to comfortably launch livestreamer on Windows. It needs .Net framework 4.5 to work.
You can download it here : LiveStream Launcher

October 2, 2014

Minima wallpaper pack for Mobile / Tablets

Filed under: Android,Apple,General — Tags: , , — admin @ 3:50 am

Here are some beautiful minimalist wallpapers for your mobile device. Preview :

wallpaper-preview

Download : Minima-WP-Pack

September 25, 2014

The Internet’s hilarious reaction to #bendgate

Filed under: General — admin @ 9:34 am

Very well deserve it #Apple 😀 #GETREKT


(more…)

September 24, 2014

Apple released iPant and special bend fixing tools for iPhone 6/6+ owners

Filed under: Apple,iPhone — Tags: , , , , — admin @ 7:19 pm

In the wake of the news that iPhone 6/6+ are being bent in the pockets of users :
http://www.reddit.com/r/iphone/comments/2hbmwd/so_have_any_of_your_6plus_actually_bent/


(more…)

September 21, 2014

#AppleWave, The new way to charge your iPhone super fast

Filed under: Apple — Tags: , , , , , — admin @ 6:34 am

If you have an iPhone 6/6+ or an older iPhone with with iOS 8, then you can benefit from Apple’s new technology called Apple Wave. iOS 8 contains drivers which enables iPhone to be charged using any normal household microwave. I personally tried it myself and was able to charge an iPhone from 20% to 90% in about 60 seconds. This is really awesome.

Here is Apple’s official introduction to Apple Wave :

apple-wave

« Newer PostsOlder Posts »

Powered by WordPress