netnerds.net

20Feb/118

OpenWRT & PPTPD: A Love Story

Firesheep got me thinkin' that I should probably do a little more to beef up the security of my Internet connection on public networks. PPTP has always been a favorite of mine, because it hides traffic well enough to deter most people and it's easy to setup on both Linux and Windows. I ran a Windows PPTP server for years, but recently decided to just host the service my WRT54GS v3 router running OpenWRT. Three hours later, I've got it running smoothly. Here's how I did it:

First, I installed and setup OpenWrt Backfire 10.03 and set my internal IP pool to be on the 172.16.x net, with the gateway (OpenWRT router being 172.16.1.1). Then, I headed over to OpenWRT's PPTPD HOW-TO.

opkg update
opkg install pptpd
opkg install kmod-crypto
opkg install kmod-mppe
/etc/init.d/pptpd enable
/etc/init.d/pptpd start


I believe my /etc/ppp/options file doesn't have any modifications, but just in case, this is what it looks like:

#debug
logfile /dev/null
noaccomp
nopcomp
nocrtscts
lock
maxfail 0
lcp-echo-failure 5
lcp-echo-interval 1


Now that I think about it, very few modifications were ultimately made to /etc/ppp/options.pptpd

auth
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
default-asyncmap
mtu 1482
mru 1482
nobsdcomp
nodeflate
#noproxyarp
#nomppc
chapms-strip-domain
# Otherwise, your chap-secret file will have to include "DOMAIN\\user" instead of user.
mppe required,no40,no56,stateless
require-mschap-v2
refuse-chap
refuse-mschap
refuse-eap
refuse-pap
ms-dns 172.16.1.1
#plugin radius.so
#radius-config-file /etc/radius.conf


If you compare this to the original file, you'll notice I deleted the entry "172.16.1.1:" at the top of the file, and added the entry: ms-dns 172.16.1.1. I don't know why, but DNS didn't work well when the the client's defaults were used so I forced them to use the router's LAN DNS server.

Then I added some users to the /etc/ppp/chap-secrets file. I'll paste the contents, then go over the details. Oh, and don't forget to chmod 600 /etc/chap-secrets because the file's perms are insecure by default:

#USERNAME  PROVIDER  PASSWORD  IPADDRESS
iphone  pptp-server     suprAdv4ncedPwd!       192.168.80.1
ipad    pptp-server     rlyAdv4ncedPwd!       192.168.80.11
hackbook        pptp-server     megaAdv4ncedPwd!       191.68.80.3
windows pptp-server     ttllyAdv4ncedPwd!       192.168.80.2
extra           pptp-server     megaAdv4ncedPwd! 192.68.80.4


The chap-secrets file alone suggests that OpenWRT/PPTP is not an enterprise solution. I wouldn't propose it for any company with a decent budget, but times are tough and ghetto is looking better than ever to many companies.

I would actually have fewer entries in this file if the IPADDRESS field was not such a big issue. Unfortunately, it seems that the DHCP pool has been compiled into the service. It sets up the router's pppN to be 192.168.0.x and assigns the clients a 192.168.1.x address by default. Which is unfortunate, because SO DOES EVER OTHER RESIDENTIAL ROUTER, EVER. So routing issues keep pop up. Because of that, I force PPTPD to assign each user a specific IP, in the 192.168.80.x range because I've never seen any router use that subnet.

The usernames are whatever you'd like them to be (I made them the name of my devices) but if you are dialing-in from a Windows machine, you will have to preface the username with the Windows domain name or the name of your workstation if you are not on a domain UPDATE: adding chapms-strip-domain to options.pptpd fixes this. The "pptp-server" is what the service was named in options.pptd, the password is just that, and the IPADDRESS is the IP that the given client will be assigned.

Initially, my /etc/firewall.user didn't have all the proper entries, so my client was able to authenticate and all that, but no traffic was being routed to the 172.16.x subnet, nor was it being routed to the Internet. Here's what worked:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
iptables    -A input_wan -p tcp --dport 1723 -j ACCEPT
iptables    -A input_wan -p gre -j ACCEPT

iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT


The first block allows clients to connect to the PPTP service and the second one allows it to communicate with both the Internet and the local network. And voila, you are done. I know it seems straightforward and doesn't deviate much for the default install, but it took over three hours of trial and error to get here. I've logged in successfully with an iPhone (over 3G, EDGE and wifi), an iPad, a Windows 7 machine and Mac OS X. The iPhone is of special importance to me -- after connecting to a local coffee shop's unsecured network on my laptop and my iPhone, I successfully hijacked my iPhone's Facebook app session using FireSheep. So, now I'll be encapsulating all of my traffic by sending it over to the fiber connection at my office, what what.

Next up, I'll probably start playing around with the RADIUS plugin. Stay tuned.

Posted by: Chrissy LeMaire   Filed under: Linux, Networking, Security 8 Comments
27Jan/102

Setup WebDAV in Apache2 on SuSE Linux to Support Windows (XP/Vista/7) Clients

Earlier today, a colleague told me that she doesn't like using my servers because I don't have FTP setup thus, she couldn't map my server as a drive. Well, I showed her. I stand firmly against using FTP as any type of web-related solution and thus, decided on WebDAV to address my colleague's demanding needs.

Initially, I set the virtual host up for Basic Authentication but was unable to get Windows 7 and Windows XP to map the drive. Windows complained that "The network path could not be found." I tried mapping the drive from both the command line and from Windows Explorer with no luck. Then I read that theWindows webDAV client does not support Basic Authentication. If this server were on my domain, I'd use Kerberos without a second thought, but it's an Internet web server so that is out of the question. Digest Authentication it is.

I went enable mod_dav, mod_dav_fs, and mod_auth_digest in YaST under Network Services >> HTTP Server >> Server Modules and I restarted the service. I then created the folder /var/davlock, gave it the proper permissions and added the following to httpd.conf

<ifmodule mod_dav.c>
  DAVLockDB /var/davlock/DAVlock
</ifModule>


Then I added the new host, sample.acme.com to my vhosts.conf file and restarted the service.

<virtualHost *:80>
    ServerAdmin nobody@localhost
    ServerName sample.acme.com
    DocumentRoot /www/wordpress/sample
    ErrorLog /var/log/apache2/sample-error_log
    CustomLog /var/log/apache2/sample-access_log combined
    UseCanonicalName Off

<directory "/www/wordpress/sample">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
DAV On

#Auth in the house
AuthType Digest
AuthName "sample"
AuthDigestAlgorithm MD5
AuthDigestDomain http://sample.acme.com
AuthDigestNcCheck Off
AuthDigestNonceLifetime 0
AuthDigestQop auth
AuthDigestProvider file
AuthUserFile /etc/apache2/.htdigest
AuthGroupFile /dev/null
<limitExcept GET HEAD OPTIONS POST>
require valid-user
</limitExcept>
Order allow,deny
Allow from all
</directory>
</virtualHost>


Notice AuthUserFile /etc/apache2/.htdigest. That file was created using htdigest2 (or on most other systems, htdigest).

htdigest2 -c /etc/apache2/.htdigest sample acmeuser

The -c switch creates the file, "sample" correlates with the AuthName directive and acmeuser is the username of my demanding colleague. Also take note that the way I used LimitExcept allows all non-webDAV users to have anonymous access to the site, while any webDAV activity requires a username and password.

Next, I mapped a drive in Windows with the two methods I am familiar with. First, via the command line

W:\>net use * http://sample.acme.com
Enter the user name for 'sample.acme.com': acmeuser
Enter the password for sample.acme.com:
Drive X: is now connected to http://sample.acme.com.


And then via Windows Explorer (My Computer >> Map Network Drive [be sure to click "Connect Using Different Credentials"]). Both worked flawlessly. And of course, this is all better if you can do it over HTTPS, which I plan to setup when I have time. But for now, my servers are totally in style and ready for use by people who aren't fans of vi ;) .

Posted by: Chrissy LeMaire   Filed under: Apache, Linux, Security, Windows 2 Comments
17Jan/100

OpenWRT: iptables-based Firewall Rules for PPTP and IPsec

Just a handy little reference for myself.

#Internal PPTP Server
vpnserver="172.16.1.10"
iptables -N pptp
iptables -A pptp -p tcp --destination-port 1723 --dst $vpnserver -j ACCEPT
iptables -A pptp -p gre --dst $vpnserver -j ACCEPT
iptables -I FORWARD -j pptp
iptables -t nat -N pptp
iptables -t nat -A pptp -i $WAN -p tcp --dport 1723 -j DNAT --to $vpnserver
iptables -t nat -A pptp -i $WAN -p 47 -j DNAT --to $vpnserver
iptables -t nat -A PREROUTING -j pptp

### Gateway Router-based IPSEC VPN
# allow IPSEC
iptables -A input_rule -p esp -j ACCEPT
# allow ISAKMP
iptables -A input_rule -p udp -m udp --dport 500 -j ACCEPT
# allow NAT-T
iptables -A input_rule -p udp -m udp --dport 4500 -j ACCEPT
# disable NAT for communications with remote LAN
iptables -t nat -A postrouting_rule -d 172.16.0.0/24     -j ACCEPT
# Allow any traffic between tunnel LANs
iptables -A forwarding_rule -i $LAN -o ipsec0 -j ACCEPT
iptables -A forwarding_rule -i ipsec0 -o $LAN -j ACCEPT
Posted by: Chrissy LeMaire   Filed under: Linux, Networking, Security No Comments
5Oct/094

Securing Apache using mod_ssl, OpenSSL and Microsoft Certificate Authority (CA)

Recently, I used my Windows-based domain's Enterprise Root Certification Authority to secure my subversion repository that is hosted on an Apache-based server. The process was rather straight-forward and relatively fast -- especially because I skipped over all of the file transfers and just used vi/notepad to copy/paste all the key info. The first step in this process is to generate a server key on the Linux machine:

openssl genrsa

ariel:~ # openssl genrsa -des3 -out ariel.corp.netnerds.net.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
................................................................................

...................................++++++
e is 65537 (0x10001)
Enter pass phrase for ariel.corp.netnerds.net.key: **********
Verifying - Enter pass phrase for ariel.corp.netnerds.net.key: **********

Next, I used the key to create a certificate signing request

openssl req

ariel:~ # openssl req -new -key ariel.corp.netnerds.net.key -out ariel.corp.netnerds.net.csr
Enter pass phrase for ariel.key: **********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:LA
Locality Name (eg, city) []:Kaplan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:netnerds
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:ariel.corp.netnerds.net
Email Address []:postmaster@netnerds.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Next, I concatenated the contents of ariel.corp.netnerds.net.csr and copied that into my clipboard. The request looked something like this:

-----BEGIN CERTIFICATE REQUEST-----
wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
......
vwL6
-----END CERTIFICATE REQUEST-----

I then opened up my domain's CA @ http://windowsCA/certsrv and went to

  • Request a certificate
    Or, submit an advanced certificate request.
  • Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  • Saved Request:
    -----BEGIN CERTIFICATE REQUEST-----
    wCvPKErAn5QBKFwlT5RCcOjeSZhAOx3UNe+Ispk874rvvwL6YIApAsMujrUlDNVo
    ......
    vwL6
    -----END CERTIFICATE REQUEST-----

    Certificate Template: Web Server

Note: Be sure to decline when prompted by the browser to install the certificate locally.

I then opened the file in notepad, and copied the contents back into Linux as temp.key. In order to avoid having to type the passphrase in each time Apache is restarted, I decoded the key and moved that to the Apache directory.

openssl rsa -in temp.key -out ariel.corp.netnerds.net-decoded.key

Next, I copied the files into the appropriate directories in /etc/apache/ssl* and modified my /etc/apache2/vhosts.d/vhost-ssl.conf and added the appropriate file locations:

SSLCertificateFile /etc/apache2/ssl.crt/ariel.corp.netnerds.net.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/ariel.corp.netnerds.net-decoded.key

Finally, I restarted the apache service and then partied to Wayne Toups.

Posted by: Chrissy LeMaire   Filed under: Active Directory, Apache, Linux, Networking, Security 4 Comments
2Oct/093

Securing Subversion with Windows 2008 Kerberos-Based SSO and Linux-Based Apache

Some things just belong on Linux. Like Subversion and Apache, for instance. I've seen the ghetto workarounds for Windows-based Apache installs and no thanks -- I'd much rather waste my time on ghetto SharePoint workarounds.

But I sure do like the way Windows-based web servers such as IIS seamlessly and securely authenticate users across a domain. I wanted Apache to do the same and, after a week of trying various methods of authentication, I found the easiest, most efficient way is to use SSL, Kerberos, and Likewise.

I start this project, as I do all of my Linux projects, by using a fresh install of SuSE Linux Enterprise Server (SLES 11). During the initial install, I made sure to use a local passwd file for authentication. Likewise takes care of all the advanced authentication methods after the install is complete. When using Likewise, do not attempt to use YaST to configure authentication or you'll run into a variety of pam and krb5 key issues.

Here are the following steps and tutorials I used to accomplish my goal of SSO

  1. Install and configure Likewise Open.
    • Joining a domain is as easy as /opt/likewise/bin/domainjoin-cli join corp.netnerds.net Administrator, even when authenticating against Windows 2008 Active Directory.
  2. Setup Apache to support SSL
  3. Setup Apache to support Kerberos-based SSO
    • My ktpass, for example, looks like this:
      ktpass /out http.ktb /princ HTTP/ariel.corp.netnerds.net@CORP.NETNERDS.NET /pass SkiAlta2009 /mapuser corp\linuxweb
  4. Install the One-Click Installer that comes with OpenSuSE by default, but not SLES 11.
    • yast -i yast2-metapackage-handler
  5. Add the subversion packages to the local repository.
    • OCICLI http://software.opensuse.org/ymp/Subversion/SLE_11/subversion.ymp
    • Go into YaST and install the necessary subversion packages.
  6. Follow the OpenSuSE tutorial for Setting Up a Subversion Server Using Aapache 2
  7. Throw a party! Just turn up Pandora's Cajun station and DANCE.

I recommend using your domain's own Certificate Authority to generate the SSL cert that Apache will use. That way, users won't be prompted to accept an untrusted self-signed SSL certificate.

Have fun!

Posted by: Chrissy LeMaire   Filed under: Active Directory, Apache, Linux, Networking, Security 3 Comments
1Oct/094

Apache: Pre-compiled mod_auth_pam for SLES 11

This was ridiculous. Since apache-devel isn't available in SLES (and I do understand why, but give me the option at least!), I had to sync up one of my SLES machines to an OpenSuSE repository and get all of my necessary packages required to compile mod_auth_pam. I was required to downgrade quite a few packages, but whatever works, eh?

For those of you running SLES and are trying to get mod_auth_pam to work, you can grab a precompiled copy of mod_auth_pam.tgz.

This works on the standard Apache2 install that comes with SLES 11. I presume it also works on OpenSuSE 11 as well. Just download the tgz, extract the contents, and run ./install. Then you can load up Novell's step-by-step tutorial on how to get this to work. Take note at the instructions to manually change a few files because that still needs to be done.

For my future reference, here are the Apache directives I ended up using:

AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthBasicAuthoritative Off
AuthGROUP_Enabled Off
AuthUserFile /dev/null
AuthType Basic
AuthName ADDomain
require valid-user

While this works, it isn't seamless like way mod_auth_ntlm_winbind, but it works over SSL, unlike mod_auth_ntlm_winbind.

Posted by: Chrissy LeMaire   Filed under: Active Directory, Apache, Linux, Security 4 Comments
1Oct/093

Enable Windows NTLM Pass-through Authentication in Linux-based Apache

Thank Science for SuSE Linux Enterprise 11; it's made this process relatively easy. SLES 10 SP2 was giving me a headache because of some Windows 2008 based Active Directory authentication issues but upgrading SLES 11 took care of all that.

First thing is first, setup samba to authenticate to AD. Next, install the OpenSuSE mod_auth_ntlm_winbind RPM.

rpm --install http://download.opensuse.org/distribution/11.0/repo/oss/suse/i586/apache2-mod_auth_ntlm_winbind-0.0.0.lorikeet_svn_682-135.1.i586.rpm

The wiki for this Apache 2 module can be found here. Next, we're going to instasll pam_smb, set the proper permissions on winbindd_privileged, add the module to apache and restart the web service.

yast -i pam_smb
setfacl -m u:wwwrun:rx /var/lib/samba/winbindd_privileged
a2enmod auth_ntlm_winbind
rcapache2 restart

Finally, add something to the effect of this to your Apache config file:

<directory " /srv/www/htdocs">
  AuthName "NTLM Authentication"
  NTLMAuth on
  NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
  NTLMBasicAuthoritative on
  AuthType NTLM
  require valid-user
</directory>

Restart the service and you should be authenticating automatically. Don't forget to add the website to your browser's Intranet zone if needed.

Also, I read that, unfortunately, auth_ntlm_winbind, doesn't work over SSL but I'm going to try it anyway. In the event that it doesn't, I'll be exploring Kerberos authentication within Apache.

Posted by: Chrissy LeMaire   Filed under: Active Directory, Apache, Linux, Security 3 Comments
1Oct/094

SuSE (SLES) 11 Works Flawlessly with Windows Server 2008 Authentication

Well that couldn't have been easier! Here's all it takes to authenticate SLES 11 to Windows Server 2008 based Active Directory. During the initial install of SLES, I performed the following:

  • Selected samba-client and winbind during the software installer phase
  • Added my domain's DNS servers to the intitial network config using NetworkManager
  • Ensured I had the right DNS search suffix (the name of my domain: base.netnerds.net)

Surprisingly, I didn't even have to configure samba after my install was completed. I was prompted to join the domain during the initial OS install and everything went as expected. Here are the settings I used:

samba

I logged in using the domain\username format and this too, worked as expected:

login as: base\chrissy
Using keyboard-interactive authentication.
Password:
Creating directory '/home/BASE/chrissy'.
Creating directory '/home/BASE/chrissy/bin'.
Creating directory '/home/BASE/chrissy/.fonts'.
Creating directory '/home/BASE/chrissy/.mozilla'.
BASE\chrissy@ariel:~>

Next up, setting up NTLM pass-through authentication in Apache!

Update: If you plan to use Kerberos, I recommend you skip straight to using Likewise for all of your authentication needs. I had nothing but headaches from reported bugs with SuSe's built-in Samba and krb5/Kerberos.

Posted by: Chrissy LeMaire   Filed under: Active Directory, Linux, Networking, Security 4 Comments
15Feb/090

Free DB2 Express-C 9.5 on SuSE Linux Enterprise Server

IBM DB2's free version "DB2 Express-C" is available for download at db2express.com. So far, I've successfully installed and uninstalled DB2 Express on SLES 10 SP2. While there was a command line installer included (db2_install), the server wouldn't start after a supposedly successful install. I figured I would have to use the GUI install, but my SLES instance doesn't run X-windows so I had to download X-Win32 and export my display (export DISPLAY=cracklin:0.0) to my laptop and go from there.

Administration of DB2 Express-C is performed using IBM Data Server Client (registration required), which also includes the IBM DB2 OLE DB drivers needed to create a DB2 linked server in SQL Server.

After working with the Server Client (which contains the Control Center, DB2's equivalent to SQL Server's Enterprise Manager), I wanted to reinstall DB2 with different parameters, specifically the administrator account and the TCP port. DB2's default port is 50000 but the Linux install sets it to 50001 for some reason. I can probably change this using the built in command-line tools but I didn't want to invest to time to track it down, so I uninstalled DB2 and reinstalled the server by executing the following:

chmod +x /opt/ibm/db2/V9.5/instance/*
chmod +x /opt/ibm/db2/V9.5/bin/*
chmod +x /opt/ibm/db2/V9.5/adm/*
chmod +x /opt/ibm/db2/V9.5/das/bin/*
/opt/ibm/db2/V9.5/das/bin/db2admin stop
/opt/ibm/db2/V9.5/instance/dasdrop
/opt/ibm/db2/V9.5/bin/db2ilist
/opt/ibm/db2/V9.5/adm/db2stop force
/opt/ibm/db2/V9.5/bin/db2 terminate
/opt/ibm/db2/V9.5/instance/db2idrop db2inst1
/opt/ibm/db2/V9.5/install/db2_deinstall -a
rm -rf /opt/ibm/db2

Then I reinstalled with a whole new perspective on the way things work. If you're interested in what the IBM Control Center looks like, here's a sample from my own environment (Windows client, Linux server).


Click to enlarge.

So far, so fun :)

Posted by: Chrissy LeMaire   Filed under: DB2, Linux No Comments
11Jan/092

VMWare ESXi 3.5: Creating an ISO Image from a CD/DVD-ROM

I always use ISOs in the datastore as CD/DVD devices in my virtual machines. Tonight, I had to make images of my Windows 2008 DVDs but because my tiny laptop doesn't have a DVD/CD-ROM build-in, I had to rely on my ESXi servers to create the ISOs. Creating an ISO in ESXi is as almost easy as creating one in Linux -- the only thing that presents a small challenge is VMware's use of an unconventional device path for the DVD/CD-ROM. Ultimately, I used VIC (VM->Properties->CD/DVD->Host Device) to find the name of my device, which turned out to be "/vmfs/devices/genide/vmhba0\:0\:0"

After opening up the SSH port on ESXI by using this tutorial, I created an ISOs folder in the datastore, placed the DVD in the drive and, finally, created the ISO by issuing the following command:

dd if=/vmfs/devices/genide/vmhba0\:0\:0 of=/vmfs/volumes/datastore3/isos/win2k8EEx64.iso
Posted by: Chrissy LeMaire   Filed under: Linux, Virtualization 2 Comments
   Older Entries »

About

    We are IT consultants who grew up living and loving life in Cajun Country.

Authors


    +
    View Chrissy LeMaire, BSc. MCITP's profile on LinkedIn


    +
    View Brandon Abshire, MCDBA's profile on LinkedIn

Categories