Thursday, June 25, 2009

Tool of the Day: www.oldports.org

I had a problem installing Asterisk today, and had to roll back the zaptel port from 1.4.11 to 1.4.6 - the easiest way to do this was to get the port directory misc/zaptel from my old friend http://www.oldports.org

This site has years and years of port iterations, meaning it's painless and easy to get an older version of a port for yourself.

Wednesday, June 24, 2009

SSH host based authentication and security

I use SSH as my main form of connection, even when connecting to other boxes (I just create TCP tunnels to get to RDP/VNC services). The problem with password-based authentication is that social engineering and brute force CAN break through.

I prefer host-based authentication - meaning that the server I am connecting to will only allow the server I'm connecting from to log in, using DSA or RSA keys for the authentication process.

For clarity, Source means the server/workstation you are connecting FROM, Destination means the server you are connecting TO.

To set up the whole thing, you need to generate a private/public keypair on your Source server. Do this with ssh-keygen:

ssh-keygen -t dsa

Follow the prompts. You DON'T have to set a passphrase if you don't want to, but it adds a level of security. The following files will be created in $HOME/.ssh:

id_dsa
id_dsa.pub

Cat the id_dsa.pub file and copy the output; this needs to be placed on the Destination server. Log in to your Destination server as the user you normally connect as. Make sure there is a $HOME/.ssh directory, then create a file called "authorized_keys" (case and spelling sensitive). Paste the output of the id_dsa.pub file into this file and save it.

Now you might need to edit your /etc/ssh/sshd_config file to allow host-based key authentication, make sure the following parameters are set:

PermitRootLogin yes (ONLY if you NEED root login, rather su to root)
RSAAuthentication yes (Allow RSA as well as DSA Keys)
PubkeyAuthentication yes (Allow Public key authentication)
AuthorizedKeysFile .ssh/authorized_keys (Location of the Server authorized keys)

Restart sshd, or HUP it (pkill -HUP sshd).

For added security, I disable PAM authentication in the /etc/ssh/sshd_config file:

ChallengeResponseAuthentication no

This prevents ANY type of password authentication, meaning brute-force attacks are impossible to conduct against your SSH Server.

Should you wish to allow tunnelling through your SSH Server, set these parameters in your /etc/ssh/sshd_config:

AllowTcpForwarding yes

Again, restart SSHD.

That's it - a pretty secure SSH system, which is usually the first point of attack for UNIX Hackers.
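A quick way to confirm that a finished sshd_config really is key-only, as an added example (not part of the original post). sshd treats PasswordAuthentication and ChallengeResponseAuthentication as separate directives, so the check requires both to be "no". The function names, the sample configs and the defaults passed for absent keywords are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for key-only login.
# sshd keeps the FIRST value it sees for a keyword, and keywords are
# case-insensitive. Match blocks and "Key=value" syntax are not handled here.

# effective_value FILE KEYWORD DEFAULT: print the value sshd would use.
# DEFAULT is what the caller assumes sshd does when the keyword is absent.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                      # comment line
        tolower($1) == "match" { exit }          # stop at the first Match block
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: return 0 only if keys are accepted and passwords are not.
audit_sshd() {
    rc=0
    [ "$(effective_value "$1" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication is off"; rc=1; }
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        [ "$(effective_value "$1" "$kw" yes)" = no ] ||
            { echo "FAIL: $kw is not 'no', passwords can still be guessed"; rc=1; }
    done
    [ "$(effective_value "$1" PermitRootLogin yes)" != yes ] ||
        echo "WARN: PermitRootLogin yes"
    return $rc
}

# Constructed sample 1: challenge-response off, PasswordAuthentication unset.
partial_cfg=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'PubkeyAuthentication yes' \
    'AuthorizedKeysFile .ssh/authorized_keys' \
    'ChallengeResponseAuthentication no' > "$partial_cfg"

# Constructed sample 2: both password paths off; the trailing "yes" is
# ignored because the first occurrence of a keyword wins.
keyonly_cfg=$(mktemp)
printf '%s\n' '# key-only' 'PermitRootLogin no' 'pubkeyauthentication yes' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'PasswordAuthentication yes' > "$keyonly_cfg"

audit_sshd "$partial_cfg" || echo "=> partial_cfg still accepts passwords"
audit_sshd "$keyonly_cfg" && echo "=> keyonly_cfg is key-only"
```

Point audit_sshd at /etc/ssh/sshd_config before restarting sshd, and keep an existing session open until a key login has been tested.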

Thursday, June 11, 2009

Tool of the Day: Running Multiple versions of Internet Explorer

Testing websites/software on older versions of IE can be a pain in the posterior, but with this tool, you can run multiple versions from 3.0 to 6.0. This is for Windows XP ONLY !!! But it's helped me with some dodgy client complaints in the past.

Link is here: http://tredosoft.com/Multiple_IE

Wednesday, June 10, 2009

Load Balanced SSL based Internet Casino Client System

My personally designed SSL-offloaded load-balanced casino system went live today across 49 Internet Casinos, it has increased performance immensely and is able to add multiple servers on the fly to alleviate stress on existing servers.

The SSL Offload does SSL encryption calculations on the Layer4 switch, using onboard floating-point processors, meaning NO SSL encode/decode on the servers themselves. The switches can handle 115,000 concurrent connections, so plenty space to grow.

I designed and implemented the entire system, barring the existing MSSQL implementation. Casino is now handling 200,000 spins per day.

Just can't say "which" casinos....

See my System Diagram here:

Squid Proxy server, Ads blocking

I added an ad-blocking component to squid, not a third-party product, just a few configs of my own. The way I've implemented it, you don't see any "AD BLOCKED" crap on your webpages, you just have a clear block where the ad was, with no error message, increasing the "look/feel" experience for your users.

First, in the ACL section, create the ACL for ads:

acl ads_block_list dstdomain -i "/usr/local/etc/squid/blocks/ads_block.list"

Above all your normal http_access allow/deny rules, place these two lines:

deny_info ERR_BLOCKED_ADS ads_block_list
http_access deny ads_block_list

Now, create the file /usr/local/etc/squid/blocks/ads_block.list and populate it (I've just shown a head from my file):

[root@nas /usr/local/etc/squid/blocks]# head ads_block.list
101com.com
101order.com
103bees.com
1100i.com
123banners.com
123found.com
123pagerank.com
180hits.de
180searchassistant.com
180solutions.com

You can get anti-ads lists such as mine from various locations; use Google to search.

Now edit the custom error message for the ads_block_list ACL, which is: ERR_BLOCKED_ADS

[root@nas /usr/local/etc/squid/errors/English]# cat ERR_BLOCKED_ADS



That last line, you'll notice the ! character which means don't display the standard squid error message.

Once all is complete, reload your configs with "squid -k reconfigure" and try to access pages now. Ads are blocked, and all you see is the page background. This way you can save large amounts of bandwidth on your internet lines, without creating errors or graphical problems on user-viewed pages.
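The list entries shown above have no leading dot, and Squid's dstdomain compares such an entry against that exact hostname only; an entry written as ".example.com" also covers every subdomain. The following added example (not part of the original post) emulates that comparison so a list can be checked before it is loaded. The function name, the temporary list files and the test hostnames are constructed for the example.

```shell
#!/bin/sh
# Added example: emulate how Squid's dstdomain ACL compares a request host
# against list entries. "example.com" matches that exact host only;
# ".example.com" matches the domain itself and every subdomain.

# dstdomain_match LIST HOST: exit status 0 if HOST would hit the ACL.
dstdomain_match() {
    awk -v host="$2" '
        BEGIN { host = tolower(host); rc = 1 }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            e = tolower($1)
            if (substr(e, 1, 1) == ".") {
                # leading dot: accept the bare domain or any host ending in it
                tail = substr(host, length(host) - length(e) + 1)
                if (host == substr(e, 2) ||
                    (length(host) > length(e) && tail == e)) { rc = 0; exit }
            } else if (host == e) { rc = 0; exit }
        }
        END { exit rc }
    ' "$1"
}

# Constructed lists: two domains from the head output above, without and
# with the leading dot.
bare_list=$(mktemp)
printf '%s\n' '123banners.com' '180solutions.com' > "$bare_list"
dotted_list=$(mktemp)
printf '%s\n' '.123banners.com' '.180solutions.com' > "$dotted_list"

# Constructed hostnames: the domain, a subdomain, and a look-alike.
for h in 123banners.com ads.123banners.com not123banners.com; do
    for l in "$bare_list" "$dotted_list"; do
        if dstdomain_match "$l" "$h"; then r=blocked; else r=allowed; fi
        echo "$h against $(head -n 1 "$l"): $r"
    done
done
```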

Tool of the Day: pkg-get for Solaris 10

Package management in Solaris 10 is less than stellar, with no automated system such as apt-get, ports, portage or yum like Linux distros, but I found a FreeBSD-like portinstall package called pkg-get. It allows installation of packages from a web repository and is compatible with the Solaris pkgadd system.

To install pkg-get, use the following command:

"pkgadd -d http://www.opencsw.org/pkg_get.pkg"

Edit the mirror URL with "vi /opt/csw/etc/pkg-get.conf", changing the default site URL to:

url=ftp://ftp.heanet.ie/pub/opencsw/stable (This is Ireland's repository - closest one for SA)

Run "pkg-get -U" to update the catalog.

pkg-get is now ready.

Use "pkg-get -a | grep package" to find the desired packages, then:

"pkg-get -i packagename" to install it.

Very simple and powerful, even allows upgrading of the complete CSW subsystem in Solaris.

Monday, June 8, 2009

Tool of the Day: DGTeam firmware for Netgear DG834 series routers

keywords: netgear, dg834, firmware, dgteam

Found a great tool which increased stability on my router (DG834PN), as well as including about 100 features not seen on the standard firmware - even SNR increase/reduction to affect speed/stability.

You can grab the firmware for most of the 834 series routers here: http://dgteam.ilbello.com

Update:

I did this on a DG834 straight router, connection speeds (synchronised ADSL) went from 2908Kbps to 3824Kbps - On the SAME LINE !! No connection drops - 34 hours on the same PPPoE session.

Highly Recommended

Hacked my XBOX 360

Microsoft say their new Lite-On DVD Rom is unhackable due to firmguard protection.

Well I hacked mine to the latest iXtreme firmware v1.6 - I'm now able to play the 65 XBOX backups I have. Quite a convoluted procedure involving drive door positioning, soldering the PCB to unlock the developer mode on the drive, then extracting the DVD keys and re-inserting them into the hacked firmware, erasing the drive (scary) and then flashing the hacked firmware back.

Been enjoying "Battlestations Pacific" over the weekend :)

Wednesday, June 3, 2009

Update

Been off having my Jaw broken to have some Wisdom teeth extracted, so I'll be back to posting articles in no time !

For personal note, I'll be firmware updating my XBOX360 tonight, as well as doing the technical drawings for my "PC in an XBOX 360" project...More on that later.

Seems I'm missed at work, 8 days off and systems crashing in flames always ensures job security when you're away :D