Brute Networking

Building brute networks

Router
brutenet

How to block yourself from running some programs
Goal:
- Block yourself from running certain programs (for example, games) on Windows 7 using Software Restriction Policy (SRP), without a Domain (AD)
- Keep yourself in the Administrators group for everyday tasks

How to do it:
1. Create a second administrative account named "Supervisor" and add it to the local Administrators group.

2. Add the programs that you want to block to the Local Computer Policy (start gpedit.msc):

3. Open the Supervisor user's policy (run mmc) and enable (allow) Security Options, Administrative Templates (Users) and Local Users and Computers. Then open gpedit.msc and disable all of these options for all other users.

4. Reboot for the SRP to take effect.

5. Now change the password for Supervisor and give the password to a person you trust. From now on you cannot run the programs you blocked until you log in as Supervisor and change the Software Restriction Policy.

P.S. There are still some ways to get around this protection, but most of them begin with changing the Supervisor password. If you change that password, its owner will no longer be able to log in to the computer and will notice that the password was changed.

Ideal home storage
Hi! In this article I will describe some problems of home data storage and my approach to them.

* Choosing storage *

There are plenty of devices on the market.
Today I believe a good home storage device needs to have:

- Transfer speed of at least 30 Mbytes/sec in both directions over SMB (or your main protocol)
- Support for at least RAID1, using at least 2 disks
- An Ethernet RJ-45 connection
- SMB and HTTP protocols (all data accessible using both)
- Automatic backup to an external disk
- Debugging capabilities (who is using my storage? what are the disks, processor and memory doing?)
- Reliable notifications via sound and email (hardware failures, backup failures, low free space and so on)
- Reliable disaster recovery, good technical support, and good coverage on the Internet (forums etc.)

So I chose the QNAP TS-239 Pro II+.

* Choosing disks *

When choosing disks you should:

- Plan the capacity you will need 3-8 years ahead
- If you will use the disks actively or your information is important, use server disks; otherwise consumer disks are fine
- Check which disks are officially compatible with your storage. This is vital. For QNAP use http://www.qnap.com/pro_compatibility.asp
- Check forums for issues with the disk you chose

So I chose two Hitachi Ultrastar 7K3000 HUA723030ALA640 server disks.

* Network devices *

If you want more than 8 Mbytes/sec, choose a gigabit switch. The particular model is not very important; for home use you usually do not need jumbo frames or management features.

Minimise the number of network devices between your computers and the storage.

* Initial setup *

Important notes:

- Download the latest firmware
- Follow the vendor's other recommendations for initial setup. For QNAP they are in the current manual http://www.qnap.com/download.asp?pl=1&p_mn=179
- Insert both disks at once and create your RAID1 from scratch
- I do not recommend putting the NAS outdoors, in a box, cupboard, closet, or any other cold/hot/wet environment.

* Advanced setup *

When your RAID is up and running, begin tuning your NAS. I recommend entering the web interface and checking every page and tab. The most important ones are:

- Set up NTP. This keeps the NAS clock in step with your PC, so you can tell what the NAS is doing and make sense of the times in its logs.

- Set up at least a minimal password strength. This helps if you or a friend forgets about security.

- When setting up DNS servers, I recommend using a public DNS server (I use Google's 8.8.8.8) AND your provider's DNS server. This gives maximum reliability.

- If your provider does not give you a static IP address and you want to reach your NAS from the Internet (for your friends, or for yourself on vacation), set up DDNS. I use no-ip. Note that the user name must include the domain.

- I recommend the following hardware settings
(these are optimal; if you have problems, you may need to disable the write cache)
(I recommend turning standby mode off, which extends HDD life; if you have noise or heat problems, turn it on)

- I do not recommend using QNAP's High Security Level, because the system is already pretty secure. If you need it in future, you can block some hosts using the Medium Security Level.

- I recommend turning on Network Access Protection for all protocols that you use.

- I recommend these power settings if you are not sure:

* Disk management *

I recommend enabling the temperature alarm at 50 degrees C. Research shows that the best conditions for an HDD are a temperature of 35-45 degrees C and as few spin-downs as possible.

I recommend enabling automatic rapid tests once a month. If your disk is older than 5 years, you may enable tests every week.

I recommend enabling Bitmap on the RAID. This may help you in a disaster and does not cost much performance or disk space. The best choice is to enable Bitmap after you have initially written all the main data to the disks.

I recommend that you don't use iSCSI at home. This protocol does not support sharing and has few benefits over the standard ones (SMB, AFP, HTTP). iSCSI may be used for special purposes like virtual machines.

* Setting up notifications *

I recommend setting up notifications so that you know when something is wrong with your NAS while you are not at home. I use email notifications, because I check email often.

To set up email notifications you can create a Google account for your NAS and send mail through it. This keeps your main email password secure:

(Note that you need to check the authentication and SSL/TLS boxes)
(Note that you can use any Sender, even a non-existent one)

Do not forget to enter your real email address on the Alert Notification page:

* Setting up protocols *

Microsoft networking: usually standalone + local master browser for home.

For the others use the default settings.

* Security *

Recommendations:

- Disable all services that you are not really going to need (usually FTP, NFS, Telnet and SFTP are not needed; also turn off Apple Networking if you use Windows)
- Divide all your data into Public and Private folders. This will help you grow.
- Use group permissions instead of user permissions, even if you have few users for now. This will help you grow.
- Always use passwords where you can. Use a non-default SNMP community (not public).

* Data protection *

Home users usually have 3 types of data:

+ Not important data (movies, downloads, games etc.) - this data can be stored on cheap desktop drives in a PC

+ Important data. You do not want to lose this data, but losing it is not a catastrophe. This data can be stored on a NAS RAID1 (or RAID5); you can also make a tree of the data and put it in the "very important" data location.

+ Very important data. You do not want to lose this data and losing it is a catastrophe. This data can be stored on a NAS RAID1 (or RAID5) and automatically backed up to an external USB drive. Usually this data is less than 10% of the Important data, and a 2.5 inch drive is enough for the backup.

To use external backup I connected a 2.5 inch USB disk to the QNAP, created Critic folders in both Public and Private and set up the backup in the web interface (I also back up the Cacti scripts folder):

Also I:

- periodically back up QNAP settings to the Private/Critic folder
- automatically back up all configurations (/mnt/HDA_ROOT and /mnt/ext) to the Private/Critic folder using the cron job shown below
- yearly, back up Gmail, Google documents, ICQ and Skype logs and the mobile phone address book (online data) to the Private/Critic/Backup folder

The cron job and the script it runs:

15 3 1 * * /share/Main/Private/Critic/Backup/QNAP/backup.sh

[/] # cat /share/Main/Private/Critic/Backup/QNAP/backup.sh
#!/bin/sh
# Write the archives next to this script; without the cd, tar would drop them
# into whatever directory cron happens to run from.
cd /share/Main/Private/Critic/Backup/QNAP || exit 1
/bin/tar -czf mntext.tgz /mnt/ext
/bin/tar -czf HDA_ROOT.tgz /mnt/HDA_ROOT


To make trees of my data I use the following Windows bat script yearly (it resides in Private/Critic/Backup/tree):

@echo off
REM Remember the script's folder: the listings go into a dated subfolder there.
SET mycd=%cd%
REM /F lists files as well as folders, /A uses ASCII line-drawing characters.
SET par=/F /A
REM %date% must not contain slashes for mkdir to work (this depends on the Windows locale).
mkdir %date%
x:
cd x:\
tree %par% > %mycd%\%date%\tree-x-%date%.txt
z:
cd z:\
tree %par% > %mycd%\%date%\tree-z-%date%.txt
n:
cd n:\public
tree %par% > %mycd%\%date%\tree-npu-%date%.txt
n:
cd n:\private
tree %par% > %mycd%\%date%\tree-npr-%date%.txt

Trees help me remember which files (software versions or movies) I had, so that I can download them again if my PC disks fail.
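A tree only records names. The following added example (my own code, not from the original post) goes one step further for the "very important" data: it builds a manifest of sizes and SHA-256 hashes for a folder such as Private/Critic and compares it with the previous manifest, so that a file that was deleted or silently corrupted is noticed before the broken copy overwrites the USB backup. The folder names and file contents in demo() are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a manifest of file sizes and
# SHA-256 hashes for a folder such as Private/Critic, and a comparison against
# the previous manifest that reports deleted or silently changed files before
# they are copied over the USB backup. Folder names in demo() are constructed.

TAB=$(printf '\t')

make_manifest() {
    # $1 = directory to inventory. Output lines: sha256<TAB>size<TAB>path
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s\t%s\t%s\n' "$sum" "$size" "${f#./}"
    done )
}

compare_manifests() {
    # $1 = previous manifest, $2 = current manifest. Prints one line per file
    # that is missing or whose hash changed; returns 1 if any were found.
    old="$1"; new="$2"; rc=0
    while IFS="$TAB" read -r osum osize opath; do
        nsum=$(awk -F"$TAB" -v p="$opath" '$3 == p { print $1 }' "$new")
        if [ -z "$nsum" ]; then
            echo "MISSING  $opath"; rc=1
        elif [ "$nsum" != "$osum" ]; then
            echo "CHANGED  $opath"; rc=1
        fi
    done < "$old"
    # Paths only in the new manifest are just new data; listed for information.
    awk -F"$TAB" 'FILENAME == ARGV[1] { seen[$3] = 1; next }
                  !($3 in seen) { print "NEW      " $3 }' "$old" "$new"
    return $rc
}

demo() {
    # Constructed scenario: inventory a folder, then corrupt one file, delete
    # another, add a third, and compare the two manifests.
    t=$(mktemp -d)
    mkdir -p "$t/data/docs"
    printf 'taxes 2011\n' > "$t/data/docs/taxes.txt"
    printf 'jpeg bytes\n'  > "$t/data/photo.jpg"
    make_manifest "$t/data" > "$t/manifest.old"
    printf 'taxes 2O11\n' > "$t/data/docs/taxes.txt"   # one byte flipped
    rm "$t/data/photo.jpg"
    printf 'notes\n' > "$t/data/notes.txt"
    make_manifest "$t/data" > "$t/manifest.new"
    compare_manifests "$t/manifest.old" "$t/manifest.new"
}

# Real use: make_manifest /share/Main/Private/Critic > manifest-$(date +%Y%m%d).txt
case "${1:-}" in demo) demo ;; esac
```

Running it with the argument demo prints CHANGED, MISSING and NEW lines for the three files and exits with status 1, which is what a cron job would test before starting the backup.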

Also, I strongly recommend enabling the Network Recycle Bin. This will help you recover files that you or your friends deleted by mistake.

* Monitoring *

The latest QNAP firmware (I use 3.4.4) has new monitoring features: better CPU/memory monitoring with TOP processes, and good logs of System events and Connections (the connection log does not include SMB and HTTP connections to the web server, only Administration and Web File Manager).

I recommend turning on System Connection Logs, so that if somebody tries to break into your NAS you can go there and see what happened:

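The connection log above only covers the administration interface; for the web server the Apache access log is what you have. The following added example (my own code, not from the original post) summarises a log in Apache "combined" format per client address and flags clients whose authentication failures (401/403) plus not-found responses (404) reach a threshold, which is the quickest way to spot a password-guessing attempt against the NAS login page. The sample log lines, addresses and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a web server access
# log in Apache "combined" format per client address and flag clients whose
# authentication failures (401/403) plus not-found responses (404) reach a
# threshold. LOG_SAMPLE is constructed; the addresses and paths are made up.

LOG_SAMPLE='198.51.100.7 - - [12/Mar/2012:03:14:01 +0400] "GET /cgi-bin/login.cgi HTTP/1.1" 401 345 "-" "Wget/1.12"
198.51.100.7 - - [12/Mar/2012:03:14:02 +0400] "POST /cgi-bin/login.cgi HTTP/1.1" 401 345 "-" "Wget/1.12"
198.51.100.7 - - [12/Mar/2012:03:14:03 +0400] "POST /cgi-bin/login.cgi HTTP/1.1" 401 345 "-" "Wget/1.12"
198.51.100.7 - - [12/Mar/2012:03:14:04 +0400] "POST /cgi-bin/login.cgi HTTP/1.1" 401 345 "-" "Wget/1.12"
198.51.100.7 - - [12/Mar/2012:03:14:05 +0400] "POST /cgi-bin/login.cgi HTTP/1.1" 403 345 "-" "Wget/1.12"
192.168.1.10 - - [12/Mar/2012:09:00:00 +0400] "GET /cacti/graph_view.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.168.1.10 - - [12/Mar/2012:09:00:01 +0400] "GET /cacti/include/main.css HTTP/1.1" 200 2210 "http://nas/cacti/" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:11:22:33 +0400] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2012:11:22:34 +0400] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"'

suspicious_clients() {
    # $1 = access log file, $2 = threshold (default 5).
    # Prints "ip total=N auth_fail=N not_found=N" for each client at or above it.
    awk -v limit="${2:-5}" '
    {
        ip = $1
        # the status code follows the closing quote of the request line
        if (!match($0, /" [0-9][0-9][0-9] /)) next
        status = substr($0, RSTART + 2, 3) + 0
        total[ip]++
        if (status == 401 || status == 403) fail[ip]++
        if (status == 404) nf[ip]++
    }
    END {
        for (ip in total)
            if (fail[ip] + nf[ip] >= limit)
                printf "%s total=%d auth_fail=%d not_found=%d\n", ip, total[ip], fail[ip] + 0, nf[ip] + 0
    }' "$1" | sort
}

demo() {
    # Run the check over the constructed sample with the default threshold.
    f=$(mktemp)
    printf '%s\n' "$LOG_SAMPLE" > "$f"
    suspicious_clients "$f" 5
    rm -f "$f"
}
```

On a real NAS the call is suspicious_clients /usr/local/apache/logs/access_log, the log path from the logrotate configuration further down.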
To further extend monitoring and debugging capabilities I use the following:

- Cacti for monitoring resources
- Awstats for monitoring web server access
- Ntop for detailed information about traffic (usually disabled; I enable it when needed)
- Additional console applications (iotop to see which processes are using the disks, sysstat for detailed resource information, tcpdump for sniffing traffic when needed, iptraf for live traffic statistics)

Most of these are installed with Optware IPKG, some are downloaded directly with wget.

To keep changes across reboots I use my script /etc/config/autorun.sh, which is run from the flash disk as /tmp/config/autorun.sh (see http://wiki.qnap.com/wiki/Autorun.sh):

ln -sf /etc/config/profile /etc
ln -sf /share/Public/Critic/System/awstats/db /var/lib/awstats
ln -sf /etc/config/awstats /etc
ln -sf /share/Public/Critic/System/awstats /usr/local
ln -s /opt/bin/perl /usr/bin/
/share/MD0_DATA/Private/Critic/Backup/QNAP/ramdisk-load.sh


To prevent Cacti disk access every 5 minutes I moved all RRA, Cacti mysql database and some scripts to ramdisk (using ln -s).

ln -s /var/cacti/mysql /share/Main/.@mysql/cacti
ln -s /var/cacti/site/include /share/Web/cacti/
ln -s /var/cacti/site/cli /share/Web/cacti/
ln -s /var/cacti/site/lib /share/Web/cacti/
ln -s /var/cacti/site/resource /share/Web/cacti/
ln -s /var/cacti/site/rra /share/Web/cacti/

[/var/cacti] # du -ch
1.1M ./mysql
7.0K ./site/resource/script_queries
5.0K ./site/resource/script_server
19K ./site/resource/snmp_queries
32K ./site/resource
132K ./site/cli
40K ./site/lib/adodb/lang
59K ./site/lib/adodb/datadict
392K ./site/lib/adodb/drivers
835K ./site/lib/adodb
1.7M ./site/lib
152K ./site/include/jscalendar/lang
212K ./site/include/jscalendar
74K ./site/include/treeview
471K ./site/include
61K ./site/scripts
7.2M ./site/rra
9.5M ./site
11M .
11M total


To avoid problems you also have to copy several files to /var/cacti/site:

cp /share/Web/cacti/cmd.php /var/cacti/site/
cp /share/Web/cacti/script_server.php /var/cacti/site/


They are backed up from ramdisk to disk every hour and loaded in autorun.sh (see above):

47 1-21 * * * /share/Main/Private/Critic/Backup/QNAP/ramdisk-save.sh

[/] # cat /share/Main/Private/Critic/Backup/QNAP/ramdisk-save.sh
#!/bin/sh
# Abort if the backup directory is unavailable rather than writing the archive elsewhere.
cd /share/MD0_DATA/Private/Critic/Backup/QNAP/ || exit 1
/bin/tar -czf ramdisk-cacti.tgz /var/cacti


Storing something on ramdisk is not generally recommended, but I wanted to avoid excessive noise and disk wear. I also disabled mysql binary logs for cacti in /etc/my.cnf, which prevents mysql from constantly writing to binary log:

log-bin=mysql-bin
binlog-ignore-db=cacti


Awstats setup guide can be seen here: http://wiki.qnap.com/wiki/AWStats



Do not forget to move log files from /mnt/ext to your big disk. Also, I use logrotate for apache logs:

[/] # cat /opt/etc/logrotate.conf
compress

"/usr/local/apache/logs/access_log" /usr/local/apache/logs/error_log {
rotate 5
size=200k
sharedscripts
postrotate
/usr/local/apache/bin/apachectl restart
endscript
}


I run cacti and awstat only when I am not going to sleep, because they make a little noise, although cacti mainly uses ramdisk:

*/5 7-21 * * * /mnt/ext/opt/apache/bin/php /share/Web/cacti/poller.php >/dev/null 2>&1
57 1-21 * * * /usr/local/awstats/tools/awstats_updateall.pl now


Do not forget to copy all your crontab to /etc/config/crontab. I usually edit with "crontab -e", then copy everything to /etc/config/crontab and then update cron with "/etc/init.d/crond.sh restart".

Here are my cacti graphs. Note that I did not collect some parameters all the time, so they have gaps:

I also ping an Internet site to graph latency, and collect information from my main PC into Cacti.

You can download my QNAP cacti templates and scripts at http://dl.dropbox.com/u/1350128/qnap-review/qnap-cacti.rar

Announcing a Loopback
When a loopback interface is announced into a routing protocol (tested with OSPF), it is announced with a /32 mask regardless of the mask configured on the interface.

Either we read the documentation carelessly or something else, but this came as a surprise to all of us.

Configuration example

Online file storage services
There is a decent review of online file storage services here: http://habrahabr.ru/blog/web_2_0/23523.html

Summarising it and my own experience:

1. http://www.box.net - 1 GB of storage, 10 GB of traffic per month, does not allow downloading whole folders, allows placing HTTP links to files via widgets. File size is limited to 10 MB. Suitable for posting files to blogs.

2. http://www.xdrive.com - 5 GB of storage; the monthly traffic and maximum file size are not stated (possibly unlimited; I tested by uploading a 101 MB file), allows downloading whole folders. Does not appear to allow HTTP links for blogs. Suitable for transferring large volumes of files among a limited circle of people.

3. http://www.esnips.com - 5 GB of storage, allows links to files via widgets, no visible limits on file size or monthly traffic, but when trying to upload a 78 MB archive it says it does not support uploading large archives. Suitable for posting to blogs.

4. http://www.mediamax.com - 25 GB(!) of storage, file size up to 10 MB, traffic up to 1 GB per month, the MediaMax XL Beta application is available for synchronisation and backup. An interesting plan for gradually accumulating data.

5. http://www.omnidrive.com - 1 GB of storage, traffic up to 5 GB per month, there is an application for synchronising data on a local computer with the virtual storage; allows editing documents online.

6. http://www.boxcloud.com - an unusual sharing project that does not store data on a server but arranges transfer between users' computers. So once you share a file, it becomes shared almost instantly regardless of its size, but it can only be downloaded while your computer is switched on. A free account allows one workspace for 3 users; a fresh project with bugs.

[review] Hamachi
LogMeIN has presented a thoroughly ingenious project, Hamachi. The product lets you create VPN networks very quickly and easily, including Windows and Linux computers.

The product's striking advantage is that it requires neither a public IP address nor port forwarding. Moreover, it can even work through a proxy server (not tested). There are also many cunning features, such as pinning the client ports the program uses.

The free version lets you connect up to 16 computers in each of 64 created networks and, sadly, unlike the paid version ($40 per year), cannot run as a service, meaning that after the computer reboots you have to log into it (or use the auto-login function in Windows XP).

[technology] Mounting FreeBSD partitions under Linux
mount -r -t ufs -o ufstype=XXX /dev/YYY /mnt/disk

XXX = 44bsd for FreeBSD 4.x
XXX = ufs2 for FreeBSD 5.x and later
YYY = for example hdaZ, where Z is the partition number. In FreeBSD the partitions are usually logical (slices), and in Linux these are numbered starting from 5. So, for example, with a standard installation /dev/ad0s1a will correspond to /dev/hda5 in Linux.

Note that mounting this way is only possible read-only. To view FreeBSD slices under Linux it is better to use sfdisk rather than fdisk.

Determining the Linux/Unix version
First of all there is the command (the most universal one, present in every Unix and Linux):

uname -a

Secondly, you can look for files with the words version or release in their names in the /etc folder:

ls /etc/*release*
ls /etc/*version*

These files contain the release version.

Some distributions also have the file /proc/version, which contains information about the kernel, gcc and distribution versions (thx to bansheezm)

cat /proc/version

[technology] Installing Fedora 6 + VMware Server 1.0.3
(I wrote this in English and really don't feel like translating it)

Install Fedora (can be downloaded here http://mirrors.fedoraproject.org/publiclist):
Remove all graphic packages (gnome, x, administration...)
After such setup FC6 will use approx. 950 Mb of disk space + swap
FC6 uses about 100 Mb of RAM

Disable unneeded services:

chkconfig bluetooth off
# printing
chkconfig cups off
# console mouse
chkconfig gpm off
# HID
chkconfig hidd off
chkconfig ip6tables off
chkconfig isdn off
chkconfig nfs off
chkconfig nfslock off
# PC/SC Smart Card Daemon
chkconfig pcscd off
chkconfig portmap off
chkconfig rpcidmapd off
chkconfig rpcgssd off
chkconfig rpcsvcgssd off

yum -y install kernel kernel-devel

If different versions (or archs) of the kernel end up installed, as in this case, remove the extra one and use the latest kernel:

rpm -aq | grep kernel
rpm -e kernel-2.6.20-1.2948.fc6
wget http://download.fedora.redhat.com/pub/fedora/linux/core/updates/6/i386/kernel-2.6.20-1.2948.fc6.i686.rpm
rpm -i kernel-2.6.20-1.2948.fc6.i686.rpm

shutdown -r now

(Choose the correct kernel on boot - usually not needed)

yum -y install mc gcc gcc-c++ xinetd

wget http://download3.vmware.com/software/vmserver/VMware-server-1.0.3-44356.i386.rpm
wget http://download3.vmware.com/software/vmserver/VMware-mui-1.0.3-44356.tar.gz

wget http://platan.vc.cvut.cz/ftp/pub/vmware/vmware-any-any-update110.tar.gz

rpm -i VMware-server-1.0.3-44356.i386.rpm
tar -xzf vmware-any-any-update110.tar.gz
cd vmware-any-any-update110
./runme.pl

More details

tar -xzf VMware-mui-1.0.3-44356.tar.gz
cd ../vmware-mui-distrib/
./vmware-install.pl

More details

Now you can test everything (but do not forget to disable or set up iptables).
The installation now uses 1.7 Gb

[technology] Fedora and a bootable RAID1
In Fedora you can put the /boot partition on RAID1 as described in the Red Hat manual. What it does not say is that for the system to boot from either disk afterwards, you need not only to configure the BIOS to boot from both disks but also to prepare GRUB to boot from the second disk:

grub
grub>device (hd0) /dev/hdc
grub>root (hd0,0)
grub>setup (hd0)

Also, after the first boot you need to activate the RAID:

# add second device to raid1
mdadm /dev/md0 -a /dev/hdc1
# monitor until recovery is complete (approx 80mb per hour):
cat /proc/mdstat
# make correct table
# FIRST LEAVE ONLY ONE LINE in mdadm.conf (that starts with DEVICE)
mdadm --detail --scan -v >> /etc/mdadm.conf

Also, during installation the boot partition (/boot, or / if there is no separate /boot) must be on md0 (when using IDE). On SCSI it is apparently md1 (not sure).
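Watching "cat /proc/mdstat" by hand is fine once; for a mirror that has to stay bootable from either disk you want the check to run on its own. The following added example (my own code, not from the original post) parses the mdstat format and reports each array as OK, DEGRADED, or RECOVERING with the percentage, exiting non-zero unless every array is healthy, so it can be called from cron or a login script. MDSTAT_SAMPLE is constructed to look like md0 during the recovery described above; the device names are made up.

```shell
#!/bin/sh
# Added example (not from the original post): parse /proc/mdstat and report
# each md array as OK, DEGRADED, or RECOVERING with the percentage, so that
# the "cat /proc/mdstat" step above can be checked from cron or a login
# script. MDSTAT_SAMPLE is constructed to look like md0 mid-recovery.

MDSTAT_SAMPLE='Personalities : [raid1]
md0 : active raid1 hdc1[2] hda1[0]
      104320 blocks [2/1] [U_]
      [=========>...........]  recovery = 45.3% (47296/104320) finish=0.7min speed=1312K/sec

md1 : active raid1 hdc2[1] hda2[0]
      78019584 blocks [2/2] [UU]

unused devices: <none>'

md_status() {
    # $1 = mdstat-format file (normally /proc/mdstat). Prints "<array> <state>"
    # per array and returns 1 unless every array is OK.
    awk '
    /^md[0-9]+ :/ { name = $1; state[name] = "OK"; order[++n] = name }
    # the [UU] / [U_] field: an underscore marks a missing member
    /\[[U_]+]/ { if ($0 ~ /_/) state[name] = "DEGRADED" }
    /recovery|resync/ {
        if (match($0, /[0-9]+\.[0-9]+%/))
            state[name] = "RECOVERING " substr($0, RSTART, RLENGTH)
    }
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            print order[i], state[order[i]]
            if (state[order[i]] != "OK") rc = 1
        }
        exit rc
    }' "$1"
}

sample_check() {
    # Run md_status over the constructed sample instead of the live /proc/mdstat.
    f=$(mktemp)
    printf '%s\n' "$MDSTAT_SAMPLE" > "$f"
    md_status "$f"
    rc=$?
    rm -f "$f"
    return $rc
}
```

A DEGRADED array with no recovery line is the case to alarm on: the mirror has lost a member and nothing is rebuilding it.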
