Tag: 16.04

  • Using UFW to secure a server

    Using UFW to secure a server

    Hello Everyone! Hope you’re doing well!

    So for the last few weeks I had been dealing with a DoS attack. After spending a couple of days with Comcast network engineers, we finally figured out that my mail server was the target. Once we disabled the NIC on the server, Internet service came back immediately and everything appeared to work properly. Looking at the logs, I noticed that port 80 and port 22 were being bombarded.

    Since the Comcast gateway has a poor firewall, I looked into getting an upgraded PAN to meet my needs, but unfortunately that was going to set me back about $4k. I also looked at Untangle, but ran into configuration issues with the Comcast gateway and my static IPs.

    So, until I save up for the upgraded PAN, I had to use ufw to block the attacks.

    UFW, or Uncomplicated Firewall, is the default firewall configuration tool on Ubuntu (it manages the iptables rules for you). Since my mail server runs Ubuntu, I decided to use it, and it is fairly easy to set up and use.

    The first thing I noticed when being attacked was that specific Chinese IP addresses were hitting the server on port 22 and port 80, the SSH port and the unencrypted default web server port. So those were going to be the first ones I locked down. One thing to note: when you enable ufw, its default policy blocks all incoming traffic (outgoing traffic is still allowed), which is a good thing really, but when you rely on email for your job, blocking everything inbound is not good. So I needed to find out which ports had to stay open to the public for mail to keep working, and which ones only needed to be reachable internally so that I could still work on the servers when needed.

    The first thing I did was look at what ports my server was exposing. I did this with the netstat command:

    netstat -an | more

    This lists every socket on the server, both the ports it is listening on and the connections it currently has, with local and remote addresses, so you can see which services are exposed and who has an open session to each of them. That makes it a pretty important command if you want to get into security. The -a flag includes listening sockets and -n skips the DNS lookups; in this form you have to know which daemon owns each port yourself, since only netstat -p (as root) shows the process name.

    To keep it simple, I needed IMAP, POP, SMTP, SSH, HTTP, HTTPS, and LDAP.

    I also needed to know what could be internal only and what had to be exposed to the public so that my mail server could still receive email.

    Here is what I came up with:

    Port   Service            Visibility
    22     SSH                Internal
    25     SMTP               Public
    443    HTTPS              Public
    993    IMAPS              Public
    465    SMTPS              Public
    587    SMTP submission    Public
    80     HTTP               Internal
    110    POP3               Internal
    143    IMAP               Internal
    389    LDAP               Internal
    995    POP3S              Public

    So, now that I had the required information, I could create the rules. They are as simple as the following command:

    sudo ufw allow from x.x.x.x/24 to any port 22

    This rule allows only my internal IPv4 network (x.x.x.x/24 stands in for your LAN) to reach port 22. I did the same for each of the internal-only ports. I also added the mail server's own external IP address with a /32 so that only the server itself could reach it on the internal ports. That might have been overkill, but better safe than sorry. For the public rules I ran:

    sudo ufw allow from any to any port 443

    Because the rule doesn't name a protocol it matches both TCP and UDP, and as long as IPV6=yes is set in /etc/default/ufw (the default) ufw creates the matching IPv6 rule as well.

    If you accidentally create a rule that isn't working properly, you can remove it by first looking up its number:

    sudo ufw status numbered

    and then:

    sudo ufw delete [rule #]

    Rule numbers shift after each deletion, so re-run the numbered listing before deleting the next one (or delete from the highest number down).

    Once everything is in place, enable the firewall so that the rules are applied. Do this only after the SSH allow rule exists if you are working over SSH: the default deny takes effect immediately, which is why ufw warns that enabling may disrupt existing SSH connections.

    sudo ufw enable

    If you ever need to stop the firewall, sudo ufw disable turns it off and the server goes back to being unprotected; the rules are kept on disk and come back with the next enable.
    I still had to reboot the server after creating the rules and enabling the firewall, because the sessions that were already open stayed open: ufw accepts established connections before it evaluates the user rules, so a new block only stops new connections. After the reboot I haven't had any more issues and email still works. You can look at the syslog (or /var/log/ufw.log) for the lines tagged [UFW BLOCK] to see everything being dropped, which is somewhat fulfilling.
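    The ruleset above, as a script you can review before applying, plus a quick way to rank the [UFW BLOCK] lines. This is an added example, not code from the original post. It assumes placeholders you will replace: LAN_NET is your internal /24, SELF_IP is the mail server's own public address, every listed service is TCP, and the sample log lines are constructed for this example (RFC 5737 addresses).

```sh
#!/bin/sh
# Added example, not code from the original post: build the ufw ruleset laid out
# above and summarise [UFW BLOCK] log lines by source and destination port.
# Assumptions (placeholders, change them): LAN_NET is the internal /24, SELF_IP
# is the mail server's own public address, every listed service is TCP, and the
# sample log lines below are constructed for this example.

LAN_NET="${LAN_NET:-192.168.1.0/24}"
SELF_IP="${SELF_IP:-203.0.113.10/32}"
INTERNAL_PORTS="22 80 110 143 389"        # SSH, HTTP, POP3, IMAP, LDAP: LAN only
PUBLIC_PORTS="25 443 465 587 993 995"     # SMTP, HTTPS, SMTPS, submission, IMAPS, POP3S

# Print each command instead of running it unless DRY_RUN=0, so the whole
# ruleset can be reviewed before anything touches the live firewall.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then echo "$*"; else "$@"; fi
}

ufw_rules() {
    run ufw default deny incoming           # the policy "ufw enable" applies
    run ufw default allow outgoing
    for p in $INTERNAL_PORTS; do            # reachable from the LAN and from the server itself
        run ufw allow proto tcp from "$LAN_NET" to any port "$p"
        run ufw allow proto tcp from "$SELF_IP" to any port "$p"
    done
    for p in $PUBLIC_PORTS; do              # reachable from anywhere (IPv4 and IPv6)
        run ufw allow proto tcp from any to any port "$p"
    done
    run ufw logging on                      # [UFW BLOCK] lines in /var/log/ufw.log and syslog
    run ufw --force enable                  # --force skips the "may disrupt ssh" prompt
}

# Constructed sample of what the kernel logs once logging is on.
SAMPLE_LOG='Dec  3 10:15:01 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=22 SYN
Dec  3 10:15:02 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40002 DPT=22 SYN
Dec  3 10:15:02 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=80 SYN
Dec  3 10:15:03 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=40003 DPT=80 SYN
Dec  3 10:15:04 mail postfix/smtpd[1234]: connect from unknown[203.0.113.9]'

# top_blocked: read syslog/ufw.log on stdin, print "<count> <src> <dport>" lines,
# busiest first, so the IPs worth a specific deny rule stand out.
top_blocked() {
    grep 'UFW BLOCK' | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") count[src " " dpt]++
    } END { for (k in count) print count[k], k }' | sort -rn
}

case "${1:-}" in
    show)  ufw_rules ;;                              # review the commands
    apply) DRY_RUN=0 ufw_rules ;;                    # run them (as root)
    top)   top_blocked ;;                            # e.g. ./ufw-rules.sh top < /var/log/ufw.log
    demo)  printf '%s\n' "$SAMPLE_LOG" | top_blocked ;;
esac
```

    Run it with show first and read the output; apply only when the SSH rule for your own network is in the list. For port 22 you can swap allow for ufw limit, which drops an address that opens more than six connections in 30 seconds, a cheap brake on the brute-force traffic described above.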

    If you have any questions, or if you have any comments, please leave them below!
    Thanks!

  • Setting up Unreal Tournament 2004 Game server on Ubuntu 16.04

    Hey everybody.

    It's been a while since I wrote here. I figured I would write up a how-to for setting up an Unreal Tournament 2004 server. I really love this game. It brings back tons of memories of playing it with my friends on the sub when I was in the Navy.

    My boys have some time off from school, and they played it a little back in the day, so I decided to spin up a server so that we could play. I looked online for a way to do this and couldn't find anything, so I figured I would write something up. Here you go.

    The good thing is that because the game is pretty old now, over 13 years, it doesn't require much CPU, memory or storage. I deployed a KVM guest with 2 cores, 4GB of RAM and 20GB of storage running Ubuntu 16.04.3 and installed all the updates. I then spent the next few hours searching for the UT2004 dedicated server package and never could find it. Luckily I had a backup copy, which I have uploaded to this server so you can download it here. You'll also need the patch, which you can download here.

    I created a directory for the game in /usr/local/games/UT2004 and extracted the .zip here:

    sudo unzip -d /usr/local/games/UT2004 dedicatedserver3339-bonuspack.zip

    Once that was complete, I untarred the patch and had to install it manually, since it extracts into a directory called UT2004-Patch: I went into each of its subdirectories and moved the files into the corresponding directories under UT2004. At that point you have a system capable of running an Unreal Tournament 2004 server, but I needed to do a couple more things.

    Next, install the libstdc++5 package; the server binary needs it to run:

    sudo apt install libstdc++5

    First, I turned on the web admin. In /usr/local/games/UT2004/System/UT2004.ini, find the [UWeb.WebServer] section and modify it:

    [UWeb.WebServer]
    Applications[0]=xWebAdmin.UTServerAdmin
    ApplicationPaths[0]=/ServerAdmin
    Applications[1]=xWebAdmin.UTImageServer
    ApplicationPaths[1]=/images
    bEnabled=True
    ListenPort=80

    You can change ListenPort to whatever you want; the only change needed to turn the web admin on is bEnabled=False to True. Two caveats: if the server runs as an unprivileged user (as in the unit file below), it cannot bind a port below 1024, so pick something like 8080; and the web admin is plain HTTP with basic authentication, so the admin password crosses the wire in the clear. Keep that port internal-only (the ufw rules from the earlier post do exactly that) rather than exposing it to the Internet.

    Next, I wanted this to run as a service under systemd instead of just running in the background while I'm logged in to the server. Below is my ut2004-server.service file:

    [Unit]
    Description=Unreal 2004 Dedicated Server
    After=network.target

    [Service]
    Type=simple
    User=ut2004
    WorkingDirectory=/usr/local/games/UT2004/System
    ExecStart=/usr/local/games/UT2004/System/ucc-bin-linux-amd64 server CTF-BridgeOfFate?game=XGame.xCTFGame?AdminName=admin?AdminPassword=XXXXXXXX ini=UT2004.ini log=server.log -nohomedir
    Restart=on-abort

    [Install]
    WantedBy=multi-user.target

    Just change ?AdminPassword= to what you want. I then copied the file into /lib/systemd/system, ran chmod 644 and chown root:root on ut2004-server.service, and now I can control the service with systemctl. Two things to keep in mind: a 644 unit file is readable by every local user, so the admin password in ExecStart is too (a root-owned file with mode 600 referenced by EnvironmentFile=, with ${VAR} in ExecStart, keeps it out of the unit); and the ut2004 user named in User= has to exist and own the System directory before the first start, since the server writes its log and rewrites its ini there.

    systemctl start ut2004-server.service starts it, and I can get status with systemctl status ut2004-server.service.
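    The two edits above (the ini change and the unit file), as a helper script. This is an added example, not code from the original post or from Epic. set_ini_key changes one key inside one [Section] of UT2004.ini without touching the same key in other sections, and render_unit prints a unit that takes the admin password from a root-owned, mode 0600 EnvironmentFile. Placeholders it assumes: the game in /usr/local/games/UT2004, a service user ut2004, the web admin on 8080 (an unprivileged user cannot bind port 80), and a secrets file at /etc/ut2004/admin.env.

```sh
#!/bin/sh
# Added example, not code from the original post or from Epic: helpers for the
# two edits above. set_ini_key changes one key inside one [Section] of
# UT2004.ini without touching the same key in other sections, and render_unit
# prints a systemd unit that takes the admin password from a root-owned, mode
# 0600 EnvironmentFile instead of a world-readable unit file. Assumptions
# (placeholders): the game is in /usr/local/games/UT2004, the service user is
# ut2004, the web admin listens on 8080 because an unprivileged user cannot
# bind port 80, and the secrets file is /etc/ut2004/admin.env.

UT_DIR="${UT_DIR:-/usr/local/games/UT2004}"
UT_USER="${UT_USER:-ut2004}"
UT_ENV_FILE="${UT_ENV_FILE:-/etc/ut2004/admin.env}"

# set_ini_key SECTION KEY VALUE: ini on stdin, edited ini on stdout. The key is
# replaced in place, appended to the section if missing, or the section is
# created at the end. CRLF files (the zip comes from Windows) are handled.
set_ini_key() {
    awk -v sec="$1" -v key="$2" -v val="$3" '
        /^\[/ {
            if (insec && !done) { print key "=" val; done = 1 }   # leaving section without the key
            hdr = $0; sub(/\r$/, "", hdr)
            insec = (hdr == ("[" sec "]"))
        }
        insec && index($0, key "=") == 1 { print key "=" val; done = 1; next }
        { print }
        END {
            if (!done) {
                if (!insec) print "[" sec "]"
                print key "=" val
            }
        }'
}

# Enable the web admin on PORT, touching only [UWeb.WebServer].
configure_webadmin() {
    set_ini_key UWeb.WebServer bEnabled True | set_ini_key UWeb.WebServer ListenPort "$1"
}

# One-time root setup: service user, writable System/ (the server rewrites its
# ini and log there; everything else stays root-owned and read-only), and a
# random admin password in a 0600 file (umask 077 sets the mode before writing).
setup_secrets() {
    id "$UT_USER" >/dev/null 2>&1 || adduser --system --group --home "$UT_DIR" "$UT_USER"
    chown -R "$UT_USER:$UT_USER" "$UT_DIR/System"
    mkdir -p "$(dirname "$UT_ENV_FILE")"
    ( umask 077; printf 'UT_ADMIN_PASSWORD=%s\n' "$(openssl rand -hex 16)" > "$UT_ENV_FILE" )
}

# systemd expands ${UT_ADMIN_PASSWORD} from the EnvironmentFile at start time,
# so the secret is not in the unit; it is still visible in the process's argv
# (ps) to local users, which is the limit of what the command line allows.
render_unit() {
    cat <<EOF
[Unit]
Description=Unreal Tournament 2004 Dedicated Server
After=network.target

[Service]
Type=simple
User=$UT_USER
WorkingDirectory=$UT_DIR/System
EnvironmentFile=$UT_ENV_FILE
ExecStart=$UT_DIR/System/ucc-bin-linux-amd64 server CTF-BridgeOfFate?game=XGame.xCTFGame?AdminName=admin?AdminPassword=\${UT_ADMIN_PASSWORD} ini=UT2004.ini log=server.log -nohomedir
Restart=on-abort
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    webadmin) configure_webadmin "${2:-8080}" ;;   # ./ut2004-setup.sh webadmin 8080 < UT2004.ini > UT2004.ini.new
    setup)    setup_secrets ;;                      # as root, once
    unit)     render_unit ;;                        # ./ut2004-setup.sh unit > /etc/systemd/system/ut2004-server.service
esac
```

    Writing the unit to /etc/systemd/system rather than /lib/systemd/system keeps it out of the way of package updates; after that, systemctl daemon-reload, then enable and start the service. Run the webadmin step into a new file and diff it against the original before replacing it.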

    One last thing: I also included the CD key from my copy of the game, since I was getting errors about a missing cdkey; however, I've tested it and it's not required. The game still runs, you just can't advertise your server on the Internet or host Internet games without it, which means stats also won't work. You used to be able to download a CD key from Epic, but that service no longer works. I emailed them about this on December 2, 2017 with no reply to date.

    Happy gaming!

  • Quake3 Arena Dedicated Server on Ubuntu 16.04

    Hello everyone!!

    I decided to blog this since I haven't seen it documented anywhere else. All the other how-tos explaining this are so outdated that following them would pretty much leave you with an obsolete server. So I wrote this post for anyone out there who wants to run this really old, but still really cool, game as a dedicated server.

    The reason this came about is that my boys wanted to play online games with me today, specifically on my Xbox One. I wanted to relive my glory days from when I was my oldest's age and have a LAN party. Like you, they were wondering what that was. Let me enlighten you. Back in the early to mid 90s, before broadband Internet, if you wanted to play online games it required either a dial-up connection directly to your friend or a massive network on a college campus with someone hosting the game and maintaining it. Neither existed in the small town I grew up in. So I would host LAN parties at my house. This meant that on Friday night my friends and I would hang out at my house and play video games. We did this because on a typical Friday night the girls of our town were too intimidated by our big....brains to want anything to do with us. The jocks were just as intimidated, so to prevent bloodshed, mostly ours, we played video games. We would all gather at my house, jam out and do a mini concert, then hook all our machines up and play Doom or Quake or Duke Nukem 3D.

    My boys thought this was a great idea, so we decided to do it at my house. I was on my Mac running Windows 10 in Boot Camp, and my boys were running Ubuntu 16.04. I installed Quake 3 Arena on all the systems because my boys absolutely LOVE this game. Unfortunately it's only on Steam for Windows, so I had to download it there and then copy the files over to the Ubuntu machines, but that was simple enough. I installed the game on my boys' computers by going to the Ubuntu software store on their machines, searching for Quake 3 and installing it, then copied all the pk3 files over and we were good to go. And it was epic!! It was like all of us were 13 again. We were all hopped up on pizza, beer (me) and Mountain Dew (or, as my sons call it, "gaming fuel").

    After we finished, I started thinking: I used to host this game about 8 years ago on Hardy (Ubuntu 8.04), so I figured I would try it again. I looked online for an easy how-to, and all of them were dated and a pain, since you needed files from id Software; it just sucked. So here we go, the way I did it, super simple and easy to follow.

    First thing I did: installed Ubuntu 16.04 on a virtual machine, updated and patched it, ready to go. After that, I installed the quake3-server package from the Ubuntu Xenial universe repository:

    sudo apt install quake3-server

    When you install it, it will ask whether you want to download the Quake 3 data files. Say no; we'll get to that in a few seconds. After that, I copied all the pk3 files from my commercial version of Quake 3. On my Windows computer they were at <path where Steam is installed>/steamapps/common/Quake 3 Arena/baseq3/

    I copied these files to my Linux laptop so that I could play Quake 3 there, and put them in the first search path the executable looks in:

    /usr/share/games/quake3/baseq3

    This directory doesn’t exist, so I had to create it:

    sudo mkdir -p /usr/share/games/quake3/baseq3

    I then moved the files there:

    sudo mv ~/*.pk3 /usr/share/games/quake3/baseq3/

    Once this is complete, restart the Quake 3 server:

    sudo systemctl restart quake3-server

    Now we need to extract some config files for the server. pak0.pk3 contains sample configurations for all the game modes that you can modify for your needs. unzip extracts into the current directory unless you tell it otherwise, so point it straight at the server's baseq3 directory:

    sudo apt install unzip
    sudo unzip -d /var/games/quake3-server/server.q3a/baseq3/ /usr/share/games/quake3/baseq3/pak0.pk3 ctf.config ffa.config teamplay.config tourney.config gamecycle.config

    Now modify those configs to match what you want. A quick search for Quake 3 Arena dedicated server parameters gives you the details.

    Once you have everything set, all that's left is the main configuration in /etc/quake3-server/server.cfg.

    sudo vi /etc/quake3-server/server.cfg

    You can either set one of the extracted configs here or, what I recommend, find the line with "exec ffa.config" and change it to the config you want. This file is also where rconpassword lives: leave it empty and rcon is disabled, but set it to something weak and anyone who can reach the game port can run server commands, since rcon goes over the same UDP port in the clear. Save the file and restart the service:

    sudo systemctl restart quake3-server

    Now you can connect to your server and you're done.
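    Before the server is reachable from outside, it is worth checking the settings that matter once strangers can connect. The script below is an added example, not code from the original post or from the quake3-server package: it reads a server.cfg (or one of the .config files it execs) on stdin and reports explicit weak settings. The cvar names are the stock Quake 3 ones; the 12-character rconpassword threshold and both sample configs are constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the original post or from the quake3-server
# package: a pre-flight check for /etc/quake3-server/server.cfg (or any of the
# .config files it execs) before the server is reachable from the Internet.
# The cvar names are the stock Quake 3 ones; the 12-character rconpassword
# threshold and both sample configs below are constructed for this example.

# cvar NAME: config on stdin, prints the last value given to NAME, accepting
# "seta name value", "set name value" or a bare "name value", quoted or not
# (only the first word of a quoted value is returned, enough for these checks).
cvar() {
    awk -v name="$1" '
        $1 ~ /^(set|seta|sets|sett)$/ && $2 == name { v = $3 }
        $1 == name { v = $2 }
        END { gsub(/"/, "", v); print v }'
}

# q3_cfg_check: config on stdin; prints one FAIL line per problem and returns 1,
# or prints OK and returns 0. Missing cvars keep the engine defaults, which
# are already the safe values, so only explicit weak settings are reported.
q3_cfg_check() {
    cfg=$(cat); rc=0
    get()  { printf '%s\n' "$cfg" | cvar "$1"; }
    fail() { echo "FAIL: $1"; rc=1; }

    rcon=$(get rconpassword)
    if [ -n "$rcon" ] && [ "${#rcon}" -lt 12 ]; then
        fail "rconpassword is ${#rcon} characters; rcon is sent in clear UDP, so use a long random one (or leave it empty, which disables rcon)"
    fi
    [ "$(get sv_pure)" = "0" ] && fail "sv_pure 0 lets clients join with modified pk3 files; set it to 1"
    [ "$(get sv_allowDownload)" = "1" ] && fail "sv_allowDownload 1 serves your pk3 files to anyone who connects; set it to 0"
    [ "$(get sv_floodProtect)" = "0" ] && fail "sv_floodProtect 0 removes the per-client command rate limit; set it to 1"
    [ "$rc" -eq 0 ] && echo "OK: no weak settings found"
    return "$rc"
}

# Constructed configs: the first is what a quick "just make it work" edit
# tends to look like, the second passes the checks.
WEAK_CFG='// server.cfg
seta sv_hostname "family server"
seta rconpassword "quake"
seta sv_pure "0"
seta sv_allowDownload "1"
seta sv_floodProtect "0"
exec ffa.config'

GOOD_CFG='// server.cfg
seta sv_hostname "family server"
seta rconpassword "correct-horse-battery-staple"
seta sv_pure "1"
seta sv_allowDownload "0"
seta sv_floodProtect "1"
seta sv_maxclients "8"
exec ffa.config'

case "${1:-}" in
    check) q3_cfg_check ;;                            # ./q3check.sh check < /etc/quake3-server/server.cfg
    demo)  printf '%s\n' "$WEAK_CFG" | q3_cfg_check ;;
esac
```

    The server listens on UDP 27960, so if the machine runs ufw as in the first post, that port is the only one the game needs opened; the same rules keep rcon reachable only from where you allow the game itself.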

    Hope this helps any of you out there. Please leave a comment if it helps or if you have any questions.

     

  • MAAS 2.0 and DNS

    Hello everyone! It's been a while since I wrote a blog entry. I updated my network topology last night to accommodate guest access and to separate my personal network from my work network, keeping my game consoles and cell phones off my external-facing network and firewalled off better for more security. While I was at it, I decided to revisit my DNS and virtual host machines.

    I was running ESXi 6 on one of my hosts, which ran the Ubuntu VMs for this site, my email server, and a couple of other servers I use for my job. It became a hassle to keep it running on older hardware, so I rebuilt it on KVM with Ubuntu 16.04 and decided to upgrade my VMs from 14.04 LTS to 16.04 LTS while I had the downtime.

    Anyway, I decided to use MAAS, Canonical's Metal-As-A-Service, to provision my KVM guests and to get rid of my aging DHCP/DNS server running 12.04, moving everything to MAAS. Sounds easy enough? Not so much.

    Building the KVM host was easy. I installed Ubuntu 16.04, selected OpenSSH server and Virtual Machine Host in tasksel, and after the install ran sudo apt update && sudo apt upgrade, rebooted, and ran sudo apt install ovmf qemu. I modified /etc/libvirt/qemu.conf to point to where OVMF lives (basically just uncommented those settings), ran systemctl restart libvirt-bin, and was ready to go. I also converted my NIC interfaces to bridges.

    Now I was ready to build my MAAS server. I built a KVM guest with 2GB of RAM, 2 processors and 60GB of storage and added 2 NICs, one for each of my networks: one for my servers and external network, and one for my internal guest network. I installed a clean 16.04 LTS server, added OpenSSH, configured the interfaces with static addresses, ran update/upgrade, and was ready to install MAAS. I ran sudo apt install maas and was off and running. After it completed, I ran sudo maas createadmin to create the admin account.

    I then logged in to MAAS by opening Firefox and browsing to my MAAS server's IP address. I clicked my account in the upper right corner, went to Account, and copied my API key to a file called maas.key in my home directory on the MAAS server, so that when I need the CLI I can just cat maas.key instead of typing the whole damn thing in. (That key is a full-access credential to MAAS, so make the file readable only by you.) I then copied all my SSH keys to my account so that I can reach my new nodes with my SSH key, went to the Images tab to make sure it was downloading the 16.04 image, and did some minor settings to make sure it saw all my networks and had my DNS forwarders.

    Next, it was time to set up DHCP. I clicked on the Network tab and then on the subnet I wanted DHCP on. I set a dynamic range for my internal network starting at .50 and going to .200, then clicked my other subnet and did the same there. I then went back to the Network tab and clicked the VLAN for each of my fabrics. Under the Take Action button, I configured DHCP for that VLAN and was ready to go.

    I built my web server as a KVM guest, told it to PXE boot and attached it to the server network bridge on my KVM host. I powered it up and boom! MAAS found it and enlisted the node. I changed its name, but realized it was not using my DNS domain, but instead the MAAS default of "maas." According to Canonical's documentation on MAAS, you can change this from the web UI. It would be helpful to tell the user how, but I'm not going to go there. In 1.9 it was as easy as clicking the domain name on the Nodes tab, but in 2.0, not so much. I ended up changing it from the MAAS CLI by SSHing into my MAAS server and running the following command to log in:

    maas login maas http://maas/MAAS `cat ~/maas.key`

    (Passing the key in backticks puts it on the command line, so it lands in your shell history; keep that in mind on a shared machine.) I then ran maas maas domain update name=lucaswilliams.net and verified it with maas maas domains read; the MAAS web UI showed the update as well.

    I then clicked on my new node and commissioned it. After 10 minutes it was commissioned and ready for deployment. Deploying, I have to say, is a huge improvement over 1.9. In the node's Interfaces tab I could set my IP address statically, which I did; then I clicked Deploy, picked 16.04 from the pull-down, and it was off. About 20 minutes later it was done. I could SSH into the new server with my SSH keys from my various workstations, and it worked. I then went through installing LAMP on the server, getting WordPress configured and restoring my site from backup.

    Then I noticed that I didn't have my CNAME records for reaching the server as www or wordpress. I went into research mode: how do I add CNAMEs to MAAS 2.0 DNS? Good news, according to Canonical's maas.io site you can do this, but once again they don't tell you how. After hours of Google-fu and asking around on freenode to no avail, I decided "What's the worst that can happen?" and started poking through the MAAS source around the dnsresource flags. I realized there is a dnsresource-records command in the MAAS CLI, and lo and behold, it says it can create A, AAAA, CNAME, MX, SRV, NS and TXT records. So, after about 2 hours of trial and error, I finally figured it out:

    maas maas dnsresource-records create fqdn=www.lucaswilliams.net rrtype=cname rrdata=webserver

    It showed the record in the DNS tab in MAAS as well. I was able to ping the new CNAME and it resolved properly. You are able to see this page as a result of it working.

    I did the same steps for my mail server, but I also had to create an MX record for it, since its install step was failing on an MX lookup. Great, how do I do that? Luckily, after only an hour of trial and error, I figured it out:

    maas maas dnsresource-records create fqdn=lucaswilliams.net rrtype=mx rrdata='10 mail.lucaswilliams.net'

    It showed up in the DNS tab in MAAS and I could see all of these from the MAAS CLI. I was also able to add static servers that weren't commissioned by MAAS into DNS via the CLI with the following command:

    maas maas dnsresources create fqdn=hostname.lucaswilliams.net ip_addresses=ip.add.re.ss

    Anything with a DHCP-assigned address is added to DNS automagically.
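    The CNAME and MX commands above, wrapped in a check that catches the mistakes I kept making during those hours of trial and error (a CNAME at the zone apex, an MX without a preference, a name outside the MAAS domain) before anything is sent to MAAS. This is an added example, not code from the original post or from MAAS. It assumes the CLI profile is "maas" as created by the maas login command above, that the MAAS domain is lucaswilliams.net, and that the record list at the bottom is constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the original post or from MAAS: sanity-check a
# DNS record before handing it to the MAAS 2.0 CLI, then print (or, with
# APPLY=1, run) the dnsresource-records command the post arrived at.
# Assumptions (placeholders): the CLI profile is "maas" as created by
# `maas login maas ...`, the MAAS domain is lucaswilliams.net, and the record
# list at the bottom is constructed for this example.

MAAS_PROFILE="${MAAS_PROFILE:-maas}"
MAAS_DOMAIN="${MAAS_DOMAIN:-lucaswilliams.net}"

# dns_record FQDN TYPE RRDATA: validates the record, then prints the command
# (rc 0) or an error on stderr (rc 1). With APPLY=1 it calls maas directly,
# passing each argument separately so no rrdata is ever interpreted by a shell.
dns_record() {
    fqdn=$1; rrtype=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); rrdata=$3
    case "$fqdn" in
        "$MAAS_DOMAIN"|*."$MAAS_DOMAIN") ;;
        *) echo "error: $fqdn is outside $MAAS_DOMAIN, the only zone MAAS serves here" >&2; return 1 ;;
    esac
    case "$rrtype" in
        cname)
            # a CNAME cannot share a name with other records, and the apex
            # already holds the zone's NS (and here MX) records
            if [ "$fqdn" = "$MAAS_DOMAIN" ]; then
                echo "error: a CNAME at the zone apex is invalid, use an A record" >&2; return 1
            fi ;;
        mx)
            printf '%s' "$rrdata" | grep -Eq '^[0-9]+ [A-Za-z0-9.-]+$' \
                || { echo "error: MX rrdata must be '<preference> <mailhost>'" >&2; return 1; } ;;
        a)
            printf '%s' "$rrdata" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
                || { echo "error: A rrdata must be an IPv4 address" >&2; return 1; } ;;
        aaaa|txt|srv|ns) ;;
        *) echo "error: unsupported rrtype $rrtype" >&2; return 1 ;;
    esac
    if [ "${APPLY:-0}" = "1" ]; then
        maas "$MAAS_PROFILE" dnsresource-records create "fqdn=$fqdn" "rrtype=$rrtype" "rrdata=$rrdata"
    else
        printf "maas %s dnsresource-records create fqdn=%s rrtype=%s rrdata='%s'\n" "$MAAS_PROFILE" "$fqdn" "$rrtype" "$rrdata"
    fi
}

# Constructed record list in "fqdn type rrdata" form: the records from the post.
RECORDS='www.lucaswilliams.net       cname webserver
wordpress.lucaswilliams.net cname webserver
lucaswilliams.net           mx    10 mail.lucaswilliams.net'

# dns_records_from_list: one record per stdin line; stops at the first bad one
# so a typo does not leave the zone half-updated.
dns_records_from_list() {
    while read -r fqdn rrtype rrdata; do
        case "$fqdn" in ''|'#'*) continue ;; esac
        dns_record "$fqdn" "$rrtype" "$rrdata" || return 1
    done
}

case "${1:-}" in
    one)  dns_record "$2" "$3" "$4" ;;                      # ./maas-dns.sh one www.lucaswilliams.net cname webserver
    list) dns_records_from_list ;;                          # ./maas-dns.sh list < records.txt
    demo) printf '%s\n' "$RECORDS" | dns_records_from_list ;;
esac
```

    Run the list mode once without APPLY to read the commands, then with APPLY=1 from the MAAS host where the profile is logged in. Afterwards, dig the new names against the MAAS server's address rather than trusting the DNS tab alone, since a record MAAS accepted but has not yet pushed into its zone file looks identical in the UI.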

    And there you have it: a way to add MX and CNAME records so that you don't have to do the research, or, if you Google it, hopefully you land here.

    Let me know in the comments if this helps you or not, and let me know what else you want to know about.