Tag: configure

  • NVMe over TCP setup using BE Networks Verity

    Hello everyone. It’s been a while, almost a year. I have an updated blog post that I wrote for the company I work for, BE Networks. The link is below. Please enjoy, and please share and comment.

    Thanks!

    How to Build NVMe over TCP Storage Networks with BE Networks Verity

  • Using UFW to secure a server

    Hello Everyone! Hope you’re doing well!

    So for the last few weeks, I have been dealing with a DoS attack happening against me. After spending a couple days with Comcast Network Engineers we finally figured out that my mail server was being attacked. Once we disabled the NIC on the server, Internet service would start up immediately and everything appeared to be working properly. Looking at the auth logs, I noticed that port 80 and port 22 were getting bombarded by the DoS attacks.

    Since the Comcast gateway has a poor firewall, I looked into getting an upgraded PAN to meet my demand, but unfortunately that was going to set me back about $4k, and I looked at Untangle, but ran into configuration issues with the Comcast Gateway and my static IPs.

    So, until I save my pennies to get the upgraded PAN I had to use ufw to block my attacks.

    UFW, or Uncomplicated Firewall, is the default firewall for Ubuntu. Since my mail server is running Ubuntu, I decided to use this. And it is fairly easy to set up and use.

    The first thing I noticed when being attacked was that specific Chinese IP addresses were attacking the server on port 22 and port 80, which are the SSH port and the unencrypted default web server port. So these were going to be the first ones that I set up. However, one thing to note is that when you enable ufw, it blocks all traffic, which is a good thing really. But when you rely on email for your job, blocking it all is not good, so I needed to find out what external ports I needed to have open to the public so that it would still work, and which ones I could have available internally only so that I can still work on the servers if I need to.

    First thing I did was look at what ports my server was sharing outside. I did this with the netstat command:

    netstat -an | more

    This command outputs all the interfaces and ports that the server is listening and communicating on. This also tells you who is connected to what service if they have an open session, so this command is pretty important if you are wanting to get into security.

    To make it easy, I needed imap, pop, smtp, ssh, http, https, and ldap.

    I also needed to know what can be internal only and what needs to be exposed to the public so that my email server can still get email.

    Here is what I came up with:

    Port                   Visibility
    22 (SSH)               Internal
    25 (SMTP)              Public
    443 (HTTPS)            Public
    993 (IMAP)             Public
    465 (SMTPS)            Public
    587 (SMTP Submission)  Public
    80 (HTTP)              Internal
    110 (POP3)             Internal
    143 (IMAP)             Internal
    389 (LDAP)             Internal
    995 (IMAPS)            Public

    So, now that I have the required information, I can create the rules. They are as simple as doing the following command:

    sudo ufw allow from x.x.x.x/24 to any port 22

    This rule allowed only my internal IPv4 network to connect to the server. I did this for all internal addresses. I also added the specific email external IP address with a /32 to specify only the server could talk to itself on the internal ports. Might have been overkill, but better safe than sorry. For my public rules I did the following command:

    sudo ufw allow from any to any port 443

    This also creates the matching IPv6 rules.

    If you accidentally create a rule and it isn’t working properly, you can remove the rule by first looking up its number:

    sudo ufw status numbered

    and then:

    sudo ufw delete [rule #]

    Once everything is done, enable the firewall so that the rules will be applied:

    sudo ufw enable

    If you ever need to stop the firewall, you can disable it with sudo ufw disable and it will go back to being unsecured.

    I still had to reboot the server after creating the rules and enabling the firewall since sessions were still open, but after the reboot I haven’t had any more issues and email still works. You can look at the syslog to see all the blocks, which is somewhat fulfilling.
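    Two small helpers, added here as an example and not part of the original post: one turns the port/visibility table above into ufw commands, and the other summarises the [UFW BLOCK] lines that ufw writes to syslog by source address and destination port, so the syslog scroll becomes a quick top-talkers table. The internal network and the log lines are constructed, using documentation address ranges rather than the author's real ones.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes INTERNAL_NET is the LAN
# that may reach the "Internal" ports; the syslog excerpt below is constructed
# in the format ufw uses for blocked packets (addresses from RFC 5737 ranges).

INTERNAL_NET="192.0.2.0/24"

# ufw_rule_for PORT VISIBILITY: prints the ufw command for one table row.
# Internal rows are limited to INTERNAL_NET, Public rows are open to any source.
ufw_rule_for() {
    case $2 in
        Internal|internal) echo "sudo ufw allow from $INTERNAL_NET to any port $1" ;;
        Public|public)     echo "sudo ufw allow from any to any port $1" ;;
        *) echo "unknown visibility '$2' for port $1" >&2; return 1 ;;
    esac
}

# ufw_rules_from_table < "port visibility" lines: one command per row,
# stopping at the first row it does not understand.
ufw_rules_from_table() {
    while read -r port vis; do
        [ -n "$port" ] || continue
        ufw_rule_for "$port" "$vis" || return 1
    done
}

# Constructed syslog excerpt: three SYNs to port 22 and one to port 80 from
# one source, one to port 80 from another, plus an unrelated sshd line.
UFW_SAMPLE_LOG=$(cat <<'EOF'
Jan 11 15:21:36 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 11 15:21:37 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 11 15:21:37 mail sshd[2231]: Accepted publickey for admin from 192.0.2.20 port 51022 ssh2
Jan 11 15:21:38 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40002 DPT=22 SYN
Jan 11 15:21:39 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=5120 DPT=80 SYN
Jan 11 15:21:40 mail kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=40003 DPT=80 SYN
EOF
)

# ufw_block_summary < syslog: prints "count src dpt" lines, busiest pair first.
ufw_block_summary() {
    grep -F '[UFW BLOCK]' \
    | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") count[src " " dpt]++
      }
      END { for (k in count) print count[k], k }' \
    | sort -rn
}

# ufw_top_blocked < syslog: the single busiest "count src dpt" line.
ufw_top_blocked() {
    ufw_block_summary | head -n 1
}

# Usage on the constructed data (on a real host: ufw_block_summary < /var/log/syslog).
printf '%s\n' "$UFW_SAMPLE_LOG" | ufw_block_summary
```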

    If you have any questions, or if you have any comments, please leave them below!
    Thanks!

  • Install Ubuntu-Touch on BQ Aquaris M10 FHD

    Hello everyone! This blog entry is mostly for those of you that want to play with Ubuntu-Touch on the BQ Aquaris M10. You can actually purchase this tablet from BQ directly, but they have been sold out for a while, and I really wanted to have one.

    So, I bought the Android version, which isn’t too different in specs. However, it comes running Android Marshmallow. I played around with it for a day just because I haven’t played with Android in a while, and realized a lot has changed since Froyo, which was the last version I played with. After the nostalgia wore off, I decided to start trying to install Ubuntu on my device.

    The first thing I did was go to the Installing Ubuntu on Devices website. I found all the details of setting up my build machine to handle this.

    The first step was to install the PPA for the Ubuntu SDK and for the phablet-tools package.

    sudo add-apt-repository ppa:ubuntu-sdk-team/ppa

    Then run sudo apt update to get the repo locations updated to use the PPA.

    I then installed ubuntu-device-flash, which does all the heavy lifting of getting the image onto the device. I also installed adb, the Android Debug Bridge application, which is needed to manage the device and get access to its internal bits, and fastboot, which manages the device when it’s in the bootloader.

    sudo apt install ubuntu-device-flash phablet-tools

    After I had all the required tools on my laptop, I was ready to start. The first thing I had to do was put my M10 into Developer Mode. To do this, click on System and go to About. Click the Build seven times. It will start a countdown on the screen saying “Press x times to enable Developer Mode.” Once done, go back and you will see Developer Options on the screen next to About. Select it and enable OEM Unlock Bootloader, which brings up a prompt asking if you are sure, since this does void the warranty, and it warns you every time you reboot the device that it is in Orange State and can’t be protected, and delays the boot by five seconds. Select Yes, then enable USB Debug and turn off Protect ADB APK uploads. Probably isn’t necessary, but I did it anyways.

    Now, plug your USB cable into your laptop and your device. You will get a prompt on the tablet asking if you trust this device; click the check to always trust and say Yes. You can now use the adb command on the laptop to control the tablet.

    First, check that your laptop sees everything:

    adb devices

    You should get a return of the M10’s serial number and the word device next to it. We are now ready to go into the Bootloader. Do this from adb:

    adb reboot bootloader

    The device will reboot, give you the warning that I mentioned above about being Unlocked and unprotected, and then a blank screen with Fastboot Loader on the bottom. This is the fastboot bootloader. We now have to unlock the device:

    Make sure you can communicate with the device with fastboot:

    fastboot devices

    You should get a return of the M10’s serial number and fastboot on the same line.

    You unlock the device by typing:

    fastboot oem unlock

    You will get a prompt on the device saying Press Volume + to Unlock and Volume – to cancel. Press Volume + on the device and you will get a confirmation saying device unlocked and on your Laptop it will say OKAY and exit. Now we can reboot the device again.

    fastboot reboot

    Now, it will start back up in Android, after about 10 minutes. You will have to reconfigure the device; basically I skip everything until I get to the point where I can turn the device off. I turn it off and then I turn it back on, but when I press the power button, I also hold down the Volume + button at the same time. This will cause the M10 to go into Recovery Mode. Once the screen comes up saying Powered by Android and you get the Unlocked warning again, you can release the power button, but keep pressing the Volume + button until you get the Fastboot screen. Verify you can communicate with the device:

    fastboot devices

    You should get the serial number and fastboot on the same line. Now we can install Ubuntu... kind of.

    First, you need to download the recovery image from Ubuntu, since the built-in one on the device does not allow adb. Depending on whether you have the M10 FHD or just the M10, you need a specific image. Since I was using the FHD, I needed the frieza image. You can download them by clicking the appropriate link from this page.

    Run the following to start the process:

    ubuntu-device-flash -v touch \
    --channel=ubuntu-touch/stable/bq-aquaris-pd.en \
    --device=frieza --bootstrap \
    --recovery-image=recovery-frieza.img

    It will download and start copying all the required files for the device. Unfortunately, it will fail. The Android partition layout is way too small for the Ubuntu recovery. So, after it fails, you can wipe the cache from the device. Next, you will use adb to manage the partitions.

    First, you need to download parted for Android. Luckily, I have a version here you can use. Download this, untar it, and then move it to the /sbin directory on your device:

    tar xf parted-android-32.tgz
    adb push parted /sbin
    adb shell chmod +x /sbin/parted

    Now we are ready to do some “damage” to the device.

    NOTE: Word of caution here. We are going to delete and grow 3 file systems on the device. Please follow these directions closely and watch out for typos. You don’t want that otherwise we have to start all over again.

    First, run adb shell. You are now on the console of the device as root. If you run df -h you’ll notice that /cache is out of space, and it’s only a little over 400MB in size. Nowhere near the size we need, since we have a little over 870MB of files to upload before we can install Ubuntu. The other thing you’ll notice once we get into the partitioning is that the /system directory is only 1.5GB in size, and Ubuntu needs at least 4GB for the installation. However, the userdata partition is 15GB in size, so we are going to steal from there to repurpose for these other partitions.

    First thing to do is run parted /dev/block/mmcblk0

    Type p to list the partitions; there are 24 partitions. We are only concerned with 21, 22, and 23. First change the unit to bytes with unit b and then run p again to get that readout:

    p
    Model: MMC 016G70 (sd/mmc)
    Disk /dev/block/mmcblk0: 15758000128B
    Sector size (logical/physical): 512B/512B
    Partition Table: gpt
    
    Number Start End Size File system Name Flags
    1 524288B 3670015B 3145728B proinfo
    2 3670016B 8912895B 5242880B nvram
    3 8912896B 19398655B 10485760B protect1
    4 19398656B 29884415B 10485760B protect2
    5 29884416B 80216063B 50331648B persist
    6 80216064B 80478207B 262144B seccfg
    7 80478208B 80871423B 393216B lk
    8 80871424B 97648639B 16777216B boot
    9 97648640B 114425855B 16777216B recovery
    10 114425856B 120717311B 6291456B secro
    11 120717312B 121241599B 524288B para
    12 121241600B 129630207B 8388608B logo
    13 129630208B 140115967B 10485760B expdb
    14 140115968B 141164543B 1048576B frp
    15 141164544B 146407423B 5242880B tee1
    16 146407424B 151650303B 5242880B tee2
    17 151650304B 153747455B 2097152B kb
    18 153747456B 155844607B 2097152B dkb
    19 155844608B 189399039B 33554432B metadata
    20 189399040B 201326591B 11927552B custram
    21 201326592B 1811939327B 1610612736B ext4 system
    22 1811939328B 2256535551B 444596224B ext4 cache
    23 2256535552B 15616966655B 13360431104B userdata
    24 15616966656B 15757983231B 141016576B flashinfo
    

    Note the start and end of partitions 20 and 24. Partition 21 will start at 201326592, which is +1 from the end of the previous partition. We need to do this for each partition we are growing so that they are uniform and not overlapping, which would cause problems.

    First we need to delete the three partitions:

    rm 21
    rm 22
    rm 23

    Now we are ready to recreate them, only larger in size. Since we are using bytes, the numbers are quite large, and need to equal logical sizes. Basically, do the math: take the starting byte, add the amount of extra space you want, make that the end byte, and then the next partition starts at +1 of the last end byte, until you get to partition 23, which you end 1 byte before where partition 24 starts. So partition 23 will end at 15616966655. If you use the values that I did, you will end up with a system partition of 4.3GB, a cache of 1.07GB, and a userdata of 9.6GB:

    mkpart primary 201326592 4496294399
    mkpart primary 4496294400 5570036224
    mkpart primary 5570036736 15616966655
    name 21 system
    name 22 cache
    name 23 userdata
    quit
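    The boundary arithmetic above is easy to get wrong by a byte, and a partition that ends off a sector boundary or overlaps its neighbour is exactly the typo the note warns about. The script below is an added example, not part of the original post: it computes the three mkpart lines from the first start byte and the last usable byte taken from the parted listing, then re-checks a plan for contiguity, sector alignment and the limit before you type it into parted. The requested sizes (4 GiB system, 1 GiB cache) are example choices, not the author's values.

```shell
#!/bin/sh
# Added example, not from the original post. START and LIMIT are read off the
# parted 'unit b' listing: the first byte of the old system partition and the
# last byte before the flashinfo partition. Sizes are in bytes (assumed 512-byte
# sectors, as the listing reports).

SECTOR=512

# plan_partitions START LIMIT SYS_BYTES CACHE_BYTES
# Prints three "mkpart primary <start> <end>" lines; userdata takes the rest.
plan_partitions() {
    start=$1 limit=$2 sys=$3 cache=$4
    for sz in "$sys" "$cache"; do
        if [ $((sz % SECTOR)) -ne 0 ]; then
            echo "size $sz is not a multiple of $SECTOR bytes" >&2
            return 1
        fi
    done
    sys_end=$((start + sys - 1))
    cache_start=$((sys_end + 1))
    cache_end=$((cache_start + cache - 1))
    data_start=$((cache_end + 1))
    if [ "$data_start" -ge "$limit" ]; then
        echo "system+cache leave no room for userdata before $limit" >&2
        return 1
    fi
    printf 'mkpart primary %s %s\n' "$start" "$sys_end"
    printf 'mkpart primary %s %s\n' "$cache_start" "$cache_end"
    printf 'mkpart primary %s %s\n' "$data_start" "$limit"
}

# verify_plan LIMIT < plan: each partition must start exactly one byte after
# the previous one ends, end on a sector boundary, and stay within LIMIT.
verify_plan() {
    limit=$1 prev_end=""
    while read -r _ _ s e; do
        if [ -n "$prev_end" ] && [ "$s" -ne $((prev_end + 1)) ]; then
            echo "gap or overlap between $prev_end and $s" >&2; return 1
        fi
        if [ $(((e + 1) % SECTOR)) -ne 0 ]; then
            echo "end $e is not on a $SECTOR-byte boundary" >&2; return 1
        fi
        if [ "$e" -gt "$limit" ]; then
            echo "end $e runs past $limit" >&2; return 1
        fi
        prev_end=$e
    done
    return 0
}

# Example run with the disk values from the parted listing and example sizes.
plan_partitions 201326592 15616966655 4294967296 1073741824 \
    | tee /dev/stderr | verify_plan 15616966655 && echo "plan is consistent"
```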

    We now need to format the volumes:

    mke2fs -t ext4 /dev/block/mmcblk0p21
    mke2fs -t ext4 /dev/block/mmcblk0p22
    mke2fs -t ext4 /dev/block/mmcblk0p23

    Now, on the device, use the Volume – to select reboot into bootloader and press the Power button to select it. The device will reboot and you will be brought back to the screen where it just says FASTBOOT on the bottom.

    Now we can start the flash again, and this time it will work:

    ubuntu-device-flash -v touch \
    --channel=ubuntu-touch/stable/bq-aquaris-pd.en \
    --device=frieza --bootstrap \
    --recovery-image="$HOME/frieza-recovery.img"

    Once the installation is done, you will have Ubuntu running on your device. It takes about 10 minutes to install, but after the reboot, the initial splash screen will have the BQ logo but say powered by Ubuntu and you won’t have the annoying Unlocked Device unprotected alert any more.

    Let me know in the comments if you have any issues! Happy Hacking!

  • Livepatching the Kernel in Ubuntu 16.04 LTS

    Hello everyone and Happy New Year! I hope 2017 has started great for everyone out there.

    So I have been playing around with Canonical’s Livepatch service on my Ubuntu 16.04 servers and I have to say, it is pretty slick. I run two KVM hosts that run various servers and containers so that I can do my job. In fact, this web server runs as a KVM on one of my hosts. Since I can’t typically run kernel updates and reboot whenever I feel like, since I have other workloads running on these servers, Canonical Livepatch answers this problem for me.

    How it works is pretty simple. When a security patch for the kernel comes out, this service downloads the patch and installs it in the running kernel on my system WITHOUT HAVING TO REBOOT MY SERVER!!! That is amazing!! I get the security update to patch and make my system secure and I don’t have to schedule a maintenance window and bring down 20+ VMs and 100+ containers. I can just update the host and BAM! All my containers and my hosts are updated, no reboot, no downtime. I still have to touch all my KVMs, but that is the way it is when you run VMs.

    So you want to try this out? It’s pretty simple to set up. First, it only works on Ubuntu 16.04 LTS. This “should” change to be available in 14.04, but as of when I wrote this, it was still not available on 14.04.

    The Kernel Livepatch is a snap application, making use of snaps on the system. This makes it even easier to install and update. To install on your system, it is as simple as:

    sudo snap install canonical-livepatch

    This will pull down the snap application and install and start it. Now, you have to enable the service. You need to go to https://auth.livepatch.canonical.com to sign up for the service. Regular Ubuntu users are authorized up to 3 machines to get Livepatches for. If you need more, you can purchase them via support for your systems. Once you are signed up, you will have a token that you use to add your systems.

    You then run:

    sudo canonical-livepatch enable <TOKEN>

    This will set up livepatch. To see it work, simply run

    canonical-livepatch status --verbose

    and you will get the following output:

    client-version: "6"
    machine-id: --REMOVED--
    machine-token: --REMOVED--
    architecture: x86_64
    cpu-model: Intel(R) Xeon(R) CPU           E5645  @ 2.40GHz
    last-check: 2017-01-11T15:21:36.477627539-08:00
    boot-time: 2016-11-28T09:16:56-08:00
    uptime: 1062h5m33s
    status:
    - kernel: 4.4.0-47.68-generic
      running: true
      livepatch:
        checkState: checked
        patchState: applied
        version: "15.1"
        fixes: |-
          * CVE-2016-7425
          * CVE-2016-8655
          * CVE-2016-8658

    I have those CVEs installed, and I didn’t have to reboot my system for them to be implemented. Now my KVM host is patched, and I had 0 downtime to do it.
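    Reading that status by eye is fine for one host; for twenty it wants to be a check. The script below is an added example, not part of the original post or of the canonical-livepatch client: it parses the status output above into the running kernel, patch state and the list of CVEs covered, and returns non-zero when the patch is not applied, so it can sit in a cron job or a monitoring probe. The sample is the post's own output, with the machine identifiers left removed.

```shell
#!/bin/sh
# Added example, not from the original post. Parses 'canonical-livepatch
# status --verbose' output. Assumes the YAML-style layout shown in the post:
# a "- kernel:" list, a "running:" flag, and "* CVE-..." bullets under fixes.

SAMPLE_STATUS=$(cat <<'EOF'
client-version: "6"
machine-id: --REMOVED--
machine-token: --REMOVED--
architecture: x86_64
cpu-model: Intel(R) Xeon(R) CPU           E5645  @ 2.40GHz
last-check: 2017-01-11T15:21:36.477627539-08:00
boot-time: 2016-11-28T09:16:56-08:00
uptime: 1062h5m33s
status:
- kernel: 4.4.0-47.68-generic
  running: true
  livepatch:
    checkState: checked
    patchState: applied
    version: "15.1"
    fixes: |-
      * CVE-2016-7425
      * CVE-2016-8655
      * CVE-2016-8658
EOF
)

# livepatch_fields < status: prints "kernel patchState checkState cve-count"
# for the kernel marked running: true (the status list can hold several kernels).
livepatch_fields() {
    awk '
        /^- kernel:/      { cur = $3 }
        /^ *running:/     { if ($2 == "true") kernel = cur }
        /^ *patchState:/  { patch = $2 }
        /^ *checkState:/  { check = $2 }
        /^ *\* CVE-/      { cves++ }
        END { print kernel, patch, check, cves + 0 }'
}

# livepatch_cves < status: one CVE id per line, in the order listed.
livepatch_cves() {
    awk '/^ *\* CVE-/ { print $2 }'
}

# livepatch_ok < status: succeeds only when a check has run and the patch is applied.
livepatch_ok() {
    set -- $(livepatch_fields)
    [ "$2" = "applied" ] && [ "$3" = "checked" ]
}

# Usage on the sample (on a live host: canonical-livepatch status --verbose | livepatch_ok).
printf '%s\n' "$SAMPLE_STATUS" | livepatch_fields
printf '%s\n' "$SAMPLE_STATUS" | livepatch_ok && echo "livepatch OK"
```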

    There you have it. Let me know in the comments if you have any questions!


  • MAAS 2.0 and DNS

    Hello everyone! Been a while since I wrote a blog entry. I updated my network topology last night to accommodate for guest access and to separate my personal network from my work network to keep my video game consoles and my cell phones off of my external facing network and firewall them up better for more security. I decided during this time as well to revisit my DNS and Virtual Host machines.

    I was running ESXi 6 on one of my hosts that ran Ubuntu VMs for this site, my email server, and a couple of other servers that I use to do my job. It became a hassle to keep it up and running on older hardware, so I upgraded it to KVM and Ubuntu 16.04, and I decided that I would also upgrade my VMs from 14.04 LTS to 16.04 LTS since I had the downtime.

    Anyways, I decided that I was going to use MAAS, or Canonical’s Metal-As-A-Service to provision my KVM’s and also get rid of my aging DHCP/DNS server that was running 12.04 and just move everything to MAAS. Sounds easy enough? Not so much.

    Building the KVM host was easy. I installed Ubuntu 16.04, selected OpenSSH server and Virtual Machine Host from tasksel, and then after it was installed, ran sudo apt update && sudo apt upgrade, rebooted, and then ran sudo apt install ovmf qemu and modified my /etc/libvirt/qemu.conf to point to where ovmf was (basically just removed the comments from the file for those settings), and then ran systemctl restart libvirt-bin and was ready to go. I also modified my NIC interfaces to bridges.

    Now I was ready to build my MAAS server. I built a KVM with 2GB of RAM, 2 processors and 60GB of storage and added 2 NICs, one for each of my networks: one for my servers and external network, and one for my internal guest network. I installed a clean 16.04 LTS server, added OpenSSH, configured the interfaces for static addresses, ran update/upgrade, and was now ready to install MAAS. I ran sudo apt install maas and was off and running. After it was complete, I ran sudo maas createadmin to create the admin account. I then logged in to MAAS by opening Firefox and browsing to my MAAS server’s IP address and logging in. I clicked on my account in the upper right corner and went to Account, and copied my API key to a file called maas.key in my home directory on MAAS so that when I need to use the CLI, I can just cat maas.key instead of having to type the whole damn thing in. I then copied all my SSH keys to my account so that I can access my new nodes with my SSH key, and I then went to the Images tab to make sure it was downloading the 16.04 image, and did some minor settings to make sure it saw all my networks and put in my DNS forwarders.

    Next, it was time to setup DHCP. I clicked on the Network tab and clicked on the subnet I wanted to have DHCP. I set a dynamic reservation for my internal network starting at .50 and going to .200. I then clicked my other subnet and did the same thing there. I then went back to the Network tab and clicked the VLAN for each of my fabrics. Under the Take Action button, I configured DHCP for this network and was ready to go.

    I built my webserver as a KVM, and told it to PXE boot and attach it to the server network bridge on my KVM host. I powered it up and boom! MAAS found it, and enlisted the node. I changed its name, but realized it was not using my DNS name, but instead the MAAS default of “maas.” According to Canonical’s documentation on MAAS, you can change this from the WebUI. That would be helpful to tell a user how, but I’m not going to go there. In 1.9, it was as easy as clicking the domain name on the Nodes tab, but in 2.0, not so much. I ended up changing it from the MAAS CLI by ssh’ing into my MAAS server and running the following command to login:

    maas login maas http://maas/MAAS `cat ~/maas.key`

    I then ran maas maas domain update name=lucaswilliams.net and verified that it was updated with maas maas domains read and in the MAAS WebUI, it updated it as well.

    I then clicked on my new node, and commissioned it. After 10 minutes, it was commissioned and ready for deployment. I deployed, which I have to say is a huge improvement over 1.9. In the node tab, under Interfaces, I could statically set my IP address, which I did, and then I clicked deploy, and from the pull-down chose 16.04 and it was off. About 20 minutes go by, and it’s done. Now, I ssh into my new server and I can log in with my SSH keys from my various workstations and it works. I then go through the process of installing LAMP on the server, getting WordPress configured and recovering my site from my backup. Then I notice that I don’t have my CNAME records to access my server via www or wordpress. I go into research mode. How do I add CNAMEs to MAAS 2.0 DNS? Great news, according to Canonical’s maas.io site, you can do this, but once again, they don’t tell you how. After spending hours doing Google-Fu and asking around on freenode, to no avail, I decided “What’s the worst that can happen?” I start poking through the MAAS source on the dnsresource flags and realize that there is an option in the MAAS CLI for dnsresource-records. I look into that and, lo and behold, it tells you there that I can create A, AAAA, CNAME, MX, SRV, NS and TXT records. So, through about 2 hours of trial and error, I finally figured it out:

    maas maas dnsresource-records create fqdn=www.lucaswilliams.net rrtype=cname rrdata=webserver

    It showed the record in the DNS tab in MAAS as well. I was able to ping the new CNAME and it responded properly. You are able to see this page as a result of it working as well.

    I did the exact same steps above for my mail server as well; however, I had to create an MX record for it since it was failing its install step doing an MX record lookup. Great, how do I do that? Luckily, after only an hour of trial and error, I figured it out:

    maas maas dnsresource-records create fqdn=lucaswilliams.net rrtype=mx rrdata='10 mail.lucaswilliams.net'

    It updated in the DNS tab in MAAS and I could see all of these with the MAAS CLI. I was also able to add static servers that were not commissioned by MAAS into DNS via the CLI with the following command:

    maas maas dnsresources create fqdn=hostname.lucaswilliams.net ip_addresses=ip.add.re.ss

    Anything that is DHCP assigned will populate DNS automagically.
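    Most of the trial and error above comes down to getting rrtype and rrdata into the shape the CLI wants. The function below is an added example, not part of the original post or of MAAS: it checks a record spec against the record types the post lists (MX data must be "preference host", CNAME and NS data a single hostname) and prints the exact dnsresource-records command to run, so a typo is caught before it reaches MAAS. The profile name maas follows the post's login; the example.net names are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Validates a DNS record spec and
# emits the 'maas maas dnsresource-records create' command for it. Assumes a
# CLI profile named "maas", as created by the post's 'maas login maas ...'.

# Record types the post says dnsresource-records accepts.
RR_TYPES="a aaaa cname mx srv ns txt"

# maas_dns_record FQDN RRTYPE RRDATA: validate, then print the CLI command.
maas_dns_record() {
    fqdn=$1 rrtype=$(printf '%s' "$2" | tr 'A-Z' 'a-z') rrdata=$3
    case " $RR_TYPES " in
        *" $rrtype "*) ;;
        *) echo "unsupported rrtype '$2' (expected one of: $RR_TYPES)" >&2; return 1 ;;
    esac
    case $rrtype in
        mx)
            # MX data is "<preference> <mail host>", e.g. '10 mail.example.net'.
            set -- $rrdata
            if [ $# -ne 2 ] || ! [ "$1" -ge 0 ] 2>/dev/null; then
                echo "mx rrdata must be '<preference> <host>', got '$rrdata'" >&2
                return 1
            fi ;;
        cname|ns)
            # These point at exactly one hostname; a blank or multi-word value is a typo.
            case $rrdata in
                ""|*" "*) echo "$rrtype rrdata must be a single hostname, got '$rrdata'" >&2; return 1 ;;
            esac ;;
    esac
    printf "maas maas dnsresource-records create fqdn=%s rrtype=%s rrdata='%s'\n" \
        "$fqdn" "$rrtype" "$rrdata"
}

# Usage: print the commands for a CNAME and an MX record (does not run them).
maas_dns_record www.example.net cname webserver
maas_dns_record example.net MX '10 mail.example.net'
```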

    And there you have it, a way to add MX and CNAME records so that you don’t have to do the research, or if you Google search it, hopefully you fall here.

    Let me know in the comments if this helps you or not, and let me know what else you want to know about.