How to List the Contents of a Web Directory

Any good web host will secure the contents of website directories which don’t have an index page by not allowing the  files or folders to be listed, instead you’ll get a 403 error page saying access is forbidden. Whilst this is good in practice, sometimes you might actually need to list the contents – and its simple to enable on an Apache web server – add one line to your .htaccess file and you’re done!

How it’s done

Options +Indexes

Notes

  • If you have access you can edit your web server configuration and make it global

Setup your own live pet webcam for free using Yawcam

I’ve been experimenting for a while with different ways to stream live to the Internet from webcams, IP cameras and capture cards for the Coop Cam project, here is a basic guide on how to setup a simple live stream using a basic webcam.

What is required?

You will need a couple of things, including:

  • A computer with a webcam
  • An Internet connection with decent upload speed
  • Router access to port forward

Software

To create the stream we will use a free piece of opensource software called Yawcam, you can download it directly from here or learn more about the software here.

Installation is pretty simple, download and launch the installer then follow the on screen instructions.

Configuration

After the installation has finished open your newly installed software, you will see a screen like below:

1

The first thing we need to do is set the stream type, to do this go to Settings > Edit Settings…

2

Under Output select Stream and change the Stream type to MJPEG and hit OK

3

Next we need to select your webcam, head to Settings > Device > Change to and select your webcam from the list

4

Finally, back on the main screen hit enable on the Stream option – we are ready to go!

5

Previewing your stream

Here is the exciting part, previewing your live stream! On the same computer open up your browser and head to http://127.0.0.1:8081/video.mjpg

If everything is configured correctly you should see your webcam displayed live.

Here is my example of Spirit our pet quail:



What next?

The next thing you need to do is configure port forwarding in your router to allow people to connect in and view  your stream. I can’t really go into specific detail as there are many different types of router with different configuration options but basically what you want to do is forward port 8081 to your computer so anyone that connects to your-public-ip:8081/video.mjpg can see your stream.

You will also want to make sure that your computer has a static IP address or DHCP reservation to make sure the local IP address doesn’t change.

If you need help with that part let me know and I’ll give you a hand.

Will my Internet connection be able to cope?

This depends entirely on your upload speed, by default Yawcam only allows 10 concurrent connections.

For added security and to take the strain off your Internet connection I can relay your stream via Coop Cam’s powerful relay servers. They are able to take the single stream from your camera and amplify it allowing hundreds of users to connect at once.

The upside to this is that you will only have one connection being uploaded to the relay server, the server then handles everything else and even hides your public IP address – If you would like to know more please get in touch.

Notes

  • If you want Yawcam to start streaming automatically when you login to your computer then head to Settings > Edit Settings… > Startup and tick Start Stream output
  • You can check that port forwarding has been setup correctly by using the NerdTools Port Scanner, if it isn’t working double check your firewall settings
  • If your Internet connection has a dynamic IP address you’ll want to look into a Dynamic DNS service

Add a NAS drive to your Livedrive account for free

I used to be a customer of popular cloud backup service Livedrive. The upload and download speeds were nothing to shout about and one annoyance was having to pay extra to add a NAS drive to your account, but there is a workaround!

How so?

All you need to do is add a symbolic link to your NAS drive from your computer. Think of a symbolic link as a fancy shortcut, the only difference being it masks the destination instead of taking you straight there – you’ll see what I mean when you read on.

Imagine you have a Windows computer with your NAS drive with the root of the drive already mapped to Z:, you have a folder on your NAS called MyFiles and would be able to browse to Z:\MyFiles to see whatever is stored there. Next imagine we have a folder called C:\Backup which is already uploading to your Livedrive account, using  the following command we will make C:\Backup\MyFiles lead to your NAS and in turn be included with your Livedrive backup.

mklink /d "C:\Backup\MyFiles" "Z:\MyFiles"

For me, this worked absolutely fine and I had a couple of TB uploaded without ever being caught out. I’ve since jumped ship to Amazon Drive, whilst it is more expensive per year I’ve got it running from multiple computers and the upload and download speed always tops out my connection, so I can’t complain!

Notes

  • Use the above guide at your own risk – I won’t be held liable if anything happens to your Livedrive account, files or anything else because of this!
  • This doesn’t work with Dropbox or Google Drive  – sorry
  • You only need to run the command once, after that the link will be remembered
  • To remove the link just delete it as you would any other  file or folder

Install EPEL Repository on CentOS 7 (x64)

The simple one line command below will enable the EPEL repository on CentOS 7

rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm

Once ran you will see confirmation that it has been installed successfully, that’s it!

Notes

  • You can find out more about the EPEL repository here
  • If you don’t already have a server, I’d strongly recommend starting with DigitalOcean

Find Out Who Registered A Domain Name

The Internet is an amazing place where we can expand our knowledge – or – just look pictures of animals with funny captions, but have you ever wondered to yourself who owns that domain, who took the time to build that amazing website, see if a business is legit or maybe you just want to learn a new nerdy skill?

A domain name can be registered by anyone so long as its available and not registered to anyone else, and can be bought at anytime through hundreds, thousands or maybe millions of companies known as domain registrars. The job of a domain registrar is to take money and convert it into domain registrations as they are essentially the middle men between the domain registries (the top dogs of the domain world, the owners of the bit after the dot) and ourselves.

When a domain is registered, regardless of the registrar used, contact details will always need to be provided. These details form what’s known as the legal registrant and can be either a company or an individual who will legally own the name for however long it has been registered for.

That’s great but what next? Well here comes the juicy bit! All that information is kept in a global database known as the WHOIS database (pronounced “who is”) which is free to browse and will give an insight into any domain registration.

Querying WHOIS

The following guide will show you step by step how to query the WHOIS database for free with no special software required. To keep things simple I will be using a website that I created which has a built in WHOIS tool.

  • First things first we need to head to the WHOIS tool, click onto the following link or type it into your address bar directly: http://www.nerdtools.co.uk/whois/
  • Once the website loads you’ll see a box where it asks you to enter a domain name, enter the domain which you would like to query and press Enter or the “Let’s do this! >” button
    whois-query-1
  • After a few seconds you’ll be redirected to a new page that shows the domain details in a similar format to one shown below:
    whois-query-2
  • As  you can see from the screenshot above a lot of information is returned, so much that it doesn’t all fit on screen without scrolling but once you read through you will easily see who owns the domain, when it was registered, when it expires and other useful information

Notes

  • In the example above you can see no “Registrant’s address” is returned, this is because its a .UK domain and Nominet (the registry behind all .UK domains) allow the address to be hidden for any non-trading individuals, but with domains such as .COM, .NET, .ORG the information will always be available
  • Depending on the domain name things may look a little different to the one in the example
  • Any changes to a domains details can take up to 24 hours to show so things may not always be accurate
  • There are strict terms that need to be followed when it comes to using the information returned from a lookup and these can be found usually be found at the bottom – It’s not shown in the screenshot as it was so big, to see them click here and scroll down
  • Sometimes registrars offer a privacy package that will hide the registrants contact information and replace it with the registrars instead, if you see a domain like this that’s trading as a business stay well away as it could be up to no good!

Encrypted AES VPN tunnel between pfSense 2.3 and Draytek 2830

For a long time now I’ve managed several VMware ESXi servers and for easy management I’ve created a local area network on each making backups, monitoring and the usual sysad tasks a breeze.

The icing on the cake is that I recently swapped from m0n0walll to pfSense and went about setting up a lan to lan VPN tunnel to my home network, so now I can access everything locally as if I was on the same network.

Home Network

My home network uses a Draytek 2830 connected to a Virgin Media Superhub. Unfortunatley the Draytek is getting on a little bit now and doesn’t have the processing power to deal with my 100mbit connection speed, so I’ve had to double NAT the network using the Superhub in router mode and then DMZ everything towards the Draytek.

This isn’t a bad thing though as all the “dumb” wireless devices (mobile phones, Roku’s, Nest thermostat, etc) connect direct to the Superhub whilst my home server and everything crucial connect via the Draytek. All in all I get 70mbit through the Draytek on average and there’s plenty of bandwidth left for the devices connected to the Superhub.

In the example below the home network subnet will be 192.168.100.x

Remote Network

The remote network is pretty simple, they are all setup the same apart from x is a different number based on the virtual host name – a pfSense machine sits at x.1 and deals with traffic to the local network.

In the example below the remote subnet will be 192.168.150.x

Important

  • Each local area network must be on a seperate subnet, otherwise things can quickly get messy and conflict!
  • Make sure you use a secure pre-shared key, anything above 32 characters will do nicely
  • The example details below are fake, replace them with your own details if you want this to work

Configuring pfSense

The guide below lists only the parts you need to change, if the option isn’t listed then leave it as is

Fairly straight forward, go to VPN > IPSec > Click Add P1

  • Enter the Remote Gateway as the WAN IP address of the Draytek (or the Superhub in my case)
  • Enter a brieft description in the Description box
  • If you are double NAT’d like me select Peer identifer as KeyID tag then enter the WAN2 address of Draytek else leave as Peer IP address
  • Enter your pre-shared key in the Pre-Shared Key box
  • Press Save

That’s your Phase 1 entry configured, now for Phase 2:

Go to VPN > IPSec > Click on Show Phase 2 Entries for Home

  • Enter Remote Network as the home network subnet – 192.168.100.0/24
  • Put a brief description in the Description box
  • Set PSF Key Group to 2
  • Press Save and then hit Apply Changes

Finally, we need to create a firewall rule to allow traffic to pass over the VPN:

  • Go to Firewall > Rules > IPSec and click Add
  • Change Protocol to any
  • Enter a brief description in the Description box
  • Press Save any hit Apply Changes

Configuring the Draytek

Now it is time to configure the Draytek – Go to VPN and Remote Access > LAN to LAN

For Common Settings:

  • Enter a Profile Name
  • Tick Enable this profile
  • Make sure Call Direction is set to Both

For Dial-Out Settings:

  • Set type of server to IPSec Tunnel
  • Enter the Remote WAN IP in the Server IP/Hostname for VPN box
  • Enter the pre-shared key set previously in the Pre-Shared Key box
  • For IPSec Security Method set it to High (ESP)AES with Authentication
  • Under Advanced set IKE phase 1 propsal to AES256_SHa1-G14 and IKE phase 2 proposal to AES256_SHA1 then press OK

For Dial-In Settings:

  • Set the Allowed Dial-In Type to IPSec Tunnel
  • Tick the box to Specify Remote VPN Gateway and enter the remote network WAN IP
  • Enter the pre-shared key set previously in the Pre-Shared Key box
  • For IPSec Security Method untick all apart from High (ESP) – AES

Under TCP/IP Netowrk Settings:

  • Set Remote Network IP as the remote network subnet – 192.168.150.0

Hit OK at the very bottom to save the profile, leave it a few seconds and it should connect. If it doesn’t connect automatically, head to the IPSec Status page in pfSense and hit Connect manually

Webmin 1.610 on CentOS 5.8 (x86)

The following commands can be used to install Webmin 1.610 on CentOS 5.8. Make sure you’re logged in as root and then follow the steps below.

Select a temporary directory to save the download to. We will only use the downloaded file once so it’s pointless keeping it.. free up space and put it in /tmp!

cd /tmp

Begin the download of Webmin using wget:

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.610-1.noarch.rpm

Install Webmin by unpacking the archive:

rpm -Uvh webmin-1.610-1.noarch.rpm

Done! You can now login to your fresh installation of Webmin by heading to http://hostname-or-ipaddress:10000 using the root username and password.

Notes

  • You can download the file used in the example above by clicking here
  • If you don’t have a server to try this on I’d recommend DigitalOcean hands down – virtual servers start from $5 a month

WordPress & Spam: Key’s Solution

Recently I began to see an increase in malicious login attempts to my servers from bots (ie. automated attempts to login via FTP, POP/IMAP, SSH and so on) which gave me an idea for a new side-project on NerdTools known as the Bad Bots Intrusion & Spam Detection database.

After a few hours of developing a database was generating before my eyes of all the bad bots and their failed attempts, which then got me thinking, aside from using the database with a firewall can this be intergrated with WordPress to stop spam before its even posted?

A few more hours developing and I have now created two plugins which are listed in the WordPress extension directory. One is called NerdTools Bad Bots Spam Reporter which cleverly and annonymously reports the IP address of an author whenever a comment is classed as spam, and the other is called NerdTools Bad Bots Spam Defender which again annonymously screens every authors IP address against the database and if a match is found it won’t allow the comment to be saved.

Going a little deeper into the reporting plugin; when a comment is classed as spam the authors IP address is reported to the database but it won’t be entered straight away, our system will wait and see if any patterns form, if so it will then be entered and further comments will not be allowed.

It may seem madness having two seperate plugins to work as one but I didn’t want to force people into reporting comments if they don’t want to and vice versa with the defending plugin.

In terms of infrastructure the database is hosted on a high performance SSD server which has memcache enabled. Future plans include clustered servers for even greater performance.

Not bad for a few hours work!

 

 

 

 

Server Security Tips

Whenever I deploy a new server I always ensure that any flaws which I’ve picked up from my few years of server experience are fixed, leaving the new server as secure as can be and ready for use.

Below are a few tips for keeping your server as secure as can be:

  • Have a secure root password – Use something random and at least 8 characters long
  • Use non-default ports – Change the default port for services commonly targeted by bots or attackers such as SSH
  • Check your logs – Look for authentication failures and put the related IPs in a block or reject rule using iptables
  • Process users – Make sure processes have their own users and aren’t ran as root

More tips will be added once I remember them!