Server Security Tips

Whenever I deploy a new server I always ensure that any flaws which I’ve picked up from my few years of server experience are fixed, leaving the new server as secure as can be and ready for use.

Below are a few tips for keeping your server as secure as can be:

  • Have a secure root password – Use something random and at least 8 characters long
  • Use non-default ports – Change the default port for services commonly targeted by bots or attackers such as SSH
  • Check your logs – Look for authentication failures and put the related IPs in a block or reject rule using iptables
  • Process users – Make sure processes have their own users and aren’t run as root
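As an added example (not from the original post), a small script for the log-checking tip: it counts SSH authentication failures per source address in OpenSSH-style log lines and prints the matching iptables rules for review rather than applying them; the log lines are constructed sample data and the failure threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: pick out source addresses with
# repeated SSH authentication failures and emit matching iptables DROP rules.
# Assumes the OpenSSH "Failed password" log format; the lines below are
# constructed sample data, not a real log.

SAMPLE_LOG='Mar  3 02:14:01 web1 sshd[2210]: Failed password for root from 198.51.100.23 port 51022 ssh2
Mar  3 02:14:03 web1 sshd[2210]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  3 02:14:05 web1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51041 ssh2
Mar  3 02:14:09 web1 sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 40011 ssh2
Mar  3 02:15:12 web1 sshd[2220]: Accepted publickey for deploy from 192.0.2.10 port 50200 ssh2
Mar  3 02:16:44 web1 sshd[2231]: Failed password for deploy from 192.0.2.10 port 50222 ssh2'

# Print "count ip" for every source address with at least $1 failures,
# reading log lines from stdin (normally /var/log/auth.log or /var/log/secure).
failed_login_ips() {
    threshold="$1"
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address always follows the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") hits[$(i + 1)]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Turn the offending addresses into iptables commands. They are only printed,
# so the list can be reviewed before anything is applied to the firewall.
emit_iptables_rules() {
    threshold="$1"
    failed_login_ips "$threshold" | while read -r count ip; do
        printf 'iptables -A INPUT -s %s -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# Run the detection over the constructed sample log.
sample_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | failed_login_ips "$1"
}

printf '%s\n' "$SAMPLE_LOG" | emit_iptables_rules 3
```

Against a live system, `failed_login_ips 5 < /var/log/auth.log` gives the addresses worth a block rule.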

More tips will be added once I remember them!

Unstick a LinkStation Disk Backup

Imagine this… you have two decent network attached storage boxes which regularly back up one to the other using a built-in Disk Backup tool – brilliant huh, sounds almost like a nerdy dream! Now imagine part way through a backup you get a power cut or you just trip over the power cable, ripping the plug out of the wall… not to worry, things will pick up where they left off… unless those decent boxes are Buffalo LinkStations!

I first discovered this flaw a few weeks back when one of my nightly backups seemed to be taking longer than usual. I gave the box about a day or so to try and fix itself, but the admin interface still said the disk backup was in progress and I was unable to cancel or remove the backup, so it was pretty much stuck as you can see below:


I headed to the official Buffalo support website which seemed to have a fix for this common problem – See for yourself below:

Okay so you have to restore the box to factory defaults… no thanks! I can only assume that because the HS-DHGL is one of their older discontinued products they just can’t be bothered to make a firmware update as it’s not worth their time or effort, but the other option is to use SSH to edit a file which will force the backup to complete.

Getting Unstuck

The following guide assumes you have already enabled SSH and are logged in ready to go; if you haven’t yet enabled SSH, see this post here.

  • First of all we need to locate the backup configuration file. Which file depends on the job number shown in the admin interface; in my case it was number 1, so the following command opens it in a text editor:
    • vi /etc/melco/backup1
  • You will now see the configuration file open, hit I (for indigo) on your keyboard to allow inserting of new text and change the line status=running to status=done
  • Hit the Escape key and then type :wq to save your changes and quit
  • Head back to the admin interface to the Disk Backup section and you’ll now see the backup showing as complete as seen below:
  • That’s it – The backup is unstuck, and we haven’t had to restore anything to factory defaults!

Notes

  • This has been tried and tested on the following models/firmware: HS-DHGL/v2.1
  • Finally, if you could let me know if you encounter any problems or can confirm if this works for other models I’d be grateful

Encrypted AES VPN tunnel between pfSense 2.3 and Ubiquiti EdgeRouter Lite

I recently retired my Draytek 2830 following a serious security flaw I discovered (that’s another post, stay tuned!) and took the plunge with a rather impressive looking Ubiquiti EdgeRouter Lite.

The other option was a rack mountable TP-Link TL-ER6020, although its maximum NAT throughput was only 180Mbps, it only had 128MB DDR2 memory and no clear CPU specs, and the web interface looked tired and very restricted. Pound for pound the EdgeRouter was cheaper and has a better spec: anywhere up to and over 600Mbps, 512MB DDR2 memory and a dual-core 500 MHz CPU. Although it isn’t rack mountable it was a no brainer with its modern web interface, and did I mention it can process 1 million packets per second?

The EdgeRouter also appeals to my inner nerd (you can no doubt tell) as you can program it via the web interface, command line or console connection, and you can remove features you don’t need to boost performance. For example, it may only have 3 gigabit ports, but you can do whatever you like with them! In my case I have it configured with 1 WAN port and the other 2 ports linked to two separate LANs. I will write a full review when I get the chance, but for now just take my word that it is the best router I have ever owned.

Anyway, to business!

Home Network

As before with the Draytek guide my home network is still double NAT’d but there isn’t a speed issue anymore. I do plan to eventually run everything via the EdgeRouter but first I need to install a few additional access points (I’m thinking a couple of airGateway-LR’s hidden in roof spaces will do, powered by PoE obviously!).

In the example below the home network subnet will be 192.168.100.x and the WAN address will be 1.2.3.4

Remote Network

The remote network is the same as before too – a pfSense machine sits at x.1 and deals with traffic to the local network.

In the example below the remote subnet will be 192.168.150.x and WAN address will be 5.6.7.8

Important

  • Each local area network must be on a separate subnet, otherwise things can quickly get messy and conflict!
  • Make sure you use a secure pre-shared key, anything above 32 characters will do nicely and under no circumstances use the example key!
  • The example details below are fake, replace them with your own details if you want this to work

Configuring pfSense

The guide below lists only the parts you need to change; if an option isn’t listed then leave it as is. Anything to do with double NATing is in red, ignore this if your router is WAN facing.

Fairly straightforward, go to VPN > IPSec > Click Add P1

  • Enter the Remote Gateway as the WAN IP address of the EdgeRouter (or the Superhub in my case) 1.2.3.4
  • Enter a brief description in the Description box – VPN to pfSense LAN
  • Select Peer identifier as KeyID tag then enter the WAN address of the EdgeRouter (192.168.100.1), else leave as Peer IP address
  • Enter your pre-shared key in the Pre-Shared Key box – testing123
  • Set the DH Group to 14
  • Press Save

That’s your Phase 1 entry configured, now for Phase 2:

Go to VPN > IPSec > Click on Show Phase 2 Entries for Home

  • Enter Remote Network as the home network subnet – 192.168.100.0/24
  • Put a brief description in the Description box – Home
  • Set PFS Key Group to 14
  • Press Save and then hit Apply Changes

Finally, we need to create a firewall rule to allow traffic to pass over the VPN:

  • Go to Firewall > Rules > IPSec and click Add
  • Change Protocol to any
  • Enter a brief description in the Description box – Allow VPN Traffic
  • Press Save and hit Apply Changes

Configuring the EdgeRouter

First of all make sure you are running the latest firmware otherwise options may be missing and this may not go smoothly! Currently (March 2017) I’m running EdgeRouter Lite v1.9.1.

Configuring the EdgeRouter is pretty straightforward, you don’t need to do anything via command line or console (unless you really want to, knock yourself out!) – Go to VPN > IPSec Site-to-Site

  • First tick the box Show advanced options to show the encryption options
  • Under Global Options leave Automatically open firewall and exclude from NAT ticked unless you want greater control over who can connect in
  • Under Site-to-site peers enter the Peer as the home WAN address – 5.6.7.8
  • Put a brief description in the Description box – Remote
  • In local IP enter any
  • For Encryption set AES-256
  • In Pre-shared secret enter the key set previously – testing123
  • Enter the Local subnet as 192.168.100.0/24
  • Enter the Remote subnet as 192.168.150.0/24
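For anyone who does prefer the command line, here is the same peer expressed as EdgeOS configure-mode commands; this is an added illustration, not the author’s configuration, and assumes EdgeOS 1.9.x syntax, with FOO0 as an arbitrary group name and the IKE/ESP hash algorithms left at their defaults, so check that they match what pfSense shows for the Phase 1 and Phase 2 entries.

```text
configure
# Phase 1 (IKE): AES-256 and DH group 14, as set on the pfSense P1 entry
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 proposal 1 encryption aes256
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
# Phase 2 (ESP): AES-256 with PFS group 14, as set on the pfSense P2 entry
set vpn ipsec esp-group FOO0 proposal 1 encryption aes256
set vpn ipsec esp-group FOO0 pfs dh-group14
# The global option left ticked above; the author disabled it and used a
# source-restricted NAT rule for UDP 4500 instead (see below)
set vpn ipsec auto-firewall-nat-exclude enable
# The peer: remote site's WAN address, shared secret and the two subnets.
# Replace testing123, the post's example key, with your own 32+ character secret.
set vpn ipsec site-to-site peer 5.6.7.8 description Remote
set vpn ipsec site-to-site peer 5.6.7.8 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 5.6.7.8 authentication pre-shared-secret testing123
set vpn ipsec site-to-site peer 5.6.7.8 ike-group FOO0
set vpn ipsec site-to-site peer 5.6.7.8 local-address any
set vpn ipsec site-to-site peer 5.6.7.8 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 5.6.7.8 tunnel 1 local prefix 192.168.100.0/24
set vpn ipsec site-to-site peer 5.6.7.8 tunnel 1 remote prefix 192.168.150.0/24
commit
save
exit
```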

All being well you should end up with something like below:

Once everything is saved, head over to the pfSense IPSec Status page and hit connect if it hasn’t already established, and there you have it!

At this point you may be asking why I unchecked the option to Automatically open firewall…; this is because I like to have greater control over which IP addresses are allowed access to my network.

To substitute for this option I created a rule in the NAT section translating UDP port 4500 to the router’s local IP address (192.168.100.1). In turn I set the Src Address Group of this rule to a list of predefined IP addresses, thus only allowing access to my networks from those and blocking the rest of the world.

My experience with KGUARD and the Mars Home NVR Combo Kit

I’ve had a KGUARD Mars Home NVR Kit installed at my house for just over a year now. I bought it from eBuyer and paid a little more than I should have, thinking it was a great investment that should last a good few years… it has been okay, but unfortunately the NVR side of it recently gave up the ghost.

The NVR initially started complaining about hard disk errors, randomly rebooted and is now just stuck on the boot up screen. Being familiar with embedded devices, it looked pretty bricked to me, but unfortunately there’s no obvious way to reflash the firmware. After a long email conversation with Danny Wu at KGUARD support, he wished me good luck at trying to reflash the firmware and has ignored me ever since; it would be okay, but he never actually told me how to get the box into recovery mode despite my asking a fair few times… I’ll try to fix the NVR at some point and if I have any joy I’ll write another post.

It’s not so bad right, you can still use the cameras?

In the meantime I installed iSpy Connect – recommended by my friend Chris at work – on my home computer and thought that if I nipped out to Maplins and bought a slightly overpriced TP-Link PoE switch I could simply swap cables over and have some sort of CCTV system working in no time… was I wrong! Turns out the cameras aren’t 802.3af compliant so it won’t work without a little adjustment.

I didn’t want to go and buy more kit without knowing the cameras would actually work, so I got an extension lead and a 12V 2A adapter trailing out of the window at 2am. After a bit of tinkering I managed to get a stream from one of the cameras – annoyingly the cameras have their own static IP addresses which are on a different subnet to my home network, and on reboot the settings revert back to default… adding a second IP to my network card sorted that.

The next day I nipped back to Maplins and got some PoE splitters; I popped into B&Q as well and got some IP rated junction boxes to cram everything into. After a bit of creativity the end result is that I can now use the KGUARD cameras, but I have to have a slightly ugly looking box alongside them to shelter the PoE splitter. It’s not too bad, but I’ve taken the opportunity to upgrade to some Trendnet TV-IP310PIs and you can really tell the difference.

PoE bodge

At least you won’t need to run new network cables?

Pah – Initially I wasn’t going to run new network cables as I thought the existing KGUARD ones would be good enough; unfortunately not. When I went to put the new camera’s waterproof connector in place I discovered that the existing KGUARD network cables only had 6 cores and just felt incredibly cheap. Not wanting to take risks, and to make things future proof, I ended up spending the best part of a day feeding new cables through the roof and under floors.

KGUARD network cable

Where’s the happy ending?

It does come eventually. Along the way I’ve eaten a “cheddar and ham toasty”, got Chris up a ladder, learnt how to run and terminate my own network cables and recycled the KGUARD cameras to cover blind spots that weren’t covered before – those last two with the help of Chris one Saturday – and learnt that ultimately you are always better off building your own system, as once you are past the year’s warranty neither the retailer nor the manufacturer could care less!

I was torn between iSpy and BlueIris for software – I ended up going with iSpy, which is open source but should really be classed as freemium. If you want to do anything useful (play back footage, watch remotely or receive email alerts) you have to upgrade to a premium version which is a monthly cost – not to worry though, I’m currently working on a VB program which will allow both live viewing and playback of pre-recorded files, and Chris is working on an alternative mobile app.

I can’t thank KGUARD enough for this valuable learning experience and I would strongly recommend that if you are thinking about getting a KGUARD system then look elsewhere! If I hadn’t had such good knowledge of networking and computing then I’d have ended up with one very expensive set of paper weights.

Fix TRENDnet TV-IP310pi Corroded PoE Connector

Following Storm Doris back in February 2017, one of my cameras at the back of my house stopped working. Part of the roof had been blown off (only a plastic cover, thankfully nothing more serious) which exposed the cable and allowed things to get a little damp.

On closer inspection the 3 far pins in the connector had corroded, as seen below (click any picture to see a bigger version):

I’m presuming the corrosion had been going on some time and the storm was the icing on the cake. I tried a mixture of WD40 contact cleaner followed by a strong acid based electrical cleaner and the pins had cleaned up nicely but it still wasn’t working.

What I was really trying to avoid was chopping the connector off completely as, after all, it is over £100 worth of camera, but that happened…

As you can see from above I opted for jelly crimps (scotch locks) as these are waterproof; the alternative was either a surface mounted punch-down box or an RJ45 coupler, both of which would have corroded over time and eventually left me with a broken camera again.

After making sure everything was working I wrapped the jellies in a fair amount of electrical tape followed by a healthy dose of vaseline.

I would have exposed more of the camera cable which would have made things look neater and given me more room to position each jelly connector but ultimately I wanted to cut as little as possible, and the fact it was now working again was a good enough excuse to leave it alone!

Colour Combinations

It came as no surprise that the camera didn’t use standard 568B colours, but here is the combination I used:

Key: 568B Standard Cable / TRENDnet Cable

  • Orange White / Orange
  • Orange / Yellow
  • Green White / Green
  • Blue / Grey
  • Blue White / Purple
  • Green / Blue
  • Brown White / Brown
  • Brown / White

I found the colours by referring to this guide here. I did manage to get the green and green white cables mixed up, however this hasn’t affected the camera in any way that I can tell. If it does ever cause a problem I will swap the cables around at the patch panel to avoid having to tamper any further.

A Sticky Problem with Glue Records and 1&1 Internet

Recently I had a tidy up of my hosting infrastructure which involved moving a slave DNS server from one IP address to another. The easy part was setting up the server and changing the existing DNS A record to point to the new IP address; the fun started when it came to updating the Glue record held with 1&1.

If you weren’t already aware, a Glue record is something set by the domain registrar (1&1 in this case) that points directly to the server where the domain’s DNS records are kept. This makes it possible to have domain names with nameservers that are a subdomain of the domain itself, for example nerdkey.co.uk could point to ns1.nerdkey.co.uk and ns2.nerdkey.co.uk.

The last time I’d updated Glue records with 1&1 was a good few years ago, but it was a simple case of logging into the control panel, searching for the domain, heading to the record for the subdomain, hitting an edit button and then changing the existing A record IP address for a new one. It wasn’t that easy this time round.

After a little trial and error and a lot of head scratching it seems that since they rolled out their new control panel it just isn’t possible anymore to set or update Glue records – you could see the records, don’t get me wrong, just not update them. Not to worry though, their technical support team will be able to update the records, right? WRONG! I emailed them several times, making things as clear as possible whilst at the same time thinking that their support advisers would be savvy enough to understand terms used within the industry they work in. It didn’t go too well.

In a nutshell, here is the correspondence between us:

  • [Me] – Outlined the domain, that I wanted Glue records updating and the exact subdomains and IP addresses
  • [Them] – Asked me to confirm if these changes had already been made as my website was working fine (not what I asked?)
  • [Me] – Sent a slightly reworded version of the first, again outlining the essential details and that it hadn’t been updated
  • [Them] – Confirmed that website was working fine again, asked me to clear my cache and reply with any error messages (did they even read the email?)
  • [Me] – Sent a similar email along the lines of the first and second stating that they are the domain registrar and this is something they need to do, again including the essential details
  • [Me] – Emailed them to see if any updates available
  • [Them] – Replied asking me to confirm that I wanted the NS2 record updated as well (because the last emails didn’t state that?)
  • [Them] – Responded saying the nameservers may possibly need to be reverted back to them for this to work, but they used a special “tool” instead and said to wait up to 48 hours
  • [Them] – Replied this morning (after the domain was transferred and Glue set correctly with a different provider) saying that everything is now set correctly

Enough was enough; it got to a point where I’d given them over a week’s worth of my time and they’d done little more than send me a few standard responses and ask for confirmation which had already been given. My last attempt to regain faith in them involved changing the nameservers back to them to see if it would work and allow me to set the records. It partly did – I managed to set the NS1-4 subdomains to the correct A records, then updated the domain’s nameservers to another provider temporarily straight after to avoid any downtime and left it a few hours. I came back a few hours later and tried to set the nameservers back to ns1-4.koserver.co.uk but got an error message saying the nameservers weren’t registered, and found out that the update to the temporary nameservers hadn’t taken effect, slowly grinding my entire hosting network to a halt – great!

I know I hadn’t waited the standard propagation times, but given the past experience and useless support and the fact that everything was slowly grinding to a halt, it was time to transfer. After research I’d narrowed things down to two providers – I wanted to give Name.com a try, but as their system for transferring in .UK’s wasn’t automated I abandoned that plan and went for NameCheap. Within an hour the domain was with them and Glue records were set through the control panel and things are slowly coming back online.

In all my years of website hosting I have never had such a catastrophic outage, aside from looking into a second domain to host nameservers all my domains with 1&1 will be transferred elsewhere.

So in summary, if you know what you’re doing don’t go with 1&1. You’ll be treated like an idiot and just waste your time throwing emails back and forth with them. They don’t really read your emails, and the fact they removed such a critical feature without telling anyone speaks volumes in my opinion; I mean, they still have an old support article on how to set Glue records, which obviously doesn’t work. It is a shame, but that’s life.


Connect Directly to SunLuxy Camera Streams

For a while now I’ve used a cheap SunLuxy H.264 DVR as the heart of the CoopCam project. Initially I couldn’t get a direct link to the camera stream, so I had to screen-capture the bog standard web interface using VLC and break the feed down into separate streams, but recently, after a fair bit of trial and error, I discovered a much easier solution!

I had researched on and off for months, went through masses of trial and error with various software and ultimately found no solution, but after being inspired again I headed to the DVR’s web interface to start from scratch. I stumbled across source code in a file called /js/view2.js that constructs an rtmp:// address to show live camera feeds through the web interface’s Flash player – see the snippet of code below:

dvr_viewer.ConnectRTMP(index, "rtmp://" + location.host, "ch" + index + "_" + (dvr_type=="main"?"0":"1") + ".264");

After removing the jargon the link came out as rtmp://dvraddress:port/ch#_#.264, with the first number being the channel you want to connect to (starting at 0) and the second being the stream (1 for the substream and 0 for the main stream).

I headed to VLC player, selected Open Network Stream and entered the following:

rtmp://192.168.0.100:81/ch0_0.264

Broken down, you can see my DVR is on the local network as 192.168.0.100 at port 81 and that I wanted to view channel 1’s main stream; lo and behold, after a few seconds the camera started to play!
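As an added example (not part of the original post), a shell helper that rebuilds the address the same way view2.js does, checking the channel and stream arguments before they go into a URL and listing every channel of a multi-channel DVR; the host, port and channel count are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the RTMP address the
# DVR's view2.js produces, with the channel and stream arguments validated
# before they are placed in a URL. The host, port and channel count used at
# the bottom are constructed sample values.

# sunluxy_url HOST:PORT CHANNEL STREAM
# CHANNEL is the 0-based index used in the URL (the DVR's channel 1 is ch0),
# STREAM is "main" (0) or "sub" (1), mirroring dvr_type in the DVR's script.
sunluxy_url() {
    host="$1"; channel="$2"; stream="$3"
    case "$channel" in
        ''|*[!0-9]*) echo "channel must be a non-negative integer" >&2; return 1 ;;
    esac
    case "$stream" in
        main) code=0 ;;
        sub)  code=1 ;;
        *) echo "stream must be 'main' or 'sub'" >&2; return 1 ;;
    esac
    printf 'rtmp://%s/ch%s_%s.264\n' "$host" "$channel" "$code"
}

# sunluxy_all_channels HOST:PORT COUNT STREAM
# One URL per channel for a DVR with COUNT channels, ready to paste into VLC
# (or feed to rtmpdump/ffmpeg) one at a time.
sunluxy_all_channels() {
    host="$1"; count="$2"; stream="$3"
    i=0
    while [ "$i" -lt "$count" ]; do
        sunluxy_url "$host" "$i" "$stream" || return 1
        i=$((i + 1))
    done
}

# Sample run for a 4-channel DVR at the address used in the post.
sunluxy_all_channels 192.168.0.100:81 4 main
```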

Notes

  • To convert the stream to something more useful you could use rtmpdump and ffmpeg on Linux systems – I’ll write another guide about that shortly
  • If you do something wrong and overload the DVR then you’ll hear a beep as the box reboots
  • If this works for you please comment your DVR make and model

Review of Oak Tree Dental Practice in Stourbridge

I became a patient at Oak Tree Dental Practice after my current dental practice at the time was going through some major changes and didn’t seem to be offering a good enough service. As part of a management change I was given a checkup and told I would need 6 fillings (3 existing and 3 new that needed redoing) but I couldn’t get an appointment for months, meanwhile I was still paying a monthly Denplan fee and worrying that I would eventually have no teeth and no one seemed to be taking it seriously.

I took the plunge and went to see Mr Jonathan Edward Swinscoe for a “free” checkup. I ended up paying £35 for the apparently free checkup, but he comforted me and said he could get all the fillings done in one go. I transferred my Denplan contract to him which cost £15 and the plan was to wait until the next month when the transfer was complete so the work would be done at no extra cost.

The time came for my appointment and I have to be honest I was dreading it. I had a while to think back about what Jonathan said and it just felt too good to be true, but it was too late to back out now. It didn’t help that the receptionists were too busy gossiping and dancing away to the radio, they seemed frustrated that the whole waiting room wasn’t joining in with them.

The time came where Jonathan called me in, he sat me down on a damp dentist chair that had just been cleaned and then injected, no questions about what medication I was on, no explanation of what is going to happen or anything like that, literally pain killer was injected and I was sent back out to the waiting room. He didn’t seem in a talkative mood thinking back now.

After he saw another client I was taken back into the room to the yet again damp dentist chair. The nurse was out of the room but Jonathan started drilling out my teeth by himself. He had the drill in one hand and suction tube in the other and choked me several times as he wasn’t removing the water quick enough but luckily the nurse came back and took over.

It is worth mentioning at this point that he didn’t have any gloves on and he didn’t give me any protective eyewear, meaning my £200 glasses were almost destroyed.

I thought things couldn’t get any worse at this point, but then he started being incredibly rough, to the point where I had to keep stopping him because of the pain and was physically shaking. Each time he stopped he would start again straight away and it soon became obvious that he was rushing drilling out the teeth to get them all done in time. I was really worried that he would drill too far and hit a nerve, but luckily that didn’t happen!

After the drilling had finished he stopped and made a sexist comment in front of his female nurse and myself, he said “Not only women have bad days you know!” so now it felt like he was having a bad day and taking it out on me? Great!

He then started putting the fillings in place, again he was rough, applying a fair amount of pressure jolting my neck around for each filling. He put his palm flat on my head which wasn’t very comfortable but at this point I just wanted to get out of there. He just didn’t seem to care, but then again he was having a bad day, so that’s okay then?

After all the fillings were done he literally scooted off to his computer and ignored me, he didn’t explain any care instructions, what had been done or anything, I literally got blanked which was rude. The nurse then asked me to move off the chair so she could wipe it down and then whisked me (still shaking) to a small table in the corridor and offered to sign me up for Denplan. I explained with a numb mouth that I had already transferred to him and then went out the reception where I was told I would need to pay and again had to explain.

I finally got to the safety of my car still shaking and it is safe to say I will never ever be setting foot back in that practice ever again and I will never ever recommend it to anyone.

To add insult to injury I have been left with really sensitive teeth and can no longer drink really hot or really cold drinks. I have also had to have the fillings adjusted by another dentist as they were poorly fitted causing “the battery effect”.

To be clear, this review is about Oak Tree Dental Practice, 78 Bridgnorth Road, Wollaston, Stourbridge, DY8 3PA and is not to be confused with practices of a similar name.

Disable Virtualmin Two-factor Authentication

Virtualmin is constantly being developed and gaining ever more useful features, and for a while now has featured two-factor authentication, which is great, although what happens if you get locked out of your system? As long as you have SSH or console access then you can follow the steps below to easily get back in.

Disabling two-factor authentication for a single user

  • Get root SSH or console access
  • Edit the file /etc/webmin/miniserv.users, comment out the current line for the user then create a fresh copy above it
  • Remove any mention of “totp” and the long string of characters near the end and save; your file should now look like the following, for example:
...
root:x::::::::0:0:::
#root:x::::::::0:0:totp:ZZZZZZZZZZZZZZZZ:
...
  • Restart Webmin and log back in normally

Disabling two-factor authentication entirely

  • Get root SSH or console access
  • Edit the file /etc/webmin/miniserv.conf and find the line “twofactor_provider=totp” and replace with “twofactor_provider=” and save
  • Edit the /etc/webmin/miniserv.users as mentioned above
  • Restart Webmin and log back in normally
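Both file edits above can be scripted. This added example (not from the original post or from Webmin itself) rewrites a miniserv.users entry the way the single-user steps describe and blanks twofactor_provider in miniserv.conf, working on stdin so the output can be checked before it is copied over the real files; the sample file content is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: strip the TOTP two-factor fields
# from a Webmin miniserv.users entry as the post describes doing by hand,
# keeping the original line commented out directly below the new one.
# The sample content is constructed; the real file is /etc/webmin/miniserv.users.

SAMPLE_USERS='root:x::::::::0:0:totp:ZZZZZZZZZZZZZZZZ:
deploy:x::::::::0:0:::'

# strip_totp USER  (miniserv.users content on stdin)
# Fields are colon separated; the 2FA provider name "totp" and the secret in
# the field after it are both blanked, so every colon stays in place and a user
# without 2FA is passed through unchanged.
strip_totp() {
    awk -F: -v user="$1" -v OFS=: '
        $1 == user {
            for (i = 2; i <= NF; i++) if ($i == "totp") {
                original = $0
                $i = ""; $(i + 1) = ""      # provider name, then its shared secret
                print $0
                print "#" original          # keep the old line for reference
                next
            }
        }
        { print }
    '
}

# disable_twofactor_conf  (miniserv.conf content on stdin)
# Turns twofactor_provider=totp into twofactor_provider= for the "entirely" case.
disable_twofactor_conf() {
    sed 's/^twofactor_provider=.*/twofactor_provider=/'
}

# Run the rewrite over the constructed sample for the root user.
strip_totp_sample() {
    printf '%s\n' "$SAMPLE_USERS" | strip_totp root
}

strip_totp_sample
```

On a real box the flow is `strip_totp root < /etc/webmin/miniserv.users > /tmp/miniserv.users.new`, inspect, copy back, then restart Webmin as the steps say.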

Notes

  • I’ve had success with this on Webmin 1.760 running on CentOS 7.0

How to List the Contents of a Web Directory

Any good web host will secure the contents of website directories which don’t have an index page by not allowing the files or folders to be listed; instead you’ll get a 403 error page saying access is forbidden. Whilst this is good in practice, sometimes you might actually need to list the contents – and it’s simple to enable on an Apache web server – add one line to your .htaccess file and you’re done!

How it’s done

Options +Indexes

Notes

  • If you have access you can edit your web server configuration and make it global