Snort setup in pfSense: details

Posted: November 10th, 2016 | Filed under: FreeBSD, pfSense, Snort

Snort is an open source intrusion detection system that is available as a package on pfSense. This means that most aspects of it, from rule selection to system tuning, can be configured through the pfSense GUI.

What does Snort do? Once you have defined your networks (e.g. your local LAN and the WAN), Snort inspects the packets on those segments against the rules you have given it. When a packet matches a rule (e.g. I get “ET SHELLCODE Possible Backslash Escaped UTF-8 0c0c Heap Spray” while using git), Snort writes an alert to its log and (optionally) blocks the IP address involved.

What doesn’t Snort do? It is not a firewall. The rules I mention here are separate from the firewall rules; in this setup Snort works alongside pfSense, which does the actual blocking. You can also install it separately on OpenWRT etc., or run Snort on another computer or on a bridge.

While the setup via pfSense is straightforward, there are a few gotchas I would like to point out so that people can avoid them:

  1. Make sure your Snort computer has enough horsepower. I know a lot of readers of this blog come from the OpenWRT world, and I wouldn’t recommend running Snort on anything slower than a second-generation Core processor. I say this because I ran it via pfSense on a Thinkpad T410, which has a first-generation Core, and it overheated and shut down at 85°C. Memory doesn’t matter much (4 GB should be more than enough) but CPU horsepower does. The second-generation machine stabilizes around 47°C with ordinary network traffic but has climbed to 60-70°C when the whole family is online.
  2. For the first little while, be prepared to check the Alerts and Blocked lists. The canned rules save you, but they will also give false alarms, so you have to be prepared to spend time (at least initially) monitoring things. When a site you used to be able to access stops working, check the Alerts log: Snort may have blocked it. For example, Snort would block 213.230.210.230 and report “ET CNC Feodo Tracker Reported CnC Server TCP group 13”; it turns out that 213.230.210.230 hosts one of the ad-list repositories. So some care must be taken to monitor the traffic, at least initially.
  3. Enable only the rule categories you need, once you are sure which those are. Under the Categories section for each interface you can pick and choose which rule sets Snort applies to each packet. If you are using a Linux machine with Chrome only, you can disable the IE rules, and so on.
  4. Adding or suppressing IP addresses and rules takes a few seconds to apply, so be patient.
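
The kind of suppress-list entry the Feodo Tracker false positive above calls for, in Snort’s own threshold/suppress syntax, as an added example rather than anything from the original post. pfSense writes entries like these for you when you use the suppress icons on the Alerts tab and keeps them under Services -> Snort -> Suppress; <SID> is a placeholder, so read the real GID:SID pair from the Alerts tab before adding an entry.

```text
# Added example; <SID> is a placeholder for the signature ID shown in the
# GID:SID column of the Alerts tab.

# Narrow: silence the rule only when the destination is the ad-list host.
# It keeps firing for any other destination, which is what you want for a
# real CnC rule.
suppress gen_id 1, sig_id <SID>, track by_dst, ip 213.230.210.230

# Broad: silence the rule everywhere. Only do this for rules you have
# decided you do not care about at all.
suppress gen_id 1, sig_id <SID>

# Middle ground: keep the alert but log at most one event per source
# address per minute, so a chatty rule cannot flood the log.
event_filter gen_id 1, sig_id <SID>, type limit, track by_src, count 1, seconds 60
```

Suppressing by destination rather than blanket-disabling the rule is the difference between tolerating one known ad-list host and going blind to that CnC signature entirely.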

Useful References:
The pfSense forum has a great section on IDS.
They also have a “crowd fueled” Suppress list, which is extremely handy for newcomers to get rid of the most common false positives.


0x8024800c error after Windows 7 restore for Lenovo machines

Posted: July 9th, 2016 | Filed under: Windows, Windows 10, Windows 7

I always find that doing a clean restore of a computer is important when upgrading to a new OS. Since Windows 10’s free upgrade deadline is near, I thought I would document the workaround for the 0x8024800c error when restoring Windows 7. It usually happens after a clean install: Windows Update (or installing a .msu) won’t work.

  1. Use the Lenovo discs to restore Windows 7.
  2. Do the initial setup.
  3. Go to Administrative Tools -> Services.
  4. Find the Windows Update service, right-click it and select Stop.
  5. In Windows Explorer, find Windows\SoftwareDistribution and delete that directory (I empty the Recycle Bin too).
  6. Go back to the Windows Update service and start it again.
  7. I would restart the machine.

Now Windows Update etc. will work fine.


Bypass a Lost EFI Password on Post-2010 MacBooks

Posted: June 26th, 2016 | Filed under: EFI, Mac

Recently one of my friends ran into a problem (albeit a self-inflicted one). My friend has a MacBook Air (late 2010) that was bought used. Unbeknownst to the purchaser, an EFI password had been set and wasn’t handed over at the time of purchase. The problem arose when my friend wanted to sell the MacBook Air after years of service to upgrade to something better. You can’t wipe and reinstall the OS with the EFI password set (it won’t boot from USB or into Recovery without the password), and swapping out the SSD or reinstalling macOS on another machine won’t work either. The Apple Store would not reset the EFI password without proof of purchase (which is reasonable). So I investigated what other solutions were possible.

EFI stores the password along with the system settings (e.g. SSD ID etc.) on a memory chip on the MacBook’s logic board. It is probably the most out-of-place chip on the whole board: it is rather large, with 8 thick pins, compared to the sleek low-profile BGA chips elsewhere on the board.

If the MacBook was purchased second hand with an EFI password set and the owner has no Apple Store records, here are some sensible ways* to bypass it. I describe the procedures in general terms, as each model has its own peculiarities and not all methods work for all models:
1. Buy an adaptor that lets you reprogram the EFI chip in place through its SPI pins. There are plenty of YouTube videos demonstrating this. The problem is that getting at the chip while it is being written can cook the whole board. I find this solution messy, as you sometimes have to flip the board over to proceed.
2. If you have access to an SMT rework tool, you can desolder the offending chip, dump its contents, program a new chip without the password and solder that one in. It will leave chemical marks on the logic board. In Canada the service costs $120 and up. That’s the most physically invasive method.
3. Purchase a bypass tool (called a Matt Card by its manufacturer). It is basically a compatible chip that piggybacks on the original EFI chip via the SPI lines. It copies the original EFI contents when first plugged in, removes the password from that copy, and sets the chip on the board to read-only (via a fuse). The downside is that the card must stay paired to the MacBook forever for it to boot. Not the most elegant solution, but installing it takes only 10 minutes, and most of that is unscrewing the pentalobe screws on the MacBook Air. It costs roughly $90 CAD.

I went with method 3 since it is not my MacBook; I didn’t want to be the person explaining to my friend that the MacBook got toasted during the repair. As you can see from the picture, the card is a tight fit, but it seems to work well.

Conclusion: the best solution is prevention. If budget allows, always purchase your macOS devices directly from Apple so your account information is on their system. If your budget is limited and you have to buy a Mac through non-authorized channels (second hand etc.), check whether an EFI password is enabled by holding the Option key during boot (or any of the key combinations listed by Apple). If the screen looks like the first picture below, an EFI password is set. I recommend not buying a machine with the EFI password set.

Here are the pictures of the problem, chip pictures, installation and final results.

Link to Chipmunk International, the manufacturer of the Matt card.

* sensible as in not brute-forcing the password, which I don’t think is worthwhile, especially for EFI passwords that are not iCloud PIN locked.


pfSense & Snort

Posted: June 21st, 2016 | Filed under: FreeBSD, pfSense, Snort

pfSense has an option to install Snort via the package manager. Snort tells you what kind of attack is coming in, which can be a bit of an information overload. However, pfSense’s Snort GUI is quite intuitive and you can pick and choose which kinds of rules interest you.

When setting up Snort, I discovered that pfSense’s default sizes for the /tmp and /var directories are too small for Snort’s various rule sources, so the rule download fails part way through (the Snort rules tar.gz can be over 32MB).

The fix is really simple:

Go to System -> Advanced -> Miscellaneous and increase the /tmp and /var RAM disk sizes (I set mine to 64MB; the default is 32MB). Click “Save”; the box will reboot. Now try downloading the Snort rules again and it will work.

Simple! 🙂


Realtek RTL8111 ExpressCard works well with FreeBSD / pfSense

Posted: May 4th, 2016 | Filed under: Expresscard NIC, FreeBSD, pfSense, Realtek 8111

With the price of older Intel Core i-series laptops plummeting to the ~$100 level, I have decided to abandon OpenWRT and move to pfSense. I am not too comfortable with OpenWRT’s update mechanism, which requires a wholesale reflash for every major update. Not to mention that, due to inconsistencies between SoCs, every new model needs weird tweaks. I think pfSense is more flexible on the software side (the built-in FreeRADIUS, certificate management and captive portal are handy for guest WiFi); of course it requires more robust hardware. The downside is that the Thinkpad’s Centrino wireless card does not support HostAP mode due to power requirements, so I guess the old router is still good for something 😉

The obvious problem with laptops is that most of them come with a single Ethernet NIC. I am using a Thinkpad T420 as a test bed, so I picked up a Realtek RTL8111 ExpressCard as the second NIC. It wasn’t listed on any FreeBSD compatibility list, but I would like to report that a generic one works just fine (it is driven by FreeBSD’s re(4) driver). I found that the Thinkpad’s card slot doesn’t seat the card properly; I had to slip the card in and out a few times to get it seated, but once that’s done it works great.


Install FreeRADIUS2 on an OpenWRT router for EAP authentication

Posted: January 8th, 2015 | Filed under: freeRADIUS, OpenWRT

This tutorial requires an OpenWRT-based router (obviously). It is based on my experience installing FreeRADIUS2 on a Netgear WNDR3800. At the end you get a router with a built-in FreeRADIUS server, PEAP-protected WiFi authentication and user storage. I have had good experience with routers based on the Atheros AR7161 chipset: they are plenty quick, have plenty of RAM (usually 64MB – 128MB) and 8 – 16MB of flash.
Prerequisites:
I recommend doing a few things before you install FreeRADIUS2 and start configuring:

  • Log in to the OpenWRT web interface, go to System -> Startup and disable telnet. It is just good practice.
  • Unless you like editing files with vi on OpenWRT, install a text editor.
  • Install openssh-sftp-server so you can transfer the certificates and related files easily via sftp.
  • ssh into your router and install the OpenSSL utility:
    > opkg install openssl-util
  • Stay in the shell and create the CA and server certificates you are going to use with FreeRADIUS; skip this step if you already have a certificate from a CA you trust. Just upload it to a directory on the router you can remember.
  • Create the OpenSSL cacert.pem and server.pem certificates:
    1. Create the directory structure. Everything below lives in ~/CA (/root/CA); if you put it under /etc instead, it gets picked up by the stock backup utility.

      > mkdir ~/CA && chmod 700 ~/CA && cd ~/CA
      > mkdir certs newcerts private crl
      > touch index.txt
      > echo "01" > serial
      > echo "00" > crlnumber
    2. Copy /etc/ssl/openssl.cnf into ~/CA and edit it to your satisfaction. In particular, in the [ CA_default ] section set dir to /root/CA so that the directory variables match the structure above.

      > cp /etc/ssl/openssl.cnf ~/CA/
    3. Create a file called xpextensions with the following content and leave it in the directory where you put openssl.cnf. The two OIDs are the standard clientAuth and serverAuth extended key usages; Windows supplicants in particular refuse a RADIUS server certificate that lacks serverAuth.

      [xpclient_ext]
      # 1.3.6.1.5.5.7.3.2 = id-kp-clientAuth
      extendedKeyUsage = 1.3.6.1.5.5.7.3.2
      [xpserver_ext]
      # 1.3.6.1.5.5.7.3.1 = id-kp-serverAuth
      extendedKeyUsage = 1.3.6.1.5.5.7.3.1
    4. Create the CA key and certificate, and symlink the key into the private directory where openssl.cnf expects it (run from ~/CA):

      > openssl req -new -x509 -days 7300 -keyout cakey.pem -out cacert.pem -config openssl.cnf
      > ln -s ../cakey.pem private/cakey.pem
    5. Create the server certificate (keep track of all the passwords! Especially the in/out passwords at the last step; you need the “out” one for FreeRADIUS’s config.)

      > openssl req -config openssl.cnf -newkey rsa:4096 -keyout serverkey.pem -out servercert.req
      > openssl ca -config openssl.cnf -out servercert.pem -extensions xpserver_ext -extfile xpextensions -keyfile cakey.pem -infiles servercert.req
      > openssl pkcs12 -export -in servercert.pem -inkey serverkey.pem -out server.p12 -clcerts
      > openssl pkcs12 -in server.p12 -out server.pem
    6. Create the Certificate Revocation List, the DH parameters and the random file. 1024-bit DH is weak by today’s standards, so use 2048 unless the router is too slow to generate it. Reading 2MB from /dev/random can stall for a very long time on a router with little entropy; /dev/urandom is fine for this file.

      > openssl ca -config openssl.cnf -gencrl -out crl.pem
      > openssl dhparam -5 2048 -out dh
      > dd if=/dev/urandom of=random bs=1M count=2
  • The default wpad-mini does not support WPA-Enterprise (802.1X/EAP), so we need the full version of wpad.
    The step below is specific to routers based on the Atheros chipset, so consult the OpenWRT hardware list to make sure.
    Uninstall wpad-mini and install the full wpad. Some older instructions say to install hostapd instead, but that has been deprecated since OpenWRT 7.0.3 (see here).

    > opkg remove wpad-mini
    > opkg install wpad
  • Optionally install SQLite3, in case you have quite a few users and want to do accounting etc.

    > opkg install sqlite3-cli libsqlite3

Installation:
Copy and paste the following into the ssh shell.

> opkg install freeradius2 freeradius2-common freeradius2-mod-chap freeradius2-mod-detail freeradius2-mod-eap freeradius2-mod-eap-md5 freeradius2-mod-eap-mschapv2 freeradius2-mod-eap-peap freeradius2-mod-eap-tls freeradius2-mod-eap-ttls freeradius2-mod-exec freeradius2-mod-files freeradius2-mod-logintime freeradius2-mod-mschap freeradius2-mod-pap freeradius2-mod-passwd freeradius2-mod-preprocess freeradius2-mod-radutmp freeradius2-utils

Also the following if you want to use SQLite (I recommend this for test purposes for now).

> opkg install freeradius2-mod-sql freeradius2-mod-sql-sqlite freeradius2-mod-sqlcounter freeradius2-mod-sqllog

Small steps before configuration

  1. In LuCI under System -> Startup, click the Enabled button next to radiusd to disable it; if radiusd is running, click Stop.
  2. ssh in and edit /etc/init.d/radiusd: replace (or comment out) the line radiusd -i $IPADDR -p 1812,1813 $OPTIONS and replace it with radiusd $OPTIONS.

The reasoning for step 1 is that you will want to run radiusd -XX (debug mode) in the foreground while configuring and testing, and the init script would get in the way. Step 2 is needed because the stock script pins radiusd to the router’s network IP address only; we want the listen addresses to come from radiusd.conf so that it also listens on localhost, where the router’s own hostapd talks to it.

Configuration:
Unlike in the FreeRADIUS documentation, our configuration files are stored in /etc/freeradius2 instead of /etc/raddb or /etc/freeradius/.

Here is the list of files you will need to modify:

  1. radiusd.conf
    In this section you configure the listening ports and IP address:

    listen {
            type = auth
            ipaddr = 127.0.0.1
            port = 0
            interface = br-lan
    }

    In the above example, type is required; ipaddr and interface are recommended. If they are absent, radiusd will take its best guess.

    • type can be auth or acct, for authentication and accounting.
    • ipaddr is the address to bind to. Since hostapd on this router talks to the server locally, localhost is a must.
    • port is the port to listen on; 0 tells radiusd to use the standard port for the type (1812 for auth, 1813 for acct).
    • interface is the name of the network interface you want radiusd to listen on; on OpenWRT, br-lan is the bridged LAN virtual interface.

    If you want other APs on your network to authenticate against this server, add another listen block for this server’s LAN address.

  2. eap.conf
    Since we are going to use PEAP, you just have to go to the tls {} section and fill in the relevant information, i.e.:

    • certdir: the directory where the server certificate lives (see above)
    • cadir: the directory where the CA certificate lives
    • private_key_password: the “out” password used in the last step of the server.pem generation
    • private_key_file: the location of server.pem

    Make sure the files referenced in the lines after these (certificate_file, CA_file, dh_file, random_file) point at the files you generated. It is also worth setting default_eap_type = peap in the enclosing eap {} block: the stock default is md5, which cannot derive WPA2 keys, so clients only NAK it before negotiating PEAP anyway.
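
Here is how those settings sit in a trimmed eap.conf, as an added example rather than the post’s own file. It assumes the files created under ~/CA were copied into /etc/freeradius2/certs (so that they are covered by the /etc backup mentioned at the end of this post) and uses ChangeMe as a placeholder for the “out” passphrase; every line not shown stays as shipped by the package.

```text
# /etc/freeradius2/eap.conf, trimmed. Added example, not the post's file.
# Assumes ~/CA/{server.pem,cacert.pem,dh,random} were copied to ${confdir}/certs;
# "ChangeMe" is a placeholder for the "out" passphrase of server.pem.
eap {
        # Offer PEAP first. The stock default is md5, which cannot derive
        # WPA2 keys; clients only NAK it and negotiate PEAP afterwards.
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        max_sessions = 4096

        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = ChangeMe
                private_key_file = ${certdir}/server.pem
                # server.pem from the pkcs12 round trip carries both the key
                # and the certificate, so the same file serves both settings.
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/cacert.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
        }

        # Inner method tunnelled inside PEAP; this is what the
        # Cleartext-Password entries in the users file are checked against.
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
        mschapv2 {
        }
}
```

Keep the file root-only (chmod 600): private_key_password sits in it in cleartext, and anyone who can read it can impersonate the RADIUS server to every client that trusts cacert.pem.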

  3. clients.conf
    This file stores the information about the APs or other devices that may use this server for authentication. For our purposes we need localhost:

    client localhost {
            secret          = SomeSecretPhrase
            require_message_authenticator = no
            nastype     = other
    }

    You will need to enter the same secret in the WiFi security setup page.

    You can add other APs by their particular IP addresses, each with its own client block and its own secret; for those, set require_message_authenticator = yes so that a forged Access-Request from someone who does not hold the secret is dropped.
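
A client block for a second, remote AP, as an added example that is not part of the original post. The address 192.168.1.2, the client name and the secret are placeholders; the matching listen block on this router’s LAN address goes in radiusd.conf as described above.

```text
# /etc/freeradius2/clients.conf: entry for a remote AP. Added example; the
# address, name and secret are placeholders. Generate the real secret
# randomly and paste the same value into that AP's WiFi security page.
client ap-upstairs {
        ipaddr = 192.168.1.2
        secret = replace-with-a-long-random-secret
        # Access-Request packets carry no integrity check unless the NAS adds
        # a Message-Authenticator attribute (hostapd does). Requiring it means
        # a forged request from a host that does not hold the secret is
        # dropped instead of answered.
        require_message_authenticator = yes
        nastype = other
        shortname = ap-upstairs
}
```

One secret per AP also means that a compromised AP can be cut off by removing its block, without re-keying every other device on the network.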

  4. users
    This is the text file that stores user names and passwords, in cleartext (MSCHAPv2 inside PEAP needs the cleartext or NT-hash password to verify the client’s response, so keep the file readable by root only):

    "User name in quotes"       Cleartext-Password := "Password in quotes"
                     Reply-Message = "Hello, %{User-Name}",
                     Fall-Through = Yes

    Fall-Through = Yes lets radiusd keep processing later entries (e.g. a DEFAULT entry) after this one matches; without it, the first matching entry wins.

  5. sql.conf

    The setup is quite simple:

    sql {
      database = 'sqlite'
    }

    The default database always resides in /etc/freeradius2 and is called sqlite_radius_client_database.

    I don’t think SQLite is production ready yet for version 2 of FreeRADIUS. You can grab the schema and SQL files from the 3.0.x source tree, particularly under the freeradius-server/raddb/mods-config/sql directory.

    Put the SQL files in a directory you can access on OpenWRT and use the sqlite3 .read command to read and execute them.

    Reference to the SQLite CLI interface.

Configuring the WiFi interface:

    Go to Network -> Wifi in LuCI

  1. Select the Wireless Security tab under Interface Configuration
  2. Select WPA2-EAP
  3. Enter radiusd’s IP address in the Radius-Authentication-Server field
  4. Enter the secret (as typed in clients.conf) in the Radius-Authentication-Secret field
  5. Click Save and Apply

Test and Debug:
Open an ssh shell and type radiusd -XX. If the configuration is correct, a whole lot of text will fly by, ending with a message that radiusd is listening; now you can try to connect some of your wireless devices using the new WPA2-EAP / WPA2-Enterprise settings.

When you are happy with the settings, go back to System -> Startup and enable radiusd.

Backup:
A note about the Backup function under System -> Backup/Flash: it only backs up the /etc directory. Keep that in mind and back up your certificate directory separately.


Installing Parallels Tools 9 via the CLI in Debian

Posted: September 16th, 2014 | Filed under: Debian

1. Make sure the CD-ROM is active and connected in the machine configuration (without this, Parallels cannot mount the Parallels Tools ISO).
2. Become root and install the kernel headers and build tools:

su
apt-get install linux-headers-$(uname -r) build-essential

3. Mount the ISO with execution allowed (removable media are normally mounted noexec, which would stop the installer from running):

mount -o exec /dev/cdrom /media/cdrom

4. Change into it:

cd /media/cdrom

5. Run the installer:

./install

6. Reboot; all the Parallels Tools extra features should then work.

References: Parallels’ own KB


Netatalk 2.2.2 updates UAM naming convention

Posted: July 3rd, 2012 | Filed under: Debian, Linux Mint, netatalk, Time Machine, Ubuntu

After upgrading to Netatalk 2.2.3 from a previous version, people who were using the DHX method of authentication will see uam: uam not found (status=-1) on the Netatalk server. On the Mac OS X side, when one tries to log in, it displays a “The version of the server you are trying to connect to is not supported…” error. Before you mess with the settings, check your uams directory! The Netatalk team have renamed the DHX uams modules: the DHX2 and DHX modules now carry a _pam.so (which logs authentication information to auth.log) or _passwd.so suffix. Check the files in your uams directory first (the default directory is /usr/local/etc/netatalk/uams) before you pull out your hair or try to reinstall. Most of the instructions on the web have not been updated to reflect the name change. I have -uamlist uams_dhx2_pam.so,uams_dhx_pam.so in my afpd.conf (as a reminder: no spaces after the commas!).

DHX2 is probably the best password authentication scheme to use with modern Mac OS X right now, so if you are concerned about security it is a good idea to use it. Note that DHX2 only protects the login exchange; the AFP session traffic itself is not encrypted.



Some tips on compiling NeoOffice 3.2.1 Intel for Mac OSX

Posted: June 19th, 2012 | Filed under: Mac, NeoOffice, Virtual Box

If you are following NeoOffice’s build instructions, here are a few extra tips:

  1. Use 10.5 and the old Xcode 3.14. Yes, it will only generate a 32-bit binary.
  2. Replace the “My_Untested_Office_Suite” and “My Untested Office Suite” strings in neojava/makefile.
  3. Make sure your networking is in Bridged mode instead of NAT. NAT will break cURL, which the makefile needs to grab the Mozilla source.
  4. It helps if you update your Perl CPAN to the latest version. Use sudo cpan.
  5. Subversion is part of MacPorts now, so you don’t need to install it separately (contrary to what they say).
  6. The makefile run is very long (about 20 hours on my i-series iMac). If something stops or gets stuck (for me, adiumapplescriptrunner kept dying while it was compiling the language packs; it just freezes), kill the process in Activity Monitor and the makefile will carry on. You will need to pay attention, as you might be asked to authenticate sudo on the CLI.

Once everything has been set up it is a rather simple compile, so enjoy! Your final product will be called, rather unimaginatively, My_Untested_Office_Suite-3.2.1-intel.dmg and can be found under the $neojava/install directory.


Using PHP SimpleXML to manipulate iTunes-compatible RSS / podcast XML (workaround)

Posted: June 13th, 2012 | Filed under: PHP

PHP’s SimpleXML is very easy to use and is perfectly suited to generating and updating mundane things like podcast RSS.

To create an XML object from an RSS file in PHP, all you need is simplexml_load_file, e.g. $xml = simplexml_load_file('rss.xml');. Changing an element’s value is just as easy: assign a string to the element and SimpleXML replaces its text, e.g. $xml->channel->pubDate = date(DATE_RSS); (DATE_RSS gives the four-digit year RSS 2.0 expects; DATE_RFC822 would produce a two-digit one).

Everything is fun and games until you get to the iTunes podcast specification. For podcasts, Apple has added a few special tags with the itunes: prefix, e.g. owner, name, email, category etc. The problem is not the words but the ‘:’. XML uses the colon to separate a namespace prefix from the element name, and SimpleXML only honours the prefix if you tell it which namespace it belongs to. If you use addChild without that, e.g. $rssitem->addChild('itunes:author', $rssauthor);, the prefix is silently dropped and the tag is rendered as <author>Joe Bob</author>.

For generating a podcast feed, I am assuming you will be updating the feed from an existing file instead of generating it from scratch every time. One way around the prefix problem is to keep two copies of the XML file: one for internal / coding use and one for the public podcast feed. In the private one you use SimpleXML as is and generate tags with an iti_ prefix instead of itunes:, e.g. <iti_author>Bob</iti_author> instead of <itunes:author>Bob</itunes:author>. After you have processed and saved the XML object, use str_replace('iti_', 'itunes:', $xmlfile) to swap the prefixes back, and that becomes the public XML feed file. (The cleaner route is to pass the iTunes namespace URI as the third argument to addChild, which makes SimpleXML emit the itunes: prefix itself.)
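
The namespace-aware way of doing the same thing, as an added example that is not code from the original post. The feed content is constructed sample data; the namespace URI is the one Apple’s podcast specification defines.

```php
<?php
// Added example (not code from the original post): let SimpleXML handle the
// itunes: prefix itself by supplying the namespace URI, instead of the
// iti_ / str_replace round trip. The feed content is constructed sample data;
// the namespace URI is the one Apple's podcast spec defines.
const ITUNES_NS = 'http://www.itunes.com/dtds/podcast-1.0.dtd';

// The xmlns:itunes declaration on the root is what allows SimpleXML to reuse
// the "itunes" prefix when children are added with that namespace.
$feed = new SimpleXMLElement(
    '<?xml version="1.0" encoding="UTF-8"?>'
    . '<rss version="2.0" xmlns:itunes="' . ITUNES_NS . '"><channel/></rss>'
);

$channel = $feed->channel;
$channel->addChild('title', 'Example Podcast');
$channel->addChild('link', 'https://example.com/podcast');
// DATE_RSS yields the four-digit year RSS 2.0 expects; DATE_RFC822 would not.
$channel->addChild('pubDate', date(DATE_RSS));

// Third argument = namespace URI. Without it addChild() silently drops the
// prefix and writes a bare <author>; with it the output is <itunes:author>.
// Note that addChild() does not escape '&' in values: run user-supplied
// text through htmlspecialchars() first.
$channel->addChild('itunes:author', 'Joe Bob', ITUNES_NS);
$channel->addChild('itunes:explicit', 'no', ITUNES_NS);

$item = $channel->addChild('item');
$item->addChild('title', 'Episode 1');
$item->addChild('itunes:author', 'Joe Bob', ITUNES_NS);
$item->addChild('itunes:duration', '00:42:10', ITUNES_NS);

// Reading namespaced children back: children('itunes', true) selects by
// prefix (true = treat the first argument as a prefix, not a URI).
$author = (string) $channel->children('itunes', true)->author;

// Pretty-print through DOM for a readable file, as the post does.
$dom = new DOMDocument('1.0');
$dom->preserveWhiteSpace = false;
$dom->formatOutput = true;
$dom->loadXML($feed->asXML());

echo "channel itunes:author read back as: {$author}\n";
echo $dom->saveXML();
```

Because the prefix is bound to a real namespace, feed validators and iTunes see exactly the same <itunes:author> element the str_replace trick produces, but there is no second file to keep in sync and no risk of the replacement touching an unrelated iti_ substring in episode text.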

After entering all the info into the XML file, run it through DOM to tidy the output; it makes the XML readable. Here is the snippet:

$dom = new DOMDocument('1.0');
$dom->preserveWhiteSpace = false;   // drop the whitespace-only text nodes SimpleXML leaves behind
$dom->formatOutput = true;          // re-indent on output
$dom->loadXML($xml->asXML());       // $xml is the SimpleXMLElement built above
$dom->save('yourfeedname.xml');

This way is much quicker than trying to get SimpleXML to work with the not-quite-conforming iTunes extensions to RSS.
