Poking a hole in that pesky firewall.

There are more than a few ways to access a firewall. I will be giving a brief tutorial for one of the more common methods, called “poking a hole”, or professionally called an SSH back door. Please, please be careful with this: any script kiddie with 30 lines of code can exploit an SSH server.

This is a great post by IBM detailing it pretty well. If you have any questions, feel free to leave a comment and I will assist you.

  1. SSH from ginger to blackbox.example.com with the -R flag. I’ll assume that you’re the root user on ginger and that tech will need the root user ID to help you with the system. With the -R flag, you’ll forward connections to port 2222 on blackbox to port 22 on ginger. This is how you set up an SSH tunnel. Note that only SSH traffic can come into ginger: you’re not putting ginger out on the Internet naked. You can do this with the following syntax:

    ~# ssh -R 2222:localhost:22 thedude@blackbox.example.com

    Once you are into blackbox, you just need to stay logged in. I usually enter a command like:

    thedude@blackbox:~$ while [ 1 ]; do date; sleep 300; done

    to keep the machine busy, and then minimize the window.

  2. Now instruct your friends at tech to SSH as thedude into blackbox without using any special SSH flags. You’ll have to give them your password: root@tech:~# ssh thedude@blackbox.example.com
  3. Once tech is on the blackbox, they can SSH to ginger using the following command: thedude@blackbox:~$ ssh -p 2222 root@localhost
  4. Tech will then be prompted for a password. They should enter the root password of ginger.

Thanks IBM.
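
On blackbox, the -R flag from step 1 shows up as a listening socket on port 2222 that is owned by sshd rather than by a normal service. The following is an added example (not from the original post or the IBM article) that parses `ss -ltnpH` output and lists such forwards; the function names, the sample output, the PIDs and the 8022 listener are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -ltnpH` output as it might look on blackbox while
# the tunnel from step 1 is up (PIDs and the 8022 listener are made up).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:2222 0.0.0.0:* users:(("sshd",pid=4311,fd=9))
LISTEN 0 128 [::1]:2222 [::]:* users:(("sshd",pid=4311,fd=8))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=901,fd=6))
LISTEN 0 128 0.0.0.0:8022 0.0.0.0:* users:(("sshd",pid=5120,fd=10))
EOF
}

# find_ssh_forwards [SSHD_PORT]
# Reads `ss -ltnpH` output on stdin and prints "<scope> <address> <port> <pid>"
# for every listener owned by an sshd process that is not the daemon's own
# port (default 22). Those sockets are what `ssh -R` creates on the server.
# scope is "loopback" when only local users can reach the forward and
# "exposed" when it is bound to a routable address (GatewayPorts in effect).
find_ssh_forwards() {
    awk -v own="${1:-22}" '
        $1 == "LISTEN" && $NF ~ /"sshd/ {
            n = split($4, part, ":")        # field 4 is local address:port
            port = part[n]
            if (port == own) next           # the normal sshd listener
            addr = substr($4, 1, length($4) - length(port) - 1)
            scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
            pid = $NF
            sub(/.*pid=/, "", pid)          # keep only the owning PID
            sub(/,.*/, "", pid)
            print scope, addr, port, pid
        }'
}

# Demonstration on the constructed sample.
sample_ss_output | find_ssh_forwards
```

On a live host, run `ss -ltnpH | find_ssh_forwards` as root so that process names are visible. Where no forwarding is wanted at all, `AllowTcpForwarding no` in sshd_config on blackbox stops the listener from being created.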

How To: Use Dump to back up a full filesystem

Way back in the day when tape drives first started being heavily used to do backups of Unix machines, the dump command was created. In typical Unix simplicity the dump command “dumps” files from one device to another device. This can be a tape drive, a hard drive, even a network share. rsync does a similar process but is meant for immediate use of those files.

The first step is to be sure dump is installed. If not, use rpm, yum, port, apt-get, or your local repository method to install dump on your system.

The quickest command to get started is: dump -0 -j9 -f /pathtosavebackup /pathtobackup

This would give us a down and dirty dump of the requested path, or if / is used in the second part of the command, the full file system starting at the root.

-j9 tells the command to compress (using tar) the file as much as possible.

-f defines the device (or filesystem path) to dump to. Keep in mind that this command could not be used to dump files from the local filesystem back to the local filesystem.

The bad news is that this will take quite a while depending on how much data needs to be dumped, how fast the hard drives (or tape drive) are, and, if backing up to a network share, how fast the Ethernet connection is. In my tests a 100 GB filesystem got compressed down to 23 GB, and took about five hours across a 10/100 connection.

After the dump is done, tar can be used to unarchive the file to a new file system.

Home Network Setup

Originally Posted 11/20/2000. Ironically a lot of this is still useful.

 

Home Networking

 

 

            In this day and age of multi-computer families, a frequent argument is: who gets to be online? The answer is simple: modem sharing, or networking. Modem sharing can be done in one of several ways, using a regular analog modem (300 baud to 56.6K), DSL or ADSL, ISDN and cable modems. You could also be on a T-1 (or greater!) network connection, but then why are you reading this? :)

           

 

Which one is right for me?

 

            Analog Modems

 

            Pros: Can be used anywhere a telephone is located.

            Cons: Limited to an upper bandwidth of 53K due to telephone regulations in the US. May be slightly higher in other countries. Modems also suffer greatly from phone line quality, crosstalk (where two or more wires touch each other in the wrong place, therefore mixing the signal), and any line noise at all. More than two low-bandwidth applications can easily make this almost worse than nothing. Ties up the phone line if you only have one.

 

            ISDN:

            Pros: Very fast, two 64K channels giving 128K total. Even one channel at 64K is cleaner and noticeably faster than 56k.

            Cons: Still only 128K, costs the same as DSL. In addition, totally against ISDN specs, some companies charge you for the 2nd line to automatically drop when an incoming or outgoing phone call is detected, so your phone is still tied up.

 

            ADSL/DSL:

 

            Pros: Very fast… minimum 265K maximum 7 megabits, makes this very, very fast. Phone lines do not get tied up at all. Can easily support multiple high-bandwidth applications (web browsers, games, large downloads, etc.) Can get a Static IP, which is very useful if you wish to run servers at home.

            Cons: Suffers slightly at the phone company’s end due to misconfiguration: such things as dropped carriers, being able to see other people’s computers (in Network Neighborhood), and, depending on the carrier, a slight slowdown in bandwidth due to the phone company overselling it. Remember, at this point the phone company does not have to guarantee a certain amount of bandwidth… you simply have speeds up to whatever your limit is.

 

            Cable:

 

            Pros: As above, very, very fast

            Cons: Suffers greatly from overselling of bandwidth. If other cable subscribers are all using it at the same time as you, they affect your speed. If you’re the only one in the area then it’s not a big deal. But frequently this slows down to speeds that are little better than a regular modem. Can’t get a static IP number; you’ll never be able to run a server, at least not very effectively.

 

Initial Setup

 

            First you need to get the network equipment. Your best bet for ease of configuration and portability is to get a couple of mid-priced network cards (Kingston is a good bet) and a decent 100Base hub (NetGear, Bay Networks, Intel). You can buy cheaper cards such as SMC but they will affect your speed. If you can afford it, a switch is even better, giving you more bandwidth and speed. You’ll also want several lengths of networking cables too. :)

            Second, your modem or router should be hooked up to one of the computers. In the case of some DSL routers, these can be directly hooked up to your hub. Other products have a DSL router and hub built in to the same unit. In my opinion this is unnecessary and could cause problems down the road. Remember to install the 2nd network card if it’s an external unit. (Cable and DSL only.)

            The third step is to set up the modem/router itself to connect to the network. This varies between different brands of cable modems and routers. If you’re using a regular 56k modem, connect as you usually would.

            The last step is to make sure you know what your IP Address, DHCP Server (if needed), DNS Server, Gateway and Netmask numbers are. You may or may not have all of these options. These have four numbers or “octets”, like 255.255.255.0 or 192.168.1.0. Each of these numbers or octets can be anything between 0 and 255, with some exceptions.

            Your network should look something like this when you’re done:

            ISP -> Modem/Routers -> Computer -> Hub <-> Other computers

            One thing to point out: the computer plugged into the modem/router needs to be running an operating system capable of doing routing. Windows 95 is not capable of doing this. Windows 98 sorta does it, while Windows NT, ME, 2000, FreeBSD and Linux are all capable of doing so. Mac OS X, being based off of FreeBSD, can also do this. Windows 95 is capable of doing so with the help of a third-party commercial piece of software. I personally run FreeBSD on a 486 SX-25, recently upgraded to an Intel P-166, to do this. (BTW, it runs quicker and more efficiently than Windows NT or 2000 on an AMD –450 with 128 megs of RAM!)

 

Network Setup

 

            The Network hardware is pretty straightforward. One cable from each computer plugs into the hub or the switch. Each port should have a LED saying the port is active. Usually there is a 2nd LED that shows network traffic on that port of the hub.

            Start with the computer connected to the modem/router. The protocol that you wish to run is TCP/IP; make sure IPX/SPX and NetBEUI are both disabled unless you need them. Most games these days don’t care what protocol you’re running, but some of the older ones need IPX/SPX (Duke Nukem 3D, Warcraft, early Diablo releases, etc.) Having NetBEUI disabled helps keep people from hacking into your computer; there are hundreds of security holes in Windows with this protocol.

            After adding TCP/IP in the Network option under Control Panel, add in your network settings as provided by your ISP. Usually your ISP gives you instructions on how to do this; you’ll want to follow them. Test your dial-up and networking. The computer should run perfectly.

            Now comes the tricky part: configuring the other computers. The easiest configuration is the dual network card and external modem/router option. The first NIC, connected to the modem/router, is configured exactly as it should be. The 2nd NIC’s TCP/IP address should be one that is assigned by you. For ease you should pick something like 192.168.1.1. You can pick any number, but make sure the first three octets are all the same. Do not pick the same first three octets as the IP assigned to your 1st NIC… it will cause problems.

            Your Netmask is always 255.255.255.0; do not ever change this unless you know what you’re doing, or your network will become unreachable. The Gateway address is the same as the IP address of the 1st network card. Keep in mind this is only for this card. Certain operating systems will not accept this option either, but most Windows systems should.

            In addition, some operating systems will need a flag set to make it a gateway or router machine. For instance, in FreeBSD and Mac OS X /etc/rc.conf needs the line “gateway=enable”. This also invokes the NAT or “Network Address Translation” program. NT and 2000 should both give you a similar option.

            The 2nd (and all subsequent computers) will have an IP address of 192.168.1.x (where x is any number between 2 and 254; do not use 1 as it’s already used, and 0 and 255 should also be reserved, just in case). Their Gateway address will be the IP of the 2nd network card in the first computer! The DNS or Name Server address will be the same across all computers, unless you set up a nameserver, which for a small network I recommend against doing.

            For a computer with a single network card and a modem, the theory is the same. Use the gateway to be the IP number of the modem/router. Remember that IP numbers are assigned to network interfaces, not to the computer. A computer can theoretically have an infinite amount of IP addresses; in reality it’s whatever number the operating system is capable of handling, at least 254 though, and more than most people will ever need.

            If you have a large amount of computers, say more than 5 or 6, you may want to look into assigning these IP numbers via DHCP. Its initial setup is harder, but it is more robust with large networks, and it also makes the client machines virtually Plug and Play.

 

            Security

           

            Now that your network is running, it’s time to turn your eye towards security. The best way is a firewall. Windows NT, 2000, FreeBSD and Linux can all do this. Linux has more security holes fixed than Windows NT or 2000, and FreeBSD even more. If you’re really serious about security and wish to really learn, OpenBSD is the best of all. FreeBSD offers the best choice of security and ease of setup.

            A firewall is simply that: it keeps the bad stuff from coming in, and if you wish, keeps stuff from going out. It works by stopping or dropping traffic if it does not adhere to the rules that you define.

            The first step in building effective firewalls is to block everything. Then, step by step, you want to unblock stuff you want. Port 80 (http requests), 21 and 22 (FTP) are good starts. Some programs will want other ports open; PCAnywhere needs 186 & 187 open. Remember, it’s easier to block stuff before it’s broken than to block it after somebody has hacked into your computer.
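
Applied to the dual-NIC gateway described above, block-everything-first looks like this on Linux. This is an added example, not part of the original article: the function name gateway_rules and the interface names wan0 and lan0 are assumptions, and it prints a ruleset in iptables-restore format for the 192.168.1.0/24 LAN used in the text.

```shell
#!/bin/sh
# gateway_rules WAN_IF LAN_IF [TCP_PORT...]
# Prints an iptables-restore ruleset: INPUT and FORWARD drop by default,
# then only the listed TCP ports are opened on the Internet-facing NIC.
# Interface names are assumptions; pass the real ones for your machine.
gateway_rules() {
    [ "$#" -ge 2 ] || { echo "usage: gateway_rules WAN LAN [PORT...]" >&2; return 1; }
    wan=$1 lan=$2
    shift 2
    for p in "$@"; do                       # reject anything but 1-65535
        case $p in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -s 192.168.1.0/24 -j ACCEPT
EOF
    for p in "$@"; do                       # one explicit opening per port
        echo "-A INPUT -i $wan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A FORWARD -i $lan -o $wan -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o $wan -j MASQUERADE
COMMIT
EOF
}

# Demonstration: open two of the ports named in the text on the WAN side.
gateway_rules wan0 lan0 80 22
```

The output can be reviewed and then loaded with `iptables-restore`; anything not matched by a rule falls through to the DROP policy.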

 

            Conclusion

 

            These are really some very basic instructions. Unluckily, due to the sheer amount of different configurations out there, I can’t give step by step instructions like I’d like to. If you have specific questions though, post to the Hardware and Software forums and somebody can help! :) Even then you should have a working network configuration in no time at all!