The RoarinPenguin Techiezone

Mikrotik OpenVPN with OSX, iOS and Vodafone Station Revolution

Sep 292016

*** UPDATED ON 26 NOV 2019 ***

As time goes by and as social sites becomes more and more pervasive in our life, I’ve decided to make fewer posts on my own blogs but keeping them relevant (at least to me).

This new one is about my recent home network improvement:

Vodafone Fiber Link (with Vodafone Station Revolution)
Firewall replacement from my old glorious Stonesoft hardware+PFSense with a brand new shining Mikrotik RouterBoard RB2011UiAS

I needed to build VPN access from outer space to my own network, mainly using my two preferred tools: iOS device and OS X on my Mac.

It took me a while to find the right combination of configurations, given the constraints of what I was aiming to. Which was this (naturally IP info has been sanitized 😎 ):

Python 2.7.11 on El Capitan with TLS 1.2 support

Mac, openssl, shell scripting 3 Responses »

Mar 202016

Hello World!

It’s been a while since my last post, so I’ve decided to make a magnificent one 🙂

Jokes apart, this setup took me a full sunday hence I thought to recap for future references.

The whole story started with a Python script on my Mac OS X unable to retrieve a JSON response from a specific https site, whereas the exact same script run like a champ in Kali Linux.

And to make things even more complicated, the same URL was working fine using cURL or wget on OS X!

Comparing two network packet captures, I’ve found that the issue was in the Client Hello part of the SSL handshake: the Python script was proposing a TLSv1.0 encrypted communication that the server was not available to accept. The correctly working commands and scripts were all using TLSv1.2.

This led me to discover that OS X El Capitan includes by default an old (and vulnerable) version of OpenSSL: 0.9.8zg, not supporting TLSv1.2 I needed. Consequently, also Python 2.7.10 included in El Capitan was having issues with TLS since the bundled pyOpenSSL module was linked to that OpenSSL version.

To upgrade, I did the following:

Upgrade OpenSSL
Not that easy, since you have first to install latest OpenSSL via http://brew.sh install (this is the easy part, go brew update and brew install openssl).
But then you need to rename the system openssl (/usr/bin/openssl) into something else and sudo ln -s <your brew openssl executable> /usr/bin/openssl
Before you can do it, you need to reboot your Mac in recovery mode (CMD+R when you hear the chimes at boot), then select the Terminal from the Utilities menu and type in csrutil disable. With this command you will disable the System Integrity Protection and lowering your system security level until you reverse the change.
Type also the command reboot to restart your machine, open a Terminal and proceed with the linking described above.
Reboot again, access to Recovery Mode and restore the System Protection Utility with the commands:
csrutil enable
reboot
Upgrade Python to 2.7.11
This is trivial… just grab your version here and install from DMG image.
Upgrade pyOpenSSL module to one linked with TLSv1.2 support
It took me a while to find the right command, since you need to issue it with the proper user indication:
pip install –upgrade pyopenssl==0.15.1 –user python

That should give you an OS X environment fully enable with upgraded OpenSSL (at the time of writing mine is 1.0.2g) and your python environment correctly supporting TLSv1.2

Happy encryption!

CLI stuff in Linux to monitor networking

linux No Responses »

Jun 212015

It was a while I did not post anything on this blog, so I will engage into something cool now 🙂

And into something I will need one day or another: a collection of very, very useful networking commands available for Linux.

Let’s start with an easy one: iperf and its variant with more options, netperf.
Very useful to measure TCP/UDP performances between two hosts by pumping traffic either mono or bidirectionally.
In the simplest usage, on one server you run iperf -s and get the following output:

$ iperf -s

------------------------------------------------------------

Server listening on TCP port 5001

TCP window size:  128 KByte (default)

————————————————————

On the client, you run iperf -c <destination_host) -f m (this option is to get output in Mbps) and after few seconds you’ll see:

root@facchina:~# iperf -c 172.16.30.1 -f m

------------------------------------------------------------

Client connecting to 172.16.30.1, TCP port 5001

TCP window size: 0.02 MByte (default)

------------------------------------------------------------

[  3] local 172.16.30.50 port 48643 connected with 172.16.30.1 port 5001

[ ID] Interval       Transfer     Bandwidth

[  3]  0.0-10.0 sec  1122 MBytes   941 Mbits/sec

Rather cool, huh? And there are countless options…

The second one I’m sharing with you is tcptrack. Fantastic tool to keep track of the tcp connections happening on your machine and how much they are active. When you type tcptrack -i <interface> here’s what you get:

Let’s continue with bmon, specifically conceived to monitor interface traffic while keeping historical info in the view:

Another great one to detect programs eating bandwidth is nethogs, shown here below in a running sample:

And then, a really cool one I use VERY frequenty: iftop, to chech the bandwidth used by every connection on the machine.

To conclude this list of tools I selected speedometer, a very nice and clean tool to display network traffic information with quite many options…

That’s all folks… enjoy!

RoarinPenguin

Remote Port Mirroring on HP Procurve/3Com switches

hardware, networking, ssh No Responses »

Dec 212014

That. Was. Easy.

These are the three words that a fancy button says whenever I press it. That button was gifted by an ex-colleague of mine and it says it all! Once you did it, that was easy 🙂

Exactly when you try to configure a remote port monitoring on an HP v1910 switch. Once upon a time (and I’m really speaking about 20 years ago) a company called 3Com had a slogan saying “the network that go the distance” Then they have been bought approx 4 years ago by HP, but that philosophy remained. A philosophy which says that it does not matter if you have a small switch, but the features you need must be there. Maybe a bit hidden… maybe only from CLI.

It happens that some good 3Com switched were rebranded HP around the second half 2010. All those switches, under the name of the v1910 series, are lifetime warranted!!! If you do not believe it, just click here and insert your switch serial number.

But beside the good policies, I’ve decided to write this nice post since today I reached the nirvana of my home network: two HP 1910v switches, respectively 16 and 24 ports, configured for remote port monitoring.

Accents galore

graphical interface, hardware No Responses »

Oct 142014

With a decent approximation, it is now well over 30 years that I use keyboard.

And there have been oh so many times I’ve cursed the difficulty to reproduce accented characters on US keyboards, forcing the user to find alternative ways like to write the accented vowel followed by an apostrophe (for example, a’ instead of à)… not correct, but still understandable.

Until today when my colleague SerKill (yes, that is his nickname) revealed to me the existence of US International Keyboard layout.

If you configure your laptop to use it (on a Mac, it is System Preferences – Keyboard – Input Sources…), when you want to make an accented vowel letter you simply press first the accent and then the letter.

The accent key you have to press depends if you want to have acute or grave accented vowel as shown in the keyboard layout below:

It is true that you never stop learning…

Thanks, SerKill!

Differentiated SSH access for root with strong authentication and chrooted user in sftp

linux, security, ssh, Various No Responses »

Oct 122014

Pretty long title for a pretty long work, which took me more than initially thought. And because I’ve sorted out blending multiple info from multiple sites, here we go with a unified post.

Let’s start with the goal.

I wanted to have root access to my home machine via SSH/SFTP with a strong authentication system; but I also wanted to offer to a friend of mine an access to an externally connected hard drive with a simple password.

And to keep everything more secure, I wanted to have this guy chrooted into the directory he can login.

I will not cover the strong authentication setup since there are very good instructions on their site.

To enable the strong authentication only for root, I had to modify a little bit my /etc/ssh/sshd_config file as shown below.

disable PAM integration, by putting a hash at the beginning of the line:
```
# UsePAM yes
```
This is needed since we’re going to use the Match Group directive
inserted the following lines below the Subsystem sftp /usr/lib/openssh/sftp-server section
```
Match Group root
```
```
ForceCommand /usr/sbin/login_duo
```

Save and exit, restart the ssh service and test that if you try to ssh the system, after you type in root username and the password something appears similar to what reported below:

$ ssh root@192.168.1.50
root@192.168.1.50's password: 
Duo two-factor login for root

Enter a passcode or select one of the following options:

1. Duo Push to +XX XXX XXX 1791
 2. Phone call to +XX XXX XXX 1791
 3. SMS passcodes to +XX XXX XXX 1791

Passcode or option (1-3):

Once you choose (for example) 1 and confirm on your authentication device, login will complete.

To enable chromed access for my friend without forcing him to enroll to strong auth, I have created an sftp group with the command:

groupadd sftp

Then I have him to this group with the command:

usermod -G sftp <login name>

I have also disabled his shell with the command:

usermod -s /bin/bash

and set his home directory to my external disk with the command:

usermod -d /media/external/friend

Finally I have created the following entries for sftp in /etc/ssh/sshd_config file under the Subsystem sftp /usr/lib/openssh/sftp-server section as shown below.

Match Group sftp
 ChrootDirectory /media/external/friend
 AllowTCPForwarding no
 X11Forwarding no
 ForceCommand internal-sftp

NOTABENE: the directory friend must be owned by root with 700 rights. Because my friend is part of the sftp group, to allow him to upload content I needed to create a directory upload below the directory friend and had to chown such directory to his login name as shown below:

If you want to have some more background info about why you need to change ownership and set rights are mentioned, check here.

Once you complete all the editing, remember to restart the ssh service with the command

service ssh restart

Enjoy!

DUO Security – enforce your authentication

authentication, wordpress No Responses »

Oct 072014

I’ve just activated a strong auth system to access this blog as Administrator.

It is a system we also use where I work and it is amazing for the simplicity and security blend that it adds to the authentication process.

They have huge integration with a number of systems and technologies, and you can find WordPress specific one here.

It is free up to ten users, but also paid versions have negligible prices (like 1$/user/month).

It really rocks for usability and strength of auth process.

Enjoy!

tshark zen scripting

networking No Responses »

Sep 272014

While reviewing a wireshark video, I have seen this awesome technique to use shark to get very good statistics on whats going on the network in terms of errors.

Hence I’ve decided to report the command here since it could be very useful to do network monitoring.

The command should go all in one line…

tshark -r <filename>.pcap -q -z io,stat,1,"COUNT(tcp.analysis.retransmission)tcp.analysis.retransmission","COUNT(tcp.analysis.duplicate_ack)tcp.analysis.duplicate_ack","COUNT(tcp.analysis.lost_segment)tcp.analysis.lost_segment","COUNT(tcp.analysis.fast_retransmission)tcp.analysis.fast_retransmission","COUNT(tcp.analysis.out_of_order)tcp.analysis.out_of_order”

The output should be something like this:

Enjoy.

RoarinPenguin

NFTS-3G and that nasty error Did not receive signals within 15 seconds

interoperability, Mac No Responses »

Sep 122014

This error, or more precisely

NTFS-3G
NTFS-3G could not mount /dev/disk#
at /Volumes/XXXXXXXX because the following problem occurred:

Did not receive a signal within 15.000000 seconds.
Exiting...
                                           [Close]

started to appear when I installed MacFuse and NTFS-3G on a new MacBookPro 2014 running Mavericks.

It is pretty harmful, since the NTFS volume would mount as well… but annoying.

Since I understand quite few people are experiencing this on the Net and I want to remember the solution I adopted, I have decided to report here the fix I’ve found.

HowTo Export a VM in OVA format in VMware Fusion for OS X

Mac, Virtualization, VMware 15 Responses »

Jul 142014

The main reason of almost every post on this blog is the same.

Need to do something, dig the Net, take a while to find stuff so I think to make a note on my… virtual hints book 😉

This time the need was to move a Windows 8.1 virtual machine from VMware Fusion for OS X 10.9.4 to VirtualBox on Linux.

The best option is to export and import the VM in OVA (Open Virtual Appliance) format, but there is no GUI option to export in Fusion. It took me a while to understand that Fusion comes with OVF Tool included, as a command line, and located in the default path “/Applications/VMware Fusion.app/Contents/Library/VMware OVF Tool”

A working example of a command line is:

./ovftool --acceptAllEulas /Users/marco/Documents/Virtual\ Machines.localized/Windows\ 8.1\ x64.vmwarevm/Windows\ 8.1\ x64.vmx /Users/marco/Desktop/Win81.ova

The green part of the command above refers to specific names I gave to the VM in Fusion and to the OVA file.

–acceptAllEulas is an option to make the command less interactive.

Enjoy.

Older Entries