Jon, Author at VirtJunkie

Author: Jon

Holy Smokes Batman!!

Posted on January 5, 2006 by Jon

Well that was close.

As you can probably tell, my server’s been down for about a day. A day during which almost all of my time was spent getting this server back up.

I decided to switch from Redhat based Centos 4.1 to Debian Sarge (3.1). The operating system install was extremely easy as well as the *first round* of server app installs.

I have to finish up getting the rest of this site working, but I’ll definitely post more later.

OH, and if you caught the single post that I did on the wordpress install, disregard the whole thing about the database backup script. It works great, and I couldn’t be more happy with it.

More later,
Jon

How to Use the Tor Network for Application Anonymity

Posted on January 2, 2006 by Jon

The Tor Network uses something called Onion Routing. Tor’s functionality is pretty simple. You run a daemon on a computer on your network (the tor client) and it connects to a server inside the tor network. Once your transmitted packets are inside the tor network they are routed through the different servers in a way so that no server knows the complete path that a packet takes. On top of this, all transmission inside the tor network is encrypted in order to prevent Man in the Middle Attacks.

The network is not easily accessed directly though. The easiest way to utilize tor as a functional service for your network is to use something called Privoxy. Privoxy acts as a middleman between tor and the computers on your network.

We’ll talk more about the configuration of these later, but first we need to install them.

I’m going to assume, as usual, that you’re Debian as your distribution.

Note: I had some problems getting tor to install properly with apt. In order to fix this I needed to add the following lines to my /etc/apt/sources.list file:
testing

deb http://ftp.egr.msu.edu/debian/ testing main non-free contrib

deb-src http://ftp.egr.msu.edu/debian testing main non-free contrib

I also added the following lines to my /etc/apt/prefrences file to make it so that apt doesn’t try to get packages from the testing branch all of the time:

Package: *
Pin: release a=testing
Pin-Priority: 999

Stay tuned for a tutorial on how to use the previous process, which is called apt pinning.

Next we install Privoxy and Tor using the following command:
apt-get -t testing tor privoxy

Now add the following line to your /etc/privoxy/config:
forward-socks4a / localhost:9050 .

If you’re installing this on your own computer then you can leave this as it is. Otherwise change the listen-address from 127.0.0.1 to the ip address that the interface that goes to the network uses. This line reads: listen-address 192.168.3.2:8118 in my config file.

Now just start the daemons:
/etc/init.d/tor start
/etc/init.d/privoxy start

All that’s left is configuring your applications to use the proxy. Every app has different methods of using a proxy, and some don’t even have a way to access a proxy. If you’re trying to run something like firefox anonymously, then just go to connection settings and change the Http Proxy and the Https Proxy to the IP address and the port that privoxy is running on. If you want to use something like Aol Instant Messenger you can use tor directly by going into the settings and changing the Socks 4 proxy to the IP address that tor is running on and the port number 9050.

After doing this all connections will be running through the anonymous tor network. If you have any questions feel free to leave me a comment, and I will answer.

Later,
Jon Howe

How to Set up a Complete Transparent Filtering Proxy

Posted on January 1, 2006 by Jon

This tutorial works with squid versions < 2.6

Many companies find proxy servers useful for a number of reasons. For example, if a company has fairly low bandwidth and needs a cheap way to streamline the distribution of frequently accessed content, a proxy server, such as squid will help a lot. Another use of a proxy server in the business world is for what I like to call, “Employee Management”. In other words, this is for companies that want to see what their employees are viewing on the internet. They can also be used by companies that have less than perfect infrastructures and need to have a way to take one connection to the internet and spread it to many computers.

Squid is great for the uses above and for other unmentioned uses, but when combined with a content filter called dansguardian the results are awesome.

Dansguardian is a content filtering proxy that integrates itself with squid. You can find information about Dansguardian here, and here.

These two things combined into something called a Transparent Proxy allow for much greater flexibility for administrators and end users. With a non-transparent proxy everything that accesses the internet needs to have HTTP proxy support, and needs to be configured by hand before it can be used. With transparent proxying the connections to port 80 (http) are automatically redirected from their original path and routed through the proxy. Don’t worry if this sounds confusing, the details aren’t really that important.

Now for the good part: How to install and configure this in Debian.

Do a Base Install of Debian:
This means that when you get into aptitude
just hit ‘q’ and exit out, becuase we’ll be installing everything manually

Install the packages using apt-get: 'apt-get install squid dansguardian vim ssh'

That should take a little while but should download everything that you’ll need.

Now we have to make it so that the proxy works in non-transparent mode.

To do this we have to edit the dansguardian configuration file located at '/etc/dansguardian/dansguardian.conf'.
Navigate to the section labeled ‘Network Settings’ and change ‘filterip’ to the ip address that’s on the network that you’re clients will be listening on.
At the top of the file comment out the word “UNCONFIGURED”
Save and quit the file by typing: wq (if you’re using vi)
Do some final configuration on dansguardian by entering the command 'dpkg-reconfigure dansguardian'

Now we have dansguardian all set. All that’s left is getting squid set up for transparent proxying, entering the iptables rules, and setting it up to all be set up correctly each time that you restart your proxy server.

In the squid configuration file, which is located at '/etc/squid/squid.conf' add and/or edit the following lines to enable transparent proxying.
' httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on '
Do a search in the squid config file for 'http_access deny all' and change it to http_access allow all. This file should be customized more in the future. This configuration tells squid to use no discretion as to who uses the proxy. Setting this up is beyond the scope of this tutorial.

That finishes the configuration of Squid. Now just enter the following commands and you should be set on the firewall rules. Create this file in the directory '/etc/init.d'. We’ll assume that eth0 is the interface going to the internet and eth1 is the interface leading to the client network.

#! /bin/sh

# Set up IP FORWARDing and Masquerading
echo “Setting up forwarding”
iptables –table nat –append POSTROUTING –out-interface eth0 -j MASQUERADE
iptables –append FORWARD –in-interface eth1 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

#enable transparent proxying
echo “Enabling Transparent Proxying”
iptables -t nat -A PREROUTING -i eth2 -p tcp –dport 80 -j REDIRECT –to-port 8080
The first group of commands tells your system to take all of the packets that are going to the internet (eth0) and move them from the local interface (eth1) through the proxy server and on to the internet.

The second command does the transparent proxying. It listens for connections going to port 80 and redirects them to port 8080 (the dansguardian port) which in turn checks to see if the website is authorized. If it is the request is forwarded to squid, and then to the destination website. The process is pretty much the same, but opposite on the way back to the client.

The files in the script that we created need to be executed for the proxy to work, so what we’ll do is have it run on startup.

Make it executable: 'chmod +x /etc/init.d/local'
Then make it run when the system starts up: ' update-rc.d local defaults 80'

After that whole process you should have a fully functioning transparent content filtering proxy. If you have any comments / corrections / or suggestions feel free to leave a comment and I will answer.

Later,
Jon Howe

Craaaazy Stuff

Posted on December 20, 2005 by Jon

So last night I decided to take windows off of my laptop. This probably should have been easy. However, when is anything ever easy? When I woke up this morning I found out that in the middle of the night, during my net-install, the network cord came unplugged.

Apparently when you unplug the network cable during a Debian Netinstall the installer stops downloading the remaining packages and sets up what you have.

As you can probably guess, this is a little problem. When I tried to start up KDE I got an X11 error. Trying to figure out what the deal was here was a pain, but I was able to fix it by uninstalling X11, KDE, and Gnome ( apt-get remove x11r6-6), kdm, and gdm. My goal here was to start with as fresh of a slate as I could.

After that I needed to get X11 and KDE back installed. To do this I just ran the follwing command (this takes a while, because it’s re-installing a lot of your operating system again.

apt-get install x-server-xfree86 x-window-system x-window-system-core kdm

That should work, but if you have problems leave a comment and I’ll get back to you ASAP.

Later,
Jon Howe

How to Script the Unattended Retrieval of Remote Files using SCP

Posted on December 19, 2005 by Jon

In one of my previous posts I told how to create a package that’s contents is dumped from the database, archived, encrypted, and put into a public directory.

I also mentioned that a potential security flaw on this system was that someone with enough time and processing power could decrypt your package and get all of it’s contents.

I thought about this and decided that I wanted a better way. So, I found a way to script an unattended / secure connection between the remote computer and the client computer using SCP and SSH keys.

The first thing that you want to do to set this up is make sure that you have a way to use SCP without it prompting you for a password. You do this by using something called an ‘SSH key’. To generate an SSH key use the following command.

ssh-keygen -t rsa

What this does is:

Creates both a public and private key
Asks you where to put both of the generated keys (use the defaults)
Asks you if you want to use a passphrase (this isn’t neccessary, and I think that it messes up the unattended part of the command, so don’t do it)

After that you have to put the public key, which should be located at ‘~/.ssh/id_rsa.pub’ into the users .ssh directory which is inside their home directory (for example: /home/jhowe/.ssh).

After that you have to make sure that the client and server know that in the future they will be connecting to each other without a password. You do this by creating a file on the server in the server user’s .ssh directory called authorized_keys2 with the information about your private key in it. Fear not, this process is greatly simplified by SCP. Just enter the following command and it will be done for you automatically.

(Put this all on one line)
scp [Client_Username]/.ssh/id_rsa.pub [Server_Username]@[Server_Address}: /[Server_Username]/.ssh/authorized_keys2

…Then enter the server username’s password, and it will copy to the file on the server for you. If you want to make sure that it’s there, open ‘/[server_username]/.ssh/autohorized_keys2’, and see if it has a bunch of random looking charachters. If so, then it worked.

If all of the steps so far have been completed correctly you should be able to use SCP in a script to get your database archive in a directory that’s not web-readable, therefore eliminating the risk of some ruthless hacker decrypting your database package, and stealing all of your data.

Again, time for the downside. This isn’t a very big downside, but it needs to be mentioned. It’s important to note that the Private key, which was created at the same time as the public key (which was sent to your server) needs to be protected with your life. The reason that I say this is because if it’s stolen anyone that has it will be able to connect to your server if they get it. If there’s a posibility of someone else using the client computer that you enter chmod 400 ~/.ssh/id_rsa to make it that only root can read the file.

As always, if you have any problems or questions feel free to leave a comment and I’m be more than happy to help you in any way that I can.

Later,
Jon Howe

Wow

Posted on December 18, 2005 by Jon

So, as most people know, the Xbox360 was recently released. With this came the hope to upgrade from the Xbox to the newer version.

I’m not much of a gamer anymore, but I did always want an Xbox, (mainly for the opportunity to mod it). So, I went onto Ebay and found an Xbox in perfect working condition for under 100 dollars and purchased it.

We’ll see what happens with the modding part, because the Mod chip that I want to get runs around 75 bucks for a solder-less connection. I’m pretty sure that I could solder one on myself, but I don’t want to take the chance of messing up the first console that I’ve ever owned.

I’m a big fan of Netflix, and I was wondering if there was something similar for the gaming industry. Luckily there is one called Gamefly. I’m still looking into it, but it definitely looks good so far.

Later,
Jon Howe

Chkconfig like program in Debian

Posted on December 16, 2005 by Jon

I started out in Linux using Fedora, which is Redhat based. One of the indespensible tools that I used was called chkconfig. Basically what chkconfig does in Redhat based systems is allow the user to control what daemons start at boot time. This is useful for starting that annoying daemon that you always need or stopping the pesky one that always bothers you.

I used this a ton, and then I switched to Debian, and my whole world turned upside down. (some exaggeration intended)

Until recently I had no idea how to do this, until I found out about a little gem called ‘rcconf’.

Rcconf even has a little optional graphical display that you can use to manually select things to autostart or stop, which is helpful if you don’t know what it is you’re looking for.

If you’re on a pretty new installation of Debian you probably don’t have this yet, but you can get it by entering apt-get install rcconf into the console as root.

More Later,
Jon Howe

How to Back up a MYSql Database for Simple Offsite Storage

Posted on December 15, 2005 by Jon

For those of you who have been reading this blog for a while you that in the past I’ve had some problems keeping this server up and running for any amount of time.

This got old because every time that my server died, I’d loose all of my blog posts, which stinks because there’s usually a ton of them.

To combat this ever threatning possibility, I decided to write a bash script for linus that does a few things:

Backs up the entire database
Archives them
Encrypts them using CCRypt, although you can substitute that for whatever you want without bash knowledge
Places the encrypted archive in a directory. (I just stuck the archive in a public web directory.

I should clarity a little bit… Putting even a highly encrypted archive in a public directory is not 100% secure. It’s especially not recommended if you are storing sensitive data, and especially if you’re storing passwords in plaintext in your database. (Please don’t do that…). Consider yourself warned.

Unfortunately, there’s another security flaw here, although like the last one, it’s not a show-stopper (for me at least). The only way that I could do the entire process automatically is by storing the password in a plaintext file somewhere either in the script itself or some external file (which is how it’s being distributed now). I think that it’s possible to create a wrapper that contains the password in a compiled (much less human readable), and have that access ccrypt, but I don’t have the time or need for that right now, although it is a good idea :).

I should probably mention that this script is meant to be run by a cron script.

So, without further ado, here it is:

#!/bin/sh # backs up all databases # archives them # encrypts them # places them in a directory that you choose user=[database usename] pass=[database password] finaldir=[directory to store final encrypted archive] passpath=[path to a text file containing plaintext password] #======================================================= #You shouldn' have to edit anything below here #======================================================= workingdir=/root/dbback dumpname=db.sql pathtosql=/usr/bin/mysqldump arch=$dumpname.tar.gz crypto=$arch.cpt # Test to see if $workingdir exists [ -d $workingdir ] || mkdir $workingdir # Backs up all databases temporarily to $homedir/$dumpname $pathtosql -u $user --password=$pass -A > $workingdir/$dumpname # archives the database tar -czf $workingdir/$arch $workingdir/$dumpname # encrypts DB package ccrypt -e -fbrk $passpath $workingdir/$arch # copies the encrypted archive to $finaldir cp -Rf $workingdir/$crypto $finaldir/db@$(date +%F).tar.gz.cpt # make the encrypted database internet readable chmod 755 $finaldir/*.cpt # removes the files that were used in the creation of the encrypted archive rm -f $workingdir/*

If you have any qyestions, or comments feel free to leave a comment and I’ll get back to you ASAP.

Later,
Jon Howe

How to Mount a Samba share to your Computer in Linux

Posted on December 14, 2005 by Jon

This is something that I’ve been wanting to do for some time. It’s just this morning that I actually decided to do it. It’s pretty simple.

This small tutorial is based upon the assumption that you already have a samba share set up. However, if you don’t, then keep posted, because I’ll talk about that in a later tutorial. Also, It’s based upon the assumption that you have the samba client and sambafs installed. In debian all that you have to do to install this is type in the following line:
apt-get install smbfs smbclient

All that you have to do is type in the following command to have a non-permanent solution (on one line):
mount -t smbfs //[server ip or domain name]/[server directory] [place that you want to mount the directory] -o username=[samba username],password=[samba password]

If you go with this solution you’ll have to reenter this command each time that you start up your computer. To make this a permanent change, you need to edit your ‘/etc/fstab’ file by adding the following line at the bottom (on one line)
//[server name or ip]/[shrae name] [directory to mount share into] smbfs username=[samba username],password=[samba password] 0 0

This works for me, but if you have any problems feel free to leave a comment and I’ll help you out ASAP.

Later,
Jon Howe

Two Things

Posted on December 8, 2005 by Jon

First thing:

I just got Google adsense setup here. My contract forbids me from asking you to click on the links, so don’t click on the links if you don’t want to. Just know, I’m a poor college student and clicking a link is easy : ).

Second thing:

You HAVE to check out Pandora. It’s part of the Music Genome project, which was created to analyze music. I know, I know, sounds boring so far doesn’t it.

Fear not, more is on the way.

Pandora was designed as to utilize the research done in the Music Genome Project. This is done by you entering your favorite song or artist into a text box, and Pandora creates a “Station” for you to listen to with music that you most like will like. I was skeptical at first, but I was prooved wrong. Since I started writing this post, I’ve listened to 4 songs and they’ve all been really good songs of which two I have never heard.

Check it out,
Jon Howe