All posts by ewook

“default” iptables-setup.

This is always a work in progress, but more or less this is (was) my basic firewall setup:

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
#
# Enable routing.
sysctl -w net.ipv4.ip_forward=1
# and some good stuff to have enabled..
# (applied with sysctl -w so the script can be re-run without appending
# duplicate lines; persist them in /etc/sysctl.conf to survive a reboot)
#no spoofing
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.conf.all.rp_filter=1
#no broadcasts
#sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
#more..
sysctl -w net.ipv4.conf.all.secure_redirects=1
#sysctl -w net.ipv4.conf.all.send_redirects=1

# refuse source-routed packets: accepting them lets the sender dictate the path
sysctl -w net.ipv4.conf.all.accept_source_route=0
#sysctl -w net.ipv6.conf.all.accept_source_route=0

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

#yes, you should have fail2ban ;)
#/etc/init.d/fail2ban restart

#fix tap0 forwarding etc.
# eth1 - internet
# eth0 - lan

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -m state --state NEW -i eth1 -j REJECT

# Replies to connections the LAN opened may come back in.
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside (eth1) to the inside (eth0).
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

# portforwarding-rules
# A DNAT alone is not enough: the forwarded connection also needs a FORWARD
# accept inserted ahead of the REJECT above (hence -I).

#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport [port] -j DNAT --to [ip:port]
#iptables -I FORWARD -i eth1 -o eth0 -p tcp -d [ip] --dport [port-after-dnat] -m state --state NEW -j ACCEPT

kernel: Neighbour table overflow

This issue is caused by a bit too many ARP entries (e.g. on a router).
If you for instance have BitTorrent traffic generating all those ARP lookups, you'll end up with a lot of
entries in your logs. It is also a performance issue later on, since you'll have problems flushing
entries and creating new connections to IPs not already in the ARP table.

Example log:

kernel: Neighbour table overflow.
kernel: printk: 100 messages suppressed.
kernel: Neighbour table overflow.
kernel: printk: 151 messages suppressed.
kernel: Neighbour table overflow.

To the solution:

Start by running arp -anv a couple of times, or check your concurrent connections by some other means.

Next, raise the garbage-collection thresholds (example):

echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 3072 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

By default, you will have (a guess) a value of 128 in gc_thresh1, *2 for gc_thresh2 (256) and *2 again for gc_thresh3 (512).

Set your limits according to how many concurrent connections your hardware and software can handle.

Now, if you're running something like Zeroshell, add the echo lines to your startup scripts.
Otherwise, I'd recommend adding them as an if-up.d script or its relevant counterpart.
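As an added example (not from the original post), here is a small POSIX sh helper that counts resolved entries in arp -an output, derives thresholds in the same 1 : 1.5 : 2 proportion as the 2048/3072/4096 values above, writes them to the live /proc/sys files, and rewrites the three keys in /etc/sysctl.conf so they survive a reboot. The ARP listing is constructed, the sizing rule (twice the current occupancy, rounded up to a power of two, floor 128) is my assumption rather than the post's, and the directory/file parameters exist only so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original post: derive and apply neighbour-table
# GC thresholds from the current ARP occupancy.
# Assumptions (mine): thresholds are sized as 2x the current entry count,
# rounded up to a power of two with a floor of 128, and kept in the post's
# 1 : 1.5 : 2 proportion (2048/3072/4096). The DIR/FILE parameters exist so
# the logic can be exercised without root.

NEIGH_DIR=/proc/sys/net/ipv4/neigh/default

# Constructed sample of "arp -an" output; on a real router pipe the live command.
SAMPLE_ARP='? (192.0.2.10) at 00:11:22:33:44:55 [ether] on eth0
? (192.0.2.11) at 00:11:22:33:44:56 [ether] on eth0
? (192.0.2.12) at <incomplete> on eth0
? (192.0.2.13) at 00:11:22:33:44:58 [ether] on eth0'

# count_arp_entries: resolved entries on stdin (incomplete ones are skipped).
count_arp_entries() {
    grep -v '<incomplete>' | grep -c ' at ' || true
}

# round_up_pow2 N: smallest power of two >= N.
round_up_pow2() {
    p=1
    while [ "$p" -lt "$1" ]; do p=$((p * 2)); done
    echo "$p"
}

# recommend_thresholds COUNT: print "gc_thresh1 gc_thresh2 gc_thresh3".
# gc_thresh1 is the size below which the kernel never garbage-collects, so it
# is kept well above the current occupancy; thresh2/thresh3 add headroom.
recommend_thresholds() {
    t1=$(round_up_pow2 $(( $1 * 2 )))
    [ "$t1" -lt 128 ] && t1=128
    echo "$t1 $((t1 * 3 / 2)) $((t1 * 2))"
}

# apply_thresholds T1 T2 T3 [DIR]: write the values to the neigh sysctls
# (DIR defaults to the live kernel directory, which needs root).
apply_thresholds() {
    d=${4:-$NEIGH_DIR}
    echo "$1" > "$d/gc_thresh1" && echo "$2" > "$d/gc_thresh2" && echo "$3" > "$d/gc_thresh3"
}

# persist_thresholds T1 T2 T3 [FILE]: rewrite the three keys in sysctl.conf
# (FILE defaults to /etc/sysctl.conf) so the change survives a reboot.
persist_thresholds() {
    f=${4:-/etc/sysctl.conf}
    tmp="$f.tmp"
    if [ -f "$f" ]; then
        # drop any earlier copies of these keys, keep everything else
        grep -v '^net\.ipv4\.neigh\.default\.gc_thresh[123]=' "$f" > "$tmp" || true
    else
        : > "$tmp"
    fi
    printf 'net.ipv4.neigh.default.gc_thresh1=%s\n' "$1" >> "$tmp"
    printf 'net.ipv4.neigh.default.gc_thresh2=%s\n' "$2" >> "$tmp"
    printf 'net.ipv4.neigh.default.gc_thresh3=%s\n' "$3" >> "$tmp"
    mv "$tmp" "$f"
}

# Demo against the constructed sample (no root needed):
#   sh neigh-thresholds.sh --demo
if [ "${1:-}" = "--demo" ]; then
    n=$(printf '%s\n' "$SAMPLE_ARP" | count_arp_entries)
    echo "resolved ARP entries: $n -> thresholds: $(recommend_thresholds "$n")"
fi
```

On a router you would run `arp -an | count_arp_entries` for the live count, then `apply_thresholds` and `persist_thresholds` as root; the persist step is what the post's if-up.d / startup-script advice is about, since values written to /proc are lost at reboot.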

openvas 3.1.x “bundle” on ubuntu 10.04

Two versions: the classic one, and one that includes a bunch of ‘new stuff’.

#!/bin/bash
# Save this as [name.sh] and make it executable: chmod +x [name.sh]
# Ran on Ubuntu 10.04
# Run as root (i.e. sudo -i)
set -e

#classic
cd "$HOME"
wget http://wald.intevation.org/frs/download.php/767/openvas-libraries-3.1.2.tar.gz
wget http://wald.intevation.org/frs/download.php/754/openvas-scanner-3.1.0.tar.gz
wget http://wald.intevation.org/frs/download.php/757/openvas-client-3.0.1.tar.gz

tar -xzvf "$HOME/openvas-libraries-3.1.2.tar.gz"
tar -xzvf "$HOME/openvas-scanner-3.1.0.tar.gz"
##tar -xzvf "$HOME/openvas-client-3.0.1.tar.gz"

apt-get install -y build-essential libgtk2.0-dev libglib2.0-dev libssl-dev htmldoc libgnutls-dev libpcap0.8-dev bison libgpgme11-dev libsmbclient-dev snmp pnscan cmake uuid uuid-dev

#libraries -- configure/make must run from inside the source tree
cd "$HOME/openvas-libraries-3.1.2"
./configure
make
make install
# ld.so.conf takes library directories as plain lines; "include" is for extra .conf files
echo "/usr/local/lib" >> /etc/ld.so.conf && ldconfig

#scanner
cd "$HOME/openvas-scanner-3.1.0"
./configure
make
make install

##client
##cd "$HOME/openvas-client-3.0.1"
##./configure
##make
##make install

The second (“full”) version is work in progress (or, just work it out yourself…):

#manual fix

#!/bin/bash
#full
wget http://wald.intevation.org/frs/download.php/767/openvas-libraries-3.1.2.tar.gz
wget http://wald.intevation.org/frs/download.php/754/openvas-scanner-3.1.0.tar.gz
wget http://wald.intevation.org/frs/download.php/757/openvas-client-3.0.1.tar.gz
wget http://wald.intevation.org/frs/download.php/773/openvas-manager-1.0.2.tar.gz
wget http://wald.intevation.org/frs/download.php/774/greenbone-security-assistant-1.0.2.tar.gz
wget http://wald.intevation.org/frs/download.php/766/openvas-cli-1.0.0.tar.gz
wget http://wald.intevation.org/frs/download.php/739/openvas-administrator-0.9.0.tar.gz
wget http://wald.intevation.org/frs/download.php/771/gsa-desktop-0.2.0.tar.gz

https://wald.intevation.org/tracker/index.php?func=detail&aid=1079&group_id=29&atid=exit
220

apt-get install uuid uuid-dev libgtk2.0-dev

After the libraries are built, the install output reminds you:
Be sure to add /usr/local/lib in /etc/ld.so.conf and type ‘ldconfig’
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig

openvassd

OpenVas-Client

gsa-desktop 0.2.0
apt-get install libqt4-dev

md-raid

So, I keep forgetting how to rebuild my arrays with mdadm (since, it doesn’t break that often).

But, here’s some information:

# show array details and the current member state
mdadm -D /dev/md2
cat /proc/mdstat
# stop the array first if it is still (half) assembled
#mdadm --stop /dev/md2
# assemble from the remaining member; --run starts it even though it is degraded
mdadm --assemble -v /dev/md2 /dev/sdd1 --run
fsck /dev/md2
mount /point

#example: add the replacement disk, then fail and remove the broken one in one go
mdadm /dev/md0 --add /dev/sda1 --fail /dev/sdb1 --remove /dev/sdb1
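Since the whole point of the post is that arrays break rarely enough to forget the procedure, an added example (not from the original post) that reads /proc/mdstat and reports any array with a missing member, together with the --add command that starts the rebuild. The mdstat text is constructed; the `/dev/sdX1` in the demo is a placeholder for the replacement partition.

```shell
#!/bin/sh
# Added example, not from the original post: spot degraded md arrays in
# /proc/mdstat so a rebuild is noticed before a second disk goes.
# The mdstat text is constructed; on a real box run: degraded_arrays < /proc/mdstat

SAMPLE_MDSTAT='Personalities : [raid1]
md2 : active raid1 sdd1[1]
      976630464 blocks [2/1] [_U]

md0 : active raid1 sda1[0] sdb1[1]
      1048512 blocks [2/2] [UU]

unused devices: <none>'

# degraded_arrays: read mdstat on stdin, print "<array> <n> missing <status>"
# for every array whose member map contains "_" (a missing or failed slot).
degraded_arrays() {
    awk '
        /^md[0-9]+ :/ { name = $1 }
        /\[[0-9]+\/[0-9]+\] \[[U_]+\]/ {
            # "[2/1]" -> c[2] = expected members, c[3] = active members
            split($(NF-1), c, "[][/]")
            if ($NF ~ /_/) print name, c[2] - c[3], "missing", $NF
        }'
}

# rebuild_hint ARRAY DEVICE: the mdadm invocation that adds a replacement
# member, mirroring the --add example above.
rebuild_hint() {
    echo "mdadm /dev/$1 --add $2"
}

# Demo against the constructed sample:  sh mdstat-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MDSTAT" | degraded_arrays | while read -r arr n _ status; do
        echo "$arr is degraded ($n member(s) missing, $status); rebuild with: $(rebuild_hint "$arr" /dev/sdX1)"
    done
fi
```

Dropping `degraded_arrays < /proc/mdstat` into a cron job that mails on non-empty output is the cheap way to get the warning before the second disk fails; mdadm's own `--monitor` mode does the same job more thoroughly if it is running.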