Help! SSH attack on Ubuntu 14.04.2 LTS – use sshdfilter with ufw

If you’ve got a *Nix machine on the public Internet, you will experience this at one time or another. If you run sshd on its’ known port 22, some script kiddie out there will attack it. With that, you’ll see that you’ll have a bunch of connections that probably and hopefully will never succeed. I saw these messages in my /var/log/auth.log:

Nov 15 06:44:26 chunli sshd[20634]: Failed password for root from 43.229.53.13 port 41751 ssh2
Nov 15 06:44:26 chunli sshd[20636]: Failed password for root from 43.229.53.13 port 41921 ssh2
Nov 15 06:44:26 chunli sshd[20638]: Failed password for root from 43.229.53.13 port 42948 ssh2
Nov 15 06:44:26 chunli sshd[20546]: message repeated 2 times: [ Failed password for root from 43.229.53.13 port 27586 ssh2]

I’ve experienced this before and to alleviate this problem, I used sshdfilter in the past. I know that there are others out there like sshblack that can do blacklisting of attackers or one of the easiest ways to alleviate this problem is just to run ‘sudo ufw limit ssh’. This is a way to block them from coming back for a while.

To get started, first stop SSH:

sudo initctl stop ssh

Then move /etc/init/ssh.conf out. We’ll start SSH with sshdfilter instead.

You’ll get a message in the auth.log here:
auth.log:Nov 16 19:54:36 chunli sshd[1150]: Missing privilege separation directory: /var/run/sshd

Because of this, we’ll just add a line in the /etc/init.d/sshdfilter file like this:

start() {
 echo -n $"Starting sshdfilter: "
 export PATH=$PATH:/usr/local/sbin
 mkdir /var/run/sshd
 sshdfilter
 RETVAL=$?
 return $RETVAL

In /etc/sshdfilterrc, I changed the chain from:

#chain=’SSHD’ to

chain='ufw-reject-input'

Under the “Add a block rule” section, I changed some iptables commands to ufw commands. You can see the comments ones here:

#firewalladd='iptables -A $chain -p tcp -s $ip --dport 22 -j DROP'
#firewalladd='iptables -A $chain -p tcp -s $ip --dport 22 -j DROP'
firewalladd='ufw insert 1 reject proto tcp from $ip to any port 22'
# Delete a block rule:
firewalldel='ufw delete reject proto tcp from $ip to any port 22'
#firewalldel='iptables -D $chain -p tcp -s $ip --dport 22 -j DROP'

That’s about it! With that, my machine started to grow a big list of IP addresses to block from failed logins.

 

DNS server not resolving external addresses – bind9 Ubuntu 16.

I ran into issues with Bind 9 on Ubuntu 16 very recently. I use an internal caching DNS server for a few reasons – try to protect myself from malware, log DNS requests on my network to have an idea of where all hosts are going – mainly searching for malware or bad websites, block some domains i.e. ad blocking and some others that I might not want to visit, even by accident, etc. Suddenly at some point, I could no longer resolve any addresses that were not in my zones. My forwarders were no longer working, etc. It turned out to be:

dnssec-validation auto;

This line is default in Ubuntu 16’s Bind 9. Why it worked before, I don’t know. I changed it to

dnssec-validation no;

Then everything magically started working again. Hope this saves someone else’s time. ūüôā

Protect your home network using TomatoUSB – how to only allow only HTTP/S out!

While we continue to see the WannaCry and other malware around, I thought I would secure my own network. Since I allow visitors onto their networks, I figured I would configure all new DHCP’d hosts to access the Internet only via HTTP and HTTPs and not allow them to use any DNS servers other than OpenDNS. Here’s how to do it:

The first thing I did was create an access restriction. I did this just to see what chain would be created and I would put subsequent rules into that chain.

access restriction screenshot

The previous screenshot created this chain:

Chain rdev07 (1 references)
target prot opt source destination
DROP all -- 192.168.0.15 anywhere

With this chain, I can add additional rules. The first thing I want to do is allow only DNS access to OpenDNS servers and none other. For this, I would run the following commands:

iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 208.67.222.222/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.0/24 -d 208.67.222.222/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 208.67.220.220/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.0/24 -d 208.67.220.220/32 --dport 53 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0/0 --dport 53 -j REJECT
iptables -A rdev07 -4 -p udp -s 192.168.0.0/24 -d 0.0.0.0/0/0 --dport 53 -j REJECT

These rules basically allow DNS queries from my network to the 2 OpenDNS servers. The last 2 rules mean that no other DNS servers outside of those 2 servers can be queried. The reason I do this is because there is some malware out there that will change the DNS servers to query on Windows, effectively overriding the DHCP setting. An alternative to this would be to configure Tomato to intercept DNS requests, but I would rather do it this way.

I added the following rules because I had noticed for some reason that some connections coming back from OpenDNS were dropped. I think they’re optional, but I put them in.

iptables -A rdev07 -4 -p tcp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 208.67.222.222/32 -d 192.168.0.0/24 --sport 53 -j ACCEPT

Next, I go to create my whitelist – this would be my iPhone, iPad, android, etc – any hosts that I trust. I’m going to allow these host to go out to any host with TCP and UDP.

 

iptables -A rdev07 -4 -p tcp -s 192.168.0.3/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.11/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.31/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.3/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.11/32 -d 0.0.0.0/0 -j ACCEPT
iptables -A rdev07 -4 -p udp -s 192.168.0.31/32 -d 0.0.0.0/0 -j ACCEPT
I know that they can still get viruses. I hope they don’t. They can only use OpenDNS for DNS services, but they can access basically anything outside on any port.
Lastly, I configure the rules to allow only HTTP and HTTPs out.
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -A rdev07 -4 -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0 --dport 443 -j ACCEPT
iptables -A rdev07 -4 -p all -s 192.168.0.0/24 -d 0.0.0.0/0 -j DROP
With this, anyone else on the network can connect to port 80 and 443 of any host on the Internet. Then, any traffic going out to any other port is dropped.
After testing all commands and seeing that they worked for me, I put them all into Administration/Scripts/Firewall.
Inserting custom firewall rules
Have fun and be safe! Please post any comments below.

How to send tweets at random times with a *NIX CLI …

Twitter CLI is a wonderful tool for automatically sending tweets. Very simply, after installation, you just need to run ‘t update “message”‘ and it would tweet your message. I wanted to do some tweeting randomly via cron, but since cron runs regularly at an interval, it’s not very random. Just adding a couple of lines to the script will make it random.

Here’s how to do it.

First, download and install Twitter CLI from here: https://github.com/sferik/t

Afterwards, make a copy of the t script and call it what you want. I call it randomt:

cp /usr/local/bin/t /usr/local/bin/randomt

Finally, just make a change to the script. Here, I’m setting a variable called time and making it a random number between 1 and 1000. From there, I’m multiplying it by 60 to convert it to minutes.

#!/usr/bin/ruby2.0
#
# This file was generated by RubyGems.
#
# The application 't' is installed as part of a gem, and
# this file is here to facilitate running it.
#

require 'rubygems'

version = ">= 0"

time = 1 + rand(1000) * 60
sleep(time)

if ARGV.first
 str = ARGV.first
 str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
 if str =~ /\A_(.*)_\z/
 version = $1
 ARGV.shift
 end
end

gem 't', version
load Gem.bin_path('t', 't', version)

Now, my tweets go out at some random time between 1 and 1000 minutes later. Thanks for reading!

 

 

esxtop shows a bunch of stuff … what’s up with this!?

It’s been a while since I’ve had to run esxtop, but when I did recently, I got a bunch of stuff on my screen like this:

o termcap entry for a `xterm-256color’ terminal”(PDH-CSV 4.0) (UTC)(0)”,”\\localhost.shocknetwork.com\Memory\Memory Overcommit (1 Minute Avg)”,”\\localhost.shocknetwork.com\Memory\Memory Overcommit (5 Minute Avg)”,”\\localhost.shocknetwork.com\Memory\Memory Overcommit (15 Minute Avg)”,”\\localhost.shocknetwork.com\Physical Cpu Load\Cpu Load (1 Minute Avg)”,”\\localhost.shocknetwork.com\Physical Cpu Load\Cpu Load (5 Minute Avg)”,”\\localhost.shocknetwork.com\Physical Cpu Load\Cpu Load (15 Minute Avg)”,”\\localhost.shocknetwork.com\Physical Cpu(0)\% Processor Time”,”\\localhost.shocknetwork.com\Physical Cpu(1)\% Processor Time”,”\\localhost.shocknetwork.com\Physical Cpu(2)\% Processor Time”,”\\localhost.shocknetwork.com\Physical Cpu(3)\% Processor Time”,”\\localhost.shocknetwork.com\Physical Cpu(_Total)\% Processor Time”,”\\localhost.shocknetwork.com\Physical Cpu(0)\% Util Time”,”\\localhost.shocknetwork.com\Physical Cpu(1)\% Util Time”,”\\localhost.shocknetwork.com\Physical Cpu(2)\% Util Time”,”\\localhost.shocknetwork.com\Physical Cpu(3)\% Util Time”,”\\localhost.shocknetwork.com\Physical Cpu(_Total)\% Util Time”,”\\localhost.shocknetwork.com\Physical Cpu(0)\% Core Util Time”,”\\localhost.shocknetwork.com\Physical Cpu(1)\% Core Util Time”,”\\localhost.shocknetwork.com\Physical Cpu(2)\% Core Util Time”,”\\localhost.shocknetwork.com\Physical Cpu(3)\% Core Util Time”,”\\localhost.shocknetwork.com\Physical Cpu(_Total)\% Core Util Time”,”\\localhost.shocknetwork.com\Memory\Machine MBytes”,”\\localhost.shocknetwork.com\Memory\Kernel MBytes”,”\\localhost.shocknetwork.com\Memory\NonKernel MBytes”,”\\localhost.shocknetwork.com\Memory\Free MBytes”,”\\localhost.shocknetwork.com\Memory\Kernel Managed MBytes”,”\\localhost.shocknetwork.com\Memory\Kernel MinFree MBytes”,”\\localhost.shocknetwork.com\Memory\Kernel Reserved MBytes”,”\\localhost.shocknetwork.com\Memory\Kernel Unreserved MBytes”,”\\localhost.shocknetwork.com\Memory\Kernel State”,”\\localhost.shocknetwork.com\Memory\PShare Shared MBytes”,”\\localhost.shocknetwork.com\Memory\PShare Common MBytes”,”\\localhost.shocknetwork.com\Memory\PShare Savings MBytes”,”\\localhost.shocknetwork.com\Memory\Swap Used MBytes”,”\\localhost.shocknetwork.com\Memory\Swap Target MBytes”,”\\localhost.shocknetwork.com\Memory\Swap MBytes Read/sec”,”\\localhost.shocknetwork.com\Memory\Swap MBytes Write/sec”,”\\localhost.shocknetwork.com\Memory\Total Compressed MBytes”,”\\localhost.shocknetwork.com\Memory\Total Saved By Compression MBytes”,”\\localhost.shocknetwork.com\Memory\Memctl Current MBytes”,”\\localhost.shocknetwork.com\Memory\Memctl Target MBytes”,”\\localhost.shocknetwork.com\Memory\Memctl Max MBytes”,”\\localhost.shocknetwork.com\Power\Power Usage Now Watts”,”\\localhost.shocknetwork.com\Power\Power Usage Cap Watts”,”\\localhost.shocknetwork.com\Power(0)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(1)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(2)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(3)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(4)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(5)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(6)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(7)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(8)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(9)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(10)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(11)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(12)\P-State MHZ”,”\\localhost.shocknetwork.com\Power(13)\P-State MHZ”,”\\localhost.shocknetwork.com\VSAN\Enabled?”,”\\localhost.shocknetwork.com\Group Cpu(1:idle)\Members”,”\\localhost.shocknetwork.com\Group Cpu(1:idle)\% Used”,”\\localhost.shocknetwork.com\Group Cpu(1:idle)\% Run”,”\\localhost.shocknetwork.com\Group Cpu(1:idle)\% System”,”\\localhost.shocknetwork.com\Group Cpu(1:idle)\% Wait”,”\\localhost.shocknetwork.com\Group Cpu(1:idle)\% Ready”,”\\localhost.shocknetwork.com\Group Cpu(1:idle)\% Idle”,”\\localhost.shocknetwork.com\Group Cpu(1:idle)\% Overlap”,”\\localhost.shocknetwork.com\Group Cpu(1:idle)\% CoStop”,”\\localhost.shocknetwork.com\Group Cpu(1:idle)\% Max Limited”,”\\localhost.shocknetwork.com\Group Cpu(1:idle)\% Swap Wait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32769:idle1)\% Used”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32769:idle1)\% Run”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32769:idle1)\% System”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32769:idle1)\% Wait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32769:idle1)\% VmWait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32769:idle1)\% Ready”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32769:idle1)\% Idle”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32769:idle1)\% Overlap”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32769:idle1)\% CoStop”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32769:idle1)\% Max Limited”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32769:idle1)\% Swap Wait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32770:idle2)\% Used”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32770:idle2)\% Run”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32770:idle2)\% System”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32770:idle2)\% Wait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32770:idle2)\% VmWait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32770:idle2)\% Ready”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32770:idle2)\% Idle”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32770:idle2)\% Overlap”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32770:idle2)\% CoStop”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32770:idle2)\% Max Limited”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32770:idle2)\% Swap Wait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32771:idle3)\% Used”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32771:idle3)\% Run”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32771:idle3)\% System”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32771:idle3)\% Wait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32771:idle3)\% VmWait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32771:idle3)\% Ready”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32771:idle3)\% Idle”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32771:idle3)\% Overlap”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32771:idle3)\% CoStop”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32771:idle3)\% Max Limited”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32771:idle3)\% Swap Wait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32778:idle0)\% Used”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32778:idle0)\% Run”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32778:idle0)\% System”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32778:idle0)\% Wait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32778:idle0)\% VmWait”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32778:idle0)\% Ready”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32778:idle0)\% Idle”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32778:idle0)\% Overlap”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32778:idle0)\% CoStop”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32778:idle0)\% Max Limited”,”\\localhost.shocknetwork.com\Vcpu(1:idle:32778:idle0)\% Swap Wait”,”\\localhost.shocknetwork.com\Group Cpu(2:system)\Members”,”\\localhost.shocknetwork.com\Group Cpu(2:system)\% Used”,”\\localhost.shocknetwork.com\Group Cpu(2:system)\% Run”,”\\localhost.shocknetwork.com\Group Cpu(2:system)\% System”,”\\localhost.shocknetwork.com\Group Cpu(2:system)\% Wait”,”\\localhost.shocknetwork.com\Group Cpu(2:system)\% Ready”,”\\localhost.shocknetwork.com\Group Cpu(2:system)\% Idle”,”\\localhost.shocknetwork.com\Group Cpu(2:system)\% Overlap”,”\\localhost.shocknetwork.com\Group Cpu(2:system)\% CoStop”,”\\localhost.shocknetwork.com\Group Cpu(2:system)\% Max Limited”,”\\localhost.shocknetwork.com\Group Cpu(2:system)\% Swap Wait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32772:SVGAConsole)\% Used”,”\\localhost.shocknetwork.com\Vcpu(2:system:32772:SVGAConsole)\% Run”,”\\localhost.shocknetwork.com\Vcpu(2:system:32772:SVGAConsole)\% System”,”\\localhost.shocknetwork.com\Vcpu(2:system:32772:SVGAConsole)\% Wait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32772:SVGAConsole)\% VmWait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32772:SVGAConsole)\% Ready”,”\\localhost.shocknetwork.com\Vcpu(2:system:32772:SVGAConsole)\% Idle”,”\\localhost.shocknetwork.com\Vcpu(2:system:32772:SVGAConsole)\% Overlap”,”\\localhost.shocknetwork.com\Vcpu(2:system:32772:SVGAConsole)\% CoStop”,”\\localhost.shocknetwork.com\Vcpu(2:system:32772:SVGAConsole)\% Max Limited”,”\\localhost.shocknetwork.com\Vcpu(2:system:32772:SVGAConsole)\% Swap Wait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32773:debugtermlivedump)\% Used”,”\\localhost.shocknetwork.com\Vcpu(2:system:32773:debugtermlivedump)\% Run”,”\\localhost.shocknetwork.com\Vcpu(2:system:32773:debugtermlivedump)\% System”,”\\localhost.shocknetwork.com\Vcpu(2:system:32773:debugtermlivedump)\% Wait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32773:debugtermlivedump)\% VmWait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32773:debugtermlivedump)\% Ready”,”\\localhost.shocknetwork.com\Vcpu(2:system:32773:debugtermlivedump)\% Idle”,”\\localhost.shocknetwork.com\Vcpu(2:system:32773:debugtermlivedump)\% Overlap”,”\\localhost.shocknetwork.com\Vcpu(2:system:32773:debugtermlivedump)\% CoStop”,”\\localhost.shocknetwork.com\Vcpu(2:system:32773:debugtermlivedump)\% Max Limited”,”\\localhost.shocknetwork.com\Vcpu(2:system:32773:debugtermlivedump)\% Swap Wait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32774:logSysAlert)\% Used”,”\\localhost.shocknetwork.com\Vcpu(2:system:32774:logSysAlert)\% Run”,”\\localhost.shocknetwork.com\Vcpu(2:system:32774:logSysAlert)\% System”,”\\localhost.shocknetwork.com\Vcpu(2:system:32774:logSysAlert)\% Wait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32774:logSysAlert)\% VmWait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32774:logSysAlert)\% Ready”,”\\localhost.shocknetwork.com\Vcpu(2:system:32774:logSysAlert)\% Idle”,”\\localhost.shocknetwork.com\Vcpu(2:system:32774:logSysAlert)\% Overlap”,”\\localhost.shocknetwork.com\Vcpu(2:system:32774:logSysAlert)\% CoStop”,”\\localhost.shocknetwork.com\Vcpu(2:system:32774:logSysAlert)\% Max Limited”,”\\localhost.shocknetwork.com\Vcpu(2:system:32774:logSysAlert)\% Swap Wait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32775:serialLogger)\% Used”,”\\localhost.shocknetwork.com\Vcpu(2:system:32775:serialLogger)\% Run”,”\\localhost.shocknetwork.com\Vcpu(2:system:32775:serialLogger)\% System”,”\\localhost.shocknetwork.com\Vcpu(2:system:32775:serialLogger)\% Wait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32775:serialLogger)\% VmWait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32775:serialLogger)\% Ready”,”\\localhost.shocknetwork.com\Vcpu(2:system:32775:serialLogger)\% Idle”,”\\localhost.shocknetwork.com\Vcpu(2:system:32775:serialLogger)\% Overlap”,”\\localhost.shocknetwork.com\Vcpu(2:system:32775:serialLogger)\% CoStop”,”\\localhost.shocknetwork.com\Vcpu(2:system:32775:serialLogger)\% Max Limited”,”\\localhost.shocknetwork.com\Vcpu(2:system:32775:serialLogger)\% Swap Wait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32776:tlbflushcount)\% Used”,”\\localhost.shocknetwork.com\Vcpu(2:system:32776:tlbflushcount)\% Run”,”\\localhost.shocknetwork.com\Vcpu(2:system:32776:tlbflushcount)\% System”,”\\localhost.shocknetwork.com\Vcpu(2:system:32776:tlbflushcount)\% Wait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32776:tlbflushcount)\% VmWait”,”\\localhost.shocknetwork.com\Vcpu(2:system:32776:tlbflushcount)\% Ready

Continue reading

SSH without a password using keys troubleshooting – use RSA instead?

I used a procedure from this: http://sshkeychain.sourceforge.net/mirrors/SSH-with-Keys-HOWTO/SSH-with-Keys-HOWTO-4.html

Basically, you just run ssh-keygen to generate a public key and put it on the server’s ~/.ssh/authorized_keys file and that’s about it. The issue I can into was that the server did not accept DSA keys, but accepted RSA keys.

If you suspect that you’re running into the same problem, you can add the “-v” argument to your ssh command and confirm. You should see something like this:
debug1: Skipping ssh-dss key /Users/altonyu/.ssh/id_dsa – not in PubkeyAcceptedKeyTypes

If that’s the case, try using rsa keys. You can generate the RSA key by running:

ssh-keygen -t rsa

Copy the key over to the server’s authorized_keys file and you should get in immediately!

Signing certificates for Apache or NGINX and Trusting them in your browser.

I know there are a ton of postings on how to sign your own SSL certificates.¬†I¬†just think there’s too much out there (including in my own blog) and none that are very simple.¬†Recently, I figured that I would do it myself (again).

Are you sick of seeing something like this Screen Shot 2016-05-17 at 5.36.16 PM in your browser bar?

Rather see something like this? Screen Shot 2016-05-17 at 5.36.32 PM

I’ll show you how to do it for free.

First off, We create a Certificate Authority. This is the guy that will vouch for your server to say that he is who he is.

You create the new CA by running:

On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -newca
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -newca

Here’s the output:

alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...................+++
...............................................................................................................+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ShocKNetworK
Organizational Unit Name (eg, section) []:Security
Common Name (e.g. server FQDN or YOUR name) []:alton-mbp.shocknetwork.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /opt/local/etc/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number: 9449349124978877974 (0x8322d4f6e103a616)
 Validity
 Not Before: May 17 23:00:51 2016 GMT
 Not After : May 17 23:00:51 2019 GMT
 Subject:
 countryName = US
 stateOrProvinceName = California
 organizationName = ShocKNetworK
 organizationalUnitName = Security
 commonName = alton-mbp.shocknetwork.com
 emailAddress = [email protected]
 X509v3 extensions:
 X509v3 Subject Key Identifier:
 C5:5E:16:99:96:81:1F:1D:BE:D2:FE:81:B0:57:34:A1:19:24:D8:AF
 X509v3 Authority Key Identifier:
 keyid:C5:5E:16:99:96:81:1F:1D:BE:D2:FE:81:B0:57:34:A1:19:24:D8:AF

X509v3 Basic Constraints:
 CA:TRUE
Certificate is to be certified until May 17 23:00:51 2019 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Next, you go and get the certificate request. With typical Linux applications, you would request a certificate with the following command:

On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -newreq
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -newreq

Output:

alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -newreq
Generating a 2048 bit RSA private key
.........................+++
........+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Riverbed
Organizational Unit Name (eg, section) []:Tech Marketing Lab
Common Name (e.g. server FQDN or YOUR name) []:alton-web-server.pod3.techmktg.lab
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

Now, let’s¬†sign the certificate you just requested.

On Mac OS X:
/System/Library/OpenSSL/misc/CA.sh -sign
or on an Ubuntu system:
/usr/lib/ssl/misc/CA.pl -sign

Output:

alyu1-mbpr:~ alyu$ /System/Library/OpenSSL/misc/CA.sh -sign
Using configuration from /opt/local/etc/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number: 10013577564278676468 (0x8af75fbd91a6dbf4)
 Validity
 Not Before: May 23 00:34:03 2016 GMT
 Not After : May 23 00:34:03 2017 GMT
 Subject:
 countryName = US
 stateOrProvinceName = California
 localityName = San Francisco
 organizationName = Riverbed
 organizationalUnitName = Tech Marketing Lab
 commonName = alton-web-server.pod3.techmktg.lab
 emailAddress = [email protected]
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 F1:A4:7E:2E:DA:2B:29:96:6C:B6:F1:2C:C5:CD:43:34:6D:2B:75:5E
 X509v3 Authority Key Identifier:
 keyid:43:52:6A:22:33:C4:67:E9:3B:17:DF:DD:20:5D:77:59:E1:C4:EC:67

Certificate is to be certified until May 23 00:34:03 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number: 10013577564278676468 (0x8af75fbd91a6dbf4)
 Signature Algorithm: sha256WithRSAEncryption
 Issuer: C=US, ST=California, O=Riverbed, OU=Security, CN=securityserver.riverbed.com/[email protected]
 Validity
 Not Before: May 23 00:34:03 2016 GMT
 Not After : May 23 00:34:03 2017 GMT
 Subject: C=US, ST=California, L=San Francisco, O=Riverbed, OU=Tech Marketing Lab, CN=alton-web-server.pod3.techmktg.lab/[email protected]
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (2048 bit)
 Modulus:
 00:9a:17:37:3b:68:4a:5c:60:73:c5:5f:bb:40:39:
 b0:ed:eb:df:76:f1:1c:37:c0:3a:71:82:5d:d6:1c:
 04:a1:24:1c:d6:26:c0:cc:f3:1f:51:f9:b8:d4:65:
 f2:fb:ec:6e:87:42:12:e5:ec:0c:38:53:91:62:8a:
 2e:1e:be:33:e9:f4:ce:8d:92:f8:81:cd:bd:52:67:
 85:c6:ec:85:d2:29:33:37:a2:fb:d9:23:0c:47:62:
 d8:8b:03:12:12:ff:9f:61:83:a7:9b:18:37:8c:37:
 87:f1:dc:66:bc:6c:2c:19:87:dc:29:c1:8e:ab:d3:
 cf:6d:d5:2c:a8:9e:11:ea:81:b9:c0:d0:5d:28:a0:
 d8:fe:dd:fe:e2:4d:ad:a5:74:9a:42:40:c8:e8:9e:
 92:37:c2:39:ec:4c:21:1c:88:69:ec:5c:77:1e:f0:
 48:0e:8a:df:69:4b:af:6e:c4:cb:4f:80:02:e4:38:
 ea:ee:ad:bd:82:df:ae:47:a5:e5:39:7e:6f:18:65:
 12:bd:a1:79:f7:f7:73:1a:8d:71:17:31:5b:f7:66:
 eb:e6:80:1e:4b:bf:65:33:7d:e7:2c:94:38:8c:13:
 ee:06:99:56:fd:f7:70:24:a0:4d:d5:c4:0f:df:48:
 84:88:83:4f:c3:59:50:d2:e9:9b:f4:bc:02:c1:c1:
 3f:ad
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 F1:A4:7E:2E:DA:2B:29:96:6C:B6:F1:2C:C5:CD:43:34:6D:2B:75:5E
 X509v3 Authority Key Identifier:
 keyid:43:52:6A:22:33:C4:67:E9:3B:17:DF:DD:20:5D:77:59:E1:C4:EC:67

Signature Algorithm: sha256WithRSAEncryption
 72:85:da:b3:57:f6:4d:49:df:33:ae:f3:bd:58:99:d2:fc:ca:
 af:03:63:07:3a:16:f9:69:ea:50:db:97:30:d5:fe:71:a8:90:
 4a:3c:88:04:49:b7:a3:14:6d:e1:14:8e:96:80:77:e8:6f:9c:
 26:07:35:75:fa:d2:e5:48:93:b7:0c:64:7f:d4:29:32:f8:da:
 f1:6f:12:1b:8f:50:d3:e8:79:e0:ff:f0:86:80:bc:14:73:52:
 21:c5:71:f2:70:ba:7b:db:11:4c:b7:9c:9e:b8:66:ed:4f:d8:
 9b:b6:c3:d1:18:c6:e7:a2:25:f6:80:3d:02:b8:98:56:9c:80:
 81:76:cb:f1:4a:c7:0d:4a:8b:7e:7b:41:e0:82:95:b5:bf:34:
 2f:6f:8e:91:cf:43:40:c0:91:4d:43:9c:4a:c6:2f:bf:69:de:
 5d:fa:a9:ed:1c:63:eb:85:a1:97:fa:53:95:f0:ac:a1:55:db:
 72:61:eb:3f:dc:ff:2b:77:38:f5:c2:9e:26:ca:41:b4:67:b2:
 9a:5d:b7:84:23:0d:89:b4:f3:f1:1b:e2:f5:55:f9:4b:bf:24:
 40:2d:77:55:4d:b8:b0:76:23:50:e2:bc:74:9f:38:4c:27:42:
 a2:4d:3f:67:dc:ea:b3:d3:69:ee:85:2c:eb:ab:a0:f1:d2:29:
 a5:45:c1:a1
-----BEGIN CERTIFICATE-----
MIIEUTCCAzmgAwIBAgIJAIr3X72Rptv0MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD
VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTERMA8GA1UECgwIUml2ZXJiZWQx
ETAPBgNVBAsMCFNlY3VyaXR5MSQwIgYDVQQDDBtzZWN1cml0eXNlcnZlci5yaXZl
cmJlZC5jb20xJDAiBgkqhkiG9w0BCQEWFWFsdG9uLnl1QHJpdmVyYmVkLmNvbTAe
Fw0xNjA1MjMwMDM0MDNaFw0xNzA1MjMwMDM0MDNaMIG9MQswCQYDVQQGEwJVUzET
MBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzERMA8G
A1UECgwIUml2ZXJiZWQxGzAZBgNVBAsMElRlY2ggTWFya2V0aW5nIExhYjErMCkG
A1UEAwwiYWx0b24td2ViLXNlcnZlci5wb2QzLnRlY2hta3RnLmxhYjEkMCIGCSqG
SIb3DQEJARYVYWx0b24ueXVAcml2ZXJiZWQuY29tMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAmhc3O2hKXGBzxV+7QDmw7evfdvEcN8A6cYJd1hwEoSQc
1ibAzPMfUfm41GXy++xuh0IS5ewMOFORYoouHr4z6fTOjZL4gc29UmeFxuyF0ikz
N6L72SMMR2LYiwMSEv+fYYOnmxg3jDeH8dxmvGwsGYfcKcGOq9PPbdUsqJ4R6oG5
wNBdKKDY/t3+4k2tpXSaQkDI6J6SN8I57EwhHIhp7Fx3HvBIDorfaUuvbsTLT4AC
5Djq7q29gt+uR6XlOX5vGGUSvaF59/dzGo1xFzFb92br5oAeS79lM33nLJQ4jBPu
BplW/fdwJKBN1cQP30iEiINPw1lQ0umb9LwCwcE/rQIDAQABo3sweTAJBgNVHRME
AjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
ZTAdBgNVHQ4EFgQU8aR+LtorKZZstvEsxc1DNG0rdV4wHwYDVR0jBBgwFoAUQ1Jq
IjPEZ+k7F9/dIF13WeHE7GcwDQYJKoZIhvcNAQELBQADggEBAHKF2rNX9k1J3zOu
871YmdL8yq8DYwc6Fvlp6lDblzDV/nGokEo8iARJt6MUbeEUjpaAd+hvnCYHNXX6
0uVIk7cMZH/UKTL42vFvEhuPUNPoeeD/8IaAvBRzUiHFcfJwunvbEUy3nJ64Zu1P
2Ju2w9EYxueiJfaAPQK4mFacgIF2y/FKxw1Ki357QeCClbW/NC9vjpHPQ0DAkU1D
nErGL79p3l36qe0cY+uFoZf6U5XwrKFV23Jh6z/c/yt3OPXCnibKQbRnsppdt4Qj
DYm08/Eb4vVV+Uu/JEAtd1VNuLB2I1DivHSfOEwnQqJNP2fc6rPTae6FLOuroPHS
KaVFwaE=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

Now, you probably want to remove the passphrase from the certificate so that Apache or Nginx doesn’t ask you to input it each time you start the service. You can do this by running first backing up the key.pem and then running:

openssl rsa -in newkey.pem -out key.pem

alyu1-mbpr:~ alyu$ cp newkey.pem newkey.pem.orig
alyu1-mbpr:~ alyu$ openssl rsa -in newkey.pem -out key.pem
Enter pass phrase for newkey.pem:
writing RSA key

Make sure you get the “writing RSA key” message. If you don’t, you’ll get a message like this:

alyu1-mbpr:~ alyu$ openssl rsa -in newkey.pem -out key.pemd
Enter pass phrase for newkey.pem:
unable to load Private Key
140735125303376:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
140735125303376:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
140735125303376:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
140735125303376:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:

You now have the necessary files. You’ll want to protect the files in some directory on the system and make them readable only by the web server.

cacert.pem – in the demoCA folder. You can rename it to cacert.crt and just double click on it in Windows or open it with the keychain in Mac and add it to your trusted certificates list.

newcert.pem – this is your certificate. In Apache, it will go with the “SSLCertificateFile” line in the¬†/etc/apache2/sites-enabled/<site> file. In NGINX, it goes in the “ssl_certificate” line in the¬†/etc/nginx/sites-enabled/<site> file.

key.pem – this is your private key file.¬†In Apache, it will go with the¬†SSLCertificateKeyFile” line in the same file. In NGINX, it goes in the¬†ssl_certificate_key line.

Enable SSL on the web server and you should be all set!

 

 

 

 

Using 2 ISPs at home at the same time! Tomato MultiWAN – works great! (Video)

Why do you really need this? When Shibby first put out the firmware with MultiWAN support, I questioned why someone would pay for 2 service providers. Too much bandwidth utilization? If you need more bandwidth, just upgrade your line with your current ISP. It would be cheaper than getting a new line!

Do you need reliability? When you work from home and need to be connected to the Internet for your work and it’s not available, that’s when you might look into a¬†solution like this one! I have Comcast Business. Does that help? No, not really when the problems is with the infrastructure and not a misconfiguration or something internal. It just means that when you call, you talk to someone a little more competent and you can get a person quicker than going through the phone system. You can have someone come on-site a little faster too. That said, the service is the same as that of all other consumers. After a few rains and a couple of Comcast outages (not exactly outages, but huge degradations in service), I started to think about getting a second provider. Luckily, in San Francisco, we have a few options for service providers here. I happen to be lucky enough to have access to 2 different cable providers, Comcast and Wave Broadband (formerly Astound). I used Astound before. It was not bad. My experience was not nearly as bad as what the Yelp reviews say. I’ve now had them for a couple of weeks and still have the same opinion. They seem to be just fine.

So, moving onto the implementation. As you can see from the screenshot, Shibby makes it easy! First configuration the VLAN. It points to a link for where to do it – in advanced settings. You can look at the next screenshot to see an example of the VLAN being set up. I’m using LAN port 1 for the 2nd WAN port.

In this screen however, You might notice my “Load Balance Weight”. The problem with my service providers is that Comcast gives me unlimited bandwidth.¬†Wave Broadband does not. Because of this, I want more connections to go out of the first WAN link and Shibby gives us a couple of ways to do it. First is with “Load Balance Weight”. I’m just setting the 1st link to 2 and 2nd WAN link to 1. You can play with the numbers to try finding¬†your desired balance.

Screen Shot 2016-04-29 at 6.43.42 PM

Screen Shot 2016-04-29 at 6.43.01 PM

Another place to do load balancing is by pinning a particular host to a particular WAN link. For example, I have some traffic I want out of 1 WAN link and some out of another. This way, I can tell my highest traffic hosts to go through WAN1 while some others through WAN2.

Screen Shot 2016-04-29 at 6.47.37 PM

Here’s a status window to show that I have both WANs connected.

Screen Shot 2016-05-01 at 4.23.59 PM

Lastly, you can see from different searches of what’s my IP, that both WAN links are being utilized.

Screen Shot 2016-05-01 at 4.29.15 PM Screen Shot 2016-05-01 at 4.29.26 PM

Please post your comments and share!

How to set the NTP server on all ESX hosts in vCenter at the same time with PowerCLI

I was frustrated with a number of my lab hosts have the wrong times/timezones. Rather than going to each ESXi host to update the time servers, I ran a simple script to do it with PowerCLI.

As before running any script, you must authenticate with the vCenter or the host by running

Connect-VIServer <hostname>

Then, we’ll cycle through each of the ESXi hosts and add an ntp server. Obviously, use the time server you want i.e. time.apple.com or clock.redhat.com ūüôā

Get-VMHost | Add-VMHostNtpServer -ntpserver "0.ubuntu.pool.ntp.org"

With that set, you can then move on to punching the hole through the firewall to request the time from the servers.

get-vmhost | Get-VMHostFirewallException | where {$_.Name -eq "NTP client"} | Set-VMHostFirewallException -Enabled:$true

#Start NTP client service and set to automatic
get-vmhost | Get-VmHostService | Where-Object {$_.key -eq "ntpd"} | Start-VMHostService
get-vmhost | Get-VmHostService | Where-Object {$_.key -eq "ntpd"} | Set-VMHostService -policy "automatic"

How to use PowerCLI to register or unregister a bunch of templates at a time …

I recently resignatured a datastore that housed all of my templates and ran into an issue with a bunch of datastores that wouldn’t unmount and a slew orphaned templates. To get rid of them, I had to unregister them all and then register them, but had a ton, so I¬†didn’t want to do them one at a time.

Unregistering the VM templates is easy. Just select them all, right click and click “remove from inventory”. The registering part is harder – need to browse the datastore and then right click and add to inventory and give it a name.¬†So, I did it with PowerCLI.

The first thing we want to do is get a list of all of the vmtx files in the datastore that the templates reside in. I do it like this:

$vmtxs = gci vmstore:\$((Get-Datacenter -name "DCpod"))\templates -Recurse -Include *.vmtx | select -exp datastorefullpath

You can list it and you should see something like this:

PowerCLI C:\Program Files\VMware\Infrastructure\vSphere PowerCLI> $vmtxs
[templates] Win8.1_Template/Win8.1_Template.vmtx
[templates] Windows 10 template/Windows 10 template.vmtx
[templates] Win2K8R2_Template_1/Win2K8R2_Template.vmtx
[templates] Ubuntu_Server_Template/Ubuntu_Server_Template.vmtx
[templates] Win2K12R2_Template/Win2K12R2_Template.vmtx
[templates] webservertemplate2/webservertemplate2.vmtx

With the list of files, you can loop through and register them all on a particular host like this:

PowerCLI C:\Program Files\VMware\Infrastructure\vSphere PowerCLI> foreach($vmtx in $vmtxs)
{
$currentname = ($vmtx -split "/|\.")[1]
$vm = new-template -name $currentname -templatefilepath $vmtx -vmhost esxhostname.domain.com
}