Implementing Wireless Intrusion Detection System

Posted in Networking, Security on September 28, 2014 by muhrizky

NTP on Linux

Posted in Networking, Security on September 28, 2014 by muhrizky

A couple of months ago I had a task to create an environment in which all network devices are synchronized to within a maximum difference of 2 seconds, which is impossible to set manually other than by using Network Time Protocol (NTP) synchronization. This protocol works on a Stratum number hierarchy where the lowest number should be the most reliable. NTP needs TCP port 123 in order to communicate; do a further check for an exclusion inside the iptables script.

For those who want a straightforward setup, NTP can also run in a Windows environment, which is out of scope for this blog. It is an easy task anyway, done with a left click of the mouse in the Windows interface.

Packages that we need to get from the repository are ntp and ntpdate.
On Debian derivatives, run the command: #apt-get install ntp ntpdate

In Slackware there is no automation for each installation, so we need to know exactly what those packages' dependencies are.

The next step is the most interesting computing experience for anyone who loves the Linux environment: script editing in order to configure the synchronizing server. The script is located at /etc/ntp.conf; find the lines that start with:

# maps to about 1000 low-stratum NTP servers.
# Your server will pick a different set every time
# it starts up.  Please consider joining the
# pool
server iburst
server iburst
server iburst
server iburst

The security part is to restrict synchronization locally to the loopback adapter and, for the primary host, to do broadcasting.

# Local users may interrogate the ntp
# server more closely.
restrict ::1

# If you want to provide time to your
# local subnet, change the next line.
# (Again, the address is an example only.)

Restart the service, which currently is pre-configured as an init script (including the setup of the IP config: static IP, gateway, DNS), by running the command: #service ntp restart

The last step is to monitor the synchronization with the public Stratum servers, which is only possible once all the configuration script and commands are correct. Run the command: #ntpq -p
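Reading `ntpq -p` by eye works for one server, but the task above was to keep every device within 2 seconds, so it is worth turning the output into a pass/fail check. The following is an added example, not code from the post: it parses the peer table (the sample output is constructed, not captured from the post's network), decodes the octal reach register, and applies the post's 2-second requirement as a 2000 ms offset limit, which is an assumption about how that requirement maps to the upstream offset.

```python
"""Parse `ntpq -p` output and check it against a maximum clock offset.

Added example (not from the post). The sample output below is constructed,
not captured from the post's network, and the 2000 ms limit is the post's
"maximum 2 seconds" requirement used as an assumption.
"""

# Constructed sample of `ntpq -p` output: one selected system peer (*), one
# candidate (+), one peer that never answered (stratum 16, refid .INIT.) and
# one outlier (-) with missed polls and a large offset.
SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   35   64  377   12.345   -0.812   0.431
+ntp2.example.net 192.0.2.11       2 u   40   64  377   18.002    1.905   0.720
 ntp3.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000
-ntp4.example.net 192.0.2.12       3 u   20   64  177   30.100 2150.400  15.200
"""

# Meaning of the tally code in the first column of each peer line.
TALLY = {"*": "syspeer", "+": "candidate", "-": "outlier", "#": "backup",
         "x": "falseticker", ".": "excess", "o": "pps", " ": "unused"}


def parse_ntpq(text):
    """Return one dict per peer line; the header and the ==== rule are skipped."""
    peers = []
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue
        remote, refid, st, _t, _when, _poll, reach, _delay, offset, jitter = fields[:10]
        peers.append({
            "tally": TALLY.get(tally, tally),
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            # reach is an octal shift register of the last 8 polls: 377 = all answered
            "reach": int(reach, 8),
            "offset_ms": float(offset),
            "jitter_ms": float(jitter),
        })
    return peers


def check_sync(peers, max_offset_ms=2000.0):
    """Return (ok, problems): ok only if a system peer is selected, every peer
    is reachable with no missed polls, and every offset is within the limit."""
    problems = []
    has_syspeer = False
    for p in peers:
        name = p["remote"]
        if p["tally"] == "syspeer":
            has_syspeer = True
        if p["stratum"] >= 16:
            problems.append(f"{name}: unreachable (stratum 16)")
        elif p["reach"] != 0o377:
            problems.append(f"{name}: reach {p['reach']:o}, recent polls missed")
        if abs(p["offset_ms"]) > max_offset_ms:
            problems.append(f"{name}: offset {p['offset_ms']:.1f} ms exceeds {max_offset_ms:.0f} ms")
    if not has_syspeer:
        problems.append("no system peer selected (no '*' line): clock is not synchronised")
    return (not problems, problems)


def check_sync_from_text(text, max_offset_ms=2000.0):
    """Convenience wrapper: feed the captured text of `ntpq -p` straight in."""
    return check_sync(parse_ntpq(text), max_offset_ms)


if __name__ == "__main__":
    ok, problems = check_sync_from_text(SAMPLE_NTPQ_OUTPUT)
    print("OK" if ok else "NOT OK")
    for line in problems:
        print(" -", line)
```

Run it against the real output with `ntpq -p | python3 check_ntp.py` after swapping the sample for `sys.stdin.read()`; a missing `*` line is the first thing to look for when a freshly restarted ntpd has not yet settled.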

Local client synchronization can be determined by running the command: #ntpdc -c monlist

Update!!! This command is vulnerable to a DoS attack, as mentioned in CVE-2013-5211.

Below is the proposed script modification to apply. It is also strongly recommended to create egress filtering on each data packet flow on your firewall, in order to prevent any further DoS attack from inside the network.

# By default, exchange time with everybody, but don't allow configuration.
restrict default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict mask notrust
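The line that matters most in the block above is `noquery` on the default scope, since that is what stops ntpd from answering the mode 7 monlist request that CVE-2013-5211 is about. The following is an added example, not part of the post: a small auditor that parses the `restrict` lines of an ntp.conf and reports whether the default scope is locked down. `WEAK_CONF` is a constructed configuration missing `noquery`; `HARDENED_CONF` mirrors the post's restrict lines with constructed example addresses filled in. One caveat for the firewall rule mentioned earlier: NTP traffic is UDP port 123, so the iptables exclusion should be written for UDP.

```python
"""Audit the `restrict` lines of an ntp.conf for the mode 6/7 query exposure
behind CVE-2013-5211 (monlist amplification).

Added example, not from the post. WEAK_CONF is a constructed configuration that
lacks `noquery`; HARDENED_CONF mirrors the post's proposed restrict lines with
constructed example addresses filled in.
"""

WEAK_CONF = """\
server ntp.example.net iburst
restrict default kod notrap nomodify nopeer
restrict 127.0.0.1
"""

HARDENED_CONF = """\
server ntp.example.net iburst
# By default, exchange time with everybody, but don't allow configuration.
restrict default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict 192.0.2.0 mask 255.255.255.0 notrust
"""

# Flags the default scope should carry; noquery is the one that shuts off monlist.
REQUIRED_DEFAULT_FLAGS = {"kod", "notrap", "nomodify", "nopeer", "noquery"}


def parse_restricts(text):
    """Return a list of {"family", "scope", "mask", "flags"} for each restrict line.
    A bare `restrict default` is treated as covering both address families (ntpd
    4.2.6 and later); older ntpd needed the separate -6 line the post also has."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        family = "both"
        if tokens and tokens[0] in ("-4", "-6"):
            family = "ipv4" if tokens[0] == "-4" else "ipv6"
            tokens = tokens[1:]
        if not tokens:
            continue
        scope, mask, flags = tokens[0], None, set()
        i = 1
        while i < len(tokens):
            if tokens[i] == "mask" and i + 1 < len(tokens):
                mask = tokens[i + 1]
                i += 2
            else:
                flags.add(tokens[i])
                i += 1
        entries.append({"family": family, "scope": scope, "mask": mask, "flags": flags})
    return entries


def audit_restricts(text):
    """Return a list of findings; an empty list means the default scope is locked down."""
    findings = []
    defaults = [e for e in parse_restricts(text) if e["scope"] == "default"]
    if not defaults:
        return ["no 'restrict default' line: every client gets full access, including monlist"]
    for e in defaults:
        missing = REQUIRED_DEFAULT_FLAGS - e["flags"]
        if "noquery" in missing:
            findings.append(f"restrict default ({e['family']}) lacks noquery: "
                            "mode 6/7 queries such as monlist are answered (CVE-2013-5211)")
        rest = sorted(missing - {"noquery"})
        if rest:
            findings.append(f"restrict default ({e['family']}) lacks {' '.join(rest)}")
    covered = {e["family"] for e in defaults}
    if "both" not in covered:
        for fam in ("ipv4", "ipv6"):
            if fam not in covered:
                findings.append(f"no restrict default for {fam}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_restricts(conf) or ["no findings"])
```

Point it at a real file with `audit_restricts(open("/etc/ntp.conf").read())`; an empty list is the expected result after applying the post's modification.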

Report: Statistics on 2012

Posted in Database on December 31, 2012 by muhrizky

The stats helper prepared a 2012 annual report for this blog.

Here’s an excerpt:

The new Boeing 787 Dreamliner can carry about 250 passengers. This blog was viewed about 1,500 times in 2012. If it were a Dreamliner, it would take about 6 trips to carry that many people.


Cisco NAT Overload with CBAC

Posted in Operating System, Security on June 4, 2012 by muhrizky

The reason behind this note is that there are not many resources one is able to find by navigating Google on how to configure Network Address Translation (NAT) using Cisco routers. I did reread the Todd Lammle book that I used to get my CCNA certification a couple of years ago, digging through Google trying to find a simple NAT configuration with dynamic IP address allocation from the ISP, and found that several sites (including the one written in the CCNA book) have configured it on the Cisco PIX firewall. I have that firewall in my personal lab, so maybe I will write on that later.

The topology shown above is a simple diagram I drew on Gliffy, since they have sleek cloud-based drawing tools. The cable modem gets a digital signal from the ISP, carried by a single coaxial cable, and is also configured as the DHCP relay in order to push an IP address to the customer premises device. The Cisco 2621XM modular access router comes with 2 FastEthernet interfaces, 2 WICs, and 1 NM, supporting up to 256 MB of RAM; mine is upgraded from 64 MB to 128 MB for the CCNA Security certification requirements (Cisco SDM). I installed IOS version 12.2 with Advanced Security on this router so that it can be deployed as a router-based firewall supporting AAA, RADIUS, TACACS, SSH, Audit, CBAC, ZBF, IPS, IDS, and so on. Finally, for daily internet usage, I use a Linksys WAP610N dual-band access point. We could expand this topology to create VLANs and Voice over IP (VoIP), and secure them with a PIX/ASA firewall for greater security, for instance.

I mentioned a lot of terms above that I cannot explain this time, so everyone needs to find out by themselves what exactly NAT is and how it works, what triple A, IPS, IDS, ZBF, and so on are. So I assume that you already know the basics if you want to continue reading. But here I will briefly explain what Cisco CBAC is. Context-Based Access Control (CBAC) is Cisco's stateful inspection firewall technology, based on its Access List (ACL) configuration, which inspects the TCP, UDP, and ICMP protocols up to OSI layer 7 and can prevent DDoS attacks. But since CBAC relies on the ACL, it can lead to human error if we do not plan it well. CBAC has since been improved upon by the Cisco Zone-Based Firewall (ZBF).

Now for the configuration. First we need to configure the basics of the Cisco router; I assume you are configuring from scratch. We can start by doing the cabling, setting the router hostname, and IP addressing for each interface. For security, apply the console password, enable password encryption, set the username and privilege level for SSH or AAA or RADIUS, turn off the HTTP/HTTPS service if you don't use SDM or Cisco Network Assistant (CNA), and so forth. My suggestion: do this config properly to avoid headaches in the further steps!

The following section is the main purpose of this article: to configure NAT and CBAC. Below is the NAT configuration, with the untrusted interface as the DHCP client and the trusted interface acting as the DHCP server:

R18(config)#ip dhcp pool dhcp18
R18(dhcp-config)#default router
Set this to exclude the router and wireless AP addresses.
R18(config)#ip dhcp excluded-address
R18(config)#ip dhcp excluded-address
This must match the IP we get from the ISP.
R18(config)#ip nat pool nat18 netmask
R18(config)#ip access-list extended nat18-ol
R18(config)#permit ip any
R18(config)#ip nat inside source list nat18-ol pool nat18 overload
R18(config)#interface fastethernet0/0
R18(config-if)#ip nat outside
R18(config-if)#interface fastethernet0/1
R18(config-if)#ip nat inside
R18(config-if)#do write memory

For the CBAC AutoSecure firewall:

R18#auto secure firewall
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***
All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]:yes
Enter the number of interfaces facing internet [1]:1
Interface IP-Address OK? Method Status
FastEthernet0/0 YES DHCP up down
FastEthernet0/1 YES NVRAM up down
Enter the interface name that is facing internet:FastEthernet0/0
Configure CBAC Firewall feature? [yes/no]:yes
This is configuration generated:
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface FastEthernet0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
Apply this configuration to running-config? [yes]:yes
Applying the config generated to running-config

I will not guarantee that the AutoSecure firewall will run smoothly and trouble free, since it depends on the Cisco IOS and our exact configuration; this is why I mentioned before that you must configure it appropriately. AutoSecure can be a doom by locking out all of your access to the router, including console access. Then of course we can configure CBAC manually, but I do not want to explain that here, at least not in this part of the note.
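To see why the generated ACL (`permit udp any any eq bootpc` followed by `deny ip any any`) does not break outbound browsing, it helps to trace one packet through both features the post configures: the overload translation on the inside/outside pair, and the `ip inspect ... out` statement that lets CBAC open a temporary hole for the reply. The following is an added example, not Cisco code and not from the post: a Python model of that router. Addresses are documentation ranges chosen here, the inside prefix stands in for the `nat18-ol` access list, and idle timeouts are not modelled.

```python
"""Model of the router in the post: NAT overload (PAT) on the inside/outside
interface pair plus CBAC-style stateful inspection on FastEthernet0/0.

Added example, not Cisco code and not from the post. Addresses are documentation
ranges chosen here; the only static inbound rule is the one AutoSecure generated
(permit udp any any eq bootpc / deny ip any any). Idle timeouts are not modelled.
"""
from dataclasses import dataclass

BOOTPC = 68  # UDP port of the DHCP client, so the ISP's DHCP replies reach the router


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def autosec_firewall_acl(pkt):
    """Static ACL applied inbound on the outside interface (autosec_firewall_acl)."""
    return pkt.proto == "udp" and pkt.dport == BOOTPC  # everything else: deny ip any any


class Router:
    def __init__(self, outside_ip, inside_prefix):
        self.outside_ip = outside_ip          # address the ISP's DHCP handed to Fa0/0
        self.inside_prefix = inside_prefix    # stands in for access-list nat18-ol
        self.next_port = 1024
        self.pat = {}          # (proto, inside_ip, inside_port) -> global port
        self.pat_rev = {}      # (proto, global_port) -> (inside_ip, inside_port)
        self.sessions = set()  # CBAC state: (proto, global_port, remote_ip, remote_port)

    def outbound(self, pkt):
        """Inside -> outside: translate (ip nat inside source ... overload) and
        record the session (ip inspect autosec_inspect out) so the reply can return."""
        if not pkt.src.startswith(self.inside_prefix):
            raise ValueError("source not matched by nat18-ol, not translated")
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.pat:
            gport = self.next_port
            self.next_port += 1
            self.pat[key] = gport
            self.pat_rev[(pkt.proto, gport)] = (pkt.src, pkt.sport)
        gport = self.pat[key]
        self.sessions.add((pkt.proto, gport, pkt.dst, pkt.dport))
        return Packet(pkt.proto, self.outside_ip, gport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside: a packet passes only if CBAC has state for it or the
        static ACL permits it; then reverse PAT. Returns None when dropped."""
        if pkt.dst not in (self.outside_ip, "255.255.255.255"):
            return None
        in_state = (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.sessions
        if not (in_state or autosec_firewall_acl(pkt)):
            return None  # deny ip any any
        inner = self.pat_rev.get((pkt.proto, pkt.dport))
        if inner is None:
            return pkt   # addressed to the router itself, e.g. a DHCP reply
        return Packet(pkt.proto, pkt.src, pkt.sport, inner[0], inner[1])


def demo():
    """Walk a web request out and its reply back, then try an unsolicited connection
    aimed at a port that the PAT table does map: CBAC drops it because no session matches."""
    r = Router("203.0.113.5", "192.168.18.")
    out1 = r.outbound(Packet("tcp", "192.168.18.10", 40000, "198.51.100.7", 80))
    out2 = r.outbound(Packet("tcp", "192.168.18.11", 40000, "198.51.100.7", 80))
    reply = r.inbound(Packet("tcp", "198.51.100.7", 80, "203.0.113.5", out1.sport))
    unsolicited = r.inbound(Packet("tcp", "198.51.100.9", 4444, "203.0.113.5", out1.sport))
    dhcp = r.inbound(Packet("udp", "203.0.113.1", 67, "203.0.113.5", BOOTPC))
    return {"out1": out1, "out2": out2, "reply": reply, "unsolicited": unsolicited, "dhcp": dhcp}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt if pkt is not None else 'dropped'}")
```

Two inside hosts using the same source port get distinct global ports, which is what `overload` buys you over a one-to-one pool, and the DHCP reply is the only traffic the static ACL lets in on its own; remove the inspect statement and even the legitimate HTTP reply would be dropped, which is the lockout scenario the paragraph above warns about.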

New Release!!! [ROM][WWE]O2 Xda Zinc

Posted in Mobile on September 11, 2009 by muhrizky

This is the newest build of Windows Mobile® 6.1 Professional for the O2 Xda Zinc device, which I ported myself. This release is a flat version of the ROM without any 3rd-party applications. Why put something on the device when we can install or choose what is best for each individual?

System Information:
Windows Mobile® 6.1 Professional, Windows CE 5.2 Kernel
Build 21054 A.K.U. 1.6.7
RAM: 51.08 MB, Free 29.35 MB
ROM: 47.42 MB, Free 43.84 MB

News and Guides: Slackware-stable Kernel Upgrade

Posted in Operating System on August 20, 2009 by muhrizky

Yesterday, I read an email from [Slackware-security] which said that they found a serious bug inside the Slackware-stable release. The team was informed by the Google® security team about this security bug. I have used Slackware Linux since 2003, when it was quite hard to find a community, especially from where I lived, that could give information when I encountered problems in Linux. In that year, I was using Slackware 9 with kernel 2.4 and I succeeded in upgrading the kernel (not officially) to the 2.6 version. Kernel 2.6 was a brand-new, interesting thing back in the early 2000s.

Then yesterday, after I read the email, I even thought about not responding to the patches, because I had completely forgotten how to upgrade the kernel. But now in 2K9 it is quite easy to find a guide about kernel upgrading. Actually I only needed two pages from a Google® search. OK, now here's the guide:

1. Download all the kernel packages you need and put them inside one directory; I recommend putting them inside the /usr/src/linux- directory. The packages include kernel-generic-smp, kernel-headers, kernel-modules-smp, and kernel-source (in order to compile your 3D graphics drivers). Also don't forget to grab the kernel-mmap_min_addr_4096 package from the FTP site. FYI, this is the one that has been reported as the bug, because of the kernel map addressing size.

2. Deploy all of the kernel packages using the command:
#installpkg kernel*
Be careful when you execute a command with the star (*) wildcard, and be sure that all of the packages are present.

3. Install the kernel patch for the map addressing size:
#installpkg kernel_mmap-min-addr-4096.tgz

4. Reconfigure mkinitrd; read the other articles on my blog that explain Linux system init:
#cd /boot
#mkinitrd -k -m ext3 -f ext3 -r /dev/sda2

Wait, what are the -m, -f and -r options for? Refer to the mkinitrd man pages.

5. Modify the lilo bootloader configuration using the vi editor:
#vi /etc/lilo.conf
Find the lines that start with:

#Linux bootable partition config begins
image = /boot/vmlinuz-generic-smp-
initrd = /boot/initrd.gz
root = /dev/sda2
label = Slackware
#Linux bootable partition config ends

6. Reinstall lilo by running command:
#lilo -v

7. Restart your machine. Wait and see if all of our system init works normally and does not show you the Kernel panic!!! message.

8. Download the new svgalib_helper package, recompile it for this new kernel subversion, then install it.
#installpkg svgalib_helper-1.9.2_2.6.27.31.tgz

9. Reinstall your 3D graphics drivers. It will be better if you have the latest version.

NB. If you find an error related to ALSA sound, it needs to be reconfigured. Run this command:
#alsactl store
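Step 7 is where a kernel upgrade usually goes wrong: the new vmlinuz is installed but `lilo.conf` still names a file that is not there, or `mkinitrd` was never rerun so the initrd on disk predates the kernel it is supposed to boot. The following is an added example, not part of the post: a pre-flight check to run before `lilo -v` that parses the image stanzas and verifies the files they reference. The lilo.conf text and the fake filesystem are constructed; the file names follow the post's 2.6.27.31 kernel but are assumptions, and the `exists`/`mtime` hooks are injectable so the same code runs against the real /boot.

```python
"""Pre-flight check before `lilo -v`: each image stanza in lilo.conf must point at
files that exist, and the initrd must be newer than the kernel it boots, because a
stale initrd after a kernel upgrade is a common reason for the "Kernel panic" of step 7.

Added example, not from the post. The lilo.conf text and the fake filesystem below
are constructed; file names follow the post's 2.6.27.31 kernel but are assumptions.
"""
import os

SAMPLE_LILO_CONF = """\
# Linux bootable partition config begins
image = /boot/vmlinuz-generic-smp-2.6.27.31-smp
  initrd = /boot/initrd.gz
  root = /dev/sda2
  label = Slackware
# Linux bootable partition config ends
image = /boot/vmlinuz-old
  root = /dev/sda2
  label = Old
"""

# Constructed filesystem: path -> modification time (seconds). In STALE_FS the
# initrd is older than the new kernel, i.e. mkinitrd was not rerun after installpkg.
STALE_FS = {"/boot/vmlinuz-generic-smp-2.6.27.31-smp": 200, "/boot/initrd.gz": 100, "/dev/sda2": 0}
FRESH_FS = {"/boot/vmlinuz-generic-smp-2.6.27.31-smp": 200, "/boot/initrd.gz": 300, "/dev/sda2": 0}


def parse_lilo_conf(text):
    """Group `image =` stanzas with their initrd/root/label lines."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "image":
            current = {"image": value}
            stanzas.append(current)
        elif current is not None and key in ("initrd", "root", "label"):
            current[key] = value
    return stanzas


def check_stanzas(stanzas, exists=os.path.exists, mtime=os.path.getmtime):
    """Return a list of problems; `exists`/`mtime` are injectable so the check can
    run against the real /boot or against a constructed dictionary."""
    problems = []
    for s in stanzas:
        label, image, initrd = s.get("label", s["image"]), s["image"], s.get("initrd")
        if not exists(image):
            problems.append(f"{label}: kernel {image} missing")
        if initrd is not None:
            if not exists(initrd):
                problems.append(f"{label}: initrd {initrd} missing")
            elif exists(image) and mtime(initrd) < mtime(image):
                problems.append(f"{label}: initrd is older than the kernel, rerun mkinitrd")
        if "root" in s and not exists(s["root"]):
            problems.append(f"{label}: root device {s['root']} not present")
    return problems


def check_conf_against(text, fs):
    """Run the check against a path->mtime dictionary instead of the real filesystem."""
    return check_stanzas(parse_lilo_conf(text), exists=lambda p: p in fs, mtime=lambda p: fs[p])


if __name__ == "__main__":
    for name, fs in (("stale", STALE_FS), ("fresh", FRESH_FS)):
        print(name, "->", check_conf_against(SAMPLE_LILO_CONF, fs) or ["ready for lilo -v"])
```

On a real box, `check_stanzas(parse_lilo_conf(open("/etc/lilo.conf").read()))` uses the default `os.path` hooks; keeping the old kernel's stanza in lilo.conf, as the sample does, is what gives you a fallback if the new one panics.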

How 802.1x Authentication Works

Posted in Security on May 8, 2009 by muhrizky

If anyone ever visits HowStuffWorks, there we can find a lot of information about how objects work. Furthermore, in relation to understanding, the site gave me a good example of how to inform or explain something technical. In this massive information era, the definition of terms is often too simple. But in my view, a simple explanation is not enough to make someone understand. In my opinion, a human can truly understand technical terms, and not let the words drop out of memory, only if we not just know what this or that is but also know how this or that works.

802.1x, in computing terms, is a method for authenticating a client, i.e. checking whether a network transmission comes from a valid sender. 802.1x authentication can be implemented to secure wireless networking. According to several resources, this method is sometimes also known as RADIUS authentication, but actually RADIUS is a server that provides the authentication service. 802.1x can also be combined with Active Directory or Lightweight Directory Access Protocol (LDAP) to increase security. The explanation below describes how 802.1x authentication works as a step-by-step process:

  1. The wireless client sends a request to the wireless access point,
  2. The access point asks the wireless client for its identity information,
  3. The wireless client sends the identity information to the wireless access point,
  4. The wireless access point sends the wireless client's identity information to the RADIUS server,
  5. The RADIUS server checks its connection request policies to verify whether the wireless access point is valid,
  6. If the access point is valid, the RADIUS server checks its remote access policies to verify whether the wireless client is authorized,
  7. The client identity is forwarded to the domain controller for authentication,
  8. The domain controller returns the result to the RADIUS server,
  9. The RADIUS server analyzes its policies to apply any constraints, in case the wireless client is authenticated by the domain controller,
  10. If the client is still valid, the RADIUS server sends an acknowledgement message to the access point, indicating acceptance of the request,
  11. Once the access point receives the message, it generates WEP keys and forwards the keys to the wireless client,
  12. The client uses the WEP keys to access the network.
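Steps 5 and 10 both rest on the same thing: a shared secret configured on the access point and on the RADIUS server. The access point proves it holds the secret with the Message-Authenticator attribute (an HMAC-MD5 over the request, RFC 2869 section 5.14), and it only trusts the Accept in step 10 after recomputing the Response Authenticator (MD5 over the reply, the original Request Authenticator and the secret, RFC 2865 section 3). The following is an added example, not from the post, that builds and checks both values at the packet level; the secrets, identifiers and attribute values are constructed, and the EAP conversation and the step-11 key delivery are not modelled.

```python
"""RADIUS packet integrity behind steps 5 and 10 of the 802.1x flow: the access
point proves to the RADIUS server that it holds the shared secret
(Message-Authenticator, RFC 2869 section 5.14), and the server's Access-Accept is
verified by the access point through the Response Authenticator (RFC 2865 section 3).

Added example, not from the post. Secrets, identifiers and attribute values are
constructed; the EAP conversation and the step-11 key delivery are not modelled.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_IDENTIFIER, ATTR_MESSAGE_AUTHENTICATOR = 1, 32, 80
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; length covers the 2 header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, request_auth, attrs, secret):
    """Access point side (step 4): HMAC-MD5 over the packet with the
    Message-Authenticator value zeroed, keyed with the shared secret."""
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = encode_attrs(attrs[:-1] + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])
    return header + request_auth + body


def verify_access_request(packet, secret):
    """RADIUS server side (step 5): only an access point that knows the secret
    can have produced a valid Message-Authenticator."""
    header, request_auth, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if len(packet) < HEADER_LEN or struct.unpack("!BBH", header)[2] != len(packet):
        return False
    attrs = decode_attrs(body)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def build_response(code, ident, request_auth, attrs, secret):
    """RADIUS server side (step 10):
    ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(packet, request_auth, secret):
    """Access point side (steps 10-11): recompute the Response Authenticator with the
    original Request Authenticator before acting on an Accept."""
    header, resp_auth, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    if len(packet) < HEADER_LEN or struct.unpack("!BBH", header)[2] != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo(secret=b"constructed-shared-secret", wrong_secret=b"guess"):
    """Genuine exchange, a reply forged without the secret, and a Reject flipped to Accept."""
    request_auth = os.urandom(16)  # fresh per request; it is what ties the reply to the request
    req = build_access_request(7, request_auth,
                               [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IDENTIFIER, b"wap-lab")], secret)
    accept = build_response(ACCESS_ACCEPT, 7, request_auth, [], secret)
    forged = build_response(ACCESS_ACCEPT, 7, request_auth, [], wrong_secret)
    reject = build_response(ACCESS_REJECT, 7, request_auth, [], secret)
    flipped = bytes([ACCESS_ACCEPT]) + reject[1:]  # on-path tampering of the Code field
    return {
        "request_ok": verify_access_request(req, secret),
        "request_ok_wrong_secret": verify_access_request(req, wrong_secret),
        "accept_ok": verify_response(accept, request_auth, secret),
        "forged_accept_ok": verify_response(forged, request_auth, secret),
        "flipped_reject_ok": verify_response(flipped, request_auth, secret),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} {ok}")
```

The last two cases in `demo` are the ones that matter for a wireless deployment: a reply built without the secret, or a Reject rewritten into an Accept on the wire, fails the access point's check, so the shared secret is what stands between the RADIUS server and a rogue answer, and it deserves the same handling as any other credential.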

Types of authentication method for RADIUS itself can be:

  • Protected Extensible Authentication Protocol (PEAP-EAP): the client authenticates by validating the certificate supplied by the server and acquires the master key.
  • PEAP-EAP-Microsoft Challenge Handshake Authentication Protocol (MSCHAPv2): the same as PEAP-EAP, but the authentication process must also pass Active Directory validation from the domain controller.
  • Secure Socket Layer/Secure Shell (SSL/SSH): creates a tunnel in a separate network layer for authentication.