Archive for the Operating System Category

Cisco NAT Overload with CBAC

Posted in Operating System, Security with tags , , on June 4, 2012 by muhrizky

The reason behind this note that there is not many resource someone’s able to find by navigating Google, on how-to configure Network Address Translation (NAT) using Cisco routers. I do reread Todd Lammle book that i used to get my CCNA certification a couple of years ago, digging through Google tying to find a simple NAT configuration with dynamic IP address allocation from the ISP, and found several site (including which was wrote in the CCNA book) have configured it on the Cisco PIX firewall. I have that firewall in my personal lab so maybe i will write on that later.

Topology shown above is a simple diagram i draw it on Gliffy since they have sleek cloud-based drawing tools. The cable modem is getting a digital signal from the ISP, carried by a single coaxial cable which also have configured to be the DHCP relay in order to push IP address to consumer premises device. Cisco 2621XM modular access router came with 2 FastEthernet interface, 2 WIC, and 1 NM supporting up to 256 MB of RAM, mine is upgraded from 64 MB to 128 MB for CCNA Security certification requirements (Cisco SDM). I installed IOS version 12.2 with Advanced Security into this router so that it can be deploy as a router-based firewall supporting AAA, Radius, TACACS, SSH, Audit, CBAC, ZBF, IPS, IDS, and so on. Finally for daily internet usage, i used Linksys WAP610N dual-band access point. Actually we can expand this topology to create VLAN, Voice over IP (VoIP), secure them with PIX/ASA firewall for greater security for instance.

I mention a lot of terms above that i cannot explain this time, so everyone needs to find by ownself about what exactly is NAT and how it works, what is triple A, IPS, IDS, ZBF, and so on. So i assume that you are already know the basic if you want to continue reading. But here i will explain a brief on what is Cisco CBAC. Context-Based Access Control (CBAC) is Cisco stateful inspection firewall technology based on its Access List (ACL) configuration which will inspect TCP, UDP, and ICMP protocol up to OSI layer 7 and can prevent DDoS attacks. But since CBAC rely on the ACL, it can creates human error if we do not planning it well. Currently CBAC is been improved by Cisco Zone Based Firewall (ZBF).

Now for the configuration, first we need to configure the basic of Cisco router, i assume you are configuring from the scratch. We can start it by doing cables, set the router hostname, and IP addressing for each interfaces. For security, apply the console password, do password encryption, set username and privilege level for SSH or AAA or Radius, turn off HTTP/HTTPS service if you don’t do SDM or Cisco Network Assistant (CNA), and so forth. My suggestion: do this config accordingly to avoid your headache in further steps!

This following section is the main purpose for this article; to configure NAT and CBAC. Below is the NAT configuration, untrusted interface as the DHCP client and trusted interface resides as the DHCP server:

R18(config)#ip dhcp pool dhcp18
R18(dhcp-config)#default router 172.16.1.1
R18(dhcp-config)#network 172.16.1.0 255.255.255.224
R18(dhcp-config)#dns-servers 8.8.8.8 8.8.4.4
R18(dhcp-config)#exit
!---
set this to exclude router and wireless AP address.
R18(config)#ip dhcp excluded-address 172.16.1.1
R18(config)#ip dhcp excluded-address 172.16.1.7
!---
must be match on IP we get from the ISP
R18(config)#ip nat pool nat18 118.137.37.7 118.137.37.7 netmask 255.255.255.0
!---
ACL for NAT
R18(config)#ip access-list extended nat18-ol
R18(config)#permit ip 172.16.1.0 0.0.0.31 any
R18(config)#ip nat inside source list nat18-ol pool nat18 overload
R18(config)#interface fastethernet0/0
R18(config-if)#ip nat outside
R18(config-if)#interface fastethernet0/1
R18(config-if)#ip nat inside
R18(config-if)#do write memory

For CBAC auto secure firewall:

R18#auto secure firewall
--- AutoSecure Configuration ---
*** AutoSecure configuration enhances the security of the router but it will not make router absolutely secure from all security attacks ***
All the configuration done as part of AutoSecure will be shown here. For more details of why and how this configuration is useful, and any possible side effects, please refer to Cisco documentation of AutoSecure.
At any prompt you may enter '?' for help.
Use ctrl-c to abort this session at any prompt.
Gathering information about the router for AutoSecure
Is this router connected to internet? [no]:yes
Enter the number of interfaces facing internet [1]:1
Interface IP-Address OK? Method Status
Protocol
FastEthernet0/0 118.137.37.7 YES DHCP up down
FastEthernet0/1 172.16.1.1 YES NVRAM up down
Enter the interface name that is facing internet:FastEthernet0/0
Configure CBAC Firewall feature? [yes/no]:yes
This is configuration generated:
ip inspect audit-trail
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect udp idle-time 1800
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
interface FastEthernet0/0
ip inspect autosec_inspect out
ip access-group autosec_firewall_acl in
!
end
Apply this configuration to running-config? [yes]:<strong>yes</strong>
Applying the config generated to running-config

I will not guarantee that the auto secure firewall will be running smoothly and trouble free since it depends on Cisco IOS and our exact configuration, this is why i mentioned before that you must configure it appropriately. AutoSecure can be a doom by locking all of your access to the router, including console access. Then of course we can configure CBAC manually but hence i do not want to explain it here, at least not for this part of note.

News and Guides: Slackware-stable Kernel Upgrade

Posted in Operating System with tags , , on August 20, 2009 by muhrizky

Yesterday, i read an email from [Slackware-security] which said that they found a serious bug inside Slackware-stable release. The team informed by Google® security team on this security bug. I use Slackware Linux since 2003 where in that year is quite hard to find community, especially from where i lived, can give an information when I encountered problems in Linux. In that year, I was using Slackware 9 with kernel 2.4 and I have succeed to upgrade the kernel (not officially) into 2.6 version. Kernel 2.6 was a brand-new interesting things back in the early year of 2K.

Then yesterday after I read the email, I even think about not to respond for the patches. Because I completely forgot about how to upgrade the kernel. But now in 2K9 it is quite easy to find guide about kernel upgrading. Actually I only need two pages from Google® search. Ok now here’s the guide:

1. Download all the kernel packages you need and put them inside one directory, I recommend you to put them inside /usr/src/linux-2.6.27.31 directory. The packages itself including: kernel-generic-smp, kernel-headers, kernel-modules-smp, and kernel-source in order to compile your 3D graphic drivers. Also don’t forget to grab the kernel-mmap_min_addr_4096 package from the FTP site. FYI, this is the one that has been reported as the bug because of the kernel map addressing size.

2. Deploy all of the kernel packages by using command:
#installpkg kernel*
Be careful when you execute command with star (*) wildcard and be sure that all of the packages is served.

3. Install the kernel patch in terms of the map addressing size:
#installpkg kernel_mmap-min-addr-4096.tgz

4. Reconfigure mkinitrd, read about another articles that explains about Linux system init at my blog:
#cd /boot
#mkinitrd -k 2.6.27.31-smp -m ext3 -f ext3 -r /dev/sda2

Wait, what is -m, -f, -r functions for? Refer to the mkinitrd man pages.

5. Modify lilo bootloader configuration by using vi editor:
#vi /etc/lilo.conf
Find the line that starts with:

#Linux bootable partition config begins
image = /boot/vmlinuz-generic-smp-2.6.27.31-smp
initrd = /boot/initrd.gz
root = /dev/sda2
label = Slackware
read-only
#Linux bootable partition config ends

6. Reinstall lilo by running command:
#lilo -v

7. Restart your machine. Wait and see if all of our system init is working normally and not shows you Kernel panic!!! message.

8. Download the new svgalib_helper package, recompile it for this new kernel subversion, then do install.
#installpkg svgalib_helper-1.9.2_2.6.27.31.tgz

9. Reinstall your 3D graphic drivers. It will be better if you have the latest version.

NB. If you find an error related to alsa sound, so it’s need to be reconfigure. Run this command:
#alsaconf
Next:
#alsamixer
Finally:
#alsactl store

Understanding Linux File Permissions

Posted in Operating System with tags , on May 8, 2009 by muhrizky

This post will explain the concept of file permissions so we can get more understanding and after that I will give an instruction to modify it. Operating systems have more than one type of accounts where every single of account can be a member from one or more groups. I will describe this by a simple example. Bob is a single person that in this case Bob is an accounts, but Bob also a members of graduate student from local University and he work as a journalist. This two society members called as a groups in terms of operating systems. There are very lot of groups in Linux that can be build and assign depends on the system services. By this post, I will take only two of Linux default groups that will often needs to modify which are root and users groups.

terminal

The third and fourth column above told us about accounts owner and groups. As we can see file notepad is belong to muhrizky from users group.

Below is the command line syntax to take file ownership:
chown owner[.group] file

In case to change the file notepad ownership into root for example, you can execute:
#chown root.root notepad.txt

I will continue about permissions in more details. The first column from the image above is the specific file and directory permissions applied, where the first character show the type of object which are:

– for files
d for directories
l for file/directory symbolic links
c for character objects
b for block of objects
n for network objects

The next three sets of character defines an access permissions:

r for read
w for write
x for execute

So the file notepad have it’s permissions to read and write for the owner, read-only for users group members, and also for everyone else.

This is the command line format to change file or directory permissions:
chmod mode file

Where specific format for mode are:
[ugoa][+-=][rwx]

The first character bracket for mode defines as:

u for users
g for group
o for everyone else
a for All

The second bracket is a symbolic characters that can be modify to your needs whether to add (+), remove (-), or assign (=) permission.

Finally, the third bracket is to set access for read (r), write (w), or execute (x).

For example to modify notepad so it can be write by everyone, we can type:
$chmod a+w notepad

Besides doing that procedure, you can also modify file or directory by referring that to an octal codes for permissions. The codes are:

0 for no permissions
1 for execute-only
2 for write-only
3 for write and execute
4 for read-only
5 for read & execute
6 for read & write
7 for read, write & execute

In order to change the file permission into full-access for the owner, read-only for group, and also read-only access to everyone, you can type:
$chmod 744 notepad

How-To Install Gnome Slackbuilds on Slackware 12.2

Posted in Operating System with tags , , on April 8, 2009 by muhrizky

Gnome is one of the largest desktop environment besides KDE and Xfce that has dropped since the release of Slackware 10.2. According to the old 10.2 changelogs, Gnome Slackbuilds (gsb) is recommended to be the replacement of Gnome packages deployment because it has the minimal interference with Slackware base systems. With this post, I will give an instruction about how-to deploy gsb on Slackware 12.2 which at this time the packages itself are still on the development stages.

First, I must inform that gsb-packages size is large (approx. 1 GB) so I really recommend you to download all of the packages and place it inside your local hard drive. You can grab these stuff from the links below:

Next you need to remove Seamonkey application by using pkgtool. Stop. What is Seamonkey and why should I remove it? Seamonkey is a Mozilla-based suite browser that should be remove to avoid engine conflict with Firefox. Alright, now what is pkgtool and why should I used it? pkgtool is a text-based interface integrated into Slackware distribution, so every users can reconfigure the Slackware installation on their machines. But if you prefer removepkg command, so run it.

Next we need to install slapt-get from our local repositories. But before the installation, we need to make sure that the dependencies is already installed on your computer. The deps are: curl, glibc-solibs, gpgme, libgpg-error, libidn, and openssl-solibs. Once again i recommend you to use pkgtool. After the deps are completely installed, change your current working directory into where you put the repos path with slapt-get executable script. In case you do not know where exactly the script is located, search it by run this following command as root:

#find / -name slapt-get-*.tgz

After finds it, change the working directory and install slapt-get utility by running this command:

#upgradepkg --install-new slapt-get-*.tgz

Next find the slapt-getrc script and edit it by using your favorite text editor. For this time i use nano editor:

#nano /etc/slapt-get/slapt-getrc

I will separate this editing section into 2 parts. First, make sure there are 2 commenting lines that wrote:

# Working directory for local storage/cache
WORKINGDIR=/var/slapt-get
# Exclude package names and expressions
EXCLUDE=^kernel-.*,^glibc.*,.*-[0-9]+dl$,^devs$,^udev$,aaa_elflibs,x86_64

After we sure that the lines are in there and exactly the same as I type above, including every single wildcards, next for the second parts we must do is to add your local repositories into the lines below:

# Use a local path to a Slackware/GSB/other repo
#SOURCE=file:///path/to/repo/slackware/slackware-12.1/
SOURCE=file:///usr/local/src/gsb-current/

# Use a local mounted CDROM
SOURCE=file:///mnt/cdrom/

The first line section here told us whether to use Slackware installation media by link it to the ftp or http server. In this case you must modify the second line into:

SOURCE=ftp:///path/to/repo/slackware/slackware-12.2/

Or directly we can also use Slackware local media CD/DVD installation as same as I do with the script. Just don’t forget to mount your CD/DVD removable media by running this command as root:

#mount -t iso9660 /dev/cdrom /mnt/cdrom

Finish? Absolutely Not. But if you got frustrated now, smack your keyboard, but after that keep concentrate on learning. I already broke 2 of my keyboards since i learn Linux back at year 2003. Ok now i will continue and remember to keep your concentration.

Next slapt-get command will check for repositories packages that you had download into your local hard drive:

#slapt-get -c /etc/slapt-get/slapt-getrc --update

If there wasn’t any error in the process, we can continue to install the gsb-main packages into your machine:

#slapt-get -c /etc/slapt-get/slapt-getrc -y --retry 10 --upgrade

Here i can assume the installation will run correctly only if you successfully completed the previous local repos check process. Now it is time to deploy the complete gsb packages:

#slapt-get -c /etc/slapt-get/slapt-getrc -y --retry 10 --install gsb-complete

After all of this time consuming installation is completed, reboot your system Now.

Soon as you back to text-based Slackware login, run the X Window initialization as root:

#xwmconfig

From the selection screen, choose Gnome or Compiz-Gnome to run in case if your hardware, especially your video card with recent driver, is good enough. Exit the utility.

Finally, we can execute startx like usually we do to run the X Window environment.

Enjoy your new Gnome desktop environment.

Brief Explanation on Linux Login Screens and How-To Change It

Posted in Operating System with tags , on February 22, 2009 by muhrizky

As we can see now, there are two types of login screen in Linux based machines.
What’s the meaning of login screen? I believe that to understand a thing, we must first understand the terms. Login screen is something that appears on the screen after system initialization. On Windows® machine login screen called as Welcome screen.
Basically on the Unix systems, there is only one type of login screen: text based login. But in the modern Linux (which was build from Unix to Minix) we know that there are two types of login screen.

img1. Graphical login screen

Fig.1. Graphical login screen

Fig.2. Text-based login screen

Fig.2. Text-based login screen

For anybody who prefer a “simplified” Linux distribution likes Fedora, Mandriva, OpenSUSE, and Ubuntu means that when the system loads, it will show you a graphical login screen similar to the Windows® environment. But there is also another type of distribution which serve a text-based login screen like on the Berkeley Software Distribution (BSD) family or Slackware Linux. Now for the practice, we can modify the boot screen by editing the /etc/inittab as root by using any favorite text editor, for example vi or vim, pico, and nano. Inside the script, find the line wrote id:3:initdefault and change the number 3 into:

0 = halt
1 = single user mode
2 = unused (but configured the same as runlevel 3)
3 = multiuser mode (default Slackware runlevel)
4 = X11 with KDM/GDM/XDM (session managers)
5 = unused (but configured the same as runlevel 3)
6 = reboot

The runlevel maybe different on your machine, so you must read also inside the preconfigured inittab script. Reboot the system then and see your modified login screen. Curious about how exactly Linux runs its boot sequence? I found a links that will explain you in clearly how the boot process runs from computer Basic Input-Output System (BIOS) initialization until the login screen appear. In my opinion, this kind of article will give everyone a clear understanding so I demand you to read it at IBM DeveloperWorks: Slackware Linux 101

How-To Install VirtualBox on Slackware 12.2

Posted in Operating System with tags , , on December 30, 2008 by muhrizky

VirtualBox is a virtualization software from Sun Microsystems. In easy words, it means that we can run one or more operating systems inside one machine. This notes will guide you to deploy VirtualBox on a Slackware 12.2 machine.

1. First, you need to prepare all package dependencies for VirtualBox, which are:

  • icu4c
  • xerces-c
  • xalan
  • acpica
  • libatomic_ops
  • libsamplerate
  • libsnd
  • pulseaudio

You can get all of this packages from SlackBuilds so it can be more simple and centralized. We also need to learn how-to compile the source with help of pre-defined SlackBuilds scripts by reading their documentation.

2.1. Get the appropriate installer from VirtualBox that we need to execute on Slackware platform. Looks for the one with .run file extention.

2.2. You can also grab VirtualBox OSE packages from SlackBuilds. This is including virtualbox-ose and virtualbox-kernel. Then compile and execute them in the same way as you did on previous packages dependencies. Read the instructions carefully. If you choose this method for installation, after this you can skip directly to step sixth.

Note: According to VirtualBox sites, they mention about Qt4 as another dependencies. So here you can compile Qt4 before virtualbox-ose, but this is optional. Warning!!! It tooks so long to compile Qt4. I do that for two and a half hour on my machine with Pentium D 805, 4 Gigs DDR-II, and SATA-AHCI.

3. Third, modify the installer permissions by running this command as root:

#chmod 755 VirtualBox-xxx-xxxxx-Linux_xxx.run

This will assign permissions so that only root can modify the installer and the others group can only read and execute.

4. Run the installer as root:

#./VirtualBox-xxx-xxxxx-Linux_xxx.run

5. Next, we need to create a symbolic link from a specific file:

#ln -s /lib/libcap.so.x.xx /lib/libcap.so.1

This fifth step is a problem that i discover from kernel message. But until this notes was published, i still don’t know from where this problem arise.

6. Sixth, insert your user account into vboxusers group:

#usermod -a -G vboxusers username

Here you can also use KUser an X application from KDE environment.

7. Seventh, assume everything is working well, we can find the VirtualBox launcher from KMenu>>System>>Sun xVM VirtualBox.

Finally, don’t forget to read the User Manual for instruction guides which locates at /opt/VirtualBox-xxx/