Lana4408's Weblog

Virus Conficker April 1st? is this new or what ?

lana4408 — Wed, 08 Apr 2009 16:40:03 +0000

I have NOD32 on my Windows XP, in this day i have three times that conficker running his schedule task and my AV running his popup window that tell me this virus has deleted from his task.
Very disgusting don’t you ? so i have try to find how to remove it forever.

Try to search with google web searcher and i found this link Worried about the Conficker worm threat from April 1st? A few simple steps can protect you.
If you’re still worried about the Conficker threat from April 1st, here is some additional information. On April 1st the Conficker worm was potentially going to take steps to protect itself. Beginning on April 1st, the worm would have used a communications system that would have been more difficult for security researchers to interrupt.
The Conficker worm, sometimes called Downadup or Kido has managed to infect a large number of computers. Specifics are hard to come by, but some researchers estimate that millions of computers have been infected with this threat since January. In that case you will need to get to a computer that is not infected, download a specialized Conficker removal tool and run it on the infected machine before installing new antivirus software. Symantec has a detailed technical analysis of the threat here.

What does the Conficker worm do?
The Conficker worm has created secure infrastructure for cybercrime. The worm allows its creators to remotely install software on infected machines. What will that software do? We don’t know. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send SPAM, steal IDs and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

How does the worm infect a computer?
The Downadup worm tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

Who is at risk?
Users whose computers are not configured to receive patches and updates from Microsoft and who are not running an up to date antivirus product are most at risk. Users who do not have a genuine version of Windows from Microsoft are most at risk since pirated system usually cannot get Microsoft updates and patches.

What to do if you are infected
If you are reading this page, your computer is probably not infected with Conficker as the worm blocks access to most security web sites.

If you have a computer that is infected, you will need to use an uninfected computer to download a specialized Conficker removal tool.

Advice to Stay Safe from the Downadup Worm:

1. Run a good security suite.
2. Keep your computer updated with the latest patches. If you don’t know how to do this, have someone help you set your system to update itself.
3. Don’t use “free” security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their “full” service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.
4. Turn off the “autorun” feature that will automatically run programs found on memory sticks and other USB devices.
5. Be smart with your passwords. This includes

1. Change your passwords periodically
2. Use complex passwords – no simple names or words, use special characters and numbers
3. Using a separate, longer password for each site that has sensitive personal information or access to your bank accounts or credit cards.

6. Use a passwords management system

Setup Transparent Squid Proxy Server in Ubuntu

lana4408 — Mon, 02 Mar 2009 18:10:44 +0000

Squid is a fully-featured HTTP/1.0 proxy which is almost (but not quite – we’re getting there!) HTTP/1.1 compliant. Squid offers a rich access control, authorization and logging environment to develop web proxy and content serving applications.

This is a short guide on how to set up a transparent squid proxy server. Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator.

Install Squid

Install squid and squid-common
sudo aptitude install squid squid-common
Edit the squid config file.
sudo vi /etc/squid/squid.conf
Set the allowed hosts.
acl internal_network src 192.168.0.0/24 (Where 192.168.0.0/24 is your IP range.)http_access allow internal_network

Set the correct permissions.

sudo chown -R proxy:proxy /var/log/squid/ sudo chown proxy:proxy /etc/squid/squid.conf

You will need to restart squid for the changes to take affect.
sudo /etc/init.d/squid restart

Now open up your browser and set your proxy to point to your new squid server on port 3128

Authentication

If you wish to use authentication with your proxy you will need to install apache2 utilities

sudo aptitude install squid squid-common apache2-utils

To add your first user you will need to specify -c
sudo htpasswd -c /etc/squid.passwd first_user

Thereafter you add new users with

sudo htpasswd /etc/squid.passwd another_user

Edit the squid config file
sudo vi /etc/squid/squid.conf
Set the the authentication parameters and the acl

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid.passwd auth_param basic children 5 auth_param basic realm NFYE Squid proxy-caching web server auth_param basic credentialsttl 3 hours auth_param basic casesensitive off

acl users proxy_auth REQUIRED

acl sectionx proxy_auth REQUIRED

http_access allow users

So this is what your squid.conf should look like.
acl all src 0.0.0.0/0.0.0.0 aclinternal_networksrc 192.168.0.0/24 acl users proxy_auth REQUIRED acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 # https, snews acl SSL_ports port 873 # rsync acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 631 # cups acl Safe_ports port 873 # rsync acl Safe_ports port 901 # SWAT acl sectionx proxy_auth REQUIRED acl purge method PURGE acl CONNECT method CONNECT

http_access allow manager localhost
http_access allow users
http_access allow internal_networkhttp_access deny manager http_access allow purge localhost http_access deny purge http_access deny !Safe_ports http_access deny CONNECT !SSL_ports http_access allow localhost http_access deny all http_reply_access allow all icp_access allow all

Redirect the all HTTP traffic.

If you would like to redirect the all HTTP traffic through the proxy without needing to set up a proxy manually in all your applications you will need to add some rules
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp--dport 80 -j DNAT --to-destination 192.168.0.1:3128
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp –dport 80 -j REDIRECT --to-ports 3128

Where eth1,eth0 are the LAN, WAN devices and 192.168.0.1 is the IP address of your LAN device.

If you wish to monitor the performance of your proxy you can look as some log parser’s (sarg, calamaris, ect.)

Source from here

Shorewall Configuration in Debian

lana4408 — Mon, 02 Mar 2009 11:09:12 +0000

What is Shorewall?

The Shoreline Firewall, more commonly known as “Shorewall”, is a high-level tool for configuring Netfilter. You describe your firewall/gateway requirements using entries in a set of configuration files. Shorewall reads those configuration files and with the help of the iptables utility, Shorewall configures Netfilter to match your requirements. Shorewall can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system. Shorewall does not use Netfilter’s ipchains compatibility mode and can thus take advantage of Netfilter’s connection state tracking capabilities.

Download, Features and Documentation Shorewall

http://www.shorewall.net/

Note:- Before installing shorewall we need to uninstall “ipchains” if you installed in your machine by running this command

# apt-get remove ipchains

Install shorewall in Debian

#apt-get install shorewall

At this point apt may tell you it has to install a couple extra supporting package along with shorewall. This is normal and you should accept the prompt to allow it to install everything.

You probably noticed a warning message at the end of the Shorewall installation telling you the program will not start unless you change the /etc/default/shorewall file.You can do this in following way

# vi /etc/default/shorewall

Now simply change

startup = 0

startup = 1

save, and exit.

Shorewall configuration files are stored in two separate places

/etc/shorewall stores all the program configuration files.

/usr/share/shorewall stores supporting files and action files.

Configuring Shorewall in Debian

If you want to configure shorewall you need to copy the sample configuration file from
/usr/share/doc/shorewall/default-config.You can do this by the following command

#cp /usr/share/doc/shorewall/default-config/* /etc/shorewall/

Now you have configuration files located at /etc/shorewall

Zones Configuration

First edit the zones file to specify the different network zones, these are just labels that you will use in the other files. Consider the Internet as one zone, and a private network as another zone. If you have this then the zones file would look like this:

#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Private net

There is another zone that is not put in this zones file, called the “firewall zone” or “fw”. This is already defined in /etc/shorewall.conf

If you want more information about Zones check here

Interfaces Configuration

The next file to edit is the interfaces file to specify the interfaces on your machine. Here you will connect the zones that you defined in the previous step with an actual interface. The third field is the broadcast address for the network attached to the interface (“detect” will figure this out for you). Finally the last fields are options for the interface. The options listed below are a good starting point,

net eth0 detect routefilter,norfc1918,logmartians,nosmurfs,tcpflags,blacklist
loc eth1 detect tcpflags

If you want more information about interfaces check here

Policy Configuration

The next file defines your firewall default policy. The default policy is used if no other rules apply. Often you will set the default policy to REJECT or DROP as the default, and then configure specifically what ports/services are allowed in the next step, and any that you do not configure are by default rejected or dropped according to this policy. An example policy (based on the zones and interfaces we used above) would be:

fw net ACCEPT
fw loc ACCEPT
net all DROP info
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info

This policy says: by default accept any traffic originating from the machine (fw) to the internet and to the local network. Anything that comes in from the internet destined to either the machine or the local network should be dropped and logged to the syslog level “info”. The last line closes everything else off, and probably wont ever be touched. Note: DROP rules are dropped quietly, and REJECTs send something back letting the originator know they’ve been rejected.

If you want more information about policy check here

Rules Configuration

The most important file is the rules. This is where you set what is allowed or not. Any new connection that comes into your firewall passes over these rules, if none of these apply, then the default policy will apply. Note: This is only for new connections, existing connections are automatically accepted. The comments in the file give you a good idea of how things work, but the following will provided an example that can give you a head-start:

#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
ACCEPT net fw icmp 8
ACCEPT fw net icmp
ACCEPT net fw tcp ssh,www,https,smtp,pop3,pop3s,imap2,imaps,submission
ACCEPT net fw udp https
ACCEPT net:216.162.217.194 fw tcp munin

This example can be written in long-hand as, “Accept any pings (icmp) from the internet to the machine, accept any tcp connections from the internet that are on any of the ports referenced in /etc/services for the services
ssh(22),www(80),https(443), etc. Also accept from the internet the udp connections to https(443). While you are at it, accept only tcp connections from the IP 216.162.217.194 coming from the internet to the munin port (1040).

If you want more information about rules check here

Now you need to restart your shorewall to take your new changes effect by running this command

#/etc/init.d/shorewall start

If there was a syntax error in your configuration you will get an error saying so and you should have a read of
/var/log/shorewall-init.log to figure out why.

If everything does start up, you should make sure that you aren’t blocking something that you don’t mean to, you can do that by looking at your firewall logs.

If you want to know more about the shorewall log files click here

Shorewall Web interface or GUI tool

We have a webmin interface for shorewall to configure through GUI.You can download from here.

http://www.webmin.com/download/modules/shorewall.wbm.gz

If you want to configure shorewall through webmin interface click here

References

http://www.cyberdogtech.com/firewalls/firewall/

DHCP Server using Slackware

lana4408 — Mon, 02 Mar 2009 11:07:32 +0000

The Dynamic Host Configuration Protocol (DHCP) allows you to specify network parameters on a server and have client computers query the server for their information such as IP, netmask, gateway, DNS, etc. In addition to not having to statically assign network information to numerous clients, you also do not need to specify the IP of the DHCP server as this discovery is done via broadcast packets; the caveat to this is that you must have one DHCP server per broadcast domain. In case it’s not blatantly obvious, the power of DHCP is that if anything changes on your network such as the IP of a DNS server, you only need to edit one configuration file even if you have hundreds of clients.

The DHCP server I am using is called ‘dhcpd’ (oddly enough) and my current version is dhcp-3.0pl2-i386-1. This howto is not meant to be in-depth but rather just a general overview of some of the common features for the dhcpd server. If you need to do more esoteric configurations please man dhcpd.conf for detailed information.

The following is a common dhcpd.conf file. Below I will dissect this file and explain what each line does. Keeping with the convention of my other Linux Answers, all computer-specific information will be highlighted in blue and will most likely need to be changed.

code:

ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0
{
       range 192.168.1.100 192.168.1.200;
       option subnet-mask 255.255.255.0;
       option broadcast-address 192.168.1.255;
       option domain-name-servers 123.123.123.10, 123.123.123.20;
       option routers 192.168.1.1;

       host slackbox
       {
               hardware ethernet 00:50:AB:AB:AB:AB;
               fixed-address 192.168.1.7;
       }

       host winbox
       {
               hardware ethernet 00:06:CD:CD:CD:CD;
               fixed-address 192.168.1.8;
       }
}

The first thing we need to do is set a Dynamic DNS update style. Since DynDNS is beyond the scope of this howto, I am going to set the style to none but if this is something you want to do, then the man pages have tons of info on it.

Code:

ddns-update-style none;

Next we must specify what subnet and netmask we will be working on. Note that you can have many subnet configurations within the single dhcpd.conf file. Each subnet group is bound together by curly braces { }

Code:

subnet 192.168.1.0 netmask 255.255.255.0

Note that every command from here on will only pertain to the subnet specified above. This will be true until we reach the closing curly brace } as noted above.

Now we will specify what range of IP addresses we want to be made available for clients using DHCP. This option is very handy when used in conjunction with a firewall because you know exactly what IP addresses came from a client using DHCP and you can exercise restrictions upon them as necessary.

Code:

range 192.168.1.100 192.168.1.200;

This next line is going to look a bit redundant because we are setting the netmask again even though we set it in the subnet declaration above, but it’s recommended in the man pages so we are going to do it.

Code:

option subnet-mask 255.255.255.0;

Next we specify the broadcast address for our subnet. This address always ends in 255

Code:

option broadcast-address 192.168.1.255;

We will definitely want to tell our clients what servers to use for DNS in order to resolve hostnames to IP addresses

Code:

option domain-name-servers 123.123.123.10, 123.123.123.20;

The next option tells our clients what IP address to use for their gateway. This IP address generally ends in .1 but does not have to. The box with this IP should be configured as a router and be able to forward packets accordingly.

Code:

option routers 192.168.1.1;

If you wanted you could stop here but I thought I would show you a cool little feature that I like to use. Even though DHCP gives out IP address dynamically, it also has the ability to reserve an IP address for a certain computer. In this sense it’s almost as if the client computer has a static IP even though it uses DHCP to get it. This is useful if you want to be able to put entries in your /etc/hosts file and not have to worry about the entry becoming invalid over time.

The first thing we must do is to specify a name for the computer as a helpful identifier

Code:

host slackbox

Note that similarly to the subnet grouping, we are now starting a sub-group as seen by the addition of the curly braces. This allows us to have multiple host definitions within one subnet group.

This next line is what allows us to uniquely identify one computer from another. The hardware ethernet address is the same as the MAC address. This information can be found by running the command ifconfig | grep HWaddr on a client computer for linux and ipconfig /all for a client computer running windows.

Code:

hardware ethernet 00:50:AB:AB:AB:AB;

And finally this next line tells the dhcpd server what IP address you always want to be assigned to this computer. Note that I intentionally make all IP’s assigned this way outside of the DHCP range we specified earlier. This is not a must as the dhcp server is smart enough to not give out two IP’s simultaneously but it helps in being able to quickly recognize which clients used this feature.

Code:

fixed-address 192.168.1.7;

This concludes this DHCP howto. As an added bonus I have included the init script I made for my Slackware box, however this script should work on many other distros. Please make sure you edit the 4 configuration options between the hashmark lines accordingly.

Code:

#!/bin/sh
#
# /etc/rc.d/rc.dhcpd
#
# Start/stop/restart the DHCP daemon.
#
# To make dhcpd start automatically at boot, make this
# file executable:  chmod 755 /etc/rc.d/rc.dhcpd
#
#############################################

CONFIGFILE="/etc/dhcpd.conf"
LEASEFILE="/var/state/dhcp/dhcpd.leases"
INTERFACES="eth1"
OPTIONS="-q"

#############################################

dhcpd_start() {
 if [ -x /usr/sbin/dhcpd -a -r $CONFIGFILE ]; then
   echo "Starting DHCPD..."
    /usr/sbin/dhcpd -cf $CONFIGFILE -lf $LEASEFILE $OPTIONS $INTERFACES
#     /usr/sbin/dhcpd -q $INTERFACES
 fi
}

dhcpd_stop() {
 killall dhcpd
}

dhcpd_restart() {
 dhcpd_stop
 sleep 2
 dhcpd_start
}

case "$1" in
'start')
 dhcpd_start
 ;;
'stop')
 dhcpd_stop
 ;;
'restart')
 dhcpd_restart
 ;;
*)
 # Default is "start", for backwards compatibility with previous
 # Slackware versions.  This may change to a 'usage' error someday.
 dhcpd_start
esac

To start up your brand new dhcpd server simply run the command

Code:

/etc/rc.d/rc.dhcpd start

Setup a Linux VPN Server

lana4408 — Mon, 02 Mar 2009 11:04:10 +0000

I am assuming you are using a Redhat or Redhat-like distribution. Some of these packages can be grabbed via yum. However, I’m going to have you install them via RPM as you cannot get all of them via yum. If you are not, you will need to get the proper packages. For Debian you can use aptget or search for the .deb. For SuSe you can use Yast or find the distro specific RPMs.

1) Install the DKMS package

rpm –install dkms-1.12-2.noarch.rpm

http://prdownloads.sourceforge.net/poptop/dkms-1.12-2.noarch.rpm

This is dynamic kernel module support. You need this to simplify setup and configuration at the kernel level. This will make almost everything transparent to the user during setup.

2) Install the ppp kernel module

rpm –install kernel_ppp_mppe-0.0.4-2dkms.noarch.rpm

http://prdownloads.sourceforge.net/poptop/kernel_ppp_mppe-0.0.4-2dkms.noarch.rpm

Point to Point Protocol to setup your “modem” or whatever your connection consists of. This is the portion for your kernel.

3) Make sure ppp is working

modprobe ppp-compress-18 && echo James Garvin has saved me from a life of Windows

Ok, so that is a bit of fun, but what does that command mean? Well, if on success of the modprobe command, I execute the echo command. Modprobe adds the module to the Linux kernel, while echo simply writes what ever you say back to the terminal.

4) Upgrade ppp

rpm –upgrade ppp-2.4.3-0.cvs_20040527.4.fc2.i386.rpm

http://prdownloads.sourceforge.net/poptop/ppp-2.4.3-0.cvs_20040527.4.fc2.i386.rpm

This is the ppp for the user. The kernel module for ppp has been installed and this is for the user.

5) Get the PPTP client

rpm –install pptp-linux-1.5.0-1.i386.rpm

http://prdownloads.sourceforge.net/pptpclient/pptp-linux-1.5.0-1.i386.rpm

This is the “VPN Client,” so to speak. This is the GUI client in which you can setup VPN connections and various options.

6) Get phppcntl

rpm –install Getphp-pcntl php-pcntl-4.3.8-1.i386.rpm

http://prdownloads.sourceforge.net/pptpclient/php-pcntl-4.3.8-1.i386.rpm

This is to help the GUI work.

7) Get the phpgtkmodule

rpm –install php-gtk-pcntl-1.0.0-2.i386.rpm

http://prdownloads.sourceforge.net/pptpclient/php-gtk-pcntl-1.0.0-2.i386.rpm

This file also helps make the GUI work.

8) Get pptpconfig installed

rpm –install pptpconfig-20040722-0.noarch.rpm

http://prdownloads.sourceforge.net/pptpclient/pptpconfig-20040722-0.noarch.rpm

This command installs the Point to Point Tunneling Protocol. This is so the VPN can actually create the tunnel from A to B. VPNs can use two protocols, L2TP and PPTP. L2TP is Layer 2 Tunneling Protocol and does just what it says. It works at Layer 2 in the OSI model, the Data Link Layer.

9) Now at the command line type

pptpconfig

This command will popup a spiffy GUI for you to use.

Figure A

The spiffy pptconfig GUI

10) Configure your connection

In the Server Tab we need to configure some basics:

Name: The name of the connection. You can call it anything you want
Server: The server you are connecting to, either the IP or name of the server. eg: 64.233.187.99 or google.com
Domain: A domain, if any, that the VPN is connecting to
Username: Your login username for the VPN or the intranet
Password: The login password for the VPN or the intranet

In the Routing Tab we need to make sure it is setup properly. Typically we need to send All to Tunnel.However, this can and will vary from VPN to VPN. Check with you local administrator on what radio button you need to choose.

The DNS Tab is usually quite simple; it will be either automatic, or we will have to enter some basic DNS information and any optionswe may need to include.

The Encryption Tab is a sticky point. We have a number of choices:

Require Microsoft PointtoPoint Encryption
Refuse 40bit Encryption
Refuse 128bit Encryption
Refuse Stateless Encryption
Refuse to Authenticate with EAP

You need to talk to your administrator and understand what your VPN requires. A typical setup will check box Require Microsoft PointtoPoint Encryption (for MS VPNS), Refuse 40bit Encryption, and Refuse Stateless Encryption. However, talk to your administrator to be sure.

The Miscellaneous Tab is our final tab. We shouldn’t have anything to do here. The default setup should work just fine in many cases.

We now click the Addbutton and highlight our new connection and choose Start. We have now created a VPN connection to a remote host! Congratulations for using Linux and sticking with a slightly frustrating task.

From article : By James M. Garvin