Version

• Requires 2.x
• freeradius2-2.1.12-5.el5

1
2
3
4
5
6
7
8

#centos 5.x (must specify freeradius2 otherwrite 1.1.x will be installed)
yum install freeradius2 freeradius2-utils

#centos 6.x (2.x branch is default)
yum install freeradius freeradius-utils

# ubuntu
apt-get install freeradius freeradius-utils

Reason

• To allow an offsite vendor control of radius, but limit their ability to supply bad radius attribuites.
• MAIN issue: ”’Protect your network”’ from disallowing the vendor to supply a misconfigured ”’FRAMED-IP-ADDRESS”’ and/or ”’FRAMED-ROUTE”’ that could be injected into OSPF or whatever routing protocol you might use.

This is accomplished with the rlm_attr_filter FreeRADIUS Module

The rlm_attr_filter module exists for filtering certain attributes and values in received ( or transmitted ) radius packets. It gives the server a flexible framework to filter the attributes we send to or receive from home servers or NASes. This makes sense, for example, in an out-sourced dialup situation to various policy decisions, such as restricting a client to certain ranges of Idle-Timeout or Session-Timeout.

Config files

• Vendor Name: ”’rarforge.com”’ (we’ll use that for the realm)
• Allowed Framed-IP-Address: ”’10.0.0.x”’ and ”’192.168.5.x”’
• Allowed Framed-Netmask: ”’255.255.255.255”’
• Allowed Framed-Route: ”’NONE”’
• Framed-Filter-ID: ”’NONE”’ – login will fail if access-list doesn’t exist.

/etc/raddb/clients.conf

• Update your clients secret - for now we will just be testing from localhost.

1
2
3
4
5

client localhost {
...
secret = badsecret
...
}

This example works for anyone running ISC BIND

dns attack isc.org any query

I normally do not work with windows too much, but being on call this week I ended up having to fix a problem on a Windows 2008 server. I didn’t find any documentation online, so I figured I’d add this post.

For anyone running Parallels Plesk (unknown version, but I know our web admin always keeps these up to date) make sure you lock down your ISC BIND instance. If not, you will probably run into a DNS amplification attack which will cause named.exe to used ALL your memory and probably even crash.

2013-04-22 Update: Plesk was set to only allow localnets recursion, however the built in localnets acl seems to be broken.

"localnets" - matches all the IP address(es) and subnetmasks of the server on which BIND is running. For example, if the server has a single interface with an IP address of 192.168.2.3 and a netmask of 255.255.255.0 (or 192.168.2.2/24) then localnets will match 192.168.2.0 to 192.168.2.255 and 127.0.0.1 (the loopback is always present and has a single address, that is a netmask of 255.255.255.255). Some systems do not provide a way to determine the prefix lengths of local IPv6 addresses. In such a case, localnets only matches the local IP addresses, just like localhost though in this case it will apply to external and internal (same host) requests.

Are you affected?

tcpdump:

1

12:28:00.121351 IP x.x.x.x.19135 > x.x.x.x.53: 10809+ [1au] ANY? isc.org. (36)

bind logs:

1
2
3
4
5

12:28:00.643 client x.x.x.x#49046: query: isc.org IN ANY +ED (x.x.x.x)
12:28:00.644 client x.x.x.x#25135: query: isc.org IN ANY +ED (x.x.x.x)
12:28:00.645 client x.x.x.x#19771: query: isc.org IN ANY +ED (x.x.x.x)
12:28:00.646 client x.x.x.x#44031: query: isc.org IN ANY +ED (x.x.x.x)
12:28:00.647 client x.x.x.x#31518: query: isc.org IN ANY +ED (x.x.x.x)

I finally gave up on wordpress and switched to octopress. I wanted something simple and clean. There are so many other reasons, but it’s the weekend and I don’t feel like working.

I also rolled out a wiki recently which I started to use a month ago. It will probably have more detailed information about the posts here.

Some of the errors I ran into

• DISPLAY is not set
• Failed to allocate internet-domain X11 display socket
• X11 forwarding request failed on channel 0

1) Make sure you have the X11forwarding enabled.

Server: /etc/ssh/sshd_config

1
2
3

X11Forwarding yes
X11DisplayOffset 10
AllowTcpForwarding yes`

Solution: bash alias - alias ssh="( ssh-add -l > /dev/null || ssh-add ) && ssh"

Normally one would put this in their ~/.bash_profile. However with Ubuntu 11.10, at least with my install,~/.bash_profile is not included. The file to add this line to is:

~/.bash_aliases

1

alias ssh="( ssh-add -l > /dev/null || ssh-add ) && ssh"

More Info: Ubuntu does state if ~/.bash_profile does exists, then ~/.profile will not be read, so I am using what has been setup to work by default.

These changes are stilled needed as of Linux 3.0.0-17. The driver in use is iwlagn and I have seen other posts using the iwlwifi driver (untested).

Turn off Power Managment for wireless
Info: This should already be off when using AC, however we will want to turn this feature off for battery use.

To check you status run the command below and look for Power Management
- check this output on AC and Battery to verify it’s off.

info: : slow ssh authentication, pings slow/timeout when using fqdn

issue: SSH just sits here for a while when trying to connect.

1
2
3

strace ssh myhostname ...
write(5, "RESOLVE-ADDRESS 192.168.1.1n", 27) = 27
...

Reason: mdns listed in nsswitch.conf doesn’t allow reverse dns to return failure immeditately when DNS lookup return NXDOMAIN.

Resolution: modify /etc/nsswitch.conf

1
2

- hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
  hosts: files mdns4_minimal [NOTFOUND=return] dns [NOTFOUND=return] mdns4

Here is a good XBMC stable and unstable/nightly PPA for Ubuntu 11.04 or 11.10

https://launchpad.net/~nathan-renniewaldock/ archive/xbmc-stable

https://launchpad.net/~nathan-renniewaldock/ archive/xbmc-nightly

Quick guide how to use VINO server and install x11vnc…

1
2
3
4

sudo apt-get purge vino
sudo killall -9 vino-server
sudo apt-get install x11vnc
x11vnc -storepasswd

• edit file /etc/gdm/custom.conf

1
2

## add right below [daemon]
KillInitClients=false`

• edit file /etc/gdm//Init/Default

1
2

# add right before the end of the file "exit 0"
/usr/bin/x11vnc -rfbauth  -o /var/log/x11vnc.log -shared -forever -bg -rfbport 5900`

First of all. This is for a Asus P5Q-EM motherboard with Intel G45 onboard. This doc could work for others, but of course I have no clue!

You can verify the hardware first by running :  aplay -l

1
2
3
4
5
6
7
8
9
10
11

 aplay -l
**** List of PLAYBACK Hardware Devices ****
card 0: Intel [HDA Intel], device 0: ALC1200 Analog [ALC1200 Analog]
Subdevices: 1/1
Subdevice #0: subdevice #0
card 0: Intel [HDA Intel], device 1: ALC1200 Digital [ALC1200 Digital]
Subdevices: 1/1
Subdevice #0: subdevice #0
card 0: Intel [HDA Intel], device 3: INTEL HDMI 0 [INTEL HDMI 0]
Subdevices: 0/1
Subdevice #0: subdevice #0