Category: Linux

Hacking the Linksys WRT54G

Hacking the Linksys WRT54G

Recently, my Dad purchased the Linksys WRT54G. If you follow tech news, you probably know that more or less, the device (as well as at least one other Linksys device) was hacked.

All that I have so far is a couple of links, here they are:

Seattle Wireless
Shaneo
I-hacked article (good)
Openwrt
Hyperwrt
Wifi-Box
Ewrt
Sveasoft

The last one looks the most promising.

I’ll be working on this over spring break (next week), so keep an eye out for a little ‘howto’ on this.

Later,
Jon Howe

Howto: Kernel Building in Debian Sarge (3.1)

Howto: Kernel Building in Debian Sarge (3.1)

I’ve tried and tried to build my own custom kernel over the past year or so, usually only to stop in frustration because of some small part of the process not working.

This is all different now.

I found out that using the took make-kpkg makes things way easier. In fact I configured, compiled, and installed kernel 2.6.15 in about 30 minutes including the time that it took me to build it.

Here’s the process that I followed to achieve this:

  1. Get required packages apt-get install libncurses5-dev fakeroot bzip2 kernel-package
  2. Get latest kernel package from Kernel.org. The latest one at the time of this post is linux-2.6.15.tar.bz2.
  3. Decompress the kernel archive (tar -xjvf linux-2.6.15.tar.bz2)
  4. Start the kernel configuration tool (make menuconfig)
  5. I should mention that it was way easier for me to load my existing kernel configuration, which was located at /boot/config-(kernel version here).

  6. make-kpkg clean
  7. fakeroot make-kpkg –initrd –revision=myfirstkernelbuild_v.0.1 kernel_image
  8. This runs make-kpkg as root, while making it so that initrd can load the kernekl. –revision is just the revision of the kernel, and kernel_image is just the name of the kernel that you’re building.

    The output of this command is kernel-image-2.6.15_myfirstkernelbuild_v.0.1.deb

  9. Install the kernel (dpkg -i kernel-image-2.6.15_myfirstkernelbuild_v.0.1.deb)
  10. Restart the computer (init 6)
  11. If this process worked the output of uname -r should be 2.6.15.

    Let me know if you have any problems.

    Later,
    Jon Howe

Great Iptables Tool

Great Iptables Tool

I’ve been messing around with iptables a bit more than usual the past week or so. Through this process, I decided that it wasn’t worth it for me to keep creating / tweaking all of my rules by hand. So.. I found an Excellent (with a capital ‘E’) frontend to iptables.

For me the frontend had to meet some strict requirements.

  1. It must have a curses graphical user interface
  2. It must be easy to use

Something called Jay’s Iptables Fits these requirements perfectly.

You can find all of the details at it’s website.

Check it out!

Later,
Jon Howe

Convert RPM to Deb + News

Convert RPM to Deb + News

I found a few cool things this morning.

The first being a way to install a rpm file in Debian. You do this using the alien command (apt-get install alien).

To convert a package from an rpm to a deb run the following command:
alias --to-deb

To just install a rpm use the following command:
alias -i

It's that easy.

Also, I was looking at some stories on the front page of Digg, and found a Great New Library for use with Google Maps. It has the features of the one that I was messing around with earlier (I forgot the name of it). It even includes the features that I had to add inot the other library.

Who knows, you might be getting a little tutorial on how to use this library soon.

Later,
Jon Howe

How To Cache Apt Packages On A Network Using Apt-Cacher

How To Cache Apt Packages On A Network Using Apt-Cacher

If you’ve got more than one computer running Debian that packages are downloaded through apt, then apt-cacher should help you a lot.

Apt-cacher is actually a cgi script that is run by apache. Using apt-cacher is very easy, and installing it is even easier.

Step 1: Install apt-cacher.
(Run this on the proxy computer)

apt-get install apt-cacher

Enter the webpage : http://localhost/apt-cacher
to see that the proxy is running.

Step 2: Backup and Convert Clients sources.list.
(Do this on the computers that you want to access the cache.)

cp /etc/apt/sources.list /etc/apt/sources.list.backup

vi /etc/apt/sources.list

Press ‘:’ while in vi.

Enter “%s/http:///http://[Your Proxy IP]/apt-cacher?//g

This searches through your sources and adds http://[Your Proxy IP]/apt-cacher?/ before every repository.

An example from my sources.list looks like this:

deb http://192.168.3.2/apt-cacher?/www.backports.org/debian/ sarge-backports main

Step 3: Update Clients

apt-get update

Optional Step 4: Import Existing packages into the apt-cacher cache

Copy the desired packages to the proxy directory /var/cache/apt-cacher/import

Run the import script to make it so that apt-cacher can use them.
perl /usr/share/apt-cacher/apt-cacher-import.pl

Step 5: Use apt-get

If the required previous steps completed successfully you should now be able to use apt with it’s connection proxied through your apt-cacher proxy.

Questions / Comments, leave me a comment, and I’ll reply.

Later,
Jon Howe

How to Set up a Complete Transparent Filtering Proxy

How to Set up a Complete Transparent Filtering Proxy

This tutorial works with squid versions < 2.6

Many companies find proxy servers useful for a number of reasons. For example, if a company has fairly low bandwidth and needs a cheap way to streamline the distribution of frequently accessed content, a proxy server, such as squid will help a lot. Another use of a proxy server in the business world is for what I like to call, “Employee Management”. In other words, this is for companies that want to see what their employees are viewing on the internet. They can also be used by companies that have less than perfect infrastructures and need to have a way to take one connection to the internet and spread it to many computers.

Squid is great for the uses above and for other unmentioned uses, but when combined with a content filter called dansguardian the results are awesome.

Dansguardian is a content filtering proxy that integrates itself with squid. You can find information about Dansguardian here, and here.

These two things combined into something called a Transparent Proxy allow for much greater flexibility for administrators and end users. With a non-transparent proxy everything that accesses the internet needs to have HTTP proxy support, and needs to be configured by hand before it can be used. With transparent proxying the connections to port 80 (http) are automatically redirected from their original path and routed through the proxy. Don’t worry if this sounds confusing, the details aren’t really that important.

Now for the good part: How to install and configure this in Debian.

  1. Do a Base Install of Debian:
  2. This means that when you get into aptitude
    just hit ‘q’ and exit out, becuase we’ll be installing everything manually
  3. Install the packages using apt-get: 'apt-get install squid dansguardian vim ssh'

  • That should take a little while but should download everything that you’ll need.
  • Now we have to make it so that the proxy works in non-transparent mode.

    1. To do this we have to edit the dansguardian configuration file located at '/etc/dansguardian/dansguardian.conf'.
    2. Navigate to the section labeled ‘Network Settings’ and change ‘filterip’ to the ip address that’s on the network that you’re clients will be listening on.
    3. At the top of the file comment out the word “UNCONFIGURED”
    4. Save and quit the file by typing: wq (if you’re using vi)
    5. Do some final configuration on dansguardian by entering the command 'dpkg-reconfigure dansguardian'

    Now we have dansguardian all set. All that’s left is getting squid set up for transparent proxying, entering the iptables rules, and setting it up to all be set up correctly each time that you restart your proxy server.

    In the squid configuration file, which is located at '/etc/squid/squid.conf' add and/or edit the following lines to enable transparent proxying.
    '
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    '

    Do a search in the squid config file for 'http_access deny all' and change it to http_access allow all. This file should be customized more in the future. This configuration tells squid to use no discretion as to who uses the proxy. Setting this up is beyond the scope of this tutorial.

    That finishes the configuration of Squid. Now just enter the following commands and you should be set on the firewall rules. Create this file in the directory '/etc/init.d'. We’ll assume that eth0 is the interface going to the internet and eth1 is the interface leading to the client network.


    #! /bin/sh

    # Set up IP FORWARDing and Masquerading
    echo “Setting up forwarding”
    iptables –table nat –append POSTROUTING –out-interface eth0 -j MASQUERADE
    iptables –append FORWARD –in-interface eth1 -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward

    #enable transparent proxying
    echo “Enabling Transparent Proxying”
    iptables -t nat -A PREROUTING -i eth2 -p tcp –dport 80 -j REDIRECT –to-port 8080
    The first group of commands tells your system to take all of the packets that are going to the internet (eth0) and move them from the local interface (eth1) through the proxy server and on to the internet.

    The second command does the transparent proxying. It listens for connections going to port 80 and redirects them to port 8080 (the dansguardian port) which in turn checks to see if the website is authorized. If it is the request is forwarded to squid, and then to the destination website. The process is pretty much the same, but opposite on the way back to the client.

    The files in the script that we created need to be executed for the proxy to work, so what we’ll do is have it run on startup.

    1. Make it executable: 'chmod +x /etc/init.d/local'
    2. Then make it run when the system starts up: ' update-rc.d local defaults 80'

    After that whole process you should have a fully functioning transparent content filtering proxy. If you have any comments / corrections / or suggestions feel free to leave a comment and I will answer.

    Later,
    Jon Howe

    Craaaazy Stuff

    Craaaazy Stuff

    So last night I decided to take windows off of my laptop. This probably should have been easy. However, when is anything ever easy? When I woke up this morning I found out that in the middle of the night, during my net-install, the network cord came unplugged.

    Apparently when you unplug the network cable during a Debian Netinstall the installer stops downloading the remaining packages and sets up what you have.

    As you can probably guess, this is a little problem. When I tried to start up KDE I got an X11 error. Trying to figure out what the deal was here was a pain, but I was able to fix it by uninstalling X11, KDE, and Gnome ( apt-get remove x11r6-6), kdm, and gdm. My goal here was to start with as fresh of a slate as I could.

    After that I needed to get X11 and KDE back installed. To do this I just ran the follwing command (this takes a while, because it’s re-installing a lot of your operating system again.

    apt-get install x-server-xfree86 x-window-system x-window-system-core kdm

    That should work, but if you have problems leave a comment and I’ll get back to you ASAP.

    Later,
    Jon Howe

    How to Script the Unattended Retrieval of Remote Files using SCP

    How to Script the Unattended Retrieval of Remote Files using SCP

    In one of my previous posts I told how to create a package that’s contents is dumped from the database, archived, encrypted, and put into a public directory.

    I also mentioned that a potential security flaw on this system was that someone with enough time and processing power could decrypt your package and get all of it’s contents.

    I thought about this and decided that I wanted a better way. So, I found a way to script an unattended / secure connection between the remote computer and the client computer using SCP and SSH keys.

    The first thing that you want to do to set this up is make sure that you have a way to use SCP without it prompting you for a password. You do this by using something called an ‘SSH key’. To generate an SSH key use the following command.

    ssh-keygen -t rsa

    What this does is:

    1. Creates both a public and private key
    2. Asks you where to put both of the generated keys (use the defaults)
    3. Asks you if you want to use a passphrase (this isn’t neccessary, and I think that it messes up the unattended part of the command, so don’t do it)

    After that you have to put the public key, which should be located at ‘~/.ssh/id_rsa.pub’ into the users .ssh directory which is inside their home directory (for example: /home/jhowe/.ssh).

    After that you have to make sure that the client and server know that in the future they will be connecting to each other without a password. You do this by creating a file on the server in the server user’s .ssh directory called authorized_keys2 with the information about your private key in it. Fear not, this process is greatly simplified by SCP. Just enter the following command and it will be done for you automatically.

    (Put this all on one line)
    scp
    [Client_Username]/.ssh/id_rsa.pub [Server_Username]@[Server_Address}: /[Server_Username]/.ssh/authorized_keys2

    …Then enter the server username’s password, and it will copy to the file on the server for you. If you want to make sure that it’s there, open ‘/[server_username]/.ssh/autohorized_keys2’, and see if it has a bunch of random looking charachters. If so, then it worked.

    If all of the steps so far have been completed correctly you should be able to use SCP in a script to get your database archive in a directory that’s not web-readable, therefore eliminating the risk of some ruthless hacker decrypting your database package, and stealing all of your data.

    Again, time for the downside. This isn’t a very big downside, but it needs to be mentioned. It’s important to note that the Private key, which was created at the same time as the public key (which was sent to your server) needs to be protected with your life. The reason that I say this is because if it’s stolen anyone that has it will be able to connect to your server if they get it. If there’s a posibility of someone else using the client computer that you enter chmod 400 ~/.ssh/id_rsa to make it that only root can read the file.

    As always, if you have any problems or questions feel free to leave a comment and I’m be more than happy to help you in any way that I can.

    Later,
    Jon Howe

    How to Mount a Samba share to your Computer in Linux

    How to Mount a Samba share to your Computer in Linux

    This is something that I’ve been wanting to do for some time. It’s just this morning that I actually decided to do it. It’s pretty simple.

    This small tutorial is based upon the assumption that you already have a samba share set up. However, if you don’t, then keep posted, because I’ll talk about that in a later tutorial. Also, It’s based upon the assumption that you have the samba client and sambafs installed. In debian all that you have to do to install this is type in the following line:
    apt-get install smbfs smbclient

    All that you have to do is type in the following command to have a non-permanent solution (on one line):
    mount -t smbfs //[server ip or domain name]/[server directory] [place that you want to mount the directory] -o username=[samba username],password=[samba password]

    If you go with this solution you’ll have to reenter this command each time that you start up your computer. To make this a permanent change, you need to edit your ‘/etc/fstab’ file by adding the following line at the bottom (on one line)
    //[server name or ip]/[shrae name] [directory to mount share into] smbfs username=[samba username],password=[samba password] 0 0

    This works for me, but if you have any problems feel free to leave a comment and I’ll help you out ASAP.

    Later,
    Jon Howe

    Copyright VirtJunkie.com © 2024