VPS for rent
December 21, 2009

You need a server connected to the Internet? You don't want a shared server, but you don't want to pay for a dedicated server either? exp-NETWORKS can rent you a Virtual Private Server (VPS). A VPS runs its own Linux OS, with its own packages, user administration and configuration, on shared hardware. The VPSs running on the same hardware are isolated from each other.
The VPS proposed by exp-NETWORKS comes with a minimal Debian 5 install and SSH access. Should you want another Linux distribution, please contact us.
|         | memory  | disk  |
| VPS I   | 512 Mo  | 10 Go |
| VPS II  | 1024 Mo | 20 Go |
| VPS III | 2048 Mo | 30 Go |
ClamXav differential update
November 29, 2009
ClamXav is a free virus checker for Mac OS X. It uses the tried, tested and very popular ClamAV open source antivirus engine as a back end.
The default install of ClamXav does not enable the automatic virus definition update. When a user enables those automatic updates, a 'good old cron job' is created for that user. Three minor concerns with that method are:
- Each user on the system can enable the automatic updates, leading to multiple redundant checks for new virus definitions.
- The users do not have write access to the ClamXav directories and so cannot create the temporary directory required for differential updates. Fortunately ClamXav falls back to a standard update, where the entire virus definition file is downloaded.
- All the users who enable the automatic updates will get e-mails containing an error message like this one:
clamxav ERROR: chdir_tmp: Can't create directory ./clamav-97e66bd7fbb
Only the _clamav user has write access to its directories. I've found several workarounds for this by googling, but most of them were either not secure, like making the _clamav user's directories world-writable, or not elegant, like putting the cron job in root's crontab.
The only elegant workaround I've found so far still requires some manual configuration, but at least it follows Apple's vision of daemons and recurring tasks: it uses launchd. I won't explain launchd here, but Apple's website and the AFP548 website are very good starting points to understand its philosophy.
We will configure a launchd daemon to start the virus definition update every day at 21:30 as the _clamav user. launchd is configured via property list files (.plist) placed in the appropriate directories. In this case we want the daemon to be available as long as the system is up, regardless of whether a user is logged in or not, so we will place our plist file in /Library/LaunchDaemons/.
1. <?xml version="1.0" encoding="UTF-8"?>
2. <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3. <plist version="1.0">
4. <dict>
5.   <key>Label</key>
6.   <string>com.clamxav.freshclam</string>
7.   <key>UserName</key>
8.   <string>_clamav</string>
9.   <key>LowPriorityIO</key>
10.  <true/>
11.  <key>Nice</key>
12.  <integer>1</integer>
13.  <key>Program</key>
14.  <string>/usr/local/clamXav/bin/freshclam</string>
15.  <key>ProgramArguments</key>
16.  <array>
17.    <string>/usr/local/clamXav/bin/freshclam</string>
18.    <string>--quiet</string>
19.    <string>--log=/usr/local/clamXav/share/clamav/freshclam.log</string>
20.  </array>
21.  <key>StartCalendarInterval</key>
22.  <dict>
23.    <key>Hour</key>
24.    <integer>21</integer>
25.    <key>Minute</key>
26.    <integer>30</integer>
27.  </dict>
28. </dict>
29. </plist>
Lines 5-6: define the daemon's name
Lines 7-8: define the user the daemon will run as
Lines 9-12: reduce the update process priority, as it does not need to run fast
Lines 13-20: define the daemon's executable and its parameters
Lines 21-27: schedule when the daemon must run
That plist file must be placed in /Library/LaunchDaemons/. It will be automatically loaded after each reboot but you can manually load it with launchctl if you don’t want to restart your computer.
$ sudo launchctl load /Library/LaunchDaemons/com.clamxav.freshclam.plist
$ sudo launchctl list | grep com.clamxav.freshclam
- 0 com.clamxav.freshclam
Now you can check in the log file (/usr/local/clamXav/share/clamav/freshclam.log) that the error message has disappeared and that the differential update is working:
ClamAV update process started at Sat Nov 28 21:30:09 2009
main.cvd is up to date (version: 51, sigs: 545035, f-level: 42, builder: sven)
Downloading daily-10091.cdiff [100%]
daily.cld updated (version: 10091, sigs: 115838, f-level: 44, builder: ccordes)
Database updated (660873 signatures) from database.clamav.net (IP: 193.1.193.64)
Clamd successfully notified about the update.
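As an added example (not part of the original post), the following Python script builds the same plist with the standard-library plistlib module and checks a LaunchDaemon plist for the properties that matter here: the job must not run as root, its schedule must be valid, and Program must agree with ProgramArguments. The paths are the ones used above; the check rules are this example's own.

```python
"""Generate and sanity-check a launchd daemon plist for freshclam.

Added example, not part of the original post. It uses only the standard
library (plistlib) and encodes the choices made in the post: the job runs
as the unprivileged _clamav user, at low I/O priority, on a fixed daily
schedule. The paths are the post's; the check rules are this example's own.
"""
import plistlib

FRESHCLAM = "/usr/local/clamXav/bin/freshclam"
LOGFILE = "/usr/local/clamXav/share/clamav/freshclam.log"


def build_plist(label="com.clamxav.freshclam", user="_clamav", hour=21, minute=30):
    """Return the plist as XML bytes, equivalent to the hand-written file."""
    job = {
        "Label": label,
        "UserName": user,
        "LowPriorityIO": True,
        "Nice": 1,
        "Program": FRESHCLAM,
        "ProgramArguments": [FRESHCLAM, "--quiet", f"--log={LOGFILE}"],
        "StartCalendarInterval": {"Hour": hour, "Minute": minute},
    }
    return plistlib.dumps(job)


def check_plist(xml_bytes):
    """Return a list of problems found in a LaunchDaemon plist (empty = OK).

    A definition update does not need root, the schedule must be valid,
    and Program (if present) must match ProgramArguments[0].
    """
    job = plistlib.loads(xml_bytes)
    problems = []
    for key in ("Label", "UserName", "ProgramArguments", "StartCalendarInterval"):
        if key not in job:
            problems.append(f"missing key {key}")
    if problems:
        return problems
    if job["UserName"] in ("root", ""):
        problems.append("job runs as root; freshclam only needs the _clamav user")
    args = job["ProgramArguments"]
    if "Program" in job and job["Program"] != args[0]:
        problems.append("Program and ProgramArguments[0] differ")
    if not args[0].startswith("/"):
        problems.append("executable path must be absolute")
    sched = job["StartCalendarInterval"]
    if not 0 <= sched.get("Hour", 0) <= 23 or not 0 <= sched.get("Minute", 0) <= 59:
        problems.append("StartCalendarInterval out of range")
    return problems


if __name__ == "__main__":
    xml = build_plist()
    print(xml.decode())
    print("problems:", check_plist(xml))
```

Run it to print the generated plist; feed the bytes of an existing file to check_plist() to audit a daemon you did not write yourself.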
Thanks for leaving a comment if you found this useful
Label eTIC
September 24, 2009
exp-NETWORKS is proud to announce that it has just signed the eTIC charter. That charter commits exp-NETWORKS to address with its customers, when the offer is drawn up, the key points that could become a source of future litigation if not clarified, such as control of costs and time, intellectual property rights, or continuity and portability of the solution, and urges it to ensure that the service matches the customer's needs and to ensure good coordination with any subcontractors. By pushing for this dialogue, this code of ethics leads to more balanced contracts that better stand the test of time, with both parties having a clear view of the scope.
You can have a look at the complete charter text in French.
Dynamic Multipoint VPN
September 22, 2009
Ever wondered how to provision several hundred VPNs from remote offices with dynamic IPs to a central site with minimal configuration? Cisco offers an elegant solution called Dynamic Multipoint VPN (DMVPN). With DMVPN the central site does not need to know the remote site's IP in advance; it learns it via the NHRP protocol when the remote router comes up.
First we will create IP connectivity via GRE tunnels and NHRP, then we will secure the GRE tunnels with IPsec.
The hub router will use a multipoint GRE (mGRE) interface for ease of management. That way we do not need to provision a new tunnel interface per remote office; in fact, the hub router will not need to be reconfigured at all for any additional remote site.
Hub router R1:
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
!
interface Fa0/0
 ip address 1.1.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
Spoke routers (R2 and R3 in this example) use a point-to-point GRE tunnel pointing to the central site's hub router R1. NHRP is configured to use R1 as next-hop server (NHS). With this setup, spoke-to-spoke traffic flows through the hub, making the hub a central point where you can enforce security policy.
Spoke router R2:
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 ip nhrp map 10.10.10.1 1.1.1.2
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.1
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 tunnel key 1
!
interface Fa0/0
 ip address 2.2.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
Spoke router R3:
interface Tunnel0
 ip address 10.10.10.3 255.255.255.0
 ip nhrp map 10.10.10.1 1.1.1.2
 ip nhrp network-id 1
 ip nhrp nhs 10.10.10.1
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 tunnel key 1
!
interface Fa0/0
 ip address 3.3.3.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 3.3.3.1
At this stage, if the routers can communicate with each other via their Fa0/0 interfaces, the GRE tunnels are usable. In this example, the "Internet" router is directly connected to all the routers, and R1, R2 and R3 simply have a default route pointing to it.
To check that the GRE tunnels are operational, we only have to ping the tunnels' internal IPs from one router to the other two.
R2#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 272/313/420 ms
R2#ping 10.10.10.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 312/564/876 ms
If we check the NHRP entries on the hub R1, we can see that the two entries have been learned dynamically, along with the public IP (NBMA address) used by each remote router.
R1#sh ip nhrp
10.10.10.2/32 via 10.10.10.2, Tunnel0 created 00:11:31, expire 01:48:28
Type: dynamic, Flags: authoritative unique registered used
NBMA address: 2.2.2.2
10.10.10.3/32 via 10.10.10.3, Tunnel0 created 00:08:19, expire 01:51:52
Type: dynamic, Flags: authoritative unique registered used
NBMA address: 3.3.3.2
Same information without the timers:
R1#sh ip nhrp brief
Target Via NBMA Mode Intfc Claimed
10.10.10.2/32 10.10.10.2 2.2.2.2 dynamic Tu0 < >
10.10.10.3/32 10.10.10.3 3.3.3.2 dynamic Tu0 < >
Statistics about the NHRP protocol itself:
R1#sh ip nhrp traffic
Tunnel0
Sent: Total 3
0 Resolution Request 0 Resolution Reply 0 Registration Request
3 Registration Reply 0 Purge Request 0 Purge Reply
0 Error Indication
Rcvd: Total 3
0 Resolution Request 0 Resolution Reply 3 Registration Request
0 Registration Reply 0 Purge Request 0 Purge Reply
0 Error Indication
R1#sh ip nhrp summary
IP NHRP cache 2 entries, 496 bytes
0 static 2 dynamic 0 incomplete
On the spoke routers we can check the same. Here we can see that the NHRP entry for the hub is statically defined:
R3#sh ip nhrp
10.10.10.1/32 via 10.10.10.1, Tunnel0 created 00:13:31, never expire
Type: static, Flags: authoritative
NBMA address: 1.1.1.2
R3#sh ip nhrp summary
IP NHRP cache 1 entry, 248 bytes
1 static 0 dynamic 0 incomplete
And we can check which NHRP next-hop server is used:
R3#sh ip nhrp nhs
Legend:
E=Expecting replies
R=Responding
Tunnel0:
10.10.10.1 RE
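As an added example, not part of the original post and not a Cisco tool, here is a small Python parser for the 'show ip nhrp' output above. Beyond reading the cache, it flags dynamic registrations whose NBMA (public) address is outside the ranges the remote offices are expected to use, a cheap periodic check on a hub that accepts registrations from any address. The sample output is constructed from R1's cache above, and the allowed ranges are an assumption of this example.

```python
"""Parse 'show ip nhrp' output and flag spoke registrations from
unexpected public addresses.

Added example, not part of the original post and not a Cisco tool.
SAMPLE_SHOW_IP_NHRP is constructed from the R1 output in the post; the
allowed NBMA networks passed to unexpected_registrations() are an
assumption (in practice: the address blocks your remote offices use).
"""
import ipaddress
import re

SAMPLE_SHOW_IP_NHRP = """\
10.10.10.2/32 via 10.10.10.2, Tunnel0 created 00:11:31, expire 01:48:28
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 2.2.2.2
10.10.10.3/32 via 10.10.10.3, Tunnel0 created 00:08:19, expire 01:51:52
  Type: dynamic, Flags: authoritative unique registered used
  NBMA address: 3.3.3.2
"""

# One regex per line kind of the IOS output.
ENTRY_RE = re.compile(r"^(\S+/\d+) via (\S+), (\S+) created (\S+), (.*)$")
TYPE_RE = re.compile(r"^Type: (\w+), Flags: (.*)$")
NBMA_RE = re.compile(r"^NBMA address: (\S+)$")


def parse_nhrp(text):
    """Return a list of dicts, one per NHRP cache entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "target": m.group(1), "via": m.group(2), "interface": m.group(3),
                "created": m.group(4), "expire": m.group(5),
                "type": None, "flags": [], "nbma": None,
            })
            continue
        if not entries:          # detail line before any entry: ignore
            continue
        m = TYPE_RE.match(line)
        if m:
            entries[-1]["type"] = m.group(1)
            entries[-1]["flags"] = m.group(2).split()
            continue
        m = NBMA_RE.match(line)
        if m:
            entries[-1]["nbma"] = m.group(1)
    return entries


def unexpected_registrations(entries, allowed_nbma_networks):
    """Dynamic (spoke-registered) entries whose NBMA address lies outside
    the networks the remote offices are known to use."""
    nets = [ipaddress.ip_network(n) for n in allowed_nbma_networks]
    bad = []
    for e in entries:
        if e["type"] != "dynamic" or e["nbma"] is None:
            continue
        addr = ipaddress.ip_address(e["nbma"])
        if not any(addr in n for n in nets):
            bad.append(e)
    return bad


if __name__ == "__main__":
    cache = parse_nhrp(SAMPLE_SHOW_IP_NHRP)
    for e in cache:
        print(f"{e['target']:16} {e['type']:8} NBMA {e['nbma']}")
    # Assumed allow-list: only the R2 office's block is expected, so R3's
    # registration is reported.
    for e in unexpected_registrations(cache, ["2.2.2.0/24"]):
        print("unexpected spoke registration:", e["target"], "from", e["nbma"])
```

Feed it the output of 'show ip nhrp' collected from the hub (over SSH or from a saved file) and keep the allow-list in the same repository as the router configuration.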
Should you want to allow spoke-to-spoke tunnels to be built dynamically, you only need to replace the "tunnel destination 1.1.1.2" command on the spokes with "tunnel mode gre multipoint", making the spokes' tunnel interface an mGRE interface. For the remainder of this article, we won't use mGRE interfaces on the spokes.
Now that we have IP connectivity, we still have to secure those dynamically created GRE tunnels with IPsec. For simplicity we will use a pre-shared key as the authentication method, which is not recommended for production deployments.
On the hub and spoke routers, just configure the ISAKMP/IPsec parameters and enable IPsec on the tunnel interfaces.
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set mySet esp-aes esp-sha-hmac
!
crypto ipsec profile myDMVPN
 set security-association lifetime seconds 120
 set transform-set mySet
 set pfs group2
!
interface Tunnel0
 tunnel protection ipsec profile myDMVPN
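Added example, not from the post and not a Cisco tool: a Python linter that reads the crypto and tunnel configuration above (as it would appear in 'show running-config'; the sample below is constructed from the post's hub configuration plus a second, unprotected tunnel) and reports what should be revisited before production: the wildcard pre-shared key the post itself warns about, any tunnel interface still running without 'tunnel protection', and, going beyond the post, a PFS group below current recommendations (group2 is 1024-bit MODP). The set of acceptable groups is this example's assumption.

```python
"""Lint the IKE/IPsec part of an IOS DMVPN configuration.

Added example, not part of the original post and not a Cisco tool.
SAMPLE_CONFIG is constructed from the post's configuration; Tunnel1 is
added here as an example of a GRE tunnel left without IPsec protection.
STRONG_PFS_GROUPS is this example's assumption about acceptable DH groups.
"""
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set mySet esp-aes esp-sha-hmac
!
crypto ipsec profile myDMVPN
 set security-association lifetime seconds 120
 set transform-set mySet
 set pfs group2
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile myDMVPN
!
interface Tunnel1
 ip address 10.10.11.1 255.255.255.0
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
"""

# 2048-bit MODP and above, or the ECP groups (assumption of this example;
# group2 = 1024-bit MODP is below current recommendations).
STRONG_PFS_GROUPS = {"group14", "group15", "group16", "group19", "group20", "group21"}


def sections(config):
    """Split an IOS config into (header, [sub-command lines]) blocks.

    Top-level lines start a block; indented lines belong to the last one.
    """
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def lint_crypto(config):
    """Return a list of (severity, message) findings for the config."""
    findings = []
    for header, body in sections(config):
        m = re.match(r"crypto isakmp key \S+ address (\S+) (\S+)$", header)
        if m and m.groups() == ("0.0.0.0", "0.0.0.0"):
            findings.append(("high", "pre-shared key accepted from any peer address (wildcard PSK)"))
        if header.startswith("crypto isakmp policy") and "authentication pre-share" in body:
            findings.append(("medium", f"{header}: pre-shared key authentication, "
                             "prefer certificates for production"))
        if header.startswith("crypto ipsec profile"):
            pfs = [line.split()[-1] for line in body if line.startswith("set pfs")]
            if not pfs:
                findings.append(("medium", f"{header}: no PFS configured"))
            elif pfs[0] not in STRONG_PFS_GROUPS:
                findings.append(("medium", f"{header}: PFS {pfs[0]} is below current guidance"))
        if header.startswith("interface Tunnel") and not any(
                line.startswith("tunnel protection ipsec profile") for line in body):
            findings.append(("high", f"{header}: GRE tunnel without IPsec protection"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_crypto(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

The same sections() helper works on a full 'show running-config' dump, so the linter can run against backups of every hub and spoke.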
Check that the IPsec SAs are negotiated:
R1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 1.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
#pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.2, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xA2BC2FED(2730242029)
inbound esp sas:
spi: 0x2884EDEA(679800298)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2005, flow_id: SW:5, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4463708/83)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA2BC2FED(2730242029)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: SW:4, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4463708/82)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
That's it! The DMVPN setup is ready for wide deployment. Of course, the central hub router should be duplicated for redundancy; that will be covered in a future post.
Thanks for leaving a comment if you found this useful
IPv6 Firewall with Linux
September 17, 2009
More and more server hosters have configured IPv6 on their networks, and most of their Linux-based servers come with a basic IPv6 configuration. Even if IPv6 is not used, it is there and wide open, as the netfilter/ip6tables default policy is ACCEPT.
If you don't use IPv6 at all, disable it. On Debian, the interface configuration is located in /etc/network/interfaces. Remove all the inet6 configuration, which looks like this:
iface eth0 inet6 static
    address 2001:db8:4:fe34::3ea1
    netmask 64
If you plan to use IPv6, first you have to know that ICMPv6 must be filtered carefully. In IPv6, ICMPv6 is used heavily. It replaces IPv4's ARP with neighbour-solicitation and neighbour-advertisement ICMPv6 messages. It is used for router discovery via router-solicitation and router-advertisement messages. It replaces IPv4's IGMP with group-membership-query, group-membership-report and group-membership-reduction messages.
Here is a small script to activate IPv6 filtering with netfilter/ip6tables. The script has been tested on Debian but it should work on other Linux flavours.
#!/bin/bash -e
#
# Simple example IPv6 Firewall configuration.
#
# Caveats:
# - This configuration applies to all network interfaces.
#   To restrict it to a given interface, set IN_IF below (e.g. "-i eth0");
#   it is added to the filtering rules only, chain policies are global.
# - Remote access for TCP/UDP services is granted to any host,
#   you will probably want to restrict this using '--source'.
# - 'read -t', used by safe-restart, is a bash feature, hence the bash shebang.
#
# description: Activates/Deactivates the firewall at boot time
#
# You should test this script before applying it with the safe-restart option
#
IP6TABLES=/sbin/ip6tables
IN_IF=""
#IN_IF="-i eth0"
[ -x "$IP6TABLES" ] || exit 1

# Inbound TCP ports
TCP_INPUT_PORTS="21 22 53 443"
# Inbound UDP ports
UDP_INPUT_PORTS="53"
# Allowed ICMPv6 messages: neighbour discovery, router advertisements and
# the error messages path MTU discovery relies on must get through.
ALLOWED_ICMP="\
packet-too-big \
destination-unreachable \
time-exceeded \
parameter-problem \
echo-request \
echo-reply \
router-advertisement \
neighbour-solicitation \
neighbour-advertisement"

fw_start () {
    # Allow related and established connections.
    $IP6TABLES -A INPUT $IN_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Allow ICMPv6 as defined in ALLOWED_ICMP
    if [ -n "$ALLOWED_ICMP" ] ; then
        for ICMP_TYPE in $ALLOWED_ICMP; do
            $IP6TABLES -A INPUT $IN_IF -p icmpv6 --icmpv6-type ${ICMP_TYPE} -j ACCEPT
        done
    fi
    # Open allowed TCP ports if any
    if [ -n "$TCP_INPUT_PORTS" ] ; then
        for PORT in $TCP_INPUT_PORTS; do
            $IP6TABLES -A INPUT $IN_IF -m state --state NEW -p tcp --dport ${PORT} \
                -j ACCEPT
        done
    fi
    # Open allowed UDP ports if any
    if [ -n "$UDP_INPUT_PORTS" ] ; then
        for PORT in $UDP_INPUT_PORTS; do
            $IP6TABLES -A INPUT $IN_IF -m state --state NEW -p udp --dport ${PORT} \
                -j ACCEPT
        done
    fi
    # Allow traffic to the loopback (needed by some applications)
    $IP6TABLES -A INPUT -i lo -j ACCEPT
    # Log and drop all other packets.
    $IP6TABLES -A INPUT $IN_IF -j LOG
    $IP6TABLES -P INPUT DROP
    # Log and drop all packets to be forwarded, we're not a router...
    $IP6TABLES -A FORWARD -j LOG
    $IP6TABLES -P FORWARD DROP
    # We're not going to filter outgoing packets
    # but you can if you're paranoid like I am...
    $IP6TABLES -P OUTPUT ACCEPT
}

# fw_stop disables the firewall completely and resets all chains to
# the default policy ACCEPT
fw_stop () {
    $IP6TABLES -P INPUT ACCEPT
    $IP6TABLES -P FORWARD ACCEPT
    $IP6TABLES -P OUTPUT ACCEPT
    $IP6TABLES -t mangle -P PREROUTING ACCEPT
    $IP6TABLES -t mangle -P POSTROUTING ACCEPT
    $IP6TABLES -t mangle -P INPUT ACCEPT
    $IP6TABLES -t mangle -P OUTPUT ACCEPT
    $IP6TABLES -t mangle -P FORWARD ACCEPT
    $IP6TABLES -t mangle -F
    $IP6TABLES -t mangle -X
    $IP6TABLES -F
    $IP6TABLES -X
}

# fw_clear removes the rule set from the firewall and keeps the
# current default policy
fw_clear () {
    $IP6TABLES -t mangle -F
    $IP6TABLES -t mangle -X
    $IP6TABLES -F
    $IP6TABLES -X
}

case "$1" in
    start|restart)
        echo -n "Starting IPv6 firewall.."
        fw_clear
        fw_start
        echo "done."
        ;;
    stop)
        echo -n "Stopping IPv6 firewall.."
        fw_stop
        echo "done."
        ;;
    clear)
        echo -n "Clearing IPv6 firewall rules.."
        fw_clear
        echo "done."
        ;;
    test|safe-restart)
        echo -n "Safely restarting IPv6 firewall..."
        fw_clear
        fw_start
        # If nobody answers within 10 seconds (e.g. you have locked yourself
        # out), the rules are removed again. A timeout makes 'read' return
        # non-zero, which must not abort the script because of -e.
        answer=""
        read -t 10 -p "Is it still OK? " answer || answer=""
        if [ -z "$answer" ]; then
            fw_stop
        fi
        echo "done."
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|safe-restart|clear}"
        exit 1
        ;;
esac
exit 0
Now let's make the script (installed as /etc/init.d/ip6firewall) start at boot time:
update-rc.d ip6firewall start 41 S . stop 34 0 6 .
Now the server only accepts packets on the ports we have decided.
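With the LOG rules in place, the kernel log tells you what the DROP policy is discarding. The following Python script is an added example (not part of the original post): it parses the key=value records netfilter writes for IPv6 packets that reached the LOG rule, aggregates them per source and service, and lists sources that probed several closed ports. The log lines are constructed for this example; the threshold in noisy_sources() is an assumption.

```python
"""Summarise what the ip6tables LOG rules are reporting.

Added example, not part of the original post. It reads the key=value
records netfilter writes to the kernel log (syslog or dmesg) for packets
that hit the LOG rule, i.e. everything the DROP policy then discards.
SAMPLE_LOG is constructed for this example.
"""
from collections import Counter
import ipaddress

SAMPLE_LOG = """\
Sep 17 22:01:03 srv kernel: [ 1234.001] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:86:dd SRC=2001:0db8:00ff:0000:0000:0000:0000:0009 DST=2001:0db8:0004:fe34:0000:0000:0000:3ea1 LEN=80 TC=0 HOPLIMIT=56 FLOWLBL=0 PROTO=TCP SPT=51000 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 22:01:05 srv kernel: [ 1236.002] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:86:dd SRC=2001:0db8:00ff:0000:0000:0000:0000:0009 DST=2001:0db8:0004:fe34:0000:0000:0000:3ea1 LEN=80 TC=0 HOPLIMIT=56 FLOWLBL=0 PROTO=TCP SPT=51001 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 22:01:09 srv kernel: [ 1240.003] IN=eth0 OUT= MAC=33:33:00:00:00:02:00:16:3e:00:00:02:86:dd SRC=fe80:0000:0000:0000:0216:3eff:fe00:0002 DST=ff02:0000:0000:0000:0000:0000:0000:0002 LEN=56 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
Sep 17 22:01:12 srv kernel: [ 1243.004] IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:86:dd SRC=2001:0db8:0bad:0000:0000:0000:0000:0001 DST=2001:0db8:0004:fe34:0000:0000:0000:3ea1 LEN=60 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=UDP SPT=40000 DPT=161
"""


def parse_log_line(line):
    """Return a dict of netfilter fields from one log line, or None when the
    line carries no netfilter record (no 'IN=' token)."""
    if " IN=" not in line:
        return None
    fields = {}
    for tok in line[line.index(" IN=") + 1:].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields.setdefault("tcp_flags", []).append(tok)   # SYN, ACK, ...
    return fields


def describe(fields):
    """Compact (source, service) key for aggregation."""
    src = ipaddress.ip_address(fields["SRC"]).compressed
    proto = fields.get("PROTO", "?")
    if proto == "ICMPv6":
        service = f"icmpv6/type {fields.get('TYPE', '?')}"
    else:
        service = f"{proto.lower()}/{fields.get('DPT', '?')}"
    return src, service


def summarise(log_text):
    """Counter of (source, service) pairs over every logged packet."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields:
            counts[describe(fields)] += 1
    return counts


def noisy_sources(log_text, threshold=2):
    """Sources that hit at least `threshold` distinct closed services, a
    simple indicator of port scanning (the threshold is an assumption)."""
    per_src = {}
    for src, service in summarise(log_text):
        per_src.setdefault(src, set()).add(service)
    return sorted(s for s, services in per_src.items() if len(services) >= threshold)


if __name__ == "__main__":
    for (src, service), n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{n:4d}  {src:28} {service}")
    print("sources probing several ports:", noisy_sources(SAMPLE_LOG))
```

Pipe 'grep IN= /var/log/kern.log' into it on a real host; adding '--log-prefix' to the LOG rules makes the records easier to pick out of the log.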
By the way, I’ve been certified ipv6 Guru by Hurricane Electric…
That’s all folks!
Thanks for leaving a comment if you found this useful



