Geek Freely: security


    Showing posts with label security.


    Set the temporary directory for the packages, as well as the site to fetch packages from (if you are installing onto a 32-bit system, change "amd64" to "i386"):

    setenv PKG_TMPDIR /mnt/Data/Extensions/tmp/
    setenv PACKAGESITE "http://ftp6.us.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-9.0-release/Latest/"

    Install OpenVPN:

    pkg_add -rv openvpn

    Move the openvpn rc script so it is not executed every time the system starts; otherwise your boot process will stop and you will be asked for a username/password. NAS4Free executes all the files inside the "rc.d" folder on startup.

    mv /usr/local/etc/rc.d/openvpn /usr/local/etc/openvpn/

    Install Certificates and .ovpn files.

    mkdir /usr/local/etc/openvpn

    Download your certificate (*.crt) as well as the *.ovpn file, rename them (*.crt to openvpn.crt and *.ovpn to openvpn.conf), and copy them using WinSCP to /usr/local/etc/openvpn/

    Once copied, edit openvpn.conf and you should see something like this:

    client
    dev tun
    proto udp
    remote 11.170.97.173 443 # your server IP and OpenVPN port
    resolv-retry infinite
    nobind
    tun-mtu 1500
    tun-mtu-extra 32
    mssfix 1450
    persist-key
    persist-tun
    ca openvpn.crt
    auth-user-pass
    comp-lzo
    verb 3

    Add the following line to openvpn.conf, so passwords aren't stored in memory:

    auth-nocache

    Don't use auth-nocache, as renegotiation after the timeout will fail.

    Just make sure that after "ca" there is openvpn.crt, and also check the second line to see whether you have got dev tun or dev tap.

    Test OpenVPN connection:

    /usr/local/etc/openvpn/openvpn onestart /usr/local/etc/openvpn/openvpn.conf

    Download the following torrent to make sure your legal torrents are downloaded privately:

    Edit rc.conf to enable OpenVPN. Open up your NAS's web interface, head to System > Advanced > rc.conf and add the following variables:

    openvpn_enable with a value of YES

    openvpn_if with a value of tun or tap depending on the contents of openvpn.conf

    Now we need to make it autostart, so back to SSH:

    pkg_add -r expect

    nano /usr/local/etc/openvpn/autosignon

    In the file just insert:

    #!/usr/local/bin/expect -f
    # Drive the interactive OpenVPN login so it can run unattended at boot
    set force_conservative 0
    spawn /usr/local/etc/openvpn/openvpn start /usr/local/etc/openvpn/openvpn.conf
    match_max 100000
    # Wait for each prompt and answer it; replace the placeholders with your credentials
    expect -exact "Enter Auth Username:"
    send -- "YOUR USERNAME!\r"
    expect -exact "Enter Auth Password:"
    send -- "YOUR PASSWORD!\r"
    expect eof

    Save your changes and make that script executable by running the following command:

    chmod +x autosignon

    AUTOSTART OPENVPN

    In NAS4Free webGUI, navigate to: “System|Advanced|Command scripts” and insert the following start-up command (PreInit):

    /usr/local/etc/openvpn/autosignon
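    As an added example that is not part of the original post: the login can also be automated without an expect script, because OpenVPN's auth-user-pass directive accepts a file whose first line is the username and second line the password. The POSIX sh script below (the path /usr/local/etc/openvpn/auth.txt and the function names are assumptions) writes that file with mode 0600 and checks it before you point openvpn.conf at it.

```shell
#!/bin/sh
# Added example (not from the original post): keep the OpenVPN username and
# password in a root-only file referenced by "auth-user-pass <file>" instead of
# embedding them in an expect script. Path and function names are assumptions.
AUTH_FILE="${AUTH_FILE:-/usr/local/etc/openvpn/auth.txt}"

# Write the two-line credentials file (line 1 username, line 2 password)
# with mode 0600 so only the owner (root on the NAS) can read it.
write_auth_file() {
    file="$1"; user="$2"; pass="$3"
    # subshell keeps the restrictive umask from leaking into the caller
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$file" ) || return 1
    chmod 600 "$file"
}

# Sanity-check the file before pointing openvpn.conf at it:
# must exist, must be mode 0600, must contain exactly two non-empty lines.
check_auth_file() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    mode=$(ls -ld "$file" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "bad permissions ($mode): $file" >&2; return 2; }
    lines=$(wc -l < "$file" | tr -d ' ')
    [ "$lines" -eq 2 ] || { echo "expected 2 lines, got $lines: $file" >&2; return 3; }
    [ -n "$(sed -n '1p' "$file")" ] && [ -n "$(sed -n '2p' "$file")" ] || return 4
    return 0
}

# Emit the openvpn.conf directive that replaces the bare "auth-user-pass" line.
auth_directive() {
    printf 'auth-user-pass %s\n' "$1"
}

# Usage on the NAS (as root): sh make_auth.sh install USERNAME PASSWORD
if [ "${1:-}" = "install" ]; then
    write_auth_file "$AUTH_FILE" "$2" "$3" \
        && check_auth_file "$AUTH_FILE" \
        && auth_directive "$AUTH_FILE"
fi
```

With the file in place, the expect script and its plaintext credentials are no longer needed; openvpn_enable in rc.conf starts the tunnel unattended.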

    CONFIGURE FIREWALL

    So this is a bit hit or miss for me, I almost feel like I am having to restart my NAS4Free box before I see the changes from the firewall applied.

    My VPN provider doesn’t have a list anymore for which IPs they assign, so I just have to kinda guess.

    The purpose of the firewall is to provide protection in the event of the VPN service going down, and by protection we mean no external connection.

    If you wish to test your NAS4Free box IP directly from command line, install curl.

    pkg_add -rv curl

    Then enter the following:

    curl ifconfig.me

    But you can also check your torrent client directly too!

    9/15/2014 Update: Change torrent IP tracking address.
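    As an added example that is not part of the original post: a rule set for ipfw, FreeBSD's packet filter (assumed to be available on the NAS4Free box), that implements the "no external connection when the VPN is down" goal described above. Everything leaving the physical interface is dropped except the OpenVPN handshake to the server address from openvpn.conf and LAN traffic; the interface names em0/tun0, the LAN subnet and the rule numbers are assumptions to adjust.

```shell
#!/bin/sh
# Added example (not from the original post): an ipfw "kill switch" for the NAS.
# If the tunnel drops, nothing but the VPN handshake and LAN traffic may leave
# the WAN interface, so the torrent client cannot fall back to the bare ISP link.
# Interface names, LAN subnet, rule numbers and the VPN endpoint are assumptions.
WAN_IF="${WAN_IF:-em0}"                     # physical NIC on the NAS (assumption)
VPN_IF="${VPN_IF:-tun0}"                    # matches openvpn_if in rc.conf
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # your home subnet (assumption)
VPN_SERVER="${VPN_SERVER:-11.170.97.173}"   # "remote" host from openvpn.conf
VPN_PORT="${VPN_PORT:-443}"                 # "remote" port from openvpn.conf
VPN_PROTO="${VPN_PROTO:-udp}"               # "proto" from openvpn.conf

# Print the rules, lowest number first; ipfw stops at the first match, so the
# explicit allows must come before the final deny on the WAN interface.
killswitch_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 allow ip from any to any via $VPN_IF
add 300 allow $VPN_PROTO from me to $VPN_SERVER $VPN_PORT out via $WAN_IF
add 310 allow $VPN_PROTO from $VPN_SERVER $VPN_PORT to me in via $WAN_IF
add 400 allow ip from me to $LAN_NET via $WAN_IF
add 410 allow ip from $LAN_NET to me via $WAN_IF
add 65000 deny ip from any to any via $WAN_IF
EOF
}

# Self-check: the last rule must be the catch-all deny, or traffic leaks.
rules_end_with_deny() {
    killswitch_rules | tail -n 1 | grep -q '^add 65000 deny ip from any to any via '
}

# Load the rules with "ipfw -q" when run as root where ipfw exists; otherwise
# just print them. Existing rules are left in place; pick numbers that do not
# collide with what the NAS4Free firewall page already installed.
apply_rules() {
    if [ "$(id -u)" -eq 0 ] && command -v ipfw >/dev/null 2>&1; then
        killswitch_rules | while read -r rule; do ipfw -q $rule; done
    else
        killswitch_rules
    fi
}
```

After loading the rules, stop OpenVPN and run the curl ifconfig.me check above: it should time out rather than return your ISP address.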

    While this same setup can be used for retrieving/cracking WPA keys, I am going to focus on usage for retrieving lost WEP keys. I use the word retrieving because you should never use this tool to crack a network that does not belong to you; you should use this tool to see how simply a hacker could access your network, and prove to yourself how useless WEP is as a form of security.

    The first thing you will want to do (this is on Ubuntu) is download wifite.

    wget "http://code.google.com/p/wifite/downloads/detail?name=wifite-2.0r85.tar.gz&can=2&q="

    Here is a list of the current features on v2.0r85:

    Upon first running this application you will be instructed that aircrack-ng is required for use with this tool. So next let's get that.

    sudo apt-get install aircrack-ng

    Some other applications you will want to install to aid in wireless key retrieval; a list of these is shown when running wifite:

    Within the directory that you downloaded wifite to, make sure you make the script executable:

    chmod +x wifite.py

    Then for me, I check I can access all my WEP networks with the following code:

    Hope this helps.

    Port forwarding is a bit of a necessity, because your only alternative is UPnP, which is a huge vulnerability. UPnP allows programs to automatically configure port redirection (NAT traversal), and therefore if you happen to get a malicious program on your computer it could wreak havoc if UPnP is available. Port forwarding, as I discuss here, is the act of manually configuring your router to redirect ports to specific computers on your network.

    What is the point of port forwarding, you may ask? Let's take a simple example: imagine you have three computers on your network, and one of them has a web server. Port redirection will allow all web page requests coming to your WAN IP to be routed to the appropriate device.

    To expand.

    WAN IP: 72.67.180.4

    Internal Computer 1: 192.168.1.1

    Internal Computer 2: 192.168.1.2

    Internal Computer 3: 192.168.1.3

    If the web server is running on Internal Computer 2, you must forward all web requests (assume HTTP, port 80, here) to it. The router will then redirect ALL external requests from ANY source to port 80 to port 80 at internal address 192.168.1.2.

    A more complex example would be Remote Desktop. Let's say you want to access any of your PCs from outside your home network, while at work possibly. If all computers are running Windows, the RDP (Remote Desktop) port associated with this service is 3389. You can't use the same external port redirection, that is to say you can't redirect 3389 to multiple destinations; it's just not possible.

    There are a couple of options to overcome the problem. One is to change the OS (Operating System) RDP port; the other, much simpler, method is to use a different external port.

    To expand.

    WAN IP: 72.67.180.4

    Internal Computer 1: 192.168.1.1

    Internal Computer 2: 192.168.1.2

    Internal Computer 3: 192.168.1.3

    Let's say you redirect port 1 to Internal Computer 1 port 3389, port 2 to Internal Computer 2 port 3389, and port 3 to Internal Computer 3 port 3389.

    Now, to access your PC from an external location, all you need to do is start the Remote Desktop application and enter the following:

    72.67.180.4:1 to RDP to Internal Computer 1

    72.67.180.4:2 to RDP to Internal Computer 2

    72.67.180.4:3 to RDP to Internal Computer 3

    Using ports 1-3 is not recommended by ICANN. You should use anything above 49151.

    See the following link for more information.

    As for actually configuring port forwarding on your router, you can either check the manual, the manufacturer's website, or the following web page:

    The following site will provide free SSL certificates; these can be used for securing a connection, but should not be considered 'trusted', as only the domain name and email are validated.

    This looks like it would probably minimize the hassle in creating your own self-signed certificates.

    I created my own self-signed certificate using OpenSSL. I don't remember the exact steps, and I wish I had written them here; I thought I did? The site will no doubt have all the information you need.

    So I am on the search; I need to find a good application for port triggering.

    I use uTorrent for getting various content/distributions; however, I don't want traffic hitting my router when I am not using the application. To get the best out of uTorrent you need to open a port on your router (port forward), but I don't want that port to be open when my application is not running, so what's the solution? Port triggering.

    There is an application out there that will work, but it is not supported in Windows 7. The basic idea is that when Port Trigger sees the application of choice (uTorrent) running, it will intermittently send a request to a port. This port request can then be set up at your router to open the configured port for your application connection. Then, when the application is not running, Port Trigger no longer 'pings' the trigger port, and the router will not open the port for the application.

    If anyone has any suggestions for a Windows 7 supported application, please get in touch!

    My router running Tomato firmware:
