Wednesday, June 24, 2015

HOWTO : Use NightHawk More Safely

I developed NightHawk, which lets you use the Tor network in transparent mode. NightHawk has an advantage over Tor Browser: you can not only surf the web through Tor with your favourite browser, but also route any other application's connections through Tor.

However, there are restrictions on using NightHawk (or Tor in general) safely so that your real IP address is not leaked. First, prevent DNS leaks by not using your ISP's DNS servers. Second, do not install Flash in your browser, since it can leak your IP address when you visit a malicious website. Third, avoid Google Search, because Google may block you. Fourth, disable JavaScript where you can; in practice this is often impossible, since modern websites rely heavily on it. Lastly, do not download files, and do not make reverse connections back to your own box, through the Tor network.
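The first restriction above (no ISP DNS) is the one you can verify mechanically. The script below is an added example, not part of NightHawk: it assumes the Tor-side resolver (Tor's DNSPort, or whatever NightHawk sets up) listens on loopback, and flags any nameserver in /etc/resolv.conf that is not 127.x.x.x or ::1, because queries to such a server leave the box outside Tor. The resolv.conf samples in it are constructed for the self-test.

```shell
#!/bin/sh
# Added example, not part of NightHawk: DNS-leak check for a transparent
# Tor setup. Assumption: the Tor-side resolver listens on loopback, so any
# non-loopback nameserver means DNS bypasses Tor.

# Print every nameserver in the resolv.conf text given as $1 that is not on
# loopback. No output means nothing leaks.
leaking_nameservers() {
    printf '%s\n' "$1" |
        awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }'
}

# Succeed (exit 0) only when every configured nameserver is on loopback.
dns_is_torified() {
    [ -z "$(leaking_nameservers "$1")" ]
}

# Constructed sample resolv.conf contents, used by the self-test below.
SAFE_RESOLV='nameserver 127.0.0.1'
LEAKY_RESOLV='# Generated by NetworkManager
nameserver 127.0.0.1
nameserver 192.168.1.1'

if [ "${1:-}" = "--self-test" ]; then
    dns_is_torified "$SAFE_RESOLV" && echo "sample 1: loopback only, ok"
    dns_is_torified "$LEAKY_RESOLV" || echo "sample 2: leaks via $(leaking_nameservers "$LEAKY_RESOLV")"
elif [ -r /etc/resolv.conf ]; then
    if dns_is_torified "$(cat /etc/resolv.conf)"; then
        echo "DNS goes to loopback only"
    else
        echo "DNS LEAK: $(leaking_nameservers "$(cat /etc/resolv.conf)" | tr '\n' ' ')"
    fi
fi
```

Run it with --self-test to see both samples, or without arguments to check the live /etc/resolv.conf. A loopback nameserver is necessary but not sufficient: NetworkManager's dnsmasq stub at 127.0.1.1 also lives on loopback yet forwards to the ISP, so confirm that whatever listens there is actually Tor's DNSPort.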

I thought those five restrictions were all there was to using Tor. When I saw Chloe's research, I realised there is one more: do not log in to any website over Tor. According to the research, some exit nodes sniff traffic, including exit nodes that have been running long enough to be granted the "Guard" flag in the Tor network.

In my opinion, HTTPS is not safe for browsing via Tor either when the exit node is bad. Chloe's project, BADONIONS - Honeypot the Honeypot, can find exit nodes that sniff traffic. I am waiting for the final result of the project and hope Chloe will release the list of bad exit nodes to the public.

That's all! See you.


Monday, June 22, 2015

HOWTO : Flush IP Addresses From Network Interfaces On Ubuntu 14.04.2 LTS Server

I am running Croissants - Intrusion Detection and Prevention System on Ubuntu 14.04.2 LTS Server. A recent Ubuntu update broke the networking setup: interfaces that are configured without an IP address now pick one up anyway, even when they are in promiscuous mode. That hurts Croissants' performance, because more than one interface on the same system then holds an address in the same subnet. After some trial and error, the workaround is as follows.

sudo nano /etc/network/flush-ip

#!/bin/sh
ip addr flush dev p2p1
ip addr flush dev p4p1
ip -6 addr flush dev p2p1
ip -6 addr flush dev p4p1


* where p2p1 and p4p1 are the incoming and outgoing interfaces for Croissants

sudo chmod +x /etc/network/flush-ip

Create a cron job that flushes the IPv4 and IPv6 addresses every 5 minutes :

sudo crontab -e

Append the following line to the file :

*/5 * * * * /etc/network/flush-ip

To double check the cron job entry :

sudo crontab -l

Afterwards, "ip addr show p2p1" and "ip addr show p4p1" should list no inet or inet6 line at all: the IPv4 and IPv6 addresses of both interfaces have been removed.
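The flush-ip script above fires blindly and never tells you whether it worked. The following is an added example, not the page's own script: it flushes both address families from each sniffing interface, keeps the link up in promiscuous mode, and then reads the interface back and fails loudly if an address is still there (for instance because a DHCP client re-added one). The interface names p2p1 and p4p1 come from the page; the sample "ip -o addr" output is constructed for the self-test.

```shell
#!/bin/sh
# Added example, not the flush-ip script from the page. Flush every address
# from the sniffing interfaces and verify the result. Must run as root.
# Override the interface list with SNIFF_IFACES="eth1 eth2" if yours differ.

SNIFF_IFACES="${SNIFF_IFACES:-p2p1 p4p1}"

# Print the addresses present in `ip -o addr show dev X` output passed as $1.
# Each -o line looks like "2: p2p1    inet 192.168.1.5/24 brd ...": field 3 is
# the address family and field 4 the address. Empty output means clean.
remaining_addrs() {
    printf '%s\n' "$1" | awk '$3 == "inet" || $3 == "inet6" { print $4 }'
}

# Flush one interface; return 1 if it does not exist or an address survived.
flush_iface() {
    dev="$1"
    if ! ip link show dev "$dev" >/dev/null 2>&1; then
        echo "$dev: no such interface" >&2
        return 1
    fi
    # Bring the link up before flushing: a later link-up event would
    # re-create the IPv6 link-local address we are about to remove.
    ip link set dev "$dev" up promisc on
    ip addr flush dev "$dev"
    ip -6 addr flush dev "$dev"
    left=$(remaining_addrs "$(ip -o addr show dev "$dev")")
    if [ -n "$left" ]; then
        echo "$dev still has: $(printf '%s' "$left" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample of `ip -o addr show dev p2p1` output for the self-test.
SAMPLE_ADDR_OUTPUT='2: p2p1    inet 192.168.1.5/24 brd 192.168.1.255 scope global p2p1\       valid_lft forever preferred_lft forever
2: p2p1    inet6 fe80::21b:21ff:fe5c:1/64 scope link \       valid_lft forever preferred_lft forever'

if [ "${1:-}" = "--run" ]; then
    status=0
    for dev in $SNIFF_IFACES; do
        flush_iface "$dev" || status=1
    done
    exit "$status"
fi
```

Saved as /etc/network/flush-ip, the cron line becomes "*/5 * * * * /etc/network/flush-ip --run", and cron will mail you the "still has" line whenever a flush did not stick. If an address keeps coming back, the cleaner fix is to stop the DHCP client from touching those interfaces at all: give each one an "iface p2p1 inet manual" stanza in /etc/network/interfaces and bring it up with "ip link set dev p2p1 up promisc on" from an "up" line there.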

That's all! See you.

Saturday, June 20, 2015

HOWTO : Fix Device Not Managed on Kali Linux 1.1.0a

When Kali cannot reach the internet after each boot in VirtualBox, when the network interface shows as "Device Not Managed", or when you cannot connect to a PPTP VPN or similar, you can :

cp /etc/network/interfaces /etc/network/interfaces-original

nano /etc/network/interfaces

Make it look like the following, with only the loopback interface :

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback


Then reboot Kali or restart networking :

service networking restart

This works because NetworkManager on Kali runs with managed=false (the Debian default in /etc/NetworkManager/NetworkManager.conf) and leaves alone any interface that has its own stanza in /etc/network/interfaces. Once only the loopback stanza remains, NetworkManager takes the interface over, the "Device Not Managed" label disappears, and its VPN plug-ins such as PPTP can use it.

That's all! See you.

Monday, June 15, 2015

REVIEW : Shield - Intrusion Prevention System for Home Users






What is Shield?

Shield is a very small device that protects your home or small business network from attack by malicious hackers: viruses, scams, phishing, website and browser exploits, and operating system and application exploits. Shield inspects both incoming and outgoing traffic. Because outgoing traffic is filtered as well, a system that was compromised before Shield was installed can no longer be controlled or accessed by the attacker once Shield is in place, as long as that traffic matches a rule. Shield also protects your systems from vulnerability scanning, which is excellent for stopping attacks before they start.

Shield acts either as an Intrusion Prevention System (IPS) or as a Unified Threat Management (UTM) system. As an IPS, its core engine is Suricata (an intrusion detection and prevention system); this is the simplest way to deploy the device, and its throughput is rated at more than 1 Gbps. As a UTM, its core engine is Snort, and this mode adds many features, such as web content filtering, anti-virus, VPN and QoS, at the cost of lower throughput.

Suricata and Snort both run the Emerging Threats Open rules, which cover malicious IP addresses, virus signatures, exploit signatures, attack signatures and scanner signatures. According to the Suricata developers, Suricata's maximum throughput is more than 30 Gbps.

Shield includes a free lifetime subscription to automatic security updates, so it stays current against the latest threats. There is no user-count limit on the device. It is designed for general users with no professional training in information security and is very easy to set up and use: plug, play and forget!

Business or DIY

Some UTM and IDS/IPS appliances are on the market, but they are built for businesses and their prices are not reasonable for home or small business users: over $1,000 USD. Their power consumption is also higher than Shield's 10 W to 15 W. Commercial UTM and IDS/IPS products impose user-count limits and charge annual subscriptions for rules and services.

Alternatively, you can build a UTM with Untangle, or a Suricata- or Snort-based IDS/IPS, without paying for software. However, the hardware will certainly cost more than Shield: for example, this motherboard costs about $399.99 USD, and you still need a hard drive, memory and a case. Such hardware draws between 35 W and 80 W. Shield costs around $300 USD.

Recommended Setup

We suggest plugging Shield in Bridge Mode between your modem (if any) or ISP connection and your wired or wireless router, for the best performance and protection.

If you have no router, or a slower internet connection and an intranet running below 1 Gbps, Router Mode can be used instead. Both Bridge and Router Mode are very simple to set up. No skill is required, believe me.

IPS (Bridge Mode)



UTM (Router Mode)




Technical Specifications
- 2 x 1.0 GHz MIPS64 CPU
- 1 GB DDR3 RAM
- 4 GB eMMC
- 3 x 1 Gbps Ethernet
- 1 x RJ45 Serial console port
- 5 x 3.5 x 1 inches
- between 10W and 15W power consumption


Features

Router Mode and Gateway Mode (UTM)
- Snort Engine
- Emerging Threats Rules
- Intrusion Prevention
- Network Anti-Virus
- NAT Firewall
- Content Filtering
- Web Proxying
- Dynamic DNS
- SSLVPN
- Quality of Service
- Graphical Web User Interface
- Realtime Traffic Monitor
- Realtime Connection Monitor
- Advanced and Basic Mode
- 10 Mbps throughput
- Plus More!

Bridge Mode (IPS)
- Suricata Engine
- Emerging Threats Rules
- Intrusion Prevention
- Graphical Web User Interface
- Realtime Traffic Monitor
- Realtime Connection Monitor
- Advanced and Basic Mode
- 40 Mbps throughput

Conclusion

Shield is well designed and performs no worse than similar devices on the market, while its price is very competitive. It is the first IDS/IPS/UTM aimed at home users and small businesses. As a Shield beta tester and the developer of Croissants, I am fully satisfied with its performance, price, size and power consumption. It really is "Plug, Play and Forget!". Recommended!

That's all! See you.

Review in Chinese version

Friday, June 12, 2015

HOWTO : VirtualBox Headless with PHPVirtualBox

VirtualBox is a hypervisor that runs on desktops and servers. It can run as a server (headless mode) with PHPVirtualBox as the web front end. PHPVirtualBox runs flawlessly under Apache, but I want it to run under Hiawatha. Headless mode needs no database.

Part A - Hardware

Motherboard : ASRock Rack C2750D4I server board
CPU : Intel Atom C2750
RAM : 4 x 8GB (32GB) DDR3-1600
Hard Drive : 2 x Western Digital 4TB WD4000F9YZ

The Western Digital 4TB WD4000F9YZ is not on ASRock's certified list, so the board cannot boot from it on the SATA3 ports; the SATA2 ports are used instead.

The performance of the C2750 is similar to a Xeon E3-1220L; see the comparison page here.

The power consumption of this setup is between 30W to 80W.

Make sure you have enabled "Virtualization" (VT-x) in the BIOS.

Part B - Software

Operating System : Ubuntu Server 14.04.2 LTS
Virtual Machine : VirtualBox 4.3.28
Front End : PHPVirtualBox 4.3-3
Web Server : Hiawatha
RAID : Software RAID 1

Part C - Installation

Part C.1 - Operating System and Software RAID 1 Installation

RAID 1 needs two hard drives. During the Ubuntu Server 14.04.2 LTS installation you are asked to partition the disks. Choose automatic partitioning for each drive, which gives (1) 1 MB for "biosgrub"; (2) free space for the root file system; and (3) free space for swap.

Then select "Configure Software RAID" and build a RAID 1 from the root partitions and another from the swap partitions. Do not put the "biosgrub" partitions in a RAID. Mount the root RAID at "/" as an "Ext4 journaling file system" and use the swap RAID as "swap".

Finally, you should select to install "OpenSSH" when asked.

After the installation, your box can be booted up as expected. You can check the status of Software RAID 1 by the following commands :

cat /proc/mdstat

mdadm --detail /dev/md0
mdadm --detail /dev/md1
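A mirror is only useful if you notice when it loses a disk. The script below is an added example, not something from the post: it parses /proc/mdstat text (passed in as an argument so it can be run against saved copies) and reports each md array as "ok" or "degraded". In mdstat the bracket after the member count has one letter per disk, "U" for up and "_" for missing or failed, so "[U_]" means one half of the mirror is gone. The two mdstat samples are constructed to match the md0/md1 layout created above.

```shell
#!/bin/sh
# Added example, not from the page: health check for the software RAID 1.
# Reads /proc/mdstat text from $1 and prints "<array> ok|degraded" per array.

mdstat_status() {
    printf '%s\n' "$1" | awk '
        /^md[0-9]+ :/ { name = $1; next }
        name != "" && match($0, /\[[U_]+\]/) {
            # strip the surrounding brackets, leaving one letter per member
            state = substr($0, RSTART + 1, RLENGTH - 2)
            print name, (index(state, "_") ? "degraded" : "ok")
            name = ""
        }'
}

# Succeed only when no array is degraded.
raid_healthy() {
    ! mdstat_status "$1" | grep -q degraded
}

# Constructed /proc/mdstat samples for the self-test.
SAMPLE_MDSTAT_OK='Personalities : [raid1]
md1 : active raid1 sda3[0] sdb3[1]
      3906250752 blocks super 1.2 [2/2] [UU]

md0 : active raid1 sda2[0] sdb2[1]
      3903488 blocks super 1.2 [2/2] [UU]

unused devices: <none>'

SAMPLE_MDSTAT_DEGRADED='Personalities : [raid1]
md1 : active raid1 sda3[0] sdb3[1]
      3906250752 blocks super 1.2 [2/2] [UU]

md0 : active raid1 sda2[0]
      3903488 blocks super 1.2 [2/1] [U_]

unused devices: <none>'

if [ "${1:-}" = "--self-test" ]; then
    mdstat_status "$SAMPLE_MDSTAT_DEGRADED"
elif [ -r /proc/mdstat ]; then
    mdstat_status "$(cat /proc/mdstat)"
    raid_healthy "$(cat /proc/mdstat)" || echo "WARNING: a mirror is degraded" >&2
fi
```

Drop it into cron alongside the mdadm monitor daemon rather than instead of it: mdadm --monitor can mail you on failure events, while this check gives you a one-line state you can grep from a remote shell.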


Make sure to change /etc/network/interfaces :

Add "allow-hotplug p119p1" just below "auto p119p1".

Part C.2 - VirtualBox Installation

After the Ubuntu Server 14.04.2 LTS is installed, you can install VirtualBox on it.

sudo nano /etc/apt/sources.list.d/vbox.list

Append the following line to it :

deb http://download.virtualbox.org/virtualbox/debian trusty contrib

Save it.

wget -q https://www.virtualbox.org/download/oracle_vbox.asc -O- | sudo apt-key add -

sudo apt-get update
sudo apt-get install dkms unzip
sudo apt-get install virtualbox-4.3


wget http://download.virtualbox.org/virtualbox/4.3.28/Oracle_VM_VirtualBox_Extension_Pack-4.3.28-100309.vbox-extpack

sudo VBoxManage extpack install Oracle_VM_VirtualBox_Extension_Pack-4.3.28-100309.vbox-extpack

To uninstall Extension Pack :

sudo VBoxManage extpack uninstall "Oracle VM VirtualBox Extension Pack"

Part C.3 - Hiawatha Web Server Installation

sudo apt-get install php5-cgi php5 php5-cli php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-xcache apache2-utils php5-fpm

sudo apt-get install libc6-dev libssl-dev dpkg-dev debhelper fakeroot libxml2-dev libxslt1-dev

wget http://www.cmake.org/files/v3.2/cmake-3.2.3.tar.gz
tar -xvzf cmake-3.2.3.tar.gz
cd cmake-3.2.3
./configure
make
sudo make install


wget http://www.hiawatha-webserver.org/files/hiawatha-9.13.tar.gz
tar -xzvf hiawatha-9.13.tar.gz
cd hiawatha-9.13/extra
./make_debian_package
cd ..
sudo dpkg -i hiawatha_9.13_amd64.deb


sudo nano /etc/php5/fpm/php.ini

Set the following values :

zlib.output_compression = On
zlib.output_compression_level = 6


Append the following pool settings to php-fpm.conf. On Ubuntu 14.04 the stock [www] pool lives in /etc/php5/fpm/pool.d/www.conf, and the values below override it; you can just as well edit that file instead.

sudo nano /etc/php5/fpm/php-fpm.conf

[www]
user = www-data
group = www-data
listen = /var/run/php5-fpm.sock
; Hiawatha connects to the socket as www-data (ServerId = www-data, the
; Debian package default), so only that user and group need access.
; listen.mode = 0666 would let every local account feed PHP requests
; to the pool; 0660 with an explicit owner and group closes that.
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = static
pm.max_children = 100
chdir = /


sudo nano /etc/hiawatha/hiawatha.conf



sudo mkdir /etc/hiawatha/enable-sites
sudo mkdir /etc/hiawatha/disable-sites


sudo nano /etc/hiawatha/enable-sites/vbox.local



Make sure to change the "Hostname" to your IP address.
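The contents of hiawatha.conf and enable-sites/vbox.local are not reproduced above. What follows is an added example of a minimal pair that serves PHPVirtualBox through the php5-fpm socket configured earlier; it is not the post's own configuration. The directive names (Binding, FastCGIserver, VirtualHost, UseFastCGI, Include, AccessList) are as documented in the Hiawatha 9 manual, and should be checked against man hiawatha on your build; 192.168.1.120 is the post's example address, and the 192.168.1.0/24 access list is an assumption about your LAN.

```text
# Added example of /etc/hiawatha/hiawatha.conf (not the post's file)
ServerId = www-data

Binding {
    Port = 80
}

# Hand .php files to php5-fpm over the socket from the pool configuration.
FastCGIserver {
    FastCGIid = PHP
    ConnectTo = /var/run/php5-fpm.sock
    Extension = php
}

# Pull in one file per site from enable-sites/.
Include /etc/hiawatha/enable-sites/

# Added example of /etc/hiawatha/enable-sites/vbox.local (not the post's file)
VirtualHost {
    Hostname = 192.168.1.120
    WebsiteRoot = /var/www/vbox
    StartFile = index.html
    UseFastCGI = PHP
    # PHPVirtualBox gives full control of every VM over plain HTTP,
    # so only let the local LAN reach it (assumed subnet).
    AccessList = allow 192.168.1.0/24, deny all
}
```

With StartFile = index.html the later step that copies index.html to index.php is unnecessary; it is needed only if your virtual host's StartFile is index.php.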

Part C.4 - PHPVirtualBox Installation

sudo adduser --ingroup vboxusers vbox

Enter password when prompted.

wget "http://sourceforge.net/projects/phpvirtualbox/files/phpvirtualbox-4.3-3.zip/download" -O phpvirtualbox-4.3-3.zip
sudo unzip phpvirtualbox-4.3-3.zip -d /var/www/
sudo mv /var/www/phpvirtualbox-4.3-3 /var/www/vbox
cd /var/www/vbox
sudo cp config.php-example config.php
sudo nano config.php


Change "$username" to "vbox" and "$password" to the password you just entered.

Change "$consoleHost" to your IP address, such as "192.168.1.120"

Uncomment (remove the "#" at the front of) "$enableAdvancedConfig = true;" and "$startStopConfig = true;"

sudo nano /etc/default/virtualbox

Append the following line :

VBOXWEB_USER=vbox

sudo cp /var/www/vbox/vboxinit /etc/init.d/vboxinit
sudo update-rc.d vboxinit defaults


sudo /etc/init.d/vboxweb-service start

Now, you can browse to http://[your-server-ip]/index.html, e.g. http://192.168.1.120/index.html.

Log in with "admin" as the username and "admin" as the password. Change that default password from PHPVirtualBox's own menu before anyone else can reach the server: the interface gives full control over every VM and, in this setup, runs over plain HTTP, so keep it on a trusted network.

You can copy ISO files to the server with scp, for example into /home/samiux/iso.

Make sure "Guest Additions" are installed in all desktop guests. The built-in console in PHPVirtualBox is an RDP client that needs Flash in your browser and the VRDP server from the Extension Pack installed above.



If you want to browse to http://[your-server-ip]/ without the file name, you need to do the following :

sudo cp /var/www/vbox/index.html /var/www/vbox/index.php

If the network interface is occasionally not detected at boot, you can :

sudo cp /etc/network/interfaces /etc/network/interfaces-original

sudo nano /etc/network/interfaces


Make sure the file contains only these interfaces :

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto p119p1
allow-hotplug p119p1
iface p119p1 inet dhcp



That's all! See you.