Hack Netgear WG602 access point to run dd-wrt
We have two access points, both Netgear WG602EE v4. According to a review of the device, it has a limit of 20 simultaneous sessions, so I started looking for some way of breaking that limit. (Yes, we did have problems like this.)
Fortunately, these devices are on the list of those able to run dd-wrt. But how to hack them?
The steps:
- download the version for Netgear from the dd-wrt page
- install tftp (I use Ubuntu, so apt-get install tftp)
- add an IP address from 192.168.0.1/24 to your existing addresses, and one from 192.168.1.1/24. The first is needed because the access point's default address is 192.168.0.227, the second because dd-wrt's default is 192.168.1.1. These are always the defaults.
- start the tftp session and enter the following (best done in the directory where you downloaded the dd-wrt binary). Do not press Enter at the end of the last line, just type it and leave it there!
tftp 192.168.0.227
verbose
trace
put dd-wrt.v24_micro_generic.bin image.idts334
tftp only sends/receives data when put or get is entered, so you can open the session even though the other IP does not exist yet.
- on the device, press the reset button and hold it for at least 10 seconds, then pull the power cord. Insert the power cord back while still holding the reset button and hold it for 5 seconds more.
- 1 second after that, press Enter at the tftp session. Attention! From this point there is no way back, because no original firmware is available from Netgear.
- you should see a lot of send/receive messages.
- if the transmission was correct, you should be able to log in to dd-wrt at the address 192.168.1.1
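Because the flash above is one-way (no original firmware to fall back to), a practitioner would want to confirm the image is the one published before issuing the put. The script below is an added example, not part of the original post or of the dd-wrt project: it gates the tftp session on a SHA-256 match against the checksum you take from the dd-wrt download page. The interface name, the helper addresses 192.168.0.10 and 192.168.1.10, and the expected checksum are assumptions to fill in; the device address, file names and tftp commands are the ones the post gives.

```shell
#!/bin/sh
# Added example: pre-flight integrity check before the one-way tftp flash.
# Assumed: sha256sum, ip and tftp are installed; IFACE is the interface cabled to the AP.
IFACE=eth0                        # assumed interface name
AP_ADDR=192.168.0.227             # Netgear default address (from the post)
IMAGE=dd-wrt.v24_micro_generic.bin
REMOTE_NAME=image.idts334         # remote name the bootloader expects (from the post)

# verify_image FILE EXPECTED_SHA256: succeed only if FILE exists and its SHA-256 matches
verify_image() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# tftp_commands LOCALFILE REMOTENAME: the command script the post has you type by hand
tftp_commands() {
    printf 'verbose\ntrace\nput %s %s\n' "$1" "$2"
}

# flash_ap EXPECTED_SHA256: refuse to flash on a checksum mismatch; otherwise add the two
# helper addresses and open the tftp session. Start it at the moment the post describes
# (right after power returns with the reset button held), because the put is sent as soon
# as tftp reads its input.
flash_ap() {
    if ! verify_image "$IMAGE" "$1"; then
        echo "checksum mismatch for $IMAGE, not flashing" >&2
        return 1
    fi
    sudo ip addr add 192.168.0.10/24 dev "$IFACE"   # reach the AP's default address
    sudo ip addr add 192.168.1.10/24 dev "$IFACE"   # reach dd-wrt afterwards
    tftp_commands "$IMAGE" "$REMOTE_NAME" | tftp "$AP_ADDR"
}

# usage: flash_ap <expected SHA-256 from the dd-wrt download page>
```

The check is deliberately a hard stop rather than a warning: a truncated or tampered download is exactly the case where a retry is no longer possible.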
VMWare ESXi and promiscuous mode
The problem: I had a XenServer guest serving as our gateway, and I needed to convert it to VMware. The only error was that no bridged network worked: the gateway saw both networks, but they could not communicate with each other.
After searching for a while, I found the keyword: promiscuous mode. But where can I enable it in VMware ESXi 4.1?
The solution: select the host server from the list on the left, go to the Configuration tab, look for the Virtual Switch and click Properties on it.
You'll then see the networks configured on the virtual switch. Select one network, click Edit at the bottom and choose the Security tab; you'll find Promiscuous Mode there. The setting is per network (port group), so it can be limited to the one the gateway is attached to.
SSL status check problems with Pound and apache
We have a high-availability system with the following architecture:
- the main gate: HAProxy on port 80 on the public interface
- all web servers: nginx on port 80; if the content is not static (regex list), it is
- proxied to localhost, port 81, to apache2
But this architecture cannot be used for SSL connections, so on port 443 Pound listens on the HA cluster and forwards every connection to HAProxy without SSL.
The problem is that when a request arrives at one of the Apache servers, I cannot force an SSL connection there with the usual HTTPS check, because Apache never sees HTTPS itself and the redirect slips into an endless loop.
The solution is:
- add a special HTTP header with Pound
- instead of the HTTPS check in Apache, check this header
pound.conf:
######################################################################
## global options:
User "www-data"
Group "www-data"
LogLevel 0
Alive 2
Control "/var/run/poundctl.socket"
######################################################################
ListenHTTPS
    Address [IP]
    Port 443
    Cert "/etc/pound/[cert].pem"
    AddHeader "XHTTPS: on"
    Service
        Backend
            Address [IP]
            Port 80
        End
    End
End
The check in Apache (inside the VirtualHost):
RewriteCond %{HTTP:XHTTPS} !on
RewriteRule ^(.*) https://[domain]/$1 [R,L]
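With this rule Apache trusts the XHTTPS header from whoever sends it, so a plain-HTTP request that arrives at the port-80 front end already carrying "XHTTPS: on" would skip the redirect unless the front end strips the header. The script below is an added example, not part of the original post or of Pound; it checks that property from the outside by comparing the response to a plain request with the response to one that carries the header. It assumes curl is installed and that HOST is the public name or address of the HAProxy front end.

```shell
#!/bin/sh
# Added example: verify that the HTTPS redirect cannot be skipped with a client-supplied
# XHTTPS header. Assumed: curl is installed; HOST is the port-80 front end.

# http_status HOST [EXTRA_CURL_ARGS...]: status code of GET http://HOST/ (redirects not followed)
http_status() {
    host=$1; shift
    curl -s -o /dev/null -w '%{http_code}' "$@" "http://$host/"
}

# classify PLAIN_CODE FORGED_CODE:
#   "ok"          both the plain and the forged-header request are redirected
#   "bypass"      the forged-header request is served directly (header is trusted from clients)
#   "no-redirect" even the plain request is not redirected (rewrite rule not active)
classify() {
    case "$1" in
        301|302|307|308) ;;
        *) echo no-redirect; return 1 ;;
    esac
    case "$2" in
        301|302|307|308) echo ok; return 0 ;;
        *) echo bypass; return 1 ;;
    esac
}

# check_xhttps_bypass HOST: run both requests and classify the outcome
check_xhttps_bypass() {
    plain=$(http_status "$1")
    forged=$(http_status "$1" -H 'XHTTPS: on')
    classify "$plain" "$forged"
}

# usage: check_xhttps_bypass www.example.com
```

If the result is "bypass", remove the header from requests reaching HAProxy on port 80 before they are forwarded (except those coming from Pound), so that only Pound can set it; recent HAProxy versions offer http-request del-header for this, and the same idea applies at nginx with proxy_set_header on the path to Apache.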
Leaving the beloved GD and moving towards Imagick
PHP has a mostly undocumented part, php5-imagick. It is available in Ubuntu from Hardy on, so I thought it was worth taking a look at. The introduction says that “Imagick is a native php extension to create and modify images using the ImageMagick API”.
I started working with PHP a long time ago, so I started image manipulation with GD because it was the easiest native way. But as times changed, I needed a lot of additional scripts, like unsharp_mask for better resizing, PEL to keep EXIF data, and so on. This was sloooooow.
The Imagick extension is a lot different. First, it works on the opened image: no need for a second copy, for example when resizing. Second, it keeps meta information by default.
I looked into some comparisons and tutorials, and I found that even if Imagick is a little bit slower, for image manipulation it is a lot more useful than GD.
Installing PHP 5.3 on Ubuntu 9.10 Karmic Koala
In production we use Ubuntu 9.10 because we need the newer kernel. Now we also need PHP 5.3 because of Symfony, so I started searching.
I found a post on the JMOZ blog about installing PHP 5.3 from dotdeb packages, but when I tried it I received some more errors beyond the libicu38 one mentioned in the post, so I decided to write them down.
The needed additional apt sources:
# for PHP 5.3
deb http://php53.dotdeb.org stable all
deb-src http://php53.dotdeb.org stable all
# for libicu38
deb http://security.ubuntu.com/ubuntu jaunty-security main
deb-src http://security.ubuntu.com/ubuntu jaunty-security main
# for libltdl3
deb http://archive.ubuntu.com/ubuntu hardy main
deb-src http://archive.ubuntu.com/ubuntu hardy main
deb http://archive.ubuntu.com/ubuntu hardy-updates main
deb-src http://archive.ubuntu.com/ubuntu hardy-updates main
A usable theme for Ubuntu Desktop: Shiki
I never liked Ubuntu's Humanity theme, the New Wave theme in 9.10 crashes some applications like F-Spot, and both are brown. Now Lucid is about to make purple (sic!) its default colour, so that's not for me either.
When I used to work with Windows XP, I used a theme named NeogenX by a deviantART publisher, dobee, and I simply loved it. So I wanted to find something similar for Ubuntu.
I searched through deviantART's customization section for this and found nothing. Fortunately, I came across Ubuntu Tweak, a kind of system management software for Ubuntu. It has a list of third-party PPA repositories, and there was a theme repository named gnome-colors. Inside it there's a pack, shiki-colors.
This is exactly what I was looking for.
Changing postfix’s incoming smtp port
This is one of the simplest tasks, yet I had to Google around for hours: change the incoming port of Postfix's SMTP service without iptables prerouting.
Open /etc/postfix/master.cf and search for the following line (usually the first uncommented line):
smtp inet n - - - - smtpd
To change the port, simply write the port number instead of smtp at the beginning of the line.
For example:
2525 inet n - - - - smtpd
Restart Postfix
/etc/init.d/postfix restart
and the system can now accept messages on the new port (if you still want port 25 as well, keep the original smtp line and add the new one as a second line). Don't forget to open the port on your firewall, if you have one!
Changing to policyd-weight from postfix’s built-in reject_rbl_client
Last week my own server, hosting some sites for old and relatively close clients, was hijacked and got listed on some RBL lists.
Using apache2-mpm-itk it was quite easy to trace it back, because the spam-sending process was running with a user's id, not with plain www-data. Someone managed to log in with an FTP account, placed some scripts in the www directory and started them from a web request. The real beauty was that the script removed itself after loading. It also sent the mails from the domain's default name, so unfortunately it wasn't forged, and a lot of lists added my IP.
With the help of mxtoolbox.com, a site for monitoring mail servers, a lot of hours and at least 10 apologizing mails, I managed to get myself removed. This reminded me that I use the same method: RBL blocking right inside Postfix's main.cf.
So if anyone got listed on one of the lists I use, I reject their mail just like it happened to me. I clearly feel now that this is not the right approach. So I looked for some kind of weighted possibility, like SpamAssassin for spam, and I met policyd-weight. It is the perfect tool I was looking for, and best of all, Ubuntu has it as a package.
# apt-get install policyd-weight
The only thing: it does not provide a default config file, you need to create it with a built-in feature:
# policyd-weight defaults > /etc/policyd-weight.conf
You also need to add it to Postfix's main.cf, right into smtpd_recipient_restrictions:
# check_policy_service inet:127.0.0.1:12525,
You can also remove every RBL entry from here after this is enabled.
Reload postfix
# /etc/init.d/postfix reload
and your system is ready to use policyd-weight, a lot more sophisticated solution for RBL listings than Postfix's built-in one.
To see more, visit the Ubuntu manpage of policyd-weight, or the project's website.
Quick installing eBox 1.2 with managesieve and custom spam filtering under Ubuntu 8.04
The eBox platform is a Perl-based web administration console for a Linux small business server. When you own one or not too many servers, and have no dedicated Linux sysadmins for the tasks, eBox is a free alternative to the Microsoft solution.
You can read a lot more about it in its forum, on its site or on Wikipedia.
Although eBox has its own distribution, I wanted to get it working on Ubuntu 8.04, but the version in the repo is only 1.0, and I really needed 1.2. Fortunately, eBox has a PPA, so it can be added to Hardy. Open /etc/apt/sources.list with your favourite editor (mcedit, vim, emacs, etc.) and add the following lines:
deb http://ppa.launchpad.net/ebox/1.2/ubuntu hardy main
deb-src http://ppa.launchpad.net/ebox/1.2/ubuntu hardy main
You'll also need an apt key for this to work:
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 342D17AC
There's another PPA, published by Molnár Károly, a fellow Hungarian. It's very important to put it at the beginning of the file, before the standard Ubuntu entries! That is because the version apt installs is the first one on the list.
deb http://ppa.launchpad.net/karoly-molnar/dovecot-managesieve/ubuntu hardy main
deb-src http://ppa.launchpad.net/karoly-molnar/dovecot-managesieve/ubuntu hardy main
and the key:
# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B498A2C
We’re going to need this for Dovecot with Sieve, read on.
Update the repos,
apt-get update
and eBox is ready for install.
I didn’t need everything, so I just gave the following command:
# apt-get install ebox-antivirus ebox-firewall ebox-mail ebox-network ebox-objects ebox-services ebox-usersandgroups
This is going to install a lot of software, so be patient and have enough bandwidth. After that, you can access your eBox platform at https://[your ip].
I didn't install ebox-mailfilter for a reason. First of all, I don't really like amavisd, and second, it is going to fail and the whole mail system will stop because of an error in the eBox stub naming related to amavisd: amavisd does not read /etc/amavisd/amavisd.conf as its config file. If you rename it, it will work, but eBox keeps renaming it back.
So I looked for something else as a solution. I needed to:
- install spamassassin
- add clamav plugin to it
- get a version of Dovecot with the Sieve patch for local delivery
- change the eBox settings to use all of this.
We already added Károly Molnár's Dovecot with Sieve and a security patch, so Dovecot with Managesieve is installed. The next thing is SpamAssassin and its ClamAV plugin.
# apt-get install spamassassin spamc
# cpan
CPAN will ask some questions at first run; just hit Enter, usually that's enough. When the prompt is ready, install
cpan> install File::Scan::ClamAV
cpan> exit
When it is complete, save the two files (clamav.cf, clamav.pm) from http://wiki.apache.org/spamassassin/ClamAVPlugin into /etc/mail/spamassassin
Now nearly everything is complete; the last step is to modify the stubs of eBox. This is not the best solution, since an update could overwrite all changes; the perfect solution would be to place regex-patterned scripts into /etc/ebox/, but that was too much for my taste.
So I opened the configuration templates from /usr/share/ebox/stubs/mail/ and modified what I needed.
# mcedit /usr/share/ebox/stubs/mail/dovecot.conf.mas
Find the line starting with protocols = and add managesieve after the %>.
Managesieve listens on port 2000; you'll have to open this in the eBox firewall.
After protocol pop3, add the following:
##
## MANAGESIEVE specific settings
##
protocol managesieve {
# Login executable location.
login_executable = /usr/lib/dovecot/managesieve-login
# MANAGESIEVE executable location. See IMAP's mail_executable above for
# examples how this could be changed.
mail_executable = /usr/lib/dovecot/managesieve
# Maximum MANAGESIEVE command line length in bytes. This setting is
# directly borrowed from IMAP. But, since long command lines are very
# unlikely with MANAGESIEVE, changing this will not be very useful.
#managesieve_max_line_length = 65536
# Specifies the location of the symlink pointing to the active script in
# the sieve storage directory. This must match the SIEVE setting used by
# deliver (refer to http://wiki.dovecot.org/LDA/Sieve#location for more
# info). Variable substitution with % is recognized.
sieve=~/.dovecot.sieve
# This specifies the path to the directory where the uploaded scripts must
# be stored. In terms of '%' variable substitution it is identical to
# dovecot's mail_location setting used by the mail protocol daemons.
sieve_storage=~/sieve
# If, for some inobvious reason, the sieve_storage remains unset, the
# managesieve daemon uses the specification of the mail_location to find out
# where to store the sieve files (see explaination in README.managesieve).
# The example below, when uncommented, overrides any global mail_location
# specification and stores all the scripts in '~/mail/sieve' if sieve_storage
# is unset. However, you should always use the sieve_storage setting.
# mail_location = mbox:~/mail
# To fool managesieve clients that are focused on timesieved you can
# specify the IMPLEMENTATION capability that the dovecot reports to clients
# (default: dovecot).
#managesieve_implementation_string = Cyrus timsieved v2.2.13
}
##
## LDA specific settings
##
protocol lda {
# Address to use when sending rejection mails.
# postmaster_address = mail@domain
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot.log
# Hostname to use in various parts of sent mails, eg. in Message-Id.
# Default is the system's real hostname.
#hostname =
# Support for dynamically loadable plugins. mail_plugins is a space separated
# list of plugins to load.
#mail_plugins =
#mail_plugin_dir = /usr/lib/dovecot/modules/lda
# Binary to use for sending mails.
#sendmail_path = /usr/lib/sendmail
# UNIX socket path to master authentication server to find users.
#auth_socket_path = /var/run/dovecot/auth-master
# Enabling Sieve plugin for server-side mail filtering
mail_plugins = cmusieve
}
And in the plugin {} part insert
# sieve
sieve_global_path = [your path]
The given path should be writable by Dovecot.
Save the file, and open the next one:
# mcedit /usr/share/ebox/stubs/mail/main.cf.mas
Find the lines
virtual_transport = virtual
mailbox_transport = virtual
and replace virtual with dovecot, so they look like this:
virtual_transport = dovecot
mailbox_transport = dovecot
Save the file, and open the next:
# mcedit /usr/share/ebox/stubs/mail/master.cf.mas
Search for the line:
dovecot unix - n n - - pipe
and add this after it, as an indented continuation line:
  flags=DRhu user=ebox:ebox argv=/usr/bin/spamc -e /usr/lib/dovecot/deliver -d ${recipient} -f ${sender}
If there's something similar there already, replace it with this.
The system is now ready to use.
What we've done: the mail is received by Postfix, then handed to SpamAssassin (and ClamAV, through the plugin), which adds the X-Spam and X-Spam-Virus headers, and then Dovecot's Local Delivery Agent delivers it to the user's maildir.
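The post notes that an eBox update can overwrite the hand-edited stubs, and that a scripted edit would be the cleaner fix. The functions below are an added example, not part of the original post or of eBox: they apply the same three stub edits (managesieve in the protocols line, virtual to dovecot for both transports, and the spamc continuation line after the dovecot pipe entry) with sed and awk, and each edit is idempotent so the script can simply be re-run after an upgrade. Assumed: the stub file names used in the post, and that the protocols line in dovecot.conf.mas ends with the Mason tag the post refers to, so appending at the end of that line places managesieve after it.

```shell
#!/bin/sh
# Added example: re-applicable version of the three eBox stub edits from the post.
# Assumed: GNU sed (-i) and awk are available; STUB_DIR is the eBox mail stub directory.
STUB_DIR=${STUB_DIR:-/usr/share/ebox/stubs/mail}

# add_managesieve FILE: append " managesieve" to the "protocols = ..." line, once
add_managesieve() {
    grep -q '^protocols = .*managesieve' "$1" && return 0
    sed -i '/^protocols = /s/$/ managesieve/' "$1"
}

# use_dovecot_transport FILE: hand both transports to Dovecot's deliver instead of virtual
use_dovecot_transport() {
    sed -i -e 's/^virtual_transport = virtual$/virtual_transport = dovecot/' \
           -e 's/^mailbox_transport = virtual$/mailbox_transport = dovecot/' "$1"
}

# add_spamc_pipe FILE: insert the spamc -> deliver command (the post's own line) as the
# continuation line right after the "dovecot unix ... pipe" service entry, once
add_spamc_pipe() {
    grep -q 'argv=/usr/bin/spamc' "$1" && return 0
    awk -v cmd='  flags=DRhu user=ebox:ebox argv=/usr/bin/spamc -e /usr/lib/dovecot/deliver -d ${recipient} -f ${sender}' \
        '{ print } /^dovecot[[:space:]]+unix/ { print cmd }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# patch_stubs [DIR]: apply all three edits to the stubs in DIR (default: STUB_DIR)
patch_stubs() {
    dir=${1:-$STUB_DIR}
    add_managesieve "$dir/dovecot.conf.mas" &&
    use_dovecot_transport "$dir/main.cf.mas" &&
    add_spamc_pipe "$dir/master.cf.mas"
}

# usage: patch_stubs            (edits the live eBox stubs; back them up first)
#        patch_stubs /tmp/stubs (edits a copy)
```

Each function checks for its own marker before editing, so running patch_stubs twice leaves the files unchanged; the managesieve protocol block and the sieve_global_path setting from the post still have to be added once by hand.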
The only thing left is to create a default sieve filter, so create a file named sieve.default, save it to the [path] you gave in dovecot.conf.mas as the global sieve path, and put the following content in it:
require "fileinto";
if header :contains "X-Spam-Virus" "Yes" {
fileinto "Virus";
stop;
}
if header :contains "X-Spam-Flag" "YES" {
fileinto "Junk";
stop;
}
Enjoy.
Roundcube has a perfect plugin to configure sieve filters per user.
UPDATE:
According to the Dovecot prebuilt binaries page, all Ubuntu releases are built with managesieve, so the additional apt source can be skipped.
I tested it; it seems to be true.
Installing apache2-mpm-itk on a Virtualmin based Ubuntu 8.04
For a long time I've been a fan of Virtualmin. Stable, quite secure and really easy to use; of course, easy for a sysadmin, but it can be handy enough for those willing to learn it.
While I only hosted my friends and well-known customers, I had no intention of increasing security beyond Virtualmin's defaults.
A week ago I had to install a server for hosting old, insecure sites for not-too-friendly, utterly unknown people, so the need came for a more secure solution.
One of my colleagues advised suPHP. It was really easy to install under Virtualmin, no errors.
But suPHP was getting too slow for my taste. The other problem with it is that opcode caching (APC, eAccelerator, XCache) cannot be used with it, because it works just like CGI.
So I started to look for a solution, and luckily I came across Stuart Herbert's blog and his post about apache mpm-itk.
The solution was in my hands: Virtualmin running on Ubuntu, and itk is a package, so:
# apt-get install apache2-mpm-itk
And there came the errors:
The following packages have unmet dependencies:
apache2-mpm-itk: Depends: apache2.2-common (= 2.2.8-1ubuntu0.14) but 2.2.8-10vm is to be installed
E: Broken packages
How did that package, from outside Ubuntu, even get on my server?
I started to search for the 2.2.8-10vm package of apache, and I found it in Virtualmin's install script. It seems that because suexec is enabled by default in Virtualmin, it needs a modified suexec module for Apache that uses /home as the root for suexec.
That clearly wouldn't need a full Apache rebuild, but I think it's a lot easier than recompiling against the distro's Apache.
OK. Remove Apache.
# apt-get remove apache2.2-common
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libneon27 irb1.8 libsasl2 clamav webmin-virtualmin-awstats libmail-spf-perl clamav-freshclam awstats dovecot-imapd libdb4.6-dev libdbd-pg-perl libsocket6-perl
libsqlite3-dev rdoc ri liberror-perl libnetaddr-ip-perl clamav-base subversion postgresql-client-8.3 libclamav5 spamassassin libapr1-dev libapache-ruby1.8 libsvn1
spamc clamav-testfiles dovecot-pop3d webmin-virtualmin-mailman webmin-virtualmin-htpasswd libgmp3c2 scponly webmin-security-updates libpg-perl irb clamav-daemon
clamav-docs libnet-ip-perl libnet-dns-perl postgresql rdoc1.8 procmail-wrapper webalizer webmin-virtual-server-theme webmin-virtualmin-dav uuid-dev libgeoip1
libpq-dev postgresql-client-common libhtml-tree-perl usermin-virtual-server-theme libwww-perl libdigest-hmac-perl libversion-perl libaprutil1-dev
libreadline-ruby1.8 postgresql-common dovecot-common postgresql-8.3 webmin-virtualmin-svn libsys-hostname-long-perl ri1.8 libdigest-sha1-perl
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
apache2-mpm-prefork apache2-threaded-dev apache2.2-common libapache2-mod-fcgid libapache2-mod-php5 libapache2-mod-ruby libapache2-svn mailman virtualmin-base
0 upgraded, 0 newly installed, 9 to remove and 11 not upgraded.
After this operation, 51.8MB disk space will be freed.
Do you want to continue [Y/n]?
Oh. So if I remove Apache, I remove Virtualmin, and that's for sure something I don't want.
At last I found a solution: get the original Ubuntu package, install it (technically downgrading the current Apache), and then install mpm-itk without removing Virtualmin.
What we need:
http://packages.ubuntu.com/hardy/apache2.2-common
http://packages.ubuntu.com/hardy/apache2
These could be needed too:
http://packages.ubuntu.com/hardy/apache2-threaded-dev
http://packages.ubuntu.com/hardy/any/apache2-mpm-prefork
and if you used suPHP:
http://packages.ubuntu.com/hardy/any/apache2-mpm-worker
Get them, install them with dpkg (# dpkg -i *.deb) and install apache2-mpm-itk. Voilà.
Of course, you'll need to add the user directives to all VirtualHosts, but in Server Templates you can insert it once for all of them. For example, add this to the Virtualmin Server Templates:
<IfModule mpm_itk_module>
AssignUserId ${USER} ${USER}
</IfModule>
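The isolation mpm-itk provides only holds if every VirtualHost really carries its own AssignUserId; one site left without it runs as the server user, and one assigned to root undoes the whole point. The script below is an added example, not part of the original post or of Virtualmin: it audits the vhost files for both conditions. It assumes one vhost file per site under VHOST_DIR (the Debian sites-enabled layout is the default) and plain Apache directive syntax.

```shell
#!/bin/sh
# Added example: audit Apache vhost files for missing or root AssignUserId directives.
# Assumed: vhost files live under VHOST_DIR, one site per file.
VHOST_DIR=${VHOST_DIR:-/etc/apache2/sites-enabled}

# count_directive FILE REGEX: number of lines in FILE starting (after whitespace) with REGEX
count_directive() {
    grep -ci "^[[:space:]]*$2" "$1" || true   # grep exits 1 on zero matches; keep the "0"
}

# audit_vhost_file FILE: print one finding per problem; return 0 when the file is clean
audit_vhost_file() {
    f=$1
    rc=0
    vhosts=$(count_directive "$f" '<VirtualHost')     # "</VirtualHost>" does not match
    users=$(count_directive "$f" 'AssignUserId')
    if [ "$vhosts" -gt 0 ] && [ "$users" -lt "$vhosts" ]; then
        echo "$f: $vhosts VirtualHost block(s) but only $users AssignUserId directive(s)"
        rc=1
    fi
    # AssignUserId takes "user group"; either being root is a finding
    if grep -i '^[[:space:]]*AssignUserId' "$f" | awk '$2=="root" || $3=="root" {r=1} END {exit r?0:1}'; then
        echo "$f: AssignUserId runs a site as root"
        rc=1
    fi
    return $rc
}

# audit_vhosts [DIR]: audit every regular file in DIR; return 1 if any finding was printed
audit_vhosts() {
    dir=${1:-$VHOST_DIR}
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        audit_vhost_file "$f" || rc=1
    done
    return $rc
}

# usage: audit_vhosts                 (checks the live sites-enabled directory)
#        audit_vhosts /path/to/copies (checks a copy, e.g. from a config backup)
```

A non-zero exit makes it usable as a post-deploy check after Virtualmin creates a new site, and the counting approach also catches the case where a template change silently dropped the IfModule block.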
