Thursday, October 20, 2016

Denial of Service on detection of Intrusion event

The following iptables rules should be adequate to lower the chance that an intruder can keep trying to log in to our server. One caveat before using them: a single SYN is enough for conntrack to count a NEW connection, so forged SYNs carrying another host's source address can get that host blacklisted for 120 seconds; put an ACCEPT for your own management addresses ahead of these rules.

#!/bin/bash

### BLOCKING INTRUDERS TO OUR SSH SERVICE ####

VERBOSE=1

execandprint() {
 cmd="${1}"
 [[ $VERBOSE -eq 1 ]] && echo "$cmd"
 ${cmd}
}

# create properREJECT chain that does different rejects for tcp/udp
rjchain="properREJECT"
echo "Creating chain $rjchain in filter table..."
iptables -N $rjchain
iptables -A $rjchain -m limit --limit 2/min -j LOG --log-prefix "REJECTED: " --log-level 4
iptables -A $rjchain -p tcp -j REJECT --reject-with tcp-reset
iptables -A $rjchain -j REJECT --reject-with icmp-port-unreachable

#
blchain="blacklistdrop"
echo "Creating chain $blchain in filter table..."
iptables -N $blchain
iptables -A $blchain -m limit --limit 2/second -j LOG --log-prefix "adding to BLACKLIST: " --log-level 6
iptables -A $blchain -m recent --name BLACKLIST --set -j DROP

# block this particular offender in Shenzhen, China
iptables -A INPUT -s 221.229.172.71 -j $rjchain

#
# if the src address of the packet is in the list BLACKLIST and was seen within the last 120 seconds, drop it.
# --update also refreshes the "last seen" time, so every further packet extends the ban by another 120 seconds
# see /proc/net/xt_recent/BLACKLIST
execandprint "iptables -A INPUT -m recent --name BLACKLIST --update --seconds 120 -j DROP"
#
# all *established* ssh connections simply continue
# see /proc/net/nf_conntrack and /proc/net/xt_recent/sshconn
execandprint "iptables -A INPUT  -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
#
# *new* ssh connections are all recorded in the list 'sshconn'; once 3 of them have been recorded within
# 30 seconds (--rcheck does not count the packet being examined, so this fires on the fourth attempt)
# we send the packet to chain 'blacklistdrop', which puts the IP in the blacklist
execandprint "iptables -A INPUT  -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name sshconn --rcheck --seconds 30 --hitcount 3 -j $blchain"

#
# if we have seen fewer than 3 such packets in the last 30 seconds, record this one and accept it
execandprint "iptables -A INPUT  -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name sshconn --set -j ACCEPT"

#
# if the destination address is in the blacklist, we REJECT *any* outgoing packet to it
# (--rdest matches the packet's destination address against the addresses stored in the list)
execandprint "iptables -A OUTPUT -m recent --name BLACKLIST --rdest --rcheck --seconds 30 -j $rjchain"

#
# outgoing we accept all ssh traffic, with connection tracking
execandprint "iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED,NEW,RELATED -j ACCEPT"
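To see how the two xt_recent lists interact over time, here is a small Python model of the rules above. It is an added example, not part of the original script: it implements the --set/--rcheck/--update semantics the rules rely on and replays a constructed trace of NEW SSH SYNs. The addresses (RFC 5737 documentation ranges) and timestamps are made up, and the model ignores that a real xt_recent entry keeps at most ip_pkt_list_tot (default 20) timestamps per address.

```python
"""Model of the xt_recent bookkeeping behind the SSH rules above (added
example, not part of the original script).  Assumes both lists are empty
when the first packet arrives."""
from collections import defaultdict

SSH_WINDOW = 30     # --seconds 30 on the sshconn list
SSH_HITS = 3        # --hitcount 3
BAN_SECONDS = 120   # --seconds 120 on the BLACKLIST list


class RecentList:
    """One /proc/net/xt_recent/<name> table: per address, packet timestamps."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, addr, now):
        # --set: create the entry if needed and record this packet
        self.stamps[addr].append(now)

    def rcheck(self, addr, now, seconds, hitcount=1):
        # --rcheck: match if the address is listed and at least `hitcount`
        # *already recorded* packets fall within `seconds`; the packet being
        # examined is not counted, so --hitcount 3 fires on the fourth packet.
        if addr not in self.stamps:
            return False
        recent = [t for t in self.stamps[addr] if now - t <= seconds]
        return len(recent) >= hitcount

    def update(self, addr, now, seconds, hitcount=1):
        # --update: like --rcheck, but a match also records this packet,
        # so the ban window keeps sliding while the address stays noisy.
        if self.rcheck(addr, now, seconds, hitcount):
            self.stamps[addr].append(now)
            return True
        return False


def ssh_input_chain(packets):
    """Walk NEW SSH SYNs (timestamp, source) through the INPUT rules of the
    post and return (timestamp, source, verdict) for each."""
    blacklist, sshconn = RecentList(), RecentList()
    verdicts = []
    for now, src in packets:
        # -m recent --name BLACKLIST --update --seconds 120 -j DROP
        if blacklist.update(src, now, BAN_SECONDS):
            verdicts.append((now, src, "DROP (blacklisted)"))
            continue
        # the ESTABLISHED,RELATED rule never matches a NEW SYN
        # -m recent --name sshconn --rcheck --seconds 30 --hitcount 3 -j blacklistdrop
        if sshconn.rcheck(src, now, SSH_WINDOW, SSH_HITS):
            blacklist.set(src, now)   # blacklistdrop: --name BLACKLIST --set -j DROP
            verdicts.append((now, src, "DROP (added to BLACKLIST)"))
            continue
        # -m recent --name sshconn --set -j ACCEPT
        sshconn.set(src, now)
        verdicts.append((now, src, "ACCEPT"))
    return verdicts


# Constructed trace: a brute-forcer on 203.0.113.5 retrying every 5 s, probing
# again at 100 s and 210 s, then going quiet until 340 s; an admin on
# 198.51.100.7 logs in once in between.
SAMPLE_TRACE = [
    (0, "203.0.113.5"), (2, "198.51.100.7"), (5, "203.0.113.5"),
    (10, "203.0.113.5"), (15, "203.0.113.5"), (100, "203.0.113.5"),
    (210, "203.0.113.5"), (340, "203.0.113.5"),
]


def verdicts_for(src, trace=SAMPLE_TRACE):
    """Verdicts the chain gave to one source address, in packet order."""
    return [v for _, s, v in ssh_input_chain(trace) if s == src]


if __name__ == "__main__":
    for now, src, verdict in ssh_input_chain(SAMPLE_TRACE):
        print(f"t={now:4d}s {src:15s} {verdict}")
```

Replaying the trace shows two things the rule comments alone do not: the attacker's fourth SYN (at 15 s) is the one that gets blacklisted, and the single probes at 100 s and 210 s each restart the 120 s ban because --update refreshes the entry, so the address stays dropped until it has been silent for a full 120 s (it is accepted again at 340 s). That sliding behaviour is what you want against a bot, and also why one forged-source SYN every two minutes is enough to keep a victim address locked out.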




Friday, September 30, 2016

ZMODEM file transfer between Windows VM on VirtualBox and Linux

This shows an alternative way to transfer a file between the host (Linux) and a Windows XP guest running in VirtualBox on the same machine.


  1. In the VM's VirtualBox settings, enable serial port COM1, select "Host Pipe" for Port Mode, and in the "Path/Address" box type "/tmp/WINCOM1".
  2. Start the Windows VM.
  3. In the Windows VM, start HyperTerminal on COM1, set the speed to 115200 and flow control to None.
  4. On Linux, open a terminal and run: sudo socat unix-connect /tmp/WINCOM1 TCP4-LISTEN:telnet
  5. To transfer a file with ZMODEM, open another terminal and run: sz --tcp-client localhost:23 <file to transfer>


To talk to the Windows serial console interactively we simply telnet to localhost (telnet localhost); anything typed in the telnet session echoes on Windows' HyperTerminal and vice versa. Note that TCP4-LISTEN:telnet binds port 23 on all interfaces, so while socat is running any machine that can reach the host could attach to the guest's console; add bind=127.0.0.1 (TCP4-LISTEN:telnet,bind=127.0.0.1) to keep it local.

Thursday, September 22, 2016

Some interesting VirtualBox internal features

As documented:

Usage: VBoxManage internalcommands <command> [command arguments]

Commands:

  loadmap <vmname|uuid> <symfile> <address> [module] [subtrahend] [segment]
      This will instruct DBGF to load the given map file
      during initialization.  (See also loadmap in the debugger.)

  loadsyms <vmname|uuid> <symfile> [delta] [module] [module address]
      This will instruct DBGF to load the given symbol file
      during initialization.

  sethduuid <filepath> [<uuid>]
       Assigns a new UUID to the given image file. This way, multiple copies
       of a container can be registered.

  sethdparentuuid <filepath> <uuid>
       Assigns a new parent UUID to the given image file.

  dumphdinfo <filepath>
       Prints information about the image at the given location.

  listpartitions -rawdisk <diskname>
       Lists all partitions on <diskname>.

  createrawvmdk -filename <filename> -rawdisk <diskname>
                [-partitions <list of partition numbers> [-mbr <filename>] ]
                [-relative]
       Creates a new VMDK image which gives access to an entire host disk (if
       the parameter -partitions is not specified) or some partitions of a
       host disk. If access to individual partitions is granted, then the
       parameter -mbr can be used to specify an alternative MBR to be used
       (the partitioning information in the MBR file is ignored).
       The diskname is on Linux e.g. /dev/sda, and on Windows e.g.
       \\.\PhysicalDrive0).
       On Linux or FreeBSD host the parameter -relative causes a VMDK file to
       be created which refers to individual partitions instead to the entire
       disk.
       The necessary partition numbers can be queried with
         VBoxManage internalcommands listpartitions

  renamevmdk -from <filename> -to <filename>
       Renames an existing VMDK image, including the base file and all its extents.

  converttoraw [-format <fileformat>] <filename> <outputfile>
       Convert image to raw, writing to file.

  converthd [-srcformat VDI|VMDK|VHD|RAW]
            [-dstformat VDI|VMDK|VHD|RAW]
            <inputfile> <outputfile>
       converts hard disk images between formats

  repairhd [-dry-run]
           [-format VDI|VMDK|VHD|...]
           <filename>
       Tries to repair corrupted disk images

  debuglog <vmname|uuid> [--enable|--disable] [--flags todo]
           [--groups todo] [--destinations todo]
       Controls debug logging.

  passwordhash <passsword>
       Generates a password hash.

  gueststats <vmname|uuid> [--interval <seconds>]
       Obtains and prints internal guest statistics.
       Sets the update interval if specified.

WARNING: This is a development tool and shall only be used to analyse
         problems. It is completely unsupported and will change in
         incompatible ways without warning.

I think some of the most useful ones are:
repairhd
converthd

So, to convert a QEMU virtual-disk image (qcow) to VDI/VMDK/VHD, go through a raw image (assume the QEMU image file is called home.qcow; qemu-img can also write VDI directly with -O vdi, which avoids the intermediate raw file):

qemu-img convert -f qcow home.qcow -O raw home_raw.img
vboxmanage internalcommands converthd -srcformat RAW -dstformat VDI home_raw.img home.vdi

or
VBoxManage convertfromraw --format VDI home_raw.img home.vdi

Another interesting one: creating a virtual machine that boots from a USB device. Steps are:


  1. Verify which device the USB drive is attached to (e.g. /dev/sdd); a /dev/disk/by-id/... path is more reliable, since drive letters change between plug-ins.
  2. Run: VBoxManage internalcommands createrawvmdk -filename usb.vmdk -rawdisk /dev/sdd
  3. Start VirtualBox and attach usb.vmdk as a storage device (or create a new virtual machine with usb.vmdk as its first disk).

The VMDK only holds a descriptor pointing at the device, so the user running VirtualBox needs read/write access to /dev/sdd itself (root, or membership in the group owning the device), and the drive must not be mounted on the host while the VM uses it, otherwise host and guest corrupt each other's writes.
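Before running step 2 on a real device it is worth checking what you are about to hand over. The following Python helper is an added example, not VirtualBox's own code: it resolves the device path, verifies it is a block device the current user can read and write, refuses if the device or any of its partitions is mounted on the host, and only then builds and runs the createrawvmdk command from step 2. It assumes a Linux host, and the /proc/mounts snapshot at the bottom is constructed for illustration.

```python
"""Pre-flight checks before createrawvmdk hands a whole host device to a VM
(added example; not VirtualBox's own code).  Assumes a Linux host where the
device is something like /dev/sdd or a /dev/disk/by-id/... symlink."""
import os
import stat
import subprocess
import sys


def partitions_of(device, candidate):
    """True if `candidate` is `device` itself or one of its partitions:
    /dev/sdd -> /dev/sdd1, /dev/mmcblk0 -> /dev/mmcblk0p1, but not /dev/sdda."""
    if candidate == device:
        return True
    if not candidate.startswith(device):
        return False
    rest = candidate[len(device):]
    if rest.startswith("p"):
        rest = rest[1:]
    return rest.isdigit()


def mounted_under(device, mounts_text):
    """Mount points using `device` or one of its partitions, parsed from text
    in /proc/mounts format (source, mountpoint, fstype, options, ...)."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and partitions_of(device, fields[0]):
            hits.append((fields[0], fields[1]))
    return hits


def createrawvmdk_command(vmdk, device):
    """The command from step 2 of the post, as an argv list."""
    return ["VBoxManage", "internalcommands", "createrawvmdk",
            "-filename", vmdk, "-rawdisk", device]


def make_raw_vmdk(vmdk, device, run=subprocess.run):
    """Resolve the device, check it is a writable, unmounted block device,
    then run createrawvmdk.  `run` is injectable so the checks can be
    exercised without touching real hardware."""
    real = os.path.realpath(device)           # follows /dev/disk/by-id links
    if not stat.S_ISBLK(os.stat(real).st_mode):
        raise ValueError(f"{real} is not a block device")
    if not os.access(real, os.R_OK | os.W_OK):
        raise PermissionError(
            f"no read/write access to {real}; the user running VirtualBox needs it")
    with open("/proc/mounts") as f:
        busy = mounted_under(real, f.read())
    if busy:
        # host and guest writing the same sectors corrupts the filesystem
        raise RuntimeError(f"{real} is mounted on the host, unmount first: {busy}")
    return run(createrawvmdk_command(vmdk, real), check=True)


# Constructed /proc/mounts snapshot: the USB stick's first partition is still
# mounted, so make_raw_vmdk would refuse /dev/sdd on this host.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sdd1 /media/user/USBSTICK vfat rw,nosuid,nodev,relatime 0 0
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        make_raw_vmdk(sys.argv[1], sys.argv[2])   # usage: script.py usb.vmdk /dev/sdd
    else:
        print("mounted under /dev/sdd:", mounted_under("/dev/sdd", SAMPLE_MOUNTS))
```

Run it as the same user that will start VirtualBox, since that is the user whose access to the device matters; the permission check then reflects what the VM process will actually get.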