IPv6 Static Address on Ubuntu

27 04 2012
So – I have blogged about how to enable IPv6 on your firewall & set up your tunnel, and how to manually add addresses to an Ubuntu server, but what about the server you are sticking on the end of the tunnel permanently – you want it up every reboot.
I have an Ubuntu box sitting on 2001:470:489e::100. This hosts http://public6.blackundertone.com & also my mail host mail.blackundertone.com
Most modern distros will have IPv6 enabled out of the box & will do their best to grab an address. I didn't want autoconfiguration handing any old address to this host (even with SLAAC using the MAC address) – so I could properly set up inbound & outbound FW rules.
You can turn it off by entering the following in /etc/sysctl.conf & rebooting
- Disable the autoconf / SLAAC capability on the interface (eth0 here)

net.ipv6.conf.eth0.autoconf=0

- Ignore the RA messages from your router

net.ipv6.conf.eth0.accept_ra=0

If you just want to test it out – or don't want to reboot your machine

sudo sysctl -w net.ipv6.conf.eth0.autoconf=0
sudo sysctl -w net.ipv6.conf.eth0.accept_ra=0

–BEFORE with autoconfigured Global IPv6 address–
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:10.0.1.100  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: 2001:470:489e:0:250:56ff:fea1:70d1/64 Scope:Global
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:56 errors:0 dropped:12 overruns:0 frame:0
          TX packets:47 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6219 (6.2 KB)  TX bytes:7140 (7.1 KB)
–AFTER only link-local address remains–
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:10.0.1.100  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:254 errors:0 dropped:12 overruns:0 frame:0
          TX packets:237 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:24646 (24.6 KB)  TX bytes:33280 (33.2 KB)
Now – it's simply another couple of lines in your /etc/network/interfaces file & a quick network restart
iface eth0 inet6 static
        address 2001:470:489e::100
        netmask 64
        gateway 2001:470:489e::1
and your shiny new STATIC ASSIGNED IPv6 address is active
eth0      Link encap:Ethernet  HWaddr 00:50:56:a1:70:d1
          inet addr:10.0.1.100  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fea1:70d1/64 Scope:Link
          inet6 addr: 2001:470:489e::100/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:806 errors:0 dropped:116 overruns:0 frame:0
          TX packets:716 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:71814 (71.8 KB)  TX bytes:110482 (110.4 KB)
Apache & Postfix should already listen on any IPv6 addresses – so simply restart the services.
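To confirm the host ended up the way the firewall rules assume, here is an added example (not from the original post) that checks autoconf and accept_ra are 0 and that the only global address on the interface is the static one. The function names, the CONF_ROOT override and the sample `ip -6 -o addr show` lines are constructed for illustration; the expected address must be given in the compressed form that `ip` prints.

```sh
#!/bin/sh
# Added example: verify eth0 only carries the intended static global address.

# Constructed samples of `ip -6 -o addr show dev eth0` output, modelled on the
# BEFORE and static-address ifconfig listings in the post.
BEFORE_SAMPLE='2: eth0    inet6 2001:470:489e:0:250:56ff:fea1:70d1/64 scope global dynamic \       valid_lft 86390sec preferred_lft 14390sec
2: eth0    inet6 fe80::250:56ff:fea1:70d1/64 scope link \       valid_lft forever preferred_lft forever'
STATIC_SAMPLE='2: eth0    inet6 fe80::250:56ff:fea1:70d1/64 scope link \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:470:489e::100/64 scope global \       valid_lft forever preferred_lft forever'

# ra_settings_ok IFACE [CONF_ROOT]
# Succeeds only if autoconf and accept_ra are both 0 for IFACE.
# CONF_ROOT defaults to the kernel sysctl tree; the override (an assumption of
# this example) lets the check run against a constructed directory.
ra_settings_ok() {
    root="${2:-/proc/sys/net/ipv6/conf}"
    for key in autoconf accept_ra; do
        val=$(cat "$root/$1/$key" 2>/dev/null) || return 2   # no such interface
        [ "$val" = "0" ] || { echo "$1: $key=$val (expected 0)"; return 1; }
    done
}

# audit_global_addrs EXPECTED_ADDR
# Reads `ip -6 -o addr show dev IFACE` output on stdin and prints one finding
# per line. Returns 0 only if EXPECTED_ADDR is the sole global address.
audit_global_addrs() {
    awk -v want="$1" '
        $3 == "inet6" && /scope global/ {
            split($4, a, "/"); addr = a[1]
            if (/ dynamic/)        { print "SLAAC " addr; bad = 1 }      # learned from an RA
            else if (addr != want) { print "UNEXPECTED " addr; bad = 1 } # manual, but not ours
            else                   seen = 1
        }
        END {
            if (!seen) { print "MISSING " want; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Live use on the server:
#   ra_settings_ok eth0 && \
#   ip -6 -o addr show dev eth0 | audit_global_addrs 2001:470:489e::100
```

Any SLAAC or UNEXPECTED line means the host can source or accept traffic on an address the firewall rules were never written for.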




IPv6 rebooted – web & smtp server

14 03 2012

Now that I had a new IPv6 allocation from tunnelbroker.net – it was time to get the server re-addressed & reachable from the outside world.

Apache was already configured to listen on all IPv4 & IPv6 addresses so all I needed to do was change the address, test connectivity & restart apache

sudo ip addr add 2001:470:489e::100/64 dev eth0
sudo route --inet6 add default gateway 2001:470:489e::1
ping6 2001:470:489e::1

Don't forget to update your nameserver

sudo vi /etc/resolv.conf
ping6 ipv6.google.com

Restart apache & postfix services

sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
sudo /etc/init.d/postfix stop
sudo /etc/init.d/postfix start

Update your DNS record with the new address & test connection.
You can either test from another IPv6 connected host (like a VPS)

ash@vertex:~$ dig aaaa public.blackundertone.com +short
2001:470:489e::100
ash@vertex:~$ curl public.blackundertone.com

Or use one of the many publicly available test servers – like http://ipv6-test.com/validate.php

It's as simple as that. Now my server was once again reachable via IPv6 – all this effort to get back to where I was.

Next time – I cover the DNS forward & reverse fun as well as why I needed to transfer my domain from namecheap.com free DNS hosting to the free DNS hosting provided by Hurricane Electric @ dns.he.net





bigger, better, faster, more VMware

19 07 2011

No, before we even start, this is not a blog post about the 4 Non Blondes album.

This is a documentation of my mind numbing, soul destroying search for the best performing configuration with the hardware I have in my lab.

I have spent countless hours / days / weeks building, breaking & rebuilding my VM Lab (thankfully I have an understanding wife & daughter).

Hardware primarily consists of:

2x HP Proliant N36L Microservers (Athlon II Neo Dual Core 1.3) (8GB RAM in one box / 2GB in the other).
2x HP DC7100 Desktops (P4 2.8 / 2GB RAM)
1x Dell Precision 370 (P4 3.0 / 4GB RAM)
Cisco 2950 (24×10/100 + 2×1000)

Add to this an assortment of older F5s / dual P3 pizza boxes & other no name kit – and I have a playground full of toys.

I have been using unRAID for the past few years on various hardware platforms. This has been mainly for storing media, ISOs & providing a backup target for the various laptops & workstations around the house.

Recently I picked up the two HP N36L Microservers, the 8GB one is my primary VMware ESXi 4.1 host and the 2GB server is running unRAID. Just having the second box sitting there running unRAID seems a little under-utilised to me, the disks are in standby most of the time (thanks to Netflix) – and it just hasn't been getting the workout I think it deserves.

So – enter the newest project – what's the best solution for storing media / ISOs / Backups / VMs etc – I want to be able to use either iSCSI or NFS to play with vMotion of VMs when I finish building my VMware test lab to finish my VCP – I want it fast, but I want it protected in case a disk fails.

I have tested & played with the following in my quest:

Storage Systems:
FreeNAS 7 & 8 (Physical & Virtual)
Openfiler (Physical & Virtual)
Nexenta (Physical & Virtual)
unRAID Physical (Virtual not supported due to USB GUID licensing)

Presentation to Client Machines:
Local storage in the ESXi host presented to Windows 7 VM
iSCSI Raw Device Mappings presented to Windows 7 VM
iSCSI Presented to ESXi -> VMFS-3 filesystem -> VMDK presented to Windows 7 VM
iSCSI Presented to Physical Windows 7 Client
NFS Presented to ESXi -> VMDK presented to Windows 7 VM
CIFS/SMB Presented to Physical Windows 7 Client

I have been using a single test scenario on each config – using Iometer – with the file & results formatted from http://vmktree.org/iometer/

First I want to benchtest them for performance, then to setup the best solution that is a mix of performance & redundancy.

Sounds impossible – I'm gonna try.

For the performance benchtesting – I decided to go with a 2 spindle ZFS striped config, tested from Windows 7 Clients
Physical Client: HP DC7100
Physical FreeNAS: HP N36L(2GBRAM / 1TB WD Green / 2TB WD Green )

I have mismatched sizes as that's the hardware I have free at the moment. If I find a compelling reason why this won't work, then I may get a second 2TB disk to match. I am using WD Green disks for their low power / cooler running – commodity hardware.

Scenario 1 – Physical FreeNAS 7 with iSCSI
Physical Client -> iSCSI on Physical NAS
Virtual Client -> VMDK on ESXi -> iSCSI Physical NAS

Scenario 2 – Physical FreeNAS 7 with NFS & CIFS/SMB
Physical Client -> CIFS/SMB on Physical NAS (Usual windows sharing type scenario)
Virtual Client -> VMDK on ESXi -> NFS Physical NAS

Scenario 3 – Virtualised FreeNAS 7 with iSCSI
* Physical Disks formatted with VMFS-3, with VMDK presented to FreeNAS VM
Physical Client -> iSCSI on Virtual NAS
Virtual Client -> VMDK on ESXi -> iSCSI Virtual NAS

Scenario 4 – Virtualised FreeNAS 7 with NFS & CIFS/SMB
* Physical Disks formatted with VMFS-3, with VMDK presented to FreeNAS VM
Physical Client -> CIFS/SMB on Virtual NAS
Virtual Client -> VMDK on ESXi -> iSCSI Virtual NAS

Scenario 5 – Virtualised FreeNAS 7 with iSCSI
* Physical Disks presented via Physical RDM passthrough to FreeNAS VM
* RDM Config thanks to http://www.vm-help.com/esx40i/SATA_RDMs.php
* RDM passthrough used to enable SMART monitoring from the FreeNAS VM – very cool
Physical Client -> iSCSI on Virtual NAS
Virtual Client -> VMDK on ESXi -> iSCSI Virtual NAS

Scenario 6 – Virtualised FreeNAS 7 with NFS & CIFS/SMB
* Physical Disks presented via Physical RDM passthrough to FreeNAS VM
* RDM Config thanks to http://www.vm-help.com/esx40i/SATA_RDMs.php
* RDM passthrough used to enable SMART monitoring from the FreeNAS VM – very cool
Physical Client -> CIFS/SMB on Virtual NAS
Virtual Client -> VMDK on ESXi -> iSCSI Virtual NAS

I will be adding follow-up posts with the performance results, the pros & cons (in my view) of each of these scenarios. Feel free to add comments & kick off discussions about this project.





macbook4,1 – ubuntu & wireless woes (fixed)

17 01 2011

I have a newish (couple of years) macbook 4,1

Model Name:    MacBook
Model Identifier:    MacBook4,1
Processor Name:    Intel Core 2 Duo
Processor Speed:    2.4 GHz
Number Of Processors:    1
Total Number Of Cores:    2
L2 Cache:    3 MB
Memory:    4 GB
Bus Speed:    800 MHz

Recently I decided I had had enough of OSX and threw Ubuntu 10.10 on it – all has been reasonably smooth sailing (minus the dying HDD, the repartitioning & GRUB woes …)

I pulled the Airport Extreme out of the cupboard the other day (I had been tethering with my Android HTC Desire while we were building a house) – and lo & behold I had dramas connecting to it. Wireless N WPA2/TKIP.

Anyway, a bit of googling time later, I found a great couple of lines to fix the issue. Wireless has been rock solid (so far) since making this change. Changing the ifupdown to managed & adding config for ifup & ifdown did the trick.

sudo gedit /etc/NetworkManager/nm-system-settings.conf

[ifupdown]
managed=true
#managed=false

[ifup]
managed=true

[ifdown]
managed=true

Reboot & wireless is golden again.





Portable Linux Apps Which Work With Any Linux Distro

25 07 2010

I have to admit, I am on the portable apps bandwagon – I can't live without my portable Windows apps, meaning I don't have to install software onto restrictive machines – but am still able to do what I want to do (putty / portable firefox with foxproxy etc etc). Now that I have started using DropBox – I have my various Windows machines pretty well sorted with Apps & Data from anywhere. I was curious about other portable apps for Linux / Mac etc and stumbled across this one for Linux Portable Apps from my MakeUseOf feed – it's worth a read.

Portable Apps for Windows and Mac have been around for a long time, but are less common in the Linux world. Due to the complexity of Linux dependencies, and the different way different distributions locate these dependencies, the portable Linux application long seemed like a pipe dream.

Until now.

New website PortableLinuxApps features a number of portable Linux applications, which will work on any Linux distribution. These can run off your flash drive or from a folder in your home directory; it doesn’t matter. Best of all, there’s documentation out there to help you make your own program, should you not be able to find what you’re looking for.

via Portable Linux Apps Which Work With Any Linux Distro.





image extraction from packet capture

13 06 2010

Some very interesting tools used in this vid, showing that you don't need to be watching live streams to catch interesting fish :D

Great video on using ettercap to capture traffic & a selection of tools to extract data (mainly images) from the traffic.

ettercap
foremost
tcpxtract (can be installed from the backtrack repos)
tcpreplay
urlsnarf/driftnet –> dsniff suite

Linked from the following post from “adaywithtape”





knock knock knock

9 06 2010

Ok, so in the last one, we found out that NETGEAR is open

00:09:5B:1C:AA:1D 11 16 10 0 0 11 54. OPN NETGEAR

Following on from the last post, we want to drop our interface back out of monitor mode

root@bt:~# airmon-ng stop wlan0

Interface       Chipset         Driver

wlan0           ZyDAS 1211      zd1211rw - [phy0]
                                (monitor mode disabled)
mon0            ZyDAS 1211      zd1211rw - [phy0]

make sure the interface is up with the usual

root@bt:~# ifconfig wlan0 up

once the interface is up, it's time to associate with the access point

root@bt:~# iwconfig wlan0 essid NETGEAR
root@bt:~# iwconfig
wlan0     IEEE 802.11bg  ESSID:"NETGEAR"
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:09:5B:1C:AA:1D
          Bit Rate=1 Mb/s   Tx-Power=27 dBm
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=17/100  Signal level=17/100
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

all things being equal, we should be associated with the wireless network NETGEAR through the access point we saw in the beginning 00:09:5B:1C:AA:1D. Now what … IP address of course

root@bt:~# dhclient wlan0
There is already a pid file /var/run/dhclient.pid with pid 9985
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

mon0: unknown hardware address type 803
mon0: unknown hardware address type 803
Listening on LPF/wlan0/00:07:d1:88:11:0f
Sending on   LPF/wlan0/00:07:d1:88:11:0f
Sending on   Socket/fallback
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 4
DHCPOFFER of 192.168.0.10 from 192.168.0.1
DHCPREQUEST of 192.168.0.10 on wlan0 to 255.255.255.255 port 67
DHCPACK of 192.168.0.10 from 192.168.0.1
bound to 192.168.0.10 -- renewal in 39170 seconds.
root@bt:~#
root@bt:~#
root@bt:~# ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:07:d1:88:11:0f
          inet addr:192.168.0.10  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
root@bt:~#
root@bt:~# cat /etc/resolv.conf
domain mydomain
search mydomain
nameserver 192.168.0.1
root@bt:~#
root@bt:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 wlan0

so there we have it, we connected to the wireless network, received an IP address, dns & default route from the DHCP server & still haven't used any of the l33t fun tools in backtrack yet.





soft target selection

8 06 2010

So for the first one, let's ease into things. I have called it soft target selection as this isn't anything too exciting, no cracking, no exploiting – just natural selection ;)

So, hypothetically you are using a wifi sniffer & you stumble across a nice juicy open wifi …. so what's next …. ok – we jumped ahead a step there. How did we come to find an open wifi? – well, there are several apps around – try here.

As with most things I will be posting, I will focus on using backtrack and in the examples, I am using a usb wifi dongle.

dmesg will hopefully show us the dongle attached

root@bt:~# dmesg
usb 1-1: new high speed USB device using ehci_hcd and address 3
usb 1-1: configuration #1 chosen from 1 choice
usb 1-1: reset high speed USB device using ehci_hcd and address 3
phy1: Selected rate control algorithm 'minstrel'
zd1211rw 1-1:1.0: phy1
usb 1-1: firmware: requesting zd1211/zd1211_ub
usb 1-1: firmware: requesting zd1211/zd1211_uphr
zd1211rw 1-1:1.0: firmware version 4605
zd1211rw 1-1:1.0: zd1211 chip 0ace:1211 v4330 high 00-03-6d RF2959_RF pa0 -----
ADDRCONF(NETDEV_UP): wlan0: link is not ready

ok, so backtrack sees our adaptor, now we need to get it up & running (don't forget the all important macchanger command)

root@bt:~# ifconfig -a
wlan0     Link encap:Ethernet  HWaddr 00:40:29:47:ca:fa
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
root@bt:~# macchanger -A wlan0
Current MAC: 00:40:29:47:ca:fa (Compex)
Faked MAC:   00:07:d1:88:11:0f (Spectrum Signal Processing Inc.)
root@bt:~# ifconfig wlan0 up

kick the card into monitor mode

root@bt:~# airmon-ng start wlan0

Interface       Chipset         Driver

wlan0           ZyDAS 1211      zd1211rw - [phy0]
                                (monitor mode enabled on mon0)

and check for the wireless nodes around you

root@bt:~# airodump-ng mon0

 CH  9 ][ Elapsed: 1 min ][ 2007-04-26 17:41 ][ WPA handshake: 00:14:6C:7E:40:80

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:09:5B:1C:AA:1D   11  16       10        0    0  11  54.  OPN              NETGEAR
 00:14:6C:7A:41:81   34 100       57       14    1   9  11e  WEP  WEP         bigbear
 00:14:6C:7E:40:80   32 100      752       73    2   9  54   WPA  TKIP   PSK  teddy                             

 BSSID              STATION            PWR   Rate   Lost  Packets  Probes

 00:14:6C:7A:41:81  00:0F:B5:32:31:31   51   36-24    2       14
 (not associated)   00:14:A4:3F:8D:13   19    0-0     0        4    mossy
 00:14:6C:7A:41:81  00:0C:41:52:D1:D1   -1   36-36    0        5
 00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35   54-54    0       99    teddy

BINGO!!
So, NETGEAR is OPEN – no encryption at all …. FAIL!

Well – I said it wasn't too exciting, we found an open wifi access point – tune in next time to see what we can do with it…
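The same survey output is what a site owner would review to catch their own weakly configured access points. The following added example (not from the original post) reads airodump-ng-style AP rows and reports which BSSIDs from an owned-device inventory advertise no encryption, WEP or TKIP. The inventory, the function name and the reason labels are assumptions made for illustration, and ESSIDs are assumed to contain no spaces.

```sh
#!/bin/sh
# Added example: audit your own access points from airodump-ng screen output.

# Constructed inventory of BSSIDs the site owns (assumption for this example).
OWNED_BSSIDS='00:09:5B:1C:AA:1D 00:14:6C:7E:40:80'

# The three AP rows shown in the post, then the start of the station table.
SURVEY_SAMPLE=' BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:09:5B:1C:AA:1D   11  16       10        0    0  11  54.  OPN              NETGEAR
 00:14:6C:7A:41:81   34 100       57       14    1   9  11e  WEP  WEP         bigbear
 00:14:6C:7E:40:80   32 100      752       73    2   9  54   WPA  TKIP   PSK  teddy
 BSSID              STATION            PWR   Rate   Lost  Packets  Probes
 00:14:6C:7A:41:81  00:0F:B5:32:31:31   51   36-24    2       14'

# weak_owned_aps "BSSID BSSID ..."
# Reads AP rows on stdin; prints "BSSID ESSID REASON" for each owned AP that
# advertises no encryption, WEP or TKIP. Returns 1 if anything was reported.
weak_owned_aps() {
    awk -v owned="$1" '
        BEGIN { n = split(toupper(owned), o, " "); for (i = 1; i <= n; i++) mine[o[i]] = 1 }
        /STATION/ { exit }                       # client table follows: stop here
        $1 !~ /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/ { next }
        !(toupper($1) in mine) { next }          # not ours: out of scope
        {
            # ENC is always field 9; CIPHER is present only when AUTH/ESSID follow
            enc = $9; cipher = (NF >= 11) ? $10 : ""
            if (enc == "OPN")          reason = "no-encryption"
            else if (enc == "WEP")     reason = "wep"
            else if (cipher == "TKIP") reason = "tkip"
            else next
            print toupper($1), $NF, reason; found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Example run on the constructed sample:
#   printf '%s\n' "$SURVEY_SAMPLE" | weak_owned_aps "$OWNED_BSSIDS"
```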







