Blocking Network Attackers

In Using Odroid as IP Router I wrote about using my Odroid as router and firewall. Additionally I inspect who tries to log in to my machines using the lastb command, which lists failed login attempts. Sample output is below:

$ lastb
admin    ssh:notty    202.166.220.10   Mon Oct  1 09:51 - 09:51  (00:00)
admin    ssh:notty    202.166.220.10   Mon Oct  1 09:50 - 09:50  (00:00)
admin    ssh:notty    14.162.42.98     Mon Oct  1 09:50 - 09:50  (00:00)
admin    ssh:notty    14.162.42.98     Mon Oct  1 09:50 - 09:50  (00:00)
telecoma ssh:notty    197.46.98.211    Mon Oct  1 09:50 - 09:50  (00:00)
telecoma ssh:notty    197.46.98.211    Mon Oct  1 09:50 - 09:50  (00:00)
ubnt     ssh:notty    2.235.144.121    Mon Oct  1 09:50 - 09:50  (00:00)
ubnt     ssh:notty    2.235.144.121    Mon Oct  1 09:50 - 09:50  (00:00)
root     ssh:notty    78.111.43.138    Mon Oct  1 09:50 - 09:50  (00:00)
admin    ssh:notty    96.89.181.5      Mon Oct  1 09:50 - 09:50  (00:00)
admin    ssh:notty    96.89.181.5      Mon Oct  1 09:50 - 09:50  (00:00)
Admin    ssh:notty    139.5.159.74     Mon Oct  1 09:50 - 09:50  (00:00)
Admin    ssh:notty    139.5.159.74     Mon Oct  1 09:50 - 09:50  (00:00)
admin    ssh:notty    183.89.73.176    Mon Oct  1 09:50 - 09:50  (00:00)
user     ssh:notty    115.178.98.57    Mon Oct  1 09:50 - 09:50  (00:00)
user     ssh:notty    115.178.98.57    Mon Oct  1 09:50 - 09:50  (00:00)
auxiliar ssh:notty    118.221.123.81   Mon Oct  1 06:53 - 06:53  (00:00)
auxiliar ssh:notty    118.221.123.81   Mon Oct  1 06:53 - 06:53  (00:00)
debian   ssh:notty    180.76.162.111   Mon Oct  1 02:39 - 02:39  (00:00)
debian   ssh:notty    180.76.162.111   Mon Oct  1 02:39 - 02:39  (00:00)
admin    ssh:notty    123.21.175.214   Mon Oct  1 02:24 - 02:24  (00:00)
admin    ssh:notty    123.21.175.214   Mon Oct  1 02:24 - 02:24  (00:00)
admin    ssh:notty    183.157.189.232  Mon Oct  1 02:24 - 02:24  (00:00)
admin    ssh:notty    183.157.189.232  Mon Oct  1 02:24 - 02:24  (00:00)
admin    ssh:notty    181.211.61.234   Mon Oct  1 02:23 - 02:23  (00:00)
admin    ssh:notty    181.211.61.234   Mon Oct  1 02:23 - 02:23  (00:00)
user1    ssh:notty    186.149.47.141   Mon Oct  1 00:34 - 00:34  (00:00)
user1    ssh:notty    186.149.47.141   Mon Oct  1 00:34 - 00:34  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)

Furthermore I use Fail2ban. This way I gather a number of suspicious IP addresses which apparently do not have the best intentions, so I prefer to block them completely. The following commands turn the lastb output into iptables rules that drop the whole /24 network of every offending address (the perl regex captures only the first three octets):

$ lastb > L
$ perl -ne 'if (/\s+(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}\s+/) { printf("-A PREROUTING -s %s.0/24 -i ethusb0 -j DROP\n",$1); }' L
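As an added illustration, not part of the original post, the same extraction in Python, aggregating the failed attempts per /24 so that duplicate rules are avoided and only networks with repeated attempts get blocked. The sample lines are taken from the lastb output above (plus one constructed LAN address); the allow-list, the threshold and the interface name are my assumptions.

```python
import re
from collections import Counter

# Constructed sample in lastb format: addresses taken from the listing above,
# plus one LAN address (192.168.178.50) made up for the allow-list check.
SAMPLE_LASTB = """\
admin    ssh:notty    202.166.220.10   Mon Oct  1 09:51 - 09:51  (00:00)
admin    ssh:notty    202.166.220.10   Mon Oct  1 09:50 - 09:50  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
support  ssh:notty    42.61.24.202     Mon Oct  1 00:08 - 00:08  (00:00)
root     ssh:notty    78.111.43.138    Mon Oct  1 09:50 - 09:50  (00:00)
admin    ssh:notty    192.168.178.50   Mon Oct  1 09:49 - 09:49  (00:00)
"""

# user, tty, then the source address; the four octets are captured separately.
_LINE = re.compile(r"^\S+\s+\S+\s+(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\s")

# /24 prefixes that must never be blocked: the local LAN (assumed to be
# 192.168.178.0/24, as in the GRUB line further down the page) and loopback.
ALLOW = {"192.168.178", "127.0.0"}

def count_failures(text):
    """Count failed logins per /24 prefix, e.g. {'202.166.220': 2}."""
    hits = Counter()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or any(int(o) > 255 for o in m.groups()):
            continue  # not a lastb line, or a malformed address
        hits[".".join(m.groups()[:3])] += 1
    return hits

def drop_rules(text, min_hits=2, iface="ethusb0"):
    """One DROP rule per /24 (sorted, no duplicates) with at least min_hits failures."""
    rules = []
    for net, n in sorted(count_failures(text).items()):
        if n >= min_hits and net not in ALLOW:
            rules.append(f"-A PREROUTING -s {net}.0/24 -i {iface} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(drop_rules(SAMPLE_LASTB)))
```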

Below is my list of addresses which I block. This list is somewhat similar to the list of hosts given in Suppressing Advertisement on Web-Pages a.k.a. Ad-Blocking.


Passing HashMap from Java to Java Nashorn

Java Nashorn is the JavaScript engine shipped since Java 8. You can therefore use JavaScript wherever you have at least Java 8. Java 8 also ships a standalone interpreter, called jjs.

It is possible to create a Java HashMap and use this structure directly in JavaScript. Here is the code:

import java.util.*;
import java.io.*;
import javax.script.*;


public class HashMapDemo {

        public static void main(String[] args) {
                HashMap<String, Double> hm = new HashMap<String, Double>();

                hm.put("A", new Double(3434.34));
                hm.put("B", new Double(123.22));
                hm.put("C", new Double(1200.34));
                hm.put("D", new Double(99.34));
                hm.put("E", new Double(-19.34));

                for( String name: hm.keySet() )
                        System.out.println(name + ": "+ hm.get(name));

                // Increase A's balance by 1000
                double balance = ((Double)hm.get("A")).doubleValue();
                hm.put("A", new Double(balance + 1000));
                System.out.println("A's new account balance : " + hm.get("A"));

                // Call JavaScript from Java
                try {   
                        ScriptEngine engine = new ScriptEngineManager().getEngineByName("nashorn");
                        engine.eval("print('Hello World');");
                        engine.eval(new FileReader("example.js"));
                        Invocable invocable = (Invocable) engine;
                        Object result = invocable.invokeFunction("sayHello", "John Doe");
                        System.out.println(result);
                        System.out.println(result.getClass());

                        result = invocable.invokeFunction("prtHash", hm);
                        System.out.println(result);
                } catch (FileNotFoundException | NoSuchMethodException | ScriptException e) {
                        e.printStackTrace();
                        System.out.println(e);
                }

        }
}

And here is the corresponding JavaScript file example.js:

var sayHello = function(name) {
        print('Hello, ' + name + '!');
        return 'hello from javascript';
};

var prtHash = function(h) {
        print('h.A = ' + h.A);
        print('h.B = ' + h["B"]);
        print('h.C = ' + h.C);
        print('h.D = ' + h["D"]);
        print('h.E = ' + h.E);
};

Output is:

$ java HashMapDemo
A: 3434.34
B: 123.22
C: 1200.34
D: 99.34
E: -19.34
A's new account balance : 4434.34
Hello World
Hello, John Doe!
hello from javascript
class java.lang.String
h.A = 4434.34
h.B = 123.22
h.C = 1200.34
h.D = 99.34
h.E = -19.34
null

The above example uses sample code from

  1. Riding the Nashorn: Programming JavaScript on the JVM
  2. Simple example for Java HashMap
  3. Nashorn: Run JavaScript on the JVM

The decisive statement was in https://winterbe.com/posts/2014/04/05/java8-nashorn-tutorial/:

Java objects can be passed without losing any type information on the javascript side. Since the script runs natively on the JVM we can utilize the full power of the Java API or external libraries on nashorn.

The above program works the same if one changes HashMap<String, Double> to HashMap<String, Object> and populates it accordingly, e.g.:

                HashMap<String, Object> hm = new HashMap<String, Object>();

                hm.put("A", new Double(3434.34));
                hm.put("B", new String("Test"));
                hm.put("C", new Date(5000));
                hm.put("D", new Integer(99));
                hm.put("E", new Boolean(Boolean.TRUE));

The output from JavaScript would then be

h.A = 4434.34
h.B = Test
h.C = Thu Jan 01 01:00:05 CET 1970
h.D = 99
h.E = true

Entries created in JavaScript are also visible in Java, because the script operates on the very same HashMap object. Assume the JavaScript function stores values in a second map hret:

var prtHash = function(h,hret) {
        hret.U = 57;
        hret.V = "Some text";
        hret.W = false;
};

These entries can then be read back in the Java program:

HashMap<String, Object> hret = new HashMap<String, Object>();

result = invocable.invokeFunction("prtHash", hm, hret);
System.out.println(result);
System.out.println("hret.U = " + hret.get("U"));
System.out.println("hret.V = " + hret.get("V"));
System.out.println("hret.W = " + hret.get("W"));

Output is then

hret.U = 57
hret.V = Some text
hret.W = false

Balking ARM ArchLinux Update

I had an issue updating the ARM ArchLinux I use here. The error messages looked like:

(95/95) checking keys in keyring                                                          [####################################################] 100%
(95/95) checking package integrity                                                        [####################################################] 100%
error: readline: signature from "Arch Linux ARM Build System <builder@archlinuxarm.org>" is unknown trust
:: File /var/cache/pacman/pkg/readline-7.0.005-1-armv7h.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] n
error: bash: signature from "Arch Linux ARM Build System <builder@archlinuxarm.org>" is unknown trust
:: File /var/cache/pacman/pkg/bash-4.4.023-1-armv7h.pkg.tar.xz is corrupted (invalid or corrupted package (PGP signature)).
Do you want to delete it? [Y/n] ^C

I found the forum post many corrupted packages/invalid PGP signatures for aarch64?, which suggests:

pacman-key --init
pacman-key --populate archlinuxarm

This helped, so I could proceed with pacman -Syu. (“unknown trust” means the build system's signing key was not yet imported into pacman's keyring and locally signed, which is exactly what pacman-key --populate archlinuxarm does.)

Using Scooter Software Beyond Compare

Beyond Compare is a graphical file comparison tool sold by Scooter Software. Its open-source competitors are mainly vimdiff and kdiff3. Its advantage is ease of use: files can be edited instantly while being compared, and complete directory trees can be diffed.

It is written in Delphi Object Pascal; the source code is not open. It runs on Windows, x86 Linux, and OS X. It does not run on ARM, such as Raspberry Pi or Odroid, see support for arm processors – like the raspberry pi. The “Standard Edition” costs $30, the “Pro Edition” costs $60. The software is in the AUR.

1. Root User Problem. When running it as the root user you must set:

export QT_GRAPHICSSYSTEM=native
bcompare

When running

DIFFPROG=bcompare pacdiff

the screen looks like this:

2. Git Usage. To use Beyond Compare with git difftool you have to do two things: First, create a symbolic link named bc3 pointing to bcompare, since git knows Beyond Compare under that name:

[root /bin]# ln -s bcompare bc3

Second, add the following lines to your ~/.gitconfig file (trustExitCode is a per-tool setting, so it belongs in a [difftool "bc3"] / [mergetool "bc3"] section):

[diff]
        tool = bc3
[difftool]
        prompt = false
[difftool "bc3"]
        trustExitCode = true
[merge]
        tool = bc3
[mergetool "bc3"]
        trustExitCode = true

Instead of editing ~/.gitconfig by hand, the same settings (apart from prompt = false) can be applied with the following commands:

git config --global diff.tool bc3
git config --global difftool.bc3.trustExitCode true
git config --global merge.tool bc3
git config --global mergetool.bc3.trustExitCode true

Instant Messaging Client Pidgin and Skype / Lync

One can use the instant messaging client Pidgin with Skype for Business. Skype for Business was previously called Lync.

Install Pidgin

pacman -S pidgin

and install the SIP/SIMPLE protocol plugin for Skype for Business/Office 365/Lync

pacman -S pidgin-sipe

Setting up the account: use your company mail address. The protocol is “Office Communicator”.

In Set up Pidgin messenger and Office 365 Lync one finds the crucial hint that one has to set a specific user-agent string:

User Agent :  UCCAPI/15.0.4420.1017 OC/15.0.4420.1017

In Pidgin configuration this looks like this:

The post by Gary Woodfine referenced above states that you also have to specify server, port, and authentication scheme. But you don't have to: you can simply leave these entries empty or at their default values.

Remote Unlocking of Encrypted Disks

1. Problem statement. You have an encrypted disk and want to decrypt the disk during boot while not sitting in front of your computer.

The solution is sketched in dm-crypt/Specialties; below is a bit more explanation. For all of the following you must be root.

2. Required software packages. Install the package dropbear from the “Community” repo. Then install the following AUR packages:

  1. mkinitcpio-netconf
  2. mkinitcpio-utils
  3. mkinitcpio-dropbear

3. Populate root_key. First mkdir /etc/dropbear and populate the file root_key with the public SSH keys that should be allowed to log into your machine, similar to authorized_keys for OpenSSH. I.e., you must hold the corresponding private keys on the machines you intend to use for unlocking.

4. Set-up networking in Grub. Edit /etc/default/grub and set

GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=5a74247e-75e8-4c05-89a7-66454f96f974:cryptssd:allow-discards root=/dev/mapper/cryptssd ip=192.168.178.118:192.168.178.118:192.168.178.1:255.255.255.0:chieftec:eth0:none"

Then issue

grub-mkconfig -o /boot/grub/grub.cfg

to re-generate grub.cfg. The specification for “ip=” is given in Mounting the root filesystem via NFS (nfsroot). Its most important parts are:

  1. client-ip: IP address of the client
  2. server-ip: IP address of the NFS server
  3. gateway-ip: IP address of a gateway
  4. netmask: Netmask for local network interface
  5. hostname: Name of the client
  6. device: Name of network device to use
  7. autoconf: Method to use for autoconfiguration
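An added example, not from the original post or the kernel documentation: a small Python checker that splits the ip= value from the GRUB line above into the seven fields just listed and verifies that a static configuration is internally consistent (gateway inside the subnet, client address usable). The field order follows the list above; the specific checks and the handling of non-static autoconf values are my assumptions.

```python
import ipaddress

# Field order as documented for the kernel's ip= parameter (see the list above).
FIELDS = ("client_ip", "server_ip", "gateway_ip", "netmask",
          "hostname", "device", "autoconf")

# Taken from the GRUB_CMDLINE_LINUX_DEFAULT line above; only the ip= part.
IP_PARAM = "ip=192.168.178.118:192.168.178.118:192.168.178.1:255.255.255.0:chieftec:eth0:none"

def parse_ip_param(param):
    """Split an ip=... value into a dict of the seven fields ('' where omitted)."""
    if param.startswith("ip="):
        param = param[3:]
    parts = param.split(":")
    if len(parts) > len(FIELDS):
        raise ValueError("too many fields in ip= parameter")
    parts += [""] * (len(FIELDS) - len(parts))
    return dict(zip(FIELDS, parts))

def check_ip_param(param):
    """Return a list of problems found in a static ip= configuration ([] = OK)."""
    cfg = parse_ip_param(param)
    if cfg["autoconf"] not in ("none", "off"):
        return []  # assumption: with dhcp/bootp/any the address fields are optional
    try:
        client = ipaddress.IPv4Address(cfg["client_ip"])
        gateway = ipaddress.IPv4Address(cfg["gateway_ip"])
        # a dotted netmask is accepted here; strict=False allows a host address
        net = ipaddress.IPv4Network(f"{client}/{cfg['netmask']}", strict=False)
    except ValueError as e:
        return [f"malformed address or netmask: {e}"]
    problems = []
    if gateway not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    if client in (net.network_address, net.broadcast_address):
        problems.append(f"client {client} is the network or broadcast address")
    if not cfg["device"]:
        problems.append("no device given")
    return problems

if __name__ == "__main__":
    print(parse_ip_param(IP_PARAM))
    print(check_ip_param(IP_PARAM) or "ip= parameter looks consistent")
```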

5. Configure mkinitcpio. Finally, the main task. Edit /etc/mkinitcpio.conf and set

HOOKS="base udev block keymap keyboard autodetect modconf netconf dropbear encryptssh filesystems fsck"

Now call

mkinitcpio -p linux

See Arch Wiki mkinitcpio. Output of mkinitcpio looks something like this:

  -> Running build hook: [dropbear]
Key is a ssh-rsa key
Wrote key to '/etc/dropbear/dropbear_rsa_host_key'
Key is a ssh-dss key
Wrote key to '/etc/dropbear/dropbear_dss_host_key'
Key is a ecdsa-sha2-nistp256 key
Wrote key to '/etc/dropbear/dropbear_ecdsa_host_key'
dropbear_rsa_host_key : sha1!! e1:11:51:ce:0b:07:2b:c7:66:37:c0:b9:de:f3:80:56:64:69:cc:fd
dropbear_dss_host_key : sha1!! ca:75:42:85:f9:96:6d:db:fd:15:d1:7a:4a:ee:19:b1:ff:91:14:bb
dropbear_ecdsa_host_key : sha1!! b9:b3:c4:ee:c4:af:21:87:52:39:e8:b6:c2:a3:b7:53:0e:52:f1:85
   -P, --allpresets             Process all preset files in /etc/mkinitcpio.d
   -r, --moduleroot <dir>       Root directory for modules (default: /)
   -S, --skiphooks <hooks>      Skip specified hooks, comma-separated, during build
   -s, --save                   Save build directory. (default: no)
   -d, --generatedir <dir>      Write generated image into <dir>
   -t, --builddir <dir>         Use DIR as the temporary build directory
   -V, --version                Display version information and exit
   -v, --verbose                Verbose output (default: no)
   -z, --compress <program>     Use an alternate compressor on the image
  -> Running build hook: [encryptssh]
  -> Running build hook: [filesystems]
  -> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
==> Image generation successful

Content in /etc/dropbear is then

$ ls -l /etc/dropbear
total 16
-rw------- 1 root root  458 Apr  1 13:24 dropbear_dss_host_key
-rw------- 1 root root  140 Apr  1 13:24 dropbear_ecdsa_host_key
-rw------- 1 root root  806 Apr  1 13:24 dropbear_rsa_host_key
-rw------- 1 root root 1572 Apr  1 12:25 root_key

6. Usage. Use ssh root@YourComputer to connect to the dropbear server configured above and type in the password for the encrypted disk. The connection then closes and dropbear exits, after which the normal boot continues. By the way, dropbear does not read your OpenSSH configuration, so blocking root logins in sshd_config has no effect on dropbear: access to it is governed solely by the keys in /etc/dropbear/root_key.

7. Limitations. The above set-up only unlocks the root device. Other encrypted devices, for example those listed in /etc/crypttab, cannot be unlocked by this procedure.

8. Further reading. See LUKS encrypted devices remote über Dropbear SSH öffnen (in German), Remote unlocking LUKS encrypted LVM using Dropbear SSH in Ubuntu Server 14.04.1 (with Static IP).