Dynamic ssh tunneling with putty to secure web traffic

Sometimes you might want to tunnel traffic over ssh to protect it from prying eyes on wireless/untrusted networks.

You can use an ssh tunnel to a Linux server to encrypt all of your browsing traffic. However, after it leaves the ssh server, it will no longer be encrypted.

Launch putty and head to Connection > SSH > Tunnels

In the Source port field, enter a port number that your computer will listen for traffic on. Be sure to pick one that isn’t being used by another program. (8910 should be a safe bet)

Then select Dynamic and Auto as the port type and then click Add.

The window should look like this.

Dynamic Port in Putty

Then scroll back up and click on Session.

Enter the IP address of the machine running the SSH server in the Host Name (or IP address) field.

Then type a name in the Saved Sessions box and click Save for future usage.

Now you can double click on the name of the saved session to start up the tunnel.

You will have to enter your username and password before the tunnel will work correctly, unless the server is configured for anonymous logins.

You may also use key based authentication to bypass the need to enter a username and password for each login. See this article for details.

Once the SSH session is open and the tunnel is up, your browser needs to be configured to use the tunnel.

Firefox

Click Tools > Options…

Head to the Advanced tab and then the Network sub-tab and click Settings…

Change the setting to Manual proxy configuration:

In the SOCKS Host: field, type 127.0.0.1 and enter the port number you chose earlier (8910 for the example)

All of the other fields should be blank other than the No Proxy for: field. This tells firefox to skip the proxy server when visiting these addresses.

Mozilla Proxy Config

Click OK and then OK to return to the browser. Your web traffic through Firefox will now be tunneled.

When you don’t want to use the proxy any more, head back to this configuration window and set it back to No proxy.

Google Chrome & Internet Explorer

Google Chrome uses Internet Explorer’s proxy settings, so changing the configuration for Internet Explorer will apply to Chrome as well.

Go to Start > Run and type inetcpl.cpl and then hit enter. (In Vista/7, just type that command in the Search programs and files box in the start menu and hit enter.)

Click on the Connections tab and then click LAN settings.

Check the Use a proxy server for your LAN option and then click Advanced.

In the Socks: field, enter 127.0.0.1 and then enter the port you chose earlier in the Port field. (8910 in the example)

IE/Chrome Proxy Settings

Click OK, then OK, and then OK.

Your traffic for IE and Chrome will now be tunneled through the SSH server.

To disable it, just clear the Use a proxy server for your LAN option. The Advanced settings don’t have to be cleared out.
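The same dynamic tunnel from a command line, as an added example that is not part of the original post: it uses OpenSSH’s -D option in place of PuTTY’s Tunnels page, checks that the chosen local port is usable before starting, and then fetches a page through the SOCKS listener to prove traffic really goes through the tunnel. SSH_USER, SSH_SERVER and the test URL are placeholders, and key-based authentication (as described above) is assumed so that ssh can run in the background.

```shell
#!/bin/sh
# Added example: command-line counterpart to the PuTTY dynamic tunnel.
# SSH_USER / SSH_SERVER are placeholders; 8910 is the port used in the post.

# A usable local listening port: numeric and in the unprivileged range.
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Returns 0 if something already listens on the port (ss first, netstat as fallback).
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q ":$1 "
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | grep -q ":$1 "
    else
        return 1
    fi
}

# curl arguments that send both the TCP connection and the DNS lookup through
# the SOCKS proxy (socks5h), so name resolution does not leak outside the tunnel.
socks_curl_args() {
    printf '%s' "--socks5-hostname 127.0.0.1:$1"
}

# Start the tunnel in the background: -N runs no remote command, -D opens the
# dynamic SOCKS listener, bound to loopback so other hosts cannot use it.
start_tunnel() {
    port=$1
    valid_local_port "$port" || { echo "bad port: $port" >&2; return 1; }
    port_in_use "$port" && { echo "port $port already in use" >&2; return 1; }
    ssh -N -D "127.0.0.1:$port" "$SSH_USER@$SSH_SERVER" &
    echo $!   # pid of the ssh process, so it can be killed later
}

# Verify the tunnel by fetching a URL through it; -f turns HTTP errors into failure.
check_tunnel() {
    # shellcheck disable=SC2046  (word splitting of the argument string is intended)
    curl -sfI --max-time 15 $(socks_curl_args "$1") -o /dev/null "$2"
}

if [ "${1:-}" = run ]; then
    : "${SSH_USER:=user}" "${SSH_SERVER:=ssh.example.com}"   # placeholders
    pid=$(start_tunnel 8910) || exit 1
    sleep 3
    if check_tunnel 8910 https://example.com/; then echo "tunnel works"; else echo "tunnel check failed"; fi
    kill "$pid"
fi
```

Run it as `sh tunnel.sh run`. The --socks5-hostname flag matters: a plain --socks5 proxy (or a browser with SOCKS configured but DNS left local) resolves host names on your own machine, so the names you visit are still visible on the untrusted network; in Firefox the equivalent is the "Proxy DNS when using SOCKS v5" checkbox in the same proxy dialog.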


Dynamic ARP Protection in an HP Procurve Network

ARP Poisoning is a problem on Ethernet based networks.

If you have HP Procurve switches and a DHCP enabled network, you have the option of enabling ARP Protection.

In order for ARP Protection to work, DHCP Snooping also has to be enabled. This is because the switch builds a table of MAC to IP pairs based on the address that the DHCP server allocates to clients. Once the switch has this table, it knows which MAC addresses should be allowed to communicate using certain IP addresses.

Configuring ARP Protection is simple, just trust your uplink ports and protect a VLAN. Protection can also be enabled on a port-by-port basis.

First enable DHCP snooping if it hasn’t already been enabled.

switch# config t

Enable it globally

switch(config)# dhcp-snooping

Trust inter-switch links

switch(config)# interface 51

switch(eth-51)# dhcp-snooping trust

switch(eth-51)# exit

switch(config)# interface 52

switch(eth-52)# dhcp-snooping trust

switch(eth-52)# exit

Then protect the specific VLAN that needs to be protected.

switch(config)# dhcp-snooping vlan 2222

Once DHCP-snooping has been configured, arp protection can be enabled.

Enable it globally

switch(config)# arp-protect

Trust inter-switch links

switch(config)# arp-protect trust 51-52

Then protect the specific VLAN that needs to be protected.

switch(config)# arp-protect vlan 2222

This is a very basic overview of dynamic ARP protection. Here are some diagrams to help explain what ARP poisoning is and what ARP protection does to protect against it.

arp poisoning

arp protection

Determine the groups you are a member of in active directory

Issue these commands to determine what groups you are a member of in an Active Directory environment. These will only be groups in Active Directory.

First determine your FQDN.

dsquery user -name username

Then use that to get group membership info.

dsget user outputfromabove -memberof -expand

You must have the adminpak from Microsoft installed on your computer, but you don’t need to be a Domain Administrator to do this.

If you have the adminpak, you can also use the Active Directory Users and Computers snap-in to locate your user and check it that way.

Scripts to Mount and search windows machines

Here are some scripts that I wrote to mount and search bulk windows machines.

mountmachines.sh

#!/bin/bash
# Mount the C$ administrative share of every host listed in machinelist.txt
# under /searchmachines/remote<host>.
cd /searchmachines || exit 1
printf 'Username please: '
read -r username
printf 'Password please: '
read -rs password
echo
while read -r machine; do
    [ -z "$machine" ] && continue
    mkdir -p "remote$machine"
    echo "Attempting to mount $machine..."
    # mount.cifs reads the password from PASSWD, so it never shows up in the
    # process list the way an -o password= option would.
    PASSWD="$password" mount.cifs "//$machine/c\$" "./remote$machine" -o "username=$username"
done < machinelist.txt

This next script searches the machines for NTUSER.DAT files to find users that were logged in during a specific time frame.

search.sh

#!/bin/bash
# Search the mounted shares for NTUSER.DAT files whose modification time
# falls inside a window of days.
cd /searchmachines || exit 1
echo "Enter number of days for oldest file. (4 for no older than 4 days)"
read -r old
echo "Enter number of days for newest file. (2 for at least 2 days old)"
read -r new
echo "Searching..."
# -daystart goes before the tests it affects. -mtime +N means more than N
# days old and -mtime -N means less than N, so this gives new <= age <= old;
# the original "-mtime $new" would have matched only files exactly $new days old.
find . -daystart -name NTUSER.DAT -mtime "+$((new - 1))" -mtime "-$((old + 1))"


Script for a DHCP address renewal

Normally my Internet connection is pretty good; but, once every couple of months, the provider changes something and my current IP address no longer works. The lease, which is set to last 48 hours, doesn’t actually expire. So, I lose internet connectivity until a new renewal. It’s easy to do this by hand, but that doesn’t work when I’m not at home.

This is a script that checks to see if I’m connected to the Internet, and if it fails three times in a row, it connects to the router (pfSense in this case) and performs a DHCP release and renew.

#!/bin/bash
# change to some writeable directory
cd /home/user || exit 1

# check various sites (-s: no progress noise under cron, -m: give up after 15 seconds
# so one hung download cannot stall the whole check)
curl -s -m 15 http://www.msn.com > internetchecksites
curl -s -m 15 http://www.yahoo.com >> internetchecksites
curl -s -m 15 http://www.google.com >> internetchecksites
curl -s -m 15 http://www.cnn.com >> internetchecksites
curl -s -m 15 http://www.cisco.com >> internetchecksites
curl -s -m 15 http://www.hp.com >> internetchecksites

# count the number of lines received over http
# should be tons of crap from one of these alone
sizeofsites=$(wc -l < internetchecksites)

# check to see if there are less than ten lines of HTML
if [ "$sizeofsites" -lt 10 ]; then
    # mark a failure to the failure file
    echo "strike" >> failedchecks
else
    # reset the failure count
    rm -f failedchecks
    touch failedchecks
fi

# if check has failed 3 times run the dhcp renewal process
if [ "$(wc -l < failedchecks)" -ge 3 ]; then
    # 192.168.x.x and somepassword are placeholders for your router and its admin password
    curl -su admin:somepassword http://192.168.x.x/status_interfaces.php -d interface="wan" -d submit="Release" >> pf
    curl -su admin:somepassword http://192.168.x.x/status_interfaces.php -d interface="wan" -d submit="Renew" >> pf
    rm -f pf
fi

exit 0

Now just stick this script in your crontab for every 5 minutes or so.

~$ crontab -e

Add this line

*/5 * * * * /home/user/checkinternetscript.sh

The */5 is for every five minutes.

Make sure the script is executable with a nice chmod +x

The hardest part is determining what commands need to be sent to the HTTP interface on your router for a renewal.

This can be done by viewing the source code on the web page. It can also be done using a packet capture as well.

Make sure other users aren’t adding to your failedchecks file or they can cause a DHCP release/renew.
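A version of the failure-counting logic that closes that last gap, as an added example that is not part of the original post: the strike file lives in a directory only your user can write to, the probe is a HEAD request with a timeout instead of a full page download, and the router credentials come from a 0600 netrc file rather than sitting in the script. STATE_DIR, ROUTER_URL, the probe URLs and the netrc file name are assumptions.

```shell
#!/bin/sh
# Added example: hardened failure counting for the DHCP-renew check.
# STATE_DIR, ROUTER_URL and the probe URLs are placeholders, not from the post.

STATE_DIR=${STATE_DIR:-$HOME/.internetcheck}
STRIKES="$STATE_DIR/strikes"
THRESHOLD=3
ROUTER_URL=${ROUTER_URL:-http://192.168.x.x/status_interfaces.php}   # placeholder

# Create the state directory readable and writable by this user only, so no
# other local user can append strikes and trigger a release/renew.
init_state() {
    umask 077
    mkdir -p "$STATE_DIR"
    chmod 700 "$STATE_DIR"
    [ -f "$STRIKES" ] || : > "$STRIKES"
}

# One probe succeeds if at least one site answers a HEAD request in time.
connectivity_ok() {
    for url in https://www.google.com/ https://www.msn.com/ https://www.cnn.com/; do
        curl -sfI --max-time 10 -o /dev/null "$url" && return 0
    done
    return 1
}

# Record a probe result: "fail" appends a strike, anything else clears the file.
record_result() {
    if [ "$1" = fail ]; then
        echo strike >> "$STRIKES"
    else
        : > "$STRIKES"
    fi
}

strike_count() {
    wc -l < "$STRIKES" | tr -d ' '
}

# True once THRESHOLD consecutive probes have failed.
should_renew() {
    [ "$(strike_count)" -ge "$THRESHOLD" ]
}

# Router credentials live in a mode-0600 netrc file inside STATE_DIR instead
# of the script; the form fields are the ones the post sends to pfSense.
renew_lease() {
    curl -s --netrc-file "$STATE_DIR/router.netrc" "$ROUTER_URL" -d interface=wan -d submit=Release -o /dev/null
    curl -s --netrc-file "$STATE_DIR/router.netrc" "$ROUTER_URL" -d interface=wan -d submit=Renew -o /dev/null
    : > "$STRIKES"   # start counting fresh after a renewal
}

if [ "${1:-}" = run ]; then
    init_state
    if connectivity_ok; then record_result ok; else record_result fail; fi
    should_renew && renew_lease
fi
```

The netrc file holds one line, `machine 192.168.x.x login admin password ...`, and must be created with `chmod 600`; the same cron entry as above, pointed at `this_script.sh run`, drives it.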

Nice way to kill your unresponsive linux system

Sometimes when a Linux system is unresponsive it seems like your only option is to hold down the power button.

Follow these key combos for a less risky reboot.

Hold down Alt + SysRq and press, in this order: R (raw keyboard mode), S (syncs disks), E (terminates all processes), I (kills the stragglers), U (remounts file systems read-only), B (reboots).

Give it lots of time to Sync the Disks and do it one more time after killing the processes to play it safe.

There she be. Careful, it’s a lot of fun.

Reboot System Even If Utterly Broken
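Whether the sequence will actually work depends on the kernel.sysrq sysctl, which is either 0 (off), 1 (everything) or a bitmask of allowed function groups; on distributions that ship a default of 176 only S, U and B are permitted and R, E and I are silently ignored. The following is an added example, not part of the original post, that decodes a mask against the bit values documented in the kernel’s admin-guide/sysrq.rst and reports which keys of the sequence are usable.

```shell
#!/bin/sh
# Added example: decide from the kernel.sysrq bitmask whether each key of the
# R E I S U B sequence is permitted (bit values from Documentation/admin-guide/sysrq.rst).

# Bit that guards a given SysRq key.
sysrq_bit_for() {
    case "$1" in
        r|k) echo 4 ;;     # keyboard control: unRaw, SAK
        s)   echo 16 ;;    # Sync
        u)   echo 32 ;;    # remount read-only (Unmount)
        e|i) echo 64 ;;    # signalling processes: tErm, kIll
        b|o) echo 128 ;;   # reBoot, pOweroff
        *)   return 1 ;;
    esac
}

# "yes" if MASK permits KEY: 0 disables everything, 1 enables everything,
# any other value is treated as a bitmask.
sysrq_allows() {
    mask=$1 key=$2
    bit=$(sysrq_bit_for "$key") || { echo unknown; return 1; }
    if [ "$mask" -eq 0 ]; then echo no
    elif [ "$mask" -eq 1 ]; then echo yes
    elif [ $((mask & bit)) -ne 0 ]; then echo yes
    else echo no
    fi
}

# Report which keys of the emergency sequence the mask allows.
reisub_report() {
    mask=$1
    for key in r e i s u b; do
        printf '%s: %s\n' "$key" "$(sysrq_allows "$mask" "$key")"
    done
}

# "yes" only when the full sequence is possible.
reisub_possible() {
    for key in r e i s u b; do
        [ "$(sysrq_allows "$1" "$key")" = yes ] || { echo no; return 0; }
    done
    echo yes
}

# Check the running kernel: sh sysrq_check.sh run
if [ "${1:-}" = run ] && [ -r /proc/sys/kernel/sysrq ]; then
    cur=$(cat /proc/sys/kernel/sysrq)
    echo "kernel.sysrq = $cur"
    reisub_report "$cur"
    echo "full REISUB possible: $(reisub_possible "$cur")"
fi
```

Because anyone at the console can trigger these functions, the same mask is also what you tighten (via /etc/sysctl.d) on machines where physical access is not trusted.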

Living wild and free

So now you have key-based authentication setup for remote administration of your servers and you really want to crank up the laziness factor.

Remembering a password sucks, especially if you’ve eliminated them for logons. Now you only need it for sudo commands, right? NOT AFTER THIS DANDY!!

Every time you need to run something that requires root privileges, you have to type sudo and then your password if you haven’t used the command recently.

Lets quit beating around the bush and get some work done.

~$ sudo visudo

If your user name isn’t already in the config, scroll down and add this line at the bottom. If it is, just modify it to fit this format (specifically the NOPASSWD: )

username ALL=NOPASSWD: ALL

Then save it and quit. Now you’re good to go! No more pesky password.

This makes your private key very important to protect, especially if you didn’t put a passphrase on it.
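A quick way to find out which machines already carry that rule, as an added example that is not part of the original post: it strips comments and blank lines from a sudoers file and prints every entry that waives the password for ALL commands (or disables authentication outright), so the blanket rule above can be spotted and narrowed to the few commands that really need it. The sample sudoers text is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: flag sudoers entries that waive the password check entirely.

# Print every active line granting NOPASSWD on ALL commands, or disabling
# authentication via !authenticate. Lines starting with "#" followed by a digit
# are uid-based user specs, not comments, so they are kept.
audit_sudoers() {
    sed -e '/^[[:space:]]*#[^0-9]/d' -e 's/[[:space:]]#.*//' -e '/^[[:space:]]*$/d' "$1" \
        | grep -E 'NOPASSWD:[[:space:]]*ALL([[:space:]]|$)|!authenticate'
}

# Number of such entries (0 when the file is clean).
risky_rule_count() {
    audit_sudoers "$1" | wc -l | tr -d ' '
}

# Constructed sample: the post's rule beside a narrower alternative that only
# waives the password for one specific command.
sample_sudoers() {
    cat <<'EOF'
# comment line, NOPASSWD: ALL here must be ignored
root     ALL=(ALL:ALL) ALL
username ALL=NOPASSWD: ALL
%admin   ALL=(ALL) ALL
deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
Defaults:ops !authenticate
EOF
}

# Usage: sh sudoers_audit.sh run [/etc/sudoers]   (needs read access to the file)
if [ "${1:-}" = run ]; then
    f=${2:-/etc/sudoers}
    echo "risky rules in $f: $(risky_rule_count "$f")"
    audit_sudoers "$f"
fi
```

Drop-in files under /etc/sudoers.d need the same check, and `visudo -c` remains the authority on whether a file parses; this script only highlights what to look at.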