Thursday, August 20, 2009
Citrix XenApp Web Interface running on Linux
I have successfully implemented the Citrix XenApp web interface on Linux. I have taken the liberty of developing an install script for Red Hat Enterprise Linux 5; if you need help, please contact me via email.
Saturday, September 27, 2008
Lian Li F1b
I have submitted a review inquiry with Lian Li, hopefully I get a response, if so I'll have a nice review for all of you. I am currently preparing reviews for 5 Razer products coming soon.
Monday, October 1, 2007
Properly securing SSH.
If you are like me, you work in a corporate environment where SSH is needed not just by you but by several other administrators or application administrators, so shutting down SSH or changing its port isn't an option. You're in luck: after much research and a lot of brainstorming I think I've come up with a very good result. If you've ever checked your system logs (/var/log/secure) you may have noticed copious amounts of failed SSH login attempts; that may be why you're searching for new tactics to stop the SSH brute-force attempts.
The first thing we'll do is set up iptables rules. If you're running a Red Hat box, edit /etc/sysconfig/iptables (vi /etc/sysconfig/iptables) and insert the following. Don't forget to add or remove the services you need opened.
# resides in /etc/sysconfig/iptables
# Written by Nate Dobbs for NS1 and NS2
# If tables need to be flushed execute
# /usr/sbin/iptables_flush.pl
# Firewall Rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Handle loopback addresses
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow our own pings out, and let only the replies to them (ESTABLISHED,RELATED) back in;
# every other inbound ICMP request from the world is dropped. The accept must come before
# the blanket drop: iptables stops at the first terminating match, so a drop placed above
# it would shadow the accept and no echo-reply would ever get through.
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j DROP
# Allow outbound packets if state related, and inbound if established
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop stealth scans
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
# open ports for some services
# open ssh (sshd listens on TCP only; the UDP rule opens nothing useful and can be omitted)
-A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
-A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
# open DNS
-A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --dport 53 -j ACCEPT
# Open Webmin (also TCP only; the UDP rule can be omitted)
-A INPUT -p tcp -i eth0 --dport 10000 -j ACCEPT
-A INPUT -p udp -i eth0 --dport 10000 -j ACCEPT
# Define policy - DROP
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
COMMIT
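Rule order decides what a ruleset like the one above actually does: the first terminating match in a chain wins, so an unconditional `-p icmp -j DROP` sitting above the `ESTABLISHED,RELATED` accept would make that accept unreachable and silently kill the replies to your own pings. The following is an added example (not code from the post) that parses the `-A` lines of this iptables-save format and reports any rule that an earlier terminating rule in the same chain fully shadows; it models only -p, -i, -o, --dport and --state, treats TCP flag matches conservatively, and the sample ruleset is constructed.

```python
"""Find rules an earlier terminating rule fully shadows (added example, not from the post)."""
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
ANY = None  # wildcard: the rule does not constrain this field
# One-argument options mapped onto the match fields this checker models
TWO_ARG = {"-A": "chain", "-p": "proto", "-i": "in", "-o": "out",
           "--dport": "dport", "-j": "target"}

def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to the match fields this checker models."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": ANY, "in": ANY, "out": ANY,
            "state": ANY, "dport": ANY, "opaque": False, "target": None}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in TWO_ARG:
            rule[TWO_ARG[t]] = toks[i + 1]; i += 2
        elif t == "--state":
            rule["state"] = frozenset(toks[i + 1].split(",")); i += 2
        elif t == "--tcp-flags":
            rule["opaque"] = True; i += 3   # flag masks are not modelled
        elif t in ("!", "--syn"):
            rule["opaque"] = True; i += 1
        else:
            i += 1                           # -m state, -m tcp, 'state', 'tcp' ...
    return rule

def covers(a, b):
    """True when every packet rule b could match is already matched by rule a."""
    if a["opaque"]:
        return False                         # conservative: a flag rule never 'covers'
    for key in ("proto", "in", "out", "dport"):
        if a[key] is not ANY and a[key] != b[key]:
            return False
    if a["state"] is not ANY:
        if b["state"] is ANY or not b["state"] <= a["state"]:
            return False
    return True

def shadowed_rules(ruleset):
    """Return (earlier_rule, dead_rule) pairs; dead_rule can never be reached."""
    rules = [(ln.strip(), parse_rule(ln)) for ln in ruleset.splitlines()
             if ln.strip().startswith("-A ")]
    dead = []
    for j, (line_b, b) in enumerate(rules):
        for line_a, a in rules[:j]:
            if (a["chain"] == b["chain"] and a["target"] in TERMINATING
                    and covers(a, b)):
                dead.append((line_a, line_b))
                break
    return dead

# Constructed excerpt with the ICMP drop placed above the ESTABLISHED,RELATED accept
SAMPLE = """
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"""
```

Running `shadowed_rules(SAMPLE)` reports the ICMP accept as unreachable; swapping the two ICMP lines makes the report empty.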
You may have noticed the iptables flush script referenced in the comment header of the rules above; I'll include it here as well. Note that it resets every policy to ACCEPT before flushing, so the host is unfiltered from that moment until you reload the rules.
#!/usr/bin/perl -w
# This is an IPTABLES flushing script
# Written by Nate Dobbs
# Feel free to redistribute and/or modify at will
# Please give all props to the original author/s!
use strict;
use warnings;

# Ask for confirmation; an empty answer defaults to Yes
print "Welcome to the IPTABLES-Flush script!\n";
print "Reset all policies to ACCEPT and flush every chain? [Y/n] ";
my $answer = <STDIN>;
chomp $answer;
$answer = "Y" if (length($answer) == 0);
if ($answer =~ /^[Yy]/) {
    print "Starting the IPTABLES-FLUSHING process!\n";
}
else {
    print "Aborting script..\n";
    exit 1;    # stop here; without this the script would flush anyway
}

# Declare Vars (the name must match the one interpolated into the commands below)
my $IPTABLES = "/sbin/iptables";
my %iptables_hash = (
    # open the filter table's built-in chains
    reset_policy => "
        $IPTABLES -P INPUT ACCEPT;
        $IPTABLES -P FORWARD ACCEPT;
        $IPTABLES -P OUTPUT ACCEPT",
    # open the mangle table's built-in chains
    reset_policy_mangle => "
        $IPTABLES -t mangle -P PREROUTING ACCEPT;
        $IPTABLES -t mangle -P POSTROUTING ACCEPT;
        $IPTABLES -t mangle -P INPUT ACCEPT;
        $IPTABLES -t mangle -P OUTPUT ACCEPT;
        $IPTABLES -t mangle -P FORWARD ACCEPT",
    # flush every rule from the filter, nat and mangle tables
    flush_tables => "
        $IPTABLES -F;
        $IPTABLES -t nat -F;
        $IPTABLES -t mangle -F",
    # delete all user-defined (non-default) chains
    reset_all_non_default_chains => "
        $IPTABLES -X;
        $IPTABLES -t nat -X;
        $IPTABLES -t mangle -X"
);

# Each step runs through the shell; system() returns 0 on success
print "Resetting policies\n\n";
system($iptables_hash{'reset_policy'}) == 0 or warn "reset_policy failed: $?\n";
sleep 5;
print "done!\n";
print "Resetting mangle policies\n\n";
system($iptables_hash{'reset_policy_mangle'}) == 0 or warn "reset_policy_mangle failed: $?\n";
sleep 5;
print "done!\n";
print "Flushing filter, NAT and mangle tables\n";
system($iptables_hash{'flush_tables'}) == 0 or warn "flush_tables failed: $?\n";
sleep 5;
print "done...\n";
print "And finally deleting all non-default chains\n";
system($iptables_hash{'reset_all_non_default_chains'}) == 0 or warn "chain removal failed: $?\n";
print "Script is completed\n";
exit 0;
Now that we've got proper iptables rules, it's time to edit /etc/hosts.deny and add the following.
ALL: ALL
Now edit /etc/hosts.allow and allow each IP, or an entire subnet, of trusted users. You will have to explicitly allow access to each service that is open in iptables, such as named, httpd, etc. You can use ALL: ALL if you need unlimited access to a particular server. I would recommend allowing access to services such as ssh only on a domain-trusted basis.
# Only daemons that consult tcp_wrappers (libwrap) honour these entries; sshd does.
named: ALL
httpd: ALL
# The daemon name is sshd (the process name), not ssh, and the leading period is ESSENTIAL:
# it matches any client whose resolved hostname ends in .yourdomain.com
sshd: .yourdomain.com
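Before deciding whom to trust, it helps to see what /var/log/secure actually records. The following is an added example (not from the post) that scans sshd "Failed password" lines for sources with repeated failures inside a short window and renders matching hosts.deny entries for sshd; the log lines are constructed, and the threshold, window and year are assumptions.

```python
"""Summarise sshd brute-force attempts from /var/log/secure (added example, not from the post)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd "Failed password" line as written by syslog on a RHEL-era box (no year in the timestamp)
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failures(lines, year=2007):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> total failures, for sources with >= threshold failures
    inside any sliding window of the given length (assumed defaults)."""
    per_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines):
        per_ip[ip].append(ts)
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                hits[ip] = len(times)
                break
    return hits

def hosts_deny_lines(hits):
    """Render tcp_wrappers entries refusing sshd to each offending source."""
    return [f"sshd: {ip}" for ip in sorted(hits)]

# Constructed sample: one noisy source and one legitimate user who mistyped once
SAMPLE_LOG = """\
Oct  1 03:12:01 ns1 sshd[2201]: Failed password for root from 198.51.100.23 port 41022 ssh2
Oct  1 03:12:04 ns1 sshd[2203]: Failed password for invalid user admin from 198.51.100.23 port 41030 ssh2
Oct  1 03:12:07 ns1 sshd[2205]: Failed password for invalid user oracle from 198.51.100.23 port 41041 ssh2
Oct  1 03:12:10 ns1 sshd[2207]: Failed password for root from 198.51.100.23 port 41055 ssh2
Oct  1 03:12:13 ns1 sshd[2209]: Failed password for root from 198.51.100.23 port 41060 ssh2
Oct  1 09:01:00 ns1 sshd[2401]: Failed password for jdoe from 192.0.2.10 port 51100 ssh2
Oct  1 09:01:20 ns1 sshd[2403]: Accepted password for jdoe from 192.0.2.10 port 51104 ssh2
"""

if __name__ == "__main__":
    for entry in hosts_deny_lines(offenders(SAMPLE_LOG.splitlines())):
        print(entry)
```

The single mistyped password from 192.0.2.10 stays below the threshold, so only the noisy source is rendered.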
Don't forget to enable iptables at boot time:
chkconfig --level 345 iptables on
Now restart the service and list the loaded rules:
service iptables restart
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
DROP tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,RST/FIN,RST
DROP tcp -- anywhere anywhere tcp flags:FIN,ACK/FIN
DROP tcp -- anywhere anywhere tcp flags:ACK,URG/URG
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:10000
ACCEPT udp -- anywhere anywhere udp dpt:10000
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
Thursday, May 10, 2007
Installing Citrix on Linux (Ubuntu)
I've recently installed Citrix v10.0 on my laptop running Ubuntu Feisty 7.4. I had heard this was a very daunting task, but I only experienced one issue, and it was resolved very quickly after a Google search. I'm going to spare the screenshots for security purposes; I think it'd be pretty taboo to post pictures of me logging into a secure site, eh?
1.) Download Citrix v10.0 (en.linuxx86.tar.gz). You can choose a different install folder when prompted; I chose /usr/lib/ICAClient.
2.) $sudo apt-get install libxaw6 libmotif3
3.) $sudo tar xvfz en.linuxx86.tar.gz
4.) $sudo ./setupwfc
# Now we're at the Citrix Installation
Citrix Presentation Server Client 10.0 setup.
Select a setup option:
1. Install Citrix Presentation Server Client 10.0
2. Remove Citrix Presentation Server Client 10.0
3. Quit Citrix Presentation Server Client 10.0 setup
Enter option number 1-3 [1]:1
- Enter 1. Install Citrix Presentation Server Client 10.0
Please enter the directory in which Citrix
Presentation Server Client is to be installed.
[default /usr/lib/ICAClient] or type "quit"
to abandon the installation: /usr/lib/ICAClient
You have chosen to install Citrix Presentation Server
Client 10.0 in /usr/lib/ICAClient
Proceed with installation? [default n]: y
- Enter: Y to continue
CITRIX(R) LICENSE AGREEMENT
Use of this component is subject to the Citrix license
covering the Citrix product(s) with which you will be
using this component. This component is only
licensed for use with such Citrix product(s).
CTX_code EP_T_A34320
Select an option:
1. I accept
2. I do not accept
Enter option number 1-2 [2]: 1
Installation proceeding...
Checking available disk space ...
Disk space available 588136 K
Disk space required 4964 K
Continuing ...
Creating directory /usr/lib/ICAClient
Core package...
Setting file permissions...
Integrating with browsers...
Browsers found.
Found entries in browser configuration(s) from an earlier
installation. Do you want these entries to point to the
new installation? [default y]: y
- Enter: y to integrate with your Mozilla Firefox browser
Integration complete.
Found KDE or GNOME desktop entries from an earlier
installation. Do you want these entries to point to
the new installation? [default y]: y
- Run
$chmod +x citrix-icaclient-10-ubuntu
export ICAROOT=/usr/lib/ICAClient
sudo bash citrix-icaclient-10-ubuntu
citrix.sh Version 0.7
Patching Citrix ICAClient 10.0 on Ubuntu 7.04,
continue [y/N] ?: y
Using ICAROOT=/usr/lib/ICAClient
patching file nls/en/UTF-8/Wfcmgr
patching file nls/en/Wfcmgr
DONE
- Close and reopen your Mozilla Firefox browser to make sure it loads the proper Citrix plugins.
- Connect to your Citrix server and choose your application.
- Once prompted, enter "/usr/lib/wfica" to open your application; if required, choose "always use this app for this type of file".
Finally, add the Thawte root certificate to the client's CA keystore:
1.) cd /usr/lib/ICAClient/keystore/cacerts
2.) sudo wget www2.slac.stanford.edu/computing/windows/services/citrix/downloads/ThawteRoot.crt
Since this fetches a trust anchor over plain HTTP, compare the file's fingerprint against the one Thawte publishes before relying on it.
Friday, May 4, 2007
Peer-to-peer and Bit-Torrent Security concerns.
I was inspired to write this blog when a friend emailed me asking questions about his safety when using BitTorrent clients. This really depends on what type of security you're asking about; there are several different angles. By the way, this friend is a VERY tech-savvy person and a pure genius for that matter. The reason I was compelled to write this is that it's a very common question that most people don't bother researching or taking into consideration.
Q: Am I safe from viruses?
A: BitTorrent is a much safer service than other peer-to-peer networks because of how it functions. While other peer-to-peer services allow a certain degree of access to a shared folder or someone's hard drive, BitTorrent users cannot share anything outside of the desired file type that is in an open BitTorrent window.
Because you are only downloading segments of the file as opposed to the full thing, it is also incredibly difficult (if not impossible) to transmit viruses through the BitTorrent system. There are a number of people who are opposed to peer-to-peer technologies because of possible security concerns; however, virtually none of these concerns are found in the BitTorrent service.
Q: Is using BitTorrent software illegal?
A: No, but you can make it illegal by downloading pirated software, movies or music. Many software developers prefer BitTorrent because seeders share their bandwidth, which lessens the load on the developers' servers and increases download speeds for everyone.
Q: How do I protect myself from the MPAA/RIAA?
A: This is a very interesting question. For one, the best way is NOT TO DOWNLOAD ILLEGAL FILES. But of course there are some ways of protecting yourself. The main thing I recommend is installing and using PeerGuardian; this application is only available for the Windows platform ATM. If you're a *NIX user I recommend checking out MoBlock.
Link to PeerGuardian
Link to MoBlock
Please note that MoBlock actually hooks in and creates new iptables rules, so make sure you have access to your terminal (especially if you want to put this on your Linux router, since the new rules could flush your existing NAT rules).
There are ways to keep yourself safe, support the cause and never violate your own morals. * I DO NOT CONDONE ILLEGAL ACTIVITIES *
Monday, April 30, 2007
Beryl - More than just eye candy!
I officially installed Beryl on my Ubuntu machine, and I must say I'm pretty surprised by the sheer beauty of this window manager! It's much smoother than Vista's 'Aero' window manager: while moving things around, flipping the 'cube' around rapidly and wobbling windows I notice no lag at all, whereas on Vista I felt a lot of jerkiness and overall poor performance. Pretty sad IMHO.
My machine is as follows (posted in another forum);
AMD FX-55 OC'd 2.9ghz
ASUS A8N-SLI Deluxe
Zalman 110mm Heatsink
2gb Corsair XMS TWINX DDR 400
74gb Seagate Barracuda 15kRPM U320 SCSI
eVA 7900 GTO -OC'd clock and RAM 700/800
20.1" Samsung widescreen LCD 205BW
Razer Copperhead 2k DPI gaming mouse
Razer Tarantula Gaming Keyboard
ThermalTake TSUNAMI DreamTower
ThermalTake 480w Purepower Silent PSU
Xfi 7.1 sound
Klipsh 5.1 pro-media speakers
18582 3dmarks with 3dmark05
Still need to OC my RAM, I will post the new 05 '06 scores.
CPU Idles at 35*C max load so far has reached 44*C
GPU idles at 38*C max 50*C
My machine is pretty beefy, but this isn't the reason the performance is so good: I had Vista on this machine for a short time to give it a run, and I had tremendous issues with drivers and overall system performance. Shame on you Microsoft; XP is better than Vista ATM!
I upgraded to Ubuntu Feisty Fawn; after the first reboot GDM wouldn't start. I checked dmesg and noticed that Feisty Fawn ships with older nvidia drivers, so I pointed it at my previously installed (newer) drivers and BAM, GDM is up again! Now for the install/configuration of Beryl.
Install Beryl in Ubuntu Feisty
sudo apt-get install beryl emerald-themes
Pressed ALT+F2 and typed beryl-manager
Now it's up and running, wo0t! Added it to the start menu and I'm good to go. One thing: you can't game while running the Beryl window manager, but there is an option to switch back to your default window manager (I do this while gaming) and then switch back; it's pretty seamless and very rapid.
Here are some screenshots of Beryl in action!
Tuesday, April 24, 2007
Putting Linux on my Linksys WRT54G V5 router.
I've been pondering doing this for some time: putting Linux on my Linksys router. Some people may say I'm crazy with my recent all-out switch to Linux. I can't stress how much this means to me, just to get away from the proprietary chains. Microsoft products are crap; it takes years to get a platform that's decent, and by the time it's actually stable and usable there is another platform being launched. Nothing like Vista; I don't think I've ever seen Microsoft this aggressive.
I don't know about you, but I don't want to be a forced beta tester, especially when I'm not being paid. I recently got a laptop for free from a friend of mine; he purchased this laptop used about a year ago, and since then it's been giving him nothing but trouble. I have tried several times to diagnose the issues, once I even formatted it, with no luck. Needless to say he bought a new laptop with x64 XP; it's very nice.
I took this laptop home and attempted to install Gentoo; after 2 days of compiling I gained a lot of interest in Kubuntu. I currently have an Ubuntu gaming box which serves as my main machine. Well, I needed wireless. I have a few Linksys routers/APs lying around the house these days, so I whipped one out and attempted to install it on my domain. To my dismay Linksys doesn't make it so easy: the router isn't compatible with other routers, not even using uplink and disabling DHCP.
So what else to do? INSTALL DD-WRT!! The v5 access points are not as friendly; the community refers to these as 'neutered' because they have half the cache and RAM of their big brothers v4, 3, 2 and 1. I started to gather some information about which packages I needed to get this working.
First I reset the router to factory settings, then I went to the Administration tab > Firmware Upgrade. I proceeded with the upgrade, the screen went white and I hard-rebooted the router. Now I connect to the router's IP via HTTP once again, see that I'm in management mode, and proceed with the install of the Linux Prep package.
Now the fun begins: after one more reboot the router is basically in a limbo mode. Generally, if I were using a Windows box I would just download the TFTP client that Linksys has available, which would have saved a few quick steps; here is what I had to do:
# cd /home/misconfig/
tftp 192.168.1.1
tftp>binary
tftp>trace
tftp>rexmt 1
tftp>put dd-wrt.v23_micro_generic.bin
From this point on I saw the raw binary being written via the shell, so I started to get pretty excited. After about 10 seconds nothing was moving, so I hard-rebooted once more. Now I was able to connect to the web interface and set up my new access point! LINUX FTW!! Now I'm not limited to any default settings; I have full access to customize whatever I feel like.