Etikettarkiv: configuration

Setting up MSMTP for Protonmail

This is the config that worked for me.

First generate an SMTP token and a separate address for the system to use within Protonmail, otherwise this is not going to work without installing mail-bridge or something similar.

This will be special@domain.com

MSMTP Configuration file

Configuration file is /etc/msmtprc
File owner should be root:msmtp
File permissions 0660

defaults
tls on

account default
  host smtp.protonmail.ch
  port 587
  from special@domain.org
  set_from_header on
  auth on
  user special@domain.org
  password SMTP_TOKEN_GOES_HERE
  auth plain

Installation

Install the following components:

sudo apt install msmtp msmtp-mta mailutils bsd-mailx

Configuration

Edit the configuration file for mail /etc/mail.rc and add the following line to it:

set mta=/usr/bin/msmtp

You may also set up aliases if you like in the file /etc/aliases where you can add lines such as:

root: master@domain.org
caroline: caroline@example.com
defaul: admin@domain.org

Ubuntu persistent network interface names

In Ubuntu 16.x the systemd is used more than in the previous versions. This also means it is now responsible for setting up your network cards. Many people have been sort of surprised that their eth0 have changed to something like enp0s25. This is of course an improvement from before, there was no real telling in which order NICs would be assigned names so potentially a hardware change could offset eth0 and eth1 and so on.

The new way is actually not too bad but if you like me do a lot of manual configurations on the fly to the network interfaces their names can be tedious to type and also remember. But of course there is a rather simple mechanism to change this so you can select your own names for the interfaces such as lan0 and dmz1 or why not wifi plain and simple if there is never to be any more than one wifi card in the computer.

This is a step-by step guide that was tested under Ubuntu 16.10 and worked for me. Please leave your comments if you have problems, improvements or any such things to add.

Getting the names

First of all we need to find out what the names of the NICs we have in the system actually are. Here is a dump from my laptop using the ifconfig command to list all interfaces:

root@kraken:~# ifconfig -a
enp0s25: flags=4098<BROADCAST,MULTICAST> mtu 1500
 ether f0:de:f1:8d:89:fe txqueuelen 1000 (Ethernet)
 RX packets 0 bytes 0 (0.0 B)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 0 bytes 0 (0.0 B)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
 device interrupt 20 memory 0xf2a00000-f2a20000

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
 inet 127.0.0.1 netmask 255.0.0.0
 inet6 ::1 prefixlen 128 scopeid 0x10<host>
 loop txqueuelen 1 (Local Loopback)
 RX packets 3143 bytes 204307 (204.3 KB)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 3143 bytes 204307 (204.3 KB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.168.1.3 netmask 255.255.255.0 broadcast 192.168.1.255
 inet6 fe80::846f:cc3d:2984:d240 prefixlen 64 scopeid 0x20<link>
 ether 00:24:d7:f0:a3:a4 txqueuelen 1000 (Ethernet)
 RX packets 4600 bytes 5069857 (5.0 MB)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 3348 bytes 592050 (592.0 KB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wwp0s29u1u4i6: flags=4098<BROADCAST,MULTICAST> mtu 1500
 ether 02:80:37:ec:02:00 txqueuelen 1000 (Ethernet)
 RX packets 0 bytes 0 (0.0 B)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 0 bytes 0 (0.0 B)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

We are looking for two things in the above, the MAC address and the name of the network interface card we want to rename. The NICs we have here are named after the type of card, the bus it is attached to etc. What used to be called eth0 is now referred to as enp0s25 and wlan0 is wlp3s0 and there is also a WAN card in the machine called wwp0s29u1u4i6 which definitely is a mouthful.

Okay, so we would like to rename these to more sensible names. First we pick the names such as eth0, wlan0, wan0 etc. Then we note down the MAC address of each card. You find this highlighted in red in the above dump next to the keywork ”ether”. Once we have that we can tell the systemd to rename the cards in the way we want. By connecting the name to the MAC address it should also be persistent and not affected by inserting a new card into the computer system.

In directory /etc/systemd/network we will create the following files:

root@kraken:/etc/systemd/network# ll
 total 20
 drwxr-xr-x 2 root root 4096 Dec 11 04:28 ./
 drwxr-xr-x 5 root root 4096 Nov 24 15:03 ../
 -rw-r--r-- 1 root root 55 Dec 6 23:44 01-eth0.link
 -rw-r--r-- 1 root root 56 Dec 6 23:39 02-wifi.link
 -rw-r--r-- 1 root root 55 Dec 6 23:40 03-wan.link

These link files can be used to match a device and then change its parameters. So they consists of a matching section and then a link section. The first one called 01-eth0.link contains the following lines:

[Match]
  MACAddress=f0:de:f1:8d:89:fe

[Link]
  Name=eth0

We can then create the other ones in the same way. When we are done with that we need to do two things. First we need to update the initial ram file system in boot because some of these may already be up during boot time (such as eth0). This is done with the following command:

root@kraken:/etc/systemd/network# update-initramfs -u
 update-initramfs: Generating /boot/initrd.img-4.8.0-30-generic
 W: Possible missing firmware /lib/firmware/i915/kbl_guc_ver9_14.bin for module i915
 W: Possible missing firmware /lib/firmware/i915/bxt_guc_ver8_7.bin for module i915
 W: mdadm: /etc/mdadm/mdadm.conf defines no arrays.

Once we have done this we can reboot our computer.

When up again we can check the network names again:

anders@kraken:~$ ifconfig -a
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
 ether f0:de:f1:8d:89:fe txqueuelen 1000 (Ethernet)
 RX packets 0 bytes 0 (0.0 B)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 0 bytes 0 (0.0 B)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
 device interrupt 20 memory 0xf2a00000-f2a20000

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
 inet 127.0.0.1 netmask 255.0.0.0
 inet6 ::1 prefixlen 128 scopeid 0x10<host>
 loop txqueuelen 1 (Local Loopback)
 RX packets 1732 bytes 110296 (110.2 KB)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 1732 bytes 110296 (110.2 KB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wan0: flags=4098<BROADCAST,MULTICAST> mtu 1500
 ether 02:80:37:ec:02:00 txqueuelen 1000 (Ethernet)
 RX packets 0 bytes 0 (0.0 B)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 0 bytes 0 (0.0 B)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
 inet 192.168.1.3 netmask 255.255.255.0 broadcast 192.168.1.255
 inet6 fe80::1ed7:d5ac:433d:70c5 prefixlen 64 scopeid 0x20<link>
 ether 00:24:d7:f0:a3:a4 txqueuelen 1000 (Ethernet)
 RX packets 93 bytes 71048 (71.0 KB)
 RX errors 0 dropped 0 overruns 0 frame 0
 TX packets 137 bytes 18113 (18.1 KB)
 TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

As you can see we now have eth0, wlan0 and wan0 instead of the default names. So if you like me work from the command line mainly you will be happy that ifconfig eth0 now works just like it did before the systemd entered the scene and if you have firewall scripts you can of course rename your interface to something that is useful to you such as lan, wan and dmz or whatever makes sense.

IP-Tables control of traffic by Country

Recently I have had quite a few bouts with people trying all sorts of nefarious things with my VPS from various places in the world. I realized the best way is to take whole countries out of the equation and I wanted to make this a nice easy way of doing this.

First of all, I soon realized that I needed to be a little bit restrictive but since some of the domains that runs on the server is probably legitimately accessed I wanted to divide all countries up in three categories:

0 – No restrictions
1 – Restricted access, basically just allowing ICMP and http on port 80
2 – Complete blocking, drop all packets

So countries in the 0 class would be Sweden and all countries where there is a reasonable legal system and where I have not yet seen too many attempts on the security from. Class 1 would be places like Russia, where there are legit traffic but also a lot of crap coming from and Class 2 would be china where there is likely no legit traffic and still a lot of attempts on the security.

First of all, you need to get hold of a zone file divided on country by country. This is also called a CIDR file (Classless Internet Domain Routing) where all the IP blocks assigned on an international level are put in the right file. You can find this here. Just download the file with all the blocks in and keep it somewhere. You may want to refresh this now and then, say on a montly basis or so.

I am assuming you already have an iptables script file and that you are just looking at adding this functionality. Open the script file and add the following to it

# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!
echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
  echo "Processing k-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

This script should be placed before any rules that will allow any traffic what so ever!

After this part you place the rules that allows any traffic you wish to allow from the restricted countries and then you place this after those rules:

# Restricted hosts here from CIDR files in the restricted session
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries
echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
  echo "Processing r-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

Now you should create the following directories:

sudo mkdir /etc/iptables
sudo mkdir /etc/iptables/banned-hosts/
sudo mkdir /etc/iptables/restricted-hosts/

Explode the file you downloaded with all the IP Blocks in country by country into the /etc/iptables/banned-hosts/ directory and you should get a bunch of files called af.zone, al.zone and so on. Each of these referrs to a ISO 2 letter country code.

Do not run the iptables script at this point. Start by removing the file for your own country. In my case that would be se.zone for Sweden. Your mileage may vary here. Refer to this page if you do not know the country codes (which are the same as these countries internet domains).

Delete the files that you do not wish to impose any restrictions on.

Move the files for the countries you want to restrict to the /etc/iptables/restricted-hosts/ dir.

Anything remaining when you are done in the /etc/iptables/banned-hosts/ will be denied access when you run your iptables script.

So run the script now, it may take some time.

When you are done run the command iptables-save > /etc/iptables/tables to save your iptables then add the line in /etc/rc.local or some other similar place iptables-restore < /etc/iptables/tables in order to automatically load your tables on boot time.

Full example

echo "### IP-tables ###"

IPTABLES=/sbin/iptables

echo "Default policies."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

echo "Flushing old rules"
$IPTABLES -F
$IPTABLES -X

echo "Create LOGDROP chain"
$IPTABLES -N LOGDROP
$IPTABLES -A LOGDROP -j LOG --log-prefix "IPT: DROP " --log-level 7
$IPTABLES -A LOGDROP -j DROP

echo "Create LOGACCEPT chain"
$IPTABLES -N LOGACCEPT
$IPTABLES -A LOGACCEPT -j LOG --log-prefix "IPT: ACCEPT " --log-level 7
$IPTABLES -A LOGACCEPT -j ACCEPT

echo "Create INVALIDDROP chain"
$IPTABLES -N INVALIDDROP
$IPTABLES -A INVALIDDROP -j LOG --log-prefix "IPT: INVALID " --log-level 7
$IPTABLES -A INVALIDDROP -j DROP

echo "Killfile certain IP chain"
$IPTABLES -N BANNED
$IPTABLES -A BANNED -j LOG --log-prefix "IPT: BANNED " --log-level 7
$IPTABLES -A BANNED -j DROP

echo "Create a country block chain"
$IPTABLES -N CBLK
$IPTABLES -A CBLK -j LOG --log-prefix "IPT: CBLK " --log-level 7
$IPTABLES -A CBLK -j DROP

# Loop over all lists of banned networks
# Any rules below this will not work on these ranges as they will
# drop before they reach any other rule. If you want to open some ports
# even for banned countries, then you need to put those rules in front
# of this rule!

echo "Kill line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/banned-hosts/*
do
 echo "Processing k-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

echo "Enabling ICMP"
$IPTABLES -A INPUT  -p icmp -j LOGACCEPT
$IPTABLES -A OUTPUT -p icmp -j LOGACCEPT

echo "Enabling http on standard port"
$IPTABLES -A INPUT  -p tcp --dport http -m state --state NEW         -j LOGACCEPT
$IPTABLES -A INPUT  -p tcp --dport http -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport http -m state --state ESTABLISHED -j ACCEPT

# Restricted hosts here from CIDR files in the restricted session
# these guys will only be able to do ICMP and http, nothing else
# and that should be quite a few countries

echo "Restrict line certain CIDR, one way of blocking suspect countries!"
for f in /etc/iptables/restricted-hosts/*
do
 echo "Processing r-line file $f..."
  while read p
  do
    $IPTABLES -A INPUT -s $p -j CBLK
  done < $f
done

echo "Dropping invalid packets"
$IPTABLES -A INPUT -m state --state INVALID -j INVALIDDROP

echo "Enabling DNS server connections."
$IPTABLES -A INPUT  -p tcp --sport domain -j ACCEPT
$IPTABLES -A INPUT  -p udp --sport domain -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport domain -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport domain -j ACCEPT

echo "Enabling NTP server connections."
$IPTABLES -A INPUT  -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -m state --state NEW         -j LOGACCEPT

echo "Applying rules for inbound and outbound ssh"
$IPTABLES -A INPUT  -p tcp --dport gopher -m state --state NEW         -j LOGACCEPT
$IPTABLES -A INPUT  -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT

$IPTABLES -A INPUT  -p tcp --sport gopher -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state NEW         -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport gopher -m state --state ESTABLISHED -j ACCEPT

echo "Applying rules for outbound ssh standard port"
$IPTABLES -A INPUT  -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state NEW         -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT

echo "Enabling https traffic out from this machine"
$IPTABLES -A INPUT  -p tcp --sport 443  -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT  -p tcp --sport 443  -m state --state NEW         -j LOGACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443  -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443  -m state --state NEW         -j LOGACCEPT

echo "Dropping all other input packets."
$IPTABLES -A INPUT -j LOGDROP

echo "Done."

echo "IPV6 setting policy"

/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P OUTPUT DROP
/sbin/ip6tables -P FORWARD DROP

echo "IPV6 flushing tables"

/sbin/ip6tables -F

echo "IPV6 Done."

Make your XP installation SSD-flavoured

Many people are considering SSD (Solid State Drive)  in their laptops. There are of course many reasons for this, the SSD is silent and less heat generating, in many cases less power consuming and above all else, not susceptible to shock or sudden movements of the laptop.

Field engineers love SSD it has extended battery time, made laptops that are quickly closed and shoved in a bag much less prone to overheating and they can be used in harsh electro-magnetic evironments such as in the vincinity of radio trasmitters without risking that the hard disk loses data.

The problem with XP and SSD is that most drives made with this technology requires an erase operation on an entire block before it can be written back to the drive. This means that things like disk caching and so on works different from with standard disk drives and needs to be tweaked in order to get maximum performance out of it.

Most SSD manufacturers also guarantees only 10 000 writes to a cell and although most SSD uses techniques such as wear leveling where the cells are written to in a fashion to spread the wear on them over the whole disk eventually they will start to fail. An SSD is a rather expensive item still so people would like to maximise the life spand of their drive. Hence the following tweaks.

Disable windows XP prefetcher

Change the following registry keys:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager\Memory Management\PrefetchParameters]
”EnablePrefetcher”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOpt imizeFunction]
”Enable”=”N”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\OptimalLayout]
”EnableAutoLayout”=dword:00000000

You must reboot after the changes have been made.

Restore original setting

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager\Memory Management\PrefetchParameters]
”EnablePrefetcher”=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\Schedule]
”Start”=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Dfrg\BootOpt imizeFunction]
”Enable”=”Y”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\OptimalLayout]
”EnableAutoLayout”=dword:00000001

You must reboot after changes has been applied.

Change the disk cache behaviour

Start Device Manager

  • Select the drive for which you wish to administer the caching policy (your SSD)
  • Select Properties
  • Click on the Policies tab
  • Look for the option ”Enable write caching on the disk” and make sure it is selected
  • Look for a second option ”Enable advanced performance” and select it.

This option favors throughput/speed at the potential risk of data corruption. Since this is to protect removable drives from suffering data corruption if they are removed while a write operation is in progress — you may safely change this option on your internal SSD.

This trick can also be used to increase performance about 10-fold on USB-attached disks, but then you should be very careful when removing them from your system, use the device manager to disconnect before you remove them.

Other tweaks

Hibernation

Turning off hibernation can mean a better performance and longer life for the SSD because then Windows will not have to update the page file constantly in anticipation of a hibernation order.

  • Go to the control panel
  • Open the Power Options
  • Select the Hibernate tab
  • Uncheck Enable Hibernation box to disable
  • Click Ok

Reboot your system and the hibernation option is gone (but you can still use sleep mode of course which is brilliant in combination with SSD.