Linux Transparent Bridge + Firewall

I was called in to help secure a network in pinch. This called for some quick action, with very little resources. No time to purchase a firewall, or drastically redesign the network. We needed something now.

The clients network had their printers, desktops, servers, SANS, and switches all on one subnet, publicly accessible to the internet, with no hardware firewall. Hackers were exploiting NTP bugs, trying default accounts and passwords, and trying to brute force their way into everything. Without having a complete understanding of the infrastructure, and what renumbering and redesigning the entire network might impact, I decided to implement a quick fix while a firewall was ordered and careful redesign steps could be planned for.

This quick fix was to create a transparent bridge and move all the vulnerable devices onto a private VLAN, while allowing the transparent bridge to firewall and secure all of these devices.

First, I had to reclaim an old Dell R310 server. Nobody knows the BIOS passwords for any of the servers, so after a quick BIOS password clear and reboot, I installed Ubuntu 12.04LTS using basic settings, and updates. After consulting with my Cisco experts, we configured two ports:

interface gi 1/0/1
switchport mode access
switchport access vlan 24

interface gi 1/0/2
switchport mode access
switchport access vlan25

On the server I setup bridge networking by installing bridge-utils

apt-get install bridge-utils

and adding these lines to /etc/network/interfaces

auto br-vlan25
iface br-vlan25 inet dhcp
bridge_ports eth0 eth1
bridge_fd 9
bridge_hello 2
bridge_maxage 12
bridge_stp off
up /sbin/ifconfig $IFACE up || /sbin/true

When I brought up the interfaces the bridge started forwarding Spanning Tree Protocol (STP) packets, and the switch immediately killed one of the interfaces to prevent a loop.

My solution was to install the ebtables package

sudo apt-get install ebtables

And add the following rules

ebtables -P INPUT DROP
ebtables -P FORWARD DROP
ebtables -P OUTPUT DROP
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p arp -j ACCEPT
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p arp -j ACCEPT
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p arp -j ACCEPT

And then modify /etc/default/ebtables so that all the “no” settings were “yes”, that way the rules would preserve on reboot or interface reset

I now had a functioning bridge, but no firewall, so I added these rules to iptables to only allow locally sourced traffic through

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables  -I FORWARD -s X.Y.Z.o/24 -j ACCEPT
iptables -I FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

And then installed the iptables-persistent package to save iptables rules across reboots and interface resets

apt-get install iptables-persistent

The next step was to look at all the switch ports, identify all the devices that needed to be secured, and move them to the new private vlan.

show int status

find all the vulernable device ports

conf t
int gi 1/0/X
switchport access vlan 25

Then I went to the vCenter and looked at all the guests that needed to be secured, including the esxi hosts themselves, and changed them to the new private vlan.

Now an NMAP scan from on site has access to their equipment, and an NMAP scan from offsite shows just a collection of desktops, printers, and public facing servers. No more free access to esxi hosts, equallogic storage, video cameras, environmental sensors, etc…

Awesome mini wireless keyboard + trackpad

Looking at making a server crash kit and found this little gem…

A miniature keyboard and trackpad over at adafruit.com

Image

“Add a miniature wireless controller to your computer project with this combination keyboard and touchpad. We found the smallest wireless USB keyboard available, a mere 6″ x 2.4″ x 0.5” (152mm x 59mm x 12.5mm)! It’s small but usable to make a great accompaniment to a computer such as the Beagle Bone or Raspberry Pi. The keyboard itself is battery powered (there’s a rechargeable battery inside that you charge up via the included USB cable). The keyboard communicates back to the computer via 2.4 GHz wireless link (not Bluetooth) 

The keyboard can only be used with a USB-host such as a computer. Its not intended to be used with an Arduino or Basic Stamp, etc. We tested it with the Raspberry Pi and it works great: uses only one USB port for both mouse and keyboard.”

I’m not dead yet

I haven’t fully stopped trying to use Ubuntu as a desktop replacement yet. But, I am using Windows again right now because I found LibreOffice was not reading Office documents correctly, and embedded visio diagrams do not work. Which forced me into Windows to do some quick work.

I also have a VirtualBox image on my Windows box with a dev environment, and needed to use it for some quick work and did not have time to get it running under Ubuntu.

The reason I’m making this blog post is to point out where Windows is winning.

At least in a Windows vs Ubuntu test. At this point I may just buy myself a Mac and use this Dell laptop as a fishtank.

 

Dropbox wins over Google Drive

This isn’t really a fair fight. Google Drive doesn’t even have a Linux client.

My real preference is sshfs, though.

For work files, I use sshfs to mount a folder on our secure server to my laptop. Policies frown on sticking sensitive files in the cloud. I’d like to play with services like OwnCloud, or some others, but sshfs works fine for now.

Empathy wins over Pidgin

I tried installing Pidgin to connect to our jabber server. I had alternating trouble getting Pidgin to authenticate, and when I say alternating, I mean it. With no changes it would login, or it would fail. And when it would log in there would be an empty Pidgin buddy list. So empty that clicking on it registered as the desktop, and not the Pidgin app. Purging and reinstalling didn’t help.

Then I noticed that Empathy (the little envelope on Ubuntu’s system bar) had detected Pidgin was installed and was asking to import my Pidgin settings. I gave it a shot, and was able to log in with zero hassles. Yes, it imported my settings from a non function Pidgin, and Empathy worked.

I’m going to test out Empathy and see if there are any features that it doesn’t have that would warrant figuring out how to get Pidgin (or another client) to work.

Thunderbird instead of Outlook

It looks like Thunderbird has come a long way in the last couple of years. I was able to install Lightning 1.9.1 and the Exchange 2007/2010 Calendar and Tasks Provider 1.8.5, and have access to my email and calendar.

I ran into some issues with the email address not matching the account name, and Thunderbird keeping some settings locked away in its memory somewhere even though I had changed them in the GUI (the account name kept the gmail.com value I had type, before correcting it to my work address). I also had to delete the account several times before finally figuring out that it was defaulting to GSSAPI authentication, even though I am not doing GSSAPI authentication.

The address book was a snap to configure. At first I thought I’d have to know the OU and Bind DN, but just putting in the ldap server name was sufficient to search for people.

Calendaring was also a snap. After installing the Exchange 2007/2010 Calendar and Tasks Provider add on I spent some time trying to figure out how to access the calendar and finally figured out there was a teeny tiny calendar and task icon in the top right corner. Clicking on them opens a Calendar and Task tab, and they appear to work quite nicely.

So, now I won’t be late for meetings, and I can edit work documents.

Ubuntu Desktop LibreOffice

Compared to previous attempts at using an open source Office suite (such as KOffice, OpenOffice, and others), LibreOffice actually works enough to use it (sorry other guys).

Setting up the printer was as easy as hitting Add and Find, and then clicking on the awkwardly named “Forward” button. Slightly less awkward than naming the button “Progress”, but if we’re going to depart from the traditional “Next” button, I’d like to go with something more fun, like “Onward Ho!”, or “I Dare You”.

I was relieved to see LibreOffice was able to open most of my documents with a reasonable level of accuracy. The weirdest thing I saw was a Visio diagram saying it was in Portrait mode, but the page dimensions themselves were landscape oriented. When I went to print, the printer thought the page should have been portrait, so it was only going to print a corner of the diagram.

I do find bulk property editing flawed. For example, the font used on the Visio diagram did not exist in LibreOffice, but when I tried to change just the font, it changed all of the font properties, including font size, et al, so the whole document was a jumbled up mess.

But, I can work with this, at the moment.