Linux Transparent Bridge + Firewall

I was called in to help secure a network in a pinch. This called for quick action with very few resources: no time to purchase a firewall or drastically redesign the network. We needed something now.

The client's network had its printers, desktops, servers, SANs, and switches all on one subnet, publicly accessible from the internet, with no hardware firewall. Hackers were exploiting NTP bugs, trying default accounts and passwords, and trying to brute-force their way into everything. Without a complete understanding of the infrastructure, or of what renumbering and redesigning the entire network might impact, I decided to implement a quick fix while a firewall was ordered and careful redesign steps could be planned.

This quick fix was to create a transparent bridge and move all the vulnerable devices onto a private VLAN, with the transparent bridge firewalling and securing all of those devices.

First, I had to reclaim an old Dell R310 server. Nobody knew the BIOS passwords for any of the servers, so after a quick BIOS password clear and reboot, I installed Ubuntu 12.04 LTS with basic settings and updates. After consulting with my Cisco experts, we configured two switch ports, one on each side of the bridge:

! port on the existing network side of the bridge
interface gi 1/0/1
switchport mode access
switchport access vlan 24

! port on the new private VLAN for the vulnerable devices
interface gi 1/0/2
switchport mode access
switchport access vlan 25

On the server I set up bridge networking by installing bridge-utils

apt-get install bridge-utils

and adding these lines to /etc/network/interfaces

# bridge joining the two switch ports; the bridge itself gets a DHCP address for management
auto br-vlan25
iface br-vlan25 inet dhcp
# eth0 faces VLAN 24 (existing network), eth1 faces VLAN 25 (private VLAN)
bridge_ports eth0 eth1
bridge_fd 9
bridge_hello 2
bridge_maxage 12
# the bridge does not run STP itself
bridge_stp off
up /sbin/ifconfig $IFACE up || /sbin/true

When I brought up the interfaces, the bridge started forwarding Spanning Tree Protocol (STP) BPDUs between the two switch ports; the switch saw its own BPDUs coming back through the bridge and immediately shut one of the interfaces down to prevent a loop.

My solution was to install the ebtables package and restrict the bridge to IPv4 and ARP frames; with a default DROP policy, the STP BPDUs (which are neither) are no longer forwarded between the two ports.

sudo apt-get install ebtables

And add the following rules

# default deny on every chain
ebtables -P INPUT DROP
ebtables -P FORWARD DROP
ebtables -P OUTPUT DROP
# frames to and from the bridge host itself: IPv4 and ARP only
ebtables -A OUTPUT -p IPv4 -j ACCEPT
ebtables -A OUTPUT -p arp -j ACCEPT
ebtables -A INPUT -p IPv4 -j ACCEPT
ebtables -A INPUT -p arp -j ACCEPT
# frames crossing the bridge: IPv4 and ARP only, so STP BPDUs are dropped
ebtables -A FORWARD -p IPv4 -j ACCEPT
ebtables -A FORWARD -p arp -j ACCEPT

Then I modified /etc/default/ebtables so that all the “no” settings were “yes”, so that the rules are saved and reloaded across reboots and interface resets.

I now had a functioning bridge but no firewall, so I added these iptables rules to allow only locally sourced traffic (and the replies to it) through the bridge:

# default deny on every chain
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# only the local subnet (placeholder X.Y.Z.0/24) may originate traffic across the bridge
iptables -I FORWARD -s X.Y.Z.0/24 -j ACCEPT
# return traffic for connections the local subnet opened
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

I then installed the iptables-persistent package so the iptables rules survive reboots and interface resets

apt-get install iptables-persistent
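As an added check that is not part of the original post: a small audit script that reads a saved ruleset (the file iptables-persistent writes, or the output of iptables-save) and confirms the DROP policies and the two FORWARD rules above are actually in place, plus a check of the sysctl that must be 1 before iptables sees bridged traffic at all. The subnet 10.1.25.0/24 used in the comments is a constructed placeholder for the real local subnet.

```shell
#!/bin/sh
# Added example, not from the original post: audit the transparent-bridge firewall rules.
# audit_bridge_fw <iptables-save file> <trusted subnet>
#   exit 0 when the ruleset matches the intended design, otherwise the number of failures
audit_bridge_fw() {
    dump="$1"      # e.g. /etc/iptables/rules.v4 (written by iptables-persistent)
    subnet="$2"    # trusted local subnet, e.g. 10.1.25.0/24 (constructed placeholder)
    fails=0
    for chain in INPUT FORWARD OUTPUT; do
        # iptables-save records policies as ":CHAIN POLICY [pkts:bytes]"
        if ! grep -q "^:$chain DROP " "$dump"; then
            echo "FAIL: policy for $chain is not DROP"
            fails=$((fails + 1))
        fi
    done
    if ! grep -q -- "-A FORWARD -s $subnet -j ACCEPT" "$dump"; then
        echo "FAIL: no FORWARD accept for trusted subnet $subnet"
        fails=$((fails + 1))
    fi
    # iptables-save prints the state list as RELATED,ESTABLISHED; accept either order
    if ! grep -Eq -- '-A FORWARD .*(--state|--ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' "$dump"; then
        echo "FAIL: no ESTABLISHED,RELATED accept in FORWARD"
        fails=$((fails + 1))
    fi
    # an unconditional accept in FORWARD would expose the private VLAN again
    if grep -Eq -- '^-A FORWARD -j ACCEPT$' "$dump"; then
        echo "FAIL: FORWARD accepts everything"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# iptables only sees frames crossing a bridge when bridge-nf-call-iptables is 1.
# Ubuntu 12.04 enables it by default; newer kernels need the br_netfilter module loaded first.
# An optional path argument allows checking a captured copy of the sysctl value.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}
```

Run it after a reboot as `audit_bridge_fw /etc/iptables/rules.v4 X.Y.Z.0/24 && bridge_nf_enabled` to confirm the persisted rules and the bridge netfilter hook are both in effect.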

The next step was to look at all the switch ports, identify every device that needed to be secured, and move it to the new private VLAN.

show int status

find all the vulnerable device ports, then for each one:

conf t
int gi 1/0/X
switchport access vlan 25

Then I went to vCenter, looked at all the guests that needed to be secured, including the ESXi hosts themselves, and changed them to the new private VLAN.

Now an Nmap scan from on site has access to their equipment, while an Nmap scan from off site shows just a collection of desktops, printers, and public-facing servers. No more free access to ESXi hosts, EqualLogic storage, video cameras, environmental sensors, etc.


Awesome mini wireless keyboard + trackpad

Looking at making a server crash kit and found this little gem…

A miniature keyboard and trackpad over at adafruit.com


“Add a miniature wireless controller to your computer project with this combination keyboard and touchpad. We found the smallest wireless USB keyboard available, a mere 6″ x 2.4″ x 0.5” (152mm x 59mm x 12.5mm)! It’s small but usable to make a great accompaniment to a computer such as the Beagle Bone or Raspberry Pi. The keyboard itself is battery powered (there’s a rechargeable battery inside that you charge up via the included USB cable). The keyboard communicates back to the computer via 2.4 GHz wireless link (not Bluetooth) 

The keyboard can only be used with a USB host such as a computer. It's not intended to be used with an Arduino or Basic Stamp, etc. We tested it with the Raspberry Pi and it works great: uses only one USB port for both mouse and keyboard.”

Reflection Upon Santosa

Yesterday in class we discussed how society and culture have taught us to see contentment as negative. We have been pushed to consume, consume, consume, and the best way to do that is to convince everyone that they are not content. That they need something newer, better, more exciting. That these objects and ideas are the key to finding happiness. And we are taught that contentment is “settling”, which is taught to be bad. “Why settle for less” is one ad slogan.

I do not believe the best translation of Santosa for our society is “contentment”. Right now, my best word is “acceptance”. We must learn to accept reality for what it is. We cannot wish it to be different. We cannot let our minds wander and race with ideas of how it would be better if it were different. What is, simply is. And we must learn to accept things as they are, and love them as they are, and not want to change them for no other reason than we love them as they are in the moment. We do not love them for what they once were and hold on to that. We do not love them for who we want them to be in the future. We love them for simply being.

And that includes how we perceive ourselves.

Our society does not just demand that we are dissatisfied with what we own, what we have in our lives, it also demands that we are deeply dissatisfied with ourselves. We are too fat. Too thin. Losing too much hair. Not getting enough sleep. Skin is too rough, too oily, our hair too gray, teeth too brown… our libido too weak, our ability to focus not strong enough, our ability to enjoy not free enough…

All of this is a distraction from accepting what is, and loving every moment with burning ardor.

50 Sci-Fi/Fantasy Novels That Everyone Should Read

I love reading lists. If anyone wants to share reading lists with me, or sites with great reading lists, feel free to post them here :)

Flavorwire

People say it all the time: they’d love to get into science fiction or fantasy, but they’ve no idea where to start. If this is you (or if you’re one of those stubborn folks who looks snootily down on genre), listen up. Your trusty Flavorwire editors have a few suggestions for you — that is, a whole 50 sci-fi and fantasy novels that are well worth your time, whether you’re brand new to the concept of dragons and/or spaceships or a seasoned veteran. A few notes on the construction of the list: no short stories or short story collections, no matter how brilliant (looking at you, Kelly Link), were included. Also, in the interest of fairness, only one work or series by any given author was included. Finally, because this is a list of novels that adults should read, it skews light on the YA, including only those books that…


Stamped Deep

This is a writing exercise to write about an object we found that led to us learning something about someone we hadn’t known before.

–Stamped Deep–

Lt. Col. John Thomas. The black letters stamped deep into the silver bracelet stood out as a name not known to me.

I learned that my mother was once in love.

I learned he died in the Vietnam war and left her heartbroken.

I learned that she tried to comfort herself by drinking and dancing.

I learned that is how she met my father.

I learned that is how she became pregnant.

I learned that is why they got married.

I learned that she would dream about Lt. Col. John Thomas every night, but that there was always some obstacle keeping her from reaching him, and that she would wake up in tears.

I learned that my mother never really loved my father.

I learned that 40 years later he would still be in her dreams.

I learned why my mother was always so sad.

Lt. Col. John Thomas. The black letters stamped deep into the silver bracelet stood out as a name not known to me.


unmasked

“Let’s retrace our steps,” I reassure my tearful three-year-old son, who has just lost his superhero mask somewhere between a grilled cheese sandwich for lunch and wandering the local nursery in search of more vegetables for our garden. He knows how good I am at finding things, and is eager for me to find his mask. “You’re a good finder, dad,” he says, his superhero muscle-padded chest puffed out with confidence. In reality, I am worried I will let him down.

Retracing my steps is something I find myself doing a lot these days. A few days later I am on a similar journey with my recently separated wife. “Let’s go for a walk,” I suggest as we meet at the botanic garden near my office, the garden where we had our first flirtation as I read her tarot while she shyly blushed at the Lovers card peeking at her from the bottom of the deck, where we would have our first kiss leaning against her favorite fig tree, and where we shared walks talking about our future.

But this walk isn’t about finding our lost love. It feels more like a crime scene investigation, trying to understand how we let things get so out of control. I see symbols of ruin everywhere. A dead hawk (my wife has a fascination with dead birds, as evidenced by her award-winning Book of Dead Birds) lies near the place we performed that first magical tarot card reading. The beloved fig tree has been cut down, leaving a knife-like edge of a stump that cuts deep into our flesh as we sit in shock and take in the surroundings. The landscape is almost unrecognizable. It feels disorienting. The changes to the garden are as real and manifest as the changes in our hearts, and it is clear there is no going back to the place we once were.

Returning to my empty home I am reminded of my ten-year-old self, how, when my parents separated, I would walk home from school and let myself into a dark and empty house. I have never forgotten the exact moment that little boy broke down in tears, crying out “why did you leave me, dad?” I can feel that pain in my heart again, now, as I return to emptiness. But the house isn’t just empty. It is as different as the unrecognizable landscape of the garden. I find signs around the house that things are not the same. The light fixture that we bought to symbolize my mother after she passed away, the light that is the heart of the kitchen, is mysteriously askew, like a weather vane pointing in a new direction. My tarot cards are missing, my childhood photos carelessly left in the garage to warp and wrinkle, the never-completed projects around the house feel like tombstones marking the death of each aspiration. Everything that I once was, that I once dreamed about, has been cast aside and replaced with stress and unhappiness.

When the big day that has been looming over our heads for weeks arrives, the day she officially moves into her new home, I get a text that reads “just got hit by a wave of ‘what the hell am I doing’”. I’m not sure anyone ever knows what they are doing; I think we are always just hoping for the best. I reassure her that the environment and energy we had created for ourselves was not working out, and that we both need space to decompress and find ourselves again. It would be harder to recover if we were still living together, and any improvements would be so small as to be unnoticeable from day to day. But, if we are apart, we can heal and see the changes in each other more clearly. And maybe we will find that we do still want to be together.

Sometimes you can’t retrace your steps and find what you’ve lost. Sometimes you have to accept your new reality and move forward. We can’t keep hiding our true identities behind not-so-super masks.

As for my son’s superhero mask, I did find it. I didn’t let him down.