Sunday of my Life

I meant to make this post, uhh… something like a week ago, and just kept forgetting…

My CCNA certificate and wallet card finally arrived. Yay me! I’m all official and stuff now.

Lately, with my commencement of self-study for my Red Hat Certified Engineer exam and my continual drive to add yet more to my knowledge-base, to make myself a more valuable employee for those who do eventually employ me. I looked recently, after having been prodded with the idea by one of my class-mates, at ‘port knocking”, a form of client-to-server connection establishment and authentication.

This basic premise of port knocking is this:

Client A wants to establish a connection to secure server B

Server B is set to a ’stealth’ mode (all ports are closed, and connection attempts on these ports do not return an ICMP “connection Refused” packet. They are simply ignored, making it appear to the client as if the server itself doesn’t exist).

Server B has a port knock daemon (hereon called a PKD) running, and monitoring the firewall logs for connection attempts.

Client A has a file that contains the port-knock sequence. This is a series of ports that they will attempt to connect to, in sequence, to identify themselves to the PKD.

The PKD detects the port-knock sequence in the firewall’s logs, and sends the firewall a message instructing it to open a pre-decided port (not part of the knock sequence) for communication to take place through.

Client A does its communicating, then sends a second port-knock sequence to close the connection again.

Now, that’s port-knocking, basically. My brainstorm starts here: As port-knocking stands it’s nice and secure to the server, but still vulnerable to such attacks as man-in-the-middle. A skilled intruder could, theoretically, sit on the single-line path between client and server, and monitor the connection attempts, and learn the sequence, right? Right. Which, in the end, invalidates the hole process, an you may as well just leave the whole server open. I see the best implementation of this working like this:

The PKD is intergrated into the firewall itself, so it can monitor and control the IP stack itself directly, instead of having to work through another application to open and close access. Port knock sequences will be limited life-span, preferably one-use only. The new sequence will be transmitted to the client as part of the connection establishment sequence. Connections themselves will use an public/private key ecryption type, such as Kerberos, to encrypt transmissions between the serverand the authenticated client.

When the connection is opened the opening sequence is immediately moved to another database of ‘old sequences’, to prevent someone trying a playback attack with it. If the server detects this sequence being used again within a certain time-frame, then it will record the originating IP address and blacklist it for another set amount of time. As part of the connection-establishment, after the excryption sequence is complete, the server will generate and send to the client the next sequence, registering it in its own database. By this method the sequences are kept expirable, and secure from recording and playback-attack.

Sequence generation itself is the last point I’ve been thinking on. There’s two paths I could see here: multi-level randomisation to generate a series of numbers between 1024 and 65535 (the public, un-registered port number range). That could easily give you a nice long string of port numbers. That’s okay, but the problem with it is that true randomisation is difficult to achieve, and is processor intensive. The other option is algorithmic generation. Several factors can be taken into consideration and fed as variables into the algorithm to pull out the port numbers. The connection ID of the client. Their IP address. Their location in the world. The time of day. The phase of the moon. Anything, really, so long as you can assign a number to it. I personally like this one, for a couple of reasons. One, it messes with the attacker’s malicious little mind; that’s always fun. Two, and most importantly, the attack, through careful analysis, could theoretically find out the numbers used to generate the sequence, and the algorithm behind it. However, if they’re obscure enough they won’t have a snowball’s chance in hell of figuring out what the numbers mean, and so won’t be able to predict the next incarnation of that value.

Anyway, that’s the end of my brainstorm for now. If I had better (much better) programming skills, I think I could really make something out of this. Port knocking, in my opinion, represents one of the better security concepts of the last few years. I’d like to make it a part of my repetoire. Now I just have to find out how.

Today was… hot. Very hot. Try 37 degree celsius (that’s ~98 to those of you in America-land). Despite said heat, though, I ventured into the city today, to visit one of my favourite bookstores. The Technical Bookshop. I am so glad I decided to go too. I bought three books (and have a fourth on order). At a steal, too! $10 for two of them, $20 for one. The one that’s on order I put a $20 deposit down on, and that will cost a further hundred once it comes in, but it will be worth it.

1. SAMS: Microsoft Windows Server 2003 Dealta Guide: A hand-reference book on the Windows Server 2003 platform, covering all its base capabilities. A handy guide for any aspiring network admin.
2. O’Rielly: Linux Server Hacks: This is the good kinda hack, the things that help systems run better and faster and more securely. Not the media hyped sort of hack that a mother or offshore casino might do on your bank’s systems to get at your money. That’s a crack. I do so wish the media would get the parlance right and stop villifying the innocent parties.
3. Syngress Computers: RHCE (Red Hat Certified Engineer) Study Guide: Okay, this is wonderful (or will be once I get my hands on it). I read quickly throguh the somewhat battered display copy of it today, the only one left. And I cannot wait to get my copy of it. Further study, here I come!
4. Sherrilyn Kenyon’s Character Naming Sourcebook: A bit out of step with the other books, yes, but it was a steal at $10, and a gift for my sister, who is both a big fan of Sherrilyn kenyon, and will be studying professional writing and editing in the coming year.

I am officially geeking out. So much techy goodness. Plus the look on my sister’s face when I handed the book to her was damn nice too.

VLSM, or Variable Length Subnet Masks is a by-product of the advanced routing concepts of such routing protocols as IS-IS, OSPF, EIGRP and RIP version 2, called Classless Inter-Domain Routing (or CIDR, Cider, get it?). At its most simlistic VLSM allows you to take an already subnetted network, and subnet one or more of the subnets further, creating out of them yet more networks. It was developed, like all forms of subnetting, in response to the shrinking address space in the IEEE private network specifications. If you subnetted your network, in order to create seperate router links you would need to use one subnet per point-to-point link. That’s two addresses used out of potentially hundreds or thousands of addresses in that one subnet. A massive waste of addresses.

VLSM, therefore, allows you to specify one subnet for all of your router links and, upon subnetting it, instead of having hundreds of addresses wasted, you can have hundreds of extra networks, each with only the requisite two addresses. Lets run through an example (the actual point of this post, since I literally am studying into my keyboard. One of the best ways to learn somthing is to teach it to someone else, so that’s what I’m doing). Sit back, ladies and gentlemen, and prepare to be amazed, astounded, and bored to death! Binary, ho!

We start with the Class A private address: 10.0.0.0

It has the default subnet mask of: 255.0.0.0

We require 102 networks, one of which will be dedicated to point-to-point router links

As far as our subnetting is concerned the first octet doesn’t exist, since we can’t change it. Since we can’t change it we don’t worry about it. After that point, everything becomes binary:

255.00000000.00000000.00000000

What, boys and girls, is the subnetting formula? That’s right. 2^{n-2. Two to the power of an unknown and variable number, mnus two, will give us the number of useable networks. So, we need 102 of the little buggers? Well, we can’t do that purely in binary, so we have to go as close as we can, without getting under it. So we work with place-values. 1, 2, 4, 8, 16, so on, so forth. The closest we can get is 128. @8}-2 gives us 128-2, or 126. Good. This fits, so we can work with it. We’re borrowing 8 bits for the root subnet. our subnet mask now looks like:

255.11111111.00000000.00000000

Or

255.255.0.0

If we draw an imaginary line down the seperator between the network portion and the host portion we get:

11111111.11111111|00000000.00000000

So, working from this, we start creating our subnets. Best practice states that, if you have ot have one network purely to be further subnetted for router links, you make it the final network, giving you all that extra room before it to logically scale the network with minimum fuss. So, if we do the first, say, 10 networks, including network address and broadcast, we get the following diagram:


10.00000001|00000000.00000000 First Network
10.00000001|11111111.11111111 First Broadcast
10.00000010|00000000.00000000 Second Network
10.00000010|11111111.11111111 Second Broadcast
10.00000011|00000000.00000000 Third Network
10.00000011|11111111.11111111 Third Broadcast
10.00000100|00000000.00000000 Fourth Network
10.00000100|11111111.11111111 Fourth Broadcast
10.00000101|00000000.00000000 Fifth Network
10.00000101|11111111.11111111 Fifth Broadcast
10.00000110|00000000.00000000 Sixth Network
10.00000110|11111111.11111111 Sixth Broadcast
10.00000111|00000000.00000000 Seventh Network
10.00000111|11111111.11111111 Seventh Broadcast
10.00001000|00000000.00000000 Eighth Network
10.00001000|11111111.11111111 Eighth Broadcast
10.00001001|00000000.00000000 Nineth Network
10.00001001|11111111.11111111 Nineth Broadcast
10.00001010|00000000.00000000 Tenth Network
10.00001010|11111111.11111111 Tenth Broadcast
...
10.11111110|00000000.00000000 Final Network
10.11111110|11111111.11111111 Final Broadcast


Okay. So, our big subnets are worked out, all fine ‘n’ dandy. That’s just plain old subnetting thus far. Now we come to the VLSM. We take our final subnet up there, and subnet it again. We stop thinking, now, of the number of networks we need. Now we think of the number of hosts per subnet. We need 2 hosts per subnet. In order to achieve this we need to borrow 2 bits, as 2² - 2 = 4 - 2 = 2. In order to achieve this we allocate the remainder of the bits, 30 in total, to networks, giving us the subnet mask of:

255.11111111.11111111.11111100

Or

255.255.255.252

Taking this, and acting as if our final subnet there was our root network, we get this (I’ll only do a couple):


10.254.00000000.000001|00
10.254.00000000.000001|11
10.254.00000000.000010|00
10.254.00000000.000010|11


Giving us router links on the networks 10.254.0.4, 10.254.0.8, 10.254.0.12, etc, etc. See the pattern? Going up by 4s. It makes things easier, believe me. That’s all there is to VLSM. It’s exactly like regular subnetting, just using a different address for your root network. Simple, once you know how.

PPP or the Point-to-Point Protocol, is an open-source (I think) protocol for multi-protocol transport on point-to-point serial links. It was designed as an answer to Cisco’s proprietary HDLC protocol, and to address limitations in this protocol, as well as providing a broad, open base protocol that can be extended and updated, to keep pace with emerging protocol technologies. PPP, being an open-source protocol, is available on almost every manufacturer’s platform, unlike HDLC which is only available on Cisco equipment. This makes PPP a more widely spread protocol because, although CIsco is a market leader in internetworking technology, they are far from the only company on the market.

PPP has many features that set it above HDLC as the data-link serial protocol of choice for the growing internet. It is more correctly known as a protocol suite, like TCP, because it contains a number of sub-protocols that provide its greater functionality. This moduler suite design makes PPP almost infinitely extensible, particularly in its unique encapsulation support for different network-layer protocols. PPP also supports two methods of connection authentication in its modular design. Amongst its sub-protocols, the most well-known and notable are LCP (Link Control Protocol), NCP (Network Control Protocol), PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). Below is a description of these protocols:

• LCP: LCP, or the Link Control Protocol, is PPP’s signalling protocol. It provides facilities for call negotiation, setup, maintenance, testing and tear-down. LCP frames may contain data on various configuration parameters, including authentication routines to be used, or status messages, or call-termination signals.
• NCP: NCP, or Network Control Protocol, is almost a protocol suite in its own right. It is the open, modular basis on which PPP’s extensibility rests. For every supported network-layer protocol, there is a corresponding NCP that defines methods of transmission, encapsulation and decapsulation. Since each protocl has its own NCP, it means that new NCPs can be written and andded to the protocol without having to rewrite PPP’s whole structure.
• PAP: PAP, or Password Authentication Protocol, is the older of PPP’s two authentication routines. It takes place at call establishment, immedieately after LCP finishes negotiating the link. The reciever challenges the caller for their credentials, and the caller’s password is then transmitted back in a PPP frame, as clear text. This lack of encryption and predictable sequence makes PAP susceptable ot such attacks as playback¹ and man-in-the-middle². This method of authentication is called a two-way handshake, since the process involves one packet exchange from either end.
• CHAP: CHAP, or Challenge Handshake Authentication (or, sometimes, Acknowledge) Protocol, is the newer and more secure of PPP’s two authentication protocols. At the commencement of the authentication phase of connection, and periodically throughout the duration of the call, the reciever sends a challenge frame to the caller. This frame contains a randomly generated string of characters. Using this string and the password both ends calculate a hash, usually using the MD5 algorithm. The caller then sends this value to the reciever, which will trigger one of two events. Either the reciever will send back an acknowledgement and validation frame if the values match, or it will terminate the session if they do not. Since the challenge string is unique and random, the hash generated will be unique and random, making it impossible to guess the password from a number of intercepted hashes since MD5 is a non-reversible hash. The fact that authentication is repeated periodically — this period being controlled by the caller, and negotiated with LCP a tthe commencement of the call — the damage caused by an intercepted and mis-routed call is mitigated, limiting the time an intruder has to transfer damaging data over the link.

PPP’s method of framing data, preparing it for transmission across the serial link, is quite similar to HDLC, making the two protocols in some ways compatible, although HDLC’s use of a proprietary type field prevents true compatibility. PPP, unlike HDLC, also supports seamlessly both synchronous³ and asynchronous⁴ serial transmissions. As with any transmission protocol PPP’s encapsulation follows a set number of fixed-length fields in a set order, allowing each frame to be decapsulated at the recieving end and interpreted clearly. Below is the framing sequence for PPP, sorted by order of transmission:

1. Start Flag: This 1 byte field indicates the beginning of the PPP frame. It always consists of the binary value 01111110.
2. Address: This 1 byte field always contains the standard broadcast address of 11111111. PPP does not assign addresses to hosts because it is designed purely for point-to-point links, where there will only ever be two hosts.
3. Control: This 1 byte field consists of the binary sequence 00000011, a standardised control number which represents the transmission of unsequenced user data, providing a connectionless transmission not unlike the Logical Link Control protocol.
4. Protocol: The 2-byte protocol field indicates which protocol’s frame is encapsulated in the data field of the PPP frame, thus telling PPP which NCP it will have to use. Different values in this field can indicate such protocols as IP, IPX, and AppleTalk.
5. Data: The data field of the PPP frame can vary between 0 and 1500 bytes in length, containing a full, complete frame of the protocol indicated in the protocol field. Since this frame is variable in length, its end is indicated by the End Flag field immediately proceeding it. This consists of the same value as the Start Flag.
6. FCS: The FCS, or Frame Check Sum, is a 2-byte field consisting of a binary hash of the frame contents preceeding it. It is used as an error-detection mechanism. If the frame on the other end does not sum down t othe same vlaue, then an error has entered the frame data and it is dropped.

In summary, PPP is a serial point-to-point link transmission and control protocol suite that supports by synchronous and asynchornous links, multiple network-layer protocol encapsulations, strong, attack-resistant authentication routines and is a non-proprietary, open-source protocol that can be implemented across many varied hardware platforms, allowing inter-manufacturer communication. It is quickly replacing HDLC as the protocol of choice for point-to-point serial WAN links.

1: Playback Attack: A playback attack is an intrusion or subversion method which involves the attacker intercepting the transmission, accertaining which frame contains the encrypted password and storing that, to be ‘played back’ at the target machine at a later date, attempting to imitate a legitimate user.

2: Man-in-the-middle Attack: A Man-in-the-middle Attack involves that attacker, instead of intruding the system thsemvles, intercepting and holding the communication packets between two end-points and modifying them, in an attempt to get the systems to divulge sensitive data to what they believe to be a legitimate destination.

3: Synchronous Transmission: In data communications a synchronous link involves two end-points using a single set clocking rate to transmit their data at. They constantly monitor the connection for clocking points, modifying the clock rate according to these, allowing constant fine-tuning, so both ends stay in synch. The most prevailent example of this is a 56K dialup modem, which transmits data at the clock rate of 56,000 cycles per second. This constant synchronised clocking allows the use of TDM (Time-Division Multiplexing) to allow multiple connections to share the one communications link. TDM works by allowing each connection to transmit for a set number of cycles before it moves to the next. This sequence is repeated over and over, with the reciever being aware of it. Packets are reassembled at the reciving end using this TDM sequence as a guide.

4: Asynchronous Transmission: Unlike a synchronous link, asynchronous communication does not make use of clocking rates. It instead monitors the connection itself, transmitting data as fast as it can. Connection negotiation can place an upper limit on this transmission type if, for example, a recieving host can only recieve data at a lower rate than the transmitter can send it. This method of transmission relies upon set packet preambles and trailers to define where a packet begins and ends, since packets can be of a variable length depending upon the size of the data field. The link protocol may elimiate this need by maknig use of fixed-length frames, splitting up later packets to make them fit. One of the most common asynchronous protocols which also uses this method of delivery is ATM (Asynchoronous Transfer Mode), which uses fixed-length ‘cells’ of 53 bytes.

You heard me, folks. I have officially just completed my CNAP (Cisco Networking Academy Program) Semester 4 Final and compulsary voluntary feedback exams. I scored 88.9% on the final, and with this score (considering the pass is 70%), I am more than happy. Didn’t help — being the paranoid soul that I am — to have a group of people standing behind me laughing as I do the exam. Or the V.35 Serial Cable hitting me in the back of the head. But I got through it regardless of any machinations on their part, real or imaginary. Remember folks: Just because you think they’re out to get you is no reason to assume they aren’t.

LAMP (acr., n.) Linux, Apache, MySQL, PHP

A complete Webserver running Apache HTTPD server, with PHP Hypertext Preprocessor and MySQL Database server, running on a Linux Serverbase.

It is a wonderful thing, and the backbone of the internet. Without webservers the Internet as we know it could not exist. These are the remote computers that store our websites and serve them out to whomever may ask for them. With the advent of the Open Source Revolution a webserver became a thing that anyone with the know-how and desire could setup his-or-herself without much in the way of monetary outlay. I, being the networking geek I am, have recently done this myself, as have many other people like me. This post isn’t going to be a tutorial on compiling your own webserver, although one of them may be forthcoming down the track, if I feel like it. I, instead, ran into some problems whilst making my server, and in all my hours of Googling I didn’t find anyone else who’d had this problem. Thus, this post:

This isn’t so much about Apache HTTPD, which compiled the first time perfectly for me. It’s more about MySQL and PHP, which didn’t. I couldn’t even get them to the ‘make’ stage, for it turned out that I had a problem with some packages installed on my Fedora Core 4 server. Problem being: they weren’t installed. Shock horror! Agog and aghast! Yada, yada… anyway. In order to compile properly both PHP version 5 and MySQL 4.1 require the GNU gcc-c++ compiler modules. Installing these is fairly simple, considering that FC4 comes with yum preinstalled and configured for you. Simply do this:

<root@myserver># yum install gcc-c++

Simple, no?

No.

See, gcc-c++ has a package dependancy that yum will not, no matter how much you try, be able to resolve. It requires libstdc++-4.0.1-4.fc4. That’s the long and the short of it. yum cannot install this. Why, may you ask? If you do:

<root@myserver># sudo yum list libstdc++*

There it is in that lovely list. Yet yum claims to not be able to install it. If, then, you do:

<root@myserver># rpm -qa | grep libstdc++

You will find in that list, libstdc++ already installed by default. So what’s the problem here? Well… gcc-c++ requires 4.0.1-4, and you have 4.0.1-8. It’s too recent. yum cannot count this as a valid dependancy resolving package, for the revision number is incorrect. Enter PBone’s RPM Finder. Searching their entire FTP archive for (and I quote) “libstdc*4.0.1-4.fc4″ will, after 4 or 5 pages of RPMs, finally turn up the correct, neeed version of libstdc++ for the i386 platform. Huzzah! In order to install this, since it’s older than your currently installed version, requires the use of an extra switch in the rpm command, in order to tell RPM that, yes, you do in fact wish to downgrade the package:

<root@myserver># rpm -Uvh --oldpackage <url of package>

Okay… once RPM retrieves and installs that package, go back and do the yum install command from earlier, and all should be fine ‘n’ dandy this time around. Happy compiling!

I can successfully install, configure and otherwise Make Good an Apache HTTPD Webserver on Linux. Who’da thunk?

So, inm the midst of a flurry of Cisco CCNA Examinations. Fun they are. Real fun. Cisco are very, very misleading in their exams. Everything must be read very carefully and you must spend every moment aware, hunting for the inconsistancies, the little tricks in thier questions. The questions hidden inside questions. The questions whose answers consist of nothing but 128 character binary strings, three of which only have 1 character differences between them. Fun, no?

So I did the exam for Module 7: Distance-Vector Routing Protocols today. Pass mark was 70%. I scored 57.4%

I was duped, I tells ya! Duped! They played me for a fool in a number of questions. Unfortunately I have no idea which questions they were because Cisco won’t actually tell you what you got right and what you didn’t. They do give you feedback on the things you have to read up on to get things right next time (if the exam is exactly the same next time, which it never is. Each exam has a question pool and is randomly drawn from that every time). I think even this feedback is misleading. There’s things listed here, like IGRP Metrics, that weren’t even on the exam. I get the feeling you’d be told you needed to read up on certain areas even if you got 100%. They nver want you to think that you could know everything they teach you.

Misleading exams. I hate them and the people who design them.

Dorothea has recently been putting up on Caveat Lector a series of posts on fighting referer spam and bandwith hogs that endlessly trawl your site with bots (ignoring the stringent rules you, or she in this case, laid down in the robots.txt file, of course). Find linkyness below:

Killing Referer Spam

Latest Bad Referer

Brandimensions

Raft Of New Blockees

More To Ban

Hell, if this interests you, then I’d suggest subscribing to her Spam Specific RSS Feed with your news aggregator. There will be much goodness to come in this section, I can feel it. It’s already got some invaluable stuff in there that I am using to protect Sunday from these bastard sons of a bastard’s barstard’s barstard. (Guessed I don’t like spammers of any kind yet?)

Sign up, read. Play, fiddle, learn (as one of my friends says). You’ll be glad you did, trust me.