
About Adam Palmer


Linux iproute2 multiple default gateways

This article describes a Linux server set up with two interfaces, eth0 and eth1. Each interface has a separate ISP, network details and default gateway. eth0 has two sets of network details on the same interface, so a virtual interface (eth0:0) must be created to handle the second IP. By default, Linux only allows for one default gateway. Let’s see what happens if we try to use multiple uplinks with one default gateway. Assume eth0 is assigned 192.168.1.2/24 and eth1 is assigned 172.16.1.5/16. Let’s say our default gateway is 192.168.1.1 (which of course is found through eth0), but there’s also a 172.16.0.1 gateway on eth1 which we can’t enter, as Linux only allows for the one. Our routing table now looks like this:

    root@www1:~# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    172.16.0.0      0.0.0.0         255.255.0.0     U     0      0        0 eth1

If a packet comes in to us, routed through the 172.16.0.1 gateway from, say, 8.8.8.8, our machine will receive it. When it tries to reply to 8.8.8.8, however, it runs down the routing table, sees that 8.8.8.8 is not local to eth0 or eth1, and therefore sends the reply out through the default gateway (192.168.1.1). The problem is that this is the wrong gateway, so the target machine will ignore our response because it arrives out of sequence and from the wrong IP. Using iproute2, Linux can maintain multiple routing tables and therefore multiple default gateways: if a packet comes in through one interface to one IP, the reply goes out via the default gateway that belongs to that interface. The script to achieve this is as follows: […]

By | October 5th, 2014|BASH, Linux, Networking, SH/BASH|2 Comments

Debian Linux Wheezy OpenVPN & Squid3 HOWTO with Transparent Proxying

Before my last extended period travelling and using public networks, I decided to set up a new low spec virtual machine on one of my hosted servers. I trust my datacenter and their uplinks more than I trust the free WiFi and public networks I travel through, and so while all my internet traffic is being routed over an encrypted tunnel to my dedicated server, I’m a lot happier. I threw Squid3 into the mix, as it caches common assets and the sites I visit. This speeds up my web access and page load time. OpenVPN can be configured more simply with a ‘static key’ configuration; however, I’ve chosen to go down the PKI route for future growth. On my new VPN server I run:

    apt-get install openvpn

Once OpenVPN is installed, I’ll need to set up my PKI system, certificate authority (CA), server certificate (vpn) and my first client certificate (npn) […]

By | October 4th, 2014|Hosting, Linux, Networking, VPS|2 Comments

Staying safe on unknown networks

Staying safe on unknown networks isn’t too difficult, as long as you keep security in mind. I often hear hoteliers advising “secure WiFi”. I even took some IT training with a company (who shall remain nameless) some years back advising using their “secure WPA2 network” for sensitive transmission. The statement is ambiguous in any case, but there is little security to the user in being connected to an encrypted wireless network where the network operator and the other network users are untrusted. Let’s look at some risks.

Regular Ethernet cabled network risks:

- Interception of your data in transmission through a tap/RF emissions.
- Interception of your data through network manipulation by a malicious user on the network (DHCP spoofing, ARP spoofing, etc).
- Interception of your data at the router controlled by the local system admin, or at any other router along the way, between any number of admins along the route to your destination.

The risks of open WiFi and WEP secured WiFi are the same as above, save that no tap is needed. The medium is the air, and anyone with access to the medium can intercept and manipulate traffic. WPA/WPA2 is a slightly more interesting case. Passive sniffing is out – the access point negotiates different keys per connected client. Therefore one client sniffing the network will observe encrypted data only. That said, network attacks such as DHCP spoofing and ARP spoofing work just fine. […]

By | July 16th, 2014|Security Consultant|0 Comments

My 5 step offshore interviewing process

Often being called on to assemble and manage teams of designers or coders, in particular through projects, I’ve developed a few tips and tricks in 12+ years of offshoring which I wanted to share. They may be obvious to some. With experience, I’ve found that most offshore contractors are hard working and keen to grow, but can sometimes be challenging or even impossible to work with. Can a job applicant read? Usually, the job description will contain the old test, “please include the word ‘blah’ at the top of your reply to prove you’ve read this description”. This makes sure that the applicant has read the description rather than just posted a cut and paste canned application to multiple jobs. Sometimes, applicants respond to questions that they prepare rather than actually reading and understanding your questions. I was hiring someone to work on some Google AdWords campaigns. I asked, “can you let me have some stats/supporting evidence/case study on any recent previous job – click through rates, impressions, conversions and metrics.” What I’m asking is, what did you do, and what were the results? The applicant, on the other hand, seemed to answer the question, “can you tell me anything you can think of about some of your past work?” As an applicant, if you can’t read my requirements and queries accurately, how can I work with you? If you want to save yourself the hassle, have a look at our PHP programmer services. […]

By | July 15th, 2014|Development, Security Consultant|0 Comments

Open relay mail server fail

After my near fail with a potential phone malware infection, the only thing that could top my week was an actual fail! I managed it in style by publicly exposing an open mail relay – talk about basics 101! I’ve been travelling pretty extensively over the last 6 months and frequently find myself on connections where port 25 outbound (SMTP) is blocked. So I’m sitting in an internet cafe in south Peru, on a connection sporting something like 64kbit down and 5kbit up. I’ve just beaten my worst latency record with a ping time of about 5 seconds to 8.8.8.8. I have 4 items sitting in my outbox and I’m wondering if they’re not going because the port is blocked, there’s an issue with my mail server, or whether they’re about to go at any minute but just can’t make it past the huge connection latency. (In case you were wondering, I’m just setting up my excuses!) Eventually some debugging with netcat and tcpdump led me to confirm that port 25 is blocked. No problem, it’s my personal mail server after all; I’ll just set up a proxy listener on port 2525. With a one-liner to execute simpleproxy, my mails start leaving and all is good. I daemonize simpleproxy for later and go and do something else. […]

By | July 14th, 2014|Security Consultant|0 Comments

Exim, DKIM and Debian Configuration

DKIM (DomainKeys Identified Mail) is a system for cryptographically signing messages and confirming they were sent from a sending server authorized at domain level. A private and public key pair is generated. The private key is used to sign outgoing messages, and the public key is published as a DNS TXT record for the domain name. This allows recipients to verify that mail claiming to be from a domain was actually sent by a server authorized to send mail on behalf of that domain. Implementing DKIM in a mail system increases trust and deliverability. Setting up Exim to sign outgoing mail under DKIM is a reasonably quick and simple task. Assuming you’re using an up to date version of Debian with Exim4, the process is even easier. […]

By | July 11th, 2014|BASH, Linux, Networking|7 Comments