Adam Palmer MBCS CITP, Linux, PHP Programmer, MySQL Developer, Embedded Hardware, Security Consultant

08 Oct 09 New Rapidswitch Server

Further to my UK VPS posts, I took out a nice new server at RapidSwitch. I am fully aware of their recent extended outages, however after some quite extensive research, I am confident enough that this was an isolated and unfortunate set of circumstances, and it will not dissuade me from hosting with them. Maybe I’m used to paying too much for bandwidth, but about £150.00 ($230?) per month for a dedicated 100mbit? I don’t believe it. I was paying that for about 3mbit in the past, albeit premium network and bandwidth (not to say that RS isn’t of course). I’ve run some speed tests at various times throughout the day and from various locations. Here’s my latest:

# wget http://download.thinkbroadband.com:8080/1GB.zip
--2009-10-07 22:17:07--  http://download.thinkbroadband.com:8080/1GB.zip
Resolving download.thinkbroadband.com... 80.249.99.148
Connecting to download.thinkbroadband.com|80.249.99.148|:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1073741824 (1.0G) [application/zip]
Saving to: `1GB.zip'

100%[==========/.../============>] 1,073,741,824 11.2M/s   in 96s

2009-10-07 22:18:42 (10.7 MB/s) - `1GB.zip' saved [1073741824/1073741824]

10.7MB/sec average over 1GB download? That’s definitely 100mbit. I still can’t quite get over the speed for the price I’m paying.

Ping time from my local host (UK) is 16-17msec, from UK Solutions, it’s 5msec. From SagoNet in Florida, US, it’s 118msec.

Server was set up in about 18 hours from order, and that includes a private /26 AND a non standard routing setup, that they don’t offer by default.

So far so good, but very pleased at time of writing.


03 Oct 09 Linux Security Freelancer – Securing a node – Where to start?

As a Linux Security Freelancer, I’m often asked where best to start when securing a single Linux host. Whereas most would suggest configuring iptables or similar, the most effective first step in my opinion is to remove unnecessary services.

There are a number of methods that you can use to at least show open sockets:
lsof -U will list open UNIX domain sockets
nmap -sT -sU localhost will scan your local machine for open TCP or UDP ports
netstat -a | grep LISTEN will show all listening sockets

Forgive me for stating the obvious, but the first thing to do is disable any open sockets or services that aren’t required. On a default install, this could include the likes of the portmapper service, identd and an smtpd.

Next, you want to suitably lock down user accounts, check passwords, and perhaps consider enforcing a secure password policy. At minimum I generally prefer at least 8 characters, with at least one uppercase, one lowercase and one integer. Obviously the password shouldn’t be easily guessable, nor should it just end in a '1'.

Once done, the next thing that you want to do is to suitably firewall the services that you do require open, and perhaps also restrict the rate of ICMPs, etc, with iptables.
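The first step described above, checking what is listening and deciding what to switch off, can be done as a comparison against an allowlist. This is an added example, not code from the original post: the ALLOWED list, the function names and the sample netstat output are constructed, with the sample showing the portmapper (111), identd (113) and SMTP (25) listeners mentioned above.

```shell
#!/bin/sh
# Added example: flag listening sockets that are not on an allowlist.
# ALLOWED and the sample output below are constructed for illustration.

ALLOWED="tcp/22 tcp/443"   # services this host is meant to offer (assumed)

# Reads `netstat -tuln`-style lines on stdin and prints "proto/port address"
# for every listener whose proto/port is not in $ALLOWED.
unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ {
            # TCP rows carry a LISTEN state; UDP rows have no state column.
            if ($1 ~ /^tcp/ && $NF != "LISTEN") next
            proto = $1; sub(/6$/, "", proto)   # fold tcp6/udp6 into tcp/udp
            port = $4; sub(/^.*:/, "", port)   # port follows the last colon
            key = proto "/" port
            if (!(key in ok) && !seen[key " " $4]++) print key, $4
        }'
}

# Constructed sample of `netstat -tuln` output from a default install.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
EOF
}

sample_netstat | unexpected_listeners
# On a live host: netstat -tuln | unexpected_listeners
```

The bound address is printed alongside each hit because a listener on 127.0.0.1 is only reachable locally, while one on 0.0.0.0 is exposed on every interface.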


09 Sep 09 Shell Return Codes – Ping Monitoring

BASH (the Bourne Again Shell), like most if not all other shells, allows each application to exit with a return code. Some shells and environments have limits on what range this integer can fall into. Something between 0 and 255 inclusive is always a safe bet. In BASH, the variable $? is populated with the return code of the last command to return control back to the shell. It is important to preserve the return code immediately after the application that we want to monitor exits, as subsequent commands will overwrite the variable. The ping tool returns 0 on success:

HOST="192.168.1.5"
ping -c1 -q "${HOST}" >/dev/null 2>&1  #ping HOST once and do not print any output to the screen
RET=$?  #assign the return code to RET so we can preserve it for after the 'if'
if [ ${RET} -eq 0 ]; then
    #we were successful.
    echo "We were successful"
else
    #we weren't successful
    echo "Host ${HOST} failed ping monitoring on $(date)" | mail -s "Uptime Monitoring" admin@example.com
fi

Of course there are easier ways of achieving the above task, but I have laid out the script this way to illustrate capturing the return code and preserving it beyond the 'if' that follows, which would otherwise have overwritten it. As a further illustration, calling ping invalid followed directly by echo $? shows a return code of '2', the return code for such a failure. Calling echo $? again immediately after shows a return code of '0', as the return code of ping was overwritten by the return code of the first echo statement. Bash builtins return codes to the shell as any other application would.
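The same capture-and-preserve idea extended to a retrying check that also distinguishes ping's non-zero codes (on Linux iputils ping, 1 means no reply and 2 means another error such as an unresolvable name). This is an added example, not code from the original post; the PROBE variable and the function names are assumptions introduced so the logic can be exercised with a stand-in command instead of a live ping.

```shell
#!/bin/sh
# Added example: retrying host check that keeps the probe's return code.
# PROBE is an assumption of this example (not from the post): it lets a
# stand-in command replace ping so the logic can be exercised offline.

probe_host() {
    # One quiet probe, stdout and stderr discarded, as in the post's script.
    ${PROBE:-ping -c1 -q} "$1" >/dev/null 2>&1
}

# check_host HOST [TRIES]: prints "HOST STATUS rc=N attempts=M", returns N.
check_host() {
    host=$1
    tries=${2:-3}
    attempt=0
    ret=1
    while [ "$attempt" -lt "$tries" ]; do
        attempt=$((attempt + 1))
        ret=0
        # Capture $? in the same list as the probe: any later command would
        # overwrite it, and under `set -e` a bare failing probe would abort
        # the script before a separate RET=$? line could run.
        probe_host "$host" || ret=$?
        # iputils ping: 0 = reply, 1 = no reply, 2 = other error.
        # Only "no reply" is worth retrying; 0 and errors end the loop.
        [ "$ret" -eq 1 ] || break
    done
    case $ret in
        0) status=up ;;
        1) status=no-reply ;;
        *) status=error ;;
    esac
    echo "$host $status rc=$ret attempts=$attempt"
    return "$ret"
}

# Constructed demo with stand-in probes (no network needed).
PROBE=true;  check_host 192.0.2.10 3 || :
PROBE=false; check_host 192.0.2.11 3 || :
unset PROBE
```

With PROBE unset, check_host runs the real ping, and its return value can drive the mail alert from the script above.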


15 Sep 08 Quick Linux and Windows OpenVPN HOWTO and tutorial, including VPN routing

OpenVPN is a popular Windows/Linux VPN Server/Client pair. I think there’s a separate GUI available for it if you’re so minded. This howto will cover command line usage only.

I’ll provide example configuration based on a Linux server and a Windows client, however the same applies pretty easily if you wanted to mix and match.

On Debian, apt-get install openvpn. On any other Linux distro, use your own package manager or alternatively download the source and compile.
