mirrorshades

Everything posted by mirrorshades

  1. Ok... I'm adding a few *nix boxes to my home network, and intending to poke little tiny holes in my firewall to SSH in. Is there any kind of proxy/repeater software that will allow me to just have one open port (i.e. 22), but then select the destination on the LAN at run-time? I could do it such that 22 is the linux box, 23 is openbsd, 24 is solaris, etc... but that seems kludgy at best. Was also considering setting one server up as the main host, then adding specific logons for the others. In other words, if I log on as the user "openbsd", then automatically connect to the openbsd server from there -- the initial server is just a pass-through connection. Then I thought about it some more and figured there must be an easier way, because that just sounds too freaking stupid. As an example, the UltraVNC software has a repeater program that basically acts as a connection forwarder. You can open one port for VNC, and provide the LAN target... the repeater automatically makes the connection to the target box. Something like that would be ideal. Of course, it probably compromises the security of SSH somewhat, but since it would just be me coming in (ideally), I'm not really concerned that I might be snooping on myself.
  2. K.I.S.D... for "Keep It Simple, Dumbass"

     I don't know much about RADIUS as a protocol, and I don't know much about the FreeRADIUS app. I have used Microsoft's bizarro-RADIUS implementation called "Internet Authentication Service"... through which I managed to set up what I think is EAP-TLS on a domain, used for wireless and VPN authentication. I more or less clickey-clicked my way through, and couldn't re-explain to anyone else at this point how I managed to do it. (I hope it doesn't break!)

     Anyway, as with most things in the *nix world, FreeRADIUS uses various configuration files to keep track of the program options. I found a web-based GUI utility, called Dialup Admin, that is apparently the "official" GUI for FreeRADIUS (never mind that it hasn't been updated in the last few years). I thought it would help ease my transition into the wonderful world of AAA/RADIUS if I installed this utility. You know, just until I figured out the configuration files.

     So... I had to enable httpd on OpenBSD. This is basically a tweaked version of Apache that, among other things, runs in a chroot setting. The devs of Dialup Admin have the program configured in such a way that is designed to have its main directory "somewhere" in the filesystem, and use soft links to get between /var/www and wherever you put the rest. Works fine in theory, except that chroot breaks the hell out of that setup. Spent some time trying to move files back and forth and change the references... then just went ahead and dropped the whole thing into the /var/www directory (which, you know, includes the config files with passwords and stuff).

     After several hours of frustration, I finally just scrapped the whole Dialup Admin program. Time spent trying to get all the files to point to each other while not spitting config files out into the browser was time I *wasn't* learning about RADIUS.

     Tried to add complexity to the overall setup, cost me some time without getting me any closer to a working environment.

     Next on the list... FreeRADIUS has support for using MySQL to keep track of the data and configuration. Not being one to just use the default setup originally, I proceeded to install MySQL on the OpenBSD box, then set up the necessary configuration for FreeRADIUS. Now... MySQL runs from the command line by default, and it can be a bit goofy to use if you're like me and haven't done command line MySQL syntax for the last few years. I was able to add a new user and grant access to the database, but I hate having to type SQL queries out by hand to see what all is going on, or to have to insert new data (then I have to read through the schema and data dictionary, and wonder what each field means). phpMyAdmin is (yet again) a web-based GUI for MySQL that basically removes the command-line mystique and actually lets you get into your data.

     So... since I already had httpd running, I decided I'd set up phpMyAdmin and use that for MySQL administration. Initial setup seemed to go okay, right up until I got to the main login screen. I tried logging in as both root and the freeradius user, and in each case received an odd error about the socket not being configured correctly. Spent another couple hours clickey-clicking about Teh Interweb, looking for some possible solutions (again, OpenBSD's uber-secure setup causes some different stuff to happen in different places). Tried changing the phpMyAdmin configuration to hard-code the user/pass into the config file, but that didn't work out either. Decided to abandon phpMyAdmin, again having spent some time trying to solve problems not directly related to the task at hand.

     Now it turns out that the config files for FreeRADIUS aren't really that difficult to understand... if you go about them the right way. The default/sample files that come with the program are chock-full of all sorts of special conditions and various options that might make sense if I were rolling my own ISP or telco, but not so much for a basic setup like I'm trying. My firewall box (running pfSense) has a working FreeRADIUS implementation on it, which I use for VPN authentication into my home LAN. I took a quick look at the config files for that install, and they are much easier to understand. Thus, I was able to get the OpenBSD FreeRADIUS config files looking the way I needed them to.

     I was now at the point where I was ready to use the radtest app to verify that FreeRADIUS would return an approval if I provided a valid user/pass combo. Of course, everything I tried (even double and triple checking the spelling, IP addresses, shared secrets) was failing. So... spent some more time poking around for yet another answer.

     Turns out that if MySQL is configured, then FreeRADIUS pays no attention to the config files. I hadn't eliminated the database yet, and MySQL was still running on the server. Thus, it was looking at an empty database for config info, instead of my carefully crafted text files. Shut down MySQL, removed all references to it in FreeRADIUS, and BAM -- got the approval note straight away from radtest.

     So basically, I spent several hours fiddling with a modified web server, various GUIs that didn't work right, and some MySQL tomfoolery in order to try and make my life easier... instead of just spending a bit of time *looking* at what I needed which, as it turned out, wasn't as complex as I thought it was.

     That's what being lazy got me. Lots and lots of extra work with no additional payoff. :)

     Then I spent a while writing up this blog entry, instead of actually working on the setup some more. Hm... I'll have to blog about that, too.

     When I get the chance.
  3. Okay, let's say I have this entry in my /etc/crontab file (FreeBSD in case that makes a difference): 1 1 * * * root /usr/bin/nice -n20 /etc/rc.dyndns.update I can't get my head around the bizarre way that the columns work. Does the above mean that the command will be run every day at 1:01 am? Or does it mean that it will be run every 1 minute for every 1 hour? To me, it reads that it will only run at 1:01 am every day of every month... but based on some other log files, it seems to be doing stuff more frequently than that. (I think that's where I'm getting confused.)
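The crontab entry in the post above, worked through with a small matcher (example code added here, not from the forum or the poster): it expands each of the five time fields and lists every minute of a given day at which a system crontab entry fires, so "1 1 * * *" comes out as one run at 01:01, whereas the "every minute of every hour" reading would need "* * * * *". It assumes Vixie-cron semantics (FreeBSD's cron is Vixie-derived), including the rule that when both day-of-month and day-of-week are restricted, a match on either one fires the job.

```python
from datetime import datetime, timedelta

# Allowed ranges for the five time fields: minute hour day-of-month month day-of-week
FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 7))

def parse_field(field, lo, hi):
    """Expand one cron field ('1', '*', '1-5', '*/15', '1,30') into the set of ints it matches."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = int(part)
            end = hi if step > 1 else start  # '5/10' means 5,15,25,...; plain '5' is just 5
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{field!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values

def parse_crontab_line(line):
    """Parse a system crontab (/etc/crontab) entry: min hour dom mon dow user command."""
    parts = line.split(None, 6)
    if len(parts) != 7:
        raise ValueError("expected: min hour dom mon dow user command")
    minute, hour, dom, month, dow = (
        parse_field(f, lo, hi) for f, (lo, hi) in zip(parts[:5], FIELD_RANGES))
    if 7 in dow:                    # cron accepts both 0 and 7 for Sunday
        dow = (dow - {7}) | {0}
    return {"minute": minute, "hour": hour, "dom": dom, "month": month, "dow": dow,
            "dom_any": parts[2] == "*", "dow_any": parts[4] == "*",
            "user": parts[5], "command": parts[6]}

def matches(entry, when):
    """True if cron would start the entry at the given datetime (seconds ignored)."""
    if (when.minute not in entry["minute"] or when.hour not in entry["hour"]
            or when.month not in entry["month"]):
        return False
    dom_ok = when.day in entry["dom"]
    dow_ok = (when.weekday() + 1) % 7 in entry["dow"]  # Python Monday=0 -> cron Sunday=0
    if not entry["dom_any"] and not entry["dow_any"]:
        return dom_ok or dow_ok     # Vixie rule: both restricted means EITHER may match
    return dom_ok and dow_ok

def runs_on(entry, year, month, day):
    """Every (hour, minute) at which the entry fires on the given calendar day."""
    start = datetime(year, month, day)
    return [(t.hour, t.minute) for t in (start + timedelta(minutes=m) for m in range(1440))
            if matches(entry, t)]
```

Anything else the log shows happening more often than 01:01 daily is therefore coming from somewhere other than this line.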
  4. Bah.
  5. Just wondering who out there is a licensed ham? No need to drop your callsign... but there seems to be a pretty good level of interest and experience here. I've been licensed since 1991, but once I left high school I never really did much with the hobby. Trying to get back into it now. Extra points for including your license class. I have a "real" General ticket... back from the days of the 13 wpm code test (though I couldn't do it today, even if threatened).
  6. Interesting write-up (if a bit lacking in detail) on the National Security Agency's "Red Team" of penetration testers: http://www.popularmechanics.com/technology...aw/4270420.html
  7. In my neck of the woods, it is mainly AIX, Solaris, and RHEL.
  8. You will need to do this with some sort of scripting language; you can use client-side scripting (i.e. JavaScript, JScript) or server-side scripting (ASP, PHP) for that kind of effect.
  9. Subject more or less says it all. Anyone know a decent way to evaluate the %PATH% environment variable on a Windows box, remotely? (Like, in such a way that would be practical to script it and execute against a large number of machines at once.) I have banged my head on this for several hours now and have not come up with a useful solution... has to be able to run against a default install of the OS, not an option to install a third-party app. And a follow up for extra points... Windows 2000/2003, anyone know a magical way to "fix" the upper limit of 1024 characters in the path? (Again, in a manner that would suit bulk maintenance instead of one at a time clickey-clicking.) If anyone can provide a decent answer/solution for either or both questions, I will officially drink a beer in your honor.
  10. Well, no... it depends on what is installed on each one.
  11. Even though it's been done, I feel the need to respond to a couple points: Welcome to the Big Leagues. This is for my job, where I am in fact a part of a team that maintains several thousand servers. And, in fact, the company I work for is probably midsized technology-wise compared to some of the big behemoths out there (how many servers do you think IBM, Google, or Microsoft have running?). Well, again... these are servers, so they don't just restart every single day. In fact, it would be a Very Bad Thing if some of them did. There are some that only reboot 3 or 4 times a year under highly controlled conditions. Also when considering servers (as opposed to desktop/workstation PCs), a startup script is not a reliable means to execute something since an interactive logon may happen rarely, if ever. We do have a tool that allows us to run arbitrary commands on-demand, so that part isn't an issue. (It was just a problem with getting the remote value locally.) The network share idea is decent, but the problem there is that the network is so segmented there is no way to guarantee that our internal firewalls will allow Windows filesharing traffic from any given point to any other given point on the network. Enterprise-level network administration is a peculiar beast; a lot of the conventional wisdom or best-practice guidelines either can't be practically adhered to or were beat down by middle and upper management politicking. It is a fascinating world for someone like me, who cut his teeth on smaller Mom and Pop type networks.
  12. Problem with a startup script would be the need to restart the server. Also, that's not very bulk-friendly since I would have thousands of files to sift through. I have found a workaround that gives me what I need... it doesn't look like there's an in-built way to get at it with 2000/2003.
  13. http://fastmail.fm/ Edit: Actually, I lied. The free service doesn't offer POP3, but they do let you do IMAP. Should work just as well, I had one I used with Thunderbird for a long time.
  14. I'm guessing you've got some sort of financial interest in this project -- either someone has hired you to write this kind of proxy server, or you've written something that you're hoping to market at large. As you'll probably discover or have already, there's not a lot of love on the Internet for spammers. Most people abhor spam and go out of their way to get as little as possible. (Of course, there is still money to be made, so I can understand where you're coming from.) The problem you're likely to run into is that, because most people are violently anti-spam, there are a lot of resources put forth to blocking/removing spam and also retaliating against spammers -- and a lot of people/companies will do this without financial compensation, simply because they hate spam so much. To offer some (admittedly unsolicited) advice, you are probably going to end up in a losing battle. Spammers must constantly be "on the run" -- open relays are shut down or blacklisted, ISP accounts are locked or terminated, IP addresses are blocked. You will need to ask yourself if you think that whatever financial gain you expect to make is worth the hassle and headaches. I'd also suggest, as a moderator, that you please do your best to keep your interaction on this topic civil in the BinRev forums. What you are asking has extreme potential to begin large-scale flame wars, which is not what we want to see happen. I'm sure there are other forums out there that may be more open to discussions on these topics -- if you see this thread deteriorating, it may be better for everyone involved to move this topic elsewhere. (Though you are absolutely welcome to post about other topics here that may be of interest to the community.) Hope this was useful. Oh also, if you simply *must* get involved in unsolicited mass email, please do your best to ensure proper spelling and grammar. Spam is annoying enough on its own.
  15. Been a few years, but I seem to recall having more success with TCP instead of UDP. I guess it slowed it down a teeny bit, but I didn't really notice most of the time. Was significantly better at maintaining the connection, though. Not sure if that's what the problem is, but you might give it a shot just to see.
  16. Yeah, I didn't mention. This is in a domain, and I am using an account with domain admin rights. (And, thus, local admin on the box itself.)
  17. Yup. Doesn't work. Problem is that it wants to expand the variable locally before passing it to the remote system. Today I actually did find the registry key where the Path variable is stored, which is much easier to get at remotely.
  18. Well, er, yes. But show me a way to do that on a remote box besides logging on and opening a command prompt.
  19. To start at an even "lower" level, you could look at Linux From Scratch: http://www.linuxfromscratch.org/ I've always wanted to set one up, but never quite have the time to dig into it.
  20. Moved to Nubie HQ. In order for something like you have described to work, you would need to run netcat on the remote machine and then initiate a connection from your own machine; you have explained it the other way around. There are plenty of how-to guides on doing something like this -- in fact, I believe the exact process is described in the netcat docs. The "at" command is just a task scheduler for Windows. It has nothing at all to do with what you're describing, at least not directly.
  21. Well the thing is, you're kind of being a bit open-ended. It seems like you're interested in websites/web development -- is that an accurate statement? If that's the context you're looking for, then absolutely HTML, SQL, and some sort of server-side programming would be in order. By counterexample, however, if you're interested in embedded systems, then probably you won't find much use for most of that stuff. Likewise, if you're interested in artificial intelligence and neural networks, or porting linux to strange hardware platforms, or multimedia encoding, you'll need to read up on different areas. Even saying "things a 'hacker' would find useful" is kind of vague, since you'll never get two people to exactly agree on what a "hacker" is. So don't worry about what you "should" learn. What interests you the most? Start there.
  22. Nah... instead of worrying about what someone else tells you to learn, you need to figure out what YOU want to learn and start there. Can't go wrong with HTML, if you're interested in web pages at all. From there, if you still need help figuring out specific topics, just describe the kinds of stuff that you want to do.
  23. Hm... not necessarily. Getting all sorts of certs means that -- 1) You have the time to dedicate to studying, 2) You have some money to pay for the testing, and 3) You are good at memorizing, or you test pretty well in general. Certifications may give you an edge in a job interview, or may get you a few extra bucks in your paycheck, but they don't automatically indicate a given level of expertise in the field. I work in a large (LARGE) IT department, and I can't think of anyone there who is certified. Not to say that they aren't, but it's really not something that gets mentioned on a regular basis. Of course, I work for a massive corporation. May be a different ballgame in smaller companies... I can't say, since I've not really ever worked in one. But overall -- and this is a topic that comes up time and time again on Teh Internets -- I tend to believe that certifications aren't really as fabulous as some folks make them out to be.
  24. Free DIAL-UP??? Not even worth it. The web isn't rigged for 56k anymore. I had a free dial-up account when I attended grad school 10 years ago, and it was only marginally useful even then. Nowadays, I can't even imagine. (I remember once upon a time, though, when 14.4 kilobaud was SCREAMING! Like, the whole BBS screen would load in just 1 or 2 seconds!)
  25. Assuming you run the script as an admin-level user, sure. I haven't looked recently, but I'm pretty sure that either MSDN or just Microsoft.com has lots of documented code samples for various administrative tasks like that. That one, probably not. Normally they don't make it easy to get passwords back out of a system once they're encrypted. (Even as an Administrator, you cannot READ other users' passwords, though you can change them to something new.) Too vague. See my previous comment about code for administration.