INSTALL NSD AS PRIMARY DNS SERVER & BIND AS SECONDARY NAME SERVER (PART 2)


In this part we will install BIND as the secondary name server. For the primary name server installation see Install NSD as Primary DNS Server & BIND as Secondary Name Server (Part 1).

1. Update package library and install BIND

sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc

2. All the configuration files live in /etc/bind/. In most cases the defaults work fine; the only change I made is adding a TSIG key so that the zone transfer from the primary is authenticated.

3. First create the key file. It holds a shared secret, so keep it readable only by root and the bind group:

sudo vi /etc/bind/ssh.com.bd-key

key ssh.com.bd-key {
algorithm hmac-md5;
secret "N1aqkdyRDOOM01NYt3Vat3v+QmonX8bsNoSdBUyKNB0=";
};

The key name, algorithm and secret must match the key configured in NSD in part 1 character for character; any difference makes the transfer fail with a BADKEY or BADSIG error. Note that hmac-md5 is deprecated in current BIND and NSD releases; for a new deployment use hmac-sha256 on both sides.

4. Include the key in named.conf and tell BIND to sign everything it sends to the primary with it (the server statement below):

sudo vi /etc/bind/named.conf

#TSIG key kompella->martini
include "/etc/bind/ssh.com.bd-key";

server 192.0.2.10 {
keys { ssh.com.bd-key; };
};

5. Add the secondary zones. I placed them in named.conf.default-zones; on Debian/Ubuntu the file intended for local zones is named.conf.local, but either works because named.conf includes both:

zone "ssh.com.bd" IN {
type slave;
file "/var/cache/bind/ssh.com.bd.zone";
masters { 192.0.2.10; };
};

zone "113.0.203.in-addr.arpa" IN {
type slave;
file "/var/cache/bind/203.0.113.zone";
masters { 192.0.2.10; };
};

6. Save, check the syntax with named-checkconf (from bind9utils, installed in step 1) and restart BIND:

sudo /etc/init.d/bind9 restart

7. Test the zone transfer from the secondary, signing the request with the TSIG key (-k takes the path of the key file; alternatively the key can be passed inline with -y):

dig @192.0.2.10 ssh.com.bd axfr -k /etc/bind/ssh.com.bd-key

If everything is in place you will see every record of the zone. A ";; Transfer failed." message or a BADKEY/BADSIG status means the key on this side does not match the one configured in NSD.


Install NSD as Primary DNS Server & BIND as Secondary Name Server (part 1)


NSD is an authoritative-only, memory-efficient, security-focused and simple-to-configure open source name server. In most cases BIND is used for everything (authoritative and caching). Here I will show how to run NSD as the primary name server and BIND as the secondary, so that the two servers run different DNS implementations and a bug in one does not take out both.

Primary DNS Server: kompella.ssh.com.bd (192.0.2.10)
Secondary DNS Server: martini.ssh.com.bd (203.0.113.10)

Make sure that hostname (/etc/hostname) has been set properly for both of the servers.

A. Install NSD as primary name server

1. NSD expects to run as a user called nsd, but the package does not create this account. To avoid an error during installation, create the nsd system user on the primary before installing the software:

sudo useradd -r nsd

2. Update local package and install nsd.

sudo apt-get update
sudo apt-get install nsd

3. First, generate the SSL keys and certificates that NSD uses to secure the channel between the daemon and the nsd-control tool:

sudo nsd-control-setup

4. The main configuration file for NSD is a file called nsd.conf located in the /etc/nsd directory.

cd /etc/nsd
vi nsd.conf

You can use this sample nsd.conf file: http://pastebin.com/JyNyxZCu

5. Next, the forward zone file. NSD reads the same zone file format as BIND, so an existing BIND zone file can be reused: http://pastebin.com/3xaiVkfV

6. Reverse zone file: https://pastebin.com/nFELkTZT

7. Testing the Files and Restarting the Service

Now that we have our master server configured, we can go ahead and test our configuration file and implement our changes. You can check the syntax of the main configuration file by using the included nsd-checkconf tool. Simply point the tool to your main configuration file:

sudo nsd-checkconf /etc/nsd/nsd.conf

After you are able to execute the check cleanly, you can restart the service by typing:

sudo service nsd restart

8. Check the logs to see any messages:

sudo tail -f /var/log/nsd.log


Next we will configure BIND as the secondary name server, using TSIG to authenticate the zone transfers between the two servers.
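The TSIG key is the one piece that has to be identical on both servers: NSD wants it in a key: stanza in nsd.conf (the sample configuration above) and BIND in a key statement (the /etc/bind/ssh.com.bd-key file in part 2). The following script is an added example, not the author's code and not part of NSD or BIND: it generates one secret, renders it in both syntaxes together with the NSD zone stanza that NOTIFYs the secondary and allows AXFR only from it, and then parses both copies back and reports the mistakes that would make the transfer fail (name, algorithm or secret mismatch) or leave it weak (hmac-md5, short or malformed secret). The addresses, zone and key name are taken from the page; the function names and checks are assumptions of this example.

```python
"""Generate one TSIG key and emit it in both NSD (nsd.conf) and BIND
(named.conf) syntax, then check that the two copies really agree.
Example code added to this page, not the author's or the projects' own;
the server addresses, zone and key name are taken from the page, the
function names and the checks are mine."""
import base64
import os
import re

# Algorithms both NSD and BIND accept, with the natural key length for each.
# hmac-md5 is listed only so that check_pair() can flag it as deprecated.
HMAC_BYTES = {"hmac-sha256": 32, "hmac-sha512": 64, "hmac-md5": 16}


def new_secret(algorithm="hmac-sha256"):
    """Fresh random key material, base64 encoded, sized to the HMAC output."""
    return base64.b64encode(os.urandom(HMAC_BYTES[algorithm])).decode()


def nsd_key(name, algorithm, secret):
    """NSD 4 key: stanza for nsd.conf on the primary."""
    return (f'key:\n    name: "{name}"\n    algorithm: {algorithm}\n'
            f'    secret: "{secret}"\n')


def nsd_zone(zone, zonefile, secondary, keyname):
    """NSD 4 zone: stanza: NOTIFY the secondary and allow AXFR only from it,
    both authenticated with the TSIG key."""
    return (f'zone:\n    name: "{zone}"\n    zonefile: "{zonefile}"\n'
            f'    notify: {secondary} {keyname}\n'
            f'    provide-xfr: {secondary} {keyname}\n')


def bind_key(name, algorithm, secret):
    """named.conf key statement, as in /etc/bind/ssh.com.bd-key on the secondary."""
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'


# Parsers for the two stanzas above (attribute order as the renderers emit it;
# BIND key names may be quoted or bare, as in the page's example).
NSD_KEY_RE = re.compile(
    r'key:\s*name:\s*"([^"]+)"\s*algorithm:\s*(\S+)\s*secret:\s*"([^"]+)"')
BIND_KEY_RE = re.compile(
    r'key\s+"?([^"\s{]+)"?\s*\{\s*algorithm\s+([^;\s]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;')


def parse_key(text):
    """Return (name, algorithm, secret) from an NSD or a BIND key stanza."""
    m = NSD_KEY_RE.search(text) or BIND_KEY_RE.search(text)
    if not m:
        raise ValueError("no key stanza found")
    return m.group(1), m.group(2).lower(), m.group(3)


def check_pair(nsd_text, bind_text):
    """List the mismatches that would make the transfer fail with BADKEY or
    BADSIG, plus weak-key warnings.  An empty list means the sides agree."""
    problems = []
    n_name, n_alg, n_sec = parse_key(nsd_text)
    b_name, b_alg, b_sec = parse_key(bind_text)
    if n_name != b_name:
        problems.append(f"key name differs: {n_name!r} vs {b_name!r}")
    if n_alg != b_alg:
        problems.append(f"algorithm differs: {n_alg} vs {b_alg}")
    if n_sec != b_sec:
        problems.append("secret differs (copy/paste error?)")
    if n_alg == "hmac-md5":
        problems.append("hmac-md5 is deprecated; use hmac-sha256")
    try:
        raw = base64.b64decode(n_sec, validate=True)
    except ValueError:
        problems.append("secret is not valid base64")
    else:
        if n_alg in HMAC_BYTES and len(raw) < HMAC_BYTES[n_alg]:
            problems.append(f"secret is only {len(raw)} bytes")
    return problems


if __name__ == "__main__":
    secret = new_secret()
    print("# kompella (NSD primary), add to /etc/nsd/nsd.conf:")
    print(nsd_key("ssh.com.bd-key", "hmac-sha256", secret))
    print(nsd_zone("ssh.com.bd", "ssh.com.bd.zone", "203.0.113.10", "ssh.com.bd-key"))
    print("# martini (BIND secondary), contents of /etc/bind/ssh.com.bd-key:")
    print(bind_key("ssh.com.bd-key", "hmac-sha256", secret))
```

Run it once, paste the first two stanzas into nsd.conf on kompella and the last one into the key file on martini, then run check_pair() over the two files after editing if a transfer later fails: a single mistyped base64 character shows up as "secret differs" rather than as an opaque BADSIG from dig. Run against the hmac-md5 key shown in part 2 the checker reports only the deprecated algorithm, which is the one thing worth changing in that configuration.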

mitmproxy : intercept, inspect, modify and replay


mitmproxy (https://mitmproxy.org/) is an interactive, console-based proxy that lets you intercept, inspect, modify and replay HTTP and HTTPS traffic flows. Installation is easy. On Ubuntu:

sudo apt-get install python-pip python-dev libffi-dev libssl-dev libxml2-dev libxslt1-dev libjpeg8-dev zlib1g-dev
sudo pip install mitmproxy

Run mitmproxy:

fakrul@console ~> mitmproxy

It listens on port 8080 by default. Point your browser at it as its HTTP/HTTPS proxy and every session will show up in the console. For HTTPS the browser first has to trust mitmproxy's own CA certificate: with the proxy configured, open http://mitm.it and install the certificate for your platform; without it you only get certificate warnings.
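The console shows you the flows; the same inspect-and-modify work can be scripted. The following addon is an added example (not from the original post and not part of the mitmproxy project): it audits every Set-Cookie header passing through the proxy for missing Secure, HttpOnly and SameSite attributes and strips the Server header from responses before they reach the client. The file name cookie_audit.py is my choice; mitmproxy calls the module-level response() hook itself when started as mitmdump -s cookie_audit.py, so the script needs no mitmproxy import and cookie_issues() can be exercised without the proxy.

```python
"""mitmproxy addon: audit Set-Cookie attributes and strip the Server header.
Example code added to this page, not part of mitmproxy.  Start it with
    mitmdump -s cookie_audit.py
(the file name is my choice).  mitmproxy looks up the module-level
response() function by name, so no mitmproxy import is required and
cookie_issues() is plain Python that runs on its own."""
import logging

# Attributes every session cookie should carry; matched case-insensitively,
# which is how browsers treat cookie attribute names.
REQUIRED_ATTRS = ("secure", "httponly", "samesite")


def cookie_issues(set_cookie_values):
    """Map cookie name -> list of missing attributes, for a list of
    Set-Cookie header values.  Cookies with nothing missing are omitted."""
    issues = {}
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        # "SameSite=Lax" and "Secure" both reduce to their attribute name.
        present = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in REQUIRED_ATTRS if a not in present]
        if missing:
            issues[name] = missing
    return issues


def response(flow):
    """mitmproxy hook, called for every HTTP response the proxy relays."""
    # Inspect: headers is a case-insensitive multidict, get_all() returns
    # every Set-Cookie header, not just the first.
    for name, missing in cookie_issues(flow.response.headers.get_all("set-cookie")).items():
        logging.warning("%s sets cookie %s without %s",
                        flow.request.pretty_host, name, ", ".join(missing))
    # Modify: drop the server banner before the response reaches the client.
    flow.response.headers.pop("server", None)
```

Findings appear in the mitmdump event log as the flows go by; the same cookie_issues() check can be pointed at headers saved from any other tool, since it only needs the raw header values.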


OpenVPN in Ubuntu 14.04


The quickest way to install OpenVPN in Ubuntu 14.04:

1. Download the initial script:

$ wget https://git.io/vpn -O openvpn-install.sh

2. Run the command

$ sudo bash openvpn-install.sh

This runs a downloaded script as root, so read it before executing it. The script asks for three things:

a. the external IP address on which the service will run

b. the port number

c. the DNS resolver to push to clients

To get the public IP you can try the following command:

dig TXT +short o-o.myaddr.l.google.com @ns1.google.com

It will create necessary certificates and also create the first client.

That is all. Your OpenVPN server is configured and ready to use. The script also added its firewall rules to /etc/rc.local. Note that the SNAT rule hardcodes the server's public address (202.125.97.10 here) and must be updated if that address changes, and that the FORWARD rule lets VPN clients reach anything routable from the server:

$ cat /etc/rc.local
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j ACCEPT
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 202.125.97.10

Type the following command to start the OpenVPN service:

$ sudo /etc/init.d/openvpn start

The client profile (a .ovpn file that embeds the client certificate and private key) is written to the home directory, in this case:

fakrul-apnic.ovpn

Treat it like a private key: anyone holding the file can connect as that client.

To connect from Mac OS X you can use Tunnelblick, available at https://tunnelblick.net


To add a new client, run openvpn-install.sh again and choose option 1; the new client's .ovpn profile is written to the home directory as well.

Convert CISCO LWAPP to Autonomous AP


You need an IOS image that supports autonomous AP mode. The image name tells you which kind you have:

k9w7 - autonomous (or "site survey") IOS
k9w8 - full lightweight IOS
rcvk9w8 - lightweight recovery image

So you need an image with k9w7 in its name, such as the c1240-k9w7-tar.124-25d.JA2.tar loaded below. The image currently on this AP, c1240-k9w8-mx.124-25e.JAP4, is a k9w8 lightweight image and needs a wireless LAN controller for its configuration.

Step 1: Delete existing lightweight IOS

delete /recursive /force flash:c1240-k9w8-mx.124-25e.JAP4

Step 2: Power off the AP, then hold the MODE button while powering it back on until it drops into the boot loader (the ap: prompt). In this recovery mode the AP uses an address in the 10.0.0.0/24 range.

Step 3: Connect the AP's Ethernet port to your laptop/PC, set the laptop to 10.0.0.2/24 and start a TFTP server there with the k9w7 tar file in its root directory.

Step 4: Initialise the network interface and flash, extract the new IOS from the TFTP server into flash, point the BOOT variable at it and reset:

ap: tftp_init
ap: ether_init
ap: flash_init
ap: tar -xtract tftp://10.0.0.2/c1240-k9w7-tar.124-25d.JA2.tar flash:
ap: set BOOT flash:/c1240-k9w7-tar.124-25d.JA2
ap: reset

Before the reset, run ap: set (which prints the boot variables) and ap: dir flash: to confirm that BOOT points at the image the tar actually extracted; a wrong BOOT path leaves the AP stuck in the boot loader.

I am using WPA for security; the full configuration is at the link below:

http://pastebin.com/ryDeYdub

I found the following video very helpful, especially if you want to know more about the recovery process.