Finally Saying No to NoCatSplash

For the last 6 months or so, I’ve been running a free wireless access point for my neighborhood. In an effort to get my local community to know each other (and local goings-on), I’ve back-ended the system using the elgg social networking platform.

To use the free wifi, you have to register on the social site.

The Captive Portal

Uptime however has been a major pain – for quite some time NoCatSplash has been broken in DD-WRT. Ever since version 24 (at the very least), it’s been grouchy – all of the sudden not working and requiring a reboot (or possibly clearing and resetting the iptables targets and restarting splashd)  to fix. The wiki documents a few workarounds, but I’ve gotten tired of the overall bugs.

Initially I planned on simply fixing it, but after a little bit of thought,  I decided to give OpenWRT another look. I’m sure I could have gotten away with using the mini or micro versions of DD-WRT and adding to it, but last time I used OpenWRT’s build environment I was really impressed – so I spent this weekend working with it again.

Building your own image is simple – using the ImageBuilder system (I’m working with WRT-54G’s)  simply “make image” setting the target PROFILE and PACKAGES via environment variables. This method uses existing binary packages to build a .bin or .trx file for easy installation (via the web interface or mtd command). “make info” will give you a long list of profiles, and packages that are readily available are contained in the packages subdirectory.

Recompiling packages is extremely easy – download the SDK:

mkdir ~/devel && cd ~/devel

wget http://downloads.openwrt.org/kamikaze/8.09.2/brcm-2.4/OpenWrt-SDK-brcm-2.4-for-Linux-i686.tar.bz2

tar xjvpf OpenWrt-SDK-brcm-2.4-for-Linux-i686.tar.bz2

If the package already exists, check it out via subversion:

cd OpenWrt-SDK-brcm-2.4-for-Linux-i686

svn export svn://svn.openwrt.org/openwrt/packages/net/<packagename>  package/<packagename>

And to compile simply execute:

make package/<packagename>/compile V=99

(On older versions it’s “make package/<packagename>compile V=99″)

After hitting my head against the nocatsplash package’s failure to build correctly, I finally opted to look at nodogsplash. “Because it will at least build” is probably not the best way to choose captive portal software, but it’s mine.

First thing requiring a fix is a bug that causes nodogsplash to crash when one sends a request to the auth-server without a “redir” GET variable being set – a bug evidenced by:

links “http://192.168.1.1:2050/nodogsplash_auth/?tok=fffffff”

Thankfully the crash is “gracefully” handled in safe.c’s safe_strdup()…. but it still causes the daemon to crash.

So – a quick patch, as well as some added “features” (including a magic token) and I’m set. Patches to source can be added to package/<packagename>/patches. Upon make, patches in this directory are first applied.

So instead of waiting around for a fix to NoCatSplash in DD-WRT, I’m moving on. So far NoDogSplash has proven effective – although I’m far from actually migrating to it (the old access point is still running for the time being). In the next few weeks I should have a custom web interface built, as well as pmacctd configured (I am exporting Netflow version 9 data to a collector as a C.Y.A measure), and bandwidth shaping properly enabled.

Custom patches to NoDogSplash are forthcoming.

Chasing Ghosts this afternoon…

Starting yesterday evening, I’ve been noticing a LOT more attempted connections to :445 (tcp).

Initially I was under the impression that the issue was isolated to the network I was on, although I’ve had confirmations from another non-related network (plus another host I have offnet) that :445 traffic is slightly higher than what is believed to be normal, but then again – what’s normal (without a good netflow collector and historical data, you probably have no idea)

A quick scan of the DSL routers I have access to, shows 314 unique IPs originating such scans to multiple destinations (this is one quick run of “show ip cache flow  | i  01BD” on each of 3 routers). I’m seeing the same thing on a VPS host I have located in Virginia.

Being a little more than curious, I’ve fired up nepenthes and within 8 minutes I had 3 SMB exploit attempts, where the affected machine tries to download “myreceve.com”

These exploits were hitting vulnerabilities on :139 (tcp), however, and I don’t believe are related (also they’re from the same class B network)

66.xx.xx.xx -> 66.xx.xx.xx ftp://1:1@66.xx.xx.xx:9015/myreceve.com

Connecting to this host in particular gives a warm welcome:

nc 66.xx.xx.xx 9015
220 fuckFtpd 0wns j0

Back to what prompted my initial interest – :445, I can’t seem to figure out whats really going on – packet captures indicate more than a normal SYN scan, but without some additional review, I have no idea why so many requests from so many hosts identical to this:

NetBIOS Session Service
Message Type: Session message
Length: 47
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Negotiate Protocol (0x72)
Error Class: Success (0x00)
Reserved: 00
Error Code: No Error
Flags: 0x00
Flags2: 0x0000
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 0
Process ID: 604
User ID: 0
Multiplex ID: 0
Negotiate Protocol Request (0x72)
Word Count (WCT): 0
Byte Count (BCC): 12
Requested Dialects
Dialect: NT LM 0.12
Buffer Format: Dialect (2)
Name: NT LM 0.12

I’ve only slightly glanced over other SMB sessions, and this seems like a normal request… I’m a little baffled as to why every pcap I have from an apparently compromised host uses process id “604”, but otherwise each request appears valid.

So…. it’s probably nothing (usually is), but it definitely piqued my interest for a time today. Happy Thanksgiving!

Update at 22:25

At the advice of others, I’m installing dionaea, which apparently has better SMB support, to see if I can determine exactly what these connections are. I’ll post an update when I’m finished.

Update 06:00 11/25/2009

I’ve got dionea running and collecting bitstreams. Same basic signature (process id: 604), but now with a _lot_ more information in the captures (as dionaea is a little more fluent in the SMB protocol). Tonight: Cooking and reading pcaps.

Multiple WAN linux-based router

My friend Mat recently asked how difficult it is to build your own router. He’s living in a house with 4 or 5 other guys, and two Internet connections (one for work purposes, the other apparently comes with the house).

My immediate suggestion was to grab an old Sun Cobalt Raq server. My former router was based off a Qube3 picked up off ebay for less than $80.00. The things are great: low power consumption, two NICs, an LCD screen, a trippy green LED panel….

Fear my awesome green LED
Fear my awesome green LED
USB, Serial, and 2 ethers
USB, Serial, and 2 ethers

There’s numerous walkthroughs on how to turn these things into mailservers, etc… (google for them). The basic gest of what one needs to do is:

  • Upgrade the ROM. This has fixes for 2.6 kernels as well as support to boot from an ext3 filesystem.
  • Install the root filesystem on the drive(s). This can be done by mounting the IDE drives in another box, or using an nfs server to install from the Qube itself.
  • Compile a kernel. While there are many patches out there, I’ve found that (possibly aside from the LCD screen, which I’ve never bothered with), a vanilla 2.6 kernel will work fine

Nothing that’s too incredibly different from setting up a normal box. I would highly recommend two resources: The first of which is Braggtown, the second one being Tim and Tina Wileys site

As far as items to install: I’m personally using Quagga for static routing  and OSPF (I use the Cobalt as a route server. Also Quagga has a nice Cisco-like CLI), OpenSwan for VPN access, VTUN for quick tunnel here and there (over which I run OSPF), Roaring Penguin L2TP for various layer 2 tunnels, etc, etc..

Iproute2 provides for the ability to properly handle multiple WAN connections via multiple routing tables. There are 255 tables available for routing and  iproute2 makes the use of named tables easy – simply add the numeric value and tablename to /etc/iproute2/rt_tables.

When working with multiple WAN interfaces, I generally setup the second routing table and rules similar to this:

ip route add default via <gateway for this connection> dev <interface> table <tablename>

ip rule add from <WAN IP> table <tablename>

The above simply adds an interface into the table and adds a default gateway. To isolate a machine on the internal LAN to ONLY use the newly defined routing table, one can simply:

ip rule add from 192.168.32.10 table <tablename>

ip rule add to 192.168.32.10 table <tablename>

Depending on your default policy,  you may need to make alterations to your iptables rules as well (especially to support forwarding and NAT masquerading) You can also hook into TOS flags (amongst other things) and route based on port numbers, etc. Basically the sky is the limit (you can do round-robin routing out interfaces, etc)

Next up is IPv6. IPv6 tunnels are easy to come by these days – Hurricane Electric and Sixxs.net are two of the more popular tunnel-brokers, MyBSD is a Malaysian broker I would personally recommend (good for IRC, latency is high, it goes down semi-frequently.. but I like Malaysia).  Also be aware that some brokers block common IRC ports. (Luckily I’m currently testing IPv6 for the ISP I work for and am now working off our /32)

Quagga can handle IPv6 address auto-assignment on your LAN. By default, ipv6 nd suppress-ra is set on most all interfaces. Disable it on the LAN interface, slap an IPv6 address and subnet in that interface config – and voila – your IPv6 router is now handling IPv6 autoconfiguration.

I recently upgraded to using a small form-factor IBM ThinkCentre 8183B2U.

The ThinkCenter, with KnightRider eyes
ThinkCenter with a Courier dialup modem and 3 USB drives atop it

The power consumption is also fairly low (I believe), and wanting to do a little more with the router, I figured why not spend another $80. Of course, the downside to the ThinkCentre is having only 1 on-board NIC and 2 PCI slots. In the near future I plan on picking up a quad-port LINKX ethernet card, to consolidate cards (I presently have 2 PCI NICs added to the router for connections to the LAN and a monitoring tap). Hopefully I can find a quad port card that will fit in the small form-factor .

And excuse the mess, I’ve yet to make things “pretty” yet.

The “Fish” turns 111,111

My car (nicknamed “The Fish” for it’s fishlike appearance) just celebrated a birthday of sorts.

First of all, the car is a 1999 Ford Taurus SE.. and as you can see in this dealer picture – it has all of the features of an aquatic animal – two bulbous eyes, two smaller “nostril” looking things, sideview mirrors that could possibly be fins, and a mouth where the ford emblem is.

The FISH! (We'll, another Fish)
The FISH! (Well, another Fish)

I’ve been working for a while on the possibility of using a WebpadDT as a touchscreen for a car pc. The inside of the Fish is huge – but at 8 inches or so, the WebpadDT takes up a lot of space. On the other hand, it’s quite a bit cheaper than a lilliput screen.

While driving home this weekend, I looked down and noticed an upcoming milestone:

111,108 miles
111,108 miles

I got the camera ready – almost at 111,111 miles. Good Old Lucky 111,111 – make a wish!
Well… maybe not. Turns out 111,108 is an unlucky number:

My Brake Light is Out.
My Brake Light is Out.

My brake light was apparently out. A quick notice from the cop, and I was on my way. Being only about a mile from my house meant I had to drive around the block a few times, but finally I hit it:

111,111 miles
111,111 miles