Beste Camera
beste-camera.nl
NicciBoekestijn@gmail.com
94.215.165.138
Submitted on 2010/01/01 at 11:57pm
Normaal reageer ik niet op blogs, maar deze keer wil ik toch even aangeven dat het een mooie blog is!

Aangezien het hier een Nederlandse spammer betreft en een .nl domein ben ik maar even gaan neuzen op de Internets. Spam wordt over het algemeen wel redelijk aangepakt in Nederland, reden dus om het een en ander uit te zoeken.

Beste-camera.nl is geregistreerd door ene Jan van Enk met email adres folita.invest@gmail.com
Zoeken op deze info via Google leverde mij de volgende lijst met sites op:

bestetv.info
bestelaptop.info
scooterkopen.info
beste-camera.nl
binnendeur.org
vloertegels.biz
pregnant-women.org

Allemaal geregistreerd onder dezelfde naam, gehost bij Leaseweb, nul echte content,  en bijna allemaal zijn ze ondergeplamuurd met Google Ads meuk en andere referral links zoals bijv. Bol.com in het geval van de website die bij mij gespamd werd.

Nou boeien pagina’s om klikvee aan te trekken mij niet zo, maar je moet niet op mijn website gaan lopen spammen in de comments. Tijd om even wat abusemail te versturen naar de hoster en de ISP van het IP van de spammert

Update:

Door opnieuw op de gespamde standaardzin te googelen kwam ik de spammer nogmaals tegen op: http://www.ceome.nl/?p=738 met een link naar eetkamerstoelen.info, en nog een keer op http://www.shikake.nl/2009/10/28/kattenluikje-tegen-indringers/ met een link naar de al bekende beste-camera.nl.

En nog een update:

Twee nieuwe domeinen gevonden, nl:

zonneschermen.org
drugs-verslaving.com

Beide weer onder dezelfde naam geregistreerd en gehost bij Leaseweb, welke het allemaal niet zo erg vinden want na een abusemailtje blijft het doodstil.

Aangezien onze spammer op basis van Google Adsense zijn centjes verdient ga ik die ook maar eens een mailtje sturen. Stay tuned

23/02/10:

Jippie, nog een domein:

besteverzekering.net

Google Adsense en Leaseweb vinden het allemaal nog steeds best. Een dezer dagen nog maar een mailtje de deur uit denk ik…

I wanted to get access to the local network at my parents house to manage computers using remote desktop. Now it is quite simple to tunnel IP traffic over a SSH connection, but I wanted proper access to the network. I just want to open mstsc on my own computer, enter the local IP address of the computer I want to access and be able to do my stuff.

So I installed PPTPD to enable VPN access to the network. Installed it using apt-get and webmin,  setup a PPP account, configured a connection in Windows XP and connected successfully. Tried accessing the webinterface of the modem that connects to the Internet, nothing… timeout. Curious as I am when it comes to annoying problems I tried accessing the local IP addres of my server. No problem accessing the webserver running this weblog. It seemed that the connection was established properly, but traffic from the client IP address of the PPTP connection was not forwarded to the LAN.

The solution was found after some googling: PPTPD: Can’t access anything but the PPTPD server when connected

By editing /etc/sysctl.conf and removing a commenting character:

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

and issuing the command:

/etc/init.d/procps restart

IPv4 forwarding is enabled permanently, and traffic from the PPTP client is properly forwarded to the rest of the network.

Thanks Internet and Google, if it weren’t for you I would have been messing around until the wee hours

(After finishing this post, I had to mess around for maybe twice the amount of time I put in solving this PPTP issue because of some problem with smileys messing up text on my weblog…)

So, I tried to open an SSH session to my router to see what was going on. For some reason the router refused the connection. Since Internet access was fine I suspected that the router was running fine and had not crashed.

I tried logging in a couple of times more and finally I got access to the router. I looked at the logs and saw that the compromised host was being blocked by the sl_def_acl extended access list. This ACL is as follows:

Extended IP access list sl_def_acl
10 deny tcp any any eq telnet log
20 deny tcp any any eq www log
30 deny tcp any any eq 22 log (74691 matches)
40 permit tcp any any eq 22 log

This access list will be applied to the VTY lines 0 to 4 using the following command which does not refer to any ACL but silently creates the sl_def_acl access list:

login block-for 600 attempts 3 within 30

So, what basically happens is a malicious host attempts to login through SSH, tries 3 times in 30 seconds, and after that the ACL sl_def_acl is applied to the VTY lines. But this also blocks any host including the local network from accessing the router through SSH. So a bruteforce attack is unintentionally converted into a denial of service attack by the router itself. As long as someone tries to login and fails, you will have difficulty accessing the router from any host on any network. I don’t want that so I tried to edit the sl_def_acl access list, but due to some bug this is not possible. I had to create a new access list:

Extended IP access list block_bruteforce
10 permit ip 192.168.64.0 0.0.0.255 any
20 deny tcp any any eq telnet
30 deny tcp any any eq www
40 deny tcp any any eq 22 log

And point the router to the right ACL for blocking bruteforce attempts using:

login quiet-mode access-class block_bruteforce

Now it is still possible to access the router from my local network while some host on the Internet is trying to access it. It is also possible to permit additional hosts or networks by adding this line to the ACL:

permit ip host <host> eq 22 any

Of course, the IP of the attacking host was put in my main inbound ACL to prevent any further traffic. My router, my rules… By the way, the sl_def_acl list could not be removed from the configuration so I had to leave it. Likely this is also related to the bug.

Anyway, this is what I set up to prevent my router to be compromised, comments are always welcome.

Some months ago I got my CCNA certification, and I was surprised by the low level of knowledge and experience that was needed to pass the exams. I passed the first exam with 948 points and my second one with 825. The last exam was a lot harder, and I realised that I hadn’t studied topics like dynamic routing protocols enough. Still I passed, because of my general knowledge of networking concepts and experience with calculating subnetting.

Anyway, I decided not to continue studying more Cisco stuff right away, but to get some hands-on experience first, so I bought this device.

The Cisco 851W is a router with a 100Mbit/s Ethernet WAN port. I got an Ethernet router because I wanted to use this router at home with the existing Internet connection. In the house where I live we have an ADSL Internet connection with a subnet of 16 IP adresses. There is no need to configure port forwarding in the modem, it just assigns public IP addresses through DHCP.

It took me some days to properly configure the 851W. I discovered that having a CCNA certificate in no way means that you can configure Cisco devices all by yourself.  Configuration discussed in Cisco study material is often quite basic and focuses on interfaces, not on complete configurations.

Anyway, I found this handy Excel sheet for generating a basic configuration: Configuring the Cisco 851W or 871W: Standard IOS. Using this sheet I got a basic working configuration.

Of course this configuration needed some tweaking. I added and changed the following things:

Static NAT entries and corresponding firewall rules

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.64.5 5597 interface FastEthernet4 5597
ip nat inside source static tcp 192.168.64.237 5001 interface FastEthernet4 5001
ip nat inside source static tcp 192.168.64.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.64.5 8000 interface FastEthernet4 8000
ip nat inside source static tcp 192.168.64.5 38515 interface FastEthernet4 38515
!
ip access-list extended Guest-ACL
deny   ip any 192.168.64.0 0.0.0.255
deny   tcp any any eq smtp
permit tcp any host 217.149.192.18 eq smtp
ip access-list extended Internet-inbound-ACL
permit tcp any any eq 38515
permit tcp any any eq 5597
permit tcp any any eq 5001
permit tcp any any eq 8000
permit tcp any any eq 3389
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit tcp host 63.208.196.95 any established
!
access-list 1 permit 192.168.64.0 0.0.0.255
access-list 1 permit 192.168.60.0 0.0.0.255

As you can see there are some ports forwarded to my own PC for various software running on it. When entering static NAT entries you have to enter corresponding firewall rules. Dynamic NAT entries seem to overrule the firewall, static entries do not work without firewall rules.

This basic Excel sheet configuration also adds a firewall rule to deny “Guest” users access to my own seperate network. They will only “see” network 192.168.60.0/24. I added another firewall rule to deny access to any SMTP server except the one from the ISP, to prevent spamming from trojans which is quite likely to happen with the current users of the wireless network. Later I will also add a firewall rule to block any incoming traffic on port 25 because nobody is likely to run a mailserver on this network except for malicious purposes. I also added a firewall rule permitting any traffic from members.dyndns.org, to make Dynamic DNS work properly (more on this later).

Separate WLANs for house and private use

dot11 ssid 35bis
vlan 20
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 *snip*
!
dot11 ssid ruthenium
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 *snip*

interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid 35bis
!
ssid ruthenium
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2432
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
description Guest wireless LAN – routed WLAN
encapsulation dot1Q 20
ip address 192.168.60.1 255.255.255.0
ip access-group Guest-ACL in
ip inspect MYFW out
ip nat inside
ip virtual-reassembly
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled

This part of the configuration defines two SSID’s and two Dot11Radio0 subinterfaces that are attached to respectively Vlan1 and Vlan20. You can also see the access list attached to the Guest VLAN.
One thing I discovered was that Cisco calls broadcasting a SSID “guest mode”. On most routers with a wireless interface, only one SSID can be set to guest mode. That means that my own WLAN is not visible, which is only a small annoyance.

Dynamic DNS configuration

Dynamic DNS using Dyndns.org is a little bit hard to setup, but after some googling I got it to work. Following is the configuration used for dynamic dns:

ip host members.dyndns.org 63.208.196.95
ip ddns update method myupdate
HTTP
add http://vagevuur:<snip>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://vagevuur:<snip>@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
!

To properly setup dynamic DNS you need to add the IP address of members.dyndns.org to the host list, because most routers are not set up to lookup domain names for security reasons. This breaks the dynamic dns settings.
You also have to add a firewall rule that allows the Dyndns site to connect to the routers WAN ip address on any established port. The router does not use NAT to connect to the site, so there are no NAT entries that overrule the firewall. By entering permit tcp host 63.208.196.95 any established in an access list applied to the WAN interface the connection is allowed because the firewall notices that Dyndns connects on the port requested in the outgoing connection.

By the way, entering the add and remove lines can only be done by entering half of the command before the question mark, then pressing CTRL-V on your keyboard, entering the question mark, and then the rest of the line. Entering a ? directly will cause the IOS help to appear, which breaks the command.

Well, this concludes my post about configuring my Cisco router. The complete configuration is available for viewing on: http://chelydra.dyndns.org/static/851wcfg.txt Enjoy and have fun!