
26 March 2017

Why Whitelisting Your Server After Cloudflare Setup is Very Important

TL;DR: Your server has a public IP address that is reachable from anywhere. To prevent direct attacks, deny all web access to that address and allow only Cloudflare's published IP ranges. Don't skip the whitelisting: your server is being scanned constantly on its public address, and it remains fully attackable through that address if you skipped this step.

The Cloudflare company made headlines in the news recently, and much was discussed about whether or not they are a good choice to front your site.  I am not interested in that debate, and if you continue reading, I assume you aren't either.  I assume you are using Cloudflare and are happy with it.

I have watched and read many videos and articles about setting yourself up with Cloudflare, and many of them tell you to turn on all the advanced settings after setup, such as HSTS and the other perks offered by the product.  Those options are great and you should turn them on as well, but I have found countless guides never mention how important it is to whitelist.  Cloudflare offers a video that speaks of it, but recommends you ask for help from someone technical.  Which tool is right for denying everything but the Cloudflare IP ranges, your host's firewall, your ISP's, or your web server's own access controls, varies based on your needs and what you already use.  I can show you what happens if you don't.

So, after you set up Cloudflare, the GUI will show you a list of to-dos which mention whitelisting Cloudflare's IPs.  Go to that page.  A sample of what it looks like is below.

Cloudflare provides a list of IPv4 and IPv6 Addresses to whitelist
Cloudflare's IP Whitelisting


The image above shows all the IP address blocks that Cloudflare will use to connect to your web server.  After setting up Cloudflare, deny access to your web server's ports 80 (HTTP) and 443 (HTTPS) to everyone except the Cloudflare IP blocks above and your own access points.  Two things to keep in mind: Cloudflare publishes the current list at https://www.cloudflare.com/ips/ and it changes occasionally, so re-check it now and then; and once only Cloudflare can reach you, your logs will show Cloudflare's addresses as the client, so you will need the CF-Connecting-IP header Cloudflare adds (or your web server's real-IP module) to see the visitor's actual address.  Don't know your access point IPs?  That is one of the many reasons why it is hard for Cloudflare or anyone else to tell people exactly how to perform the whitelisting.

I can, however, provide an example of what happens if you don't whitelist.  I built two servers, which will not be around for many of you to see since I have no need to keep paying for their hosting.  But you will be able to see the same thing on your own server.  If you already performed the whitelisting, you can read something else, but if you are interested then read on.

The following server whitelists only Cloudflare servers in the list above.  The first log entry begins on 08 Mar 2017 as seen below.  The last entry ends today.

root@crumpton:/var/log # head httpd-access.log
::1 - - [08/Mar/2017:01:17:32 +0000] "GET / HTTP/1.0" 200 18427

Servers on the Internet are scanned constantly, with many of the scans looking for vulnerabilities.  There are numerous kinds of scans, but we'll focus on PHP attacks.  The scan below is looking for PHP administrative scripts and/or vulnerabilities.  Whitelisting was enabled on this server after the scan shown below (edited for brevity) had completed.  Notice that the output ends at the command prompt: as I mentioned above, there have been no more scans at all on this server since whitelisting was completed.


root@crumpton:/var/log # grep php httpd-access.log
1XX.9X.8X.XX0 - - [08/Mar/2017:20:09:42 +0000] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 404 226
1XX.9X.8X.XX0 - - [08/Mar/2017:20:09:42 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 404 226
1XX.9X.8X.XX0 - - [08/Mar/2017:20:09:42 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 219
...
1X1.X6.XXX.97 - - [08/Mar/2017:23:30:46 +0000] "GET /phpmyadmin/scripts/setup.php HTTP/1.0" 404 226
root@crumpton:

So now, let's look at a server behind Cloudflare without whitelisting.  This server has been proxied through Cloudflare for seven days now, but I am only going to show you the log for yesterday.  First, a count of just the phpMyAdmin-based attacks reveals 72 attempts to access phpMyAdmin, which isn't installed.  There are so many scans in the file that posting all of it would make this blog too long to read through.  This server isn't advertised, and almost all of the requests are from scanning tools.  The remainder are me playing with it.

azcrumpty@LAMP:/var/log/nginx$ grep -i phpmy access.log.1 | wc -l
72
Here is a sample of what they look like:


XX.8X.XX.X1 - - [26/Mar/2017:03:53:03 +0000] "GET /phpMyAdmin-2.9.0/scripts/setup.php HTTP/1.1" 404 152 "-" "ZmEu"
XX.8X.XX.X1 - - [26/Mar/2017:03:53:04 +0000] "GET /phpMyAdmin-2.9.2/scripts/setup.php HTTP/1.1" 404 152 "-" "ZmEu"
XX.8X.XX.X1 - - [26/Mar/2017:03:53:04 +0000] "GET /phpMyAdmin-3.1.0.0/scripts/setup.php HTTP/1.1" 404 152 "-" "ZmEu"
XX.8X.XX.X1 - - [26/Mar/2017:03:53:04 +0000] "GET /phpMyAdmin-3.0.1.1/scripts/setup.php HTTP/1.1" 404 152 "-" "ZmEu"
XX.8X.XX.X1 - - [26/Mar/2017:03:53:04 +0000] "GET /phpMyAdmin-3.0.0.0-all-languages/scripts/setup.php HTTP/1.1" 404 152 "-" "ZmEu"


The server is being aggressively scanned compared to the whitelisted one before it where no more scans have shown up since whitelisting was enabled.

Whitelisting also saves bandwidth since only Cloudflare requests come in instead of the server being forced to respond to hacking attempts.  Again, the whitelisted server above has no noise, just requests coming in from Cloudflare from people using the site.

So what can you do?  Do perform the whitelisting, and then check your web server for scans.  I can't list all of the scans you could see, as I am not familiar with every product available for web servers.  Check your web server logs for scans like the ones above and make sure you did the whitelisting correctly.  You know your server's IP address, so test it from coffee shops, work, or free Wi-Fi by entering the address directly into the browser yourself, both as http:// and https://.  If you get any response at all from your web server (content, a redirect, a certificate warning, or even an error page), the port is still reachable and you are still exposed to scans; a properly whitelisted server simply times out.  Keep in mind that a name-based virtual host may only show your site when the request carries your hostname, so a test with the bare IP can return a default page instead, but any page at all still means the server is reachable.
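As an added example (not the author's code, and not anything from Cloudflare), here is a small Python script that does the log check described above for you: it parses Apache- and nginx-style access log lines, decides whether each client address is a Cloudflare edge, the local host, or a direct hit on the public address, and picks out the phpMyAdmin probes seen in this post.  The Cloudflare ranges are the March 2017 IPv4 list that also appears in the pf.conf further down this page; the log lines inside the script are constructed for the example, and the visitor and scanner addresses in them are assumed.

```python
"""Audit a web server access log for requests that bypassed Cloudflare.

Added example for this post, not the author's code. It checks each
request's client address against the Cloudflare IPv4 ranges published in
March 2017 (the same list as in the pf.conf later on the page) and flags
anything that reached the server directly, plus the phpMyAdmin probes the
post shows. The log lines at the bottom are constructed for the example.
"""
import ipaddress
import re

# Cloudflare IPv4 ranges as published in March 2017. The live list is at
# https://www.cloudflare.com/ips/ and changes over time; refresh it before
# relying on this for real (and add the IPv6 ranges if your origin has AAAA).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "104.16.0.0/12",
    "108.162.192.0/18", "131.0.72.0/22", "141.101.64.0/18", "162.158.0.0/15",
    "172.64.0.0/13", "173.245.48.0/20", "188.114.96.0/20", "190.93.240.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "199.27.128.0/21",
)]

# Matches both the Apache "common" lines and the nginx "combined" lines in
# the post: client, timestamp, request line, status, size, and the optional
# referer / user agent pair.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# The phpMyAdmin setup.php paths probed by the scans quoted in the post.
PROBE_RE = re.compile(r'/(phpmyadmin[^/]*|pma)/scripts/setup\.php', re.IGNORECASE)


def classify(ip_str):
    """Return 'cloudflare', 'local' (loopback) or 'direct' for a client address."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "direct"          # unparseable client field: treat as suspect
    if ip.is_loopback:
        return "local"           # e.g. a monitoring check from the box itself
    # An IPv6 address is never "in" an IPv4 network, so v6 clients count as
    # direct unless you add Cloudflare's IPv6 ranges to the list above.
    if any(ip in net for net in CLOUDFLARE_IPV4):
        return "cloudflare"
    return "direct"


def parse_line(line):
    """Split one access log line into a dict, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else rec["req"]
    return rec


def audit(lines):
    """Classify each request. After a correct whitelist, 'direct' must be empty:
    every entry in it arrived on the public address and proves the firewall is
    not doing its job. 'probes' lists scanner hits regardless of source."""
    report = {"total": 0, "via_cloudflare": 0, "local": [], "direct": [], "probes": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        report["total"] += 1
        kind = classify(rec["ip"])
        if kind == "cloudflare":
            report["via_cloudflare"] += 1
        else:
            report[kind].append(rec)
        if PROBE_RE.search(rec["path"]):
            report["probes"].append(rec)
    return report


# Constructed sample: two visitors via Cloudflare edges, a ZmEu scanner and
# another direct hit on the public address, and a loopback check.
SAMPLE_LOG = """\
162.158.10.20 - - [26/Mar/2017:08:15:01 +0000] "GET / HTTP/1.1" 200 18427 "-" "Mozilla/5.0"
198.41.200.5 - - [26/Mar/2017:08:15:02 +0000] "GET /about.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [26/Mar/2017:03:53:03 +0000] "GET /phpMyAdmin-2.9.0/scripts/setup.php HTTP/1.1" 404 152 "-" "ZmEu"
203.0.113.45 - - [26/Mar/2017:03:53:04 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 152 "-" "ZmEu"
198.51.100.7 - - [26/Mar/2017:04:10:11 +0000] "GET / HTTP/1.0" 200 18427
::1 - - [26/Mar/2017:01:17:32 +0000] "GET / HTTP/1.0" 200 18427
"""

if __name__ == "__main__":
    r = audit(SAMPLE_LOG.splitlines())
    print(f"{r['total']} requests, {r['via_cloudflare']} via Cloudflare, "
          f"{len(r['local'])} local, {len(r['direct'])} direct, {len(r['probes'])} probes")
    for rec in r["direct"]:
        print("DIRECT ", rec["ip"], rec["req"], rec.get("ua") or "-")
```

To run it against your own server, replace the sample with something like audit(open("/var/log/nginx/access.log")).  On the sample it reports three direct requests and two probes; on a correctly whitelisted server every request after the cut-over should land in the Cloudflare bucket (the only exceptions being loopback entries like the ::1 line in the first log above), and anything in the direct list tells you exactly which address is still getting through.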

How do attacks work?  Every web server has a public IP address, and the scanning tools walk through address after address looking for trouble.  Cloudflare doesn't protect you from this type of scan unless you whitelist.  Sure, they hide your IP, if you set that up correctly, but IP scanners crawl through every IPv4 address they can, and if they retrieve the starting page (index.html) from your address, the site is easy to identify because the welcome page usually shows the brand.  If you didn't hide your IP correctly, you get the following warning in the Cloudflare customer panel telling you about the IP leak.

Cloudflare will inform you if you are leaking your servers IP Address
DNS IP Leak Warning

If you search YouTube for how to bypass Cloudflare-fronted sites, you will see the favored method is to go straight to the origin's public IP address, the one that isn't whitelisted.  DNS leaks, should you have any, are a favorite way to find your server's IP address and launch attacks.  Such attacks become extremely difficult, if not impossible, if you whitelist properly, as shown in the first example.  They will continue, and possibly succeed, if you didn't whitelist, as shown in the second example.  In summary, the Linux server above is scanned, and its DNS does leak the IP since the same server hosts mail (the MX record gives it away).  The whitelisted FreeBSD server and the non-whitelisted Linux server are for demo purposes only and will not exist in April.

Cloudflare cannot stop attacks aimed directly at your server's public address.  Whitelisting does that.  Cloudflare also supports TLS mutual authentication, called Authenticated Origin Pulls, which is another way to ensure only their servers can talk to your web server.  But that only covers your TLS port (443) and doesn't help your unencrypted port (80) if it is open, too.  Once proxied, your hostname resolves to a Cloudflare address rather than your own, and your site can still be attacked through it, but then the attacker has to face all of Cloudflare's security wisdom and might.

The FreeBSD server is whitelisted and hasn't seen scans for several weeks. The pf rules are sloppy and were done quickly for example purposes only.  Don't use sloppy firewall rules on your host should you whitelist via this method -- use a firewall building tool.  I abbreviated the pf.conf rules to the main points.

# cat /etc/pf.conf
ext_if="hn0"
home = "{ 73.95.0.0/16  }"
cloudflare = "{ 103.21.244.0/22 , 103.22.200.0/22 , 103.31.4.0/22 , 104.16.0.0/12 , 108.162.192.0/18 , 131.0.72.0/22 , 141.101.64.0/18 , 162.158.0.0/15 , 172.64.0.0/13 , 173.245.48.0/20 , 188.114.96.0/20 , 190.93.240.0/20 , 197.234.240.0/22 , 198.41.128.0/17 , 199.27.128.0/21 }"
azure = "10.0.1.0/24"
...

block all
...
pass in quick on $ext_if inet from $home to any
pass in quick on $ext_if inet from $azure to any 
pass in quick on $ext_if proto tcp from  $cloudflare to port { http, https }
...
I list all of the Cloudflare IPv4 networks and allow them to pass, along with my home block and the local Azure systems.  Avoid host-based rules if you can, since you can easily lock yourself out of your server.  I should have added the Cloudflare IP whitelist to the security group in the cPanel below, but I found rapidly entering them in the HTTP interface slow and clunky.  In the real world, your provider's GUI will probably be the best choice.

An example of the GUI without the rules above is below.  You see I also whitelist admin ports.


Firewall rules for inbound connections show administrative ports SSH and WEBMIN are whitelisted
Firewall Rules in cPanel



13 December 2015

Mac OS X Two Factor Authentication Demo with Yubikey

With today's security threats, passwords alone may not be a strong enough defense against security incidents and many of you might want a little extra to secure your Apple Macintosh computer against such threats.  Yubico has an affordable solution you might like to try.  Yubico already provides excellent documentation on how to do this, but I have a few tweaks of my own which you can see in the video below or continue reading.



First, the video opens with demo number one.  This demo shows logins with the Yubikey inserted and removed.  Additionally, you can see the substitute user command (su) and the superuser do command (sudo) in the demo.  The demo doesn't show the standard GUI-based Mac OS X authentication challenge, but it too will require the Yubikey to be used in addition to the password.

Demo number two is pretty much the same, but Yubico suggests you uncheck the "Require user input (button press)" box when you set up the challenge-response feature.  I prefer to leave it checked.  The only pain from doing so comes from the ykpamcfg command, which seems to have a short wait when it queries the key during setup.  You have to be Johnny-on-the-spot and hit the button pretty quickly, which I don't show in the video.  But once you get past that, the Yubikey with button press is very easy to use.

Next up, the video shows the installation, which requires the easy-to-install Homebrew package manager.  As mentioned above, Yubico writes really good documents, perhaps so you'll buy lots of Yubikeys.  I think the confusing part of their guide is that the PAM config section is a bit too wordy and repetitive, listing the same steps over and over again for the same files.  Yubico's guide could be condensed to: edit the files su, sudo, authorization, and screensaver in /etc/pam.d and add the line "auth required pam_yubico.so mode=challenge-response" above the first line beginning with "account" (a PAM line reads type, control, module, so it is "auth required", not "require auth").  The guide assumes you might not know vi very well and spells out the extra steps.  Do the editing in a second terminal that stays logged in, and verify sudo works with the key inserted before you close it, because a typo in these files can lock you out of sudo and the lock screen at the same time.

The last note about their guide is that there is little discussion of the other /etc/pam.d files you could use a Yubikey with.  Savvy Yubikey experts will notice I added the /etc/pam.d/su file to my list.  Also, you might want to do something with /etc/pam.d/sshd, either by adding Yubikey protection or by using SSH keys, if you wish to enable remote logins on your Mac.  If you are remotely logging in with Secure Shell, you can't insert your key into the remote Mac, so key-based authentication is, IMHO, a nice substitute.


You might want to use Apple's Filevault along with your Yubikey so your computer is encrypted and its data is protected at rest.

17 October 2015

Mac OS X El Capitan Non User Encrypted FileVault Boot

You can choose a disk-encryption password as an alternative to unlocking FileVault with your user account.  For years, on many platforms, full disk encryption was unlocked with one password that was typically not associated with the user's login.  You can achieve this today on the Macintosh platform.  It is not quite as easy as enabling FileVault the normal way, but almost.

To do this, you can follow the steps below and/or watch the video.



The first step is to make a Mac OS bootable USB drive which is outside the scope of this blog but easy to find with a Google Search.  

The next step is to boot the bootable drive.  Insert it into a USB port, reboot your Mac, and hold down the Option (ALT) key on start choosing the USB installer disk.

The next step assumes you are willing to erase the Mac completely, so make sure you have it all backed up with Apple's Time Machine or a similar program.  Once the installer loads, choose Utilities -> Disk Utility.  From there we'll set up encryption: erase the disk and choose the "Mac OS Extended (Journaled, Encrypted)" format.  Pick the password you want for your drive, select Erase, and remember the password chosen here; it is the only way back into the disk.

After it is setup with the encryption key, begin the installation process.

The Mac will reboot after installation.  If all went well, you will be asked for the password you chose above.  Enter your disk password at the prompt and the Mac should begin booting.  You must then go through the configuration steps, and you may optionally restore from your Time Machine drive when prompted or start over with a blank install.

And that is all there is to it.  It is pretty much as easy as using FileVault normally. 

31 May 2015

TV, Ubuntu, and AMD's TV Wonder 600 USB Installation

The ATI TV Wonder 600 USB is not supported on Windows 7 or later but is still supported on GNU/Linux.  The best thing to know is that it's really quick and easy to setup and install on Ubuntu.  All you need to do is execute three steps and you can watch TV in less than 5 minutes.  The instructions on the Linux TV website are all you need and always up to date.  To be brief,  open a terminal window and perform the following commands:


  1. cd /lib/firmware
  2. sudo wget http://steventoth.net/linux/hvr1400/xc3028L-v36.fw
  3. sudo apt-get install me-tv
And that's really all there is to it.  Just start Me TV and scan for stations.

The short video below shows you the steps.


02 November 2014

Cable Modem and DSL Home Networks Using VLANs Sharing Ethernet with DD-WRT in Control

This article continues the VLAN discussion from the previous post,  showing you the settings for DD-WRT to make an isolated LAN sharing Ethernet wiring between you and a roommate in the common areas of your home.  This requires installing custom firmware from DD-WRT or OpenWRT.  The included video shows a real world setup that matches the article, but simulates some components described herein.  The cable colorings match the diagram with VLAN7 in yellow and the trunk lines in orange.



I assume you have two networks in your home such as cable and DSL for you and your roommate and you want to use wired networking with access to both networks in common areas with only one Ethernet cable per room. VLANs are a great solution for this. Let's say your roommate needs  a connection in the office and one for the downstairs TV for her entertainment device (XBOX, AppleTV, etc), thus you two need to share the Ethernet cable for common rooms.  For this scenario, we will split the trunk into a Y configuration, bridging two physically separate cables together with VLAN tagging and trunking sending both LANs to two floors in the home.

Home Shares DSL and Cable in Wired Ethernet Using VLANs with DD-WRT, OpenWRT, and VLAN Trunks
Home Network Carrying  multiple VLANs


We will assign your roommate VLAN7 in the basement distribution switch (switch2), but we'll exclude the Netgear WNDR3800 basement router, which serves the cable modem.  In the prior article, you saw the basement switch (switch2) as a VLAN distribution point, but it will now also become a VLAN access point for VLAN7.

Switch 2 changes from the previous build by adding a second trunk to the first floor switch (switch3).  Port 3 is now tagged and includes both VLAN1 for the homeowner LAN and VLAN7 for the DSL LAN.  Port 2 is assigned to VLAN7's DSL modem, which is simulated with a laptop in the video.  Switch2 doesn't include VLAN7 in the WAN port (W) column, excluding it from being able to receive VLAN7 traffic.

Image shows two VLAN trunks and one port assigned to VLAN7
DD-WRT VLAN Trunks and Ports on Linksys e3000

This is the first floor DD-WRT router using the venerable Linksys WRT54GS router.  In this configuration, port 4 is assigned to VLAN7, while the remaining ports stay on VLAN1 except for the WAN port which is the trunk line from the basement.  This router supports the roommate's living room device on port 4.  The video uses my receiver to simulate the roommate's device.

This diagram tags the VLAN trunk port and assigns the VLANs to their proper ports
Linksys WRT54GS VLAN Trunk

The 2nd floor VLAN distribution runs DD-WRT on a Linksys e3000 and uses port 4 for VLAN7 and supports the roommate's computer in the office.

This image shows VLAN7 on its own port, the WAN port as a trunkline, and the remaining ports on VLAN1


Electric wiring or wireless technologies can also be used to connect different networks to devices around the home, and these solutions tend to be the star attraction when you inquire at places like Micro Center or Best Buy for help, but you have another very powerful technique in VLANs which can be used with the inexpensive equipment you or others have discarded.  You can also find many managed switches under $100 U.S. if you wish to purchase hardware dedicated to VLAN networks.


19 October 2014

Home VLAN Trunking with OpenWRT and DDWRT




My edge router is a Netgear WNDR3800 running OpenWRT which creates four VLANs for my domicile.  I use Linksys e3000s running DD-WRT as managed switches distributing LANs where I want them to go.  I will show how I use the remaining Linksys e3000 units to send all four VLANs into one trunk line.  The DD-WRT and the OpenWRT projects have this well documented in a TL;DR manner showing all the command line steps.  I did the whole thing using the GUI interfaces and I will show the wiring as well.  I use VLAN trunking since my office has only one ethernet connection but I have multiple LANs and I want the ability to change the wiring without running physical wires.  Re-wiring is done with software changes!  Of course, you can buy managed switches but many of you might have collected these consumer routers over the years or would like to save some money on the used market since managed switches can be pricey. The short video above contains a demo toward the end.

To start, lets look at the diagram below showing the Netgear WNDR3800 serving the connection to the WAN.
Netgear WNDR3800 uses each port as a distinct VLAN with Port 2 as a VLAN Trunk
Netgear WNDR3800 as VLAN Distributor

The Internet comes into the WNDR3800's WAN port.  This router supports my guest wireless LAN, 192.168.2.0/24, and the primary LAN, 192.168.1.0/24.  Additionally, it supports a server control LAN, 192.168.5.0/24, and the DMZ LAN, 192.168.4.0/24.  The server LAN has only one PC-BSD based ATOM server running my IPv6 blog, using ports 3 and 4 on the device.  Port 1 on the WNDR3800 goes into a powerline adapter but isn't really used.  Port 1's main purpose is to be open in case of an emergency requiring a cable connection to VLAN1, which is the administrative LAN.

On the right, you see I have a Linksys e3000 in the basement which receives the trunk output from the WNDR3800 into its own WAN port. The settings are pictured below.

Linksys e3000 VLAN Trunk Setup with DD-WRT using WAN port and Physical Port 1
DD-WRT Trunking with Linksys e3000
The WAN port is used for input from the WNDR3800 physical port 2.  Port W in the picture above is the WAN port and it is tagged with VLANs 1 through 5 selected.  VLAN2 must be included per the DD-WRT wiki.  The middle ports serve the main network VLAN1 but these can be switched to different VLANs as needed.  Port 4 pictured above is tagged and contains all the same VLANs as the intake port, or "WAN" port as it is labelled.  Port 4 is actually physical port 1 on the Linksys e3000.  The DD-WRT switch guide identifies that the numbering is reversed from the GUI so port 4 in the GUI is labelled as port 1 on the device.

Port 1 is the trunk port sending everything upstairs to my office.  I prefer building servers in the comfort of the office rather than the cold and cramped basement, so I use VLAN tagging to put switch ports on the upstairs Linksys e3000 onto VLANs 4 and 5; as you see, I switched one of them to VLAN3 (GUEST) for the demo and the other port is still VLAN1.  For server building, I bring both VLAN4 and VLAN5 upstairs for DMZ and server control, allowing me to easily configure the server with the proper IPs the first time without needing to change IPs once it is placed into the server area downstairs.

Below is the configuration of the upstairs DD-WRT using VLAN5 (SERVER) into physical port 1. DHCP/WAN and other features that make the e3000s a primary router are disabled but not depicted in any of the pictures below.

One port is switched to VLAN 5 on the Linksys e3000
Linksys e3000 with VLAN Trunking and VLAN5

As you can see from the above steps, VLAN trunking is pretty easy and OpenWRT/DD-WRT make virtual wiring quite easy.  Of course, with just about everything wireless nowadays, I suspect this article will get few hits.  You can assign wireless networks to VLANs just as my guest network is bridged to VLAN3.

You can see the devices in their real world setup below.  The basement e3000 should have two orange cables but the house is wired with blue so I put a white label with orange text around it on the right but the photo isn't very sharp around the cable nor is the label's text visible in the picture.

The far right is the trunk upstairs and is a blue cable with an white label with orange text
Linksys e3000 Basement VLAN Trunk Orange
I should use a blue VLAN1 colored cable for the gaming PC instead of the gray one in the picture.
VLAN Trunk in on orange cable into WAN port with remaining ports on VLAN1
Office e3000 with trunk in WAN port and AnyLAN port in Yellow

Netgear WNDR3800 backplane with separate VLANs
Netgear WNDR3800 running OpenWRT as Gateway Router

Netgear WNDR3800 Backplane VLAN Connections 

Intel ATOM Server with PC-BSD
Intel ATOM Server running PC-BSD





06 October 2014

Take and Bake Pizza Delicious Crust

Improving the Crust of Pre-made Pizza


I love the taste of Papa Murphy's take and bake pizza and I feel this pie is one of the best values in fast food, but I don't like the crust so much.  The crust needs something extra, which for some could be dipping sauce, but I like to spice up the crust myself with my own blend of seasonings.  You can use whatever seasonings you like, of course, and if you do, leave a note about your choices of spices and enhancers below.

Take a look at the video to see how to improve the crust of the pizza.