Posts about nerd

Happy New Year – Resolution #1, Network & Data

January 1st, 2011

It’s a new year and time to start getting New Year’s resolutions into action. I’ve moved into my new area in the study, so I’ve started setting it up how I like it.

The first step is to get my router set up. The router I’m using is a little ‘fit-pc’ box with two ethernet ports. As you can see, it’s pretty tiny but doesn’t pack much in terms of power.


I’ve put the D-Link router in bridge mode (so it just acts as a layer-two modem/bridge) and let the fit-pc router establish a PPPoE session with my ISP and do all the routing with iptables. (I’ve got to update my firewall script and the services running on the box, and I’ll post the how-tos for that later on.) Now the little crappy D-Link thing doesn’t fall over and die when torrenting: the fit-pc does all the routing, and torrenting without hogging up entries in the modem’s NAT table is always a good thing.

One of my New Year’s resolutions is to digitise everything (and make it reliable to do so) so I don’t have to worry about any paper floating around in my life (I HATE paperwork). To do this, I want to add a few more features to my home network, whilst improving security (especially after my VoIP was hacked a while ago).

I’m splitting my network into ‘trusted’ and ‘not so trusted’ zones. The beauty is that because my router now has two NICs, putting a small 8-port switch into the equation will allow me to route traffic between these zones in a nicely firewalled way.

I’d generally be lazy and put WPA-PSK security on the access point.

I feel safe doing this, going by a ZDNet article:

All you need to do is use WPA-PSK security with a random alpha-numeric pass-phrase that has a minimum of 10 characters. I estimated that a truly random alpha-numeric 10-character pass-phrase using modern single-core computers will take one thousand PCs working in parallel 500 years to crack

I lol’d a bit where it says “.. you could run WEP (104 bit AKA 128) security, which might take a semi-skilled script kiddy using two PCs in an active attack configuration 10 minutes to break.”

At the moment, my wireless is secured by only a 64-bit WEP key (shock horror!). Why? Because I’ve got damn devices like the Nintendo DS sitting on here (which I’ve been wasting a bit of time on lately) that don’t support WPA.

I could hide my SSID, do MAC filtering and not run DHCP, all that jazz, but the end of the story is that this can all be hacked by people who know what they’re doing (MAC addresses can be spoofed, and if you’re using your wireless network then you’re still broadcasting stuff).

I’m not terribly worried at the moment if someone hacks in: they can steal some of my crappy 1.5Mbit internet, they can print to my printer (have fun). My workstations themselves are to some degree protected, but what about when I build my file server and start storing bank statements, tax file numbers, all that stuff? The more layers of security the better! (I learnt this the hard way, trust me.)

As I’ve already said, the way I’m lessening my fear of these security problems is by splitting my network into trusted and not so trusted zones.

User Isolation security means that the wireless clients won’t be able to see each other on the network. I’ll allow traffic to and from certain devices on the trusted network (the printer, for instance), but to gain access to any of my secure boxes (fileserver, other workstations) wireless clients will have to first connect through WEP, then establish a secured VPN connection into the trusted zone. With this setup, even if someone breaks into my WiFi, good on them: they get crippled net (I might cripple WiFi bandwidth to the net, not decided yet) and access to... well, my printer again *sigh*.

Network stack lol!


New Network

December 28th, 2010

So I’ve moved back home with the family now. One thing I’ve been meaning to do is to digitise my life and get set up on the cloud. I think it’ll be really basic to start off with: VPN access in to my home network, firewall everything off, then create a few layers of the network.

The issue is that I want to go paperless. I want to set up a ZFS fileserver to store and snapshot all my data, with remote encrypted backups of important documents and the like. I want to make sure hackers can’t get in and take any of this data or gain access to the network. The problem is my DS still needs access with WEP to go on the net. I’m thinking of splitting my network into two subnets, one for wireless and one for wired devices, and just allowing things like the printer and ssh access to the fileserver through the firewall into the LAN subnet.

I’ll be blogging the setup of my new computer, my fileserver and home network setup. Before I can really dig into this though, I need to get my study set up.


Home networking is back

November 7th, 2010

So, since I had the scare with my Asterisk VoIP box being hacked and a telephone call to Antarctica having been made, I decided to do something about it.

My home network now consists of my D-Link Wireless router being put into Bridge mode, with all services pretty much turned off on the thing.

My internal network is 10.12.0.0/16. I plan to sub-divide this address space later, but for now I’m pretty much keeping it in one big heap until I set up my servers and want to separate them further from the wireless workstations. For this reason I’m keeping my setup pretty simple, all pretty much in a 10.12.1.0/24 space.

Anyway, I’m doing what I should have done a long, long time ago. I’ve set up iptables to block all traffic (except ICMP for now, and ssh inbound).

I’m being a bit lighter on resources on this cheap little router (the Fit-PC), so I’m using dnsmasq for DNS and DHCP.

Plans for the future: I want to have a pool of IPv6 addresses that my DHCP server can assign and make them publicly addressable through some IPv6 trunk somewhere. That’d be pretty sick.
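The firewall policy described in this post (default drop, ICMP and inbound ssh allowed, dnsmasq for DNS/DHCP) and the trusted / “not so trusted” zone split from the January post (wireless clients reach only the internet, the printer and a VPN into the trusted zone) as one iptables script. This is an added example, not the blog’s own firewall script, which the author says will be posted later. The interface names (ppp0, eth0, eth1, tun0), the wireless subnet 10.12.2.0/24, the printer address and the VPN port are assumptions; 10.12.1.0/24 is the post’s own LAN range. With no argument, or with DRY_RUN=1, it prints the iptables commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# firewall.sh: added example (not the blog's script) of the policy the posts
# describe for the fit-PC router. Default DROP; ICMP and inbound ssh open;
# dnsmasq serves DNS/DHCP to the internal zones; the wired LAN is trusted,
# the wireless zone may only reach the internet, the printer and the VPN
# endpoint on the router. Interface names, the wireless subnet, the printer
# address and the VPN port are assumptions, not the blog's values.
set -u

WAN="${WAN:-ppp0}"                       # PPPoE session; the D-Link is only a bridge
LAN="${LAN:-eth0}";  LAN_NET="${LAN_NET:-10.12.1.0/24}"    # trusted zone (post's subnet)
WIFI="${WIFI:-eth1}"; WIFI_NET="${WIFI_NET:-10.12.2.0/24}" # wireless zone (assumed subnet)
VPN_IF="${VPN_IF:-tun0}"                 # assumed tunnel interface for VPN clients
VPN_PORT="${VPN_PORT:-1194}"             # assumed UDP port the VPN listens on
PRINTER="${PRINTER:-10.12.1.20}"         # assumed printer address in the trusted zone
DRY_RUN="${DRY_RUN:-}"

ipt() {   # run one iptables command, or print it in dry-run mode
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

firewall_rules() {
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

    # loopback, plus replies to connections the router or its clients started
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # the two exceptions the November post names: ICMP and inbound ssh
    ipt -A INPUT -p icmp -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # dnsmasq on the router answers DNS and DHCP for the internal zones only
    for zone in "$LAN" "$WIFI"; do
        ipt -A INPUT -i "$zone" -p udp --dport 53 -j ACCEPT
        ipt -A INPUT -i "$zone" -p tcp --dport 53 -j ACCEPT
        ipt -A INPUT -i "$zone" -p udp --dport 67 -j ACCEPT
    done

    # trusted LAN goes out to the internet; the source check drops spoofed addresses
    ipt -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$WAN" -j ACCEPT

    # wireless zone: internet, the printer, and the VPN service on the router.
    # Anything else wifi -> LAN falls through to the FORWARD DROP policy, so a
    # WEP break-in only gets what the January post is happy to give away.
    ipt -A FORWARD -i "$WIFI" -s "$WIFI_NET" -o "$WAN" -j ACCEPT
    ipt -A FORWARD -i "$WIFI" -s "$WIFI_NET" -o "$LAN" -d "$PRINTER" -j ACCEPT
    ipt -A INPUT -i "$WIFI" -s "$WIFI_NET" -p udp --dport "$VPN_PORT" -j ACCEPT

    # authenticated VPN clients arrive on the tunnel interface and may reach the LAN
    ipt -A FORWARD -i "$VPN_IF" -o "$LAN" -j ACCEPT

    # NAT everything that leaves on the PPPoE link
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

case "${1:-}" in
    apply) firewall_rules ;;             # install the rules for real (needs root)
    *)     DRY_RUN=1; firewall_rules ;;  # default: print what would be run
esac
```

Run it as `./firewall.sh` to see the rules it would install, then `./firewall.sh apply` as root. The order matters: the ESTABLISHED,RELATED rules come first so return traffic is cheap, and the wireless rules name their source subnet so a client in that zone cannot borrow a trusted-zone address to slip past the printer-only rule.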


Backup your site!

October 9th, 2010

In my previous post I mentioned how I didn’t back up or migrate any of my data before we stopped paying the hosting company, so it’s all lost.

This has me thinking how much of a shame it would be if I build a wealth of information or a blog that I can use to identify myself and my work, only to have it go if the machine it’s hosted on dies. That would be bad, so this post is a short tutorial on how to perform nightly backups of your website without you having to lift a finger.

About
This method uses rsync to transfer files (including a dump of the database) to another machine, so you’ve got a live backup should things turn pear-shaped. In this short tutorial, we’ll be transferring files from our ‘webhost’ server to our ‘backuphost’ server.

Step 1. SSH RSA KEYS
We will be using ssh to securely transfer the data between our two hosts. Because this is a scripted and automated method, we can’t be there to type in a password each time we wish to run the backups, so we’ll be using an RSA public/private key pair for authentication. This allows password-less authentication for ssh sessions, transferring files with scp, etc.
First, log in to the webhost where we can generate the local public and private keys.

$ ssh-keygen -t rsa

This will prompt you for a location to save the key and a passphrase; you can just press Enter past those and accept all the defaults.

Our next step is to transfer the public key across to our backup server.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub backupUser@backupserver.com

Side note: on OS X or a distro where you don’t have ssh-copy-id, this will work just as well:

cat ~/.ssh/id_rsa.pub | ssh backups@backupserver.com "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat - >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

This will prompt you for the login password for the host, then copy the keyfile for you, creating the correct directory and fixing the permissions as necessary.

Now test to make sure you can log into the backupserver without requiring a password.

Step 2. Creating the backup script
I made a backup script (backup.sh; make sure to ‘chmod u+x backup.sh’ once it’s been created) to run through these few backup procedures. The first step is to do a dump of the database to a file. You could very well host an SQL server on the other side and mirror the database to get things up and running faster, but that was overkill for my needs. Besides, always remember there are many ways to skin a cat, and this one seemed to work nicely for all intents and purposes.

The backup script has two parts: do a dump of the database, then copy that over to the server, along with all of public_html or htdocs or wherever you put your public hosted files.

#!/bin/sh
# backup.sh: dump the database, then sync the dump and the web root to the backup host

echo "Running backup script..."

echo "Running a dump of the database.."

mysqldump --user=scottyob --password=somePassword --all-databases > /var/www/scottyob.com/backup/database.dump # backup of database

echo "Syncing the backup directory.."

rsync -a -e ssh /var/www/scottyob.com/backup/ backups@backuphost.com:backups/
rsync -a -e ssh /var/www/scottyob.com/htdocs/ backups@backuphost.com:htdocs/

echo "Backup made on " `date` >> /var/www/scottyob.com/backuplog.txt

And there you have it: a script to back up your website to the user ‘backups’ on the server ‘backuphost.com’.

Step 3. Automated..ness

This is no good for me unless it’s automated, so I just ran this script under a cron job.

Edit your cron file using

$ crontab -e

Then I told it that at one minute past midnight every day it should back up my website (add the following line):

1 0 * * * /var/www/scottyob.com/backup.sh

And there we have it, folks: my backup procedure, so my site will never have to be started from scratch again.
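The three steps above (key-based ssh, the dump-and-rsync script, the cron entry) as one complete backup.sh. This is an added example, not the post’s own script. It keeps the post’s paths and the ‘backups’ user on backuphost.com; the credentials file name, the `run` argument and the overridable command names are my additions. The two changes from the post’s version that matter for a box exposed to the internet are that the MySQL password no longer sits on the mysqldump command line (where `ps` shows it to every local user) but in a mode-600 options file the script refuses to use if it is readable by anyone else, and that the dump is written to a temporary file and only replaces the previous dump when mysqldump succeeds, so a failed dump is never rsynced over a good one.

```shell
#!/bin/sh
# backup.sh: added example (not the post's script). Nightly site backup:
# dump all databases, then rsync the dump directory and the web root to the
# backup host over ssh with the key set up in step 1. Paths, user and host
# follow the post; the credentials file and the `run` argument are assumptions.
set -u

SITE_ROOT="${SITE_ROOT:-/var/www/scottyob.com}"
BACKUP_DIR="${BACKUP_DIR:-$SITE_ROOT/backup}"
HTDOCS_DIR="${HTDOCS_DIR:-$SITE_ROOT/htdocs}"
LOG_FILE="${LOG_FILE:-$SITE_ROOT/backuplog.txt}"
MYSQL_CNF="${MYSQL_CNF:-${HOME:-/root}/.my-backup.cnf}"   # [client] user= / password=
REMOTE="${REMOTE:-backups@backuphost.com}"                # user and host from the post
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"                       # overridable for testing
RSYNC="${RSYNC:-rsync}"

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# Refuse a credentials file that anyone but this user can read: the whole
# point of the options file is keeping the password out of `ps` and off disk
# for other users.
check_cnf_perms() {
    [ -f "$MYSQL_CNF" ] || { echo "missing $MYSQL_CNF" >&2; return 1; }
    [ -n "$(find "$MYSQL_CNF" -perm 600 -print)" ] || {
        echo "$MYSQL_CNF must be mode 600" >&2; return 1; }
}

# Dump to a temp file; replace database.dump only if mysqldump succeeded.
# --defaults-extra-file has to be the first option given to mysqldump.
dump_database() {
    tmp="$BACKUP_DIR/database.dump.tmp"
    mkdir -p "$BACKUP_DIR"
    if "$MYSQLDUMP" --defaults-extra-file="$MYSQL_CNF" --all-databases >"$tmp" 2>>"$LOG_FILE"; then
        mv "$tmp" "$BACKUP_DIR/database.dump"
    else
        rm -f "$tmp"        # keep yesterday's good dump, discard the broken one
        return 1
    fi
}

sync_dir() {   # sync_dir <local dir> <remote subdir>; no --delete, like the post
    "$RSYNC" -a -e ssh "$1/" "$REMOTE:$2/"
}

main() {
    log "backup started"
    check_cnf_perms                || { log "FAILED: credentials file check"; exit 1; }
    dump_database                  || { log "FAILED: mysqldump"; exit 1; }
    sync_dir "$BACKUP_DIR" backups || { log "FAILED: rsync backup dir"; exit 1; }
    sync_dir "$HTDOCS_DIR" htdocs  || { log "FAILED: rsync htdocs"; exit 1; }
    log "backup completed OK"
}

# Only run when invoked as `backup.sh run`, so the file can also be sourced
# (for example by a test) without starting a backup.
if [ "${1:-}" = run ]; then main; fi
```

Create the options file once with a `[client]` section holding `user=` and `password=` lines and `chmod 600` it; then the cron line from step 3 becomes `1 0 * * * /var/www/scottyob.com/backup.sh run`. Because each failure is logged with its own message and the script stops at the first one, the backuplog.txt the post already keeps now also tells you which step broke, rather than recording “Backup made on” for a run that shipped an empty dump.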