Wednesday, December 12, 2012

Protect yourself while working on a remote cisco device

Couple of things to remember when working on a remote router

1. Always make sure to get a copy of the config! VERY IMPORTANT. In case something goes to hell, you need to make sure that you are able to get back to where you started.

2. Reload command. The reload command will restart the router without saving changes. So if you are going to be working on a remote router, and you are not sure if some of the changes that you will make are going to possibly lock you out of the device (or kill it); use the command `reload in 30`. This will reload the device in thirty minutes, regardless of changes that you make. You can also cancel the reload with a `reload cancel`.

Remember these things!

Friday, November 9, 2012

Completely ripped off from here: http://andym3.wordpress.com/projects/the-broadcom-wireless-card-guide/

How to configure broadcom wireless drivers in Linux.


The Broadcom Wireless Card Guide

Introduction: Unfortunately, most Broadcom wireless cards need proprietary firmware to get connected; many major distributions make it easy to get this firmware, but the tools they bundle need an Internet connection to get it, which is not always possible. Most tutorials currently online also assume you have a working Internet connection already, but this one will give you instructions on how to install the drivers manually. Don’t worry, it’s not that hard. :D
Step 1: find out what card you have.
There are lots of Broadcom cards out there. To find out what yours is, open a terminal and type or copy-paste (use right-click > Paste to paste into terminals) the following for Ubuntu and Debian:
sudo lspci -vnn | grep 14e4
Or the following for Fedora and others:
su -c "lspci -vnn | grep 14e4
The result should be something like this:
02:00.0 Network controller [0280]: Broadcom Corporation BCM4312 802.11b/g LP-PHY [14e4:4315] (rev 01)
From this, you need the PCI ID, which has been italicized in the sample above. Now look up your PCI ID in the following table:
PCI IDChipDriver(s)Notes
14e4:4301BCM4303b43legacy-
14e4:4306BCM4306 rev. 2b43legacyTwo IDs, same card (?)
14e4:4320
14e4:4307BCM4306 rev. 3b43-
14e4:4311BCM4311b43, wl-
14e4:4312BCM4312b43Unsure about this one
14e4:4313BCM4313b43, wlUnsure about this one
14e4:4315BCM4312b43, wlRequires LP/PHY firmware
14e4:4318BCM4318b43-
14e4:4328BCM4321wlTwo IDs, same card (?)
14e4:4329
14e4:432bBCM4322wl-
14e4:4353BCM43224wl-
14e4:4357BCM43225wl-
Okay, that table above might confuse you, so let me explain. On the first column you get the PCI ID of the card, which you should already know. On the second column, you get the actual chip’s name. These are not the same as Product IDs (the part of the PCI ID after 14e4:); you can probably use those to verify that you have the right card. On the third column you have the drivers that support each card. You will need to pick one of them and install it; details lie below. And on the fourth column you have any notes related to the card.
If your card isn’t listed there, it probably doesn’t work. I recommend you check this page for more details, but watch out for conflicting information!
Step 2: Pick the right driver.
There are two major drivers for the current series of Broadcom cards, plus one for older cards and one in development (not mentioned here).
  1. Broadcom STA (also known as wl) is the official, Broadcom driver for a few cards typically found in Dell and HP laptops. It’s theoretically more stable than b43 and doesn’t need additional firmware, but it lacks some advanced features and is proprietary software.
  2. b43 is a free-as-in-freedom unofficial driver that requires, however, proprietary firmware to work. It offers a lot more features than wl and, in my experience, is also a lot faster. It can have some issues with new cards, but it should generally work.
  3. b43-legacy is a driver for older BCM43xx cards that don’t work with b43; it’s also free-as-in-freedom, but requires proprietary firmware.
Using this information and the table above, pick one of the drivers and skip to the relevant section…
Installing the Broadcom STA (wl) driver
Ubuntu: you’ll need to download the following packages (choose your Ubuntu release, architecture and mirror): dkmspatchfakeroot and bcmwl-kernel-source.
After you’ve downloaded the .deb files, use a USB flashdrive or some other means of file transfer to get them on the computer you want to install to. Then, just double-clicking each file should bring up Ubuntu Software Center and let you install it.
Then just navigate to System > Administration > Additional Drivers (or Hardware Drivers for older releases) and activate the Broadcom STA driver.
Check out this page for more information about online installation, but please note that the offline installation instructions are pretty much outdated for wl.
Important note: if this fails, use Keryx (0.92, not 1.0) to do an offline upgrade and install the bcmwl-kernel-source package. An up-to-date Keryx tutorial is on my to-do list.
Other distributions: you can compile the STA driver yourself. 32-bit .tar.gz64-bit .tar.gz,readme. The readme explains how to compile the drivers pretty well, so I’m not going to do that here.
Installing the b43 driver (non-LP/PHY cards)
If your card’s PCI ID is 14e4:4315 (BCM4312 chip), you should use the instructions a little further down, since it’s a LP/PHY card.
Get b43-fwcutter: for Ubuntu, download and install b43-fwcutter (pick your version and architecture;direct link for the impatient). I believe it’s installed by default with openSUSE and Fedora, and possibly others. If your distribution doesn’t have it, download the tarball and compile it using the following commands (I recommend you only do this if you have some experience with the Linux shell):
tar xjf b43-fwcutter-013.tar.bz2
cd b43-fwcutter-013
make
cd ..

Unload the module: run this command: sudo modprobe -rv b43 ssb (or su -c "modprobe -rv b43 ssb" if you don’t have sudo installed or usable).
Get the firmware: you’ll need to download this package. Then open a Terminal, cd to where you downloaded it and run the following commands (substitute b43-fwcutter with the actual path to the b43-fwcutter executable if you compiled it yourself):
tar xjf broadcom-wl-4.150.10.5.tar.bz2
cd broadcom-wl-4.150.10.5/driver
sudo b43-fwcutter -w /lib/firmware wl_apsta_mimo.o

If you don’t have sudo installed or usable (just su), use this command instead:
su -c "b43-fwcutter -w /lib/firmware wl_apsta_mimo.o"
Finish up: I suggest you restart. You can probably get around with using sudo modprobe -v b43on some distros (I usually do that on Ubuntu), but please, please, don’t ever run that command on openSUSE, you’ll just completely mess your system up and yell at me. On second thought, please just restart after installing.
Installing the b43 driver with LP/PHY firmware
This seems to only be relevant for BCM4312, which happens to be the card I have. First, you’ll need b43-fwcutter, which you can get using the instructions above. Then, get the correct firmware package and use these commands to install it:
sudo modprobe -rv b43 ssb
tar xjf broadcom-wl-4.178.10.4.tar.bz2
cd broadcom-wl-4.178.10.4/linux
sudo b43-fwcutter -w /lib/firmware wl_apsta.o

As usual, change sudo to su -c and put the rest in quotes if you don’t have sudo.
To finish up, restart your system.
Installing the b43legacy driver
Again, get b43-fwcutter as described above, then download this package and use the following command to install it:
sudo ./b43-fwcutter-013/b43-fwcutter -w /lib/firmware wl_apsta-3.130.20.0.o
I don’t own any b43legacy-compatible card, so I’m not sure whether you need to unload the b43legacy module (using sudo modprobe -rv b43legacy before you install the firmware. I’d say you should do it, just to be sure, then restart after installing the firmware.

Monday, February 21, 2011

Sunday, February 20, 2011

Configuring Services to Start at Boot with Fedora

Recently some people have been asking me how to start and stop services in linux CLI. This is a simple task to do, and once you know the tools to do it, it will be a breeze. The host system that I am using is Fedora, but this will work on other like distros like CentOS or RHEL.

The first way to do it is with the command service

So to start a service like SSH you would type:

service sshd start

Or for OpenVPN you would use:

service openvpn start

And to stop them you just add stop at the end of the same command:
 
service sshd stop



Now if you have recently installed a new service and you want it to start at boot you need to use the command ntsysv. I have attached a little video that should show how easy this is. But remember, you must be root to do this. You just check or uncheck the services that you want to start on boot. If you have any questions just leave them in the comments and I will try and answer them.

Thursday, November 18, 2010

Firesheep and how to protect yourself

In recent weeks an old vulnerably has become very popular, with the release of FireSheep.

FireSheep is a Firefox extension that takes advantage of something called session-hijacking. Normally when you go to a website that requires you to log in (e.g. Facebook.com) you are served up to an HTTPS website. (Although, Facebook does not default to HTTPS, you have to manually enter it in.) This is an SSL connection that encrypts all of the network traffic from your computer to the Facebook servers. This is how you want all of your traffic to be sent. Then when you log in with your password, the password is encrypted so that anyone who may be listening in, would only get unreadable data. What happens is that after the server (Facebook.com) has verified your password, it sends you what is called a session cookie. This session cookie is sent to your computer after you have verified the password. So instead of having to enter in your password every time you want to do something, it just looks and sees that you have the session cookie that you got from verifying the password, and it lets you continue. Now, you have to pass this session cookie to Facebook every so often, just so that it knows that you are allowed to do all the things that you are doing. This sounds great, because who wants to have to enter in your password every time you want to friend someone? Or make a status update? No one.

The reality is, this is a serious security vulnerability. Because only Facebook's login page is sent over SSL. So your password is sent encrypted, but the rest of the time you are browsing, you are not. So when Facebook asks for that session cookie, someone can very easily "hijack" your cookie. This is what FireSheep does. It waits for a session cookie to be sent over the network, and takes it. Once someone has a session cookie, the website can no longer discern you from them. Because the only way you could have gotten the session cookie is from verifying the password. Right?

There are several things that you can do to prevent this from happening.


  1. The first and easiest way is to never use "open" or unencrypted wireless internet. The way that the encryption protocols work, they are auto-isolating. Which basically means, that even though you could have 20 people on one wireless router or access point, they are all basically on their own "line", they are separate from each other. It makes no difference what the password is, just that it is encrypted somehow. If you were just going to have the wireless open for everyone, just put a piece of paper on the wall that tells the password.
  2. Use SSL whenever possible! When you go to twitter.com or facebook.com (Or a growing number of websites) always tell it HTTPS:// (e.g. https://www.twitter.com or https://www.facecbook.com)
  3. Use an end to end encryption technique such as OpenVPN or tunnel your traffic through an SSH tunnel.
  4. If you are unable to do any of these things, do not use website that require you to log in while using an unencrypted wireless signal. If you do, you are rolling the dice. As of this posting, FireSheep has been downloaded 770,000 times.
I will post a tutorial on how to use OpenVPN or SSH tunneling shortly.


Tark