The Blogger editor for writing a new post is tiny, and on my 24" screen it is even sadder: all that space wasted...
I have known Greasemonkey for a while, so I looked for a script that would enlarge the editor (if I hadn't found one, I would have written it!).
And I found one that works perfectly well here:
http://userscripts.org/scripts/show/7108
by http://fatknowledge.blogspot.com/
You don't know Greasemonkey yet...?
It's a must-have!
In short, it's a Firefox extension that lets you inject custom JavaScript into any web page to add functionality. Keep in mind that an injected script runs with the full privileges of the page it is injected into (its DOM, forms and cookies), so only install scripts whose source you have read.
More info here:
http://en.wikipedia.org/wiki/Greasemonkey
Get Firefox: http://www.getfirefox.com
Get the Greasemonkey extension: https://addons.mozilla.org/fr/firefox/addon/748
Get the Blogger script: http://userscripts.org/scripts/show/7108
(click on "Install this script" in the upper right corner)
Get more scripts here: http://userscripts.org/
Other useful Firefox extensions: Adblock Plus (stops ads from being displayed), Firebug (a developer extension) and YSlow (a plugin for Firebug, which is itself a Firefox extension).
Friday, 25 January 2008
Wednesday, 23 January 2008
Open a SSH connection through an http proxy and dig tunnels :)
I work for an IT services and software engineering company, and I often spend some time (three months to a year) at a client company's office...
And often I'm behind a ****ing proxy that filters HTTP requests, runs antivirus analysis, etc. Useful for the company's security and efficiency, but really annoying for me.
Those proxies allow HTTP (tcp/80) and HTTPS (tcp/443) connections and nothing else...
So no tcp/22 for SSH, and I miss it a lot, for many reasons.
So here is what to do to get an SSH connection to a Linux box.
But beware: doing this will almost certainly break the security agreement you signed when you joined the company. It lets you bypass the content filtering and the security controls, and you could be fired for it...
This blog post shows how to go through an HTTP proxy that uses basic authentication.
A following post will show a way through a proxy that uses the NTLM authentication mechanism.
Server configuration
You're a geek like me, so you have a Linux box somewhere, running 24 hours a day, with an SSH server on it.
The SSH server usually listens on tcp/22, but that port is filtered by the proxy. The proxy only allows tcp/80 and tcp/443.
As tcp/80 is probably used by your web server, we'll focus on tcp/443, the HTTPS port, which you probably don't need. You can do the same with tcp/80.
What we need is for your Linux box to accept an SSH connection on tcp/443.
We can either change the SSH server configuration so that it also listens on port 443, or redirect connections arriving on port 443 to port 22.
I prefer the second option: it leaves the SSH server configuration untouched, and your Linux box can still be reached over SSH on its standard port.
You can redirect port 443 to port 22 using iptables or other tools.
You may even have a graphical interface that lets you do it easily.
With SME Server, I have such a tool (a web interface reachable only from my local network).
You can find information on how to do that here:
http://tldp.org/HOWTO/IP-Masquerade-HOWTO/forwarders.html
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
If it helps, here are the lines of my iptables-save output that involve port 443:
-A PortForwarding_22383 -p tcp -m tcp --dport 443 -j DNAT --to-destination 80.1.1.1:22
-A InboundTCP_22383 -d 80.1.1.1 -p tcp -m tcp --dport 443 -j ACCEPT
where 80.1.1.1 is my external public IP address. (The chain names PortForwarding_22383 and InboundTCP_22383 are generated by SME Server; on a plain iptables host the DNAT rule goes in the nat table's PREROUTING chain and the ACCEPT rule in the filter table's INPUT chain.)
Once this is done, you can test it by opening an SSH connection on port 443, or with telnet (telnet yourBoxIp 443): you should see your SSH server's version banner, e.g. SSH-2.0-OpenSSH_3.9p1. Keep in mind that this banner is sent in clear text at the very start of the stream, so a proxy that inspects what flows through its CONNECT tunnels can tell that this is SSH and not TLS.
Configure your ssh client
PuTTY is a marvellous SSH client for Windows; I couldn't live without it.
You can get it here: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
All the settings described below can be changed on the fly while the SSH connection is open (except the proxy settings, of course) by right-clicking the window title bar -> Change Settings.
Basic settings

In the Host Name field, enter the IP or domain name of your Linux box.
In the Port field, enter 443 (or 80 if you use port 80).
In Saved Sessions, enter a string that reminds you of your truly loved Linux box ;o)
Putty's number of lines of scrollback
This is not really a mandatory step, but it is really useful.

Replace the value 200 with 20000000 (it should be enough). Adding more zeros can make PuTTY behave strangely... I've tried ;o)
Putty's encoding

To get characters displayed properly in PuTTY, you need to set PuTTY's character encoding according to your Linux box's configuration (mostly UTF-8 or your country's specific charset).
On a Red Hat style system you can find this setting in /etc/sysconfig/i18n:
cat /etc/sysconfig/i18n
LANG="fr_FR@euro"
SUPPORTED="fr_Fr@euro:fr_FR:fr"
SYSFONT="lat0-sun16"
SYSFONTACM="iso15"
Here it's fr_FR, which is the ISO-8859-1 charset.
You can find which charset matches your locale in /usr/share/i18n/locales/<your locale>:
cat /usr/share/i18n/locales/fr_FR
comment_char %
escape_char /
%
% French Language Locale for France
% Source: RAP
% Address: Sankt Jo//rgens Alle 8
% DK-1615 Ko//benhavn V, Danmark
% Contact: Keld Simonsen
% Email: Keld.Simonsen@dkuug.dk
% Tel: +45 - 31226543
% Fax: +45 - 33256543
% Language: fr
% Territory: FR
% Revision: 4.3
% Date: 1996-10-15
% Users: general
% Charset: ISO-8859-1
% Distribution and use is free, also
% for commercial purposes.
Keep alive settings

The HTTP proxy will automatically close an idle connection. To avoid that, PuTTY has a keepalive parameter that simulates activity so the proxy doesn't drop the connection. PuTTY's keepalives are SSH-level null packets inside the encrypted stream; the proxy only sees that bytes keep flowing through its CONNECT tunnel, which is all it needs.
Set it to 4 seconds, which is a good value.
Proxy settings

Here is the tricky part...
You need to find the proxy URL and port, and your login and password.
In most cases your company uses Microsoft Windows and Internet Explorer.
You can get the proxy settings from Internet Explorer, in:
Tools -> Internet Options -> Connections -> LAN settings


If the checkbox in the "Proxy server" section is ticked, just use the information in that section (have a look at Advanced as well), but in most cases a configuration script is used instead.
Copy and paste the script URL into the Internet Explorer address bar, save the content to a file and read it...
You need to determine which proxy URL applies to you.
Proxy scripts usually use your network address and subnet to decide which proxy server you should use, with functions such as dnsDomainIs(host, "aDomain.com") or isInNet(host, "10.0.123.0", "255.255.255.0"):
// excerpt of the script's FindProxyForURL(url, host) function
if ( dnsDomainIs (host, ".domain.com.") ||
     dnsDomainIs (host, ".sub.domaine.com.") ||
     dnsDomainIs (host, ".domain.net.") ||
     dnsDomainIs (host, ".domain2.com.") ||
     isInNet (host, "10.0.112.0", "255.255.255.0") ||
     isInNet (host, "10.1.112.0", "255.255.255.0"))
{
    if (isInNet (myIpAddress (),"10.3.0.0", "255.255.0.0"))
        return "PROXY srv-proxy-01.site.dom:8090;" +
               "PROXY srv-proxy-02.site.dom:8090";
    else
        return "PROXY srv-proxy-01.site2.dom:8090;" +
               "PROXY srv-proxy-02.site2.dom:8090";
}
In this case, if your own address is in 10.3.0.0/16 the proxy would be srv-proxy-01.site.dom or srv-proxy-02.site.dom, otherwise srv-proxy-01.site2.dom or srv-proxy-02.site2.dom, on port 8090 either way. Note that the outer condition tests the destination host: for hosts outside those domains and networks, the rest of the script (not shown here) decides.
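To work out the answer without running the script in a browser, here is an added example (my code, not from the original post and not part of any proxy product): a Python transcription of the excerpt above with the PAC helpers dnsDomainIs and isInNet re-implemented, a parser that turns the returned "PROXY host:port;PROXY host:port" string into the list of candidates to try in PuTTY, and a scanner that lists every PROXY entry anywhere in a script, which is what "try each URL and port in the script" amounts to. Assumptions: the trailing dots in the excerpt's domain strings are dropped (dnsDomainIs is a plain suffix test and browsers pass host names without a final dot, so the literal strings would never match); isInNet does no DNS lookup here; hosts the excerpt does not cover return DIRECT, standing in for the rest of the real script, which is not shown on the page.

```python
import ipaddress
import re
from typing import List, Tuple

# The excerpt from the post, verbatim, used as input for all_proxies_in_script().
PAC_EXCERPT = """\
if ( dnsDomainIs (host, ".domain.com.") ||
     dnsDomainIs (host, ".sub.domaine.com.") ||
     dnsDomainIs (host, ".domain.net.") ||
     dnsDomainIs (host, ".domain2.com.") ||
     isInNet (host, "10.0.112.0", "255.255.255.0") ||
     isInNet (host, "10.1.112.0", "255.255.255.0"))
{
    if (isInNet (myIpAddress (),"10.3.0.0", "255.255.0.0"))
        return "PROXY srv-proxy-01.site.dom:8090;" +
               "PROXY srv-proxy-02.site.dom:8090";
    else
        return "PROXY srv-proxy-01.site2.dom:8090;" +
               "PROXY srv-proxy-02.site2.dom:8090";
}
"""


def dns_domain_is(host: str, domain: str) -> bool:
    """PAC dnsDomainIs(): a plain, case-insensitive suffix test on the host name."""
    return host.lower().endswith(domain.lower())


def is_in_net(ip_or_host: str, net: str, mask: str) -> bool:
    """PAC isInNet(): is the address inside net/mask?

    The browser version resolves a host name first; this one does no DNS
    (assumption) and simply returns False for anything that is not an IP."""
    try:
        addr = ipaddress.IPv4Address(ip_or_host)
    except ValueError:
        return False
    return addr in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)


def find_proxy_for_url(host: str, my_ip: str) -> str:
    """Transcription of the PAC excerpt; my_ip stands in for myIpAddress()."""
    if (dns_domain_is(host, ".domain.com")
            or dns_domain_is(host, ".sub.domaine.com")
            or dns_domain_is(host, ".domain.net")
            or dns_domain_is(host, ".domain2.com")
            or is_in_net(host, "10.0.112.0", "255.255.255.0")
            or is_in_net(host, "10.1.112.0", "255.255.255.0")):
        if is_in_net(my_ip, "10.3.0.0", "255.255.0.0"):
            return "PROXY srv-proxy-01.site.dom:8090;PROXY srv-proxy-02.site.dom:8090"
        return "PROXY srv-proxy-01.site2.dom:8090;PROXY srv-proxy-02.site2.dom:8090"
    return "DIRECT"   # the rest of the real script is not on the page (assumption)


def parse_proxy_directive(directive: str) -> List[Tuple[str, int]]:
    """'PROXY a:8090;PROXY b:8090' -> [('a', 8090), ('b', 8090)], in order.

    DIRECT and SOCKS entries are skipped: PuTTY's HTTP proxy page needs an
    HTTP proxy host and port."""
    candidates = []
    for entry in directive.split(";"):
        kind, _, hostport = entry.strip().partition(" ")
        if kind.upper() != "PROXY" or ":" not in hostport:
            continue
        host, _, port = hostport.strip().rpartition(":")
        candidates.append((host, int(port)))
    return candidates


def proxy_candidates(host: str, my_ip: str) -> List[Tuple[str, int]]:
    """The (host, port) pairs to try in PuTTY, in the script's preference order."""
    return parse_proxy_directive(find_proxy_for_url(host, my_ip))


_PROXY_RE = re.compile(r"PROXY\s+([A-Za-z0-9.-]+):(\d+)")


def all_proxies_in_script(pac_text: str) -> List[Tuple[str, int]]:
    """Every distinct PROXY host:port mentioned anywhere in a PAC file, in order
    of first appearance: the list to try one by one when you cannot tell which
    branch of the script applies to your PC."""
    seen: List[Tuple[str, int]] = []
    for host, port in _PROXY_RE.findall(pac_text):
        if (host, int(port)) not in seen:
            seen.append((host, int(port)))
    return seen


if __name__ == "__main__":
    print(proxy_candidates("intranet.domain.com", "10.3.4.5"))  # assumed inputs
    print(all_proxies_in_script(PAC_EXCERPT))
```

all_proxies_in_script is the function to run on the whole saved script: it gives you the complete list of proxy host/port pairs to try in the PuTTY settings when you cannot tell which branch applies to you.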
In a command console (Windows key+R, type cmd), you can get your IP address with the following command:
ipconfig /all
which helps you work out which proxy settings the script computes for you.
Or, more directly, you can run (still in a console, after loading a web page in the browser so that a connection to the proxy is open)
netstat -a
and look for something that looks like a proxy...
The proxy name probably contains the word proxy, so:
netstat -a | find /i "proxy"
Once you have it (or you can try each URL and port from the script),
paste it into the proxy hostname and port fields.
The username is usually your NT domain\Windows account name.
You can get it by hitting CTRL+ALT+DEL: it is displayed in the window that appears (press Escape to return to where you were).
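What PuTTY does with these settings is an HTTP CONNECT request. The following is an added example (not from the original post, and not PuTTY's code) showing that exchange from both sides in Python: the client sends CONNECT with a Proxy-Authorization: Basic header and, after a 200 reply, the very same TCP stream carries the SSH banner. To stay offline it also starts a minimal stand-in proxy and a banner-only stand-in for the Linux box on 127.0.0.1. The credentials DOM\alice / s3cret, the host name linuxbox.example, the ephemeral ports, and the stand-in proxy's rule of only allowing ports 80 and 443 are assumptions.

```python
import base64
import socket
import threading

SSH_BANNER = b"SSH-2.0-OpenSSH_3.9p1\r\n"       # the banner quoted in the post
PROXY_USER, PROXY_PASS = "DOM\\alice", "s3cret"  # assumed credentials


def connect_via_proxy(proxy, target, user, password, timeout=5.0):
    """Open a TCP stream to target=(host, port) through the HTTP proxy at
    proxy=(host, port) using CONNECT + Basic auth; return the socket once the
    proxy answered 2xx. Bytes after the reply's blank line already belong to
    the target (the SSH banner). Any other status raises OSError(status)."""
    sock = socket.create_connection(proxy, timeout=timeout)
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    sock.sendall((f"CONNECT {target[0]}:{target[1]} HTTP/1.1\r\n"
                  f"Host: {target[0]}:{target[1]}\r\n"
                  f"Proxy-Authorization: Basic {creds}\r\n\r\n").encode())
    reply = b""
    while b"\r\n\r\n" not in reply:      # byte by byte: never over-read
        byte = sock.recv(1)
        if not byte:
            sock.close()
            raise OSError("proxy closed the connection before answering")
        reply += byte
    status = reply.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status.split()
    if len(parts) < 2 or not parts[1].startswith("2"):
        sock.close()
        raise OSError(status)
    return sock


# --- in-process stand-ins for the corporate proxy and the Linux box ---

def _serve_once(listener, handler):
    listener.settimeout(3)
    try:
        conn, _ = listener.accept()
    except socket.timeout:              # nobody came (the proxy refused)
        return
    with conn:
        conn.settimeout(3)
        handler(conn)


def _fake_ssh(conn):
    conn.sendall(SSH_BANNER)            # what "telnet yourBoxIp 443" shows


def _fake_proxy(conn, ssh_port):
    data = b""
    while b"\r\n\r\n" not in data:
        chunk = conn.recv(4096)
        if not chunk:
            return
        data += chunk
    headers = data.decode(errors="replace").split("\r\n")
    expected = base64.b64encode(f"{PROXY_USER}:{PROXY_PASS}".encode()).decode()
    if f"Proxy-Authorization: Basic {expected}" not in headers:
        conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                     b'Proxy-Authenticate: Basic realm="corp"\r\n\r\n')
        return
    if not headers[0].split()[1].endswith((":80", ":443")):   # policy from the post
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
        return
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    # A real proxy relays both directions to the requested host; this stand-in
    # just fetches the banner from the fake SSH server (assumption, offline).
    with socket.create_connection(("127.0.0.1", ssh_port), timeout=3) as up:
        conn.sendall(up.recv(1024))


def demo(user=PROXY_USER, password=PROXY_PASS, port=443):
    """Start the stand-ins on ephemeral ports, try the CONNECT, and return the
    SSH banner (bytes) on success or the proxy's status line (str)."""
    ssh_l, proxy_l = socket.socket(), socket.socket()
    for listener in (ssh_l, proxy_l):
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
    ssh_port = ssh_l.getsockname()[1]
    threads = [threading.Thread(target=_serve_once, args=(ssh_l, _fake_ssh)),
               threading.Thread(target=_serve_once,
                                args=(proxy_l, lambda c: _fake_proxy(c, ssh_port)))]
    for t in threads:
        t.daemon = True
        t.start()
    try:
        sock = connect_via_proxy(proxy_l.getsockname(), ("linuxbox.example", port),
                                 user, password)
    except OSError as err:
        result = str(err)
    else:
        with sock:
            result = sock.recv(64)
    for t in threads:
        t.join(5)
    ssh_l.close()
    proxy_l.close()
    return result


if __name__ == "__main__":
    print(demo())                   # b'SSH-2.0-OpenSSH_3.9p1\r\n'
    print(demo(password="wrong"))   # HTTP/1.1 407 Proxy Authentication Required
    print(demo(port=22))            # HTTP/1.1 403 Forbidden
```

Basic authentication is only base64 encoding, not encryption: the username and password cross the LAN in clear text with every CONNECT, and PuTTY has to send them the same way. That is also why a wrong password shows up as a 407 from the proxy rather than as an SSH error: the SSH server has not been reached yet.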
SSH compression

Enabling SSH compression will make the connection smoother...
SSH tunnels

SSH tunnels, one of the wonderful features of the SSH protocol.
In the source port, type 22; in the destination, 127.0.0.1:22.
This creates a tunnel that takes the TCP traffic arriving on port 22 of the local machine and delivers it to port 22 of 127.0.0.1 as seen from the remote end, i.e. your Linux box, all through the SSH connection (established on port 443 and forwarded to port 22).
This way you can browse files with a secure FTP program such as WinSCP or FileZilla, or with any text editor that supports SSH, such as UltraEdit.
You just need to point these programs at localhost:22,
not at yourLinuxBoxIp:443, because that path would not be kept alive by default by these programs, whereas the PuTTY session is.
Another useful tunnel is L3390->192.168.1.24:3389,
where 192.168.1.24 is a Windows computer with Remote Desktop enabled (Windows Key+Pause, Remote tab, Remote Desktop section) on your private network, reachable from your Linux box.
With this you can run the Microsoft Terminal Services Client: Windows Key+R, type mstsc, enter localhost:3390, and you'll be able to use your Windows computer, which is also up 24 hours a day ;o), and browse the web as if you were at home (a bit slowly though).
You can see why I wrote this post:
http://mansonthomas.blogspot.com/2008/01/remote-desktop-client-with-windows-2000.html
Save settings

Save all these settings.
If it doesn't work, try the other proxy settings from the proxy configuration script.
If it still doesn't work, it may be because your company uses the NTLM authentication protocol. That will be described in a next article.
Late update: http://blog.mansonthomas.com/2008/04/open-ssh-connection-through-proxy-with.html
Labels:
howto,
http proxy,
linux,
putty,
ssh
Thursday, 17 January 2008
Remote Desktop Client with Windows 2000
At one of my clients' offices, the computers run Windows 2000.
I needed to access a Windows 2003 server with an RDP client.
Windows 2000 does not have mstsc.exe installed, but the Windows XP one works well on Windows 2000.
The Terminal Services Client comes in two versions, 5.1 and 6. Version 6 needs a Genuine Advantage validation (I didn't try, but I don't think that validation is possible under Windows 2000); version 5.1, here:
http://www.microsoft.com/windowsxp/downloads/tools/rdclientdl.mspx
doesn't!
Run the installer, click Next until the end, then WindowsKey+R and type mstsc
et voilà!
Friday, 11 January 2008
Set up a secondary Domain Name Server with bind9 on a ubuntu linux
On my spare time, I manage the technical subjects of a small webagency i've created with a friend when I was in my second year of Engineer school. It's named 123monsite.com.
Tonight I dug into the secondary (slave) DNS server subject. Until now we used a DNS server from our registrar as DNS backup.
But as we grow we need more servers, and a secondary DNS of our own is becoming handy.
We've rented a Dedibox from the free.fr ISP (a server for 30€/month: VIA 2GHz, 2GB RAM, 160GB HDD, 5GB of monthly backup).
I chose Ubuntu Feisty Server (7.04) among all the OSes available (many Linux flavours and some Windows).
So here is how I set up my secondary domain name server on my Ubuntu server with bind9.
Let's say the primary name server is ns0.primarydomain.com (80.1.1.1).
The secondary will be ns1.primarydomain.com (80.2.2.2).
And the domain we want both servers to handle is myDomain.com (90.9.9.9).
Give your secondary server a domain name
In this setup, primarydomain.com itself is not served by your master DNS server (ns0.primarydomain.com) but by another DNS server (usually your registrar's), which is therefore where the name of the secondary has to be published.
So go to the registrar's web interface for primarydomain.com
and add a new A record like:
ns1 A 80.2.2.2
so that ns1.primarydomain.com points to 80.2.2.2
(replace the IP with the IP of your secondary server).
This change may take up to 48 hours depending on the gTLD (com/net/org) or ccTLD (fr/uk/de) of the domain. It can be very quick on ccTLDs and on the biz/info gTLDs.
Once that is done, make sure your server's reverse DNS is correct.
That is, the way to get a server's name from its IP. It's very important: without a reverse DNS entry, most mail servers will treat your server as a spam source (a server with an IP but no name is very suspicious).
Reverse DNS is managed by whoever owns the IP block, so ask your hosting provider (not your domain registrar) how to set it.
I'm currently trying to achieve that; a zone check still gives me a warning about no reverse DNS for the slave DNS server.
Slave server : Update the server & install Bind9
Server update (I don't know why, but sudo is not enough; I need to switch to root for this):
sudo su -
apt-get update; apt-get upgrade; exit
bind9 install:
sudo apt-get install bind9
Ensure that both servers are reachable on port 53 tcp & udp
For your secondary server to replicate the myDomain.com zone, and for clients who want the IP of myDomain.com to reach it, port 53 must be open for both TCP and UDP (queries normally use UDP; zone transfers and large answers use TCP).
To check, you can use nmap (from a machine that is not behind a firewall restricting outgoing traffic):
sudo nmap -sU -O -p 53 ns0.primarydomain.com; sudo nmap -sU -O -p 53 ns1.primarydomain.com;
It should display something like this (note that -sU probes UDP only; add -sS to probe TCP 53 as well, and -O is not needed for this check):
root@ns1:/usr/local/bin# nmap -sU -O -p 53 ns0.primarydomain.com
Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-31 00:43 CET
Interesting ports on ns0.primarydomain.com (XX.YY.ZZ.WW):
PORT STATE SERVICE
53/udp open|filtered domain
Too many fingerprints match this host to give specific OS details
OS detection performed. Please report any incorrect results at http://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 3.92 seconds
53/udp is reported open|filtered, which means nmap got no answer: the port is either open or silently filtered. A positive confirmation is to send each server a real query for myDomain.com.
Edit your slave /etc/bind/named.conf
Edit the secondary server's /etc/bind/named.conf and add at the end of the file:
zone "myDomain.com" {
type slave;
file "myDomain.com.backup";
masters { 80.1.1.1; };
};
- type slave; indicates it's a secondary (slave) server
- file "myDomain.com.backup"; indicates where the replicated zone is stored on the file system. The path is relative to the directory option in named.conf.options, which on Ubuntu is /var/cache/bind, so the file would be /var/cache/bind/myDomain.com.backup
- masters { ip; }; indicates the IP of the master server
On the master server : Restrict the domain replication to your secondary DNS server and edit your myDomain.com zone file
You may restrict which IPs are allowed to replicate your zones from the master server. Older BIND 9 releases allow zone transfers from anyone by default, which hands your complete zone to anybody who asks for it, so this is worth doing.
On your master server, on each zone you can add:
zone "myDomain.com" {
type master;
file "masters/myDomain.com";
allow-transfer {
127.0.0.1; // localhost
80.2.2.2;  // my secondary DNS
80.4.4.4;  // registrar's secondary DNS
};
};
If you used one of your registrar's DNS servers as a backup, add its IP to the list too, so you have two backup servers.
Now you need to add ns1.primarydomain.com as a valid secondary name server.
So edit your zone file on the master server (mine are in /etc/masters/myDomain.com)
and update your serial number with the current date, year first, followed by the number of the update of the day on two digits, e.g.:
2008011101
$TTL 86400
@   IN SOA ns0.primarydomain.com. postmaster.primarydomain.com. (
        2008011101 ; serial number
        7200       ; 21600 refresh
        900        ; 3600 retry
        3600000    ; expire
        86400 )    ; minimum
; name servers
; ----------------
    IN NS ns0.primarydomain.com.
    IN NS ns1.primarydomain.com.
    IN NS ns.registardomain.com.
Don't forget the ending dot on each domain!!
The dot makes the name absolute (relative to the root) instead of relative to the zone's origin.
If you forget the ending dot on ns1.primarydomain.com, named will append the zone origin and use:
ns1.primarydomain.com.myDomain.com
instead of
ns1.primarydomain.com
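Two checks for the two steps above, as an added example (my code, not from the original post, and not a BIND tool): next_serial computes the YYYYMMDDnn serial described above without ever letting it go backwards, and missing_trailing_dots scans a zone file for NS, CNAME, MX, PTR and SOA targets that contain dots but lack the final one. SAMPLE_ZONE is constructed for the example, with two deliberate mistakes, and is not the author's zone file.

```python
import datetime
import re
from typing import List, Optional, Union


def next_serial(current: int, today: Union[None, str, datetime.date] = None) -> int:
    """Next YYYYMMDDnn serial for a zone whose current serial is `current`.

    Same day: nn goes up by one. New day: restart at 01. If the current serial
    is already ahead of today (someone used a bigger number, or the clock was
    wrong) just add one: slaves only re-transfer when the serial increases, so
    dropping back to today's date would be ignored by them.
    `today` may be a date, an ISO string ("2008-01-11") or None for now."""
    if today is None:
        today = datetime.date.today()
    elif isinstance(today, str):
        today = datetime.date.fromisoformat(today)
    base = int(today.strftime("%Y%m%d")) * 100
    if current >= base:          # already bumped today, or ahead of today
        return current + 1
    return base + 1


# Owner, optional TTL, optional class, then a type whose rdata holds a name.
_NAME_RECORD = re.compile(
    r"^(?P<owner>\S*)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>NS|CNAME|MX|PTR|SOA)\s+(?P<rdata>.+)$"
)


def missing_trailing_dots(zone_text: str) -> List[str]:
    """Names in NS/CNAME/MX/PTR/SOA rdata that contain dots but lack the final one.

    Such a name is relative to the zone origin, so 'ns1.primarydomain.com' in
    the myDomain.com zone silently becomes ns1.primarydomain.com.myDomain.com.
    Dotless names (e.g. 'ns1' for a host inside the zone) are deliberately
    relative and are not reported."""
    bad: List[str] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        match = _NAME_RECORD.match(line)
        if not match:
            continue
        for token in match.group("rdata").replace("(", " ").split():
            if token.isdigit() or token == "@":   # MX preference, SOA timers
                continue
            if "." in token and not token.endswith("."):
                bad.append(token)
    return bad


# Constructed sample zone, not the author's file: two deliberate mistakes.
SAMPLE_ZONE = """\
$TTL 86400
@   IN SOA ns0.primarydomain.com. postmaster.primarydomain.com. (
        2008011101 ; serial
        7200 900 3600000 86400 )
    IN NS ns0.primarydomain.com.
    IN NS ns1.primarydomain.com      ; missing dot
www IN CNAME myhost.myDomain.com     ; missing dot
"""

if __name__ == "__main__":
    print(missing_trailing_dots(SAMPLE_ZONE))
    print(next_serial(2008011101, "2008-01-11"))
```

Run missing_trailing_dots on the master's zone file before named-checkzone: named-checkzone accepts a relative name happily, because it is syntactically valid, so only a check like this one catches the mistake before the slaves pick it up.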
Before reloading named, check the named.conf and the myDomain.com zone syntax:
named-checkconf /etc/bind/named.conf
named-checkzone myDomain.com /etc/masters/myDomain.com
zone myDomain.com/IN: loaded serial 2008011202
OK
named-checkconf should run silently (if everything is OK nothing is printed; otherwise there's a problem), and named-checkzone should end with OK.
Reload named on both server
/etc/init.d/bind9 reload
Now /var/cache/bind/myDomain.com.backup should have the same content as your zone file on the master server,
and in your log file you should see this:
tail -f /var/log/syslog
...
Jan 13 06:13:29 sd-3393 named[3885]: loading configuration from '/etc/bind/named.conf'
Jan 13 06:13:29 sd-3393 named[3885]: no IPv6 interfaces found
Jan 13 06:13:29 sd-3393 named[3885]: zone myDomain.com/IN: Transfer started.
Jan 13 06:13:29 sd-3393 named[3885]: transfer of 'myDomain.com/IN' from 80.1.1.1#53: connected using 80.2.2.2#48850
Jan 13 06:13:29 sd-3393 named[3885]: zone myDomain.com/IN: transferred serial 2008011201
Jan 13 06:13:29 sd-3393 named[3885]: transfer of 'myDomain.com/IN' from 80.1.1.1#53: end of transfer
Jan 13 06:13:29 sd-3393 named[3885]: zone myDomain.com/IN: sending notifies (serial 2008011201)
Now the zone is replicated.
But whenever you restart named on the slave, it sends a NOTIFY for the zone to every name server listed in its NS records, which includes itself.
The problem is that the slave only accepts notifies from its masters, so it refuses its own.
If you run service bind9 restart (or /etc/init.d/bind9 restart) you'll get this in /var/log/syslog:
Jan 18 03:55:57 sd-3393 named[21952]: shutting down: flushing changes
Jan 18 03:55:57 sd-3393 named[21952]: stopping command channel on 127.0.0.1#953
Jan 18 03:55:57 sd-3393 named[21952]: no longer listening on 80.2.2.2#53
Jan 18 03:55:57 sd-3393 named[21952]: no longer listening on 127.0.0.1#53
Jan 18 03:55:57 sd-3393 named[21952]: exiting
Jan 18 03:56:00 sd-3393 named[22062]: starting BIND 9.3.4 -u bind
Jan 18 03:56:00 sd-3393 named[22062]: found 1 CPU, using 1 worker thread
Jan 18 03:56:00 sd-3393 named[22062]: loading configuration from '/etc/bind/named.conf'
Jan 18 03:56:00 sd-3393 named[22062]: no IPv6 interfaces found
Jan 18 03:56:00 sd-3393 named[22062]: listening on IPv4 interface eth0, 80.2.2.2#53
Jan 18 03:56:00 sd-3393 named[22062]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 18 03:56:00 sd-3393 named[22062]: command channel listening on 127.0.0.1#953
Jan 18 03:56:00 sd-3393 named[22062]: zone 0.in-addr.arpa/IN: loaded serial 1
Jan 18 03:56:00 sd-3393 named[22062]: zone 127.in-addr.arpa/IN: loaded serial 1
Jan 18 03:56:00 sd-3393 named[22062]: zone 255.in-addr.arpa/IN: loaded serial 1
Jan 18 03:56:00 sd-3393 named[22062]: zone myDomain.com/IN: loaded serial 2008011203
Jan 18 03:56:00 sd-3393 named[22062]: zone localhost/IN: loaded serial 1
Jan 18 03:56:00 sd-3393 named[22062]: running
Jan 18 03:56:00 sd-3393 named[22062]: zone myDomain.com/IN: sending notifies (serial 2008011203)
Jan 18 03:56:00 sd-3393 named[22062]: client 80.2.2.2#33392: received notify for zone 'myDomain.com'
Jan 18 03:56:00 sd-3393 named[22062]: zone myDomain.com/IN: refused notify from non-master: 80.2.2.2#33392
To correct this, edit your /etc/bind/named.conf.options and add the following before the closing };
allow-notify { 80.2.2.2; };
Don't forget to replace the IP with your slave server's IP. (This only silences the "refused notify" line; the master, 80.1.1.1, is always allowed to notify the slave, with or without this option.)
Now restart named and you should see the following :
Jan 18 03:57:03 sd-3393 named[22062]: shutting down: flushing changes
Jan 18 03:57:03 sd-3393 named[22062]: stopping command channel on 127.0.0.1#953
Jan 18 03:57:03 sd-3393 named[22062]: no longer listening on 80.2.2.2#53
Jan 18 03:57:03 sd-3393 named[22062]: no longer listening on 127.0.0.1#53
Jan 18 03:57:03 sd-3393 named[22062]: exiting
Jan 18 03:57:06 sd-3393 named[22117]: starting BIND 9.3.4 -u bind
Jan 18 03:57:06 sd-3393 named[22117]: found 1 CPU, using 1 worker thread
Jan 18 03:57:06 sd-3393 named[22117]: loading configuration from '/etc/bind/named.conf'
Jan 18 03:57:06 sd-3393 named[22117]: no IPv6 interfaces found
Jan 18 03:57:06 sd-3393 named[22117]: listening on IPv4 interface eth0, 80.2.2.2#53
Jan 18 03:57:06 sd-3393 named[22117]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 18 03:57:06 sd-3393 named[22117]: command channel listening on 127.0.0.1#953
Jan 18 03:57:06 sd-3393 named[22117]: zone 0.in-addr.arpa/IN: loaded serial 1
Jan 18 03:57:06 sd-3393 named[22117]: zone 127.in-addr.arpa/IN: loaded serial 1
Jan 18 03:57:06 sd-3393 named[22117]: zone 255.in-addr.arpa/IN: loaded serial 1
Jan 18 03:57:06 sd-3393 named[22117]: zone myDomain.com/IN: loaded serial 2008011203
Jan 18 03:57:06 sd-3393 named[22117]: zone localhost/IN: loaded serial 1
Jan 18 03:57:06 sd-3393 named[22117]: running
Jan 18 03:57:06 sd-3393 named[22117]: zone myDomain.com/IN: sending notifies (serial 2008011203)
Jan 18 03:57:08 sd-3393 named[22117]: client 80.2.2.2#33392: received notify for zone 'myDomain.com'
Jan 18 03:57:08 sd-3393 named[22117]: zone myDomain.com/IN: notify from 80.2.2.2#33392: zone is up to date
Now let's say you have a second domain, mySecondDomain.com, handled by your master DNS server.
If you add
IN NS ns2.primarydomain.com.
to the mySecondDomain.com zone file on the master server without having updated named.conf on the slave DNS server,
you'll get the following message in /var/log/syslog on the slave:
Jan 18 04:43:59 sd-3393 named[22117]: client 80.1.1.1#49917: received notify for zone 'mySecondDomain.com': not authoritative
It says you're not authoritative because the zone mySecondDomain.com is not yet configured in the slave's named.conf.
Add it exactly like the first domain, reload, and it's done.
If you manage lots of domains (like I do, 153 domains as of today!) with your master DNS server, you may find messages like this in the SLAVE's /var/log/syslog:
Jan 18 05:06:48 sd-3393 named[22117]: zone myDomainXXXX.com/IN: zone transfer deferred due to quota
Don't panic: it just says that the transfer of this zone is delayed because the slave transfers only 10 zones (the quota) at a time.
The transfer will be retried later; check further down the log file and you'll see it.
Problems
On my first try, I tried with primarydomain.com, which is the domain of the master DNS server (which is silly if you think twice about it ;o).
I got the following message:
zone primaryDomain.com/IN: refresh: non-authoritative answer from master 80.1.1.1#53 (source 0.0.0.0#0)
Which is correct: primaryDomain.com is handled by the registrar's DNS, so the master is not authoritative for it and the slave cannot transfer it from there. The authoritative server for primaryDomain.com is the registrar's DNS server.
So I tried with another domain my primary DNS server handles (myDomain.com) and it works.
I've read that this error often occurs when:
- you're editing the wrong named.conf file. Try running 'sudo service bind9 stop; sudo named -g': the third line of output shows the configuration file in use
- you're running two copies of named (ps -edf | grep named)
- the zone file on the master server has a problem; check the zone syntax with named-checkzone as shown above
Documentation :