Saturday, December 29, 2012
Friday, December 28, 2012
ufw - Uncomplicated Firewall
The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.
The kernel's packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables. When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall if you're familiar with it, but many frontends are available to simplify the task.
The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall.
ufw is disabled by default. From the ufw man page:
"ufw is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules. It is currently mainly used for host-based firewalls."
The following are some examples of how to use ufw:
First, ufw needs to be enabled. From a terminal prompt enter:
sudo ufw enable
To open a port (ssh in this example):
sudo ufw allow 22
Rules can also be added using a numbered format:
sudo ufw insert 1 allow 80
Similarly, to close an opened port:
sudo ufw deny 22
To remove a rule, use delete followed by the rule:
sudo ufw delete deny 22
It is also possible to allow access from specific hosts or networks to a port. The following example allows ssh access from host 192.168.0.2 to any IP address on this host:
sudo ufw allow proto tcp from 192.168.0.2 to any port 22
Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire subnet.
Adding the --dry-run option to a ufw command will output the resulting rules, but not apply them. For example, the following is what would be applied if opening the HTTP port:
sudo ufw --dry-run allow http
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
### END RULES ###
-A ufw-user-input -j RETURN
-A ufw-user-output -j RETURN
-A ufw-user-forward -j RETURN
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
COMMIT
Rules updated
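As an added example (not part of the original post), here is a small Python parser for the --dry-run output above, so the rules a ufw command would add can be checked before it is run for real. The sample output is a constructed, abridged copy of the listing embedded in the script, and the tuple field order (action proto dport dst sport src) is my reading of the sample line rather than anything stated on this page.

```python
import re

# Constructed sample: an abridged copy of the `sudo ufw --dry-run allow http`
# output shown above, embedded so the parser runs offline.
DRY_RUN_OUTPUT = """\
*filter
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
### RULES ###
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
### END RULES ###
-A ufw-user-input -j RETURN
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: "
COMMIT
Rules updated
"""

# A "### tuple ###" line is ufw's own summary of the rule; the field order
# (action proto dport dst sport src) is my reading of the sample, an assumption.
TUPLE_RE = re.compile(r"^### tuple ### (\S+) (\S+) (\S+) (\S+) (\S+) (\S+)")
RULE_RE = re.compile(r"^-A (\S+) (.*?)\s*-j (\S+)")
TUPLE_KEYS = ("action", "proto", "dport", "dst", "sport", "src")

def parse_dry_run(text):
    """Return (tuples, rules) for the block between ### RULES ### and ### END RULES ###,
    i.e. only the rules the ufw command would add, not the fixed chain plumbing."""
    tuples, rules, in_rules = [], [], False
    for line in text.splitlines():
        if line == "### RULES ###":
            in_rules = True
        elif line == "### END RULES ###":
            in_rules = False
        elif in_rules and (m := TUPLE_RE.match(line)):
            tuples.append(dict(zip(TUPLE_KEYS, m.groups())))
        elif in_rules and (m := RULE_RE.match(line)):
            chain, match, target = m.groups()
            rules.append({"chain": chain, "match": match, "target": target})
    return tuples, rules

def accepts_port(text, port, proto="tcp"):
    """True if the dry run would add an ACCEPT for proto/port on inbound traffic."""
    _, rules = parse_dry_run(text)
    want = f"-p {proto} --dport {port}"
    return any(r["chain"] == "ufw-user-input" and r["target"] == "ACCEPT"
               and r["match"] == want for r in rules)
```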
ufw can be disabled by:
sudo ufw disable
To see the firewall status, enter:
sudo ufw status
And for more verbose status information use:
sudo ufw status verbose
To view the numbered format:
sudo ufw status numbered
Labels: firewall, linux, ubuntu, ubuntu 12.04
AT-Commands
In this tutorial I will walk through the steps of sending and receiving text messages (SMS) from your Ubuntu laptop using a package called minicom. We also need a modem which dials into the telco provider; for this I use a USB Wifi modem.
First, connect the USB Wifi modem to a USB port of your laptop or PC and fire up minicom. If it is not installed, you can install it by typing:
# apt-get install minicom
To launch minicom, type:
root@ubuntu:~/script# minicom -m
Welcome to minicom 2.3
OPTIONS: I18n
Port /dev/ttyUSB1
Press ESC,Z for help on special keys
AT S7=45 S0=0 L1 V1 X4 &c1 E1 Q0
OK
You will get an OK prompt, which means that minicom recognizes the USB Wifi modem. You can configure the device at the OK prompt using a combination of keys: press Ctrl and A together and release, then press Z for the menu. In the menu, press O to configure minicom.
One of the important settings is the serial port. In my case it is set to /dev/ttyUSB1. If you need to connect to the console of a Cisco router, you can try /dev/ttyS0. To change it, press Ctrl and A together and release, then press Z for the menu. In the menu, press O to configure minicom and select Serial Port setup.
Set the Bps to 115200 8N1.
Now let's send an SMS to your own mobile phone. At the OK prompt in minicom type:
Send a message to your handphone
at+cmgf=1
OK
at+cmgw="some_mobile_number"
For example,
at+cmgw="12345678"
> its fun
>
Press Ctrl+Z when you finish typing your message. In my case I don't need to type the country code +91.
+CMGW: 1
OK
at+cmss=1
+CMSS: 0
OK
My handphone received the SMS.
To read the SMS,
at+cmgl="all"
+CMGL: 1,"STO SENT","mobilenumber",,
its fun
+CMGL: 0,"STO UNSENT","+mobilenumber",,
hello !!
OK
at+cmgr=0
+CMGR: "STO UNSENT","+mobilenumber",
hello !!
OK
Making calls from Modem to Mobile Phone
ATDmobilenumber;
Reading messages on your Wifi Modem SIM Card
Read all the messages
at+cmgl="all"
+CMGL: 0,"REC READ","+91mobilenumber",,"10/06/20,19:43:29+32"
It works!
+CMGL: 1,"REC UNREAD","+91mobilenumber",,"10/06/21,19:03:10+32"
chill
The latest SMS is unread.
Read the SMS:
at+cmgr=1
+CMGR: "REC READ","+91mobilenumber",,"10/06/21,19:03:10+32"
chill
OK
Now the status is read:
at+cmgl="all"
+CMGL: 0,"REC READ","+91mobilenumber",,"10/06/20,19:43:29+32"
It works!
+CMGL: 1,"REC READ","+91mobilenumber",,"10/06/21,19:03:10+32"
chill
OK
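Added example, not from the original post: a Python parser for the text-mode +CMGL listing format shown above (status, number, timestamp and body per entry), plus the byte sequence minicom sends for at+cmgw, where pressing Ctrl+Z terminates the body with 0x1A. The sample reply is constructed with placeholder numbers.

```python
import re

# Constructed sample: a text-mode (AT+CMGF=1) reply to AT+CMGL="ALL" in the shape
# of the listings above, with placeholder numbers. Each header line is followed by
# the message body; a stored (STO) entry carries no timestamp field.
CMGL_REPLY = (
    '+CMGL: 0,"REC READ","+91MOBILENUMBER",,"10/06/20,19:43:29+32"\r\n'
    'It works!\r\n'
    '+CMGL: 1,"REC UNREAD","+91MOBILENUMBER",,"10/06/21,19:03:10+32"\r\n'
    'chill\r\n'
    '+CMGL: 2,"STO UNSENT","+91MOBILENUMBER",,\r\n'
    'hello !!\r\n'
    'OK\r\n'
)

# +CMGL: <index>,"<status>","<number>",[<alpha>],[<timestamp>]
HEADER_RE = re.compile(r'^\+CMGL: (\d+),"([^"]*)","([^"]*)",(?:"[^"]*")?,(?:"([^"]*)")?$')

def parse_cmgl(reply):
    """Parse a text-mode +CMGL listing into message dicts; stops at the final OK/ERROR."""
    messages, current = [], None
    for line in reply.splitlines():
        if not line:                # modems pad replies with empty lines; ignore them
            continue
        m = HEADER_RE.match(line)
        if m:
            idx, status, number, stamp = m.groups()
            current = {"index": int(idx), "status": status, "number": number,
                       "timestamp": stamp, "text": ""}
            messages.append(current)
        elif line == "OK" or line.startswith("ERROR") or line.startswith("+CMS ERROR"):
            break
        elif current is not None:   # body line(s) belonging to the last header
            current["text"] = line if not current["text"] else current["text"] + "\n" + line
    return messages

def unread(messages):
    """Messages the SIM still reports as REC UNREAD (never read with AT+CMGR)."""
    return [m for m in messages if m["status"] == "REC UNREAD"]

def encode_cmgw(number, text):
    """Bytes for storing a message with AT+CMGW in text mode: the command line, then
    the body terminated by Ctrl-Z (0x1A), which is what minicom sends for Ctrl+Z."""
    if "\x1a" in text or "\x1b" in text:    # Ctrl-Z ends the body, ESC aborts it
        raise ValueError("control characters are not allowed in the message body")
    return f'AT+CMGW="{number}"\r'.encode("ascii") + text.encode("ascii") + b"\x1a"
```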
Labels: linux, minicom, modem, ubuntu, ubuntu 12.04
AppArmor
AppArmor is a Linux Security Module implementation of name-based mandatory access controls. AppArmor confines individual programs to a set of listed files and POSIX 1003.1e draft capabilities.
AppArmor is installed and loaded by default. It uses profiles of an application to determine what files and permissions the application requires. Some packages will install their own profiles, and additional profiles can be found in the apparmor-profiles package.
To install the apparmor-profiles package from a terminal prompt:
sudo apt-get install apparmor-profiles
AppArmor profiles have two modes of execution:
- Complaining/Learning: profile violations are permitted and logged. Useful for testing and developing new profiles.
- Enforced/Confined: enforces profile policy as well as logging the violation.
Using AppArmor
The apparmor-utils package contains command line utilities that you can use to change the AppArmor execution mode, find the status of a profile, create new profiles, etc.
- apparmor_status is used to view the current status of AppArmor profiles.
sudo apparmor_status
- aa-complain places a profile into complain mode.
sudo aa-complain /path/to/bin
- aa-enforce places a profile into enforce mode.
sudo aa-enforce /path/to/bin
- The /etc/apparmor.d directory is where the AppArmor profiles are located. It can be used to manipulate the mode of all profiles. Enter the following to place all profiles into complain mode:
sudo aa-complain /etc/apparmor.d/*
To place all profiles in enforce mode:
sudo aa-enforce /etc/apparmor.d/*
- apparmor_parser is used to load a profile into the kernel. It can also be used to reload a currently loaded profile using the -r option. To load a profile:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
To reload a profile:
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -r
- service apparmor can be used to reload all profiles:
sudo service apparmor reload
- The /etc/apparmor.d/disable directory can be used along with the apparmor_parser -R option to disable a profile.
sudo ln -s /etc/apparmor.d/profile.name /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/profile.name
To re-enable a disabled profile, remove the symbolic link to the profile in /etc/apparmor.d/disable/. Then load the profile using the -a option:
sudo rm /etc/apparmor.d/disable/profile.name
cat /etc/apparmor.d/profile.name | sudo apparmor_parser -a
- AppArmor can be disabled, and the kernel module unloaded by entering the following:
sudo service apparmor stop
sudo update-rc.d -f apparmor remove
- To re-enable AppArmor enter:
sudo service apparmor start
sudo update-rc.d apparmor defaults
Profiles
AppArmor profiles are simple text files located in /etc/apparmor.d/. The files are named after the full path to the executable they profile, replacing the "/" with ".". For example, /etc/apparmor.d/bin.ping is the AppArmor profile for the /bin/ping command.
There are two main types of rules used in profiles:
- Path entries: detail which files an application can access in the file system.
- Capability entries: determine what privileges a confined process is allowed to use.
As an example take a look at /etc/apparmor.d/bin.ping:
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,

  /bin/ping mixr,
  /etc/modules.conf r,
}
- #include <tunables/global>: include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file.
- /bin/ping flags=(complain): path to the profiled program, also setting the mode to complain.
- capability net_raw,: allows the application access to the CAP_NET_RAW POSIX.1e capability.
- /bin/ping mixr,: allows the application read and execute access to the file.
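Added example (not from the Ubuntu documentation or the apparmor-profiles package): a Python parser for the profile syntax shown above that pulls out the flags, includes, capabilities, network rules and per-path permission letters, so a script can tell whether a profile is still in complain mode or which paths a program may execute. The profile text is embedded as a constructed copy of the listing; the permission letters are kept as a plain set, which ignores that the letter before x (here i) qualifies the execute mode.

```python
import re

# Constructed sample: the /bin/ping profile quoted above, reproduced here so the
# parser runs without reading /etc/apparmor.d.
PING_PROFILE = """\
#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>
  capability net_raw,
  capability setuid,
  network inet raw,
  /bin/ping mixr,
  /etc/modules.conf r,
}
"""
HEADER_RE = re.compile(r"^(\S+)(?: flags=\(([^)]*)\))? \{$")   # "<program> [flags=(a,b)] {"

def parse_profile(text):
    """Return program, flags, includes, capabilities, network rules and path -> perm letters."""
    prof = {"program": None, "flags": [], "includes": [], "capabilities": [],
            "network": [], "paths": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#include"):
            prof["includes"].append(line.split(None, 1)[1])
        elif not line or line.startswith("#"):      # blank line or comment
            continue
        elif (m := HEADER_RE.match(line)):
            prof["program"] = m.group(1)
            prof["flags"] = m.group(2).split(",") if m.group(2) else []
        elif line == "}":
            break
        elif line.endswith(","):
            body = line[:-1]
            if body.startswith("capability "):
                prof["capabilities"].append(body.split()[1])
            elif body.startswith("network "):
                prof["network"].append(body.split()[1:])
            else:                                   # path rule: "<path> <perms>"
                path, perms = body.rsplit(None, 1)
                prof["paths"][path] = set(perms)
    return prof

def is_enforced(prof):          # no complain flag means the policy is enforced once loaded
    return "complain" not in prof["flags"]

def can_execute(prof, path):    # any execute mode letter x (qualified by the letter before it)
    return "x" in prof["paths"].get(path, set())
```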