Dynamic DNS

Hi Folks!

It has been a long time; I have not posted anything since December. I had a lot on my plate: I was busy maintaining and upgrading the company servers. During that time I learned many things that I would like to share with you. In this post I will introduce dynamic DNS, which saves you the hassle of your ISP persistently changing your router's IP.

What is Dynamic DNS?

Dynamic DNS (DDNS) is a service that maps Internet domain names to IP addresses. It is similar to the Internet Domain Name Service (DNS), with some differences.

Unlike DNS, which maps a domain name to a static IP and a static IP to a domain name, Dynamic DNS maps your domain name to your dynamic IP. That way, even when your IP changes, you can still reach your home router by the domain name you chose, and through it your IP camera or IoT devices. But unlike DNS, which you configure only once per domain name, DDNS has to be informed every time the IP changes. Don't be afraid, though. :)

There are many Dynamic DNS services on the Internet, commercial and free. In this post I will introduce the free dynamic DNS service I am currently using: Duck DNS. You can sign up with your Google, Twitter, Facebook or Reddit account. After you log in, DuckDNS creates a token for you. You will update your new IP with this token, so keep it secret. (Figure-1)

Figure-1

Also type the domain name you chose into the box labelled domain. (Figure-2)

Figure-2

Almost done. We have just a couple of things left to do. As I mentioned before, we have to feed the dynamic DNS service with the new IP each time the IP changes.

To do so, I wrote a shell script that polls every 5 minutes to check whether the IP has changed. For more information you can visit https://www.duckdns.org/install.jsp

You can tweak the shell script for your own purposes. (If you use this script, do not forget to replace XYXY, xxxxxxxx-yyyy-xxxx-yyyy-zzzzzzzzzzzz and the mail addresses with yours!)

Edited: To execute the script below every 5 minutes, we need to add it to a crontab (crontab -e). Use the script's absolute path, because cron runs with a minimal PATH.

*/5 * * * *  $HOME/duckdns/ipchecker.sh

ipchecker.sh script

#!/bin/bash
# ipchecker.sh: poll the public IP; when it changes, record it, mail a notice
# and push the change to DuckDNS. Replace XYXY, the token and the mail address
# with your own. Create the work directory first: mkdir ~/duckdns
# This file holds the token, so keep it readable only by you: chmod 600 ipchecker.sh
dir=~/duckdns
newip=$(curl -s ifconfig.co)
oldip=$(head -n 1 "$dir/ip.txt" 2>/dev/null)

echo "old:$oldip"
echo "new:$newip"

if [ "$oldip" != "$newip" ] ; then
        echo "$newip" > "$dir/ip.txt"
        /usr/bin/mail -s "oldIP:$oldip/NewIP:$newip" admin@manintheit.org < "$dir/ip.txt"
        # no -k here: certificate checking stays on, the token must only be sent to the real duckdns.org
        echo url="https://www.duckdns.org/update?domains=XYXY&token=xxxxxxxx-yyyy-xxxx-yyyy-zzzzzzzzzzzz&ip=" | curl -s -o "$dir/duck.log" -K -
        res=$?
        if [ "$res" -eq 0 ] ; then
                /usr/bin/dig XYXY.duckdns.org +short | /usr/bin/mail -s "DuckDNS IP changed" admin@manintheit.org
        else
                echo "curl exit code $res" | /usr/bin/mail -s "DuckDNS Error!" admin@manintheit.org
        fi
fi

Figure-3 ipchecker.sh
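As an added example, not the script above and not DuckDNS's own code, here is a POSIX sh version of the same update cycle with the checks a practitioner would want: the detected public IP is validated before it is used, the token is read from a separate file (assumed to be ~/duckdns/token, mode 0600) instead of living inside the script, certificate verification stays on, and the DuckDNS reply body is checked, because the service answers with the text OK or KO while curl exits 0 in both cases. The DUCKDNS_DOMAIN and DUCKDNS_DIR names are my assumptions.

```shell
#!/bin/sh
# Added example: hardened DuckDNS updater (not the page's ipchecker.sh).
# Assumed layout: $DUCKDNS_DIR/token (one line, mode 0600) and $DUCKDNS_DIR/ip.txt.
DUCKDNS_DOMAIN="${DUCKDNS_DOMAIN:-XYXY}"        # your subdomain, without .duckdns.org
DUCKDNS_DIR="${DUCKDNS_DIR:-$HOME/duckdns}"

# Return 0 only for a dotted quad whose four octets are all in 0-255.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# DuckDNS answers the update URL with the bare text OK or KO (KO = bad token or domain).
duckdns_response_ok() {
  [ "$(printf '%s' "$1" | tr -d '\r\n')" = "OK" ]
}

# $1 = IP just detected, $2 = IP recorded after the last successful update.
# 0 = update needed, 1 = unchanged, 2 = detected value is not an IPv4 address (never submit it).
update_needed() {
  valid_ipv4 "$1" || return 2
  [ "$1" != "$2" ]
}

# Push $1 to DuckDNS. No -k: the token only ever travels to the genuine duckdns.org.
push_to_duckdns() {
  token=$(cat "$DUCKDNS_DIR/token") || return 1
  body=$(curl -sS --fail \
    "https://www.duckdns.org/update?domains=${DUCKDNS_DOMAIN}&token=${token}&ip=$1") || return 1
  duckdns_response_ok "$body"
}

# One full cycle, meant to be run from cron every 5 minutes. -4 forces an IPv4 answer.
run_update() {
  newip=$(curl -4 -sS --fail https://ifconfig.co) || return 1
  oldip=$(cat "$DUCKDNS_DIR/ip.txt" 2>/dev/null)
  update_needed "$newip" "$oldip" && rc=0 || rc=$?
  case $rc in
    1) return 0 ;;                                             # nothing to do
    2) echo "not an IPv4 address: $newip" >&2; return 1 ;;
  esac
  push_to_duckdns "$newip" || { echo "DuckDNS update failed" >&2; return 1; }
  printf '%s\n' "$newip" > "$DUCKDNS_DIR/ip.txt"
  echo "updated $DUCKDNS_DOMAIN.duckdns.org to $newip"
}
```

Source the file and call run_update from the crontab entry. ip.txt is only rewritten after DuckDNS has confirmed the update, so a transient failure is retried on the next run instead of being silently recorded as done.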

 

 

Measuring a Temperature with DS18B20

The DS18B20 is a digital temperature sensor that measures temperatures from -55°C to +125°C. It uses the 1-Wire communication protocol: a single data pin is used for both sending and receiving data. For more information, see the DS18B20 datasheet.

In this post I will use a Raspberry Pi 3 as the microcontroller. For the data pin I chose GPIO26. Before using this pin for 1-Wire, we need to enable 1-Wire communication. You can do it with raspi-config, or by adding the lines below to the end of /boot/config.txt and rebooting your Raspberry Pi.

#/boot/config.txt
dtoverlay=w1-gpio,gpiopin=26

After the reboot, we should check whether the device is connected properly. The output below shows that the configuration looks good; 28-0000010edf01 is my device.

Each DS18B20 contains a unique 64-bit ROM code. The first 8 bits are a 1-Wire family code (28h for the DS18B20). The next 48 bits are a unique serial number. The last 8 bits are a CRC of the first 56 bits.

pi@raspberrypi:~ $ ls -l /sys/bus/w1/devices/28-0000010edf01
lrwxrwxrwx 1 root root 0 Dec 25 08:02 /sys/bus/w1/devices/28-0000010edf01 -> ../../../devices/w1_bus_master1/28-0000010edf01
pi@raspberrypi:~ $ cat /sys/bus/w1/devices/28-0000010edf01/driver/28-0000010edf01/w1_slave

5c 01 4b 46 7f ff 04 10 a1 : crc=a1 YES
5c 01 4b 46 7f ff 04 10 a1 t=21750

As you can see in the output above, t is the temperature, but we need a small calculation to convert it to Celsius: the value is in thousandths of a degree.

t = 21750 / 1000 = 21.750°C

tail -n +2 /sys/bus/w1/devices/28-0000010edf01/w1_slave | cut -f 2 -d '=' | awk '{ print $1 / 1000 }'

#!/bin/bash
# Print the temperature in Celsius every 2 seconds, skipping reads whose CRC check failed.
dev=/sys/bus/w1/devices/28-0000010edf01/w1_slave
while true
        do
                raw=$(cat "$dev")          # read once, so the CRC flag and the value come from the same sample
                if [[ $raw == *YES* ]] ; then
                        echo "$raw" | tail -n +2 | cut -f 2 -d '=' | awk '{ print $1 / 1000 }'
                else
                        echo "bad read (crc=NO), skipping" >&2
                fi
                sleep 2
        done
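As an added example, not code from the post, here is a POSIX sh reader that does not take a w1_slave line on trust: it recomputes the 1-Wire CRC-8 over the first eight scratchpad bytes and compares it with the ninth, rejects a read the kernel flagged crc=NO, and rejects t=85000, which is the sensor's power-on reset value rather than a measurement. The samples are constructed from the reading shown above; the +85°C scratchpad is the typical power-on contents of the sensor.

```shell
#!/bin/sh
# Added example (not from the post): validate a DS18B20 reading from w1_slave
# before trusting it. Needs only POSIX sh, sed and awk.

# Constructed sample: the two lines shown on the page (21.750 C, CRC ok).
SAMPLE_OK='5c 01 4b 46 7f ff 04 10 a1 : crc=a1 YES
5c 01 4b 46 7f ff 04 10 a1 t=21750'
# Constructed sample: last scratchpad byte corrupted on the bus, kernel reports NO.
SAMPLE_BAD='5c 01 4b 46 7f ff 04 10 a0 : crc=a1 NO
5c 01 4b 46 7f ff 04 10 a0 t=21750'
# Constructed sample: claims YES although the bytes do not match their CRC byte.
SAMPLE_FAKE_YES='5c 01 4b 46 7f ff 04 10 a0 : crc=a1 YES
5c 01 4b 46 7f ff 04 10 a0 t=21750'
# Constructed sample: power-on scratchpad (0x0550 = +85 C), the sensor never converted.
SAMPLE_RESET='50 05 4b 46 7f ff 0c 10 1c : crc=1c YES
50 05 4b 46 7f ff 0c 10 1c t=85000'

# 1-Wire CRC-8 (polynomial x^8 + x^5 + x^4 + 1, reflected form 0x8C) over hex bytes given as arguments.
crc8_maxim() {
  crc=0
  for byte in "$@"; do
    crc=$(( crc ^ 0x$byte ))
    i=0
    while [ $i -lt 8 ]; do
      if [ $(( crc & 1 )) -eq 1 ]; then
        crc=$(( (crc >> 1) ^ 0x8C ))
      else
        crc=$(( crc >> 1 ))
      fi
      i=$(( i + 1 ))
    done
  done
  printf '%02x' "$crc"
}

# $1 = full contents of w1_slave. Prints Celsius with three decimals, or returns 1 when the
# read must not be trusted (crc=NO, CRC recomputation mismatch, or the +85 C reset value).
ds18b20_celsius() {
  line1=$(printf '%s\n' "$1" | sed -n 1p)
  line2=$(printf '%s\n' "$1" | sed -n 2p)
  case $line1 in *YES) ;; *) return 1 ;; esac
  set -- $line1                                  # $1..$8 data bytes, $9 the CRC byte
  [ "$(crc8_maxim "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8")" = "$9" ] || return 1
  milli=${line2##*t=}
  case $milli in ''|*[!0-9-]*) return 1 ;; esac
  [ "$milli" -eq 85000 ] && return 1             # reset value, conversion never ran
  awk -v m="$milli" 'BEGIN { printf "%.3f\n", m / 1000 }'
}

# On the Pi: ds18b20_celsius "$(cat /sys/bus/w1/devices/28-0000010edf01/w1_slave)"
```

The kernel already prints YES/NO, so the recomputation mostly protects against anything that post-processes or forwards the text; the +85°C check is the one that matters in practice, because a sensor with marginal power or wiring returns that value with a perfectly valid CRC.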

 

Final Result.

Redirecting http to https

Do you have a website with an SSL certificate, yet your audience still connects over http out of habit? The easy way to handle this is to redirect http requests to https, so that every http request ends up on https. To do that we will use the Apache web server (httpd on RHEL/CentOS).

Apache is the world's most used web server software. It has many features: load balancing, CGI support, header and content rewriting, URL rewriting and so on. In this post we will use Apache's URL rewriting capability, provided by mod_rewrite.

The mod_rewrite module provides a flexible and powerful way to manipulate URLs using an unlimited number of rules. By default, mod_rewrite maps a URL to a filesystem path, but it can also be used to redirect one URL to another URL, or to invoke an internal proxy fetch.

You can add the configuration below either to .htaccess or to apache2.conf (httpd.conf on RHEL/CentOS).

# Redirect permanently any request that arrives on port 80 (http) to https.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://manintheit.org/$1 [R=301,L]
</IfModule>

Do not forget to enable the mod_rewrite module. You can check with the apache2ctl or httpd utility.

On Debian/Ubuntu systems:

root@debian:/etc/apache2# apache2ctl -M|grep rewrite

On RHEL/CentOS systems:

[root@centos7 media]# httpd -M| grep rewrite

You can trace the http to https redirect with curl -v.
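As an added example, not from the post, here is a small POSIX sh check that a server really answers a plain-http request with a permanent redirect to the same path on https. check_redirect_headers works on a captured header block (the constructed samples below), so it runs offline; check_redirect_live wraps it around curl -sI for a real host (curl assumed installed).

```shell
#!/bin/sh
# Added example: verify the http -> https redirect from response headers.

# Constructed sample: what a correctly configured vhost answers for GET /index.html.
SAMPLE_GOOD='HTTP/1.1 301 Moved Permanently
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache
Location: https://manintheit.org/index.html
Content-Type: text/html; charset=iso-8859-1

'
# Constructed sample: mod_rewrite not enabled, the page is served in the clear.
SAMPLE_BAD='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html

'

# $1 = raw response headers, $2 = path that was requested.
# Returns 0 only for a 301 whose Location is https://<anything>$2.
check_redirect_headers() {
  status=$(printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
  location=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p')
  [ "$status" = "301" ] || { echo "expected 301, got ${status:-none}"; return 1; }
  case $location in
    https://*"$2") echo "ok: $location" ;;
    *) echo "bad Location: ${location:-none}"; return 1 ;;
  esac
}

# $1 = host name, $2 = path. Fetches only the headers of the http:// URL.
check_redirect_live() {
  check_redirect_headers "$(curl -sI "http://$1$2")" "$2"
}
```

One caveat with the rule above: in .htaccess the captured $1 has no leading slash, which the rule supplies; in the main server or vhost configuration the path keeps its slash, so the same rule produces a double slash after the host name. Writing the target as https://manintheit.org%{REQUEST_URI} works in both places, and this check will show the difference, because the Location must end with exactly the path requested.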

Figure: curl -v output showing the http to https redirection

Port Knocking

Port knocking is a hardening method that prevents unauthorized users from accessing services. It lets ports that the firewall keeps closed by default be opened from outside. It works by sending TCP packets to predefined closed ports in the right order. In my virtual environment I have two Linux systems, one Debian 8 and the other CentOS 7.

Debian 8 (server):

IP: 192.168.17.139

Services: knockd, ssh

CentOS 7 (client):

IP: 192.168.17.135

Services: ssh

I blocked SSH access from everywhere except my current connection, so that I could configure the knockd service on Debian 8.

root@debian:~# iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
root@debian:~# iptables -A INPUT -p tcp --dport 22 -j REJECT

Installing knockd service :

root@debian:~# apt-get install knockd

Configuration of knockd service:

First we need to activate the knockd service by changing START_KNOCKD=0 to START_KNOCKD=1 in /etc/default/knockd. (Figure-1)

Figure-1 (/etc/default/knockd)

After that, we configure the sequence of ports to be used and which TCP packets are expected before the SSH port is opened, by editing /etc/knockd.conf. (Figure-2)

Figure-2 (/etc/knockd.conf)

According to the configuration in Figure-2, to open the SSH port we have to send a TCP SYN packet to ports 7000, 8000 and 9000 in that order within 50 seconds. To close the SSH port we send a TCP SYN packet to ports 9000, 8000 and 7000 in that order, again within 50 seconds.

Enabling the knockd service (so it also starts after reboot):

root@debian:~# systemctl enable knockd.service

Starting the knockd service:

root@debian:~# systemctl start knockd.service

To send a TCP SYN packet to specific ports you can use the nmap network utility. Below you can find a shell script that does that.

Make sure nmap is installed on your system. If it is not, you can install it as shown below.

#For Debian System
apt-get install nmap
#For Redhat,Centos System
yum install nmap

Usage:

./portKnocking.sh <IP> <open|close>

./portKnocking.sh 192.168.17.139 open

./portKnocking.sh 192.168.17.139 close

#!/bin/bash
# portKnocking.sh: send one TCP SYN to each knock port, in the order knockd expects.
IP=$1
choose=$2
count=$#

if [[ $count -eq 2 ]] ; then
	case $choose in
	open)
		echo "---opening ports for $IP"
		for port in 7000 8000 9000
		do
			echo "sending SYN for port $port"
			nmap -v -PS --disable-arp-ping -p "$port" "$IP"
		done
		;;
	close)
		echo "---closing ports for $IP"
		for port in 9000 8000 7000
		do
			echo "sending SYN for port $port"
			nmap -v -PS --disable-arp-ping -p "$port" "$IP"
		done
		;;
	*)
		echo "Unknown action: $choose (use open or close)"
		exit 1
		;;
	esac
else
	echo "Wrong usage... ./portKnocking.sh <IP> <open|close>"
	exit 1
fi

Syslog:

./portKnocking.sh 192.168.17.139 open

Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 1
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 2
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 3
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: OPEN SESAME
Nov 27 11:52:23 debian knockd: openSSH: running command: /sbin/iptables -I INPUT 1 -s 192.168.17.135 -p tcp --dport 22 -j ACCEPT

./portKnocking.sh 192.168.17.139 close

Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 1
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 2
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 3
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: OPEN SESAME
Nov 27 11:53:32 debian knockd: closeSSH: running command: /sbin/iptables -D INPUT -s 192.168.17.135  -p tcp --dport 22 -j ACCEPT

For more information about port knocking you can visit http://www.zeroflux.org/projects/knock
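As an added example, not from the post and not part of the knockd project, here is a POSIX sh audit of knockd's syslog lines from the server side. still_open keeps the last completed sequence per source address and reports every source whose SSH hole is still open, which is exactly what is left in iptables when a client sends the open knock but never the close knock; incomplete_knocks lists sources that hit Stage 1 but never completed a sequence, a sign that something is probing the first knock port. The log sample is constructed from the page's lines plus two extra sources.

```shell
#!/bin/sh
# Added example: audit knockd syslog output (not from the post or from knockd).

# Constructed sample: the page's open/close lines for 192.168.17.135, one source
# (192.168.17.140) that opened and never closed, and one (192.168.17.150) that only
# ever reached Stage 1.
SAMPLE_LOG='Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 1
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 2
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 3
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: OPEN SESAME
Nov 27 11:52:23 debian knockd: openSSH: running command: /sbin/iptables -I INPUT 1 -s 192.168.17.135 -p tcp --dport 22 -j ACCEPT
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 1
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 2
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 3
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: OPEN SESAME
Nov 27 11:53:32 debian knockd: closeSSH: running command: /sbin/iptables -D INPUT -s 192.168.17.135  -p tcp --dport 22 -j ACCEPT
Nov 27 12:10:05 debian knockd: 192.168.17.140: openSSH: Stage 1
Nov 27 12:10:05 debian knockd: 192.168.17.140: openSSH: Stage 2
Nov 27 12:10:05 debian knockd: 192.168.17.140: openSSH: Stage 3
Nov 27 12:10:05 debian knockd: 192.168.17.140: openSSH: OPEN SESAME
Nov 27 12:30:44 debian knockd: 192.168.17.150: openSSH: Stage 1'

# $1 = knockd log text. Prints "<ip> open since <timestamp>" for each source whose
# last completed sequence was openSSH, sorted by address.
still_open() {
  printf '%s\n' "$1" | awk '
    / knockd: [0-9.]+: (openSSH|closeSSH): OPEN SESAME$/ {
      ip = $6; sub(/:$/, "", ip)          # strip the trailing colon from the address
      state[ip] = ($7 == "openSSH:") ? "open" : "closed"
      when[ip] = $1 " " $2 " " $3
    }
    END { for (ip in state) if (state[ip] == "open") print ip, "open since", when[ip] }' | sort
}

# $1 = knockd log text. Prints "<ip> <count>" for sources that reached Stage 1 of any
# sequence but never completed one.
incomplete_knocks() {
  printf '%s\n' "$1" | awk '
    / knockd: [0-9.]+: [A-Za-z]+: Stage 1$/     { ip = $6; sub(/:$/, "", ip); started[ip]++ }
    / knockd: [0-9.]+: [A-Za-z]+: OPEN SESAME$/ { ip = $6; sub(/:$/, "", ip); completed[ip]++ }
    END { for (ip in started) if (!(ip in completed)) print ip, started[ip] }' | sort
}
```

Run it as still_open "$(grep knockd /var/log/syslog)" and compare the result with iptables -L INPUT -n. Because an open that is never closed leaves the ACCEPT rule in place indefinitely, the usual remedy on the knockd side is one section with start_command, stop_command and cmd_timeout, so the port closes itself a few seconds after the knock, long enough to establish the SSH session.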

Happy Hardening.

Cyberchondriac

Today’s new word  is Cyberchondriac.

A cyberchondriac is someone who looks up medical advice on the Internet for every symptom they have and gets anxious because they think they have a serious illness.

Free SSL Certificate

Q: Is it possible to get a free SSL certificate that is supported by modern web browsers such as Chrome, Mozilla Firefox, IE etc.?

A: Actually, yes, you can get free green-bar SSL certificates that modern web browsers support. Let's Encrypt is a free, automated, open Certificate Authority. But before you get an SSL certificate, you have to do a few things to confirm that you own the domain you want the certificate for. There are some websites that guide you through it; https://www.sslforfree.com is one of them.
