Tuesday, 29 April 2014

Windows Administration the hard way

I had several problems recently. 

Issue 1:

The issue was that the software I support was unable to install itself because of permissions. The strangest thing was that cacls was not present and I had to get it from somewhere else.

After giving the SYSTEM account full control of the temp directory everything worked like a charm. However, before rushing in, delete the temporary files: it seems the program was unable to install because of a corrupt directory that it could not write to as the SYSTEM user.

1. cacls "C:\WINDOWS\Temp" /G <adminuser>:F
   (otherwise I cannot read the contents of the directory)
2. Rename the corrupt directory.
3. cacls "C:\WINDOWS\Temp" /G SYSTEM:F

Keep in mind that cacls /G without /E replaces the whole ACL instead of adding to it, which is why step 1 takes SYSTEM's access away and step 3 has to put it back.

Note: maybe there is a way to add both users with cacls, but I was kind of in a hurry.

Issue 2:

I needed to remotely install the software I support, so I needed Remote Registry and RPC enabled, and the firewall had to be shut. Note: if you haven't enabled Remote Desktop, don't disable the firewall; it is better to set the service to start manually. The other, safer workaround is to allow just the service you need through the firewall, in my case File and Printer Sharing (see issue 5). The script below does it the blunt way; check the references for further info.

net start RemoteRegistry
net start rpcss
net stop mpssvc
sc config RemoteRegistry start= auto
sc config rpcss start= auto
sc config mpssvc start= disabled

(sc.exe needs the space after start= and the value is disabled, not disable; written without the space the sc lines only print the usage text and change nothing. Disabling mpssvc leaves the machine with no host firewall at all, so turn it back on once the remote install is done.)

Issue 3:

How do you fix a messed-up installation remotely? This relates to Issue 2 above. You need only three things:

1. Admin rights on the remote machine.
2. Remote Registry: regedit can open another computer's registry with File > Connect Network Registry.
3. Services: the Services console can connect to remote PCs as well.

That's it; then restart and re-install the software.

Issue 4:

How to get the built-in administrator account back:
net user administrator /active:yes
net user administrator password

Note that the second line sets the password to the literal string "password". Use a real one (or pass * to be prompted), and deactivate the account again afterwards with the same command and /active:no, since the built-in administrator is a standing target for brute-force attempts.

Overflow Android

Since a year or so has passed, I thought why not retire the classic version of Overflow for Android.

Here is the new version with the new design from Lyubina Karapeeva:

And here is the classical version:

Hope you enjoy it. 

Thursday, 24 April 2014

Mikrotik speed it up

This is an attempt to speed up the Mikrotik's connections from the local network to services and other hosts.

First, let us begin with the ToS. As far as I understood from the Winbox interface it is the same as DSCP, but on closer inspection it seems a bit different. Both live in the same IPv4 header byte: the ToS keywords refer to the old RFC 1349 flag bits, while DSCP is the six-bit DiffServ codepoint occupying the top of that byte. Anyway, here is what I have for ToS and what the numbers behind it actually mean:

new-tos (max-reliability | max-throughput | min-cost | min-delay | normal | integer) - the ToS value to be used together with action=change-tos
  max-reliability - maximize reliability (ToS=4)
  max-throughput - maximize throughput (ToS=8)
  min-cost - minimize monetary cost (ToS=2)
  min-delay - minimize delay (ToS=16)
  normal - normal service (ToS=0)

You will probably ask yourself why DSCP values of 5, 6 and 7 appear here; please see the script in the references below. It is a way of prioritizing the traffic in your network, so it is normal to have different but close values.
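As an added illustration of the ToS-versus-DSCP confusion (my code, not the post's or MikroTik's), here is the bit arithmetic: the RouterOS new-tos keywords write the RFC 1349 flag bits of the IPv4 TOS byte, new-dscp writes the top six bits of the same byte, so every ToS keyword has a DSCP equivalent and the post's DSCP 5, 6 and 7 decode to combinations of those flags. The keyword-to-value table is the one listed above; everything else is plain RFC arithmetic.

```python
"""The IPv4 TOS byte read both ways: RFC 1349 flag bits (what RouterOS new-tos
sets) and RFC 2474 DSCP plus ECN (what new-dscp sets).

Layout of the byte, most significant bit first:
    PPP D T R C x      precedence, min-delay, max-throughput, max-reliability,
                       min-cost, must-be-zero   (RFC 1349 view)
    DDDDDD EE          six DSCP bits, two ECN bits   (DiffServ view)
"""

# RouterOS new-tos keywords and the RFC 1349 flag value each one writes
# (the same numbers the post lists above).
TOS_NAMES = {
    "normal": 0,
    "min-cost": 2,
    "max-reliability": 4,
    "max-throughput": 8,
    "min-delay": 16,
}


def tos_byte_from_dscp(dscp, ecn=0):
    """The full TOS byte a change-dscp rule produces (ECN given explicitly)."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def dscp_from_tos_byte(tos):
    """The six DSCP bits a DiffServ-aware hop will read out of a TOS byte."""
    return (tos & 0xFF) >> 2


def dscp_for_tos_name(name):
    """Which new-dscp value writes the same bits as a given new-tos keyword."""
    return dscp_from_tos_byte(TOS_NAMES[name])


def decode_tos_byte(tos):
    """Interpret one byte both the RFC 1349 way and the DiffServ way."""
    flags = [name for name, bit in TOS_NAMES.items() if bit and tos & bit]
    return {
        "precedence": tos >> 5,
        "tos_flags": flags or ["normal"],
        "dscp": dscp_from_tos_byte(tos),
        "ecn": tos & 0x3,
    }


if __name__ == "__main__":
    # What the post's new-dscp=5/6/7 look like to a router that only knows ToS.
    for dscp in (5, 6, 7):
        print(dscp, decode_tos_byte(tos_byte_from_dscp(dscp)))
    # And the DSCP equivalent of every new-tos keyword.
    for name in TOS_NAMES:
        print(name, "-> new-dscp", dscp_for_tos_name(name))
```

Two things fall out of the decode: DSCP 5, 6 and 7 are not standard DiffServ codepoints (the CS, AF and EF values are), so they only mean something inside a network whose own queues key on them, and upstream hops will treat them as best effort or remap them. Also, min-cost (ToS 2) sits in what DiffServ treats as the ECN bits, so a DSCP-only device never sees it at all.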

Below you will find a printout of my configuration in
/ip firewall mangle

It is easy to confuse connection marks (CM) and packet marks (PM) here; they mean different things. Mistakes are especially easy to make in the WinBox interface, although the rules are easier to understand there. One more note: if you configure this from the command line, each rule must be a single line. A newline (Enter) in the middle breaks the command, which is a common mistake.

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=ICMP-CM passthrough=yes protocol=icmp src-address=
add chain=prerouting action=mark-packet new-packet-mark=ICMP-PM passthrough=yes connection-mark=ICMP-CM
add chain=prerouting action=change-dscp new-dscp=6 passthrough=yes packet-mark=ICMP-PM
add chain=prerouting action=mark-connection new-connection-mark=DNS-CM passthrough=yes protocol=tcp src-address= dst-port=53
add chain=prerouting action=mark-connection new-connection-mark=DNS-CM passthrough=yes protocol=udp src-address= dst-port=53,5353
add chain=prerouting action=mark-packet new-packet-mark=DNS-PM passthrough=yes connection-mark=DNS-CM
add chain=prerouting action=change-dscp new-dscp=6 passthrough=yes packet-mark=DNS-PM

(src-address= is left blank in this printout; fill in the LAN range the rules should apply to.)

Winbox port 8291 (local management)
add chain=input action=change-dscp new-dscp=7 passthrough=yes protocol=tcp dst-port=8291

Skype, HTTPS
add chain=postrouting action=change-dscp new-dscp=7 passthrough=yes protocol=tcp dst-port=443

Priority 6 - SSH (SSH runs over TCP; the original rule matched udp port 22 and would never fire)
add chain=prerouting action=set-priority new-priority=6 passthrough=yes protocol=tcp port=22

Priority 5 - HTTP requests
add chain=prerouting action=set-priority new-priority=5 passthrough=yes protocol=tcp dst-port=80 connection-bytes=0-5000000

Priority 5 - Yahoo IM
add chain=prerouting action=set-priority new-priority=5 passthrough=yes protocol=tcp port=5050

Priority 7 - VoIP - skypetoskype (the comment in the source script said "Priority - 0", but the rule sets 7)
add chain=forward action=set-priority new-priority=7 passthrough=yes layer7-protocol=skypetoskype

/queue type add name=PFIFO-64 kind=pfifo pfifo-limit=64
/queue tree add name=ICMP parent=ether1-gateway packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
/queue tree add name=DNS parent=ether1-gateway packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64

Some Layer-7 priorities:

/ip firewall layer7-protocol
add name=bittorrent regexp="^(\13bittorrent protocol|azver\01\$|get /scrape\\\
add name=skypeout regexp="^(\01.\?.\?.\?.\?.\?.\?.\?.\?\01|\02.\?.\?.\?.\?.\?.\
    \1E.\?.\?.\?.\?.\?.\?.\?.\?\1E|\1F.\?.\?.\?.\?.\?.\?.\?.\?\1F| .\?.\?.\?.\
    \?.\?.\?.\?.\? |!.\?.\?.\?.\?.\?.\?.\?.\?!|\".\?.\?.\?.\?.\?.\?.\?.\?\"|#.\
add name=skypetoskype regexp="^..\02............."

(The bittorrent and skypeout regexps are cut off in this printout; take the complete ones from the script in the references.)

/ip firewall mangle
add action=set-priority chain=forward comment="Priority - 0 - File Sharing - Bittorrent" layer7-protocol=bittorrent new-priority=0
add action=set-priority chain=forward comment="Priority - 7 - VOIP - skypetoskype" layer7-protocol=skypetoskype new-priority=7

(The bittorrent rule had no new-priority in the printout, which makes it invalid; the 0 is taken from its own comment.)

Thursday, 17 April 2014

Yuriy's NodesUP - Android

I decided to make a small update to my app. The idea behind this application came to me while, of course, I was out of the office at some meetings and a client called with his problem: that our appliance did not work. Actually some switch was "stuck" and this was the reason for the problems, but I had to browse from my phone to find this out, so naturally this application was born: you can ping, do reverse DNS and check the MX records with it. Also in this updated version I have put in a "Wifi On" button, since I was in the ridiculous situation where I had wifi but no Internet and I did not want to do this; I wanted to check my real IP from my 3G network.

Here it is the new version ;)

Monday, 14 April 2014

Mikrotik firewall Tools and Rules

Some time has passed since I initially configured the firewall of my Mikrotik, so I invested some of my time to make it better.

First, get the list of connections:
/ip firewall connection print

Study them a little closer with the whois information you can get on the remote addresses. For those connections I did not agree with, because I saw no reason for them to exist, I did this:

/ip firewall filter add chain=forward src-address= dst-address=<ip>/<mask> action=drop

(src-address= is left blank in this printout; fill in the host or range the rule should apply to.)

Note the direction here: it is from the source to the destination (meaning the destination is generally somewhere on the Internet). You can also change this to your preference and block it the other way. Take care, because some services may stop functioning, so add comments, and don't forget the order of the rules, meaning which are on top, since some might overrule others.

The other interesting tool here is torch. With it you can find which traffic flow consumes the most bandwidth, which could be an attack or just a permanent connection (an SMTP server outside the company, for example).

/tool torch

It is more convenient to watch the connection list and torch from WinBox if you are going to monitor these things in real time; the command line does the same, BUT there you can copy and paste the text, which contains valuable information for further analysis.

Under attack or not?

Another logical thing here is to check the resources used on the device. You can see this with

/system resource monitor

Final thoughts: close whatever services you don't need on the router, or limit them to the local network where possible, and scan it from outside. You can do a scan for instance with

Below you will find some material on SYN filtering, DoS attack rules, etc. I gathered it from the references below in one place; hopefully it is useful for you.

SYN filtering
Some advanced filtering can be applied based on TCP packet state.

/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no

Note that the jump rule is added with disabled=yes, so nothing is protected until you enable it. On RouterOS v6 the limit matcher also expects a mode suffix (limit=400,5:packet).

For v6.x:

/ip settings set tcp-syncookies=yes

For older RouterOS versions:

/ip firewall connection tracking set tcp-syncookie=yes


add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="detect and drop port scan connections" disabled=no
add chain=input protocol=tcp connection-limit=3,32 src-address-list=black_list action=tarpit \
comment="suppress DoS attack" disabled=no
add chain=input protocol=tcp connection-limit=10,32 action=add-src-to-address-list \
address-list=black_list address-list-timeout=1d comment="detect DoS attack" disabled=no

These rules are somewhat reactive to DoS and port-scanning attempts: port scans are dropped, while a DoS source is "tarpitted", meaning its connections are held open and slowed down to tie up resources on the attacker's side. Note that connection-limit=10,32 counts per single address (/32), so a NAT gateway with many users behind it can end up in black_list for a day.


add chain=input protocol=icmp action=jump jump-target=ICMP comment="jump to chain ICMP" disabled=no

Note: this rule seems to be invalid; I still haven't found why:
add chain=input action=jump jump-target=services comment="jump to chain services" disabled=no

add chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept comment="0:0 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="3:3 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="3:4 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept comment="8:0 and limit for 5pac/s" disabled=no 
add chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept comment="11:0 and limit for 5pac/s" disabled=no 

add chain=ICMP protocol=icmp action=drop comment="Drop everything else" disabled=no 

These rules form the ICMP chain we jumped to from input. It rate-limits the useful ICMP types (echo reply, destination unreachable 3:3 and 3:4, echo request, time exceeded) to 5 packets per second with a burst of 5 and drops everything else, to stop people ping-flooding you.


Bruteforce login prevention

To stop SSH/FTP brute-force attacks on your router, follow this advice.
This configuration allows only 10 incorrect FTP logins per minute (dst-limit of 1 per minute with a burst of 9) before the client is blacklisted for 3 hours. Since it matches the "530 Login incorrect" text in the server's reply, it only works for plain-text FTP.
In /ip firewall filter:

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h


This will ban an SSH brute forcer for 10 days after repeated attempts: each new connection to port 22 moves the source through ssh_stage1, ssh_stage2 and ssh_stage3 (each held for one minute), and a fourth new connection inside that window lands it in ssh_blacklist. Change the timeouts as necessary, and put an accept rule for your own management addresses above these so you don't lock yourself out.

in /ip firewall filter

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

If you want to block downstream access as well, you need to block them in the forward chain too:

add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute downstream" disabled=no

To view the contents of your Blacklist, go to "/ip firewall address-list" and type "print" to see the contents.
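To see what the staged address lists actually do before you deploy them, here is an added simulation of the five SSH rules above (my code, not RouterOS or the post's). The list names and timeouts come from the rules; the addresses and timestamps in the run are constructed. It models the RouterOS semantics that matter here: rules are checked top to bottom, drop is terminating, add-src-to-address-list is not (every matching add rule fires for one packet), and dynamic list entries expire after their timeout (assumed to be refreshed when an address is re-added).

```python
from dataclasses import dataclass, field

SSH_PORT = 22
STAGE_TIMEOUT = 60               # address-list-timeout=1m on the stage lists
BLACKLIST_TIMEOUT = 10 * 86400   # address-list-timeout=10d on ssh_blacklist


@dataclass
class AddressLists:
    """Dynamic address lists with expiry: {list_name: {address: expires_at}}."""
    entries: dict = field(default_factory=dict)

    def add(self, name, addr, now, timeout):
        # Assumption: re-adding an address that is already listed refreshes its timer.
        self.entries.setdefault(name, {})[addr] = now + timeout

    def contains(self, name, addr, now):
        expires = self.entries.get(name, {}).get(addr)
        if expires is None:
            return False
        if expires <= now:           # dynamic entry timed out
            del self.entries[name][addr]
            return False
        return True

    def members(self, name, now):
        return sorted(a for a in list(self.entries.get(name, {})) if self.contains(name, a, now))


class SshBruteForceFilter:
    """The five input-chain rules from the post, evaluated top to bottom."""

    def __init__(self):
        self.lists = AddressLists()

    def packet(self, src, dst_port, now, new=True):
        """Verdict for one packet: 'drop', or 'accept' (fell through to later rules)."""
        if dst_port != SSH_PORT:
            return "accept"
        L = self.lists
        # Rule 1: drop anything from a blacklisted source, whatever its connection state.
        if L.contains("ssh_blacklist", src, now):
            return "drop"
        if not new:
            return "accept"           # rules 2-5 only match connection-state=new
        # Rules 2-5: add-src-to-address-list is non-terminating, so every matching
        # rule fires, and each membership test happens before the lower rules add anything.
        if L.contains("ssh_stage3", src, now):
            L.add("ssh_blacklist", src, now, BLACKLIST_TIMEOUT)
        if L.contains("ssh_stage2", src, now):
            L.add("ssh_stage3", src, now, STAGE_TIMEOUT)
        if L.contains("ssh_stage1", src, now):
            L.add("ssh_stage2", src, now, STAGE_TIMEOUT)
        L.add("ssh_stage1", src, now, STAGE_TIMEOUT)
        return "accept"


def run_scenario():
    """Constructed traffic: a fast brute forcer plus one unrelated admin host."""
    fw = SshBruteForceFilter()
    attacker, admin = "203.0.113.7", "192.0.2.10"   # documentation addresses, made up
    events = [  # (time in seconds, source, destination port, is this a new connection)
        (0, attacker, 22, True),
        (5, attacker, 22, True),
        (10, attacker, 22, True),
        (15, attacker, 22, True),    # 4th new connection inside a minute -> blacklisted
        (16, attacker, 22, False),   # a later packet of that 4th connection
        (20, attacker, 22, True),
        (30, admin, 22, True),       # one connection from someone else
        (30, admin, 80, True),       # not SSH, the rules do not apply
    ]
    verdicts = [fw.packet(src, port, t, new) for t, src, port, new in events]
    return verdicts, fw.lists.members("ssh_blacklist", 30)


def slow_attacker_evades(interval, attempts=6):
    """True if one new connection every `interval` seconds is never dropped."""
    fw = SshBruteForceFilter()
    return all(fw.packet("203.0.113.9", 22, i * interval, True) == "accept"
               for i in range(attempts))


if __name__ == "__main__":
    print(run_scenario())
    print("70 s spacing evades:", slow_attacker_evades(70))
    print("30 s spacing evades:", slow_attacker_evades(30))
```

Two things to take from the run: the fourth SYN itself passes rule 1 (the source is only blacklisted further down the chain), but every later packet from that address to port 22 is dropped, so the fourth attempt never completes; and the one-minute stage timeouts mean an attacker pacing attempts more than a minute apart is never escalated, which is the trade-off for not banning an admin who opens a few sessions in quick succession. An accept rule for your own management addresses above these rules keeps you from being the admin in that second case.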


Tuesday, 8 April 2014

Goodbye Windows XP

It was a nice operating system, but lately, with all these security issues, it seems a good idea to get this:
and this:
Especially when you know that official support from Microsoft ends today. Yes, today.

One more interesting thing I came across in the last week or so was the source code of another deprecated operating system, MS-DOS 2.0. Have a look:

That's it for now and take care.