NetSecL Legacy, GrSecurity, Linux Security, IPTables.

When I began with NetSecL Linux as a Linux distribution my main concern was the security of that system, so I decided to make this article explaining some of the approaches that were used in the distribution. I am open to help if you would like a server or any other system hardened (NAS, mail, create secure virtual environments etc.) - please contact me.

So let's begin with the vulnerabilities - one of the things that NetSecL protected against were different methods of exploitation.  Here naturally GrSecurity was the solution to this problems. Apart from the patch that grsecurity supplies I needed also to recompile gcc and binutils - you will probably need to check this https://pax.grsecurity.net/. I now see that the binutils is out of date. But you can check this paxtest - it will test your security.

bash-3.1# paxtest blackhat
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 16 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 25 bits (guessed)
Main executable randomisation (ET_EXEC) : 16 bits (guessed)
Main executable randomisation (ET_DYN) : 16 bits (guessed)
Shared library randomisation test : 16 bits (guessed)
Stack randomisation test (SEGMEXEC) : 23 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed

Lets begin with the patch we have from https://grsecurity.net/ . Choose the appropriate kernel version and apply the patch to it. If you are using it on OpenSuse you might want to recompile the gcc itself to have the needed plugins otherwise you will get a warning (as far as I remember) and you will miss some of the important features.

patch -p1 < 
make menuconfig

Lets begin with the kernel configuration, this is one of my config files - after applying GrSecurity patch:

#
# Security options
#

#
# Grsecurity
#
CONFIG_TASK_SIZE_MAX_SHIFT=47
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_PROC_GID=10

#
# Customize Configuration
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
# CONFIG_PAX_USERCOPY is not set
# CONFIG_PAX_SIZE_OVERFLOW is not set
# CONFIG_PAX_LATENT_ENTROPY is not set

#
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_NO_RBAC is not set
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
# CONFIG_GRKERNSEC_PROC_ADD is not set
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
CONFIG_KEYS=y
CONFIG_TRUSTED_KEYS=m
CONFIG_ENCRYPTED_KEYS=m
CONFIG_KEYS_DEBUG_PROC_KEYS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
CONFIG_SECURITY_PATH=y
CONFIG_INTEL_TXT=y
CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=0
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_SECURITY_APPARMOR is not set
CONFIG_INTEGRITY=y
CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y
CONFIG_DEFAULT_SECURITY_SELINUX=y
# CONFIG_DEFAULT_SECURITY_DAC is not set
CONFIG_DEFAULT_SECURITY="selinux"
CONFIG_XOR_BLOCKS=m
CONFIG_ASYNC_CORE=m
CONFIG_ASYNC_MEMCPY=m
CONFIG_ASYNC_XOR=m
CONFIG_ASYNC_PQ=m
CONFIG_ASYNC_RAID6_RECOV=m
CONFIG_ASYNC_TX_DISABLE_PQ_VAL_DMA=y
CONFIG_ASYNC_TX_DISABLE_XOR_VAL_DMA=y
CONFIG_CRYPTO=y

This is a script that applies the permissions paxctl permission and the key to a normally workin system - mprotect "breaks" some of the working software and permissions should be applied:

#!/bin/sh

#These are permissions for PaX and the paranoid kernels

#Don't edit unless you know what you are doing!

#This script is ran once and then "chmod -x"-ed if you change it you must make it executable again (chmod +x) and re-run it.

#Please report any problems on i_stanchev@ml1.net

echo "Converting /sbin/ adding PT_PAX_FLAGS"

paxctl -Cq /sbin/*

echo "Converting /usr/sbin/ adding PT_PAX_FLAGS"

paxctl -Cq /usr/sbin/*

echo "Converting /usr/bin/ adding PT_PAX_FLAGS"

paxctl -Cq /usr/bin/*

echo "Converting /usr/lib/ adding PT_PAX_FLAGS"

paxctl -Cq /usr/lib64/gimp/2.0/plug-ins/*

paxctl -Cq /usr/lib64/gnome-vfs-2.0/*

paxctl -Cq /usr/lib/gnome-vfs-2.0/*

paxctl -Cq /usr/lib/YaST2/bin/*

paxctl -Cq /usr/lib64/YaST2/plugin/*

echo "Converting /usr/libexec/ adding PT_PAX_FLAGS"

paxctl -Cq /usr/libexec/*

echo "Converting /usr/libexec/xfce4/panel-plugins/ adding PT_PAX_FLAGS"

paxctl -Cq /usr/libexec/xfce4/panel-plugins/*

echo "Converting /usr/lib/qt/bin/ adding PT_PAX_FLAGS"

paxctl -Cq /usr/lib/qt/bin/*

echo "Applying paxctl permissions"

paxctl -mq /usr/lib/gnome-vfs-2.0/*

paxctl -mq /usr/lib64/gnome-vfs-2.0/*

paxctl -mq /usr/lib/YaST2/bin/*

paxctl -mq /usr/lib64/YaST2/plugin/*

paxctl -mq /usr/lib64/gimp/2.0/plug-ins/*

paxctl -mq /usr/bin/*

paxctl -permsx /usr/bin/wine-preloader

paxctl -permsx /usr/bin/wine

paxctl -permsx /usr/bin/wine64-preloader

paxctl -permsx /usr/bin/wine64

paxctl -Cq /usr/lib64/firefox/firefox-bin

paxctl -mq /usr/lib64/firefox/firefox-bin

paxctl -mq /usr/sbin/*

paxctl -mq /sbin/*

paxctl -mq /usr/libexec/*

echo "Done applying paxctl permissions"

Compiling the kernel:

make bzImage
make modules
make INSTALL_MOD_STRIP=1 modules_install
make install
mkinitrd

This is another component the NetSecL Firewall which ensures the network security of the OS. Here you should consider also stopping your unneeded services and comment them out in inetd. This is the script of the firewall:

#!/bin/bash

# 

#This program is free software; you can redistribute it and/or

#modify it under the terms of the GNU General Public License

#as published by the Free Software Foundation; either version 2

#of the License, or (at your option) any later version.

#

#This program is distributed in the hope that it will be useful,

#but WITHOUT ANY WARRANTY; without even the implied warranty of

#MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

#GNU General Public License for more details.

#

#You should have received a copy of the GNU General Public License

#along with this program; if not, write to the Free Software

#Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.

#

# This firewall was developed for the NetSecL Linux Distribution and was put together by:

# Yuriy Stanchev - NetSecL Maintainer

#

#The nesecl-firewall is being discussed in the NetSecL forum

#http://netsecl.com/forum/index.php?PHPSESSID=030b98b33c1707cfa364e792b17bfbfe&board=2.0

if [ "$1" = "start" ]; then

IPTABLES="/usr/sbin/iptables"

#Probe internet interfaces

if [ "$(/sbin/ifconfig | /bin/grep eth0)" ]; then

INTERNET="eth0"

elif [ "$(/sbin/ifconfig | /bin/grep eth1)" ]; then

INTERNET="eth1"

else INTERNET="ppp0"

fi

#Get the DNS Server

NAMESERVER=`grep nameserver /etc/resolv.conf |head -1|awk '{print $2}'`

#NAMESERVER="" #Manually set this variabale if the DNS is not recognized

if [ "$NAMESERVER" = "" ]; then

 echo "You must manually set the DNS Server. Please edit /etc/rc.d/rc.firewall or use netconfig to configure your network and set a DNS Server."

fi

CLASS_A="127.0.0.0/8"

CLASS_B="172.16.0.0/12"

CLASS_C="192.168.0.0/16"

CLASS_D_MULTICAST="224.0.0.0/4"

CLASS_E_RESERVED_NET="240.0.0.0/5"

BROADCAST_DEST="255.255.255.255"

# FTP (20, 21) SSH (22) SMTP (25) WHOIS (43) WWW (80) POP (110) IDENT (113) USENET (119)  IMAP (143) SSL (443) PROXY (8008, 8080)

PORTS="20 21 25 80 110 113 443 8080" #

PASSIVEFTP="Y"

PINGDEATH="Y" 

LOGGING="N" 

BEHINDROUTER="Y" #This Rules allows connections from your Router to you (Assumes that the DNS is the IP of your Router/Gateway) 

SSHDREQ="N" #ALLOW INCOMING SSHD REQUESTS

SSHSRV="N" #ALLOW SSH server

$IPTABLES -P INPUT DROP

$IPTABLES -P OUTPUT DROP

$IPTABLES -P FORWARD DROP

# Firewall initialization, remove everything, start with clean tables

$IPTABLES -F # remove all rules

$IPTABLES -t nat -F # remove all rules

$IPTABLES -t mangle -F # delete all user-defined chains

$IPTABLES -X # delete all user-defined chains

$IPTABLES -t nat -X # remove all rules

$IPTABLES -t mangle -X # delete all user-defined chains

#enable broadcast echo protection

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

#Disable Source Routed packets

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do

echo 0 > $f

done

#Enable TCP SYN Cookie Protection

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Reduce SYN Floods

echo 4096 >/proc/sys/net/ipv4/tcp_max_syn_backlog 

#IP Forward

echo 0 > /proc/sys/net/ipv4/ip_forward

#Disable ICMP redirect Acceptance

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do

echo 0 > f$

done

# Send Redirect Messges

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do

echo 0 > $f

done

echo 0 > /proc/sys/net/ipv4/conf/all/secure_redirects

# Drop Spoofed Packets coming in on an interface, which, if replied to,

# would result in the reply goingout a different interface.

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

echo 1 > f$

done

# Log packets with impossible addresses

for f in /proc/sys/net/ipv4/conf/*/log_martians; do

echo 1 > $f

done

# Set up our logging and packet 'executing' chains

$IPTABLES -N LOG_DROP

$IPTABLES -N logaborted2

$IPTABLES -A logaborted2 -j LOG --log-prefix "ABORTED " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence

$IPTABLES -A logaborted2 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -N logaborted

$IPTABLES -A logaborted -m limit --limit 1/second --limit-burst 10 -j logaborted2

$IPTABLES -A logaborted -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix "LIMITED " --log-level 4 

# allow everything for loop device

$IPTABLES -A INPUT -i lo -j ACCEPT

$IPTABLES -A OUTPUT -j ACCEPT

if [ "$BEHINDROUTER" = "Y" ]; then

$IPTABLES -A INPUT -i $INTERNET -s $NAMESERVER -j ACCEPT

fi

#portscan detector

$IPTABLES -N PORTSCAN

#portscan detection module

# NMAP FIN/URG/PSH

$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m recent --set -j PORTSCAN

$IPTABLES -A FORWARD -p tcp --tcp-flags ALL FIN,URG,PSH -m recent --set -j PORTSCAN

# SYN/RST

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m recent --set -j PORTSCAN

$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -m recent --set -j PORTSCAN

# SYN/FIN -- Scan(probably)

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m recent --set -j PORTSCAN

$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -m recent --set -j PORTSCAN

# NMAP FIN Stealth

$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -m recent --set -j PORTSCAN

$IPTABLES -A FORWARD -p tcp --tcp-flags ALL FIN -m recent --set -j PORTSCAN

# ALL/ALL Scan

$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -m recent --set -j PORTSCAN

$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -m recent --set -j PORTSCAN

# NMAP Null Scan

$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -m recent --set -j PORTSCAN

$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -m recent --set -j PORTSCAN

#XMAS

$IPTABLES -A INPUT -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -m recent --set -j PORTSCAN

$IPTABLES -A FORWARD -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -m recent --set -j PORTSCAN

if [ "$LOGGING" = "Y" ]; then

$IPTABLES -A LOG_DROP -m limit --limit 6/minute --limit-burst 1 -j LOG --log-prefix "PORTSCAN SHUN " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence

$IPTABLES -A LOG_DROP -j DROP 

fi

$IPTABLES -A PORTSCAN -j DROP

# Drop packets with bad tcp flags

$IPTABLES -N BAD_FLAGS

$IPTABLES -A INPUT -p tcp --tcp-option 64 -m recent --set -j BAD_FLAGS

$IPTABLES -A INPUT -p tcp --tcp-option 128 -m recent --set -j BAD_FLAGS

if [ "$LOGGING" = "Y" ]; then

$IPTABLES -A LOG_DROP -m limit --limit 6/minute --limit-burst 1 -j LOG --log-prefix "BADFLAGS SHUN " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence

$IPTABLES -A LOG_DROP -j DROP 

fi

$IPTABLES -A BAD_FLAGS -j DROP

# Drop packets that are too small Note:

$IPTABLES -N SMALL

$IPTABLES -A INPUT -p udp -m length --length 0:27 -m recent --set -j SMALL

$IPTABLES -A INPUT -p tcp -m length --length 0:39 -m recent --set -j SMALL

$IPTABLES -A INPUT -p icmp -m length --length 0:27 -m recent --set -j SMALL

$IPTABLES -A INPUT -p 30 -m length --length 0:31 -m recent --set -j SMALL

$IPTABLES -A INPUT -p 47 -m length --length 0:39 -m recent --set -j SMALL

$IPTABLES -A INPUT -p 50 -m length --length 0:49 -m recent --set -j SMALL

$IPTABLES -A INPUT -p 51 -m length --length 0:35 -m recent --set -j SMALL

$IPTABLES -A INPUT -m length --length 0:19 -m recent --set -j SMALL

if [ "$LOGGING" = "Y" ]; then

$IPTABLES -A LOG_DROP -m limit --limit 6/minute --limit-burst 1 -j LOG --log-prefix "SMALL SHUN " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence

$IPTABLES -A LOG_DROP -j DROP 

fi 

$IPTABLES -A SMALL -j DROP

# Reject all BOGUS packets

$IPTABLES -N BOGUS

$IPTABLES -t filter -p all -A INPUT -m conntrack --ctstate INVALID -j BOGUS

$IPTABLES -t filter -p all -A OUTPUT -m conntrack --ctstate INVALID -j BOGUS

$IPTABLES -t filter -p all -A FORWARD -m conntrack --ctstate INVALID -j BOGUS

if [ "$LOGGING" = "Y" ]; then

$IPTABLES -A LOG_DROP -m limit --limit 6/minute --limit-burst 1 -j LOG --log-prefix "BOGUS SHUN " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence

$IPTABLES -A LOG_DROP -j DROP 

fi 

$IPTABLES -A BOGUS -j REJECT

#Enforce SYN only connections on NEW connections

$IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn:"

$IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

$IPTABLES -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn:"

$IPTABLES -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

# Drop packets to "odd" ports

$IPTABLES -N ODDPORTS

$IPTABLES -A INPUT -p udp --sport 2:21 -m recent --set -j ODDPORTS

$IPTABLES -A INPUT -p udp --dport 2:21 -m recent --set -j ODDPORTS

$IPTABLES -A INPUT -p tcp --dport 0 -m recent --set -j ODDPORTS

$IPTABLES -A INPUT -p tcp --sport 0 -m recent --set -j ODDPORTS

$IPTABLES -A FORWARD -i $INTERNET -p udp --dport 2:21 -m recent --set -j ODDPORTS

$IPTABLES -A FORWARD -i $INTERNET -p tcp --dport 0 -m recent --set -j ODDPORTS

$IPTABLES -A FORWARD -i $INTERNET -p tcp --sport 0 -m recent --set -j ODDPORTS

if [ "$LOGGING" = "Y" ]; then

$IPTABLES -A LOG_DROP -m limit --limit 6/minute --limit-burst 1 -j LOG --log-prefix "ODDPORTS SHUN " --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence

$IPTABLES -A LOG_DROP -j DROP 

fi 

$IPTABLES -A ODDPORTS -j DROP

#BLOCK OS Fingerprint Detection

$IPTABLES -N os-fingerprint

$IPTABLES -F os-fingerprint

$IPTABLES -A os-fingerprint -p tcp --dport 0 -j DROP

$IPTABLES -A os-fingerprint -p udp --dport 0 -j DROP

$IPTABLES -A os-fingerprint -p tcp --sport 0 -j DROP

$IPTABLES -A os-fingerprint -p udp --sport 0 -j DROP

$IPTABLES -A os-fingerprint -p icmp --icmp-type address-mask-request -j DROP

$IPTABLES -A os-fingerprint -p icmp --icmp-type address-mask-reply -j DROP

#

#refuse packets claiming to be from a Class_A private network.

$IPTABLES -A INPUT -i $INTERNET -s $CLASS_A -j DROP

#refuse packets claiming to be from a Class_B private network.

$IPTABLES -A INPUT -i $INTERNET -s $CLASS_B -j DROP

#refuse packets claiming to be from a Class_C private network.

$IPTABLES -A INPUT -i $INTERNET -s $CLASS_C -j DROP

#Refuse Class E reserved IP

$IPTABLES -A INPUT -i $INTERNET -s $CLASS_D_MULTICAST -j DROP

#Refuse Class D multicast address

$IPTABLES -A INPUT -s $CLASS_E_RESERVED_NET -j DROP

#refuse malformed broadcacst packets

$IPTABLES -A INPUT -i $INTERNET -s $BROADCAST_DEST -j LOG

$IPTABLES -A INPUT -i $INTERNET -s $BROADCAST_DEST -j DROP

$IPTABLES -A INPUT -i $INTERNET -d $BROADCAST_DEST -j LOG

$IPTABLES -A INPUT -i $INTERNET -d $BROADCAST_DEST -j DROP

#Refuse addresses defined as reserved by the IANA

$IPTABLES -A INPUT -i $INTERNET -s 0.0.0.0/8 -j DROP

$IPTABLES -A INPUT -i $INTERNET -s 169.254.0.0/16 -j DROP

$IPTABLES -A INPUT -i $INTERNET -s 192.0.2.0/24 -j DROP

COMBLOCK="0:1 2 8 13 98 111 137:139 161:162 445 901 1214 1524 1999 2049 3049 4329 6346 3128 8000 12345 27444 27665 31335 31337 65535"

TCPBLOCK="$COMBLOCK 512:515 1080 2000 3128 6000:6063"

UDPBLOCK="$COMBLOCK 520 123 517:518 1427 4045 9000"

$IPTABLES -N bad-ports

$IPTABLES -F bad-ports

echo -n "FW: Blocking attacks to TCP port "

for i in $TCPBLOCK;

do

echo -n "$i "

$IPTABLES -A INPUT -p tcp --dport $i -j DROP

$IPTABLES -A OUTPUT -p tcp --dport $i -j DROP

$IPTABLES -A FORWARD -p tcp --dport $i -j DROP

$IPTABLES -A bad-ports -p tcp --dport $i -j DROP

done

echo ""

echo -n "FW: Blocking attacks to UDP port "

for i in $UDPBLOCK;

do

echo -n "$i "

$IPTABLES -A INPUT -p udp --dport $i -j DROP

$IPTABLES -A OUTPUT -p udp --dport $i -j DROP

$IPTABLES -A FORWARD -p udp --dport $i -j DROP

$IPTABLES -A bad-ports -p udp --dport $i -j DROP

done

echo ""

# allow DNS in all directions

if [ "$NAMESERVER" != "" ]; then

$IPTABLES -A OUTPUT -p tcp --sport 0:65535 -d $NAMESERVER --dport 53:53 -j ACCEPT

$IPTABLES -A INPUT -p tcp ! --syn -s $NAMESERVER --sport 53:53 --dport 0:65535 -j ACCEPT

fi

#ALLOW INCOMING SSHD REQUESTS.

if [ "$SSHDREQ" = "Y" ]; then

$IPTABLES -N allow-ssh-input

$IPTABLES -F allow-ssh-input

$IPTABLES -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT

$IPTABLES -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT

$IPTABLES -A allow-ssh-input -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT

$IPTABLES -A allow-ssh-input -m state --state ESTABLISHED,RELATED -p tcp --dport 22 -j ACCEPT

fi

if [ "$SSHSRV" = "Y" ]; then

$IPTABLES -A INPUT -j allow-ssh-input

fi

# Detect aborted TCP connections.

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -p tcp --tcp-flags RST RST -j logaborted

# Allow previously established connections

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "INVALID input: "

$IPTABLES -A INPUT -m state --state INVALID -j DROP

$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "INVALID output: "

$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

#Ping of death

if [ "$PINGDEATH" = "Y" ]; then

$IPTABLES -N ping-death

$IPTABLES -A ping-death -m limit --limit 1/s --limit-burst 4 -j ACCEPT

$IPTABLES -A ping-death -j LOG --log-prefix "iptables ping-death: "

$IPTABLES -A ping-death -j DROP

$IPTABLES -A INPUT -i $INTERNET -p icmp --icmp-type echo-request -j ping-death

$IPTABLES -A FORWARD -i $INTERNET -p icmp --icmp-type echo-request -j ping-death

fi

#Stealth scan

$IPTABLES -N stealth-scan

$IPTABLES -A stealth-scan -j LOG --log-prefix "iptables stealth-scan: "

$IPTABLES -A stealth-scan -j DROP

$IPTABLES -A INPUT -i $INTERNET -p tcp ! --syn -m state --state NEW -j stealth-scan

$IPTABLES -A FORWARD -i $INTERNET -p tcp ! --syn -m state --state NEW -j stealth-scan

# Allow certain critical ICMP types

$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable

$IPTABLES -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # Dest unreachable

$IPTABLES -A FORWARD -p icmp --icmp-type destination-unreachable -j ACCEPT &> /dev/null # Dest unreachable

$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded

$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT # Time exceeded

$IPTABLES -A FORWARD -p icmp --icmp-type time-exceeded -j ACCEPT &> /dev/null # Time exceeded

$IPTABLES -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem

$IPTABLES -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT # Parameter Problem

$IPTABLES -A FORWARD -p icmp --icmp-type parameter-problem -j ACCEPT &> /dev/null # Parameter Problem

$IPTABLES -A INPUT --fragment -p icmp -j LOG --log-prefix "Fragmented IMCP: "

$IPTABLES -A INPUT --fragment -p icmp -j DROP

# PORTS

if [ "$NAMESERVER" != "" ]; then

for i in $PORTS;

do

$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 -d $NAMESERVER --dport $i:$i -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 -d $NAMESERVER --dport $i:$i -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p tcp ! --syn -s $NAMESERVER --sport $i --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

done

# Passive ftp

if [ "$PASSIVEFTP" = "Y" ]; then

$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 -d $NAMESERVER --dport 1024:65535 -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 -d $NAMESERVER --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p tcp ! --syn -s $NAMESERVER --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

fi

fi

if [ "$LOGGING" = "Y" ]; then

$IPTABLES -A LOG_DROP -j LOG --log-prefix "Attack log: "

$IPTABLES -A LOG_DROP -j DROP

$IPTABLES -A INPUT -j LOG_DROP # drop all incomming

$IPTABLES -A FORWARD -j LOG_DROP # drop all forwarded

fi 

elif [ "$1" = "stop" ]; then

iptables -F

iptables -X

iptables -P OUTPUT ACCEPT

iptables -P FORWARD ACCEPT

iptables -P INPUT ACCEPT

elif [ "$1" = "status" ]; then

iptables -L -v

else

echo "usage: $0 start|stop|status"

fi

exit $RETVAL

I will stop here - there is much more to it, however if you are interested in any way please contact me. I hope you liked the article and it was helpful for you to harden the system you have.

References:

http://www.spectrumcoding.com/tutorials/exploits/2013/05/27/buffer-overflows.html
http://www.drdobbs.com/security/anatomy-of-a-stack-smashing-attack-and-h/240001832
http://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options

FreeNAS - Permanent errors have been detected

I was looking at one of my FreeNAS installations the other day. Unfortunately I found one of my drives with errors and as far as I remember those files were corrupt during the file transfer so I was quite sure the drive is OK - I had it tested with UBCD/Vivard anyway. So here is what I did to clear the error. If you experience those errors constantly consider replacing the drive (see the references).

zpool status -v

pool: ITSoft                                                                  
state: ONLINE                                                                  
status: One or more devices has experienced an error resulting in data          
        corruption.  Applications may be affected.                              
action: Restore the file in question if possible.  Otherwise restore the        
        entire pool from backup.                                                
   see: http://illumos.org/msg/ZFS-8000-8A                                      
  scan: scrub repaired 0 in 0h12m with 2 errors on Sun Jul 27 00:12:58 2014     
config:                                                                         
                                                                                
        NAME                                          STATE     READ WRITE CKSUM
        ITSoft                                        ONLINE       0     0     2
          gptid/6358bf65-f6ea-11e3-9135-080027eb8f88  ONLINE       0     0     4
                                                                                
errors: Permanent errors have been detected in the following files:             
                                                                                
        /mnt/ITSoft/DriverPack_12.3.iso                                 
        /mnt/ITSoft/DRP13-R377-DVD.iso                       

zpool clear ITSoft gptid/6358bf65-f6ea-11e3-9135-080027eb8f88

Here I did the mistake of deleting both of the files. Don't do it. Some explanations why not to do it, before clearing the drive - see the references.

"That error is telling you that inode <0x9f115> is corrupt (deleting the file broke the 

filename->inode mapping, so it's just reporting the inode now). Either something still has the 

file open or the metadata just needs to be cleaned up (which a scrub should do)."

"Normally, the path and name of the file with the error would be displayed, the <0x80> suggests 

the corrupted file was deleted (before or after the error). It is a reference to the indirect 

block that contained the file. This suggests that no active files were corrupted, just a file 


that was already deleted, or has since been deleted."

 pool: ITSoft                                                                  
 state: ONLINE                                                                  
status: One or more devices has experienced an error resulting in data          
        corruption.  Applications may be affected.                              
action: Restore the file in question if possible.  Otherwise restore the        
        entire pool from backup.                                                
   see: http://illumos.org/msg/ZFS-8000-8A                                      
  scan: scrub repaired 0 in 0h12m with 2 errors on Sun Jul 27 00:12:58 2014     
config:                                                                         
                                                                                
        NAME                                          STATE     READ WRITE CKSUM
        ITSoft                                        ONLINE       0     0     2
          gptid/6358bf65-f6ea-11e3-9135-080027eb8f88  ONLINE       0     0     0
                                                                                
errors: Permanent errors have been detected in the following files:             
                                                                                
        ITSoft:<0xab>                                                           
        ITSoft:<0xae>              

So once the damage has been done I had to repair it.
zpool scrub ITSoft

This will take some time so check the status zpool status -v to see the progress. 

pool: ITSoft                                                                  
 state: ONLINE                                                                  
status: One or more devices has experienced an unrecoverable error.  An         
        attempt was made to correct the error.  Applications are unaffected.    
action: Determine if the device needs to be replaced, and clear the errors      
        using 'zpool clear' or replace the device with 'zpool replace'.         
   see: http://illumos.org/msg/ZFS-8000-9P                                      
  scan: scrub repaired 0 in 0h12m with 0 errors on Thu Aug 14 00:30:25 2014     
config:                                                                         
                                                                                
        NAME                                          STATE     READ WRITE CKSUM
        ITSoft                                        ONLINE       0     0     0
          gptid/6358bf65-f6ea-11e3-9135-080027eb8f88  ONLINE       0     0    89
                                                                                
errors: No known data errors     

And just in case another clear:
zpool clear -F ITSoft

End result:

 pool: ITSoft                                                                  
 state: ONLINE                                                                  
  scan: scrub repaired 0 in 0h12m with 0 errors on Thu Aug 14 00:30:25 2014     
config:                                                                         
                                                                                
        NAME                                          STATE     READ WRITE CKSUM
        ITSoft                                        ONLINE       0     0     0
          gptid/6358bf65-f6ea-11e3-9135-080027eb8f88  ONLINE       0     0     0
                                                                                
errors: No known data errors    

References:
http://serverfault.com/questions/581351/zfs-checksum-errors-what-files-are-affected
http://serverfault.com/questions/576898/clear-a-permanent-zfs-error-in-a-healthy-pool
http://www.retrospekt.dk/2011/08/zfs-drive-replacement/     

Mikrotik SRCNAT

This is useful if you want to allow some services trough the router. There is also a DST nat have a look at this post as well:  http://yuriystanchev.blogspot.com/2014/01/mikrotik-destination-nat.html

/ip firewall nat add chain=srcnat src-address=<internal ip>  protocol=tcp dst-port=<port> action=src-nat to-addresses=<real ip> to-port=<port> 

Have fun.

VirtualBox and phpvirtualbox

I am using successfully Virtualbox now on more than 2 servers with phpvirtualbox interface. It is very convenient with few things you should have in mind:

1. Prepare your virtual machines on another host with Virtualbox and then export them and import them back. Because the console on phpvirtualbox didn't work out good at least for me. When you prepare the virtual machines use Bridge adapter. If you get an error before starting you can change the bridged adapter (example the adapter was wifi in my case you can change it to eth0).

2. Reserve the RAM that you need - resources are consumed regardless if the RAM is used or not.

3. After importing the virtual machines note on the network settings if it is denying the connections and correct it to Allow them.

Now to the server after installing Ubuntu Server follow this steps:

sudo apt-get update
sudo apt-get install virtualbox

Now we need to get the virtualbox version:
sudo VBoxManage --version

and get the appropriate extension pack from here:

http://download.virtualbox.org/virtualbox/

After downloading the extension pack install it
VBoxManage extpack install

If you mess up the package:

VBoxManage extpack uninstall "Oracle VM VirtualBox Extension Pack"

The init script for the vbox web service is missing so we need to initialize the vboxwebsrv process. You can get the starting script from here:
http://www.virtualbox.org/svn/vbox/trunk/src/VBox/Installer/linux/vboxweb-service.sh

sudo update-rc.d vboxweb-service.sh defaults 99 01

Don't forget to edit this file:
etc/default/virtualbox
VBOXWEB_USER=vbox

Add the users:
sudo useradd -d /home/vbox -m -g vboxusers -s /bin/bash vbox
sudo passwd vbox

Install Ngnix:
sudo apt-get install nginx php5-common php5-mysql php5-fpm php-pear unzip

I modified the
/etc/nginx/sites-available/default 

Nginx seems to be very picky when it comes to configuration - however it is very fast and stable. Modify the configuration to this:

server {
        listen 80; ## listen for ipv4; this line is default and implied
  #      listen [::]:80; ## listen for ipv6

        root /usr/share/nginx/www;
        index index.php index.html index.htm;

        # Make site accessible from http://localhost/
        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to index.html
                try_files $uri $uri/ /index.html;
                # Uncomment to enable naxsi on this location
                # include /etc/nginx/naxsi.rules
        }

        location /doc/ {
                alias /usr/share/doc/;
                autoindex on;
                allow 127.0.0.1;
                deny all;
        }

        # Only for nginx-naxsi : process denied requests
        #location /RequestDenied {
                # For example, return an error code
                #return 418;
        #}

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
                root /usr/share/nginx/www;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
root /usr/share/nginx/www;
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
                deny all;
        }
}

Let's reload the web server:
sudo /etc/init.d/nginx reload

Download:
http://sourceforge.net/projects/phpvirtualbox/

Extract it in:
/usr/share/nginx/www

sudo cp config.php-example config.php
sudo nano config.php

Set the variables:

/* Username / Password for system user that runs VirtualBox */
var $username = 'vbox';
var $password = 'yourpassword';
var $consoleHost = 'your ip here';

Change this as well:
var $location = "http://localhost:18083";

Or you will get this:

Exception Object
(
    [message:protected] => Could not connect to host (http://127.0.0.1:18083/)
    [string:Exception:private] =>
    [code:protected] => 64
    [file:protected] => /usr/share/nginx/www/lib/ajax.php
    [line:protected] => 128
    [trace:Exception:private] => Array
        (
        )

    [previous:Exception:private] =>
)

I changed here the ip to localhost because otherwise the soap can not be connected because of ipv6.

sudo sysctl net.ipv6.bindv6only net.ipv6.bindv6only=0

How to start all VMs at boot here is a script that does the trick. Have in mind it is very important that the names of the VMs are without white spaces otherwise the VMs won't start - use it to your advantage.

#!/bin/bash
#
#This init script autostarts necessary vms at boot
#and saves running vms on shutdown

# Sed explanation: sed -e 's/^.//' -e 's/.$//'
#   1.  -e means to allow multiple arguments in a single sed command
#   2.  's/^.//' means to substitute (s) / at the beginning of the line (^), any character (.) / [substitute with nothing] /
#   3.  's/.$//' means to substitute (s) / any character (.), at the end of the line / [substitute with nothing] /

VBOXUSER=vbox
RUNNINGVMS=$(sudo -H -u $VBOXUSER vboxmanage list runningvms | cut -d " " -f1 | sed -e 's/^.//' -e 's/.$//')
STOPPEDVMS=$(sudo -H -u $VBOXUSER vboxmanage list vms | cut -d " " -f1 | sed -e 's/^.//' -e 's/.$//')

case "$1" in
  start)
        for i in $STOPPEDVMS
                do
                        echo "Starting" $i "VM"
                        sudo -H -u $VBOXUSER vboxmanage startvm $i --type headless
                        sleep 5
                done
    ;;
  stop)
        for i in $RUNNINGVMS
                do
                        echo "Saving state of" $i "VM"
                        sudo -H -u  $VBOXUSER vboxmanage controlvm $i savestate
                done
    ;;
  *)
    echo "Usage: /etc/init.d/startvm {start|stop}"
    exit 1
    ;;
esac

exit 0

This will start the script at boot:

update-rc.d [name of the script] defaults 99 01

How to add a raw disk (can be applied also to flash drives and external drives). Now log in as the vbox user and execute. In this example I add the whole disk (/dev/sdb) in raw format:

sudo usermod -a -G disk vbox
sudo chmod 777 /dev/sdb
VBoxManage internalcommands createrawvmdk -filename /home/vbox/sdb.vmdk -rawdisk /dev/sdb

If there is a partition on the disk add this to the end of the command specify the correct number of partitions:

-partitions 1 -relative

List the VMs to get the ids: 

VBoxManage list vms

Starting a vm:

/usr/bin/VBoxHeadless -startvm badc09ac-8ef4-4be9-b45b-73eb8d590b1f

Helps if for no apparent reason the home points to root. Setting vbox user home:
su vbox

VBoxManage setproperty machinefolder /home/vbox

References:

http://www.virtualbox.org/svn/vbox/trunk/src/VBox/Installer/linux/vboxweb-service.sh

http://www.vionblog.com/virtualbox-4-3-phpvirtualbox-debian-wheezy/
http://trac.nginx.org/nginx/ticket/345
https://forums.virtualbox.org/viewtopic.php?f=7&p=181318
http://scarygliders.net/2011/11/04/virtualbox-and-iscsi-nas-how-to-linux-windows/

Wine .Net

I needed .Net installed on wine, however the issue is that not all install correctly if you follow this approach you will get the installation correct to .Net 3.0

1. Use Wine from the official repository:
http://www.winehq.org/download/

2. Use winetricks for the installation and read from winehq the instruction on the installation (they are below the description):
winetrick­s -q msxml3 dotnet35­sp1

3. Use the .Net Verification tool to verify the installation:
http://blogs.msdn.com/b/astebner/archive/2008/10/13/8999004.aspx

4. If something fails use the clean-up tool to uninstall the version that failed:
http://blogs.msdn.com/b/astebner/archive/2012/08/04/10336934.aspx

References:
http://blogs.msdn.com/b/astebner/archive/2008/10/13/8999004.aspx
http://appdb.winehq.org/objectManager.php?sClass=version&iId=10166
http://www.winehq.org/download/
http://blogs.msdn.com/b/astebner/archive/2012/08/04/10336934.aspx

Some thoughts on Proxmox and some linux partitioning

Proxmox turned out to be a nice virtualization option. Аt first glance it seems to me that the resources thanks to open-vz are accumulated very well.

After you install you can access the virtual infrastructure here:

https://<ip>:8006

One other thing is that I had to add another partition to the virtual environment

List all hard drives:
lsblk

sudo parted /dev/sdb <- your device here

mklabel gpt
mkpart ext3 2048s -1s

print

quit

sudo partprobe -s /dev/sdb

sudo mke2fs -t ext3 /dev/sdb1 -L "label"  

sudo tune2fs -c0 -i0 /dev/sdb1

sudo mkdir /media/partition

sudo chown root:root /media/partition

sudo chmod 777 /media/partition

add an entry in fstab

 /dev/sdb1 /media/partition ext3 defaults 0 0


and then sudo mount -a to refresh fstab.

One other thing is that the PC I installed it on did not have 64 bit virtual support, which generally is bad - not to say stronger words. Anyways I had to use templates on the proxmox because for some reason I was not able to install Ubuntu Server actually even with the template. Turnkey which is Ubuntu based was installed!? Anyway it is 32 bit and doesn't need 64 bit virtualization, but as it seems there was some issue so I was forced to install a CentOS although I wanted my environment to be as homogeneous as possible.

One other notable thing is the networking - it seems some templates pass the dhcp from my router and that the templates are configured to accept those and some as CentOS template had to be set? I set my network settings at a gateway level - so this a bit annoyed me. But you can set your networking settings through the web interface and I did not know that :D

So just dig in the gui you will find the network settings - don't do this. I did it the hard way:
ifconfig eth0 <ip> netmask <mask> broadcast <broadcast> 
route add default gw <gw ip>


Don't forget to set the DNS.

Conclusion: It's Ok to be used for 32-bit Linux based systems with the default templates. 

References:
https://pve.proxmox.com/wiki/Turnkey_Linux_Templates

http://forum.proxmox.com/threads/8139-trouble-with-opening-a-console-to-an-openvz-container

http://forum.proxmox.com/threads/10213-Network-problem

http://forum.proxmox.com/threads/9913-Proxmox-v2-1-1-TASK-ERROR-No-accelerator-found!

http://pve.proxmox.com/wiki/OpenVZ_Console

http://www.tecmint.com/ifconfig-command-examples/
http://www.ubuntux.org/edit-fstab-to-mount-partition-at-startup

Mint on Amilo L1310G - Wifi issues

I had to install Mint 16 Petra on Amilo L1310G unfortunately with issues on the Wifi. So I read trough look at the references. And had to modify a make file from the old driver and created a package. You are free to use it.

Driver

https://drive.google.com/file/d/0B1HfGZPmAyo0d2JvNFI5Q3Z3MmM/edit?usp=sharing



make
make install
modprobe fsaa1655g
/proc/fsaa1655g/radio
echo 1 > /proc/fsaa1655g/radio
echo 0 > /proc/fsaa1655g/radio

1. Download the tar and compile the driver - don't forget to get the kernel headers:

2. Open (what I think is) your former "options"-file:

sudo nano /etc/modprobe.d/alsa-base.conf

3. Scroll down untill you find 
"# Prevent abnormal drivers from grabbing index 0". You should find some lines that start with "options". Now add the following:

options fsaa1655g radio=1

options ath_pci rfkill=0

Save it.

4. Now we'll add the module so it will load at startup, again using a terminal:

sudo nano /etc/modules

5. At the end of the file, add the following:

fsaa1655g

Save it.

Try this if the led is not blinking blue. For me this driver works.

Than you can examine the file
You can switch the radio with commands

References:

http://ubuntuforums.org/showthread.php?t=2214060

http://ubuntuforums.org/showthread.php?t=1530962

http://marvec.org/amilo/