Archive for the ‘Linux’ Category.

Building OpenVAS in Slackware

I’m a huge fan of OpenVAS. It is a great tool for probing your network and finding possible security holes. Many of you have probably heard of Nessus, another fantastic tool, but it can be pretty pricey. I would recommend it for business, but for home use, go for OpenVAS.

In many cases, I would recommend you setup a Linux distribution called Kali Linux. It has a lot of really good tools built right in, including OpenVAS, but I’ve started running into issues with it lately. I’ll run a scan, and the systems load gets so high it becomes completely unresponsive for days at a time, then fails to finish. I’m not sure what I’m doing wrong there, so I decided to wipe the machine and put my good ‘ol Slackware back on it. After using it for several weeks I have decided to leave it Slackware as those issues have disappeared. So now I’m going to point you in the direction to get OpenVAS installed, plus a few extras that will make things easier.

I’m going to assume you are familiar with slackbuilds.org and hopefully a wonderful tool called sbopkg, as some wonderful people over there have build script for OpenVAS that will make your life so much better. Kent Fritz has written a great guide on how to get going over on slackbuilds.org. Go through his steps then come back here.

FYI, I have build and used OpenVAS on both 32 and 64bit Slackware and even on ARM using a Raspberry Pi. I’ve only had one program (hiredis) fail to build using sbopkg, so I had to do it the old fashioned way and download the build script and source and build outside sbopkg.

Note that while going through the instructions over on slackbuilds.org, before running any type of sync command, stop the running processes like openvasmd and openvassd. This is because the first time you run them, they will require a large amount of memory and will crash on the Raspberry Pi (I’m not sure on the pi2, I haven’t tried yet). By ensuring those processes are not running, it will surely finish properly.

Welcome back… I’m assuming you followed the instructions over on slackbuilds.org and are ready to continue. Here are some tips and script to make like just a little easier.

First, edit some permissions:

chmod 755 /etc/rc.d/rc.redis
chmod 755 /etc/rc.d/rc.openvassd
chmod 755 /etc/rc.d/rc.openvasmd
chmod 755 /etc/rc.d/rc.gsad

Now we are going to create a bunch of scripts that will simplify everything.

/usr/bin/openvas-start

#!/bin/bash
echo "Starting OpenVAS Services"
/etc/rc.d/rc.redis start
/etc/rc.d/rc.gsad start
/etc/rc.d/rc.openvassd start
/etc/rc.d/rc.openvasmd start

/usr/bin/openvas-stop

#!/bin/bash
echo "Stopping OpenVAS Services"
/etc/rc.d/rc.gsad stop
/etc/rc.d/rc.openvassd stop
/etc/rc.d/rc.openvasmd stop
/etc/rc.d/rc.redis stop

/usr/bin/openvas-feed-update

#!/bin/bash
echo "Updating OpenVAS Feeds"
echo "Stopping OpenVAS if running..."
/usr/bin/openvas-stop
openvas-nvt-sync
openvas-scapdata-sync
openvas-certdata-sync
echo "Rebuilding Database"
openvasmd --rebuild
echo "You can start OpenVAS now if needed"

/usr/bin/openvas-setup

#!/bin/bash
test -e /var/lib/openvas/CA/cacert.pem  || openvas-mkcert -q
if (openssl verify -CAfile /var/lib/openvas/CA/cacert.pem \
    /var/lib/openvas/CA/servercert.pem |grep -q ^error); then
    openvas-mkcert -q -f
fi
openvas-nvt-sync
openvas-scapdata-sync
openvas-certdata-sync
if ! test -e /var/lib/openvas/CA/clientcert.pem || \
    ! test -e /var/lib/openvas/private/CA/clientkey.pem; then
    openvas-mkcert-client -n -i
fi
if (openssl verify -CAfile /var/lib/openvas/CA/cacert.pem \
    /var/lib/openvas/CA/clientcert.pem |grep -q ^error); then
    openvas-mkcert-client -n -i
fi
/etc/rc.d/rc.openvasmd stop
/etc/rc.d/rc.openvassd stop
/etc/rc.d/rc.openvassd start
openvasmd --migrate
openvasmd --rebuild
/etc/rc.d/rc.openvassd stop
killall openvassd
sleep 15
/etc/rc.d/rc.openvassd start
/etc/rc.d/rc.openvasmd start
/etc/rc.d/rc.gsad restart
/etc/rc.d/rc.redis restart
if ! openvasmd --get-users | grep -q ^admin$ ; then
    openvasmd --create-user=admin
fi

Here is a great program that can help find any issues while getting setup. This link is mentioned in Kent’s instructions. So hopefully you have it already.

wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup -o /usr/bin/openvas-check-setup

Here we are going to chmod those files:

chmod 755 /usr/bin/openvas-start
chmod 755 /usr/bin/openvas-stop
chmod 755 /usr/bin/openvas-feed-update
chmod 755 /usr/bin/openvas-setup
chmod 755 /usr/bin/openvas-check-setup

WOW! That is a lot! Alright, so several files have been created. Here is what each one does.
/usr/bin/openvas-start:
This will start all the services needed.
/usr/bin/openvas-stop:
This will stop all the services.
/usr/bin/openvas-feed-update:
This will update all your feeds.
/usr/bin/openvas-setup:
This script will help if you have any issues. Sometimes OpenVAS feeds cause an issue, and by running this command you will find it fixes the problem 99% of the time.
/usr/bin/openvas-check-setup:
This one will help you diagnose issues.

Give it time:
When starting OpenVAS, each part is thrown into the background to finish loading. Depending on your computers speed, it can take a while before you can do anything. Best to watch with top, htop, or iotop to see when everything has finished loading. Then proceed to use GreenBone.

Possible Issues:
When trying to log in to the GreenBone Security Assistant, You might get an error that says the OMP service could not be found. Try running the openvas-setup-check. If you get an error saying there are no users, run openvas-setup. This will fix it. This is a problem I have seen several times in the past on both Slackware and Kali, so I believe it to be a bug somewhere in OpenVAS.

I think that’s just about it. You should now be up and running with OpenVAS!

Fix BackupPC Not Getting All Your Windows Files

BackupPC is a fantastic tool for backing up all your machines. I use it to back up both Windows and Linux machines. Linux is easy, all you need is SSH and rsync, but Windows is kind of a pain. You need to use Windows shares in most every case. In the future, I’ll talk about how to use Cygwin to use SSH and rsync to backup a Windows machine.

The problem that I have, is there is a bug in Samba versions 3.6 to 4.1 that will cause the tarbackup function to stop the backup before it finished, and BackupPC will report the backup was complete. I haven’t run into this with every Windows machine, but I have in most. Generally what causes this is using another user account to login and perform the backups, instead of using the normal user account. If you backup a Windows machine using the smb method and it appears not everything is being backed up, then this is the guide you want to follow.

To start, I’m currently running Debian 7 (Wheezy) with Samba version 3.6. I tried getting Samba 4.2 to build, but several of my libraries are out of date. If you are currently running 4.0 or 4.1, you might be able to build 4.2 on your server. Otherwise, go with 3.5.22 (being the latest 3.5 series at the time of this writing). (https://bugzilla.samba.org/show_bug.cgi?id=10605)

There are several packages that need to be installed for this to work. Every config is different, but all I have to install was autoconf, make, and gcc.

apt-get install autoconf make gcc

Now we need to download the Samba sources and build it, but not install.

cd /opt
wget https://download.samba.org/pub/samba/stable/samba-3.5.22.tar.gz
tar -zxf samba-3.5.22.tar.gz
cd samba-3.5.22/source3/
./autogen.sh
./configure
make

That was the hard part, if Samba didn’t build correctly, you might be missing other packages. You maybe told what they are, otherwise, Google.

Now set the path for $SmbClientPath to /opt/samba-3.5.22/source3/bin/smbclient. You can either change the $SmbClientPath in your backuppc config, or just change it for hosts that are having issues. If you are reading this, I’m going to assume you know how to do that.

Now test (this will do a FULL backup, so it can take some time):

/usr/share/backuppc/bin/BackupPC_dump -v -f <computer name>

You can watch as it goes along (note that you will NOT see it running in the GUI). This can take some time, but when complete you will have an idea of if everything worked or not.

Did this work for you? Did you build Samba 4.2 or newer? Let me know in the comments.

Adafruit touchscreen on a Raspberry Pi B running Slackware ARM.

I recently had the opportunity to get a friend a new Raspberry Pi Model B. I really like these, I have several all running Slackware ARM. While I have tried other distros, I find myself always going back to Slackware after a while for one reason or another, but that is a talk for another day. My friend decided he wanted to run Slackware on one of his Raspberry Pis, so I helped him out and get everything installed. Then I was presented with another issue. He wanted to use his Adafruit touchscreen. Now, Adafruit’s documentation and setup guides are really good, but only if you are running Raspbian (or a Debian based system). So that did present an issue, but one I wanted to solve.

Before I continue, please note that I did get this working (video and images at the bottom of the post), but I had to deliver the Pi back before I got a change to try again from scratch. This guide is based heavily off my best recollection of the steps I took, and may not be complete. If I’m missing something, or you can’t get it to work, let me know and I will try to help… or send me a screen so I can do this again.

Start with checking out this guide: https://learn.adafruit.com/adafruit-pitft-28-inch-resistive-touchscreen-display-raspberry-pi/software-installation it was helpful in getting everything going.

Now, download all the needed files:

wget http://adafruit-download.s3.amazonaws.com/libraspberrypi-bin-adafruit.deb
wget http://adafruit-download.s3.amazonaws.com/libraspberrypi-dev-adafruit.deb
wget http://adafruit-download.s3.amazonaws.com/libraspberrypi-doc-adafruit.deb
wget http://adafruit-download.s3.amazonaws.com/libraspberrypi0-adafruit.deb
wget http://adafruit-download.s3.amazonaws.com/raspberrypi-bootloader-adafruit-20140917-1.deb

Download and install deb2tgz (https://code.google.com/p/deb2tgz/). This will help you convert those deb files to tgz for Slackware.

Now convert those deb files to tgz (deb2tgz *.deb)

Then install (installpkg *.tgz)

Now, you need to make a copy of raspberrypi-bootloader-adafruit-20140917-1.deb and place it in another directory. Once there, run:

ar x raspberrypi-bootloader-adafruit-20140917-1.deb

This will explode out the archive. Find the file called data.tar.gz, and run:

tar -zxf data.tar.gz

Now there will be some new directories. One is called boot. Make a backup of you /boot directory, then copy everything in that new boot to /boot.

cp -r /boot /boot.bak
cd boot
cp * /boot

This will install the correct kernel that you need to use.

Next, open /boot/config.txt. The only line you need is gpu_mem=32.

Now, there are a few more packages you need to install. First is called evtest. I found an awesome slackbuild repository located over at https://github.com/PhantomX/slackbuilds.git, and we are going to install his evtest package.

git clone https://github.com/PhantomX/slackbuilds.git
cd slackbuilds/
cd evtest/
./evtest.SlackBuild 
installpkg evtest-1.32-x86_64-1root.txz

Notice how the arch listed in the Slackware package as x86_64, don’t worry, it works, just install it.

Next is tslib. Here is how I built and installed it (also, I cheated and did not build a Slackware package).

wget http://ftp.de.debian.org/debian/pool/main/t/tslib/tslib_1.0.orig.tar.gz
tar -zxf tslib_1.0.orig.tar.gz 
cd tslib-1.0/
./autogen.sh 
./configure
make
make install

Last, we need to build a package called xf86-video-fbturbo. (Forgive me, you may not need to run make in that first directory, but definitely in the src directory)

git clone https://github.com/ssvb/xf86-video-fbturbo
cd xf86-video-fbturbo/
./autogen.sh 
make
cd src
autoreconf -vi
./configure --prefix=/usr
nano xorg.conf 
make
make install

There, that was fun! Alright, lets edit a few more files.

Open /boot/cmdline.txt, and place this one line in there (it is the only line for me, you maybe different)

dwc_otg.lpm_enable=0 console=tty1 nofont root=/dev/mmcblk0p3 fbcon=map:10 fbcon=font:VGA8x8 rootfstype=ext4 rootwait ro

Then open /etc/X11/xorg.conf.d/99-calibration.conf (if the directory or file does not exist, create it!) and place this in the file.
Note the commented out items, I meant to experiment with them, I don’t remember if those options break anything, but I doubt it.

Section "InputClass"
    Identifier "calibration"
    MatchProduct "stmpe-ts"
    Option "Calibration" "3800 200 200 3800"
    Option "SwapAxes" "1"
EndSection
 
Section "Device"
        Identifier      "Allwinner A10/A13 FBDEV"
        Driver          "fbturbo"
        Option          "fbdev" "/dev/fb1"
#        Option          "SwapbuffersWait" "true"
        # `man fbturbo` to know more options
#        Option          "AccelMethod" "G2D"
EndSection
 
Section "Monitor"
    Identifier "Monitor0"
    Option "DPMS"
EndSection
 
Section "Screen"
    Identifier "Screen0"
    Device     "main"
    Monitor    "Monitor0"
    DefaultDepth 16
    SubSection "Display"
            Depth 16
            Modes "320x240"
    EndSubSection
EndSection

Lastly, open /etc/rc.d/rc.local and add these lines:

modprobe spi-bcm2708
modprobe fbtft_device name=adafruitrt28 rotate=90 frequency=32000000
export FRAMEBUFFER=/dev/fb1

I also recommend adding the export framebuffer to your user’s ~/.bashrc file. You need that before X will start.

I really hope I got this all right. Feel free to complain. Maybe I’ll get another chance to play with this again in the near future, and this time, I’ll get it right! I wish you all the best of luck! Cheers,

IMG_20150206_224415IMG_20150206_224423

If the video above isn’t loading, you can view it here: https://www.youtube.com/watch?v=KpzBYshxY9c

Netflix on Slackware

UPDATE! This doesn’t seem to be required anymore. Netflix should work fine as long as your Mozilla-NSS is up to date and you are running Chrome 39 or higher!

Getting Netflix to run in Linux has been in the news again. Before you had to use pipelight and wine to get everything running. Even then, I’ve heard it doesn’t even work all that well. I never did try it myself because I run Slackware64 without multilib, so I can’t even execute 32bit applications like wine.

Fortunately, some very smart people have figured out how to get real native Netflix working in Linux. Many of the sites out there show you how to do it with Ubuntu, but that didn’t work for me, which I’ll explain later.

Lets get going. First you need Chrome 37 or newer. Snag the build scripts from the Slackware extras section: http://mirrors.slackware.com/slackware/slackware64-14.1/extra/google-chrome/. Change if you are not running 64bit. This also works (from what I’m told) if you are running Slackware 14.0

Next snag the latest deb from Google, https://www.google.com/chrome/browser/ and select either the 32bit or 64bit download depending on what you’re running.

After running the build script, you will have a package ready to install in your /tmp directory. The best part of the chrome build script is it will figure out the version number of Chrome before building the package. Install the package using installpkg.

Before moving on, I want to explain the difference between the Ubuntu and Slackware setup. As I started writing this, I had a package that was just a tiny little bit out of date. One of the requirements is libnss. At the time I was running version 3.16 and you need 3.16.4. I found this great post over on linuxquestions.org which gives instructions on building the newer version of libnss. Just before posting this I found that the wonderful Slackware maintainers updated it for me! Just make sure to fully patch your system and you will get mozilla-nss-3.16.4.xxxxx.txz. If you actually read this entire paragraph, I’m impressed. Thanks for making it worth my time writing it.

Start up Chrome and go to https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg and install. Once installed, right click on the new icon and select options. Here we are going to setup a new custom User Agent that will allow Netflix to play. Put the following options in the fields.

New User-agent name: Netflix Linux
New User-Agent String: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2114.2 Safari/537.36
Group: Chrome
Append?: (defaults are fine)
Indicator Flag: IE

Be sure to select your new User Agent and then login to your Netflix account. Once in go to your account settings and select the option to use HTML5 over Silverlight. Enjoy watching Netflix in Linux!

Things learned while using Perfect Forward Secrecy

Recently I upgraded some on my servers to use PFS. For those not familiar with PFS please read https://en.wikipedia.org/wiki/Forward_secrecy. Now I must admit, I have a strange setup of servers. I have a set of servers for each client and each performs a different function. One is an app server that can be accessed by client.company.com. These servers run nginx. I Also have a Nagios and Backuppc server that are accessed by nagios.custom.company.com. I purchased a wildcard SSL certificate for *.company.com. Before you say anything, I realize that using multilevel subdomains is not complaint with wildcard certs (see RFC 2818 and RFC 2459). Nagios is ONLY for me, not the customer, so I don’t care about the SSL warnings. To help illustrate:

customer.company.com -> nginx
nagios.customer.company.com -> Apache

Unfortunately, I’m pretty locked down on what OS I can run, and currently it is Ubuntu 12.04 (Yes, 14.04 is out, but it has too many issues and our software don’t run stable under it). Which means I have nginx 1.6 and Apache 2.2. Nginx 1.6 supports PFS, which I implemented without an issue, while Apache 2.2 does… but doesn’t. It appears to be some hack job by Ubuntu (Version 2.2.22 doesn’t have PFS, but 2.2.27 appears to have it. As we know, Ubuntu will back-port patches, and it looks like a patch got in to give semi-support to PFS, I decided not to use it).

Here is the interesting thing. With this setup, whether I setup PFS on Apache or not, I got the same results. The instant I setup PFS on nginx, I could no longer use the Nagios server on the Apache machine. In Firefox I would get an SSL error that I couldn’t bypass. No matter what, it wouldn’t work, even with other browsers.

So, I did a test. What would happen if I followed the rules of using wildcard SSL certs? So I changed the Nagios server to work under nagios-custom.company.com, and guess what? It actually worked!

I have no idea how this is. It seems that the browser is remembering something about the certificate, because it is the same one used on all servers. I tested this by having a machine connect just to the nagios server (before the URL change), and it worked until I accessed the app server with the same browser.

I’m now following the rules on wildcard SSL certs, and my naming is as follows

customer.company.com -> nginx
nagios-customer.company.com -> Apache

Now everything works, even though I’m not using PFS on the Apache servers.

If you want to setup PFS, check out this page, https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy, as it has great information. Be sure to use https://www.ssllabs.com/ssltest/ to test your server.

Lastly, I put this up in the hopes that is anyone else runs into this issue it will provide some insight to resolving the issue. If you have any additional information, please leave a note in the comments below (You don’t even have to give a real email, if you do, I won’t spam you or anything).