full of … these

openswan and sonicwall vpn tunnel

Posted: October 1st, 2009 | Author: paul | Filed under: howto, linux

Two years ago I wrote an article about connecting openswan to checkpoint.

Here is a new example of connecting openswan to a sonicwall device.

ipsec.conf:

conn sonicwall
    type=tunnel
    # left=%defaultroute
    left=serverip
    leftsubnet=10.0.0.0/24
    leftid=@macofserver #same on both ends
    # leftxauthclient=yes
    right=ipfosonicdevice
    rightsubnet=192.168.0.0/24
    # rightxauthserver=yes
    rightid=@macsonicwall #add it as optional on the sonicwall interface
    keyingtries=0
    pfs=no
    aggrmode=yes
    auto=add
    auth=esp
    keyexchange=ike
    esp=3des-sha1
    ike=3des-sha1
    authby=secret
    # xauth=yes

ipsec.secrets:
@macofserver @macsonicwall : PSK "sasgSFgdasfg"
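
An added check, not part of the original post: the conn above combines aggressive mode with a pre-shared key (which exposes PSK-derived material to offline guessing, so the PSK must be long and random), 3DES and pfs=no. This Python script parses ipsec.conf-style text and lists such settings so they can be reviewed against what the peer supports; the function names and the weak-token list are assumptions of this example.

```python
import re

# Constructed sample: security-relevant options from the conn in this post.
SAMPLE_CONF = """\
conn sonicwall
    pfs=no   # inline comment, stripped by the parser
    aggrmode=yes
    esp=3des-sha1
    ike=3des-sha1
    authby=secret
"""

# Assumption of this example: tokens treated as weak in ike=/esp= proposals.
WEAK_TOKENS = {"des", "3des", "md5", "modp768", "modp1024"}


def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments
        if line.startswith("conn "):
            current = conns.setdefault(line.split()[1], {})
        elif line.startswith("config "):
            current = None  # "config setup" options are not audited here
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def audit(conns):
    """Return (conn, finding) tuples for settings that weaken the tunnel."""
    findings = []
    for name, opts in conns.items():
        if opts.get("aggrmode") == "yes" and opts.get("authby") == "secret":
            findings.append((name, "aggressive mode with PSK"))
        if opts.get("pfs") == "no":
            findings.append((name, "pfs disabled"))
        for key in ("ike", "esp"):
            tokens = set(re.split(r"[-;,!\s]+", opts.get(key, "").lower()))
            for weak in sorted(tokens & WEAK_TOKENS):
                findings.append((name, f"{key} proposes {weak}"))
    return findings


if __name__ == "__main__":
    for conn, finding in audit(parse_conns(SAMPLE_CONF)):
        print(f"{conn}: {finding}")
```
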

Start/Stop/Debugging:

ipsec setup --start
ipsec setup --stop
ipsec setup --restart

#after changes are made apply them
ipsec auto --replace sonicwall

#when debugging, it exits when it works
ipsec whack --name sonicwall --initiate

#after it works
ipsec auto --up sonicwall

Debug for phase1 and 2:
tcpdump -i eth0:0 host ipfosonicdevice
Logs:
tail -f /var/log/secure

References:
http://www.pelagodesign.com/blog/2009/05/18/ubuntu-linux-how-to-setup-a-vpn-connection-to-a-sonicwall-router-using-openswan-and-pre-shared-keys-psk/
http://www.sonicwall.com/downloads/SonicOS_Enhanced_to_Openswan_Using_GroupVPN_with_XAUTH.pdf


OpenWrt, limit the access to the internet

Posted: September 3rd, 2009 | Author: paul | Filed under: howto, linux

I just tried a Linksys WRT54GL. It’s nice, but what if you have to add hotspot services on it?
I have installed Coova for fun.
A common scenario is to have anonymous clients accessing it with all kinds of systems, all kinds of software and, of course, viruses and trojans.
So, just to be prepared, you want to allow access only to a few ports: 80 (http), 443 (https), 5222 (jabber), 5050 (yahoo messenger), 1863 (MSN), etc.

All you have to do is add the following two lines in /etc/firewall.user below the “Allow SSH on the WAN interface” section (the multiport match requires a protocol, hence -p tcp):
iptables -A forwarding_rule -i br0 -p tcp -m multiport --dports 80,443,5222,5050,1863 -j ACCEPT
iptables -A forwarding_rule -i br0 -j DROP

Now restart the firewall:
/etc/init.d/S35firewall restart
Test.

That’s all.


opensuse 11 on dell inspiron 1501 and dell vostro 1510

Posted: August 14th, 2008 | Author: paul | Filed under: fun, howto, linux

I got a new laptop from work. First thing to do with it? … of course, install linux….
Because ubuntu disappointed me, an hdd problem convinced me to try something else (whatever distro you may choose, I’m pretty sure you have to hack drivers).

From previous experience with the dell 1501, I preferred opensuse 11.0.
On the 1501, everything was smooth: ndiswrapper for wifi (fwcutter and the restricted driver are unstable), ati driver from opensuse’s page (check http://en.opensuse.org/Ati).
Graphics performance? Not even like in windows, too bad.

Now let’s get back to vostro 1510.
After installing opensuse 11 with gnome, the keyboard and touch pad did not work.
No fix on google.
No problem, let’s try kde (the last kde I had used was on redhat 9, that was in 2003-2004).
After several minutes and one reboot I could log in. Strange that it works with kde but not with gnome.
Those guys from gentoo said it’s because of ACPI. Anyway, it works.
Now let’s fix network:
- the wired network :)

rmmod/modprobe r8169 driver to have the wired internet working

- the wireless network

ndiswrapper saves the day. I won’t give details; I’ll just add that I used the XP drivers from dell.com.

For the video card:

go to opensuse’s page, download the ymp file and use it with yast. For compiz use simple-ccsm.

Conclusions:

- opensuse 11.0 works better on dell 1501 than ubuntu (I have tried with ubuntu 6.06, 7.10 and 8.04);
- I have no idea why gnome did not work (the keyboard was not working) while kde could be used on vostro 1501;
- ubuntu is not the only and last alternative to windows on your desktop or laptop; I still have ubuntu installed, but sometimes it is a pain to modify/hack it;
- the video card from the vostro (Nvidia Geforce 8400M) performs as expected (2600fps when running glxgears), compiz works perfectly;
- no hdd problems when running opensuse on these two laptops, no need to modify the power management of the hard disk to save its life.

I’ll write more about these linux distros in combination with the laptops I have around.


Get rid of ssh brute force attacks

Posted: April 10th, 2008 | Author: paul | Filed under: howto

I was looking for a solution to ban those IPs that abuse my sshd processes using dictionary attacks (some of them using Romanian user accounts, just take a look at this link, from a slashdot article, and search for romania).

Having a look on google, I have found these two methods:

For me the easiest was using denyhosts, because it has rpms already built for opensuse (link from opensuse’s wiki).


Access MS Office Project Web Access from linux

Posted: March 15th, 2008 | Author: paul | Filed under: howto, linux

After some time I have found (by googling) a way to use MS Project web access (2003 version) in IE6 running in wine.

The problem is that the IE6 installation doesn’t include MDAC, which is necessary to access the project server for data.
IE6 uses some activex, which won’t work without MDAC. Installing MDAC was a little bit tricky (there are only a few pages mentioning how to install it for ies4linux) but I am sure you’ll manage to do it.

Here are the steps (tested in ubuntu 7.10 i386):

-install wine
-install ies4linux

wget http://www.tatanka.com.br/ies4linux/downloads/ies4linux-latest.tar.gz
tar zxvf ies4linux-latest.tar.gz
cd ies4linux-*
./ies4linux

- download MDAC_TYP.EXE (search for it on google) and copy it to “~/.ies4linux/ie6/drive_c/kits”
- get wine ready to install MDAC:

export WINEPREFIX="/home/username/.ies4linux/ie6"
open winecfg and “Add programs” and select MDAC_TYP.EXE, select compatibility level to windows 2000
Save and close

- install MDAC_TYP.EXE

hit wine MDAC_TYP.EXE and follow on-screen wizard.

-open ms pwa (here it comes :)

open ie6 and add the hostname of the ms project server at the trusted sites
enter the url of the MS PWA
install activex packages (both) when you are asked

- enjoy

Caveats:

It consumes a lot of memory. You had better have at least 1gb. At the first run of PWA in wine, my ubuntu consumed 1.3GB RAM, and the load of the system was about 4. It’s a little bit slow.

Anyway, it’s running…
