More Zonkyness

Adventures in Cisco IOS Land: A Route For “Unknown” Internal Networks

Cisco, Computing, Working Notes No Responses »

Jan 262013

First defining the problem. Let us say that I have a network with plenty of space for subnets (perhaps 10/8) and I am only using a very small number of the possible subnets – for this example, perhaps 10.0/16, 10.1/16, 10.2/16. What happens when I ping something like 10.52.1.3? Or perform a network scan of 10/8 ?

Well logically if a packet is destined for an unknown network, it will get routed to the default gateway (or “gateway of last resort” in Cisco’s rather gloomy terminology). Given that in most cases, the default gateway is going to be pointed in your ISP’s direction, this is probably not a sensible choice. In most circumstances it probably doesn’t matter, but there are a number of scenarios where it could be an issue :-

If the default gateway thinks that the route to 10/8 is back down to the router, then you’ll have packets bouncing back and forth for a while. This may not be a major issue … or it could be if someone tries to flood all your unknown networks as quick as possible.
Your default gateway could be a firewall of some kind which helpfully blocks such packets itself. However it may also helpfully log all these in your log files as problems which unhelpfully conceals other issues. You do inspect your log files, don’t you?

There are quite possibly other problems I cannot think of on a lazy Saturday, but it’s also the case that preventing packets destined for unknown packets leaking is the right thing to do.

So how to do it ? With a static route of course :-

conf t
> ip route 10.0.0.0 255.0.0.0 Null0 254
> ipv6 route 2001:db8:beef::/48 Null0 254

The choice of the device Null0 is a bit problematic; it should really be a “device” that returns a ICMP destination unreachable immediately. However it’s better than nothing.

The choice of the “metric” 254 (or “administrative distance”) is specifically chosen to allow any other route learnt by any mechanism to overrule this route.

Having a route to Null0 that covers all your internal subnets may seem alarming, but it seems to work – at least for my network. It is also documented that routing will choose the most specific route in preference to the least specific route – or in other words a route to 10.0/16 is used in preference to the route to 10/8.

Of course if some Cisco routing guru comes along, I’d be more than willing to be corrected. I’ve also tried to check this against Cisco’s “routing for dummies” document.

Can Hackers Cause Your Local Sewage Plant To Run Backwards ?

Computing, Security No Responses »

Jan 132013

Perhaps.

But it is a lot more complex than the mainstream press would have you believe. That story above is effectively about researchers using a specialised search engine to find what is effectively the login banner of SCADA systems … that is those systems that control utilities such as sewage plants, power systems, etc. What is not so widely publicised is that the same researchers warned about these insecurities as far back as 2010, so the latest warning by the US government is a bit lackadaisical.

On the other hand the discovery of what is effectively login banners is just that – login banners. Whilst this is pretty poor practice, it does not necessarily mean that the bad guys can get into the relevant systems. Attaching critical systems directly to the Internet is something that really should not be done, but is often done because :-

It has probably long been the practice to attach such systems up in such a way that work can be carried out from home. In the past, it would have been via a dial up modem. Making such systems available on the Internet makes such insecurity more visible, although dial up modems themselves are not necessarily secure.
Attaching the systems directly to the Internet is the kind of laziness that comes from a desire for convenience. Only services that everyone on the Internet can legitimately make use of should be directly on the Internet. Attaching “work from home” services should be done via some sort of gateway service, such as a VPN system, but that requires more work.
On occasions, such systems are connected directly to the Internet in an emergency for convenience – such as getting a vendor to look at some problem. And of course once connected, it tends to stay connected. Amazingly enough, it often seems that the customer needs to jump through hoops for the convenience of a vendor rather than the other way around.

Of course gateway systems themselves can be vulnerable especially given the problems we have with weak passwords.

Earlier I mentioned that just because a SCADA system can be reached from the Internet does not mean a bad guy can break into it to cause damage. Well, that is true enough but most experts think that SCADA systems are riddled with security issues including default passwords left unchanged, etc. Pehaps as poor as the Internet was back in the early 1990s.

It is a strange thing, but it seems that vendors who sell us stuff do not seem to pay much attention to security until bad guys start attacking them and exposing their vulnerabilities.

So we have a situation where SCADA systems are directly connected to the Internet, and many of those SCADA systems are vulnerable in some way. Does this mean that bad guys are going to break in and destroy the utilities ?

Well, perhaps. But on previous occasions, the bad guys have broken in just to look around. As someone remarked to me recently, the bad guys are busy making money and unless they see a way to make money from insecure SCADA systems they will leave alone. Of course there is always the issue of cyber-terrorism where the bad guys are less interested in money and more in making a point of some kind or another.

But should you worry about the security of SCADA systems? Probably not. After all, why worry about something you have no power over? Should I worry about the security of SCADA systems – definitely (as you may have guessed my work involves security). Anyone in the information security business should be looking at their own SCADA systems and wondering whether they are protected properly.

Modern Low-Level Keyboard Mapping for Linux

Linux No Responses »

Jan 112013

Customising keyboard maps in Linux is somewhat … confused with lots of different tools and layers to perform the same task. There are a number of tools for performing some form of keyboard mapping, but the most common ones have some disadvantages :-

xkb (which is the modern X way), and xmodmap (which is deprecated but conveniently has a very simple syntax for dealing with a single key) both work fine for ordinary keys but cannot do anything with “unusual” keys not passed into X. Just look online for just how many people have trouble with multimedia keys not being recognised.
The PS/2-specific tools of dumpkeys, loadkeys, and setkeycodes which work fine, but are somewhat reluctant to help out with USB keyboards.
Plus the desktop environment you are using may well have its own idea of how the keyboard will be used (GNOME has a nasty tendency to grab the menu key away from me).

There is fortunately another way which is rather difficult to find information about. Which is the reason behind this posting of course.

This “other method” is to use the generic input system to perform the keyboard mapping which has certain advantages over other methods. Most of the information to do this came from a README file contained within the source code.

The Example Keyboard

To demonstrate keyboard mapping, it is helpful to have an example keyboard with custom mappings to play with. Many of the keyboards I use this for are rather complex with many mappings, but I also have a mini keyboard with relatively few mappings :-

Original Key	new function
Esc	Lock screen
`/~	Esc
Caps Lock	Control
Insert	Delete
Delete	`/~

No great mystery as to why I want my keyboard mapped this way – I’m just fussy about keyboards.

The Basic “Tool”

In fact there is just one tool – /lib/udev/keymap – which performs all of the relevant tasks. Before it can do anything, it needs to be provided with the path of the relevant input device. This is easiest done from the console (rather than in X) as root. The easiest way of identifying the device is to unplug the keyboard, reboot the machine, and :-

# ls /dev/input/e* > /var/tmp/old.list
[Plug in keyboard]
# ls /dev/input/e* > /var/tmp/new.list
# diff /var/tmp/old.list /var/tmp/old.list
> /dev/input/event13
> /dev/input/event14

If you are lucky, there will be just one new input device. If not, you will have to try each one in turn. The first job is to record the keycode of each key to be customised in turn. To do this, it is necessary to run keymap with the input device and the “-i” option, and each keystroke will result in some output :-

# /lib/udev/keymap /dev/input/event13 -i
Press ESC to finish, or Control-C if this device is not your primary keyboard
scan code: 0x70029   key code: esc
# /lib/udev/keymap /dev/input/event13 -i
Press ESC to finish, or Control-C if this device is not your primary keyboard
scan code: 0x70035   key code: grave
scan code: 0x70039   key code: capslock
scan code: 0x70049   key code: insert
scan code: 0x7004C   key code: delete

A key can be mapped temporarily using keymap. But before that a list of possible key names is useful to have; there is one to be found in /usr/include/ :-

# grep KEY_ /usr/include/linux/input.h | less

The relevant name would be the part that follows the “KEY_” converted to lower-case.

# /lib/udev/keymap /dev/input/event13 0x70035 esc

But that is rather a temporary solution; it is better by far to create a file containing the necessary mappings to be automatically applied :-

# cat /tmp/custom-filco.map
0x70029 screenlock
#	Original: key code: esc
0x70035 esc
#	Original: key code: grave
0x70039 leftctrl
#	Original: key code: capslock
0x70049 delete
#	Original: key code: insert
0x7004C insert
#	Original: key code: delete

Making The Mappings Permanent

The first step is to obtain some details to uniquely (or as much as possible) identify the keyboard. Run :-

# udevadm info --export-db > /tmp/udev-db.txt

And look through the output for the input device you previously used. Look for a ID_VENDOR_ID and ID_MODEL_ID that you can use.

Next add a rule to /lib/udev/rules.d/95-keymap.rules along the lines of :-

ENV{ID_VENDOR_ID}=="04d9", ENV{ID_MODEL_ID}=="2011", RUN+="keymap $name custom-filco.map"

Once this is working you may want to add it to your version of custom-filco.map as a comment to preserve it for use after upgrades; alternatively you may wish to create a new file that will not get overwritten.

Before activating the new rule, remember to copy /tmp/custom-filco.map into /lib/keymaps/custom-filco.map. And again keep another copy in a safe place to preserve.

As to how to activate, a reboot is probably the simplest way.

Doing A Celebratory Dance At The Edge Of The Fiscal Cliff

Politics No Responses »

Jan 022013

According to the news, the US politicians have finally decided not to take a running jump off the edge of the fiscal cliff and have come to some form of agreement in relation to US taxes. The markets have of course bounced dramatically because of the good news … or is it?

Firstly, this decision is late. US politicians have been trying to come to some form of agreement with regard to taxation and spending for at least 18 months; the deadline everyone was worried about was introduced to concentrate minds on an agreement. And yet no agreement was reached until the last moment. US politicians deserve to be fired for not coming to an agreement sooner.

Secondly, this decision is not a full decision at all. The agreement only covers taxation, and does not cover agreements on spending cuts. They have given themselves a further two months to agree the rest of it. And who is to say that they will manage an agreement this time around?

There are those who argue that the phrase “fiscal cliff” is scaremongering, and that it should really be called a “fiscal hill” (or some other phrase). They’re wrong.

The actual effects of going over the fiscal cliff may well be rather gradual with tax increases and spending cuts only gradually kicking in over the year of 2013. But that is ignoring the big problem.

The big problem is that the politicians in charge of the world’s largest economy are a bunch of incompetent idiots who would rather argue for partisan advantage than do their job – govern the country in the interests of all of the citizens of the US. In most circumstances, a bunch of people in charge of a large organisation who could not agree on a budget in a timely fashion could and would be fired.

Perhaps the citizens of the US should get together and “kick some ass” – point out to their politicians that they are expected to govern the country properly, and if they do not pull their socks up, they will all be booted out of office come the next election – Democrats and Republicans. It is not the fault of any one party, but the fault of both.

Getting Started With Awesome

Computing, Linux, Working Notes No Responses »

Dec 312012

This has been updated for Awesome 3.5

I have long been interested in tiling window managers, which would seem to offer the flexibility I crave. But switching is painful when you want your machine to be as functional as much as possible. On at least two occasions I have switched … and very quickly switched back when problems were encountered.

So just for the fun of it, I have decided to give it another go … in a way that can be gradually worked into functionality.

But first, what exactly is a tiling window manager? Well a conventional window manager works with overlapping windows where windows can stack on top of each other and overlap. A tiling window manager on the other hand uses tiling to maximise the size of every displayed window.

Or in other words, if you want to make the maximum use of space on your screen, a stacking window manager usually asks you to manually move and resize windows yourself whereas a tiling window manager does it all automatically. Although with a tiling window manager, you will need to rotate amongst different tiling layouts to suit.

Tiling window managers tend to be keyboard driven rather than mouse driven, but this is merely an aspect of their implementation.

A Testing Environment

The key to setting up any window manager gradually over time without losing an existing working environment, is to create a separate display which a new window manager can control. This can be quite easily accomplished with a nesting X server, which is provided by the xserver-xephyr package.

As to the choice of window manager, the title of this post gives away the secret – Awesome. Of course the same method works for other window managers too.

The first step is to install the required packages :-

sudo apt-get install xserver-xephyr awesome awesome-extra

The next step is to create a simple shell script to start the nested X server. This basically starts the nested X server with a sensible screen size, and sets the $DISPLAY environment variable so that any further X programs are directed to communicate with the nested X server. The nested X server simply starts up as a standard window within which Awesome operates. The script looks like :-

#!/bin/sh

Xephyr -ac -reset -screen 1280x1000 :1 &
export DISPLAY=:1.0
sleep 5
awesome --config ~/src/site/etc/awesome/config.lua

The sleep command in there is to wait until X has settled down before trying to manage it … without this, it is possible that awesome will fail to open the display (on a slower laptop it worked without; on a faster desktop it did not). The parameter to awesome is to set the preferred location for the configuration file (which I will describe next), although you can leave it out to use the default.

Don’t start it yet! Before doing that, copy the default configuration file to the specified location so you have something to work with :-

cp /etc/xdg/awesome/rc.lua ~/src/site/etc/awesome/config.lua

It’s All In The Repository

The custom configuration file I specified just happens to point to a directory and file within the working copy of a Subversion repository. Using a repository for configuration files has all sorts of benefits; not least of which is to reverse “poor” choices made along the way. Whilst describing how to get one set up is beyond the purpose of this post, it is well worth doing.

Of course if you are working with a repository, it is important to remember to commit changes at every stage :-

% svn add ~/src/site/etc/awesome 
A         /home/mike/src/site/etc/awesome
A         /home/mike/src/site/etc/awesome/config.lua
% svn commit ~/src/site/etc/awesome -m "Awesome: Initial Configuration from default"
Adding         src/site/etc/awesome
Adding         src/site/etc/awesome/config.lua
Transmitting file data .
Committed revision 166.

I won’t be documenting every single commit, but they are all in there!

It is also helpful (at this stage) to create a symlink between the default configuration directory (~/.config/awesome) and the working copy of your repository. The configuration directory can probably be changed, but one thing at a time!

Status Bar Size

One of the annoyances I remember from the last time I played with Awesome, was the tiny size of the status bar. It is all very well maximising the size of the main screen area, but some of us have high resolution screens and tired old eyes! Within the config.lua file (or whatever you named your file), look for :-

mywibox[s] = awful.wibox({ position = "top", screen = s})

And change it to add a height parameter :-

mywibox[s] = awful.wibox({ position = "top", screen = s, height=32 })

The exact choice of size is of course down to personal preferences! However changing the size also means changing the font would be wise :-

awesome.font = "LMSans10 10"

Making the font too much larger will result in some display oddities … at least for now.

Adding A Title Bar

In theory, there is no need for a title bar with a tiling window manager, but I guess I am a little too conventional as a window without a title bar still looks a little weird to me. Plus my shell prompts stick useful bits of information into the window title bar and I would really rather hang on to that extra information. Still, drawing title bars on windows turns out to be really simple … just find the existing code to do so and :-

local titlebars_enabled = true

Some appearance tweaks and indeed messing around with the unnecessarily large number of buttons could be usefully accomplished, but for now this is fine.

Themes

Of course messing around with the appearance of a window manager is probably best dealt with using themes (if they are supported). The default configuration file I worked with included enabling beautiful via :-

require("beautiful")
beautiful.init("/usr/share/awesome/themes/default/theme.lua")

It is easier to tinker with themes with a configuration file you can edit, so I copied this theme.lua to the configuration directory named as default-theme.lua, and changed the configuration :-

-- beautiful.init("/usr/share/awesome/themes/default/theme.lua")
beautiful.init(awful.util.getdir("config") .. "/default-theme.lua")

I also removed the previous section’s font setting and set the same font within the new configuration file :-

theme.font = "LMSans10 10"

To cope with the larger font, I also increased the width of each menu item :-

theme.menu_width  = "300"

Although this width does depend on having an appropriately sized screen, and not having too many levels to your menu (if it gets too wide, the extra levels don’t appear neatly).

And finally I commented out the command used to set the background … having a background image for a tiling window manager (which is designed to utilise the whole screen) is a touch unnecessary. And I don’t particularly like the default image :-

--theme.wallpaper_cmd = ...

For now I will leave the colours alone … the defaults may not be perfect but are not sufficiently irritating to spend time on right now. But the details of how to change colours of various components can be found in the theme file we have created.

Disabling Layouts

Personally I believe that you can have too much of a good thing, and choosing between the rather large number of different possible layouts that Awesome makes available is one of those. To reduce the number of possibilities, simply comment out some of the possibilities when setting the “layouts” variable in the configuration file :-

layouts =
{
    awful.layout.suit.floating,
    awful.layout.suit.tile,
    --awful.layout.suit.tile.left,
    --awful.layout.suit.tile.bottom,
    --awful.layout.suit.tile.top,
    awful.layout.suit.fair,
    --awful.layout.suit.fair.horizontal,
    awful.layout.suit.spiral,
    --awful.layout.suit.spiral.dwindle,
    awful.layout.suit.max,
    --awful.layout.suit.max.fullscreen,
    --awful.layout.suit.magnifier
}

Which you command out does not matter so much, and indeed you may very well change you mind at a later point.

A Menu

Whilst the menu built into Awesome has undoubtedly many advantages, I already have a somewhat adequate menu built up over years that relies on myGtkMenu. Whilst changing this menu could well be sensible, it does also seem sensible to keep it around during the transitional period. To do so is simply a matter of replacing certain bindings :-

 -- {{{ Mouse bindings
 root.buttons(awful.util.table.join(
-    awful.button({ }, 3, function () mymainmenu:toggle() end),
+    --awful.button({ }, 3, function () mymainmenu:toggle() end),
+    awful.button({ }, 3, function () awful.util.spawn("/opt/bin/myGtkMenu /home/mike/lib/root.menu") end),
     awful.button({ }, 4, awful.tag.viewnext),
     awful.button({ }, 5, awful.tag.viewprev)
 ))

If you hadn’t guessed, I’ve started using diffs to show the changes where it makes sense; if you cannot read diffs, this page is probably not for you.

That bit replaces the root window, but not the status bar menu :-

 mylauncher = awful.widget.launcher({ image = image(beautiful.awesome_icon),
-                                     menu = mymainmenu })
+--                                     menu = mymainmenu })
+                                       command = "/opt/bin/myGtkMenu /home/mike/lib/root.menu" })

My own menu has some issues in that it doesn’t yet have anything to control awesome itself. But is good enough to get started with.

Final Word … Or Not!

And that is it! Or at least it is enough to be getting on with.

Older Entries Newer Entries