Setup PSAD in Ubuntu 9+

psad scans your firewall log in real time. It can be configured to automatically drop packets and more. While reading the guides that are available for this I ran into a problem: there was no /etc/syslog.conf. On Ubuntu’s webpage I found this release note. It says that as of Ubuntu 9.10, the old syslog has been replaced by rsyslog. This can make setting up psad a little tricky.

This guide has been tested on Ubuntu 10.04 LTS Server and 10.10 Desktop.

The first thing to do is install psad:

sudo apt-get install psad

Now edit the config file:

sudo nano /etc/psad/psad.conf

Change “ENABLE_SYSLOG_FILE Y;” to “ENABLE_SYSLOG_FILE N;”. We will not need psad to read our syslog.

Another setting to review right now depending on your environment is “EMAIL_ALERT_DANGER_LEVEL”.

Set the email at the top of the config file or leave the default, root. I have root’s mail set to forward to my real email address. To forward root (or any user’s) mail: place a file named “.forward” in their home folder. Inside the file enter the email address where the mail is to go.

Restart psad:

sudo /etc/init.d/psad restart

Next: configure iptables to log the non-legitimate packets. The logging rules need to go after the accept rules but before the drop. Confusing? It was for me.

For example, my default policy for INPUT and FORWARD is to DROP. After this my accept rules for specific ports are appended. That means the logging rules must go at the end of the script: a packet that reaches them was not matched by any earlier accept rule and is about to be dropped by the default policy, so exactly the rejected packets get logged.

$IPT -A INPUT -j LOG --log-prefix "firewall1 "
$IPT -A FORWARD -j LOG --log-prefix "firewall1 "
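As an added example (not from the original post), here is a complete firewall script laid out in the order just described: default DROP policy, ACCEPT rules for specific services, and the LOG rules last. The allowed ports (22 and 80), the $IPT default and the check_order helper are assumptions made for the example. Running it with IPT="echo iptables" prints the rules instead of applying them, which is a quick way to eyeball the order before loading it on a live box.

```shell
#!/bin/sh
# Added example, not the post's own script. Minimal firewall in the order the
# post describes: policy DROP, then ACCEPT rules, then LOG rules last so that
# only packets no ACCEPT rule matched are logged (and then dropped by policy).
# IPT defaults to the real iptables; set IPT="echo iptables" for a dry run.
IPT="${IPT:-iptables}"

# Ports to allow are an assumption for the example (SSH and HTTP).
ALLOW_TCP_PORTS="22 80"

apply_rules() {
    # Start from a clean filter table.
    $IPT -F
    # Default policies: drop anything not explicitly accepted.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and replies to connections we opened ourselves.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Accept rules for specific services.
    for p in $ALLOW_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" -j ACCEPT
    done
    # Logging rules go last. Anything reaching here was not accepted above and
    # will be dropped by the chain policy. The trailing space in the prefix
    # separates "firewall1" from the IN=/OUT= fields in the kernel message.
    $IPT -A INPUT -j LOG --log-prefix "firewall1 "
    $IPT -A FORWARD -j LOG --log-prefix "firewall1 "
}

# check_order: read a dry-run command list on stdin and report "bad" if any
# ACCEPT rule appended to INPUT comes after a LOG rule on INPUT, else "ok".
check_order() {
    awk '
        /-A INPUT/ && /-j ACCEPT/ { if (seen_log) bad = 1 }
        /-A INPUT/ && /-j LOG/    { seen_log = 1 }
        END { print (bad ? "bad" : "ok") }
    '
}

# Apply only when run as a script named firewall.sh, not when sourced.
if [ "${0##*/}" = "firewall.sh" ]; then
    apply_rules
fi
```

A dry run, `IPT="echo iptables" sh firewall.sh`, shows the rules in the order they would be appended; piping that output through check_order catches the mistake of putting a LOG rule above an ACCEPT rule, which would log legitimate traffic and feed psad noise.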

The prefix is going to allow rsyslog to filter the messages. After applying the log rules it is possible to view the end of the syslog to see if logging is working.

sudo tail /var/log/syslog
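To make that check less of a squint, here is an added example (not from the original post) that summarises the firewall1 lines in the kernel LOG format: one "SRC PROTO DPT" line per logged packet, plus a count of distinct ports each source touched. The sample syslog lines are constructed for the example and are not real traffic; psad does this kind of analysis properly with its danger levels, this is just to confirm the LOG rules are producing data before wiring rsyslog to psad.

```shell
#!/bin/sh
# Added example, not the post's own code. Summarise what the "firewall1" LOG
# rules write to syslog. Reads syslog lines on stdin, keeps only the lines
# carrying the firewall1 prefix, prints "SRC PROTO DPT" for each.
fw_log_summary() {
    awk '
        /firewall1 / {
            src = "?"; proto = "?"; dpt = "-"   # ICMP entries carry no DPT
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue            # skip timestamp, host, "kernel:"
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "SRC") src = val
                else if (key == "PROTO") proto = val
                else if (key == "DPT") dpt = val
            }
            print src, proto, dpt
        }
    '
}

# Distinct destination ports per source address: a rough scan indicator.
ports_per_source() {
    fw_log_summary | awk '$3 != "-" && !seen[$1 FS $3]++ { n[$1]++ }
                          END { for (s in n) print s, n[s] }' | sort
}

# Constructed sample lines in the kernel iptables LOG format (not real traffic).
SAMPLE_SYSLOG='Jan 10 05:00:01 gw kernel: [ 1203.541] firewall1 IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=41000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 05:00:01 gw kernel: [ 1203.602] firewall1 IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=41001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 05:00:02 gw kernel: [ 1204.117] firewall1 IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=4242 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 10 05:00:02 gw sshd[1234]: Accepted publickey for alice from 192.0.2.50 port 51234 ssh2'

# When run as fwlog.sh, summarise the sample; on a real box pipe in the log:
#   sudo tail -n 200 /var/log/syslog | sh fwlog.sh
if [ "${0##*/}" = "fwlog.sh" ]; then
    printf '%s\n' "$SAMPLE_SYSLOG" | fw_log_summary
    printf '%s\n' "$SAMPLE_SYSLOG" | ports_per_source
fi
```

The sshd line is there on purpose: anything without the prefix is ignored, which is the same property the rsyslog filter below relies on.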

The last step is for rsyslog to send the messages that contain “firewall1” to psad’s pipe.

sudo nano /etc/rsyslog.d/50-default.conf

We are going to place our rules at the top of the file. That way we can stop “firewall1” messages from making it to any other logs.

:msg, contains, "firewall1" |/var/lib/psad/psadfifo
:msg, contains, "firewall1" ~

Note: the ~ means to discard.

That’s it! Restart rsyslog:

sudo restart rsyslog

To view psad’s status:

sudo psad --Status

Comments and suggestions are welcome!!

Setup Samba on Ubuntu

Updated December 24, 2012. This works on all versions of Ubuntu.

Authenticated network file access is very helpful on your home LAN.

Install:

sudo apt-get install samba

Configuration:

sudo nano /etc/samba/smb.conf

Enter details for the share at the end of the file. Leave the rest of the file default for now. Go back later and edit it.

# Name
[shared_directory1]
# Path
path=/home/user_name/shared_directory
# Restrict access. Useful with multiple shares/users.
valid users=user_name,user_name2
# Enable write access.
read only=no

For more options visit the smb.conf man page: http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html

Start Service:

sudo restart smbd

Note: You must restart the samba daemon for any of the above changes to take effect.

Adding users:

sudo useradd user_name --shell /bin/false
sudo smbpasswd -a user_name

Hint: Use your Windows username and password. This will grant password-less access to the share.

For more options visit the smbpasswd man page: http://www.samba.org/samba/docs/man/manpages-3/smbpasswd.5.html

Accessing the share in Windows:

In the address bar of file explorer:

\\ip\shared_directory1

StatusNet XMPP and GTalk Setup

I tried to get StatusNet’s XMPP bot to connect to GTalk’s servers and got this error: “If set, the ‘from’ attribute must be set to the user’s full JID.” Furthermore, I could not send or receive messages from the bot. It was connected, though. I am using the current version of StatusNet, 0.9.7fix1.

After some extensive searching and not finding anything helpful I fiddled with some of the settings. The change from the example that made everything work was:

$config['queue']['enabled'] = true;

to

$config['queue']['enabled'] = false;


If you are using Google Apps for your domain the XMPP settings can be tricky. This is exactly from my config.php and is set up for update@domain.com.

# xmpp
$config['xmpp']['enabled'] = true;
$config['xmpp']['host'] = 'talk.google.com';
$config['xmpp']['server'] = 'domain.com'; # domain name
$config['xmpp']['port'] = 5222;
$config['xmpp']['user'] = 'update'; # user name
$config['xmpp']['encryption'] = true;
$config['xmpp']['resource'] = 'updatebot'; # something unique
$config['xmpp']['password'] = 'password'; # user password
$config['xmpp']['debug'] = false;
$config['queue']['enabled'] = false;


Good luck with your setup and happy micro-blogging!

Update: If using GTalk you will need to login to the bot’s account to accept the invitation request.

Asus RT-N16 DD-WRT: best wireless settings for streaming

MAJOR UPDATE JANUARY 10, 2013: I installed the stock firmware today. The speed is incredible! DD-WRT firmware and my ISP’s speed test peaks at 100 Mbps. So far the stock firmware peaked at 229 Mbps. The limiting factor is probably my ISP. WiFi is also at least 4x faster. Bye for now DD-WRT… I will miss your features! Just kidding. I set up DD-WRT on a WRT54GL as an OpenVPN client. That is the feature I use which doesn’t come with stock firmware. Click here to go to the Asus RT-N16 product page.

I rewrote this to make it easy to follow. If you are having lots of problems – a 30/30/30 to clear the NVRAM may be necessary. Please comment if you have any recommendations. Thanks!

Setup:
=> Basic
-NTP client: enable
-time zone: (yours)
-server: pick a pool for your region here

Wireless:
=> Basic
-mode: AP
-network mode: N-only
-channel: 6 (Find the one with the least noise by doing a “site survey.”)
-width: 20 MHz
-sensitivity range (ACK timing): 0
-network configuration: bridge

=> Security
-mode: WPA2 personal
-algorithm: AES

=> Advanced
-CTS: disable
-frame burst: disable
-beacon: 100
-preamble: short
-shortslot override: short
-tx power: 17 (Here is a thread about this setting for this router.)
-WMM support: enable
-no-acknowledgement: disable

Administration:
=> Keep Alive
-schedule reboot: enable
-time: 05:00 everyday

After rebooting, make sure the settings were saved.