My Contact was Shared with Facebook

Facebook gives a list of companies who run Facebook ads, and sent my contact information (tel, email) to Facebook.

This list for my account lists some obvious companies, some companies I never heard of, and some companies who really should never have forwarded my contact information to Facebook!

Look up your own list by:

  • Click the three dots on any ad in facebook
  • Click “Why am I seeing this?”
  • Click “Manage Your ad Preferences”
  • Click “Advertisers”

Ubiquiti UniFi the Next Botnet ?

I tested a Ubiquiti access point today. UAP-AC-Lite seems to be a very good and cheap access-point.

When you take it out of the box and connect it to the network it gets an IP address using DHCP and waits for a configuration. In this mode it sends broadcasts to find a controller and listens on port 22 (ssh) with standard login/password of ubnt/ubnt.
That’s not best practice but very usual for devices of this kind.

I tried two configuration modes:

    1. MobileApp based using my Android Phone:
      This App looks good, and works great, if you need just one SSID and not VLAN. Thumbs up, well done ubiquiti.
      But I guess this method will not work if this is you first access point in the network, because you will end with a chicken and egg problem.
    2. UniFi Controller based:
      UniFi runs on Win/Mac and Linux. The Debian package is far to big but it installs cleanly (Why does this webapp need 27MB of fonts?).
      With this webapp you can configure everything and it works good. But then I checked the security…

First I checked what new ports are open on my server:

tcp6 0 0 :::8443            :::* LISTEN 1373/java 
tcp6 0 0 :::6789            :::* LISTEN 1373/java 
tcp6 0 0 :::8843            :::* LISTEN 1373/java 
tcp6 0 0 :::8880            :::* LISTEN 1373/java 
tcp6 0 0 :::8080            :::* LISTEN 1373/java 
udp6 0 0 MYPUBLICIP:50880   :::* 1373/java 
udp6 0 0 :::10001           :::* 1373/java 
udp6 0 0 :::3478            :::* 1373/java 
udp6 0 0 MYINTERNALIP:58426 :::* 1373/java 

That’s to much for a Linux box with a public IP interface.
The documentation tells a little bit what these ports are used for, but some are not explained or not needed for normal operation.
I tried to strip down the open ports for security reasons, but I found no way to disable unused services or at least bind only to one IP. My minimum requirement would be to bind only to an internal interface and block the public interface.

But no way (officially: https://community.ubnt.com/t5/UniFi-Feature-Requests/Allow-Controller-to-run-on-a-Single-IP-Address/idi-p/959213 )

Shure I could write an iptables filterlist to block these ports, but that’s risky. Today they use these 9 ports, but what will happen on the next update ?

Then I checked what services are actually running on these ports. It’s a tomcat server !
A java/tomcat server that listens in all directions IPv4/6 and no easy way to limit this access. What can possibly go wrong?

Most people will never update this controller software, and tomcat had and will have security problems.
http://www.cvedetails.com/product/887/Apache-Tomcat.html?vendor_id=45

Hopefully ubiquiti will provide a smaller footprint configuration tool, with a bit more settings than the app, and add some security settings to the controller software.
Then I would really recommend this nice piece of hardware: Vendor Link  ,  Amazon Link

Version: UAP-AC-Lite, unifi 5.4.11-9184

Sophos UTM BGP Announces 0 Prefixes

Problem: A simple bgp upstream configuration. A small AS with one IP prefix wants to connect to its upstream using BGP. The BGP peerings are up. Sophos receives the expected routes from its upstream, but the upstream router does not receive the expected single prefix.

Discussion: an outbound filter list is set to prevent sending other than the local prefix x/24. Therefor ae ip filter list is configured in the web gui and connected to the bgp neighbor settings as filter list out. The web gui should generate a quagga bgpd.conf from this and it should look like this:

router bgp 2222

neighbor 12.12.12.241 remote-as 1111
neighbor 12.12.12.241 prefix-list REF_BgpFilBgpfiltero_4 out

ip prefix-list REF_BgpFilBgpfiltero_4 seq 5 permit 13.13.13.0/24 le 32
ip prefix-list REF_BgpFilBgpfiltero_4 seq 10 deny 0.0.0.0/0 le 32

But looking into the actual config file in /var/sec/chroot-quagga/etc/quagga showed that the prefix list was missing. The backup config file bgpd.conf.sav showed the correct prefix list was there before. The only change in the meantime was that I removed an other (not used) “filter list in” in the gui. It seems there is a bug in Sophos UTM that the web gui removes all prefix lists from the config file, when you actually want to remove only one.

Workarround: configure a new fillter list and attach it to the neighbor config.

It’s very good that I actually could log into the Sophos box, because I would have never found this bug without ssh access.

Version: 9.408-4

 

PaloAlto Packet Loss of 1% and More

Problem: PaloAlto firewall is dropping packets in small bursts of some seconds, and sometimes it drops TCP connections. It only happens on HA clusters on interfaces in active/passive (fail over) mode.

Solution: disable the following check box in the Ethernet interface Advanced – LLDP settings: “Enable in HA Passive State”

Discussion: Palo Alto uses only one MAC address for both machines of an HA cluster. The passive box sends LLDP packets using this MAC address. The switch learns this MAC address and sends the traffic to the passive node until the active node sends new packets. The passive node should never send packets with the MAC address of the active node, and should have its own MAC address for LLDP and possibly other services.

Version: PaloAlto current version of Nov 2016, connected to a Cisco Catalyst 6500

Generate CSR using openssl

Browsers started to warn users about certificates with Sha1 signature. Sha256 is needed now a days.
So it’s time to renew certificates from Thawte, Godaddy, etc

You can generate a new Certificate Signing Request with openssl with this command:

openssl req -nodes -newkey rsa:2048 -keyout servername.key -out servername.csr -sha256

“servername.csr” is an ascii file you can send or paste to your certification authority’s interfaces.

Version: tested with OpenSSL 1.0.1e 11 Feb 2013 on Debian 7

F5 data flood

Problem: A F5 load balancer LTM sends lots of data to some clients. Sometimes this fills up all the available bandwidth with 1 Gbit or more. At the same time the input traffic does not raise. The traffic charts look like if F5 is attacking some clients (reversed DDoS :-) )

Discussion: After some time of staring at tcpdump output like in Matrix :-) I found the following behavior:

10 A client sends an HTTP request to the F5
20 The F5 forwards the HTTP request to a webserver and gets the data
30 The F5 sends the data to the client, eg. the data has 10kByte which fits into the TCP window
40 A router on the way to the client sends an "ICMP unreachable need fragmentation 1440 Byte"
50 The F5 replays the 10kByte in fragmented packets smaller than 1440 Byte
60 The router sends "need fragmentation" again
70 The F5 replays the already fragmented 10kByte at wire speed
80 goto 60 

Why does the router send “need fragmentation” although the packets are already fragmented ?
The ICMP packet shows that the fragmented packets arrive reassembled at the client side, which means some router between the F5 and the client reassembles the fragments and ignores the need fragmentation packets from the client router. “Automatic reassembly and offloading is evil!”

This is obviously a bug on the router which reassembles the packets. But on the other hand the F5 LTM should not send out the same data in a loop up to wire speed, it should either throttle the packet flow, or it should not retransmit the already fragment packets after “need fragmentation”. The normal retransmit for missing tcp packets should apply.

I filed this bug with F5 twice but they said this behavior is correct and they won’t change it.

Solution: Fix the bogus router if you can. If you can’t I think there is no other solution than don’t use F5 LTM

Update: A work arround is to disable pathmtudiscovery on F5. Without PMTU Disovery the DF IP header is not set and routers and firewalls usually fragment large packets them self and don’t send ICMP Need Frag messages.

# tmsh
root@(F5)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# sys db
root@(F5)(cfg-sync Changes Pending)(Active)(/Common)(tmos.sys.db)# modify tm.pathmtudiscovery value disable
root@(F5)(cfg-sync Changes Pending)(Active)(/Common)(tmos.sys.db)# modify tm.enforcepathmtu value disable

Version: tested with F5 LTM 11.2.1 and 11.5

Howto generate an SSL key and self signed cert with openssl

For SSH, HTTPS, TLS SMTP,POPS, IMAPS you need a RSA key pair. Most Linux package installers produce this pairs automatically, but if you like, you can generate them yourself.

The quickest method I found is:

openssl req -x509 -nodes -newkey rsa:2048 -keyout servername.key -out servername.crt -days 1024

This command asks you some questions. The most important one is:

Common Name (e.g. server FQDN or YOUR name)

Enter the hostname of your server here.

You can check the content of key and crt files with these commands:

openssl rsa -in servername.key -text
openssl x509 -in servername.crt -text

AVM Fritz!box DHCP Problem

Problem: I wanted to provide a CWMP (TR-069) ACS URL to an AVM modem using DHCP on the WAN Interface, but the DHCP server ignores this vendor-option.

Discussion: Following the TR-069 specs, the CWMP-ACS Server can be included in an dhcp response using vendor-option (SubOption 1). Usually vendor options should work with isc-dhcp-servers like that:

option space vo;
vo.acsurl code 1 = text;vo.provcode code 2 = text;
vendor-option-space vo;

option vo.acsurl “http://acs.server/”;
option vo.provcode “modemtype”;

But in this case the isc-dhcp (4.1.1) ignored this option.

After some cross-checks with working setups, I recognized, that the  AVM modems (7360 and 7390) are missing an option in the dhcp request.
Option “Parameter-Request Option 55” doen’t include “Vendor-Option 43”, which means isc-dhcpd doesn’t send the vendor-option, because the AVM tells it wouldn’t accept it.

Solution: You can force the isc-dhcpd to send vendor-option even though the AVM doesn’t request it. You have to add the following line to your dhcpd.conf:

option dhcp-parameter-request-list = concat(option dhcp-parameter-request-list,2b);

IPv6 Only Test

The IPv6 designers refused to define an IPv4/IPv6 gateway, because it’s a contradiction to the NO-NAT, End2End paradigm of IPv6. The result is that IPv6 doesn’t really lift off, because every IPv6 user has IPv4 too (Dual Stack), which gives no pressure to move on to implement IPv6.

Large providers had to implement NAT instead of IPv6 to give their users connectivity, because NAT implemented a solution to address exhaustion now. If there has been an NAT64 gateway right from the start, we would have IPv6-only on our smart phones now instead of 10.x.x.x. That would give End2End capabillities at least for IPv6.

To test and show the current status of IPv6, I’m running an open WLAN hotspot with IPv6 ONLY. The access point is located in Wien, Rudolf von Alt Platz with the SSID AKK-IPV6ONLY.

I will add an IPv6 Only + NAT64 hotspot in the future.

Update Cisco Catalyst Software

I had to update the software of a new Cisco Catalyst 4948 yesterday.
As usual I did:

copy tftp://<hostname>/<filename> bootflash:
conf t
boot system flash bootflash:<filename>
exit
reload

But the switch ignored the new software image.
During boot it said:

Booting first image from bootflash

Solution: The config-register was set to 0x2101 right out of the box. I had to change this to 0x2102. With this value the switch honors the bootvar and boots into the configured system image.

conf t
config-register 0x2102
exit
reload

The config-register has different meanings on different cisco plattforms.
For the Catalyst 4948 the config-register contains a bit field explained at:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/supcfg.html#wp1051990