Hackepedia - User contributions [en]

Using views to restrict recursion

2006-03-16T19:39:57Z

Mcr:

This is an example of a name server that does not do recursion for
hosts outside of its' network, but still servers zones to the world.

<pre>
//
// named.conf for Red Hat caching-nameserver
//

acl "cooperix" { 192.139.46.0/24; };

options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/

allow-recursion { "cooperix"; };
transfer-source 192.139.46.131;

// query-source address * port 53;
//recursion no; // Do not provide recursive service

};

logging {
channel "eastasia_local0" {
syslog local0;
severity info;
};

category "unmatched" { "null"; };
category "default" { "eastasia_local0"; "default_debug"; };
};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

view "normal" {

zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};

//
//
// Public Secondaries
//
include "/home/russell/DNS/public-secondary.conf";
include "/home/russell/DNS/sns.flora.ca.conf";
include "/home/mcr/DNS/public-secondary.conf";
include "/home/russell/DNS/jungle.ca-secondary.conf";

//
//
// FLORA Secondaries
//
include "/home/russell/DNS/pns.flora.ca-secondary.conf";
include "/home/russell/DNS/team.openconcept.ca-secondary.conf";
};

include "/etc/rndc.key";

view "hesiod" HS {
zone "." HS {
type slave;
file "hesiod.zone.bak";
masters {
192.139.46.244; // pns.flora.ca
};
};

include "/home/russell/DNS/public-hs-secondary.conf";
include "/home/russell/DNS/flora-hesiod-secondary.conf";

};

</pre>

DNS things

2006-03-16T19:37:41Z

Mcr:

This is a list of useful information for people setting up DNS servers.

* [[Using views to restrict recursion]]

Main Page

2006-03-16T19:37:11Z

Mcr:

__NOTOC__

<table width="100%" cellspacing="3" cellpadding="4">
<tr><td rowspan="2" width="56%" valign="top" bgcolor="#d7e7fa" style="border:1px solid #CEDEF4; padding:1em;padding-top:0.2em; color: black;">
The rough idea for this site was to create and provide answers to commonly asked questions and those that aren't currently answered online. It is maintained by hackers. If you do not understand a term, look it up at [http://www.wikipedia.org Wikipedia]. If you've come here to find answers or examples, hopefully you will find them. If you have an answer or example, we hope that you will leave those as well.

You may have also been sent here because you're new to the [[internet]], or would like to learn the etiquette.

Some other random pages to get you started:

*[[Cider|How to make Cider]]
*[[LILO|Fixing a broken LILO]]
*[[Debugging]]
*[[$HOME]]
*[[Bytes]]
*[[Ports]]
*[[Privilege_escalation|Privilege Escalation]]
*[[Disk_breakdown|The breakdown of a disk]]
*[[DNS things]]

</td><td width="24%" valign="top" bgcolor="#e7f7e7" style="border:1px solid #BAD0EF; padding: 1em; padding-top: 0.5em; color: black;">
'''Major Categories'''
{{MajorCategories}}

</td></tr>
</table>

Please see [http://meta.wikipedia.org/wiki/MediaWiki_i18n documentation on customizing the interface]
and the [http://meta.wikipedia.org/wiki/MediaWiki_User%27s_Guide User's Guide] for usage and configuration help.

Message authentication check

2005-10-27T20:33:34Z

Mcr:

A message authentication check, or [[MAC]] is a cryptographic check that a
message is from a given origin.

Most MACs are constructed from keyed [[one way hash]] functions.
The method is for the sender and receiver to agree on a symmetric key,
and to then calculate:

C = hash(K_a | message)

[[IPsec]] uses the HMAC methods, which actually calculate:
C = hash('55555555', hash(K_a | message | 'uuuuuuuuu'))

this usage makes HMAC-MD5 and HMAC-SHA1 immune to recently discovered birthday
attacks on MD5 and SHA1.

Ipsec

2005-10-27T20:25:26Z

Mcr: /* IPsec */

=== IPsec ===

[[IPsec]] (outlined in [[RFC]] 2401) is a security enhancement to the [[IP]] and [[IPv6]] protocols in [[Internet]] communication. Since [[IPsec]] is a combination of keyed-hash, symmetric [[cryptography]] as well as assymetric cryptography it's proper to make this a seperate section outlining all functions of the protocol here.

[[IPsec]] has three protocols Authenticated Header ([[AH]]), Encapsulating Security Payload ([[ESP]]), and IP Compression ([[IPComp]]). In a short explanation [[AH]] adds a [[message authentication check]] to the header ensuring integrity of the payload. [[ESP]] encrypts the payload following the [[IPsec]] header making it safer from [[sniffing]], and also adds a [[message authentication check]].

[[IPsec]] usually uses the [[IKE]] protocol to do symmetric key setup, and to provide authentication of end-points (vs authentication of individual packets).

== OS Implementations ==

For GNU/[[Linux]] the popular implementation is [http://www.openswan.org./ openswan] which is the result of the disbandment of [http://www.freeswan.org./ freeswan].

[http://www.freebsd.org/handbook/ipsec.html FreeBSD IPsec] requires you build it into your kernel, this will require:
options IPSEC
options IPSEC_ESP
in /usr/src/sys/i386/conf/$YOUR_FIREWALL and a [http://www.freebsd.org/handbook/kernelconfig.html kernel recompile].

[[OpenBSD]] has a built-in [[IPsec]] stack. It has a daemon called [[isakmpd]] which speaks the ISAKMP/Oakley [[aka]]. IKE Key management protocol is used for establishing security associations (private encryption keys) between peers.

[http://www.microsoft.com/resources/documentation/Windows/XP/all/reskit/en-us/Default.asp?url=/resources/documentation/Windows/XP/all/reskit/en-us/prcg_cnd_gngz.asp Microsoft WinXP Pro] apparently has ipsec built in as well.

$HOME

2005-10-27T19:23:52Z

Mcr:

Many examples will use $HOME, so this page is here to let you know that on [[UBO]]s, $HOME is your home directory. If my username was frank, I could do:

$ grep frank /etc/passwd | awk -F: '{print $6}'
/home/frank

I can see my home directory is frank. If I want to go there I can type

$ cd /home/frank

to change directory there. There are also a few shortcuts to get to your $HOME directory.

$ cd $HOME

and even easier

$ ~

will put you there.

$ pwd
/home/frank

(print working directory) will show you which directory you're currently in.

$HOME

2005-10-27T19:22:57Z

Mcr:

Many examples will use $HOME, so this page is here to let you know that on [[UBO]]s, $HOME is your home directory. If my username was frank, I could do:

$ grep frank /etc/passwd | awk -F: '{print $6}'
/home/frank

I can see my home directory is frank. If I want to go there I can type

$ cd /home/frank

to change directory there. There are also a few shortcuts to get to your $HOME directory.

$ cd $HOME

and even easier

$ ~

will put you there.

pwd

(print working directory) will show you which directory you're currently in.

Init

2005-10-27T19:14:06Z

Mcr:

When a system is finished booting, the kernel spawns init as process 1. Init then boots the rest of the system by means of the [[RC]] (runcommand) scripts which eventually spawn [[getty]] processes so that you can log in. If you boot in single user mode, init will spawn a bourne shell for you and leaves the system in this state so that you can do maintenance. Init is also inherited as the parent process of processes that have been orphaned. It's duty thus is to reap zombie processes of those that died.

For [[UBO]]:

$ man 8 init

to understand the init process of your operating system.

Init

2005-10-27T19:12:32Z

Mcr: I believe rc is the standard naming convention

Syslog-ng

2005-10-27T19:11:08Z

Mcr: /* FreeBSD */

[http://www.balabit.com/products/syslog_ng/ syslog-ng] is a centralized replacement for [[syslog]] that
guarantees availability of logs, and is very flexible.

== [[FreeBSD]] ==

As of FreeBSD 5.4-RELEASE:

You can not restart syslog-ng.sh in the local directory, you need to use the complete path.
# pwd
/usr/local/etc/rc.d
# ./syslog-ng.sh
./syslog-ng.sh: Cannot determine the PREFIX
# /usr/local/etc/rc.d/syslog-ng.sh
Usage: syslog-ng.sh {start|stop}

also make sure you do not have
syslogd_flags="-d"
still set in rc.conf or you'll be stuck in debug mode during [[init]] the next time you reboot. Remove the -d.
syslogd_program="/usr/local/sbin/syslog-ng"
syslogd_flags=""

Syslog-ng

2005-10-27T19:10:05Z

Mcr:

[http://www.balabit.com/products/syslog_ng/ syslog-ng] is a centralized replacement for [[syslog]] that
guarantees availability of logs, and is very flexible.

== [[FreeBSD]] ==
You can not restart syslog-ng.sh in the local directory, you need to use the complete path.
# pwd
/usr/local/etc/rc.d
# ./syslog-ng.sh
./syslog-ng.sh: Cannot determine the PREFIX
# /usr/local/etc/rc.d/syslog-ng.sh
Usage: syslog-ng.sh {start|stop}

also make sure you do not have
syslogd_flags="-d"
still set in rc.conf or you'll be stuck in debug mode during [[init]] the next time you reboot. Remove the -d.
syslogd_program="/usr/local/sbin/syslog-ng"
syslogd_flags=""
work as of FreeBSD 5.4-RELEASE.