Posts filed under Security

Juniper SRX and DHCP Client Challenge

A couple of years ago I wrote a post about a dual ISP config with a Juniper SRX firewall. At the time I ran into some challenges regarding the DHCP client functionality of the SRX. For some reason it couldn't get a lease from the Ziggo ISP DHCP servers. Any other DHCP server on my local network worked just fine. Since I created a work-around at the time (by using an additional NAT router and static IP addresses) I didn't give it much thought... until last week.

Last week I ran into a networking challenge that kinda freaked me out. For some reason my Apple TV wouldn't connect to my NAS, but it could connect to the Internet. For some reason my Apple TV got a public IP address while it was located on my internal network. The public IP address was completely unknown to me. So, WTF was giving my Apple TV a public IP address?

Posted on February 13, 2017 and filed under Internet, Security, Tips'n Tricks, Junos.

Configure NGINX as a Secure Reverse Proxy

NGINX (pronounced as engine-x) is a versatile (reverse) proxy service for Linux which can be used for many purposes. This post gives a relatively small and easy example that I use at home for accessing insecure web services in my home. These are:

  • Domoticz
    Free and open-source home automation software
  • SabNZBd
    Free and open-source software for downloading binaries from Usenet. Available for multiple operating systems
  • Sonarr
    Formerly NZBDrone; a so-called PVR (personal video recorder) for Usenet users, which checks multiple RSS feeds (also called indexers) for new episodes of the shows you're following.

These services run on different platforms and are not protected by username/password or encryption. That's unacceptable if you want to access them over the Internet.
To get secure access to these services you might want to use a VPN solution into your home, but you can also achieve this by using a reverse proxy that 'protects' these services.

I run my NGINX reverse proxy on Ubuntu Linux, but it will also run on the average Raspberry Pi.

Posted on January 29, 2017 and filed under Internet, Security, Tips'n Tricks.

Internet of Things (IoT) and Ransomware

Unfortunately, and no matter how funny the cartoon may be, this may be what the future is going to bring us if we're not careful.

Below are some of the online appliances (just random picks from Google):

The only item I couldn't find was the Internet-connected broom. But I guess that won't take long. The other items can all be bought with some sort of Internet connectivity, and are therefore potentially vulnerable to abuse.

Posted on October 10, 2016 and filed under Annoying, Gadgets, Hardware, Internet, Security.

Why Encryption Matters

John Oliver addresses the need for encryption in a hilarious way. The clip is ~18 minutes, but well worth it.

If you still think that encryption is only used for evil (terrorism, child pornography, etc.), and that governments / security agencies should need (backdoor) access to your data... Well, I'm not gonna end that sentence.

Posted on April 12, 2016 and filed under Fun, Internet, Privacy, Security, Video.

Run Juniper Virtual SRX in VMWare Workstation

The Juniper Virtual SRX firewall can run on multiple platforms, but VMware Workstation is not mentioned in the list of supported platforms. Having some experience with both, I know that almost all VMs designed for the VMware ESXi environment will run on the (stand-alone) VMware Workstation product.

I downloaded the .ova file from the Juniper website and imported it into VMware Workstation v12.1. During the import I adjusted the number of CPUs to save resources, which turned out to be a mistake. The VM really needs the two CPUs; without them it just won't work (routing failures, etc.). So, don't change the defaults for CPU and memory.

Posted on January 12, 2016 and filed under Junos, Security, Tips'n Tricks.

Firefox v42 Tracking Protection

With the launch of Firefox v42 (and up) they introduced an ad blocker in the browser. The ad blocking feature is available (by default) during the use of Private Browsing.

But if you don't want to see those advertisements, and for some reason you don't want to use Private Browsing (like me), then you're out of luck (by default). There's no normal way to enable this feature without the use of Private Browsing (or use an ad blocker add-on for Firefox). Thankfully, Firefox uses a config module in which you can tweak almost everything... including the Tracking Protection.

Posted on November 4, 2015 and filed under Browsers, Internet, Privacy, Security, Software, Tips'n Tricks.

Rsync And Encrypted Containers

My 'little' off-site Raspberry Pi backup/remote storage project will probably use a combination of BitTorrent Sync and rsync. The latter will be used to back up personal information, but I want that data to be absolutely secure. So I want to use encryption, preferably by using a container that I can mount (e.g. TrueCrypt or the Apple OSX encrypted disk images).

The problem with containers is that many backup solutions tend to back up / transfer the entire container when a change occurs. Thankfully, rsync only copies the changes.

Posted on June 20, 2015 and filed under Raspberry Pi, Security, Software, Tips'n Tricks.

Create An 802.1x Evil Access Point

The last couple of weeks, I've been playing with Kali Linux to explore exploits on networks (wireless and switched networks). One of the exploits I wanted to explore was that of an 'Evil Access Point' which can be done with Kali Linux and a suitable wireless LAN adapter.

An Evil Access Point creates a wireless network SSID to lure unsuspecting users/computers into connecting to it. This network pretends to use 802.1x for security (which is mainly used in corporate network environments), and those networks typically require a username and password (or certificate) to connect.

When the user/computer tries to connect, it (the evil AP) collects the user-name and a hash of the password. The password can be recovered by using dictionary files, rainbow tables, or by using brute-force. After the password has been found it can be used with the captured user-name to connect to the corporate network.

Posted on April 12, 2015 and filed under Security, Tips'n Tricks.

Apple OSX Server Firewall

My Apple OSX server (Mountain Lion) at home is the centre of my network and entertainment system. It provides the following services:

Since several (software and hardware) upgrades and redesigns of my internal network (from a single VLAN to a multi-VLAN setup with firewall services and traffic inspection), several services have failed under certain circumstances. E.g. Air-Video would work internally when the client was in the same network as the OSX server network interface, but connecting through the SSL VPN stopped working for some reason. Also, the VNC Viewer did work in the old days, but stopped working over time. The same goes for several static NAT entries; they worked before, and stopped working for 'no reason'. Other services like ssh did work in both the old and new network design...

Posted on September 3, 2014 and filed under Annoying, Apple, Security.