Posted on Leave a comment

Securing The New Server & Security In General

This was originally going to be part of another post, but it ended up getting more complex than I originally intended so it’s been given it’s own. I go into into many of my personal security practices, on both my public facing servers & personal machines. Since the intertubes are so central to life these days, good security is a must, especially since most people use the ‘net to do very sensitive operations, such as banking, it’s becoming even more essential to have strong security.

Since bringing the new server online & exposing it to the world, it’s been discovered in record time by the scum of the internet, SSH was under constant attack within 24 hours, and within that time there were over 20,000 failed login attempts in the logs.
This isn’t much of an issue, as I’ve got a strong Fail2Ban configuration running which at the moment is keeping track of some 30 IP addresses that are constantly trying to hammer their way in. No doubt these will be replaced with another string of attacks once they realise that those IPs are being dropped. I also prevent SSH login with passwords – RSA keys only here.
MySQL is the other main target to be concerned about – this is taken care of by disabling root login remotely, and dropping all MySQL traffic at the firewall that hasn’t come from 127.0.0.1.

Keeping the SSH keys on an external device & still keeping things simple just requires some tweaking to the .bashrc file in Linux:

alias ssh='ssh -i <Path To Keys>'

This little snippet makes the ssh client look somewhere else for the keys themselves, while keeping typing to a minimum in the Terminal. This assumes the external storage with the keys always mounts to the same location.

Everything else that can’t be totally blocked from outside access (IMAP, SMTP, FTP, etc), along with Fail2Ban protection, gets very strong passwords, unique to each account, (password reuse in any situation is a big no-no) and where possible TOTP-based two factor authentication is used for front end stuff, all the SSH keys, master passwords & backup codes are themselves kept offline, on encrypted storage, except for when they’re needed. General password management is taken care of by LastPass, and while they’ve been subject to a couple of rather serious vulnerabilities recently, these have been patched & it’s still probably one of the best options out there for a password vault.
There’s more information about those vulnerabilities on the LastPass blog here & here.


This level of security paranoia ensures that unauthorized access is made extremely difficult – an attacker would have to gain physical access to one of my mobile devices with the TOTP application, and have physical access to the storage where all the master keys are kept (along with it’s encryption key, which is safely stored in Meatware), to gain access to anything.
No security can ever be 100% perfect, there’s always going to be an attack surface somewhere, but I’ll certainly go as far as is reasonable, while not making my access a total pain, to keep that attack surface as small as possible,and therefore keeping the internet scum out of my systems.
The last layer of security is a personal VPN server, which keeps all traffic totally encrypted while it’s in transit across my ISP’s network, until it hits the end point server somewhere else in the world. Again, this isn’t perfect, as the data has to be decrypted *somewhere* along the chain.

Posted on 4 Comments

Virgin Media Hub 3 Crap & Router Upgrades

I posted a while back a teardown of the VM Superhub 2 router, as VM has “upgraded” to a rebranded Arris TG2492S/CE CM. Alas Virgin Media in their wisdom have decided that simple router features like being able to change the LAN subnet & DHCP server range are far too complex to trust to the Great Unwashed, so they’ve removed them entirely from the firmware, and locked the local LAN onto the 192.168.0.0/24 range.
As my network is already numbered in the 10.0.0.0/16 range, with several statically addressed devices present and other systems relying on these static assignments, using this router would have meant renumbering everything.

Luckily Virgin had the decency to leave the “modem mode” option in the firmware, effectively disabling the WiFi & routing functions & allowing the connection of a third-party router. Some searching for a suitable replacement for the core of my network turned up the Linksys WRT1900ACS. While I waited for this to arrive, some temporary workarounds were needed to make everything function well enough with VM’s crap router.

WRT1900ACS
WRT1900ACS

These routers have been designed as a modern replacement for the venerable WRT54G series of routers from some time ago, with full support for OpenWRT/DD-WRT firmware, and with a beefy 1.6GHz dual core CPU & 512MB of RAM I doubt I’ll be able to knock this one over with too much network traffic! This was pretty much the most powerful router I could afford, and should mean I don’t need to upgrade for a long time. (No teardown of this yet, as it’s taking care of the network at present. Maybe some point in the future I’ll take the plunge).

The stock firmware isn’t totally awful, and has some nice features, but I decided it needed to be replaced with DD-WRT for more security & future flexibility. I’ll leave the firmware flashing stuff for another post πŸ˜‰

Posted on Leave a comment

Some Site Changes

After a few years of running with the same look, I’ve decided on some changes.

  • New theme!
    The site now looks much better, and has better support for more eye candy πŸ˜‰
  • Addition of my QRZ link
  • New QSO logging system
    Accessible from a button in the header, this is my new preferred system for logging my radio contacts. (I was originally using CQRLOG under Linux). If I’ve spoken to you on the radio your callsign will most likely appear immediately. πŸ™‚
    If not, I’m probably working mobile. In that case, drop me a comment or an E-Mail πŸ™‚

Finally there have been some behind the scenes changes to implement some better security on site.
Getting the number of hits I do per day, this site gets attacked by the Internet’s Great Unwashed on a regular basis. No attack has ever been successful but more security never hurts!

73s folks!

Posted on 1 Comment

Velleman MK179

Completed Kit
Completed Kit

This is the Velleman MK179 Proximity Card Reader, which is supplied in kit form. In the image above you can see the completed kit, the read coil is etched onto the black PCB on the left. Bringing a recognised card close to the coil operates the relay on the main PCB for a programmable amount of time.

Main PCB
Main PCB

Closeup of the main PCB, 12v DC input at top right. Left IC is an LM358 dual Op-Amp, the IC on the right is a PIC12F629 with Velleman’s custom firmware.
Logic power is supplied to the ICs & the oscillator from the LM7805 regulator at the top of the PCB. The relay is a standard 15A SPDT 12v coil relay, with the switch contacts broken out onto the screw terminals on the left.

Schematic Diagram
Schematic Diagram

As it is not provided with the kit, unlike other Velleman kits, here is the schematic for this.

 

Posted on 1 Comment

Co-Op Bank Card Reader

Keypad
Keypad

This is a little security measure you get with Internet Banking with the Co-Op, generates codes to confirm your identity using your bank card. About the size of a pocket calculator, this is the keypad & screen.

Card Slot
Card Slot

The rear of the unit, the card slots into the top, manufactured by Gemalto Digital Security.

Card Contacts
Card Contacts

Outer back cover removed, showing the 8 contacts for the chip on the bank card, the 2 contacts below that switch on power when a card is inserted. Power comes from 2 lithium coin cells in the compartment on the lower left.

PCB Rear
PCB Rear

PCB removed from the casing, showing the internal components. Two large pads at top left are battery connections, while the only IC on the board is the main CPU, under the card connector. 6MHz oscillator & 32Khz crystal on board for processing & timekeeping. LCD screen connection at far right.

Keypad Contacts
Keypad Contacts

Reverse side of the PCB, with the keypad contacts. LCD on right, with programming interface pads at side of keypad.