IPS Rule to detect and block DNS Recursion

Over the weekend we were notified that our Windows DNS servers were being used as an "Open recursive resolver used for an attack". This is really a mistake on our part for putting the authoritative and recursive services on the internet-facing systems, something we will have to change. Also, because Windows DNS does not have ACLs like those that exist in BIND and PowerDNS etc., it's not a simple case of adding the authorised ranges to an allow-recursion ACL.

What I ended up doing was to write a couple of IPS rules to match requests with the DNS query flags of 0x0100 (a standard query with the recursion desired bit set). I also check for more than 5 requests per minute per source IP, and when I get a match to both, I quarantine the source IP for a period of time. Since implementing this it has been working extremely well. I have only applied this rule to the firewall rules pointing to our Windows DNS servers and not our Linux DNS servers.

These are the flags of a recursive DNS query.

[image: dns_query]

Here is how it's done from the command line. Note this is on FortiOS version 5.0 patch 12.

config ips custom
edit "MS.DNS.Recursion.Requested"
set action block
set comment ''
set severity info
set signature "F-SBID( --attack_id 8976; --name \"MS.DNS.Recursion.Requested\"; --ipver 4; --protocol udp; --service DNS; --pattern |0100|; --distance 2,packet; --flow from_client; --rate 5,60; --within 2,packet; --track src_ip; --log dns_query;)"
next
edit "MS.DNS.Recursion.Requested.V6"
set action block
set comment ''
set severity info
set signature "F-SBID( --attack_id 7731; --name \"MS.DNS.Recursion.Requested.V6\"; --ipver 6; --protocol udp; --service DNS; --pattern |0100|; --distance 2,packet; --flow from_client; --rate 5,60; --within 2,packet; --track src_ip; --log dns_query;)"
next
end
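As an added example (not part of the original post and not FortiOS code), the following Python script shows what the two signatures above are matching and how the rate tracking behaves. It builds constructed DNS query packets, tests the two flag bytes at offset 2 of the UDP payload exactly as --pattern |0100| with --distance 2 does, counts matches per source address over a 60-second window (--rate 5,60 with --track src_ip), and puts a source into quarantine once the threshold is reached. The IP addresses, the quarantine length and the tracker class are assumptions made for the example. It also shows a caveat worth knowing: a query whose flags carry extra bits (for example 0x0120, RD plus AD, which many modern stub resolvers set) does not match the exact two-byte pattern even though it still asks for recursion, so a bit-test variant is included alongside the exact match.

```python
import struct
from collections import defaultdict, deque

# Thresholds mirror the signatures above: --rate 5,60 with --track src_ip.
RATE_THRESHOLD = 5            # matches within the window before the source is blocked
RATE_WINDOW = 60.0            # seconds
QUARANTINE_SECONDS = 3600.0   # assumed quarantine length for this example only


def build_query(name, flags, qid=0x1234):
    """Build a minimal DNS query payload (constructed sample input: one A/IN question).

    Header layout: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (six 16-bit fields),
    so the flags word always sits at payload bytes 2-3.
    """
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def matches_signature(payload):
    """The exact test the IPS rule performs: bytes 2-3 of the payload equal 0x0100."""
    return len(payload) >= 12 and payload[2:4] == b"\x01\x00"


def recursion_desired(payload):
    """Broader test: the RD bit (0x0100) is set, whatever the other flag bits are."""
    if len(payload) < 12:
        return False
    (flags,) = struct.unpack("!H", payload[2:4])
    return bool(flags & 0x0100)


class RecursionRateTracker:
    """Per-source rate tracking with quarantine, modelled on the sensor entry above."""

    def __init__(self, match=matches_signature, threshold=RATE_THRESHOLD,
                 window=RATE_WINDOW, quarantine=QUARANTINE_SECONDS):
        self.match = match
        self.threshold = threshold
        self.window = window
        self.quarantine = quarantine
        self.hits = defaultdict(deque)   # src_ip -> timestamps of matching queries
        self.quarantined = {}            # src_ip -> quarantine expiry time

    def observe(self, src_ip, payload, now):
        """Return 'quarantined', 'block' (threshold just reached) or 'pass' for one packet."""
        expiry = self.quarantined.get(src_ip)
        if expiry is not None:
            if now < expiry:
                return "quarantined"     # every packet from the source is dropped
            del self.quarantined[src_ip]
        if not self.match(payload):
            return "pass"                # not a recursive query, nothing to count
        stamps = self.hits[src_ip]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()             # forget matches older than the window
        if len(stamps) >= self.threshold:
            self.quarantined[src_ip] = now + self.quarantine
            stamps.clear()
            return "block"
        return "pass"


def run_demo():
    """Replay constructed traffic and return the verdict for each packet."""
    tracker = RecursionRateTracker()
    rd_query = build_query("example.com", 0x0100)
    # Six recursive queries, ten seconds apart, from one (constructed) source address.
    verdicts = [tracker.observe("203.0.113.7", rd_query, float(t)) for t in range(0, 60, 10)]
    # A non-recursive query from the quarantined source is still dropped.
    verdicts.append(tracker.observe("203.0.113.7", build_query("example.com", 0x0000), 55.0))
    # RD plus AD (0x0120) from another source: the exact pattern does not match it.
    verdicts.append(tracker.observe("198.51.100.2", build_query("example.com", 0x0120), 55.0))
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

Running it prints the verdict list: the fifth recursive query from 203.0.113.7 trips the threshold, after which everything from that address, recursive or not, is dropped until the quarantine expires, while the 0x0120 query from the other address slips past the exact-pattern match. If that matters in your environment, pass recursion_desired to the tracker instead of matches_signature, at the cost of a broader match. The quarantine length is not taken from the sensor configuration; it is the example's own assumption.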

[image: ips.sensors.1]

Now to add the IPS Sensor rule.

config ips sensor
edit "Windows DNS Servers"
set comment "Block clients that are not authorised for DNS queries"
config entries
edit 4
set action block
set log-packet enable
set quarantine attacker
set quarantine-expiry 60
set rule 8976 7731
set status enable
next
edit 2
set action block
set log-packet enable
set protocol DNS
set quarantine attacker
set quarantine-expiry 30
set severity medium high critical
set status enable
next
edit 3
set protocol DNS
set severity info low
next
end
next
end

[image: ips.sensors.2]

Finally the Firewall rule.

config firewall policy
edit 292
set srcintf "wan1"
set dstintf "LACP1"
set srcaddr "all"
set dstaddr "Windows DNS"
set action accept
set schedule "always"
set service "DNS"
set utm-status enable
set ips-sensor "Windows DNS Servers"
set profile-protocol-options "default"
next
end

[image: ips.firewall.rule]

This is the end result.

[image: ips.log]

Modifying a Zax ITG3 HDD!

Recently a friend received a hard drive from a client which was out of an In The Groove 3 (ITG3) dance machine. The system had been supplied by Zax Amusements. The customer sent the hard drive in so that my friend could install an updated video driver to support the Nvidia GT210, because the customer had been unable to do so. After a bit of investigation, we discovered the reason the customer was having trouble is that Zax Amusements have protected the system drive using Faronics Deep Freeze. On top of this they have also encrypted the ITG3 partition with TrueCrypt. While I do understand protecting the system drive in an arcade machine that is never shut down properly, I cannot comprehend the protection of the ITG3 game, which is open source and totally free and is not their property to protect. Zax Amusements also run a couple of custom executables, one of which checks the serial number of the HDD. Then on top of all of this, they have put some weird key mappings into the registry to render the keyboard useless when you're in Windows.

My friend contacted Zax asking them for their Deep Freeze password so he could install the drivers and leave the system protected as it was. As we expected, Zax ignored the request, so I proceeded with removing the protection from the hard disk for him. In the end doing this was pointless, as we ended up supplying a new version of the ITG3 HDD to the customer along with the USB hub and I-PAC for the lights. The new system starts up in a fraction of the time of the Zax version.

I was going to release all of the information on how to do it here, but instead I am just going to recommend that any Australian operators with an ITG3 system who need service contact Jomac. Jomac will be able to supply you with a version of the ITG3 system which runs a lot faster than the version supplied by Zax, and also allows the use of the USB ports for players to use their own songs on USB.

Basic ULN2003 / ULN2803 Tester

A friend of mine was looking for a simple way of testing ULN2803 ICs, so I quickly threw together this circuit and built it on some Veroboard strip board. I would use an 18-pin ZIF socket if you expect to be checking hundreds of ICs, or you will probably be changing the IC socket pretty regularly. The circuit is powered by a single 5V 1A power pack.

[image: uln2003-2803-tester]

Parts List

D1 to D8 - 3mm Red LED
R1 to R8 - 56R 0.6W
R9 to R16 - 220R 0.6W
SW1 - Momentary Push Button Switch
U1 - 18-pin ZIF Socket or 18-pin IC Socket

When testing an IC, you will know there is a short if any of the LEDs turn on without the button being pressed, and you will know there is an open if the LEDs do not turn on when you press the button. To test a ULN2003, which is a 16-pin IC, put it into the socket towards the back, leaving pins 1 and 18 of the socket empty.

Mini PPPoE Server Howto for RedHat 7.3 + Radius Auth

This is here only for historical purposes. The information contained is well and truly out of date, but could be handy for reference purposes.

Date: 25-Oct-2002

1. Install RH 7.3. Installing as a server system works. These instructions should be the same for RedHat 7.2 as well.

2. Set an IP address on the primary NIC, say 10.0.0.1. This is the card that is visible to the internet.

3. Install the updated rp-pppoe from Roaring Penguin http://www.roaringpenguin.com/pppoe/. This was version rp-pppoe-3.5-1 as of this writing.

4. Download the latest pppd via CVS from Samba; currently it's 2.4.2b1 as of this writing. I use rsync. Make a directory called ppp2.4 and then issue the command

rsync -vrz ppp.samba.org::ftp/unpacked/ppp/ ./ppp2.4/

to download the source. You don't really need the -v in the rsync command, but it echoes what it's doing to the screen so you can see what's happening.

5. Change to the ppp2.4 directory and then

./configure
make
make install

6. Edit /etc/radiusclient/radiusclient.conf. Set the primary and secondary authentication and accounting servers and hosts. Watch that you're using the right port numbers. If you have an old RADIUS server it is probably using ports 1645/1646.

7. Edit /etc/radiusclient/servers and set the secret password and the hostname of the RADIUS servers you're going to authenticate against.

8. Edit /etc/sysctl.conf and change net.ipv4.ip_forward from 0 to 1. This makes the system turn on routing at boot up.

9. Edit /etc/ppp/pppoe-server-options and add proxyarp to the end of the file on its own line. Also add ms-dns {dns ip addresses} after the lcp-echo-failure lines.

10. Edit /etc/sysconfig/network-scripts/ifcfg-eth1 and change ONBOOT=no to yes and remove the dhcp from BOOTPROTO= if it's there.

11. Start the pppoe-server. You will probably need to pass some parameters to it. They will most likely be -I eth1, -L {localip} and -R {remoteippool}. So you will end up with something like /usr/sbin/pppoe-server -I eth1 -L 10.0.0.1 -R 10.0.0.150. This tells the server to start serving out IPs to the clients starting at .150. Set the -L IP to the local IP of eth0. When you're happy with the startup parameters you will want to add this same line to /etc/rc.d/rc.local so that the server restarts after a reboot of the server.

12. You should now be able to test the system. Try adding a user to the system and then add the user to the /etc/ppp/pap-secrets file. (This assumes you use a user called test with a password of test.)

Adding a user:

adduser test
passwd test

pap-secrets file:

"test" * "test"

13. Now tail -f /var/log/messages on the Linux system and try to connect to the server with a PPPoE client. If you've got it right, you will be able to establish a connection.

14. Now add the line plugin radius.so to the file /etc/ppp/pppoe-server-options just before proxyarp.

15. Now test the logging on again with a valid radius user.

16. Congratulations, you're finished!

The pppoe-server-options file looks like this:

# PPP options for the PPPoE server
# LIC: GPL
require-pap
login
lcp-echo-interval 10
lcp-echo-failure 2
ms-dns 10.0.0.5
ms-dns 10.0.0.6
plugin radius.so
proxyarp

Sega PSU to ATX PSU Adapter

We are pleased to announce the distributor for these is Highway Entertainment. http://www.highway.net.au/news/introducing-the-sega-to-atx-power-supply-adapter-kit/450.html

Over the last few months I have been working on an adapter board to allow Sega power supplies, such as the Model 1 and Model 3 PSUs, to be replaced with a generic ATX power supply without needing to modify the wiring loom. These power supplies, which are no longer available, used to cost over $400 USD from Sega.

This kit will include these two boards and a 30cm IEC C13 to C14 cable. It is expected that these will be available for sale around the beginning of August 2015.

[images: AdapterKit, ieclead]

These power supplies were used in games such as Virtua Racing, Star Wars Arcade, Virtua Fighter, Wing War, Sega VR-1, Dennoo Senki Net Merc, Virtua Fighter 2, Manx TT Superbikes, Sega Rally Championship, Sega Rally Pro Drivin', Sky Target, Virtua Cop 2, Dead or Alive, Dynamite Baseball, Dynamite Cop, Pilot Kids, Virtua Fighter 2.1, Motor Raid, Zero Gunner, Boat Race GP, Virtua Fighter 3, Virtua Fighter 3tb, Sega Bass Fishing/Get Bass, Scud Race, Le Mans 24, Scud Race Plus, Harley Davidson & L.A. Riders, Fighting Vipers 2, Sega Rally 2, Ski Champ, Daytona USA 2, Daytona USA 2: Power Edition, Dirt Devils, L.A. Machineguns, Spike Out, The Lost World: Jurassic Park, The Lost World: Jurassic Park Special, Virtua Striker 2, Virtua Striker 2 Version '98, Virtual-On Oratorio Tangram, Star Wars Trilogy Arcade, The Ocean Hunter, Emergency Call Ambulance, Magical Truck Adventure, Spikeout Final Edition etc etc...

After lots of effort things are finally coming together and the boards should be available sometime in the next couple of months.

Power supplies with a pin out like that in the below images can be replaced with an ATX power supply with this kit.

[images: outputs, AstroPinout]

This version (below) has a -5V on CN2, but it is not connected on the wiring harness in the Sega machines.

[image: 400-5306-01.end]

Further down this page you will find pictures of power supplies that are able to be replaced with this adapter kit.

DC Board

The DC board has indicator LEDs for the presence of 3.3V, 5V and 12V.

I have added a connector labelled Astro to the board for the Service, Test, AF+ and AF- for Astro City.

Below is a picture of an early prototype on the right and the final finished board on the left.

[image: WP_20150706_010]

The kit will include 2 boards. One board will accept the existing 110V plug in, and will have an IEC female output to go to the ATX PSU. The second board will take the 20 or 24 pin ATX plug and present the same connectors as you get on the original power supply. There are quite a few power supplies that can be replaced with this kit.

Power supplies like those pictured below can be replaced.

Note: Some power supplies do not have a 3.3V connector. If that is the case then the connector is simply not used.

400-5330-03 PSU

[image: segapsu]

JQA Power Supply / 400-5330-02-91

Top View

[image: jqa_002]

Front View

[image: jqa_001]

NVS-4000 PSU

This unit is common in Astro cabinets and has a couple of extra wires which we have also included on the replacement board.

[image: NVS4000-Pinout]

400-5264-91 PSU

[images: 400-5264-91, 400-5264-91.2]

400-5306-01 PSU

[images: WP_20150806_008, WP_20150806_007]

Update - 06-July-2015

The circuit boards arrived from the manufacturer, and they look fantastic. This board has been made with a thicker substrate than normal (2mm) and also has heavier 4oz copper to handle the high current required.

[image: WP_20150706_003]

The board powered with a 20-pin ATX PSU. The board will work with 20-pin and 24-pin ATX power supplies.

Green LED = 3.3V, Red LED = 5V and Yellow LED = 12V

[image: WP_20150706_005]

Top view of an almost finished board. Just missing the 4-pin header in the middle of the board.

[image: WP_20150706_006]

Bottom view of the almost finished board. Just missing the 4-pin header in the middle of the board.

[image: WP_20150706_008]

Update - 16-July-2015

The AC Board has arrived this morning.

[image: mainsboard]

The assembled AC Board

[image: ACBoard]

Both the boards together.

[image: AdapterKit]

Update - 17-July-2015

The task of assembling the boards has begun.

[image: production-begins]

Update - 17-July-2015

The finished product. The AC board has some transparent heat shrink over it to provide a little bit of protection from it being put on top of a metal case, or someone touching it while it's live.

[image: CompletedBoards]

Below are some photos from an installation by Aaron in New Zealand, who was kind enough to send these photos back.

[images: 115320, 121340, 121918, 121911, 123249]

DAP008 pwm as replacement for LD7575 pwm

Recently a friend had a faulty power supply come in for repair. It had the usual problems of blown caps on the secondary side, but this one also had issues on the primary side and had blown its FET, a couple of SMD resistors and the PWM controller. The PWM was an LD7575PS. As neither of us had any of these PWMs on hand, I decided to go searching for a possible replacement that we might have, instead of having to wait for them to arrive from a supplier/eBay.

After a lot of searching on Google, I was unable to find anything except for a post on a forum somewhere that stated there was no replacement that was pin compatible. I did not believe this, so I kept looking. Eventually I decided to search for a datasheet on a PWM that I had with the markings DAP08, which I had not been able to find anything on. After some searching, for some reason, I ended up searching for DAP008 instead, and lo and behold, there it was. Now that I had both datasheets, I was able to do a quick comparison. To start with, the pinouts were identical, so it was just the electrical characteristics that were going to determine if it could be used. The frequency of the LD7575 can be set by a resistor between RT (pin 1) and ground. The datasheet shows that a 100K resistor will give a frequency of 65kHz on the LD7575, and that is exactly what the power supply we were repairing had. So now that I knew the switching frequency, I looked at the DAP008 datasheet and sure enough, the frequency of the DAP008 was also 65kHz.

With this information we fitted the DAP008 to the power supply and fired it up, and sure enough, it sprang to life. We did not even remove the 100K resistor between pin 1 and ground. So we put some load onto the outputs and left it running on test for a little while; nothing was getting hot, so off it went back to the client, and it's been running happily ever since.

Letter to the Australian government regarding the proposed “Meta Data Retention” laws

As part of voicing my concern, I sent the below letter to my local MP to show that I am against the proposed laws that are now in Parliament. It looks like the bill will pass with little to no opposition unless we all get up off our backsides and make it known to all the politicians that we do not want this law passed.

Dear Ms Bishop,

I am strongly opposed to the Government's proposed Data Retention laws, both as the owner of an ISP/CSP and also as an individual.

The proposed laws:

Lack technical merit, meaning that they will be simple to circumvent, making the whole process a very expensive failure. Not that this has ever stopped a government before.

Infringe on basic rights, and your rights to privacy and freedoms that we are all taught about in school. So much for Australia the lucky country. Even China is appearing to be more liberal now.

Are not wanted by the public, so the government should be listening and dropping the whole process. The government is elected to represent the people of Australia, not to control them and spy on them.

Will add significant costs to operating a small ISP/CSP, such that we may no longer be able to compete with larger companies at all.

Have been found to be invalid in the EU due to privacy. Not to mention that I do not trust ASIO or the Federal Police to "Do the Right Thing" when it comes to using people's private data. The reason for the courts is to make sure that they only get access when it is warranted, and not just because they think it will be interesting to see what they are doing on the off chance that they might find one bad guy.

Whatever happened to freedom in Australia? If this bill passes, what will the government try next? Maybe pass a law that requires all citizens to wear GPS ankle bracelets like convicts, so that the security agencies can see where you were two years ago.

Please do not allow this bill to continue, you are making Australia the laughing stock of the world, and ultimately will have a tremendously negative effect on the Australian Technology Sector for both private citizens and businesses alike.

Sincerely,

{signature}

WHMCS Module for ISPConfig

Back in September 2014 I purchased the commercial version of the ISPConfig module for WHMCS from Germanius on the ISPConfig forum, and for the most part the module worked. However, there is an error being reported by many users in which you get the message "SOAP Error: no_server_error" when you enable the create website function. After having no joy trying to get this fixed by Germanius, I finally got frustrated enough that I ended up writing a new version of the module and released it as open source under the GPL3.

You can find the module at http://www.github.com/cwispy/ispcfg3

For instructions on how to configure the module, see the wiki https://github.com/cwispy/ispcfg3/wiki

For support or other issues, please see the thread on HowtoForge

https://www.howtoforge.com/community/threads/new-ispconfig-module-for-whmcs.67824/

My updates to rawNumbers.php for Nagvis

At work I use Nagios to monitor our systems and Nagvis to display things visually on a large screen monitor so we can see what's going on at a glance. One of the gadgets we use quite a bit is rawNumbers.php by Sascha Runschke. While it works well at what it does, which is displaying data as a number in image format, it is very limited in customization. Nagvis gives you the ability to pass options in the gadget_opts field so that you can choose what you want to display. What I have done is to add some extra functionality to the gadget to allow you to modify the following:

* divide = <value> divides the perfdata by this number.

This allows you to set the divisor for traffic data which is in bps to show as MB/s. As an example, if your perfdata is 3752690,4Bits/s and you use divide=1048576, then rawNumbers will display 3.5 as the output.

* datauom = <string> shows this as the uom instead of the perfdata uom; showuom must not be set to 0.

This is a fairly simple change that allows you to change what displays after the value. For example, you might want to show Hz for Hertz or C for Celsius after your values. Note that showuom must not be set to '0' or whatever you set here will not display.

* showuom = <0|1> default = 1 shows the unit of measure.

This allows you to turn off the display of the unit of measure.

* string = <s> where s is a string the perfdata label has to contain.

This allows you to choose what to display if you have multiple perfdata in the array. It is handy when displaying traffic counters. You would set string=traffic_in and string=traffic_out to get both the inbound and outbound traffic data to show. Replace traffic_in / traffic_out with your own perfdata names of course.

This example uses gadget_opts of:

In: showuom=1 divide=1048576 datauom=Mb string=traffic_in

Out: showuom=1 divide=1048576 datauom=Mb string=traffic_out
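As an added illustration (not the gadget's PHP code and not part of the original post), the following Python re-implements the option semantics described above over a constructed perfdata string: it parses Nagios perfdata labels, values and units, selects the first entry whose label contains the string option, divides by divide, and appends either datauom or the perfdata unit unless showuom=0. The sample perfdata string, the function names and the output format are assumptions. In particular, the example above shows 3752690,4Bits/s divided by 1048576 as 3.5, which is what you get by truncating rather than rounding to one decimal, so this code truncates; the comma decimal separator in that value is accepted as well.

```python
import re
from decimal import Decimal, ROUND_DOWN

# Constructed Nagios perfdata string: label=value[uom];warn;crit;min;max, space separated.
# The first entry uses a comma decimal separator, as in the 3752690,4Bits/s example above.
SAMPLE_PERFDATA = "traffic_in=3752690,4Bits/s traffic_out=1048576Bits/s ups_temp=253;300;350 ups_load=421"

# label, numeric value (with . or , as decimal separator), then the unit up to ; or whitespace
PERF_RE = re.compile(r"([^=\s]+)=([0-9]+(?:[.,][0-9]+)?)([^;\s]*)")

# Defaults for the four gadget_opts keys described above.
DEFAULT_OPTS = {"showuom": "1", "divide": "1", "datauom": "", "string": ""}


def parse_perfdata(perfdata):
    """Return a list of (label, value, uom) tuples; value is a Decimal."""
    entries = []
    for label, value, uom in PERF_RE.findall(perfdata):
        entries.append((label, Decimal(value.replace(",", ".")), uom))
    return entries


def parse_gadget_opts(gadget_opts):
    """Parse 'key=value key=value' into a dict, keeping defaults for unset or unknown keys."""
    opts = dict(DEFAULT_OPTS)
    for token in gadget_opts.split():
        key, sep, value = token.partition("=")
        if sep and key in opts:
            opts[key] = value
    return opts


def select_entry(entries, needle):
    """Pick the first entry whose label contains needle (the first entry when needle is empty)."""
    for entry in entries:
        if needle in entry[0]:
            return entry
    return None


def render_raw_number(perfdata, gadget_opts):
    """Produce the text the gadget would show for these options, or None if nothing matches."""
    opts = parse_gadget_opts(gadget_opts)
    entry = select_entry(parse_perfdata(perfdata), opts["string"])
    if entry is None:
        return None
    _label, value, uom = entry
    divisor = Decimal(opts["divide"])
    if divisor == 0:
        raise ValueError("divide must not be zero")
    # One decimal place, truncated (assumption: 3752690.4 / 1048576 = 3.578... is shown as 3.5).
    shown = (value / divisor).quantize(Decimal("0.1"), rounding=ROUND_DOWN)
    text = str(shown)
    if opts["showuom"] != "0":
        unit = opts["datauom"] or uom
        if unit:
            text = f"{text} {unit}"
    return text


if __name__ == "__main__":
    for opts in ("showuom=1 divide=1048576 datauom=Mb string=traffic_in",
                 "showuom=1 divide=1048576 datauom=Mb string=traffic_out",
                 "divide=10 datauom=C string=ups_temp",
                 "showuom=0 divide=10 string=ups_temp"):
        print(opts, "->", render_raw_number(SAMPLE_PERFDATA, opts))
```

The two gadget_opts lines from the example above produce "3.5 Mb" and "1.0 Mb" against the sample string, and the UPS options with divide=10 turn a raw 253 into "25.3 C" (or "25.3" with showuom=0).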

[image: image1]

Here is another example from a UPS. These use divide=10 to format them correctly.

[image: image2]

Download the below file and extract the contents into your Nagvis gadgets directory (likely something like /usr/share/nagvis/share/userfiles/gadgets). Be sure to back up the original files first in case something goes wrong.

Download rawNumbers.zip

Hopefully these changes will come in handy for someone else.