Network management: Difference between revisions
m →Tray |
|||
| (10 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
= Defense = | |||
== Block all packets from a 1.2.3.0/24 == | |||
<source lang="console"> | |||
$ sudo iptables -I INPUT -s 117.25.128.0/24 -j DROP | |||
</source> | |||
= Tray = | |||
== Making a samba share == | == Making a samba share == | ||
| Line 5: | Line 17: | ||
at the end of <span class="shell">/etc/samba/smb.conf</span> add a share config. | at the end of <span class="shell">/etc/samba/smb.conf</span> add a share config. | ||
< | <source lang="properties"> | ||
[ea] | [ea] | ||
comment = pistis - echo admin | comment = pistis - echo admin | ||
| Line 12: | Line 24: | ||
read only = No | read only = No | ||
create mask = 0755 | create mask = 0755 | ||
</ | </source> | ||
then add the Samba account. | then add the Samba account. | ||
< | <source lang="bash"> | ||
$ sudo smbpasswd -a mhan | $ sudo smbpasswd -a mhan | ||
</ | </source> | ||
then restart samba | then restart samba | ||
< | <source lang="bash"> | ||
$ sudo systemctl restart smbd.service nmbd.service | $ sudo systemctl restart smbd.service nmbd.service | ||
</ | </source> | ||
then on Windows execute the following. For the username, you may have to enter it in the form <span class="package">mhan@pistis</span> or <span class="package">pistis\mhan</span>. Enter the password you used when you added the Samba account for the user. | then on Windows execute the following. For the username, you may have to enter it in the form <span class="package">mhan@pistis</span> or <span class="package">pistis\mhan</span>. Enter the password you used when you added the Samba account for the user. | ||
< | <source lang="doscon"> | ||
C:\>net use Z: \\pistis\ea /savecred /persistent:yes | C:\>net use Z: \\pistis\ea /savecred /persistent:yes | ||
</ | </source> | ||
== Checking the accessibility of a port through the network == | == Checking the accessibility of a port through the network == | ||
| Line 45: | Line 58: | ||
<source lang="bash"> | <source lang="bash"> | ||
$ traceroute pisteo.example.com | $ traceroute pisteo.example.com | ||
</source> | |||
== Get public IP address from CLI == | |||
<source lang="console"> | |||
$ dig +short myip.opendns.com @resolver1.opendns.com // this one doesn't seem to work | |||
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}' | |||
$ wget -qO- http://ipecho.net/plain | xargs echo | |||
</source> | |||
== Query DNS record == | |||
<source lang="console"> | |||
$ dig +short -t txt _acme-challenge.domain.com | |||
"kjg8gWocWWlJXrQIVYsxT1b7JkPsQoI2iJlsaetnOAU" | |||
$ host -t txt _acme-challenge.domain.com | |||
_acme-challenge.domain.com descriptive text "kjg8gWocWWlJXrQIVYsxT1b7JkPsQoI2iJlsaetnOAU" | |||
</source> | |||
== Get local IP address from CLI == | |||
<source lang="console"> | |||
$ hostname -I | awk '{print $1}' | |||
192.168.86.21 | |||
</source> | |||
== Get server certificate fingerprint == | |||
<source lang="console"> | |||
$ gnutls-cli --insecure vpn.server.edu | |||
Processed 0 CA certificate(s). | |||
Resolving 'vpn.server.edu'... | |||
Connecting to '129.24.220.45:443'... | |||
- Certificate type: X.509 | |||
- Got a certificate list of 1 certificates. | |||
- Certificate[0] info: | |||
- subject `C=US,postalCode=12331,ST=VA,L=Springfield,street=1 University of Muchakan,O=University of Muchakan,OU=IT,CN=vpn.server.edu', issuer `C=US,ST=MI,L=Ann Arbor,O=Internet2,OU=InCommon,CN=InCommon RSA Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-04 00:00:00 UTC', expires `2020-04-03 23:59:59 UTC', SHA-1 fingerprint `9521c4b9db51e376a9527ca38d46925e09e171f1' | |||
Public Key ID: | |||
4390f7806426e1db181442a4b31dfe2887fb5b33 | |||
Public key's random art: | |||
+--[ RSA 2048]----+ | |||
| o+ =+=o | | |||
| . + +o.o | | |||
|o . o ..o | | |||
| = . = . . | | |||
|. o o . S | | |||
| . o . | | |||
|o o o | | |||
| + oE | | |||
|..o... | | |||
+-----------------+ | |||
- Status: The certificate is NOT trusted. The certificate issuer is unknown. | |||
*** PKI verification of server certificate failed... | |||
- Description: (TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256) | |||
- Session ID: BB:02:45:FF:1D:DB:E9:D3:25:FF:BA:80:8B:45:01:FF:27:04:26:41:50:A8:9D:9A:E6:62:C8:0F:50:4D:85:9B | |||
- Version: TLS1.2 | |||
- Key Exchange: RSA | |||
- Cipher: AES-128-CBC | |||
- MAC: SHA256 | |||
- Compression: NULL | |||
- Options: safe renegotiation, | |||
- Handshake was completed | |||
- Simple Client Mode: | |||
^C | |||
$ | |||
</source> | |||
== Network tracing using tools built in to Windows == | |||
<source lang="dos"> | |||
c:\files> netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=no traceFile=C:\Temp\NetTrace.etl | |||
</source> | </source> | ||
Latest revision as of 18:45, 24 March 2021
Defense
Block all packets from a 1.2.3.0/24
$ sudo iptables -I INPUT -s 117.25.128.0/24 -j DROP
Tray
- Last tested on Ubuntu 16.04 LTS (xenial) & Windows 10.0.10586
at the end of /etc/samba/smb.conf add a share config.
[ea]
comment = pistis - echo admin
path = /var/www/ea
admin users = mhan
read only = No
create mask = 0755
then add the Samba account.
$ sudo smbpasswd -a mhan
then restart samba
$ sudo systemctl restart smbd.service nmbd.service
then on Windows execute the following. For the username, you may have to enter it in the form mhan@pistis or pistis\mhan. Enter the password you used when you added the Samba account for the user.
C:\>net use Z: \\pistis\ea /savecred /persistent:yes
Checking the accessibility of a port through the network
Checking if port 8080 is accessible on pisteo.example.com
$ sudo hping3 -T -t 1 -p 8080 pisteo.example.com
Tracing a route
$ traceroute pisteo.example.com
Get public IP address from CLI
$ dig +short myip.opendns.com @resolver1.opendns.com // this one doesn't seem to work
$ dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}'
$ wget -qO- http://ipecho.net/plain | xargs echo
Query DNS record
$ dig +short -t txt _acme-challenge.domain.com
"kjg8gWocWWlJXrQIVYsxT1b7JkPsQoI2iJlsaetnOAU"
$ host -t txt _acme-challenge.domain.com
_acme-challenge.domain.com descriptive text "kjg8gWocWWlJXrQIVYsxT1b7JkPsQoI2iJlsaetnOAU"
Get local IP address from CLI
$ hostname -I | awk '{print $1}'
192.168.86.21
Get server certificate fingerprint
$ gnutls-cli --insecure vpn.server.edu
Processed 0 CA certificate(s).
Resolving 'vpn.server.edu'...
Connecting to '129.24.220.45:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `C=US,postalCode=12331,ST=VA,L=Springfield,street=1 University of Muchakan,O=University of Muchakan,OU=IT,CN=vpn.server.edu', issuer `C=US,ST=MI,L=Ann Arbor,O=Internet2,OU=InCommon,CN=InCommon RSA Server CA', RSA key 2048 bits, signed using RSA-SHA256, activated `2019-04-04 00:00:00 UTC', expires `2020-04-03 23:59:59 UTC', SHA-1 fingerprint `9521c4b9db51e376a9527ca38d46925e09e171f1'
Public Key ID:
4390f7806426e1db181442a4b31dfe2887fb5b33
Public key's random art:
+--[ RSA 2048]----+
| o+ =+=o |
| . + +o.o |
|o . o ..o |
| = . = . . |
|. o o . S |
| . o . |
|o o o |
| + oE |
|..o... |
+-----------------+
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
- Description: (TLS1.2)-(RSA)-(AES-128-CBC)-(SHA256)
- Session ID: BB:02:45:FF:1D:DB:E9:D3:25:FF:BA:80:8B:45:01:FF:27:04:26:41:50:A8:9D:9A:E6:62:C8:0F:50:4D:85:9B
- Version: TLS1.2
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA256
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed
- Simple Client Mode:
^C
$
Network tracing using tools built in to Windows
c:\files> netsh trace start scenario=NetConnection capture=yes report=yes persistent=no maxsize=1024 correlation=no traceFile=C:\Temp\NetTrace.etl