Friday, November 6, 2009

The time for IPv6 is now!

SkyHi @ Friday, November 06, 2009
As many of you know, we are running out of IPv4 addresses, 800 days is what is left for IANA's global pool of available IPv4 addresses. It's not the question if we will going to run out, it's more a matter of when is it going to happen in 2010 or 2011? This is not to far away from now, so it is time to think about the consequences? At a first glance it doesn't seem to impact us, BC universities or BCNET much. We have more than enough IPv4 addresses left, so what's the problem here?
Obviously there's an immediate problem for new Internet users like startup companies who need address space for their products. And let's not forget about developing countries that are in high demand of IP addresses. Also think about future developments such as every cell phone with an IP address, that would greatly increase the demand for IP addresses. So yes there's a real problem for those cases, the only 'real' solution for them is to use IPv6, basically because they have no other choice.

Now just think one step further. What does that mean if the new youtube can't get IPv4 addresses? yes it will probably use IPv6 addresses. And guess what, our students of course want to be able to reach this "new youtube", but they can't because we (universities in BC) only provide IPv4 access because we thought we didn't have a problem with IPv4 addresses. And all of a sudden we do need IPv6 access! Not because we have a shortage of addresses, but because other parts of the world do have a shortage and we want to be able to communicate with all hosts on the Internet. Imagine a future student for example in china or japan wants to visit the UBC website for information about our programs. But guess what, they can't reach our IPv4 website, because they only have IPv6 access from home or new Iphone. Just a few examples of the need for IPv6 support also in parts of the Internet where we have enough addresses for future use.

What would you answer your CTO if he/she asks you what your IPv6 plans are? "Eeh plan??, I thought that was something for researchers only?" No, IPv6 is no longer a research project and we shouldn't look at it like that. We don't start upgrading our networks to 10gbs when the links are congested, we plan ahead, so that this doesn't happen. They same should be the case for IPv6. We shouldn't wait till the problem presents its self and forcing us to come up with a solution. It's exactly the same for IPv6, we should carefully plan this and gradually roll out IPv6 support and the time to do that is now.

Some of you might have heard translation mechanism. I wouldn't want to bet on IPv4 -IPv6 translation mechanisms (comparable to NAT) which are currently being standardized. If circumstances allow you you really want to go for native (dualstack) connectivity. BCNET is IPv6 ready and we can connect your universities today! Today is the day to start testing, experimenting so that next year you'll be ready to serve your costumers with IPv6 connectivity. Remember that IPv6 is not an extra fancy feature like multicast, it's going to be basic functionality soon, very soon!

Reference: https://wiki.bc.net/atl-conf/display/~atoonk/2008/11/12/The+time+for+IPv6+is+now!

Bypassing firewalls with IPv6 tunnels

SkyHi @ Friday, November 06, 2009
Hello, it's Ryan. We've talked about IPv6 in blog entries and vulnerability notes before. But instead of focusing on IPv6 vulnerabilities, this blog entry will show how functional IPv6 tunneling protocols can be used to bypass IPv4-only firewalls and ACLs. If you'd like a demonstration, watch this video that we created.

For some background information, you may want to review Wikipedia's definition of IPv6 and our blog entry explaining why you should care about it. This post is primarily for users who may have IPv6 on their systems but have not actually deployed it.

To investigate IPv6 tunnels' effect on firewalls, we created a test to see how an IPv6 Teredo-compatible tunnel can be used to trivially bypass an IPv4-only firewall. The video referenced in the first paragraph shows our whole exercise in real time. We used a typical iptables firewall and appended the following rules to reject TCP connections that have the string "google" anywhere in the packet:

iptables -A OUTPUT -p tcp -m string --algo bm --string "google" -j REJECT
iptables -A INPUT -p tcp -m string --algo bm --string "google" -j REJECT

The rules work; browser connections to www.google.com fail. But the rules produce a large number of false positives, won't catch HTTPs connections, and are "expensive" to process, so don't paste them into your iptables script.

Lines 1-5 of this packet capture show exactly how the REJECT rule works (connections are closed, not discarded). There are also some interesting packets on lines 6 and 7. The packets in these lines are IPv6 packets being transported by IPv4 UDP. More specifically, the lines show a router solicitation (us asking for an IPv6 address) and a router advertisement (a router offering an IP prefix).

To see what happens when we browse to an IPv6-enabled website, let's go to http://ipv6.google.com. Looking at the capture file, you can see that the connection was successful. The HTTP GET string was transferred inside of a UDP packet and didn't trigger the iptables rules that were searching for that string inside of TCP packets (line 22).

We've illustrated the potential problem, but what about a solution? Trying to block ports can be effective but is likely to only work for specific brokers who are using the expected ports. Consider the following alternatives:

* IPv6-aware host-based firewalls can be effective. In our example, calling the ip6tables rules below would have blocked connections to http://ipv6.google.com.

ip6tables -A OUTPUT -p tcp -m string --algo bm --string "google" -j REJECT
ip6tables -A INPUT -p tcp -m string --algo bm --string "google"-j REJECT
*

If you're trying to block IPv6 tunnels on the network, you could look for router advertisements or solicitations. Those messages are sent to the all-nodes multicast address ff02::1. Here is an un-optimized example iptables rule that uses iptables:

iptables -I FORWARD 1 -p udp --dport 1024: -m string --hex-string "|ff 02 00 00 00 00 00 00 00 00 00 00 00 00 00 02|" --algo bm -j REJECT

One of our readers pointed out that blocking local IPv6 traffic could cause an operating system to activate an IPv6 tunnel. He is correct; however, this rule should not interfere with native IPv6—it only applies to IPv4 UDP connections that are going between two interfaces (the FORWARD chain).

*

We've heard that IPFilter development version 5.06 will decapsulate IPv6 in IPv4 packets and apply filtering rules. The following syntax, which we haven't tested, might block IPv6 in IPv4 tunnels:

decapsulate in on bge0 family inet6 proto ip all head ipinip6
block in all group ipinip6

*

Evan Wright from our Network Situational Awareness team pointed out that blocking protocols at border routers can stop some types of IPv6 connectivity. Using access control lists at border routers to block protocols 41 (used by 6to4), 43, 44, 58, 59, 60, and 192.88.99.1 (default anycast address of some 6to4 systems) would be a good place to start. Shown as an iptables example, it would look like this:

iptables -A FORWARD -p 41 -j REJECT
iptables -A FORWARD -p 43 -j REJECT
iptables -A FORWARD -p 44 -j REJECT
iptables -A FORWARD -p 58 -j REJECT
iptables -A FORWARD -p 59 -j REJECT
iptables -A FORWARD -p 60 -j REJECT

These examples may not directly apply to your network, but hopefully they illustrated the problem and gave you some suggestions that you can use as a starting point for improving the security of your firewalls.


Reference: http://www.cert.org/blogs/vuls/2009/04/bypassing_firewalls_with_ipv6.html

Managing IPv6

SkyHi @ Friday, November 06, 2009
Managing IPv6 - Part 1
By Ryan Giobbi on August 19, 2009 10:07 AM | Permalink

This entry is the first in a series about securely configuring the IPv6 protocol on selected operating systems. Although this entry focuses on how to disable IPv6, we are not recommending that everyone immediately disable IPv6. However, if critical parts of your infrastructure (firewall, IDS, etc.) do not yet fully support the IPv6 protocol, consider disabling IPv6 until those components can be upgraded.

The following are some of the reasons why an administrator would want to disable IPv6:

* Many networks have IPv6 connectivity running on their LAN but do not have IPv6 WAN connectivity. Programs may see the connectivity on the LAN and unsuccessfully attempt to use IPv6 to connect to remote IPv6-enabled servers.
* Local IPv6 traffic might be able to bypass IDS systems or other low-layer network defenses.
* Operating systems may obtain global (publicly reachable) IPv6 addresses by creating tunnels.
* Running an additional protocol increases a system's attack surface.
* Global addressing restores end-to-end connectivity.

There are also more than a couple of reasons why an administrator wouldn't want to disable IPv6 connectivity:

* The network has full IPv6 connectivity, and software on the network actively uses some of the features (usually the large pool of global addresses) found only in IPv6.
* Network services running on the LAN are actively using IPv6.
* The network is designed to be a "dump pipe," and the administrator is expected to not interfere with passing traffic.
* Global addressing restores end-to-end connectivity.

Below are instructions for disabling IPv6 on some popular operating systems. At the bottom of the entry are links to scripts that you can run from the command line.



Disabling IPv6 via firewalls or access control lists

To disable IPv6 at a router or firewall, block protocols 41, 43, 44, 58, 59, and 60 as well as UDP ports 3544 and 3545. This firewall policy will likely miss some tunneled and non-routed IPv6 traffic (such as Teredo-compatible tunnels on non-standard ports) running on the local network.

There is too much variation in firewall syntax for us to list rules for every vendor; instead, we've written a few rules in Cisco's ACL syntax and included an ip6tables script linked at the bottom of this page.

access-list ipv6 deny 41 any any
access-list ipv6 deny 43 any any
access-list ipv6 deny 44 any any
access-list ipv6 deny 58 any any
access-list ipv6 deny 59 any any
access-list ipv6 deny 60 any any
access-list ipv6 deny udp any any eq 3544
access-list ipv6 deny udp any any eq 3545



Disabling IPv6 on Windows XP and Server 2003

The easiest way to disable IPv6 on Windows XP and Server 2003 is to run this command from a prompt with administrator privileges and reboot:

netsh.exe interface ipv6 uninstall



Disabling IPv6 on Windows Vista and Server 2008

The IPv6 protocol cannot be uninstalled from Windows Vista. The most effective way of disabling it is to edit the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents]
"Compatibility Flags"=dword:0xFFFFFFFF

If you don't want to edit the registry, the following netsh commands will effectively block IPv6. Note to administrators: using the "domain profile" feature of the Windows firewall will allow you to create rules that block IPv6 connectivity based on whether the user is authenticated to your domain.

netsh advfirewall firewall add rule name "IPv6" protocol=icmpv6 dir=out action=block
netsh advfirewall firewall add rule name "IPv6" protocol=icmpv6 dir=in action=block
netsh advfirewall firewall add rule name "IPv6" action=block protocol=41 dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 43" protocol=43 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 44" protocol=44 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 58" protocol=58 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 59" protocol=59 action=block dir=out
netsh advfirewall firewall add rule name="IPv6 protocol 60" protocol=60 action=block dir=out



Disabling IPv6 on Red Hat Enterprise Linux 5

1. Edit /etc/sysctl.conf
2. Append "net.ipv6.conf.all.disables_ipv6 = 1"
3. Execute "sysctl -p" as root

You can modify "net.ipv6.conf.all.disables_ipv6 = 1" for a specific interface (e.g., "net.ipv6.conf.eth1.disables_ipv6 = 1") to selectively disable IPv6 on that interface.

The following steps will disable IPv6 connectivity on all interfaces:

1. Edit /etc/modprobe.conf
2. Append "alias net-pf-10 off"
3. Execute the command "modprobe -a" as root

For those of you who really want to disable IPv6, add these lines to your iptables scripts:

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

ip6tables -I INPUT -p all -j DROP
ip6tables -I OUTPUT -p all -j DROP



Disabling IPv6 on Ubuntu Linux (version 9.04)

1. Edit /etc/sysctl.conf
2. Append "net.ipv6.conf.all.disable_ipv6 = 1"
3. Execute "sysctl -p" as root

You can modify "net.ipv6.conf.all.disable_ipv6 = 1" for a specific interface (e.g., "net.ipv6.conf.eth1.disable_ipv6 = 1") to selectively disable IPv6 on that interface.

The following steps will disable IPv6 connectivity on all interfaces:

1. Edit /etc/modprobe.d/blacklist
2. Append "blacklist ipv6"
3. Execute the command "modprobe -a" as root

Ubuntu users who run UFW can check /etc/default/ufw. If IPV6=no, you can block IPv6 connectivity with this command:

sudo ufw disable && sudo ufw enable



Scripts

Here are files you can use to disable IPv6. As with all scripts, make sure you understand the implications before running these on your system.

* ip6tables router/firewall shell script
* batch file to disable on Windows XP and Server 2003
* reg file to disable IPv6 on Windows Vista and Server 2008 (Microsoft has published instructions on how to import. Also see the instructions in the solution section of TA09-020A.)




Reference: http://www.cert.org/blogs/vuls/2009/08/managing_ipv6_part_i.html




Managing IPv6 - Part 2



Past entries have addressed both securing and disabling IPv6. This entry describes ways that administrators can secure their networks and generate test cases to test those settings.

Administrators and developers who work with IPv4 will notice that IPv6 has made some changes beyond offering many more addresses than IPv4. The following are some of the changes that have security impacts:

* Many hosts that currently have private IPv4 addresses will have global, publicly reachable addresses.
* ICMPv6 contains much of the functionality of DHCP in IPv4 and cannot easily be entirely filtered.
* IPv6 addresses can be predictable or partially random. Modern operating systems allow both, and there is a tradeoff between system management ease of use and user privacy.

These changes can cause problems. For example, a host that accepts any ICMPv6 type can be fingerprinted easily from remote systems. That might not be a problem for some networks, but it could be critical for others.

There are ways for administrators to handle these challenges. The examples below aren't universally applicable, so use them as a general guide.



Managing networks using global IPv6 addresses

Globally reachable addresses are not "hidden" in the same way as NAT addresses. To filter traffic destined to these clients, administrators can use application-layer proxy servers, stateful network filtering, or host-based firewalls.

Below is an example of filtering traffic to a globally reachable IPv6 address. For the purpose of these rules, 2001:1::/64 is the local network, eth0 is the LAN interface on a firewall, eth1 is the WAN interface on the firewall, and 2001:3::1 is an IPv6 address on the internet.

ip6tables -A FORWARD -p tcp -i eth0 -s 2001:1::/64 -p tcp -j ACCEPT
ip6tables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -p tcp -i eth1 --dport 3389 -s 2001:3::1 -j ACCEPT
ip6tables -A FORWARD -p tcp -i eth1 -m state --state NEW,INVALID -j DROP

The following is an explanation of what's happening in these rules, based on the behavior of a typical router doing NAT.

ip6tables -A FORWARD -p tcp -i eth0 -s 2001:1::/64 -p tcp -j ACCEPT
Pass any traffic that has entered on our LAN's ethernet interface (-i eth0) and that has a source address in the range our LAN is using (2001:1::/64).

ip6tables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
Pass any traffic that is part of an existing connection.

ip6tables -A FORWARD -p tcp -i eth1 --dport 3389 -s 2001:3::1 -j ACCEPT
Allow any traffic coming into our WAN interface (-i eth1) to pass through to our LAN if it matches the TCP port used for RDP (--dport 3389).

ip6tables -A FORWARD -p tcp -i eth1 -m state --state NEW,INVALID -j DROP
Drop all other traffic.

After configuring the firewall, administrators should test the ruleset to confirm it is working as expected. Two commonly used tools that can test IPv6 TCP and UDP policies are nmap and netcat6.

Building on the example above, let's imagine that a user logs into a host with IP address 2001:1::2/64 and starts a netcat listener on port 3389:

$ netcat6 -l -p 3389

A scan of that IP from any host on the internet other than 2001:3::1 should fail. This result can be verified with an nmap comand:

$ nmap -PN -sT 2001:1::2/64 -p 3389

Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-02 14:32 EDT
Interesting ports on 2001:1::2:
PORT STATE SERVICE



Filtering selected ICMPv6 types

The ICMPv6 protocol includes some great functionality. IANA maintains a list of ICMPv6 types and codes.

It is hard to make general statements about which ICMPv6 types should be allowed or denied. The following chart provides some guidance about reasonable firewall policies applied to ICMPv6 types. The types are listed based on whether or not the ICMPv6 type can typically be allowed or denied.
ICMPv6 types typically safe to allow
Purpose/Comments
1, Destination Unreachable general connectivity testing
2, Packet Too Big

sent by routers to notify a node that it should fragment the packets
3, Time Exceeded protects against routing loops
4, Parameter Problem error messages and handling
128, Echo Request ping
129, Echo Reply ping reply
133, Router Solicitation sent by clients to the all-nodes multicast address to request an IP address assignment
134, Router Advertisement

sent by routers to the all-nodes multicast address; clients can use the information in this message to generate an address
135, Neighbor Solicitation queries nodes for IP and connectivity information
136, Neigbor Advertisement

sends IP and connectivity information to other nodes

ICMPv6 types that can typically be denied
Purpose/Comments
137, Redirect

alerts clients to send traffic to another router, presumably one with a more direct route to the destination; like other ICMPv6 types listed, these messages are unauthenticated and could be malicious
138, Router Renumbering automatic reconfiguration of routers
139, Node Information Query allows a host to be fingerprinted
140, Node Information Response allows a host to be fingerprinted
151-154 deny by default
others not yet used, deny by default


We've talked about filtering ICMPv6 types before, so there's no reason to discuss it again. Instead, let's focus on some test case generation options.

There don't seem to be many tools that can generate arbitrary ICMPv6 packets. One of the more commonly used tools is ping6 or ping -6. The ping command sends an echo request message to an individual IPv6 address. Creating arbitrary ICMPv6 types requires a different tool.

Newer versions of the scapy packet crafting tool can be used to generate most ICMPv6 types. Here's an example of typical scapy usage:

# scapy
Welcome to Scapy (2.0.1-dev)
>>> a=IPv6(dst="2001:1::2")/ICMPv6ND_Redirect()
>>> send(a)

To list the available ICMPv6 types (layers), use the ls() command:

>>> ls()
ARP : ARP
ASN1_Packet : None
BOOTP : BOOTP
CookedLinux : cooked linux
...
ICMPerror : ICMP in ICMP
ICMPv6DestUnreach : ICMPv6 Destination Unreachable
ICMPv6EchoReply : ICMPv6 Echo Reply
ICMPv6EchoRequest : ICMPv6 Echo Request
ICMPv6HAADReply : ICMPv6 Home Agent Address Discovery Reply
ICMPv6HAADRequest : ICMPv6 Home Agent Address Discovery Request
ICMPv6MLDone : MLD - Multicast Listener Done
ICMPv6MLQuery : MLD - Multicast Listener Query
ICMPv6MLReport : MLD - Multicast Listener Report
...

To view what parameters a layer will take, use the ls() command again:

>>> ls(ICMPv6ND_Redirect())
type : ByteEnumField = 137 (137)
code : ByteField = 0 (0)
cksum : XShortField = None (None)
res : XIntField = 0 (0)
tgt : IP6Field = '::' ('::')
dst : IP6Field = '::' ('::')

This information can be used when creating packets to allow greater control over specific packets:

a=IPv6(dst="2001:1::2")/ICMPv6ND_Redirect(tgt="2001:1::3")



Disabling/enabling privacy extensions

Currently, IPv6 addresses are typically assigned via stateless autoconfiguration, DHCPv6 or static assignment.

With stateless autoconfiguration, an operating system is expected to generate part (usually the lower 64-bits) of its address. If privacy extensions are enabled, the generated address will be pseudo-random. This is good for privacy but makes remote management difficult.

On Windows Server 2008, privacy extensions can be controlled with a netsh command:

C:\> netsh interface ipv6 privacy enabled|disabled

Linux users should check /proc/sys/net/ip6/conf (the exact location varies between distributions and kernel versions).

Testing the address status of other systems on the same Ethernet segment is possible, assuming that echo requests and replies are accepted on those machines. If the following commands run on a Linux system produce predictable addresses, privacy extensions are disabled:

$ ping6 -B -I eth0 -I [global IPv6 address attached to eth0] ff02::1
$ ip neighbor

Windows users can use these commands:

C:\> ping -S [global IPv6 address] -6 ff02::2
C:\> netsh interface ipv6 show neighbors


Reference: http://www.cert.org/blogs/vuls/2009/10/managing_ipv6_-_part_2.html

Invisible IPv6 traffic poses serious network threat

SkyHi @ Friday, November 06, 2009
* Social Web
* Email
* Close

Digg
Slashdot
Fark
Stumble
Reddit
MIXX
del.icio.us
Newsvine
Technorati
Facebook

Twitter
Your Name:
Your Email Address:
Recipient(s) Email Address:
(Comma separation for multiple addresses)
Your Message:


Invisible IPv6 traffic poses serious network threat
Odds are you have hidden tunnels on your network carrying IPv6 traffic--and possibly IPv6-based attacks
By Carolyn Duffy Marsan , Network World , 07/13/2009
Newsletter Signup

* Share/Email
* Tweet This
* Comment
* Print

IPv6 — the next-generation Internet protocol — isn't keeping too many U.S. CIOs and network managers up worrying at night. But perhaps it should.

View our slideshow on The Evolution of the Internet
See what's driving a Florida university to IPv6.

Experts say that most U.S. organizations have hidden IPv6 traffic running across their networks, and that few network managers are equipped to see, manage or block it. Increasingly, this rogue IPv6 traffic includes attacks such as botnet command and controls.

"If you aren't monitoring your network for IPv6 traffic, the IPv6 pathway can be used as an avenue of attack," says Tim LeMaster, director of systems engineering for Juniper's federal group. "What network managers don't understand is that they can have a user running IPv6 on a host and someone could be sending malicious traffic to that host without them knowing it."

Related Content

Most U.S. network managers are blind to rogue IPv6 traffic because they don't have IPv6-aware firewalls, intrusion detection systems or network management tools. Also, IPv6 traffic is being tunneled over IPv4 connections and appears to be regular IPv4 packets unless an organization has deployed security mechanisms that can inspect tunneled traffic. (See also: 5 of the biggest IPv6-based threats facing CIOs.)

"At least half of U.S. CIOs have IPv6 on their networks that they don't know about, but the hackers do," says Yanick Pouffary, technology director for the North American IPv6 Task Force and an HP Distinguished Technologist. "You can't ignore IPv6. You need to take the minimum steps to secure your perimeter. You need firewalls that understand IPv4 and IPv6. You need network management tools that understand IPv4 and IPv6."

"Although they're not thinking about IPv6, for most of the Fortune 500, it's in their networks anyways," agrees Dave West, director of systems engineering for Cisco's public sector group. "You may not see IPv6 today as a business driver. But like it or not, you are running IPv6 in your network."

IPv6 is the long-anticipated upgrade to the Internet's main communications protocol, known as IPv4. IPv6 features vastly more address space, built-in security and enhanced support for streaming media and peer-to-peer applications. Available for a decade, IPv6 has been slow to catch on in the United States. Now that unallocated IPv4 addresses are expected to run out in 2011, the pressure is on U.S. carriers and corporations to deploy IPv6 in the next few years.

IPv6-based threats are not well understood, but they are becoming more prominent. For example, the issue of IPv6-based attacks was raised at a June meeting of the National Security Telecommunications Advisory Committee, a high-level industry group that advises the White House about cybersecurity.

"We are seeing quite a bit of command and control traffic that is IPv6," says Jason Schiller, senior Internet network engineer, global IP network engineering for the public IP network at Verizon Business. "Hackers are trying to leverage IPv6 to fly under the radar. We're seeing a lot of bot networks where the command and control is under IPv6. We're also seeing illegal file sharing that leverages IPv6 for peer-to-peer communications."

Rogue IPv6 traffic is an emerging threat for network managers. The biggest risk is for organizations that have decided to delay IPv6 deployment because they don't see a business driver for the upgrade – a category that includes most U.S. corporations.

U.S. federal agencies are in a better position to protect themselves against IPv6-based threats because they have enabled IPv6 across their backbone networks. Federal agencies are moving ahead with plans to integrate IPv6 into their enterprise architectures and capital investments.

Rogue IPv6 traffic "is a very real threat," says Sheila Frankel, a computer scientist in the Computer Security Division of the National Institutes of Standards and Technology (NIST).

"People can have IPv6 running on their networks and not know it. Computers and other devices can ship with IPv6 turned on. Ideally, if you're not prepared to protect against IPv6, it should be turned off for all the devices on your network. You need to be prepared to block it at your perimeter. You want to block it coming in and going out," Frankel says.

Frankel recommends that organizations that don't want to run IPv6 in production mode buy firewalls and intrusion-prevention systems that can block both native and tunneled IPv6 traffic.

"You should be blocking not only pure IPv6 traffic but also IPv6 traffic tunneled inside of other traffic," Frankel says. "Network operators have to be aware of the ways IPv6 would normally be tunneled in IPv4 traffic and in the different types of transition mechanisms, and they have to become aware of the rules necessary to block these various classes of traffic."

Where does rogue IPv6 traffic come from?

IPv6 traffic gets on your network because many operating systems–including Microsoft Vista, Windows Server 2008, Mac OS X, Linux and Solaris — ship with IPv6 enabled by default. Network managers have to disable IPv6 on every device that they install on their networks or these devices are able to receive and send IPv6 traffic.

"We're probably talking about 300 million systems that have IPv6 enabled by default," estimates Joe Klein, director of IPv6 Security at Command Information, an IPv6 consultancy. "We see this as a big risk."

Experts say it's likely that network managers will forget to change the IPv6 default settings on some desktop, server or mobile devices on their networks. At the same time, most organizations have IPv4-based firewalls and network management tools that don't automatically block IPv6 traffic coming into their networks.

"The most common IPv6-based attacks that we're seeing right now are when you have devices on the edge of your network that are dual stack, which means they're running IPv4 and IPv6. If you only have an IPv4 firewall, you can have IPv6 running between you and the attacker," Klein says. "The attacker is going through your firewall via IPv6, which at that point is wide open."


Page 2 of 2

Another common problem is IPv6 traffic tunneled over IPv4 using such techniques as Teredo, which is supported by Microsoft, or the alternative 6to4 and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) approaches.

"The typical IPv4 security devices are not tuned to look for IPv6 tunnels," Klein says. "They offer very weak defense, which is kind of scary."

Klein says the only way network managers can discover IPv6 devices on their network is to run IPv6. Even then, it's extremely difficult to discover IPv6 tunnels.

"You might be able to find the top three tunnels but not all the other sub-tunnels," Klein says. "You can tunnel IPv6 over HTTP over IPv4. How are you going to find that?"

Related Content

To battle these threats, Command Information is offering software called Assure6, which operates in conjunction with deep packet inspection systems to identify IPv6 traffic tunneled over IPv4. Similarly, the McAfee Network Security Platform offers full IPv6 and tunnel inspection. Cisco and Juniper offer IPv6-enabled routers, firewalls and other systems that allow network managers to set IPv6-related security policies.

Klein says he gets one or two calls a month from organizations that have been attacked through rogue IPv6 traffic.

"One of our honeypots that we have set up saw a botnet using an IPv6-only attack," Klein says. "It was hiding itself as IPv4 through our router, and it was attacking and issuing command and controls to a botnet in the Far East."

The number of IPv6 attacks is small but growing, LeMaster says.

"There are fewer people that have IPv6 enabled, so it's not as rich a target as IPv4," LeMaster adds. "The majority of the vulnerabilities are over HTTP. They're application related, where IPv6 is just the transport for those security concerns."

Frankel says IPv6-based threats are common enough that every network manager needs a plan for mitigating them.

"Nobody today will deny that they have to do something about viruses or about spam," Frankel adds. "It's fair to say that rogue IPv6 traffic is in this category of threats that's going to hit you if you ignore it."
To block or not to block IPv6

Experts disagree about whether it's best for network managers to block IPv6 traffic or to enable IPv6 traffic for monitoring purposes.

Most say that if an organization isn't prepared to support IPv6, it should block IPv6 traffic coming into and leaving its network using IPv6-enabled routers, firewalls, intrusion-prevention systems and intrusion-detection systems.

Network managers "should be creating policies…that look for IPv6 traffic and if they see it to drop that packet," LeMaster says. "Within their security incident manager solution they need to look at the profiles of traffic coming into their network. They need that visibility. If they see IPv6 traffic, they need to find out what host it's coming from or going to, and turn that traffic off."

But these experts admit that blocking IPv6 traffic is a temporary solution because a growing number of your customers and business partners will be supporting IPv6.

"If you're not prepared for IPv6, then the prudent thing to do is not to allow it into your network," LeMaster says. "But you shouldn't be blocking all IPv6 traffic for the next five years. You should only block it until you have a policy and understand the threats."

Long term, the better solution is to start running IPv6 so you can gain visibility into your IPv6 traffic and experience with the new protocol, experts say.

"We don't recommend that you block IPv6 traffic. We are recommending that you do an audit and find out how many IPv6 devices and applications are on your network. If you have IPv6 traffic on your network, then you've got to plan, train and implement IPv6," says Lisa Donnan, vice president of advanced technology solutions at Command Information.

Cisco recommends that its customers adopt the same security policies for IPv4 and IPv6, and that these policies be implemented using a layered approach.

"Configuration management, configuration control and policy are going to be pretty critical now as all of these IPv6 devices just show up on the network," West says. "Configuration management may be the largest threat we have around IPv6."

Frankel says now is the time for corporations to start training staff in IPv6 and getting experience with IPv6 so they can protect themselves against IPv6-based attacks.

"Companies need to acquire a minimal level of expertise in IPv6, which will help protect them against threats," Frankel says. "The other thing they should do is to take their outward-facing servers, those that are external to the corporation's firewalls, and enable IPv6 on them. That way customers from Asia with IPv6 addresses will be able to reach these servers and their own people will acquire expertise in IPv6. This will be a first step in the process."

IPv6 is "coming," Frankel says. "The best way is to face it head on and to decide you're going to do it in the most secure manner possible."


Reference: http://www.networkworld.com/news/2009/071309-rogue-ipv6.html?page=2

Using ACLs setfacl getfacl

SkyHi @ Friday, November 06, 2009
By Van Emery
Table of Contents

* Introduction
* Assumptions
* Getting Started
* Using ACLs
* More setfacl Details and Examples
* Example Scenario
* The Default ACL
* Using cp and mv with ACLs
* Copying ACLs
* Archive and Restore Files with ACLs
* XFS Notes
* Final Notes
* Additional Resources


Introduction

What are ACLs and why would you want to use them?

ACLs are Access Control Lists for files and directories. They are based on the IEEE's POSIX 1003.1e draft 17, also known simply as POSIX.1e. ACLs are an addition to the standard Unix file permissions (r,w,x,-) for User, Group, and Other. ACLs give users and administrators flexibility and fine-grained control over who can read, write, and execute files. This can all be done without adding mysterious groups and pestering the system administrator.

Commercial Unix operating systems (except SCO) have all had ACL functionality for quite awhile. Microsoft's NTFS also has similar capabilities. FreeBSD 5.x supports POSIX.1e ACLs as well. The new Linux 2.6 kernel supports ACLs for EXT2, EXT3, XFS, JFS, and ReiserFS.

Fedora Core 2, Red Hat's first distribution with a 2.6 kernel, is a good vehicle for taking Linux ACLs for a test drive. This document is a basic HOWTO/tutorial on using ACLs with Fedora.
Assumptions

* You are using Fedora Core 2
* You have another partition besides /, /boot, and swap defined, or some unpartitioned free space on one of your disks
* You are using the EXT2, EXT3, or XFS filesystems
* You can login as root

If you have no free space on the disk, and all of your files and binaries are located in the root ( / ) partition, then you may not want to experiment with ACLs.

Note: Both JFS and ReiserFS can support ACLs under Linux, but Fedora Core 2 does not appear to support it. ReiserFS cannot be mounted with the "acl" option, and jfs_mkfs appears to be seriously broken. Therefore, this HOWTO will be limited to EXT2, EXT3, and XFS.
Getting Started

Assuming you have an EXT2 or EXT3 partition that you are willing to use for testing, we can get started. On my test machine, I have the following available partitions:

* /dev/hda5 /home (ext3)
* /dev/hda9 /XFS (xfs)

For the examples in this HOWTO, I will be using the home directory of user "tristan", which is /home/tristan. Note that this directory belongs to a separate Linux partition, not the the root ( / ) partition. If you have some extra unpartitioned space on one of your disks, this would be a good time to create a test partition. You can do this with the fdisk command, then you can format it with the mke2fs command. Make sure you read up on all the required steps before you do this, otherwise you can nuke your system, disk, or data!

If you did not install Fedora Core 2 with the "XFS" option, but you want to try ACLs on XFS, take a look at the XFS Notes section.

You will need to unmount the partitions of your choice, and then remount them with the "acl" option. First, I made a copy of my /etc/fstab file:

[root@fc2 root]# cp -v /etc/fstab /etc/fstab.org
`/etc/fstab' -> `/etc/fstab.org'

Then, I made the following modifications in red to the /etc/fstab config file. For clarity, I am only including hard disk entries:

LABEL=/ / ext3 defaults 1 1
LABEL=/boot /boot ext3 defaults 1 2
LABEL=/home /home ext3 rw,acl 1 2
LABEL=/tmp /tmp ext3 defaults 1 2
LABEL=/usr /usr ext3 defaults 1 2
LABEL=/var /var ext3 defaults 1 2
/dev/hda8 swap swap defaults 0 0
/dev/hdd1 /Data ext3 ro,noatime 1 2
LABEL=/XFS /XFS xfs rw,noatime 0 2

Now, you will need to remount the /home partition with the "acl" option. The easiest way to do this is with the "remount" option, since it will work even while the partition is in use:

[root@fc2 root]# mount -v -o remount /home
/dev/hda5 on /home type ext3 (rw,acl)

Another way to remount the partition with the "acl" option is to make sure that nobody else is on the sytem and the /home partition is not in use, then unmount, then mount the partition:

[root@fc2 root]# umount /home
[root@fc2 root]# mount /home

[root@fc2 root]# mount -l
/dev/hda2 on / type ext3 (rw) [/]
/dev/hda1 on /boot type ext3 (rw) [/boot]
/dev/hda5 on /home type ext3 (rw,acl) [/home]
/dev/hda7 on /tmp type ext3 (rw) [/tmp]
/dev/hda3 on /usr type ext3 (rw) [/usr]
/dev/hda6 on /var type ext3 (rw) [/var]
/dev/hdd1 on /Data type ext3 (ro,noatime) []
/dev/hda9 on /XFS type xfs (rw,noatime) [/XFS]

If you had trouble unmounting your target partitions, you may need to drop to single user mode with the init 1 command. This should allow you to unmount the filesystems. After that, you can remount the filesystems and issue an init 3 or init 5 command to put you back into your regular operating environment.
Using ACLs

Now, we can actually start using ACLs. The basic commands that we are interested in are:

* getfacl
* setfacl

We will first look at the getfacl command. The owner of the directory we will be working with is "tristan", and the guest user will be "axel" and the guest group will be "lensmen". First, create a test file, then look at the permissions and the ACL:

[tristan@fc2 tristan]$ cd /home/tristan
[tristan@fc2 tristan]$ cp /etc/services pizza

[tristan@fc2 tristan]$ ls -l pizza
-rw-r--r-- 1 tristan tristan 19936 May 28 16:59 pizza

[tristan@fc2 tristan]$ getfacl pizza
# file: pizza
# owner: tristan
# group: tristan
user::rw-
group::r--
other::r--

So far, there is nothing very exciting to see. Now, let's change the ACL so that user "axel" can read and write to the file:

[tristan@fc2 tristan]$ setfacl -m u:axel:rw- pizza
[tristan@fc2 tristan]$ getfacl pizza
# file: pizza
# owner: tristan
# group: tristan
user::rw-
user:axel:rw-
group::r--
mask::rw-
other::r--

[tristan@fc2 tristan]$ ls -l pizza
-rw-rw-r--+ 1 tristan tristan 19936 May 28 16:59 pizza

You will notice that there is now an extra user entry in the ACL, and there is a "+" next to the file in the output from the ls command. The "+" indicates that an ACL has been applied to the file or directory. Now, let's add a group ("lensmen") and another user ("tippy") to the ACL for pizza:

[root@fc2 tristan]# setfacl -m u:tippy:r--,g:lensmen:r-- pizza

[root@fc2 tristan]# getfacl pizza
# file: pizza
# owner: tristan
# group: tristan
user::rw-
user:axel:rw-
user:tippy:r--
group::r--
group:lensmen:r--
mask::rw-
other::r--

Hmmm...what's the mask entry? This is the effective rights mask. This entry limits the effective rights granted to all ACL groups and ACL users. The traditional Unix User, Group, and Other entries are not affected. If the mask is more restrictive than the ACL permissions that you grant, then the mask takes precedence. For example, let's change the mask to "r--" and give user "tippy" and group "lensmen" the permissions rwx, and see what happens:

[tristan@fc2 tristan]$ setfacl -m u:tippy:rwx,g:lensmen:rwx pizza

[tristan@fc2 tristan]$ setfacl -m mask::r-- pizza

[tristan@fc2 tristan]$ getfacl --omit-header pizza
user::rw-
user:axel:rw- #effective:r--
user:tippy:rwx #effective:r--
group::r--
group:lensmen:rwx #effective:r--
mask::r--
other::r--

The ACL now shows an "effective" rights mask. Even though "tippy" has been given rwx permissions, he actually only has r-- permissions because of the mask.

In most cases, I want the effective mask to allow whatever permissions I granted to named users and groups, so my mask will be rw- or rwx. I will reset it like this:

[tristan@fc2 tristan]$ setfacl -m m::rw- pizza

[tristan@fc2 tristan]$ getfacl --omit pizza
user::rw-
user:axel:rw-
user:tippy:rw-
group::r--
group:lensmen:rwx #effective:rw-
mask::rw-
other::r--

What about using the setfacl command to change normal User, Group, and Other permissions? No problem! This can be used instead of chmod:

[tristan@fc2 tristan]$ setfacl -m u::rwx,g::rwx,o:rwx pizza

[tristan@fc2 tristan]$ ls -l pizza
-rwxrwxrwx+ 1 tristan tristan 19965 May 29 09:31 pizza

[tristan@fc2 tristan]$ getfacl --omit pizza
user::rwx
user:axel:rw-
user:tippy:rw-
group::rwx
group:lensmen:rwx
mask::rwx
other::rwx

Note that the mask changed! Whenever you change the permissions of a user or a group with setfacl, the mask is changed to match. Therefore, if you want a restrictive mask, it must be applied after the user and group permissions are modified.

Another thing to keep in mind is that the chmod command does not alter the file's ACL...the ACL information will remain intact, except that the mask entry can change as described above.
More setfacl Details and Examples

The setfacl command has many options. In this section, we will look at some of the more useful ones.
Remove Specific Entries from an ACL

You can remove specific ACL entries with the -x option. In this example, we will remove the entry for user "tippy" and user "axel" but leave the other entries alone:

[tristan@fc2 tristan]$ getfacl --omit pizza
user::rwx
user:axel:rw-
user:tippy:rw-
group::rwx
group:lensmen:rwx
mask::rwx
other::rwx

[tristan@fc2 tristan]$ setfacl -x u:tippy,u:axel pizza

[tristan@fc2 tristan]$ getfacl --omit pizza
user::rwx
group::rwx
group:lensmen:rwx
mask::rwx
other::rwx

Error:


drwxr-srwx+ 2 smbwi webdev 4.0K Nov 6 12:19 news
drwxr-srwx+ 2 smbwi webdev 20K Nov 6 12:20 items
drwxr-srwx+ 2 smbwi webdev 4.0K Nov 6 12:20 faq

Soluton:

Remove Entire ACL

To completely remove an ACL from a file or directory:

[tristan@fc2 tristan]$ setfacl -b pizza

You can also use:


[tristan@fc2 tristan]$ setfacl --remove-all pizza



Using the --set Option

If you want to explicitly set all of the file permissions on a file or a group of files, you must use the --set option. This is different from the -m option, which only modifies the existing ACL. The --set option replaces all permissions and ACLs with the new values. When you use the --set option, all of the User, Group, and Other permissions must be defined. Here is an example:

[tristan@fc2 tristan]$ setfacl --set u::rw,g::rw,o::-,u:tippy:r pizza

[tristan@fc2 tristan]$ getfacl --omit pizza
user::rw-
user:tippy:r--
group::rw-
mask::rw-
other::---

Using setfacl Recursively

If you want to apply ACLs to an entire directory and all of its subdirectories, use the -R option. Given the directory hierarchy /home/tristan/Level1/Level2/Level3/Level4, the following command will add an ACL entry for group "lensmen" to all of the Level* directories and their contents:

[tristan@fc2 tristan]$ setfacl -R -m g:lensmen:r-x /home/tristan/Level1

Using ACL Entries from a File:

What if you have a lengthy ACL that needs to be used frequently? Rather than typing it over and over again on the command line, you can save the ACL as a text file and use it to apply ACLs to other files. For example, we will create the ACL config file /home/tristan/myacl:

user:axel:rw-
user:tippy:rw-
group:lensmen:r--
group:marty:r--
group:fafnir:r--
mask::rw-
other::---

Now, we can easily apply these ACL modifications to files:

[tristan@fc2 tristan]$ setfacl -M myacl test*

[tristan@fc2 tristan]$ ls -l test*
-rw-rw----+ 1 tristan tristan 168 May 30 09:41 test1
-rw-rw----+ 1 tristan tristan 168 May 30 09:42 test2
-rw-rw----+ 1 tristan tristan 168 May 30 09:42 test3

[tristan@fc2 tristan]$ getfacl test1
# file: test1
# owner: tristan
# group: tristan
user::rw-
user:axel:rw-
user:tippy:rw-
group::rw-
group:marty:r--
group:lensmen:r--
group:fafnir:r--
mask::rw-
other::---

Note on UID, GID, and Permissions

When you are using setfacl, you can use numeric UIDs and GIDs instead of the actual names. The UIDs and GIDs do not have to exist yet. If you use names, then they must exist or you will get an error. You can use the

getfacl --numeric filename

command to view the numeric values.

Also, when you are specifying permissions, you can use octal permissions (0-7) instead of (r,w,x,-).
Example Scenario

Now that we have seen basic command usage, let's use a practical example to learn some more about ACLs. Tippy is working with Tristan on a project. He needs to be able to read, write, create, and delete files related to the project, which are located in Tristan's home directory. Tristan wants to do this without bothering the system administrator with requests for new groups and group membership changes. When the project is over, Tristan will remove the permissions for user "tippy" without bothering the sysadmin.

All of the project files are located in /home/tristan/Project. Here is how Tristan will handle the situation:

[tristan@fc2 tristan]$ setfacl -m user:tippy:--x /home/tristan
[tristan@fc2 tristan]$ getfacl /home/tristan
getfacl: Removing leading '/' from absolute path names
# file: home/tristan
# owner: tristan
# group: tristan
user::rwx
user:tippy:--x
group::---
mask::--x
other::---

[tristan@fc2 tristan]$ setfacl -R -m u:tippy:rwx,o::--- Project
[tristan@fc2 tristan]$ getfacl Project
# file: Project
# owner: tristan
# group: tristan
user::rwx
user:tippy:rwx
group::rwx
mask::rwx
other::---

[tristan@fc2 tristan]$ cd Project
[tristan@fc2 Project]$ ls -l
total 1560
-rwxrwx---+ 1 tristan tristan 86532 May 29 14:02 libgssapi_krb5.so
-rwxrwx---+ 1 tristan tristan 86532 May 29 14:02 libgssapi_krb5.so.2
-rwxrwx---+ 1 tristan tristan 86532 May 29 14:02 libgssapi_krb5.so.2.2
-rwxrwx---+ 1 tristan tristan 423572 May 29 14:02 libkrb5.so
-rwxrwx---+ 1 tristan tristan 423572 May 29 14:02 libkrb5.so.3
-rwxrwx---+ 1 tristan tristan 423572 May 29 14:02 libkrb5.so.3.2
[tristan@fc2 Project]$ getfacl --omit libkrb5.so
user::rwx
user:tippy:rwx
group::r-x
mask::rwx
other::---

Now, Tippy can access the /home/tristan/Project directory. He can read, modify, add, and delete files. However, he cannot delete the Project directory, nor can he view any other files in Tristan's home directory. This is good, because Tippy likes to test his limits. Let's see what he can and can't do:

[tippy@fc2 tippy]$ cd /home/tristan
[tippy@fc2 tristan]$ ls
ls: .: Permission denied
[tippy@fc2 tristan]$ rm -rf Project
rm: cannot remove `Project': Permission denied
[tippy@fc2 tristan]$ cd Project
[tippy@fc2 Project]$ ls -l
total 1560
-rwxrwx---+ 1 tristan tristan 86532 May 29 14:02 libgssapi_krb5.so
-rwxrwx---+ 1 tristan tristan 86532 May 29 14:02 libgssapi_krb5.so.2
-rwxrwx---+ 1 tristan tristan 86532 May 29 14:02 libgssapi_krb5.so.2.2
-rwxrwx---+ 1 tristan tristan 423572 May 29 14:02 libkrb5.so
-rwxrwx---+ 1 tristan tristan 423572 May 29 14:02 libkrb5.so.3
-rwxrwx---+ 1 tristan tristan 423572 May 29 14:02 libkrb5.so.3.2
[tippy@fc2 Project]$ touch status-report.txt

[tippy@fc2 Project]$ date >> libkrb5.so.3
[tippy@fc2 Project]$ rm libkrb5.so.3
[tippy@fc2 Project]$ ls -l
total 1136
-rwxrwx---+ 1 tristan tristan 86532 May 29 14:02 libgssapi_krb5.so
-rwxrwx---+ 1 tristan tristan 86532 May 29 14:02 libgssapi_krb5.so.2
-rwxrwx---+ 1 tristan tristan 86532 May 29 14:02 libgssapi_krb5.so.2.2
-rwxrwx---+ 1 tristan tristan 423572 May 29 14:02 libkrb5.so
-rwxrwx---+ 1 tristan tristan 423572 May 29 14:02 libkrb5.so.3.2
-rw-rw-r-- 1 tippy tippy 0 May 29 16:06 status-report.txt

Now, after the project is complete, it is a simple matter for user Tristan to revoke Tippy's access to /home/tristan:

[tristan@fc2 tristan]$ setfacl -x u:tippy: /home/tristan
[tristan@fc2 tristan]$ getfacl /home/tristan
getfacl: Removing leading '/' from absolute path names
# file: home/tristan
# owner: tristan
# group: tristan
user::rwx
group::---
mask::---
other::---

If user "tippy" decides to snoop around in /home/tristan/Project again, he will not be able to:

[tippy@fc2 tippy]$ cd /home/tristan
-bash: cd: /home/tristan: Permission denied
[tippy@fc2 tippy]$ ls /home/tristan/Project
ls: /home/tristan/Project: Permission denied

Note that this entire example was done without having to involve the system administrator!
The Default ACL

Up until now, we have been looking at the access ACL. There is also another type of ACL, called the default ACL. The default ACL is only applied to directories, and it defines the permissions that a newly created file or directory inherits from its parent directory.

When you create a new directory inside a directory that already has a default ACL, the new directory inherits the default ACL both as its access ACL and its default ACL.

Here is an example of defining a default ACL for a directory, and what happens when files and directories are created underneath that directory:

[tristan@fc2 tristan]$ mkdir Plato

[tristan@fc2 tristan]$ setfacl --set u::rwx,g::r-x,o::- Plato

[tristan@fc2 tristan]$ setfacl -d --set u::rwx,u:tippy:rwx,u:axel:rx,g::rx,g:lensmen:rx,o::- Plato
[tristan@fc2 tristan]$ getfacl Plato
# file: Plato
# owner: tristan
# group: tristan
user::rwx
group::r-x
other::---
default:user::rwx
default:user:axel:r-x
default:user:tippy:rwx
default:group::r-x
default:group:lensmen:r-x
default:mask::rwx
default:other::---

[tristan@fc2 tristan]$ cd Plato
[tristan@fc2 Plato]$ touch guitar
[tristan@fc2 Plato]$ getfacl guitar
# file: guitar
# owner: tristan
# group: tristan
user::rw-
user:axel:r-x #effective:r--
user:tippy:rwx #effective:rw-
group::r-x #effective:r--
group:lensmen:r-x #effective:r--
mask::rw-
other::---

[tristan@fc2 Plato]$ mkdir Zep
[tristan@fc2 Plato]$ getfacl Zep
# file: Zep
# owner: tristan
# group: tristan
user::rwx
user:axel:r-x
user:tippy:rwx
group::r-x
group:lensmen:r-x
mask::rwx
other::---
default:user::rwx
default:user:axel:r-x
default:user:tippy:rwx
default:group::r-x
default:group:lensmen:r-x
default:mask::rwx
default:other::---

[tristan@fc2 Plato]$ cd Zep
[tristan@fc2 Zep]$ touch airship
[tristan@fc2 Zep]$ getfacl airship
# file: airship
# owner: tristan
# group: tristan
user::rw-
user:axel:r-x #effective:r--
user:tippy:rwx #effective:rw-
group::r-x #effective:r--
group:lensmen:r-x #effective:r--
mask::rw-
other::---

The umask has no effect if a default ACL exists. In the following example, the umask is honored when a file is created in the /home/tristan directory, which has no default ACL. When a file is created under /home/tristan/Plato, which has a default ACL, you can see that the umask is ignored:

[tristan@fc2 tristan]$ umask ugo=
[tristan@fc2 tristan]$ umask
0777
[tristan@fc2 tristan]$ touch button
[tristan@fc2 tristan]$ ls -l button
---------- 1 tristan tristan 0 Jun 1 00:47 button

[tristan@fc2 tristan]$ cd Plato
[tristan@fc2 Plato]$ touch switch
[tristan@fc2 Plato]$ ls -l switch
-rw-rw----+ 1 tristan tristan 0 Jun 1 00:47 switch

You can also modify and create default ACLs with another syntax, prefixing the u, g, or o entries with a "d" :

[tristan@fc2 tristan]$ setfacl -m d:u:axel:rwx,d:g:lensmen:rwx Plato
[tristan@fc2 tristan]$ getfacl Plato
# file: Plato
# owner: tristan
# group: tristan
user::rwx
group::r-x
other::---
default:user::rwx
default:user:axel:rwx
default:user:tippy:rwx
default:group::r-x
default:group:lensmen:rwx
default:mask::rwx
default:other::---

Using cp and mv with ACLs

Three major file utilities, ls, cp, and mv have been updated to handle ACLs. The mv command will always preserve ACLs if it is possible. If it is not possible, it will issue a warning. The cp command will only preserve ACLs if used with the -p or -a options.

In both cases, if you are trying to copy/move from a filesystem that supports ACLs to a filesystem that does not, only the standard Unix permissions will be retained. In the example below, you can see that using the cp -p command within the ACL-enabled /home filesystem worked, and using the same command to copy the file to the /root directory (which is not ACL-enabled) resulted in an error message. As root, do the following:

[root@fc2 root]# cd /home/tristan
[root@fc2 tristan]# mkdir ACL
[root@fc2 tristan]# cp -p pizza ACL/pizza
[root@fc2 tristan]# ls -l ACL/pizza
-rw-rwx---+ 1 tristan tristan 19965 May 29 09:31 ACL/pizza

[root@fc2 tristan]# cp -p pizza /root
cp: preserving permissions for `/root/pizza': Operation not supported
[root@fc2 tristan]# ls -l /root/pizza
-rw-rwx--- 1 tristan tristan 19965 May 29 09:31 /root/pizza

Copying ACLs

If you already have a file with a complex ACL, you can easily copy that ACL to other files by piping the output of a getfacl command into the setfacl command. Here is an example of copying the ACL from bingo.txt to all of the files starting with "test":

[tristan@fc2 Compaq]$ ls -l
total 4
-rw-rw----+ 1 tristan tristan 0 Jun 2 09:52 bingo.txt
-rw-rw---- 1 tristan tristan 0 Jun 2 09:53 testa1
-rw-rw---- 1 tristan tristan 0 Jun 2 09:53 testa2
-rw-rw---- 1 tristan tristan 0 Jun 2 09:55 testa3
-rw-rw---- 1 tristan tristan 0 Jun 2 09:53 testa4
-rw-rw---- 1 tristan tristan 0 Jun 2 09:55 testa5

[tristan@fc2 Compaq]$ getfacl bingo.txt | setfacl --set-file=- test*

[tristan@fc2 Compaq]$ ls -l
total 24
-rw-rw----+ 1 tristan tristan 0 Jun 2 09:52 bingo.txt
-rw-rw----+ 1 tristan tristan 0 Jun 2 09:53 testa1
-rw-rw----+ 1 tristan tristan 0 Jun 2 09:53 testa2
-rw-rw----+ 1 tristan tristan 0 Jun 2 09:55 testa3
-rw-rw----+ 1 tristan tristan 0 Jun 2 09:53 testa4
-rw-rw----+ 1 tristan tristan 0 Jun 2 09:55 testa5

[tristan@fc2 Compaq]$ getfacl --omit testa5
user::rw-
user:axel:rw-
user:tippy:rw-
group::rw-
group:marty:r--
group:lensmen:r--
group:fafnir:r--
mask::rw-
other::---

You can also archive all of the ACLs from an entire directory tree, then restore them later. You might want to do this if you are recovering files from backup media that does not support ACLs, like CD-ROM. Here is an example of archiving/saving all of the ACLs in the /home/tristan/Tree directory tree, and restoring them.

There are 898 files in this tree:

[tristan@fc2 tristan]$ du -h Tree
9.5M Tree/A/B/C/D
19M Tree/A/B/C
29M Tree/A/B
38M Tree/A
9.5M Tree/AA/BB/CC/DD
19M Tree/AA/BB/CC
29M Tree/AA/BB
38M Tree/AA
86M Tree

Now, let's archive the ACLs into a file in our home directory:

[tristan@fc2 tristan]$ getfacl -R Tree > Tree.facl
[tristan@fc2 tristan]$ ls -l Tree.facl
-rw-rw-r-- 1 tristan tristan 120550 Jun 2 12:08 Tree.facl

Now, we will simulate restoring the files from CD without ACLs by stripping all of the ACLs off:

[tristan@fc2 tristan]$ setfacl -R -b Tree

Now we can restore all of the ACL entries with one command:

[tristan@fc2 tristan]$ setfacl --restore Tree.facl

Archive and Restore Files with ACLs

What if you want to archive/backup files or directories with ACLs? Besides cp, what is there? Unfortunately, tar, cpio, pax, and dump will not save and restore ACL information. You can use the setfacl --restore mechanism in conjunction with a standard archiving/ backup system, but that is far from ideal. The answer is star, a TAR-like utility that is included in the Fedora Core 2 distribution.

Quotes from Star's author:

* Star is the fastest known implementation of a tar archiver.
* Star is even faster than ufsdump in nearly all cases.

Sounds interesting, doesn't it?

We can archive the entire /home/tristan/Tree directory tree from our previous example. We have to use the acl and -Hexustar options in order to archive and restore the ACL data. Here we go:

[tristan@fc2 /]$ cd /home/tristan

[tristan@fc2 tristan]$ star -Hexustar -acl -c f=Tree.star Tree
star: 8201 blocks + 0 bytes (total of 83978240 bytes = 82010.00k).

Now we will simulate losing our files and restoring them from a Star archive:

[tristan@fc2 tristan]$ rm -rf Tree

[tristan@fc2 tristan]$ star -acl -x f=Tree.star
star: 8201 blocks + 0 bytes (total of 83978240 bytes = 82010.00k).

When you check out the /home/tristan/Tree directory tree, you will find that it has been restored along with all the ACLs!
rdiff-backup

If you want to use a disk-to-disk backup instead of a tape archiver, consider using rdiff-backup. The stable branch now supports ACLs.

XFS Notes - Setting Up an XFS Filesystem with ACLs

XFS natively supports POSIX.1e ACLs. Unless you installed Fedora Core 2 with the XFS option, you will need to install the XFS RPM packages in order to use XFS. They are located on FC-2 ISO disk #4, in the Fedora/RPMS directory. You will need to install the following packages:

* xfsprogs-2.6.13-1.i386.rpm
* xfsprogs-devel-2.6.13-1.i386.rpm

Use the rpm -ivh xfsprogs*rpm command and you will soon be ready to go.

You will need a spare partition for your XFS filesystem. In my case, I created a spare partition as /dev/hda9. You must now create an XFS filesystem:

[root@fc2 root]# mkfs.xfs -i size=512 -f -L "/XFS" /dev/hda9
meta-data=/dev/hda9 isize=512 agcount=8, agsize=61046 blks
= sectsz=512
data = bsize=4096 blocks=488368, imaxpct=25
= sunit=0 swidth=0 blks, unwritten=1
naming =version 2 bsize=4096
log =internal log bsize=4096 blocks=2560, version=1
= sectsz=512 sunit=0 blks
realtime =none extsz=65536 blocks=0, rtextents=0

The -i option is used to specify the size of the inodes. 256 is the default, but 512 bytes per inode significantly increases the speed of ACL lookups.

Now, create a directory to act as the mountpoint:

[root@fc2 root]# mkdir /XFS

Now, we have to actually mount the new filesystem. Unlike EXT2 and EXT3, no "acl" option is necessary. XFS assumes that you want ACLs. Example:

[root@fc2 root]# mount -v -t xfs /dev/hda9 /XFS
/dev/hda9 on /XFS type xfs (rw)

[root@fc2 root]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 4.2G 197M 3.8G 5% /
/dev/hda1 97M 5.9M 86M 7% /boot
/dev/hda5 9.7G 128M 9.0G 2% /home
/dev/hda7 985M 17M 919M 2% /tmp
/dev/hda3 15G 3.2G 11G 23% /usr
/dev/hda6 4.9G 184M 4.4G 4% /var
/dev/hdd1 29G 11G 17G 38% /Data
/dev/hda9 1.9G 160K 1.9G 1% /XFS

Alternatively, you could have used the mount command with the disk label "/XFS" that was added when you created the XFS filesystem. Example:

[root@fc2 root]# mount -v -t xfs -L "/XFS" /XFS
mount: mounting /dev/hda9
/dev/hda9 on /XFS type xfs (rw)

The last step is to add an entry to /etc/fstab so that the filesystem/partition will be mounted automatically during system boot. Here is a sample entry:

LABEL=/XFS /XFS xfs rw,noatime 0 2

You can now start using the filesystem with ACLs.
Final Notes

There are limits to how many ACL entries can be applied to each file or directory. The number is filesystem dependent. EXT2 and EXT3 can have up to 32 entries, and XFS can have up to 25. Reiser and JFS can have over 8,000.

Enabling and using ACLs on a filesystem can reduce performance. It does not make sense to use ACLs for the root partition ( / ), /boot, /usr, /var, etc. I can see ACLs being very useful in /home and other user data partitions.

The only way to get familiar with Linux ACLs is to practice using them. Have fun with it!
Additional Resources

* Andreas Grünbacher's "POSIX Access Control Lists on Linux" whitepaper (local copy)
* Excellent article on Linux ACLs by Carla Schroeder
* Linux ACL Homepage
* rdiff-backup page
* man getfacl
* man setfacl
* man acl
* man star
* /usr/share/doc/star-1.5a25 documentation
* Star ACL README file


Last updated: 2005-09-22


Reference: http://www.vanemery.com/Linux/ACL/linux-acl.html

Linux Tips: get the list of subdirectories with their owner & permissions and full paths

SkyHi @ Friday, November 06, 2009
I needed to get a list of all the subdirectories that were owner by some other user than root under /var and their permissions/owner with full paths. My first thought was to use ls and something like this:
ls -dlR */
drwxr-xr-x 2 root root 4096 2009-06-05 06:25 backups/
drwxr-xr-x 8 root root 4096 2009-05-11 06:02 cache/
drwxr-xr-x 2 root root 4096 2009-05-06 04:49 ec2/
drwxr-xr-x 25 root root 4096 2009-05-25 14:55 lib/
...
will show the subdirectories just as I needed but only at one level. Using */*/ would show the next level, etc. This obviously is not a solution and unfortunately I had found no other way to do this with ls. Using:
ls -alR | grep ^d
drwxr-xr-x 15 root root 4096 2009-05-11 06:02 .
drwxr-xr-x 22 root root 4096 2009-06-03 15:02 ..
drwxr-xr-x 2 root root 4096 2009-06-05 06:25 backups
drwxr-xr-x 8 root root 4096 2009-05-11 06:02 cache
drwxr-xr-x 2 root root 4096 2009-05-06 04:49 ec2
drwxr-xr-x 25 root root 4096 2009-05-25 14:55 lib
....
works somehow, but since I don’t have the full paths this is useless.

Maybe this can be done with ls, but since I have not found a way to do this, I turned to find. Find allows me very simple to get the list of subdirectories with their full paths:
find /var -type d
/var
/var/backups
/var/lib
/var/lib/ucf
/var/lib/ucf/cache
/var/lib/vim
/var/lib/vim/addons
/var/lib/php5
/var/lib/iptraf
/var/lib/mysql-cluster
/var/lib/collectd
...
and to get also the owner/permissions we can get help from ls:
ls -dl `find /var -type d`
drwxr-xr-x 15 root root 4096 2009-05-11 06:02 /var
drwxr-xr-x 2 root root 4096 2009-06-05 06:25 /var/backups
drwxr-xr-x 8 root root 4096 2009-05-11 06:02 /var/cache
drwxr-xr-x 3 www-data www-data 4096 2009-05-11 06:02 /var/cache/apache2
drwxr-xr-x 2 www-data www-data 4096 2008-09-08 05:08 /var/cache/apache2/mod_disk_cache
drwxr-xr-x 3 root root 4096 2009-06-03 09:32 /var/cache/apt
drwxr-xr-x 3 root root 4096 2009-06-03 09:32 /var/cache/apt/archives
drwxr-xr-x 2 root root 4096 2009-06-03 09:32 /var/cache/apt/archives/partial
drwxr-xr-x 2 root root 4096 2009-06-05 06:25 /var/cache/apt-show-versions
drwxr-xr-x 2 root root 4096 2009-06-03 09:32 /var/cache/debconf
drwxr-xr-x 2 root root 4096 2009-06-05 06:25 /var/cache/locate
drwxr-sr-x 42 man root 4096 2009-06-05 06:25 /var/cache/man
...

And finally the oneliner that gives us all the folders that are owned by some other user as root:
ls -dl `find /var -type d` | grep -v root
drwxr-xr-x 3 www-data www-data 4096 2009-05-11 06:02 /var/cache/apache2
drwxr-xr-x 2 www-data www-data 4096 2008-09-08 05:08 /var/cache/apache2/mod_disk_cache
drwxr-s--- 2 mysql adm 4096 2009-06-05 06:25 /var/log/mysql
drwxr-sr-x 2 news news 4096 2009-05-06 04:49 /var/log/news

time for awk now ;)

Update: as per the comment bellow from chlovechek a much cleaner solution is:
find /var ! -user root -type d -ls

Reference: http://www.ducea.com/2009/06/05/linux-tips-get-the-list-of-subdirectories-with-their-owner-permissions-and-full-paths/

Linux Iptables block incoming access to selected or specific ip address

SkyHi @ Friday, November 06, 2009
Sometime it is necessary to block incoming connection or traffic from specific remote host. iptables is administration tool for IPv4 packet filtering and NAT under Linux kernel. Following tip will help you to block attacker or spammers IP address.
How do I block specific incoming ip address?

Following iptable rule will drop incoming connection from host/IP 202.54.20.22:

iptables -A INPUT -s 202.54.20.22 -j DROP
iptables -A OUTPUT -d 202.54.20.22 -j DROP

A simple shell script to block lots of IP address

If you have lots of IP address use the following shell script:

A) Create a text file:

# vi /root/ip.blocked
Now append IP address:

# Ip address block file
202.54.20.22
202.54.20.1/24
#65.66.36.87

B) Create a script as follows or add following script line to existing iptables shell script:

BLOCKDB=”/root/ip.blocked”
IPS=$(grep -Ev "^#" $BLOCKDB)
for i in $IPS
do
iptables -A INPUT -s $i -j DROP
iptables -A OUTPUT -d $i -j DROP
done

C) Save and close the file.


Reference: http://www.cyberciti.biz/tips/howto-block-ipaddress-with-iptables-firewall.html

iptables script ipv6

SkyHi @ Friday, November 06, 2009
#!/bin/sh
#------------------------------------------------------------------------------
# Configuration.
#------------------------------------------------------------------------------

# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"

# Logging options.
# Note: We use --log-level debug, so that the messages are not output
# to all virtual consoles (which would be quite annoying).
# Alternative: Start klogd with -c 4 (e.g. by setting KLOGD="-c 4" in the
# /etc/init.d/klogd startup-script.
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting (to prevent DoS attacks and excessive logging).
# TODO: What is a good value for --limit and --limit-burst?
# TODO: Test rate limiting.
RLIMIT="-m limit --limit 3/s --limit-burst 8"

# Unprivileged ports.
PHIGH="1024:65535"

# Common SSH source ports.
PSSH="1000:1023"

# Load required kernel modules (if automatic module loading is disabled).
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc


#------------------------------------------------------------------------------
# Mitigate ARP spoofing/poisoning and similar attacks.
# For details see:
# * http://en.wikipedia.org/wiki/ARP_spoofing
# * http://www.grc.com/nat/arp.htm
#------------------------------------------------------------------------------

# Hardcode static ARP cache entries here (e.g. for the network gateway).
# $ARP -s IP-ADDRESS MAC-ADDRESS


#------------------------------------------------------------------------------
# Kernel configuration.
# For details see:
# * http://www.securityfocus.com/infocus/1711
# * http://www.linuxgazette.com/issue77/lechnyr.html
# * http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html
# * /usr/src/linux/Documentation/filesystems/proc.txt
# * /usr/src/linux/Documentation/networking/ip-sysctl.txt
#------------------------------------------------------------------------------

# Disable IP forwarding.
# Note: We turn this on and off to reset all settings to their defaults.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection (i.e. source address verification).
# Note: This is special, as it seems to only be enabled if you set
# */all/rp_filter AND */eth0/rp_filter (for example) to 1! Setting only
# */all/rp_filter alone does _not_ suffice, which is pretty counter-intuitive.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

# Protect against SYN flood attacks (see http://cr.yp.to/syncookies.html).
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Ignore all incoming ICMP echo requests (i.e. disable ping).
# Usually not a good idea, as some protocols and users need/want this.
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP echo requests to broadcast/multicast addresses. We do not
# want to participate in smurf (and similar) DoS attacks.
# For details see: http://en.wikipedia.org/wiki/Smurf_attack.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done

# Don't log invalid responses to broadcast frames, they just clutter the logs.
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done

# Disable multicast routing. Should not be needed, usually.
# TODO: This throws an "Operation not permitted" error. Why?
# for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done

# Disable proxy_arp. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# listed in the default gateway list. Helps against MITM attacks.
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done

# Disable bootp_relay. Should not be needed, usually.
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done

# TODO: These may mitigate ARP poisoning attacks?
# /proc/sys/net/ipv4/neigh/*/locktime
# /proc/sys/net/ipv4/neigh/*/gc_stale_time

# TODO: Check rest of /usr/src/linux/Documentation/networking/ip-sysctl.txt.
# Are there any security-relevant options I missed? Check especially:
# icmp_ratelimit, icmp_ratemask, icmp_errors_use_inbound_ifaddr, arp_*.


#------------------------------------------------------------------------------
# Default policies.
#------------------------------------------------------------------------------

# Drop everything by default.
# Note: The default policies are set _before_ flushing the chains, to prevent
# a short timespan between flushing the chains and setting policies where
# any traffic would be allowed.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Set the nat/mangle/raw tables' chains to ACCEPT (we don't use them).
# Packets will simply pass through these tables unchanged.
# TODO: What happens if the modules aren't loaded?
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT

$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# TODO: Correct? Remove this?
# $IPTABLES -t raw -P PREROUTING ACCEPT
# $IPTABLES -t raw -P OUTPUT ACCEPT


#------------------------------------------------------------------------------
# Cleanup.
#------------------------------------------------------------------------------

# Delete all rules.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all (non-builtin) user-defined chains.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Zero all packet and byte counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z


#------------------------------------------------------------------------------
# Completely disable IPv6.
#------------------------------------------------------------------------------

# Block all IPv6 traffic, otherwise the firewall might be circumvented by an
# attacker who simply sends IPv6 traffic instead of IPv4 traffic.
# Note: The safest way to prevent IPv6 traffic is to not enable support for
# IPv6 in the kernel in the first place (neither built-in nor as a module).

# If the ip6tables command is available, try to block all IPv6 traffic.
if test -x $IP6TABLES; then
# Set the default policies (drop everything).
$IP6TABLES -P INPUT DROP 2>/dev/null
$IP6TABLES -P FORWARD DROP 2>/dev/null
$IP6TABLES -P OUTPUT DROP 2>/dev/null

# The mangle table can pass everything through unaltered (we don't use it).
$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null

# Delete all rules.
$IP6TABLES -F 2>/dev/null
$IP6TABLES -t mangle -F 2>/dev/null

# Delete all (non-builtin) user-defined chains.
$IP6TABLES -X 2>/dev/null
$IP6TABLES -t mangle -X 2>/dev/null

# Zero all packet and byte counters.
$IP6TABLES -Z 2>/dev/null
$IP6TABLES -t mangle -Z 2>/dev/null
fi


#------------------------------------------------------------------------------
# Custom user-defined chains.
#------------------------------------------------------------------------------

# LOG packets, then ACCEPT them.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP them.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP

# LOG packets, then REJECT them. TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT

# A custom chain which only allows minimal (RELATED) ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPTABLES -N RELATED_ICMP
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG


#------------------------------------------------------------------------------
# Only allow the minimally required/recommended parts of ICMP. Block the rest.
# For details see:
# * http://tools.ietf.org/html/792
# * http://tools.ietf.org/html/1122
# * http://www.iana.org/assignments/icmp-parameters
# * http://www.daemon.be/maarten/icmpfilter.html
#------------------------------------------------------------------------------

# Note: Be careful if you're using kernels older than 2.4.29. Some locally
# generated ICMP error types (going through OUTPUT) are erroneously tagged
# as INVALID (instead of RELATED).
# Details: http://lists.debian.org/debian-firewall/2006/05/msg00051.html.

# TODO: This section needs a lot of testing!

# First, drop all fragmented ICMP packets (almost always malicious).
$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG

# Allow all ESTABLISHED ICMP traffic.
# TODO: Tighten this some more?
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT

# Allow some parts of the RELATED ICMP traffic, block the rest.
# TODO: FORWARD?
$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT

# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Allow outgoing ICMP echo requests (ping), but only rate-limited.
# TODO: Really do rate limiting here?
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Drop any other ICMP traffic.
$IPTABLES -A INPUT -p icmp -j DROPLOG
$IPTABLES -A OUTPUT -p icmp -j DROPLOG
$IPTABLES -A FORWARD -p icmp -j DROPLOG


#------------------------------------------------------------------------------
# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------

# Allow all incoming and outgoing connections on the loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections related to existing allowed connections.
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Uncomment this (and comment the above line) to allow all outgoing
# connections (except for INVALID ones).
# $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# TODO: Read Securing Debian Manual's "Disabling weak-end hosts issues".
# For details see:
# * http://www.debian.org/doc/manuals/securing-debian-howto/
# * ftp://ftp.isi.edu/in-notes/rfc1122.txt

# TODO: Split the ESTABLISHED,RELATED rules by state, protocol, type?


#------------------------------------------------------------------------------
# Miscellaneous.
#------------------------------------------------------------------------------

# Drop SMB/CIFS, and related Windows traffic without logging. We don't care.
# TODO: I think not all of these use TCP _and_ UDP. Tighten the rules!
$IPTABLES -A INPUT -p tcp -m multiport \
--dports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A INPUT -p udp -m multiport \
--dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid incoming traffic (use DROPLOG if you want logging).
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
# Note: This may prevent you from performing certain scans. Also, see above
# comment about ICMP packets being erroneously marked as INVALID instead of
# RELATED in kernels older than 2.4.29. Remove this rule if needed.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# This is not needed, as we use policy DROP for FORWARD, and we disabled
# ip_forward anyways. However, if we would use NAT, INVALID packets would
# bypass our rules, so we block them explicitly here, just in case.
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# Hinder portscanners a bit.
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# TODO: Some more anti-spoofing rules? For example:
# TODO: Test.
# $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG


#------------------------------------------------------------------------------
# Drop any traffic from IANA-reserved IPs.
# Note: You could easily block valid traffic, e.g. if your ISP uses private
# addresses (see RFC 1918) in their network. If in doubt, remove these rules.
# For details see:
# * ftp://ftp.iana.org/assignments/ipv4-address-space
# * http://www.cymru.com/Documents/bogon-bn-agg.txt
#------------------------------------------------------------------------------

$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
$IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
# $IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
# $IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
$IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP


#------------------------------------------------------------------------------
# Selectively allow certain outbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------

# Allow outgoing DNS requests. Few things will work without this.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow outgoing HTTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow outgoing HTTPS requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT

# Allow outgoing "submission" requests.
# Submission (RFC 2476) is used for sending email, and uses port 587.
# This can be encrypted or unencrypted, depending on the server (I think).
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT

# Allow outgoing POP3S requests. Do NOT allow unencrypted POP3!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow outgoing SSH requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow outgoing FTP requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_ftp kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing NNTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow outgoing NTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT

# Allow outgoing IRC requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_irc kernel module.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT

# Allow outgoing requests to various proxies. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT

# Allow outgoing DHCP requests. Unencrypted, use with care.
# TODO: This is completely untested, I have no idea whether it works!
# TODO: I think this can be tightened a bit more.
$IPTABLES -A OUTPUT -m state --state NEW -p udp \
--sport 67:68 --dport 67:68 -j ACCEPT

# Allow outgoing CVS requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT

# Allow outgoing SVN requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT

# Allow outgoing Tor (http://tor.eff.org) requests.
# Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)!
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT

# Allow outgoing Bacula (http://www.bacula.org) requests.
# Unencrypted (usually), use with care.
# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9101 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9103 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9102:9103 -j ACCEPT

# Allow outgoing OpenVPN requests.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT

# TODO: ICQ, ...


#------------------------------------------------------------------------------
# Selectively allow certain inbound connections, block the rest.
# TODO: This could be tightened a bit more (limit source/dest port ranges).
#------------------------------------------------------------------------------

# Allow incoming DNS requests.
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow incoming HTTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow incoming HTTPS requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow incoming POP3 requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

# Allow incoming POP3S requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow incoming SMTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# Allow incoming SSH requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow incoming FTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow incoming NNTP requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow incoming BitTorrent requests.
# TODO: Are these already handled by ACCEPTing established/related traffic?
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT

# Allow incoming nc requests.
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT

# Allow incoming Bacula (http://www.bacula.org) requests.
# Ports: Console -> DIR:9101, DIR -> SD:9103, DIR -> FD:9102, FD -> SD:9103
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9102 -j ACCEPT
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 9101:9103 -j ACCEPT


#------------------------------------------------------------------------------
# Explicitly log and reject everything else.
#------------------------------------------------------------------------------

# Use REJECT instead of REJECTLOG if you don't need/want logging.
$IPTABLES -A INPUT -j REJECTLOG
$IPTABLES -A OUTPUT -j REJECTLOG
$IPTABLES -A FORWARD -j REJECTLOG


#------------------------------------------------------------------------------
# Testing the firewall.
#------------------------------------------------------------------------------

# You should check/test that the firewall really works, using for example
# iptables -vnL, nmap, ping, telnet, ...


#------------------------------------------------------------------------------
# Exit gracefully.
#------------------------------------------------------------------------------

exit 0

Reference: http://usalug.org/phpBB2/viewtopic.php?t=13265

Incorrect sendmail pop3 password

SkyHi @ Friday, November 06, 2009
This is the error message:

Command stream end of file, while reading char user=... host=...

Thursday, November 5, 2009

How to make a bootable CD from a bootable floppy

SkyHi @ Thursday, November 05, 2009
Put the floppy in the floppy drive, and don't mount it, YET.

Code:

dd if=/dev/fd0 of=/home/sam/floppy.img

Mount /home/sam/floppy.img:
Code:

mkdir /mnt/floppy.img
mount -o loop /home/sam/floppy.img /mnt/floppy.img

Customize the image:
Code:

cd /mnt/floppy.img/
rm
cp /home/sam/bios.bin .

or any other files you want on the CD. But don't exceed the 1.44 MB size of a floppy. Check space left in the mounted image
Code:

df -h

Unmount the floppy image
Code:

cd ..
umount /mnt/floppy.img

Make the .iso CD image file:
Code:

mkisofs -o /home/sam/floppy.img.iso -b /home/sam/floppy.img /home/sam/floppy.img

Burn the iso file to a CD:
Code:

wodim dev=/dev/hdc -sao driveropts=burnfree -dummy /home/sam/floppy.img.iso

This is a dummy burn, with the drive laser off. After you check the dummy run for errors, by looking at the program output, hit the up arrow, delete '-dummy', Enter. If you need a DOS boot floppy image file: http://www.fdos.org/bootdisks/autogen/FDOEM.144.gz .

You want to find out if your girlfriend is cheating on you, having cyber whoopie, or just misbehaving. Even if the computer is secured with a password you can boot with the:
http://www.efense.com/helix
CD and search the entire drive partition for text strings:
Code:

dd if=/dev/sda2 bs=16065 | hexdump -C | grep 'I love you.'

... will search the whole drive partition for the text string specified between the single quotes. Searching an entire disk partition several times can be quite tedious. This particular command string prints the search results to the screen, with the offset where it is located in the partition. Dd works in the decimal system. Hexdump works in hexidecimal. The output text string is at offset 0x020d0d90h. You convert that to decimal with one of the many calculators found in Linux. This is decimal offset: 34,409,872. We want some manageable numbers, custom designed for speed and ease of use. The decimal disk offset is roughly 34 million, so the data we want to view is 34 MB into the partition. We divide 34,409,872 by some power of 2. Experience says 2^13 is about what we want to get a quotient in the thousands. 34,409,872/8192=~4200. The data we want is 8,192 4,200 byte blocks, OR, 4,200 8,192 byte blocks, into the partition. We check: 4200*8192=34406400; 34,409,872-34406400=3472. This means the following command line will start reading 3,472 bytes before the search string location.
Code:

dd if=/dev/sda2 bs=4200 skip=8192 count=2 | hexdump -C > file.txt

... and finish reading approximately 4,200 bytes after the string. This will net you 3.4k of disk contents before the search string, and 4.2k after. That's a 7.6k chunk of disk, plenty for what we're doing. With this method you search all the deleted files, any chat activity, and emails. It works no matter what security is being employed on the machine. It works with NTFS, ext2, ext3, reiserfs, swap, and FAT partitions. But, it is illegal to use this method on a computer you aren't authorized to search. People can be sued, or imprisoned for performing unauthorized searches. On a related note, you can search system memory with this method, by substituting
Code:

/dev/mem

for
Code:

/dev/sda2

.
Write system memory to a CD. This is useful for documenting memory contents without contaminating the HDD. I recommend using a CD-RW so you can practice a little. This doesn't involve dd, but it's cool.
Code:

wodim /dev=/dev/scd0 -raw driveropts=burnfree /dev/mem

to find the cdwriter:
Code:

wodim --devices

This method records raw, so you have to do a:
Code:

dd if=/dev/hdd | hexdump -C | less

to view the recorded memory. You can also employ the string search method above, substituting
Code:

/dev/hdd

for
Code:

/dev/sda2

.
Code:

dd if=/dev/hdd | hexdump -C | grep 'string'

string is any ascii sequence, hex sequence (must be separated with a space: '55aa09' searches for the hex string '55aa09'),
list:
Code:

'[[:alnum:]]' any alphanumeric characters
'[[:alpha:]]' any alpha character
'[[:digit:]]' any numeric character
'[[:blank:]]' tabs and spaces
'[[:lower:]]' any lower case alpha characters
'[[:upper:]]' any uppercase alpha character
'[[:cntrl:]]' ASCII characters 000 thru 037, and 177 octal
'[[:graph:]]' [:alnum:] and [:punct:]
'[[:punct:]]' any punctuation character ` ! ' # $ % ' ( ) * + - . / : ; < = > ? @ [ \ ] ^ _ { | } ~
'[[:space:]]' tab, newline, vertical tab, form feed, carriage return, and space '[[:xdigit:]]' any hex digit ranges('[a-d]' = any, or all abcd, '[0-9]' = any, or all 0123456789)

Code:

dd if=/dev/sda | hexdump -C | grep '[:punct:]' | less

... will return every line from the
Code:

hexdump -C

output that contains any punctuation characters specified above. It will not gather only punctuation characters.
Back up your MBR:
Code:

dd if=/dev/sda of=mbr.bin count=1

Put this on a floppy you make with:
Code:

dd if=boot.img of=/dev/fd0

I back up floppies to a HDD. Floppies don't last forever, so I do:
Code:

dd if=/dev/fd0 of=/home/sam/floppies/backup.bin conv=notrunc

If my floppy fails, I can make unlimited copies:
Code:

dd if=/home/sam/floppies/backup.bin of=/dev/fd0 conv=notrunc

Here is a command line to read your BIOS, and interfaces:
Code:

dd if=/dev/mem bs=1k skip=768 count=256 2>/dev/null | strings -n 8

dd will not duplicate or erase an HPA, OR, host protected area. Dd will erase a disk completely, but not as well as using the hardware secure erase, security erase unit command
Dd need not be black boxed like other inexpensive forensic software:
http://www.cftt.nist.gov/
For a low cost bootable CD based professional ghosting solution, that supports all operating systems and file systems:
http://www.feyrer.de/g4u/
Variation of dd for data rescue off defective media:
http://www.garloff.de/kurt/linux/ddrescue/
Department of Defense implementation of dd:
http://dcfldd.sourceforge.net/
Sdd is useful when input block size is different than output block size, and will succeed in some instances where dd fails:
http://linux.maruhn.com/sec/sdd.html
This is one of the best links I haven't written about dd:
http://www.softpanorama.org/Tools/dd.shtml

Copyright 2008 by AwesomeMachine.
All Rights Reserved.


Public Domain Copyright Material Begins Here:

Note that sending a SIGUSR1 signal to a running 'dd' process makes it
print to standard error the number of records read and written so far,
then to resume copying.

Code:

$ dd if=/dev/zero of=/dev/null& pid=$!
$ kill -USR1 $pid; sleep 1; kill $pid

10899206+0 records in 10899206+0 records out



BLOCKS and BYTES may be followed by the following multiplicative suffixes: c 1, w 2, b 512, kB 1000, K 1024, MB 1000*1000, M 1024*1024, GB 1000*1000*1000, G 1024*1024*1024
So,
Code:

dd if=/dev/sda of=/dev/sdb bs=1GB

Will use one gigabyte block sizes.
bs=4b would give dd a block size of 4 disk sectors. 1 sector=512 bytes.
bs=4k would indicate dd use a 4 kilobyte block size. I have found bs=4k to be the fastest for copying disk drives on a modern machine.

OPERANDS The following operands are supported:
Code:

if=file

Specifies the input path. Standard input is the default.
Code:

of=file

Specifies the output path.
Standard output is the default.
seek=blocks Skip this many blocks in the output file.
Code:

ibs=n

Specifies the input block size in n bytes (default is 512).
Code:

obs=n

Specifies the output block size in n bytes (default is 512).
If no conversion other than
Code:

sync, noerror, and, notrunc

is specified, each input block is copied to the output as a single block without aggregating short blocks.
Code:

cbs=n

Specifies the conversion block size for block and unblock in bytes by n (default is 0). If cbs= is omitted or given a value of 0, using
Code:

block or unblock

produces unspecified results. This option is used only if ASCII or EBCDIC conversion is specified.
Code:

ascii and asciib

operands, the input is handled as described for the unblock operand except that characters are converted to ASCII before the trailing SPACE characters are deleted.
Code:

ebcdic, ebcdicb, ibm, and ibmb

operands, the input is handled as described for the block operand except that the characters are converted to EBCDIC or IBM EBCDIC after the trailing SPACE characters are added.
Code:

files=n

Copies and concatenates n input files before terminating (makes sense only where input is a magnetic tape or similar device).
Code:

skip=n

Skips n input blocks (using the specified input block size) before starting to copy. On seekable files, the implementation reads the blocks or seeks past them. On non-seekable files, the blocks are read and the data is discarded.
Code:

iseek=n

Seeks n blocks from beginning of input file before copying (appropriate for disk files, where skip can be incredibly slow).
Code:

oseek=n

Seeks n blocks from beginning of output file before copying.
Code:

seek=n

Skips n blocks (using the specified output block size) from beginning of output file before copying. On non-seekable files, existing blocks are read and space from the current end-of-file to the specified offset, if any, is filled with null bytes. On seekable files, the implementation seeks to the specified offset or reads the blocks as described for non-seekable files.
Code:

count=n

Copies only n input blocks.
Code:

conv=value

[,value. . . ] Where values are comma-separated symbols from the following list:
Code:

conv=notrunc

Tells dd not to abbreviate blocks of all zero value, or multiple adjacent blocks of zeroes, with five asterisks (when you want to maintain size) Do not use notrunc for copying a larger volume to a smaller volume. Without
Code:

conv=notrunc

Do not truncate the output file.
Code:

ascii

Converts EBCDIC to ASCII.
Code:

asciib

Converts EBCDIC to ASCII using BSD-compatible character translations.
Code:

ebcdic

Converts ASCII to EBCDIC. If converting fixed-length ASCII records without NEWLINEs, sets up a pipeline with
Code:

dd conv=unblock

beforehand.
Code:

ebcdicb

Converts ASCII to EBCDIC using BSD-compatible character translations. If converting fixed-length ASCII records without NEWLINEs, sets up a pipeline with
Code:

dd conv=unblock

beforehand.
Code:

ibm

Slightly different map of ASCII to EBCDIC. If converting fixed-length ASCII records without NEWLINEs, sets up a pipeline with dd
Code:

dd conv=unblock

beforehand.
Code:

ibmb

Slightly different map of ASCII to EBCDIC using BSD-compatible character translations. If converting fixed-length ASCII records without NEWLINEs, sets up a pipeline with
Code:

dd conv=unblock

beforehand. The
Code:

ascii (or asciib), ebcdic (or ebcdicb), and ibm (or ibmb)

values are mutually exclusive. block Treats the input as a sequence of NEWLINE-terminated or EOF-terminated variable-length records independent of the input block boundaries. Each record is converted to a record with a fixed length specified by the conversion block size. Any NEWLINE character is removed from the input line. SPACE characters are appended to lines that are shorter than their conversion block size to fill the block. Lines that are longer than the conversion block size are truncated to the largest number of characters that will fit into that size. The number of truncated lines is reported. unblock Converts fixed-length records to variable length. Reads a number of bytes equal to the conversion block size (or the number of bytes remaining in the input, if less than the conversion block size), delete all trailing SPACE characters, and append a NEWLINE character. The block and unblock values are mutually exclusive.
Code:

lcase

Maps upper-case characters specified by the LC_CTYPE keyword tolower to the corresponding lower-case character. Characters for which no mapping is specified are not modified by this conversion.
Code:

ucase

Maps lower-case characters specified by the LC_CTYPE keyword toupper to the corresponding upper-case character. Characters for which no mapping is specified are not modified by this conversion. The lcase and ucase symbols are mutually exclusive.
Code:

swab

Swaps every pair of input bytes. If the current input record is an odd number of bytes, the last byte in the input record is ignored.
Code:

noerror

Does not stop processing on an input error. When an input error occurs, a diagnostic message is written on standard error, followed by the current input and output block counts in the same format as used at completion. If the
Code:

sync

conversion is specified, the missing input is replaced with null bytes and processed normally. Otherwise, the input block will be omitted from the output. notrunc Does not truncate the output file. Preserves blocks in the output file not explicitly written by this invocation of dd. (See also the preceding
Code:

of=file

operand.)
Code:

sync

Pads every input block to the size of the ibs= buffer, appending null bytes. (If either block or unblock is also specified, appends SPACE characters, rather than null bytes.)

ENVIRONMENT VARIABLES

The following environment variables affect the messages and errors messages of dd:

Code:

LANG

Provide a default value for the internationalisation variables that are unset or null. If

Code:

LANG

is unset or null, the corresponding value from the implementation-dependent default locale will be used. If any of the internationalisation variables contains an invalid setting, the utility will behave as if none of the variables had been defined.

Code:

LC_ALL

If set to a non-empty string value, override the values of all the other internationalisation variables.

Code:

LC_CTYPE

Determine the locale for the interpretation of sequences of bytes of text data as characters (for example, single- as opposed to multi-byte characters in arguments and input files), the classification of characters as upper- or lower-case, and the mapping of characters from one case to the other.

Code:

LC_MESSAGES

Determine the locale that should be used to affect the format and contents of diagnostic messages written to standard error and informative messages written to standard output.

Code:

NLSPATH

Determine the location of message catalogues for the processing of LC_MESSAGES.

Public Domain Copyright Material Ends Here:

Reference: http://www.linuxquestions.org/questions/linux-newbie-8/learn-the-dd-command-362506/