Mastodon

This blog has joined the Fediverse

TL;DR

My blog noteblok.net has joined the Fediverse. You can follow my posts via this new handle: stv0g@noteblok.net.

This has been made possible by the WordPress ActivityPub Plugin. With the ActivityPub plugin installed, the WordPress blog functions as a federated profile, along with profiles for each author. For example, my blog-wide profile can be found at @blog@noteblok.net. Authors like myself, on the other hand, would have their individual profiles at @stv0g@noteblok.net.

The integration allows you to follow the blog from your own Fediverse platform and account, such as Mastodon. In return, you can also react and comment on my blog posts by simply replying with your existing Fediverse account.

SSH Access for Netgear’s Nighthawk M5 Mobile LTE/Router

In my previous post, I demonstrated how to gain root access by enabling a Telnet daemon via the router's AT-over-TCP interface. In this post I will close this gaping security hole by replacing the Telnet daemon with a Secure Shell (SSH) daemon. Netgear's firmware does not ship with an SSH daemon itself, so we first build a statically linked Dropbear instead of the rather heavy OpenSSH daemon.

Building Dropbear SSH

I've built a statically linked version of Dropbear using a Debian-based Docker image, as it allows us to use the cross-compiler toolchains packaged by Debian:

Dockerfile
FROM debian:bullseye

# Debian packages a cross-compiler toolchain for 32-bit ARM (hard-float ABI)
RUN apt-get update && \
    apt-get -y install \
        wget tar bzip2 build-essential \
        gcc-arm-linux-gnueabihf \
        binutils-arm-linux-gnueabihf

RUN wget https://matt.ucc.asn.au/dropbear/releases/dropbear-2022.82.tar.bz2
RUN tar xvf dropbear-2022.82.tar.bz2

WORKDIR /dropbear-2022.82

ENV CC=arm-linux-gnueabihf-gcc
# Compile out password authentication: only public-key logins are accepted
ENV CFLAGS="-DDROPBEAR_SVR_PASSWORD_AUTH=0"

# The host triplet must match the toolchain prefix (gnueabihf)
RUN ./configure --host=arm-linux-gnueabihf \
        --disable-zlib \
        --disable-shadow \
        --disable-syslog \
        --disable-lastlog \
        --enable-static
# Build a single multi-call binary containing the server and scp
RUN make PROGRAMS="dropbear scp" MULTI=1

# Strip symbols to shrink the binary before copying it to the router
RUN arm-linux-gnueabihf-strip dropbearmulti

With this Dockerfile we can build the image, create a temporary container from it and copy the resulting binary out of the container into the local folder:

docker build -t dropbear .

id=$(docker create dropbear)
docker cp ${id}:/dropbear-2022.82/dropbearmulti ./
docker rm ${id}

Installing Dropbear

Now that we have a statically linked version of the SSH daemon, we will need to copy it to our target. I accomplished this by using netcat (nc):

On the target

mkdir -p /data/mod/bin
pushd /data/mod/bin

nc -l -p 1234 > dropbearmulti
chmod +x dropbearmulti

ln -s dropbearmulti dropbear
ln -s dropbearmulti scp

On the machine which built Dropbear

nc <ip-of-target> 1234 < dropbearmulti
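Plain nc gives no integrity guarantee: a truncated or corrupted transfer is only noticed when the binary fails to run. The following is an added example, not part of the original post, of a small check to run on the target before marking the received file executable. It assumes sha256sum is available on both sides (BusyBox provides it on many embedded targets) and that the expected digest was computed on the build machine with `sha256sum dropbearmulti` and typed in by hand.

```shell
#!/bin/sh
# Added example (not from the original post): verify a file received via
# nc against a SHA-256 digest computed on the build host, and only then
# make it executable.
set -eu

# sha256_of FILE: print the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_and_install FILE EXPECTED_HEX_DIGEST
# Returns 0 and makes FILE executable if the digest matches; otherwise
# removes the corrupt or partial file and returns 1.
verify_and_install() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        chmod +x "$file"
        return 0
    fi
    echo "digest mismatch for $file: got $actual, expected $expected" >&2
    rm -f "$file"
    return 1
}

# Usage on the target, after `nc -l -p 1234 > dropbearmulti` finished
# (digest value is a placeholder for the one printed on the build host):
#   verify_and_install dropbearmulti <sha256-from-build-host>
```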

This is followed by installing a systemd service which starts the SSH daemon on system boot:

cat > /etc/systemd/system/dropbear.service <<EOF
[Unit]
Description=Dropbear SSH server
After=network.target

[Service]
Type=forking
ExecStart=/data/mod/bin/dropbear -R
PIDFile=/var/run/dropbear.pid

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now dropbear.service

Before you are able to connect to the target, you need to install an authorized_keys file. Password login is not supported, since it was compiled out above.

mkdir -p /home/root/.ssh
cat > /home/root/.ssh/authorized_keys <<EOF
ssh-rsa AAAAB3NzaC1...GaoxPrQ== # replace by your SSH key
EOF

All that remains is a quick test:

ssh root@<ip-of-target>

Disable Telnet daemon

In order to restore the security of the device we must also disable the Telnet daemon. There are in principle two options to achieve this:

  • Reverse the steps from my first blog post via the AT-over-TCP interface.
  • Use the iptables firewall to block access to the Telnet port.

I’ve decided to go for the second option:

cat > /etc/systemd/system/block-telnet.service <<EOF
[Unit]
Description=Block Telnet access
After=network.target

[Service]
# iptables exits right after inserting the rule. With Type=simple the unit
# would count as stopped at that point and ExecStop would remove the rule
# again, so run it as a oneshot that stays active after the command exits.
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables -I INPUT -p tcp --dport telnet -j DROP
ExecStop=/usr/sbin/iptables -D INPUT -p tcp --dport telnet -j DROP

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable --now block-telnet.service

GoSƐ – A terascale file-uploader

GoSƐ is a modern and scalable file-uploader focusing on scalability and simplicity. It is a little hobby project I’ve been working on over the last weekends.

The only requirement for GoSƐ is an S3 storage backend, which allows it to scale horizontally without the need for additional databases or caches. Uploaded files are divided into equally sized chunks which are hashed with an MD5 digest in the browser before upload. This allows GoSƐ to skip chunks which already exist. Seamless resumption of interrupted uploads and storage savings are the consequence.

Both uploads and downloads are always directed straight at the S3 server, so GoSƐ only sees a few small HTTP requests instead of the bulk of the data. Behind the scenes, GoSƐ uses several of the more advanced S3 features like multi-part uploads and pre-signed requests to make this happen.
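The chunk-level de-duplication described above, as an added example that is not GoSƐ's own code: the file is cut into fixed-size chunks and each chunk is hashed, so a server that already holds a chunk with that digest can tell the client to skip it. It assumes POSIX dd and a coreutils or BusyBox md5sum.

```shell
#!/bin/sh
# Added example (not GoSƐ's own code): list the MD5 digest of every
# fixed-size chunk of a file, the identifiers a chunk-based uploader
# would check against the storage backend before transferring data.
set -eu

# chunk_digests FILE CHUNK_BYTES
# Prints one line per chunk: "<chunk-index> <md5-hex>". The last chunk may
# be shorter than CHUNK_BYTES.
chunk_digests() {
    file=$1
    size=$2
    total=$(wc -c < "$file" | tr -d ' ')
    i=0
    while [ $((i * size)) -lt "$total" ]; do
        # dd reads exactly one block of CHUNK_BYTES at offset i*CHUNK_BYTES
        digest=$(dd if="$file" bs="$size" skip="$i" count=1 2>/dev/null \
                 | md5sum | cut -d' ' -f1)
        echo "$i $digest"
        i=$((i + 1))
    done
}

# Usage: chunk_digests ./large-upload.bin 5242880
```

Identical chunks yield identical digests regardless of where they sit in the file, which is what makes resuming an interrupted upload a matter of re-hashing locally and comparing. The digest serves only as a lookup key for de-duplication here; MD5 is not a substitute for an integrity check on the stored data.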

Users have a few options to select between multiple pre-configured S3 buckets/servers or enable browser & mail notifications about completed uploads. A customisable retention / expiration time for each upload is also selectable by the user and implemented by S3 life-cycle policies. Optionally, users can also opt-in to use an external service to shorten the URL of the uploaded file.

Currently a single concurrent upload of a single file is supported. Users can observe the progress via a table of detailed statistics, a progress bar and a chart showing the current transfer speed.

GoSƐ aims at keeping its deployment simple by bundling both front- and backend components in a single binary or Docker image. GoSƐ has been tested with AWS S3, Ceph's RadosGW and Minio. Pre-built binaries and Docker images of GoSƐ are available for all major operating systems and architectures on the release page.

GoSƐ is open-source software licensed under the Apache 2.0 license.


Features

  • De-duplication of uploaded files based on their content-hash
    • Uploads of existing files will complete in no-time without re-upload
  • S3 Multi-part uploads
    • Resumption of interrupted uploads
  • Drag & Drop of files
  • Browser notifications about failed & completed uploads
  • User-provided object expiration/retention time
  • Copy URL of uploaded file to clip-board
  • Detailed transfer statistics and progress-bar / chart
  • Installation via single binary or container
    • JS/HTML/CSS Frontend is bundled into binary
  • Scalable to multiple replicas
    • All state is kept in the S3 storage backend
    • No other database or cache is required
  • Direct up & download to Amazon S3 via presigned-URLs
    • GoSƐ deployment does not see any significant traffic
  • UTF-8 filenames
  • Multiple user-selectable buckets / servers
  • Optional link shortening via an external service
  • Optional notification about new uploads via shoutrrr
    • Mail notifications to user-provided recipient
  • Cross-platform support:
    • Operating systems: Windows, macOS, Linux, BSD
    • Architectures: arm64, amd64, armv7, i386

Roadmap

I consider the current state of GoSƐ to be production ready. Its basic functionality is complete. However, there are still some ideas which I would like to work on in the future:

Also check out the GitHub Issue Tracker for a detailed overview.

noteblok.{de,net,org,dn42}

This is the new logo and name of my blog.

So far there have been only a few personal posts here. Since I would like to keep it that way, I have decided to drop my name from the title. Perhaps the occasional guest post will find its way here as well.

Domains

Along with the new name, the domain has changed as well. The blog is now reachable at noteblok.{de,net,org,dn42}. My personal domain now leads directly to some information about me.

Besides the new domains, all websites/blogs are now also reachable via IPv6 🙂

dn42

In addition, the blog is also reachable over the dn42 darknet. dn42 is a decentralised and dynamic VPN network. It consists of a group of volunteer admins who each establish peer-to-peer connections over VPNs. It therefore builds on top of the existing Internet. With BGP, dn42 also uses the same routing protocol as the Internet.

Together with a few friends, we (/dev/nulll) operate the autonomous system AS 76100 and maintain connections (peerings) with currently 5 other nodes.


Writer's block?!

So, things are moving again here! After a 7-month break, my 3rd semester at RWTH is coming to an end and I would like to write here a bit more regularly again!

The fact that there were no posts here for a long time should not suggest that I had nothing to report 😉 A lot has happened in the past months. Among other things, I have been tinkering with vzlogger and HIDeKey. Starting this semester I am working at the Institut für Mensch-Maschine-Interaktion (Institute for Man-Machine Interaction). There I supervise the microcontroller working group and the Informatik 1 lab course. I have tidied up the blog a bit and now use Amazon CloudFront as a CDN.

In the next posts I would like to introduce Erlang, a functional language for parallel programming, and report on my first experiences with digital circuit design on FPGAs.