Geeksters #150 – Sesquicentennial

Direct MP3 Download: Geeksters #150 – Sesquicentennial


Martin Obando, Tim Bowermeister, and Mitch Haman talk about computer repair

Episode 150 Show Notes

Title — Sesquicentennial

Hosts:

Tim Bowermeister
Mitch Haman
Martin Obando

http://sourceforge.net/p/clonezilla/news/

* Lenovo admits security issues with Superfish, releases removal tool
http://www.zdnet.com/article/lenovo-admits-security-issues-with-superfish-releases-removal-tool/
http://www.gfi.com/blog/its-time-for-devices-not-to-ship-with-unwanted-risky-software/
http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html
https://www.grc.com/sn/SN-496-Notes.pdf
https://filippo.io/Badfish/

* Truecrypt Phase Two Audit Announced
https://cryptoservices.github.io/fde/2015/02/18/truecrypt-phase-two.html

* A deeper look at Outlook for iOS and Android
http://blogs.office.com/2015/01/29/deeper-look-outlook-ios-android/

*********************
E-mail

Good evening Martin,

I was just listening to the last Geeksters show.  After a little thought, here is how I would solve your problem with selectively blocking traffic on port 53.

1. Choose compatible routers and install DD-WRT.
2. Modify the tables with iptables commands on the command line to block port 53, with exceptions for specific devices.
3. After testing, save it as a startup script so that a reboot of the router won’t clear the rules.

This should only cost you about fifty to sixty dollars per device, though Trendnet has a DD-WRT compatible device for just over one hundred dollars. Below are a few links that may be useful.

Here is a link describing the DD-WRT iptables commands.
http://www.dd-wrt.com/wiki/index.php/Iptables_command

Link for DD-WRT startup scripts
http://www.dd-wrt.com/wiki/index.php/Startup_Scripts

Trendnet wireless router  http://www.trendnet.com/store/products/proddetail.asp?prod=100_TEW-811DRU&cat=35

Buffalo router
http://www.newegg.com/Product/Product.aspx?Item=N82E16833162086&nm_mc=KNC-GoogleAdwords-PC&cm_mmc=KNC-GoogleAdwords-PC-_-pla-_-Wireless+Routers-_-N82E16833162086&gclid=COuHoL6o7cMCFRBffgodkW0AmQ&gclsrc=aw.ds

This should work for you. Hope it helps. If you need a device for testing I have one that I can send you (D-Link DIR-632). Let me know if I can be of any help.

Cheers,

Tim

***************
Hello Geeksters,

I have been listening to episode 149 and have had to deal with the same problem as the IT guy at a public library that Martin was having with open wifi access and OpenDNS. I have a few possible solutions for you.

You can totally lock down your DNS through the firewall on pfSense (open source FreeBSD based router appliance). This software doesn’t require much in the way of hardware specs, but for best performance I would try to get a couple of Intel NICs.

What I did here was as you described: locking down port 53 to only allow the OpenDNS IPs through. Also, under Services->Dynamic DNS one of the options you can select is OpenDNS, so I’m guessing that this will update your external IP once you’ve put your username and password in.

A couple of other things to watch out for: you’ll probably want to block ports 6881:6999 to stop other BitTorrent traffic, because even with DNS locked down, if someone has started a torrent elsewhere they are able to resume torrenting w/o DNS at that point.

I have created a specific pool of addresses that I call my “wifi-prison” for repeat offenders. When I get a repeat offender I temporarily block their connecting to the wifi AP by blocking their MAC address.

Then I assign a static DHCP mapping based on their MAC address that assigns them an IP in the “wifi-prison” range. I then block all traffic for addresses in that range. Once I have assigned the static mapping I can clear the block on the AP (this is nice b/c most APs only allow you to block a few MAC addresses at a time). It works pretty well. It’s not foolproof, but it will keep most people at bay.

If you didn’t want another box you could look at getting a Buffalo wifi router that comes with DD-WRT as its firmware. I’ve heard that the firmware it comes with is a little dumbed down, but you can flash them with the full DD-WRT. The models that work are listed here: http://www.dd-wrt.com/site/support/router-database (search for “Buffalo”). I’m willing to bet that these will also lock down the firewall like you’re wanting.

DD-WRT also has a new feature called Optware (http://www.dd-wrt.com/wiki/index.php/Optware); these are additional programs that you can run right on the router. One of these programs is ddclient, which will report the external IP to OpenDNS. I would try to get the Buffalo router with the most internal memory if you want to go down this route.

A final option would be to bypass Optware and just use the ddclient software on a Raspberry Pi attached to the network.

Hopefully some of the suggestions help! 🙂

Ron
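Putting Tim’s three steps and Ron’s port-53 lockdown into one DD-WRT style startup script, as an added example (not code from either e-mail): LAN clients may reach port 53 only on the OpenDNS resolvers, listed devices are exempt, the BitTorrent range Ron mentions is dropped, and every other port-53 packet is logged and dropped. It assumes `br0` as the DD-WRT LAN bridge and the public OpenDNS resolver addresses, and the exempt device addresses and the `DNS_LOCK` chain name are constructed for the example; `DRY_RUN=1` prints the rules instead of applying them so they can be reviewed before being saved as a startup script.

```shell
#!/bin/sh
# Added example (not from the listeners' e-mails): DD-WRT style firewall
# startup script that lets LAN clients reach port 53 only on approved
# resolvers, exempts listed devices, drops BitTorrent ports and logs drops.
# With DRY_RUN=1 the iptables commands are printed instead of executed.

LAN_IF="${LAN_IF:-br0}"                                   # DD-WRT LAN bridge (assumption)
RESOLVERS="${RESOLVERS:-208.67.222.222 208.67.220.220}"   # public OpenDNS resolvers
EXEMPT_HOSTS="${EXEMPT_HOSTS:-192.168.1.10 192.168.1.11}" # constructed LAN IPs (e.g. staff PCs)
TORRENT_PORTS="${TORRENT_PORTS:-6881:6999}"               # range named in Ron's e-mail

# run: execute an iptables command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# dns_lockdown_rules: build a dedicated DNS_LOCK chain so rule order is
# explicit: exempt hosts and approved resolvers RETURN (allowed), everything
# else is rate-limited into the log and dropped. FORWARD hands only port-53
# traffic arriving from the LAN to that chain.
dns_lockdown_rules() {
    run iptables -N DNS_LOCK          # fails harmlessly if the chain already exists
    run iptables -F DNS_LOCK
    for host in $EXEMPT_HOSTS; do
        run iptables -A DNS_LOCK -s "$host" -j RETURN
    done
    for ip in $RESOLVERS; do
        run iptables -A DNS_LOCK -d "$ip" -j RETURN
    done
    run iptables -A DNS_LOCK -m limit --limit 6/min -j LOG --log-prefix "DNS-BLOCK "
    run iptables -A DNS_LOCK -j DROP
    for proto in udp tcp; do          # DNS uses both; TCP carries large answers
        run iptables -A FORWARD -i "$LAN_IF" -p "$proto" --dport 53 -j DNS_LOCK
    done
    # Ron's point: a torrent already started keeps going without DNS, so the
    # common client port range is dropped as well.
    for proto in tcp udp; do
        run iptables -A FORWARD -i "$LAN_IF" -p "$proto" --dport "$TORRENT_PORTS" -j DROP
    done
}

# Usage: sh dns_lock.sh apply   (as the saved DD-WRT startup script)
#        sh dns_lock.sh         (dry run: print the rules for review)
if [ "${1:-}" = "apply" ]; then dns_lockdown_rules; else DRY_RUN=1; dns_lockdown_rules; fi
```

Clients that resolve through the router’s own dnsmasq are not affected by these FORWARD rules (that traffic is INPUT), so point the router’s upstream DNS at the same resolvers; the `DNS-BLOCK` log lines show which LAN hosts are trying other resolvers.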
***************
Hi Martin,

Can you pass this on to Mitch and Tim. Just listened to Show #149.

I would recommend a Mikrotik RouterBOARD for your DNS issue, something like a

http://routerboard.com/RB750

These are fully feature-packed router/firewalls just like a Cisco firewall/router. You can do firewall rules on them, NAT, DHCP, VPN, routing, and some come with wifi as well.

More can be found out about RouterOS at: http://download2.mikrotik.com/what_is_routeros.pdf

It can be configured by command line or a nice little program called Winbox (sorry, it is only Windows software, but I have heard of people running it under Wine).

It has a fully fledged firewall so you could block DNS requests except for OpenDNS; it just takes a bit of getting your head round how the policies work on the router, but if you have done any iptables/forwarding in Linux you should be able to pick it up quickly. There are loads of resources and a great Mikrotik forum on the web.

I don’t know if your ISP lets you turn the ISP router into a modem, so you can configure the Mikrotik as a PPPoE client and present the static public IP address on one of the Mikrotik interfaces; if not, you would have to configure some kind of double NAT.

Even better, it looks like you can configure the Mikrotik so that if it sees any DNS request coming through the router it will redirect it to OpenDNS for you!!

http://forum.mikrotik.com/viewtopic.php?t=53062
http://wiki.mikrotik.com/wiki/Force_users_to_use_specified_DNS_server

Hope this helps

Al

******************

geeksters@podnutz.com

To send a voicemail call 707-6PODNUT (707-6763688)

www.facebook.com/geeksters.tv

To support Podnutz please use the following links, and remember you don’t pay any extra for using the links!


Podnutz Amazon link (http://www.podnutz.com/amazon)

Podnutz Newegg link (http://www.podnutz.com/newegg)

Podnutz Ebay (http://www.podnutz.com/ebay)

Podnutz Deals (http://www.podnutz.com/deals)

Podnutz Clothing (http://www.podnutz.com/clothing)