clyang

** 僅在全新的Ubuntu 14.04下測試過 **

1. apt-get update && apt-get install golang git mercurial
2. cd && mkdir go
3. 編輯~/.bashrc檔, 把下列兩行加到底端:  vim ~/.bashrc
   export GOPATH=$HOME/go
   export PATH=$PATH:$HOME/go/bin:/usr/local/go/bin
4. source ~/.bashrc
5. go get github.com/google/skicka
6. skicka init

clyang

HOSTNAME="$(hostname)"
HOSTNAME_SHORT="${HOSTNAME%%.*}"
HISTFILE="${HOME}/.history/$(date -u +%Y/%m/%d.%H.%M.%S)_${HOSTNAME_SHORT}_$$"

clyang

(all instruction need root permission)

0. Create a droplet with Ubuntu 14.04 image

1. wget -q -O - http://multipath-tcp.org/mptcp.gpg.key | sudo apt-key add - 

2. vim /etc/apt/sources.list.d/mptcp.list , add line:
  deb http://multipath-tcp.org/repos/apt/debian trusty main

3. apt-get update && apt-get install linux-mptcp

clyang

auto eth0
iface eth0 inet static
  address 198.51.100.87
  netmask 255.255.255.0
  gateway 198.51.100.1
  post-up ip route add 198.51.100.0/24 dev eth0 table 1
  post-up ip route add default via 198.51.100.1 table 1
  post-up ip rule add from 198.51.100.87/32 table 1 priority 100
  post-up ip route flush cache
  pre-down ip rule del from 198.51.100.87/32 table 1 priority 100

clyang

network={
        ssid="MYWEAKLYENCRYPTEDWLAN"
        key_mgmt=NONE
        wep_key0="12345"  # or 13 characters, or a hexkey starting with 0x
        wep_tx_keyidx=0
}

clyang

*** Nginx / Apache / IIS / Tomcat / Postfix / Sendmail / Dovecot / HAProxy使用者請參考 https://weakdh.org/sysadmin.html ***
*** 這邊有現成的tool可以掃 .. https://github.com/GDSSecurity/SSH-Weak-DH ***

這兩天很紅的weak DH的Logjam攻擊也是會影響到ssh key exchange的, 最簡單的解法就是強迫自己的client不用prime-field Diffie-Hellman的key exchange algorithm.

在 .ssh/config 中加上下面設定即可:
Host *
  KexAlgorithms [email protected],ecdh-sha2-nistp256  # 如果你要連到很古老的機器, 那可以多加一個 diffie-hellman-group14-sha1

自己有server也可以在 /etc/ssh/config中加上 `KexAlgorithms [email protected],ecdh-sha2-nistp256` 然後restart ssh server

clyang

configure
edit firewall

edit ipv6-name WAN6_IN
set default-action drop
set rule 10 action accept
set rule 10 description "Allow established/related"
set rule 10 state established enable
set rule 10 state related enable
set rule 20 action drop

clyang

#!/bin/sh

/sbin/ifconfig switch0 | grep -ivE 'fe80' | grep 'inet6' | awk '{print $3}' | while read -r ipv6addr ; do
    echo "Removing $ipv6addr from switch0" >> /tmp/ipv6_remove.log
    /sbin/ip -6 addr del $ipv6addr dev switch0
done
/etc/init.d/radvd restart

clyang

(本操作需要有基本使用vi的能力)
1. ssh登入Edgerouter後, sudo vi /etc/ppp/ip-down.d/remove_invalidv6.sh 貼上下列內容
#!/bin/sh

/sbin/ifconfig switch0 | grep -ivE 'fe80' | grep 'inet6' | awk '{print $3}' | while read -r ipv6addr ; do
    echo "Removing $ipv6addr from switch0" >> /tmp/ipv6_remove.log
    /sbin/ip -6 addr del $ipv6addr dev switch0
done
/etc/init.d/radvd restart

clyang

http://download.xs4all.nl/test/10GB.bin
http://ftp.iinet.net.au/test500MB.dat
http://lg-tor.fdcservers.net/10GBtest.zip
http://lg.ams2-c.fdcservers.net/10GBtest.zip
http://lg.chi2-c.fdcservers.net/10GBtest.zip
http://lg.den2-c.fdcservers.net/10GBtest.zip
http://lg.fra2-c.fdcservers.net/10GBtest.zip
http://lg.la2-c.fdcservers.net/10GBtest.zip
http://lg.lon-c.fdcservers.net/10GBtest.zip
http://lg.mad-c.fdcservers.net/10GBtest.zip