Sunday, March 16, 2014

Redirect HTTP for Blocked Customers on Mikrotik

One common question I see on forums and other places is how you can use Mikrotik to redirect non-paying users to a “pay me now” page.  This tutorial will cover one of the methods that you can use to accomplish this seemingly confusing function.

The easiest method to accomplish this function is using the web proxy (in transparent mode).  We will use an address list to keep a list of users who will be redirected.  If you are using PPPoE, you can just as easily create a profile for disconnected users that pulls IP addresses from a pool of addresses that will be redirected.  This approach is much easier for PPPoE users for whom you currently provide dynamic IP addresses.

So first, let’s look at creating the address list.  This is very easily done via command line as follows:

/ip firewall address-list

add disabled=no list=disconnected address=10.10.10.10 comment="disconnected user 1"

add disabled=no list=disconnected address=10.10.1.22 comment="disconnected user 2"

It’s as easy as that.  As you can see, there are 2 addresses being added to the list we will later use to redirect to the proxy server.  If you are running PPPoE server and wish to create a pool of addresses to redirect, you first need to create the pool as follows:


/ip pool

add name=disconnected-pool ranges=10.10.10.1-10.10.10.253


Then, you create the profile as follows:


/ppp profile

add name=disconnected local-address=10.10.10.254 remote-address=disconnected-pool

Once this profile is created, you simply change the user you wish to disconnect to use the profile called “disconnected”.  How you accomplish that is dependent upon whether you use the local database of users (/ppp secrets) or RADIUS.  It is beyond the scope of this tutorial to discuss how to do this in a RADIUS server, as there are a number of server platforms and each will have its own unique methods.

At this point, you should build the web page that you want users to see.  It is very important that you pay careful attention to securing the proxy.  I recommend securing the proxy both by web proxy configuration AND ensuring nothing gets past by using IP Firewall Filters (not covered in this tutorial).  Here is the configuration for web-proxy:


/ip proxy set enabled=yes port=8080

/ip proxy access
add action=allow disabled=no dst-host=www.example.com dst-port=80
add action=deny disabled=no dst-port=80 \
  redirect-to=www.example.com/nonpayers.html
add action=deny disabled=no

This configuration sets the proxy to operate on port TCP/8080.  Additionally, any user redirected to this proxy will have their port tcp/80 traffic redirected to the page www.example.com/nonpayers.html.  The line that allows access to www.example.com is there in order to permit the loading of images from that server by the proxy clients.  The final rule denies ALL other access to the proxy.  As stated earlier, you will want to add the firewall filters to further secure the proxy, but this is the only configuration that is necessary.  Also, you will need to alter the above configuration to point to the page you created and wish users to see.

Finally, the only remaining configuration is to actually redirect users to the proxy and corral their traffic.  We do this in the firewall under filters to corral the traffic and under nat to redirect.  Let’s look at the filter first:


/ip firewall filter

add chain=disconnected protocol=udp dst-port=53 action=accept comment="Users need DNS to work"
add chain=disconnected protocol=tcp dst-port=80 action=accept comment="We need port 80 to work"
add chain=disconnected action=drop comment="NOTHING ELSE for disconnected users"
add chain=forward src-address-list=disconnected action=jump jump-target=disconnected \
  comment="Redirect disconnected users to the disconnected chain"

If you are redirecting users from the PPPoE pool INSTEAD of disconnected address list, then replace “src-address-list=disconnected” with “src-address=10.10.10.0/24” (assuming you are using the same pool I described above) in that last command.  These commands will permit ONLY port 80, the default http port, to function for these users.  Additionally, we permit their DNS to work, as this is necessary for them to access any web pages.  If you look under IP->Firewall->Filter (in winbox), you should be able to drag that last rule to the top of the list.  Be certain you don’t alter the order of the other rules in the disconnected chain.

Finally, all that’s left is to actually perform the redirect.  As I stated earlier, this is done in NAT.  Specifically, it is dst-nat.  The rule looks like this:


/ip firewall nat

add chain=dstnat protocol=tcp dst-port=80 src-address-list=disconnected action=redirect to-ports=8080

Again, replace the src-address-list argument with the src-address as in the forward chain if you need to.  This rule will send all http (tcp port 80) traffic from users in the disconnected address list to the proxy.  The proxy is configured to “deny all activity from users by redirecting them to your nonpayers.html page”.  The end result is users will see your nonpay page no matter WHAT they try to view in their browser.  It should be noted that if the user has an SSL page (https) as their home page, they will get an error in their browser, since we are dropping all traffic except tcp port 80.
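
The tutorial leaves the firewall rules that protect the proxy out of scope. The shell script below is an added example, not part of the original post: it audits a RouterOS "/export" file for a web proxy that is enabled without input-chain protection. Traffic hit by action=redirect is delivered to the router itself, so the rules that matter sit in chain=input at the proxy port. The sample exports and the two input rules are constructed for illustration, and the script assumes one rule per line.

```shell
# proxy_port FILE: print the web proxy port if the proxy is enabled.
proxy_port() {
    awk '
        $0 == "/ip proxy" { sec = 1; next }
        /^\// && !/^\/ip proxy set / { sec = 0; next }
        (sec && $1 == "set" || /^\/ip proxy set /) && /enabled=yes/ {
            port = 8080                      # RouterOS default proxy port
            for (i = 1; i <= NF; i++) if ($i ~ /^port=/) port = substr($i, 6)
            print port
        }' "$1"
}

# audit_proxy FILE: return 0 if the proxy is off, or if chain=input accepts its
# port from a source list/address and then drops it for everyone else.
audit_proxy() {
    port=$(proxy_port "$1")
    if [ -z "$port" ]; then echo "proxy disabled"; return 0; fi
    if awk -v want="dst-port=$port" '
        $0 == "/ip firewall filter" { sec = 1; next }
        /^\//                       { sec = 0 }
        sec && /chain=input/ && /protocol=tcp/ {
            hit = 0
            for (i = 1; i <= NF; i++) if ($i == want) hit = 1
            if (hit && /action=accept/ && /src-address/) allow = 1
            if (hit && /action=drop/ && !/src-address/ && allow) drop = 1
        }
        END { exit !drop }' "$1"
    then echo "tcp/$port: restricted on chain=input"; return 0; fi
    echo "tcp/$port: REVIEW, no port-specific accept-then-drop on chain=input"
    return 1
}

# Constructed exports: the tutorial's rules alone, then with two input rules.
tmp=$(mktemp -d)
cat > "$tmp/weak.rsc" <<'EOF'
/ip proxy
set enabled=yes port=8080
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 src-address-list=disconnected action=redirect to-ports=8080
EOF
cp "$tmp/weak.rsc" "$tmp/hardened.rsc"
cat >> "$tmp/hardened.rsc" <<'EOF'
/ip firewall filter
add chain=input protocol=tcp dst-port=8080 src-address-list=disconnected action=accept
add chain=input protocol=tcp dst-port=8080 action=drop
EOF
audit_proxy "$tmp/weak.rsc" || true
audit_proxy "$tmp/hardened.rsc"
```

A router protected only by a catch-all input drop is reported as REVIEW, because the check looks for rules that name the proxy port.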

Thursday, February 6, 2014

Setup SYSLOG with LogAnalyzer on Ubuntu Server

In this post I will cover:
1) Setting up a syslog server to log messages from local and remote sources.
2) Setting up a GUI front end showing syslog items.
I’ve done this on Ubuntu Server 12.04.
First we need to get some items loaded. We will load these right from the repository.
apt-get update
apt-get install build-essential apache2 php5 php5-gd libapache2-mod-php5 mysql-server php5-mysql rsyslog
Edit /etc/rsyslog.conf and uncomment or add the following. This will set the server to accept inbound syslog messages on UDP port 514.
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Next, since the log analyzer runs on php, we need to tell apache how to handle php pages. Edit /etc/apache2/apache2.conf and add in the following item underneath “DefaultType None”
DefaultType text/plain
Addtype application/x-httpd-php .php
Note: If this step is not done properly, you will get a message when loading the syslog web page prompting you to save the file instead of Apache displaying the file.
Now on to the LogAnalyzer.
Download the latest log analyzer from the adiscon web site at http://loganalyzer.adiscon.com/downloads
cd /opt
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz
Unzip and extract the file.
gunzip loganalyzer-3.6.5.tar.gz 
tar -xvf loganalyzer-3.6.5.tar 
Copy the LogAnalyzer /src/ folder to the Apache www root or subfolder, copy the install script, make executable, and run the install scripts. It’s important to run the configure script from the same directory that will hold the syslog php files.
mkdir /var/www/syslog
cp -r /opt/loganalyzer-3.6.5/src/* /var/www/syslog
cp -r /opt/loganalyzer-3.6.5/contrib/*.sh /var/www/syslog
chmod +x /var/www/syslog/*.sh
cd /var/www/syslog/
./configure.sh
Grant Apache access to syslog.
usermod -a -G adm www-data
Use a web browser to hit the new web service at http://syslogserverip/syslog/index.php. The page will show a message stating the service is not configured. Follow the steps to set up your syslog front end.

Thursday, October 24, 2013

Fix Incorrect Clock Settings in Windows When Dual-Booting with OS X or Linux

If you dual boot your Windows PC with OS X or Linux, you may have experienced a problem in which your clocks reset themselves incorrectly every time you boot into Windows. Here's a simple registry edit to fix that.
Essentially, the incorrect clock setting happens because OS X and Linux use GMT time while Windows tries to synchronize with your local time zone, getting confused when you reboot between the two. Apple's own Boot Camp drivers for Windows are supposed to fix this problem, though some users have noticed that it still happens even with the drivers installed, and some Linux users are left out in the cold. Furthermore, if you have a Hackintosh, you can't install the Boot Camp drivers, so you'll need to find another way around the problem.
To fix it, just hit Start and type regedit.exe in the search box. Hit Enter and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation. Right click anywhere in the right pane and hit New > DWORD (32-bit) Value. Name it RealTimeIsUniversal, then double click on it and give it a value of 1.
Lastly, reboot into OS X, then reboot back into Windows. You should now notice that your clock actually displays the correct time.

Thursday, September 12, 2013

Switching from IDE to AHCI mode AFTER Windows 7 Installation

I am receiving a lot of emails from users who installed Windows 7 in IDE mode and then realize they need AHCI mode for faster HDD performance. Once you enable that in the BIOS during Windows 7 boot up, the OS will crash.

The common question is: is there a fix for this?

To answer that question (and I do this safely with all Intel ICHR9/10 chipsets) there is a way to safely enable AHCI mode. Here we go:

1. Start up "Regedit"
2. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
3. Open msahci 
4. In the right field left click on "start" and go to Modify 
5. In the value Data field enter "0" and click "ok"
6. exit "Regedit" 
7. Reboot PC and enter BIOS

In your BIOS change SATA Mode to AHCI from IDE.

Now boot into Windows 7; the OS will recognize AHCI and install the devices. The system then needs one more reboot and voilà, enjoy the improved HDD performance.

Sunday, August 18, 2013

Create Windows To Go on any edition of Windows 8

1. Launch an administrative level command prompt.

2. Make sure that your USB Drive is plugged in and then type in diskpart and hit Enter. 

3. List the available disks by running "list disk" and you should see your usb device.

4. Select your USB drive by typing "select disk #" and hit Enter. For example, “select disk 3”.

5. Clean the partitions on the disk by typing "clean" and hit Enter.

6. Now create the boot partition by running the following command:

create partition primary size=350

7. Now create the OS partition by running the following command to create a partition taking up all remaining space:

create partition primary

8. The boot partition needs to be formatted, marked active and assigned a drive letter. Run the following commands:

select partition 1
format fs=fat32 quick
active
assign letter=b

(if the b drive letter is already in use on your PC, substitute a different letter and replace b with your letter throughout the rest of this guide)

9. The same must be done for the OS partition, with slightly different commands:

select partition 2
format fs=ntfs quick
assign letter=o

(if the o drive letter is already in use on your PC, substitute a different letter and replace o with your letter throughout the rest of this guide)

10. Exit Diskpart by typing Exit.

11. Extract the install.wim file from the \sources\ directory of the Windows 8 install ISO to c:\wim\. On Windows 8 you can just double click an ISO to mount and then browse it.

12. Use DISM to deploy the Windows 8 files to the OS partition of the USB device by running:

dism /apply-image /imagefile:c:\wim\install.wim /index:1 /applydir:o:\

13. The boot manager needs to be installed on the boot partition with the help of the bcdboot utility. Run the following command:

o:\windows\system32\bcdboot o:\windows /f ALL /s b:

14. Reboot your computer and test your new Windows 8 To Go device built on Windows 8. Make sure the PC is configured to boot to USB before your local hard drive.


Credit: Steve Sinchak

Sunday, May 12, 2013

Configure Squid to block HTTP request to specific web sites


This article shows the steps to configure the Squid proxy server to block clients from accessing specific web addresses (URL blocking).  Open and edit the Squid configuration file, which is usually located at /etc/squid/squid.conf.

1.  Find the ACCESS CONTROLS part and add the line ( acl bad_url dstdomain "/etc/squid/bad-sites.squid" ) as shown in the example below.

# ACCESS CONTROLS
#Examples

#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
#acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 2083 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 2083 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl FTP proto FTP
acl bad_url dstdomain "/etc/squid/bad-sites.squid"

2.  Then put the line (http_access deny bad_url) in the http_access part.

# TAG: http_access
# Allowing or Denying access based on defined access lists
#
# Access to the HTTP port:
# http_access allow|deny [!]aclname ...
#
# NOTE on default values:
#
# If there are no "access" lines present, the default is to deny
# the request.
#
# If none of the "access" lines cause a match, the default is the
# opposite of the last line in the list. If the last line was
# deny, the default is allow. Conversely, if the last line
# is allow, the default will be deny. For these reasons, it is a
# good idea to have an "deny all" or "allow all" entry at the end
# of your access lists to avoid potential confusion.
#
#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
http_access deny bad_url

3.  Then save and exit the Squid configuration file.

4.  Create a new file called bad-sites.squid and enter the domains of the sites that clients are not supposed to access, as in the listing below, then save and exit the file:

[root@cempakasari ~]# cat /etc/squid/bad-sites.squid
...
.fanfiction.net
.meebo.com
.playboy.com
.myspace.com
[root@cempakasari ~]#

5.  Restart or reload the Squid proxy server so that the new configuration takes effect.

RESTART:
[root@linux fedora]# /sbin/service squid stop
[root@linux fedora]# /sbin/service squid start

RELOAD:
[root@linux fedora]# /sbin/service squid reload

6.  Then point the browser to a site that you put in the bad site list to verify the changes that you made. If nothing goes wrong, you should see the ERROR page that says "The requested URL could not be retrieved".
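
A dstdomain list takes domain names rather than full URLs, and a leading dot makes an entry cover the domain and every subdomain, while an entry without the dot matches only that exact host. The shell script below is an added example, not part of the original article: it lints a list file before a reload and shows which hosts the list would deny. The function names, the mistakes in the second list and the test hosts are constructed; entries are assumed to be lower case.

```shell
# lint_dstdomain FILE: report entries that dstdomain cannot use; return 1 if any.
lint_dstdomain() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # comments and blank lines
        /\//           { printf "%s:%d: URL or path, expected a domain: %s\n", FILENAME, NR, $0; bad = 1; next }
        $0 !~ /^\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$/ {
            printf "%s:%d: not a domain name: %s\n", FILENAME, NR, $0; bad = 1 }
        END { exit bad + 0 }' "$1"
}

# is_blocked HOST FILE: succeed if HOST matches an entry the way dstdomain does:
# ".example.com" covers example.com and all subdomains, "example.com" only itself.
is_blocked() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in
            ''|'#'*) continue ;;
            .*) if [ "$host" = "${entry#.}" ]; then return 0; fi
                case "$host" in *"$entry") return 0 ;; esac ;;
            *)  if [ "$host" = "$entry" ]; then return 0; fi ;;
        esac
    done < "$2"
    return 1
}

# Constructed lists: the article's entries, then one with typical mistakes.
sq=$(mktemp -d)
printf '%s\n' .fanfiction.net .meebo.com .playboy.com .myspace.com > "$sq/good"
printf '%s\n' .myspace.com http://www.meebo.com/ 'play boy.com' > "$sq/bad"
lint_dstdomain "$sq/good" && echo "good list is clean"
lint_dstdomain "$sq/bad" || echo "bad list needs fixing"
for h in myspace.com www.myspace.com notmyspace.com; do
    if is_blocked "$h" "$sq/good"; then echo "$h: denied"; else echo "$h: allowed"; fi
done
```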

Monday, January 28, 2013

My Experience with Lifebushido

Lifebushido is a company that offers Virtual Assistance jobs to those who look for genuine work-from-home assignments. I first heard about this company from a classified website. Using the information provided on the website, I applied for a job and they mailed me details for the further recruitment process. It was about one month and one week ago that I applied for a job. My first communication with Lifebushido started on 12/12/12. They have a unique application process. I uploaded my application and resume to the given portal site, Quickbase.com. Lifebushido has tied up with Quickbase.com for managing prospective applicants' application data and other relevant information online.

After a few weeks, I received a mail from Lifebushido explaining the application process and the tasks that I need to complete to take my application to the next level. These tasks are assigned to new applicants only, and take about 5 hours to complete. During the same time, I received my next mail from them, which explained the Lifebushido Triangle process and its importance. I was also informed that once these tasks were completed, the applicants would be given another set of tasks and then eventually would be taken to the next level of the process and finally to the Lifebushido Triangle.

So far, I have completed most of the first set of tasks that have been assigned to me. I get a response on each task that I complete and they update me with details. I came to know that Lifebushido offers a variety of Virtual Assistance assignments online for people who want to do part-time work from home. I look forward to a very fruitful association with this company and a rewarding career ahead.