HOWTO: Properly install native VMware Tools in pfSense 2.0.3 (FreeBSD 8.1)


If you’re anything like me, you take security seriously. With all the recent news about the NSA, PRISM and surveillance over-reach, you’ll take it very seriously. I run several layers of nested firewalls, VPNs and other security controls at my office.

One of the things I run in a virtualized environment (VMware ESXi) is pfSense. pfSense is an open-source firewall distribution based on FreeBSD. It’s very full-featured, has a web management console, and offers lots of add-on packages to extend its capabilities.

“pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a single computer to large corporations, universities and other organizations protecting thousands of network devices.”

pfSense 2.0.3 is built on FreeBSD 8.1, which the FreeBSD project EOL’d last July (July 2012). The pfSense team is diligently working on newer releases, but they’re not out yet. For now you can continue to use FreeBSD 8.1, bearing in mind that an EOL base system receives no further security fixes.

If you run pfSense inside a VM, you’ll want the base VMware Tools installed in it, but the process isn’t straightforward. Install the VMware Tools dependencies and core modules before installing anything else, so you don’t run into package conflicts and other trouble later.

I’ve been writing a lot of posts about VMware lately, because I’m finding myself using it more and more, and I’m teaching myself how to use it in a higher-volume capacity.

Here’s how to install pfSense and immediately get the correct version of VMware Tools installed in it (VMware’s own kit, not the open-source open-vm-tools / open-vm-toolbox packages).

Let’s get started:

  1. First, create a new VM and attach your pfSense ISO to it, using whatever mechanism your hypervisor of choice provides. Boot it, and install pfSense into your VM. This part is easy and straightforward.
  2. Once fully installed, shut down (power off) your VM and detach the ISO so it no longer boots from it, but keep the CD/DVD device configured for the VM; you’ll use it again in a moment.
  3. Boot your pfSense VM back up, configure networking (in my case the NIC was em0), and you’ll get to a screen that looks something like this:
    pfSense 2.0.3 console main menu (screenshot)

  4. From here, the first thing to do is change the root password. Hit (8) to drop to a shell and use the standard passwd(1) utility; once changed, hit ^D (Control-D) to exit and return to the pfSense main menu. Note that pfSense keeps the root password in sync with the webConfigurator admin account, so change the admin password in the web GUI as well, otherwise the next account sync can put the old root password back.
  5. Next, start sshd so you can log into the VM remotely and manage it from a normal Windows, Mac or Linux terminal instead of the VMware ESXi console used in this example. Hit (14) to enable the SSH shell.
  6. In the previous screenshot, directly to the left of the (DHCP) part, is the IP address of the pfSense server. SSH to it now as root, from whatever terminal you prefer:
    $ ssh root@192.168.1.50
  7. Once SSH’d into pfSense remotely, set the PACKAGESITE environment variable so the package tools fetch from the 8.1-release package directory on the FreeBSD archive server rather than from the primary ftp.freebsd.org site, which no longer carries FreeBSD 8.1 packages now that the release is EOL. (pfSense’s root shell is tcsh, hence setenv.) Be aware of what this means: pkg_add -r fetches over plain HTTP with no signature or checksum verification, from an archive of packages that receive no security fixes. If that matters in your environment, fetch the .tbz files yourself, compare them against checksums from a source you trust, and install them from the local files.
  8. [2.0.3-RELEASE][root@pfSense.localdomain]/root(1): setenv \
    PACKAGESITE \
    http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/

    Here’s what happens if you don’t set this variable:

    [2.0.3-RELEASE][root@pfSense.localdomain]/root(3): pkg_add -rv wget
    looking up ftp.freebsd.org
    connecting to ftp.freebsd.org:21
    Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/wget.tbz: 
    File unavailable (e.g., file not found, no access)
    pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8.1-release/Latest/wget.tbz' by URL
    pkg_add: 1 package addition(s) failed

    Once the variable points at the archive site, the same command succeeds:

    [2.0.3-RELEASE][root@pfSense.localdomain]/root(5): pkg_add -rv wget
    looking up ftp-archive.freebsd.org
    connecting to ftp-archive.freebsd.org:80
    requesting http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/wget.tbz
    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/wget.tbz...x +CONTENTS
    x +COMMENT
    x +DESC
    x +MTREE_DIRS
    x man/man1/wget.1.gz
    x bin/wget
    ...
  9. Now that we know the archive site holding the 8.1-RELEASE packages is reachable, fetch the two packages VMware Tools needs: compat6x-amd64 (the FreeBSD 6 compatibility libraries the VMware Tools binaries require) and perl (the installer and configuration scripts are Perl). If you installed the 32-bit (i386) pfSense image, use the i386 package path in PACKAGESITE and install compat6x-i386 instead.
    [2.0.3-RELEASE][root@pfSense.localdomain]/root(6): pkg_add -r compat6x-amd64 perl 
    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/compat6x-amd64.tbz... Done.
    
    *******************************************************************************
    *                                                                             *
    * Do not forget to add COMPAT_FREEBSD6 into                                   *
    * your kernel configuration (enabled by default).                             *
    *                                                                             *
    * To configure and recompile your kernel see:                                 *
    * http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig.html *
    *                                                                             *
    *******************************************************************************
    
    Fetching http://ftp-archive.freebsd.org/pub/FreeBSD-Archive/ports/amd64/packages-8.1-release/Latest/perl.tbz... Done.
    Removing stale symlinks from /usr/bin...
        Skipping /usr/bin/perl
        Skipping /usr/bin/perl5
    Done.
    Creating various symlinks in /usr/bin...
        Symlinking /usr/local/bin/perl5.10.1 to /usr/bin/perl
        Symlinking /usr/local/bin/perl5.10.1 to /usr/bin/perl5
    Done.
    cd: can't cd to /usr/include
    Cleaning up /etc/make.conf... Done.
    Spamming /etc/make.conf... Done.
    Cleaning up /etc/manpath.config... Done.
    Spamming /etc/manpath.config... Done.
    
  10. Now mount the VMware Tools ISO for FreeBSD. This is the step I mentioned earlier, and why the CD/DVD device stayed configured on this VM. In ESXi, do this from the console by right-clicking the VM, going to Guest and then “Install VMware Tools”, as shown here:
    Installing VMware tools in pfSense 2.0.3

  11. Now that the ISO is attached to the VM, mount it and extract the VMware tarball it contains:
    [2.0.3-RELEASE][root@pfSense.localdomain]/root(8): mkdir /tmp/cdrom/
    [2.0.3-RELEASE][root@pfSense.localdomain]/root(9): mount_cd9660 /dev/acd0 /tmp/cdrom/
    [2.0.3-RELEASE][root@pfSense.localdomain]/root(10): cd /tmp/cdrom/
    [2.0.3-RELEASE][root@pfSense.localdomain]/tmp/cdrom(11): ls -l
    total 15030
    -r--r--r--  1 root  wheel        29 Mar 23 15:02 manifest.txt
    -r--r--r--  1 root  wheel  15390306 Mar 23 15:02 vmware-freebsd-tools.tar.gz
    [2.0.3-RELEASE][root@pfSense.localdomain]/tmp/cdrom(12): tar zxvf vmware-freebsd-tools.tar.gz -C /tmp/ 
    
  12. Now cd into /tmp/vmware-tools-distrib and run the installer, telling it to replace the in-tree kernel modules with VMware’s versions (that is what the --clobber-kernel-modules options do). For the most part you can accept the defaults; read the questions carefully if you need something custom.
    [2.0.3-RELEASE][root@pfSense.localdomain]/tmp/vmware-tools-distrib(14): ./vmware-install.pl --clobber-kernel-modules=vmci    \
                      --clobber-kernel-modules=vsock   \
                      --clobber-kernel-modules=vmxnet3 \
                      --clobber-kernel-modules=pvscsi  \
                      --clobber-kernel-modules=vmmemctl
    Creating a new VMware Tools installer database using the tar4 format.
    
    Installing VMware Tools.
    
    In which directory do you want to install the binary files? 
    [/usr/local/bin] 
    
    In which directory do you want to install the startup script? 
    [/usr/local/etc/rc.d] 
    
    In which directory do you want to install the daemon files? 
    [/usr/local/sbin] 
    
    In which directory do you want to install the library files? 
    [/usr/local/lib/vmware-tools] 
    
    The path "/usr/local/lib/vmware-tools" does not exist currently. This program 
    is going to create it, including needed parent directories. Is this what you 
    want? [yes] 
    
    In which directory do you want to install the documentation files? 
    [/usr/local/share/doc/vmware-tools] 
    
    The path "/usr/local/share/doc/vmware-tools" does not exist currently. This 
    program is going to create it, including needed parent directories. Is this 
    what you want? [yes] 
    
    The installation of VMware Tools 9.0.5 build-1065307 for FreeBSD completed 
    successfully. You can decide to remove this software from your system at any 
    time by invoking the following command: 
    "/usr/local/bin/vmware-uninstall-tools.pl".
    
    Before running VMware Tools for the first time, you need to configure it by 
    invoking the following command: "/usr/local/bin/vmware-config-tools.pl". Do you
    want this program to invoke the command for you now? [yes] 
    
    Initializing...
    
    
    Making sure services for VMware Tools are stopped.
    
    Stopping VMware Tools services in the virtual machine:
       Guest operating system daemon:                                      done
    
    
    The vmblock enables dragging or copying files between host and guest in a 
    Fusion or Workstation virtual environment.  Do you wish to enable this feature?
    [no] 
    
    No X install found.
    
    Starting VMware Tools services in the virtual machine:
       Switching to guest configuration:                                   done
       Guest memory manager:                                               done
       Guest operating system daemon:                                      done
    The configuration of VMware Tools 9.0.5 build-1065307 for FreeBSD for this 
    running kernel completed successfully.
    
    You must restart your X session before any mouse or graphics changes take 
    effect.
    
    You can now run VMware Tools by invoking "/usr/local/bin/vmware-toolbox-cmd" 
    from the command line.
    
    Please remember to configure your network by adding:
    ifconfig_vxn0="dhcp"
    to the /etc/rc.conf file and start the network with:
    /etc/netstart
    to use the vmxnet interface using DHCP.
    
    Enjoy,
    
    --the VMware team

That’s it. You now have a working VMware Tools install using VMware’s own kit inside your VM. Ignore the installer’s closing advice about adding ifconfig_vxn0 to /etc/rc.conf: pfSense configures its interfaces from config.xml, not rc.conf, and your em0 interface is already set up. If you’re running ESXi, you’ll notice the VM now correctly reports its Tools version, status and IP address back to the console, which was missing before we started. Note that the modules and startup script live outside pfSense’s config.xml, so a configuration restore won’t bring them back, and you may need to repeat this after a firmware upgrade.

VMware ESXi pfSense tools installed

Good luck!

DomainSite: This is Not the Way to Manage Passwords


As part of my end-of-month processing, I update and rotate the passwords and login credentials for the hundreds of websites and logins I own and use on a regular basis.

I went to my domain registrar, DomainSite, and successfully changed my password to something nice and secure, and their system happily accepted it.

I logged out, and attempted to log in with that new password to verify that it was a successful change, and was denied. I tried again, denied again, and then I received this message from their system:

“For security reasons, if you enter an incorrect password for this account more than 10 times, you will be blocked from this website and will be required to pay a fee to regain access.”

DomainSite Password Reset Policy

Not only is this an unhelpful message, but it also puts the burden on the owner of the account to pay up if someone else decides to try to lock out their account.

In other words, I can attempt to log into DomainSite as another user more than 10 times, and now that user will have to pay DomainSite to restore their password.

Seriously, who thought this up? In my multi-decade experience of using the Web, I’ve never heard of a single case of someone attempting to charge the owner of a valid login credential, for an account that was locked out and had to be reset or restored.

DomainSite, tsk, tsk! You should know better!

If you’re going to permit someone to change their password legitimately, verify the new password at the time of the change, or at least describe the password policy so we can decide how complex to make our passwords before we lock ourselves out, because your system fails to clarify this on both sides.

Facebook Does It Again, Silently Sending GPS Coordinates with Every Message


Yes, they’ve done it again.

The most recent update of the Facebook mobile application (Android and iPhone) reverses and resets the default settings for “Location Services”, so that every single Facebook message you send also sends your exact GPS coordinates to the recipient (and to Facebook’s own messaging servers), even if you have GPS disabled on your phone. When GPS is disabled, it falls back to AGPS to determine your coordinates with incredible accuracy.

Yes, even if you had disabled it before, a recent update of the mobile app resets these preferences to expose your location when you use their Messenger app to send or receive messages.

This is so specific, it actually revealed that I was in my kitchen (in the rear of my house), and not just my approximate street address on my road. Zooming into the map they helpfully provide, shows where inside my house my phone is when I sent the test messages that revealed this issue.

To prevent your phone from exposing your location with every message, go into your Facebook mobile application settings, and disable “Messenger Location Services”, as below. When you disable it here, your messages will just show “Sent from Messenger” or “Sent from Web” inside the app, instead of showing a map and GPS coordinates.


Facebook Mobile Messaging Privacy

Facebook Mobile Messaging Privacy GPS Maps

They may still be sending GPS coordinates to their messaging servers with each message, just not exposing them to recipients once you disable this feature, but there’s no confirmed way to tell.

I don’t use the native Facebook mobile app to send or receive messages, opting instead to use Trillian Mobile for Android, which does not pass the GPS coordinates with each message. In addition, I can use all of my IM and chat services at once, in one interface, including Facebook, seamlessly. They have desktop apps and a web interface also, for those who wish to use those natively on any platform. Highly recommended.

Facebook, I’m not impressed with your complete lack of understanding of core security and privacy issues. This is 2013, and no application should be sending GPS coordinates to message or email recipients. Imagine what would happen if a random, unknown person were to message me, and I replied back to them. I’ve now exposed my personal location, which could include my home address, to a level of accuracy that includes where inside my home I am when I’ve responded.

In a word: Disgusting.

HOWTO: Block “SongPop” game updates and events on Facebook


I’m a big fan of keeping my Facebook feed, news and wall clean and filtered: no junk and no noise that I don’t need or want to read.

On Google Chrome, I use the “Social Fixer” extension to block ads, drop columns and remove other unnecessary items from the pages, but this doesn’t work on Firefox Nightly builds because of a JavaScript sandbox change that the Social Fixer author hasn’t been able to find and fix yet.

But “Social Fixer” can only block some of the noise that Facebook renders, not all of it. Firefox is my preferred browser, so I needed to find a better solution here. Even SongPop’s own Support Page misunderstands the needs of hundreds (nigh, thousands?) of Facebook users.

Most-recently, some of my friends have been playing a game called “Song Pop” on Facebook, and their status updates fill up my news feed on the right side. Last year it was Farmville, and this year it’s SongPop.

Here’s how to stop the noise from taking over your Facebook feed.

  1. First, search for “SongPop”, no spaces, in the Facebook search box at the top. Make sure you pick the Game page, not the App page. If you search for “Song Pop” with the space, you’ll get the wrong page.
    Search for SongPop on Facebook
  2. Now you should see the SongPop page, which looks like this:
    Facebook SongPop page
  3. Down on the lower-right side of that page, is a link labeled “Block”, and looks like this:
    Facebook block SongPop link
  4. Click that link, and you’ll get a popup to confirm your choice:
    Facebook block SongPop confirm
  5. Click “Confirm” on that link, and you’ll see the following success dialog:
    Facebook block SongPop successful
  6. Now to confirm this, go to your “Privacy Settings” in the upper-right corner, scroll down to “Blocked People and Apps” and click “Manage Blocking”. Scroll down again to the bottom and you’ll see:
    Facebook BlockApps SongPop

That’s it. Now if you go back and reload your Facebook Feed, you’ll see that the SongPop posts that were there moments ago, are now gone, stripped from your feed. If you want them back, just go back into the “Blocked People and Apps” and click the “Unblock” link shown in the image above.

Good luck!

Graphing an active SPAM attack in progress


I woke up this morning to very slow response time on my server, and decided to check the statistics. I graph these things in great detail so I can see precisely when something happened and begin narrowing down where I need to go to fix it or report it upstream.

In this case, my incoming connections went from under 500/second to well over 3,000/second. Ouch!

You can see the “wall” of traffic growing from our normal traffic rate to this enormously-increased rate:

Before the attack was stopped

Layered statistics before the attack

I checked all of the services, logs and protocols and didn’t see anything out of the ordinary. I started shutting down services one at a time and regenerated the graphs, to see if I could see any change.

One thing I noticed was that I had poppassd open on the public interface. Not a huge problem, but it was something that was unnecessary there. I locked that down with iptables:

# Drop poppassd (TCP/106) from anything other than loopback; $IPT is the path to iptables
$IPT -A INPUT ! -s 127.0.0.1 ! -d 127.0.0.1 -p tcp -m tcp --dport 106 -j DROP

But as I looked further, I noticed even more:

netstat -tulpn | grep LISTEN

This showed that I had Squid listening on the public interface as well (0.0.0.0:3128). I jumped to the Squid logs and was shocked to see that they were scrolling so fast that I couldn’t even read them. Uh oh!

Apparently some enterprising young spammer found my Squid instance and decided to try to hijack it for his own needs. It was already locked down internally in my squid.conf to restrict use to my own block of IPs, but he was hammering it from 8,466 separate IPs trying to use it to send spam on port 25.

# cat access.log* | cut -b20-300 | grep ':25' | perl -lne 'print $1 if /((?:\d+\.){3}\d+)/' | sort -u | wc -l
8464

Damn! There goes a few gigabytes of bandwidth that were eaten in the last 11 hours while I was sleeping.

I locked that down in a similar fashion:

# Same for the Squid proxy port (TCP/3128)
$IPT -A INPUT ! -s 127.0.0.1 ! -d 127.0.0.1 -p tcp -m tcp --dport 3128 -j DROP

A bit more poking around with nmap, netstat, Webmin, HotSanIC and other tools allowed me to lock down some other services that incorrectly bound to the public interface instead of the internal one.
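As an added example (not code from the original post), here is the log check above done properly against a Squid access.log in its native format, plus the firewall rules that close the hole: it lists the distinct clients that tried to CONNECT to port 25 through the proxy, separates the ones Squid actually let through from the ones it denied (only the former cost bandwidth and earn RBL listings), and prints rules that accept the proxy port on the internal interface only. The sample log lines are constructed, the script name and the eth1 interface name are assumptions, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not part of the original post. Usage:
#   ./squid-relay-check.sh /var/log/squid/access.log [internal-iface]
# With no arguments it runs against a constructed sample log.
set -eu

# Squid native access.log fields:
#   1 timestamp  2 elapsed-ms  3 client-ip  4 result/status  5 bytes
#   6 method     7 URL         8 ident      9 hierarchy/peer 10 content-type
# Distinct clients whose method was CONNECT to a URL ending in :25. Anchoring
# on ":25$" avoids matching :250 or :2525 the way a plain grep ':25' does.
relay_abusers() {
    awk '$6 == "CONNECT" && $7 ~ /:25$/ { print $3 }' "$1" | sort -u
}

# Same, restricted to requests Squid did not deny: these really reached
# port 25 on the far end, consumed bandwidth and got the proxy IP listed.
relayed_through() {
    awk '$6 == "CONNECT" && $7 ~ /:25$/ && $4 !~ /^TCP_DENIED/ { print $3 }' "$1" | sort -u
}

count() { wc -l | tr -d ' '; }

# The fix: accept the proxy port only on the internal interface and drop the
# rest. Printed so it can be reviewed; pipe the output to sh to apply it.
# Binding http_port to the internal address in squid.conf is the other half.
lockdown_rules() {
    # $1 = internal interface, $2 = proxy port
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j ACCEPT\n' "$1" "$2"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$2"
}

# Constructed sample log (not real data) covering each case: denied relay
# attempts, one relay that got through, normal browsing, and a :2525 decoy.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
1373800000.101    0 203.0.113.7 TCP_DENIED/403 3500 CONNECT mx1.example.net:25 - NONE/- text/html
1373800000.205    0 203.0.113.7 TCP_DENIED/403 3500 CONNECT mx2.example.net:25 - NONE/- text/html
1373800000.310    0 198.51.100.23 TCP_DENIED/403 3500 CONNECT mx1.example.net:25 - NONE/- text/html
1373800000.412  842 10.0.0.15 TCP_MISS/200 18220 GET http://www.example.com/ - DIRECT/192.0.2.80 text/html
1373800000.520  211 198.51.100.77 TCP_MISS/200 0 CONNECT mx1.example.net:25 - DIRECT/192.0.2.25 -
1373800000.633    0 198.51.100.23 TCP_DENIED/403 3500 CONNECT mx1.example.net:2525 - NONE/- text/html
EOF
    echo "$f"
}

if [ $# -ge 1 ]; then
    log=$1
else
    log=$(write_sample_log)
fi
echo "distinct clients attempting SMTP relay: $(relay_abusers "$log" | count)"
echo "of which actually relayed:              $(relayed_through "$log" | count)"
echo "clients that got through:"
relayed_through "$log"
echo "proposed rules:"
lockdown_rules "${2:-eth1}" 3128
```

On the sample, three distinct clients attempt relaying but only one succeeds; the :2525 line is correctly ignored. On a real log, the "actually relayed" list is the one to hand to your provider and to check against RBL evidence, while the denied list just shows who was knocking.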

The result is that we’re back to normal:

After the attack was stopped

One last piece needed my attention. Because this was an active spam attack, propagated using the IP of my server as a vector, I had to make sure to check my mail logs and delist myself from the various RBLs who had listed me as a spammer for sending out 43,745 separate spam attempts through my IP in a matter of hours.

SpamCop originally listed me, but I corrected that, and a few others. I also reported it to my provider so they can be sure to keep a closer eye on it.

Layered statistics after the attack

You can see the drop-off on the far right of the last two graphs above and in the traffic graph below.

Ethernet statistics after the attack

Problem solved.
