#!/bin/bash
shopt -s -o nounset
shopt -s extglob

declare APNIC="ftp://ftp.apnic.net/public/stats/apnic/delegated-apnic-latest"
declare AFRINIC="ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest"
declare LACNIC="ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest"
declare RIPENCC="ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest"
declare IP=unset
declare CACHE_MAX_AGE=30 #Number of days to rely on the cached list of networks
declare USE_CACHE=false  #Do not use cache by default

#Wipe out any existing iptables rules before proceeding
iptables -F

checkcache() {
if [ `find /tmp/ -maxdepth 1 -iname "cached_IP_addresses" -mtime +$CACHE_MAX_AGE` ]; then
        rm -f /tmp/cached_IP_addresses
elif [ -f /tmp/cached_IP_addresses ]; then
        USE_CACHE=true
fi
}

ipfeeder() {
if [ "$USE_CACHE" = "true" ]; then
        cat /tmp/cached_IP_addresses
else
        curl -s $APNIC $AFRINIC $LACNIC $RIPENCC |\
                awk -F'|' '{print $4}'|\
                fgrep ".0.0.0" |\
                sed -e 's:$:/8:g'
fi
}

checkcache

ipfeeder | tee /tmp/cached_IP_addresses | {
        while read IP; do
                #Drop inbound packets from $IP
                iptables -A INPUT -s $IP -j DROP 
                #Drop outbound packets to $IP
                iptables -A OUTPUT -d $IP -j DROP
        done
}       

#Rate limit some protocols

iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 1800 --hitcount 10 -j DROP

This is fairly self-explanatory. Basically, you’re telling iptables to drop any inbound and outbound packets to any of the networks listed in the ipfeeder() function, and just for good measure, we rate limit new incoming ssh connections to 10 every 30 minutes. (If you have port 22 opened to the outside world, have a look in /var/log/secure or /var/log/auth — there’s probably a shitload of break-in attempts that have been logged; grep for sshd and you’ll see what I mean.)

Remember, iptables rules don’t survive reboots! So make sure that this script runs on system startup (e.g., insert a call to the script in /etc/rc.local.)

For detailed lists of all networks in the apnic, afrinic, lacnic, and ripe-ncc registries, visit the following urls:

ftp://ftp.apnic.net/public/stats/apnic/delegated-apnic-latest
ftp://ftp.apnic.net/public/stats/afrinic/delegated-afrinic-latest
ftp://ftp.apnic.net/public/stats/lacnic/delegated-lacnic-latest
ftp://ftp.apnic.net/public/stats/ripe-ncc/delegated-ripencc-latest

At first glance, this seems as though the server ran out of TS CALS (Terminal Server Client Access Licenses). I was pretty sure that the server was configured to use the “Per User” licensing mode. However, a Windows Server 2003 Terminal Server operating in the “Per User” licensing mode can’t run out of licenses to the extent that it prevents the user from connecting (and instead, giving them the aforementioned error message). To the best of my knowledge, it can only do this when it is operating in “Per Device” mode. So this was the assumption that I ran with — that somehow, this server was never configured for “Per User” -or- it was, but the setting was either changed, reset, or corrupted somehow.

So, even though I wasn’t able to connect to TERMSVR01 via Remote Desktop, I was able to “Manage” it remotely by doing the following:

1. Open “Active Directory Users and Computers” on any Domain Controller
2. Expand the “Computers” node
3. Right-click TERMSVR01 and select ‘Manage’

Now we can do a few things (not many) on the server. One thing I wanted was to have a look at the Event Viewer. There were a few error messages like the following:

The more of these I saw, the more confident I was that my assumption was correct — the server was operating in “Per Device” mode and it had finally run out of licenses. I had the following options:

1. Wait for someone to go onsite and reconfigure the licensing mode (easy, but it would have to wait until tomorrow) or…
2. Attempt to reconfigure this setting and restart the service remotely (so that the setting takes takes effect) … all without having “Remote Desktop” access to the server.

Care to guess which option I chose?

Step #1: Override the licensing mode setting using group policy

1. Click ‘Start’
2. Click ‘Run’
3. Type the following command:
   gpedit.msc /gpcomputer:TERMSVR01
4. Click ‘OK’

Those four steps open the group policy (remotely) for TERMSVR01. Next we need to actually change the setting:

1. In the left-hand panel, expand “Administrative Templates”
2. Expand “Windows Components”
3. Click on “Terminal Services”
4. Locate the following setting in the right-hand panel:
   Set the Terminal Server licensing mode
5. Double-click the aforementioned setting
6. Change the option (directly below the heading) to “Enabled”
7. Select “Per User” from the drop-down box (below the heading: “Specify the licensing mode for the terminal server”.)
8. Click ‘OK’
9. Close the “Group Policy Object Editor” window

Great. The licensing mode has been changed but the setting won’t take effect until the service is restarted. We could open ’services.msc’ and connect to ‘TERMSVR01′ by using the ‘Connect to another computer …’ option in the ‘Action’ menu. This will allow us to administer almost all running services on TERMSVR01 … almost all. You’ll notice immediately that you cannot start/stop the ‘Terminal Services’ service from this management console, so we need to find another way to do it.

The easiest way I know to accomplish this task is to use the WMIC command from the command prompt.

Step #2: Restart a remote service using WMIC

1. Open a command prompt
2. Type the following command (then hit enter) to stop the service:
   wmic /node:TERMSVR01 service where “caption=’Terminal Services’” call StopService
3. Then, type the following command to start the service:
   wmic /node:TERMSVR01 service where “caption=’Terminal Services’” call StartService
4. Close the command prompt

If everything was successful (and my assumption about the nature of the problem was correct), then I should be able to connect to the server using the Remote Desktop client. I fired up the client and voilà! It worked perfectly.

Good news though, the upgrade process on Ubuntu is pretty easy:

If you haven’t already done so, enable the ‘backports‘ repo by editing your /etc/apt/sources.list file and uncommenting (or, inserting) the following two lines:

deb http://us.archive.ubuntu.com/ubuntu/ intrepid-backports main restricted universe multiverse
deb-src http://us.archive.ubuntu.com/ubuntu/ intrepid-backports main restricted universe multiverse

Then, resynchronize the package index files with the following command:

sudo apt-get update

Next, upgrade ClamAV:

sudo apt-get install clamav-daemon

This command will [sometimes] install apparmor as well; I don’t use apparmor so I uninstall it afterwards:

/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils

That’s all there is to it!

root@localhost:~# clamd -V
ClamAV 0.95.2/9874/Thu Oct  8 06:24:12 2009

However, this can have unintended consequences for users who require the use of websites that employ ActiveX, javascript, etc. because, by default, ESC does not allow those items to run. Sometimes, this means that the site in question will only be partially non-functioning. Other times, the entire site will be completely unusable. Furthermore, most users on terminal services have only a limited ability to actually modify the settings for an entire zone. Normally the best thing they can do is add the site to their trusted sites zone, if in fact the site is legitimate (i.e., “trusted”).

Originally, I explained to the users the steps involved in adding a site to their trusted sites, however many of the users used many of the same websites that other users were using. Also, new users needed to be trained on how to do this as well. Needless to say, it got very repetitive, very fast; so I came up with a “global” list of sites that can be trusted, and imported them to the registry on each terminal server. The list consisted of about 40+ sites, and I was able to generate the list mostly by exporting the following registry key:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

…from a few user accounts who had already added most of the sites to their trusted sites zone. After grepping out the duplicates (among other things), I had my list.

Now, I’m going to cover two ways of making this list of domains “globally trusted”—both of them involve writing to the following registry key:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains

Pay attention! This is not the same key as previously mentioned. This key resides in the ‘HKEY_LOCAL_MACHINE’ hive, whereas the previous key resides in the ‘HKEY_CURRENT_USER’ hive.

The first way is via the following visual basic script:

Option Explicit

Dim DomainArray(5), strComputer, strHTTP, strHTTPS
Dim dwordZone, regPath, objReg, counter, subkeyPath
Dim subkeyValue
Const HKEY_LOCAL_MACHINE = &H80000002

DomainArray(0) = "testdomain0.com"
DomainArray(1) = "testdomain1.com"
DomainArray(2) = "testdomain2.com"
DomainArray(3) = "testdomain3.com"
DomainArray(4) = "testdomain4.com"

strComputer = "."
strHTTP = "http"
strHTTPS = "https"
dwordZone = "2"
regPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings" &_
        "\ZoneMap\EscDomains\"
Set objReg = GetObject("winmgmts:{impersonationLevel = impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")

For counter = 0 to 4
        subkeyPath = regPath & DomainArray(counter)
        objReg.CreateKey HKEY_LOCAL_MACHINE,subkeyPath
        objReg.SetDWORDValue HKEY_LOCAL_MACHINE,subkeyPath,strHTTP,dwordZone
        objReg.SetDWORDValue HKEY_LOCAL_MACHINE,subkeyPath,strHTTPS,dwordZone
Next

This script will insert ‘testdomain0.com’, ‘testdomain1.com’, [...] into IE’s trusted sites zone when run on any machine. It must be run by an Administrator (or another user who has access to write to the HKEY_LOCAL_MACHINE registry hive), and the changes are global (to the machine).

The next way involves creating a “registry entries” (.reg) file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\testdomain0.com]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\testdomain1.com]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\testdomain2.com]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\testdomain3.com]
"http"=dword:00000002
"https"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\testdomain4.com]
"http"=dword:00000002
"https"=dword:00000002

Just like the previous script, this must also be run by a user with Administrator privileges and any changes will be global to all users on the machine.

(Of course, you would want to customize these snippets of code to suit your needs.)

For more information, please visit the following sites:

Internet Explorer Enhanced Security Configuration changes the browsing experience
Enhanced Security Configuration for Internet Explorer
Internet Explorer security zones registry entries for advanced users

http://www.dailykostv.com/w/002008/

Just a point of order before I get too far into this; throughout this post, I’ll use the terms “warning banner”, “warning message”, “logon banner”, “network banner” and “privacy statement” interchangeably… they all refer to just about the same thing and serve the same purpose.

Now if you are to take Beck at his word, this is scary shit right? Wrong. First of all, don’t take beck at his word [ever], he’ll give you brain herpes. Here’s the deal, that disclaimer that he’s taking such a big issue with? Yeah, it’s a pretty standard warning message actually. Take the U.S. Army’s website for example (warning, you’ll have to confirm a security certificate exception); one of the “scary issues” that Beck has with the warning on the cars.gov website is that it’s too broad (never mind the fact that it has to be… we’ll get to that in a second). If you read the security warning on the Army’s site, it too is broad and so is their terms of service. Moreover, all this bullshit about “America, do not try this at home.” is just silly fucking nonsense, meant only to scare people who do not know any better. This security message that Beck is all up in arms about is what is known as a “warning banner”. Warning banners are common on just about all corporate and government computers that are accessible from the Internet (…and have been common for a looooong time). Even some private computers, such as someone who runs a web, e-mail, ftp, etc. server from their home for personal use will have warning banners. In addition to those, it’s also common to see similar, broadly worded messages at the bottom of some e-mails (pursuant to the “e-mail” policy of some organizations). Their purpose is to cast a wide legal net so that in the event that someone abuses the system in question, legal action can be taken. The basic purpose of any warning banner should be to make the following point: If you attempt to circumvent the security measures employed by this system, succeed in doing so, and/or abuse this system in any way, legal action will be taken against you. Not to belabor the point, but here’s what the DOJ has to say about warning banners:

Network banners are electronic messages that provide notice of legal rights to users of computer networks. From a legal standpoint, banners have four primary functions. First, banners may be used to generate consent to real-time monitoring under Title III. Second, banners may be used to generate consent to the retrieval of stored files and records pursuant to ECPA. Third, in the case of government networks, banners may eliminate any Fourth Amendment “reasonable expectation of privacy” that government employees or other users might otherwise retain in their use of the government’s network under O’Connor v. Ortega, 480 U.S. 709 (1987). Fourth, in the case of a non-government network, banners may establish a system administrator’s “common authority” to consent to a law enforcement search pursuant to United States v. Matlock, 415 U.S. 164 (1974).

If my name were Glenn Beck, I’d be throwing a tantrum upon reading eliminate any Fourth Amendment “reasonable expectation of privacy” … and I wouldn’t read the rest before running to the camera with a story about how the Communist-terrorist Obama administration wants to eliminate our Fourth Amendment rights (never mind the fact that the referenced DOJ website was in existence well before Obama took office)… but I digress.

Warning banners, such as the one Beck is holding up as an example of “scary shit that the Obama administration is doing” shouldn’t frighten anyone except for those who plan on doing exactly what the warning message tells them not to do. Warning banners are passive security measures; they need to be broad in order to apply to any/all possible cases of abuse. They don’t actually make the computer/network/website/etc. more secure (with the exception of causing would-be “crackers” to think twice before trying anything). Their real power comes from the fact that they can be used in court to show that the defendant had been warned in advance and knew full and well they were doing something that they shouldn’t have been doing.

In regard to this particular warning banner, I went to the cars.gov website to see what I could find out about it… it turns out, that the only way you’ll ever see the message that Beck is ranting about is if you are a car dealer participating in the CARS program. Given the potential for fraud on behalf of unscrupulous car dealers, I’d say that the strong wording of the warning banner/privacy message (whichever you choose to call it) is entirely appropriate. Meanwhile, ordinary citizens looking for information about the CARS program only consent to have their IP address tracked (which is something that all webservers do by default anyway).

This is just another example of fearmongering on behalf of a fanatic who cannot reconcile his world-view with reality.

### Update! Here’s some more information about this from Daily Kos, enjoy.