Announcement

**tek_heretik** · Oct 25, 2013, 04:58 AM

This is just a wild guess Mr. McGraw but I think maybe the dots, periods, whatever you want to call them may have something to do with it, can't you give it a 'local' label? Are you confusing local network naming with host naming? Just another wild guess, we are talking about a router here.

**Feathers McGraw** · Oct 25, 2013, 05:14 AM

Yeah, the plan is to change the hostname to "samhobbs", just worried it will mess up Apache and my Mail server... not sure whether the host name is important for deciding whether to accept incoming and outgoing emails to foo@hostname or if it's completely unrelated.

The value of /etc/hostname is definitely what shows up on my router's admin page, don't think I've set the values anywhere else.

Feathers

**oshunluvr** · Oct 25, 2013, 07:44 AM

hostname = name of the host, i.e. the name of the computer you're on.
FQDN a.k.a. "Fully Qualified Domain Name" = host + DNS domain
hosts = ip mapping of all known hosts and their ip's, host alias names, re-directs, etc.

hostname should give these sort of outputs:

stuart@office:~$ hostname -a
office
stuart@office:~$ hostname -A
office.local
stuart@office:~$ hostname -I
192.168.1.199

IMO, a change would only mess up things where you have them define statically, like within a hosts file. Here, I have sever computers with static IP's and several without. As long as hostname is defined, I can find the machines using their hostnames. A post scan should reveal IP's and hostnames, if defined.

sudo nmap -sP 192.168.1.*

a portion of the outut:

Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-25 06:37 PDT
Nmap scan report for fios_router.home (192.168.1.1)
Host is up (0.0011s latency).
MAC Address: (Actiontec Electronics)
Nmap scan report for 192.168.1.2
Host is up (0.00050s latency).
MAC Address: (Unknown)
Nmap scan report for NP-K0A0DR008303.home (192.168.1.6)
Host is up (0.00062s latency).
MAC Address: (Roku)
Nmap scan report for new-host-2.home (192.168.1.7)
Host is up (0.00049s latency).
MAC Address: (Ooma)
Nmap scan report for android-6c57ff8c44491305.home (192.168.1.8)
Host is up (0.041s latency).
MAC Address: (Unknown)
Nmap scan report for android-bdc7a09b7472c051.home (192.168.1.14)
Host is up (0.23s latency).
MAC Address: (Wistron)
Nmap scan report for android-521ddae72453b19d.home (192.168.1.15)
Host is up (0.25s latency).
MAC Address: (HTC)
Nmap scan report for vostro.home (192.168.1.16)
Host is up (0.23s latency).
MAC Address: (Intel Corporate)
Nmap scan report for HDHR-103CCBC4.home (192.168.1.17)
Host is up (0.00032s latency).
MAC Address: (Silicondust Engineering)
Nmap scan report for HDHR-103B852B.home (192.168.1.20)
Host is up (0.00041s latency).
MAC Address: (Silicondust Engineering)
Nmap scan report for 192.168.1.199
Host is up.
Nmap scan report for server (192.168.1.250)
Host is up (0.00010s latency).
MAC Address: (Micro-star Int'l CO.)
Nmap done: 256 IP addresses (12 hosts up) scanned in 9.63 seconds

The bold highlights show the hostnames of two computers, one is static IP (server) the other is not because it's a laptop (vostro).

**Feathers McGraw** · Oct 25, 2013, 10:30 AM

Thanks, I think I get it now.

I changed the hostname in /etc/hostname on the Pi, it didn't cause any problems with apache or my mail server.

Regarding the /etc/hosts thing, OpenWrt has a GUI option to add hosts to its system with corresponding IP addresses. I wasn't using this before but have had a play around with it, I think it is changing /etc/hosts. I've added "owncloud" and its local IP, and now any machine on the LAN that asks to ssh user@owncloud gets pointed in the right direction, which is cool. Easier than configuring the /etc/hosts file of each client machine.

Feathers

**SteveRiley** · Oct 26, 2013, 01:08 AM

Messing around with /etc/hosts on every machine in your network can become a chore. You've conquered email, now you should learn how to set up a DNS server!

**Feathers McGraw** · Oct 26, 2013, 02:34 AM

Is that not what OpenWrt is doing?

Feathers

**SteveRiley** · Oct 26, 2013, 04:31 PM

Originally posted by Feathers McGraw View Post

Is that not what OpenWrt is doing?

I took a closer look at what you wrote earlier:

Originally posted by Feathers McGraw View Post

OpenWrt has a GUI option to add hosts to its system with corresponding IP addresses. I wasn't using this before but have had a play around with it, I think it is changing /etc/hosts. I've added "owncloud" and its local IP, and now any machine on the LAN that asks to ssh user@owncloud gets pointed in the right direction, which is cool.

I missed the part where you wrote "...any machine on the LAN..." Because, in fact, you are achieving LAN-wide resolution, I suspect that OpenWrt is, in fact, running an internal DNS server. I don't have OpenWrt myself, so I can't verify what's going on. Obviously, editing the GUI stores those entries someplace. DNS servers do not use /etc/hosts to store entries; instead, they create zone files.

Can you SSH into your router? If so, what's inside /etc/hosts? Another experiment: run nmap against your router. What do you see?

**Feathers McGraw** · Oct 27, 2013, 04:39 AM

Yep I can SSH to the router (part of the reason I switched to OpenWrt from DD-WRT is that SSH was broken on the build of DD-WRT I was using).

I think you're right, /etc/hosts contains only the standard "127.0.0.1 localhost".

This is the first time I've used nmap, did you have a particular option in mind?

Code:

feathers-mcgraw@62-West-Wallaby-Street:~$ nmap 192.168.1.1

Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-27 10:12 GMT
Nmap scan report for OpenWrt.lan (192.168.1.1)
Host is up (0.0043s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
9100/tcp open  jetdirect

Nmap done: 1 IP address (1 host up) scanned in 38.70 seconds

Code:

feathers-mcgraw@62-West-Wallaby-Street:~$ nmap samhobbs.co.uk

Starting Nmap 6.00 ( http://nmap.org ) at 2013-10-27 10:26 GMT
Nmap scan report for samhobbs.co.uk (195.166.151.235)
Host is up (0.83s latency).
rDNS record for 195.166.151.235: samhobbs.plus.com
Not shown: 989 closed ports
PORT     STATE SERVICE
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
2222/tcp open  EtherNet/IP-1
5222/tcp open  xmpp-client
9100/tcp open  jetdirect

Nmap done: 1 IP address (1 host up) scanned in 38.53 seconds

I'm surprised that you can see my printer from a WAN scan. I hope it isn't possible to print to it from WAN, I thought I set it up to be LAN only.

Feathers

**SteveRiley** · Oct 27, 2013, 04:14 PM

Here's what I see:

Code:

steve@t520:~$ [B]nmap samhobbs.co.uk[/B]

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-27 15:01 PDT
Nmap scan report for samhobbs.co.uk (195.166.151.235)
Host is up (0.18s latency).
rDNS record for 195.166.151.235: samhobbs.plus.com
Not shown: 988 closed ports
PORT     STATE    SERVICE
25/tcp   filtered smtp
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
2222/tcp open     EtherNet/IP-1
5222/tcp open     xmpp-client

Nmap done: 1 IP address (1 host up) scanned in 44.76 seconds

My results show you what a "true" outsider sees -- and, you'll note, that I have no access to your printer. (If I did, I would have sent you a nice letter! LOL.)

When you're sitting behind your router and try to make connections to your network via the external address of your router, you're creating a path called a "hairpin." There is no standard procedure for how routers handle hairpins. Some will ignore that the source is internal and present a true view of the outside. Others will acknowledge that the source is internal and present a view that would reflect some kind of mix of internal and external destinations.

Note that your router is listening for incoming connections on 53/tcp. This indicates the presence of a DNS server. Normally, DNS answers questions on port 53/udp. However, whenever an answer is longer than 512 bytes, the server will instruct the client to resend the question to 53/tcp, and the client will receive the full answer over TCP rather than UDP.

Next: let's find out what kind of DNS daemon is running on the router. Please SSH into the box and run:

Code:

uname -a

ps -ef

**Feathers McGraw** · Oct 27, 2013, 05:22 PM

Originally posted by SteveRiley View Post

My results show you what a "true" outsider sees -- and, you'll note, that I have no access to your printer. (If I did, I would have sent you a nice letter! LOL.)

That would have scared the s#*t out of me, the printer is on a shelf above my head, very glad you didn't (couldn't!) send start printing random things - it's not Halloween yet!

I remember reading that that's just one type of DDoS attack people use to cost corps money - send loads of faxes that are just blocks of ink to waste money...lol. Clever, but such a dick move.

So just for the record, what would I do if I wanted to get an outsider view of my own network? Is it possible, without either using a different network or using SSH to connect to an external server and run nmap from there?

How do you know the router is listening on 53/tcp, it wasn't on the list? Is that just so standard that it isn't included in the output?

I've looked up the port numbers on the Wikipedia list of TCP and UDP port numbers, and still don't understand some of them. The ones I do get are 25, 80, 143, 443, 465, 587, 993, 2222, and 5222, because I opened them on purpose.

Regarding port 139, the Wiki page for Netbios says this:

NetBIOS /ˈnɛtbaɪ.oʊs/ is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model allowing applications on separate computers to communicate over a local area network. As strictly an API, NetBIOS is not a networking protocol. Older operating systems[clarification needed] ran NetBIOS over IEEE 802.2 and IPX/SPX using the NetBIOS Frames (NBF) and NetBIOS over IPX/SPX (NBX) protocols, respectively. In modern networks, NetBIOS normally runs over TCP/IP via the NetBIOS over TCP/IP (NBT) protocol. This results in each computer in the network having both an IP address and a NetBIOS name corresponding to a (possibly different) host name.

So, why does it show up on a WAN scan?

135 is puzzling me. I'm assuming that the OpenWrt devs put them in just for Windows users, or does it have a function even if your aren't connecting lots of Windows machines?

Anddd, I just don't understand 445 at all:

Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. It is included in most Windows Server operating systems.
An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.[1]
Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

Why on earth would you leave password authentication to the router, and not implement it on the Windows device itself? If this is just a tool for sys admins and not something that your average home windows user would need, then why is it already running on my router?

Code:

feathers-mcgraw@62-West-Wallaby-Street:~$ ssh root@192.168.1.1
root@192.168.1.1's password: 


BusyBox v1.19.4 (2013-03-14 11:28:31 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 ATTITUDE ADJUSTMENT (12.09, r36088)
 -----------------------------------------------------
  * 1/4 oz Vodka      Pour all ingredients into mixing
  * 1/4 oz Gin        tin with ice, strain into glass.
  * 1/4 oz Amaretto
  * 1/4 oz Triple sec
  * 1/4 oz Peach schnapps
  * 1/4 oz Sour mix
  * 1 splash Cranberry juice
 -----------------------------------------------------
root@OpenWrt:~# uname -a
Linux OpenWrt 3.3.8 #1 Sat Mar 23 16:49:30 UTC 2013 mips GNU/Linux
root@OpenWrt:~# ps -ef
ps: invalid option -- e
BusyBox v1.19.4 (2013-03-14 11:28:31 UTC) multi-call binary.

Usage: ps 

Show list of processes

        w       Wide output

That greeting cracks me up every time. I've yet to try it but I'm sure it's tasty. Doesn't look like ps went to plan, I tried "ps -Af" too but got the same result.

Feathers

**SteveRiley** · Oct 30, 2013, 02:10 AM

Originally posted by Feathers McGraw View Post

So just for the record, what would I do if I wanted to get an outsider view of my own network?

Ask me. You can also ask me if you want an insider's view, too. hehehehe.

Originally posted by Feathers McGraw View Post

Is it possible, without either using a different network or using SSH to connect to an external server and run nmap from there?

You need to be able to issue commands from a machine on the outside of your router. So, to directly answer your question, no. There are some sites on the Internet that will perform scans for you; consult Google. It's likely you'll run across Shields Up! from Gibson Research; that guy is a moron. You can safely ignore most of the scareifying junk he writes.

Originally posted by Feathers McGraw View Post

How do you know the router is listening on 53/tcp, it wasn't on the list? Is that just so standard that it isn't included in the output?

The output of your nmap runs tells me this. You'll note that it's missing from my nmap run; this is fine. Your router is advertising DNS only to your local subnet, not to the rest of the world.

Originally posted by Feathers McGraw View Post

Regarding port 139...why does it show up on a WAN scan? 135 is puzzling me...does it have a function even if your aren't connecting lots of Windows machines? And, I just don't understand 445 at all...Why on earth would you leave password authentication to the router, and not implement it on the Windows device itself?

I see a little nmap tutorial is in order. nmap sends a TCP SYN probe to each port in the range 1..1000 by default. The scanner will report one of three results after a probe:

open: the host responded to a probe with a TCP ACK; a service is listening for and accepting incoming connections
closed: the host responded to a probe with a RST; no service is listening on the specified port
filtered: the host did not respond to a probe

You have nothing to worry about here. My suspicion is that your router has built-in filters for these ports and is dropping inbound SYNs from the outside. This was a reasonable security measure to take several years ago, when Windows computers were routinely connected to the Internet without firewalls. It really isn't necessary anymore, since the firewall present since Windows XP service pack 2 (and in all versions of Windows after that) automatically drops unsolicited inbound connections to any port.

The descriptions you quoted are written for people who already understand Windows networking, alas. Since you seem curious, I'll offer the following explanations:

135/tcp,udp: RPC endpoint mapper. Remote Procedure Call (RPC) is an application-level mechanism for clients and servers to communicate. RPC-based services run on ephemeral ports, and the portmapper helps clients find specific services. RPC is commonly used in many Microsoft products. For example, when Outlook talks to Exchange, it connects to 135/tcp on the server and says, "Hey, server, what's the port number and UUID for the Exchange mailbox service?" Outlook then makes a new connection to the server on the port number it received in response to that question. RPC is a very common communications method used by lots of operating systems.
137,138,139/tcp,udp: NetBIOS name service, datagram service, session service. NetBIOS is a session API that defines how computers in a LAN communicate. NetBIOS performs host discovery (name service), application state establishment (session service), and information exchange (datagram service), but actually has to rely on something else for the transport. In the early days these were NBF (frames) and NBX (IPX/SPX); on modern LANs it's NBT (TCP/IP). It is correct that NetBIOS is only for LANs. Blocking it from the WAN is a must if you have Windows machines older than XP SP 2.
445/tcp: Microsoft directory services and SMB. In a Windows network, file/printer sharing relies on an application protocol known as Server Message Block (SMB). Pre-Windows 2000, NetBIOS over NBF and NBX were the only mechanisms that Windows computers could use to talk with each other. SMB was implemented on top of NetBIOS. Starting with Windows 2000, Microsoft began moving to native TCP/IP (which is a requirement for Active Directory). Microsoft created another implementation of SMB that works directly on TCP/IP without needing NetBIOS. That service uses port 445/tcp. The same service is also used for NTLM/NTLMv2 (but not Kerberos) authentication. Similar to the NetBIOS stuff, 445/tcp should be blocked from the WAN if you have Windows machines older than XP SP 2.

Originally posted by Feathers McGraw View Post

why is it already running on my router?

To repeat (just to be sure): none of these filtered services are running on your router. I suspect your router has built-in rules that simply drop incoming connections to these ports. Silence is always better than replying with a RST, really.

Originally posted by Feathers McGraw View Post

Code:

root@OpenWrt:~# ps -ef
ps: invalid option -- e

Looks like your only options are ps and ps w, then. Note: no hypen before the w.

Originally posted by Feathers McGraw View Post

That greeting cracks me up every time. I've yet to try it but I'm sure it's tasty.

Yeah, I'm thirsty!

**Feathers McGraw** · Oct 30, 2013, 04:44 AM

Thank you for taking the time to give me such a complete reply, I feel like I have a much better understanding now.

Here's the output from those commands:

Code:

root@OpenWrt:~# ps
  PID USER       VSZ STAT COMMAND
    1 root      1504 S    init
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    5 root         0 SW   [kworker/u:0]
    6 root         0 SW<  [khelper]
   65 root         0 SW   [sync_supers]
   67 root         0 SW   [bdi-default]
   69 root         0 SW<  [kblockd]
  100 root         0 SW   [kswapd0]
  148 root         0 SW   [fsnotify_mark]
  178 root         0 SW<  [ath79-spi]
  189 root         0 SW   [mtdblock0]                                                         
  194 root         0 SW   [mtdblock1]                                                         
  199 root         0 SW   [mtdblock2]                                                         
  204 root         0 SW   [mtdblock3]                                                         
  209 root         0 SW   [mtdblock4]
  214 root         0 SW   [mtdblock5]
  282 root         0 SW   [kworker/0:1]
  453 root         0 SW   [kworker/0:2]
  509 root         0 SW   [khubd]
  520 root         0 SW   [scsi_eh_0]
  521 root         0 SW   [usb-storage]
  522 root         0 SW   [kworker/u:2]
  544 root         0 SW   [jbd2/sda1-8]
  545 root         0 SW<  [ext4-dio-unwrit]
  566 root      1504 S    init
  601 root         0 SW<  [cfg80211]
  691 root      1508 S    /sbin/syslogd -l 8 -C16
  693 root      1492 S    /sbin/klogd
  695 root       876 S    /sbin/hotplug2 --override --persistent --set-rules-file /etc/hotpl
  701 root       872 S    /sbin/ubusd
  705 root      1528 S    /sbin/netifd
 1251 root      1500 S    /sbin/watchdog -t 5 /dev/watchdog
 1390 root      1436 S    hostapd -P /var/run/wifi-phy0.pid -B /var/run/hostapd-phy0.conf
 1539 root      1432 S    hostapd -P /var/run/wifi-phy1.pid -B /var/run/hostapd-phy1.conf
 1927 root      1152 S    /usr/sbin/dropbear -P /var/run/dropbear.1.pid -p 192.168.1.1:22
 1931 root       780 S    {p910nd} /usr/sbin/p9100d -b -f /dev/usb/lp0 0
 1951 root      1148 S    /usr/sbin/uhttpd -f -h /www -r OpenWrt -x /cgi-bin -t 60 -T 30 -A
 2013 nobody    3180 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf
 2026 root      1504 S    /usr/sbin/ntpd -n -p 0.openwrt.pool.ntp.org -p 1.openwrt.pool.ntp.
 2311 root      1620 S    /usr/sbin/pppd nodetach ipparam wan ifname pppoe-wan nodefaultrout
 6702 root         0 SW   [kworker/0:3]
 6733 root         0 SW   [kworker/0:0]
 6734 root      1220 R    /usr/sbin/dropbear -P /var/run/dropbear.1.pid -p 192.168.1.1:22
 6735 root      1504 S    -ash
 6740 root      1496 R    ps

Code:

root@OpenWrt:~# ps w
  PID USER       VSZ STAT COMMAND
    1 root      1504 S    init
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    5 root         0 SW   [kworker/u:0]
    6 root         0 SW<  [khelper]
   65 root         0 SW   [sync_supers]
   67 root         0 SW   [bdi-default]
   69 root         0 SW<  [kblockd]
  100 root         0 SW   [kswapd0]
  148 root         0 SW   [fsnotify_mark]
  178 root         0 SW<  [ath79-spi]
  189 root         0 SW   [mtdblock0]
  194 root         0 SW   [mtdblock1]
  199 root         0 SW   [mtdblock2]
  204 root         0 SW   [mtdblock3]
  209 root         0 SW   [mtdblock4]
  214 root         0 SW   [mtdblock5]
  282 root         0 SW   [kworker/0:1]
  453 root         0 SW   [kworker/0:2]
  509 root         0 SW   [khubd]
  520 root         0 SW   [scsi_eh_0]
  521 root         0 SW   [usb-storage]
  522 root         0 SW   [kworker/u:2]
  544 root         0 SW   [jbd2/sda1-8]
  545 root         0 SW<  [ext4-dio-unwrit]
  566 root      1504 S    init
  601 root         0 SW<  [cfg80211]
  691 root      1508 S    /sbin/syslogd -l 8 -C16
  693 root      1492 S    /sbin/klogd
  695 root       876 S    /sbin/hotplug2 --override --persistent --set-rules-file /etc/hotplug2.rules --set-coldplug-cmd /sbin/udev
  701 root       872 S    /sbin/ubusd
  705 root      1528 S    /sbin/netifd
 1251 root      1500 S    /sbin/watchdog -t 5 /dev/watchdog
 1390 root      1436 S    hostapd -P /var/run/wifi-phy0.pid -B /var/run/hostapd-phy0.conf
 1539 root      1432 S    hostapd -P /var/run/wifi-phy1.pid -B /var/run/hostapd-phy1.conf
 1927 root      1152 S    /usr/sbin/dropbear -P /var/run/dropbear.1.pid -p 192.168.1.1:22
 1931 root       780 S    {p910nd} /usr/sbin/p9100d -b -f /dev/usb/lp0 0
 1951 root      1148 S    /usr/sbin/uhttpd -f -h /www -r OpenWrt -x /cgi-bin -t 60 -T 30 -A 1 -n 3 -R -p 0.0.0.0:80
 2013 nobody    3180 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf
 2026 root      1504 S    /usr/sbin/ntpd -n -p 0.openwrt.pool.ntp.org -p 1.openwrt.pool.ntp.org -p 2.openwrt.pool.ntp.org -p 3.open
 2311 root      1620 S    /usr/sbin/pppd nodetach ipparam wan ifname pppoe-wan nodefaultroute usepeerdns persist maxfail 1 user sam
 6702 root         0 SW   [kworker/0:3]
 6733 root         0 SW   [kworker/0:0]
 6734 root      1220 S    /usr/sbin/dropbear -P /var/run/dropbear.1.pid -p 192.168.1.1:22
 6735 root      1504 S    -ash
 6745 root      1496 R    ps w

On a slightly off-topic note, I eventually got that /etc/hosts file script to run on the router. Had to reboot before it took effect, and changed the hosts file on my laptop back to default so that I could test it. As far as I can tell it works exactly the same as it would on the laptop, but also affects all the other devices in the home (tablets etc, nice to offload some of the work from them).

Feathers

**SteveRiley** · Oct 30, 2013, 12:52 PM

Originally posted by Feathers McGraw View Post

Code:

 2013 nobody    3180 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf

Yep, that there's a DNS server.

Originally posted by Feathers McGraw View Post

As far as I can tell it works exactly the same as it would on the laptop, but also affects all the other devices in the home (tablets etc, nice to offload some of the work from them).

Exactly as I suspected.

Announcement

Hostnames

Hostnames

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment