Clear ARP / Neighbour cache on Linux

Posted on .

I am trying to diagnose why out-of-scope ARP requests are being sent (ARP requests for addresses that should be on the default gateway). I thought I had figured it out, but my ARP table was still full of 100’s of incomplete entries. “arp -d” just marks an entry as incomplete, so does “ip neigh del“. I wanted to flush the entire cache.

What finally worked was to flip ARP on/off.

Hide Dropbox File Explorer Icon


I use dropbox but it isn’t my main sync app. Dropbox doesn’t give you the option to remove the icon from File Explorer, and if you manually remove the registry entries that are related to it, they are recreated at each automated update of Dropbox.

Another way of removing the icon is to add an entry to Windows “NoEnum” registry key. This tells Windows to not process matching keys, so Dropbox just gets ignored.

Add the following registry entries:

Download reg file
  dropbox-removal.reg (476 bytes, 2,170 hits)

Self-Hosted Dynamic DNS with BIND9 & PHP

Posted on .

There are several free Dynamic DNS services available, but the ones I have used require the user to respond to an email every 30-days to confirm the account is still in use. DynDns no longer offer free accounts, and some recent news that no-ip.com domains have been ceased by US courts and handed over to Microsoft means I felt relieved I was now running my own system for some time now. And so could you.

This system uses BIND9 to host the DNS and PHP to handle the update requests. Setting up BIND and Apache/Nginx/PHP is outside the scope of this guide.

A user updates their IP by visiting a unique link. In the guide you will find methods of automating dns updates with Linux, OSX and Windows.

I suggest hosting the script on HTTPS or a non-standard port as some Internet Providers (I know Virgin does) use transparent cache proxies for web traffic meaning the web server doesn’t see the correct IP.

In my examples I am creating a domain named dyndns.example.com and have a webserver at web1.example.com, and a nameserver at ns1.example.com. Guide is based on Debian Wheezy, but should be distribution independent.

Creating DNSSEC keys
First you will need to create a set of DNSSEC keys for the 2 systems to authenticate with.

Note: Using “-r /dev/urandom” tells the command to use the less secure non-blocking random generator. Without it, you may find the command blocks until enough random entropy has been gathered to generate the keys.

You will then have 2 new files, in my case Kweb1.example.com.+165+60641.key and Kweb1.example.com.+165+60641.private

In the .private file there is a field “key”:

Kweb1.example.com.+165+60641.private

Adding BIND config
You then need to add this key to BIND and create the zone config. I personally create a new file /etc/bind/named.conf.dyndns and add an extra include directive in /etc/bind/named.conf

Add to /etc/bind/named.conf

Create /etc/bind/named.conf.dyndns

Note: I point zonefiles to /etc/bind/db/, either edit the location or create the directory (remember to give bind write permissions to this directory)
Example zone file
You will need to start your zonefile with the basics.

Create /etc/bind/db/dyndns.example.com

Setting up the web server
This code relies on the program nsupdate. On Debian this is available in the dnsutils package. On Redhat based systems it is in the bind-utils package.

The PHP code has settings and user authentication in the first 2 arrays, $settings and $acl.

The array $acl is made up of 2 fields. These are used as the ID and KEY for authentication. The ID is the subdomain to be updated (ie. customer1.dyndns.example.com).

In order to authenticate and update the IP, a user only needs to visit the page with the correct details. (ie. https://web1.example.com/update.php?id=customer1&key=YRnog2nMaXyzumya2VQX)

The script needs access to the key files generated earlier. I placed them in a new directory include/.

The ttl setting determines how long the internet should cache each DNS entry. A lower TTL would make changes propagate quicker, but would increase the number of requests for busy entries.

The script will attempt to create a log/ directory. If your webserver doesn’t have permission to do this, you would need to do it manually and give the webserver write permission.

You should deny public access to the include and log directories. If using Apache, you can add a .htaccess file to each directory to deny access.
.htaccess

The script logs failed requests and successful updates to log/access_YEARMONTH.log

Automatic Updates on Linux/OSX
Because this system just visits a URL to update the IP, there is no need for special software. All you need to do is visit the link.

You can make this automatic by adding an entry to your systems crontab that will visit the link for you on a regular basis.
crontab

Note: It is important to include the link in quotes as the & symbol has a special meaning on some shells.

Automatic Updates on Windows
For Windows I have written a small VBScript program that can be ran by a scheduled task. The script has been tested on XP/Vista/7/8.

  dynamic-dns.vbs (478 bytes, 3,150 hits)

The PHP code

  update.php (3.8 KiB, 8,576 hits)

Using VBScript to Create Dated Backups with 7-Zip

Posted on .

I needed a simple method to backup a small folder using 7-Zip on a regular basis without installing extra software. I wanted to be able to leave it running daily and have it remove old backups.

I chose VBScript to complete this task, re-learning a few things from the last time I used the language.

The script shall backup C:\Customer to S:\Backup\backup_DATE.7z. It will also delete old backups, only keeping the first 5. The directories and number of kept backups are variables, check the code comments.

Download
  backup-folder.vbs (3.4 KiB, 3,168 hits)

Adding extra fields to Fail2Ban mails

Posted on .

I needed fail2ban to give the full hostname in an email and not just the short system name to reduce ambiguity.

To do this I copied the action “sendmail-whois” to “local_sendmail-whois”

And then adjusted /etc/fail2ban/actions.d/sendmail-whois.conf by editing the actionstart, actionstop and actionban sections. These simply run the sendmail command with the given Subject, Date, From, To and body. I swapped uname -n with <hostname> and adjusted the format for each section.

I then added this new action to jail.conf

By default I use the “action_” action, which doesn’t send an email. And then in the jails that I do want an email I just put