how to block OpenVPN access using MAC address - mac-address

I have been tasked to block our OpenVPN access to specific devices using the MAC address. It seems possible to do this with the OpenVPN Access Server, but I'm using the community edition. Would there be a way to perform this task?
Or would there be any suggestions on how to do it using a different method?

This can be done on the community edition with the client-connect command, but it is necessary for the client to have push-peer-info in the local VPN config. That will force the client to report the MAC address of its default gateway, which the OpenVPN server exposes in the environment variable IV_HWADDR. The script can then retrieve that value and compare it to a list of authorized MAC addresses in whatever language and manner you see fit. To allow the connection your script needs to exit with a value of 0; conversely, to drop the connection it needs to exit with any non-zero number.
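As an added example, not code from the answer above, here is a POSIX sh client-connect script that performs that comparison against a one-MAC-per-line allowlist. The allowlist path (`/etc/openvpn/allowed-macs.txt`), the script path and the addresses in the comments are assumptions. One caveat a practitioner should keep in mind: IV_HWADDR is whatever the client chose to send, so anyone who controls their own client config can report any address. Treat this as device bookkeeping layered on top of real authentication (per-client certificates, username/password), not as the authentication itself. The script fails closed: a client that did not send push-peer-info, or sent an address that is not listed, is rejected.

```shell
#!/bin/sh
# Added example: OpenVPN --client-connect script that allows or rejects a
# connection based on the client-reported IV_HWADDR environment variable.
# OpenVPN runs it with $1 = path of a temporary per-client config file and
# exports common_name, trusted_ip and (only if the client used
# --push-peer-info) IV_HWADDR. Exit 0 to allow, non-zero to drop.
#
# Server config (assumed paths):
#   script-security 2
#   client-connect /etc/openvpn/check-hwaddr.sh
# Client config:
#   push-peer-info

ALLOWLIST="${ALLOWLIST:-/etc/openvpn/allowed-macs.txt}"   # assumed path

# normalise_mac MAC: lowercase, strip whitespace, accept "-" or ":" separators.
normalise_mac() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]' | tr '-' ':'
}

# check_hwaddr ALLOWLIST_FILE MAC
# Returns 0 if MAC appears in the file, 1 otherwise (including empty MAC or
# unreadable file, so the caller fails closed). Blank lines and text after
# '#' in the allowlist are ignored.
check_hwaddr() {
    file="$1"
    mac="$(normalise_mac "$2")"
    [ -n "$mac" ] || return 1
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"
        entry="$(normalise_mac "$line")"
        [ -n "$entry" ] || continue
        [ "$entry" = "$mac" ] && return 0
    done < "$file"
    return 1
}

# Only act when invoked by OpenVPN (trusted_ip is set for client-connect);
# when the file is merely sourced, the functions above are just defined.
if [ -n "${trusted_ip:-}" ]; then
    if check_hwaddr "$ALLOWLIST" "${IV_HWADDR:-}"; then
        exit 0
    fi
    echo "client-connect: rejecting ${common_name:-unknown} from ${trusted_ip}" \
         "(IV_HWADDR=${IV_HWADDR:-unset})" >&2
    exit 1
fi
```

The rejection message goes to stderr so it lands in the OpenVPN log next to the connection that was dropped; the allowlist is only read by the script, so it can be kept root-owned and mode 0600 under the directory the server already protects.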

Related

How to prevent running program on Win or Unix via command line

After long research here on Stack Overflow and on the net I didn't find anything about it. As the title says, how can I do that?
For example: I am the owner of a hosted website that allows me to manage the database via phpMyAdmin. When I try to connect to my database via the prompt, the connection never works. It could be because of OS settings (right?).
How can I do that (in both OSs)?
Thanks in advance.
If I understand your question correctly:
You have a website with a MySQL database hosted on your provider's servers.
When you try to use your local PC installation of MySql from a command prompt, it will not let you connect.
I use dreamhost.com and have a similar setup. If I want to use database tools from my local PC to connect to the database, I have to enter my IP address in the db configuration page under "allowed hosts".
Restricting remote database connections to specific IP addresses protects your database from random hacking attempts.
As for your question about restricting command line execution of a program, that is usually just caused by missing configuration information in the environment variables - leaving the path to the executable out of the PATH variable is a common one. You would still be able to run the program if you enter the full path to it.
It really depends on the error message you get when trying to run the program from the command line.

windows cmd connection to remote mysql dbf

Is there a way to connect to a MySQL database on a remote server and run SQL queries using the Windows command line?
Yes, you can connect to a different host by running mysql -h 123.45.67.89.
Please note that there are a few security implications:
You will have to grant yourself access. You will need to run something like GRANT ALL ON db_name.table TO 'user'@'your_ip' IDENTIFIED BY 'password'. db_name, table and your_ip can be * but beware of opening your server to hackers.
You will have to open your server's firewall if you are not on the same LAN. Again, ymmv and you should be aware not to open the door to exploits.
You may want to use SSL and use secure-auth in order to protect your traffic and credentials.
Hope that helps.
MySQL has a command-line client, where you can run queries. If you don't want to allow remote connections to the database on the server, you can still script things into a batch. There are command-line telnet/ssh clients, that either accept external file as a list of commands to run remotely, or you can pass it with the input stream redirection (less then symbol) to them.
When opening a connection to server - most clients are programmed so that the only way to specify the login password is by typing it in from keyboard (yeah, they don't use default input stream). Things like that make it hard to script it. However, it may be possible to set up a certificate based login on SSH - you'd actually have to research that.
If the server that's hosting the MySQL database is also a web server, you could also think about putting some script (PHP, Perl, Python, Ruby, whatever you like) in a password-protected area that would allow you to execute queries simply by making HTTP(S) requests to that script. Although Windows doesn't have a command-line HTTP(S) client, you can always get something like wget.exe and perform the requests with it. Note that if you choose this approach, I strongly advise putting that script under HTTPS: if discovered by a malicious user, it could be lethal to your data.
You could use telnet, or SSH if you want to be more secure.
If MySQL is running on Linux or BSD, you need a Telnet or SSH connection through something like PuTTY.
This will open a command line on the remote server. The command is mysql. There will be issues around authentication of remote users (as you would expect).
If the remote server is running Windows, you have a whole different set of issues.
I'm not sure you can connect to a remote Windows server and control it this way.
I should say I'm not sure HOW you could connect to a remote Windows server and use it this way. But no doubt it's possible.

launch X windows on client machine

I have a shell script on a Unix box which, when executed, sets the DISPLAY variable dynamically to the client's IP address, and if the client has some sort of X Windows up and running then it launches a program like xcalc.
I would want the shell script to launch the X Windows session (say, an Exceed session) on the Windows client when the shell script is executed. Is this possible, and if so, how?
regards
Edwards
The general answer to that is "no, not unless you explicitly enable it."
Think about this in a general sense. Your question is "Is my PC security so weak that external computers can connect in and start programs on it, without a password or certificate?"
Clearly this effectively would mean that your PC had zero security. So for your sake, I sincerely hope that the answer to your question is "No".
If in your case the answer is "Yes", then perhaps it's time to abandon Windows 98?
This might be something worth asking on ServerFault too, since it's somewhat of a gray area between programming and system administration.
Are clients logged in via a shell to the server? Rather than setting the DISPLAY variable to their IP address, I highly recommend using SSH and some sort of client (openssh on Linux, PuTTY on Windows) that will automagically set the DISPLAY variable when you login.
The procedure would look like this:
Start an X server on the client (eXceed, Xorg, etc.)
Use PuTTY/SSH to login to the server with X11 forwarding turned on (-X for openssh, Connection | SSH | X11 for PuTTY)
Start the X11 program
The nice thing about this setup is that it's easy to tell if the client has an X server running - the DISPLAY variable will be set if so, but unset if not.
You say that you want to start a session on the Windows client when they login - do you want to see, for example, a login similar to what you would see if you were at the machine? In that case, you might want to use XDMCP.

How to capture your username on Box A after you have SSHed onto Box B?

Maybe not the best worded question, but hopefully it's a straightforward problem.
The scenario is SSHing from a personal account on box A to a generic account on box B. The script running on box B needs to capture the personal account name for logging purposes. Is there any way of capturing this, either via SSH itself or some information captured by the shell? We are using ssh2 (Reflections), and KornShell (ksh) on Solaris.
If you have full control of the client machine, you can deploy identd to get the username.
Full procedure to get name from script:
Walk up process tree, find sshd
Walk netstat -p to find the remote IP and port.
Connect to client on port 113 and ask.
You may have to disable privilege separation for this to work as-is; however it should be trivial to modify to work w/o it.
You can't log the remote username reliably
You can log the IP of the connection (see the SSH_CONNECTION variable)
You could have a standard where they use an alias for ssh that logs the remote username as part of the login process, or where they store their username in a .ssh/environment file (but allowing environments to be set may require ssh/sshd config changes).
alias sshblah='ssh blah "REMOTEUSER=$USER; bash"'
(Except that doesn't work, and I haven't tried to figure out why - and it would be different if you use tcsh, etc).
You can use environment passing in this manner, and select which variables you allow to be set. You'd have to get the users to set some alternate to $USER, like $REMOTE_USER=$USER, and then allow $REMOTE_USER to pass through. And you're trusting they don't set it incorrectly, or forget to set it (you can handle that case with a little annoyance by modifying this mechanism).
Note that you almost have to trust the client connecting to tell you who the user is - you can make it hard/annoying to spoof the username, but unless you use per-user certificates instead of a generic login/password they all know, you can't verify who connected.
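As an added example, not from any of the answers above, here is one way to put the environment-passing idea into practice on the box B side with OpenSSH. The client sends its personal username in a variable named REMOTE_USER with `SendEnv` (an OpenSSH client option; the thread's Reflection ssh2 client may or may not offer an equivalent), sshd admits it with `AcceptEnv REMOTE_USER`, and the shared account's profile writes one log line combining that with SSH_CONNECTION, which sshd sets itself. The variable and log path names are assumptions. Because REMOTE_USER is whatever the connecting client chose to send, the log line marks it as unverified and strips characters that could forge or split log entries; only the client IP and port in SSH_CONNECTION come from sshd rather than from the client.

```shell
#!/bin/sh
# Added example: log who logged in to a shared account, combining the
# sshd-provided SSH_CONNECTION with a client-asserted REMOTE_USER.
#
# Client side (~/.ssh/config, assumed host alias "boxb"):
#   Host boxb
#       SendEnv REMOTE_USER
# and the user connects with:   REMOTE_USER="$USER" ssh boxb
# Server side (sshd_config on box B):   AcceptEnv REMOTE_USER
#
# Note the alias in the thread sets REMOTEUSER without exporting it, so the
# bash it starts never sees the value; SendEnv/AcceptEnv avoids that entirely.

# login_record SSH_CONNECTION_VALUE REMOTE_USER_VALUE LOCAL_ACCOUNT
# Prints one log line of the form
#   client=<ip>:<port> account=<local> asserted_user=<name|none> verified=no
login_record() {
    conn="$1"; asserted="$2"; account="$3"
    # SSH_CONNECTION is "client_ip client_port server_ip server_port";
    # word-split it into the function's own positional parameters.
    set -- $conn
    client_ip="${1:-unknown}"; client_port="${2:-0}"
    # The asserted name is attacker-controlled: keep only a conservative
    # character set so it cannot inject spaces, newlines or shell syntax.
    asserted="$(printf '%s' "$asserted" | tr -cd 'A-Za-z0-9._@-')"
    [ -n "$asserted" ] || asserted="none"
    printf 'client=%s:%s account=%s asserted_user=%s verified=no\n' \
        "$client_ip" "$client_port" "$account" "$asserted"
}

# In the shared account's login profile (assumed log path, writable by the
# account but ideally append-only, e.g. via a setuid logger or syslog):
# login_record "${SSH_CONNECTION:-}" "${REMOTE_USER:-}" "$(id -un)" >> /var/log/shared-logins
```

The `verified=no` field is deliberate: as the answer above says, with a shared password nothing on box B can confirm the name. If that matters, give each person their own key in the shared account's authorized_keys with an `environment="REMOTE_USER=alice"` option (requires `PermitUserEnvironment` in sshd_config); then the name is tied to a key sshd actually verified, and the field can honestly say `verified=yes`.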

Is an SSH tunnel through Citrix Client possible?

I know it is not strictly a programmer question, on the other hand, I would really like to be able to do a simple svn up on the production servers, which would save us a lot of hassle.
Our production servers are within a corporate network, and access is only allowed through a gateway server. From that we can access the actual servers via Remote Desktop. Because of this maintenance-unfriendly setup we use an SFTP server to get our files to the production server (where the FTP server always resets the last-modified date), so it is complicated to determine which files have changed.
So if it would be possible to setup a ssh tunnel from the actual server through the citrix connection, it would ease the whole update process.
(One further option which I consider is to use Bazaar to push our updates to the SFTP server and then pull the updates from there, but unfortunately there is no working svn plugin for Bazaar available [on Windows].)
Okay, not wanting this to remain unsolved, I posted the following on the usenet in alt.os.citrix:
G'day everyone
Someone asked me this question. I haven't a clue. Any ideas?
"the connection I have is PC -> Citrix Access Gateway -> actual Server. My question is, if it is possible to establish a ssh connection from my PC to the actual Server."
The response I got from a Catherine Jefferson was:
Should be. I do this all the time using an Access Gateway VPN, then ssh to servers inside the company LAN.
What version of the Access Gateway is this user running? I work for Citrix, might be able to get a more specific answer for him or her.
So may I suggest you hook into alt.os.citrix (probably via Google Groups if you don't have an NNTP tool) and buy into the conversation.
--Bruce
I do this a lot. The tunnel is like:
ssh -nvCXAN -L 1494:10.0.2.39:1494 www.starshipping.com &
Then, you need an ICA file that points to localhost.
[WFClient]
Version=2
[ApplicationServers]
Connection To Citrix Server=
[Connection To Citrix Server]
WinStationDriver=ICA 3.0
TransportDriver=TCP/IP
ClientAudio=Off
DesiredColor=8
Username=yourusername
Domain=yourdomain
Password=xxxxxxxxx ; has to be encrypted. I pulled from another ICA file generated internally
ScreenPercent=97
TWIMode=OFF
Address=localhost
This all worked very fine on OSX until Citrix gave out a new version of the Citrix client which is now called the Citrix Online Plugin. Haven't been able to get it to work since then. Meanwhile, our VPN has been working fine, so haven't worried too much about it.
Citrix over SSH, How to Create a Key Pair for SSH Authentication Using PuTTYgen, Terminals. It seems that the answers are "out there" but not readily found. That was just five minutes in Google. HTH.