Thursday, 3 May 2018

How to block Viber ads on DD-WRT router





Rakuten Viber introduced commercials in newer verions of their app so users became products. Often , ads are displayed aggressively and interfere with the normal use of app. The solution to this problem is relatively simple: you just need to redirect the domains the Viber app uses to display ads to a non-existent addresses.
First of all make sure that you have enabled "Use DNSMasq for DNS" option under Setup\Basic Setup tab. Second, enable "Local DNS" option and disable "No DNS Rebind" option on Services tab. In "Additional DNSMasq Options" paste these host-record config directive:

host-record=ads.viber.com,127.0.0.1,2592000
host-record=ads.aws.viber.com,127.0.0.1,2592000
host-record=ads-d.viber.com,127.0.0.1,2592000
host-record=media.cdn.viber.com,127.0.0.1,2592000
This way you made simple DNS proxing :)  TTL of 2592000 seconds (one month) means that when the network device (iPhone, Android) once takes over the domain information, it will hold it for a month. Even when it roams to 3G/4G network you will see no ads on Viber. However, these preset settings only last until you restart your device.


Sunday, 6 November 2016

HOW TO: Setup proxy server on DDWRT router to block Ads

There is a very helpfull feature called Ad blocking on DDWRT (units with 16MB flash space and more) which can make your home network more secure and your internet expirience more pleasant. Very easy to setup with just fiew of a clicks. So, let's get started. In your internet browser enter this adress http://{your_router_IP}/Privoxy.asp and enable Privoxy. It's done:)
You want Transparent Mode disabled because it cannot intercept https connections. If you don't want your https traffic to pass privoxy keep Transparent Mode disabled. Now, you have to do fiew more clicks to be able to use Internet:) You have to tell your internet browser to use proxy server if want to go to the Internet. If you use Chrome you will do it this way. First, click on 3 dots in the upper right corner.
Now, go to Settings/Show advanced settings/Network/Change proxy setting:
Enter the IP of your router where Privoxy is enabled and port 8118. Save settings by clicking OK.
When you enter http://config.privoxy.org/ in your internet browser, you will get this kind of answer:
Now, you can enjoy browsing Internet safetly and without annoying ads:)
Tip: If you run Privoxy on unit within your LAN where WAN is disabled (e.g. wds station) you have to enter DNS for queries to be resolved.





Saturday, 27 August 2016

Enable passive FTP on DD-WRT's ProFTP with CT helpers

Most of the popular web browsers (Chrome, MS Edge, FFox) forces passive FTP mode on client side when connecting to FTP server. This can be a problem if you are using ProFTP on dd-wrt router and you want to access from the WAN port (from other locations). Main problem is NAT. To solve this problem developers (on some other systems such as Gargoyle and Tomato) uses nf_conntrack_ftp and nf_nat_ftp kernel modules. On kernels above 3.5 this is depricated and using connection tracking helpers (CT helpers) is more secure and recommended. These iptables directives can achive wanted.

First of all enable USB support, Storage support and Automatic Drive Mount.
Then, enable ProFTP without enabling WAN access (we will do it from command line), add mountpoint and create user.
At last place this iptables directives to your firewall:

iptables -I INPUT -i `get_wanface` -p tcp --dport 20 -j ACCEPT 
iptables -I INPUT -i `get_wanface` -p tcp --dport 21 -j ACCEPT 
iptables -I INPUT -i `get_wanface` -p tcp --dport 1024: -j ACCEPT 
iptables -I INPUT -i `get_wanface` -p tcp --dport 21 -m state --state NEW -m recent --set
iptables -I INPUT -i `get_wanface` -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -I INPUT -m conntrack --ctstate RELATED -j ACCEPT
iptables -I INPUT -m helper --helper ftp -j ACCEPT
iptables -I OUTPUT -p tcp --sport 20 -j ACCEPT 
iptables -I OUTPUT -p tcp --sport 21 -j ACCEPT 
iptables -I OUTPUT -p tcp --sport 1024: -j ACCEPT 
iptables -t raw -I PREROUTING -p tcp --dport 20 -j CT --helper ftp 
iptables -t raw -I PREROUTING -p tcp --dport 21 -j CT --helper ftp 
iptables -t raw -I PREROUTING -p tcp --dport 1024: -j CT --helper ftp

To check if all is secure try some firewall test like GRC firewall test.

As you can notice, there are green, blue and red squares on the picture above. Green squares means that ports are stealth (invisible?) to hackers. Packets are DROPed on WAN interface on those ports. On port 21 (ProFTP port) our ddwrt unit is listening and waiting for connections so it is marked as red because packets are being ACCEPTed if credentials (username/password) are ok. We have in firewall:

iptables -I INPUT -i `get_wanface` -p tcp --dport 21 -m state --state NEW -m recent --set
iptables -I INPUT -i `get_wanface` -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

this will limit hackers on 4 tries per minute.

Blue squares on port 20 and ports 1024:65565 meaning that packets are REJECTED if they are not RELATED meaning our ProFTP server is secured.
Now, check your WAN ftp access by connecting with Chrome to ftp://{public_IP} from another location. 





Sunday, 21 August 2016

Бројанице и Исусова молитва

Први текст који сам написао а који је био негде објављен био је текст из наслова. Написан је давне 2002.-ге године у Вршцу током редовног служења војног рока. Објављен је у ВОЗ-у (војнички забавник) марта 2002.-ге године у броју 26. Као студент Богословског факултета СПЦ  био сам замољен од стране једног од уредника ВОЗ-а Зденка Лаутера да напишем текст за "духовну радионицу" јер се у то време јављало све веће интересовање за бројанице. Текст преносим у целости.
У Србију, бројанице су дошле са свете Горе Атоске. Уско су повезане са Исихазмом и Светом Гором. У Хиландару српски монаси су "држали правило" сталне молитвене будности изговарањем Исусове молитве. Ово правило светогорских тиховатеља, остало је неизмењено до данашњих дана, па је зато и последњи српски монах на Спасовој води (отац Георгије Витековић - наш савременик) свој духовни живот ујашњавао сталним изговарањем Исусове молитве која гласи: "Господе Исусе Христе, Сине Божији, помилуј ме грешнога (грешну)".
Светогорски монаси, посебно пустиножитељи, данас служе правило Исусове молитве уместо полуноћнице, јутрења и првог часа. Монах тад изврши 33 пута ("изброји" (изговори Исусову молитву)) над 100 куглица/чворова колико има једна велика бројаница. Дакле изговори 3300 пута Исусову молитву.
Број куглица (или "чотки" како их зову руски монаси) у бројаници, као и број пуних кругова целокупне бројанице, уз изговарање Исусове молитве, одређује духовни старац (духовник).
Код бројаница од 100 чотки молитвено правило се врши на следећи начин: за првих 25 чотки обавља се метанија до земље за сваку чотку посебно када се изговори Исусова молитва, за других 25 врши се мала метанија за сваку чотку посебно када се изговори Исусова молитва, онда се за следећих 25 чотки врши осењавање крсним знаком са сваку чотку посебно када се изговара Исусова молитва; за последњих 25 чворова бројанице Исусова молитва је умна и без крштења - онда цео круг на исти начин и то 33 пута!
војник инструктор Х.М.

Thursday, 11 August 2016

Enhance your DD-WRT security with additional iptables rules

This howto will help you to block some of most TCP-based DDoS attcks. Although ddwrt has very good firewall it does not hurt to add some extra rules as long as you know what are you doing.
iptables -t mangle -I PREROUTING -m conntrack --ctstate INVALID -j DROP
This rule blocks all packets that are not a SYN packet and don't belong to an established TCP connection.
iptables -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
This blocks all packets that aren't new (don't belong to an established connection) and don't use SYN flag. This rule is similar to the above rule but I found that it catches some packets that other ones doesn't.

iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
The above rule blocks new packets (only SYN packets can be new packets) that use a TCP MSS value that is not common.


To chek if you caught something do from CLI
iptables -vnL -t mangle

Friday, 29 July 2016

Hotspotsystem on separate dd-wrt interface

This post is for troubleshooting. Not working fully, yet! Clients are not redirected to splash page!

Hotspotsystem


What is Hotspotsystem?

HotspotSystem is captive portal management and billing service for companies or individuals who want to provide internet for their customers. While giving out free Wi-FI, you can promote your bussines by redirecting your customers to your web page or Facebook page where they need to "like" it to gain internet access. This increases you business visibility, customer engagement and sales. Also, it can be used in home purposes to show off in front of your friends:)

How much does it costs?

About pricing see this page. Good news is that they have FREE BASIC package (with splash/landing web page) with no monthly fee only limited with 500 logins per month / location. You can have unlimited number of locations (hotspots).


How does it works?

DD-WRT uses software called coova chilli to establish connection to Hotspotsystem radius server where all authentication is done. After that you can manage your clients through cloud based software on Hotspotsystem web page (setting quotas, bandwidth limit, vouchers, data capture etc.).



Setup guide


We'll do it in 3 steps:

  • create Hotspotsystem account
  • setup DD-WRT unit
  • manage your clients on Hotspotsystem Cloud

Creating Hotspotsystem account is very easy and fast. Just fill out this form and submit. Be careful when choosing operator username because it will appear in the URL your guests see when they open HotSpot start page. Choose your business plan (Free Basic or Social) and proceed to setup dd-wrt unit.





  • Setup DD-WRT unit: 


Before we proceed make sure you backed up your working configuration (Administration > Backup > nvram.bin). If something goes wrong just reset your unit and restore working configutaion. Make sure that you are using build 30342 and later. You can download it from here. It is important because BS did some fixies and updated coova in 30136. Also, go to dd-wrt forum and ask about specific build before flashing your unit. These are all test builds!!!
Go to Setup>Basic setup page. Uncheck Use DNSMasq for DHCP and Use DNSMasq for DNS. This is very important because you need uDHCPd for working HSS at the moment.

IMPORTANT: The router has to be in the same time zone as HotSpotSystem authentication servers so you won't get sync error. Set Greenwich (ETC - GMT+00) as your time zone regardless your local time.


DNSMasq and Local DNS should be turned on.



Now, on the WirelessBasic Settings>Virtual Interfaces Add Virtual Interface. Unbridge it from the LAN (br0) and assign IP adress to the interface (192.168.182.1/255.255.255.0).

Apply settings! Wait about 30 seconds and you will see that new interface ath0.1 appeared on sysinfo page. You will se new VAP (Virtual Access Point) and SSID will apear in the list of wifi networks. Note: naming of the interface can varie by chipset vendor, and can be any of the following: wl0.1 (Broadcom), ath0.1 (Qualcomm Atheros former Atheros), ra1 (Mediatek former Ralink). 

If you are using PPPoE to connect to your ISP, your ppp0 MTU (e.g. 1492) link could be lower then tun0 (1500) link to HSS wich could lead to problem when opening certain web pages. To avoid this on Administration/Commannds add this directive as your firewall rule and Firewall Save:



iptables -t mangle -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1421:65535 -j TCPMSS --clamp-mss-to-pmtu

Now, go to Services>Hotspot tab and enable Hotspotsystem service like on the screenshot below:
Apply settings and wait about 90 seconds to renew want IP and chilli optware to be loaded, You are ready to go. Try your Hotspot by connecting to it.



Manage your splashpage and clients on Hotspotsystem Cloud: When you login to your Hotspotsystem control center here, go to Manage/Locations/Modify Hotspot Data & Settings.


Click on the Splash Page Settings and choose your skin. This will be your landing page that customer will see when they login.

In Hotspot data you can enter Latitude and Longitude if you wan your HS to be visible on the map.


Enjoy!
Mile-Lile

Additionaly you can use dd-wrt QoS to set interface priority. Set LAN&WLAN (br0) to maximum and ath0.1 to bulk. This way your HS won't affect your internet speed!







How to block Viber ads on DD-WRT router

Rakuten Viber introduced commercials in newer verions of their app so users became products. Often , ads are displayed aggressively a...