Dropbox 21 – Errata

I’ll post changes I’ve made to the original pages here based on lessons learned from real-world deployments and your generous feedback. 20161021: Previously I’d taken a standard Kali image and migrated to LXDE. With the new 2016.2 LXDE ISO that’s no longer necessary, but it is now necessary to install network manager for some of the scripts to …

Dropbox 19 – Dropbox Client (Linux)

To port forward on Linux your SSH config file should look something like the following.

Dropbox Client 01

    Host DBOX*
        AddressFamily inet
        User dbox-relay
        Port 22
        IdentityFile /root/.ssh/dbox_client
        ServerAliveInterval 10
        LocalForward 11095 127.0.0.1:11095
        LocalForward 11096 127.0.0.1:11096
        LocalForward 11097 127.0.0.1:11097
        LocalForward 11098 127.0.0.1:11098
    Host DBOX-tunnels-SSH
        HostName <FQDN of Dropbox Relay>
        StrictHostKeyChecking yes
        UserKnownHostsFile /root/.ssh/known_hosts
    Host DBOX-tunnels-SSL …

Dropbox 18 – Dropbox Client (Windows)

For Dropbox Clients running Windows we’ll be using PuTTY. There are two ways that we can connect to our Dropbox Relay to establish our tunnels. Since we likely aren’t as restricted as our client environments, we can connect directly through SSH. We can also connect just like the Dropbox Server over SSL/TLS to the HAProxy …

Dropbox 17 – Dropbox Server (Hardening)

We’ve been hardening as we go, so there really wasn’t much to do here in the first iteration when I was using Kali 2016.1. By default RPCBIND was bound to all interfaces on port 111 so I ran the following commands to disable it.

    systemctl stop rpcbind.service
    systemctl disable rpcbind.service

Now there’s even less to do as …

Dropbox 16 – Dropbox Server (Logging)

We can fix a lot of issues by modifying our dynamic configuration files, but not if we don’t know what the problem is. Did the client give us the wrong gateway? Did they forget to enable our credentials on their proxy? Or, did we fat-finger the static IP? We’ll log a good deal of information to the …

Dropbox 15 – Dropbox Server (Boot Parameters)

By placing the configuration settings on a USB, we can dynamically change how the system boots. If necessary, we can send the client replacement files via email. This is critical if things don’t work after the device has already been deployed and we are still not able to connect. We can also use this functionality if we need to …

Dropbox 14 – Dropbox Server (Tunnels as a Service)

We are going to create monitored services for each of our tunnels. If they go down for any reason the system will restart them.

Create dbox-ssh-tunnel service

    vi/vim/nano /etc/systemd/system/dbox-ssh-tunnel.service

    [Unit]
    Description=Create tunnel for SSH server on dbox-relay
    After=network.target

    [Service]
    User=root
    ExecStart=/usr/bin/ssh -NT -F /root/.ssh/config dbox-ssh-tunnel
    RestartSec=10
    Restart=always

    [Install]
    WantedBy=multi-user.target

Create dbox-vnc-tunnel service

    vi/vim/nano /etc/systemd/system/dbox-vnc-tunnel.service

    [Unit]
    Description=Create tunnel for …

Dropbox 13 – Dropbox Server (SSH Tunnels)

To connect to the Dropbox Server we need to have it establish reverse SSH tunnels on the Dropbox Relay. First we need to upload our Dropbox Server’s public key to the Dropbox Relay. Since we can’t access the relay directly – it requires key authentication – you can copy the file to a USB and move it over …

Dropbox 12 – Dropbox Server (HTTP Proxy / Squid)

Squid is one of the most highly configurable software packages available, but we’re going to use the absolutely simplest deployment possible.

Install squid3

    apt-get install squid3

Back up the original 7,930-line Squid configuration file (not an exaggeration).

    mv /etc/squid/squid.conf /etc/squid/squid.conf.old

Create a new Squid configuration file with everything we need.

    echo -e "http_port 127.0.0.1:3128\nhttp_access allow all" > …