Safer Internet and the election campaign.

We are now in election campaign season.

Before the social media campaigns of the various political camps break loose, remember that:

  • we are, in fact, the camp opposed to Russia, which will unleash the full power of its disinformation on our media, blending in with the trolls on the Internet and on social networks.
  • always verify that sources are reliable and official before trumpeting news left and right. (it really takes very little)
  • the number of views and comments does not turn an opinion (even an authoritative one) into a fact, much less when it comes from #amiocuggino
  • search engines carry paid ads; very often the first link is sponsored, so watch where you click.
  • discussions are nice, brawls are not (and for what, anyway..) and paying a lawyer to defend yourself against defamation in the media is not cheap
  • the person you are talking to might not be human.. (ever heard of AI bots?)
  • it is pointless to use pseudonyms if you then put something personal in your profile picture or, worse, post publicly even when you go to the bathroom. (it is extremely easy to find out a lot about you)
  • use a second authentication factor for your account and a second channel to verify friend/follow requests etc.
  • use biometrics where possible
  • stop turning off the GPS on your phone (that is not what they use to locate you..)
  • do not send photos of yourself or of anyone else to some cute app that ages/rejuvenates you or turns you into the clown from hit…
  • remember that the most tracked place in the world is the Internet as used by ordinary mortals. Hackers, unless protected by states and/or agencies, sooner or later get caught..

This is coming from someone who:
“.. I’ve seen things you people wouldn’t believe: attack ships on fire off the shoulder of Orion..”

Stay safe online

Azure Monitor NSG Monitoring

Basic understanding of NSG Logging

According to https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-nsg-manage-log
NSG logging produces two kinds of data: GroupEvent and GroupRuleCounter.

GroupEvent
The event log contains information about which NSG rules are applied to VMs, based on MAC address. The following data is logged for each event.

GroupRuleCounter
The rule counter log contains information about each rule applied to resources.

What can I monitor

Based on the above, you can monitor:

  • the event of an NSG rule being hit by network traffic
  • the number of times a single rule was applied to a resource

Note

The GroupEvent table fields can be misleading. You are not able to know which source IP is hitting the rule unless the rule itself contains a single-source-IP condition. (That is the real meaning of the field conditions_sourceIP_s: it records the rule’s condition, not the packet’s source.)
Things get even trickier if you start with a set of rules that each contain a single source IP with a Deny action and then switch to a Deny rule for Any source plus a single Allow rule for the permitted source IP.

In this scenario you are unable to identify the IP addresses that hit the Deny rule.

Let’s demonstrate this in practice.
I used the Application Gateway demo from the Azure quick start template library to deploy a full infrastructure made up of two web servers (each with an NSG) in a vNet, with an Application Gateway balancing the traffic between the two machines.

Both NSGs had the same settings, shown in the picture below.

Let’s concentrate for a while on the very first rule.
I set the Source IP to my own IP and tried to establish an SSH connection.
Everything worked fine, and you get a trace of the connection in the log with the query below:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK"
| where Category == "NetworkSecurityGroupEvent"
| where direction_s == "In"
| where type_s == "allow"
| project-away systemId_g, SourceSystem, _ResourceId, TenantId, ResourceId, ResourceGroup //just to concentrate on fields value that are important

with the results below:


All good. What if we change the rule to disallow access from my IP?
Will we be able to track who is trying to connect over SSH?
The short answer is no. Let’s demonstrate it:

  • I changed the ssh-rule source IP to an address different from mine
  • tried to access the VM over SSH

The only thing I can find is that DefaultRule_DenyAllInBound was hit, with no information about the IP that tried to access:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK"
| where Category == "NetworkSecurityGroupEvent"
| where direction_s == "In"
| where type_s == "block"
| summarize by ruleName_s

NSGs simply don’t care about anything but their rules.
If a rule is matched you get a record with all the information about where the rule was applied (IP address and MAC address of the NIC), but nothing about the source IP.

The bottom line is that you will be able to track explicitly denied or allowed single-IP rules, but to track who is trying to use something unauthorized you can’t rely on NSG logging. You have to use something else.
(Hint: NSG Flow Logs.)

The following query helps understand, in a quantitative way, whether someone is trying to connect and failing:

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK"
| where Category == "NetworkSecurityGroupRuleCounter"
| where type_s == "block"
| summarize count() by Resource, ruleName_s, type_s, direction_s, primaryIPv4Address_s
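As an added illustration (not code from the post), the same two checks applied offline in Python to constructed NSG log records: which block events can be attributed to a source IP (only those matched by a rule whose conditions_sourceIP_s names a single host), and the rule-counter tally grouped exactly as the last query above. Column names follow the queries; the resource, rule names and addresses are made up.

```python
import ipaddress
from collections import Counter

# Constructed AzureDiagnostics-like records: column names follow the queries
# above, every value (resource, rules, addresses) is made up for this example.
NSG_RECORDS = [
    {"Category": "NetworkSecurityGroupEvent", "Resource": "WEB-NSG", "direction_s": "In",
     "type_s": "allow", "ruleName_s": "UserRule_ssh-rule",
     "conditions_sourceIP_s": "203.0.113.10", "primaryIPv4Address_s": "10.0.1.4"},
    {"Category": "NetworkSecurityGroupEvent", "Resource": "WEB-NSG", "direction_s": "In",
     "type_s": "block", "ruleName_s": "DefaultRule_DenyAllInBound",
     "conditions_sourceIP_s": "0.0.0.0/0", "primaryIPv4Address_s": "10.0.1.4"},
    {"Category": "NetworkSecurityGroupRuleCounter", "Resource": "WEB-NSG", "direction_s": "In",
     "type_s": "block", "ruleName_s": "DefaultRule_DenyAllInBound", "primaryIPv4Address_s": "10.0.1.4"},
    {"Category": "NetworkSecurityGroupRuleCounter", "Resource": "WEB-NSG", "direction_s": "In",
     "type_s": "block", "ruleName_s": "DefaultRule_DenyAllInBound", "primaryIPv4Address_s": "10.0.1.4"},
    {"Category": "NetworkSecurityGroupRuleCounter", "Resource": "WEB-NSG", "direction_s": "In",
     "type_s": "block", "ruleName_s": "DefaultRule_DenyAllInBound", "primaryIPv4Address_s": "10.0.1.5"},
]

def attributable_source(record):
    """Source IP an event can be attributed to, or None.
    The event log stores the matched rule's *condition*, not the packet's
    source, so a host is known only when the rule names exactly one (IP or /32)."""
    try:
        net = ipaddress.ip_network(record.get("conditions_sourceIP_s", ""), strict=False)
    except ValueError:
        return None  # Any, a service tag, a comma-separated list, or empty
    return str(net.network_address) if net.num_addresses == 1 else None

def blocked_events(records):
    """Inbound block events as (rule, attributable source or None) pairs."""
    return [(r["ruleName_s"], attributable_source(r)) for r in records
            if r["Category"] == "NetworkSecurityGroupEvent"
            and r["direction_s"] == "In" and r["type_s"] == "block"]

def block_counts(records):
    """Same grouping as the NetworkSecurityGroupRuleCounter query above."""
    keys = ("Resource", "ruleName_s", "type_s", "direction_s", "primaryIPv4Address_s")
    return Counter(tuple(r[k] for k in keys) for r in records
                   if r["Category"] == "NetworkSecurityGroupRuleCounter" and r["type_s"] == "block")

if __name__ == "__main__":
    for rule, src in blocked_events(NSG_RECORDS):
        print(f"{rule}: source {src or 'unknown (rule condition is not a single host)'}")
    for key, n in block_counts(NSG_RECORDS).items():
        print(n, *key)
```

The deny event in the constructed data comes out with no attributable source, which is exactly the gap the post describes; the counter tally still tells you how often, and against which NIC, the deny rule fired.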

Integrating Vodafone FWA with my home network

While constantly checking for the arrival of an FTTH connection I had to face reality: it isn’t coming soon (or ever). Despite being surrounded by high-speed fibers in my street, they are not available to the consumer market.

In the last 5 years I relied completely on a wireless connection provided by air2bite, which grew to the current capacity of 30 Mbit/s download and 3 Mbit/s upload. Overall a nice connection, since it is backed by a high-speed fiber network with low latency (well, not in the same class as FTTH, but better than ADSL latency). It served me very well to play online with friends and work from home thanks to the Adaptive QoS of my Asus AX-11000 router. Large downloads and medium uploads were a bit painful but doable.

The pandemic added new workload to an already fully utilized WAN connection and, despite the exceptionally good QoS of my router, I had to ask family members to stop watching movies on Netflix or other streaming services while I was in meetings or customer presentations. The maximum capacity was reached and, with all three of us working or studying remotely, we desperately needed two things: more capacity and a backup connection.

I started exploring the dual WAN feature of the ASUS AX-11000 and began with the cheapest option available at the time: adding a USB LTE dongle (Huawei E3372h-y320 LTE) to the USB port of the router, to have at least a backup connection in case of problems. The HyperLan connection used by air2bite doesn’t play well with snow :-).

One of the finest features of this router is the ability to use the secondary connection even in balanced mode. I tried it for a while, but too many connection errors arose due to the IP change on the client side. I switched back to Failover, and the data connection provided by Ho Mobile worked well the couple of times it was needed.

The availability problem was solved, but I still needed to keep yelling at other family members to stop watching streaming movies during my calls with colleagues on the West Coast. That kind of call usually happened right when they were done with school or work and decided to watch something on TV…

While regularly checking the availability of FTTH in my area on the OpenFiber website, there was still no connection available, even though I can spot at least a couple of manholes no farther than a few hundred meters from my house, which mysteriously turn into an empty street where no one lives. 😡

I started considering the Vodafone FWA connection as a viable alternative, especially when the 500 GB traffic subscription became available.

The question was: how can I integrate it into my network without having a fifth(!) Wi-Fi network in my house, while retaining control over consumption?

Vodafone is very cryptic about how to integrate their connection into an existing network, so I tried to find any article on the Internet about how to use it as my WAN connection. I wasn’t lucky. Even worse, when I went to a Vodafone shop asking about connecting it to my existing network, the answer was: no, it isn’t going to work.

I thought about it for a while and dismissed the shop employee’s claim (well, they are sellers, not network engineers, they could simply not know) and started evaluating upsides and downsides.

Based on the usage data of my router, 500 GB isn’t enough for my current usage and, considering the 100 Mbit/s speed, you can easily consume all the allowance in a few days. So I had to keep both connections and cherry-pick which device can use the fastest connection, and when.

Again, the investment I made in the ASUS AX11000 pays off. While dual WAN is in use, the Asus router is able to balance traffic between the connections and also apply Routing Rules that let a specific client IP use a specific WAN connection when connecting to a specific IP (or netmask).

Based on that, and on the consideration that Vodafone can’t restrict the ethernet port to specific MAC addresses without generating lots of support calls, I decided to subscribe to this new kind of connection for my house.

At the shop I received the SIM, and in less than a week the router arrived at my house. The day after, I received the SMS that my line was ready, and the problems began.

First, their instructions forgot to mention that the SIM still has a PIN, and without it the modem can’t establish a connection. I decided (strangely for me) to carefully follow the instructions, put the SIM into the modem and hoped for a blue light on the connection LED.

Nothing…

I waited a night, then decided that the line should be OK and the problem was definitely something related to the modem or the SIM. Let’s hunt for it:

  • Connected to the wireless network, then used the browser to open the modem administration interface
  • The modem was waiting for the PIN, and on the same screen I chose to unlock the SIM
  • The connection LED turned blue and I finally got the speed I expected
A few initial speed tests with Vodafone FWA

The next natural step was to integrate this new connection into my home network, which has more than thirty devices connected, spanning 5 Wi-Fi networks (both 2.4 and 5 GHz) and three physical gigabit ethernet switches, while still being able to choose which devices get to use some of the 500 GB data allowance over the FWA network.

Poking around the management interface, I didn’t find any limitation on connected devices and decided to try it.

I plugged the ethernet cable that comes with the Vodafone FWA device (a Huawei 8818-263 with lightly customized firmware) into the 2.5G WAN port of the ASUS router, configured it as the second WAN on the AX-11000 and turned off the Vodafone router’s Wi-Fi.

At this point I switched the Dual WAN mode of the router from Failover to Balanced, with a connection distribution ratio of 3:1.

This setup resulted in the following screen on the Vodafone router, which confirms that the ASUS router is also connected to the Internet via the FWA connection.

Connected Device page

The flip side of this new configuration is that Adaptive QoS, Traffic Analysis and a few other functions, which helped manage the connection efficiently for critical workloads like collaboration and learning, are no longer available.

Now it is time to solve the two remaining problems:
– choose which device will use the 100 Mbit/s connection and which the 30 Mbit/s one, and when
– avoid problems with NAT

Thankfully, the routing problem can be easily solved with the custom routing rules, which can be enabled on a per-IP basis. The only catch is that you must configure static IP assignment in the DHCP service, so that the given address can be used to create the routing rule.

To keep things as simple as possible I decided to use only rules to ‘all destinations’ instead of trying to route traffic between connections based on destination as well.

Given that many services use many IPs behind a DNS name, I thought the added complexity wasn’t worth it, considering both the 32-rule limit and the inability to use network masks.

This was the result of the first iteration: single IP reservations and routing rules on the router.

Soon the drawbacks of this kind of configuration became extremely uncomfortable and I started wondering whether I could simplify it.

I did, with the following configuration steps:

  • Reserved everything below .65 for network devices or important services with static IP addresses (like in the good old times :-D)
  • Subnetted the address space using /26 netmasks (x.x.x.x/26)
  • Implemented a single-name, multi-standard Wi-Fi network using access points, as it should be
  • Kept a separate 2.4 GHz Wi-Fi network for appliances
  • Wherever possible, wired MAC addresses are statically assigned to the fastest connection, and wireless connections are bound to subnets that route to the slowest connection.
  • Last but not least, to avoid problems with multiplayer games and other software that doesn’t play well with NAT, I made the IP of the AX11000 the DMZ IP on the FWA router.

With all these configurations I’m able to quickly move one client from one kind of network to the other, especially in the case of large downloads that can easily consume all the FWA allowance if left uncontrolled (Xbox, PS5, PC games..).

This configuration is working really well: simply by disabling one network card on the PC you can switch from one kind of connection to the other without touching the network configuration.

In case of failure, in less than a minute the router switches all the devices to the other connection and lets you seamlessly continue working (even with reduced bandwidth).

Funny story: air2bite upgraded its offering with a booster that doubled (or more than doubled) the capacity of their network, so I currently have two 100 Mbit/s connections.

I will continue to have both, just-in-case.

Sudoers adventures and how VM Extensions can save the day

Using a Linux-based Azure VM you may need to access the console to perform special operations, and Azure VM Extensions are the right tool for it.
This is especially true when you do something really weird, such as putting a file in the /etc/sudoers.d folder without checking it beforehand with visudo. If the file is not 100% perfect you can lose the entire VM, and there isn’t much you can do to recover it, since all privileged actions are locked down by the error in the file that is included from the sudoers file.
One possible solution is to use a VM Extension called “Custom Script for Linux”.


In my case it was super useful to run a script with elevated rights that deleted the faulty file from /etc/sudoers.d to clean up the mess.
Remember that, since it can download arbitrarily complicated scripts from your computer (or many other sources) to your VM, we can easily say that “the sky is the limit”.
You can read here all the details on how to use this extension.
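Added example, not from the post: a small Python helper that does the check the post says was skipped. It syntax-checks a sudoers.d fragment with `visudo -c -f` on a temporary copy, rejects file names that sudoers(5) silently ignores (names containing ‘.’ or ending in ‘~’), and only then writes the fragment with mode 0440. It assumes `visudo` is installed on the VM; the install step needs root.

```python
import os
import shutil
import subprocess
import tempfile

def name_problems(name):
    """Reasons sudoers' @includedir would silently skip this file name.
    sudoers(5): names containing '.' or ending in '~' are ignored, which
    hides a broken fragment instead of failing loudly."""
    problems = []
    if not name or "/" in name:
        problems.append("must be a bare file name")
    if "." in name:
        problems.append("contains '.', sudoers would ignore it")
    if name.endswith("~"):
        problems.append("ends with '~', sudoers would ignore it")
    return problems

def visudo_check(text):
    """Syntax-check a fragment with `visudo -c -f` on a temporary copy.
    Returns (ok, message). Assumes visudo is installed; -f skips the
    ownership/mode check, so the temp file's permissions do not matter."""
    visudo = shutil.which("visudo")
    if visudo is None:
        return False, "visudo not found"
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write(text)
        path = tmp.name
    try:
        res = subprocess.run([visudo, "-c", "-f", path], capture_output=True, text=True)
        return res.returncode == 0, (res.stdout + res.stderr).strip()
    finally:
        os.unlink(path)

def install_fragment(name, text, directory="/etc/sudoers.d"):
    """Validate first, then write with mode 0440 and root ownership (needs root)."""
    problems = name_problems(name)
    if not text.endswith("\n"):
        problems.append("missing trailing newline")  # a classic visudo syntax error
    if problems:
        raise ValueError("; ".join(problems))
    ok, msg = visudo_check(text)
    if not ok:
        raise ValueError(f"visudo rejected the fragment: {msg}")
    dest = os.path.join(directory, name)
    with open(dest, "w") as f:
        f.write(text)
    os.chmod(dest, 0o440)
    os.chown(dest, 0, 0)
    return dest
```

Because every check runs before anything is written under /etc/sudoers.d, a bad fragment is reported as a Python error instead of locking you out of sudo on the VM.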