My almost free dynamic dns replacement (AWS route53)

I use Amazon Route53 for DNS: it is easy, cheap, and portable since it is separate from my domain registrar, and it has a pretty nice API. There is a nice CLI tool for changing DNS called cli53; the official tool, awscli, would work too, but I'd have to build the JSON change requests myself if I used it instead of cli53. See the last code block for the final script and you'll see why cli53 is just easier than the aws route53 change-resource-record-sets command.

Just run

sudo pip install cli53

to get cli53 (install pip first if you're missing that, obviously).
Next, log in to the AWS IAM console and create a new group/user restricted to Route53 permissions on your hosted zone only. My policy looks like this; update it with your own Route53 hosted zone ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListHostedZones",
                "route53:ListResourceRecordSets"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/ZENV1B2ABCDEF"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetHostedZone",
                "route53:ListHostedZones"
            ],
            "Resource": "*"
        }
    ]
}

Your web host needs a simple application that returns the caller's external IP address, or you can use an openly free one (the only free one I found was throttled). Something like this works on a PHP web server:

<?php print $_SERVER['REMOTE_ADDR']; ?>

Finally, here is the script that does the real work. It needs to run on a computer with cli53 and curl installed (sorry, I know a router would be more convenient). I set up a user called dyndns and configured cli53's .boto AWS credentials file for it; see cli53's docs for more on that. Then just put the script in that user's crontab to run every 5 minutes and perform some basic tests to confirm it works, like deleting ip_address.log and making sure cron regenerates it…the real test comes when your IP address changes…I suppose I should have tested that before posting 🙂 oh well.

#!/bin/bash

# Resolve the directory this script lives in so the IP log sits next to it.
SCRIPTPATH=$( cd "$(dirname "$0")" ; pwd -P )
IP_LOG="${SCRIPTPATH}/ip_address.log"
if [ ! -f "$IP_LOG" ] ; then touch "$IP_LOG" ; fi
# Each log line is "DATE TIME IP", so the address is the third field.
LAST_IP=$(tail -1 "${IP_LOG}" | cut -d' ' -f3)
# -s hides curl's progress meter; -f turns an HTTP error into an empty result instead of an error page
CURRENT_IP=$(curl -sf http://yourdomain.com/whatismyip.php)

# Only touch Route53 when curl actually returned something and the address changed.
if [ -n "$CURRENT_IP" ] && [ "$CURRENT_IP" != "$LAST_IP" ]; then
    cli53 rrcreate yourdomain.com myip A "$CURRENT_IP" --replace --ttl 300
    echo "$(date '+%F %T') $CURRENT_IP" >> "$IP_LOG"
fi
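Whatever string the whatismyip endpoint returns ends up published in DNS, so the reply deserves a sanity check before cli53 sees it. The script below is an added example, not the post's own cron script: it validates the reply as a public IPv4 address, compares it with the last logged one, and only then updates the record. The log path, the HTTPS endpoint URL and the domain are placeholders; it is written in plain POSIX sh so it would also run under busybox on a router.

```shell
#!/bin/sh
# Added example, not the post's script: validate the reply from the
# "what is my IP" endpoint before it is handed to cli53. Only a
# well-formed, publicly routable IPv4 address that differs from the
# last one logged should ever trigger a Route53 update.

# Exit 0 only for a dotted-quad IPv4 address outside the private,
# loopback, link-local, "this network" and multicast/reserved ranges.
is_public_ipv4() {
    ip=$1
    case "$ip" in
        ""|*[!0-9.]*|.*|*.) return 1 ;;   # empty, non-digit junk (e.g. an HTML error page), stray dots
    esac
    # Split on dots; the positional parameters are now the octets.
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$1" "$2" "$3" "$4"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    case "$1.$2" in
        0.*|10.*|127.*|169.254|192.168) return 1 ;;
    esac
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
    if [ "$1" -ge 224 ]; then return 1; fi
    return 0
}

# Print the address to publish when the record must change; exit 1 when
# the reply is untrustworthy or matches the last logged address.
next_ip_to_publish() {
    is_public_ipv4 "$1" || return 1
    [ "$1" != "$2" ] || return 1
    printf '%s\n' "$1"
}

# Cron entry point mirroring the post's job (URL and paths are placeholders).
# Fetch over HTTPS so the answer cannot be rewritten in transit, and only
# log the address once cli53 has accepted it.
if [ "${1-}" = "--run" ]; then
    IP_LOG=/var/lib/dyndns/ip_address.log
    LAST_IP=$(tail -1 "$IP_LOG" 2>/dev/null | cut -d' ' -f3)
    CURRENT_IP=$(curl -fsS --max-time 10 https://yourdomain.com/whatismyip.php)
    if NEW_IP=$(next_ip_to_publish "$CURRENT_IP" "$LAST_IP"); then
        cli53 rrcreate yourdomain.com myip A "$NEW_IP" --replace --ttl 300 &&
            echo "$(date '+%F %T') $NEW_IP" >> "$IP_LOG"
    fi
fi
```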

Using fail2ban to open back door ports in your iptables [Port Knocking]

The opposite of fail2ban would probably be called auth2allow (authenticate to allow) or fail2allow, but that's not necessary because fail2ban's configs can be customized to do exactly what I'm talking about. What am I talking about, you ask? Basically, what I've done and am about to explain how to do is set up fail2ban to look for a successful login on an FTP server and then allow the authenticated IP to access another port that isn't as secure as FTP and so is usually 100% blacklisted in iptables. It's just a hack of a security mechanism to let yourself or others into places securely through obscure means. Like most security it's not perfect, but it seems pretty solid in my mind.

If someone can authenticate on the FTP server (it could even be anonymous FTP, but I'd recommend using a special username to which you specifically grant access), then fail2ban triggers an ALLOW rule for their IP on some port (or all ports), for example SSH (22) or Apache HTTPS (443) with a private site on it that you want to keep private and totally hidden from the internet at large. This concept could really apply to anything. Any command iptables can run can be triggered by something fail2ban sees in a log file, so the possibilities are endless. In my example I'll use HTTPS, port 443, but in real life I'm using an obscure port number and the program running on it is not very secure by default.

So here are my slightly modified configuration files for setting up a custom fail2ban service that does the opposite of what fail2ban typically does.


GNUmp3d init.d with PIDs for running multiple instances of GNUmp3d

I made some modifications to my original gnump3d init.d script when I needed more than one instance of GNUmp3d running (for multiple folders completely separated). I still haven’t quite figured out how to get the tag database to work for my second GNUmp3d instance, if anyone can help please leave a comment. Here’s the script and some brief instructions:


Setting up my HDTV HTPC with xUbuntu 8.10

Here is my chronicle of the fixes and tasks I had to go through while setting up my HDTV HTPC / home server.

I upgraded from an older xUbuntu to xUbuntu 8.10 64-bit, and the first thing I had to do was restore the Windows file share where I had backed up configurations, the Samba shares, and my Adaptec SATA RAID 1210SA. Then I had to conquer ATI's proprietary drivers and restore my previous install's server functionality. Next time I'll be finishing up the HTPC portion by configuring my TV tuner with MythTV and installing Boxee as well, and maybe integrating the two together if possible.