DNS Query “sl 0.0.0.0” in Mikrotik DNS Cache

Sounds like this could be from a potential scan. The record is useless as 0.0.0.0 doesn’t go to anything.

https://learn.microsoft.com/en-us/answers/questions/547092/what-is-the-sl(0)-in-dns-logs-as-host-name

We can block this type of behavior by blocking inbound DNS request. Change in-interface to your interface or change to an interface list.

ip firewall filter add chain=input protocol=6 dst-port=53 in-interface=ether1 action=drop
ip firewall filter add chain=input protocol=17 dst-port=53 in-interface=ether1 action=drop

How to Create a Self Signed TLS Certificate in Linux

Here is a quick way to create a self signed certificate in Linux.

Run the following command. Fill out the required info.

openssl req -x509 -sha256 -nodes -days 3652 -newkey rsa:4096 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
chmod 400 /etc/pki/tls/private/localhost.key

Now in your Apache or Nginx files, specify the path to the Key and the Certificate.

Note that if you’ll need to add the

https://www.linode.com/docs/guides/create-a-self-signed-tls-certificate/

Backup UISP Application Backup Files with Rsync

UISP runs inside of a docker container. To copy out the backup files we need to use the “docker cp” command.

sudo docker cp unms:/home/app/unms/data/unms-backups ./uisp-backups

This will copy the backups into ./uisp-backups directory.

On an Ubuntu system, docker needs sudo permissions. If you copy the backups with the above command, the backup files will be assigned to the root user and you will not be able to use your normal user to manipulate the files.

You can either add your current user to the Docker group, or change the files owner

sudo chown username:username -R ./uisp-backups/

We can now copy all the automatic backups with rsync

sudo rsync -a ./uisp-backups -e "ssh -p 22" backupuser@backuphost:/backups

You can also automate this with Cron by doing something like

1 1 * * 1 docker cp unms:/home/app/unms/data/unms-backups ~/uisp-backups && rsync -a ~/uisp-backups -e "ssh -p 22" backupuser@backuphost:/backups

Every Monday at 1:01AM, copy the current UISP automatic backups, then use rsync to copy them to a remote server.

This expects that the current user has permissions to call Docker without sudo.

Give Ubuntu User Access to Run Docker?

By default on Debian based systems, Docker needs the sudo command to run. We can add a normal user to the Docker group so we don’t have to.

sudo usermod -aG docker username

Change out the username to your Ubuntu username.

The -a option means append the group to the username. It does not remove the user from current groups.
the -G option means add the specified group.

LibreNMS Devices Disappeared from Web Interface

What do you do when all your devices disappear from the web interface?

Everything still appears to be working. Alerts work.

Running a MySQL command to check if the devices are in the database returns all the devices

mysql -u librenms -p librenms -e 'use librenms ; select hostname,sysName,status from devices where status=1'

If we try going to /addhost we are greeted with an Error You have insuffecient permissions to view this page.

Running ./validate.php returns everything good

Potentially it could be an issue with SElinux or with Apache/NGinx

Running

audit2why < /var/log/audit/audit.log

Doesn’t return anything

No errors pop up in the Logs

Could be something happened with the LibreNMS user.

Test a different LibreNMS user and all the devices show up.

We’ve now isolated the issue to being something with out user.

How to Install Mikrotik RouterOS on VirtualBox


Note that there are a couple of limitations of using the Cloud Hosted Router (CHR). The main issue is that the default license doesn’t allow for more than 1Mbps on each interface.

https://help.mikrotik.com/docs/display/ROS/Cloud+Hosted+Router%2C+CHR#CloudHostedRouter,CHR-CHRLicensing

Download the VDI version of CHR from the Mikrotik downloads page.

https://mikrotik.com/download

Mikrotik has instructions for installing CHR in VirtualBox, so this post is more of just a summary.

https://wiki.mikrotik.com/wiki/Manual:CHR_VirtualBox_installation

  1. Create a VM with Type Linux, Version Other Linux (64-bit)
  2. While setting up the VM, select the VDI downloaded from Mikrotik as the virtual disk.
  3. Start the VM and login with admin for the username and nothing for the password.

The easiest way to spin up more vm’s to right click on the VM and Clone.

GrapheneOS Default Network Connections

The testing methodology was practically the same as our LineageOS test.

Testing methodology.

  • A Computer was used as a Hotspot running both Network Miner 2.8 and Wireshark to log all network request
  • Pixel 5 was installed with the latest version of GrapheneOS (August 2023)
  • Setup was completed without connecting to WiFi or a cellular network
  • There was no SIM card in while installing, setting up, or testing
  • After setup was complete, WiFi was connected to the computer running the Hotspot
  • After a base line was logged, we turned on GPS

Screenshot of Wireshark with DNS filter.

  • connectivitycheck.grapheneos.network
  • time.grapheneos.org
  • apps.grapheneos.org
  • releases.grapheneos.org

Total bandwidth sent and received for each IP

Some of the IP’s are used for different services. For instance the apps and releases sub domains use the same IP address.

  • connectivitycheck.grapheneos.network and time.grapheneos.org – 25.794 KiB
  • apps.grapheneos.org and releases.grapheneos.org – 39.468 KiB
  • Total – 65.262 KiB

Turning on GPS

After turning on the GPS toggle, there was a DNS query for

qualcomm.psds.grapheneos.org

This will download the files needed to speed up the GPS speed and accuracy. You can turn this off in the Settings -> Location -> Predicted Satellite Data Service (PSDS)

You can also enable/disable the Secure User Plan Location (SUPL)

You can read more about PSDS and SUPL on the GrapheneOS website https://grapheneos.org/faq#other-connections

LineageOS Default Network Connections

This was a fairly simple test to see what network connections a fresh LineageOS install on a Google Pixel 5 makes. During the initial setup, GPS was disabled. After we set it up and got a base line, we turned GPS on to see what DNS requests it made.

Testing methodology.

  • A Computer was used as a Hotspot running both Network Miner 2.8 and Wireshark to log all network request
  • Pixel 5 was installed with the latest version of LineageOS 20 (August 2023)
  • Setup was completed without connecting to WiFi or a cellular network
  • There was no SIM card in while installing, setting up, or testing
  • After setup was complete, WiFi was connected to the computer running the Hotspot
  • After a base line was logged, we turned on GPS
  • GApps were not installed.

Fresh Install Network Requests

After setup was complete, we connected the Pixel 5 to the PC running NetworkMiner and Wireshark. It immediately made a handful of requests to the following 5 domain names

  1. www.google.com
  2. connectivitycheck.gstatic.com
  3. time.android.com
  4. g.co
  5. firebaseinstallations.googleapis.com

connectivitycheck.gstatic.com is used to detect if the current network has internet and also to detect if there is a captive portal that you need to log into.

time.android.com would be to check the time and make sure it is correct.

Not sure what the extra 3 are used for. It is possible that firebaseinstallations.googleapis.com is used for the Android System Intelligence, or some other app that comes by default on LineageOS.

The following NetworkMiner screenshot shows all the IP addresses that were returned for the DNS queries. Note that a DNS query can return multiple IP addresses for a domain name, and then the device only use one of those IP addresses to transmit traffic.

A couple of normal network broadcast, multicast, and gateway addresses are blurred out as they are normal for devices on a local network.

Here is a Wireshark screenshot for all the DNS requests.

Total bandwidth sent and received for each IP

Using Wireshark, we were able to get a total amount of data sent and received for each of the domains.

  1. www.google.com – 12.976 KiB
  2. connectivitycheck.gstatic.com – 1.497 KiB
  3. time.android.com 270 bytes
  4. g.co – 21.883 KiB,
  5. firebaseinstallations.googleapis.com – 16.225 KiB
  6. Total for Pixel 5 – 52.851 KiB

Turning on GPS

Turning on GPS immediately led to a connection to xtrapath5.xboxprod.izatcloud.net.

The four lines are just different IP’s for the same domain.

From the Location settings, we can toggle on or off the “Use assisted GPS”.

The settings say the following about Assisted GPS “Download satellite assistance data from the internet which can greatly improve the GPS startup performance. For emergency calls, assisted GPS is always allowed”

Essentially, it will download some files that help your phone find satellites faster which will get you a faster GPS lock. Without it, it can take awhile to find your position.

During the initial setup (First screenshot below), you can toggle on/off Assisted GPS. By default, Android System Intelligence and the Browser are allowed to use Location.

Hopefully that is a helpful overview of the default LineageOS network connections and what some of them are used for.

How to SSH from a UI GPON

Ubiquiti’s or UI’s GPONs do not have a SSH client by default. Or do they?

If you type “ssh” and hit return, you’ll receive a “not found” error.

Typically on devices like home routers, GPONs, UniFi AP’s etc, ssh is handled by Dropbear. Dropbear provides a Secure Shell compatible server and client and is typically used in embedded systems.

To SSH from a GPON to another device, use dbclient

dbclient ubnt@192.168.1.20

dbclient is the Dropbear client. AKA, SSH client.