Tuesday, December 16, 2008
Change runlevel Settings for a Group of Services
The following command takes every service that is set to start at runlevel 5 and turns it off at runlevels 1 through 5.
chkconfig --list | grep 5:on | awk '{ print $1 }' | \
while read LINE; do chkconfig --level 12345 "$LINE" off; done
Labels: linux, security, system administration, system hardening
Sunday, December 14, 2008
Network Access Control
Enterasys has a mature and unmatched product offering, today.
http://www.enterasys.com/products/index.aspx
Fact Sheet NSA Suite B Cryptography [08dec2008]
Key length recommendations from the NSA for companies making products for government use.
http://www.keylength.com/en/6/
Friday, December 5, 2008
Apache Worker vs. Prefork
This is a good post.
http://www.camelrichard.org/apache-prefork-vs-worker
Good Hints:
Worker is superior in 2+ cpu applications
Compile PHP5 after installing Apache
Labels: apache, operations, system administration, web servers
Thursday, December 4, 2008
Restoring Hard Links to Protected Files in Linux
I got this syslog message today:
Dec 4 9:47:56 [hostname] restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) Invalid argument
Here is how I resolved it:
$ sudo ls -i /etc/resolv.conf # find the inode
[inode number] /etc/resolv.conf
$ sudo find /etc -inum [inode number] # find the hard links
$ /usr/sbin/lsof | grep resolv.conf # check whether the file is open
$ sudo mv /etc/sysconfig/networking/profiles/default/resolv.conf ~ # move the second link out of the way
$ sudo restorecon /etc/resolv.conf # set the SELinux defaults
$ sudo ln /etc/resolv.conf /etc/sysconfig/networking/profiles/default/resolv.conf # recreate the hard link
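As an added example (not from the original post), the inode lookup above as a reusable check to run before touching the file: it reports the link count and every path sharing the inode under a search root, using find -samefile in place of the manual -inum step. GNU stat and find are assumed, as on the Linux host in the post; the search root defaults to /etc.

```shell
#!/bin/sh
# Added example: report the hard links of a file before restoring its context.
# Assumes GNU coreutils/findutils (Linux); on BSD use 'stat -f %l'.

# Number of hard links the inode carries (the "Links:" field of stat).
link_count() {
    stat -c %h "$1"
}

# Every path under the search root (default /etc) that is the same inode
# as the file. -xdev keeps find on one filesystem, since an inode number
# is only meaningful within a single filesystem.
hard_links_of() {
    file=$1 root=${2:-/etc}
    find "$root" -xdev -samefile "$file" 2>/dev/null
}

# Print the count and the paths. Returns 1 when more than one link exists,
# which is the condition restorecond refuses to act on, and 0 otherwise.
hardlink_report() {
    file=$1 root=${2:-/etc}
    n=$(link_count "$file") || return 2
    echo "$file has $n link(s)"
    hard_links_of "$file" "$root"
    [ "$n" -le 1 ]
}
```

Run it as `hardlink_report /etc/resolv.conf` to see both paths from the syslog message in one go.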
Wednesday, December 3, 2008
DDOS Incident Cheat Sheet
This is very well put together:
http://www.zeltser.com/network-os-security/ddos-incident-cheat-sheet.pdf
Tuesday, December 2, 2008
Using SSH Remote and Local Tunnels
The following example demonstrates how to use remote and local SSH tunneling to reach a service on your highly secure home computer (one that is not exposed through the firewall at your home) from a remote location.
For example:
On the home computer, before traveling:
ssh -R 44444:localhost:22 user@remote.computer.ip.address
On the remote computer, after arriving at work:
ssh -L 22222:localhost:44444 user@remote.computer.ip.address (possibly an RFC 1918 address)
ssh user@localhost -p22222
Voilà, you now have an SSH session to your home computer from work.
Labels: network, security, ssh, system administration, windows
Sunday, November 23, 2008
Wednesday, November 19, 2008
SSH Remote Command Execution
The following example allows you to execute a command on a remote system and return the results of the command without a shell session.
Simply include the command immediately after the normal ssh session request. Here is an easy one for a periodic, secure rule-integrity check on OpenBSD using pf:
ssh someuser@ip.add.re.ss 'pfctl -s rules | openssl sha1'
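As an added example (not from the original post), the one-liner grown into the periodic check it is meant for: the firewall still returns only a digest of its loaded ruleset, and the monitoring host keeps a baseline and flags any change instead of silently adopting it. The host argument and the baseline path are assumptions of the example.

```shell
#!/bin/sh
# Added example: periodic pf ruleset integrity check driven from a
# monitoring host. Only a SHA-1 digest crosses the wire.

# Fetch the digest from the firewall. 'openssl sha1' prints "(stdin)= <hex>"
# (older versions: "SHA1(stdin)= <hex>"); keep just the hex field.
# -o BatchMode=yes makes a missing key fail fast instead of prompting in cron.
fetch_rules_digest() {
    ssh -o BatchMode=yes "$1" 'pfctl -s rules | openssl sha1' | awk '{print $NF}'
}

# Compare a digest with the stored baseline file.
#   no baseline yet -> record it, print "baseline <hex>", return 0
#   same            -> print "unchanged <hex>", return 0
#   different       -> print "CHANGED <old> <new>", return 1
#   not a digest    -> print an error, return 2 (ssh or pfctl failed)
# The baseline is never rewritten on a change: an operator has to confirm
# the new ruleset and move it into place by hand.
compare_digest() {
    digest=$1 baseline=$2
    case "$digest" in
        ""|*[!0-9a-f]*) echo "ERROR bad digest '$digest'"; return 2 ;;
    esac
    if [ ! -f "$baseline" ]; then
        printf '%s\n' "$digest" > "$baseline"
        echo "baseline $digest"
        return 0
    fi
    old=$(cat "$baseline")
    if [ "$old" = "$digest" ]; then
        echo "unchanged $digest"
        return 0
    fi
    echo "CHANGED $old $digest"
    return 1
}

# Glue for a cron entry, e.g.
#   */15 * * * * /usr/local/bin/pfcheck.sh someuser@ip.add.re.ss /var/db/pf.sha1
check_firewall() {
    d=$(fetch_rules_digest "$1") || { echo "ERROR ssh to $1 failed"; return 2; }
    compare_digest "$d" "$2"
}
```

'pfctl -s rules' covers the filter rules only; hashing 'pfctl -s nat' and 'pfctl -s Tables' as well extends the check to translation rules and table contents.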
Monday, November 17, 2008
How to set up Apache, MySQL and PHP on FreeBSD
# cd /usr/ports/www/apache13-modssl
# make install
# echo 'apache_enable="YES"' >> /etc/rc.conf
# echo 'apache_flags="-DSSL"' >> /etc/rc.conf
# echo 'mysql_enable="YES"' >> /etc/rc.conf
# /usr/local/etc/rc.d/mysql-server start
# mysqladmin -u root password newpassword
# cd /usr/ports/www/mod_php4
# make install clean
# cd /usr/ports/lang/php4-extensions
# make install clean
# vi /usr/local/etc/apache/httpd.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
# /usr/local/etc/rc.d/apache.sh start
# whoami
root
# cd ~
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 \
-in /root/server.csr \
-signkey /root/server.key \
-out /root/server.crt
# cp ~/server.key /usr/local/etc/apache/ssl.key/
# cp ~/server.crt /usr/local/etc/apache/ssl.crt/
Labels: apache, freebsd, mysql, php, system administration
Friday, November 14, 2008
Migrating from VMWare ESX 3.5 to VMWare Server 2.0 with VMWare Converter 3.0.3
The following is a brief account of how I got my VMs that were originally running in ESX up and running in VMWare Server 2.0.
Short Story: I was able to load the vm into Workstation 5.5.5, fix the problems and bring it up in VMWare Server 2.0. Read on if you want a tiny bit more detail; there's not much to it.
In many cases I have encountered, you can't convert an ESX vm straight to VMWare Server 2.0. Some post-conversion modification is necessary. A number of VMWare forum threads allude to this fact, but I have found no further information on what it specifically entails. The OSes I have had the most problems with are CentOS and OpenBSD. The test image that I initially did when I was reviewing the possibility of this migration was a Win2k3 Standard image, and I was able to convert and run it with no problems.
In the specific conversion I attempted, the conversion process of the CentOS vm appeared successful. What I mean by this is that a vmx and a vmdk file were generated. However, when I was going through the wizard, I encountered the following: "Warning: Cannot configure the source image." The vmdk file size seemed reasonable and the vmx file seemed like it was missing a few lines. I transferred these files from the win2k3 VMCS server, where I ran the VMWare Converter 3.0.3 software, to their new home, a win2k3 server with VMWare Server 2.0. I "Added a Virtual Machine to Inventory" in the VMWare Server 2.0 interface and the vm was reported to have been registered successfully, but the vm showed up as "Unknown" in the inventory list, the controls to start the vm were greyed out, and no errors appeared to be logged or displayed anywhere.
Frustrating.
So, I tried bringing the vm up on another system that had VMWare Workstation 5.5.5 on it. An error was thrown, stating that the ide reference was incorrect, and it thoughtfully suggested a change, which I made and which worked. Then I was able to bring the image up and successfully reconfigured it for the new network environment it would call home. I shut the image down, copied it back to the target host with VMWare Server 2.0 and successfully registered and ran the image. One last thing I needed to do was answer a question from VMWare Server 2.0 before startup would occur. It was hidden on a pop-down on the Console tab, and wanted to know whether I had "moved it" or "copied it".
Tips:
Be sure to delete any snapshots the vm had, otherwise there may be problems later. Though, I have converted images successfully ignoring this step. The other bit that might be useful to know is that I was not able to successfully migrate any vm to VMWare Server 2.0 when selecting VMWare Workstation 6.x as the destination image format using VMWare Converter 3.0.3.
Another solution would be to avoid all these gui tools and export the VMDK with vmkfstools, then transfer the vmdk and create a new VM pointing to the VMDK. :)
Wednesday, November 12, 2008
macosx2windows
Focus Finder
Apple+K or Go | Connect To Server
In the Server Address field, enter:
smb://[Domain];[user]@ip.ad.dr.ess/c$
e.g.: smb://DOMAIN;miked@192.168.1.5/myshare
Tuesday, November 11, 2008
Making real-time kernel adjustments in Linux
/proc/sys is an important directory in Linux: it contains many of the adjustable kernel values that can be changed while a system is running. It also provides a lot of information that can be collected and parsed by a script that validates certain security settings. For instance, the file below contains a zero or a one, indicating whether or not the kernel is allowed to forward packets.
/proc/sys/net/ipv4/ip_forward
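As an added example (not from the original post), a small POSIX shell checker of the kind the paragraph suggests: it reads a handful of /proc/sys tunables, ip_forward among them, and compares them with the values a hardened, non-routing host should show. The policy list and the SYSCTL_ROOT override are assumptions of the example; the override only exists so the checker can be pointed at a copied or constructed tree.

```shell
#!/bin/sh
# Added example: validate security-relevant /proc/sys tunables against a policy.
# SYSCTL_ROOT is an assumed override for testing; it defaults to the live tree.
: "${SYSCTL_ROOT:=/proc/sys}"

# Constructed policy: "dotted.key expected_value", one per line.
# net.ipv4.ip_forward is the tunable the post uses as its example; a host that
# is not acting as a router should report 0 there.
POLICY='
net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.tcp_syncookies 1
kernel.randomize_va_space 2
'

# Map a dotted sysctl name to its path under /proc/sys and print the value.
# Returns 1 when the tunable does not exist on this kernel.
read_sysctl() {
    path="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] || return 1
    cat "$path"
}

# Walk the policy and print one line per entry:
#   OK|MISMATCH|MISSING <key> <expected> <actual>
# Returns 0 only when every entry matches, so cron can alert on non-zero.
# The heredoc (rather than a pipe) keeps the loop in the current shell so
# the return code set inside it survives.
check_policy() {
    rc=0
    while read -r key expected; do
        [ -n "$key" ] || continue          # skip blank lines in the policy
        if actual=$(read_sysctl "$key"); then
            if [ "$actual" = "$expected" ]; then
                echo "OK $key $expected $actual"
            else
                echo "MISMATCH $key $expected $actual"
                rc=1
            fi
        else
            echo "MISSING $key $expected -"
            rc=1
        fi
    done <<EOF
$POLICY
EOF
    return $rc
}
```

Source the file and call check_policy; a MISMATCH on ip_forward is exactly the "is this box forwarding?" question the paragraph raises.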
Monday, November 10, 2008
i.e. vs. e.g.
i.e.
"i.e." means "that is"; in Latin it is "id est". Use it to restate precisely what was just said, in other words to name the one specific thing meant, not one example among many.
e.g.
"e.g." means "for example" and is derived from the Latin "exempli gratia", "for the sake of example". Use it to give a possible example, or a list of examples, of which there could be several others, including ones the author did not list.
Saturday, November 8, 2008
Friday, November 7, 2008
Use sshfs to Securely Mount Remote File Systems
The following commands can be used on *BSD systems.
# pkg_add -r fusefs-sshfs
# kldload /usr/local/modules/fuse.ko
# sysctl vfs.usermount=1
# mkdir /mnt/docs
# sshfs user@x.x.x.x:/some/remote.dir /mnt/docs
Tuesday, November 4, 2008
Using iphone ringtones on the blackberry
I have the Blackberry 8310 and I love it. I refuse to submit to the iPhone on the general rule that I avoid fanboyism at all costs, despite the fact that the iPhone can't do what my Blackberry does right now. Recently I have been having a marvelous time in the morning, on the quiet train, getting all the iPhone owners to expose themselves when they hear the exciting and distinctive iPhone ringtone that could be their next incoming call. :)
It's easy to put the iPhone ringtones on your Blackberry, and here's how you do it.
First, get the ringtone. There's a posting here that has the one from the commercial. You can download it, unzip it and rename the 32K .m4r file to an .mp3 file. Then, either with the data cable or with your browser, save it to the ringtones directory and go change your ringtone. Done.
The other location where you'll find all the iPhone ringtones is on an iPhone, of course. It's located in the '/Library/Ringtones' folder. Connect your iPhone to your Mac and use the Terminal application to get in there through the /Volumes mount point.
The method of getting it with your Blackberry Internet browser involves copying the file up to a website (presumably yours) and typing in the full URL of where the file has been placed on the website. The Blackberry Internet browser will download it and automatically suggest that you place it into your ringtones.
Monday, November 3, 2008
Increase the size of the history buffer in openBSD
Add the following lines to ~/.profile:
HISTSIZE=50;export HISTSIZE
HISTFILE=.ksh_history;export HISTFILE
List of Network Security Tools I Use
aide, BASE, curl, dban, dsniff, etherApe, EventSentry, Foundstone Tools, fping, google.com (search, trends, groups), hping, nbtscan, nessus, netcat, netcraft.com, netstat, nikto, nfcapd, nfdump, nfSen, nmap, ntop, openssl, openssh, p0f, pads, pf, pftop, pgp/gpg, ps, Retina, sguil, snort, snortlog, solarwinds, splunk, sqlping, stunnel, sysinternals, tcpdump, Tor, TrueCrypt, tshark, whois, w, Wireshark/Ethereal/sniff, wget
Sunday, November 2, 2008
snort / barnyard restart script
#!/bin/sh
# Restart snort and barnyard on the sensor interface sis0.
# 'color' is the author's terminal-colour helper; fall back to a no-op
# when it is not installed so the script still runs without it.
if ! command -v color >/dev/null 2>&1; then
    color() { :; }
fi

SNORT_PID=/var/run/snort_sis0.pid
BY_PID=/var/run/by.pid

# Stop the running daemons if their pid files exist.
if [ -e "$SNORT_PID" ]; then
    color red
    echo 'killing snort'
    kill "$(cat "$SNORT_PID")"
    color off
fi
if [ -e "$BY_PID" ]; then
    color red
    echo 'killing barnyard'
    kill "$(cat "$BY_PID")"
    color off
fi

# Start snort: -u/-g drop privileges to the snort user and group once the
# interface is open, -d logs application-layer data, -D daemonises.
if [ -x /usr/local/bin/snort ]; then
    color cyan
    echo 'starting snort'
    /usr/local/bin/snort \
        -i sis0 \
        -c /etc/snort/snort.conf \
        -u snort \
        -g snort \
        -d \
        -D
    color off
fi

# Start barnyard, which processes the unified output snort spools to
# /var/log/snort; the waldo file records how far it has read.
if [ -x /usr/local/bin/barnyard ]; then
    color cyan
    echo 'starting barnyard'
    /usr/local/bin/barnyard \
        -c /etc/snort/barnyard.conf \
        -p /etc/snort/classification.config \
        -s /etc/snort/sid-msg.map \
        -g /etc/snort/gen-msg.map \
        -w /etc/snort/barnyard.waldo \
        -d /var/log/snort -f snort.log \
        > /dev/null 2>&1
    color off
    sleep 3
fi

# Report the pids of the daemons that were just started. The pid files are
# read here, after the restart; reading them at the top of the script would
# report the pids of the processes that were killed.
if [ -e "$SNORT_PID" ]; then
    color yellow
    echo "snort running and pid is $(cat "$SNORT_PID")"
    color off
fi
if [ -e "$BY_PID" ]; then
    color yellow
    echo "barnyard running and pid is $(cat "$BY_PID")"
    color off
fi
Decent writeup on current Cybercrime
Actually this article is probably obsolete by a year or so.
http://www.securecomputing.net.au/Opinion/123664,eugene-kaspersky-on-the-cybercrime-arms-race.aspx
Saturday, November 1, 2008
Purge Master Logs in MySQL
If the files '/var/log/mysql/server.bin.xxx' are large, you can manage them:
Log into MySQL as root. This is not the system's root user; it is a separate root account local to MySQL.
# mysql -u root -p
mysql> purge master logs before 'xxxx-mm-dd 00:00:00';
To get today's date in that format: `date +"%Y-%m-%d %H:%M:%S"`
Adding / Removing Routes in Linux
Add or Delete the Default Route
# route add default gw 10.10.1.1
# route del default gw 10.10.1.1
Add or Delete a Route for a Host
# route add -host x.x.x.x gw x.x.x.x
# route del -host x.x.x.x gw x.x.x.x
Add or Delete a Route for a Network
# route add -net 172.18.1.0/24 gw 10.10.1.43
# route del -net 172.18.1.0/24 gw 10.10.1.43
Labels: configuration, linux, route, system administration
SSH pubkey on a NetScaler Application Switch
I like to take a backup of all my device configurations on a regular basis. It's usually pretty straightforward, simply add an scp command to cron, but with the NetScaler there's a little gotcha.
The default location of the authorized_keys file is in '/flash/nsconfig/ssh'. After you append your public key into the file, you'll need to copy the 'authorized_keys' file to '/root/.ssh/'.
This filecopy will need to be done after every reboot of the NetScaler because the / mount point is on volatile media.
If you want to script this action, or any other post-boot commands on a NetScaler device, create or edit the file '/flash/nsconfig/rc.netscaler', set the perms on the file to 755, and start adding commands to the file.
How to Manually Install the Ports Collection
# cd /usr
# ftp ftp://ftp.openbsd.org/pub/OpenBSD/4.4/ports.tar.gz
# tar zxvf ./ports.tar.gz
Solaris Commands
# mrstat
# prstat
# iotop
# listusers
# du -ah
# df -k
# truss -c [app_name]
# truss [app_name]
Here are some useful links:
Basic Commands
Cool Commands
Handy Solaris Commands
Harman Research
Process Mgmt Commands
Tom's Hardware
Reset the root password on OpenBSD or FreeBSD
Start or reboot the system.
At the boot prompt:
boot> boot -s
# mount -uw /    # make / writable
# mount /usr     # mount /usr
# passwd         # change the password
# reboot
How to add a permanant route in OpenBSD
add a line to /etc/hostname.[if_name]
!route add -net [network_ip/cidr] [gateway_ip]
!route add -host [host_ip] [gateway_ip]
# Add a network
!route add -net 10.10.1.0/24 172.18.1.1
#Add a host
!route add -host 10.10.1.18 172.18.1.1
How to use Ports
If you want to add packages to FreeBSD or OpenBSD (others?), you'll want to use the package collection called 'ports'.
# mkdir /usr/ports && cd /usr/ports
# portsnap fetch
# portsnap extract
This creates the directory hierarchy under /usr/ports and downloads, among other files, the header files for each package. Once the ports collection exists on a given system, run the following command to update the collection before installing new packages.
# portsnap fetch update
for more information, go here.
Making Your Own Loopbacks
It's pretty easy to make your own loopbacks. Take an icecube and two 3" lengths of telephone wire.
Ethernet
1 <--> 3
2 <--> 6
T1
1 <--> 4
2 <--> 5
How to Span a Port on a Cisco Switch
Analyzing network traffic on network segments is an interest and goal of all Network Administrators, Network Security Engineers and System Administrators. A switch creates virtual connections between the hosts connected to it. In order to analyze all traffic on a VLAN, you need to 'mirror', or in Cisco parlance 'SPAN', a port. This means that the traffic of all the private virtual connections made between all ports belonging to a given VLAN is mirrored, or 'spanned', to a designated port on the switch. Typically, you would connect an IDS or a system with a sniffer/traffic analyzer to the spanned port.
# monitor session 1 source vlan 1
# monitor session 1 destination interface gi0/44
Show spanned ports:
# show monitor
To terminate the span:
# no monitor session 1
If you're really serious about analyzing traffic, especially in large volumes, you'd want to buy a "network tap". Here is a little more detail.
Here's a tap reseller.
Labels: cisco, configuration, mirror, network tap, sniff, span
Wednesday, October 29, 2008
Exporting vm's from ESX to VMWare Server 2.0
Well, I hate to say it, but VMWare Server 2.0 is a little clunky. I don't get a lot of confidence using Internet Explorer to admin my VMs, but I can live with it. I also don't like how the vm admin service runs as a network service. It seems like it should be an optional install, in case IT policy allows remote administration of virtual environments. It just seems like it's one more thing to manage and watch for, an unnecessary increase in network attack surface with an application that may be very easily subverted.
What I can't live with is the mouse control, or lack of it, at the console of a Windows OS running in VMWare Server 2.0...and it's running on a system with 4GB RAM, a decent proc and win2k3 Std R2. Using the vm over RDP is reasonable and works well.
I was able to successfully import an ESX 3.5 image with Converter 3.0.3 as a VMWare Workstation 5.x compatible image into VMWare Server 2.0. It didn't work with a VMWare Workstation 6.x compatible image.
I wonder if VMWare has a security group that tries to crack its own apps?
Labels: converter, esx, migration, virtualization, vmware
Tuesday, October 28, 2008
Screen
Screen is probably my favorite application. It's a perfect example of the unix philosophy.
It's simply a window manager for terminal sessions, a great tool for developers, engineers and researchers that use multiple ssh sessions to perform their work.
Install it:
# pkg_add -r screen
The way I use it is by (re)connecting to a server where screen is installed, usually an OpenBSD or FreeBSD vm that I run on a desktop or server machine. During the time I was disconnected (travelling to/from work, etc.) screen maintained my many ssh sessions for me, and when I reconnect I execute the following command:
# screen -d -r
-d : any existing screen processes are detached
-r : screen then reattaches the detached screen session and attaches it to your current tty/ssh session.
Most useful commands while using screen:
Ctrl - A, Shift - C : Create a new tty session
Ctrl - A, Shift - A : Edit the name for display in session manager
Ctrl - A, Ctrl - " : invokes the session manager, use arrow keys
Ctrl - A, Ctrl - A : Toggle between two tty sessions
See the manpage for lots more on commands and customization.
Friday, October 24, 2008
carp configuration on openbsd/pf
Typically, when a service provider gives you your IPs (say, for a T1 service) they give you both a WAN and a LAN range. This can be confusing, because typically a LAN range would imply private (RFC 1918) IP addressing; however, telcos don't think of it that way. The WAN range is typically a /30, which is appropriate for a point-to-point topology. It's implied that this IP be used on the CPE, which has traditionally been a router. The LAN range is typically a /27, and these IPs could be used for services that may be exposed through the router/firewall, but the same could be done with the WAN IP, using port redirection to anything we place in the DMZ in the future. This latter design approach is the one I chose. The fewer IPs, the smaller the attack surface and therefore the less to manage. The important part to note about this configuration is that the CARP IP address and the real IP of the physical NIC do not need to be in the same subnet or related in any way. Another thought I had was that instead of using the LAN IPs as the real IPs on the public-facing interfaces of the firewall, you could instead use RFC 1918 addressing, which would ensure that any mistake (unlikely) in routing traffic out of the interface would be dropped at the next hop.
The specific service I contracted was through XO; it's a 10Mb pipe to the Internet with an Ethernet hand-off. They gave me a Hatteras 408-CPi. I decided that we didn't need an extra hop on our side, so I eliminated the router and plugged the XO service straight into my firewall (basically). The blue cable coming into the switch is from the Hatteras unit. The yellow cables go to the outside NICs on each firewall. The grey go to the firewalls' DMZ NICs. The single yellow cable on the second switch goes to an Ethernet port on a router that figures out what network the traffic is truly destined for. The orange, as you probably guessed, is a crossover cable; all pfsync data is transmitted on this interface.
In this implementation I used two DL360's, one more powerful than the other, both with 2GB ram. I also used two Cisco 2960G-24TS switches.
Configuration steps for both hosts for CARP with pf
Edit /etc/sysctl.conf
Permit forward routing of IP packets
net.inet.ip.forwarding=1
Allow CARP to function
net.inet.carp.allow=1
net.inet.carp.log=1
If one interface fails, then failover to second host
net.inet.carp.preempt=1
Kernel will not respond to incoming connections to unbound network ports
net.inet.tcp.blackhole=2 # Drop incoming packets to unbound tcp ports
net.inet.udp.blackhole=1 # Drop incoming packets to unbound udp ports
Force a reboot if the kernel panics
ddb.panic=0
Individual Host Configuration for CARP with pf
REXFW01 - Primary
-------------------------
bge0: [private_ip]
bge1: 222.222.222.221 + multicast
bge2: 10.10.2.2
#> ifconfig pfsync0 syncdev bge1
#> ifconfig pfsync0 up
#> ifconfig carp0 create
#> ifconfig carp0 vhid 1 pass xxx carpdev bge0 [carp_ip] netmask 255.255.255.252
#> ifconfig carp1 create
#> ifconfig carp1 vhid 2 pass xxx carpdev bge2 10.10.2.1 netmask 255.255.255.0
Create the permanent config files
#> echo 'up syncdev bge1' > /etc/hostname.pfsync0
#> echo 'inet [carp_ip] 255.255.255.252 [gateway] vhid 1 pass xxx carpdev bge0' > /etc/hostname.carp0
#> echo 'inet 10.10.2.1 255.255.255.0 10.10.2.255 vhid 2 pass xxx carpdev bge2' > /etc/hostname.carp1
REXFW02 - Secondary
-------------------------
bge0: [private_ip]
bge1: 222.222.222.222 + multicast
bge2: 10.10.2.3
#> ifconfig pfsync0 syncdev bge1
#> ifconfig pfsync0 up
#> ifconfig carp0 create
#> ifconfig carp0 vhid 1 pass xxx advskew 100 carpdev bge0 [carp_ip] netmask 255.255.255.252
#> ifconfig carp1 create
#> ifconfig carp1 vhid 2 pass xxx advskew 100 carpdev bge2 10.10.2.1 netmask 255.255.255.0
Create the permanent config files
#> create /etc/hostname.pfsync0 up syncdev bge1
#> create /etc/hostname.carp0 inet [carp_ip] 255.255.255.252 [gateway] vhid 1 advskew 100 pass xxx carpdev bge0
#> create /etc/hostname.carp1 inet 10.10.2.1 255.255.255.0 10.10.2.255 vhid 2 advskew 100 pass xxx carpdev bge2
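The failure modes of a CARP pair are almost always config drift between the two hosts. As an added example (not the post's code), the Python below reads the hostname.carp* contents for both hosts and checks the properties a working pair needs: a unique vhid per host, the same vhid, pass and shared address on both hosts for each group, a third field that really is the broadcast address, an advskew difference so one host is the deterministic master, and the same host preferred for every group so traffic does not enter through one firewall and leave through the other. The configs are the post's own lines; where the post has [carp_ip] and [broadcast], 192.0.2.2/30 is assumed. BROKEN is the same pair with typical mistakes planted to show what the checker reports.

```python
from ipaddress import ip_interface

# Constructed from the post's hostname.carp* lines (hostname.if(5) layout:
# inet addr netmask broadcast options).  192.0.2.2/30 is assumed for the
# post's [carp_ip]/[broadcast] placeholders.
HOSTS = {
    "REXFW01": {
        "carp0": "inet 192.0.2.2 255.255.255.252 192.0.2.3 vhid 1 pass xxx carpdev bge0",
        "carp1": "inet 10.10.2.1 255.255.255.0 10.10.2.255 vhid 2 pass xxx carpdev bge2",
    },
    "REXFW02": {
        "carp0": "inet 192.0.2.2 255.255.255.252 192.0.2.3 vhid 1 advskew 100 pass xxx carpdev bge0",
        "carp1": "inet 10.10.2.1 255.255.255.0 10.10.2.255 vhid 2 advskew 100 pass xxx carpdev bge2",
    },
}

# Same pair with planted mistakes: advskew missing on the secondary's carp0,
# vhid collision and a mistyped pass on its carp1.
BROKEN = {
    "REXFW01": HOSTS["REXFW01"],
    "REXFW02": {
        "carp0": "inet 192.0.2.2 255.255.255.252 192.0.2.3 vhid 1 pass xxx carpdev bge0",
        "carp1": "inet 10.10.2.1 255.255.255.0 10.10.2.255 vhid 1 advskew 100 pass yyy carpdev bge2",
    },
}

CARP_OPTS = ("vhid", "advskew", "advbase", "pass", "carpdev")


def parse_hostname_carp(text):
    """Parse 'inet addr netmask broadcast options...' into a dict."""
    f = text.split()
    if len(f) < 4 or f[0] != "inet":
        raise ValueError("expected: inet addr netmask broadcast options")
    opts = {"advskew": "0", "advbase": "1"}      # ifconfig defaults when absent
    rest = f[4:]
    for i, tok in enumerate(rest):
        if tok in CARP_OPTS and i + 1 < len(rest):
            opts[tok] = rest[i + 1]
    if "vhid" not in opts or "pass" not in opts:
        raise ValueError("vhid and pass are required")
    return {
        "iface": ip_interface(f"{f[1]}/{f[2]}"),   # shared address + netmask
        "broadcast": f[3],
        "vhid": int(opts["vhid"]),
        "advskew": int(opts["advskew"]),
        "pass": opts["pass"],
        "carpdev": opts.get("carpdev"),
    }


def lint_pair(hosts):
    """Return the problems that make a two-host CARP pair flap, split or never fail over."""
    problems = []
    (ha, ca), (hb, cb) = [(h, {n: parse_hostname_carp(t) for n, t in cfg.items()})
                          for h, cfg in hosts.items()]
    for h, cfg in ((ha, ca), (hb, cb)):
        vhids = [c["vhid"] for c in cfg.values()]
        if len(set(vhids)) != len(vhids):      # two groups with one vhid collide on the wire
            problems.append(f"{h}: duplicate vhid across carp interfaces {vhids}")
        for n, c in cfg.items():
            want = str(c["iface"].network.broadcast_address)
            if c["broadcast"] != want:
                problems.append(f"{h} {n}: third field {c['broadcast']} is not the broadcast of {c['iface']} ({want})")
    preferred = {}
    for n, x in ca.items():
        y = cb.get(n)
        if y is None:
            problems.append(f"{n}: present on {ha} but missing on {hb}")
            continue
        if x["vhid"] != y["vhid"]:
            problems.append(f"{n}: vhid differs ({x['vhid']} vs {y['vhid']}); the hosts are not in the same group")
        if x["pass"] != y["pass"]:
            problems.append(f"{n}: pass differs; each host rejects the other's advertisements and both become MASTER")
        if x["iface"] != y["iface"]:
            problems.append(f"{n}: shared address differs ({x['iface']} vs {y['iface']})")
        if x["advskew"] == y["advskew"]:
            problems.append(f"{n}: equal advskew; no deterministic master")
        preferred[n] = ha if x["advskew"] < y["advskew"] else hb   # lower advskew wins
    if len(set(preferred.values())) > 1:
        problems.append(f"master preference is split {preferred}; traffic would enter one firewall and leave the other")
    return problems


if __name__ == "__main__":
    print("HOSTS:", lint_pair(HOSTS) or "ok")
    for p in lint_pair(BROKEN):
        print("BROKEN:", p)
```

Run it against the real files with `parse_hostname_carp(open("/etc/hostname.carp0").read())` from each host. The split-preference check matters even with net.inet.carp.preempt=1: preempt makes the hosts fail over as a unit when an interface dies, but it does not fix a pair that was never meant to have one master for both groups.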
-------------------------
pf.conf - for both primary and secondary firewalls
-------------------------
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
# Interface macros
loopback="lo0"
ext_if="bge0"
int_if="bge2"
pfsync_if="bge1"
ext_carp="carp0"
int_carp="carp1"
# Allowed incoming ICMP types (defined for use in rules; not referenced below)
icmp_types = "{ echorep, echoreq, timex, paramprob, unreach code needfrag }"
# Private networks (RFC 1918) plus loopback
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# Internal networks
our_nets = "{ 10.10.2.0/24, 10.10.1.0/24 }"
# DNS servers (not referenced below)
dns_srv = "{ x.x.x.x, x.x.x.x }"
#table <spamd-white> persist
#set skip on lo
# Normalise all incoming packets (reassemble fragments, etc.)
scrub in all
# NAT outgoing traffic to the shared CARP address so translations survive a
# failover; the parentheses make pf re-read the address if it changes
nat on $ext_if from $our_nets to any -> ($ext_carp)
#nat on $ext_if from $int_if:network to any -> ($ext_carp)
# Forward external port 44 to this firewall's own sshd on its DMZ address.
# "rdr pass" skips the filter rules, so this is reachable from the whole
# Internet; restrict "from any" to known management addresses if it stays.
# $int_if expands to this host's own bge2 address, which differs on the two
# firewalls, so a session through this rule does not survive a failover.
rdr pass log on $ext_if inet proto tcp from any to $ext_carp port 44 -> $int_if port 22
# Default deny: block and log everything, drop silently on the external
# interface, and drop packets whose source fails the reverse-path check (spoofed)
block log all
block drop in on $ext_if all
block drop in quick from urpf-failed
# Block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any
# Block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets
# Allow CARP and pfsync protocols (pfsync only on the dedicated crossover link)
pass quick on $pfsync_if proto pfsync
pass quick proto carp
pass quick on $loopback inet proto tcp from $loopback to $loopback port smtp keep state
# Allow outgoing traffic from the internal networks
pass in on $int_if from $our_nets to any
pass out on $int_if from any to $our_nets
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { icmp, udp } all keep state
# Allow ICMP echo requests on the internal interface
pass in on $int_if inet proto icmp icmp-type 8 code 0 keep state
pass out on $int_if inet proto icmp icmp-type 8 code 0 keep state
# Allow DNS lookups. The "pass out" is already covered by the UDP rule above,
# and packets from $our_nets should never arrive inbound on $ext_if
# (urpf-failed drops them), so these two rules are belt and braces.
pass in on $ext_if proto udp from $our_nets to any port 53 keep state
pass out on $ext_if proto udp from $our_nets to any port 53 keep state
# Allow SNMP polling of the firewall from the internal networks only
pass quick on $int_if proto udp from $our_nets to $int_if port 161 keep state
# Drop packets arriving on the wrong interface for their source address
antispoof log quick for $int_if
antispoof log quick for lo
Thursday, October 23, 2008
VMWare Server 2.0 installation error
Today I built a new Windows Server 2003 R2 (@patch-level) production server, attempted to install VMware Server 2.0, and ran into the following error.
I found a few discussions on the web that lead me to this patch:
http://support.microsoft.com/kb/925336
I installed it, rebooted and completed my work.
Labels:
installation,
microsoft,
patch,
policies,
prevent,
system administrator,
vmware
Wednesday, October 22, 2008
Using passwords that are good only once (OTP)
Using a One Time Password (OTP) is a good idea these days. Luckily, it's very easy to set up.
Make sure the /etc/skey directory exists; skeyinit -E (run as root) enables S/Key on the system and creates it. Then initialise your own user:
jack:/jack:37# sudo skeyinit -E
jack:/jack:38# skeyinit
In the output of the second command is a command that's been generated for you, similar to:
otp-md5 100 bdsd523700
Execute that command, adding the -n switch, so that a list of passwords is generated that you can take with you (-n 50 with sequence 100 prints passwords 51 through 100). The passphrase is the only long-term secret, which is why the reminder below says not to type it over an unencrypted session; the printed list is as sensitive as a password, so keep it on paper rather than in a file.
jack:/jack:39# otp-md5 -n 50 100 bdsd523700
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase:
51: JILT YARD DARE WORM LARK CASE
52: GOOD VOTE NAN ITCH PUP DAM
53: BETH WAKE LACK MIT HANS DARE
54: MORT MAIL BANE LAP RODE YANG
[...snip...]
When you attempt to log in, use the following command structure:
ssh -l jack:skey [ip.ad.dr.ess]
A special prompt will also appear when the server recognises that your user has an S/Key configuration. It tells you which password to enter, counting down from 100.
jack/jack:45#> ssh -l jack:skey 10.200.1.254
otp-md5 97 bdsd29579
S/Key Password:
It's asking for the password on line 97.
I don't quite understand the method of the counting, but it doesn't really matter much.
I got all this info from here
I wonder if I can restrict sshd to only accept skey authentication?
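The counting is easier to see in code. The following is an added example, not the post's or OpenBSD's code: a Python model of RFC 2289 otp-md5, the scheme behind otp-md5 and skey, with the client side (what the printed list contains) and the server side (what the /etc/skey record stores and how a login is checked). The seed bdsd523700 is the one from the post; the passphrase is made up. Six-word output is omitted because it needs the RFC's 2048-word dictionary, so passwords are shown in the RFC's hex form instead.

```python
import hashlib


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing the halves (RFC 2289)."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(seed: str, passphrase: str, n: int) -> bytes:
    """One-time password number n.

    Initial step: hash(lowercased seed + passphrase).  Computation step: apply the
    hash n more times.  Password n is hash(password n-1), so knowing password n
    reveals nothing about n-1 but lets you check it with a single hash.
    (Compare against the MD5 vectors in RFC 2289 Appendix C before relying on this.)
    """
    key = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        key = fold_md5(key)
    return key


def to_hex(pw: bytes) -> str:
    """RFC 2289 hex display: four groups of four hex digits."""
    h = pw.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def generate_list(seed: str, passphrase: str, top: int, count: int) -> dict:
    """What `otp-md5 -n count top seed` prints: passwords top-count+1 .. top."""
    return {n: to_hex(otp(seed, passphrase, n)) for n in range(top - count + 1, top + 1)}


class SkeyRecord:
    """Server side: the /etc/skey/<user> record holds the seed, a sequence number
    and the last password accepted, never the passphrase."""

    def __init__(self, seed: str, passphrase: str, top: int = 100):
        self.seed = seed
        self.seq = top
        self.last = otp(seed, passphrase, top)   # skeyinit computes this once

    def challenge(self) -> str:
        """The prompt the user sees: the next password number to supply."""
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, candidate: bytes) -> bool:
        """Accept password seq-1 iff one more hash of it equals the stored password seq."""
        if fold_md5(candidate) != self.last:
            return False
        self.seq -= 1
        self.last = candidate          # the accepted password becomes the new anchor
        return True


if __name__ == "__main__":
    rec = SkeyRecord("bdsd523700", "correct horse")     # passphrase is made up
    print(rec.challenge())                              # otp-md5 99 bdsd523700
    for n, pw in generate_list("bdsd523700", "correct horse", 100, 3).items():
        print(n, pw)
```

The server never stores the passphrase, only the last password it accepted and its number. Password n is valid exactly when hashing it once gives the stored password n+1, which is why the challenge number drops by one per login and why a password captured in transit is useless afterwards: the server has already moved its anchor to that password.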
Tuesday, October 21, 2008
How to configure a iSCSI Volume using ZFS on opensolaris
This is just too easy. For example:
> mkfile 1000m /disk1 /disk2 /disk3
> zpool create zfs01 /disk1 /disk2 /disk3
> iscsitadm modify admin -d /zfs01/
> iscsitadm create target -z 1000m iscsizfs01
> /usr/sbin/iscsitgtd restart
I now have a 1 gig volume available over the network. Cool!
Note that nothing above restricts who may attach the target: no initiator ACL and no CHAP secret have been configured, so any host that can reach the portal can log in and mount the LUN. Keep it on an isolated storage network, or add an ACL and CHAP, before putting real data on it.
iSCSI works well for applications requiring 400Mb/sec or less.
Other helpful commands:
> zpool list
> zpool status -v
> zpool upgrade #shows version info
> iscsitadm list target -v
> iscsitadm show admin
Monday, October 20, 2008
Cart of Confidential Files left on corner in SF Financial District
Today, I went to get some coffee and came across these carts full of sensitive files owned by a financial company, which I won't name. The carts were left right out in the open on the main corner of the San Francisco Financial District, 101 California & Davis St., San Francisco, CA.
What a dream for an identity thief!
Labels:
documentation,
goodluckwiththat,
offsite,
security
Friday, October 17, 2008
Double-Hop SSH
Sometimes I need to access a server that's behind two or more firewalls. I use SSH tunnelling to accomplish this, and in this example the port specifics are for MySQL.
First, I establish an SSH session with a local tunnel to 'Server A', which is NAT'd through a firewall. 'Server A' sits in a DMZ.
Second, from 'Server A' I establish another SSH session with a local tunnel to 'Server B', which is NAT'd through another firewall. 'Server B' sits on the INSIDE network and can reach the MySQL host, 'Server C'. The target port of the tunnel in the first session (9999 on 'Server A') is the listening port of the tunnel in the second session. A "plumbing" of sorts has been configured.
Session 1 - Client to 'Server A'
> ssh -L 44444:localhost:9999 user@serverA
Session 2 - 'Server A' to 'Server B'
> ssh -L 9999:ServerC:3306 user@serverB
As you can see, to get to 'Server C' the client application connects to localhost:44444. The first ssh client listens on TCP:44444 on the client and carries the traffic to 'Server A', where sshd connects it to localhost:9999. The second ssh client listens on TCP:9999 on 'Server A' and carries it to 'Server B', where sshd connects it to TCP:3306 on 'Server C'. Two things to keep in mind: only the last hop, 'Server B' to 'Server C', is outside the SSH tunnels, so the MySQL traffic is in the clear there; and anyone with a shell on 'Server A' can also connect to its localhost:9999 while the second session is up.
Be responsible, make good choices. Have fun and don't kill anybody.
Wednesday, October 15, 2008
OpenIDS 1.9 released!
This project is simply awesome, I highly recommend it.
The new 1.9 version is based on OpenBSD 4.3
http://prowling.nu
Sunday, September 28, 2008
Using PKI with SSH
If you're concerned about the global increase in brute-force SSH login attempts, you can use public-key authentication (PKI) and then turn password logins off on the target, so that password guessing cannot succeed no matter how many attempts are made. Key authentication on its own does not stop the guessing; the server has to stop accepting passwords.
Generate key pair (1024-bit RSA was the default in 2008; use at least 2048 bits, or ed25519 where supported, today)
# ssh-keygen -b 1024 -t rsa -f ./rsa_id_clientname
Add/append the public key (rsa_id_clientname.pub) to the ~/.ssh/authorized_keys file on the target
Add/append a few lines to ~/.ssh/config on the client
Host
User
IdentityFile ~/.ssh/
Attempt a new SSH session. Once the key login works, set PasswordAuthentication no (and PermitRootLogin no) in /etc/ssh/sshd_config on the target and restart sshd.
Saturday, September 13, 2008
Troubleshooting MS SQL Server
/* DO NOT JUST EXECUTE THIS SCRIPT. HIGHLIGHT THE COMMAND AND RUN IT */
select @@servername
/* returns name of server. */
select @@version
/* returns the version. */
select @@connections
/* returns number of connections since restarted. */
select @@packet_errors
/* returns number of packet errors since restarted. */
select dbid, DB_NAME(dbid) AS DB_NAME FROM sysdatabases
/* Returns the database name. */
sp_tables
/* Returns a list of objects (table names) that can be queried in the current environment (any object that can appear in a FROM clause). */
sp_helplogins
/*Provides information about logins and the associated users in each database */
Friday, August 22, 2008
PF State info via shell script
I use the following script to generate state info on my pf firewalls. The output is placed in a file and transferred to a directory beneath the DocumentRoot of a secured internal web server. The state table lists every internal address and active session, so the page it produces is sensitive: keep the web server access-controlled and use a dedicated key for the opsbsd account.
#!/bin/sh
# Snapshot the pf state table and counters, then publish them to the internal web server
OUT=/tmp/pfstate.txt
# wrap the report in <pre> so the browser keeps the column layout
# (the tag's name was lost from the original; <pre> is assumed)
echo '<pre>' > $OUT
date >> $OUT
echo --------------------------------------------------------- >> $OUT
pfctl -s state | grep ESTABLISHED | sort >> $OUT
echo --------------------------------------------------------- >> $OUT
pfctl -s info >> $OUT
echo '</pre>' >> $OUT
scp $OUT opsbsd@x.x.x.x:/portal.sv/monitoring/opsbsd001/pfstate.html
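What the published page contains is raw `pfctl -s state` output, which is more useful once it is summarised. As an added example (not the post's script), the Python below parses that output, counts established TCP sessions, sessions per internal host and per destination port, and lists inbound sessions that reached a firewall address from outside, which is the path the rdr rule in the CARP/pf post opens. The sample lines are constructed in the pfctl 4.x layout; 198.51.100.10 stands in for the external CARP address and the internal networks are the $our_nets from that post.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# $our_nets from the CARP/pf post
INTERNAL = [ip_network("10.10.2.0/24"), ip_network("10.10.1.0/24")]

# Constructed sample in the layout of `pfctl -s state` on OpenBSD 4.x:
#   <if> <proto> <src>:<port> [(<pre-NAT src>:<port>)] -> <dst>:<port>   <state>:<state>
# and, for rdr'd inbound connections, <target> <- <original dst> <- <src>.
# 198.51.100.10 stands in for the external CARP address.
SAMPLE = """\
all tcp 10.10.2.5:49152 -> 203.0.113.34:80       ESTABLISHED:ESTABLISHED
all tcp 10.10.2.5:49153 -> 203.0.113.34:443       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.10:51234 (10.10.1.7:51234) -> 203.0.113.25:25       ESTABLISHED:ESTABLISHED
all udp 10.10.2.5:53412 -> 203.0.113.53:53       MULTIPLE:SINGLE
all tcp 10.10.2.2:22 <- 198.51.100.10:44 <- 203.0.113.7:51111       ESTABLISHED:ESTABLISHED
all udp 10.10.2.2:161 <- 10.10.2.9:40000       SINGLE:NO_TRAFFIC
all tcp 10.10.2.5:49154 -> 203.0.113.34:80       SYN_SENT:CLOSED
"""

ARROWS = ("->", "<-", "<->")


def _endpoint(tok):
    """'1.2.3.4:80' or '(1.2.3.4:80)' -> ('1.2.3.4', 80)"""
    ip, port = tok.strip("()").rsplit(":", 1)
    return ip, int(port)


def parse_state(line):
    """Parse one pfctl -s state line into a flow dict (None for lines that are not flows)."""
    parts = line.rstrip().rsplit(None, 1)
    if len(parts) != 2:
        return None
    rest, state = parts
    fields = rest.split()
    if len(fields) < 4:
        return None
    proto, toks = fields[1], fields[2:]
    inbound = "<-" in toks
    addrs = [t for t in toks if t not in ARROWS]
    if inbound:                      # rdr'd/inbound: target first, real source last
        dst, src = _endpoint(addrs[0]), _endpoint(addrs[-1])
    else:                            # outbound: pre-NAT source is the parenthesised one
        orig = [t for t in addrs if t.startswith("(")]
        src = _endpoint(orig[0] if orig else addrs[0])
        dst = _endpoint(addrs[-1])
    return {"proto": proto, "src": src[0], "sport": src[1],
            "dst": dst[0], "dport": dst[1], "inbound": inbound, "state": state}


def is_internal(ip, nets=INTERNAL):
    return any(ip_address(ip) in n for n in nets)


def summarize(lines, nets=INTERNAL):
    """Counts a firewall admin wants from the state table, plus the inbound sessions from outside."""
    flows = [f for f in (parse_state(l) for l in lines) if f]
    return {
        "established": sum(1 for f in flows if f["proto"] == "tcp" and "ESTABLISHED" in f["state"]),
        "by_dport": Counter((f["proto"], f["dport"]) for f in flows),
        "by_src": Counter(f["src"] for f in flows if not f["inbound"] and is_internal(f["src"], nets)),
        "inbound_from_outside": [f for f in flows if f["inbound"] and not is_internal(f["src"], nets)],
    }


if __name__ == "__main__":
    r = summarize(SAMPLE.splitlines())
    print("established tcp:", r["established"])
    print("per internal host:", dict(r["by_src"]))
    print("per destination port:", dict(r["by_dport"]))
    for f in r["inbound_from_outside"]:
        print("inbound from outside:", f["src"], "->", f"{f['dst']}:{f['dport']}", f["state"])
```

Feed it `pfctl -s state` directly (without the grep, so half-open and UDP states are counted too); the inbound_from_outside list is the one to watch on a box that rdr's its own sshd.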
Monday, July 21, 2008
Create and Self-Sign Certs on the Netscaler Application Switch
#Create CA (ops-ca.key can sign a certificate for any name, and nsroot on either box can read it: treat it as a CA key, not a server key)
create ssl rsakey ops-ca.key 1024
create ssl certreq ops-ca.csr -keyfile ops-ca.key
create ssl cert ops-ca.crt ops-ca.csr ROOT_CERT -keyfile ops-ca.key
shell
echo '01' > ops-ca-serial.srl
exit
#Create a Server cert for the NetScaler (for testing, if required); the serial file is the one created above
create ssl rsakey ops-vip.key 1024
create ssl certreq ops-vip.csr -keyfile ops-vip.key
create ssl cert ops-vip.crt ops-vip.csr SRVR_CERT -CAcert ops-ca.crt -CAkey ops-ca.key -CAserial ops-ca-serial.srl
#create key and csr on the apache web servers (-des3 encrypts the key, so Apache will prompt for the passphrase at startup)
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out opswebserver_01.csr
#copy the csr back to the netscaler
#sign csr's from the web servers with the CA created on the netscaler
create ssl cert /nsconfig/ssl/opswebserver_01.crt /nsconfig/ssl/opswebserver_01.csr SRVR_CERT -CAcert /nsconfig/ssl/ops-ca.crt -CAkey /nsconfig/ssl/ops-ca.key -CAserial /nsconfig/ssl/ops-ca-serial.srl
#copy the crt back to the apache server and put it in the appropriate place and edit ssl.conf
#add the in-memory cert object that holds the SSL server certificate information for SSL handshakes
add ssl certkey ops-certkey -cert ops-vip.crt -key ops-vip.key
#bind the certkey object (not the key file) to a vserver; use -service instead when binding to a back-end service
bind ssl certkey Ops_VIP ops-certkey -vserver
#dont forget to copy all files in /nsconfig/ssl to the second netscaler
Final Key
#create new csr
create ssl certreq opsportal.someurl.com.csr -keyfile opsportal.someurl.com.key
#copy key file to second netscaler
#passphrase: xxxxx
#Submit csr to verisign
#Copy verisign cert into text file
#Copy cert file to both netscalers
#Create certkey on netscaler
add ssl certKey portal.cert -cert opsportal.someurl.com.crt -key opsportal.someurl.com.key
#add Verisign intermediate cert
add ssl certkey vrisgn.intmed.cert -cert /nsconfig/ssl/verisign.intermediate.cert.crt
#link intermediate cert to portal-certkey so the vserver sends the full chain
link ssl certkey portal.cert vrisgn.intmed.cert
#bind certkey to vserver
bind ssl certkey ops_vip portal.cert -vserver
Monday, May 26, 2008
Install and Configure Snort on CentOS
The following has been lying around in some text file I got tired of keeping, so I figured I'd put it here.
# service account for the sensor; it has no login shell, so a password is not needed (passwd -l snort locks it instead)
groupadd snort
useradd -g snort snort -s /sbin/nologin
passwd snort
# turn off services the sensor does not need
chkconfig apmd off
chkconfig cups off
chkconfig isdn off
chkconfig netfs off
chkconfig nfslock off
chkconfig pcmcia off
chkconfig portmap off
# import the CentOS signing key so yum verifies packages, patch, and enable nightly updates
rpm --import http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-4
yum -y update
chkconfig yum on
service yum start
yum -y install mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++
# In /etc/ssh/sshd_config set the following lines (if a line is commented out remove the #):
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
service sshd restart
chkconfig httpd on
chkconfig mysqld on
service httpd start
service mysqld start
cd /var/www/html
wget http://www.internetsecurityguru.com/index.php.txt
mv ./index.php.txt ./index.php
cd /root
mkdir /root/snortinstall/
cd /root/snortinstall/
# plain-HTTP download: check the tarball's checksum against snort.org before building it
wget http://www.snort.org/dl/current/snort-2.6.1.5.tar.gz
tar xvzf snort-2.6.1.5.tar.gz
cd snort-2.6.1.5
./configure --with-mysql --enable-dynamicplugin
make
make install
mkdir /etc/snort
mkdir /etc/snort/rules
mkdir /var/log/snort
cd /root/snortinstall/snort-2.6.1.5/etc/
# (note: this is not /etc, it is the etc dir under the snort source tree)
cp * /etc/snort
#Download BASE
cd ~/snortinstall/
wget http://easynews.dl.sourceforge.net/sourceforge/secureideas/base-1.2.6.tar.gz
cd /var/www/html
tar xvzf /root/snortinstall/base-1.2.6.tar.gz
mv base-1.2.6/ base/
mkdir /root/snortinstall/rules
cd /root/snortinstall/rules
wget http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-2.4.tar.gz
tar xvzf /root/snortinstall/rules/snortrules-pr-2.4.tar.gz
cd /root/snortinstall/rules/rules
cp * /etc/snort/rules
#Copy the signatures into the BASE application directory
cd ~/snortinstall/rules/
mv ./doc/signatures/ /var/www/html/base/
#Modify /etc/snort/snort.conf
# HOME_NET: whatever your internal network is, in CIDR notation
var HOME_NET 10.0.0.0/24
# EXTERNAL_NET: everything that is not your home net is external to your network
var EXTERNAL_NET !$HOME_NET
#change "var RULE_PATH ../rules" to "var RULE_PATH /etc/snort/rules"
#After the line that says "preprocessor stream4_reassemble" add a line that looks like
preprocessor stream4_reassemble: both,ports 21 23 25 53 80 110 111 139 143 445 513 1433
# database output plugin, on one line; the password is the one set for snort@localhost
# in MySQL below, so keep snort.conf readable by root only (chmod 600 /etc/snort/snort.conf)
output database: log, mysql, user=snort password=sn0rt dbname=snort host=localhost
#Change directory to /etc/init.d and fetch the init script. It runs as root at every boot
#and comes from a third-party site over plain HTTP, so read it before installing it.
cd /etc/init.d
wget http://internetsecurityguru.com/snortinit/snort
chmod 755 snort
chkconfig snort on
===========
# The passwords below are the guide's examples; replace both before use.
mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('r3m0t3c0ntr0l');
>Query OK, 0 rows affected (0.25 sec)
mysql> create database snort;
>Query OK, 1 row affected (0.01 sec)
# this first grant creates the snort@localhost account, which SET PASSWORD needs to exist
mysql> grant INSERT,SELECT on snort.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
mysql> SET PASSWORD FOR snort@localhost=PASSWORD('sn0rt');
>Query OK, 0 rows affected (0.25 sec)
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
>Query OK, 0 rows affected (0.02 sec)
# this one is snort@'%' (any host); drop it when Snort and BASE run on this box,
# since both connect to localhost
mysql> grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
>Query OK, 0 rows affected (0.02 sec)
mysql> exit
>Bye
===========
# The same statements, for pasting
mysql
SET PASSWORD FOR root@localhost=PASSWORD('r3m0t3c0ntr0l');
create database snort;
grant INSERT,SELECT on snort.* to snort@localhost;
SET PASSWORD FOR snort@localhost=PASSWORD('sn0rt');
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort@localhost;
grant CREATE, INSERT, SELECT, DELETE, UPDATE on snort.* to snort;
exit
# load the Snort schema into the new database
mysql -u root -p < ~/snortinstall/snort-2.6.1.5/schemas/create_mysql snort
#Hand configure the firewall:
cd /etc/sysconfig/
#edit the iptables file
#and delete the lines (IPsec, mDNS and CUPS are not needed on a sensor)
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
#change the line (BASE will sit behind HTTP Basic auth, which sends the password in the clear, so only HTTPS is let in)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#to
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#change the line
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
#to
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j DROP
service iptables restart
cd /root/snortinstall
pear install Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
#Download ADODB (it lands in /var/www/adodb, outside the DocumentRoot, so it is never served directly)
cd ~/snortinstall/
wget http://easynews.dl.sourceforge.net/sourceforge/adodb/adodb480.tgz
cd /var/www/
tar xvzf /root/snortinstall/adodb480.tgz
cp /var/www/html/base/base_conf.php.dist /var/www/html/base/base_conf.php
#Edit base_conf.php and set the following parameters
$BASE_urlpath = "/base";
$DBlib_path = "/var/www/adodb/";
$DBtype = "mysql";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "snort";
$alert_password = "sn0rt";
service snort start
#go here to finish setting up the database
https://ip_address/base
#Secure BASE
mkdir /var/www/passwords
/usr/bin/htpasswd -c /var/www/passwords/passwords base
#Edit httpd.conf (/etc/httpd/conf/httpd.conf). I put it under the section that has the two lines below.
#In the stock httpd.conf that pair is the <Directory /> block, so the whole site ends up behind
#the login; a <Directory /var/www/html/base> block scopes it to BASE only.
Options FollowSymLinks
AllowOverride None
AuthType Basic
AuthName "SnortIDS"
AuthUserFile /var/www/passwords/passwords
Require user base
service httpd restart
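Once the sensor is running, the next job is reading what it produces. The following is an added example, not part of the original post or of Snort: a Python parser for Snort's alert_fast line format (enabled with output alert_fast in snort.conf or snort -A fast, as an addition to the MySQL output configured above) that summarises alerts by signature, by source and by priority, and flags sources inside HOME_NET, i.e. internal hosts that tripped a rule. The alert lines are constructed; the SIDs and messages are illustrative.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/24")   # as set in snort.conf above

# Constructed alert lines in Snort's alert_fast layout; SIDs/messages are illustrative
SAMPLE = """\
03/10-14:22:01.123456  [**] [1:2003:8] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.55:1024 -> 10.0.0.1:161
03/10-14:22:05.000001  [**] [1:1256:12] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40123 -> 10.0.0.80:80
03/10-14:22:07.555555  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 10.0.0.80
03/10-14:23:10.000000  [**] [1:1256:12] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40124 -> 10.0.0.80:80
03/10-14:25:00.000000  [**] [1:2003:8] SNMP public access udp [**] [Priority: 2] {UDP} 10.0.0.55:1025 -> 10.0.0.2:161
"""

# timestamp  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src[:port] -> dst[:port]
# Classification is optional; ICMP alerts carry no ports.
ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or None if the line is not an alert."""
    m = ALERT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "pri"):
        d[k] = int(d[k])
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def summarize(lines, home_net=HOME_NET):
    """Counts per signature and source, priority-1 alerts, and internal hosts that tripped rules."""
    alerts = [a for a in (parse_alert(l) for l in lines) if a]
    return {
        "count": len(alerts),
        "by_sig": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_src": Counter(a["src"] for a in alerts),
        "internal_offenders": Counter(a["src"] for a in alerts if ip_address(a["src"]) in home_net),
        "priority1": [a for a in alerts if a["pri"] == 1],
    }


if __name__ == "__main__":
    r = summarize(SAMPLE.splitlines())
    print("alerts:", r["count"])
    for (sid, msg), n in r["by_sig"].most_common():
        print(f"  sid {sid} x{n}: {msg}")
    print("priority 1:", [(a["src"], a["dst"], a["msg"]) for a in r["priority1"]])
    print("internal offenders:", dict(r["internal_offenders"]))
```

The internal_offenders count is the one that usually deserves a look first: an alert whose source is inside HOME_NET is either a misconfigured host (here, an SNMP poller using the public community) or a compromised one, and neither is what the external-facing rules were tuned for.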
Thursday, April 17, 2008
Netscaler Configuration Backup Script
This one is for a Windows system. We're using Backup Exec, so I used the backup server as an aggregation point before running it all to tape. Note that /nsconfig includes /nsconfig/ssl, i.e. the certificates and private keys from the post above, so the f:\backup\netscaler tree and the tapes need the same access control as the appliances, and so does the id_backup01_rsa key, which logs in as nsroot.
----------
for /f "tokens=2-4 delims=/ " %%a in ('DATE/T') do set mdate=%%c%%a%%b
mkdir f:\backup\netscaler\ns01\%mdate%
scp -i c:\cygwin\home\Administrator\.ssh\id_backup01_rsa -r nsroot@172.18.1.20:/nsconfig/* /cygdrive/f/backup/netscaler/ns01/%mdate%
----------
Sunday, March 23, 2008
Citrix Presentation Server Basic Requirements
The pre-reqs are pretty straightforward; here they are.
Add/Remove Programs
- Terminal Services
- IIS+ASP.Net
- SNMP
- .Net 2.0 Framework
Windows Update
When starting a new ICA session, make sure that the user, or a group that the user is a member of, is in the server's local group named "Remote Desktop Users".
Sunday, February 3, 2008
Configuring two Netscaler Application Switches as a High Availability pair
On Primary NS (172.18.1.20):
add node 2 172.18.1.22
set interface 1/1 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/2 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/3 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/4 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/5 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/6 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/8 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
On Secondary NS (172.18.1.22):
set node -hastatus STAYSECONDARY
add node 1 172.18.1.20
set interface 1/1 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/2 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/3 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/4 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/5 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/6 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set interface 1/8 -speed AUTO -duplex AUTO -autoneg ENABLED -hamonitor OFF -state DISABLED
set node -hastatus ENABLE
Thursday, January 10, 2008
Policy-driven Content Filtering on the Netscaler Application Switch
I have a server with two separate web services on it. Both services are available through the same web application server, so port restriction isn't going to work in this case. I wanted to prevent remote users from accessing one of these load-balanced services, so I used content filtering to drop any requests for this URL.
> add expression e1 url == /dts
> add expression e2 url == /DTS
> add filter dts_filter -reqrule "e1||e2" -reqaction RESET
> add action dts_action Forward /dts /
> show action
> show filter
> bind lb vserver somename_vip -policyName dts_filter