Sunday, November 23, 2008
Wednesday, November 19, 2008
SSH Remote Command Execution
The following example allows you to execute a command on a remote system and return the results of the command without a shell session.
Simply include the command immediately after the normal ssh session request. Here's an easy one for a periodic secure rule integrity check on OpenBSD using pf.
ssh someuser@ip.add.re.ss 'pfctl -s rules | openssl sha1'
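Here is a small script that turns the one-liner above into a scheduled check that compares the remote digest against a stored baseline. It is an added example, not the post's own script: the names REMOTE, BASELINE and the function names are mine, and the digest values in the comments are constructed. The only remote command it runs is the one from the post.

```shell
#!/bin/sh
# Periodic pf ruleset integrity check driven from a monitoring host.
# Added example, not the blog's own script. REMOTE and BASELINE are assumptions:
# REMOTE is the ssh target from the post, BASELINE is where the known-good digest is kept.

REMOTE="${REMOTE:-someuser@ip.add.re.ss}"
BASELINE="${BASELINE:-/var/db/pf-rules.sha1}"

# digest_from_line LINE -> the hex digest from 'openssl sha1' output, which is either
# "(stdin)= <hex>" or just "<hex>" depending on the OpenSSL version.
digest_from_line() {
    printf '%s\n' "$1" | awk '{print $NF}'
}

# looks_like_sha1 HEX -> 0 if HEX is exactly 40 hex characters; this stops an ssh
# error message from being mistaken for a digest.
looks_like_sha1() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# fetch_remote_digest -> runs the one-off command from the post over ssh, non-interactively.
fetch_remote_digest() {
    out=$(ssh -o BatchMode=yes "$REMOTE" 'pfctl -s rules | openssl sha1') || return 1
    digest_from_line "$out"
}

# compare_digest CURRENT EXPECTED -> 0 unchanged, 1 drifted, 2 malformed digest
compare_digest() {
    looks_like_sha1 "$1" || return 2
    looks_like_sha1 "$2" || return 2
    [ "$1" = "$2" ]
}

# check_pf_rules -> 0 unchanged, 1 changed, 2 could not check; one status line on stdout
check_pf_rules() {
    expected=$(cat "$BASELINE" 2>/dev/null) || { echo "no baseline at $BASELINE"; return 2; }
    current=$(fetch_remote_digest) || { echo "could not reach $REMOTE"; return 2; }
    compare_digest "$current" "$expected"; rc=$?
    case $rc in
        0) echo "pf ruleset on $REMOTE unchanged ($current)" ;;
        1) echo "pf ruleset on $REMOTE CHANGED: expected $expected got $current" ;;
        *) echo "unusable digest from $REMOTE: '$current'" ;;
    esac
    return $rc
}

# Run from cron: non-zero exit means "look at this host".
# check_pf_rules
```

The baseline file holds the digest recorded the last time the ruleset was reviewed. Since the key on the monitoring host only ever needs to run this one command, it is worth restricting it in the remote authorized_keys with a `command="pfctl -s rules | openssl sha1"` option, so a stolen key yields the digest and nothing else.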
Monday, November 17, 2008
How to set up Apache, MySQL and PHP on FreeBSD
# cd /usr/ports/www/apache13-modssl
# make install
# echo 'apache_enable="YES"' >> /etc/rc.conf
# echo 'apache_flags="-DSSL"' >> /etc/rc.conf
# echo 'mysql_enable="YES"' >> /etc/rc.conf
# /usr/local/etc/rc.d/mysql-server start
# mysqladmin -u root password newpassword
# cd /usr/ports/www/mod_php4
# make install clean
# cd /usr/ports/lang/php4-extensions
# make install clean
# vi /usr/local/etc/apache/httpd.conf
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
# /usr/local/etc/rc.d/apache.sh start
# whoami
root
# cd ~
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 \
-in /root/server.csr \
-signkey /root/server.key \
-out /root/server.crt
# cp ~/server.key /usr/local/etc/apache/ssl.key/
# cp ~/server.crt /usr/local/etc/apache/ssl.crt/
Labels: apache, freebsd, mysql, php, system administration
Friday, November 14, 2008
Migrating from VMWare ESX 3.5 to VMWare Server 2.0 with VMWare Converter 3.0.3
The following is a brief account of how I got my vm's up and running in VMWare Server 2.0 that were originally running in ESX.
Short Story: I was able to load the vm into Workstation 5.5.5, fix the problems and bring it up in VMWare Server 2.0. Read on if you want a tiny bit more detail, there's not much to it.
In many cases I have encountered, sometimes you can't convert an ESX vm straight to VMWare Server 2.0. Some post-conversion modification is necessary. A number of VMWare forum threads allude to this fact, but I have found no further information on what it specifically entails. The OSes I have had the most problems with are CentOS and OpenBSD. The test image that I initially did when I was reviewing the possibility of this migration was a Win2k3 Standard image, and I was able to convert and run it with no problems.
In the specific conversion I attempted, the conversion process of the CentOS vm appeared successful. What I mean by this is that a vmx and vmdk file were generated. However, when I was going through the wizard, I encountered the following "Warning: Cannot configure the source image.". The vmdk file size seemed reasonable and the vmx file seemed like it was missing a few lines. I transferred these files from the win2k3 VMCS server, where I ran the VMWare Converter 3.0.3 software, to their new home, a win2k3 server with VMWare Server 2.0. I "Added a Virtual Machine to Inventory" in the VMWare Server 2.0 interface and the vm was reported to have been registered Successfully, but the vm showed up as "Unknown" in the inventory list, the controls to start the vm were greyed out, and no errors appeared to be logged or displayed anywhere.
Frustrating.
So, I tried bringing the vm up on another system that had VMWare Workstation 5.5.5 on it. An error was thrown, stating that the ide reference was incorrect, and it thoughtfully suggested a change, which I made and which worked. Then I was able to bring the image up and successfully reconfigure it for the new network environment it would call home. I shut the image down, copied it back to the target host with VMWare Server 2.0 and successfully registered and ran the image. One last thing I needed to do was answer a question from VMWare Server 2.0 before startup would occur. It was hidden on a pop-down on the Console tab, and wanted to know whether I had "moved it" or "copied it".
Tips:
Be sure to delete any snapshots the vm had, otherwise there may be problems later. Though, I have converted images successfully ignoring this step. The other bit that might be useful to know is that I was not able to successfully migrate any vm to VMWare Server 2.0 when selecting VMWare Workstation 6.x as the destination image format using VMWare Converter 3.0.3.
Another solution would be to avoid all these gui tools and export the VMDK with vmkfstools, then transfer the vmdk and create a new VM pointing to the VMDK. :)
Wednesday, November 12, 2008
macosx2windows
Focus Finder
Apple+K or Go | Connect To Server
In the Server Address field, enter:
smb://[Domain];[user]@ip.ad.dr.ess/c$
e.g.: smb://DOMAIN;miked@192.168.1.5/myshare
Tuesday, November 11, 2008
Making real-time kernel adjustments in Linux
/proc/sys is an important directory in Linux. It contains many of the adjustable kernel values that can be changed while a system is running. It also provides a lot of information that can be collected and parsed by a script that might validate certain security settings. For instance, the file below contains a zero or a one, indicating whether or not the kernel is allowed to forward packets.
/proc/sys/net/ipv4/ip_forward
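The kind of validation script the paragraph describes, as an added example rather than anything from the original post: it reads values straight out of /proc/sys, compares them to a small policy, and reports each key as OK, FAIL or MISS. The PROC_SYS root is a parameter so the same functions can be pointed at a constructed directory tree; the policy entries other than ip_forward are common hardening settings I chose for illustration.

```shell
#!/bin/sh
# Audit kernel settings by reading /proc/sys directly instead of calling sysctl.
# Added example, not the blog's own script. PROC_SYS is parameterized so the same
# functions can be pointed at a constructed directory tree for testing.

PROC_SYS="${PROC_SYS:-/proc/sys}"

# read_sysctl ROOT KEY -> prints the value of ROOT/<key with dots turned into slashes>
# (net.ipv4.ip_forward becomes ROOT/net/ipv4/ip_forward); returns 2 if it is not readable.
read_sysctl() {
    path="$1/$(printf '%s' "$2" | tr . /)"
    [ -r "$path" ] || return 2
    cat "$path"
}

# check_sysctl ROOT KEY EXPECTED -> 0 on match, 1 on mismatch, 2 if the key is missing
check_sysctl() {
    actual=$(read_sysctl "$1" "$2") || return 2
    [ "$actual" = "$3" ]
}

# audit_sysctls ROOT < POLICY -> one report line per "key expected" entry read from stdin
# (blank lines and # comments are ignored); the return value is the number of entries
# that did not pass, so 0 means the host matches the policy.
audit_sysctls() {
    root=$1; failures=0
    while read -r key expected; do
        case "$key" in ''|\#*) continue ;; esac
        check_sysctl "$root" "$key" "$expected"; rc=$?
        case $rc in
            0) echo "OK   $key = $expected" ;;
            2) echo "MISS $key (not present on this kernel)"; failures=$((failures + 1)) ;;
            *) echo "FAIL $key: want $expected, got $(read_sysctl "$root" "$key")"
               failures=$((failures + 1)) ;;
        esac
    done
    return $failures
}

# Example policy: the ip_forward file from the post plus a few other common checks.
# Run with "--run" to audit the live kernel.
if [ "${1:-}" = "--run" ]; then
    audit_sysctls "$PROC_SYS" <<'EOF'
# key                        expected
net.ipv4.ip_forward          0
net.ipv4.conf.all.rp_filter  1
net.ipv4.tcp_syncookies      1
kernel.randomize_va_space    2
EOF
fi
```

Reading the files directly, rather than parsing `sysctl -a` output, keeps the script dependency-free and makes the key-to-path mapping explicit; the non-zero exit count is convenient for cron, which mails you only when something differs.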
Monday, November 10, 2008
i.e. vs. e.g.
i.e.
"i.e." means "that is". In Latin it's "id est". "i.e." means "in other words", "it is", or "that is". The intention is to give a specific example, of which there is only one correct, precise example.
e.g.
"e.g." means "for example" and is derived from the Latin expression "exempli gratia" and means "for the sake of example". "e.g." is used to provide a possible example, or list of examples, of which there could be several others, including those not listed by the author.
Saturday, November 8, 2008
Friday, November 7, 2008
Use sshfs to Securely Mount Remote File Systems
The following commands can be used on *BSD systems.
# pkg_add -r fusefs-sshfs
# kldload /usr/local/modules/fuse.ko
# sysctl vfs.usermount=1
# mkdir /mnt/local.dir
# sshfs user@x.x.x.x:/some/remote.dir /mnt/local.dir
Tuesday, November 4, 2008
Using iphone ringtones on the blackberry
I have the Blackberry 8310 and I love it. I refuse to submit to the iPhone on the general rule that I avoid fanboyism at all costs, despite the fact the iPhone can't do what my Blackberry does right now. Recently I have been having a marvelous time in the morning, on the quiet train, getting all the iPhone owners to expose themselves when they hear the exciting and distinctive iPhone ringtone that could be their next incoming call. :)
It's easy to put the iPhone ringtones on your Blackberry, and here's how you do it.
First, get the ringtone. There's a posting here that has the one from the commercial. You can download it, unzip it and rename the 32K .m4r file to an .mp3 file. Then, either with the data cable or with your browser, save it to the ringtones directory and go change your ringtone. Done.
The other location where you'll find all the iPhone ringtones is on an iPhone, of course. It's located in the '/Library/Ringtones' folder. Connect your iPhone to your Mac and use the Terminal application to get in there through the /Volumes mount point.
The method of getting it with your Blackberry internet browser involves copying the file up to a website (presumably yours) and typing in the full URL to where the file has been placed on the website. The Blackberry internet browser will download it and automatically suggest that you place it into your ringtones.
Monday, November 3, 2008
Increase the size of the history buffer in OpenBSD
Add the following lines to ./.profile
HISTSIZE=50;export HISTSIZE
HISTFILE=.ksh_history;export HISTFILE
List of Network Security Tools I Use
aide, BASE, curl, dban, dsniff, etherApe, EventSentry, Foundstone Tools, fping, google.com search trends groups, hping, nbtscan, nessus, netcat, netcraft.com, netstat, nikto, nfcapd, nfdump, nfSen, nmap, ntop, openssl, openssh, p0f, pads, pf, pftop, pgp/gpg, ps, Retina, sguil, snort, snortlog, solarwinds, splunk, sqlping, stunnel, sysinternals, tcpdump, Tor, TrueCrypt, tshark, whois, w, Wireshark/Ethereal/sniff, wget
Sunday, November 2, 2008
snort / barnyard restart script
#!/bin/sh
# snort / barnyard restart script for the sis0 sniffing interface.

SNORT_PID=/var/run/snort_sis0.pid
BY_PID=/var/run/by.pid

# 'color' is a helper from the original system; if it is not installed, fall back to
# plain ANSI escapes so the script still runs.
if ! command -v color >/dev/null 2>&1; then
  color() {
    case "$1" in
      red)    printf '\033[31m' ;;
      cyan)   printf '\033[36m' ;;
      yellow) printf '\033[33m' ;;
      *)      printf '\033[0m' ;;
    esac
  }
fi

# Stop the running daemons, reading each pid file only if it exists.
if [ -e "$SNORT_PID" ]; then
  color red
  echo 'killing snort'
  kill "$(cat "$SNORT_PID")"
  color off
fi
if [ -e "$BY_PID" ]; then
  color red
  echo 'killing barnyard'
  kill "$(cat "$BY_PID")"
  color off
fi
# Give them a moment to exit and release the interface and the pid files.
sleep 2

if [ -x /usr/local/bin/snort ]; then
  color cyan
  echo 'starting snort'
  /usr/local/bin/snort \
    -i sis0 \
    -c /etc/snort/snort.conf \
    -u snort \
    -g snort \
    -d \
    -D
  color off
fi
if [ -x /usr/local/bin/barnyard ]; then
  color cyan
  echo 'starting barnyard'
  /usr/local/bin/barnyard \
    -c /etc/snort/barnyard.conf \
    -p /etc/snort/classification.config \
    -s /etc/snort/sid-msg.map \
    -g /etc/snort/gen-msg.map \
    -w /etc/snort/barnyard.waldo \
    -d /var/log/snort -f snort.log \
    > /dev/null 2>&1
  color off
  sleep 3
fi

# Report the new pids. They are read after the restart rather than captured at the top
# of the script, so they describe the processes just started, not the ones killed.
if [ -e "$SNORT_PID" ]; then
  color yellow
  echo "snort running and pid is $(cat "$SNORT_PID")"
  color off
fi
if [ -e "$BY_PID" ]; then
  color yellow
  echo "barnyard running and pid is $(cat "$BY_PID")"
  color off
fi
Decent writeup on current Cybercrime
Actually this article is probably obsolete by a year or so.
http://www.securecomputing.net.au/Opinion/123664,eugene-kaspersky-on-the-cybercrime-arms-race.aspx
Saturday, November 1, 2008
Purge Master Logs in MySQL
If the files '/var/log/mysql/server.bin.xxx' are large, you can manage them:
Log into MySQL as root. This is not the system's root user; it is a separate root account local to MySQL.
# mysql -u root -p
mysql> purge master logs before 'xxxx-mm-dd 00:00:00';
To get today's date in that format: `date +"%Y-%m-%d %H:%M:%S"`
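If the purge is going to run from cron, the cutoff date ends up in a shell variable, and a variable that gets pasted into an SQL string deserves a shape check first. The following is an added example, not from the post: it validates the cutoff against the 'YYYY-MM-DD HH:MM:SS' form the statement expects before building the statement, and refuses anything else. The function names are mine.

```shell
#!/bin/sh
# Build a PURGE MASTER LOGS statement for a cutoff date, validating the date first so an
# unexpected value in a script variable never reaches the SQL string.
# Added example, not the blog's own script.

# valid_datetime 'YYYY-MM-DD HH:MM:SS' -> 0 only if the string has exactly that shape
valid_datetime() {
    printf '%s' "$1" | grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}$'
}

# purge_sql CUTOFF -> prints the statement, or prints nothing and fails for a malformed cutoff
purge_sql() {
    valid_datetime "$1" || return 1
    printf "PURGE MASTER LOGS BEFORE '%s';\n" "$1"
}

# cutoff_midnight_today -> today's date at 00:00:00 in the format the statement needs
cutoff_midnight_today() {
    printf '%s 00:00:00\n' "$(date +%Y-%m-%d)"
}

# run_purge CUTOFF -> executes the statement as the MySQL root user; -p prompts for
# the password, as in the post, so this is for interactive use.
run_purge() {
    sql=$(purge_sql "$1") || { echo "refusing to run: bad cutoff '$1'" >&2; return 1; }
    printf '%s\n' "$sql" | mysql -u root -p
}

# Interactive use:
# run_purge "$(cutoff_midnight_today)"
```

Keep in mind that binary logs are what replicas read from; purging logs a replica has not yet fetched breaks replication, so check replica positions before choosing the cutoff.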
Adding / Removing Routes in Linux
Add or Delete the Default Route
# route add default gw 10.10.1.1
# route del default gw 10.10.1.1
Add or Delete a Route for a Host
# route add -host x.x.x.x gw x.x.x.x
# route del -host x.x.x.x gw x.x.x.x
Add or Delete a Route for a Network
# route add -net 172.18.1.0/24 gw 10.10.1.43
# route del -net 172.18.1.0/24 gw 10.10.1.43
Labels: configuration, linux, route, system administration
SSH pubkey on a NetScaler Application Switch
I like to take a backup of all my device configurations on a regular basis. It's usually pretty straight-forward, simply add a scp command to cron, but with the NetScaler there's a little gotcha.
The default location of the authorized_keys file is in '/flash/nsconfig/ssh'. After you append your public key into the file, you'll need to copy the 'authorized_keys' file to '/root/.ssh/'.
This filecopy will need to be done after every reboot of the NetScaler because the / mount point is on volatile media.
If you want to script this action, or any other post-boot commands on a NetScaler device, create or edit the file '/flash/nsconfig/rc.netscaler', set the perms on the file to 755, and start adding commands to the file.
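A post-boot hook of the kind just described, written as an added example rather than copied from the post: it restores root's authorized_keys from the persistent copy on /flash and sets the directory and file modes sshd wants (StrictModes rejects a world-readable key file). The two paths come from the post; the function names and the `--boot` switch are mine, and the key line in the test is constructed.

```shell
#!/bin/sh
# Post-boot restore of root's authorized_keys on a NetScaler, suitable for calling from
# /flash/nsconfig/rc.netscaler. Added example, not the blog's own script.

# restore_authorized_keys SRC DEST_DIR -> copies SRC to DEST_DIR/authorized_keys with
# permissions sshd accepts (directory 0700, file 0600); returns 1 if SRC is missing,
# so a forgotten key file shows up in the cron mail instead of silently doing nothing.
restore_authorized_keys() {
    src=$1; dstdir=$2
    [ -f "$src" ] || { echo "no key file at $src" >&2; return 1; }
    mkdir -p "$dstdir"
    chmod 700 "$dstdir"
    cp "$src" "$dstdir/authorized_keys"
    chmod 600 "$dstdir/authorized_keys"
}

# count_keys FILE -> number of key lines (blank lines and comments skipped), handy for
# confirming from the backup host that the expected number of keys made it across.
count_keys() {
    grep -cEv '^[[:space:]]*(#|$)' "$1"
}

# As the boot hook, run with --boot and the paths from the post.
if [ "${1:-}" = "--boot" ]; then
    restore_authorized_keys /flash/nsconfig/ssh/authorized_keys /root/.ssh
fi
```

Calling `sh /path/to/this.sh --boot` from rc.netscaler keeps the hook itself to one line, and the count lets the backup job verify the restore before it attempts the scp.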
How to Manually Install the Ports Collection
# cd /usr
# ftp ftp://ftp.openbsd.org/pub/OpenBSD/4.4/ports.tar.gz
# tar zxvf ./ports.tar.gz
Solaris Commands
# mrstat
# prstat
# iotop
# listusers
# du -ah
# df -k
# truss -c [app_name]
# truss [app_name]
Here are some useful links:
Basic Commands
Cool Commands
Handy Solaris Commands
Harman Research
Process Mgmt Commands
Tom's Hardware
Reset the root password on OpenBSD or FreeBSD
Start or reboot the system.
At the boot prompt:
boot> boot -s
# mount -uw /      # make / writable
# mount /usr       # mount /usr
# passwd           # change the password
# reboot
How to add a permanent route in OpenBSD
add a line to /etc/hostname.[if_name]
!route add -net [network_ip/cidr] [gateway_ip]
!route add -host [host_ip] [gateway_ip]
# Add a network
!route add -net 10.10.1.0/24 172.18.1.1
#Add a host
!route add -host 10.10.1.18 172.18.1.1
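Since these lines are executed by the boot scripts, a typo in a prefix or gateway is found only at the next reboot. The following is an added example, not part of the post: it validates the destination and gateway before emitting a `!route add` line, and lists the routes an existing hostname.if file would install. The function names are mine, the addresses are the ones from the post, and the file contents in the test are constructed.

```shell
#!/bin/sh
# Validate and emit OpenBSD /etc/hostname.<if> static-route lines, and list the routes an
# existing file would install at boot. Added example, not the blog's own script.

# valid_ipv4 A.B.C.D -> 0 if four dotted octets, each 0..255
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# valid_cidr A.B.C.D/N -> 0 if the address is valid and the prefix length is 0..32
valid_cidr() {
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || return 1          # no slash present
    valid_ipv4 "$addr" || return 1
    printf '%s' "$plen" | grep -Eq '^[0-9]{1,2}$' && [ "$plen" -le 32 ]
}

# route_line net|host DEST GATEWAY -> prints the !route line for hostname.if, or fails
# without printing anything when either address is malformed
route_line() {
    kind=$1; dest=$2; gw=$3
    valid_ipv4 "$gw" || return 1
    case "$kind" in
        net)  valid_cidr "$dest" || return 1 ;;
        host) valid_ipv4 "$dest" || return 1 ;;
        *)    return 1 ;;
    esac
    printf '!route add -%s %s %s\n' "$kind" "$dest" "$gw"
}

# list_boot_routes FILE -> prints "kind destination gateway" for every !route add line,
# ignoring the inet line and comments, so a host's boot-time routes can be audited.
list_boot_routes() {
    sed -nE 's/^!route add -(net|host) +([^ ]+) +([^ ]+).*/\1 \2 \3/p' "$1"
}

# Example: append a validated network route to the config for interface em0.
# route_line net 10.10.1.0/24 172.18.1.1 >> /etc/hostname.em0
```

Appending through `route_line` means a malformed entry never reaches the file, and `list_boot_routes /etc/hostname.*` gives a quick inventory of static routes across interfaces.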
How to use Ports
If you want to add packages to FreeBSD or OpenBSD (others?), you'll want to use the package collection called 'ports'.
# mkdir /usr/ports && cd /usr/ports
# portsnap fetch
# portsnap extract
This creates the directory hierarchy under /usr/ports and downloads the header files, among other files, for each package. When installing new packages after the ports collection has been created on a given system, execute the following command to update the collection.
# portsnap fetch update
for more information, go here.
Making Your Own Loopbacks
It's pretty easy to make your own loopbacks. Take an ice cube and two 3" lengths of telephone wire, and connect the pins as follows.
Ethernet
1 <--> 3
2 <--> 6
T1
1 <--> 4
2 <--> 5
How to Span a Port on a Cisco Switch
Analyzing network traffic on network segments is an interest and goal of all Network Administrators, Network Security Engineers, and System Administrators. A switch creates virtual connections between the hosts connected to it, so a host on one port does not normally see traffic between other ports. In order to analyze all traffic on a VLAN, you'll need to 'mirror', or in Cisco parlance, 'SPAN' a port. What this means is that the traffic of all private virtual connections made between all ports belonging to a given VLAN is mirrored, or spanned, to a designated port on the switch. Typically, you'd connect an IDS or a system with a sniffer/traffic analyzer to the spanned port.
# monitor session 1 source vlan 1
# monitor session 1 destination interface gi0/44
Show spanned ports:
# show monitor
To terminate the span:
# no monitor session 1
If you're really serious about analyzing traffic, especially in large volumes, you'd want to buy a "network tap". Here is a little more detail.
Here's a tap reseller.
Labels: cisco, configuration, mirror, network tap, sniff, span