Security Nut

RSA is in Trouble

2011-06-09T19:00:00.000-04:00

So what do you when your main product is broken into by hackers, your intellectual property is in the hands of the unknown, and customers are in an uproar....it's time to get serious. Back in March RSA admitted that hackers broke into their systems and compromised their RSA tokens. Then came an attempted hack into Lockheed Martin based on their use of RSA tokens. With the millions of customers that use RSA tokens people are starting to worry. While RSA has been tight lipped about the attack, what exactly has been compromised, and what customers can do....competitors are starting to take action.

First you need to ask yourself if you could possible trust RSA at this point in time? Their reputation has been tarnished because of the serious hack and clients are wavering because of the lack of response coming from RSA. Companies should now start asking themselves...is it time to switch vendors?

Google has implemented 2 factor authentication into their Gmail recently that makes use of mobile phones. There are a few open sources projects that also make use of this concept which is gaining in popularity. Another alternative for companies is to look at other vendors that can offer the same products as RSA, but at a much lower price. Entrust is a great company that claims to be able to offer great cost savings to customers that make the switch. In addition Symantec also offers 2 factor authentication via tokens and is giving away $5 for each token that clients trade in and move over to Symantec instead. With that kind of savings on trade ins how could you afford not to trade in?! EMC, the parent company of RSA also doesn't seem too concerned as RSA only makes up 7% of their total annual sales.

While it takes time and planning to make the change over to another vendor and product I think that there will be a major shift in 2 factor tokens coming. I'll be interested to see what vendor takes over as a leader in this space.

A Lack of Education

2011-06-07T08:34:00.000-04:00

About two weeks ago Rafal Los (aka Wh1t3Rabbit) posted a blog entry pondering the question of who is responsible for security; the business people or the security team? While I don't want to rehash a lot of what has been already said in his great blog post, I do want to bring up a point that was made during this awesome conversation (you should definitely read his blog post if you get a chance). Out of all the colleges in the US how many of them provide a course relating to network/web security? The answer is much less than you think. With all of the IT security professionals out there you would think that there would be some undergraduate and graduate courses in network and web security that deal with many of the issues plaguing businesses today. The sad truth is that rarely do such courses exist, and the ones that do don't seem to carry the education of students far enough. There are two issues which I see here that relate directly back to the Business vs. Security post; why are IT students the only one taking security courses when it is a common problem across all areas of study and how do we fix the lack of education in this area?

The first issue poses probably the greatest threat today because anyone outside of the "IT realm" tends to not understand why security is important (some people in the realm don't understand it either). When you look at the number of businesses in the US you will see that most of them don't have anything to do with IT. You have financial companies, real estate, retail, construction, and many more. The one thing they all have in common however is the fact that IT and computers are ubiquitous in the business world. People use web applications, Google, email, Microsoft Office, and tons of different applications and utilities to conduct business. So if more "business" people are exposed to IT why should the security professionals be the only ones responsible for understanding how it works? I'm not saying every single person should have formal IT security background, but a single course on security wouldn't kill anyone. In fact, I would go as far as to say that requiring a single course on security would decrease the amount of compromised accounts and identity theft in the US because of the higher level of education that students would be armed with. A "Business Security" course could explain to users the dangers of visiting any link that pops up in their email, or why the corporate ban on Facebook is actually imposed on them (there are many different topics that could be covered). We should stop relying on the security professionals and customized education programs of companies to train and educate users because it isn't working. This concept really doesn't work for smaller businesses that can't even afford to develop or implement such programs. We need students entering the workforce to be more educated about security to help protect the companies that they go work for when they graduate. Just because you are an English or History major doesn't mean you won't be touching a computer for the rest of your professional career. Why have we all been accepting of the fact that security is an "IT" related function?

The second issue here stems directly from the lack of choices those wanting to learn about security face. If an undergraduate in computer science or information systems major wants to enter the information security field they will be hard pressed to find anything that will really help them build a solid foundation in this area. The standard two courses that colleges offer are usually cryptography and a general network security course that touches lightly on a few different areas. While these are both good courses there is nothing currently available that will show students how to program securely, defend a network, implement services securely, or become a penetration tester. These are all topics that many IT professionals should know regardless if you are a security professional, developer, or system administrator. Most people you find in these roles today have been hired there from other positions they have held where they *hopefully* have gained some experience in these areas. There are many security professionals today that are so under qualified in the role that they are in, and yet we wonder why major corporations and people's personal data is hacked and stolen all the time?! Seriously though can you really blame the "security guys"? What training is available to them? Someone posed a question in a forum I'm a member of which asked for a recommendation on a training course. This person said their boss wanted the entire IT team to go to a security class on defending a network for system administrators (or something related). Do you know that after a week of suggestions and replies that there really was nothing available for them to attend? The current offerings deal with basic entry level security (like the Security+ classes) or hard core penetration testing (like CEH and SANS). What happened to providing quality education or education at all for that matter?!

I think that both of these problems are serious areas that need to be addressed before you can really answer the question Business vs. Security. If each person in the business had at least *some* knowledge of IT security and security professionals where better trained, companies would have an easier time defending themselves and not have to waste so much time on risk management and remediation from hacks. Companies would also benefit from not having to spend so much on customized training programs, security products, and audits which would in turn increase their bottom line. Seriously...find me a CEO who wouldn't be happy about that!

Lulz Security Strikes Again

2011-06-03T11:43:00.001-04:00

For those of you that have been following security news lately a group called Lulz Security has been hitting some big name targets lately. First they started off with FOX then moved on the PBS and the latest today includes Sony. First off let me make a note that this is the fourth time Sony or one of its subsidiaries has been hacked within the last 45 days.

While I don't condone hacking (unless you have permission first of course), can you really blame Lulz Security? Seriously....when you leave your house do you leave the front door open? If you run into the store for an hour do you leave your laptop and cell phone on the front seat of your car with the windows open?! It's not like Lulz Security is pulling off crazy insane hacks to compromise these sites...they used a basic SQL injection attack! Not to mention that everything they stole from Sony was stored unencrypted....let me say that again UNENCRYPTED! What is wrong with you Sony?!

Once the PS3 network was compromised and 77 million people had their personal information stolen don't you think that you should started encrypting your other databases? I mean seriously why would you take such a risk with peoples personal info like that?

Another thing that I wanted to point out is that Lulz Security has been hit hard by DDoS attacks since announcing that they have made the data they stole available for download on their site. As of this morning their site was unavailable although I'm sure it will come back up again later today. Why would I assume it is going to come back up...well because the team over at Lulz Security actually *knows* a thing or two about security and are leveraging a product from CloudFlare. This not only super charges their site providing them with more bandwidth, but also secures their data in the cloud. Lulz Security has also made mention in their Twitter postings that their F5 is warding off attacks like they are nothing.

Again while I don't condone hacking...kudos to Lulz Security for being able to leverage technology correctly showing companies like Sony what it means to implement a website securely and without issues :-P Companies really need to start asking themselves...if hackers can break into their networks and websites...why is it that their very skilled, highly paid, security team can't protect against these attacks? Many it is time for companies to start re-reevaluating their security staff and stop blaming people like Lulz Security for breaking into their site!

I will update here as more information about these particular hacks or more hacks from Lulz Security develop.

Zabbix Cross-Site Scripting Vulnerability

2011-05-23T17:20:00.003-04:00

Apparently it's my lucky day! Second vulnerability found in the Zabbix monitoring platform today. This is a non-persistent XSS vulnerability found in the acknow.php web page. The following bit of code is not sanitized or filtered at all:

When making a request to the acknow.php web page the "backurl" parameter is populated with a value but never checked to ensure it hasn't changed (think integrity checking here). By editing the "backurl" parameter and closing the JavaScript tag it is a part of you can complete a block of code. Notice the underlined bit in red...this closing tag allows us to end one code block and then create our own injecting the XSS script. Here is the initial web page:

You can go ahead and insert any text in the message field it is irrelevant. Use a proxy to capture the request and manipulate the "backurl" parameter:

The resulting web page should show you the XSS attack results:

I'm going to have to keep hunting to see if I can find anything else amiss in Zabbix ;-)

Zabbix Cookie Replay Vulnerability

2011-05-23T15:58:00.004-04:00

Everyone should be familiar with monitoring software to some extent. Zabbix is a distributed monitoring solution with an actually large support base. Recently I discovered that you can replay a user's cookie to log in as that specific user without knowing their username or password. The vulnerability works as follows:

Generating an email/phising site/etc you can send the end user a link which would require them to login to the fake site. Once they attempt to login you can log them into the zabbix portal via the API and pass the valid session off to the end user, but not before stealing a copy of the now valid cookie. As long as their session remains valid (ie. they don't instantly logout), you can pass the caputred cookie to the login page and become authenticated as the user. Obviously from here you can change the password and more depending on the permissions level. While this may not give you access to servers and systems directly you will be able to view anything that the Zabbix monitor is setup for and depending on your Zabbix configuration remotely execute commands on each agent.

Once you login the following cookie set on your system:

From the image above you can see there is only a single cookie and it is accessible via script. Once your end user has logged in go and visit the URL of the login page to obtain a cookie (a new value for the content field is generated but will be overwritten so it doesn't matter). Replace the content field with the value stolen from the user's cookie:

Once you save the cookie, just refresh the page, and you should be authenticated:

If the user logs out before you have had a chance to conduct the attack it won't work. The cookie is generated based on the sum of the following equation: MD5(username, password, current time). The session is then recorded in a data with the MD5 and changed every time your login/logout/close the browser. There is also a timeout value that you can set to force a session invalid, but it doesn't prevent this attack. Once you are logged in, change the user's password to maintain access.

Game Over.

Disclaimer: So far I have confirmed this works in all version of 1.8.x and 1.9.x of Zabbix. The vendor has also been notified of the issue. One idea would be to use a session ID to validate that only one session at a time can make use of a cookie value.

LinkedIn Cookie/Session Vulnerability

2011-05-23T09:39:00.000-04:00

Well it isn't *really* a vulnerability as much as it is a design / architectual flaw. When you visit a website that uses cookies, the cookie set when you login. When the cookie becomes set there is usually a time value associated with the cookie representing how long the cookie is valid for (which is essentially how long it will be until you need to re-authenticate to the site). Usually you will see a cookie set to expire 24 - 48 hours after it is set. Some sites like Google allow you to keep your cookie valid for a period of 30 days so you won't have to login every single time. Banks on the other hand usually only allow for a few hours with a 10 - 15 minute timeout of inactivity. Given all this what really is the problem with LinkedIn then? Well a cookie that has not yet expired can be used to authenticate to a site, possibly without knowing the username or password of the user. The question now remains, "how is LinkedIn Vulnerable then"?

I'm sure many of you are now looking up your LinkedIn cookie in the browser and reviewing some other cookies for other sites too. You may have noticed that many other sites don't expire their cookies for a year either. The issue here isn't that the cookie doesn't expire for a year; it's that the what is contained in the cooke doesn't expire for a year. For example here is what you might see:

Notice that the auth cookie is valid for one year. Normally this wouldn't be an issue because the web application should still expire the session and force a new login when an "old" cookie is pushed up to the server during login. With LinkedIn this isn't the case. Even if you change your password and/or logout...the "old" cookie is still considered valid and can be used to replay the session. If you copy the Content section of this cookie, then login/logout of LinkedIn, the value of content should change. Just paste back in the original value and the cookie should still work no problem.

This is actually a simple fix on LinkedIn's side in that they should not allow "old" cookies to be used after the session is expired or timed out. Hopefully they will update this soon, but in the meantime you can delete your cookie after visiting the site or ensure that no one steals your cookie until they perform an update.

Disclaimer: Rishi Narang is the person who discovered this vulnerability in LinkedIn's site. This post is just an explanation of the issue.

OWASP Challenge!

2011-04-26T11:15:00.002-04:00

If you haven't already signed up you should head over to the OWASP Hackedemic Challenge! OWASP has a fairly new open source project called OWASP Hackademic, which is really good for testing your web application security skills. The open source version of the project can be found at:

https://www.owasp.org/index.php/OWASP_Hackademic_Challenges_Project

In addition to the open source project there is a live version online! There is a new challenge every week with the online versioin and the challenges range from quick and easy to "really make you think". Take a look at the live version and see if you can complete each of the 3 challenges each week:

http://www.hackademic.eu/index.php

Are TV Shows Exposing Personal Data?

2011-04-24T21:51:00.000-04:00

Every Friday for the last few weeks I sit down to watch my new favorite show, "Shark Tank"! For those of you that don't know/follow the show let me give you a quick run down. There is a panel of 5 billionaire investors that hear sales pitches from entrepreneurs who think that they have the next big "thing". These investors, also called sharks, will either reject the deal presented to them or accept the deal and possibly fight the other sharks. The concept of the show is great and it's amazing to see the things that people think of! So what does this show have to do with your personal data?! Let me tell you...

According to recent information there are about 6 million people or so that are watching this show every Friday night. Now that is a fairly decent audience that is being exposed to whatever the entreprenuer is demonstrating that night and of course...their products. These 6 million viewers actually have a huge impact on the security of the small business that each entreprenuer has (I will explain how in a second). For those of you that aren't aware, small businesses make up 85% of the business in the USA. Unless you have a decent technical background, a good technical friend, or unlimited time on your hands; chances are you hire someone when it comes to the technology aspect of your small business. Here are the common items usually needed when setting up your technology for a small business:

Website
E-Commerce System (Shopping Cart or Ordering System)
Hosting provider (to host your website)
Possibly a database (to track orders / customer data)
Email

If you are like the average small business owner you are going to hire someone to help you put all this together. A web design company for your website and e-commerce, someone else to setup the website on the hosting provider, and yet another to configure your email and software. You could also hire the same company to do all of these things for you. So where exactly is the problem? Well...most of the small business owners are actually using other small businesses to setup/design/deploy the above items. Most small businesses also aren't trained properly to code/setup/design websites and e-commerce sites securely (largely in part to the fact that they are a small business and don't have a huge training budget or staff to train them properly).

So here is where TV and Shark Tank comes in. Last week a woman who makes cakes went on the show and pitched her cakes as "the best". It turns out that people really like cake and decided to visit her website and possibly buy a cake. Out of the 6 million people watching somewhere around 75,000 of them tried to access her website at the same time within an hour, inadvertently causing a Denial of Service (DoS) attack on her website (this is where the website goes down because of too many requests at the same time). Once the site came back up, Twitter was all buzzing about the tons and tons of people that ordered a cake from her site. Being intrigued myself I looked around her website and actually found an error or two. Then I checked the website of another small business owner that appeared on the show earlier that same day, and again found a few errors. My point here is that these websites shouldn't be causing errors and these errors could *possibly* be security holes due to quick or inexperienced technical persons setting up the site.

Imagine if you were one of the 75,000 people who ordered a cake only to find out that the website you ordered a cake from was compromised?! You name, credit card, etc. are now in the hands of a malicous user and you probably won't know because small businesses don't usually have the resources to detect these kinds of attacks. While I'm obviously talking in extremes at this point, the insecurity of small business websites and serious security concerns is not something we should just ignore. Shows like Shark Tank are exposing small businesses to the masses and customers are flocking quickly to check out the latest products. While small businesses are great and I'm a huge supporter of them, I strongly suggest that all small business owners take the time to invest in security for their websites and e-commerce platforms. Nothing is more embarressing then your entire customer list or credit cards being stolen/exposed...that is defintely one quick way to lose all your customers. Make sure as a small business owner you educate yourself to web attacks like Cross Site Scripting and SQL Injection. Even if you know nothing about technology you should invest the time to learn.

The best defense is a good offense, so small business owners should try the following:

Educate yourself on web application security (OWASP Top 10)
Ensure you use strong passwords when working with small business accounts (Strong Passwords)
Test (or hire a tester) for your website security

If you have any questions about website security or would like any recommendations on companies that can help you with security, you can check out ModLearning or email support [at] modlearning [dot] com. Small business owner questions always welcome.

**I'm not knocking on Shark Tank in any way and think the show is great! I totally feel it is the responsibility of the business owner to ensure website security. There are tons of other shows similar to Shark Tank that drive users to products.**

Password Suggestions?

2011-04-20T15:59:00.000-04:00

It's no wonder that people are choosing bad or commonly guessed passwords today. I was having a look over at Citibank's password policies and it seems that the passwords they suggest to customers aren't very secure. I'm sure Citibank isn't the only guilty party, but I've decided to pick on them today.

Here is what their password policy entails:

Notice the highlighted words they suggest as a combination for your password choice. Using http://www.passwordmeter.com/ as a reference to check the strength of the passwords they suggest, they all seem to score as "weak". While it isn't Citibank's fault when users choose poor passwords, Citibank could take a few extra steps to suggest passwords that are....you know....actually strong?

New Kickstart Module

2011-04-18T22:09:00.001-04:00

One of the most popular pages on this blog is for Kickstart setup and configuration. Now you can check out a new module that is available over at Modular Learning. This module provides step by step instructions to setting up a Kickstart server, Kickstart config file building, and testing a client installation. Also included is some sample config files.

Check out the new course @ http://modlearning.com/kickstart.php

A more advanced course for Kickstart is currently being developed as well.

Info Leakage through Web Site Stats

2011-04-05T18:14:00.000-04:00

I went to go check the stats for my blog today and noticed an unusual link listed as being monitored. Upon further research it seems that the link is actually a web page from the blog that someone had downloaded onto their desktop. Looking back at some hits to the site, I noticed that this isn't the first time that someone's local location has been disclosed to my stats counter (see Figure).

You can see that the location of the user's desktop is shown (even though there is no use in that), the person's username (and therefore their account) is being exposed. If you have high profile website that many people are pulling web pages from you could essentially put together a user list, which can be used later on for password guessing. This little flaw is a great example of information leakage.

The Unavoidable

2011-04-04T10:06:00.001-04:00

Ever notice that little fine print at the end of whatever service you are signing up for? It usually has some baloney about being secure, you having a right to privacy, and the that they may/may not share your information with a 3rd party. At the end of the day no one *really* halts the registration process because they are worried about who might be getting their data. While this isn't a huge concern or worry....it becomes a nightmare when you start to find that the 3rd party one company refers to is the same 3rd party another company is referring too.

Over the weekend a massive number of articles and postings about the company Epsilon being hacked. Epsilon, which provides emailing services for about 2500 companies worldwide (about 40 billion e-mails a year), disclosed that they had been hacked...with hackers taking only first names and email addresses (so far). The average person might be thinking at this point, "Who cares I've never even heard of Epsilon?! Stuff like this happens all the time". While normally I would agree with most of you, it turns out that Epsilon manages email for many big name companies including banks.

Here is a list of companies so far that have been affected and have been sending out notices to their customers:

Barclay
Kroger
Brookstone.com
Walgreens
U.S. Bank
New York & Co.
JP Morgan Chase
McKinsey Quarterly
TiVo
Capital One
City Market
Fred Meyer
Fry's
Marriott Rewards
Ritz Carlton
Smith Brands
Citi
Home Shopping Network
Dillons
Jay C
Food 4 Less
King Snoopers
QFC
Ralphs
Ameriprise
Disney Destinations
AbeBooks
RobertHalfTechnology

For those of your browsing this list...your eyes might be getting bigger by the second. These aren't small companies. The fact that so many companies are looking foolish because of placing their trust in the same 3rd party for email really makes me start to wonder why there aren't any audits or safeguards in place for things like these. While we can't be protected from everything it's pathetic that such a simple hack affects such high profile companies and the phising/spamming that is about to ensure is going to be unreal....

UPDATE - Add a few more to the list:

Target.com
Best buy

There are about 50 major companies on the list so far....

Official Book Announcement

2011-04-03T10:27:00.000-04:00

I know it's been a long time come and I'm sorry to all for the delay! The digital release of my book is now available at the InformIT website:

http://www.informit.com/store/product.aspx?isbn=0321767950

The hard copy of the book will also be available sooner than I anticipated as well (coming between April 20th and April 30th). You can purchase a hard copy through Amazon, InformIT, and others:

http://www.amazon.com/Hands--Guide-Red-Hat-Exams/dp/0321767950/ref=sr_1_3?ie=UTF8&qid=1301840369&sr=8-3

As more sites make the book available for order I will add them here.

Thanks to all those that have provided feedback so far and good luck to all that are preparing for either the RHCSA or RHCE exams!!

Screen Scraping (XSS Hunting)

2011-04-01T09:38:00.002-04:00

I was working with Damn Vulnerable Web App (DVWA) yesterday and the XSSMe plugin for Firefox and I wondered how hard it would be to write my own. While this is a great plugin and very useful, I'm more of a command line person. For those of you that haven't used the XSSMe plugin, it will search for all <input> tags on the current web page and then present you will a list of pre-defined strings you can use to exploit XSS.

I wrote up a quick demo of something similar on the command line which gives a little more info than the XSSMe plugin, but still accomplishes the same goal. Here is the code:

from HTMLParser import HTMLParser
from urllib2 import urlopen


sites = []


class Spider(HTMLParser):


 def __init__(self, url):
  HTMLParser.__init__(self)
  req = urlopen(url)
  self.feed(req.read())
 
 def handle_starttag(self, tag, attrs):
  if tag == 'form' and attrs:
   print ""
   print "---- Form Found ----"
   print "Num of attributes: " + str(len(attrs)) + "\n"


   for key, value in attrs:
    print "[" + str(key) + "] -> [" + str(value) + "]"


  if tag == 'input' and attrs:
   global sites
   for key, value in attrs:
    if key == "name" and value != "":
     sites.append(value)


print "Enter a URL (ie. http://example.com)"
start_url = raw_input()
print ""
print "***** Starting Scan *****\n"
print "URL: " + start_url + "\n"


Spider(start_url)
print ""
print "There are " + str(len(sites)) + " possible targets on this page:"
print sites
print ""

When you launch this little python script it will prompt you for a URL. The script will connect to the URL entered and hunt for any <form> elements. It will output the attributes associated with the elements allowing you to see what method is being used and what action is being performed. Once all the <form> elements are collected it will then move on to <input> tags. All entries found will then be displayed as "possible" targets. Although this isn't a complete script XSS automation tool...it is a good start to collect possible targets on a web page. Here is a sample:

Enter a URL (ie. http://example.com)
http://new.babbaco.com

***** Starting Scan *****

URL: http://new.babbaco.com

---- Form Found ----
Num of attributes: 5

[id] -> [search]
[class] -> [search]
[action] -> [http://babbaco.com/SearchResults/tabid/37/Default.aspx]
[method] -> [get]
[role] -> [search]

---- Form Found ----
Num of attributes: 4

[name] -> [news]
[form] -> [None]
[action] -> [/thanks]
[method] -> [GET]

---- Form Found ----
Num of attributes: 2

[action] -> [/thanks]
[method] -> [GET]

There are 4 possible targets on this page:
['Search', 'email', 'enter', 'email']

From the output here you will see that there are three forms on this page and four possible targets to examine. Each form uses the GET method so it should be pretty easy to send a response to the server with pre-defined XSS strings to test for vulnerabilites.

You could further extend this script by allowing it to spider across the entire site recursively and/or save the output to a file. Furthermore you could also define some XSS strings to GET/POST back to the site using the "possible" targets list generated (you will know which method to use based on the forms shown from screen scraping).

Compiling Snort

2011-03-30T14:38:00.000-04:00

Installing Snort is never an easy task, particulary on CentOS which has packages slightly older packages in their repositories. This post isn't a complete walk through of installing Snort, but will guide you through the compiling of Snort for the latest version of CentOS (5.5).

First off, you should take notice that the version of libpcap (required by Snort) is outdated in the CentOS repositories. They are only up to version 0.9.4.

# yum info libpcap

The latest version of Snort requires libpcap >= 1.0. The latest version of Snort (2.9.0.4), requires you to also install the daq-0.5.tar.gz files (you can grab these from the Snort.org website). This depends on libpcap >= 1.0 in order to compile as well. Strangely daq also doesn't look for libpcap in the correct place (it searchs /usr/local) so you will need to make an adjustment for that.

First remove the current version of libpcap since it is doing us no good:

# yum remove libpcap libpcap-devel -y

Download the latest version of libpcap, daq, and snort. While you are downloading things you should also grab a copy of libdnet because it's required for the latest version of Snort on CentOS as well. Next create a single directory structure for easy compiling:

# cd ~
# mkdir snort && cd snort

Put all your downloaded files into the ~/snort directory. Untar each of the files that you just downloaded (your directory should look as follows):

# ls ~/snort
daq-0.5 libdnet-1.12 libpcap-1.1.1 snort-2.9.0.4
daq-0.5.tar.gz libdnet-1.12.tgz libpcap-1.1.1.tar.gz snort-2.9.0.4.tar.gz

First compile the libdnet libraries because they are a straight forward ./compile, make, make install. Second you will need to do libpcap.

# cd libpcap-1.1.1

Use the following to change the default install directory:

# ./configure --prefix=/usr

Finish off with the standard make and make install. Once libpcap is done compiling successfully you will need to make sure that you export the newly created libaries or you will get errors when attempting to compile daq.

Export the new libraries:

# ldconfig

To verify you can run:

# ldconfig -p | grep libpcap
libpcap.so.1 (libc6,x86-64) => /usr/lib/libpcap.so.1
libpcap.so (libc6,x86-64) => /usr/lib/libpcap.so

Now you can move on to compiling daq:

# cd daq-0.5

This should also be a straight forward ./configure, make, make install. If everything was successful you should see the following:

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : no
Build PCAP DAQ module...... : yes

If you are getting errors that the libpcap version <= 1.0 make sure that you have exported the libaries like I mentioned above. Finally you can move on to compiling Snort itself.

# cd snort-2.9.0.4

Since I'm on a x64 bit platform I will need to change my MySQL option slightly from the x86 version:

# ./configure --with-mysql-libraries=/usr/lib64/mysql/ --enable-dynamicplugin

For you x86 users just use:

# ./configure --with-mysql --enable-dynamicplugin

To finish off you can do the standard make, make install. Again, this isn't a full guide on how to install and setup Snort, but compiling it is usually the hardest part. Hopefully you will find this information useful when attemping this on CentOS 5.5. If I missed anything or you run into trouble just let me know.

Client Side Filtering - Don't do it!

2011-03-29T16:53:00.001-04:00

After perusing Twitter for my daily dose a few people were talking about the following site:

http://www.cadw.wales.gov.uk/

Now at first glance you wouldn't think that anything was wrong with this site. If you look a little deeper though (think evil hacker), you'd notice the cool little search field on the left side of the page. These kind of input boxes are generally filtered so as to not allow malicious users to inject anything into back end databases for perform cross-site scripting. When doesn't this work? When you put the filtering on the client side in the source code of the page!!! Viewing the source code of the page you will see the following snippet:

var IllegalChars=new Array("select", "drop", ";", "--", "insert", "delete", "xp_", "update", "/", ":", "char(", "?", "`", "|", "declare", "convert", "cast(", "@@", "varchar", "2D2D", "4040", "00400040", "[", "]");
var IllegalFound=new Array();
var IllegalCharsCount=0;

It doesn't take much to understand what this site is trying to *prevent* from happening here. What you could do to bypass is intercept the response to the server and re-include any filtered out web attack you'd like! Honestly people...if you are going to spend the time implementing security on your webstite; do it right.

Epic Fail...

Training Site Launch!

2011-01-11T14:01:00.000-05:00

The training site has launched! Check it out at http://modlearning.com and provide any feedback you might have. Hoping to have the first courses and modules live by the end of the month.

Quick Update

2011-01-10T07:59:00.001-05:00

So I know most of you are still waiting on the book. I have been wrapped up in a work project this week migrating our data center. The digital release (ebook) should be coming next week and the hardcover should be available in April. When the digital release comes out I will also post the scripts for the book along with the digital release.

On a separate note my training company will be going live in February so don't forget to check back for updates and the official launch.

** UPDATE: The rough cut edition of the book is available through Safari Online Books.

http://my.safaribooksonline.com/book/certification/linuxplus/9780132686075

10,000 Page Challenge (2011)

2011-01-02T17:19:00.001-05:00

For those that have been following along last year you know that one of the forums that I am a member of does a challenge every year to see if you can read 10,000 pages. It doesn't matter what books or topics. Since I read a lot throughout the year on a wide variety of topics I figured it would be easier to share here and others can see what I have read. It is time to kick off the 2011 10,000 page challenge. You can also view last years results here.

Books Read This Year

Too Big to Fail (640 pages)

NX-OS and Cisco Nexus Switching (480)

Total Pages: 1120

2010 Wrap Up

2010-12-23T11:20:00.001-05:00

First I want to say Happy Holidays to all!

Second I wanted to wrap up the year with a recap of a few projects that have been going on. The book that I am writing is finished (finally)! Hopefully I will have some more time now to devote to blogging. I will announce a release date for the book come January 3 2011. The digital edition will be available on Safari books online for those that prefer digital to physical books.

For anyone that has been following along with the 10K Challenge it is time to sum up your totals and see where you landed for the year. I didn't break the 10K mark although I was close. If you didn't get a chance to participate this year you can read about the details and hopefully join us next year for the 2011 10K Challenge.

Finally I wanted to announce that I will be starting an online training company! Inspired by writing my book I think that training in the IT field can be better (and cheaper). Starting mid January I will be launching an online training company that provides courses and modules for IT certification, sales, and other hot topics in the IT field. One of the most viewed pages on this blog is about kickstart...so naturally I will be starting with some great modules on kickstart. They will include videos, sample config files, troubleshooting, and more! You can bookmark the site Modular Learning and check back in January to see our launch and announcements!

Red Hat Exam Changes

2010-11-15T09:14:00.001-05:00

At the beginning of this month Red Hat announced the release of RHEL6. While everyone has been waiting a while for this release it includes a significant number of changes, updates, and fixes. The scalability for RHEL6, particularly in the data center, has been improved as well. One thing however that many people were not aware was coming is a complete change to the Red Hat certifications.

First up the RHCT has been immediately retired. It has been replaced with a new certification called the Red Hat Certified System Administrator (RHCSA). For those that already hold an RHCT certification will receive this new one in its place. Red Hat claims that being certified with a title of "System Admin" vs "Technician" makes a large difference when searching for a job (as well as peoples egos). While this may be true, the new exam also includes a completely revamped set of requirements. Also as a complete surprise the RHCSA is now a pre-req to anyone going for the more advanced RHCE exam (you can take the RHCE without an RHCSA, but you won't receive the actual certificate until you have your RHCSA). The cost for this new exam is $400. You can find the new exam objectives here:

https://www.redhat.com/certification/rhcsa/objectives/

Second, the RHCE exam has changed as well. While a great deal of material stayed the same (I'd say about 60%) for the RHCE, the services that you are required to know also became more detailed in the amount of topics you need to know. Due to this exam now having a pre-req the cost for the RHCE has dropped to $400 (down from $800), making it easier to obtain each exam for the price of $800. The downfall here is that you are required to know more for each exam. You can find the new exam objectives here:

https://www.redhat.com/certification/rhce/objectives/

For anyone that already has version 5 of either Red Hat exam already schedule I would recommend checking with your testing provider as there are conflicting reports of which version of the exam you will actually be allowed to sit for. According to Red Hat's website about 90% of testing centers will no longer allow you to book the old exam. While I welcome a revamp to the Red Hat certification program I think there could have been a warning to those in the process of studying. You can't change an entire program over night and expect that everyone will be alright with it, not to mention that the new exams are harder and cover more material. I think that the biggest downfall here is that there is currently no books or study material on the market for these new exams and while Red Hat has also re-done all of their training courses they are each about $3000 (there are three training courses covering all the material from RCHSA to RHCE for a total of about $6000). It is still too early to tell what kind of impact these exam changes will have, but I can tell that changing the exams and certification process without warning has left a bad taste in many peoples mouth.

Checkpoint CCSA Self Study Course Review

2010-10-29T13:29:00.001-04:00

There has been a few people talking about self study for Checkpoint lately and being lucky enough to have my job pay for the training materials I thought I'd do a quick review for everyone else considering this path. First I want to start off saying that Checkpoint's website for ordering is horrible! I tried ordering the latest version of this product in three different browsers and their site doesn't recognize their product as an item (not cool). So, instead of buying the R71 version I got the R70 version for $600 (they are similar enough). Also as a warning I paid for express 2 day shipping, yet the order took 10 business days to process...so that was pointless. Anyway on to content...

The self study training course includes:

1 Courseware book
1 Lab book
2 CDs that contain all the Checkpoint blade modules
1 Checkpoint backpack
1 Checkpoint mousepad (does anyone use these anymore?)

The course book is broken down into 12 chapters covering the following topics:

Checkpoint software blades
How to install/upgrade/manage an R70 security gateway
How to setup and manage a security management server
Licensing and centralized license management
User authentication (including external authentication against LDAP)
IPS
VPN concepts plus encryption

I read through the course book in 2 days (It's just shy of 500 pages cover to cover). The editing as far as image placement/quality and grammar checking could have been better. I found a handful of things completely mis-spelled and there are a few images that are just completely impossible to make out. The book is written by about 10 different engineers that contributed to different sections, so the book reads more like a compilation of study notes then an actual book. There are numerous references to R65 products and usage (which you can see in the screen shots as well), which isn't on this exam. You can also see that come of the screen shots have entries from 2006 while others from 2008...leads me to wonder how much of this book was really updated for R70 content to begin with.

I'd say if you know nothing about Checkpoint or their products this book might help you clear things up. That being said the book was written for those with 6 - 12 months of experience to take their exam...at which point you'd know how to do most of the tasks in the book. For someone that is seasoned or even some what experienced with Checkpoint products, I'd say forget this book as it is not worth $600, poorly written, and you can find most of the documentation for the products more useful than the content laid out in the book.

The lab book is decent for those that wish to practice or have no real world exposure to Checkpoint products. Although the lab book is about 300+ pages and includes 12 labs...much of the content is one liner directions or white space for page filling.

In closing I wouldn't recommend the self study course to anyone...it's not worth the $600, you can do better through research or having someone teach you (a friend or co-worker maybe), and the mistakes/outdated references just add negative feelings toward this course as a whole. There are also no sample test questions to help you actually prepare for the exam either. I'm still on the fence about buying the CCSE course given the quality of this one, however I might just to review it. Maybe someone will step up and write a book for this exam although that hasn't been done since the R65 version came out in 2006.

Cisco CCSP Exam Change

2010-10-20T19:27:00.001-04:00

For those of you in the networking world (or looking to get into it), Cisco is making some changes to their professional level security track. The CCSP exams will be changing over to the CCNP:Security. Personally I think this is a good refresh for this track as it has long been plauged as a hard track to follow with no real resources available. With the change over Cisco will be releasing official books for each exam in the new track as opposed to leaving it up to us to hunt down the appropriate resources. There is also a new focus on the exams to shift away from products like Cisco CNAC and Cisco MARS. It's not clear if these products will go end of life soon or not, but focusing on more core security aspects seems like a good way to go.

The new exams for the CCNP:Security track are as follows:

642-637 SECURE
642-617 FIREWALL
642-647 VPN
642-627 IPS

Thse four exams will be required to obtain the new CCNP:Security certification. Along with the new exams the following books are being released as well:

Secure Quick Reference (eBook) - Coming January 2011
Secure Official Certification Guide - Coming Feburary 2011

Firewall Quick Reference (eBook) - Coming January 2011
Firewall Official Certification Guide - Coming March 2011

VPN Quick Reference (eBook) - Coming January 2011
VPN Official Certification Guide - Coming January 2011

IPS Quick Reference (eBook) - Coming January 2011
IPS Official Certification Guide - Coming March 2011

I've been waiting for a refesh on this track for a long time so it will be good to start hitting the books as they come out. Hopefully others will take on this new track as well.

New Twitter XSS

2010-09-21T07:52:00.005-04:00

This morning I was looking around Twitter and I noticed that a few people were working on testing a persistent XSS script. Finally someone got it right (not sure who discovered it originally). I was able to recreate what they did for a demo. It seems that when parsing an HTTP link the javascript is executed directly on Twitter. Here is working example:

http://twitter.com/#@"onmouseover="javascript:alert('xss');"/

When you tweet this and then "mouseover" the link you will get a javascript alert provided you aren't blocking scripts (some browsers also block this too). I tested this on Google Chrome (latest release). This goes to show that nothing is 100% secure. I suggest that everyone not use the twitter.com web client until they fix this issue as you can only imagine the amount of attacks that are forth coming.

**Update: The issue is apparently fixed although I have only seen 1 person confirm that. Still waiting for an "official" announcement from Twitter that the issue has been resolved. The code that was vulnerable is actually open source for anyone that wants to take a look.

http://github.com/mzsanford/twitter-text-rb/commit/cffce8e60b7557e9945fc0e8b4383e5a66b1558f

Google Me

2010-08-31T20:59:00.000-04:00

Ever wonder what is out there on the internet about you? Every new and then I "Google" myself just to see what comes up under my name. It is interesting to see what gets reported and also how many "reconnect now" sites are there willing to sell you your entire life history. Make sure you take some time to check that there is nothing out there that is inaccurate about you.

For those looking I am NOT on Facebook!

ShmooCon 2011

2010-08-30T19:08:00.000-04:00

For those of you that are interested the ShmooCon 2011 Call For Papers is now open.

http://www.shmoocon.org/?page=57

If anyone is going let me know, hoping to get a meet up going....

Starting Out With SQL Injection

2010-08-11T21:23:00.006-04:00

Straight from Wikipedia, "SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application". Usually this exploit is because the user's input is not sanitized when it's submitted to a web form or application. On a virtual machine I have DVWA (Damn Vulnerable Web App) setup, which will help us with understanding the more hands-on approach. For those of you that haven't used DVWA before, it is a web application that is full of security holes for you to practice solidify your understanding of web application security. You can grab a copy to follow along.

http://www.dvwa.co.uk/download.php

Normally you won't look at any code when attacking DVWA, however since we are just starting out and learning how SQL injection works I will give you an example to work with. For our injection to be successful we will need to understand just how SQL works. We know from looking over this server that the back end for DVWA is MySQL although the back end database doesn't really matter for this basic example. Suppose you want to query the firstname and lastname of users in your database and the key value would be the user's ID. Your query might look something like:

SELECT first_name, last_name FROM users WHERE user_id = 'jsmith';

The results should come back as follows provided that the user exists:

First Name: John
Last Name: Smith

This is simple enough. What if I wanted to enumerate all the users though without having to check each individual userid by hand? Let's look at a PHP code sample.

<?php

if(isset($_GET['submit'])){

     // Get the user's ID from the submitted form field  
     $id = $GET['userid'];    

     // Build the query  
     $q = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";    

     // Run the query and store the results  
     $r = mysql_query($q);    

     // Check if there were results from the query
     $num = mysql_numrows($r);
 
 if ($num > 0){
 
  $i = 0;
  
  while ($i < $num){
  
   $fname = mysql_results($r, $i, "first_name");
   $lname = mysql_results($r, $i, "last_name");
   
   // Print out the info for the user
   echo 'ID: '. $id .'<br />';
   echo 'First Name: '. $fname .'<br />';
   echo 'Last Name: '. $lname .'<br />';
   
   $i++;
  }
 }
}

This code should be self explanatory. The query ($q) looks for the first name and last name of the user whose id is submitted to the form. Now let's look a little deeper at how we can manipulate this query a little bit. When I enter "jsmith" in the form and hit submit my query is evaluated out to:

SELECT first_name, last_name FROM users WHERE user_id = 'jsmith';

Just like we saw originally. What if I entered a character instead of a user_id? Suppose I put in a single quote (') and submitted the form, what do you think will happen? Turns out that the page displays the following message:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1"

This may seem a little weird at first, but the SQL is actually telling you that the single quote " ' ", which is surrounded by double quotes is causing an error when expanding out the query. The one thing that you will learn with SQL injection is that errors are always a good thing. How can we get the database to display the information of all users? We would have to build an SQL statement that would have to be valid for not only my user_id, but for all user_id fields. Actually the trick isn't to manipulate the field it is to ignore it all together. To perform our first SQL injection we will want to submit the following in the web form:

jsmith' OR 1='1

When you do this you will essentially be submitting an expression as your user_id variable. The SQL query is now going to expand and give you the following:

SELECT first_name, last_name FROM users WHERE user_id = 'jsmith' OR 1='1';

Well we definitely have a user_id named jsmith so that will evaluate to true, however we have also introduced an OR statement. When evaluated the SQL will check to see if there is a user_id = jsmith OR if 1 = 1, which is always true! Since it is always true the results should always be returned and you should now see a list of the first name and last name of all users in the database! Let's look again at how this actually works. Instead of just a user_id being queried for, we created an input so that the first case is either true or false (user_id = 'jsmith') and a second case that will always be true (1=1). Also because of the way we crafted the statement the SQL is well formed (notice the single quote after the user_id to close the first item and the single quote in front of the 1 to close the second item). So our crafted jsmith' OR 1='1 gets dropped into the WHERE clause to form:

WHERE user_id = 'jsmith' OR 1='1';

This is just the beginning of SQL injection and there are tons of different variables to take into consideration when trying to exploit a target. Not all database back ends understand the same syntax, comments for databases are different, and different software prevents certain SQL injections all together! Now that you have seen and done an example though you will have to get familiar with the different types of injection that you can perform. In the next post I'll talk more about SQL injection and in particular how you can use it to map fields in the schema of the database.

LAMP Security - A Case Study of a LAMP Appliance

2010-08-11T19:05:00.001-04:00

Today in this world of cloud computing everyone wants to migrate their applications to some type of hosting platform. The goal is to get your web application up and running quickly without the need for over complicating the configuration of different services (Right now every single security person is probably yelling at me for that last statement). While it is true that you'd want to deploy your application quickly so as to have your customers start using it, you don't want to blow off the configuration details or lack of security. Many of these applications are housed on a LAMP stack, and for those of you that don't know: Linux Apache MySQL PHP. Let's look at a sample deployment scenario, which involves setting up a LAMP stack.

Since I would like to hit the ground running I want a LAMP stack that is pre-configured to start off with. It just so happens that Turnkey Linux makes a pre-made LAMP appliance and ISO. This image is based on Ubuntu 8.04LTS and is updated to include security patches and additional features (see the changelog for complete details). You can run the ISO as a Live CD to test out the product, which is what I'm going to do instead of installing it into the could. By default the following connections are available when the system boots up (all IP addresses are based on a DHCP address my system received during boot).

Web           http://192.168.1.6
              https://192.168.1.6
Web Shell     https://192.168.1.1:12320
Webmin        https://192.168.1.1:12321
PHPMyAdmin    https://192.168.1.1:12322
SSH/SFTP      root@192.168.1.6 (port 22)

This is a large number of connections available for a preconfigured appliance and helpful for those that want many different ways to connect in and work on their system.

Problem #1

Each connection is configured with a login that uses the username 'root' and NO PASSWORD!

Right away we can see that there is an issue with the way logins are configured here. First of all the root user should never be able to connect remotely, let alone have a blank password. Secondly, had the system been configured with a normal user they still should not use a blank password. Many new system administrators that don't always check the connections to their system (sometimes because they may not have even learned how), may forget to shutdown a particular connection or change the password. With a blank password configured on the root account (or any account for that matter), it is only a matter of hours or minutes before you get picked up by malicious users scanning the internet.

Mitigation

Setup default LAMP installs with a specific user that can be used for testing if you are building an appliance, or only create accounts for users that need them. All access to the root account should be cut off and a random strong password should be set. All users accounts on the system should have a password even if just for demo purposes. The following list should also be avoided when choosing a password even if for demo purposes:

admin
password
root
toor

Now that our system is up and running we can start to look around at the default settings and software that comes with it. The most obvious choice is to check out the homepage that the web server displays. Navigating to http://192.168.1.6 brings us to a custom made index.html that presents us with the different ways that we can log into the system. First let us take a look at the PHP info page, which will show us all the information about PHP for this appliance.

Now for those of you that have viewed this page before you already know the wealth of knowledge you can learn about your PHP installation from this page. For those that haven't seen it before you should look through carefully and see what this page exposes about your setup (pretty much everything). We will notice that the version of PHP being used here is 5.2.4, which sadly is out of date.

Problem #2

The current version of PHP is 5.3.3 and if you do a quick check the Ubuntu repositories have version 5.3.2 available. Understandibly no appliance can keep up with the latest versions of everything, but the changelog and Turnkey's site indicate that the last date the appliance was compiled was April 2010 (fairly recently). There was a patch that went into PHP as of version 5.2.6 to prevent SQL Injection as well. Magic quotes are also disabled in this version of PHP however they are in the most recent version of PHP (5.3.3) as well to encourage better programming habits. They depreceated the option in hopes that developers will start escaping their input.

Mitigation

The ISO could have updated their version of PHP to a more recent one. They also could warn users that magic quotes are no longer used for PHP web applications.

Looking elsewhere on this page we can also see that the default server headers show all information about the server, software, and their versions. This is just like opening the door to hackers looking to exploit specific software versions on your LAMP stack.

Problem #3

A few options within the Apache configuration could have provided better security and not caused an information leak of your LAMP software.

Mitigation

Change the ServerToken option in the apache config for the appliance.

To finish up I'm just going to point out a few more details I found when analyzing the Turnkey LAMP stack.

phpMyAdmin is outdate and vulnerable to a number of remote attacks
there is no firewall rules at all to protect the system
root user login is allowed through SSH
the root user for MySQL has no password

This should serve as a good indication that security and configuration of any LAMP stack should be taken seriously, regardless of whether you use a Turnkey product or not. I also want to not that I'm not out to get Turnkey Linux in any way, it just happens to be packaged nicely for analysis and widely used. You can also look at things like Red Hat, which has an even older version of PHP in their repository!! If I ever get some time I'd like to start an open source project that provides a secure LAMP stack. This would provide system admins a hardened and secure platform to build upon and deploy web applications to.

The btrfs File System

2010-08-10T18:57:00.002-04:00

One of the great things that I love about Ubuntu is there 6 month release cycle. It allows you to try out features that you normally would need to integrate into your distrobution yourself. This post isn't about Ubuntu however, it's about the up and coming file system...btrfs. I will start by saying that it isn't currently stable so please if you try implementing it, back up your system first! The file system is being built as a replace for the ext family file system that is used as a default in a majority of Linux distrobutions. Having a new file system however will allow for the integration of missing features from current Linux distros. Let's look at some of the features that btrfs provides.

Online volume growth and shrinking
Online block device addition and removal
Snapshots (w00t w00t!)
Subvolumes
In-place conversion + rollback features

While this isn't all of the features that btrfs offers it is some of the most important improvements that this new file system can offer. The developers are also looking to work data deduplication into the feature set for the stable release. The reason that I mentioned Ubuntu at the beginning of this post is that the developers are currently working toward making btrfs the new default file system for Ubuntu. Since Red Hat has an 18 month release cycle (which is more like 3 years at the moment), and that RHEL 6 is coming out in October of this year it won't have the new file system. The good news though is that you can upgrade any ext family file system to btrfs, which is a huge plus! Another big benefit is that you will be able to run file system checks online and offline. This reduces the downtime needed during maintenance (making your customers happier).

Personally I think that the addition of snapshots to the file system is the best feature. Things like volume shadow services have been around in Windows for a while and it is nice to see that Linux is finally getting support for something similar. This will help many admins with their users that tend to "delete things". As of right now there is still no release date set for the stable release however there are many users that have been running the btrfs file system with no issues. I will warn you again however not to use this on production systems as it is not stable (QA or DEV is always a good choice). Between the large feature set and scalability that this file system provides I'm looking forward to the stable release as it will be a welcome upgrade to the current file systems in use today.

Here is the link showing how the conversion alogrithm works and how you can convert your ext3/4 file system to btrfs (and roll back if you'd like too).

https://btrfs.wiki.kernel.org/index.php/Conversion_from_Ext3

Additional Reading

https://btrfs.wiki.kernel.org/index.php/Main_Page
http://en.wikipedia.org/wiki/Btrfs

Pen Test Audits

2010-08-04T18:53:00.001-04:00

This month I'm looking at auditing. Almost every company has some type of audit process and has to keep records of when they are audited (including the results). I'm running a poll as to how often your company is audited. Here I'm defining the term audit to include: pen testing and/or web application testing. You can vote on the right and we will have a write up on the results at the end of the month.

Got FIOS? Check your router and your connections....

2010-08-04T00:09:00.000-04:00

Recently there has been some controversy about home routers and default passwords. It seems particularly that on Verizon routers users aren't changing their default password and it makes them vulnerable with some of the new attacks coming out. To counter act this Verizon is logging into the routers remotely (using a service port that they have open on your router) and changing the password for you!! By default they have been setting it to the serial number of the router, but seriously talk about privacy invasion?! Disabling this port on your router will help keep Verizon out, but I'm sure it will only infuriate them as well. So if you use FIOS or any other Verizon internet service you may want to check if your password has been changed.

On a similar note I bring this up because aside from passwords being changed firmware is being remotely installed on user's routers as well. While everyone loves a good software update to keep them secure, we don't like it when they break things that were previously working. The new firmware update seems to break Checkpoint's VPN-1 client software, so you'll have to rollback your firmware in order to get it functioning again. I'm all for security, but this is going a little to far...

Site Update

2010-07-28T09:35:00.000-04:00

It's been a busy last two months and I just wanted to give an update that I haven't been posting because I've been working on a book, which has taken up most of my time. I have a bunch of new topics that I will add shortly to try and get back up to speed with blogging. In the mean time I hope to finish up with my book soon.

Disk Partitioning

2010-05-24T15:14:00.000-04:00

Working with disks is an important part to maintaining storage space on your system. When adding more storage or creating it for the first time you will want to partition your disk space into a logical format for use later on. Many installers come with an "automated" partitioning option for those that don't need a custom layout, however most system admins like to layout their own partitions. In my virtual environment I have a server that requires more space which already has Redhat install. To start I created two new IDE disks and made them 4GB each (I'm using virtual box). After the disk creation, boot the server and sign in. The first thing to look at is the amount of disks that are available.

# cat /proc/partitions | grep hd
   3     0   10485760 hda
   3     1     104391 hda1
   3     2   10377990 hda2
   3    64    4194304 hdb
   3    65    4194256 hdb1
  22    64    4194304 hdd

If you are using SCSI disks instead of IDE disks you can just change the command to:

# cat /proc/partitions | grep sd

As you can see we get a listing of three different disks. These are hda, hdb, and hdd. Now that we know there are three disks we want to check out which partitions are currently created on those disks. We can use the fdisk command to view the current information.

# fdisk -l

Disk /dev/hda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14        1305    10377990   8e  Linux LVM

Disk /dev/hdb: 4294 MB, 4294967296 bytes
16 heads, 63 sectors/track, 8322 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hdb1               1        8322     4194256+  83  Linux

Disk /dev/hdd: 4294 MB, 4294967296 bytes
16 heads, 63 sectors/track, 8322 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes
Disk /dev/hdd doesn't contain a valid partition table

You could have also run this command first to gain information about both disks and their current partitions, but it is good to know different ways of obtaining the same information. Based on the current information above we can see a few things about the different disks. The first line specifies the disk and the total amount of storage available for it (IE. Disk /dev/hda: 10.7 GB). Under the disk info we can see the current partitions layed out for the disk. Notice the last line however about "Disk /dev/hdd". It gives information about the disk (it has 4GB of space), however there are currently no partitions on it. Using the fdisk utility we will partition the 3rd disk and create two partitions which we will use later on.

# fdisk /dev/hdd

Command (m for help): m
Command action
   a   toggle a bootable flag
   b   edit bsd disklabel
   c   toggle the dos compatibility flag
   d   delete a partition
   l   list known partition types
   m   print this menu
   n   add a new partition
   o   create a new empty DOS partition table
   p   print the partition table
   q   quit without saving changes
   s   create a new empty Sun disklabel
   t   change a partition's system id
   u   change display/entry units
   v   verify the partition table
   w   write table to disk and exit
   x   extra functionality (experts only)

First we will use the 'p' command to print out the current partition table (which shouldn't exist but let's just verify).

Command (m for help): p

Disk /dev/hdd: 4294 MB, 4294967296 bytes
16 heads, 63 sectors/track, 8322 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes

   Device Boot      Start         End      Blocks   Id  System

As you can see there is nothing here. However we can see that we have 4294 MB of space to work with when dividing up the partitions on this disk. For ease of use we are going to cut this disk directly in half. We will create two paritions each with half of the disk space available, verify they are correct, and then write the changes to the disk.

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-8322, default 1): 
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-8322, default 8322): +2147M

Since we are cutting the disk in half based on the MB available we use the +sizeM syntax (as shown above). We could have divided the disk based on KB or cylinders if we wanted too. This creates the first partition, now lets make the second.

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (4162-8322, default 4162): 
Using default value 4162
Last cylinder or +size or +sizeM or +sizeK (4162-8322, default 8322): [Press Enter]
Using default value 8322

For this partition we don't need to specify a partition size because by default it will grow the partition to the size remaining on the disk. When asked what the size should be, pressing enter will just allocate the remaining disk space available. Next let's verify our newly created partitions:

Command (m for help): p

Disk /dev/hdd: 4294 MB, 4294967296 bytes
16 heads, 63 sectors/track, 8322 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hdd1               1        4161     2097112+  83  Linux
/dev/hdd2            4162        8322     2097144   83  Linux

You can see here the two partitions that we just created and based on their block size they are almost identical in size (there is some variation because of reserved space, superblocks, and other factors). Finally let's write the changes to disk.

Command (m for help): w

The partition table has been altered!

Calling ioctl() to re-read partition table.

Syncing disks.

And verify one last time:

# fdisk -l

Disk /dev/hda: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hda1   *           1          13      104391   83  Linux
/dev/hda2              14        1305    10377990   8e  Linux LVM

Disk /dev/hdb: 4294 MB, 4294967296 bytes
16 heads, 63 sectors/track, 8322 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hdb1               1        8322     4194256+  83  Linux

Disk /dev/hdd: 4294 MB, 4294967296 bytes
16 heads, 63 sectors/track, 8322 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/hdd1               1        4161     2097112+  83  Linux
/dev/hdd2            4162        8322     2097144   83  Linux

It is important to note that the default is to create the partition using a Linux System ID. Should you want to create the partition in a different format you can use the 'l' option to list all the supported System IDs and the 't' option to change the partition type. The fdisk utility is quiet useful and quick if you'd like to divide the disk in a hurry. There is another utility called "parted" that offers similar functionality and more options as well. I would advise looking into both fdisk and parted, using both to create partitions, and seeing which one you are more comfortable with. The last utility that I would mention as well is the "partprobe" command. When run it forces the kernel to re-read the partition tables. While utilities like fdisk and parted do a decent job of updating the partition tables if you ever find something off after making changes to partitions, try running partprobe and letting the kernel update the partition tables.

Redhat Client Networking & DNS

2010-05-24T15:07:00.000-04:00

Networking in Centos/Redhat is pretty straight forward. First we will look at our ip address configuration and the files used to edit this information. Each network interface has its own config file that follows the format ifcfg-ethX where X is the number of the network card. We can use any editor to make changes to the configuration file.

# cd /etc/sysconfig/network-scripts/

# nano ifcfg-eth0

Our config file looks like the following:

DEVICE=eth0

BOOTPROTO=dhcp

HWADDR=00:11:22:33:44:55

ONBOOT=yes

TYPE=Ethernet

We can see here that the DHCP protocol is in use and that it is active during the boot process. We can determine then that this client is using DHCP to obtain an ip address from a DHCP server. We can verify this with:

# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55  
          inet addr:172.168.1.203  Bcast:172.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe30:74aa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19942 errors:8 dropped:0 overruns:0 frame:0
          TX packets:966 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2056708 (1.9 MiB)  TX bytes:176542 (172.4 KiB)
          Interrupt:10 Base address:0xd020

Perhaps though we want to change this network interface to have a static ip address that will never change. We can edit the network interface config file to look like the following:

DEVICE=eth0

BOOTPROTO=none

HWADDR=00:11:22:33:44:55

ONBOOT=yes

TYPE=Ethernet

USERCTL=no

IPV6INIT=no

PEERDNS=yes

IPADDR=172.168.1.1

NETMASK=255.255.255.0

GATEWAY=172.168.1.1

Once complete you will need to restart the networking service for the changes to take effect.

# service network restart

or bring down just the eth0 interface (if you have multiple adapters):

# ifdown eth0

# ifup eth0

You can verify with the ifconfig command again to make sure that your static ip address is set correctly. Aside from ip addresses you might also want to specify the DNS server for the client to use. This config file is contained in /etc/resolv.conf.

# cat /etc/resolv.conf

search mydomain.com

nameserver 172.168.1.1

nameserver 172.168.1.2

This config file is pretty easy to understand. The first line is the domain which we want the client to search when making requests (the domain that the client belongs too). The nameserver directive tells the client what the primary and secondary DNS servers are that it should use when making queries.

Editing config files by hand however is not always the most efficeint way of doing things. We can use some built in tools to help us configure ip addresses, gateways, and DNS information faster.

# system-config-network-tui

This will open a menu driven configuration utility on the command line, which will allow you to configure the network interfaces, add a new network interface, and edit the client DNS information. This method is much faster and easier to use. You still will need to restart the networking service in order for these changes to take effect. You can verify these changes however by checking the contents of the config files.

# cat /etc/sysconfig/network-scripts/ifcfg-eth0

# cat /etc/resolv.conf

# ifconfig eth0

PXE + Kickstart, Automating CentOS/RedHat Installs

2010-04-15T13:00:00.010-04:00

***UPDATE - Check out the new module for Kickstart @ http://modlearning.com/kickstart.php. It includes images, sample kickstart files, and more. A more advanced course for Kickstart is currently being developed as well.***

In a previous post we looked at the install and setup of a kickstart server. One of the last steps that had to be taken as the client was to use an "append" at the boot prompt to assign the client a static ip address. This time we are going to look at setting up PXE services for clients to create a truly "hands-off" approach to installing desktops and servers with kickstart. I will be using the HTTP protocol again for my kickstart and I must say resources out there for the PXE/Kickstart/HTTP are really limited. It took a lot of trial and error to get this working, however the FTP and NFS method are much easier to implement.

You should already have a working kickstart server in place before setting up anything else in this post. For those that don't as a quick refresh you should have the following directory structure:

/var/www/pub
|-- CentOS
|-- images
    `-- pxeboot
|-- isolinux
    `-- isolinux.cfg
|-- kickstart
|-- repodata

In the pxeboot folder should be vmlinuz and initrd.img files, and the kickstart folder should contain your kickstart file (test.cfg in our case). You can also refer to this earlier post to setup this up. Next you will need to setup a DHCP server first.

# yum -y install dhcp

# cp /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample /etc/dhcpd.conf

# vi /etc/dhcpd.conf

## /etc/dhcpd.conf file ##
ddns-update-style interim;
ignore client-updates;
authoritative;
allow booting;
allow bootp;

subnet 172.168.1.0 netmask 255.255.255.0 {
   # default gateway
   option routers    172.168.1.1;
   option subnet-mask   255.255.255.0;
   option domain-name   "mydomain.org";
   option domain-name-servers 172.168.1.1;
 
   # EST Time Zone
   option time-offset   -18000; 
 
   # Client IP range
   range dynamic-bootp 172.168.1.100 172.168.1.1.200;
   default-lease-time 21600;
   max-lease-time 43200;
 
   # PXE Server IP
   next-server 172.168.1.1;
   filename "pxelinux.0";
 
}

## END FILE ##

Now you will need to save the file and set the service to start on boot.

# chkconfig dhcpd on

# service dhcpd restart

Now your DHCP server should be setup and working properly. You can test this if you'd like by allowing a client to lease an ip address from the server to verify that it is working (run the dhclient command on any linux box). Next we will need to setup a TFTP server to server up the PXE file to clients. We will need to install the server and configure it run with xinetd service. Essentially all you need to do is change the "disable" option to "yes".

# yum -y install tftp-server

# vi /etc/xinetd.d/tftp

## /etc/xinetd.d/tftp file ##

service tftp
{
        socket_type           = dgram
        protocol              = udp
        wait                  = yes
        user                  = root
        server                = /usr/sbin/in.tftpd
        server_args           = -s /tftpboot
        disable               = no
        per_source            = 11
        cps                   = 100 2
        flags                 = IPv4
}

## END FILE ##

Save the file and restart the service for it to take effect:

# service xinetd restart

Next is going to be the install of syslinux which is required to allow the clients to actually PXE boot.

# yum -y install syslinux

Simple enough. Next we will need to create the TFTP directory layout for the clients to PXE boot from.

# cd /

# mkdir tftpboot

# cd tftpboot

# mkdir images

# mkdir pxelinux.cfg

# cp /usr/share/syslinux/menu.c32 .

# cp /usr/share/syslinux/pxelinux.0 .

* Some will have to use /usr/lib/syslinux

Now your directory structure should be in place with the required files. Last we will just copy over the kernel for the clients to use when booting.

# cd images

# cp /var/www/pub/images/pxeboot/vmlinuz .

# cp /var/www/pub/images/pxeboot/initrd.img .

Finally we just need to make the PXE file that directs the clients where you boot from.

# cd /tftpboot/pxelinux.cfg

# vi default

## /tftpboot/default ##

default menu.c32

prompt 0

timeout 10

MENU TITLE PXE Menu

LABEL CentOS 5.4 x32

MENU LABEL CentOS 5.4 x32

KERNEL images/vmlinuz

append initrd=images/initrd.img linux ks=http://172.168.1.1/pub/kickstart/test.cfg

## END FILE ##

Once you save and close this file you are done with the setup! There is one small change I forgot to mention...you will need to adjust your firewall settings for these new services.

# vi /etc/sysconfig/iptables

# -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 67 -j ACCEPT

# -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 68 -j ACCEPT

# -A RH-Firewall-1-INPUT -m udp -p udp --dport 69 -j ACCEPT

#service iptables restart

That should do it. Now if many of you haven't guessed by now I use the following addresses on my "lab" network to perform these test installs:

DHCP Server: 172.168.1.1
DNS Server: 172.168.1.1
PXE Server: 172.168.1.1
Clients: 172.168.1.100 - 172.168.1.200

Most of this should be obvious from following this tutorial. Now try PXE booting your client and it should pickup all that it needs from the PXE server, boot the linux kernel into RAM, and begin executing your kickstart file for installation. I will note for those of you that are note using the HTTP protocol (NFS or FTP) there are very few changes that need to be made to this tutorial to make PXE booting work for you. In particular you will have a different directory layout when starting and the /tftpboot/default file will need to have the last line changed to the format of the protocol you are using.

SSH Hardening (Part II)

2010-04-08T15:43:00.000-04:00

Previously we looked at ways to harden the SSH service and reviewed a number of options that can be used in the config file. Here we are going to look at public and private keys to make the SSH service more secure and possibly easier to use. With key authentication users will have a private key (on their local client machines) and a private key (on the server which they want to connect to). When the user goes to log into the server the two keys are used (with an optional passphrase) to allow the user to log in. There are a few steps involved with settings this up, and most importantly is knowing where the keys will be located:

~/.ssh/ -> is the location on the client machine where the private key is located

~/.ssh/authorized_keys -> is the location on the server where the public key is located

Lets look at the steps for setting up key authentication. Login to your client machine and execute the following:

$ ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/home/tc_user/.ssh/id_rsa): [Press Enter]

Created directory '/home/tc_user/.ssh'.

Enter passphrase (empty for no passphrase): [Enter a STRONG password]

Enter same passphrase again:

Your identification has been saved in /home/tc_user/.ssh/id_rsa.

Your public key has been saved in /home/tc_user/.ssh/id_rsa.pub.

The key fingerprint is:

8f:a2:03:e9:5b:df:52:a4:8d:80:ad:3b:50:01:7e:23 tc_user@localhost.localdomain

Here you can see both the private and public key being generated. You should cd over into ~/.ssh and use ls -l to check and make sure that you are the only user that has read/write access to your private key.

$ cd ~/.ssh
$ ls -l
total 8
-rw------- 1 tc_user tc_user 1743 Apr  8 10:32 id_rsa
-rw-r--r-- 1 tc_user tc_user  411 Apr  8 10:32 id_rsa.pub

Now that your private key is in place and secured from other users viewing it you will need to take your public key and give it to your system admin. We are going to assume that you are the admin, so you will take the public key of the user and copy the contents of it into the users account on the server under the authorized_keys file. You should also secure this file:

$ cat ./id_rsa.pub >> /home/tc_user/.ssh/authorized_keys

$ chmod 600 /home/tc_user/.ssh/authorized_keys

There is one final change that you should make on the server. In the /etc/ssh/sshd_config file change the following two options:

PasswordAuthentication no

PubKeyAuthentication yes

This will prevent users from logging on with anything but their public/private key combination. Reload the SSH server for the settings to take effect. Now you should be all set! Assuming that you are not currently logged into the server remotely, go ahead and log in. You should now be asked for a passphrase (which pertains to your password created above and not your system password).

Command line:

$ ssh -i /home/tc_user/.ssh/id_rsa tc_user@ssh_server_ip

Putty:

Under Connection -> SSH -> Auth specify the private key file and then login normally

In one more post we will look at a final program that can be used to take hardening the SSH service one step further.

SSH Hardening (Part I)

2010-04-08T15:39:00.000-04:00

One of the most common uses of remote management in the Linux world is SSH. In another post I talked about setting up an SSH server including a few tweaks to make it more secure. Today though I want to talk about SSH Hardening. Being that it is the most common way into a system it is important that you take the time to harden the service and review any log messages that may be produced. The first thing to look at when hardening SSH is the server's config file which can be found at /etc/ssh/sshd_config.

Lets look at a few options that should be changed in config file:

# Disallow users to forward ports from the server

AllowTcpForwarding no

# Explicitly allow only the follow users

AllowUsers
# The root user should never be able to log in remotely
DenyUsers root
DenyGroup root
PermitRootLogin no
# Don't read the rhosts file of clients
IgnoreRhosts yes
# Display a banner for users
Banner /etc/ssh_banner # You must create /etc/ssh_banner if it doesn't exist
# Send info to the syslog service
LogLevel INFO
# Don't allow anyone to log in without a password
PermitEmptyPasswords no
# Enforce using the more secure protocol (v2)
Protocol 2
# Don't allow X11 to forward anything
X11Forwarding no
# Change the default port to listen on
Port 222

This is a good set of options to configure your sshd_config file with to make the SSH service more secure. On top of locking down the service itself however there are other steps we can take to ensure more security for SSH. We can setup TCP Wrappers to only allow particular hosts or subnets to be able to access the SSH server remotely. The following assumes that I'm only allowing connections from the 172.168.1.x /24 network:

echo "sshd: 172.168.1." >> /etc/hosts.allow
echo "ALL: ALL" >> /etc/hosts.deny

This will allow all clients within the 172.168.1.x subnet to connect into the SSH server (provided they have a valid user account), and it will disallow anything else. One mistake that some people make is assuming this is a firewall, it is not! Conveniently the next topic to touch on is iptables however. For those that prefer the GUI interface there are dozens of utilities that interface with iptables to configure ports and services. Essentially you are going to need to create a rule which allows access to whatever port you have defined the SSH service to run on (port 222 for the example given above). For those following this guide and the command line oriented:

# -A RH-Firewall-1-INPUT -s 172.168.1.0/24 -m state --state NEW -p tcp --dport 222 -j ACCEPT

At this point you should be all set with the hardening for SSH. You will want to restart the iptables service and the SSH service so that all the new settings take effect, and then test out your connections.

# service iptables restart
# service sshd restart

Below is just a sample sshd_config file to show what it looks like with all the changes made. Most sshd_config files will be longer and have more options to set or choose from. Check the official documentation for a full list of options.

### Sample sshd_config File ###

# General Options
Port 222
Protocol 2
AllowTcpForwarding no
Banner /etc/ssh_banner
IgnoreRhosts yes
X11Forwarding no

# Logging
SyslogFacility AUTHPRIV
LogLevel INFO

# Authentication
PermitEmptyPasswords no
DenyUsers root
DenyGroups root
PermitRootLogin no
AllowUsers jsmith
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL

In a separate post we will talk about the use of public/private keys with SSH making the service even more secure and for home users, easier.

An Interesting XSS

2010-04-07T12:29:00.000-04:00

Reading another blog (SkullSecurity) the poster was talking about XSS attacks. While these are a common in many web applications today it is hard to find an XSS that will provide useful. There was also a discussion about creating an XSS within the HTML img tag. Curious I decided to see if I could replicate this, so on my Apache server I created a simple "Hello World" page. In it I put the following:

    <img src="" />

I pulled up Google Chrome and loaded the web page to find nothing more then the words "Hello World" and a broken image. Now I went back and adjusted the page with the following:

    <img onload="alert('XSS')" src="" />

Save and reload the page. Sure enough I'm greeted with the pop up! Now before you go plotting world domination there are some things to consider with this. This may be a quick and dirty XSS trick but it isn't as easy to get img tags into a web page. I spent some time looking around for forums or other posting sites where I might be able to try this out more effectively and there aren't many that I can find. However, like the poster at SkullSecurity mentions, image getting this into a webpage without anyone detecting it. This could cause alot of damage and just goes to show why we should all take security seriously. This won't work in IE8 or Firefox 3.6 which is why I used Chrome. It will probably work however if you have an older browser however.

Getting Started With SELinux

2010-04-07T12:26:00.000-04:00

One topic that I have tried to stay away from is SELinux. Why? It is a large, time consuming, and complex topic that you really need to work with to gain a good understanding of how it works and how to effectively create policies. Many people that work with it usually turn it off as a first step when building a server. Another way to use SELinux more effectively would be to enable it, but set it to "permissive". This way while everything will still be allowed it will be logged. While it isn't imperative to have it running it does add another layer of security when used properly. I finally decided that it was time to start taking a look into this topic. I am currently using SELinux for my Apache servers, which allow me to add security and flexibility with controls.

First lets check to see if SELinux is running and what the status is set too. You will need to be the root user and then you can run the following:

# sestatus
SELinux status:               enabled
SELinuxfs mount:              /selinux
Current mode:                 permissive
Mode from config file:        permissive
Policy version:               21
Policy from config file:      targeted

Here we see that SELinux is enabled and the current mode is set to permissive. If you do not have SELinux enabled or you want to change the settings of it, you will need to edit the /etc/selinux/config file and reboot your machine. It will relabel the drive and its files to match the new policy and remain persistent across all further reboots. Next I want to look at what the Apache process is running under for SELinux. This can be done by:

# ps -ZC httpd
LABEL                            PID TTY       TIME CMD
system_u:system_r:httpd_t        2180 ?        00:00:00 httpd
system_u:system_r:httpd_t        2184 ?        00:00:00 httpd
system_u:system_r:httpd_t        2190 ?        00:00:00 httpd
system_u:system_r:httpd_t        2191 ?        00:00:00 httpd
system_u:system_r:httpd_t        2192 ?        00:00:00 httpd
system_u:system_r:httpd_t        2193 ?        00:00:00 httpd
system_u:system_r:httpd_t        2194 ?        00:00:00 httpd
system_u:system_r:httpd_t        2195 ?        00:00:00 httpd
system_u:system_r:httpd_t        2196 ?        00:00:00 httpd

There are few things to notice here. First you can see normal information about each process (9 in total), including the process ID and its label. The labels are what we need to focus on to better understand how SELinux is handling the Apache process. This should be fairly easy to understand from looking at it; the system_u means that the process is a system user and the system_r means that it is a process and not a file. The third column represents the type however we will hold off on talking about that for the moment. Everything looks good here so far for setting up Apache so lets go ahead and start adding files to the web server.

# cd /var/www/html

# touch selinux_web_ref

# touch index.html

Here we are going into the web directory and creating two files (assuming they don't exist already). The selinux_web_ref leave alone for the moment, but the index.html should contain some test code that you can use to test that the web server works (you can leave the default index.html if you prefer). Now lets look at how SELinux defines access control. There are five fields which you need to know:

user:role:type:sensativity:category

User -> system_u for system users, user_u for normal users

Role -> object_r for files, system_r for system or user processes

Type -> used for access control

Sensitivity -> used by government agencies

Category -> used to allow/deny access even for root user

To understand how these work we look at our index.html file that we just created:

# ls -Z

-rwxr--r-- apache apache system_u:object_r:httpd_sys_content_t index.html

-rwxr--r-- apache apache system_u:object_r:httpd_sys_content_t selinux_web_ref

Looking at the reference above we can see that both of these files are owned by the apache user and apache group, they are labeled as files belonging to a system user, and their type is httpd_sys_content_t. So far so good, next we will need to check which boolean values are set in SELinux either enabling or disabling certain things from running on our web server. We can check with the following command:

# getsebool -a | grep httpd

allow_httpd_anon_write --> off

allow_httpd_bugzilla_script_anon_write --> off

allow_httpd_cvs_script_anon_write --> off

allow_httpd_mod_auth_pam --> off

allow_httpd_nagios_script_anon_write --> off

allow_httpd_prewikka_script_anon_write --> off

allow_httpd_squid_script_anon_write --> off

allow_httpd_sys_script_anon_write --> off

httpd_builtin_scripting --> on

httpd_can_network_connect --> off

httpd_can_network_connect_db --> off

httpd_can_network_relay --> off

httpd_can_sendmail --> on

httpd_disable_trans --> off

httpd_enable_cgi --> on

httpd_enable_ftp_server --> off

httpd_enable_homedirs --> on

httpd_rotatelogs_disable_trans --> off

httpd_ssi_exec --> off

httpd_suexec_disable_trans --> off

httpd_tty_comm --> on

httpd_unified --> on

httpd_use_cifs --> off

httpd_use_nfs --> off

As you can see there are many different options which can be modified. Some research will be required to gain a better understanding of each option and allow you to set your policies correctly. The defaults should work for most that are just starting out with SELinux. You can also modify these settings using the setsebool command. The final thing I wanted to touch on was why we made the selinux_web_ref file. Most admins won't just allow users to create web content in their /var/www/html directory, they expect users to develop files on their own machines and then they will send the files to the admin to be uploaded. This will make the security context of each file/folder different however when they are uploaded to the correct directories. With SELinux you will want to keep all your web files/folders the same context so that the same policies apply to them. SELinux has a nice feature where you can copy or "reference" another file for its settings and apply them. Using the chcon command we can change the SELinux settings of the selinux_web_ref file until we are satisfied with it then apply it as the reference file for our /var/www/html directory. I changed the context of the index.html file just as an example here:

# ls -Z

-rw-r--r-- apache apache user_u:object_r:httpd_sys_content_t index.html

-rwxr--r-- apache apache system_u:object_r:httpd_sys_content_t selinux_web_ref

# chcon --reference selinux_web_ref index.html

# ls -Z

-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t index.html

-rwxr--r-- apache apache system_u:object_r:httpd_sys_content_t selinux_web_ref

You can see above that the index.html file was set as a user file, but was changed to a system file after referencing the context of selinux_web_ref. This can obviously be scripted to make life easier for the system admin. As a final note it is worth mentioning that SELinux by default shouldn't have any trouble with .html pages, but will deny or disallow most scripts. You will need to adjust the policy and settings to fit your needs.

Additional Reference:
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
http://wiki.centos.org/HowTos/SELinux

Installing OSSEC

2010-04-05T15:50:00.001-04:00

After hearing some great reviews about OSSEC I have decided to give this a go. From what I have seen so far it is very flexible and works with databases, syslog servers, splunk, and more. OSSEC is a HIDS so it offers you file integrity checking, root-kit detection, real-time alerts, active responses, and more. I did a basic local installation although you can setup OSSEC to follow the client/server model and have all your clients report back to the master server. Here are the steps for the install:

Download files

wget http://www.ossec.net/files/ossec-hids-latest.tar.gz

wget http://www.ossec.net/files/ossec-hids-latest_sum.txt

Check the MD5 or SAH1 to make sure they are legit (Don't skip!!)

md5sum ossec-hids-latest.tar.gz

cat ossec-hids-latest_sum.txt

Extract the files from the tar

tar zxvf ossec-hids-latest.tar.gz

Cd into the directory and run the installer **

cd ossec-hids-latest/

./install.sh

If you are not running a local install make sure to adjust the firewall

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p udp --dport 1514 -j ACCEPT

Start the service

/var/ossec/bin/ossec-control start

**Before you install this program you will need to make sure that you have a compiler installed, such as gcc.

That's all there is to it! You should see the service start successfully and the monitoring will begin. My recommendation from here would be to looking through /var/ossec/logs/ to see what the system is reporting as well as /var/ossec/etc to make any adjustments to the configuration files as you see fit. I'm sure there are going to be directories and files that you don't want monitored because they change so frequently. Currently I'm using this on my Apache servers which sit in the DMZ so its good to see the reporting from OSSEC as well as the firewall rules you can tune within the program.

Shift Cipher

2010-04-04T09:55:00.000-04:00

While working on a coding challenge one of the requires was to create a shift cipher. As a quick introduction to this you will usually be given a clue that looks like a dictionary in Python. One character will represent another:

A --> C
E --> G

Here we can see that if all 'A' is 'C' and all 'E' is 'G' then we can count the shift and tell this is a shift 2 cipher. This isn't too hard to calculate by hand however when the text becomes longer and the shifts are much larger this process can become very tedious. Here I used a Python script as it is quick and easy to perform what we are looking for.

#!/usr/bin/python

from string import maketrans

plaintext = raw_input("Enter your text: ")
shift_num = int(raw_input("Enter number to shift by: "))

alphabet = 'abcdefghijklmnopqrstuvwxyz'

code_string = alphabet[shift_num:] + alphabet[:shift_num]
encode = maketrans(alphabet + alphabet.upper(), code_string + code_string.upper())
print '\n'
print "Encoded text is: " + plaintext.translate(encode)

The code_string line will rearrange the alphabet to look like the cipher alphabet making translation easier. The maketrans function will then replace each character in the string or text provided with its equal in the shift alphabet. the alphabet.upper() is to make sure that upper and lower case characters don't break the script. An additional challenge for this script might be to add a decode function. This can be done by checking the frequency of occurring letters in the cipher text and then making a guess at the number used for the shift in the cipher.

Needle In a Haystack

2010-04-04T09:46:00.000-04:00

Recently I was working through a coding challenge online which involved Python coding. One challenge required the user to parse a string of text for rare characters. After studying a cryptography course in college I knew the challenge was looking for frequencies, or the number of times each character appear in the string. Given the parameters that they want only the rare characters in the string I was looking for the characters that appeared the least. A quick Python script and i was good to go:

#!/usr/bin/python

string_to_search = raw_input("Enter text to search: ")

print ''.join(filter(lambda x: x.isalpha(), string_to_search))

Here we are asking the user to enter the text or string that they want to search through. The second line can be a little more confusing. We are using the join command as an append function to add together any alpha characters that are returned. The filter function will only filter out what is define in the function following it, the lambda function. The lambda x is way to create inline function within Python and in this case to search for anything that is an alpha character. This function will work for relatively long string however if you are parsing a really long text item or one that contains special characters which the bash shell will attempt to interpret, I suggest you modify this script slight to read the characters from a text file and parse from there.

Locked Out User Accounts

2010-04-03T21:39:00.000-04:00

In the process of coming up with daily/weekly checklists one thing that we wanted to check for was locked out user accounts. This would tell us if someone accidentally locked out their account or if an account got locked out due to a brute force attack. I threw together a perl script that would parse the /etc/shadow file for locked out user accounts and then made a cron job for it to check every six hours.

#!/usr/bin/env perl

# Open the /etc/shadow file for reading
open(my $in, "<", "/etc/shadow") or die "Can't open the file: $!";

# Parse each line looking for locked out accounts
while (<$in>){

        # File Format username:password:0:99999:0:::
        if ($_ =~ m/:!/){

                # If a locked out user is found print their username
                @user = split (/:/);
                print "Found locked out account: $user[0]\n";

        }

}

Windows 7 vSphere Issues

2010-04-02T09:25:00.007-04:00

Here is common scenario in IT. You just got a new laptop at work as the company is upgrading and you decide to move over your applications from your old Windows XP laptop. You begin reinstalling each application and tweaking it to your liking. Finally you run across "the application", you know the one that is going to give you trouble because you are on a new operating system. You check the vendors website and sure enough it says Windows 7 support, but installer throwing error messages at you begs to differ. Well for me it just happens to be vSphere.

Apparently there is a Windows 7 version of the client however there is an issue with using the .NET 3.5 SP1 framework on Windows 7 and the program. So what's the fix? You need to download and install the .NET 3.5 SP1 framework on Windows XP!! Seriously?! Anyway to resolve this issue isn't too complicated but does require a little work.

1. First you will need to install the vSphere client, but don't run it just yet.

2. Download the following system.dll to replace the broken one in Windows 7 [Download Here].

3. Go to C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher and create a folder called "lib".

4. Copy the system.dll to lib.

5. Going back to the launcher directory rename VpxClient.exe.config to VpxClient.exe.old and open it for editing.

6. Add the following line right before the close of the "configuration" tag and "Save As" VpxClient.exe.config.


[runtime] 
   [developmentMode developerInstallation="true"/]
[/runtime]

* Replace [ with >

7. Open the advanced tab of system properties and create a new environment variable.
Variable Name: DEVPATH
Variable Value: C:\Program Files (x86)\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\Lib

Finished! You should now be able to launch the vSpphere client with no problems, however there are some reports that you must "Run as Administrator" if it still gives you errors. This isn't a huge fix to get the application working however VMware is a big enough company where they should put some time into researching why things like this don't work.

Building a Kickstart Install Server (CentOS/Redhat)

2010-04-01T10:27:00.003-04:00

***UPDATE - Check out the new module for Kickstart @ http://modlearning.com/kickstart.php. It includes images, sample kickstart files, and more. A more advanced course for Kickstart is currently being developed as well.***

In a recent project I needed to build a kickstart server which would be used to automate the deployment of some new servers that were being setup. We will build a simple kickstart server offering installs over HTTP to the clients. I will also post a sample kickstart script that I used to accomplish the installs of the servers. This little project actually turned out to be quiet easy, and the most difficult part was writing the custom scripts to execute after the installation of the server completed. First we are going to install/setup the kickstart server itself. I will be using Virtualbox as my test environment to demonstrate here. Using the CentOS install DVD, walk through the install instructions to get the system up and running. This should be fairly simple although I will make one note; I only install the base packages and the Gnome desktop manager to keep the install quick and easy. If you'd like to add other packages to your install just be aware that it can raise the amount of time that the install takes (my install time was about 10 minutes). After the installation of the server is complete you will be brought to the desktop for the first time. When performing network installations with kickstart you can actually offer up the install files via NFS, HTTP, or FTP. I choose to use HTTP because it was the quickest and slightly easier than the other two methods. It also requires less configuration for those attempting this for the first time.

While you don't need Gnome in order for this server to work properly it is easier to use and saves time in the configuration aspects. Once you have a desktop go to System -> Administration -> Security Level & Firewall. Here you can make changes to SELinux and the Firewall. First we will need to check off the boxes for NFS, SSH, and HTTP (don't disable the firewall unless you are in a totally isolated environment). In the second tab change the SELinux setting to permissive or disabled (I choose disabled because I have no need for it on this server). Confirm all the changes and allow the settings to take effect. Next we will need to install Apache which will serve up the installation files. Open a shell, change to the root user, and install Apache with: yum install httpd. Once the install has completed verify that the service is running with: service httpd status. The last part of the configuration will be to create the directory structure we will use to serve the installation files and populate them. You will need to make sure that the install DVD for CentOS is in the CD-ROM drive. In the same shell use the following commands to create directories and copy over the files for installation.

cd /var/www
mkdir pub
cd pub
mkdir kickstart
cp -vr /media/CentOS_5.4_Final/ /var/www/pub/

You should now have a pub directory that is filled with the install files from the CentOS 5.4 install DVD, which will be used to install clients via kickstart. For the last steps we will need to build a kickstart file and copy it into /var/www/pub/kickstart where the clients will pull it from during install. Below I will paste a basic kickstart files (with comments) that you can copy & paste into a file called test.cfg, which will need to be moved to /var/www/pub/kickstart. Kickstart files can get very complex with scripts and custom settings which is why we are going to use this basic template.

# Kickstart file for a basic install.

install
url --url http://192.168.1.100/pub/
lang en_US.UTF-8
keyboard us

# Assign the client a static IP upon first boot & set the hostname
network --device eth0 --bootproto static --ip=192.168.1.105 --netmask=255.255.255.0 --gateway=192.168.1.1 --nameserver=192.168.1.1 --hostname RHEL01 --noipv6

# Set the root password
rootpw --iscrypted

# Enable the firewall and open port 22 for SSH remote administration
firewall --enabled --port=22:tcp

# Setup security and SELinux levels
authconfig --enableshadow --enablemd5
selinux --permissive

# Set the timezone
timezone --utc America/New_York

# Create the bootloader in the MBR with drive sda being the drive to install it on
bootloader --location=mbr --driveorder=hda

# Wipe all partitions and build them with the info below
# ***hda may be different on your machine depending on the type of drives you use***
clearpart --drives=hda --all --initlabel
part /boot --fstype ext3 --size=100
part / --fstype ext3 --size=5000
part swap --size=2000
part /home --fstype ext3 --size=100 --grow

# Install the Base and Core software package groups for a minimal install, plus OpenSSH server & client
%packages
@Core
@Base
openssh-clients
openssh-server

Now everything is in place. The kickstart server has been built, the kickstart file is in place, and you are ready to boot up your client to start testing a kickstart installation. For our test we will kick off another virtual machine and boot from the netinstall.iso (available from the CentOS downloads page). This will boot off the CD and give us a prompt for parameters to be passed to the kernel during boot up. We will use the following command:

$ linux text ks=http://192.168.1.100/pub/kickstart/test.cfg append ip=192.168.1.105 netmask=255.255.255.0

This command tells the client to boot the kernel, look for the 192.168.1.100 server (our kickstart server), retrieve the test.cfg file from /pub/kickstart/, and assign the client a static address of 192.168.1.105. There are two things to note here; one is that in order to not use a static address you will need a functional DHCP server with specific settings configure (this will be detailed in another post), two the static ip assignment can actually take place in the kickstart file however there is a bug in CentOS currently which prevents this from happening, which is why we must specify a static ip via kernel boot parameters. If you typed the command correctly and the server is setup properly you will see the client begin to install the system automatically. When finished you will be prompted to reboot and your system will be ready for use! While the install is happening you can view log files in the background by switching virtual terminals. Alt+F2 will give you a shell once the system is installed, Alt+F3 will show command line logs, Alt+F4 shows the kernel logs. This process to automatically install servers and clients via kickstart is extremely helpful in rolling out new systems and fairly easy to accomplish. Hopefully you will take this further and work on customizing your installations and post install scripts. For a reference on kickstart files see the documentation:

http://www.centos.org/docs/5/html/Installation_Guide-en-US/s1-kickstart2-options.html

For a more automated approach to kickstart check out my other posting for PXE booting, hands free install:

http://secnut.blogspot.com/2010/04/pxe-kickstart-automating-centosredhat.html

Network Documentation

2010-03-29T20:27:00.000-04:00

Every time I have started a new job over the last few years I have always gone in hoping to get a look at the companies network documentation, which would enable me to get up to speed and working with the team in no time. Sadly I have always been told the same thing, "What documentation"?! I think that network documentation is an important aspect of any network and should be taken seriously. There are many benefits to documenting your network which include:

Ease in troubleshooting
Helping with new hires
Makes project planning easier
Helps with collaboration between different departments

Being that I have had to start from scratch with network documentation every time I thought I would share some tips that I have put together over the years. First you will need a good IP scanner which can pull live IP addresses from the network. Personally I use NMAP or Angry IP Scanner as both are very quick and provide valuable information. NMAP is also useful later on when you want to run port scans against a machine to find out what services are running. Angry IP Scanner will allow you to dump the output of the scan to an excel spreadsheet making it easier to reference later on. You should also start by locating and looking through the DHCP scopes on your network. This will help you weed out "client" addresses when looking for servers and network devices from your scan. I usually start to draw out some diagrams by hand when starting to get an idea of what goes where on the network. As I start to get a better idea and can put IP to device I will move my diagram over into Microsoft's Visio (one of the better programs they have produced). Many vendors out there produce stencils for Visio making it easy to put together documentation, diagrams, and subnet depictions.

When working on your documentation look through the different subnets and VLANs that your network holds. You may also need to work with other departments to acquire all the information that you need. You should also look through and document configuration files for routers, switches, and firewalls. This might also include mapping switch ports to VLANs and making sure that your firewall/router interfaces are configured properly. I must say that I continuously use my own documentation to work through projects and they have always been worth the effort. Below is just a quick list of places to acquire information from when putting together your documentation that I have used in the past.

Active Directory (Site Replication, Group Policy)
DHCP Servers (Scopes, DHCP Options, Subnets, PXE Options)
Routers/Switches (VLANs and Subnets)
Firewalls (Security Policies, Access rules)
DMZ (IDS servers/appliances, Web Servers)
PING & TRACEROUTE
Nmap & Angry IP Scanner
www.maxmind.com (IP address lookup for remote offices)
VPN Configs (IPSEC & Site-to-Site)
Model & Serial Numbers

Automating Outlook Signatures

2010-03-16T16:38:00.000-04:00

Recently I was tasked with a way to standardize our signatures in Outlook. I came up with the follow script that was applied as a group policy to all users. There are a few things to note however:

The script works on Outlook 2003/2007
Other then IE, Webmail, and Outlook other browsers or Operating System will distort the layout of the signature
The script pulls all information from Active Directory

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo")
strUser = objSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)

strConfidS = "Confidentiality Note:"
strConfid = "Notice goes here"
strFname = objUser.FirstName
strLname = objUser.LastName
strInitial = objUser.Initials
strTitle = objUser.Title
strWebsite = "www.mycompanieswebsite.com"
strCompany = objUser.Company 
strPhone = objUser.telephoneNumber
strFax = objUser.facsimileTelephoneNumber
strStreet = objUser.streetAddress
strCity = objUser.l
strState = objUser.st
strZip = objUser.postalCode
strEmail = objUser.mail

Set objWord = GetObject(, "Word.Application")
If objWord Is Nothing Then
Set objWord = CreateObject("Word.Application")
blnWeOpenedWord = True
End If
Set objDoc = objWord.Documents.Add()
Set objSelection = objWord.Selection
Set objEmailOptions = objWord.EmailOptions
Set objSignatureObjects = objWord.EmailOptions.EmailSignature
Set objSignatureEntries = objSignatureObjects.EmailSignatureEntries
objSelection.Style = "No Spacing"


'Name
objSelection.Font.Size = "11"
objselection.Font.Bold = true
objSelection.TypeText vbTab & " " & strFname & " "
if strInitial then 
objSelection.TypeText UCase(strInitial) & ". "
end if
objSelection.TypeText strLname
objselection.Font.Bold = false

objSelection.Font.Size = "8"
objSelection.TypeText Chr(11)
objSelection.TypeText vbTab & " " & strCompany
objSelection.TypeText Chr(11)
if strTitle then 
objSelection.TypeText vbTab & " " & strTitle
end if

objSelection.TypeText Chr(11)
objSelection.TypeText Chr(11)
objSelection.TypeText vbTab & " " & strStreet & Chr(11)
objSelection.TypeText vbTab & " " & strCity & ", " & strState & " " & strZip & Chr(11)
objSelection.TypeText vbTab & " " & "tel. " & strPhone & Chr(11)
objSelection.TypeText vbTab & " " & "fax. " & strFax & Chr(11)
objSelection.TypeText Chr(11)

objSelection.TypeText vbTab & " " & "email. " & strEmail & Chr(11)
objSelection.TypeText vbTab & " " & "website. " & strWebsite & Chr(11)
objSelection.TypeText Chr(11)

objSelection.Font.Bold = True
objSelection.TypeText strConfidS & " "
objSelection.Font.Bold = False
objSelection.TypeText strConfid
Set objSelection = objDoc.Range()

Set objShape = objDoc.Shapes
objShape.AddPicture("\\server\netlogon\logo.png")

objSignatureEntries.Add "AD Signature", objSelection
objSignatureObjects.NewMessageSignature = "AD Signature"
objSignatureObjects.ReplyMessageSignature = "AD Signature"

objDoc.Close 0
If blnWeOpenedWord Then
objWord.Quit
End If

Red Hat Package Management

2010-03-04T09:11:00.001-05:00

A package in linux contains files and directories of the software we wish to use. There are two different package types, .rpm used by Red Hat/CentOS/Fedora and .deb used by Debian/Ubuntun. We are going to focus on the Red Hat version. Each package in Red Hat is broken down into the following format:

package_name-version-release.arch.rpm

postfix-2.3.3-2.1.el5_2.i386.rpm

To download and install packages you obtain them from repositories. Needless to say you should only use repositories and files from trusted sources. The Red Hat Network (RHN) also provides packages and software updates from Red Hat clients. It also provides a web interface which allows for snapshots, scheduled commands, and kickstart installations. Instead of going into every single detail relating to rpm and yum (the frontend to rpm), we will look at common tasks and commands for system administration.

Querying Packages

To list all install packages on the system:

$rpm -qa

- or -

$rpmquery -a

Use commands like sort, grep, and wc to filter the results.

Check to see if Apache is installed:

$rpm -qa | grep httpd

If it returns the package then it is installed, otherwise nothing will be returned meaning it is not installed.

Also available is the yum commands which produce alot of output so make sure to pipe them:

$yum list | grep httpd

httpd.i386 2.2.3-31.el5.centos.2 installed

Searching for Packages

To find a package to install:

$yum search httpd

Installing Packages

To install Apache with no prompts:

$yum -y install httpd.i386

You can also use rpm to install packages that you have downloaded:

$rpm -ivh mypackage.rpm

Removing Packages

To uninstall Apache:

$yum remove httpd

You can also do the same with the rpm command:

$rpm -e mypackage

Some other commands that may be useful include updating, upgrading, obtaining information on packages, and group installs.

$yum update

$yum check-update

$yum info

$yum groupinstall

$yum clean all

For those of you can don't like the command line you can also use the GUI tool that comes with Red Hat called pirut. This is the package manager which can perform all the same commands that we have discussed via the command line. The last part of package management that we will discuss deals with YUM repositories. When handling a large number of systems and installs you will probably want to configure a local package repository (unless you happen to have a massive bandwidth pipe to the internet). It also will help with dependency issues because it will make certain that all packages are using the versions. to create a local repository follow these steps:

1) Download the needed package

$yum -y install createrepo

2) Create a directory for the repors

$mkdir -p /var/yum/repos.d && cd /var/yum/repos.d

3) Move all packages that you wish to be made available

4) Execute the createrepo command to convert the packages to local distribution

$createrepo -v .

5) Create the repo file for the repository

$nano /etc/yum.repos.d/server01.repo

[server01]
name=yum repository for server01
baseurl=ftp://server01/var/yum/repos.d/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

Finally you will need to make sure that your main yum configuration file is in order and specifies you local repositories as well. You can find the file in /etc/yum.conf. You now should have a pretty good handle on managing packages for your system. There are obviously many other commands and options that you can use with yum or rpm however it is better to have a foundation and then work through the --help parameters. This will show you all the options available and as always use the man pages for clarification of anything you may need.

Working with Linux Processes

2010-03-04T09:06:00.000-05:00

Each time a program or command is run a process is created for it. These processes are all unique and identified by the process identification (PID) which becomes allocated to it. System processes, or daemons, are critical to keeping the system up and running or providing services to clients. To work with processes we have two commands available to us. The first is ps which can list information about processes helping us to manage them. If using the ps command with no arguments it will just show the processes specific to the terminal that it is run in. This isn't very useful, so we can look at some of the commonly used arguments.

-e shows all processes
-u shows the user related to the process
-f shows full output
a shows all processes including other users
x shows processes without a controllering ttys

These particular arguements are important because they help you identify which processes are running, who they are ownered by, processes that normally aren't seen (because they aren't associated to a terminal), and other information. The following is a partial example (because the output can be quite large):

$ps aux

Looking here you can see the header which details what the different columns mean. You can also do ps -ef which will show the PPID column, representing the parent process. While this output is useful there is always multiple ways to obtain information. A second way to view process information, in more of "real time" use can use the top command. Top is also interactive so once you launch it you can manipulate processes through different keys.

$top

As you can see here there is some extra information that you get with using top as well as being able to set the refreash rate for the program. These are just two programs that you can use to view processes at the command line. For those of you that like the GUI you can use the system monitor in Gnome (or launch gnome-system-monitor) or Ktop for the KDE environment.

If you would like specific information about processes there are two more commands that you should know. The first is pidof, which takes a process name as a parameter. It will return the PID of that particular process, however you must obviously know the name of the process in order to use this command. Next we have pgrep that can be used to list all processes owned by a particular user using the -U argument or list all processes owned by a particular group using the -G argument. Similar to pidof it will only list the PID of the processes.

$pidof sshd

2208 1982

$pgrep -U apache

2258
2259
2260
2261

Now that we have multiple ways to look up information about processes we shuold also know how to manage them. everytime that a process is created it receives a priority, or nice value. By default this value is set to 0, with -20 being the highest and +19 being the lowest. Using our commands from above you can use ps -el to view a list of processes and also view their nice value. If you want to create a process or launch a program with a different priority you can use the nice command. If the program is already in execution then you can use the renice command to change it.

$nice --2 firefox #Launch the firefox program with a higher priority

$renice -5 2208 #Change priority of process 2208 from its current value to -5

The final part to processes is how to kill them. Suppose you have a run away process that is hogging all the system resources or a process that no longer has a parent (called a zombie), you will need some way to stop them. You can use the kill command for a single process ID or use the killall command if you want to use a program name. This will kill the running process allowing you to recreate it or figure out what happened.

$killall apache #Kill all apache processes

Clearly process management is important for system stability and helping maintain server uptime as well.

WSUS Troubleshooting

2010-03-04T09:00:00.001-05:00

A useful set of tools that I ran across when working on a WSUS problem are available on Microsoft's website. They provide utilities for the server and client to troubleshoot each individually and report back results for basic functionality tests. You can check out the site here:

http://technet.microsoft.com/en-us/wsus/bb466192.aspx

Most of the time it is enough to just run the client tool and it will give you an indication as to where the update is failing. Downloading the utility you can double click to run it. Here is an example output of what the utility produces.

Here you can see that two areas failed when checking out the client. The last setting is clear that the WSUS isn't even configured on this client. This would mean that instead of policy the client is dependent on the settings under the Automatic Updates tab to direct it for Windows Updates. We can also see here though that the first setting which failed shows that the Automatic Updates options are turned off as well. Browsing through the output though you can see that there are other options that will alert you too different settings either being disabled or not functioning properly. The server utility produces the same type of output only based on server (WSUS) settings instead of the client. I would recommended that anyone dealing with WSUS and updates always use a seperate well labeled policy just for WSUS and updates. This way it is easier to troubleshoot when something goes wrong. You should never make this part of the default domain policy because it just leads to trouble down the road when attempting to diagnose whats wrong.

The /proc Filesystem

2010-02-23T11:29:00.003-05:00

Most of the /proc filesystem is read only, however there are some directories and files like /proc/sys which can be edited to modify the kernel. Lets look into each area of the /proc filesystem.

/proc/apm -> used for checking the battery status and gaining information about a system's battery

/proc/buddyinfo -> used to diagnose fragmentation issues in memory

/proc/cmdline -> parameters that were passed to the kernel during boot

/proc/cpuinfo -> identifies the CPU and information about it on the system

/proc/crypto -> lists all installed cryptographic ciphers used by the kernel

/proc/devices -> displays information on various character and block devices

/proc/dma -> contains a list of registered ISA DMA channels

/proc/fb -> contains a list of frame buffer devices

/proc/filesystems -> shows a list of file system types that are currently supported by the kernel

/proc/interrupts -> lists the number of interrupts per IRQ

/proc/iomem -> shows a current map of the system's memory for each physical device

/proc/ioports -> contains a list of currently registered port regions

/proc/loadvg -> contains load average of the CPU and IO over time, as well as the number of running processes

/proc/mdstat -> contains information about multi-disk RAID configurations

/proc/meminfo -> contains information about memory usage on the system

/proc/modules -> contains the modules currently loaded into the kernel

/proc/mounts -> contains a list of all mounts in use by the system (similar to /etc/mtab)

/proc/partitions -> contains partition block allocation information

/proc/pci -> lists all pci devices on the system, use /sbin/lspci -vb for a more readable version

/proc/slabinfo -> detailed information about system memory

/proc/stat -> information about the system since last reboot

/proc/swaps -> shows swap space and utilization

/proc/uptime -> shows amount of time system has been up (uptime command is better)

/proc/version -> shows kernel version information as well as gcc

These are just some of the files contained in the /proc directory which provide information useful for troubleshooting and maintanence. There are also a number of directories listed in the /proc directory which are numbered. These numbers represent the process ID (PID) of different programs and stores the information of them within these directories.

$ ls -l | grep apache

dr-xr-xr-x 5 apache apache 0 Feb 23 09:54 4427
dr-xr-xr-x 5 apache apache 0 Feb 23 09:54 4324
dr-xr-xr-x 5 apache apache 0 Feb 23 09:54 4387
dr-xr-xr-x 5 apache apache 0 Feb 23 09:54 4426
dr-xr-xr-x 5 apache apache 0 Feb 23 09:54 4427

You can see from the example that these directories are owned by the apache process and the folders are numbered after the processes running them. This makes it easier for troubleshooting to hunt down information about particular processes. There are a few other directories worth noting in the /proc filesystem as well.

/proc/bus -> this directory contains information relating to the various buses available on the system
/proc/driver -> contains information relating to drivers in use by the kernel
/proc/fs -> this directory shows which file systems are exported if an NFS server is running
/proc/ide -> this directory contains information about each IDE device, each channel has a directory
/proc/irq -> each IRQ has its own directory which contains configuration for each IRQ
/proc/net -> provides details about system networking including parameters and statistics
/proc/scsi -> same as /proc/ide but for SCSI drives
/proc/sys -> this directory is unique in that it allows you to tune the kernel and its features
/proc/sys/dev -> contains parameters for particular devices
/proc/sys/fs -> contains information relating to filesystem parameters and features

The one particular directory to note here is the /proc/sys directory. This directory contains files that can be used to tune the kernel in its running state. You can use the echo command to insert changes into the different files and change the paremeter of the kernel, however note that a reboot to the system will restore any changes made with the echo command. An easy way to see which files can be modifed is to use the ls -l command and look for the 'w' write access to the particular file. There is another command sysctl which can be used in place of directing echo output to files. The sysctl command will also change parameters in the kernel. In order for the changes to be permanent you must edit them in the /etc/sysctl.conf file which is executed during system boot. This would be used more after testing is done with the echo command to tune the kernel the way you want. You shouldn't try to memorize all the locations and files in the /proc directory. An administrator should have an understanding of where the files are and an idea of what they do in order to troubleshoot or tune their system. There are also other utilities including lspci, top, free, apm, lsusb, and other which can produce the same output of many of the /proc files.

CentOS SSH Server

2010-02-22T23:06:00.002-05:00

We all know that at some point or another we will need to be able to administer our servers remotely, and we wouldn't want to do this without some sort of security in place...right? SSH can protect the traffic that passes from your computer to a remote computer making the tunnel secure for administration. It is a fairly easy thing to setup and useful in many different ways. On CentOS the SSH server comes install by default which we can verify with:

rpm -qa | grep sshd

To get started we will need to configure the settings for the SSH server. The configuration is located at /etc/ssh/ssh_config and before doing anything you should make a backup copy of the original file incase something happens to the configuration file later on. After you make a back of the configuration file there are only a few options you should change before using the server. First you should change the configuration file to not allow the root user to log in, for obvious reasons this is a bad idea. Next, unless you really want to use X11 forward (where you can run X programs remotely) you should disable this. Finally if you wish you can restrict access by user or by user from a particular host, gaining access to the system. By default the SSH server runs on port 22, however if you'd like to increase the security of the server you can change the port that the SSH server wil listen on for connections.

$ cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
$ nano /etc/sshd.conf

# Disable Root Login
PermitRootLogin no

# Disable X11 Forwarding
X11Forwarding no

# Only allow user John to login
AllowUsers john

Once your settings are configured you just need to restart (or start) the service for the changes to take effect. Personallu I think that SSH is one of the most useful tools in Linux making it easy to jump from server to server and remotely administer everything securly and efficiently. Once the SSH server is fully setup you can test it by connecting from the remote machine.

# The general syntax is ssh user@host
$ ssh jsmith@192.168.1.50

You will be prompted for a password for the user. Once you login you are good to go. SSH keys will be logged in ~/.ssh/config for remote connections. Should you connect to a remote server where the keys don't match what you have on file the SSH client will warn you that the SSH server is possibly being spoofed and you should check that the connection or server hasn't changed.

CentOS DHCP Server Setup

2010-02-22T22:18:00.000-05:00

One of the basics elements found on all networks in a DHCP server, making it an important part of any network. DHCP makes network administration easy because you can make changes to a single point (the DHCP server) on your network and let it filter down to the rest of the network. To begin setting up a DHCP server we are going to first need to configure our machine with a static ip address. As the root user you will need to open the following file, /etc/sysconfig/network-scripts/ifcfg-eth0 (assuming you want the eth0 interface to distribute ip addresses to the network). Configure the following:

TYPE=Ethernet
DEVICE=eth0
BOOTPROTO=
IPADDR=192.168.1.50
NETMASK=255.255.255.0
USERCTL=yes
IPV6INIT=no
PEERDNS=yes
ONBOOT=yes

Once finished you will need to restart the networking service: service networking restart

Now that you have static ip address setup you will need to install the dhcpd package which contains the DHCP server software. After this package is installed there are two important files which we will need to work with. The first is /etc/dhcpd.conf which is the configuration file for the DHCP server. This file may not exist in which case you will need to create it. You can find a sample to work off of (recommended) at /usr/share/doc/dhcp-/dhcp.conf.sample. Copy this over to the main configuration file and then edit the main configuration file to your specifications. This is the easiest and fastest way to setup the DHCP. The second file to take note of is /var/lib/dhcpd/dhcpd.leases which stores all the client leases for the DHCP server.

$ yum install dhcp.i386

$ cp /usr/share/doc/dhcp-3.0.5/dhcp.conf.sample /etc/dhcpd.conf
$ nano /etc/dhcpd.conf

# Sample DHCP Config File
ddns-update-style interim;
authoritative;

subnet 192.168.1.0 netmask 255.255.255.0 {


     # Parameters for the local subnet
     option routers                                192.168.1.254;
     option subnet-mask                            255.255.255.0;


     option domain-name                            "testbed.edu";
     option domain-name-servers                    192.168.1.50;


     default-lease-time       21600;
     max-lease-time       43200;


     range dynamic-bootp 192.168.1.100 192.168.1.200;
}


$ service dhcpd restart

As we can see above looking through the configuration file, there is only one subnet for this network. The gateway has been defined by the "option routers" paramters, the DNS information by the "option domain-name" parameters, and the leases for the client by the "range" parameter. Restarting the DHCP service will allow the configuration file to be loaded into the server and it will begin to lease ip addresses to clients. One other configuration parameter that you should know if how to setup reserved ip addresses.

# In the configuration file
host client01 {


 option host-name “client01.example.com”;
 hardware ethernet 02:B4:7C:43:DD:FF;
 fixed-address 192.168.1.109;


}

This basically reserves this ip address for the client01 host with the specified MAC address. This can be usefu for printers or particular addresses that you wish to reserve. You can now watch as clients should begin leasing their ip addresses from the server as they connect to the network. Some other ideas you might want to consider implementing with a DHCP server is a failover server, relay servers, and backing up the configuration file and/or the lease database. As a tip, instead of editing the dhcpd.conf file and then restarting the server to make changes you can use the omshell command which will allow you to connect to, query, and change the configuration while the server is running.

The Boot Process

2010-02-22T17:03:00.000-05:00

When a computer boots the BIOS is the first program that is run. Once loaded the BIOS will begin to test the system through the power on self test (POST), and then begin loading peripherials. The BIOS will then look to whatever is contained in the first sector of this device. This usually contains the master boot record (MBR) which will start to boot the machine via the boot loader. Once the boot loader has been loaded, the BIOS yields control to it. The default boot loader for most systems these days is GRUB. From here GRUB will look to boot into the kernel that is labeled as the "default". Finally the Kernel will call the init process which boots up the rest of the system. Understanding how the system boots is essential to troubleshooting should the system ever have a problem booting, or if you are working with a kernel.

GRUB

GRUB has become the default boot loader for Red Hat & Debian as well. GRUB can be used to boot into different operating systems (usually called a multiboot system), for system recovery, and to boot the kernel using special parameters. When GRUB loads you are given a list of kernels from which you can choose to boot from. There is also a list of commands which you can select from.

e -> edit the commands before booting
a -> modify the kernel arguments before booting
c -> grub command line

Although working with GRUB can save you time to diagnose system boot issues make sure that you record all changes to /boot/grub/grub.conf otherwise your changes will be lost on next boot. On Red Hat the /etc/grub.conf is actually a link to /boot/grub/grub.conf so all changes will be made to the same file.

The Kernel

After GRUB has loaded the kernel takes over and begins to initialize and configure the computer's hardware. depending on how your GRUB configuration file is setup you may or may not see anything during this process. The "quiet" parameter in GRUB hides this process from the user (usually a gaphic of some sort is shown in its place). All the information gathered during this processes is logged to /var/log/dmesg. You can also use the dmesg tool to query information about bootup messages. Once the systems drivers are in place the kernel will execute the /sbin/init program.

The init Program

The init program is the first process that is created by the kernel. It is responsible for the rest of the boot process and setting up the environment for the user. First it will call /etc/rd.d/rc.sysinit which is responsible for a number of tasks including setting the system clock, networking, user environment, and others. After is it finished, the init command then runs the /etc/inittab script. This script defines how all services should be handle in each runlevel as well as which run level to boot the system into. In Red Hat and CentOs the default runlevel is 5 while Debian is 2. The last thing you will see is the screen to login, which will either be a virtual terminal (if no X window is configured) or a GUI login.

Runlevels

The runlevel system helps organize services which create a standard for controlling system services. There are six runlevels which can be found in /etc/inittab.

0 - Halt
1 - Singe-user mode
2 - Multi-user with partial services
3 - Full multi-user with networking (text mode)
4 - Not used
5 - Full multi-user graphical mode (provides a GUI desktop login)
6 - Reboot

Located in the /etc/rc.d/ directory there are different directories containing which services should be started or stoped at each runlevel. There are three utilities that are provided to manage services during system boot. The first is the chkconfig command.

chkconfig --list [service-name]

If you specify no service it will list all services and their status at each run level. You can narrow this down and look at a particular service by specifing the service name. You will see that each service is either "on" or "off" at each runlevel respresenting a started or not started state. This utility can also be used to enable or disable services at each runlevel.

chkconfig --level

The second utility is ntsysv. Instead of modifying each indivual service at the command line you can use this command to modify multiple services at multiple runlevels at once.

ntsysv [--level ]

For example if I wanted to modify all services at runlevels 3 & 4 I would type:

ntsysv --level 34

This utility produces a list of all services which can be checked or unchecked to either start or stop that at the runlevels that you specified. That last utility that you can use is system-config-services. This utility is a GUI program that can't be launch from a system that without a GUI. Similar to ntsysv it provides a listing of services which can be easily modified to each runlevel. You should now be pretty comfortable with the boot process and have an idea of how you can go about troubleshooting should your system not boot correctly.

Cisco Standard Access Lists

2010-02-17T22:35:00.002-05:00

One thing that can help filter traffic on your network is access control lists (ACL). Cisco uses these in a variety of ways to filter traffic, restrict access, and block certain protocols on a network. We are going to look specifically at standard ACLs. There are others that Cisco has, but we will save those for another day. There are two different types of standard access lists that you can have; named and numbered. First let us look at the syntax of a numbered standard ACL:

access-list <#> {permit | deny} [wildcard mask] [log]

There are a few different things going on here. First we have the access-list command and a number that we will use to identify this access list. For standard access lists you must choose a number between 1-99 and 1300-1999. Next we can choose if we want to permit or deny the traffic, followed by the source ip address that we want to permit or deny traffic to/from. The next field may be a little different to those that haven't worked with access lists before, the wild card field is used much like a subnet mask to determine which traffic should be allowed or denied. To figure out what the wildcard mask should be you can use a little trick. Determine what you want the subnet to be and just take the inverse of each octet to equal 255. The easiest way to understand is with an example. Suppose you want to block all traffic coming from a particular subnet, say 192.168.5.0/24. We know looking at this that there are 255 addresses that we want to block. Let's calculate what the wildcard mask should be and then apply it to the full command to use in order to block all traffic coming from this network.

192.168.5.0/24

Subnet Mask: /24 or 255.255.255.0

- Inverse for wildcard mask -

Wildcard Mask: 0.0.0.255

ACL is: access-list 5 deny 192.168.5.0 0.0.0.255

Another example would be:

192.168.3.0/22

Subnet Mask: /22 or 255.255.252.0

- Inverse for wildcard mask -

Wildcard Mask: 0.0.3.255

ACL is: access-list 5 deny 192.168.5.0 0.0.3.255

You can see that the original subnet mask has a 255. in the first two octets which makes the first two octets of the wildcard mask 0. The third octet is 252 and the inverse needs to be what would bring it to 255, which is where we get the 3 from. The final octet is a 0 in the subnet mask so the inverse would be 255. Another point you should notice about wildcard masks is that a 0 means to match specifically, while a 255 means "any". So the above wildcard mask can be read as specifically deny all ip address that are 192.168.1.0 - 192.168.1.255. If you omit a wildcard mask in the ACL all together it will default to 0.0.0.0 meaning a specific host. Next we will jump back and look at the syntax of a named standard ACL:

ip access-list standard

{permit | deny} {source [wildcard] | any} [log]

As you can see this is slightly different from the "numbered" approach. Again lets take the example of want to block all traffic coming from 192.168.5.0/24.

192.168.5.0/24

Subnet Mask: /24 or 255.255.255.0

- Inverse for wildcard mask -

Wildcard Mask: 0.0.0.255

ACL is:

ip access-list standard deny5

deny 192.168.5.0 0.0.0.255

Although this syntax is slightly different the concept of the command is similar. Once you have built your ACL and included all the statements needed the last thing that you will need to do is apply your ACL to a particular interface. The rule for applying access lists to interfaces is, ACLs which filter based on source (standard ACLs) should be placed closest to the destination. You will have to examine your particular topology to determine where that will be. To apply the ACL to an interface once you have decided where it will go is done with:

interface fastethernet 0/1

ip access-group <# or name> {in | out}

Based on the numbered ACL above:

ip access-group 5 in

Based on the named ACL above:

ip access-group deny5 in

This is just an introduction to access lists. There are other types and they can become complex as they start to grow in size. Standard access lists also have some limitations, which include only being able to filter traffic based on the source port and only being able to inspect layer 3 traffic. They are however much easier to setup and normally used to restrict access to things like the vty and aux ports. In another post we will look at extended access lists, which offer us more flexibility at slightly more complexity.

Working With RPM

2010-02-15T15:37:00.000-05:00

Red hat uses the rpm command to manage packages for the system. This tool is broken down into five major categories:

Install
Uninstall
Upgrading
Querying
Verifying

By breaking RPM down into these subsections it makes using the package manager much easier. If you’d like detailed information about the rpm utility you can check the man pages. First we can look at how rpm packages are structured and then an example of using each of the five categories.

Sample Package: foo-1.0-1.i386.rpm

Package Name: foo

Package Version: 1.0

Package Release: 1

Package Architecture: i386

As you can see there is a lot of information that can be derived just from looking at the package. Now lets see an example of the five categories.

Install

Syntax: rpm -i [install-options]

ie. rpm -i foo-1.0-1.i386.rpm

Uninstalling

Syntax: rpm -e

ie. rpm -e foo-1.0-1.i386.rpm

Upgrading

Syntax: rpm -U

ie. rpm -U foo-1.0-1.i386.rpm

Querying

Syntax: rpm -q

ie. rpm -q foo-1.0-1.i386.rpm

Verifying

Syntax: rpm -V

ie. rpm -V foo-1.0-1.i386.rpm

As you can see the rpm utility is pretty easy to use. Lets also just quickly look at three useful examples that you might use.

Verify all packages on your system: rpm -Va

Find the package that owns a specific file: rpm -qf

Find a programs documentation: rpm -qdf

There are tons of different ways to use rpm and I suggest a read of the man pages to familarize yourself with some of the different commands. In another post we will look at another utility called yum which offers an interactive, rpm based, package manager.

FTP

2010-02-15T11:23:00.003-05:00

Ports Used: TCP 20, 21

Function: Allows users to transfer files from one host to another. It has a mechanism for user authentication via username and password combination. There are two modes which FTP can function in; PORT mode (sometimes called active mode) and PASV mode (somtimes called passive mode).

Active mode is less secure because the FTP server initiates the data channel. Also, port 20 must be open to the outside world which is inherently less secure than just using port 21. The source port on the client is random generated above 1023.

Passive mode is initiated from the client to the server in both the control and data channel. The source port on the server is negotiated with the client above 1023. There is less of a chance for data compromise when using passive mode.

TFTP

2010-02-15T11:22:00.003-05:00

Ports Used: UDP 69

Function: Allows transfer of files from one device to another using a connectionless protocol. There is no method to authenticate users. TFTP uses directory security on the TFTP server itself by predefining file security prior to client use.

Configuration Examples:

To Copy an IOS Image from a TFTP Server
copy tftp flash
 
To Backup an IOS Image to a TFTP Server
copy flash tftp

DNS

2010-02-15T11:17:00.004-05:00

Ports Used: TCP/UDP 53

Function: DNS is used for domain lookups, and zone transfers. When doing domain lookups and browsing the UDP protocol is used. When performing zone transfers the TCP protocol is used.

Configuration Examples:

Disable Domain Lookups
no ip domain lookup
 
Local IP Host Mapping
ip host  
ie. ip host Router1 192.168.1.1
 
Set the Domain Name
ip domain-name 
ie. ip domain-name example.com
 
Set the DNS Server
ip name-server 
ie. ip name-server 192.168.1.10

10,000 Page Challenge (2010)

2010-01-30T08:43:00.008-05:00

One of the forums that I am a member of does a challenge every year to see if you can read 10,000 pages. It doesn't matter what books or topics. Since I read a lot throughout the year on a wide variety of topics I figured it would be easier to share here and others can see what I have read.

Books Read This Year

MCSE: 70-293 Exam Cram  (504 pages)
MCSE: 70-293 Study Guide, Sybex Edition  (888 pages)
RHCE Red Hat Certified Engineer Linux Study Guide  (848 pages)
LPI Linux Certification in a Nutshell (In a Nutshell (O'Reilly))  (922 pages)
CCSP Securing Cisco IOS Network Study Guide (544 pages)
Red Hat Certified Technician & Engineer (746 pages)
Hacking Red Hat Enterprise Linux (180 pages)
Web Security Testing Cookbook, 1st Ed (300 pages)
LPIC-1 in Depth (499 pages)
The Girl with the Dragon Tattoo (568 pages)
Red Hat Enterprise Linux 6 Documentation (834 pages)

Total Pages: 6833

Cisco Switch Hardening

2010-01-26T14:53:00.003-05:00

Some quick little tips that should be used when hardening Cisco switches.

First and foremost should always be to change the default passwords and set a strong password on all interfaces that someone can login on. There are many interfaces and passwords can easily be forgotten so you may want to also device a simple algorithm to remember or to easily regenerate the password in your head.
If you are going to be monitoring switches in your environment (which is always a good idea) you will probably be using SNMP. Make sure that you use SNMPv3 as it is the most secure. If you aren't using v3 make sure to use a long community string because sooner or later someone will compromise it (even if only gaining read access it is still a compromise).
Setup some type of logging. Even if you have tons of switches and want to be that insane person that logs everything locally...local logging is better then no logging.
Documentation! Enough said.
Not everyone wants to sit there banging out commands on the cli, so for those of you using the web interface of the switch make sure to enable SSL. For those that do prefer the command line make sure to disable the web interface.
For remote access, which everyone will want, make sure to use SSHv2 and disable telnet. Nothing is worse then logging into a switch to check something "suspicious" only to have your credentials snagged over the wire.
Separate your network traffic. Setup a management VLAN to use for all switches (and other network devices). Use VLANs and maybe some ACLs to lock down and segment traffic on your network. You will be thankful later as it will contain virus outbreaks and makes troubleshooting that much easier.

This is not a finite list but a good start to steps to take when hardening Cisco switches. If you Google it, the NSA has an entire guide (very large document) on hardening Cisco switches as well that you may want to flip through for more ideas.

Working With Error Logs

2010-01-26T07:42:00.000-05:00

One thing that I have learned when working with Microsoft products is that no matter how convoluted the error message given to you is, the answer is always right there in front of you. Recently while working on our primary domain controller I noticed a single error in the logs that was constantly happening every 3-4 minutes. As you can image this will fill the logs up with messages rather quickly if left alone for a few days. I looked at the event and saw the following information:

Application Log
Source: SceCli
Event ID: 1202
Level: Warning
User: N/A
OpCode: [Blank]

Right off the bat this information is useless. I can google for the source type and event id and try to figure out what is going on. Instead Windows 2008 has some new layouts in the logs which make troubleshooting these kinds of things much easier! Scrolling further through the information available I come across the following information:

Security policies were propagated with warning. 0x534: No mapping between account names and security IDs was done.

Now based off this we are getting somewhere. Here I can tell that there is an issue with a user account being mapped to a SID. Since information "usually" don't get corrupt in an AD environment without some sort of other related issue, it lead me to believe that either the account was missing or had been from the path the policy was looking for. Now I don't know about you but I have hundreds of users and we don't really track which ones are added, deleted, disabled, etc. So now the question becomes how do I find the missing or damaged user? Well it turns out that Windows 2008 new log features can help us out again. As I continue to keep reading through the same log Windows has some recommendations on how I might be able to solve this issue (instead of the usual, "go to this Microsoft article which is usually irrelevant to the issue at hand"). The first suggestion on the list is that I look through security logs to find out which user the system "Cannot find". Windows 2008 even goes a step further to provide you with a command to use:

FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

Sure enough I run this command and it spits out:

Cannot find TsInternetUser.

Well now we are getting somewhere! I quickly do a search through our Active Directory and sure enough that user is no where to be found. A quick google check (now that I know exactly what I'm looking for) reveilles that this account is for Windows 2000 servers and Terminal Server use, and that it should actually be disabled on newer server. Just to verify I also pull up my group policies and quickly comb through a few select policies and notice that sure enough, some of them are trying to apply settings to that specific user for a legacy Windows 2000 terminal server that we have! I recreate the account in the built-in users folder, assign a strong password, then disable the account. Five minutes later I refresh the logs and what do you know:

Event ID: 1704
"Security policy in the Group policy objects has been applied successfully."

Problem solved. I think that in Windows 2008 the reporting in the logs and the ability to create custom filters is a big improvement. As you can see by this post it makes troubleshooting easier and System Admins can spend less time hunting down event IDs on google and more time managing their systems.

Windows Printer Tidbits

2010-01-21T08:25:00.000-05:00

Some tricks that I have learn when troubleshooting / dealing with Windows printers and print servers. There is a screen where you can delete the print drivers on the client computers (which isn't well documented in any Microsoft book). When you open printers and faxes where you can see all the current printers, go to File --> Server Properties. Here you will see a listing of all the currently installed print drivers which you can remove and clear out old or non-functioning print drivers. Sometimes when trying to delete them you will get an error that they are in use, you can either kill all print related tasks through the task manager or (what I find easier) just reboot the computer and it will release hold of the driver for deletion.

Another quick tip is one which I recently discovered. On our client machines they have multiple connections to different printers on the print server. Once of the connections became "stuck" and would not allow us to delete the connection. We would get errors saying "Access Denied", "The printer is in use", etc... To fix this you can actually remove the printer connection right out of the registry. Open the registry (regedit) and go to HKEY_Current_User\Printers\Connections. Under this key just look for the connection that you are trying to remove and delete that key. You can now re-establish the connection to the same printer or reconnect to a new one.

Apache & PHP Security

2010-01-20T13:37:00.002-05:00

Working on setting up some new LAMP stacks there are a few things that I do to harden the servers. Although none of these are huge security improvements they can help overall with the security of the systems. First we will look at apache. While most of the settings in apache are pretty secure there are a few tweaks which we can make to secure it a little further. You will need root privileges to make these changes as you will need to edit the main config file for apache. In Ubuntu the file is locate in /etc/apache2/apache2.conf. Add the following lines to the configuration file at the bottom:

# Prevent apache from giving away information about itself
ServerTokens ProductOnly
ServerSignature Off

# Disable the TRACE function
TraceEnable Off

The first two prevent the server from giving out its version and other information in the header of any web request. This can be used to enumerate what version (major and minor) you are running and help attackers narrow down on specific attacks against you. There are other options for "ServerTokens" which can be found in apache's documentation however the "ProductOnly" is the most secure. The second option doesn't really make your system more secure but all vulnerability scanners complain when TRACE is left on. It is basically for debugging purposes against the server, but again why give out any more information then it totally necessary to an attacker.

Next we look at PHP which only requires a single change. When you disable apache from sending out information about itself, requesting php web pages still reveals information about the version of php that you are using. Again you should protect yourself from handing out information to attackers. For this you will once more need to be root, and you should look for /etc/php5/apache2/php5.ini. This file is pretty big so make sure you know how to search using vi or nano. Search for the following variable: "expose_php", and once found make the following modification.

# Disable information disclosure
expose_php = Off

This will now prevent php from giving out any information when php pages are queried. Once you make these changes to apache and php you will need to reload/restart the apache web service in order for them to take effect. Lets take a look at the output from the server based on the changes that we made.

Before:

HEAD http://10.0.0.206/helpdesk/index.php
200 OK
Connection: close
Date: Wed, 20 Jan 2010 18:32:53 GMT
Server: Apache/2.2.11 (Ubuntu) PHP/5.2.6-3ubuntu4.4 with Suhosin-Patch mod_perl/2.0.4 Perl/v5.10.0
Vary: Accept-Encoding
Content-Type: text/html
Client-Date: Wed, 20 Jan 2010 18:32:53 GMT
Client-Peer: 10.0.0.206:80
Client-Response-Num: 1
X-Pad: avoid browser bug
X-Powered-By: PHP/5.2.6-3ubuntu4.4

After:

HEAD http://10.0.0.206/helpdesk/index.php
200 OK
Connection: close
Date: Wed, 20 Jan 2010 18:31:05 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Client-Date: Wed, 20 Jan 2010 18:31:05 GMT
Client-Peer: 10.0.0.206:80
Client-Response-Num: 1
(PHP line is completely removed)

Hopefully this gives you some security tips on apache and php hardening for your server. This also protects against information disclosure which is always a good way to stop attackers from getting information about your system.

Ubuntu Kernels

2010-01-20T10:00:00.000-05:00

Today we are looking at the kernel in Ubuntu and the different types
that are included with each version of Ubuntu. Currently I am using the
server version although most of you will be using the desktop version. To locate the current version of the kernel that you are running open a shell and type:

uname -a

For me I get:

Linux DOCSRV 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:48:10 UTC 2009 i686 GNU/Linux

From here you can determine a few things. First we have the hostname of the server that I'm on, DOCSRV. Second we can see the current kernel version which is 2.6.28-11-server. This shows that I am running the server version of the kernel (more on that later). The SMP signifies that multiprocessor support is enabled and the i686 is the architecture of the machine. This is all the information you really need. On a desktop version of ubuntu you would see the word "generic" instead of "server". Whats the difference? The generic kernel includes more support for hardware (particularly video and wireless), how it sacrifices some performance benefits because it needs to be able to run across all different types of hardware.

Another difference in the two kernels is the I/O scheduler that is used. For the desktop the kernel is set to use CFQ scheduling and for the server it uses deadline scheduling. The difference here is that deadline scheduling optomizes disk "read" for better performance, while the desktop kernel optomizes for read/writes which allows for multiple applications to be running at one time seem to flow smoother (having music playing, surfing the web, word processing, etc...).

One last difference I want to point out is a memory limit on the two different kernels. For the generic kernel which is used on desktops there is a 4GB memory limit on 32bit machines. This is actually more like 3 - 3.5 in reality. In order to get around this we can use a PAE (Physical Address Extension) enabled kernel. This will allow you to break the 4GB barrier on the 32bit machines. The other alternative is to use the 64bit version of the operating system. To get the PAE kernel installed we can run the following commands:

sudo apt-get install linux-image-generic-pae

This should pull down and install the correct PAE enabled kernel for your machine. After the install is complete you need to reboot and select the newly installed kernel. You should now be able to verify that you machine recognizes more then 4GB of memory using the "free -m" command.

There are other differences between the kernels and you can even compile a custom kernel if you wanted to however there just isn't enough room to discuss all the options or steps here. As just a quick bulletlist I will point out a few other differences:

Preemption is disabled on the server kernel
The server kenel includes support for PAE
Virtualization is better supported on the server kernel
The timer interrupt is set to 100 Hz in the server kenerl and 250 Hz in the dekstop kernel

In the end the kernel that comes with the installed version of the operating system will do for 90% of people using it. Those that want to tweak their operating system or have a better understanding can try different kernels to understand the differences. Just be aware that working with kernels can leave your system in an unstable or unusable state, so have a backup plan or know what you are doing in advance!

User Management on Ubuntu

2010-01-09T12:31:00.002-05:00

Creating users is on of those everyday things that we all have to deal with. In Windows Active Directory there is a nice little wizard that walks you through the creation of a user and some of their basic settings. While this may be useful it doesn't always allow for customization or flexibility. If you have used Ubuntu desktop (or Ubuntu server with a GUI installed) you will notice a similar setup which walks you through user creation. However we all know that every environment is different and at some point everyone wants to customize the user creation process. In Linux the advantage that you have is being able to create and manage users from the command line. This allows for scripting and complete flexibility. I mostly work with Ubuntu/Debian servers so we will look at the user creation process on there.

The first thing to note is that there are two commands that will add a user to the system, useradd and adduser. What's the difference? Well on Ubuntu adduser is actually a perl script which utilizes useradd to create users. If you would really like a deeper understanding of user creation I suggest spending some time reading the adduser script (its in perl). Although a little lengthy it is full of information of how users are created, and the checks that go into making a user. It is important to understand that during user creation each user is given a UID and a GID. This allows the system to uniquely identify users and groups. For Ubuntu the first UID is 1000 and the last is 29999, GID is also the same. These are the range allocated for "user" accounts and groups. There is another range of UIDs and GIDs (100 - 999) which are allocated for "system" accounts and groups. While logged into your Ubuntu system you can use the "id" command to get information on your UID/GID as well as groups that you are also a member of.

While some system admins spend time developing their own scripts using the useradd command this will take some work to get it down right. Again this is also a good way to build a better understanding of users and groups though. The adduser script on the other had takes a lot of the work out of making users by automating many tasks through the command line with only a little information needed. I would suggest make a few users with the adduser script and then trying to recreate the same users using your own scripts. There are two other commands which can help in user creation as well, usermod and groupmod which both edit properties of users and groups.

User management is an important part of system administration and having a good standard and handle of how users are managed and created on your system makes the administration of them much easier. When I get some time I will post some of the user creation scripts that I use for my own systems.

Ubuntu & The Nobody User

2009-11-21T20:59:00.000-05:00

There are certain programs that run on linux which require a nobody user in order to work. It's also a good idea to have a nobody account if you want to assign files to someone that no long needs access on the system and you don't want to delete their files just yet. With Ubuntu their default for the nobody user is to assign them a shell. This is a bad idea as it leaves a user account open to brute force attack. This may also be the case on other distros as well however I have only been using Ubuntu as of late. A quick for this is to just change the login shell of the nobody user. We can do this by editing /etc/shells and adding the following line to the end:

/dev/null

Save the file and run the following command to change the shell of the nobody user.

sudo chsh -s /dev/null nobody

While this doesn't bring a huge overhaul to system security it does help prevent attacks against the nobody account.

MySQL Security

2009-11-18T21:53:00.000-05:00

Yesterday I talked about SSH security in relation to a security audit that I was conducting of our internal network. I also know that we have database systems on our network (MySQL) and I needed a way to also check for either default credentials that were left when the system was setup or a way to bruteforce weak passwords. Well a little time with python and I managed to write a script that will do everything I needed. The script requires the MySQLdb package in python (which throws a warning that it is deprecate, but it still works fine). You might also want to put together some word lists for username/password combination's if you plan to use the brute forcing feature.

import MySQLdb
import sys

user_list = []
pass_list = []

def mysql_connect(u, p, ip):
        try:
                print "[+] Attempting Connection..."
                db = MySQLdb.connect(user = u, passwd = p, host = ip, connect_timeout = 5)
                print "[+] Connection Successful!\n"
                print "[+] ----------------------------------------"
                print "[+] Username: ", u, "  Password: ", p
                print "[+] IP: ", ip
                print "[+] Server Info: ", db.get_server_info()
                print "[+] ----------------------------------------"
                db.close()
                print "[-] Connection Closed\n"
                exit(0)
        except Exception:
                print "Access denied\n"
                print u, " | ", p
                print ip
                pass

# Begin main program
print ""
print "+--------------------+"
print "| MySQL Scanner v1.0 |"
print "| Written by Damian  |"
print "+--------------------+"

if(len(sys.argv) == 2):
        print "[+] Setting up default credentials list\n"
        user_list = ["admin", "administrator", "root"]
        pass_list = ["password", "admin", "", "locked"]
elif(len(sys.argv) == 4):
        print "[+] Building word list\n"
        f = open(sys.argv[2], 'r')
        for line in f.readlines():                     
                user_list.append(line)
        f.close
        print "[+] Building password list\n"
        f = open(sys.argv[3], 'r')
        for line in f.readlines():
                pass_list.append(line)
        f.close()

else:
        print "\nUsage:"
        print "\tsql_scanner.py [host]"
        print "\tsql_scanner.py [host] [word_list] [password_list]\n"
        exit(0)

ip_address = str(sys.argv[1])

for x in user_list:
        for y in pass_list:
                mysql_connect(x, y, ip_address)

print "Scan Complete\n"

SSH Security

2009-11-17T15:43:00.000-05:00

While working on an internal security audit I was looking for everything that I can relating to SSH. SSH is used on all our non-windows servers for remote management and therefore we needed to make sure that everything is secure and updated frequently. The best way I find to go about auditing things is to always have a plan in place first. First thing on the list was to perform a visual inspection of the config files to make sure that things were configured correctly. I was looking for the following during visual inspection:

A copy of the original config file accessible by only the root user
The listen address was configured correctly
The protocol was set to 2 (version 1 has many vulnerabilities)
The port which the SSH server is listening on (for extra security make it non-standard)
For security reasons, also ensure that X11 forwarding is off unless absolutly necessary

After these things have been confirmed and documented, I moved on to password cracking to ensure that all users are using strong passwords. For this I used brutessh which you can grab [http://www.edge-security.com/edge-soft.php]. This program is written in python and is very quick and efficient. For input you will need a username and a password list for the program to use. I ran this against all our severs with SSH providing the list of our users:

python brutessh.py -h 192.168.1.10 -u [username] -d [wordlist.txt]

After a few runs it returned only one user that was using a dictionary password. If it does find a password for a user it will return green text along with the password that worked. I was also careful to take note of the log messages that it was producing given that it was attempting to brute force user accounts. For here again I documented my finds and also promptly emailed the user to change his password (or I would "kindly" do it for him). There are other programs out there that will brute force different network services. I found brutessh to be lite and efficent however, as well as Hyrda.

There are also programs out there (fail2ban) that will monitor your logs and watch for password brute forcing, banning any address that exceed the threshold. Hopefully this will give you a process for auditing the security of SSH servers. In another post we will look at other services and programs like fail2ban. If you are also looking for additional security you can download and run ssh-vulnkey to check for blacklisted keys on the SSH server itself.

Better Package Searching

2009-11-16T22:18:00.000-05:00

Many people in the tech industry today have tried Linux at one point or another. Recently Ubuntu has been on the rise and is gaining popularity for its ease of use. They also make frequent updates, is pretty secure right out of the box, and is fairly straight forward to use. Personally it is the distribution that I use for my servers. One of the things that I find myself doing frequently is installing software or packages. For those of you that are familiar with the command line of Linux may be able to do this with no trouble. If you have never used the command line for this before, Ubuntu uses the APT package manager to find and install software/packages. The commands might look something like this:

apt-get install -y [package name]

The -y forces a "yes" answer to any confirmation that is normally prompted to the user. Also note that you probably need to run this command as a super user (using sudo). You can also find packages that you are looking for in a similar manner:

apt-cache search [package name]

For those of you that are used to working with the command line you may be saying "ok I know this...whats the point here". While it may be easy to find packages that are looking for and install them, not everyone knows how to query already installed packages on the system. With Ubuntu this is done using the alternative package manager dpkg. Using some command line fu we can search to see if something is already installed on the system (instead of wasting time re-installing it).

dpkg --get-selections

Now before you run off and plug this into the command line you may want to understand that this will return ALL packages installed on your system. You should probably filter your results further using the "grep" command. For example I was recently working with python and SSH and needed to know if the python-crypto package was installed. The command for that might look like this:

dpkg --get-selections | grep python-crypto

If the package was installed it will return something like:

python-crypto                              install

Suppose that I just wanted to see all packages that are installed relating to python however. You might run something like

dpkg --get-selections | grep python

This will return all packages that are related to python and installed on your system. As a last little tid bit of help with package management we will look at one other option. Going back to the python-crypto package that I was working with, suppose that I wanted to know what files are in this package. You can run the following to find the location of all files within a package:

dpkg -L python-crypto

There are many other things that you can do with the apt package manager that are not included here, such as upgrade or updating the system, removing packages, or even purging them from the system. For a quick "cheat sheet" google for fosswire Ubuntu cheat sheet. It provides a quick list of the most common commands used on Ubuntu and the apt package manager is a big part of that.

Personal Password Security

2009-11-07T23:20:00.002-05:00

In the last post I talked about password security and how some companies and even users don't bother to take password security very seriously. One that that is simple enough to do is develop a strategy which will allow you to use your own personal alogrithm to generate secure passwords. Not only will this help with password security for your personal use, but if you are an IT admin and are constantly resetting passwords it will help keep your users safe. By developing a personal algorithm for passwords it also allows you to re-create the password for a site (or user) if need be without remembering the user or site's password. This may sounds a little confusing at first but lets take a closer look to get a better understanding.

A password algorithm would require the following in order to work:

A secret code (this would be a simple easy to remember word)
A secret digit (a random number chosen by you, larger isn't always better)
Either a website name or domain name (for IT admins)

An algorithm like this will then only require you to remember the secret word & code because if you ever forget your generated password you can regenerate it!! In order to see this in action I've developed a simple python script which implements this algorithm. Remember this is just one implementation of something that can be done hundreds of different ways.

import string
import re

# Get the site & secret code that the user wants to use
print " "
print "Password Gen v1.0"
print " "
url = raw_input("Enter url or domain name: ")
digits = int(raw_input("Enter a secret digit(s): "))
code = raw_input("Enter a secret password: ")

# Strip out the generics from the site so the password isn't guessable
x = re.compile("^[^:]*://")
url = x.sub("", url)

y = string.find(url, 'www.')

if (y == 0):
   url = url[4:]

# Store url as individual chars and calculate length
url_stack = []

for c in url:
   url_stack.append(c)

if (url.endswith('.com') or url.endswith('.net') or url.endswith('.org')):
   url_len = len(url_stack) - 5
else:
   url_len = len(url_stack) - 1

# Store code as individual characters
code_stack = []

for c in code:
   code_stack.append(c)

code_len = len(code_stack) - 1

# Start building the password
p_word = code_stack[0]
p_word += str(ord(url_stack[0]) + digits)
p_word += '!'
p_word += code_stack[code_len - 1]
p_word += str(ord(url_stack[url_len].upper()) + digits)
p_word += code_stack[code_len].upper()

print "Your password is: " + p_word
print ""

Now that we have the script lets run a quick test and see how it works. I'm going to use the following credentials:

Secret Code: yellow
Secret Digit: 4
Website: www.citibank.com

Running these options through the script yields a password of: y103!o79W
Supposing that you don't want to take my word for the secure aspects of this generated password (for those of your paranoid trust no one types), you can visit the following site which checks the strength of passwords:

http://www.passwordmeter.com/

As you can verify on this site this password is rated as "Very Strong" with a score of 100! While not all passwords will score exactly 100, all should retain a rating of "Very Strong". This script when also run will strip out "http://", "www", ".com", ".net", and ".org" from any site entered as these are common on all sites and therefore make the password generation less secure. Hope you enjoy the script and even if you modify it or don't use it all remember that password security is a serious matter and should not be taken lightly inside or outside the work place.

Bad Password Policies

2009-11-04T22:15:00.000-05:00

Today I wanted to look at a company that had no regard for security. They started as a small business and rapidly grew over the last few years, however they still run their systems off of a old infrastructure that wasn't designed to scale, with no security in mind, and now runs in complete disarray. One thing that I wanted to point out off the bat is their use of default passwords. This company had a policy in place to use a single default password, except that they used this password for everything from client desktops, to servers, to hosted services. This just shows that password policies are important and time should be spent on developing a policy that will efficiently handle passwords, account lockout, and password complexity. Although having a default password policy is good for new users, or temp accounts, these accounts should be monitored and audited to ensure that the passwords are changed and that temp account are set to expire.

You can also find a good article on SANS site about things that you can do to improve security as a whole in a company, and what not to do to "suck at information security".

Cron Jobs and Scripting

2009-10-27T22:49:00.001-04:00

Today I needed a quick solution to monitor the free space on my Ubuntu server. I didn't want to setup monitoring software just to find out a quick statistic about the server's disk space so I figured I could write a script to check it for me. This would also give me a chance to practice setting up tasks via the command line with cron. My requirements for this were just to check the amount of free space on the single hard drive on the server. The output would also contain the time & date so I could get an idea of when the drive was last checked.

First a script to get the information that I need from the server. We can use the "df" command which will show information about the file system. This along with some parsing commands will give us the results that we need. The script goes something like this:

#!/bin/bash
date >> driveSpace.log
fspace=`df -h | grep sda | awk '{ print $5 }'`
echo "There is "$fspace" disk space left." >> ~/driveSpace.log

This little script creates a log file in my home directory (called driveSpace.log) which will get a "date" stamp and a single line telling me how much disk space is left on the drive. I saved this as diskSpace.sh and also left it located in my home directory. Next we will need to setup the cron command that will allow this script to run once a day to check the disk space. In order to run the cron process as a non-root user you will need to have your account listed in the /etc/cron.allow file. Now I'm working on an Ubuntu server and by default there is no cron.allow file you need to create it. If you don't the cron job will never execute. My test user is called Jake so I will add him to the cron.allow file. Use the sudo command to create the necessary file:

sudo echo Jake >> /etc/cron.allow

This will create the file and also put Jake in the file so that he now has rights to run his own cron jobs. Next we can go ahead an create a crontab file for Jake. Enter the following:

crontab -e

This will create a new crontab file (if one doesn't exist already) and then bring you into that crontab file for the user. You'll see on the top commented out the syntax that we need to use in order to create cron jobs. For our script we are going to use the following syntax:

01 04 * * * /home/Jake/diskSpace.sh

This syntax says that I want to run this script at 4:01AM every day of the week and output to the logfile specified in the script. This way I can monitor the log file to check how full my system disk is. You can get more fancy with a script like this as well making checks to see if the disk is at a certain threashold, or to email you when it breaks a certain threashold. This is just a basic example of how powerful scripting can be along side creating tasks to automate the process.

Site-to-Site VPN Overview

2009-10-19T23:00:00.001-04:00

Today we are just going to briefly look at what goes into creating a site-to-site VPN. The first part is referred to as IKE Phase 1. This is something that we will document because when creating site-to-site VPNs it is important to remember that each side must be configured the same. There are 4 things that you should document for IKE Phase 1:

Encryption Algorithm
Hashing
Authentication
Key Exchange

Out of this list we are also going to be using the encryption algorithm and authentication in IKE Phase 2. Once we have everything documented you will need to begin setting up the connection. First enable ISAKMP on each router:

Router1# crypto isakmp enable

Next we need to put the isakmp policy in place. We can do this by configuring the settings that we have previously chosen, and documented.

Router1# crypto isakmp policy 10
Router1(isakmp)# encryption aes 128
Router1(isakmp)# authentication pre-shared
Router1(isakmp)# group 2
Router1(isakmp)# hash sha

Third we are going to configure the isakmp identity which is how the clients know what the hostname is.

Router1# crypto isakmp identity

Finally for Phase 1 we will set the pre-shared keys:

Router1# crypto isakmp key address

This completes IKE Phase 1 although we will need to configure the exact same thing on both routers at each end so that they can form the initial VPN tunnel. With IKE Phase 1 setup complete we can move over to IKE Phase 2. First for Phase 2 we are going to create the transform sets:

Router1# crypto ipsec transform-set TEST1 esp-aes 128 esp-sha-hmac

Optionally we can also apply a lifetime to our IPSec tunnel:

Router1# crypto ipsec

For the third step in Phase 2 we create a set of ACLs. These are used to define what traffic is interesting and should trigger the passing over the VPN tunnel. Although we will not go into ACLs here it is important to note that they should be clearly define as to what traffic should be allowed. Finally we will apply the crypto-map.

Router1# crypto map MAP 100 ipsec-isakmp
Router1(crypto-map)# match address
Router1(crypto-map)# set peer
Router1(crypto-map)# set pfs
Router1(crypto-map)# set transform-set

This complete the creation of the Site-to-Site VPN. We can use a few different commands to verify that the output and connection are functioning properly. These commands include:

show crypto isakmp policy
show crypto ipsec sa
show crypto map
show crypto ipsec transform-set

This setup gives a general quick overview of what goes into configuring two Cisco routers for Site-to-Site VPN connections. There are other options that can be configured or manipulated for more fine tuned control and configuration. Also this can be setup via the Cisco SDM for those that are more comfortable with a GUI.

Creating and Configuring Privilege Levels

2009-09-03T20:22:00.000-04:00

When using a Cisco device's IOS you are required to login to it. With a basic login you are put into privilege level 0 which is also called user mode. This mode really has no permissions to do anything useful within the device except maybe some basic troubleshooting. To configure the device you would need to enter privilege level 15 or exec mode. What about if you want to fine tune the IOS to allow different permissions at different levels? Cisco has come up with something called "Views" which is a role based login which allows users of the particular "view" to perform certain functions. This would be helpful if you have something that is just learning to work with the Cisco IOS and you want to restrict certain commands. It is also useful for delegating certain permissions to particular devices. Creating a view isn't difficult at also so lets look at an example.

First you will need to enable AAA which stands for Authentication, Authorization, and Accounting. Without going too much into AAA right now just know that it needs to be enabled for views to work.

R1# config t
R1(config)# aaa new-model
R1(config)# end

That will enable AAA and is really all you need to get it running at the moment. Next we will need to enable the "root view" which is essentially what the Administrator has available to him/her at privilege level 15. You may need to input your exec mode password to enable it.

R1# enable view

Password:

Here we will finally get down to creating a new view. In this example we are going to create a view for a Jr. Network Engineer so that he/she can use some of the commands on the router we are working with, without destroying anything important. New views are created using the "parser" command in the IOS.

R1# config t
R1(config)# parser view JRADMIN
R1(config-view)# secret 0 S3cRetP@ssworD

This will create the view named "JRADMIN" and give the view the password shown above. The Jr. Admin can use these to login later on to gain access to the router that we are working on. Next we will need to add specific commands or a group of commands at a time which enables the Jr. Admin to actually do things. The syntax that we will use for this is as follows:

commands parser_mode {include | include-exclusive | exclude} [all] [interface interface_identifier | command]

We are going to need to give the Jr. Admin the ability to ping other devices on the network (to troubleshoot connectivity issues), as well as access to all the "show" commands so that he/she can view information about the device they are logged into. You can fine tune which "show" commands are allowed to be used, but for this example we are going to allow access to all show commands.

R1(config-view)# commands exec include all show
R1(config-view)# commands exec include ping
(Ctrl + Z)

That's really all there is too it. The view should now be ready to go and the Jr. Admin should have access to all the functions that we require of him/her. We can do some verification of the parser view to make sure that it is going to function the way that we want before giving access to our users. Let's login into the new view and test it out.

R1# enable view JRADMIN

Password:

R1# show parser view
Current view is 'JRADMIN'

R1# ?

As you can see this is a very useful feature on the IOS for delegating tasks and for helping people learn (who may not have a lot of Cisco experience). The SDM also provides some pre-configured views for working with IDS and firewalls.

Cisco Password(s) Setup

2009-09-03T19:41:00.003-04:00

Today we are looking at simple password configuration and protection on Cisco switches (this can also apply to routers as well). Diving right in we are going to configure a password for all the different methods that users have to access the switch.

S1# config t

S1(config)# enable secret Hidd3nP@ssWord

S1(config)# line con 0

S1(config-line)# password Anoth3rSecret

S1(config-line)# login

S1(config-line)# exit

S1(config)# line aux 0

S1(config-line)# password @uxp@a$$word

S1(config-line)# login

S1(config-line)# exit

S1(config)# line vty 0 4

S1(config-line)# login

S1(config-line)# password MyP@ssword

(Ctrl + Z)

Starting from the top here we are doing a couple of things. The first line enters us into configuration mode, followed by setting a password to protect exec mode on the switch. Next we configured a password for the console port of the switch which is the most common physical means of access. Next we setup a password for the auxiliary port of the switch which while rarely used is good to configure in practice of locking down security. Finally we set a password on the vty (virtual logins) which users come in on via telnet. Now that all of our interfaces have passwords setup our switch wil lbe more secure from unauthorized access. The last thing that we should look at however is the command "show running-config". After running this you will see a list similar to the configuration we did above except it will reveal all the passwords!! We don't want this to occur so that people can't see our passwords. By default on Cisco products using the "password" command in the IOS will store the passwords in clear text within the configuration files. This is not secure by any means and would be better if we can MD5 encrypt those passwords. Fortunately Cisco has one last command that we can use:

service password-encryption

This command will now take all the passwords in the configuration file and encrypt them. This will make the switch more secure and prevent people that have physical access the ability to read your passwords. You can also re-run the "show running-config" command if you'd like to verify that the passwords are now all encrypted with MD5 hashing.

Cisco Router Hardening

2009-08-30T22:47:00.009-04:00

When it comes to the security of Cisco routers, lets face it, their default options don't have security in mind. This is because there has to be a certain balance between ease of us vs security and nine times out of ten usability will always win. We will take a look at some defaults that Cisco routers come with which can be configured to provide for a more secure environment. First lets look at some services and their default states:


Unnecessary Services

BOOTP Server                  Enabled
Cisco Discovery Protocol      Enabled
PAD Service                   Enabled
TCP & UDP Minor Services      Enabled (11.3 or lower)
MOP Service                   Enabled

Common Management Services

SNMP                          Enabled
HTTP Config & Monitor         Device Dependent
Domain Name Services (DNS)    Enabled

Path Integrity

ICMP Redirects                Enabled
IP Source Routing             Enabled

Probes and Scans

Finger Service                Enabled
ICMP Notification             Enabled
IP Directed Broadcasts        Enabled (12.0 or lower)
Gratuitous ARP                Enabled
Proxy ARP                     Enabled

Each one of these services should be disabled (if not needed) as they pose security holes in your network if left enabled. Aside from the list above there are other options which you can configure to secure your router like passwords, secure remote access (SSH), and others. This can be time consuming to do each one by hand which is why Cisco has the AutoSecure feature. Integrated in IOS 12.2(18)S and greater, this feature allows you to secure your router with a simple command with verbose output of the changes. AutoSecure can be run interactively or automatically depending on your preference. The following is the syntax used for the AutoSecure feature:

auto secure [management | forwarding] [no-interact | full] [login | ntp | ssh | firewall | tcp-intercept]

If not specified "full" sit the default option that is used configuring all aspects of the router. You can run the AutoSecure feature multiple times specifying the configuration of only individual parts of the router (as shown in the command options above). You may also use the no-interact mode which will choose all the options for you in securing the router. When using the "auto secure full" option (the default) the following steps are performed:

Identify the outside interface(s).
Secure the management plane.
Create a security banner.
Configure passwords, AAA, and SSH.
Secure the interfaces.
Secure the forwarding plane.

AutoSecure also creates a backup copy of your current config in flash before running in case something happens during the securing of the router. This way if you need to revert back you can use the command "configure replace flash:pre_config.cfg" to restore your original config file.

Aside from the command line AutoSecure feature there is also a GUI version that is provided via Cisco's SDM. In the SDM under the "configure" option there is a section for Security Audit. Here there are two wizards that you can use, Security Audit Wizard and One-Step Lockdown. The security audit process consists of the following:

Determining inside and outside interfaces.
Performing an audit of various security options on the router.
Allowing the user to select which security problems must be corrected.
Creating a list of configurations to correct the indicated security vulnerabilities.
Applying the security configurations.

The One-Step Lockdown wizard provides the following:

No user-configurable options.
No reminders of what is secured.
Automatic security audit to determine vulnerabilities.

As you can see the differences here the One-Step Lockdown pretty much takes over and does everything for you, which does things simple however allows for no flexibility in configuration of the routers security. The Security Audit wizard provides you with more settings and configuration options although it does take slightly longer to configure. In the end you can use either the SDM GUI features or the CLI AutoSecure to secure your router. Regardless of which method you use you will have a more hardened router protecting you from attacks on your network. For a more in-depth look as a secure configuration you can check out the link below which provides a sample of a secure config file for a router as well as more information on the AutoSecure feature.

Cisco AutoSecure Example

Working with File Permissions

2009-08-25T15:20:00.003-04:00

Working with file permissions in Linux can be a little difficult at first as they are a little different from Windows. Linux access control is implemented via properties that are maintained seperaly for each individual file. These collective properties are called the access mode of the file. Linux uses three different classes of users:

User - person that owns the file
Group - group that owns the file
Other - all other users on the system

Permissions in Linux can be assigned one of two different ways. You can use the mnemonic or single digit to represent the permissions level. A table would be the easiest way to see the different permission types:


Read      r    4    View file contents.
Write     w    2    Write to or change.
Execute   x    1    Run the file.

There are three other pieces to file permissions that we should discuss as well. The SUID, SGID, and the sticky bit (this order is important).

SUID - the property for executable files only (has no effect on directories). When users run commands the process that the command runs under is usually owned by the user that executed the command. When the SUID bit is set the process of the program retains the ownership of who ever owns the command file to begin with (usually root). An example of this would be the passwd command which is owned by root, but allows other users access to the command.

SGID - this bit has a similar effect as SUID on executable files, however it adds another effect for directories. When the SGID bit is set on a directory, the directory's group retains ownership to anything create within that directory. For example if there is an engineering department (/home/eng) with the SGID bit set, and the engineering group owns the directory, then anyone that creates any files (regardless of group) will have their files owned by the engineering group.

Sticky - the sticky bit is also used on directories in Linux. When set it allows only the file owner, directory owner, and root to rename or delete any files within the directory. This is useful for having multiple people in a group work on files but not have access to delete or rename them.

Here is where the differences come in between mnemonic or digit usage. When creating a permissions with one of the three "special" bits listed above you must follow the following rules under mnemonics:


SUID    - changes x to s in user permissions  | numerical of 4000
SGID    - changes x to s in group permissions | numerical of 2000
Sticky  - changes x to T in other permissions | numerical of 1000

You can check the file or directory permissions with the command ls -l or stat.

One other topic that we will need to look at for file permissions is the umask. This is essentially a way for files and directories to receive a default set of permissions when they are created. You can execute the umask command with no parameters to find out the currently set umask value (usually 0022). When files are created they are given the default permissions of 666 or rw-rw-rw- and directories are given the default permissions of 777 or rwxrwxrwx. The umask takes the default permissions and modifies them according to its mask value (through subtraction). Lets look at an example for a better understanding:


Files default permissions -> rw-rw-rw- = 110 110 110 (in binary)
We subtract the umask     ->           - 000 010 010 (in binary)
                                       -------------
                                         110 100 100 (rw-r--r-- or 644)

Now you have a default permissions of 644 as shown above. This is the same with directories.


Dir default permissions   -> rwxrwxrwx = 111 111 111 (in binary)
We subtract the umask     ->           - 000 010 010 (in binary)
                                       -------------
                                         111 101 101 (rwxr-xr-x or 755)

The umask command with no parameters will output the current umask value, however it also takes a three digit argument to change the umask. As you can see umask values play an important role in file permissions.

This is everything needed for file permissions on Linux in a nutshell. I can truly say that coming from a Windows background people tend to get confused at first how the file permissions work (mostly because there are no check boxes at the command line). Some GUI programs like Gnome and KDE do make it a little easier for new users to familiarize themselves with Linux file permissions. Personally I use the numerical notation when working with file permissions because I find it easier however it is entirely up to you.

Working with Filesystems

2009-08-25T11:49:00.004-04:00

Its important to know how to work with filesystems in Linux. They contain everything necessary to run the system and store all data. There are many tools you can use to work with filesystems which allow you to add the the hierarchy, provide users with more storage space, monitor your storage space, and more. Lets take a look at a few tools that will help us out.

First we will start with the mount command, which is just a way to add a filesystem to a directory (effectively extending the existing hierarchy). When the system boots it reads the contents of the /etc/fstab file and automatically mounts the necessary file systems. We can type the mount command with no parameters and it will list all the currently mounted filesystems.

owner@owner-laptop:~$ mount

/dev/sda1 on / type ext3 (rw,relatime,errors=remount-ro)
tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
varrun on /var/run type tmpfs (rw,nosuid,mode=0755)
varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
udev on /dev type tmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)

These should all be similar to what are in the contents of the /etc/mtab file. The difference is /etc/fstab is the information of filesystems on the computer and /etc/mtab is the currently mounted filesystems. Lets take a closer look at the /etc/fstab file.


owner@owner-laptop:~$ cat /etc/fstab

# /etc/fstab: static file system information.
#
#                
proc            /proc           proc    defaults        0       0

# / was on /dev/sda1 during installation
UUID=98a7699d-79f8-43d1-af9c-1339b5d6f06d  /  ext3  relatime,errors=remount-ro 0 1

# swap was on /dev/sda5 during installation
UUID=d9e0c043-2633-49d6-bfe5-daac68162acd  none  swap  sw  0 0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto,exec,utf8  0 0
/dev/fd0        /media/floppy0  auto    rw,user,noauto,exec,utf8  0 0

Here we see six fields in use. The first is the device, which specifies the device file of the partition holding the filesystem. Second will be the mount point of where the filesystem will be mounted. Next we see the filesystem type followed by mount options, dump frequency, and finally the pass number for fsck. The first three fields should be self explanatory, while the last three could use a little explaining. The mount options field contains a list of comma-separated options used for mounting the filesystem. The dump frequency is usually set to 0 for all filesystems other then ext2 (the dump utility is not discussed here). Finally the fsck checks for file consistency and is usually run when the system dies unexpectedly, however it isn't something you want to run on every bootup so a 0 is used to disable it. The reason for understanding how the /etc/fstab file works is because as an administrator you can add your own entries in here for filesystems that you want to have automatically mounted when the system boots up. If you are just looking to mount a filesystem temporarily to use you can use the mount command to mount the filesystem and the umount command to remove it.

# Mount a CD-ROM Drive
mount -rt iso9660 /dev/hdc /mnt/cdrom

# Unmount the CD-ROM Drive
umount /mtn/cdrom

Now that you have a better hold on mounting filesystems lets take a look at monitoring them. There are two utilities that are are going to use here, the first will be the df command. The df command is used to check the disk space utilization. The most common use is with the -h switch so jumping right into an example.


owner@owner-laptop:~$ df -h

Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7.5G  2.7G  4.5G  38% /
tmpfs                 186M     0  186M   0% /lib/init/rw
varrun                186M   88K  186M   1% /var/run
varlock               186M     0  186M   0% /var/lock
udev                  186M  140K  186M   1% /dev
tmpfs                 186M  1.2M  185M   1% /dev/shm
lrm                   186M  2.4M  184M   2% /lib/modules/2.6.28-11-generic/volatile
/dev/sr0               31M   31M     0 100% /media/cdrom0

Here we can see the layout of the current directory and the utilization of the filesystem. We can use it to monitor the filesystem for low disk space, if a partition is filled, or if we can't seem to find where all our free space is going. The second of the utilities is the du command. While df looks at things more on a whole du is more used for single directories and the amount of storage space they are consuming. Du will also list all hidden files when taking into account used space. An example for du would be:

# List all files (including hidden) with their file sizes
owner@owner-laptop:~$ du -h

# Show only a summary of all files
owner@owner-laptop:~$ du -hs

The last utility we are going to look at is fsck. This is used to check for errors on the filesystem and optionally correct them. This is a commonly run utility is the system is shutdown improperly and the disk is marked as "dirty" in which case the fsck utility will attempt to check the filesystem. There are other utility like tune2fs which can be used to fine tune the filesystem however this is for more advanced users. Clearly there is a lot to look at when managing filesystems and an important part would also be proper planning before implementing the filesystem to begin with.

Working with Boot Managers

2009-08-25T07:34:00.003-04:00

In order to load the operating system the computer relies on a boot loader. It takes the boot loader and any user supplied arguments and uses them to load the kernel. The boot loader is usually found in the Master Boot Record (MBR) of the primary disk drive. The MBR occupies the first 512 bytes (also called a sector) of the primary disk and contains partition tables along with the boot loader. The boot loader reads the partition table looking for the "active" disk drive and loads the first sector of this partition. When it comes to boot loaders you have two choices in Linux, LILO or Grub (others exist these are just the most popular).

LILO - consists of a two stages. There is also something called the lilo command which we will talk about as well. The first stage is intended to find and load the second stage. This first stage is too small to do anything other then execute the second stage. Once the second stage of the boot loader has started there is a user prompt which offers customization and options for booting up the kernel. The lilo command, which is also called the map installer, is used to install and configure the boot loader. It does this by reading a config file which tells it where to find the information required to start the boot process. This can include the kernel images, video information, the default boot disk, network card information to get network activity, and so on. This is all saved for use by the boot loader later on.

Options for lilo command use:

-C config_file -> reads the config_file instead of the default config file (/etc/lilo.conf)
-m map_file -> write map_file in placeof the default
-q -> query the current configuration
-v -> increase verbose output

GRUB - unlike LILO, GRUB is very flexible supporting many operating systems and file types.

GRUB sees disk devices as follows:

(xdn[,m]) where xd is the drive, n is the number of the disk, and m denotes the partition number

GRUB expects a certain sequence of commands to be entered when booting to a Linux kernel.
Root device
Kernel filename [options]
initrd filename (optional)
boot

A sample GRUB config file:

default=0
timeout=10
splashimage=(hd0,0)/grub/splash.xpm.gz
title Ubuntu Linux (9.04)
root (hd0,0)
kernel /vmlinuz-2.6.26-28 ro root=/dev/hda5
initrd /initrd-2.6.26-28.img

As you can see the boot loaders are fairly easy to work with and allow for tweaking in many ways. The Debian system that I use has the GRUB boot loader installed. Some of the features that it supports are password protection, changing the splash screen, multiple image loading, and many others. There are many other tutorials out there which go in depth into installing the boot loader from a floppy disk (although there days you could probably use a live Cd or thumb drive). Boot loaders are also one thing that can be tweaked to allow a faster startup time of the machine, so many different settings are possible.

Understanding the Linux Filesystem

2009-08-24T19:57:00.005-04:00

In Linux filesystem has dual meanings which relate to how to physical structure of the disk is setup or it can refer to the structure and contents of a storage device. Let's take a look at the physical components first in Linux. The most common among user machines is IDE, although some systems also use SCSI. Linux defines the following:

/dev/hda - primary master IDE
/dev/hba - primary slave IDE

/dev/sda - first SCSI drive
/dev/sdb - second SCSI drive

The number 1 after a device signifies that it is the first partition of the first hard drive (ie. /dev/hda1). Up to four primary partitions are allowed. All logical devices are label from 5-15.

Moving away from the physical meaning we take a look at the structural layout of the Linux filesystem. At the top of the filesystem is the root (/), this is also known as the root directory (not to be confused with the root user directory /root). There are a number of sub-directories that are used on the system which contain config files, devices, and user data. Looking at some of the basic directories:

/bin - contains required system binaries
/sbin - contains required system binaries
/dev - contains device files
/mnt - a mount point for temporary mounts by system administrators
/etc - contains configuration information
/root - home directory for root user
/lib - contains shared libraries
/boot - holds static files used by the boot loader
/home - contains user files (this is usually placed on a separate partition)
/tmp - a temporary directory
/proc - read-only kernel information
/srv - used to serve content to network
/var - log files are located here
/usr - contains a hierarchy of directories which include user commands, source code, and documentation.

This layout is based on the filesystem hierarchy standard which tries to standardize the layout of the Linux operating system. Although many follow this layout some vendors and distributions do not so slight variety is quite common. A good Wiki article has more in depth layout of the filesystem for those interested.

http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard

There is also a more in depth guide on the layout of some individual parts of the filesystem including:

/etc
/dev
/usr
/var
/proc

There are also many guides for system administrators on how to partition systems, and where to put each sub-directory so as to make the most stable and reliable system (this does however boil down to technical and personal choice). We will look at a Debian based system as an example.

The root partition / must always physically contain /etc, /bin, /sbin, /lib and /dev, otherwise you won't be able to boot. Typically 150–250MB is needed for the root partition.

/usr contains all the user programs and is usually the part of the filesystem which takes up the most space (depending on what you plan to install). A minimum of 1.5GB should be used here, however a more realistic install would allow for 4-6GB.

/var is where all the "variable" information will which includes things like package management, updates, e-mails, web sites, etc. A recommended 300-500MB will do however you should allocate more if you plan to install numerous packages onto your system.

/tmp is a directory which won't hang onto information long. This is just a temporary place for applications to write data (like CD burning, or creating archives). Adjust the space accordingly for your needs.

/home will contain all your user data. We all know that we love to save tons of things to our computers, but keep in mind it might be better to setup quotas for your users to limit how much they can store. Don't forget it's great to give your users tons of space for saving their stuff, but you also have to back all this data up! A recommended space of 250MB / user.

Please remember that these are all just suggestions and that as always size, structure, and planning will vary!

When you are ready to start partitioning the system there are a few tools which we can use which include fdisk, cfdisk, and partman. Now again remember that we are using a Debian based distro for which partman is the recommended partitioning tool. It can create and resize partitions which makes it quite useful. Fdisk is a more advanced partitioning tool which we will leave to the gurus (or until you become more comfortable with the utility). Finally cfdisk is a menu drive partitioning tool that is very simple to use and what I would recommend using. To compliment the partitioning of the filesystem there are two other utilities which you will need to actually "create" the filesystem itself. They are mkfs and mkswap. Mkfs is used to create different types of filesystems on the partitions that you create, while mkswap creates a swap filesystem. A swap is like a scratch pad for Linux. The equivalent on a Windows machine would be the use of page filing. The complete process of setting everything up includes partitioning, formatting, and creating the actual filesystem itself. This process can be automated by installers for most distros and everything is usually put on one drive for newbies. As you become more proficient using Linux you will learn to customize your layout and moving things around to suit your needs. On a final note about Linux filesystems, partitioning and creating filesystems can erase or destroy data if you don't know what you are doing. Please backup anything that is important or try these utilities in a lab based environment first!

TFTP Server Setup

2009-07-29T19:37:00.005-04:00

So those that work with Cisco devices frequently will soon have a new appreciation of TFTP servers. If you haven't learn already they are a centralized place where you can store configuration files, IOS images, updates, and other files. This makes backup ad restoring a breeze. TFTP servers are also quite useful for the deployment world as well. Most deployment senarios require a PXE service that relies on a TFTP server to send out the needed files when the clients perform a PXE boot. We are going to look at setting up a TFTP server on a Ubuntu/Debian machine. This isn't too hard to accomplish on Fedora/Redhat either I just happen to have an Ubuntu Server. For Windows most TFTP servers aren't really configured but installed as part of a larger application (Solarwinds makes a good one).

First we are going to need to find the required files for our server role. We can hunt them down with the apt package manager:

sudo apt-cache search tftp

This will return a listing of all packages that relate to TFTP. We are going to be using tftpd-hpa as it is the most common. Issuing the command to install:

sudo apt-get install -y tftpd-hpa

We will be given a warning message that the install is using the inetd.conf file and that those using xinetd will need to manually add the configuration. Here is the configuration file that they provide when installing the package.


service tftp
{
    socket_type        = dgram
    protocol           = udp
    wait               = yes
    user               = root
    server             = /usr/sbin/in.tftpd
    server_args        = -s /var/lib/tftpboot
}

Navigate to the /etc/xinetd.d directory where you can open up any text editor. Create a file name tftp and insert the configuration file listed above. Save and exit from there and now we will need to make a change to the default configuration for the tftpd daemon which is set to exit on startup. This time we will open /etc/default/tftpd-hpa and change the daemon options.

#Defaults for tftpd-hpa
RUN_DAEMON="yes"
OPTIONS="-l -s /var/lib/tftpboot"

Save the configuration file and exit. We will also need to make one more change. When we installed the tftpd server it wrote the service settings to the inetd.conf file which we aren't using (because the xinet.d service is taking its place). We need to comment out the line that the install wrote. Open up /etc/inetd.conf and comment out the following line:

#tftp dgram udp wait root /usr/sbin...

Save and exit. Finally we will need to create the tftpboot directory which will hold all the files and folders that we can use for PXE booting or storing uploaded files that we wish to save.

mkdir /var/lib/tftpboot

Now we can start the tftp server.

sudo service tftpd-hpa start

You can now verify that the service is running correctly by using netstat:

netstat -a | grep tftp


udp     0    0 *:tftp    *:*

Now you have a complete tftp server running which you can use anywhere in your environment. For me it is mostly used to house all the backup configuration files for all things Cisco. It is important to save often when testing new things and this way I know that I have a bunch of different configuration files that are stored safely. As an example within my tftpboot directory is have a blank file called pix_config. I will use this to save my firewall configuration. From the firewall I can issue the following command to backup my configuration file:

firewall# config t
firewall(config)# tftp-server inside 172.168.1.100 /pix_config
firewall(config)# exit

The configuration file is now saved to my tftp server for safe keeping.

Cisco Password Recovery

2009-07-29T14:19:00.006-04:00

Today we'll look at the password recovery procedure for a Cisco 3550 switch. Now the commands should be similar if not the same however they do vary by model number, so your input and output may vary slightly. First we are going to connect to the switch via a console cable. For this session we are going to use telnet through the putty utility. Once connected we will power off the switch. Now on the left of the switch there is a "Mode" button which we will press and hold while plugging the switch back in. All the ports will illuminate for a short while and then port 1 will turn off. When this happens you can let go of the Mode button and the switch will tell you that the start up has been interrupted. Here is where the commands will start to come in. We start with:

switch: flash_init

switch: load_helper

Now from here your output may vary. If you are not presented with a directory full of files you can issue the command:

switch: dir flash: <-- Notice you need the : after the word "flash"

If you are already in the directory (like I was) rename the configuration file to something else so it will not load when the switch boots: switch: rename flash:config.text flash:config.old After that you should be good to reboot by using: switch: boot After the switch reboots we will need to make one other change to rip out any passwords that were previously on the switch.

switch: enable
switch# config t
switch(config)# no enable secret
switch(config)# enable secret cisco
switch(config)# enable password cisco
switch(config)# ^Z
switch# write memory

Now your switch should be good to go with the new password(s) you just configured. You can now begin building the configuration for your switch.

Error Codes

2009-07-27T08:24:00.002-04:00

So you've just installed the latest and greatest in Microsoft software and you fire it up all excited to try it out only to be given an error code. Although not everyone has such bad luck, anyone that has dealt with Microsoft's products knows that they love their error codes (there is something like 16,000 of them). Luckily there happens to be some documentation on the error codes for Microsoft products. This like has the error codes broken down into sections with a description of the error. It has actually proven quite useful in certain situation so bookmark it for reference later on.

http://msdn.microsoft.com/en-us/library/ms681381(VS.85).aspx

Here we go again...

2009-07-22T21:51:00.003-04:00

Posted yesterday (although it took some time to confirm), there is a new exploit in the works for multiple Adobe products. As it is being reported the vulnerability lies in Adobe's Flash code, however this code can also be executed via Adobe Reader. According to SANS there has been reports of PDFs being used to take advantedge of this bug, and drive-by attacks via Flash's code. Even with Javascript support disabled in Adobe Reader this attack apparently still works. On Adobe's security blog they are stating that they are looking into the issue. Although this 0day doesn't seem to be widely used at the moment, I think that it is only a matter of time. Flaws in Adobe products tend to lead to instant system compromise which tend to make them very popular for expliotation, not to mention that there is not centralized patch management for Adobe products either! Checking milw0rm today nothing seems to be up for a Point of Concept (PoC), but again it's only a matter of time. Patching apparently won't help at the moment as Adobe is still investigating the issue at this time. Here are some quick writes up of what is known so far:

http://blogs.adobe.com/psirt/
http://www.networkworld.com/news/2009/072209-adobe-pdf-flash-trojan.html?hpg1=bn
http://isc.sans.org/diary.html?storyid=6847

Best advice is to keep your anti-virus up-to-date, this way if you do get compromised you can stop the infection from spreading. Your other alternative is to cease using Adobe Reader and Flash for the time being, but we all know this is not a reality.

Update Your Java

2009-07-21T22:10:00.003-04:00

On the 15th of this month ISC SANS had a posting about updating Java. Turns out that there has been a vulnerability for this bug for a while. According to the SANS posting it just took a while for the bad guys to start incorporating the use of it. Looking though milw0rm however there is indeed a point of concept (PoC). The code posting for the exploit is a little too long to put here so instead I'll refer you to the link here. The code shows that it will load a .jnlp file from a hosted website executing an endless loop eating away at system resources. Althought there is a prompt for confirmation to run the endless loop program as this is only a PoC for educational purposes. It is advised that everyone update their Java to the newest version (Version 6 Update 14). Anything at Version 6 Update 13 or lower is vulnerable to this.

Adobe Reader Exploit

2009-07-21T21:28:00.005-04:00

Yesterday on the bugtraq mailing list someone released a point of concept (PoC) for a new flaw in the download manager for Adobe Reader. The download manager, which is powered by Nos Microsystems, installs a service with improper permissions making it possible for someone to replace the executable files with another binary file of choice. Upon next reboot of the computer it will run the replaced executable with SYSTEM privileges. This issue (according to the release) seems to affect all versions in the 9.x family. It is worth nothing however that this probably won't effect corporations that use the administrator package to deploy Adobe Reader because this doesn't use the Nos download manager.

Jumping over to milw0rm however we can see that a PoC exploit has been released for this (although it was only a matter of time). Looking at the PoC we can get a better idea of how this exploit works and impacts the system.

Adobe Download Manager Exploit PoC

C:\>sc qc "getPlus(R) Helper"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: getPlus(R) Helper
       TYPE               : 110  WIN32_OWN_PROCESS (interactive)
       START_TYPE         : 3   DEMAND_START
       ERROR_CONTROL      : 1   NORMAL
       BINARY_PATH_NAME   : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
       LOAD_ORDER_GROUP   :
       TAG                : 0
       DISPLAY_NAME       : getPlus(R) Helper
       DEPENDENCIES       : RPCSS
       SERVICE_START_NAME : LocalSystem

C:\>cacls "C:\Programmi\NOS\bin\getPlus_HelperSvc.exe"
C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <-------------- [!!!]
                                           NT AUTHORITY\SYSTEM:F

We can see here that the BUILTIN\Users group has full control to this executable. There are so many different types of attacks that can be carried out here. As pointed out on the bugtraq posting the severity and destructiveness are entirely up to the user carrying out the attack. Recently Adobe has announced that it will start patching on a consistent schedule similar to Microsoft's. At the time however there is no patch or workaround for this current issue.

Your Very Own Python Server

2009-07-20T22:08:00.006-04:00

I've been working on this assignment at work which requires a lot of testing to ensure that things are working correctly. So every time an adjustment is made I would have to log into the remote computer check it, jump back, make some changes, jump back, ad infinitum. I decided that I wanted to automate some of this process a little which would essentially require a back door to the remote computer (Windows remote desktop takes way too long). I decided that I wanted a quick and easy server application that could be run on the remote machine that I could tap into via the command line to execute a few commands and check what I needed to without changing screens or a remote login. To start out I chose Python as my programming language because it's powerful, high level, and flexible. First I had to build out the server, providing the most basic functionality possible while yet accomplishing what I needed to get done. Below is the code that I used to create the server with a few things stripped out (mostly the help_menu functions) to make the code as simple as possible. While this server may not do much it is a good starting point that can be built on very easily. If someone wanted to they could also develop this a little further and have a full fledged application for internal use. Of course server programs like these are also commonly found on compromised computers as well, used for upload and downloading files, remote host control, etc...

The Sample Server Code


from socket import *
import socket
import random
import sys
import os

# Help menu function
help_menu = "\n---- Supported Commands ----\n\n" + \
"[cmd]         - this can be any command found in the system32 folder\n" + \
"[cmd_full]    - any known application (you must use full path)\n" + \
"restart       - remote restart\n" + \
"shutdown      - remote shutdown\n" + \
"win_update    - remote update (can take time)\n" + \
"help          - display this menu" + \
"quit          - disconnects from the server\n" + \
"kill          - kills the remote server (will start again on reboot)\n" + \
"\n"

# Generate the hostname and the current ip address
hostname = socket.gethostname()
host_ip = socket.gethostbyname(hostname)

# Assign a number for the port (default of 5080)
port = 5080

# Create a buffer size (default 1024)
buf = 1024

# Tuple to hold the host and port number
x = (host_ip,port)

# Create the socket and bind it to the computer
s = socket.socket(AF_INET, SOCK_STREAM)
s.bind(x)

# Wait for connection
s.listen(1)
conn, addr = s.accept()
print "Connection from: ", addr

# Send the first menu to the client
conn.send("Welcome to mini-server\n")

# Begin server loop
while 1:

 data = conn.recv(buf)

 if data == "quit":
   print "Connection closed from: ", addr
   break
 elif data == "help":
   conn.send(help_menu)
 else:
   os.system(data)
   conn.send("Command completed")

s.close()
print "Server terminated"

Next we needed a client to connect into the server. This client like the server is also very basic and doesn't provide for much more than what I needed it for. However just like the server it can be adapted to add more features.

The Sample Client Code


import socket
import sys

# Create a connection for the client to use to connect to the server
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = sys.argv[1]
port = 5080
buf = 1024

# Setup the connection between the client and the server
s.connect((host,port))
conn = s.recv(buf)
print conn

while (1):
 # Grab data from the user to send to the server
 data = raw_input(">> ")
 if data == "quit":
   s.send(data)
   break
 else:
   # send the data to the server and get a reply back
   if(s.send(data)):
     print "Sending: ", data
     conn = s.recv(buf)
     print conn

s.close()

Hopefully you found this little bit of code useful or something that you can use for your own projects. If nothing more this serves as a great example of Python and socket programming.

Linux Firewall

2009-07-18T10:04:00.012-04:00

I decided today that it was time to finally give my home lab some attention. I'm running an Ubuntu linux server as the gateway to my lab network and it needed to be redone. After a quick OS reinstall I wanted to configure the firewall for specific needs. Although there are different ways to do this I decided to use the ufw program to manage the firewall as it is simple for new users and quick enough that I can knock out a few rules in a short amount of time. There is a GUI version for those that don't like the command line called gufw. It provides the same functionality with an easy to use interface. We will be using the command line version which is being configured over an SSH connection. By default the firewall is disabled when you install the operation system. Before we turn it on however we need to create a quick rule to allow SSH connections into the box, otherwise once we enable the firewall SSH connections will no longer be allowed and then I'll have to go configure it from the console. So we start out by creating our SSH session into the box and switching over to the root user, as this program requires root in order to do anything. For the moment we will type the following to get the firewall up and running:

# ufw allow ssh
# ufw enable
# shutdown -r now

The last line here reboots the computer which is required once the firewall has been enabled. When the system comes back up we can SSH back into the server and begin adding more specific rules for my lab. Let's take a quick look at the syntax that ufw uses which will help when creating rules.

UFW Syntax

ufw [--dry-run] enable|disable|reload

ufw [--dry-run] default allow|deny|reject

ufw [--dry-run] logging on|off|LEVEL

ufw [--dry-run] status [verbose|numbered]

ufw [--dry-run] show [raw]

ufw [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [log|log-all]
PORT[/protocol]

ufw [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [log|log-all]
[proto protocol] [from ADDRESS [port PORT]] [to ADDRESS [port PORT]]

ufw [--dry-run] app list|info|default|update

As you can see there are alot of options that we can use here. First we want to check that the firewall is actually running correctly.

# ufw status

This should return a status of "active". Now the most simple way to add rules to the firewall is just to use the very simple syntax that ufw provides. Suppose we want to add a rule that will allow users to telnet (port 23) into the gateway. The simple syntax that ufw uses is:

ufw allow|deny|reject port

So for our rule we are going to do:

# ufw allow 23

It should tell you that your rule has been added and you can verify that by checking:

# ufw status

Now something to notice here is that you will see that port 25 is being allowed from anywhere using any protocol. While this may be fine for a lab environment this is a bad habit to get into because it could lead to real attacks getting through in a real world situation. Lets remove the rule we just added:

# ufw delete allow 23

And then recreate the rule adding a little security to it:

# ufw allow telnet

- or -

# ufw allow 23/tcp

Now if you check the status of the firewall again you will notice that instead of just saying 23 it will say 23/tcp meaning that the telnet connection is enabled but only for the TCP protocol. This unwanted protocols on certain ports. The only downfall here is that you need to know which protocols are used with which ports (which isn't a bad thing to remember either). Ok so lets remove this rule again and recreate it one last time with a little more security added in.

# ufw delete allow telnet

Now this time when we create our firewall rule we want to be specific about what traffic is going to be allowed. We want to create a rule that will allow traffic from only the internal LAN (192.168.1.0/24) to the linux gateway (192.168.1.3) using the TCP protocol only and on port 23. Well that was a mouth full and we can make it happen with the following:

# ufw allow proto tcp from 192.168.1.0/24 to 192.168.1.3 port 23

Now this rule will prevent spoofing attacks from outside ip addresses being able to get into my gateway. There ar emany other things that you can do with ufw such as setting different types of logging, creating more advanced rules, and also using the --dry-run switch to show you what the effect of the rules are before they are put into place. This is also a program that can be scripted with BASH for some quick reconfiguration for testing different senarios. One thing of note with this program is that log messages are sent to the kernal log (in case you are looking for the log file). Anyone with some Cisco expereience might these similar to creating ACLs on a Cisco device. It is definetly a useful program for quick firewalling and protection.