All posts by bsdman

Currently working as an IT Manager. Worked for an OIT company as a Network Engineer in 2011. Worked for a Medical IT company as the Network Administrator 2009-2011. Worked as the Senior Systems Administrator at a computer reseller from 2005-2009. Worked as a Computer Consultant for several small companies from 2007-2009. Worked as a Computer Technician at a computer reseller from 2002-2004.

NPS Radius 2008 Cisco ASA VPN

I had IAS working on a 2003 server as a RADIUS server for authentication to a Cisco ASA for VPN connectivity. On 2008 the same job is done by NPS, and the setup is:

1. Create a RADIUS client on the NPS for the ASA: its inside address and a long, random shared secret. That secret is the only thing protecting the password exchange between the ASA and the NPS, so do not reuse it from another device.

2. Create a network policy as follows:

  1. Right click Network Policies and click New.
  2. Type a policy name, accept the defaults and click Next.
  3. Add a condition (I used a Windows group with my VPN users in it), click Next.
  4. Make sure the Access granted radio button is selected and hit Next.
  5. Select “Unencrypted authentication (PAP, SPAP)” and unselect the rest.
  6. Select No on the annoying help box.
  7. Finally select Next, then Next and Finish to complete.

3. Configure your Cisco device for RADIUS as you would have with 2k3.

PAP is needed because the ASA sends RADIUS user authentication as PAP by default; the password is only obfuscated with the shared secret on the wire, so keep the ASA-to-NPS path on a trusted network. If the ASA tunnel-group is configured for password management it can use MS-CHAPv2 instead, and the NPS policy can then be tightened to allow only that.

Migrate to new DHCP Server Microsoft

Export the DHCP database from Windows 2003:

1. On the Windows 2003 DHCP server, open a command prompt.
2. Type the following command: netsh
3. Type the following command: DHCP
4. Type the following command: server <\\Name or IP Address>
5. Type the following command: export c:\w2k3DHCPdb all

Note: You must have local administrator permissions to export the data. The "all" keyword exports every scope together with its options, reservations and leases, so the file is the complete configuration of the old server; copy it over a trusted path and delete it when the migration is done.

Import the DHCP database

1. Copy the exported DHCP database file to the local hard disk of the Windows Server 2008-based computer.
2. Install the DHCP Role on the server.
3. Stop the DHCP server service on the server. To do this, follow these steps:
  a. Log on to the target DHCP server by using an account that is a member of the local Administrators group.
  b. Click Start, click Run, type cmd in the Open box, and then click OK.
  c. At the command prompt, type net stop DHCPserver, and then press ENTER. You receive a “The Microsoft DHCP Server service is stopping. The Microsoft DHCP Server service was stopped successfully” message.
  d. Type exit, and then press ENTER.
4. Delete the DHCP.mdb file under the c:\windows\system32\DHCP folder.
5. Start the DHCP server service.
6. Right-click Command Prompt (cmd) and select Run as administrator, so the import runs from an elevated prompt.

Note: You must have local administrator permissions to import the data.

7. Type the following command: netsh
8. Type the following command: DHCP
9. Type the following command: server <\\Name or IP Address>
10. Type the following command: import c:\w2k3DHCPdb all
11. Restart DHCP and verify the database has moved over properly: every scope, its options and its reservations should show in the DHCP console. Then authorize the 2008 server in Active Directory and stop and unauthorize the 2003 server, so the two are never handing out leases for the same scopes at the same time.

Transfer FSMO Roles

These steps transfer the roles gracefully, which needs the current holder online. Seize a role (with ntdsutil) only when the old holder is gone for good, and never put that machine back on the network afterwards. Transferring the schema master requires membership in Schema Admins, the domain naming master in Enterprise Admins, and the three domain roles in Domain Admins. When finished, confirm with netdom query fsmo that all five roles point at the intended domain controller.

Transfer the Schema Master Role

Use the Active Directory Schema snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll

  1. Click Start, and then click Run.
  2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
  3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

  1. Click Start, click Run, type mmc in the Open box, and then click OK.
  2. On the File menu, click Add/Remove Snap-in.
  3. Click Add.
  4. Click Active Directory Schema, click Add, click Close, and then click OK.
  5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
  6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
  7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
  8. Click Change.
  9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

  1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
  2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

  3. Do one of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

      -or-

    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
  5. Click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.

    NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

  3. Do one of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

      -or-

    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
  5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.

Windows Firewall Base Filtering Engine Services

Had a client computer that could no longer connect to the VPN. The end-user blamed IT for changing something as it “worked before your scheduled weekend updates”. Yeah.

Turns out this guy had a rootkit, a trojan, and some malware on his system. Shame on IT for not catching it sooner, but it didn’t spread anywhere else.

Combofix, Malwarebytes, TDSS, and Stinger later, I was convinced we had got it off of his system. Unfortunately he still could not connect, because the Base Filtering Engine service and the Windows Firewall service were unable to start. Cisco’s AnyConnect client requires these two services in order to perform the necessary handshaking for a secured VPN connection. Breaking exactly these services is common malware behaviour, so a client that suddenly cannot start BFE deserves a malware check before anything else.

Found these two kick butt registry keys to fix the situation:
http://it.thelibrarie.com/utilities/firewall.reg.txt
http://it.thelibrarie.com/utilities/bfe.reg.txt

Obviously change them to .reg files and run. I generally edit them to see what they do before blindly installing registry keys from a random IT site; they are plain text, so it is easy to check that they touch nothing beyond the service keys (BFE and MpsSvc) they claim to restore. Bear in mind that once a rootkit has been on a machine, cleaners and registry repairs get the user back online but cannot prove the box is trustworthy; the safe ending is a rebuild from known-good media.

Proxmox Syslog Errors

So I run proxmox 2.1 (pve-manager/2.1/f9b0f63a). I monitor the servers with Dell’s OpenManage 6.5 and Nagios. I started noticing the following in my syslog (/var/log/syslog):

Jun 26 07:35:21 pveserver1 snmpd[2015]: error on subcontainer 'ia_addr' insert (-1)
Jun 26 07:35:21 pveserver1 snmpd[2015]: error on subcontainer 'ia_addr' insert (-1)
Jun 26 07:35:51 pveserver1 snmpd[2015]: error on subcontainer 'ia_addr' insert (-1)
Jun 26 07:35:51 pveserver1 snmpd[2015]: error on subcontainer 'ia_addr' insert (-1)

A quick check online points to SNMP: apparently this is a known net-snmp bug that was fixed upstream but still shows up with the options Debian ships by default. The workaround is to change the snmpd options.

Log in as root and edit /etc/default/snmpd:
nano /etc/default/snmpd
Change the line with SNMPDOPTS to
SNMPDOPTS='-LS6d -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid'
and the line with TRAPDOPTS to
TRAPDOPTS='-LS6d -p /var/run/snmptrapd.pid'
then save and exit. Keep the -I -smux part that Debian already includes: it stops snmpd from loading the SMUX subagent module, which would otherwise open a listener on TCP port 199.

Then restart snmpd:
/etc/init.d/snmpd restart

Watch the log file and see if you receive any more snmpd messages:
watch tail -45 /var/log/syslog
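Editing /etc/default/snmpd by hand on every node of a remote cluster is where typos creep in, so here is an added helper (my example, not from the original post) that makes the same change with a backup, is safe to run twice, and reads the result back before anything is restarted. The file path is a parameter so the edit can be rehearsed on a copy; the variable names and values below are the ones from the post, the file it is tested on is constructed.

```shell
#!/bin/bash
# Added example: set a VAR='value' line in an /etc/default style file the way
# a remote change should be made: back up the original, make the edit
# idempotent, and read the result back before restarting the daemon.

# set_default_opt <file> <VAR> <value>: replace or append VAR='value'
set_default_opt() {
  local file=$1 var=$2 value=$3 tmp
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  tmp=$(mktemp) || return 1
  if grep -q "^${var}=" "$file"; then
    # '|' as the sed delimiter keeps paths such as /dev/null out of trouble;
    # values containing '|', '&' or backslashes would need escaping first.
    sed "s|^${var}=.*|${var}='${value}'|" "$file" > "$tmp"
  else
    cat "$file" > "$tmp"
    printf "%s='%s'\n" "$var" "$value" >> "$tmp"
  fi
  if cmp -s "$file" "$tmp"; then
    rm -f "$tmp"            # already set: no backup, no rewrite
    return 0
  fi
  cp -p "$file" "${file}.bak.$(date +%Y%m%d%H%M%S)" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_default_opt <file> <VAR>: print the value with the surrounding quotes removed
get_default_opt() {
  sed -n "s/^$2=//p" "$1" | sed "s/^'//; s/'\$//"
}

# opt_has_flag <file> <VAR> <flag>: exit 0 if the flag appears in the value,
# e.g. to make sure "-I -smux" survived the edit (SMUX would listen on TCP 199).
opt_has_flag() {
  case " $(get_default_opt "$1" "$2") " in
    *" $3 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Typical use on a node (as root), then restart snmpd and watch the log:
#   set_default_opt /etc/default/snmpd SNMPDOPTS "-LS6d -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid"
#   set_default_opt /etc/default/snmpd TRAPDOPTS "-LS6d -p /var/run/snmptrapd.pid"
#   opt_has_flag /etc/default/snmpd SNMPDOPTS "-I -smux" && /etc/init.d/snmpd restart
```

The backup file next to the original is what you roll back to over the KVM if snmpd refuses to start; the read-back with opt_has_flag is there so the restart only happens when the options are what you expect.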

Proxmox Ubuntu Debian Force Reboot

I had a cluster of proxmox servers (debian) that refused to reboot. I had just run some updates as part of the monthly maintenance schedule and issued the “reboot” command. I have molly-guard installed, so I had to type the name of the server as well, but they were just sitting there.

Checked /var/log/messages for any ideas: system preparing for reboot.

The server continued to function as it had before the reboot command; I could use apache, ssh, webmin, etc. all fine. As the servers are located at a not-close datacenter AND I have KVM control from any VPN connection, I decided to try to find a way to force it down. Unfortunately our DC does not allow us to control the smart PDUs installed in each rack as they retain the right to remotely monitor our power consumption.

After a short search on my favorite g search engine site, I came across this:
echo 1 > /proc/sys/kernel/sysrq
echo b > /proc/sysrq-trigger

As soon as you hit enter on the second command the server will drop and start to reboot. Two things are worth knowing before using it. “b” is an immediate reset that does not sync or unmount anything, so write “s” (sync) and then “u” (remount read-only) to the trigger first and give each a second to complete. And kernel.sysrq only governs invocation from a keyboard or serial console; root can always write to /proc/sysrq-trigger, so the first line is not needed here, while setting it to 1 enables every SysRq function for anyone with console access until it is set back (a mask such as 176 keeps just sync, remount and reboot).
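Here is an added example (mine, not from the original post) that puts those two caveats into a script: it decodes the kernel.sysrq bitmask so you can see what a given value permits, computes the least-privilege mask for the functions you actually want, and sends the sync, remount, reboot sequence in order. The bit values are the ones documented in the kernel's sysrq.rst; the trigger path is a parameter only so the sequence can be rehearsed against a scratch file instead of /proc/sysrq-trigger.

```shell
#!/bin/bash
# Added example (not from the original post): decode the kernel.sysrq bitmask
# and do the emergency reboot in the order that does not lose dirty data.
# 0 disables SysRq from the keyboard, 1 enables every function, and any other
# value is a bitmask of the functions allowed. The mask governs keyboard and
# serial-console invocation only; writes to /proc/sysrq-trigger by root are
# always honoured.
SYSRQ_BITS="loglevel:2 keyboard:4 debug:8 sync:16 remount:32 signal:64 reboot:128 nice:256"

# sysrq_allows <function> <mask>: exit 0 if the function is enabled for the keyboard
sysrq_allows() {
  local fn=$1 mask=$2 entry bit
  [ "$mask" -eq 1 ] && return 0
  for entry in $SYSRQ_BITS; do
    [ "${entry%%:*}" = "$fn" ] || continue
    bit=${entry##*:}
    [ $(( mask & bit )) -ne 0 ] && return 0
    return 1
  done
  return 2   # unknown function name
}

# sysrq_mask <function>...: print the smallest mask that enables just those functions
sysrq_mask() {
  local total=0 fn entry
  for fn in "$@"; do
    for entry in $SYSRQ_BITS; do
      [ "${entry%%:*}" = "$fn" ] && total=$(( total | ${entry##*:} ))
    done
  done
  echo "$total"
}

# emergency_reboot [trigger-file]: 's' flushes dirty pages, 'u' remounts every
# filesystem read-only, 'b' reboots without doing either, so send them in that
# order. The trigger path defaults to the real /proc/sysrq-trigger; pass a
# scratch file to rehearse. Each key sent is echoed so the sequence is logged.
emergency_reboot() {
  local trigger=${1:-/proc/sysrq-trigger} key
  for key in s u b; do
    printf '%s\n' "$key" > "$trigger" || return 1
    echo "$key"
    sleep "${SYSRQ_DELAY:-1}"        # give the kernel a moment between keys
  done
}

# Stand-alone use: report the current mask and the least-privilege alternative to 1.
if [ -r /proc/sys/kernel/sysrq ]; then
  echo "kernel.sysrq is $(cat /proc/sys/kernel/sysrq); sync+remount+reboot only would be $(sysrq_mask sync remount reboot)"
fi
```

On a stuck node the call is simply emergency_reboot as root; if you do want keyboard SysRq available afterwards, write the value from sysrq_mask to /proc/sys/kernel/sysrq rather than 1.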

Security Onion

After reading some more SANS security documents I was pointed toward Security Onion as my go-to for IDS/IPS. I had been using snorby TKL by smooth-sec (Bailey.st), but it wasn’t doing a great job and the documentation was lacking. Security Onion is more of a resource hog but offers quite a few awesome tools. Here is my basic setup to get Security Onion working properly:

Download ISO, burn, Install on a server (Dell PE1850, 2x 2.8GHz Xeon, 16GB RAM, Mirror 300GB SCSI)

Set a root password (I still dislike all this “sudo this” and “sudo that”)
sudo passwd root

Update Operating system
apt-get update
apt-get upgrade

Update Onion (this fetches the upgrade script over plain http and runs it as root; save it first and read it before running it)
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Turn off the sensor for eth1 (assuming eth0 is the mirror port and eth1 is the LAN)
nsm_sensor_ps-stop --sensor-name=YOURSERVERNAME-eth1
nano /etc/nsm/sensortab
Comment out the interface to disable it.

Reboot
reboot

Remove SIDs/Block Addresses (*OLD*)
Disabling a SID stops snort from reporting on that rule at all; the traffic is still captured, it just never alerts. By default ALL rules are enabled.
nano /etc/pulledpork/disablesid.conf

1:1411-1:1419,1:OTHERRULES,1:ETC

/usr/local/bin/pulledpork_update.sh
nsm_sensor_ps-stop
nsm_sensor_ps-start

Remove SIDs/Block Addresses (*NEW*)
Same idea, but the config and the update script moved in the newer Security Onion:
nano /etc/nsm/pulledpork/disablesid.conf

1:1411-1:1419,1:OTHERRULES,1:ETC

/usr/bin/rule-update
nsm_sensor_ps-stop
nsm_sensor_ps-start

A BPF exclusion is different from disabling a SID: the sensor processes on that interface never see the matching traffic, so there is no alert and no packet capture for it. By default everything on the mirror port is inspected. Keep exclusions as narrow as you can (the monitoring host's SNMP polls rather than the whole host), because anything excluded is a blind spot if that host is ever compromised.
nano /etc/nsm/YOURSERVERNAME-eth1/bpf.conf

Add the following template:

#Nothing from src host to dst port
!(src host xxx.xxx.xxx.xxx && dst port 161) &&
#Nothing from src host to dst host and dst port
!(src host xxx.xxx.xxx.xxx && dst host xxx.xxx.xxx.xxx && dst port 80) &&
#Nothing to or from:
!(host xxx.xxx.xxx.xxx) &&
#Last entry has no final &&
!(host xxx.xxx.xxx.xxx)

nsm_sensor_ps-restart
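The trailing "&&" in that template is the usual way to take the sensor down with a filter that will not compile, so here is an added helper (mine, not Security Onion's own tooling) that builds bpf.conf from a plain list of exclusions: one clause per line, comments allowed, every clause negated and joined correctly. The exclusion list and the addresses in it are constructed for the example; the sensor directory name follows the post.

```shell
#!/bin/bash
# Added example (not from the original post): assemble the sensor's bpf.conf
# from a readable list of exclusions. Input is one BPF clause per line, '#'
# comments and blank lines ignored. Each clause is negated and the clauses are
# joined with ' && ' with no operator after the last one.

# build_bpf <exclusions-file>: print the filter expression
build_bpf() {
  local line filter=""
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                        # drop comments
    line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    [ -z "$line" ] && continue
    if [ -n "$filter" ]; then
      filter="$filter && !($line)"
    else
      filter="!($line)"
    fi
  done < "$1"
  printf '%s\n' "$filter"
}

# write_bpf <exclusions-file> <bpf.conf>: back up the old file and write the new one;
# refuses to write an empty filter, which would otherwise silently capture everything
write_bpf() {
  local filter
  filter=$(build_bpf "$1") || return 1
  [ -n "$filter" ] || { echo "refusing to write an empty filter" >&2; return 1; }
  [ -f "$2" ] && cp -p "$2" "$2.bak.$(date +%Y%m%d%H%M%S)"
  printf '%s\n' "$filter" > "$2"
}

# Constructed sample: keep the monitoring host's SNMP polls and one backup job
# out of the capture; everything else on the mirror port stays visible.
EXCLUSIONS=$(mktemp)
cat > "$EXCLUSIONS" <<'EOF'
# Nagios host polling SNMP on the sensor's LAN
src host 192.0.2.10 && dst port 161
# backup traffic between the two backup hosts
src host 192.0.2.20 && dst host 192.0.2.21 && dst port 873
# a host we never want to see at all
host 192.0.2.99
EOF
build_bpf "$EXCLUSIONS"
rm -f "$EXCLUSIONS"

# On the sensor (as root) the real call would be:
#   write_bpf /etc/nsm/exclusions.txt /etc/nsm/YOURSERVERNAME-eth1/bpf.conf
```

Before restarting the sensor, compile the new expression as root on the sensor with tcpdump -i <interface> -d "$(cat /etc/nsm/YOURSERVERNAME-eth1/bpf.conf)"; a non-zero exit means the filter will not load and the backup file is what you put back.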