Category Archives: Linux

The Linux Category actually encompasses *BSD, RH, Fedora, Ubuntu, and the like.

Linux, Networking

Security Onion

1 Comment

After reading some more sans security documents I was pointed toward Security Onion as my go-to for IDS/IPS. I had been using snorby TKL by smooth-sec (Bailey.st), but it wasn’t doing a great job and the documentation was lacking. Security onion is more of a resource hog but offers quite a few awesome tools. Here is my basic setup to get Security Onion working properly:

Download ISO, burn, Install on a server (Dell PE1850, 2x 2.8GHz Xeon, 16GB RAM, Mirror 300GB SCSI)

Added Root User – I still dislike all this “sudo this” and “sudo that”
sudo passwd root

Update Operating system
apt-get update
apt-get upgrade

Update Onion
sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

Turn off sensor for Eth1 (assuming Eth0 is mirror port and Eth1 is LAN)
nsm_sensor_ps-stop --sensor-name=YOURSERVERNAME-eth1
nano /etc/nsm/sensortab
Comment out the Interface to disable

Reboot
reboot

Remove SIDs/Block Addresses (*OLD*)
Block SIDs will stop snort from even reporting the issue – by default ALL rules are enabled
nano /etc/pulledpork/disablesid.conf

1:1411-1:1419,1:OTHERRULES,1:ETC

/usr/local/bin/pulledpork_update.sh
nsm_sensor_ps-stop
nsm_sensor_ps-start

Remove SIDs/Block Addresses (*NEW*)
Block SIDs will stop snort from even reporting the issue – by default ALL rules are enabled
nano /etc/nsm/pulledpork/disablesid.conf

1:1411-1:1419,1:OTHERRULES,1:ETC

/usr/bin/rule-update
nsm_sensor_ps-stop
nsm_sensor_ps-start

Blocking IPs will stop snort from worrying about certain hosts – by default ALL hosts are worried
nano /etc/nsm/YOURSERVERNAME-eth1/bpf.conf

Add the following template:

#Nothing from src host to dst port
!(src host xxx.xxx.xxx.xxx && dst port 161) &&
#Nothing from src host to dst host and dst port
!(src host xxx.xxx.xxx.xxx && dst host xxx.xxx.xxx.xxx && dst port 80) &&
#Nothing to or from:
!(host xxx.xxx.xxx.xxx) &&
#Last entry has no final &&
!(host xxx.xxx.xxx.xxx)

nsm_sensor_ps-restart

Linux

Change Default Page In Apache

Leave a comment

Running on Debian 6/Ubuntu 10.04.4.

Add the .htaccess file in the directory you want to change the default page:
nano .htaccess
Add the DirectoryIndex configuration
DirectoryIndex home.htm index.html
Save and quit
This will make home.htm the newest default page

Linux

Samba Logging on Ubuntu

Leave a comment

Should work with debian also.
Ubuntu 10.04.4 LTS x32 system fully patched with LAMP, SSH, and Samba already installed
* Installed samba via the webmin interface

Install the local syslog server
apt-get install sysklogd

Edit the syslog server
nano /etc/syslog.conf

local7.* /var/log/samba/log.audit

Save and exit
touch /var/log/samba/log.audit
/etc/init.d/sysklogd restart

Edit Samba to enable the logging
nano /etc/samba/smb.conf

vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = LOCAL7
full_audit:priority = NOTICE

Save and Exit
/etc/init.d/smbd restart

You should now notice the file attempts at /var/log/samba/log.audit

Linux

Show Version of Python

Leave a comment

I needed to know what version of python I was running, so I immediately tried:
python -v

No dice.

What does get me the version:
python
import sys
print sys.version

And then I noticed that as soon as I get into Python the version is displayed. Palmface.

Linux, Networking

Proxmox 2.0RC1 LAN Setup

Leave a comment

Here is my hardware:
3x R610 Servers with 4x onboard broadcom gigabit interfaces and 4x riser intel gigabit interfaces
2x Dell 6224 iSCSI managed L3 switches with 20Gbps stacking cables (iSCSI and Backup)
1x Dell Equalogics SAN (24X 2.5″ 600GB SAS) P4100X
1x Cisco 3560X switches (LAN)

And my situation:
I needed to get the 3 R610 servers to communicate to the SAN LUN(s), a backup network, and the user LAN via the above equipment list. And it needed to be fairly quick – iSCSI over ethernet with bonded gigabit connections quick.

My configuration per proxmox server:
prox_lan_setup.txt
I made it a text document as that’s a lot easier to see.

Unfortunately I learned that Equallogics SAN will not use Bonded connections – they want MPIO. My configuration now has MPIO for iSCSI and LACP (802.3ad) for the LAN.

Linux

Dell OMSA Proxmox R610

1 Comment

Just purchased a new R610 for running Proxmox 2.0RC1, but I needed a way to get OpenManage on there.

I followed a sara.nl link page to get an old version of OMSA installed. It worked great minus the small problem of not having a storage controller available. Apparently the new PERC6i controller requires OMSA 6.3 or higher. Well, I may as well go with 6.5. Fortunately for me, Dell finally released both Ubuntu 10.04 and Debian 6 binaries AND install instructions. I had to alter them a little bit for my prox environment, so here goes:

aptitude update
aptitude full-upgrade
reboot
echo 'deb http://linux.dell.com/repo/community/deb/latest /' | tee -a /etc/apt/sources.list.d/linux.dell.com.sources.list
gpg --keyserver pool.sks-keyservers.net --recv-key E74433E25E3D7775
gpg -a --export E74433E25E3D7775 | apt-key add -
apt-get update --allow-unauthenticated
apt-get install srvadmin-all
service dataeng start
service dsm_om_connsvc start
To get this to auto start on reboot: update-rc.d dsm_om_connsvc defaults
https://ipofserver:1311

Login as root and your root password.

If you receive an error with apt-get update –allow-unauthenticated, all I did was cat /etc/apt/sources.list.d/linux.dell.com.sources.list and then re-run the command.

Linux

PCI Audit vs Ubuntu Server

Leave a comment

I was in the midst of my first ever PCI audit – the company I was doing work for wanted to start taking credit card orders over their website. I thought it would be easy – the website was a wrap-around of the credit card company’s authorization site, so no numbers ever touched the company-owned systems. Unfortunately the security firm required all external facing IP addresses to test. One of those IP addresses pointed to an Ubuntu 10.04.4LTS system that was running Owncloud software on apache (think DAV for multiple users via web interface).

So the PCI audit returns with a giant FAIL. Apache is out of date!

apache2 -v
2.2.14
This version came out in October of 2009.

So I edited the apt sources list to grab a newer file:
nano /etc/apt/sources.list
And added:

deb http://us.archive.ubuntu.com/ubuntu/ oneiric main
deb-src http://us.archive.ubuntu.com/ubuntu/ oneiric main

apt-get update
apt-get install apache2
apache2 -v
2.2.20
This version came out in August of 2010

Run the PCI compliance test again – FAIL. Apparently they require 2.2.21 or higher. The only issues I could find with 2.2.20 deal with mods being enabled that they don’t use, or .htaccess permissions that they also don’t use. OK, so let’s go up another version.

nano /etc/apt/sources.list
Add:

deb http://us.archive.ubuntu.com/ubuntu/ precise main
deb-src http://us.archive.ubuntu.com/ubuntu/ precise main

apt-get update
apt-get install apache2
apache2 -v
2.2.22
This version came out in January of 2012

I verified the site was still working. Make sure you comment out the sources.list precise and oneiric otherwise you’ll have lots of update issues down the road.

Source generator:
http://repogen.simplylinux.ch/generate.php