2/28/2010

Snort sniff honk !

Snort is an open source intrusion detection system (IDS). It's highly configurable and can be run in a number of modes and architectures, and there are a small number of freely available rule sets to use. For more information refer to the Snort home page http://www.snort.org/. Here are some instructions on getting it set up on CentOS; these were adapted from the Snort documentation by Patrick Harper at http://assets.sourcefire.com/snort/setupguides/Snort_Base_Minimal.pdf:

  1. yum install mysql mysql-bench mysql-server mysql-devel mysqlclient10 php-mysql httpd gcc pcre-devel php-gd gd mod_ssl glib2-devel gcc-c++ php php-pear libpcap-devel
  2. vi /etc/httpd/conf/httpd.conf #Edit the httpd.conf file to suit
  3. /etc/rc.d/init.d/httpd start
  4. /etc/rc.d/init.d/mysqld restart
  5. /usr/bin/mysql_secure_installation
  6. cd /root
  7. mkdir snortinstall
  8. cd snortinstall
  9. wget http://dl.snort.org/snort-current/snort-2.8.5.3.tar.gz
  10. tar zxvf snort-2.8.5.3.tar.gz
  11. cd snort-2.8.5.3
  12. ./configure --with-mysql --enable-dynamicplugin # Fingers crossed it all goes well
  13. make
  14. make install
  15. /usr/sbin/groupadd snort
  16. /usr/sbin/useradd -g snort snort -s /sbin/nologin
  17. mkdir -p /etc/snort/rules
  18. mkdir -p /var/log/snort
  19. cd /root/snortinstall/snort-2.8.5.3/etc
  20. cp ./* /etc/snort/
  21. cd /root/snortinstall
  22. wget http://www.emergingthreats.net/rules/emerging.rules.tar.gz
  23. tar zxvf emerging.rules.tar.gz
  24. cd rules
  25. cp ./* /etc/snort/rules/
  26. vi /etc/snort/snort.conf # Edit the snort.conf file to suit
  27. /etc/rc.d/init.d/mysqld start
  28. mysql -u root -p mysql # Create the snort database and snort database user and set permissions
  29. cd  /root/snortinstall/snort-2.8.5.3/schemas
  30. mysql -u snort -p snort < create_mysql
  31. pear install -a Image_Graph-alpha Image_Canvas-alpha Image_Color Numbers_Roman
  32. cd /root/snortinstall/
  33. wget http://downloads.sourceforge.net/project/adodb/adodb-php5-only/adodb-510-for-php5/adodb510.tgz?use_mirror=transact
  34. wget http://downloads.sourceforge.net/project/secureideas/BASE/base-1.4.4/base-1.4.4.tar.gz?use_mirror=transact
  35. cd /var/www
  36. tar zxvf /root/snortinstall/adodb510.tgz
  37. mv adodb5/ adodb # BASE looks for the ADOdb library under this directory name
  38. cd /var/www/html/
  39. tar zxvf /root/snortinstall/base-1.4.4.tar.gz
  40. mv base-1.4.4/ base
  41. cd base
  42. cp base_conf.php.dist base_conf.php
  43. vi base_conf.php # Edit the file to suit
  44. # Load http://SERVERNAME/base in a browser and click on the setup link
  45. # Click on Create BASE AG button
  46. # Click on the Main Page link
SQL
  1. create database snort;
  2. create user 'snort'@'localhost' identified by '';
  3. grant create, insert, select, delete, update on snort.* to snort@localhost;
  4. grant create, insert, select, delete, update on snort.* to snort;

    2/21/2010

    Timing is everything...

    Having the correct clock timestamp is very important for logging, maintenance, troubleshooting and even forensic analysis. Timing provides a very important frame of reference for network devices, such as hosts, routers and switches. It would be almost impossible to construct a reliable model of an environment without having a standard and accurate frame of reference, thus timing is everything...

    The Hardening Cisco Routers book provides a good reference on the importance of Network Time Protocol (NTP), and can be found at http://oreilly.com/catalog/hardcisco/chapter/ch10.html. NTP is a very popular way to synchronise system clocks with a central trusted server. Here's a rough guide to getting NTP running on a Linux server:

    1. sudo yum install ntp # Install the NTP client
    2. sudo vi /etc/ntp.conf # Edit the configuration file to use the nearest server pool. Refer to www.ntp.org to get the pools.
    3. sudo mv /etc/localtime /etc/localtime~ # Back up the localtime file
    4. sudo ln -s /usr/share/zoneinfo// /etc/localtime # Ensure that the correct localtime file is set for your city
    5. sudo ntpdate # Set the date via NTP from the pool specified*
    6. sudo /etc/rc.d/init.d/ntp start # Start the NTP client daemon
    7. ntpstat # Check that the system clock is synchronised
    8. date # Check that the system date is set correctly
    9. sudo hwclock -w # Set the hardware clock to the system date
    *Note: Ensure that the host allows traffic on port 123 for the NTP protocol to work.
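    The post checks synchronisation with ntpstat; the following added example (not part of the original post) does the same check over the peer table printed by "ntpq -p", which is assumed to be installed alongside ntpd. The "*" in the first column marks the peer the daemon is actually synchronised to, the "reach" column is an octal shift register of the last eight polls, and SAMPLE_NTPQ is constructed output.

```shell
#!/bin/sh
# Parse "ntpq -p" output to confirm that the daemon has a system peer, that the
# peer answered all of the last eight polls (reach 377) and that the clock
# offset is within tolerance. SAMPLE_NTPQ is constructed sample output.

SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 203.0.113.5      2 u   33   64  377   12.345   -0.812   0.410
+ntp2.example.net 203.0.113.6      2 u   20   64  377   15.001    1.230   0.512
 ntp3.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Print the hostname of the system peer (the line starting with "*"),
# or nothing when the daemon is not synchronised to anyone.
ntp_sys_peer() {
    awk '$1 ~ /^\*/ { sub(/^\*/, "", $1); print $1; exit }'
}

# Print the system peer's offset in milliseconds (column 9), or nothing.
ntp_sys_offset() {
    awk '$1 ~ /^\*/ { print $9; exit }'
}

# Verdict for a monitoring check. Reads ntpq -p output on stdin; the optional
# argument is the offset tolerance in ms (default 100).
#   ok                -> synced, reach 377, |offset| <= tolerance
#   unstable reach N  -> synced but recent polls were missed
#   drifting X ms     -> synced but offset beyond tolerance
#   unsynchronised    -> no "*" line at all
ntp_sync_verdict() {
    tolerance_ms=${1:-100}
    awk -v tol="$tolerance_ms" '
        $1 ~ /^\*/ {
            found = 1
            off = $9 + 0; if (off < 0) off = -off
            if ($7 != "377") print "unstable reach " $7
            else if (off > tol) print "drifting " $9 " ms"
            else print "ok"
            exit
        }
        END { if (!found) print "unsynchronised" }'
}
```

    Feed it live data with "ntpq -p | ntp_sync_verdict 50"; the sample can be replayed with printf '%s\n' "$SAMPLE_NTPQ".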

    2/20/2010

    Linux Jump Box VPN

    With the Linux Desktop out of the way, and my impending studies in Network Security coming up, I thought I'd preempt the studies with some initial ground work on my old Linux server. Previously we had an old server at home that was used mostly as a web proxy (Squid) and Windows file (Samba) server to share files and the home printer.

    Well, it was time for a change and I decided to rebuild it into a bastion jump box, with a restructure of the home network as well. I started off by installing a second Network Interface Card (NIC) in it. Then I installed a bare CentOS on it. I did a yum update to ensure the latest patches and stable packages were installed. Next I went through the services and disabled all the unnecessary stuff.

    The idea is to separate the internal network from the De-militarized Zone (DMZ). The purpose of the jump box is to sit on the DMZ between the access and choke routers. The jump box will provide Virtual Private Network (VPN) access into the network, as well as providing proxy services such as web proxy, syslog, ssh and other services.

    In the network, both the access and choke routers perform Network Address Translation (NAT), Quality of Service (QoS), as well as stateful packet inspection (SPI) firewall functions. In addition to SPI, the choke also performs some port forwards to the jump box and the SIP phone. All other traffic is dropped.

    So to get home from university, I need to VPN in, then use SCP to transfer my files (assignments, reports, etc) and get out again.

    To install OpenVPN, perform the following tasks:
    1. sudo wget http://centos.karan.org/kbsingh-CentOS-Extras.repo
    2. sudo yum --enablerepo=kbs-CentOS-Testing install openvpn
    3. sudo find / -name "easy-rsa" # returns something like "/usr/share/openvpn/easy-rsa/"
    4. sudo cp -R /usr/share/openvpn/easy-rsa /etc/openvpn/
    5. cd /etc/openvpn/easy-rsa/2.0/ # cd is a shell builtin, so "sudo cd" has no effect
    6. sudo mkdir keys
    7. sudo vi ./vars
    8. Change the following variables
      1. export KEY_SIZE=2048
      2. export KEY_COUNTRY=""
      3. export KEY_PROVINCE=""
      4. export KEY_CITY=""
      5. export KEY_ORG=""
      6. export KEY_EMAIL=""
    9. sudo bash
    10. source ./vars
    11. ./clean-all
    12. ./build-ca
    13. ./build-key-server server #server is the unique name to identify the server
    14. ./build-key client #client is the unique name to identify the client (repeat for each client)
    15. ./build-dh
    16. find / -name "server.conf" # returns something like "/usr/share/doc/openvpn-2.1/sample-config-files/server.conf"
    17. cp /usr/share/doc/openvpn-2.1/sample-config-files/server.conf /etc/openvpn
    18. Edit the file to suit
    19. Copy the Diffie-Hellman pem file (dh2048.pem), the server key file (server.key), and the CA certificate file (ca.crt) to the working directory and start the OpenVPN server (/etc/rc.d/init.d/openvpn start).

    12/21/2009

    Linux for the Desktop

    I have mostly been a Linux from the command line kind of person. I would rarely come across X Windows. Recently I decided to experiment with Linux for the desktop. Needless to say I have heard people raving about Ubuntu. Furthermore I have mostly been a Red Hat user, and had only used the Debian distribution briefly in the past.

    I got the Ubuntu 9.10 Netbook Remix off the Australian PC Authority magazine to have a bit of a play with. It was good because it actually let me resize the existing partitions on my notebook. I had a play, and was moderately impressed by it. The interface was reasonably fluid and the performance was ok. However it was not to my liking. I felt that it lacked a lot of features and flexibility, which would be ideal for the average desktop user just looking for netbook features.

    Needing more features and a complete set of Linux utilities and applications, I downloaded the Ubuntu 9.10 Desktop ISO image and installed off the CD. The first step was to update all the packages; for some reason the Australian servers were not reachable and the connection timed out. I changed the "Update Manager" "Settings" to "Download from:" the "Main Server". This worked well.

    Next step was to make it look like an Apple Mac :) using the Mac4Lin installation. Before running the installation program I had to execute "sudo apt-get install emerald" to make things a bit easier. A previous Google search suggested creating the following folders "~/.themes" and "~/.icons". This was done and I ran the install script. So far so good.


    Now to get the AWN (Avant Window Navigator) dock working: "sudo apt-get install avant-window-navigator". 10 seconds and a couple of automatic dependency installs later the "Awn Manager" was available under "Preferences", and after adding the Mac4Lin theme in AWN, and setting it to auto start, I launched the AWN and there was much coolness to be observed...

    To get the complete look you need to go through all the steps in the PDF manual available from Mac4Lin, but the end result is quite satisfying in a cheesy sort of way. For people like me who cannot afford to pay for a proper Apple Mac, this poor man's Mac combines a GUI similar to Apple's with the flexibility of a stable Linux distribution.

    12/05/2009

    CCNA - Frame Relay

    It appears I did get it working, but for some reason I cannot ping the local interface on the routers. If anyone is after the config and the network file for dynamips just drop me an e-mail or something, but there are heaps of them on the net already, and there is nothing special about the one I have.

    Basically the idea of the lab was to set up static routes to the loopback interfaces on the remote routers. The important concepts learnt were:
    • Understand the importance of a route back from the remote router.
    • Configure a static route using a router (exit) interface
    • Configure a static default route with a next hop router

    11/30/2009

    CCNA Studies - continued...

    I've finally been able to get some time to get back into CCNA studies. Decided to put my GNS3/dynamips setup online, as well as my notes as I make progress. Not sure if it may be useful to anyone as there is already a lot of good resources out there, but I figured this way I'll have access to it online as well instead of getting into the server at home.

    Basically at the moment I am going through the Train Signal videos that I borrowed off a friend, who is now doing his CCNP. So the labs at the moment are from the videos, by Chris Bryant... he has an awesome blog with lots of videos, tutorials and practice exams: http://thebryantadvantage.blogspot.com.

    I started the lab prep work by trying to set up a Frame Relay hub and spoke topology network on GNS3. Speaking of dynamips, it's heaps faster to load the IOS if the image has been expanded already. I found Zipeg http://www.zipeg.com quite useful for this purpose.

    Anyways, I built a frame relay network on GNS3 and it would not work. So I upgraded to the current version of GNS3 and tried again. Still no go. Frustrated, I posted an angry message on twitter, facebook and linkedin and gave up on this temporarily...

    11/29/2009

    Make ringtones from your iTunes music

    It's really sucky how you cannot use your existing iTunes music as your ringtones. I mean you have already paid for the music so why not let you use it directly. Instead you either need to buy them as ringtones off the iTunes Store or convert them.

    The simplest way I found was to use iTunes itself to perform the conversion for you. Basically you need to listen to your music and determine how much of it you'd like to use for your ringtone, convert the song, import it into iTunes and then sync your iPhone.

    Here's the step-by-step using iTunes 9

    1. Launch iTunes 9
    2. Select Music and listen to the song
    3. Determine the start time and end time of your ringtone (recommend 30 seconds)
    4. Right-click the song and select Get Info
    5. Select the Options tab
    6. Tick the start and end time boxes and type in the start and end times determined earlier
    7. Click the OK button to close the dialog box
    8. Right-click the same song and select Create AAC version
    9. Note a new version of the song with the same name
    10. Right-click the new song and select Show in Windows Explorer
    11. Select the AAC version of the song and press the F2 key to rename the file
    12. Rename the file extension from *.m4a to *.m4r
    13. Close the Windows Explorer window
    14. Right-click the new song and select Delete
    15. Left click the File menu and select Add File to Library
    16. Browse to the file, select it and Click Open
    17. Finally sync your iPhone

    10/01/2009

    How to set the Linux date and time from the command prompt


    Note: This is a repost of an old website page. It has just been moved here as a blog post.

    The Linux machine maintains two dates and times. The first, like all other personal computers, is kept on the hardware; this is sometimes referred to as the Basic Input and Output System (BIOS) or Complementary Metal Oxide Semiconductor (CMOS) clock. The second date and time reference is maintained by the operating system, and is updated from the hardware clock during boot-up. The latter is often referred to as the system clock and the former is usually known as the hardware clock. During the Linux installation, the hardware clock is configured to be in either Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT).

    During boot-up the system clock is initialised with the date and time on the hardware clock. The advantage of maintaining time in UTC is that the Linux system will automatically account for daylight savings based on your timezone. The timezone information for the Linux box is configured via the /etc/localtime file.

    The man page for the hwclock command provides more detailed information on the time keeping features of Linux. The file /etc/localtime is a symbolic link to the timezone data found under the /usr/share/zoneinfo directory.

    1. To set the timezone, create the appropriate symbolic link
      • /bin/ln -sf ../usr/share/zoneinfo/Pacific/Fiji /etc/localtime
    2. To indicate to the system that UTC time is to be used, the configuration file /etc/sysconfig/clock needs to be edited so that it contains UTC=true. To use GMT, ensure that the file has UTC=false set.
      • /bin/vi /etc/sysconfig/clock
    3. To set the system clock, the date command may be used. To set the date and time, enter the following command with the month, day, hour, minute and seconds filled in. If UTC time is used then the -u, --utc or --universal switch must be used to set the time as UTC.
      • /bin/date MMDDhhmm.ss
    4. Once the system clock has been set, it can be used to re-initialise the hardware clock. Again if the UTC format is used then the -u or --utc switch must be used.
      • /sbin/hwclock --systohc
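    The two -u switches in steps 3 and 4 must agree with the UTC= line from step 2, or the hardware clock ends up offset by the timezone. The following added example (not part of the original post) reads that setting and prints the matching date and hwclock commands; the function names and the clock file passed in are assumptions, and the epoch-to-MMDDhhmm.ss conversion is done with the system's own date command.

```shell
#!/bin/sh
# Derive steps 3 and 4 from the UTC= setting in /etc/sysconfig/clock, so the
# -u switch is applied consistently to both the date and hwclock commands.
# The caller supplies the path of the clock file (normally /etc/sysconfig/clock).

# Print "true" when the clock file says UTC=true (quotes and case ignored),
# otherwise "false" (also when the line is missing altogether).
read_utc_setting() {
    value=$(sed -n 's/^UTC=//p' "$1" | tail -n 1 | tr -d '"' | tr 'A-Z' 'a-z')
    if [ "$value" = "true" ]; then echo true; else echo false; fi
}

# Convert an epoch second to the MMDDhhmm.ss form that "date" accepts,
# rendered in UTC or local time to match the clock file.
date_stamp() {
    epoch=$2
    if [ "$(read_utc_setting "$1")" = true ]; then flag=-u; else flag=; fi
    # GNU date understands -d @epoch; BSD date uses -r epoch.
    date $flag -d "@$epoch" +%m%d%H%M.%S 2>/dev/null \
        || date $flag -r "$epoch" +%m%d%H%M.%S
}

# The exact "date" command for step 3 (print only; nothing is changed).
date_set_command() {
    if [ "$(read_utc_setting "$1")" = true ]; then
        echo "/bin/date -u $(date_stamp "$1" "$2")"
    else
        echo "/bin/date $(date_stamp "$1" "$2")"
    fi
}

# The exact "hwclock" command for step 4 (print only; nothing is changed).
hwclock_sync_command() {
    if [ "$(read_utc_setting "$1")" = true ]; then
        echo "/sbin/hwclock --systohc --utc"
    else
        echo "/sbin/hwclock --systohc"
    fi
}
```

    Run the printed commands as root once they look right, e.g. "date_set_command /etc/sysconfig/clock 1262304000" for 2010-01-01 00:00:00 UTC.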

    References:

    1. Linux man page for date
    2. Linux man page for hwclock

    9/01/2009

    How to use PuTTY with keys for SSH authentication

    Note: This is a repost of an old website page. It has just been moved here as a blog post.


    PuTTY is a Windows Telnet and SSH client implementation. It's free and widely used. For more details you can visit the official site at http://www.chiark.greenend.org.uk/~sgtatham/putty/index.html. The instructions below provide details on the installation and configuration of PuTTY for authentication using keys.

    Locate the latest stable version of the PuTTY SSH client and install it on the client machine. At the time of writing, the latest stable version was 0.58. The PuTTY client can be downloaded from its homepage located at http://www.chiark.greenend.org.uk/~sgtatham/putty/

    The primary files required are PuTTY (putty.exe), the actual Telnet and SSH client, and PuTTYgen (puttygen.exe), the DSA and RSA key generation and import utility. You may choose to use the PuTTYgen utility to generate the key pair for you, or if you are using Linux then you may generate OpenSSH keys. These OpenSSH keys may be imported and used with PuTTY without too much problem. You may choose to generate DSA or RSA keys. RSA keys may be used with SSH versions 1 and 2, but DSA keys may only be used with version 2. As far as I can tell, other than the algorithms used, the only other performance difference between DSA and RSA is that RSA is slightly faster than DSA.


    1. If you were using OpenSSH to generate an RSA key pair on a Linux box
      • /usr/bin/ssh-keygen -t rsa
      • Then enter the location and name of the file to store the keys
      • Then enter the pass phrase to use and confirm it. Note that pass phrases cannot be recovered and the keys will have to be re-generated.
      • Finally note the fingerprint for future reference and secure the private key files.
    2. PuTTY only accepts PuTTY Private Key Files (*.PPK), so there is a need to convert the OpenSSH keys to PuTTY Keys. This is done using PuTTYgen
      • Start PuTTYgen
      • Select the Conversions menu
      • Select the Import keys menu item
      • Select the private key that was generated in the earlier step and specify the pass phrase that was used (if any)
      • Then save the converted private key file as a PPK file.
    3. The public keys generated will have to be saved into the ".ssh" directory within the user's home directory on the server. The keys would also have to be appended to the authorized_keys or authorized_keys2 file.
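    The server side of step 3 is where key logins most often fail silently: sshd ignores an authorized_keys file whose directory or file is group- or world-writable. The following added example (not part of the original page) installs one public-key line with the required permissions and without duplicating it; install_pubkey, count_keys and the sample key are assumptions.

```shell
#!/bin/sh
# Install one OpenSSH public-key line into a user's authorized_keys on the
# server, with the permissions sshd's default StrictModes requires, and
# without adding the same key twice.

nl='
'

install_pubkey() {
    pubkey_line=$1   # one line as ssh-keygen writes it to id_rsa.pub / id_dsa.pub
    home_dir=$2      # home directory of the account that will log in

    # Accept only a single RSA or DSA OpenSSH public-key line.
    case $pubkey_line in
        ssh-rsa\ *|ssh-dss\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac
    case $pubkey_line in
        *"$nl"*) echo "key must be a single line" >&2; return 1 ;;
    esac

    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # 700 on .ssh and 600 on authorized_keys: anything looser is ignored by sshd.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Idempotent: append only when this exact line is absent.
    if grep -qxF -- "$pubkey_line" "$auth_file"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$pubkey_line" >> "$auth_file"
    echo "added"
}

# Number of keys installed for the account, to confirm the step took effect.
count_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}
```

    Typical use on the server: install_pubkey "$(cat id_rsa.pub)" /home/alice, run as root or as alice.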


    Now PuTTY sessions may be started as normal and users specify the login name to use. There should be no need to enter a password to authenticate. However, if you are not using the PuTTY Authentication Agent, then you may be required to specify the pass phrase that was used to create the keys.

    References:
    1. http://www.chiark.greenend.org.uk/~sgtatham/putty/

    8/07/2009

    Slow Sony Ericsson P910i

    I bought a Sony Ericsson P910i a couple of years back in 2006. I was in desperate need of a smart phone as my PDA at the time had been stolen after my car got broken into. The phone runs a Symbian OS.

    After several years of abuse, the keypad gave up (buttons had to be really pressed in to function), and it finally slowed down to a crawl. Rebooting the phone took a couple of minutes at least. It was literally impossible to perform backups, etc. Even a master reset did not fix the problem; I formatted the phone and still had no luck. I finally gave up and consigned the phone to the pile of clutter on my desk in the study, and quickly forgot about it. This was around April of this year, 2009.

    Yesterday, I saw the phone again, and Googled for a solution. Basically I needed to get into Service mode and format the phone from there. To get into the Service mode (you can do this both with and without the keyboard) you need to enter the following sequence of key events:

    1. Jog dial up
    2. "*" key press
    3. Jog dial down
    4. Jog dial down
    5. "*" key press
    6. Jog dial down
    The service menu will then be displayed, with three options;

    1. Information
    2. Service tests
    3. Service functions
    The Information menu gives you information on various aspects of the phone and GSM network. The Service tests menu allows you to select phone functions, and finally the Service functions menu allows you to Format the internal disk.

    After formatting the disk, the phone will reboot, but this time it was much faster than the previous snail's pace performance. Thus once again the P910i is back in service and now I just need to get all the old software and contact details back on it.