Friday, December 6, 2013

Saving Acme Packet Configs using Rancid

No one has yet written a Rancid module for Acme Packet's (now Oracle's) Session Border Controllers (SBCs/SIP routers). I played around with it because I wanted a quick and easy way to diff Acme config revisions. This method works for me with SBCs running version 6.2 of the Acme software. It produces several errors at the top of the saved config, since the Cisco module tries to run a lot of commands the SBC doesn't understand, but the configuration itself still comes through.

1. I created an SSH key as the rancid user, with no passphrase (rancid runs unattended, so the private key sits unencrypted on disk; keep ~rancid/.ssh at mode 0700 and the key readable only by rancid):

/bin/su - rancid -c "ssh-keygen -b 2048 -t rsa"

2. I created an SSH-key-based user on the SBCs (I have an HA pair, so I did this on the primary), using the public key I created in step one (i.e., ~rancid/.ssh/id_rsa.pub). Just remember that the format is very strict: it is the RFC 4716 layout, and you should match, more or less, the example below. The Comment: header goes at the beginning of the block, not at the end of the line as in the OpenSSH one-line format.

ssh-pub-key import authorized-key rancid

IMPORTANT:
       Please paste SSH public key in the format defined in RFC 4716.
       Terminate the key with ";" to exit.......

---- BEGIN SSH2 PUBLIC KEY ----
Comment: My rancid user's public key
AAAAB3NzaC1yc2EAAAasdasdawdawdhZj07+93RKwx0RXcwaaadawdawdaefZuc6ePw+3G9jiZUcyxFb8Td9sc700HtZLN0CtezZKHsC+bJPp0oocb9ykAIzO9xs3vOs55aadwdad21d12fq==
---- END SSH2 PUBLIC KEY ----;

I usually create host file entries for rancid, as not all of the hosts are in dns, and some have multiple addresses. But, it's entirely up to you. The key format above is strict. Make sure there are no empty spaces at the end of lines. 


3. Modify .cloginrc and add the following (assuming your SBC is called mysbc1.myfqdn.local; the file must be mode 0600 or clogin will refuse to use it):


add password mysbc1.myfqdn.local noRealPasswordNecessaryJustFillThisInWithGarbage
add autoenable mysbc1.myfqdn.local 1
add user mysbc1.myfqdn.local rancid
add method mysbc1.myfqdn.local ssh

4. Log into the SBC once as the actual rancid user, so that the SBC's host key gets added to the rancid user's known_hosts file. Verify the fingerprint it shows you against the SBC before accepting it; otherwise rancid will trust whatever host was answering at the time.

5. add the SBC to the router.db for your particular environment:

mysbc1.myfqdn.local:cisco:up

6. Now, you should be all set. Run Rancid as you would normally. For instance, I have a colo called pac1:

/bin/su - rancid -c "/usr/local/rancid/bin/rancid-run pac1"
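The SBC's import prompt accepts only the RFC 4716 layout, and the usual way to get there is to retype the key by hand. The following script is an added example (not part of the original post, and not from the Rancid or Acme projects) that converts the one-line OpenSSH public key into that layout and then checks the result for the things the import rejects: wrong BEGIN/END lines, lines over 72 characters, trailing whitespace. The sample key it carries is a constructed placeholder, not a real key; the comment text is whatever you pass as the second argument.

```sh
#!/bin/sh
# Convert an OpenSSH one-line public key ("ssh-rsa AAAA... comment") into
# the RFC 4716 block the SBC's "ssh-pub-key import authorized-key" expects:
# BEGIN line, Comment: header first, base64 body folded at 72 columns (the
# RFC's limit), END line, and no trailing whitespace on any line.
# The ";" that terminates the paste is typed at the CLI, not part of the key.
to_rfc4716() {
    key_line=$1
    comment=$2
    # Field 2 is the base64 blob; anything after it is the OpenSSH comment.
    b64=$(printf '%s\n' "$key_line" | awk '{ print $2 }')
    if [ -z "$comment" ]; then
        comment=$(printf '%s\n' "$key_line" | awk '{ $1 = ""; $2 = ""; sub(/^ +/, ""); print }')
    fi
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----'
    if [ -n "$comment" ]; then
        printf 'Comment: %s\n' "$comment"
    fi
    printf '%s\n' "$b64" | fold -w 72
    printf '%s\n' '---- END SSH2 PUBLIC KEY ----'
}

# Read an RFC 4716 block on stdin and fail (exit 1) if the SBC would reject
# it: wrong BEGIN/END lines, a line over 72 characters, trailing whitespace.
check_rfc4716() {
    awk '
        BEGIN { bad = 0 }
        NR == 1 && $0 != "---- BEGIN SSH2 PUBLIC KEY ----" { bad = 1 }
        length($0) > 72 { bad = 1 }
        /[ \t]$/ { bad = 1 }
        { last = $0 }
        END { if (last != "---- END SSH2 PUBLIC KEY ----") bad = 1; exit bad }
    '
}

# Constructed placeholder (not a real key): an OpenSSH-style line whose
# base64 field is long enough to need folding.
SAMPLE_OPENSSH_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC$(printf 'MDEyMzQ1Njc4OWFi%.0s' 1 2 3 4 5 6 7 8 9 10)== rancid@collector"

# Real use: to_rfc4716 "$(cat ~rancid/.ssh/id_rsa.pub)" "My rancid user's public key"
```

Paste the output at the import prompt and follow the END line with the ; the SBC asks for. The checker is worth running on anything you pasted by hand, since an invisible trailing space is enough to make the import fail.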







Monday, November 25, 2013

Connecting to SQL Server 2005 Using Perl and DBI on RHEL/CentOS

I wasted a good bit of time getting this to work correctly. I had done it once before, years ago, but lost the script. Basically, I'm connecting using Perl's DBI (with ODBC) and FreeTDS.

My RPMs are (as of now):

rpm -qa | egrep -i '(freetds|odbc)'

freetds-0.91-2.el6.x86_64
perl-DBD-ODBC-1.23-1.el6.rf.x86_64
unixODBC-2.2.14-12.el6_3.x86_64



Basically:

1. install the appropriate RPMs

2. Edit /etc/freetds.conf and add each SQL Server DB server you want to connect to:

[mySQLServer1]
host = mysqlserver1s.hostname.or.ip.address
port = 1433
tds version = 7.0

[mySQLServer2]
host = mydbserver2.mydomain.com
port = 1433
tds version = 7.0

3. edit /etc/odbcinst.ini

[FreeTDS]
Driver  = /usr/lib64/libtdsodbc.so.0
Description = v7

4. Finally, edit /etc/odbc.ini and put in a stanza for each database you wish to connect to. You may have multiple DBs per database server/host

[mydb1]
Driver = FreeTDS
# ServerName corresponds to a stanza in /etc/freetds.conf - not an IP address or hostname
ServerName=mySQLServer1
# Port is optional, you can specify it in /etc/freetds.conf, instead
Port = 1433
#TDS Version is optional... you can specify it in /etc/freetds.conf, instead
Database = mydatabaseinstance

[mydb2]
Driver=FreeTDS
ServerName=mySQLServer1
Database=mydatabaseinstancetwo
# Here we have multiple DBs on the same server

[mydb3]
Driver=FreeTDS
ServerName=mySQLServer2
Database=yetanotherdbinstance

After all this, you can test your connectivity with isql:

isql -v mydb2 MYWINDOWSDOMAIN\\myuser MYPASSWORD

+---------------------------------------+
| Connected!                            |
|                                       |
| sql-statement                         |
| help [tablename]                      |
| quit                                  |
|                                       |
+---------------------------------------+
SQL>

As you can see, the first argument after the verbose flag is the stanza name from /etc/odbc.ini. Note that a password given on the command line ends up in your shell history and is visible to other users in the process list while isql runs, so use a throwaway test account or clear the history afterwards.
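The comments in the odbc.ini stanza above carry the rule that trips most people up: ServerName must name a stanza in freetds.conf, and Driver must name a stanza in odbcinst.ini, and isql's error messages don't tell you which of the two is wrong. As an added example (mine, not part of the original post and not unixODBC or FreeTDS code), this script checks both links across the three files before you try to connect. The sample files it writes are constructed for the demonstration; on a real host point it at /etc/odbc.ini, /etc/odbcinst.ini and /etc/freetds.conf.

```sh
#!/bin/sh
# check_odbc_chain ODBC_INI ODBCINST_INI FREETDS_CONF
# For every DSN stanza in odbc.ini, confirm that its Driver names a stanza
# in odbcinst.ini and its ServerName names a stanza in freetds.conf (a
# hostname or IP there is the classic mistake). Prints one line per broken
# reference and returns 1 if any were found.
check_odbc_chain() {
    awk '
        function stanza(s) { sub(/^[ \t]*\[/, "", s); sub(/\][ \t]*$/, "", s); return s }
        function value(s)  { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); return s }
        FNR == 1 { file++ }                      # 1 = odbc.ini, 2 = odbcinst.ini, 3 = freetds.conf
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }     # comments and blank lines
        /^[ \t]*\[/ {
            cur = stanza($0)
            if (file == 2) driver[cur] = 1
            if (file == 3) server[cur] = 1
            next
        }
        file == 1 && tolower($0) ~ /^[ \t]*driver[ \t]*=/     { want_driver[cur] = value($0) }
        file == 1 && tolower($0) ~ /^[ \t]*servername[ \t]*=/ { want_server[cur] = value($0) }
        END {
            bad = 0
            for (d in want_driver) if (!(want_driver[d] in driver)) {
                printf "[%s]: Driver \"%s\" has no stanza in odbcinst.ini\n", d, want_driver[d]; bad = 1
            }
            for (d in want_server) if (!(want_server[d] in server)) {
                printf "[%s]: ServerName \"%s\" has no stanza in freetds.conf\n", d, want_server[d]; bad = 1
            }
            exit bad
        }
    ' "$1" "$2" "$3"
}

# Constructed sample files: mydb2 points at a server that freetds.conf
# does not define, which is exactly the error the check should catch.
write_sample_odbc() {
    printf '[FreeTDS]\nDriver = /usr/lib64/libtdsodbc.so.0\nDescription = v7\n' > "$1/odbcinst.ini"
    printf '[mySQLServer1]\nhost = db1.example.internal\nport = 1433\ntds version = 7.0\n' > "$1/freetds.conf"
    cat > "$1/odbc.ini" <<'EOF'
[mydb1]
Driver = FreeTDS
# ServerName is a freetds.conf stanza, not a hostname
ServerName=mySQLServer1
Database = mydatabaseinstance

[mydb2]
Driver=FreeTDS
ServerName = mySQLServer2
Database=yetanotherdbinstance
EOF
}
```

Run it as check_odbc_chain /etc/odbc.ini /etc/odbcinst.ini /etc/freetds.conf; a clean exit means every DSN resolves through to a FreeTDS server entry, and only then is an isql failure worth chasing as a credential or network problem.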

Here's the connection info for Perl:

#!/usr/bin/perl -w
use strict;
use DBI;

# $dsn corresponds to the relevant stanza in /etc/odbc.ini
my $dsn  = "mydb1";
# single quote marks remove the need to escape the "\"
my $user = 'MYWINDOWSDOMAIN\user';
# keep this out of the script in practice: read it from a mode-0600 file or the environment
my $pass = "myBigDifficultPassword";

my $dbh = DBI->connect("dbi:ODBC:$dsn", $user, $pass, { RaiseError => 1, PrintError => 0 })
      or die "Cannot connect to DB $dsn: $DBI::errstr\n\n";

# Trivial round trip to prove the session works; single quotes so Perl
# does not try to interpolate @@VERSION as an array.
my ($version) = $dbh->selectrow_array('SELECT @@VERSION');
print "$version\n";
$dbh->disconnect;






Thursday, October 31, 2013

OSSEC Agent Installation on RedHat Enterprise and/or CentOS

I consider a HIDS to be one of the most important security systems in a network. It's very important to know if someone is attempting to brute-force their way into one of your servers, but if the attacker breaks in, it's even more important to know what changed. While log monitors and tools like Splunk can detect the former, they're not designed to note changes in binaries. That's where a HIDS (Host-based Intrusion Detection System) comes into play. One of the most popular is OSSEC. It's open source and free to deploy. It notes troublesome issues in the logs (like login failures) and can even take proactive measures, such as blocking an attacking host by manipulating the firewall (OSSEC calls this active response).

OSSEC works on Windows and various flavors of Unix and Linux, and can also collect from network devices such as switches, routers, and firewalls. It can run stand-alone or report to a master server.

Agent installation on RHEL/CentOS

1. Install the Atomic Yum repo. Note that sudo takes a command, not a quoted pipeline, so the whole pipeline in quotes does not work; the root shell has to be on the right-hand side. Also, this fetches a script over plain HTTP and runs it as root, so download it and read it first if that bothers you:

wget -q -O - http://www.atomicorp.com/installers/atomic | sudo sh

2. Install the EPEL repo (epel-release is a noarch package, so the i386 path serves 64-bit hosts too):

If RHEL 5/CentOS 5,

sudo rpm -ivh http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

If RHEL 6/CentOS 6,

sudo rpm -ivh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

3. Install the RPMs from yum (should be about 4 RPMs or so):

sudo yum -y install ossec-hids-client

3a. (optional) Disable the Yum repos for Atomic and EPEL (the two files spell the key differently, with and without spaces, so match either form):

sudo sed -i -e 's/^enabled *= *1/enabled=0/' /etc/yum.repos.d/atomic.repo
sudo sed -i -e 's/^enabled *= *1/enabled=0/' /etc/yum.repos.d/epel.repo

4. You'll need to set your server (if you even have a central OSSEC server) in the agent's configuration file, /var/ossec/etc/ossec.conf, and restart the agent afterwards.

5. (optional) Open the firewall for the agent/server traffic. Agents initiate the connection to the server on UDP 1514, so this rule is what the server host needs; on an agent whose INPUT chain already accepts ESTABLISHED/RELATED traffic it isn't required. Either way, restrict it to the peers you expect instead of accepting from anywhere (192.0.2.0/24 stands in for your agents' network):

sudo iptables -A INPUT -s 192.0.2.0/24 -p udp --dport 1514 -j ACCEPT

That's basically it. It's most definitely worth reading up on the documentation, and you should definitely run OSSEC in alert-only mode for a while before enabling active response, since a false positive there blocks real hosts.
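Step 4 above leaves out the actual edit. As an added example (not part of the original post, and not OSSEC project code), here is a script that sets the server-ip element of an agent's ossec.conf and reads it back. It refuses anything that isn't digits and dots, so a stray shell metacharacter can't end up inside the config, replaces an existing server-ip if there is one, and otherwise inserts a client block before the closing ossec_config tag. The config path and server address are assumptions, and the sample config it writes is constructed for the demonstration; on a real agent the file is /var/ossec/etc/ossec.conf.

```sh
#!/bin/sh
# Read the agent's configured server address back out of an ossec.conf.
ossec_server_ip() {
    sed -n 's|.*<server-ip>\([^<]*\)</server-ip>.*|\1|p' "$1" | head -n 1
}

# set_ossec_server CONF IP
# Point the agent at the central server. If a <server-ip> element already
# exists its value is replaced; otherwise a <client> block is inserted
# before the closing </ossec_config>. The address is restricted to digits
# and dots so nothing else can be injected into the config file.
set_ossec_server() {
    conf=$1
    ip=$2
    case $ip in
        ''|*[!0-9.]*)
            echo "set_ossec_server: '$ip' is not an IPv4 address" >&2
            return 1 ;;
    esac
    tmp="$conf.tmp.$$"
    if grep -q '<server-ip>' "$conf"; then
        sed "s|<server-ip>[^<]*</server-ip>|<server-ip>$ip</server-ip>|" "$conf" > "$tmp"
    else
        awk -v ip="$ip" '
            /<\/ossec_config>/ && !done {
                print "  <client>"
                print "    <server-ip>" ip "</server-ip>"
                print "  </client>"
                done = 1
            }
            { print }
        ' "$conf" > "$tmp"
    fi
    mv "$tmp" "$conf"
}

# Constructed sample of a freshly installed agent config (no <client> block yet).
write_sample_ossec_conf() {
    cat > "$1" <<'EOF'
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
  </syscheck>
</ossec_config>
EOF
}

# Real use: set_ossec_server /var/ossec/etc/ossec.conf 10.0.0.5
```

After the edit, restart the agent with /var/ossec/bin/ossec-control restart and check that ossec_server_ip returns what you expect. The same element accepts a hostname via server-hostname instead of server-ip if you would rather not hard-code the address.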


 


 
  

Tuesday, September 24, 2013

Cisco AP1141N (Aironet 1140 series) Access Point With 3 SSIDs and VLANs

N.B. The Cisco AP1141 access point will be end of life very soon

I had a scenario recently where I had to set up one of these access points to service three different SSIDs with one VLAN per SSID - with two SSIDs using WPA personal and the third un-encrypted.
Each SSID/VLAN was on a subnet with a DHCP server, so I did not need to use DHCP pools or DHCP relay on the access point.

Here's the config I came up with (I'm skipping the non-relevant configuration) - note that the single gigabit interface on this access point was plugged into a Dell PowerConnect 3448P PoE switch in a trunk port with 501 set to the native vlan (switchport trunk native vlan 501)

SSID1 = myssid1 running on VLAN 501 (bridge group 1)
SSID2 = myssid2 running on VLAN 601 (bridge group 60)
SSID3 = myssid3 running on VLAN 701  (bridge group 70)

! Build the first SSID on VLAN 501
dot11 ssid myssid1
   vlan 501
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 myReallyComplexKeyHere
!
! SSID 2 - this SSID has no encryption
dot11 ssid myssid2
   vlan 601
   authentication open
   mbssid guest-mode
!
! SSID 3 - WPA again, on VLAN 701
dot11 ssid myssid3
   vlan 701
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 myReallyReallyComplexKey
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 501 mode ciphers aes-ccm
 !
 encryption vlan 701 mode ciphers aes-ccm
 !
 ssid myssid1
 !
 ssid myssid2
 !
 ssid myssid3
 !
 antenna gain 0
 ! We need to broadcast multiple SSIDs
 mbssid
 station-role root


! now the interfaces, remember that VLAN 501 is the native VLAN on the trunk port on
! the switch

interface Dot11Radio0.501
 encapsulation dot1Q 501 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.601
 encapsulation dot1Q 601
 no ip route-cache
 bridge-group 60
!
interface Dot11Radio0.701
 encapsulation dot1Q 701
 no ip route-cache
 bridge-group 70

! remember, no IP for the actual ethernet interface. Save the IP for the BVI interface
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive

! here's our native VLAN 501, untagged - myssid1
interface GigabitEthernet0.501
 encapsulation dot1Q 501 native
 no ip route-cache
 bridge-group 1
! and here is myssid2
interface GigabitEthernet0.601
 encapsulation dot1Q 601
 no ip route-cache
 bridge-group 60
! and now, myssid3
interface GigabitEthernet0.701
 encapsulation dot1Q 701
 no ip route-cache
 bridge-group 70

! Now, we set the management address:

interface BVI1
 ip address 10.1.1.240 255.255.255.0
 no shut


That's basically it. I highly recommend testing by isolating this on a stand-alone switch: plug a DHCP server into another port in access mode, switch VLANs on that port, and see if your wireless devices get a DHCP address. Two things to keep in mind: the wpa-psk ascii 0 lines take the passphrase in the clear and IOS stores it only with the reversible type-7 encoding, so treat configuration backups as secrets; and because BVI1 sits in bridge group 1, the management address lives on VLAN 501 together with myssid1's clients, so restrict management access (or use a separate management VLAN) if those clients shouldn't be able to reach it. Of course, you may want to enable more complex authentication methods.
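One added example, mine rather than Cisco's or the original post's: a lint script that reads an autonomous-AP config in the layout above and flags the mistakes that produce a silently broken SSID. It checks that every dot11 ssid has a radio and an Ethernet subinterface for its VLAN, that the bridge-group is the same on both sides, that each encapsulation matches the SSID's VLAN, that the native tag is set on both sides or neither, that a WPA SSID's VLAN has a cipher suite on the radio, and that every SSID is actually bound under the radio interface. The sample config it writes is a constructed, trimmed copy of the one above with placeholder PSKs; the second argument to sample_config deliberately breaks the 701 bridge-group so the failure case can be shown.

```sh
#!/bin/sh
# lint_ap_config FILE
# Cross-check dot11 ssid blocks against the radio and Ethernet subinterfaces.
# Prints one line per problem and returns 1 if any were found.
lint_ap_config() {
    awk '
        function err(m) { print m; bad = 1 }
        BEGIN { bad = 0 }
        /^dot11 ssid /  { ssid = $3; iface = ""; next }
        /^interface /   { iface = $2; ssid = ""; next }
        /^[^ \t]/       { ssid = ""; iface = ""; next }   # any other top-level line ends the block
        ssid != "" && $1 == "vlan"                    { vlan_of[ssid] = $2; next }
        ssid != "" && /key-management wpa/            { wpa[ssid] = 1; next }
        iface == "Dot11Radio0" && $1 == "encryption" && $2 == "vlan" { cipher[$3] = 1; next }
        iface == "Dot11Radio0" && $1 == "ssid"        { bound[$2] = 1; next }
        iface ~ /\./ && $1 == "encapsulation"         { encap[iface] = $3; if ($4 == "native") native[iface] = 1; next }
        iface ~ /\./ && $1 == "bridge-group"          { bg[iface] = $2; next }
        END {
            for (s in vlan_of) {
                v = vlan_of[s]; r = "Dot11Radio0." v; e = "GigabitEthernet0." v
                if (!(s in bound))                err(s ": not bound with an ssid line under interface Dot11Radio0")
                if ((s in wpa) && !(v in cipher)) err(s ": WPA on vlan " v " but no encryption vlan " v " ciphers on the radio")
                if (!(r in bg))                   err(s ": missing subinterface " r " or its bridge-group")
                if (!(e in bg))                   err(s ": missing subinterface " e " or its bridge-group")
                if ((r in bg) && (e in bg) && bg[r] != bg[e])
                    err(s ": bridge-group differs between " r " (" bg[r] ") and " e " (" bg[e] ")")
                if ((r in encap) && encap[r] != v) err(r ": encapsulation " encap[r] " does not match vlan " v)
                if ((e in encap) && encap[e] != v) err(e ": encapsulation " encap[e] " does not match vlan " v)
                if ((r in native) != (e in native)) err(s ": native tag set on only one side of vlan " v)
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample in the layout above (placeholder PSKs). The optional
# second argument overrides the bridge-group on GigabitEthernet0.701.
sample_config() {
    cat > "$1" <<EOF
dot11 ssid myssid1
   vlan 501
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 placeholder-psk-1
!
dot11 ssid myssid2
   vlan 601
   authentication open
!
dot11 ssid myssid3
   vlan 701
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 placeholder-psk-3
!
interface Dot11Radio0
 encryption vlan 501 mode ciphers aes-ccm
 encryption vlan 701 mode ciphers aes-ccm
 ssid myssid1
 ssid myssid2
 ssid myssid3
 mbssid
 station-role root
!
interface Dot11Radio0.501
 encapsulation dot1Q 501 native
 bridge-group 1
!
interface Dot11Radio0.601
 encapsulation dot1Q 601
 bridge-group 60
!
interface Dot11Radio0.701
 encapsulation dot1Q 701
 bridge-group 70
!
interface GigabitEthernet0.501
 encapsulation dot1Q 501 native
 bridge-group 1
!
interface GigabitEthernet0.601
 encapsulation dot1Q 601
 bridge-group 60
!
interface GigabitEthernet0.701
 encapsulation dot1Q 701
 bridge-group ${2:-70}
!
EOF
}
```

Feed it the output of show running-config saved to a file (the rancid archive from the first post is a convenient source) and it reports nothing on a consistent config; a bridge-group typo on one side is reported as "bridge-group differs between ...", which is the kind of mistake that otherwise shows up only as clients on one SSID never getting a DHCP lease.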


Wednesday, September 18, 2013

Restarting Remote Desktop on Windows 2003

N.B. This entry pertains to the two-session Remote Desktop for Administration instance that is enabled by allowing remote access in the System applet, not to a full Terminal Services deployment.

In order to do this, you really need to restart the Terminal Services service, but it will be grayed out. You'll need to kill the svchost.exe process that hosts TermService.

1. tasklist /svc | findstr /I termserv

(note the process ID of the entry above; tasklist /svc lists every service hosted by that svchost.exe on the same line, and killing the process takes all of them down, so only proceed if TermService is alone there or you're prepared to restart the others too)
an example output listing:

svchost.exe       8760  TermService

You'll need to forcefully kill the process with /F:

2. kill off the service using the PID above (in this instance, 8760 - your PID will vary!)

taskkill /F /PID 8760

3. Now, you can start it again:

net start TermService



Sunday, September 8, 2013

Enable SNMP Traps on VMware ESXi 5.x

1. Make sure you have the VMware vSphere CLI tools installed.

  - from the command prompt in the CLI tools directory, enable the SNMP service:

C:\Program Files (x86)\VMware\VMware vSphere CLI>vicfg-snmp.pl --server my.servername.or.ip --username root --enable

2. Set up a target (or two). The argument is target@port/community; v1/v2c traps carry the community string in the clear, so treat it as a shared secret and have the receiver accept traps only from your ESXi hosts:

C:\Program Files (x86)\VMware\VMware vSphere CLI>vicfg-snmp.pl --server my.servername.or.ip --username root -t mysnmptraptarget@162/snmptrapcommunity

3. Send a test trap:

C:\Program Files (x86)\VMware\VMware vSphere CLI>vicfg-snmp.pl --server my.servername.or.ip --username root --test

Setting Up an RPM Installed Java as the Primary Java in Rhel

1. Install the new Java.

2. Tell alternatives about it:

sudo alternatives --install /usr/bin/java java /usr/java/latest/bin/java 1

sudo alternatives --config java

and select /usr/java/latest/bin/java as the default java.

sudo alternatives --display java | head -3

should show the correct info.


Thursday, September 5, 2013

Errors Running yum on RedHat 5 Enterprise Server

I was updating some third party RPMs on some old servers and I received an error from yum that ended like this:

up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The certificate is expired. Please ensure you have the correct certificate and your system time is correct.

The host was no longer registered with RHN. Doing a yum info showed:


Loaded plugins: rhnplugin, security

My hunch was that the rhnplugin was causing the issue. The solution was to run yum like so:

yum --disableplugin=rhnplugin   update



Thursday, August 22, 2013

Cisco's Archive Command

I find the archive command to be very useful, not just for extracting files, but for creating copies of the IOS on one device (to copy to other devices.) You can copy single files over tftp, of course, but what do you do about a directory, with all the binaries and HTML files?


archive /create myarchive.tar name_of_directory_in_flash

So, I may do a 

dir flash:

and find something like


c1140-k9w7-mx.124-25d.JA

I'd create an archive called c1140-k9w7-mx.124-25d.JA.tar by doing this:

archive /create c1140-k9w7-mx.124-25d.JA.tar c1140-k9w7-mx.124-25d.JA

I can then do a

copy flash:c1140-k9w7-mx.124-25d.JA.tar tftp://my.ip.address.of.tftp.server/c1140-k9w7-mx.124-25d.JA.tar

TFTP has neither authentication nor integrity checking, so keep the TFTP server on a trusted management network and confirm the archive's size and hash on the receiving side before unpacking it on other devices.


Monday, August 12, 2013

VMware ESXi: Recovering from Accidental Changes to the Ethernet Address/VM uuid

I recently ran into an issue that presented itself in two forms:


Scenario 1: Moving a VM from Workstation to ESXi - MAC/uuid change

    In case 1, a VM was migrated from the VMware Workstation format to an ESXi 5.1 server. The conversion was done using VMware Converter. When you use Converter, you are not given the option to "move" the VM: the uuid and the MAC addresses for the interfaces are regenerated. I figured I could just paste the old MAC address into the ethernet configuration on ESXi using the manual setting. However, I discovered that VMware reserves the 00:0c:29 OUI for auto-generated addresses (manually assigned ones have to come from 00:50:56), and the VM would not start correctly in ESXi.

The solution is to modify the .vmx file for the VM on the ESXi server. I'd recommend copying the vmx file to an alternate name first (i.e., cp myVM.vmx myVM.vmx.backup). Do these changes at your own risk:


1. Shut down the VM

2. SSH to the ESXi server and find the vmx file in question (somewhere under /vmfs/volumes/name/of/vms/directory)

3. Edit the file and replace the following four (or more) lines with the equivalent values from the Workstation vmx file:


uuid.location = "56 2d af 08 59 0b 10 8c-78 9d 96 3d 9c 82 fe d4"
uuid.bios = "56 2d 92 33 47 3b 9e 16-e1 12 56 db 8f 32 4f 3f"
vc.uuid = "52 c3 f7 68 14 da 8f a4-16 a1 d1 54 07 85 f3 16"
ethernet0.generatedAddress = "00:0c:31:33:4a:3f"

You may have more than one ethernet interface, so change them all.

4. Remove the VM from the ESXi server's inventory (but do not remove it from Disk!), so that it will notice the change (this is done in configuration -> storage management, of course.)

5. Add it back to the machine's inventory

6. When you start it up now, it should have the same ethernet MAC addresses.

Scenario 2: Moving a VM by removing it from the inventory of one ESXi host to another ESXi host

    In this case, the VM was shut down. It resided on shared storage, so the other hypervisor head could see it. When importing it into the new machine, the person performing the operation chose "I copied it" instead of "I moved it."

This was more complex. The solution is very, very similar.


1. ssh to the new ESXi host

2. cd to the VM's directory

3. look for old log files and cat out the info you need (for instance, if the "copy" happened today, a log file from yesterday would suffice; ls -la vmware*.log)

4. Assuming the older log file is called vmware-1.log,

egrep "(generatedA|uuid)" vmware-1.log > mydata.txt

5. make a backup copy of the vmx file

6. look in the mydata.txt file and grab the data you need.

7. edit the vmx file and replace the appropriate lines from the current config with the config from the mydata.txt file. You'll need to strip the log timestamp and prefix from each line in mydata.txt, leaving just key = "value"

8. remove the VM from ESXi's inventory and re-add it, as in scenario 1.
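Steps 3 to 7 of the second scenario, as an added example (not from the original post, and not VMware code): one function pulls the identity keys out of an older vmware*.log, the other writes them back into the .vmx after saving a backup. It assumes the log echoes the VM's configuration dictionary as lines containing DICT followed by key = "value", which is how the sample log below is laid out; the sample log and vmx are constructed, with made-up UUIDs and a made-up MAC. Check your own log with grep before trusting the extraction on it.

```sh
#!/bin/sh
# extract_vmx_ids LOG
# Print the identity keys the VM had before the copy, as 'key = "value"'
# lines, taking the first occurrence of each key in the (older) log.
# Assumption: vmware.log echoes the config dictionary as
#   <timestamp>| vmx| I120: DICT   key = "value"
extract_vmx_ids() {
    awk '
        / DICT / {
            line = $0
            sub(/.* DICT[ \t]+/, "", line)           # drop timestamp and log prefix
            key = line
            sub(/[ \t]*=.*/, "", key)
            if (key ~ /^(uuid\.location|uuid\.bios|vc\.uuid|ethernet[0-9]+\.generatedAddress)$/ && !(key in seen)) {
                seen[key] = 1
                print line
            }
        }
    ' "$1"
}

# apply_vmx_ids VMX IDS
# Copy VMX to VMX.backup, then rewrite it with the lines from IDS replacing
# the same keys; keys missing from the vmx are appended so ESXi does not
# generate fresh ones on the next power-on.
apply_vmx_ids() {
    vmx=$1
    ids=$2
    cp "$vmx" "$vmx.backup"
    awk -v ids="$ids" '
        BEGIN {
            while ((getline l < ids) > 0) {
                k = l; sub(/[ \t]*=.*/, "", k)
                want[k] = l
            }
            close(ids)
        }
        {
            k = $0; sub(/[ \t]*=.*/, "", k)
            if (k in want) { print want[k]; done[k] = 1 } else print
        }
        END { for (k in want) if (!(k in done)) print want[k] }
    ' "$vmx.backup" > "$vmx"
}

# Constructed sample files: an older log carrying the original identity and
# a vmx that ESXi has already rewritten with new values (and no vc.uuid yet).
write_sample_vm() {
    cat > "$1/vmware-1.log" <<'EOF'
2013-08-11T09:00:00.000Z| vmx| I120: DICT        uuid.location = "56 4d 11 22 33 44 55 66-77 88 99 aa bb cc dd ee"
2013-08-11T09:00:00.000Z| vmx| I120: DICT            uuid.bios = "56 4d 11 22 33 44 55 66-77 88 99 aa bb cc dd ee"
2013-08-11T09:00:00.000Z| vmx| I120: DICT              vc.uuid = "52 aa bb cc dd ee ff 00-11 22 33 44 55 66 77 88"
2013-08-11T09:00:00.000Z| vmx| I120: DICT ethernet0.generatedAddress = "00:0c:29:aa:bb:cc"
2013-08-11T09:00:00.000Z| vmx| I120: DICT    ethernet0.addressType = "generated"
EOF
    cat > "$1/myVM.vmx" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
displayName = "myVM"
uuid.location = "56 4d 99 99 99 99 99 99-99 99 99 99 99 99 99 99"
uuid.bios = "56 4d 99 99 99 99 99 99-99 99 99 99 99 99 99 99"
ethernet0.generatedAddress = "00:0c:29:99:99:99"
EOF
}

# Real use, in the VM's directory on the ESXi host:
#   extract_vmx_ids vmware-1.log > mydata.txt
#   apply_vmx_ids myVM.vmx mydata.txt
```

Review mydata.txt before applying it: the first occurrence of each key in the older log is what the VM was running with, so an older log is exactly what you want, but if the log rolled after the copy you will be reading the new identity back in. Then remove the VM from inventory and re-add it as the post describes.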


Building Snort RPMs On CentOS 6.x x86_64

This was done on

You'll want epel, most likely - to pick up the libdnet dependencies for snort. (sudo rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm)


1. install the prerequisites:


sudo yum install -y pcre pcre-devel gcc flex byacc bison libxml2-devel kernel-devel libdnet libdnet-devel autoconf automake libpcap-devel rpm-build

2. install the source RPMs for daq and snort as an unprivileged user (never as root: the build scripts in the spec file run with the privileges of whoever builds, so verify the packages' GPG signatures before you install them)

3. This creates an rpmbuild directory in your home. Build daq first, since snort needs it:

rpmbuild -bb ~/rpmbuild/SPECS/daq.spec

4. Install the daq libraries you just built:

sudo rpm -ivh ~/rpmbuild/RPMS/x86_64/daq-*.rpm

5. Now, build snort:

rpmbuild -bb ~/rpmbuild/SPECS/snort.spec

6. Remove the daq package you installed in step 4, so the final install below starts clean from the packages you built:

sudo rpm -e daq

You should now have two packages in ~/rpmbuild/RPMS/x86_64 (daq and snort). You'll need to install both for Snort to function.

Thursday, August 8, 2013

Splunk CLI one-liners

1. list monitored files/directories:

  /opt/splunk/bin/splunk list monitor

2. remove a file/directory from monitoring/indexing:

/opt/splunk/bin/splunk remove monitor /path/to/file/or/dir

3. add a file for monitoring:

/opt/splunk/bin/splunk add monitor /var/log/httpd/access_log

4. add a oneshot file for indexing:

/opt/splunk/bin/splunk add oneshot /var/log/httpd/access_log

5. remove a oneshot file/directory from monitoring/indexing:

/opt/splunk/bin/splunk remove oneshot /path/to/file/or/dir

6. list forward servers (splunk servers this host forwards to):

/opt/splunk/bin/splunk list forward-server

Thursday, July 25, 2013

Moving MySQL's Data Directory on a New Install on Linux

It seems pretty simple on a new install. You can copy the files from /var/lib/mysql to the new location, preserving ownership and permissions (everything must stay owned by the mysql user). If you want to initialize it from scratch:

1. set up the datadir variable in /etc/my.cnf under [mysqld] like so:

[mysqld]
datadir           = /my/path/to/data/directory



2. You'll need to run the mysql_install_db perl script as the mysql user like so:

su - mysql -c "mysql_install_db --datadir=/my/path/to/data/directory"

or, if you have sudo configured:

sudo -u mysql mysql_install_db --datadir=/my/path/to/data/directory


2b. If you're using SELinux, copy the security contexts from /var/lib/mysql recursively like so:

chcon -R --reference=/var/lib/mysql /my/path/to/data/directory

Note that chcon survives only until the next filesystem relabel; to make the context permanent, record it for the new path with semanage fcontext and apply it with restorecon.



3. Now, you should be able to start MySQL from init or using the service command (on Red Hat based distributions). The init script is called mysql when MySQL came from Oracle's RPMs and mysqld when it came from the distribution's mysql-server package:

sudo /etc/init.d/mysql start

or

sudo /sbin/service mysql start
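As an added example (not from the original post, and not MySQL's own tooling): a check to run before starting the server. It reads the datadir from the [mysqld] section only, since [mysqld_safe] and other sections can carry their own paths, then confirms the directory exists, is owned by the service account, and is not world-writable. The my.cnf and directory it is run against here are constructed in a temporary location; on a real host point it at /etc/my.cnf with owner mysql.

```sh
#!/bin/sh
# mysql_datadir CNF
# Print the datadir set under [mysqld]; other sections ([mysqld_safe],
# [client], ...) are ignored so a stray datadir elsewhere cannot mislead us.
mysql_datadir() {
    awk -F= '
        /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
        in_mysqld && $1 ~ /^[ \t]*datadir[ \t]*$/ {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }
    ' "$1"
}

# check_datadir CNF OWNER
# Fail (exit 1, reason on stderr) unless the configured datadir exists,
# is owned by OWNER and is not writable by everyone. Ownership and mode
# are read from ls -ld so the check does not depend on a stat(1) flavour.
check_datadir() {
    cnf=$1
    owner=$2
    dir=$(mysql_datadir "$cnf")
    [ -n "$dir" ] || { echo "no datadir under [mysqld] in $cnf" >&2; return 1; }
    [ -d "$dir" ] || { echo "$dir does not exist; run mysql_install_db first" >&2; return 1; }
    listing=$(ls -ld "$dir")
    actual=$(printf '%s\n' "$listing" | awk '{ print $3 }')
    [ "$actual" = "$owner" ] || { echo "$dir is owned by $actual, expected $owner" >&2; return 1; }
    case $(printf '%s\n' "$listing" | cut -c9) in
        w) echo "$dir is world-writable" >&2; return 1 ;;
    esac
    return 0
}

# Constructed my.cnf with a decoy datadir outside [mysqld].
write_sample_my_cnf() {
    cat > "$1" <<EOF
[client]
socket = /tmp/mysql.sock

[mysqld_safe]
datadir = /wrong/path

[mysqld]
datadir = $2
socket = /tmp/mysql.sock
EOF
}

# Real use: check_datadir /etc/my.cnf mysql && sudo /sbin/service mysql start
```

If the ownership check fails after a copy, the files were copied without preserving ownership and the server will refuse to start or, worse, start with a datadir another account can write to.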




Monday, July 1, 2013

One Line Windows Touch Command (Windows 7, Windows 8, etc.)

I was looking around the web for an easy way to simulate the unix command touch - but I kept finding old variants that would not work past Windows ME. I worked with the FOR loop in batch scripting. Here's the version that works for me:

To set all CSV files to the current time:

for /F "usebackq delims=|"  %i in (`dir /B *.csv`) do copy %i /B+ ,,/Y

Note: to set a single file to the current date:

copy filename /B+ ,,/Y

A lot of sites suggested dir with no /B - but this doesn't work for me in Windows 8.

Of course, you can "touch" all files like so:

for /F "usebackq delims=|"  %i in (`dir /B *.*`) do copy %i /B+ ,,/Y



Monday, June 3, 2013

Adding Multiple IP Address to Network Interfaces in Windows 2008R2

In order to add a secondary (or tertiary, etc.) IPv4 address in Windows 2008 R2, you can use the usual GUI method. However, this creates addresses that register themselves in DNS, so you'll end up with multiple A records for the same hostname, which may not be what you want, especially if you're using SSL certificates on the host.

To get around this problem, do not add the additional IP addresses in the GUI. Use netsh from an elevated command prompt (cmd or PowerShell) and mark the address SkipAsSource, so it is neither used as the source address for outbound traffic nor registered in DNS:

netsh int ipv4 add address "Local Area Connection 2" 192.168.77.23 255.255.252.0 skipassource=true



Monday, May 13, 2013

Autofs direct maps for NFS mounts

I had a situation where I needed to automount an NFS share on the root level, i.e.,

mynfsserver:/data/nfsshar1 on /myNFSshare on a local NFS client.

In order to do this, I had to set up a direct map. In /etc/auto.master, I added:


/-      /etc/auto.direct

and then I created the file /etc/auto.direct with the following entry:

/myNFSshare         mynfsserver:/data/nfsshar1

I reloaded autofs and was then able to do a directory listing on the share. This works for RHEL 5 & 6 and CentOS 5 & 6.



Saturday, April 27, 2013

Java keytool quick tips

Creating a keystore from an SSL key and cert


To store an SSL key for Jetty or another Java-based web server, you usually use keytool. You'll first need to convert the key and certificate to PKCS#12 format (we're calling the output file jetty.pkcs12), assuming your key was generated with openssl or something similar and that you're in the same directory as the key files.

Convert mykey.key and mykey.crt to PKCS#12 format using openssl (I highly recommend using a passphrase on the export; openssl prompts for it):


openssl pkcs12 -inkey ./mykey.key -in ./mykey.crt -export -out ./jetty.pkcs12

Let's take that pkcs12 key and convert it into a Java keystore (we're calling the keystore mykeystore)

 


keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype pkcs12 -destkeystore mykeystore

Let's list the contents of this keystore:

keytool -list -keystore mykeystore


Add a CA certificate to the default Java CA cert keystore

Java keeps its own CA cert repository, which can be frustrating if you don't update Java on your server frequently. To add a new CA cert (let's assume you just bought an SSL cert online and your CA's certificates were created recently):

1. Find cacerts for your installation - note that many commercial java programs like to install their own java. If you're looking at the default java location, try:

find /usr -name cacerts

1b. If you're trying to find the cacerts for an application you installed, figure out where java is being called from:

ps wwaux | grep java

(you'll likely see a path for java - i.e., /opt/java/bin/java  or something similar)

Now, find the cacerts  
 find /opt -name cacerts

2. Add the CA cert to your cacerts file (the default cacerts password is "changeit"). keytool prints the certificate's fingerprint and asks for confirmation; compare it with what the CA publishes before answering yes, because every Java application using that JRE will trust this CA afterwards:

keytool -import -trustcacerts -alias MyCAsName -file /path/to/ca-certificate -keystore /path/to/cacerts