Sunday, April 29, 2007

Installing Java on Ubuntu Linux

Download the JRE (J2RE) or JDK (J2SDK) from:

Sun Java 1.5.0 for 32-bit x86 and AMD64

I got the JRE since I don't think I need the J2SDK.

Install java-package:
sudo apt-get install java-package

Create the Java deb package with make-jpkg
fakeroot make-jpkg jre-1_5_0_11-linux-i586.bin
ls *deb
sun-j2re1.5_1.5.0+update11_i386.deb

Install the Java deb package

sudo dpkg -i sun-j2re1.5_1.5.0+update11_i386.deb

Verify installation

java -version
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_11-b03)
Java HotSpot(TM) Client VM (build 1.5.0_11-b03, mixed mode, sharing)

Sunday, April 15, 2007

OpenNMS




These are the notes from my OpenNMS install on CentOS 4 (RHEL 4):

Install Guide referenced

java sdk
+-------
http://java.sun.com/j2se/1.4.2/install-linux.html
chmod a+x j2sdk-1_4_2_14-linux-i586-rpm.bin
./j2sdk-1_4_2_14-linux-i586-rpm.bin
sudo rpm -iv j2sdk-1_4_2_14-linux-i586.rpm

cleanup:
rm *.bin *.rpm


tomcat
+-----
http://tomcat.apache.org/download-41.cgi
wget http://apache.seekmeup.com/tomcat/tomcat-4/v4.1.36/bin/apache-tomcat-4.1.36.tar.gz
wget ftp://ftp.opennms.org/pub/dependencies/tomcat4/tomcat4-4.1.18-full.1jpp.noarch.rpm
wget ftp://ftp.opennms.org/pub/dependencies/tomcat4/tomcat4-webapps-4.1.18-full.1jpp.noarch.rpm

sudo rpm -iv tomcat4-4.1.18-full.1jpp.noarch.rpm

warning: tomcat4-4.1.18-full.1jpp.noarch.rpm: V3 DSA signature: NOKEY, key ID 307a10a5
Preparing packages for installation...
tomcat4-4.1.18-full.1jpp

Don't forget to setup vars in /etc/tomcat4/tomcat4.conf to
adapt the RPM to your configuration.
Also edit/create /etc/java/java.conf to define your default JDK

For security purposes, tomcat4 service is installed
but not activated by default.
use your service installer for such purposes
ie: ntsysv

sudo rpm -iv tomcat4-webapps-4.1.18-full.1jpp.noarch.rpm

warning: tomcat4-webapps-4.1.18-full.1jpp.noarch.rpm: V3 DSA signature: NOKEY, key ID 307a10a5
Preparing packages for installation...
tomcat4-webapps-4.1.18-full.1jpp

sudo vi /etc/tomcat4/tomcat4.conf

JAVA_HOME="/usr/java/j2sdk1.4.2_14"
TOMCAT_USER="root"


rrdtool
+-----
http://dag.wieers.com/rpm/packages/rrdtool/
wget http://dag.wieers.com/rpm/packages/rrdtool/rrdtool-1.0.50-3.el4.rf.i386.rpm
sudo rpm -iv rrdtool-1.0.50-3.el4.rf.i386.rpm


postgresql
+--------
http://www.postgresql.org/
yum install postgresql-server

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
postgresql-server i386 7.4.16-1.RHEL4.1 update 3.0 M
Installing for dependencies:
postgresql i386 7.4.16-1.RHEL4.1 update 2.0 M
postgresql-libs i386 7.4.16-1.RHEL4.1 update 147 k


[root@netjitsu02 ~]# service postgresql start
Initializing database: [ OK ]
Starting postgresql service: [ OK ]

vi /var/lib/pgsql/data/postgresql.conf
tcpip_socket = true
max_connections = 256
shared_buffers = 1024

vi /var/lib/pgsql/data/pg_hba.conf
local all all trust
host all all 127.0.0.1 255.255.255.255 trust

service postgresql restart


curl
+---
installed:
[root@netjitsu02 ~]# rpm -q curl
curl-7.12.1-8.rhel4


opennms
+-------
wget http://superb-east.dl.sourceforge.net/sourceforge/opennms/opennms-1.2.9-1_rhl9.i386.rpm
wget http://superb-east.dl.sourceforge.net/sourceforge/opennms/opennms-docs-1.2.9-1_rhl9.i386.rpm
wget http://superb-east.dl.sourceforge.net/sourceforge/opennms/opennms-webapp-1.2.9-1_rhl9.i386.rpm

rpm -iv opennms-1.2.9-1_rhl9.i386.rpm
warning: opennms-1.2.9-1_rhl9.i386.rpm: V3 DSA signature: NOKEY, key ID 4c4cbbd9
Preparing packages for installation...
opennms-1.2.9-1_rhl9
- moving *.sql.rpmnew files (if any)... done
- checking for old update files... done

*** Installation complete. You must still run the installer and
*** make a few other changes before you start OpenNMS. See the
*** install guide and release notes for details.

rpm -iv opennms-docs-1.2.9-1_rhl9.i386.rpm
warning: opennms-docs-1.2.9-1_rhl9.i386.rpm: V3 DSA signature: NOKEY, key ID 4c4cbbd9
Preparing packages for installation...
opennms-docs-1.2.9-1_rhl9

rpm -iv opennms-webapp-1.2.9-1_rhl9.i386.rpm
warning: opennms-webapp-1.2.9-1_rhl9.i386.rpm: V3 DSA signature: NOKEY, key ID 4c4cbbd9
Preparing packages for installation...
opennms-webapp-1.2.9-1_rhl9


Installer
+--------
/opt/OpenNMS/bin/runjava -s
runjava: Looking for an appropriate JRE...
runjava: Checking for an appropriate JRE in JAVA_HOME...
runjava: skipping... JAVA_HOME not set
runjava: Checking JRE in user's path: "/usr/bin/java"...
runjava: /usr/bin/java is GNU gcj, which is not supported
runjava: did not find an appropriate JRE in user's path: "/usr/bin/java"
runjava: searching for a good JRE...
runjava: found a good JRE in "/usr/java/j2sdk1.4.2_14/bin/java"
runjava: value of "/usr/java/j2sdk1.4.2_14/bin/java" stored in configuration file

/opt/OpenNMS/bin/runjava -S "/usr/java/j2sdk1.4.2_14/bin/java"
runjava: checking specified JRE: "/usr/java/j2sdk1.4.2_14/bin/java"...
runjava: specified JRE is good.
runjava: value of "/usr/java/j2sdk1.4.2_14/bin/java" stored in configuration file


Run the Installer to Setup the PostgreSQL Database
+-------------------------------------------------
/opt/OpenNMS/bin/install -disU
==============================================================================
OpenNMS Installer Version $Id: Installer.java 3056 2006-03-26 19:39:16Z djgregor $
==============================================================================

Configures PostgreSQL tables, users, and other miscellaneous settings.

- checking database version... 7.4
- Full version string: PostgreSQL 7.4.16 on i686-redhat-linux-gnu, compiled by GCC gcc (GCC) 3.4.6 20060404 (Red Hat 3.4.6-3)
* using 'opennms' as the PostgreSQL user for OpenNMS
* using 'opennms' as the PostgreSQL password for OpenNMS
* using 'opennms' as the PostgreSQL database name for OpenNMS
- using SQL directory... /opt/OpenNMS/etc
- using create.sql... /opt/OpenNMS/etc/create.sql
- using iplike module... /opt/OpenNMS/lib/iplike.so
- checking database for old backup tables... NONE
- checking for rows that violate constraints... NONE
- creating tables...
- checking table "serverMap"... CREATED
- checking table "serviceMap"... CREATED
- checking table "distPoller"... CREATED
- checking table "node"... CREATED
- checking table "ipInterface"... CREATED
- checking table "snmpInterface"... CREATED
- checking table "service"... CREATED
- checking table "ifServices"... CREATED
- checking table "events"... CREATED
- checking table "outages"... CREATED
- checking table "vulnerabilities"... CREATED
- checking table "vulnPlugins"... CREATED
- checking table "notifications"... CREATED
- checking table "usersNotified"... CREATED
- checking table "assets"... CREATED
- creating tables... DONE
- creating sequences...
- checking "nodeNxtId" minimum value... 1
- removing sequence "nodeNxtId"... CLEAN
- creating sequence "nodeNxtId"... OK
- checking "serviceNxtId" minimum value... 1
- removing sequence "serviceNxtId"... CLEAN
- creating sequence "serviceNxtId"... OK
- checking "eventsNxtId" minimum value... 1
- removing sequence "eventsNxtId"... CLEAN
- creating sequence "eventsNxtId"... OK
- checking "outageNxtId" minimum value... 1
- removing sequence "outageNxtId"... CLEAN
- creating sequence "outageNxtId"... OK
- checking "notifyNxtId" minimum value... 1
- removing sequence "notifyNxtId"... CLEAN
- creating sequence "notifyNxtId"... OK
- checking "vulnNxtId" minimum value... 1
- removing sequence "vulnNxtId"... CLEAN
- creating sequence "vulnNxtId"... OK
- creating sequences... DONE
- creating indexes...
- creating index "server_name_idx"... OK
- creating index "servicemap_name_idx"... OK
- creating index "serviceMap_ipaddr_idx"... OK
- creating index "node_id_type_idx"... OK
- creating index "node_label_idx"... OK
- creating index "ipinterface_nodeid_ipaddr_ismanaged_idx"... OK
- creating index "ipinterface_ipaddr_ismanaged_idx"... OK
- creating index "ipinterface_ipaddr_idx"... OK
- creating index "ipinterface_nodeid_ismanaged_idx"... OK
- creating index "ipinterface_nodeid_idx"... OK
- creating index "snmpinterface_nodeid_ifindex_idx"... OK
- creating index "snmpinterface_nodeid_idx"... OK
- creating index "snmpinterface_ipaddr_idx"... OK
- creating index "ifservices_nodeid_ipaddr_status"... OK
- creating index "ifservices_nodeid_status"... OK
- creating index "ifservices_nodeid_idx"... OK
- creating index "ifservices_serviceid_idx"... OK
- creating index "ifservices_nodeid_serviceid_idx"... OK
- creating index "events_uei_idx"... OK
- creating index "events_nodeid_idx"... OK
- creating index "events_ipaddr_idx"... OK
- creating index "events_serviceid_idx"... OK
- creating index "events_time_idx"... OK
- creating index "events_severity_idx"... OK
- creating index "events_log_idx"... OK
- creating index "events_display_idx"... OK
- creating index "events_ackuser_idx"... OK
- creating index "events_acktime_idx"... OK
- creating index "outages_svclostid_idx"... OK
- creating index "outages_svcregainedid_idx"... OK
- creating index "outages_nodeid_idx"... OK
- creating index "outages_ipaddr_idx"... OK
- creating index "outages_serviceid_idx"... OK
- creating index "outages_regainedservice_idx"... OK
- creating index "vulnerabilities_nodeid_idx"... OK
- creating index "vulnerabilities_ipaddr_idx"... OK
- creating index "vulnerabilities_severity_idx"... OK
- creating index "vulnerabilities_port_idx"... OK
- creating index "vulnerabilities_protocol_idx"... OK
- creating index "vulnplugins_plugin_idx"... OK
- creating index "notifications_ipaddr_idx"... OK
- creating index "notifications_serviceid_idx"... OK
- creating index "notifications_eventid_idx"... OK
- creating index "notifications_respondtime_idx"... OK
- creating index "notifications_answeredby_idx"... OK
- creating index "userid_notifyid_idx"... OK
- creating indexes... DONE
- inserting initial table data for "distPoller"... OK
- checking if database "opennms" is unicode... ALREADY UNICODE
- checking for stale iplike references... CLEAN
- checking for stale eventtime.so references... CLEAN
- adding iplike database function... OK
- adding PL/pgSQL call handler... OK
- adding PL/pgSQL language module... OK
- adding stored procedures...
- getManagePercentAvailIntfWindow.sql... OK
- getManagedOutageForIntfInWindow.sql... OK
- getOutageTimeInWindow.sql... OK
- getManagedServiceCountForIntf.sql... OK
- getManagedOutageForNodeInWindow.sql... OK
- getManagedServiceCountForNode.sql... OK
- getPercentAvailabilityInWindow.sql... OK
- getManagePercentAvailNodeWindow.sql... OK

Installer completed successfully!


Run the Installer to Setup the Web Application
+---------------------------------------------

format:
# $OPENNMS_HOME/bin/install -y -w $CATALINA_HOME/webapps -W $CATALINA_HOME/server/lib
/opt/OpenNMS/bin/install -y -w /var/tomcat4/webapps -W /var/tomcat4/server/lib
==============================================================================
OpenNMS Installer Version $Id: Installer.java 3056 2006-03-26 19:39:16Z djgregor $
==============================================================================

Configures PostgreSQL tables, users, and other miscellaneous settings.

* using 'opennms' as the PostgreSQL user for OpenNMS
* using 'opennms' as the PostgreSQL password for OpenNMS
* using 'opennms' as the PostgreSQL database name for OpenNMS
- using Top-level web application directory... /var/tomcat4/webapps
- using Tomcat server library directory... /var/tomcat4/server/lib
- using OpenNMS webapps directory... /opt/OpenNMS/webapps
- Checking for old opennms webapp directory in /var/tomcat4/webapps/opennms... OK
- Checking for old opennms context in /var/tomcat4/webapps/../conf/server.xml... OK
- Install OpenNMS webapp...
- creating link to /var/tomcat4/webapps/opennms.xml... DONE
- creating link to /var/tomcat4/server/lib/log4j.jar... DONE
- creating link to /var/tomcat4/server/lib/castor-0.9.3.9.jar... DONE
- creating link to /var/tomcat4/server/lib/castor-0.9.3.9-xml.jar... DONE
- creating link to /var/tomcat4/server/lib/opennms_core.jar... DONE
- creating link to /var/tomcat4/server/lib/opennms_services.jar... DONE
- creating link to /var/tomcat4/server/lib/opennms_web.jar... DONE
- Installing OpenNMS webapp... DONE

Installer completed successfully!


Configure Discovery
+------------------
vi /opt/OpenNMS/etc/discovery-configuration.xml


Start PostgreSQL, Tomcat4, and OpenNMS
+-------------------------------------
service postgresql start
service tomcat4 start
service opennms start

opennms -v status
OpenNMS.Eventd : running
OpenNMS.Trapd : running
OpenNMS.Dhcpd : running
OpenNMS.Actiond : running
OpenNMS.Capsd : running
OpenNMS.Notifd : running
OpenNMS.Scriptd : running
OpenNMS.Rtcd : running
OpenNMS.Pollerd : running
OpenNMS.Collectd : running
OpenNMS.Threshd : running
OpenNMS.Discovery : running
OpenNMS.Vacuumd : running
opennms is running

chkconfig --add opennms
chkconfig --list opennms
chkconfig opennms on
chkconfig --list opennms
opennms 0:off 1:off 2:on 3:on 4:on 5:on 6:off


Login to the web application
+---------------------------

http://216.65.220.75:8080/opennms/
admin:admin

Wednesday, April 11, 2007

Like your company logo?


Answer: Probably not as much as Mitchell Baker does.

Friday, February 16, 2007

VMware & Samba on Linux

VMware:

sudo apt-get install xinetd
sudo apt-get install libX11-dev
sudo apt-get install xlibs-dev

tar -xzvf VMware-server-1.0.2-39867.tar.gz
cd vmware-server-distrib/
sudo ./vmware-install.pl

Client Install:
unzip VMware-server-linux-client-1.0.2-39867.zip
tar -xzvf VMware-server-console-1.0.2-39867.tar.gz
cd vmware-server-console-distrib/
sudo ./vmware-install.pl

Made it so the VMware console (port 902) does not listen on all interfaces:
sudo vi /etc/xinetd.d/vmware-authd

bind = 127.0.0.1

I did not enable host-only networking during install. To reconfigure VMware server:

sudo /usr/bin/vmware-config.pl

My important settings:

Would you prefer to modify your existing networking configuration using the
wizard or the editor? (wizard/editor/help) [wizard] editor

The following virtual networks have been defined:

. vmnet0 is bridged to eth0
. vmnet1 is a host-only network on private subnet 172.16.173.0.
. vmnet2 is bridged to eth1

In which directory do you want to keep your virtual machine files?
[/var/lib/vmware/Virtual Machines] /data/vm


Samba:

sudo apt-get install samba

Add samba user:
sudo smbpasswd -a dustin


/etc/samba/smb.conf:

workgroup = NETJITSU
interfaces = vmnet1
writable = yes
path = /data/

Samba will not listen on anything other than my host-only network.

For some reason my changes did not take effect upon Samba restart. A manual stop then start did it:

sudo /etc/init.d/samba stop
sudo /etc/init.d/samba start
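One caveat on the interfaces line, as an added check that is not part of the original post: smbd only confines its listening sockets to the addresses in the interfaces list when bind interfaces only = yes is also set; otherwise it still binds every address. The script below tests an smb.conf for that, using a constructed copy of the posted config and a corrected one:

```shell
#!/bin/sh
# Added example, not from the original post. Samba restricts its listening
# sockets to the addresses named in "interfaces" only when
# "bind interfaces only = yes" is also set; without it, smbd still binds
# every address and "interfaces" mainly steers nmbd/browsing. Both configs
# below are constructed samples: the first mirrors the snippet above (with
# a share header added), the second adds the missing parameter.

SMB_CONF_AS_POSTED='[global]
workgroup = NETJITSU
interfaces = vmnet1
[data]
writable = yes
path = /data/'

SMB_CONF_FIXED='[global]
workgroup = NETJITSU
interfaces = vmnet1
bind interfaces only = yes
[data]
writable = yes
path = /data/'

# smb_param CONF_TEXT NAME -> prints the value of parameter NAME from the
# [global] section (names are case-insensitive), or nothing if it is unset.
smb_param() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "$1" | awk -v want="$want" '
        /^[ \t]*[#;]/ { next }                        # comment line
        /^[ \t]*\[/   { insect = tolower($0); next }  # section header
        index($0, "=") && insect ~ /\[global\]/ {
            name = tolower($0); sub(/=.*/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == want) {
                val = $0; sub(/^[^=]*=/, "", val)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }'
}

# smb_restricts_listeners CONF_TEXT -> exit 0 when smbd will bind only the
# listed interfaces, 1 otherwise; prints a one-line verdict.
smb_restricts_listeners() {
    ifaces=$(smb_param "$1" interfaces)
    bio=$(smb_param "$1" "bind interfaces only" | tr '[:upper:]' '[:lower:]')
    if [ -z "$ifaces" ]; then
        echo "no 'interfaces' list: smbd binds all addresses"
        return 1
    fi
    case $bio in
        yes|true|1)
            echo "smbd bound to: $ifaces"
            return 0 ;;
        *)
            echo "'interfaces = $ifaces' set but 'bind interfaces only' is not yes: smbd still binds all addresses"
            return 1 ;;
    esac
}

# Demonstration on both samples when run directly.
for conf in "$SMB_CONF_AS_POSTED" "$SMB_CONF_FIXED"; do
    smb_restricts_listeners "$conf" || :
done
```

Run it against the live file with smb_restricts_listeners "$(cat /etc/samba/smb.conf)", and confirm with netstat -ln that port 445/139 is bound only to the vmnet1 address.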

Thursday, February 15, 2007

Alphabet Soup



After over a year of putting it off due to my overall contempt for certifications in general, I took and passed the CISSP exam. I came to the realization that no matter how disrespected this certification is by the top security researchers, it remains a prerequisite for many security jobs. Just run a search on any job site for "CISSP", and there will no doubt be a ton of results. So here are a couple of notes regarding the process and the exam.

I utilized just one book to prepare, the CISSP All-in-One Exam Guide, Third Edition by Shon Harris. Note that outside of specifically studying for this exam, I've read many books, papers, blogs, etc. on various security topics.

In addition to the book, I tackled a large number of practice questions using the amazing and free cccure.org. I believe this aspect really prepared me for the actual test. I took a bunch of practice tests, more than 100 questions per domain for every domain, then researched what I missed. I kept taking tests until my average was 80%+.

Regarding the test, I was expecting it to be much worse. In fact, I breezed through the first 100 questions and knew that if the rest of the questions were like that, I was home free. For the most part they were, and after just over 2 hours out of the allotted 6, I was done.

Friday, February 09, 2007

Cisco IOS Display Bug

Last night, while logged into a router deployed at the network edge, I noticed an uninvited guest:

br02#sh users
Line User Host(s) Idle Location
1 vty 0 idle 00:00:01 201.63.40.18
2 vty 1 root idle 00:00:02 201.63.40.18

What's this, a root login to a Cisco router? I was pretty sure a root login did not exist in our AAA server, but I checked the TACACS log just to verify. No unauthorized logins there. Where is this login coming from?

whois 201.63.40.18 [Querying whois.lacnic.net] [Redirected to whois.registro.br]
inetnum: 201.63.40.16/29
aut-num: AS10429
abuse-c: STE21
owner: Acoplast Indústria e Comércio Ltda
ownerid: 061.344.578/0001-50
responsible: Josiel Augusto Morosi
owner-c: JAM651
tech-c: JAM651
created: 20060830
changed: 20060830
inetnum-up: 201.63/16

nic-hdl-br: JAM651
person: JOSIEL AUGUSTO MOROSI
e-mail: josiel@acoplast.com.br

We definitely don't have any engineers in Brazil. Could this be a covert channel or an exploit of a recent bug?

I quickly opened a case, and received the following response:

A display bug exists in earlier versions of IOS where a user connecting to the SSH or telnet port will display as logged in while connected even if they have not successfully authenticated. You can verify if this is the case on your device if you enter a login and do not authenticate successfully, then do a "show user". This should display your "rogue" connection as a connected user.

I am not currently aware of a BugID for this issue.


As these are most likely brute-force attempts, an access-list applied to the VTY lines should mitigate them. Were the crackers in Brazil restless last night?

Monday, January 22, 2007

Migration to Linux - Disk Encryption


I've been using TrueCrypt on Windows for my disk encryption needs for a while now, and chose it in part due to its multi-platform capabilities. Now that I'm dual-booting between Windows XP and Ubuntu (although rarely switching back to Windows), I needed a way to access the same encrypted disk from both OSes. Fortunately, TrueCrypt exceeds my needs.

I downloaded the package for my Linux distribution (Ubuntu), installed the dmsetup dependency, then truecrypt:
apt-get install dmsetup
dpkg -i truecrypt_4.2a-0_i386.deb

Create the directory where I want my encrypted disk mounted:
sudo mkdir /media/crypt

At this point it works, but I would have to mount the encrypted disk via sudo, which gives the permissions to root. My user id needs read and write access, so I need to make sure the setuid bit is set on the truecrypt binary:
chmod u+s /usr/bin/truecrypt

All good, now I can mount the encrypted disk file located on my mounted NTFS partition:
truecrypt -u /media/ntfs/crypt /media/crypt

Sunday, January 21, 2007

Custom domain with Blogger


I came across this nice feature Blogger provides:

If you don't care to have blogspot.com in your blog's address, though, you can get a domain of your own. We'll continue to host all your content as before, but it will be displayed at your new address.

So all I did was add a DNS CNAME pointing blog.netjitsu.net to ghs.google.com and modify the Blogger publishing settings.

Now this blog can be accessed via: http://blog.netjitsu.net

Wednesday, January 17, 2007

Apple vulnerabilities will eclipse the number of Vista vulnerabilities.


I found this somewhat-recent quote by Thomas Ptacek particularly memorable:

"Apple has announced some of these changes already. But, by this time in 2008, the number of OS-native, default-install Apple vulnerabilities will eclipse the number of Vista vulnerabilities. Despite whatever hardening features Darwin and XCode add, there will be more exploitable Apple vulnerabilities announced in 2007 than will be announced for Windows XP SP2."

From Predictions 2007: Ptacek vs. Lawson

Friday, January 12, 2007

Migration to Linux - Cisco VPN Client


The Cisco VPN Client: definitely a necessary tool for most workstations. More detailed instructions can be found here. This was my install process:

Make sure I have the kernel headers:
dustin@dustino:~$ uname -r
dustin@beulah:~$ ls /usr/src/linux-headers-2.6.17-10-generic/
arch block crypto drivers firmware fs include init ipc kernel lib Makefile mm modules Module.symvers net scripts security sound usr

Looks good. (Note: the documentation linked above includes patching and compiling (make); I found this unnecessary.)
dustin@dustino:~/cisco_vpn/vpnclient$ sudo ./vpn_install
Password:
Cisco Systems VPN Client Version 4.8.00 (0490) Linux Installer
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.

By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with
its terms.


Directory where binaries will be installed [/usr/local/bin]

Automatically start the VPN service at boot time [yes]

In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.


Directory containing linux kernel source code [/lib/modules/2.6.17-10-generic/build]

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.6.17-10-generic/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.6.17-10-generic/build" will be used to build the module.

Is the above correct [y]

Making module
make -C /lib/modules/2.6.17-10-generic/build SUBDIRS=/home/dustin/cisco_vpn/vpnclient modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.17-10-generic'
Building modules, stage 2.
MODPOST
WARNING: /home/dustin/cisco_vpn/vpnclient/cisco_ipsec.o - Section mismatch: reference to .init.text: from .data between 'interceptor_dev' (at offset 0xb4) and 'interceptor_notifier'
WARNING: could not find /home/dustin/cisco_vpn/vpnclient/.libdriver.so.cmd for /home/dustin/cisco_vpn/vpnclient/libdriver.so
make[1]: Leaving directory `/usr/src/linux-headers-2.6.17-10-generic'
Create module directory "/lib/modules/2.6.17-10-generic/CiscoVPN".
Copying module to directory "/lib/modules/2.6.17-10-generic/CiscoVPN".
Already have group 'bin'

Creating start/stop script "/etc/init.d/vpnclient_init".
/etc/init.d/vpnclient_init
Enabling start/stop script for run level 3,4 and 5.
Creating global config /etc/opt/cisco-vpnclient

Installing license.txt (VPN Client license) in "/opt/cisco-vpnclient/":

Installing bundled user profiles in "/etc/opt/cisco-vpnclient/Profiles/":
* New Profiles : sample

Copying binaries to directory "/opt/cisco-vpnclient/bin".
Adding symlinks to "/usr/local/bin".
/opt/cisco-vpnclient/bin/vpnclient
/opt/cisco-vpnclient/bin/cisco_cert_mgr
/opt/cisco-vpnclient/bin/ipseclog
Copying setuid binaries to directory "/opt/cisco-vpnclient/bin".
/opt/cisco-vpnclient/bin/cvpnd
Copying libraries to directory "/opt/cisco-vpnclient/lib".
/opt/cisco-vpnclient/lib/libvpnapi.so
Copying header files to directory "/opt/cisco-vpnclient/include".
/opt/cisco-vpnclient/include/vpnapi.h

Setting permissions.
/opt/cisco-vpnclient/bin/cvpnd (setuid root)
/opt/cisco-vpnclient (group bin readable)
/etc/opt/cisco-vpnclient (group bin readable)
/etc/opt/cisco-vpnclient/Profiles (group bin readable)
/etc/opt/cisco-vpnclient/Certificates (group bin readable)
* You may wish to change these permissions to restrict access to root.
* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.

Sometimes a manual start of the VPN kernel module is required, as this error shows:

Could not attach to driver. Is kernel module loaded?
The application was unable to communicate with the VPN sub-system.

dustin@dustino:~$ /etc/init.d/vpnclient_init start

Next, I copied my existing PCF files into:

/etc/opt/cisco-vpnclient/Profiles

Then modified permissions on each PCF file:
dustin@dustino:~$ chmod o+rw /etc/opt/cisco-vpnclient/Profiles/*

That's it, now I can establish a tunnel:
dustin@dustino:~$ sudo /usr/local/bin/vpnclient connect work_vpn

Now, what if you want to create a new profile? First copy an existing pcf, then edit it:
[main]
Description=
Host=VPN.NET
AuthType=1
GroupName=VPNGROUP
GroupPwd=
enc_GroupPwd=C475174D2582A73B30FB9F647285460BE94339E0AFDD9ADC06F1504284521FE34B723FC29D7C0955F82DBA2152DB5F06D854CB12A0F56B4D

Modify Host and GroupName, clear the encrypted password after "enc_GroupPwd=", and put the new group password after "GroupPwd=". Like so:
[main]
Description=
Host=TEST.VPN.NET
AuthType=1
GroupName=VPNTESTGROUP
GroupPwd=NEWPASS
enc_GroupPwd=

Now, connect using the new profile:
dustin@beulah:~$ sudo /usr/local/bin/vpnclient connect test

Then disconnect, and check the profile. Notice that the group password is now encrypted:
[main]
Description=
Host=TEST.VPN.NET
AuthType=1
GroupName=VPNTESTGROUP
GroupPwd=NEWPASS
enc_GroupPwd=xxxxx
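The profile-editing steps above, as an added shell helper that is not part of the original post. The template is a copy of the sample profile shown above; TEST.VPN.NET, VPNTESTGROUP and NEWPASS are the same placeholder values used above, and the helper assumes, as in the post, that the client is run as root via sudo, so the new profile can be left readable by root only:

```shell
#!/bin/sh
# Added example, not from the original post: derive a new Cisco VPN Client
# profile from an existing .pcf without hand-editing it. The template is a
# constructed copy of the sample above; TEST.VPN.NET, VPNTESTGROUP and
# NEWPASS are placeholders. Assumes, as in the post, that the client is
# run as root (sudo vpnclient ...), so the profile can be root-only.

TEMPLATE_PCF='[main]
Description=
Host=VPN.NET
AuthType=1
GroupName=VPNGROUP
GroupPwd=
enc_GroupPwd=C475174D2582A73B30FB9F647285460BE94339E0AFDD9ADC06F1504284521FE34B723FC29D7C0955F82DBA2152DB5F06D854CB12A0F56B4D'

# new_profile TEMPLATE OUT HOST GROUP GROUPPWD
# Copies TEMPLATE to OUT, rewriting Host and GroupName, placing the
# cleartext group password in GroupPwd and clearing enc_GroupPwd so the
# client encrypts it on the first connect. Every other line is kept as-is
# (a read loop is used instead of sed so passwords with '&' or '|' survive).
new_profile() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            Host=*)         line="Host=$3" ;;
            GroupName=*)    line="GroupName=$4" ;;
            GroupPwd=*)     line="GroupPwd=$5" ;;
            enc_GroupPwd=*) line="enc_GroupPwd=" ;;
        esac
        printf '%s\n' "$line"
    done < "$1" > "$2"
    # OUT holds a cleartext secret until the client rewrites it: root only.
    chmod 600 "$2"
}

# pcf_value FILE KEY -> prints KEY's value (empty if the key has no value);
# exit status 1 when the key is absent from the file.
pcf_value() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$2"=*) printf '%s\n' "${line#*=}"; return 0 ;;
        esac
    done < "$1"
    return 1
}

# Demonstration when run as "sh this.sh demo": build test.pcf from the template.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$TEMPLATE_PCF" > work_vpn.pcf
    new_profile work_vpn.pcf test.pcf TEST.VPN.NET VPNTESTGROUP NEWPASS
    cat test.pcf
fi
```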

Migration to Linux


I've been using Linux & BSD now for a few years, but mostly on the server side, not as a desktop OS. Sure, I've tried multiple flavors (Fedora, CentOS), but for one reason or another Windows remained the primary OS. I decided to give it a shot again, this time with Ubuntu on my IBM R51.

I prepared my laptop by using a partition manager to resize an existing NTFS partition (d:), making way for 10GB I'd dedicate to Ubuntu. Install was a snap and I liked the fact that the install CD doubles as a LiveCD which can be used to first validate hardware compatibility.
dustin@beulah:~$ cat /etc/issue
Ubuntu 6.10 \n \l

I was very surprised to see that Ubuntu detected and installed the Intel Pro/Wireless 2200BG NIC.
dustin@beulah:~$ lspci | grep 2200
02:02.0 Network controller: Intel Corporation PRO/Wireless 2200BG Network Connection (rev 05)

dustin@beulah:~$ grep 2200 /var/log/messages
Jan 13 18:17:22 beulah kernel: [17179586.448000] ipw2200: Intel(R) PRO/Wireless 2200/2915 Network Driver, 1.1.2kmprq
Jan 13 18:17:22 beulah kernel: [17179586.448000] ipw2200: Copyright(c) 2003-2006 Intel Corporation

The kernel module is loaded:
dustin@beulah:~$ sudo lsmod | grep ipw
ipw2200 115652 0
ieee80211 35272 1 ipw2200

Here's the partition table listing:
dustin@beulah:~$ sudo fdisk -l
Password:

Disk /dev/hda: 60.0 GB, 60011642880 bytes
255 heads, 63 sectors/track, 7296 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

Device Boot Start End Blocks Id System
/dev/hda1 * 1 2550 20480008+ 7 HPFS/NTFS
Partition 1 does not end on cylinder boundary.
/dev/hda2 2550 7295 38117016+ f W95 Ext'd (LBA)
/dev/hda5 2550 6021 27881248+ 7 HPFS/NTFS
/dev/hda6 6022 7104 8699166 83 Linux
/dev/hda7 7105 7295 1534176 82 Linux swap / Solaris

One of the first things to do is update:

+ sudo apt-get update
+ sudo apt-get upgrade


The partition I want to share (/dev/hda5) between both OS's is currently formatted in NTFS. Not too long ago, this was a no-go.
sudo mkdir /media/ntfs
sudo vi /etc/fstab:

/dev/hda5 /media/hda5 ntfs nls=iso8859-1,umask=000,uid=dustin 0 0

But that only gives me read only access. The Ubuntu Wiki reveals that I need ntfs-3g:
sudo apt-get install ntfs-3g

Replace the previous line in /etc/fstab with:
/dev/hda5 /media/ntfs ntfs-3g defaults,locale=en_US.utf8,uid=dustin 0 0

sudo umount -a && sudo mount -a

All better, now I can read and write to my NTFS partition in Linux.

Note: GUI tools for managing partitions and mounts:

- gparted: GNOME Partition Editor
- pysdm: Storage Device Manager

To install: sudo apt-get install gparted pysdm

to be continued...

Thursday, January 11, 2007

Traffic analysis with Argus and Tcpdump


I recently performed some incident response using Argus for a customer who has been experiencing random site outages. With limited tools at my disposal besides a well known and somewhat useless IPS, I turned to Argus to get some insight into the traffic hitting their site. Provided to me was a libpcap file captured during an "attack" with Ethereal.

Since the capture file is so large and would take a considerable amount of time to transfer over my slow DSL connection, I decided to install Argus on a customer-provided system. After installation, I generate Argus records from the pcap file:
argus -r cap.lpc -w /nsm/argus/cap.arg

Now that Argus data has been generated directly from the libpcap file, the ra (argus-client) tools can be used to work with the data.

Let's see the pairs of top talkers:
ramon -M Matrix -n -r cap.arg > argus_oldcap_top-pairs

24 Oct 06 15:22:26 212.243.221.227 1.1.1.2 10285 18722 583232 26384262
24 Oct 06 15:21:59 204.102.114.38 1.1.1.2 10460 18439 643850 25374248
24 Oct 06 15:21:58 206.167.78.12 1.1.1.2 8774 14051 609206 18376660
24 Oct 06 15:21:58 69.45.79.3 1.1.1.2 7877 9613 578814 11140600
24 Oct 06 15:22:00 84.53.134.34 1.1.1.2 6160 8243 505782 9621784
24 Oct 06 15:22:01 209.124.184.139 1.1.1.2 5454 8042 382142 10334766
24 Oct 06 15:21:58 128.220.254.131 1.1.1.2 6063 7197 388688 9576128
24 Oct 06 15:21:59 69.45.79.12 1.1.1.2 5777 7025 441117 7876808
24 Oct 06 15:22:00 192.91.244.226 1.1.1.2 4508 7607 266368 10625268

[root@fs3 fs3]# whois 212.243.221.227
inetnum: 212.243.221.194 - 212.243.221.255
netname: AKAMAI-NET
descr: Akamai Technologies Inc.
descr: 02139 Cambridge, MA 02139
...truncated...

The customer happens to utilize Akamai services. It's interesting that they occupy most of the top 10 talker spots during the "attack" window.
Now just top talkers:
ramon -M TopN -n -r cap.arg > argus_oldcap_top-talkers

24 Oct 06 15:21:58 1.1.1.2 241882 586948 20058262 654973106
24 Oct 06 15:21:58 204.102.114.38 18565 10583 25533978 650492
24 Oct 06 15:22:26 212.243.221.227 18722 10285 26384262 583232
24 Oct 06 15:21:58 206.167.78.12 14261 8932 18661924 617738
24 Oct 06 15:21:58 69.45.79.3 9693 7953 11245064 582918
24 Oct 06 15:22:00 84.53.134.34 8503 6320 9985540 514422
24 Oct 06 15:21:58 69.45.79.12 7882 6475 9020638 478809
24 Oct 06 15:21:59 209.124.184.139 8378 5644 10796882 392402
24 Oct 06 15:21:58 128.220.254.131 7485 6303 9980156 401648
24 Oct 06 15:22:00 192.91.244.226 7607 4508 10625268 266368
24 Oct 06 15:21:58 199.77.203.3 6799 5250 8301021 394010
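An added example, not from the original post, that post-processes the ramon -M Matrix records shown above (embedded here as a constructed sample) to rank the server's peers by bytes sent to them and to check whether a top talker is receiving full-size data packets, which is what distinguishes the CDN page fetches seen here from a flood of small packets:

```shell
#!/bin/sh
# Added example, not from the original post: post-process "ramon -M Matrix"
# records to answer two triage questions: which peers the web server sent
# the most bytes to, and whether those bytes look like real downloads
# (packets near the MSS) or like a flood of header-only packets (tens of
# bytes each). MATRIX_SAMPLE is a constructed copy of the output above, one
# record per line: day month year time src dst srcpkts dstpkts srcbytes dstbytes.
# Records that are not exactly 10 fields (e.g. wrapped lines) are skipped.

MATRIX_SAMPLE='24 Oct 06 15:22:26 212.243.221.227 1.1.1.2 10285 18722 583232 26384262
24 Oct 06 15:21:59 204.102.114.38 1.1.1.2 10460 18439 643850 25374248
24 Oct 06 15:21:58 206.167.78.12 1.1.1.2 8774 14051 609206 18376660
24 Oct 06 15:21:58 69.45.79.3 1.1.1.2 7877 9613 578814 11140600
24 Oct 06 15:22:00 84.53.134.34 1.1.1.2 6160 8243 505782 9621784
24 Oct 06 15:22:01 209.124.184.139 1.1.1.2 5454 8042 382142 10334766
24 Oct 06 15:21:58 128.220.254.131 1.1.1.2 6063 7197 388688 9576128
24 Oct 06 15:21:59 69.45.79.12 1.1.1.2 5777 7025 441117 7876808
24 Oct 06 15:22:00 192.91.244.226 1.1.1.2 4508 7607 266368 10625268'

# rank_by_dstbytes [N]: reads Matrix records on stdin and prints the top N
# (default 10) source addresses as "src dstbytes percent_of_total",
# largest first.
rank_by_dstbytes() {
    awk 'NF == 10 { rx[$5] += $10; total += $10 }
         END { for (s in rx) printf "%s %d %.1f\n", s, rx[s], 100 * rx[s] / total }' |
        sort -k2,2nr | head -n "${1:-10}"
}

# avg_dst_bytes_per_pkt SRC: reads Matrix records on stdin and prints the
# mean size (integer bytes) of the packets the server sent to SRC.
avg_dst_bytes_per_pkt() {
    awk -v src="$1" 'NF == 10 && $5 == src { pk += $8; by += $10 }
                     END { if (pk > 0) print int(by / pk) }'
}

# Demonstration on the embedded sample; on a live system feed the functions
# with: ramon -M Matrix -n -r cap.arg | rank_by_dstbytes 10
printf '%s\n' "$MATRIX_SAMPLE" | rank_by_dstbytes 3
printf '%s\n' "$MATRIX_SAMPLE" | avg_dst_bytes_per_pkt 212.243.221.227
```

For the top peer the server averages about 1409 bytes per packet sent, i.e. full data segments, consistent with a cache fetching pages rather than a packet flood.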

Lets look at the full conversations for one of the top talkers:
ra -n -r cap.arg -L0 host 212.243.221.227

StartTime Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State
24 Oct 06 15:22:26 * tcp 212.243.221.227.49629 -> 1.1.1.2.http 74 94 4910 119750 FIN
24 Oct 06 15:22:30 * tcp 212.243.221.227.49714 -> 1.1.1.2.http 36 38 3142 38738 FIN
24 Oct 06 15:22:32 * tcp 212.243.221.227.49745 -> 1.1.1.2.http 14 16 1944 5810 FIN
24 Oct 06 15:22:33 * tcp 212.243.221.227.49760 -> 1.1.1.2.http 12 14 1828 2322 FIN
24 Oct 06 15:22:33 * tcp 212.243.221.227.49761 -> 1.1.1.2.http 20 22 2244 17518 FIN
24 Oct 06 15:22:33 * tcp 212.243.221.227.49766 -> 1.1.1.2.http 14 16 1934 9144 FIN
24 Oct 06 15:22:33 * tcp 212.243.221.227.49771 -> 1.1.1.2.http 12 14 1822 2344 FIN
24 Oct 06 15:22:35 * tcp 212.243.221.227.49799 -> 1.1.1.2.http 14 16 1924 5256 FIN
24 Oct 06 15:22:35 * tcp 212.243.221.227.49800 -> 1.1.1.2.http 14 14 1944 1512 FIN
24 Oct 06 15:22:35 * tcp 212.243.221.227.49804 -> 1.1.1.2.http 14 16 1924 5288 FIN
24 Oct 06 15:22:35 * tcp 212.243.221.227.49806 -> 1.1.1.2.http 14 16 1924 5606 FIN
24 Oct 06 15:22:35 * tcp 212.243.221.227.49808 -> 1.1.1.2.http 14 16 1924 6508 FIN
24 Oct 06 15:22:35 * tcp 212.243.221.227.49811 -> 1.1.1.2.http 14 16 1924 6840 FIN
24 Oct 06 15:22:35 * tcp 212.243.221.227.49818 -> 1.1.1.2.http 22 24 2356 18910 FIN
24 Oct 06 15:22:35 * tcp 212.243.221.227.49820 -> 1.1.1.2.http 48 50 3760 56432 FIN
24 Oct 06 15:22:36 * tcp 212.243.221.227.49828 -> 1.1.1.2.http 12 14 1820 2258 FIN
24 Oct 06 15:22:36 * tcp 212.243.221.227.49830 -> 1.1.1.2.http 12 14 1816 2198 FIN
24 Oct 06 15:22:36 * tcp 212.243.221.227.49831 -> 1.1.1.2.http 12 14 1824 3236 FIN
24 Oct 06 15:22:36 * tcp 212.243.221.227.49833 -> 1.1.1.2.http 14 16 1924 6228 FIN
24 Oct 06 15:22:36 * tcp 212.243.221.227.49836 -> 1.1.1.2.http 12 14 1832 2526 FIN
24 Oct 06 15:23:10 * tcp 212.243.221.227.50165 -> 1.1.1.2.http 12 14 2172 1466 FIN
24 Oct 06 15:23:10 * tcp 212.243.221.227.50169 -> 1.1.1.2.http 56 60 4568 69956 FIN
24 Oct 06 15:23:21 * tcp 212.243.221.227.50274 -> 1.1.1.2.http 9819 18194 531772 25994416 CON

We can look deeper into this traffic using tcpdump with a BPF filter:
tcpdump -n -r cap.lpc -X -c 5 src 212.243.221.227

14:22:26.074184 212.243.221.227.49629 > 1.1.1.2.http: S 157012009:157012009(0) win 5840 (DF)
0x0000 4500 003c 05fb 4000 3406 78be d4f3 dde3 E..<..@.4.x.....
0x0010 aae0 6a4b c1dd 0050 095b d029 0000 0000 ..jK...P.[.)....
0x0020 a002 16d0 42a4 0000 0204 05b4 0402 080a ....B...........
0x0030 b507 d5d2 0000 0000 0103 0303 ............
14:22:26.074186 212.243.221.227.49629 > 1.1.1.2.http: S 157012009:157012009(0) win 5840 (DF)
0x0000 4500 003c 05fb 4000 3406 78be d4f3 dde3 E..<..@.4.x.....
0x0010 aae0 6a4b c1dd 0050 095b d029 0000 0000 ..jK...P.[.)....
0x0020 a002 16d0 42a4 0000 0204 05b4 0402 080a ....B...........
0x0030 b507 d5d2 0000 0000 0103 0303 ............
14:22:26.176200 212.243.221.227.49629 > 1.1.1.2.http: . ack 1017734966 win 5840 (DF)
0x0000 4500 0028 05fc 4000 3406 78d1 d4f3 dde3 E..(..@.4.x.....
0x0010 aae0 6a4b c1dd 0050 095b d02a 3ca9 6736 ..jK...P.[.*<.g6
0x0020 5010 16d0 916e 0000 0000 0000 0000 P....n........
14:22:26.176203 212.243.221.227.49629 > 1.1.1.2.http: . ack 1 win 5840 (DF)
0x0000 4500 0028 05fc 4000 3406 78d1 d4f3 dde3 E..(..@.4.x.....
0x0010 aae0 6a4b c1dd 0050 095b d02a 3ca9 6736 ..jK...P.[.*<.g6
0x0020 5010 16d0 916e 0000 0000 0000 0000 P....n........
14:22:26.176355 212.243.221.227.49629 > 1.1.1.2.http: P 0:437(437) ack 1 win 5840 (DF)
0x0000 4500 01dd 05fd 4000 3406 771b d4f3 dde3 E.....@.4.w.....
0x0010 aae0 6a4b c1dd 0050 095b d02a 3ca9 6736 ..jK...P.[.*<.g6
0x0020 5018 16d0 cfb9 0000 4745 5420 2f66 6f63 P.......GET./foc
0x0030 7573 2f72 6e61 692f 696e 6465 782e 6874 us/rnai/index.ht
0x0040 6d6c 2048 5454 502f 312e 310d 0a41 6363 ml.HTTP/1.1..Acc
0x0050 6570 743a 202a 2f2a 0d0a 5265 6665 7265 ept:.*/*..Refere
0x0060 723a 2068 7474 703a 2f2f 7363 6965 6e63 r:.http://scienc
0x0070 652e 6f72 662e 6174 2f73 6369 656e 6365 e.orf.at/science
0x0080 2f6e 6577 732f 3134 3538 3433 0d0a 4163 /news/145843..Ac
0x0090 6365 7074 2d4c 616e 6775 6167 653a 2064 cept-Language:.d
0x00a0 652d 6368 0d0a 5445 3a20 2063 6875 6e6b e-ch..TE:..chunk
0x00b0 6564 3b71 3d31 2e30 0d0a 436f 6e6e 6563 ed;q=1.0..Connec
0x00c0 7469 6f6e 3a20 5445 0d0a 4163 6365 7074 tion:.TE..Accept
0x00d0 2d45 6e63 6f64 696e 673a 2067 7a69 700d -Encoding:.gzip.
0x00e0 0a41 6b61 6d61 692d 4f72 6967 696e 2d48 .Akamai-Origin-H
0x00f0 6f70 3a20 310d 0a56 6961 3a20 312e 3120 op:.1..Via:.1.1.
0x0100 616b 616d 6169 2e6e 6574 2867 686f 7374 akamai.net(ghost
0x0110 2920 2841 6b61 6d61 6947 486f 7374 290d ).(AkamaiGHost).
0x0120 0a58 2d46 6f72 7761 7264 6564 2d46 6f72 .X-Forwarded-For
0x0130 3a20 3833 2e37 382e 3132 332e 3933 0d0a :.83.78.123.93..
0x0140 4e50 475f 5352 435f 4144 4452 3a20 3833 NPG_SRC_ADDR:.83
0x0150 2e37 382e 3132 332e 3933 0d0a 486f 7374 .78.123.93..Host
0x0160 3a20 7777 772e 6e61 7475 7265 2e63 6f6d :.www.foo.com
0x0170 0d0a 5072 6167 6d61 3a20 6e6f 2d63 6163 ..Pragma:.no-cac
0x0180 6865 0d0a 4361 6368 652d 436f 6e74 726f he..Cache-Contro
0x0190 6c3a 206e 6f2d 6361 6368 652c 206d 6178 l:.no-cache,.max
0x01a0 2d61 6765 3d30 0d0a 436f 6e6e 6563 7469 -age=0..Connecti
0x01b0 6f6e 3a20 6b65 6570 2d61 6c69 7665 0d0a on:.keep-alive..
0x01c0 5573 6572 2d41 6765 6e74 3a20 7377 6364 User-Agent:.swcd
0x01d0 2f35 2e32 2e30 3033 320d 0a0d 0a /5.2.0032....

Looks like non-attack traffic to me. Now here's how to collect traffic with Argus:
argus -c -d -i eth1 -w /nsm/argus/argus_eth1.out - ip

ps -ef | grep argus
root 17969 1 10 13:14 ? 00:01:07 argus -c -d -i eth1 -w /nsm/argus/argus_eth1.out - ip
root 17970 17969 0 13:14 ? 00:00:00 argus -c -d -i eth1 -w /nsm/argus/argus_eth1.out - ip
root 17971 17970 0 13:14 ? 00:00:01 argus -c -d -i eth1 -w /nsm/argus/argus_eth1.out - ip

Another Top Talkers report:
ramon -M TopN -n -r /nsm/argus/argus_eth1.out | more

07 Dec 06 13:14:43 1.1.1.2 1279856 3477698 108939939 3977099954
07 Dec 06 13:14:43 170.224.106.156 18831 103081 3548824 67919235
07 Dec 06 13:14:43 84.53.135.21 68171 46060 82953688 3681311
07 Dec 06 13:14:43 89.149.169.60 67878 37252 87414096 2788064
07 Dec 06 13:14:44 195.22.198.76 63206 34936 88545400 2042096
07 Dec 06 13:14:48 89.149.169.62 56294 37124 67945977 3006272

List flows for a specific IP:
ra -n -r /nsm/argus/argus_eth1.out -L0 host 89.149.169.60 | more

StartTime Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State
07 Dec 06 13:14:43 * tcp 89.149.169.60.64208 -> 1.1.1.2.http 66 82 5220 103360 FIN
07 Dec 06 13:14:45 * tcp 89.149.169.60.64261 -> 1.1.1.2.http 30 32 2824 30796 FIN
07 Dec 06 13:14:44 * tcp 89.149.169.60.64239 -> 1.1.1.2.http 12 14 1934 1754 FIN
07 Dec 06 13:14:45 * tcp 89.149.169.60.64270 -> 1.1.1.2.http 14 16 1992 3916 FIN
07 Dec 06 13:14:46 * tcp 89.149.169.60.64273 -> 1.1.1.2.http 14 16 1998 3920 FIN
07 Dec 06 13:14:44 * tcp 89.149.169.60.64244 -> 1.1.1.2.http 80 110 5886 141624 FIN
07 Dec 06 13:14:51 *S tcp 89.149.169.60.64426 -> 1.1.1.2.http 6687 17343 361846 24840880 FIN
07 Dec 06 13:14:52 * tcp 89.149.169.60.64459 -> 1.1.1.2.http 44 46 4056 50054 FIN
07 Dec 06 13:14:52 * tcp 89.149.169.60.64460 -> 1.1.1.2.http 16 16 2956 4792 FIN
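To do the same per-host accounting over ra output in a script rather than by eye, here is an added Python example (not the post's code, nor part of Argus) that parses ra -L0 records in the layout of the two listings above, totals bytes per source host, and picks out the few flows carrying most of the data; the sample records are constructed from values on this page.

```python
from collections import defaultdict

# Constructed sample in the ra -L0 layout (StartTime Flgs Type SrcAddr.Sport Dir
# DstAddr.Dport SrcPkt DstPkt SrcBytes DstBytes State); values taken from this page.
RA_OUTPUT = """\
StartTime Flgs Type SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State
24 Oct 06 15:22:26 * tcp 212.243.221.227.49629 -> 1.1.1.2.http 74 94 4910 119750 FIN
24 Oct 06 15:22:30 * tcp 212.243.221.227.49714 -> 1.1.1.2.http 36 38 3142 38738 FIN
24 Oct 06 15:23:21 * tcp 212.243.221.227.50274 -> 1.1.1.2.http 9819 18194 531772 25994416 CON
07 Dec 06 13:14:51 *S tcp 89.149.169.60.64426 -> 1.1.1.2.http 6687 17343 361846 24840880 FIN
"""

def parse_ra(text):
    """Yield one dict per flow record; the header line and blank lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[7] not in ("->", "<-", "<->"):
            continue
        src, sport = f[6].rsplit(".", 1)          # address and port share one column
        dst, dport = f[8].rsplit(".", 1)
        yield {"start": " ".join(f[:4]), "flags": f[4], "proto": f[5],
               "src": src, "sport": sport, "dst": dst, "dport": dport,
               "spkt": int(f[9]), "dpkt": int(f[10]),
               "sbytes": int(f[11]), "dbytes": int(f[12]), "state": f[13]}

def summarize(flows):
    """Per source host: flow count, bytes sent/received, and flows still open (CON)
    when the capture ended."""
    out = defaultdict(lambda: {"flows": 0, "sent": 0, "received": 0, "open": 0})
    for fl in flows:
        h = out[fl["src"]]
        h["flows"] += 1
        h["sent"] += fl["sbytes"]
        h["received"] += fl["dbytes"]
        if fl["state"] == "CON":
            h["open"] += 1
    return dict(out)

def big_downloads(flows, min_bytes=1_000_000):
    """Flows where the server returned at least min_bytes, with the receive/send ratio,
    so a handful of large transfers stand out from the many small page hits."""
    return [(fl["src"], fl["sport"], fl["dbytes"], round(fl["dbytes"] / max(fl["sbytes"], 1), 1))
            for fl in flows if fl["dbytes"] >= min_bytes]
```

Feed it `ra -n -L0` output piped from the real file instead of RA_OUTPUT and the two functions give the same picture the TopN and per-host listings above give by hand.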

Generate a top talkers report by host pair for the 9am-12 window using the following command:
ramon -M Matrix -n -r /nsm/argus/argus_eth1.out -t 13.9 - 12

While I did not find evidence of an attack, I have a much better picture of their traffic behavior. Looks like the developers have some work to do.

I first learned of Argus in Richard Bejtlich's The Tao of Network Security Monitoring.

See the Argus site for more complete documentation.

Investigating alerts with Cisco IDS v5.x

I've seen much documentation on Cisco IDS/IPS, but not much of it covers what really matters: investigating alerts for possible incidents. Here are some screenshots documenting one such example using the IDM on a 5.x sensor.

Here we see the IDM event screen:



This packet triggered the alert. Observe the ipLog section:


This is dandy but I still don't know if I should be worried about this event. Since I've enabled IP Logging, the alert event triggered packet capture for a specified duration or packet count. This screen shows a number of logs and their corresponding event alert IDs.


After I download the log relevant to the alert, it can be analyzed with software such as Ethereal/Wireshark:



Now select the packet that generated the alert, right-click it and choose "Follow TCP Stream". This screen depicts the full transcript of the conversation between victim and attacker:


The output shows this attempt did not succeed. Looks like some tuning is in order. BTW, this process is simpler/faster/easier with a system such as Sguil.

Wednesday, January 10, 2007

Linux/Cisco TCP MSS


I ran into a strange issue on my home network when a few of my systems experienced erratic web browsing behavior. For instance, I could browse to Google, not Yahoo, but could ping them both. I narrowed it down to the Linux systems (both Fedora & Ubuntu).

So I started some sniffing on a Windows XP & Linux system, accessed the same site, then reviewed the data. I found that after the Linux system sent an HTTP GET, it never saw a response from the server, whereas the Windows system did. Further analysis showed that the TCP header on the GET request from the Linux system was 32 bytes vs 20 bytes from the Windows system.



It turns out the TCP maximum segment size (MSS) had to be adjusted on my Cisco router. These are the commands:
  • ip tcp adjust-mss 1452
  • ip mtu 1491