Friday, February 16, 2007

VMware & Samba on Linux

VMware:

sudo apt-get install xinetd
sudo apt-get install libX11-dev
sudo apt-get install xlibs-dev

tar -xzvf VMware-server-1.0.2-39867.tar.gz
cd vmware-server-distrib/
sudo ./vmware-install.pl

Client Install:
unzip VMware-server-linux-client-1.0.2-39867.zip
tar -xzvf VMware-server-console-1.0.2-39867.tar.gz
cd vmware-server-console-distrib/
sudo ./vmware-install.pl

Made it so vmware-authd, the service the VMware console connects to on TCP port 902, listens only on loopback instead of on all interfaces:
sudo vi /etc/xinetd.d/vmware-authd

bind = 127.0.0.1

xinetd has to be restarted (or sent SIGHUP) before the change applies. With this setting the console is only reachable from the host itself; to use it from another machine, tunnel port 902 over SSH rather than opening it up again.

I did not enable host-only networking during install. To reconfigure VMware server:

sudo /usr/bin/vmware-config.pl

My important settings:

Would you prefer to modify your existing networking configuration using the
wizard or the editor? (wizard/editor/help) [wizard] editor

The following virtual networks have been defined:

. vmnet0 is bridged to eth0
. vmnet1 is a host-only network on private subnet 172.16.173.0.
. vmnet2 is bridged to eth1

In which directory do you want to keep your virtual machine files?
[/var/lib/vmware/Virtual Machines] /data/vm


Samba:

sudo apt-get install samba

Add samba user:
sudo smbpasswd -a dustin


/etc/samba/smb.conf:

workgroup = NETJITSU
interfaces = lo vmnet1
bind interfaces only = yes
writable = yes
path = /data/

The first three settings belong in [global]; the last two belong to the share definition. Note that interfaces = by itself only tells Samba which networks to serve and browse; smbd and nmbd still bind their sockets to every address unless bind interfaces only = yes is set as well (that line is added above to make the setup do what was intended). With both in place Samba listens only on the host-only network; lo is included so that local tools which connect to 127.0.0.1, such as smbpasswd run by a non-root user, keep working. Samba resolves the interface list at startup, so vmnet1 must be up before Samba starts or it will not be bound at all.

For some reason my changes did not take effect upon Samba restart. A manual stop then start did it:

sudo /etc/init.d/samba stop
sudo /etc/init.d/samba start
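As an added example (not part of the original post), here is a small audit script for the two "listen only where intended" settings from the VMware and Samba sections above: the xinetd bind line for vmware-authd and the smb.conf interfaces / bind interfaces only pair. The sample files it writes are constructed for this example, and the share name [data] is an assumption, since the post does not show its share section.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two "listen only where
# intended" settings. xinetd_bound() checks a /etc/xinetd.d service file for a
# pinned address; smb_bound() checks that smb.conf restricts listening, which
# needs BOTH "interfaces =" and "bind interfaces only = yes" ("interfaces ="
# alone does not bind sockets). Files written by write_samples() are
# constructed for this example; the share name [data] is an assumption.

# 0 if the xinetd stanza pins the listener to one IPv4 address via "bind ="
# or its xinetd alias "interface =", 1 if it would listen on every address.
xinetd_bound() {
    grep -Eq '^[[:space:]]*(bind|interface)[[:space:]]*=[[:space:]]*[0-9]+(\.[0-9]+){3}' "$1"
}

# 0 if smb.conf really restricts listening, 1 otherwise.
smb_bound() {
    grep -Eiq '^[[:space:]]*interfaces[[:space:]]*=' "$1" &&
    grep -Eiq '^[[:space:]]*bind[[:space:]]+interfaces[[:space:]]+only[[:space:]]*=[[:space:]]*(yes|true|1)[[:space:]]*$' "$1"
}

# Write constructed sample files into directory $1.
write_samples() {
    # As posted: "interfaces =" without "bind interfaces only = yes".
    cat > "$1/smb-weak.conf" <<'EOF'
[global]
workgroup = NETJITSU
interfaces = vmnet1

[data]
path = /data/
writable = yes
EOF
    # Corrected: lo is included so local clients of 127.0.0.1 keep working.
    cat > "$1/smb-fixed.conf" <<'EOF'
[global]
workgroup = NETJITSU
interfaces = lo vmnet1
bind interfaces only = yes

[data]
path = /data/
writable = yes
EOF
    # xinetd stanza for vmware-authd, pinned to loopback.
    cat > "$1/vmware-authd" <<'EOF'
service vmware-authd
{
    disable     = no
    port        = 902
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/vmware-authd
    bind        = 127.0.0.1
}
EOF
    # The same stanza without bind: listens on every interface.
    grep -v '^[[:space:]]*bind' "$1/vmware-authd" > "$1/vmware-authd-open"
}

# Run check function $1 against file $2 and say what was found.
report() {
    if "$1" "$2"; then echo "OK    $2"; else echo "OPEN  $2"; fi
}

dir=$(mktemp -d)
write_samples "$dir"
report xinetd_bound "$dir/vmware-authd"
report xinetd_bound "$dir/vmware-authd-open"
report smb_bound    "$dir/smb-weak.conf"
report smb_bound    "$dir/smb-fixed.conf"
rm -r "$dir"
```

Point the functions at the real /etc/xinetd.d/vmware-authd and /etc/samba/smb.conf to audit a host. Whatever the files say, confirm the result at runtime with netstat -tlnp (or ss -tlnp): ports 902, 139 and 445 should show 127.0.0.1 or the vmnet1 address as the local address, never 0.0.0.0.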

Thursday, February 15, 2007

Alphabet Soup



After over a year of putting it off due to my overall contempt for certifications in general, I took and passed the CISSP exam. I came to the realization that no matter how disrespected this certification is by the top security researchers, it remains a prerequisite for many security jobs. Just run a search in any job site for "CISSP", and there will no doubt be a ton of results. So here are a couple notes regarding the process and the exam.

I utilized just one book to prepare, the CISSP All-in-One Exam Guide, Third Edition by Shon Harris. Note that outside of specifically studying for this exam, I've read many books, papers, blogs, etc. on various security topics.

In addition to the book, I tackled a large number of practice questions using the amazing and free cccure.org. I believe this aspect really prepared me for the actual test. I took a bunch of practice tests, more than 100 questions for each domain, then researched what I missed. I kept taking tests until my average was 80%+.

Regarding the test, I was expecting it to be much worse. In fact, I breezed through the first 100 questions and knew that if the rest of the questions were like that, I was home free. For the most part they were, and after just over 2 hours out of an allotted 6, I was done.

Friday, February 09, 2007

Cisco IOS Display Bug

Last night, while logged into a router deployed at the network edge, I noticed an uninvited guest:

br02#sh users
    Line       User       Host(s)     Idle       Location
   1 vty 0                idle        00:00:01   201.63.40.18
   2 vty 1     root       idle        00:00:02   201.63.40.18

What's this, a root login to a Cisco router? I was pretty sure a root login did not exist in our AAA server, but I checked the TACACS+ log just to verify. No unauthorized logins there. Where is this login coming from?

whois 201.63.40.18
[Querying whois.lacnic.net]
[Redirected to whois.registro.br]
inetnum: 201.63.40.16/29
aut-num: AS10429
abuse-c: STE21
owner: Acoplast Indústria e Comércio Ltda
ownerid: 061.344.578/0001-50
responsible: Josiel Augusto Morosi
owner-c: JAM651
tech-c: JAM651
created: 20060830
changed: 20060830
inetnum-up: 201.63/16

nic-hdl-br: JAM651
person: JOSIEL AUGUSTO MOROSI
e-mail: josiel@acoplast.com.br

We definitely don't have any engineers in Brazil. Could this be a covert channel or an exploit of a recent bug?

I quickly opened a case, and received the following response:

A display bug exists in earlier versions of IOS where a user connecting to the ssh or telnet port will display as logged in while connected even if they have not successfully authenticated. You can verify if this is the case on your device if you enter a login and do not authenticate successfully, then do a "show user". This should display your "rogue" connection as a connected user.

I am not currently aware of a BugID for this issue.


So the root shown above is just the name the remote side offered at the login prompt, not an authenticated account. As these are most likely brute-force attempts, an access-list applied inbound on the VTY lines (access-class) should mitigate them: connections from outside the management range are refused before the login prompt, so they never occupy a VTY and never appear in show users at all. Were the crackers in Brazil restless last night?
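As an added example (not from the original post or the router it describes), the following script prints the VTY access-list configuration the post recommends and checks a saved running config for VTY stanzas that lack an inbound access-class, which is how such a restriction usually gets missed on a range added later. The ACL name MGMT-VTY and the management prefix 10.0.0.0/24 are assumptions for this example, and the running-config excerpt in sample_config() is constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: the VTY access-list the post
# recommends, plus a check that every "line vty" stanza in a saved running
# config applies one. The ACL name MGMT-VTY and the management prefix
# 10.0.0.0/24 are assumptions; the config in sample_config() is constructed.

# IOS to paste on the router. Connections from outside the management prefix
# are refused before the login prompt, so they never occupy a VTY and never
# show up in "show users" (display bug or not). Drop "transport input ssh"
# if the router is telnet-only.
vty_acl_config() {
    cat <<'EOF'
ip access-list standard MGMT-VTY
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-VTY in
 exec-timeout 10 0
 transport input ssh
EOF
}

# Print every "line vty" stanza of config file $1 that has no inbound
# access-class. Exit 0 if at least one unprotected stanza was found, 1 if
# every VTY stanza is protected (or there are none).
vty_without_acl() {
    awk '
        function flush() { if (stanza != "" && !ok) print stanza; stanza = ""; ok = 0 }
        /^line vty/                        { flush(); stanza = $0; next }
        /^line / || /^!/ || /^end[ \t]*$/  { flush(); next }
        stanza != "" && /^[ \t]*access-class[ \t]+[^ \t]+[ \t]+in/ { ok = 1 }
        END                                { flush() }
    ' "$1" | grep .
}

# Constructed running-config excerpt: the first VTY range is protected, the
# second (vty 5 15) was added later and forgotten.
sample_config() {
    cat <<'EOF'
hostname br02
!
ip access-list standard MGMT-VTY
 permit 10.0.0.0 0.0.0.255
 deny   any log
!
line con 0
 login authentication default
line vty 0 4
 access-class MGMT-VTY in
 transport input ssh
line vty 5 15
 transport input ssh
!
end
EOF
}

dir=$(mktemp -d)
sample_config > "$dir/running.cfg"
echo "VTY stanzas without an inbound access-class:"
vty_without_acl "$dir/running.cfg" || echo "(none)"
rm -r "$dir"
```

Feed vty_without_acl a copy of "show running-config" pulled from each router to catch VTY ranges that were never given an access-class. Denied connections are logged by the "deny any log" entry, so the brute-force attempts remain visible in the router log even though they no longer reach a login prompt.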