Backing up Cisco Configurations for Routers, Switches and Firewalls

I will add more about this when I have time. Until then, you should be able to just install Python, paramiko and pexpect and run this script as-is (obviously changing the variables). This should give you all the software you need:
sudo apt-get update
sudo apt-get install python python-pexpect python-paramiko
I plan on greatly extending this script, adding functionality as well as a bash script that will parse the configs and perform much deeper backups of ASAs. I have not tested this on routers and switches. Keep in mind that the saved configs contain secrets (type 7 passwords, SNMP community strings, VPN pre-shared keys), so the directory you back up into needs the same access restrictions as the devices themselves. I can tell you that the production 5520 HA pair that I ran this script against was running “Cisco Adaptive Security Appliance Software Version …

Creating a basic monitoring server for network devices

I’ve recently been working more and more with network device management. So, to help with uptime monitoring, interface statistics, bandwidth utilization and alerting, I’ve been building up a server with some great Open Source tools. My clients love it because it costs virtually nothing to run these machines, and it helps keep the network running smoothly when we know what is going on inside it. One thing I haven’t been able to do yet is syslog monitoring with the ability to generate email alerts off specific syslog messages. That’s in the works, and I’ll add that information to this blog as soon as I get it running properly. I am using Debian 7.6 for this …

Debian Wheezy mpt-status

After recently moving our Debian servers over to ESXi 5.5, I’ve been seeing the “mpt-status” package reporting issues in the syslog. After some searching around, according to Debian.org, “The mpt-status software is a query tool to access the running configuration and status of LSI SCSI HBAs. mpt-status allows you to monitor the health and status of your RAID setup.” That’s interesting, because none of our Debian servers have RAID partitions. So naturally, I just removed the package. I haven’t had any errors with the servers, nor do I expect any. Here’s what I did to remove the package:
sudo service mpt-statusd stop
sudo apt-get purge mpt-status
Problem solved!

Mounting Windows Partitions in FreeNAS 9.x

Recently I built a FreeNAS box so I could back up my computers to it. I figured that the redundancy of the disks, plus the ability to have two hot spares in a RAIDZ2 ZFS volume, would make it more robust than having terabytes of data just sitting on a disk in my computer. Long story short, I needed to move about 4 terabytes of data off my local workstation onto the FreeNAS box. I didn’t want to transfer it over the LAN, purely for speed, so I hooked the drive up to the FreeNAS box with an external drive enclosure that had an eSATA port on it. After some quick research, I found that you need to load a …

Connecting FreeNAS 9.2 iSCSI to ESXi 5.5 Hypervisor and performing VM Guest Backups

In this blog we’re going to work through connecting your FreeNAS box to your ESXi server for easy backups. ESXi is a hypervisor from VMware that is arguably the best ever made. I like it the most for many reasons, including the fact that the base hypervisor is free, it’s a non-Microsoft product, and if you need additional features the licensing is reasonably priced. Before you follow along, note that iSCSI is unencrypted and, unless you enable CHAP on the target, unauthenticated, so keep it on a dedicated storage network or VLAN that nothing else can reach. Now, I’ve already gone through and set up my whole server, so what I’ll do is retrace my steps here and show how easy this process really is. Let’s get started with FreeNAS. I have an old computer that I used for setting up FreeNAS. It’s an ASUS motherboard with an Intel Core 2 Quad (Q6600), 12GB of …

Creating a Reverse Proxy with Apache2

Sometimes there is a need to host multiple websites from one server, or from one external IP address. Whatever your reason or need, in this tutorial I’ll go through what I did to set up an Apache server to forward requests. In my setup here, I have a Debian Wheezy server in my DMZ, and in my tier 2 DMZ I have 5 web servers. My objective is to host all these servers from one IP address and introduce some security. I found a ton of info out there on setting up Apache as a reverse proxy, but none of it really spelled out exactly what to do and what the results would be. Some of them did, but …
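Here is an added example of the kind of virtual host this setup needs, written as a small shell helper rather than taken from the original post. It generates one Apache reverse-proxy vhost per public name and backend, refuses inputs that could smuggle extra directives into the config, and keeps ProxyRequests Off, which is the setting that separates a reverse proxy from an open forward proxy that the whole Internet can bounce through. The host name www.example.com, the backend address 10.0.2.10:8080 and the Debian paths are placeholders, and TLS is left out.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an Apache 2 reverse
# proxy virtual host for one public name -> one backend, with the settings
# that matter for security: ProxyRequests Off (otherwise Apache becomes an
# open forward proxy), ProxyPreserveHost so the backend sees the real Host
# header, and input checks so nothing can inject extra directives.
# Names, addresses and paths below are assumptions for illustration.

# Reject anything that is not a plausible DNS name; a quote, space or newline
# in $name would otherwise land inside the generated config.
valid_hostname() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Only plain http://host[:port] backends; no path, no other scheme.
valid_backend() {
    printf '%s' "$1" | grep -Eq '^http://[A-Za-z0-9.-]+(:[0-9]{1,5})?$'
}

# vhost_conf <public name> <backend url>  -> prints the vhost, or fails.
vhost_conf() {
    name=$1
    backend=$2
    valid_hostname "$name" || { echo "bad hostname: $name" >&2; return 1; }
    valid_backend "$backend" || { echo "bad backend: $backend" >&2; return 1; }
    cat <<EOF
<VirtualHost *:80>
    ServerName $name
    # Never turn this on for a reverse proxy: it makes Apache a forward proxy.
    ProxyRequests Off
    # Pass the client's Host header through so the backend's own vhosts work.
    ProxyPreserveHost On
    # Only this vhost's URL tree is forwarded; nothing else on the backend is reachable.
    ProxyPass        / $backend/
    ProxyPassReverse / $backend/
    ErrorLog \${APACHE_LOG_DIR}/$name-error.log
    CustomLog \${APACHE_LOG_DIR}/$name-access.log combined
</VirtualHost>
EOF
}

# Writes the site file and enables it on a Debian/Ubuntu layout (run as root
# on the proxy host itself).
enable_site() {
    name=$1
    backend=$2
    conf=$(vhost_conf "$name" "$backend") || return 1
    printf '%s\n' "$conf" > "/etc/apache2/sites-available/$name.conf"
    a2enmod proxy proxy_http
    a2ensite "$name.conf"
    apache2ctl configtest && service apache2 reload
}
```

Run vhost_conf (or enable_site) once per web server in the tier 2 DMZ; each public name gets its own file, and a malformed name or backend makes the function fail instead of writing a half-trusted config.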

Intro to Linux: File Systems, Permissions, and Hardware Fundamentals

Hello again everyone. So, for the past few years now I’ve really been getting more and more into working with Linux. I know that’s a broad statement: Linux is on just about every device you see these days; mobile phones, computers, laptops, tablets, supercomputers, refrigerators, cars, custom motorcycles… everything! And how many different distros are there? Hundreds! I won’t start any debates on how good or bad Linux is as a whole, or how it fares as an overall operating system, but I will go into how to use it, understand it, and operate it. This is the first of many blogs I’ll be posting about how to use Linux, and we’ll start here with the file system. The …

Linux Stuff: How to setup SSH certificates to simplify logins to remote systems

SSH and Server Certificates. If you haven’t done this yet, we’re going to make life easy and set up SSH key-based logins (what this post calls SSH certificates is really a public/private key pair; OpenSSH’s CA-signed certificates are a separate feature) so it’s super easy to SSH in from our Linux desktop. You’ll want to make sure the SSH server and client are installed on both of the machines you’re planning to configure. Most of the time this is done already.
Debian-based machines: apt-get install ssh openssh-server openssh-client
Red Hat-based machines: yum install openssh-server openssh-clients
When that’s done, test connecting from your local machine to your remote host using:
ssh steve@208.28.163.39
The authenticity of host ‘208.28.163.39 (208.28.163.39)’ can’t be established.
RSA key fingerprint is 69:23:4c:49:35:41:ca:ae:23:3f:69:63:b2:ba:12:3c.
Are you sure you want to continue connecting (yes/no)?
Don’t reflexively answer yes: that prompt is your one chance to catch a man-in-the-middle, so compare the fingerprint with the one the server itself reports for its host key in /etc/ssh before accepting it. …
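As an added example (my own code, not the post’s), here is the key-based login procedure the text describes, as shell functions: generating a key pair, installing a public key into authorized_keys with the permissions sshd insists on and without duplicate lines, and checking the host fingerprint out of band before answering that prompt. The ed25519 key type, the file paths and the user steve at 208.28.163.39 are assumptions added to or taken from the text; ssh-copy-id does the install step for you, but the function shows what it has to get right.

```shell
#!/bin/sh
# Added example, not from the original post. Key-based SSH login with the
# checks that usually bite: file permissions, duplicate keys, and verifying
# the server's host key fingerprint instead of blindly answering "yes".
# Key type, user, host and paths are assumptions for illustration.

# 1. Generate a key pair on the desktop. Leave the passphrase empty only for
#    unattended jobs; otherwise answer the passphrase prompt.
generate_key() {
    keyfile="${1:-$HOME/.ssh/id_ed25519}"
    [ -f "$keyfile" ] && return 0          # never overwrite an existing key
    ssh-keygen -t ed25519 -f "$keyfile" -C "$(whoami)@$(hostname)"
}

# 2. Install one public key line into authorized_keys the way sshd expects:
#    ~/.ssh mode 700, authorized_keys mode 600, and each key only once.
#    With StrictModes (the default) sshd silently ignores a group- or
#    world-writable file, which is the classic "why does it still ask for a
#    password" failure.
install_pubkey() {
    pubkey_line=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    if ! grep -qxF -- "$pubkey_line" "$auth"; then
        printf '%s\n' "$pubkey_line" >> "$auth"
    fi
}

# Returns 0 when directory and file modes are what StrictModes wants.
# GNU stat (-c) on Linux, BSD stat (-f) on FreeBSD/macOS.
authorized_keys_perms_ok() {
    ssh_dir=$1
    d=$(stat -c '%a' "$ssh_dir" 2>/dev/null || stat -f '%Lp' "$ssh_dir")
    f=$(stat -c '%a' "$ssh_dir/authorized_keys" 2>/dev/null || stat -f '%Lp' "$ssh_dir/authorized_keys")
    [ "$d" = 700 ] && [ "$f" = 600 ]
}

# 3. Before the first connection, get the fingerprint from the server over a
#    channel you already trust (console, an existing session) ...
#       ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
#    ... compare it with what "ssh steve@208.28.163.39" prints, and only
#    then answer "yes". After that, copy the key and log in:
#       ssh-copy-id -i ~/.ssh/id_ed25519.pub steve@208.28.163.39
#       ssh steve@208.28.163.39
```

If a login still prompts for a password after this, authorized_keys_perms_ok on the server side is the first thing to check, followed by the sshd log for a "bad ownership or modes" message.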

Microsoft Exchange: Fortify and secure your mail server!

So, I just (mostly) finished writing a blog on how to set up a Postfix reverse mail proxy that works as a spam filter for your Exchange server. A blog I wrote before that was about network architecture that I feel any organization should be able to implement, regardless of the size of the company. Those two blogs had a lot to do with security at the perimeter of the network. I’d like to continue securing email and increasing the security and reliability of your MS Exchange environment, while not impeding usability or scalability. In this blog we’ll look at securing and fortifying your Exchange server. If you look at Microsoft’s …

Bash Shell Scripting: When to use quotes

In my experience there are different situations in which to use each type of quote. I’ve provided this as straight text, and as a version you can copy and paste into a shell script (at the bottom). On top of single ' ' and double " " quotes, don’t forget back-ticks ` `, which are not quoting at all but command substitution: the output of the enclosed command replaces the expression. Here’s my short answer. If you were to create a variable in Bash, you could do it like this:
variable="here is some text"
Now use that variable on the command line:
echo $variable
here is some text
Wrapping it in backticks, as in `echo $variable`, is a different thing: the shell runs the command and hands the output back, so typed on its own it would try to execute a command named here. Backticks (or the equivalent $(...) form) belong inside another command, for instance on the right-hand side of an assignment.
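To make the difference concrete, here is an added shell script (not from the original post) in which each quoting rule is a function returning a value you can check: double quotes expand the variable and keep it as one word, single quotes expand nothing, an unquoted expansion is split into words, and backticks substitute a command’s output. The temporary files it creates are its own constructed example of why this matters for file names with spaces.

```shell
#!/bin/sh
# Added example (not from the original post): how single quotes, double
# quotes, unquoted expansion and command substitution differ, with each case
# as a function so the result can be checked rather than eyeballed.

variable="here is some text"

# Double quotes: $variable is expanded but stays ONE word.
double_quoted() {
    printf '%s\n' "$variable"
}

# Single quotes: nothing is expanded; the literal text $variable comes back.
single_quoted() {
    printf '%s\n' '$variable'
}

# Unquoted expansion is split on whitespace into separate arguments (4 here).
count_words_unquoted() {
    set -- $variable
    echo "$#"
}

# Quoted expansion is a single argument (1).
count_words_quoted() {
    set -- "$variable"
    echo "$#"
}

# Backticks (and the modern $(...) form) are command substitution: the
# command's OUTPUT replaces the expression. On its own, `echo $variable`
# would try to run a command named "here"; inside an assignment it is useful.
captured_output() {
    result=`echo "$variable"`      # same as: result=$(echo "$variable")
    printf '%s\n' "$result"
}

# Why it matters: a file name with a space. Unquoted, "my file.txt" is split
# and touch creates TWO files ("my" and "file.txt"); quoted, it creates one.
files_created_unquoted() {
    dir=$(mktemp -d)
    name="my file.txt"
    (cd "$dir" && touch $name)     # word splitting happens here
    set -- "$dir"/*
    n=$#
    rm -rf "$dir"
    echo "$n"
}

files_created_quoted() {
    dir=$(mktemp -d)
    name="my file.txt"
    (cd "$dir" && touch "$name")   # one argument, one file
    set -- "$dir"/*
    n=$#
    rm -rf "$dir"
    echo "$n"
}
```

The last two functions are the rule of thumb in one line: quote every expansion that might contain whitespace, which in practice means all of them unless you want word splitting.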

Linux How-To: Debian Server, Bind9 DNS and Postfix Mail Relay SPAM Filter

So, MS Exchange has been attacked so many times over the years that it would be stupid to let it just sit out on the Internet. The same goes for Microsoft DNS server. I would try as hard as I could never to put a Microsoft server out on the Internet, or even allow a Microsoft server to directly service the Internet. It’s just too risky, and I don’t roll the dice in situations such as these. I would, however, make an exception for hosting an Internet Information Services (IIS) web server. There are easy ways to lock down IIS and the OS, perform secure code reviews on the website itself, put reverse proxies in front of the web server (Apache mod_security …

Cisco ASAs: Baseline Configurations

So, I’ve been dabbling around in the Cisco field for many years now. I started taking Cisco Academy courses at a local college in the fall of 2002, and since then I’ve completed all the CCNA and CCNP courses and, most recently, the CCNA Security courses. By no means am I calling myself an expert, the best Cisco engineer on the planet, or even on par with a Cisco engineer that’s been in the field for at least a year or so. But what I am saying is that I feel I’ve got a decent background. I bought a Cisco ASA 5505 a few years ago, played with it for a while and then got sidetracked with other work. I …

Using OpenVPN to build a VPN server for Remote Users

Have you ever wanted to access your systems remotely? Are you running a business where you have employees on the road that need access to internal resources? Want a secure, functional, scalable, free solution that will rival those of the top vendors on the market? I thought you’d say yes! Come along, we’re going to stand up a free VPN server that is easy to manage and works with Mac OS X, Linux and Windows! As I stated before, we’re going to refer back to a blog I wrote a while back. We need a clean Debian server install for what we’re going to do. So, please, start with building a minimal install of Debian …

Open Source: Postfix Mail Relay, SPAM filter, DNS Server, Web Server, AWStats, ISPConfig3 and More!

Everyone out there hates spam, right? I know I do. And my domain isn’t out there that much, so I can’t say that I get anywhere near as much spam as some large enterprise businesses do. What if I told you that your Barracuda spam filter, or your McAfee spam filter, or whatever paid product, is junk? What if I told you that we can get you up and running with a FREE spam filter for your mail server? What if I told you that it was just as easy to set up and use as your current spam filter? How about this question: how much are you paying for your current spam filter? Well, this blog post is getting …

SAMBA 4 Released! Let’s get installing!

So, as many of you have heard, SAMBA 4 was finally released… and holy crap, it’s the closest thing to the real Active Directory I’ve ever seen. As well it should be too; I mean, Microsoft actually helped work on it! This release of SAMBA is huge. It’s really going to change the game for LDAP, file sharing between Linux/Unix and Windows, and authentication. You can read the news release from the SAMBA team or visit their website. What is really huge about it all is that you can set up a SAMBA 4 server to take over, literally, all functions of a Windows AD domain controller. It can process authentication requests, hand out Group Policies, process MSRPC …

Open Source: Managing Debian and Ubuntu Linux with Active Directory

I talked about this in my last blog post: we had a need for authentication on our Linux/Unix systems to be done by Active Directory. So my co-worker and I set off on a mission to fulfil this request. We’d tried some software that wasn’t free, heard about some other software that wasn’t free, and then it struck us: “Why pay?” All the work had previously been done for us in the Open Source community, so why not leverage it directly? So this is my homage to the Open Source community. I’m going to try to give back by writing this blog about my trials and tribulations in setting up this functionality. I’ll forewarn you, this blog entry is very long and …

Open Source can save you millions: Part 1, the intro…

After dealing with some vendors over the last couple of years, I’ve come to realize one major theme keeps rearing its ugly head: vendor sales people will tell you anything to get you to buy their product or service, regardless of whether their product/service is the best solution at the best price out there. Now, wait just a minute. I’m not going to demonize salesmen or be some hippie tree hugger and say, “don’t buy commercial products, man!”. Some companies and products are pretty damn good. Some are definitely not. Some are ridiculously expensive; some are not. But how do you know which ones to actually spend money on, or not, if your company, or personal outlook on life, is telling …

Serious network architecture that works for everyone.

I started writing this blog post as a way to set up a reverse proxy for mail inspection, but it turned out that a network architecture blog focused on security of the perimeter was more important. I’ve gone over in my head all the companies that have told me, “Ohhh, we don’t need this,” or “this is too much administrative overhead,” or “we don’t need this much complexity, we’re just manufacturing widgets,” or something like that. And to those people, I say this: “I am so sick and tired of hearing excuses for why you think it’s okay to be lazy. Do it right, do it now, and save yourself the headaches of a breach.” We’ll talk about the …

Linuxy Stuff: DavMail

So I actually have a few things I’m working on here, but I’ll focus this on just one topic. Talking with a coworker a couple of weeks ago, he introduced me to some great software that acts as a proxy to Microsoft Exchange. I’ve tested it with Exchange 2010, but I’m sure it works with previous releases as well. The software is called DavMail and it works pretty damn well. I do hate POP mail, since you can only sync the Inbox folder; so if your existing Exchange account has multiple folders set up and rules moving mail around, have fun with that. For sanity, I separate my mail quite a bit. For projects and certain people I …

Linux Apache2: Mod_rewrite for WordPress

So I’ve been having all kinds of issues getting WordPress “permalinks” working. I could’ve sworn that I had my “.htaccess” file set up properly, my WordPress install seemed to be working just fine, and everything else on the server worked. So what to do? Google. First off, if you’re like me, you already installed Apache like this:
apt-get install apache2
You should already have Apache’s mod_rewrite installed on your box. If so, it will be found in “/usr/lib/apache2/modules”. Now, go into your “mods-enabled” directory and create a rewrite file (on Debian the a2enmod rewrite helper does the same job by symlinking mods-available/rewrite.load into mods-enabled; the manual steps below end up with the same module loaded):
cd /etc/apache2/mods-enabled
sudo touch rewrite.load
sudo nano rewrite.load
Now paste the following line, then save and close the file:
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
Loading the module is not enough on its own: the directory block for your WordPress document root also needs AllowOverride All (or at least FileInfo), otherwise Apache never reads the .htaccess file and the permalink rules are silently ignored. …

Debian Minimal Install: The base for all operations

This blog is really just a placeholder for many blogs to be written in the future. In some of the future “How-To” blogs I plan on writing, I’m going to need to ensure that we start with a perfectly clean install of Debian. So from here we’ll start with a completely fresh install of a Debian 6 (Squeeze) OS. For this you’ll need the newest version of VirtualBox installed on your machine. You’ll also want to download the small Debian ISO (the netinst image) from Debian’s download page. Let’s start with getting your Debian server built and running. Start with getting a virtual machine up and running. We’ll start with the basics of provisioning a virtual machine in Virtual …

Setting Up a SVN Server Using SSH Certificates

A while back one of my clients needed to manage some files between a team of their employees. They asked if I could set them up a secure location for the files to be stored in, as well as an encrypted channel for moving the documents, and the code they were writing, to and from the server. So I set about building an SVN server for them that would use SSH to encrypt the communications. This should work on Debian 6 (Squeeze), though I actually built it on an Ubuntu 12.04 server. In theory it should work on most versions of Ubuntu as well. So if you need one, here’s how I built mine:
sudo …

Cisco Fun

So, I decided to go back to school (after 3 or so semesters off) and take some fun classes. Last time I went I was stuck in some shit liberal arts classes. I won’t bore you with that. So this semester I’m taking Red Hat Admin 1, which I’m flying through at an obscene rate, and Cisco Security 1. Now, when I started college back in the fall of 2002, I started with CCNA classes. I loved them; I took 8 semesters of Cisco CCNA and CCNP courses. So it’s been a while, but I figured I should take some new Cisco classes. Well, it’s been great so far. Tonight, in my home lab, I hooked up my 2600 routers and did …

It’s a bitch when you can’t clear ARP tables…

So we got an RMA’d WatchGuard unit in the other day and I finally got time to install it last night. The first WatchGuard unit started having issues last night and I figured that was a perfect time to replace the old unit with the new one. It was right at that moment that we started having issues. Earlier in the week I rebuilt the firewall ruleset, proxy configurations and static NAT translations to mimic exactly what the current WatchGuard was doing. As any company does, this client has an email server, a few websites, and other inbound and outbound ports that need to be open. The original WatchGuard was being replaced with a better one that is able to handle more …

Vulnerability Assessments are not Penetration Tests!!

Too often I, as well as many of my co-workers, go into a client and, during whatever assessment I’m working on, general questions come up like, “When’s the last time you had a pen test?” And the client responds, “Ohhh, we do those annually with ‘Some Corporation.’” And after looking at Some Corporation’s website and seeing what they consider a penetration test, I am again disgusted to see that they show up with a vulnerability scanner, run it, validate some findings, and are off to their next client. Now I know these are some brash comments toward some random security companies, but let’s be honest here: if you’re going to do something, do it right the …

SSDs and Hard Disk Performance

Well, if you saw my blog “The Spin Stops Here,” you saw that we’ve already covered topics such as battery life and the difference between traditional disks and the newer SSDs, among other things. But in this blog I want to cover a couple of other issues and facts surrounding SSDs. You may want to read my last blog on SSDs, as I will be using acronyms and information mentioned there. Since my last SSD blog, prices have come down and larger drives have become available. I’m in the middle of moving my own laptop to running off an SSD with a secondary spinning SATA disk, mainly for storage and running VMs (not counting the 1.5TB external USB drive I …

Fast GPUs aren’t just for gaming graphics!

I have always been a fan of the latest and greatest hardware and always been amazed at how fast new hardware is getting. Well, now the security field is going to have to start worrying about how this hardware is being leveraged to crack passwords. Nvidia has extended the C programming language to run on their newest GPUs, which they call the CUDA technology. In fact, even the Lenovo T60 and T61 are loaded with Nvidia Quadro graphics cards that can run CUDA software. There are even Python bindings for CUDA, and many other languages may enter this arena. Applications for fluid dynamics, digital media, electronic design, finance, game physics, audio and video, and many …

Firewall Ruleset Reviews and Firewall Management

I’ve done a lot of firewall ruleset reviews for companies large and small. There is a pattern in almost every firewall I’ve seen: bad management. It’s not about blaming people, though. The economy is in the sewer and layoffs plague every company across the planet. Almost every security team is dealing with tons of ongoing work to stay secure, and low budgets and few resources to get the job done. The firewall rulesets I’ve seen range from 50 lines to 10,000+ lines. Some are so complex that we schedule a week of work to audit them and determine what can be taken out, what needs to stay and what shouldn’t have been there in the first place. Let’s face it; …

SSDs: The Spin Stops Here

So who out there has ever experienced a hard disk failure? Sure, a lot of you have. Current magnetic spinning disks are (very) slowly being replaced by faster, longer lasting solid state disks. Solid state disks are nothing new, but they do offer many benefits over their predecessor, and those benefits are what really set the new technology apart. With no moving parts, higher resistance to drops and lower power consumption, laptop users are loving this technology. Accident-prone people who drop their laptops are enjoying their data staying put, road warriors are enjoying longer battery life, and power users are enjoying longer disk life. The market share for solid state disks is relatively small at …

The Human Exploit

So you’re sitting at your desk and the phone rings. “Hey, this is Mark from information security. We’re noticing that your computer is creating a lot of traffic out to the Internet. Have you noticed anything out of the ordinary on your computer lately?” What would you say? Well, in the average social engineering test we perform, the answer is quite honestly, “Yeah, my computer is slow… can you guys finally come and fix it?” That’s when we say, “Sure! We’d be glad to *cough* help! Go here, download this patch, and run it…” and a couple of minutes later we have fully compromised a system sitting behind a firewall in a corporate environment and are easily getting …

Writing Security Policies and Procedures

Anyone who has ever written a set of policies and procedures knows how time-consuming, headache-ridden and tedious they are to create. For those of you who need to update or create policies and procedures, this blog goes over some things to keep in mind. We’ll also go over tips to make your writing easier for you and easier for your users to understand. Whether you’re just starting to write brand new policies and procedures or doing your yearly updates on existing ones, I think the thing everyone needs to keep in mind is simplicity. So that means, for any lawyers that may be reading this, you aren’t allowed to write …

The Network Neutrality Debate: Good or Evil?

So for a long time now there has been a bill in Congress about network neutrality. Some people like it, some don’t, others just don’t care. But who’s really looked into it? I mean, it sounds good. It sounds like it could help everyone out, right? It’s keeping the Internet neutral, right? Well, for those of you who haven’t looked into net neutrality, it’s time you heard about it. Let’s look at the upside of this debate. The original idea was great: ensure that all traffic on the Internet is treated equally by all Internet service providers. Net neutrality is supposed to mean no discrimination, and tries to prevent Internet service providers from blocking, speeding up or …