Tuesday, April 30, 2013

Remove one single line from a Cisco IOS ACL

For this example we will use extended ACL 100. This is the ACL:

gw-001#show run | inc access-list 100
access-list 100 remark NAT
access-list 100 deny   ip 10.62.17.0 0.0.0.255 172.31.0.0 0.0.255.255 log
access-list 100 permit ip 10.62.0.0 0.0.255.255 any log
access-list 100 permit ip any any log


We want to remove the line 'access-list 100 permit ip 10.62.0.0 0.0.255.255 any log'. First we display the ACL with its sequence numbers:

gw-001#show ip access-lists 100
Extended IP access list 100
    10 deny ip 10.62.17.0 0.0.0.255 172.31.0.0 0.0.255.255 log (2 matches)
    20 permit ip 10.62.0.0 0.0.255.255 any log (70 matches)
    30 permit ip any any log (29 matches)

The line we want is entry 20, so we delete it by its sequence number:

gw-001#config t
Enter configuration commands, one per line.  End with CNTL/Z.
gw-001(config)#ip access-list extended 100
gw-001(config-ext-nacl)#no 20
gw-001(config-ext-nacl)#end

gw-001#
gw-001#show ip access-lists 100
Extended IP access list 100
    10 deny ip 10.62.17.0 0.0.0.255 172.31.0.0 0.0.255.255 log (2 matches)
    30 permit ip any any log (29 matches)


Done!
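The reason the post removes the entry by sequence number is that in the classic numbered syntax `no access-list 100` deletes the whole list, not one line. The following is an added example (not from the original post) that parses the `show ip access-lists` output above, builds the per-sequence `no <seq>` commands for a given ACE and confirms afterwards that only that entry disappeared. The function names and the constructed BEFORE/AFTER listings are my own.

```python
"""Added example (not from the original post): parse `show ip access-lists`
output, build the per-sequence `no <seq>` command for one ACE, and confirm
afterwards that exactly the intended entry disappeared."""
import re

# Constructed sample, mirroring the post's output before and after the change.
BEFORE = """\
Extended IP access list 100
    10 deny ip 10.62.17.0 0.0.0.255 172.31.0.0 0.0.255.255 log (2 matches)
    20 permit ip 10.62.0.0 0.0.255.255 any log (70 matches)
    30 permit ip any any log (29 matches)
"""
AFTER = """\
Extended IP access list 100
    10 deny ip 10.62.17.0 0.0.0.255 172.31.0.0 0.0.255.255 log (2 matches)
    30 permit ip any any log (29 matches)
"""

# sequence number, ACE text, optional "(N matches)" hit counter
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(.*?)(?:\s+\(\d+ matches?\))?\s*$")


def parse_acl(text):
    """Return {seq: ace_text} for a 'show ip access-lists <n>' listing.
    Hit counters are stripped so entries compare by content only."""
    entries = {}
    for line in text.splitlines()[1:]:          # first line is the ACL header
        m = ENTRY_RE.match(line)
        if m:
            entries[int(m.group(1))] = m.group(2)
    return entries


def removal_commands(acl_name, ace_text, before):
    """Commands that delete the single ACE whose text equals ace_text.
    Refuses to guess when the text matches zero or several sequence numbers."""
    entries = parse_acl(before)
    matches = [seq for seq, ace in entries.items() if ace == ace_text]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one match, found {matches}")
    return [f"ip access-list extended {acl_name}", f"no {matches[0]}", "end"]


def verify_removal(before, after, seq):
    """True iff entry `seq` is gone and every other ACE is unchanged."""
    b, a = parse_acl(before), parse_acl(after)
    rest = {k: v for k, v in b.items() if k != seq}
    return seq in b and seq not in a and rest == a


if __name__ == "__main__":
    for cmd in removal_commands("100", "permit ip 10.62.0.0 0.0.255.255 any log", BEFORE):
        print(cmd)
    print("verified:", verify_removal(BEFORE, AFTER, 20))
```

Feed the second `show ip access-lists` output captured after the change into `verify_removal`; a result of False means either the wrong entry went away or another line moved, which is the check worth scripting when ACL edits are done in bulk.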

Friday, April 19, 2013

Getting a basic Smokeping + Apache installation working in 10 minutes

First we download the source from the vendor's site. By default it installs in /opt/smokeping-<version>; we will follow the defaults:

$ cd /tmp
$ wget http://oss.oetiker.ch/smokeping/pub/smokeping-2.6.9.tar.gz
$ tar -xvzf smokeping-2.6.9.tar.gz
$ cd smokeping-2.6.9
$ ./configure && make && sudo make install

It is quite possible that during the configure step it will complain about missing dependencies such as rrdtool, fping, etc. Follow the instructions and install them until all of them are satisfied.

After installation we will have the folder /opt/smokeping-2.6.9. We create our custom /opt/smokeping-2.6.9/etc/config. Basically it is the default configuration, with the last section 'Targets' modified to point to our servers:

$ cat  /opt/smokeping-2.6.9/etc/config

*** General ***
owner    = Andreu
contact  = andreu.antonio@gmail.com
mailhost = smtp.XXXXXXX.com
sendmail = /usr/sbin/sendmail
imgcache = /opt/smokeping-2.6.9/cache
imgurl   = cache
datadir  = /opt/smokeping-2.6.9/data
piddir  = /opt/smokeping-2.6.9/var
cgiurl   = http://some.url/smokeping.cgi
smokemail = /opt/smokeping-2.6.9/etc/smokemail.dist
tmail = /opt/smokeping-2.6.9/etc/tmail.dist
syslogfacility = local0
*** Alerts ***
to =
andreu.antonio@gmail.com
from = andreu.antonio.service@gmail.com
+someloss
type = loss
pattern = >0%,*12*,>0%,*12*,>0%
comment = loss 3 times  in a row
*** Database ***
step     = 300
pings    = 20
AVERAGE  0.5   1  1008
AVERAGE  0.5  12  4320
    MIN  0.5  12  4320
    MAX  0.5  12  4320
AVERAGE  0.5 144   720
    MAX  0.5 144   720
    MIN  0.5 144   720
*** Presentation ***
template = /opt/smokeping-2.6.9/etc/basepage.html.dist
+ charts
menu = Charts
title = The most interesting destinations
++ stddev
sorter = StdDev(entries=>4)
title = Top Standard Deviation
menu = Std Deviation
format = Standard Deviation %f
++ max
sorter = Max(entries=>5)
title = Top Max Roundtrip Time
menu = by Max
format = Max Roundtrip Time %f seconds
++ loss
sorter = Loss(entries=>5)
title = Top Packet Loss
menu = Loss
format = Packets Lost %f
++ median
sorter = Median(entries=>5)
title = Top Median Roundtrip Time
menu = by Median
format = Median RTT %f seconds
+ overview
width = 600
height = 50
range = 10h
+ detail
width = 600
height = 200
unison_tolerance = 2
"Last 3 Hours"    3h
"Last 30 Hours"   30h
"Last 10 Days"    10d
"Last 400 Days"   400d
*** Probes ***
+ FPing
binary = /usr/bin/fping
+ EchoPingSmtp       # SMTP (25/tcp) for mail servers
+ EchoPingHttps      # HTTPS (443/tcp) for web servers
+ EchoPingHttp       # HTTP (80/tcp) for web servers and caches
+ EchoPingIcp        # ICP (3130/udp) for caches
+ EchoPingDNS        # DNS (53/udp or tcp) servers
+ EchoPingLDAP       # LDAP (389/tcp) servers
+ EchoPingWhois      # Whois (43/tcp) servers
*** Targets ***
probe = FPing
menu = Top
title = Network Latency Grapher
remark = Welcome to this SmokePing website.
+ MyServers
menu = APAC
title = APAC
++ Bali
menu = Bali
title = Bali
probe = FPing
host = <my Server IP>
++ Manchester
menu = Manchester
title = Manchester MPLS
probe = FPing
host = <my Server IP>
++ Bangkok
menu = Bangkok
title = Bangkok MPLS
probe = FPing
host = <my Server IP>
++ Bangkok_IPSEC
menu = Bangkok
title = Bangkok IPSEC
probe = FPing
host = <my Server IP>
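Because the config file is the place where every probed host ends up, it is worth being able to list them before the daemon starts polling. Below is an added example (not Smokeping's code and not from the original post): a small parser for the layout used above (`*** Section ***` headers, `+`/`++` nesting, `key = value` lines, `#` comments) that lists each leaf target with its host and the probe it inherits from its parents. All function names are mine, and the sample uses constructed 192.0.2.x documentation addresses in place of the real server IPs. Bare lines without `=` (the RRA rows under Database and the time ranges under detail) are simply skipped by this simplified reader.

```python
"""Added example (not from Smokeping or the original post): a simplified
parser for the Smokeping config layout, used to review the probed targets."""

# Constructed sample: a trimmed version of the post's Probes and Targets sections.
SAMPLE = """\
*** Probes ***
+ FPing
binary = /usr/bin/fping
*** Targets ***
probe = FPing
menu = Top
title = Network Latency Grapher
+ MyServers
menu = APAC
++ Bali
title = Bali
host = 192.0.2.10
++ Bangkok_IPSEC
probe = FPing
host = 192.0.2.20
"""


def parse_smokeping(text):
    """Return {section: {path_tuple: {key: value}}}.

    '*** X ***' opens a section (its top-level keys live under path ()),
    a run of '+' characters opens a node at that depth, and 'key = value'
    lines attach to the innermost open node. Lines without '=' are ignored."""
    sections, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("***"):
            section = line.strip("* ").strip()
            sections[section] = {(): {}}
            stack = []
        elif line.startswith("+"):
            depth = len(line) - len(line.lstrip("+"))
            name = line[depth:].strip()
            stack = stack[:depth - 1] + [name]   # pop back to parent, then push
            sections[section][tuple(stack)] = {}
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[section][tuple(stack)][key.strip()] = value.strip()
    return sections


def probed_hosts(text):
    """Each leaf target as (path, host, probe); 'probe' is inherited by
    walking up the tree, the way Smokeping resolves it."""
    targets = parse_smokeping(text)["Targets"]
    out = []
    for path, keys in targets.items():
        if "host" not in keys:
            continue
        probe = None
        for depth in range(len(path), -1, -1):
            probe = targets.get(path[:depth], {}).get("probe")
            if probe:
                break
        out.append(("/".join(path), keys["host"], probe))
    return out


if __name__ == "__main__":
    for path, host, probe in probed_hosts(SAMPLE):
        print(f"{path:30} {host:16} {probe}")
```

Run it against /opt/smokeping-2.6.9/etc/config to get a one-screen list of what will be pinged and with which probe; unexpected hosts or a target that silently inherits the wrong probe show up here rather than hours later in the graphs.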

Now we modify our DNS so that our server also has the additional name smokeping-001 (how this is done depends on your DNS solution). Then we modify the Apache config and create the site smokeping-001:

$ sudo vi /etc/apache2/sites-available/smokeping-001
<VirtualHost *:80>

        ServerAdmin admin@mydomain.com
        ServerName smokeping-001.mydomain.singapore
        DocumentRoot /opt/smokeping-2.6.9/htdocs

        # Either every Option carries a +/- prefix or none does; mixing the
        # two forms is a configuration error, so both are prefixed here.
        # ExecCGI is scoped to the Smokeping document root rather than "/".
        <Directory /opt/smokeping-2.6.9/htdocs>
                Options +FollowSymLinks +ExecCGI
                AllowOverride None
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/smokeping-error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/smokeping-access.log combined

</VirtualHost>

We enable the site and also the FastCGI module (mod_fcgid). We might need to install this module if it is not on our system (using apt or yum).

$ sudo a2ensite smokeping-001
$ sudo a2enmod fcgid

The Smokeping installation will also have placed the init script for the smokeping daemon. To start it, we execute:

$ sudo /etc/init.d/smokeping start

Wait a few minutes; Smokeping should be collecting data by then.

Friday, April 12, 2013

File screening in Windows Server 2008

File screening is quite a useful tool. Among other functions, it allows us to prevent users from storing certain types of data on file shares, notifies us when they store certain files, and lets us know who accesses a given folder.

In order to use it, we first need the File Services role together with FSRM (File Server Resource Manager). If you are already sharing files you most likely have the File Services role; if not, you can enable it from Server Manager: right click on Server Manager and click on Add Roles:



Then select File Services and click Next until the end. In the following picture you can see I already have it, but just to give an idea :)


Now, let's install the FSRM role service. Go to File Services, right click and select Add Role Services:


Select the FSRM, and click Next:


It will ask us to create reports at this point. We can skip this, as we can create them later. Click Next:


Now we can click on Install. It will take a few minutes to install the feature.



After we have it installed, we go to Administrative Tools -> File Server Resource Manager. Right click on File Screening Management and select Create File Screen. We will create a file screen that blocks storing executable files on public folders:


Select the path of our public share (D:\public in this example), select the template Block Executable Files and click Create.


Now we will configure the email settings, so that we receive an email every time someone tries to store executable files in the selected folder. Select the file screen we just created, right click and select Edit File Screen Properties:






Select the administrator's email address to send the notification to, tick the following box if you wish to notify the user as well (the user's email must be stored in the AD domain), then click OK. At this point, if we have not configured our SMTP server, a message will prompt us. If so, accept it and go back to the main screen. Click on File Server Resource Manager (Local), then in the Actions pane click on Configure Options and enter your SMTP server, default administrator email and default sender options:


We are done. There is a good bunch of benefits from this feature; for more information you can visit the Microsoft library page for this role service.


Wednesday, April 10, 2013

Colours in your bash shell

Coloring your bash shell can be quite entertaining. Nowadays I think all the distros come with colors enabled; if not, we can enable them with an alias like this one:

$ alias ls='ls -ap --color'

-a shows all the files including the ones starting with a dot '.'
-p shows a slash '/' after the directories
--color enables color :)

I have that alias in my /etc/bash.bashrc (or /etc/bashrc depending on your distro) so every time I start my computer the colors will be there.

Now that we have the colors enabled, we can customize the shell colors using the variable LS_COLORS. 

If you use a Red Hat based distro, you will find the file /etc/DIR_COLORS with a configuration example. If not, here is mine:

COLOR tty
OPTIONS -F -T 0
TERM linux
TERM console
TERM con132x25
TERM con132x30
TERM con132x43
TERM con132x60
TERM con80x25
TERM con80x28
TERM con80x30
TERM con80x43
TERM con80x50
TERM con80x60
TERM cons25
TERM xterm
TERM rxvt
TERM xterm-color
TERM color-xterm
TERM vt100
TERM dtterm
TERM color_xterm
TERM ansi
TERM screen
TERM screen.linux
TERM kon
TERM kterm
TERM gnome
TERM konsole
EIGHTBIT 1
NORMAL 00       # global default, although everything should be something.
FILE 00         # normal file
DIR 01;34      # directory
LINK 01;36      # symbolic link
FIFO 40;33      # pipe
SOCK 01;35      # socket
BLK 40;33;01    # block device driver
CHR 40;33;01    # character device driver
ORPHAN 01;05;37;41  # orphaned symlinks
MISSING 01;05;37;41 # ... and the files they point to
EXEC 01;32
.cmd 01;32 # executables (bright green)
.exe 01;32
.com 01;32
.btm 01;32
.bat 01;32
.sh  01;32
.csh 01;32
.tar 01;31 # archives or compressed (bright red)
.tgz 01;31
.arj 01;31
.taz 01;31
.lzh 01;31
.zip 01;31
.z   01;31
.Z   01;31
.gz  01;31
.bz2 01;31
.bz  01;31
.tz  01;31
.rpm 01;31
.cpio 01;31
.jpg 01;35 # image formats
.gif 01;35
.bmp 01;35
.xbm 01;35
.xpm 01;35
.png 01;35
.tif 01;35

For a color palette definition, you can check the bash documentation or the dir_colors manpage. You can also use this bash one-liner to display them:

$ for code in {0..255}; do echo -e "\e[38;05;${code}m $code: Test"; done

We can choose the colors we want and modify our /etc/DIR_COLORS accordingly. For example, in CentOS the default directory color is 01;34 (dark blue); if we want to change it to light blue we change the line:

DIR 01;34

to:

DIR 38;05;75

(following the colors from the previous for loop) and save the file. Now, to generate the variable LS_COLORS we can execute dircolors:

$ dircolors /etc/DIR_COLORS

And export the variable shown. To make it more straightforward we can also do:

$ eval `dircolors /etc/DIR_COLORS`

And that's it!
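To see what dircolors actually produces from a DIR_COLORS file, here is an added example (not dircolors itself and not from the original post) that performs the core of the conversion: each keyword line becomes one `code=SGR` entry of the LS_COLORS string that ls reads, and extension lines become `*.ext=SGR` entries. The KEYWORDS table is my reading of the keyword-to-ls-code mapping the two tools document, the constructed sample follows the layout of the /etc/DIR_COLORS above, and the real tool additionally prints the `LS_COLORS='...'; export LS_COLORS` wrapper that the eval consumes.

```python
"""Added example (not dircolors and not from the original post): reduce a
DIR_COLORS-style file to the LS_COLORS value that ls reads, and look up
the colour a filename would get."""

# Keyword -> two-letter ls code (assumed mapping, per the dir_colors manpage).
KEYWORDS = {
    "NORMAL": "no", "FILE": "fi", "DIR": "di", "LINK": "ln", "FIFO": "pi",
    "SOCK": "so", "BLK": "bd", "CHR": "cd", "ORPHAN": "or", "MISSING": "mi",
    "EXEC": "ex",
}
# Directives that carry no colour and are skipped by this converter.
IGNORED = {"COLOR", "OPTIONS", "TERM", "EIGHTBIT"}

# Constructed sample in the same layout as the post's /etc/DIR_COLORS.
SAMPLE = """\
COLOR tty
TERM xterm
DIR 38;05;75    # directory (light blue, from the 256-colour loop)
LINK 01;36      # symbolic link
ORPHAN 01;05;37;41  # orphaned symlinks
EXEC 01;32
.sh  01;32
.tar 01;31 # archives
"""


def dir_colors_to_ls_colors(text):
    """Return the LS_COLORS value for a DIR_COLORS-style file."""
    parts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in IGNORED:
            continue
        if key.startswith("."):                  # extension rule
            parts.append(f"*{key}={value}")
        elif key in KEYWORDS:                    # file-type rule
            parts.append(f"{KEYWORDS[key]}={value}")
        else:
            raise ValueError(f"unknown DIR_COLORS keyword: {key}")
    return ":".join(parts)


def color_of(ls_colors, name):
    """SGR code ls would use for a filename by extension, or the plain-file
    code (None when no FILE entry is set)."""
    table = dict(p.split("=", 1) for p in ls_colors.split(":") if p)
    for pattern, code in table.items():
        if pattern.startswith("*") and name.endswith(pattern[1:]):
            return code
    return table.get("fi")


if __name__ == "__main__":
    value = dir_colors_to_ls_colors(SAMPLE)
    print(f"LS_COLORS='{value}'; export LS_COLORS")
    print("backup.tar ->", color_of(value, "backup.tar"))
```

Comparing this output with `dircolors /etc/DIR_COLORS` on a real system is a quick way to confirm that an edited file parses as intended before it is wired into bashrc.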

If you wish to make it take effect at boot time, we can add this line to our /etc/bash.bashrc (or /etc/bashrc):

eval `dircolors /etc/DIR_COLORS`

But that will affect the whole system. If we want to affect only our user, we can use the file $HOME/.dir_colors instead (actually any file name would do) and have this in our $HOME/.bashrc:

eval `dircolors $HOME/.dir_colors`


Tuesday, April 9, 2013

Using HTTP proxy on Linux console and Debian apt

If we want to use an HTTP proxy server from the console (e.g. when browsing with lynx) we just need to set the environment variable http_proxy:

$ export http_proxy="http://<myproxyaddress>:<myproxyport>"

$ export http_proxy="http://192.168.0.10:3128"

If the proxy requires authentication we need to specify the user and password on the command line; for example, in lynx it would be:

$ lynx --pauth=user:password http://www.google.com.sg

Besides http_proxy, we also have:

  • https_proxy for HTTPS
  • ftp_proxy for FTP
  • no_proxy for the addresses that should bypass the proxy

$ export https_proxy="http://<myproxyaddress>:<myproxyport>"

$ export ftp_proxy="http://<myproxyaddress>:<myproxyport>"

$ export no_proxy="localhost,127.0.0.1,192.168.0.6,<other hosts or ips>"

If we want to use the proxy with apt, we can also put the configuration in the folder /etc/apt/apt.conf.d. In my case I named the configuration file 80proxy:

$ cat /etc/apt/apt.conf.d/80proxy
Acquire::http::Proxy "http://user:password@proxy_ip:proxy_port";


The http_proxy variable alone also makes apt-get use the proxy, but if you want to schedule an apt-get update from the crontab, where that environment variable is not set, this approach is better.
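One detail that bites when the proxy needs a login: the user and password sit inside a URL, so any `@`, `:` or `/` in them must be percent-encoded or the URL is split in the wrong place. The following added example (my own code, not from the original post) builds the http_proxy value and the apt.conf.d line with properly encoded credentials, parses the result back the way a client would, and approximates the usual no_proxy matching rule. The host, port and credentials are constructed, and `bypasses_proxy` is an assumption about the common behaviour, since tools differ slightly in how they read no_proxy.

```python
"""Added example (not from the original post): build proxy settings with
URL-encoded credentials and check which hosts bypass the proxy."""
from urllib.parse import quote, unquote, urlsplit


def proxy_url(host, port, user=None, password=None):
    """Return http://[user:pass@]host:port with the credentials URL-encoded,
    so reserved characters in a password cannot change how the URL parses."""
    auth = ""
    if user is not None:
        auth = quote(user, safe="")
        if password is not None:
            auth += ":" + quote(password, safe="")
        auth += "@"
    return f"http://{auth}{host}:{int(port)}"


def apt_proxy_conf(url):
    """The one-line content for /etc/apt/apt.conf.d/80proxy."""
    return f'Acquire::http::Proxy "{url}";'


def parsed_credentials(url):
    """Recover (user, password, host, port) as a client will see them."""
    parts = urlsplit(url)
    return (unquote(parts.username) if parts.username else None,
            unquote(parts.password) if parts.password else None,
            parts.hostname, parts.port)


def bypasses_proxy(no_proxy, host):
    """Approximation (assumed) of the common no_proxy rule: an entry matches
    the exact host or any subdomain of it. Entries are comma-separated."""
    for entry in filter(None, (e.strip() for e in no_proxy.split(","))):
        if host == entry or host.endswith("." + entry.lstrip(".")):
            return True
    return False


if __name__ == "__main__":
    url = proxy_url("192.168.0.10", 3128, "user", "p@ss:w/rd")
    print(f'export http_proxy="{url}"')
    print(apt_proxy_conf(url))
    print(parsed_credentials(url))
```

Since both the environment variable and the apt.conf.d file hold the password in clear text, keep the file readable by root only; the variable is visible to anything running in that shell.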


Monday, April 8, 2013

Adding static ARP entries on Linux

One of the ways our passwords can be exposed is through a man-in-the-middle attack, for example when we log in from a hotel network while other guests are using ettercap.

One of the possible ways to protect ourselves is to add a static entry to our ARP cache, ensuring that we will not use any gateway other than the one we just entered. For example, let's say we have just logged in to the hotel Wi-Fi, our gateway uses IP 192.168.0.1 and we use wlan1 as the interface:

$ sudo arp -a
cm09.sigma24.maxonline.com.sg (18.22.12.59) at 3X:0D:02:20:78:f4 [ether] on wlan1
? (192.168.0.1) at 00:3a:01:de:d5:05 [ether] on wlan1

We add a static entry, so that if someone announces a MAC address change for our gateway we will not follow it (the interface is wlan1, the same one shown by arp -a above):

$ sudo arp -i wlan1 -s 192.168.0.1 00:3a:01:de:d5:05

Done. With this we will be a bit more secure when travelling and logging in from third-party Wi-Fi.
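A pinned entry is only useful while it is still there and still pointing at the right MAC, so it is worth having a check that can be run from a script after connecting. Below is an added example (my own code, not from the original post) that parses either `arp -a` or `ip neigh` output, reports whether the gateway entry matches the pinned MAC and is marked permanent, and builds the iproute2 equivalent of the post's `arp -s` for systems without net-tools. The sample neighbour tables and the second MAC address are constructed.

```python
"""Added example (not from the original post): verify that the gateway's
neighbour entry is pinned to the expected MAC and marked permanent."""
import re

GATEWAY = "192.168.0.1"
PINNED_MAC = "00:3a:01:de:d5:05"        # the gateway MAC from the post

# Constructed sample of `ip neigh show dev wlan1` after pinning.
IP_NEIGH_OK = """\
192.168.0.1 lladdr 00:3a:01:de:d5:05 PERMANENT
192.168.0.23 lladdr 52:54:00:12:34:56 REACHABLE
"""
# Constructed sample where the gateway entry has changed and is not pinned.
IP_NEIGH_BAD = """\
192.168.0.1 lladdr 52:54:00:de:ad:01 STALE
"""
# Constructed sample in `arp -a` layout (net-tools shows PERM for static entries).
ARP_A = """\
? (192.168.0.1) at 00:3a:01:de:d5:05 [ether] PERM on wlan1
cm09.example (18.22.12.59) at 00:0d:02:20:78:f4 [ether] on wlan1
"""

# "(1.2.3.4) at aa:bb:..." (arp -a) or "1.2.3.4 lladdr aa:bb:..." (ip neigh)
LINE_RE = re.compile(
    r"\(?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?\s+(?:at|lladdr)\s+(?P<mac>[0-9a-f:]{17})",
    re.I,
)


def neighbours(text):
    """Return {ip: (mac, is_permanent)} from `arp -a` or `ip neigh` output."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            permanent = "PERMANENT" in line or "PERM" in line.split()
            out[m.group("ip")] = (m.group("mac").lower(), permanent)
    return out


def gateway_status(text, gateway=GATEWAY, pinned_mac=PINNED_MAC):
    """'ok' when the gateway entry is the pinned MAC and permanent; otherwise
    a short reason ('missing', 'mac-changed:<mac>', 'not-pinned') to log."""
    entry = neighbours(text).get(gateway)
    if entry is None:
        return "missing"
    mac, permanent = entry
    if mac != pinned_mac.lower():
        return f"mac-changed:{mac}"
    if not permanent:
        return "not-pinned"
    return "ok"


def pin_command(gateway=GATEWAY, mac=PINNED_MAC, dev="wlan1"):
    """iproute2 equivalent of the post's `arp -s`, for systems without net-tools."""
    return f"ip neigh replace {gateway} lladdr {mac} dev {dev} nud permanent"


if __name__ == "__main__":
    import subprocess
    # Read the live table; fall back to the constructed sample when ip is absent.
    try:
        live = subprocess.run(["ip", "neigh"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        live = IP_NEIGH_OK
    print("gateway:", gateway_status(live))
    print("to pin :", pin_command())
```

Run the status check from a NetworkManager dispatcher script or a cron entry; a `mac-changed` result is the signal that the gateway's address has moved, which is exactly the condition the static entry exists to protect against.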