Typically when we add a new path variable in Linux we will run something like:
export PATH=$PATH:/path/to/bin
If you wish to make this permanent we simply need to add the above line to:
vi ~/.profile
Wednesday, 29 June 2016
Disabling IPv6 in CentOS 7
If you ever find yourself in the situation where it is absolutely necessary to disable IPv6 - this can be performed as below:
vi /etc/sysctl.conf
and add:
net.ipv6.conf.all.disable_ipv6 = 1
and then ensure changes are persistent:
sysctl -p
Finally reboot the system:
shutdown -r now
vi /etc/sysctl.conf
and add:
net.ipv6.conf.all.disable_ipv6 = 1
and then ensure changes are persistent:
sysctl -p
Finally reboot the system:
shutdown -r now
Tuesday, 28 June 2016
Securing IPTables in CentOS 7 / attack mitigation
Below I have compiled a list of simple (but effective) ways of helping protect yourself from denial of service style attacks with layer 3.
Smurf attacks: This happens when an attacker spoofs your address and sends a ICMP packet to a broadcast address on a network - all hosts on this subnet then will potentially send an echo reply to the victim which could render the victims machine unusable due to the sheer amount of traffic. The following rules will help mitigate smurf attacks my limiting the amount of inbound ICMP traffic and restricting specific ICMP methods that are used to help the attacks:
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
or we can simply drop all inbound ICMP packets (recommended):
iptables -A INPUT -p icmp -j DROP
Invalid packets: We don't want to process them or log them during an attack - so simply drop them:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
Port scans: We want to prevent any port scans being run on our server - the following will block anyone who attempts to run a portscan on the server for 24 hours:
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
and then the following removes the 'ban' after 24 hours:
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
We can also log the hosts initiating the port scan with:
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
Address spoofing: We also want to ensure that any WAN only connected machines do block any LAN addresses:
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
XMAS attacks: These attacks simply have every option set for whichever protocol is used and should almost always be treated as suspect - we can drop these with:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Smurf attacks: This happens when an attacker spoofs your address and sends a ICMP packet to a broadcast address on a network - all hosts on this subnet then will potentially send an echo reply to the victim which could render the victims machine unusable due to the sheer amount of traffic. The following rules will help mitigate smurf attacks my limiting the amount of inbound ICMP traffic and restricting specific ICMP methods that are used to help the attacks:
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
or we can simply drop all inbound ICMP packets (recommended):
iptables -A INPUT -p icmp -j DROP
Invalid packets: We don't want to process them or log them during an attack - so simply drop them:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
Port scans: We want to prevent any port scans being run on our server - the following will block anyone who attempts to run a portscan on the server for 24 hours:
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
and then the following removes the 'ban' after 24 hours:
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove
We can also log the hosts initiating the port scan with:
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
Address spoofing: We also want to ensure that any WAN only connected machines do block any LAN addresses:
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP
XMAS attacks: These attacks simply have every option set for whichever protocol is used and should almost always be treated as suspect - we can drop these with:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Diagnosing Cisco switch performance issues
Cisco switches make use of ASIC hardware to quickly switches both packets and frames - for example ACL and QoS tables are cached into the hardware in the form of tables - the switch will then query the tables when it needs to make decisions - such as evaluate whether a source IP matches a specific ACL in a table.
In contrast to RAM - CAM (Content Addressable Memory) uses data to retrieve where the data is stored - while RAM does the opposite - retrieving data from a memory address.
The CAM table is used primarily for layer 2 switching and returns either 'true' (0) or 'false' (1) - e.g. if data is being sent to another host on the switch the MAC address will be looked up in the CAM table and the result is either true (returns the switch port) or false (flood the switch ports.)
TCAM (Ternary Content Addressable Memory) is like CAM - but it can store a third state which can be any value - hence is useful for storing layer 3 operations like switching and qos.
When the TCAM cable is full it will 'punt' further entries to the CPU.
Check overall process CPU usage and sort by CPU utilization:
show proc cpu sorted
Example output:
CPU utilization for five seconds: 44%/30%; one minute: 42%; five minutes: 32%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
96 88 147299 0 1.11% 1.04% 0.92% 0 Ethernet Msec Ti
117 40 36582 1 0.15% 0.19% 0.17% 0 IPAM Manager
240 28 36535 0 0.15% 0.14% 0.12% 0 MMON MENG
** Note: The first percentage figure (44%) show the overall CPU utilization and the second figure shows the percentage of the prior figure of which is caused by traffic (30%) **
The following processes are used for handling punted packets to the CPU and hence can be used as an indication of whether punted packets are causing CPU perofrmance issues:
- HLFM address lea
- Check heaps
- Virtual exec
- RedEarth Tx Mana
- HPM counter proc
Some common causes for traffic being punted to the CPU are:
- ACL logging
- Broadcast storms
- TCAM table space used up
To generate a smaller report of the overall CPU usage I like to use:
show proc cpu extended
Check CPU usage on IOS threads (does not work on 2960 series)
show proc cpu detailed process iosd sorted
We can show packet counts for all CPU receive queues with:
show controllers cpu-interface
We can issue the following to get an overview of the TCAM utilization:
show platform tcam utilization
Checking the device memory:
show processes memory sorted
show processes memory detailed process iosd sorted
Sources: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/troubleshooting/cpu_util.html#pgfId-1028395
https://supportforums.cisco.com/document/60831/cam-content-addressable-memory-vs-tcam-ternary-content-addressable-memory
In contrast to RAM - CAM (Content Addressable Memory) uses data to retrieve where the data is stored - while RAM does the opposite - retrieving data from a memory address.
The CAM table is used primarily for layer 2 switching and returns either 'true' (0) or 'false' (1) - e.g. if data is being sent to another host on the switch the MAC address will be looked up in the CAM table and the result is either true (returns the switch port) or false (flood the switch ports.)
TCAM (Ternary Content Addressable Memory) is like CAM - but it can store a third state which can be any value - hence is useful for storing layer 3 operations like switching and qos.
When the TCAM cable is full it will 'punt' further entries to the CPU.
Check overall process CPU usage and sort by CPU utilization:
show proc cpu sorted
Example output:
CPU utilization for five seconds: 44%/30%; one minute: 42%; five minutes: 32%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
96 88 147299 0 1.11% 1.04% 0.92% 0 Ethernet Msec Ti
117 40 36582 1 0.15% 0.19% 0.17% 0 IPAM Manager
240 28 36535 0 0.15% 0.14% 0.12% 0 MMON MENG
** Note: The first percentage figure (44%) show the overall CPU utilization and the second figure shows the percentage of the prior figure of which is caused by traffic (30%) **
The following processes are used for handling punted packets to the CPU and hence can be used as an indication of whether punted packets are causing CPU perofrmance issues:
- HLFM address lea
- Check heaps
- Virtual exec
- RedEarth Tx Mana
- HPM counter proc
Some common causes for traffic being punted to the CPU are:
- ACL logging
- Broadcast storms
- TCAM table space used up
To generate a smaller report of the overall CPU usage I like to use:
show proc cpu extended
Check CPU usage on IOS threads (does not work on 2960 series)
show proc cpu detailed process iosd sorted
We can show packet counts for all CPU receive queues with:
show controllers cpu-interface
We can issue the following to get an overview of the TCAM utilization:
show platform tcam utilization
Checking the device memory:
show processes memory sorted
show processes memory detailed process iosd sorted
Sources: http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/troubleshooting/cpu_util.html#pgfId-1028395
https://supportforums.cisco.com/document/60831/cam-content-addressable-memory-vs-tcam-ternary-content-addressable-memory
Monday, 27 June 2016
How to reset vCenter 6.0 (and above) SSO password
In order to reset a lost vCenter 6+ SSO password we will firstly need to jump onto the server hosting the vCenter instance and then launch the VDC admin tool from the command prompt:
"%VMWARE_CIS_HOME%\vmdird\vdcadmintool.exe"
Hit '3' to perform a password reset and enter the SSO login (by default this is: [email protected])
It will then generate a new password you can use to login with.
Finally ensure you change password once logged in.
"%VMWARE_CIS_HOME%\vmdird\vdcadmintool.exe"
Hit '3' to perform a password reset and enter the SSO login (by default this is: [email protected])
It will then generate a new password you can use to login with.
Finally ensure you change password once logged in.
Thursday, 23 June 2016
Setting up IPTables from scratch on CentOS 7
This tutorial will provide you with a basic IPTables configuration to help you get up and running initially.
We will firstly start by flushing all of our IPTables rules.
** Warning: This could potentially lock you out of SSH if performed incorrectly - ensure you have console access to the server if something goes wrong! **
Ensure that a default-accept rule is in place on all of the default chains:
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
and then flush the chains as well as any non-standard chains:
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X
Now we will start by allowing traffic to freely flow out and in from our loopback interface:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
We will also want to ensure that already established connections can get back to the server - i.e. allow stateful connections.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
We will likely also want to allow all outbound traffic from connections that are currently established:
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
We will also likely wish to allow SSH access from a specific host network:
sudo iptables -A INPUT -p tcp -s 10.11.12.13/32 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
and allow the incoming SSH connection outbound back to the SSH initiator:
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
We might also wish to accept ICMP echo requests:
sudo iptables -A INPUT -p icmp -j ACCEPT
And also log and then drop any other packets:
sudo iptables -N LOGGING
sudo iptables -A INPUT -j LOGGING
sudo iptables -A FORWARD -j LOGGING
sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
sudo iptables -A LOGGING -j DROP
By leaving the default chain policies as 'ACCEPT' we ensure that if someone accidentally flushes a chain they are not going to lock themselves out.
We will firstly start by flushing all of our IPTables rules.
** Warning: This could potentially lock you out of SSH if performed incorrectly - ensure you have console access to the server if something goes wrong! **
Ensure that a default-accept rule is in place on all of the default chains:
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
and then flush the chains as well as any non-standard chains:
sudo iptables -t nat -F
sudo iptables -t mangle -F
sudo iptables -F
sudo iptables -X
Now we will start by allowing traffic to freely flow out and in from our loopback interface:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
We will also want to ensure that already established connections can get back to the server - i.e. allow stateful connections.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
We will likely also want to allow all outbound traffic from connections that are currently established:
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
We will also likely wish to allow SSH access from a specific host network:
sudo iptables -A INPUT -p tcp -s 10.11.12.13/32 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
and allow the incoming SSH connection outbound back to the SSH initiator:
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
We might also wish to accept ICMP echo requests:
sudo iptables -A INPUT -p icmp -j ACCEPT
And also log and then drop any other packets:
sudo iptables -N LOGGING
sudo iptables -A INPUT -j LOGGING
sudo iptables -A FORWARD -j LOGGING
sudo iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
sudo iptables -A LOGGING -j DROP
By leaving the default chain policies as 'ACCEPT' we ensure that if someone accidentally flushes a chain they are not going to lock themselves out.
Wednesday, 22 June 2016
Setup AAA and SSH on a Cisco 2960
Firstly create a local user for use with AAA:
conf t
username test privilage 15 secret $tr0ngPa$$w0rd!
Proceed by enabling AAA by issuing the following:
aaa new-model
If you wish to use remote TACACS+ servers - we can define them as follows:
tacacs-server host 10.99.99.253 key YourSecureKey
tacacs-server host 10.99.99.252 key YourSecureKey
and then creating a login authentication method list:
aaa authentication login default group tacacs+ local
or if you do have have any remote tacacs+ servers:
aaa authentication login default local
and then apply the login list to the relevent methods, for example:
line console 0
login authentication default
line vty 0
login authentication default
Define a domain for SSH:
ip domain-name yourdomain.local
and then generate the RSA key:
crypto key generate rsa modulus 2048
We can now proceed to setup SSH by enabling SSH v2:
ip ssh version 2
enable the line:
line vty 0
transport input ssh
We should also lock down the SSH access by creating an appropraite ACL:
ip access-list standard mgmt-ssh
10 permit <management-subnet> <management-wildcardmask>
20 deny any log
and then apply it to a vty line:
line vty 0
access-class mgmt-ssh in
conf t
username test privilage 15 secret $tr0ngPa$$w0rd!
Proceed by enabling AAA by issuing the following:
aaa new-model
If you wish to use remote TACACS+ servers - we can define them as follows:
tacacs-server host 10.99.99.253 key YourSecureKey
tacacs-server host 10.99.99.252 key YourSecureKey
and then creating a login authentication method list:
aaa authentication login default group tacacs+ local
or if you do have have any remote tacacs+ servers:
aaa authentication login default local
and then apply the login list to the relevent methods, for example:
line console 0
login authentication default
line vty 0
login authentication default
Define a domain for SSH:
ip domain-name yourdomain.local
and then generate the RSA key:
crypto key generate rsa modulus 2048
We can now proceed to setup SSH by enabling SSH v2:
ip ssh version 2
enable the line:
line vty 0
transport input ssh
We should also lock down the SSH access by creating an appropraite ACL:
ip access-list standard mgmt-ssh
10 permit <management-subnet> <management-wildcardmask>
20 deny any log
and then apply it to a vty line:
line vty 0
access-class mgmt-ssh in
Tuesday, 21 June 2016
Setup a transparent proxy with Squid and CentOS 7
Forenote: For this tutorial I will be using the 'core' edition of CentOS 7.
We should firstly ensure our system is up to date:
yum update
and proceed by disabling firewalld
systemctl stop firewalld
systemctl mask firewalld
and also disabling selinux:
vi /etc/selinux/config
and add / modify the line:
SELINUX=disabled
and setting permisive mode (so we don't need to do a reboot):
setenforce 0
and then download and compile squid from source:
yum install perl perl-Crypt-OpenSSL-X509 && yum groupinstall "Development Tools"
cd /tmp
curl -O http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.19.tar.gz
tar zxvf squid-3.5.19.tar.gz
cd squid-3.5.19
./configure --prefix=/usr/local/squid --enable-delay-pools
make all
make install
create our squid user:
useradd squid -s /sbin/nologin
chown -R squid:squid /usr/local/squid/var/logs
chown -R squid:squid /usr/local/squid/var/cache
and then lets create our squid config:
vi /etc/squid/squid.conf
and add:
cache_dir ufs /usr/local/squid/var/cache/squid 15000 16 256
cache_effective_user squid
cache_effective_group squid
# tweaks
dns_v4_first on
visible_hostname myproxy.local
http_port <your-interface-address>:3128 transparent
## Define our network ##
acl our_network src <your-subnet/24>
## make sure that our network is allowed ##
http_access allow our_network
## finally deny everything else ##
http_access deny all
and initialize the cache:
/usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
/usr/local/squid/sbin/squid -z
Now lets setup the firewall configuration...
Firstly ensure ip forwarding is enabled:
vi /etc/sysctl.conf
and add:
net.ipv4.ip_forward = 1
and ensure it persists reboot:
/sbin/sysctl -p /etc/sysctl.conf
and then install / enable iptables:
yum install iptables-services
systemctl enable iptables
systemctl start iptables
and create our iptables ruleset:
iptables -t filter -I INPUT 1 -i <source-interface> -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -I INPUT 1 -i <source-interface> -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o <source-interface> -j MASQUERADE
iptables -t nat -A PREROUTING -i <source-interface> -p tcp --dport 80 -j REDIRECT --to-port 3128
We should firstly ensure our system is up to date:
yum update
and proceed by disabling firewalld
systemctl stop firewalld
systemctl mask firewalld
and also disabling selinux:
vi /etc/selinux/config
and add / modify the line:
SELINUX=disabled
and setting permisive mode (so we don't need to do a reboot):
setenforce 0
and then download and compile squid from source:
yum install perl perl-Crypt-OpenSSL-X509 && yum groupinstall "Development Tools"
cd /tmp
curl -O http://www.squid-cache.org/Versions/v3/3.5/squid-3.5.19.tar.gz
tar zxvf squid-3.5.19.tar.gz
cd squid-3.5.19
./configure --prefix=/usr/local/squid --enable-delay-pools
make all
make install
create our squid user:
useradd squid -s /sbin/nologin
chown -R squid:squid /usr/local/squid/var/logs
chown -R squid:squid /usr/local/squid/var/cache
and then lets create our squid config:
vi /etc/squid/squid.conf
and add:
cache_dir ufs /usr/local/squid/var/cache/squid 15000 16 256
cache_effective_user squid
cache_effective_group squid
# tweaks
dns_v4_first on
visible_hostname myproxy.local
http_port <your-interface-address>:3128 transparent
## Define our network ##
acl our_network src <your-subnet/24>
## make sure that our network is allowed ##
http_access allow our_network
## finally deny everything else ##
http_access deny all
and initialize the cache:
/usr/local/squid/sbin/squid -f /etc/squid/squid.conf -z
/usr/local/squid/sbin/squid -z
Now lets setup the firewall configuration...
Firstly ensure ip forwarding is enabled:
vi /etc/sysctl.conf
and add:
net.ipv4.ip_forward = 1
and ensure it persists reboot:
/sbin/sysctl -p /etc/sysctl.conf
and then install / enable iptables:
yum install iptables-services
systemctl enable iptables
systemctl start iptables
and create our iptables ruleset:
iptables -t filter -I INPUT 1 -i <source-interface> -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -I INPUT 1 -i <source-interface> -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o <source-interface> -j MASQUERADE
iptables -t nat -A PREROUTING -i <source-interface> -p tcp --dport 80 -j REDIRECT --to-port 3128
Logging dropped iptables traffic
Generally speaking it is good practice to log dropped traffic on your firewall - this can be achieved pretty easily with iptables.
Firstly create a new chain called 'logging':
iptables -N LOGGING
and then instruct the input chain to send any unmatched packets to the 'logging' chain:
iptables -A INPUT -j LOGGING
and we can also do the same for FORWARD traffic:
iptables -A FORWARD -j LOGGING
** Make sure that there are no catch-all drop rules in the input chain as this will prevent the unmatched packets from being dropped (they will be dropped when they are evaluated in the logging chain.) **
We then define rate-limiting to prevent a build-up of logs and define a prefix / log level for the logs:
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
Finally we apply the drop-all rule to our 'logging' chain:
iptables -A LOGGING -j DROP
Firstly create a new chain called 'logging':
iptables -N LOGGING
and then instruct the input chain to send any unmatched packets to the 'logging' chain:
iptables -A INPUT -j LOGGING
and we can also do the same for FORWARD traffic:
iptables -A FORWARD -j LOGGING
** Make sure that there are no catch-all drop rules in the input chain as this will prevent the unmatched packets from being dropped (they will be dropped when they are evaluated in the logging chain.) **
We then define rate-limiting to prevent a build-up of logs and define a prefix / log level for the logs:
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
Finally we apply the drop-all rule to our 'logging' chain:
iptables -A LOGGING -j DROP
Understanding superblocks in Linux file systems
A disk consists of sectors - a block is made up of these sectors.
Available block sizes differ dependent on the filesystem - for example:
ext2: 1024 (1Kb), 2048 (2Kb) or 4096 (4Kb) bytes
ext3: 1024 (1Kb), 2048 (2Kb), 4096 (4Kb) or 8096 (8kB) bytes
ext4: 1024 (1Kb) to 65536 (64Kb) bytes
xfs: 512 (0.5kB) to 65536 (64kB) bytes
The block size is defined when initially creating the file system e.g.:
mkfs -t ext3 -b 4096 /dev/sda1
Performance Considerations
Typically if you are going to be storing large files on the disk you will want to ensure you have a large[er] block size - look at it this way: if you have a large file with many blocks (the blocks combine together to create the file) it will take longer to read all of those individual blocks than if you had larger blocks - meaning less blocks to read.
And in reverse - if you have a large amount of small files you will want a small block size as there will be a greater amount of blocks available to accommodate the files and because the blocks are smaller the system is having to read less sectors and hence improves the performance.
Hard disks
A hard disk will contain a (constant) sector size - usually 512. It is important to note that a block size can't be lower than that of the hard disks sector size - it must be a multiple of it's sector size e.g. 1024,2048 and so on.
Block Groups
(Specific to EXT file systems - see 'Allocation Groups' for XFS) Block groups are made of individual blocks - which makes reading and writing large amounts of data easier.
Each block group contains a redundant copy of the super block (mentioned below) and file system descriptors.
The physical structure of the file system is made up as follows:
Superblocks
A superblock contains important filesystem meta data like:
- Blocks per block group
- Number of free blocks in the filesystem
- Mount and write times
- File system state (e.g. clean or dirty mount)
Hence protecting superblocks is extremely important - and loss of a superblock can render a filesystem unmountable!
Available block sizes differ dependent on the filesystem - for example:
ext2: 1024 (1Kb), 2048 (2Kb) or 4096 (4Kb) bytes
ext3: 1024 (1Kb), 2048 (2Kb), 4096 (4Kb) or 8096 (8kB) bytes
ext4: 1024 (1Kb) to 65536 (64Kb) bytes
xfs: 512 (0.5kB) to 65536 (64kB) bytes
The block size is defined when initially creating the file system e.g.:
mkfs -t ext3 -b 4096 /dev/sda1
Performance Considerations
Typically if you are going to be storing large files on the disk you will want to ensure you have a large[er] block size - look at it this way: if you have a large file with many blocks (the blocks combine together to create the file) it will take longer to read all of those individual blocks than if you had larger blocks - meaning less blocks to read.
And in reverse - if you have a large amount of small files you will want a small block size as there will be a greater amount of blocks available to accommodate the files and because the blocks are smaller the system is having to read less sectors and hence improves the performance.
Hard disks
A hard disk will contain a (constant) sector size - usually 512. It is important to note that a block size can't be lower than that of the hard disks sector size - it must be a multiple of it's sector size e.g. 1024,2048 and so on.
Block Groups
(Specific to EXT file systems - see 'Allocation Groups' for XFS) Block groups are made of individual blocks - which makes reading and writing large amounts of data easier.
Each block group contains a redundant copy of the super block (mentioned below) and file system descriptors.
The physical structure of the file system is made up as follows:
A superblock contains important filesystem meta data like:
- Blocks per block group
- Number of free blocks in the filesystem
- Mount and write times
- File system state (e.g. clean or dirty mount)
Hence protecting superblocks is extremely important - and loss of a superblock can render a filesystem unmountable!
Friday, 17 June 2016
Working with views and templates with Django
This tutorial serves as a quick guide on how to utilize templates with your views in Django.
Lets first deploy a new instance of Django:
pip install Django==1.9.7
cmd
mkdir C:%HOMEPATH%\Desktop\django
cd C:%HOMEPATH%\Desktop\django
django-admin startproject myapp
and then create our new web app:
cd myapp
python manage.py startapp nagios
python manage.py migrate
python manage.py runserver
http://127.0.0.1:8000/
And ensure the website comes up OK.
Now lets make a start on creating out template object - this will be done interactively via the shell initially:
python manage.py shell
from django import template
import datetime
myTemplateObject = template.Template('<html><body>The current time is {{ thetime }}.</body></html>')
myContextObject = template.Context({'thetime': datetime.datetime.now()})
print(myTemplateObject.render(myContextObject))
The above will simply output the date and time. In other languages this is very similar to achors which allow you insert specific data into a specific point in a document.
Now - a slightly more complex example might be where we wish to insert a number of rows into an HTML table - we can utilize python types like lists as well - for example:
from django import template
resultString = ''
tableelements = template.Template('<td> {{ element }} </td>')
for element in ('Harry', 'John', 'Ben'):
resultString += tableelements.render(template.Context({'element': element}))
myTemplateObject = template.Template('<html><body><table style="width:100%"><tr> {{ resultString }} </tr></table></body></html>')
myContextObject = template.Context({'resultString': resultString})
print(myTemplateObject.render(myContextObject))
Now we will apply this to a view, for example in our views.py file:
Create a the folder 'mymonitor' and the file (template) template.html and ensure that you add the anchor in: {{ element }}
and then add the following to your views.py file:
def table1(request):
return render(request, 'mymonitor/template.html', {'element': resultString})
Lets first deploy a new instance of Django:
pip install Django==1.9.7
cmd
mkdir C:%HOMEPATH%\Desktop\django
cd C:%HOMEPATH%\Desktop\django
django-admin startproject myapp
and then create our new web app:
cd myapp
python manage.py startapp nagios
python manage.py migrate
python manage.py runserver
http://127.0.0.1:8000/
And ensure the website comes up OK.
Now lets make a start on creating out template object - this will be done interactively via the shell initially:
python manage.py shell
from django import template
import datetime
myTemplateObject = template.Template('<html><body>The current time is {{ thetime }}.</body></html>')
myContextObject = template.Context({'thetime': datetime.datetime.now()})
print(myTemplateObject.render(myContextObject))
The above will simply output the date and time. In other languages this is very similar to achors which allow you insert specific data into a specific point in a document.
Now - a slightly more complex example might be where we wish to insert a number of rows into an HTML table - we can utilize python types like lists as well - for example:
from django import template
resultString = ''
tableelements = template.Template('<td> {{ element }} </td>')
for element in ('Harry', 'John', 'Ben'):
resultString += tableelements.render(template.Context({'element': element}))
myTemplateObject = template.Template('<html><body><table style="width:100%"><tr> {{ resultString }} </tr></table></body></html>')
myContextObject = template.Context({'resultString': resultString})
print(myTemplateObject.render(myContextObject))
Now we will apply this to a view, for example in our views.py file:
Create a the folder 'mymonitor' and the file (template) template.html and ensure that you add the anchor in: {{ element }}
and then add the following to your views.py file:
def table1(request):
return render(request, 'mymonitor/template.html', {'element': resultString})
Thursday, 16 June 2016
lsof cand fuser command reference
lsof is a useful tool that allows you to view files that currently have a handle on them by a process (i.e. open) - below is a few common commands that will help when debugging.
View files open by a specific user
lsof -u limited
View processes that are listening on a tcp port:
sudo lsof -i TCP:80
View handles on a specific file:
sudo lsof /var/www/html/vhost/123.zip
View open files for a specific process id:
sudo lsof -p 5123
Where similarly fuser allows you to view the processes that have handles on them - but more specifically it allows you to view open processes on a mount point:
fuser -m /mount/remote-smb-share
and also automatically kill any processes that have a handle open e.g.:
fuser -k -m /mount/remote-smb-share/file.locked
View files open by a specific user
lsof -u limited
View processes that are listening on a tcp port:
sudo lsof -i TCP:80
View handles on a specific file:
sudo lsof /var/www/html/vhost/123.zip
View open files for a specific process id:
sudo lsof -p 5123
Where similarly fuser allows you to view the processes that have handles on them - but more specifically it allows you to view open processes on a mount point:
fuser -m /mount/remote-smb-share
and also automatically kill any processes that have a handle open e.g.:
fuser -k -m /mount/remote-smb-share/file.locked
Throttling internal internet access with the ASA
To perform this we will utilize a service policy - the example below only limits download speed (not upload speed) - since the latter is not usually contested.
Define an access list to match the traffic we wish to throttle (including subnets we do not wish to e.g. internal ones):
access-list rate-limit-acl extended deny ip 10.50.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list rate-limit-acl extended permit ip any 10.100.0.0 255.255.0.0
Create a class-map to classify the traffic:
class-map throttle_classmap
match access-list rate-limit-acl
exit
Define a policy map to setup qos (this will limit bandwidth to 2 megabits and allow a burst speed of 16000 bits) :
policy-map throttle_policymap
class throttle_classmap
police output 2000000 16000
police input 2000000 16000
exit
exit
and finally create a service policy apply it to your inside interface:
service-policy throttle_policymap interface inside
Define an access list to match the traffic we wish to throttle (including subnets we do not wish to e.g. internal ones):
access-list rate-limit-acl extended deny ip 10.50.0.0 255.255.0.0 10.100.0.0 255.255.0.0
access-list rate-limit-acl extended permit ip any 10.100.0.0 255.255.0.0
Create a class-map to classify the traffic:
class-map throttle_classmap
match access-list rate-limit-acl
exit
Define a policy map to setup qos (this will limit bandwidth to 2 megabits and allow a burst speed of 16000 bits) :
policy-map throttle_policymap
class throttle_classmap
police output 2000000 16000
police input 2000000 16000
exit
exit
and finally create a service policy apply it to your inside interface:
service-policy throttle_policymap interface inside
Friday, 10 June 2016
Working with views and templates with Django
This tutorial serves as a quick guide (my notes) on how to utilize templates with your views in Django.
Lets first deploy a new instance of Django:
pip install Django==1.9.7
cmd
mkdir C:%HOMEPATH%\Desktop\django
cd C:%HOMEPATH%\Desktop\django
django-admin startproject myapp
and then create our new web app:
cd myapp
python manage.py startapp nagios
python manage.py migrate
python manage.py runserver
http://127.0.0.1:8000/
And ensure the website comes up OK.
Now lets make a start on creating out template object - this will be done interactively via the shell initially:
python manage.py shell
from django import template
import datetime
myTemplateObject = template.Template('<html><body>The current time is {{ thetime }}.</body></html>')
myContextObject = template.Context({'thetime': datetime.datetime.now()})
print(myTemplateObject.render(myContextObject))
The above will simply output the date and time. In other languages this is very similar to anchors which allow you insert specific data into a specific point in a document.
Now - a slightly more complex example might be where we wish to insert a number of rows into an HTML table - we can utilize other python types like lists as well - for example:
from django import template
resultString = ''
tableelements = template.Template('<td> {{ element }} </td>')
for element in ('Harry', 'John', 'Ben'):
resultString += tableelements.render(template.Context({'element': element}))
myTemplateObject = template.Template('<html><body><table style="width:100%"><tr> {{ resultString }} </tr></table></body></html>')
myContextObject = template.Context({'resultString': resultString})
print(myTemplateObject.render(myContextObject))
Now we will apply this to a view, for example in our views.py file:
Create a the folder 'mymonitor' and the file (template) template.html and ensure that you add the anchor in: {{ element }}
and then add the following to your views.py file:
def table1(request):
return render(request, 'mymonitor/template.html', {'element': resultString})
Lets first deploy a new instance of Django:
pip install Django==1.9.7
cmd
mkdir C:%HOMEPATH%\Desktop\django
cd C:%HOMEPATH%\Desktop\django
django-admin startproject myapp
and then create our new web app:
cd myapp
python manage.py startapp nagios
python manage.py migrate
python manage.py runserver
http://127.0.0.1:8000/
And ensure the website comes up OK.
Now lets make a start on creating out template object - this will be done interactively via the shell initially:
python manage.py shell
from django import template
import datetime
myTemplateObject = template.Template('<html><body>The current time is {{ thetime }}.</body></html>')
myContextObject = template.Context({'thetime': datetime.datetime.now()})
print(myTemplateObject.render(myContextObject))
The above will simply output the date and time. In other languages this is very similar to anchors which allow you insert specific data into a specific point in a document.
Now - a slightly more complex example might be where we wish to insert a number of rows into an HTML table - we can utilize other python types like lists as well - for example:
from django import template
resultString = ''
tableelements = template.Template('<td> {{ element }} </td>')
for element in ('Harry', 'John', 'Ben'):
resultString += tableelements.render(template.Context({'element': element}))
myTemplateObject = template.Template('<html><body><table style="width:100%"><tr> {{ resultString }} </tr></table></body></html>')
myContextObject = template.Context({'resultString': resultString})
print(myTemplateObject.render(myContextObject))
Now we will apply this to a view, for example in our views.py file:
Create a the folder 'mymonitor' and the file (template) template.html and ensure that you add the anchor in: {{ element }}
and then add the following to your views.py file:
def table1(request):
return render(request, 'mymonitor/template.html', {'element': resultString})
Friday, 3 June 2016
Identifying account lockouts with Windows Event Log
GPMC >> Default Domain Controllers Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Audit Policy and ensure the following are set:
Account Logon Events – Failure
Account Management – Success
Logon Events – Failure
You should look out for event ID 644 (which will appear as a Success event) on the DC with the PDC emulator.
Account Logon Events – Failure
Account Management – Success
Logon Events – Failure
You should look out for event ID 644 (which will appear as a Success event) on the DC with the PDC emulator.
Thursday, 2 June 2016
Logging to file with haproxy
By default haproxy logs information to syslog - in order to get the output piped out to a text file we should perform the following:
sudo vi /etc/rsyslog.d/49-haproxy.conf
and ensure the following line is uncommented / present:
if $programname startswith 'haproxy' then /var/log/haproxy.log
This simply instructs the syslog daemon to pipe out any data submitted by the process 'haproxy' to /var/log/haproxy.log
You should also ensure that the syslog daemon is running:
sudo vi /etc/rsyslog.conf
and ensuring the following is uncommented:
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
and try generating some traffic...
sudo vi /etc/rsyslog.d/49-haproxy.conf
and ensure the following line is uncommented / present:
if $programname startswith 'haproxy' then /var/log/haproxy.log
This simply instructs the syslog daemon to pipe out any data submitted by the process 'haproxy' to /var/log/haproxy.log
You should also ensure that the syslog daemon is running:
sudo vi /etc/rsyslog.conf
and ensuring the following is uncommented:
$ModLoad imudp
$UDPServerRun 514
$UDPServerAddress 127.0.0.1
sudo service rsyslogd restart
tail -f /var/log/haproxy.log
and try generating some traffic...