Friday, 31 March 2017

The difference between a Unix Domain Socket and a Named Pipe (fifo)

Named pipes (FIFOs) allow communication between different processes. They allow you to pipe data directly into a special file that is then read immediately by another process. As an example we can use the 'mkfifo' command:
mkfifo /tmp/fifo
ls -la /tmp/fifo
prw-r--r--
Notice the presence of the 'p' bit - this indicates that the file is a named pipe / FIFO. Now let's tail it and pipe some data into it:
tail -f /tmp/fifo &
echo test data > /tmp/fifo
test data
A socket file in Linux (AKA a Unix Domain Socket) allows communication...

Tuesday, 28 March 2017

Fixed: Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Modern versions of OpenSSH will typically exclude insecure cipher suites by default - however this can cause problems with older devices that are still using obsolete cipher suites - in my case an older-generation ASA:
ssh admin@10.11.12.13
Unable to negotiate with 10.0.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
The long-term solution (if possible) is to upgrade the firmware, where an upgrade is available. In order to access the system in the meantime we can instruct the OpenSSH client to use a...

Tuesday, 21 March 2017

Safely purging / pruning old mysql binary logs

While binary logging provides an excellent way to roll back a database to a specific point in time, to recover the database in the event of corruption, or for use with replication, by default MySQL binary logs are not purged and over time can accumulate and use a huge amount of disk space. Binary logs (as the name suggests) store data in binary format and are consumed by mysqlbinlog. In order to prune the logs let's firstly locate the appropriate directory - in my case this is /var/lib/mysql:
cd /var/lib/mysql
ls
-rw-rw----  1 mysql mysql...

Wednesday, 15 March 2017

Configuring IP Source Guard on a 2960X

IP Source Guard is a layer 3 security feature that prevents IP spoofing. Like DAI, it relies on the DHCP snooping binding table to function. DAI however works on layer 2 / ARP and is not able to inspect layer 3 / IP traffic - hence IP Source Guard was introduced. IP Source Guard is applied on a per-interface level:
int gi0/4
ip verify source
If you have statically assigned IPs you can create a 'static binding' so that IP Source Guard knows which IP to expect on the specific port:
ip source binding 1111.2222.3333 vlan 100 1.2.3.4...

Setting up DHCP snooping alongside a DHCP relay agent (Option 82 / giaddr)

DHCP snooping allows the switch to maintain its own (binding) table that links a MAC address to an IP, switchport, VLAN and lease time, along with restricting which ports are allowed to send DHCP server messages. This is performed to mitigate rogue DHCP servers on the network - however a lot of other features such as DAI also depend on DHCP snooping. We should firstly enable DHCP snooping with:
ip dhcp snooping
DHCP snooping is configured on a per-VLAN basis - so we must firstly define which VLAN we want to enable it on:
ip dhcp...

Tuesday, 14 March 2017

Converting pk7 to pem encoded certificate / key pair to PKCS12 format

Often if a key pair is PEM encoded and you wish to transport it securely for use on a Windows server you will need to convert the PEM encoded files to the PKCS12 format - which is effectively an encrypted container for the key pair. We can perform the conversion with openssl - by firstly converting the p7b file (which is simply a container holding, in most cases, the main certificate plus any other certificates in the chain):
openssl pkcs7 -print_certs -in certifcates.p7b -out certifcates.cer
and then from PEM to PKCS12 format:
openssl...

Generating a SAN (Subject Alternative Name) certificate with OpenSSL

Firstly create a new file (e.g. /tmp/csr_yourdomain.conf) as follows (replacing the relevant information):
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=GB
ST=London
L=England
O=Your Company
OU=IT
emailAddress=webmaster@yourdomain.com
CN = *.yourdomain.com
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.anotherdomain.com
DNS.2 = *.alternativedomain.com
The above information...

Friday, 10 March 2017

Setting up and using gpg (GnuPG) with CentOS 7

PGP was first introduced by Phil Zimmermann & Associates and was a proprietary piece of software that allowed users to encrypt their files - although later on one of the original developers began work on OpenPGP (an open-source alternative). These days GPG (GnuPG) is also extremely popular; it is based on the OpenPGP standard and is widely available across most popular operating systems. For this tutorial I will focus on CentOS 7 - however much of the process is exactly the same on most Linux distributions. GPG makes use of PKI - so can...

Windows Task Manager, RAM and the Windows Metafile

I have sometimes noticed slight discrepancies between the available RAM presented in Windows Task Manager and the sum of the private and shared bytes that processes use - although on one particular server this discrepancy was a whopping 4GB! Doubting the accuracy of what Windows Task Manager was reporting I checked a few other tools, including Process Hacker - which provides a more granular look at the system's RAM consumption (private and shared memory etc.). However the figures still did not add up - so I ended up coming across a tool called RAMMap...

Wednesday, 8 March 2017

Kicking local / remote users out of a Linux system

Get a list of current tty (console) users and pts (remote, e.g. SSH) users with:
who -a
LOGIN      tty1         2017-02-23 13:14              2432 id=tty1
           system boot  2017-02-23 13:13
           run-level 5  2017-02-23 13:14
youruser   ? :0          2017-02-23 13:14   ?          2733 (console)
youruser   + pts/0      ...

Manually performing DNSSEC validation with dig

Let's firstly obtain the DNSKEY records for the root zone '.':
dig DNSKEY @i.root-servers.net. . | grep -Ev '^($|;)' > root.keys
. 172800 IN DNSKEY 256 3 8 AwEAAYvgWbYkpeGgdPKaKTJU3Us4YSTRgy7+dzvfArIhi2tKoZ/WR1Dfw883SOU6Uw7tpVRkLarN0oIMK/xbOBD1DcXnyfElBwKsz4sVVWmfyr/x+igD/UjrcJ5zEBUrUmVtHyjar7ccaVc1/3ntkhZjI1hcungAlOhPhHlkMeX+5Azx6GdX//An5OgrdyH3o/JmOPMDX1mt806JI/hf0EwAp1pBwo5e8SrSuR1tD3sgNjr6IzCdrKSgqi92z49zcdis3EaY199WFW60DCS7ydu++T5Xa+GyOw1quagwf/JUC/mEpeBQYWrnpkBbpDB3sy4+P2i8iCvavehbRyVm9U0MlIc=
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF...

DNSSEC: A quick introduction

DNS is a pretty old protocol - although it is used extensively even today. However its major letdown (from a security perspective) is that it transmits data in plain text and the receiver has no means to validate the content - this makes it extremely easy to manipulate responses with techniques like DNS poisoning. DNSSEC was introduced to overcome this problem - and provides a way of validating the responses from a nameserver with the help of PKI. DNSSEC introduces a few new record types (plus a few more not mentioned here): RRSIG: This provides...

Wednesday, 1 March 2017

Setting up logging / syslog on the Cisco 2960X

Fortunately logging can be set up very easily on IOS devices - a syslog server can be configured as follows:
conf t
logging 1.2.3.4
and we can also configure the logging buffer in memory, for example:
logging buffered 64000 debug
The above will ensure that all messages are logged to the buffer and are forwarded to our syslog server. We can also filter out noisy messages on the console - ensuring only important messages interrupt us:
logging console warnings
The log levels are as follows:
<0-7> Logging severity level alerts ...

Cisco Switch Setup Checklist (Best Practice, Hardening etc.)

This is a short list of initial management / setup tasks that can be used as a base template:
Setting up AAA
Setting up remote access (SSH)
Setting up SNMP
Setting up logging / syslog
Automatic configuration backups
Setting up NTP
If (like me) you prefer to disable DNS lookups - you can find the IP addresses of stratum 1 and 2 providers here. (Ideally the stratum 1 provider should take precedence.)
ntp server 81.168.77.149 prefer
ntp server 194.164.127.6
ntp server 194.164.127.4
Hardening / Disabling Unnecessary Services
no...