Named pipes (FIFOs) allow communication between different processes: one process writes data into a special file in the filesystem and another process reads it straight back out. The data passes through a kernel buffer rather than being stored in the file, so nothing is left on disk.
As an example we can use the 'mkfifo' command:
mkfifo /tmp/fifo
ls -la /tmp/fifo
prw-r--r--
Notice the 'p' at the start of the mode string - this is the file type character (the same position shows 'd' for a directory or 'l' for a symlink) and indicates that the file is a named pipe / FIFO.
Now let's tail it and pipe some data into it:
tail -f /tmp/fifo &
echo test data > /tmp/fifo
test data
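As an added example (not part of the original post), the following shell script wraps the same mkfifo / reader / writer sequence in functions, creates the FIFO with mode 0600 so that other local users can neither inject data into it nor read what passes through, and checks the file type with test -p rather than by eye. The FIFO path and the message are illustrative.

```shell
#!/bin/sh
# Added example: a private FIFO and a reader/writer round trip.
# Assumes a POSIX shell with coreutils-style mkfifo -m, test -p and mktemp.

# Create a FIFO at $1 that only its owner can read or write.
make_private_fifo() {
    fifo=$1
    rm -f "$fifo"
    # -m applies the mode at creation time, so there is no window in which
    # umask-derived (typically world-readable) permissions are in effect.
    mkfifo -m 0600 "$fifo" || return 1
    # test -p is the portable way to confirm the 'p' type seen in ls -l.
    test -p "$fifo"
}

# Send message $2 through FIFO $1 and print what the reader received.
# The reader is started first: a process opening a FIFO for writing blocks
# until another process has it open for reading, so ordering matters.
fifo_roundtrip() {
    fifo=$1; msg=$2
    out=$(mktemp) || return 1
    cat "$fifo" > "$out" &          # reader: blocks until data arrives, exits on EOF
    reader=$!
    printf '%s\n' "$msg" > "$fifo"  # writer: open() returns once the reader is there
    wait "$reader"
    cat "$out"
    rm -f "$out"
}

# First ten characters of ls -l, e.g. "prw-------" for a private FIFO.
fifo_mode() {
    ls -l "$1" | cut -c1-10
}

# Walk through the whole sequence, mirroring the manual steps in the post.
demo_fifo() {
    dir=$(mktemp -d) || return 1
    f=$dir/fifo
    make_private_fifo "$f" || return 1
    fifo_mode "$f"                      # prw-------
    fifo_roundtrip "$f" "test data"     # test data
    rm -rf "$dir"
}
```

Run demo_fifo to see the mode string followed by the echoed message. The ordering in fifo_roundtrip is the same reason the tail -f above has to be backgrounded before the echo: whichever side opens the FIFO first waits for the other.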
A socket file in Linux (AKA a Unix Domain Socket) allows communication...
Friday, 31 March 2017
Tuesday, 28 March 2017
Fixed: Unable to negotiate with x.x.x.x port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Modern versions of OpenSSH disable obsolete key exchange methods (and weak ciphers) by default - however this can cause problems when connecting to older devices that offer nothing else - in my case an older generation ASA:
ssh admin@10.11.12.13
Unable to negotiate with 10.0.1.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
The long term solution is to upgrade the device's firmware (where an update is available) so that it offers a modern key exchange method.
In order to access the system in the meantime we can instruct the OpenSSH client to use a...
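As an added example (not part of the original post), here is a small shell helper that turns the "Unable to negotiate" message into the matching client option, so the obsolete algorithm is enabled for one connection only rather than in the global ssh_config. The option names (KexAlgorithms, Ciphers, HostKeyAlgorithms, MACs) and the '+' prefix are OpenSSH's own; the helper function and the sample error text are constructed here.

```shell
#!/bin/sh
# Added example: derive the ssh -o option that re-enables whatever the remote
# side offered, from OpenSSH's own negotiation error message.

# Read the error line on stdin; print the -o option, or fail if the text
# is not one of OpenSSH's "no matching ... Their offer:" messages.
ssh_option_from_error() {
    line=$(cat)
    offer=${line##*"Their offer: "}
    [ "$offer" != "$line" ] || return 1            # no "Their offer:" present
    offer=$(printf '%s' "$offer" | tr -d ' ')      # comma list without spaces
    case $line in
        *"no matching key exchange method"*) opt=KexAlgorithms ;;
        *"no matching cipher"*)              opt=Ciphers ;;
        *"no matching host key type"*)       opt=HostKeyAlgorithms ;;
        *"no matching MAC"*)                 opt=MACs ;;
        *) return 1 ;;
    esac
    # The leading '+' appends to the client's default list instead of
    # replacing it, so nothing strong is removed in the process.
    printf '%s%s=+%s\n' -o "$opt" "$offer"
}

# Usage: capture the failure once, then retry with the derived option:
#   ssh admin@10.0.1.1 2> err.txt
#   ssh $(ssh_option_from_error < err.txt) admin@10.0.1.1
```

The option only affects that invocation. To make it permanent for a single device, put the same setting under a Host stanza for that address in ~/.ssh/config rather than enabling diffie-hellman-group1-sha1 for every connection.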
Tuesday, 21 March 2017
Safely purging / pruning old mysql binary logs
While binary logging provides an excellent way to roll a database forward to a specific point in time - for example to recover from corruption, or for use with replication - by default MySQL does not purge its binary logs, and over time they accumulate and can consume a huge amount of disk space.
Binary logs (as the name suggests) store events in a binary format and are read with the mysqlbinlog utility.
In order to prune the logs let's first locate the appropriate directory - in my case this is /var/lib/mysql:
cd /var/lib/mysql
ls
-rw-rw---- 1 mysql mysql...
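As an added example (not part of the original post), the following shell functions compute a purge point that respects both a retention count and the position of any replicas: PURGE BINARY LOGS TO 'file' deletes every log older than the named one, so the target must never be newer than the log a replica is still reading (Master_Log_File in its SHOW SLAVE STATUS output). The log names and replica positions below are constructed; the mysql client wrapper assumes credentials in ~/.my.cnf.

```shell
#!/bin/sh
# Added example: pick a replica-safe target for PURGE BINARY LOGS TO.

# $1: newline-separated binlog names, oldest first (column 1 of SHOW BINARY LOGS)
# $2: number of most recent logs to keep regardless of replicas
# $3...: Master_Log_File reported by each replica
# Prints the log to pass to PURGE BINARY LOGS TO; prints nothing if no log
# can go; fails if a replica reports a log that is not in the list.
safe_purge_target() {
    logs=$1; keep=$2; shift 2
    total=$(printf '%s\n' "$logs" | grep -c . || true)
    # Index of the oldest log we must keep to honour the retention count.
    cutoff=$((total - keep + 1))
    [ "$cutoff" -ge 2 ] || return 0            # fewer logs than we want to keep
    target=$(printf '%s\n' "$logs" | sed -n "${cutoff}p")
    # Never move the target past any replica's current log.
    for pos in "$@"; do
        idx=$(printf '%s\n' "$logs" | grep -n -x -F "$pos" | cut -d: -f1)
        [ -n "$idx" ] || return 1              # unknown log: refuse to guess
        if [ "$idx" -lt "$cutoff" ]; then
            cutoff=$idx
            target=$pos
        fi
    done
    [ "$cutoff" -ge 2 ] || return 0            # replica still on the oldest log
    printf '%s\n' "$target"
}

# Wrapper around the mysql client: $1 = logs to keep, $2... = replica positions.
purge_binlogs() {
    logs=$(mysql -N -e 'SHOW BINARY LOGS' | cut -f1)
    target=$(safe_purge_target "$logs" "$@") ||
        { echo 'replica position not found in binlog list, not purging' >&2; return 1; }
    [ -n "$target" ] || { echo 'nothing to purge' >&2; return 0; }
    mysql -e "PURGE BINARY LOGS TO '$target'"
}
```

purge_binlogs 5 mysql-bin.000012 keeps the newest five logs and never purges past mysql-bin.000012, the log the replica reported. Take the replica's position immediately before purging, not from an earlier check. For ongoing housekeeping, expire_logs_days in my.cnf has the server apply the retention itself, but it knows nothing about replicas, so keep it comfortably longer than the worst replication lag you are prepared to tolerate.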
Wednesday, 15 March 2017
Configuring IP Source Guard on a 2960X
IP Source Guard is a security feature that prevents IP address spoofing by filtering the traffic arriving on a Layer 2 access port according to its source IP address (and optionally its MAC address). Like DAI (Dynamic ARP Inspection), it relies on the DHCP snooping binding table to function.
DAI, however, only inspects ARP packets and cannot check the source address of ordinary IP traffic - hence IP Source Guard was introduced to cover that gap.
IP Source Guard is applied on a per-interface level:
int gi0/4
ip verify source
If you have statically assigned IP addresses (no DHCP lease, so no snooping entry) you can create a 'static binding' so that IP Source Guard knows which IP address to expect on the specific port:
ip source binding 1111.2222.3333 vlan 100 1.2.3.4...
Setting up DHCP snooping alongside a DHCP relay agent (Option 82 / giaddr)
DHCP snooping allows the switch to maintain its own (binding) table that links a MAC address to an IP address, switchport, VLAN and lease time, along with restricting DHCP server messages (offers, acks) to specific 'trusted' ports.
This is done to mitigate rogue DHCP servers on the network - and a number of other features, such as DAI, also depend on the DHCP snooping binding table.
We should firstly enable DHCP snooping with:
ip dhcp snooping
DHCP snooping operates on a per-VLAN basis - so having enabled it globally, we must also define which VLAN(s) it should run on:
ip dhcp...
Tuesday, 14 March 2017
Converting a p7b / PEM encoded certificate and key pair to PKCS12 format
Often, when a certificate and its private key are PEM encoded and you wish to transport them securely for use on a Windows server, you will need to convert the PEM encoded files to PKCS12 format - effectively a password-protected container for the certificate, its chain and the private key.
We can perform the conversion with openssl - by first extracting the certificates from the p7b file (a PKCS#7 container which in most cases holds the main certificate plus any other certificates in the chain, but never the private key):
openssl pkcs7 -print_certs -in certificates.p7b -out certificates.cer
and then converting the PEM certificate(s) and key to PKCS12 format:
openssl...
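As an added example (not part of the original post), here is the whole path from p7b through PEM to PKCS12, finished with a check that the bundle really contains the private key and the expected certificate - worth doing before the file leaves the machine. To run offline it first mints a throwaway self-signed certificate and packages it as a p7b in place of the CA-issued one; file names and the export password are illustrative.

```shell
#!/bin/sh
# Added example: p7b -> PEM -> PKCS12 with verification. Requires openssl.

work=$(mktemp -d)

# Stand-in for the CA-issued p7b: a self-signed cert wrapped as PKCS#7.
make_sample_p7b() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=www.yourdomain.com' \
        -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$work/cert.pem" -out "$work/certificates.p7b"
}

# A p7b holds certificates only; unpack them to PEM. Add -inform DER if the
# CA supplied a binary p7b rather than a PEM one.
p7b_to_pem() {   # $1 p7b in, $2 pem out
    openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# Bundle key + certificate(s) into a password-protected PKCS12 file. openssl
# pairs the key with the matching certificate and treats the rest as chain.
pem_to_pkcs12() {   # $1 key, $2 certs, $3 out, $4 password
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}

# Subject of the certificate inside the bundle (empty on a wrong password).
pkcs12_subject() {   # $1 p12, $2 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null
}

# Succeeds only if the bundle opens with this password and holds a key.
pkcs12_has_key() {   # $1 p12, $2 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# End to end: convert, then verify. Prints the bundled certificate's subject.
convert_and_verify() {   # $1 p7b, $2 key, $3 out p12, $4 password
    p7b_to_pem "$1" "$work/certificates.cer" &&
    pem_to_pkcs12 "$2" "$work/certificates.cer" "$3" "$4" &&
    pkcs12_has_key "$3" "$4" &&
    pkcs12_subject "$3" "$4"
}
```

Call make_sample_p7b and then convert_and_verify "$work/certificates.p7b" "$work/key.pem" "$work/bundle.p12" 'changeit'. Choose a real export password: it is the only thing protecting the private key while the .p12 is in transit. If an older Windows server refuses the import, re-export with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1, since OpenSSL 3 defaults to AES with PBKDF2, which old importers do not understand.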
Generating a SAN (Subject Alternative Name) certificate with OpenSSL
First create a new file (e.g. /tmp/csr_yourdomain.conf) as follows (replacing the relevant information):
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=GB
ST=England
L=London
O=Your Company
OU=IT
emailAddress=webmaster@yourdomain.com
CN = *.yourdomain.com
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.anotherdomain.com
DNS.2 = *.alternativedomain.com
The above information...
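As an added example (not part of the original post), the following shell script writes an equivalent config, generates the key and CSR from it, and then reads the SAN list back out of the CSR - the check worth doing before the request goes to a CA. It differs from the config above in one deliberate way: the CN's wildcard is repeated as the first alt_names entry, because browsers match the host name against the SAN list only and ignore the CN, so a SAN certificate that omits its own CN would not be valid for that name. Paths and domains are illustrative.

```shell
#!/bin/sh
# Added example: generate a SAN CSR from a config file and verify its SANs.
# Requires openssl.

work=$(mktemp -d)

# Write the request config to $1 (same layout as the post, CN added to SANs).
write_san_config() {
    cat > "$1" <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = GB
ST = England
L = London
O = Your Company
OU = IT
emailAddress = webmaster@yourdomain.com
CN = *.yourdomain.com
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.yourdomain.com
DNS.2 = *.anotherdomain.com
DNS.3 = *.alternativedomain.com
EOF
}

# Generate an unencrypted key (default_bits from the config) and the CSR.
make_csr() {   # $1 config, $2 key out, $3 csr out
    openssl req -new -config "$1" -nodes -keyout "$2" -out "$3" 2>/dev/null
}

# Print the DNS names in the CSR's subjectAltName extension, one per line.
csr_sans() {   # $1 csr
    openssl req -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;p;}' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Usage:
#   write_san_config "$work/csr_yourdomain.conf"
#   make_csr "$work/csr_yourdomain.conf" "$work/yourdomain.key" "$work/yourdomain.csr"
#   csr_sans "$work/yourdomain.csr"
```

csr_sans should list every name you expect the CA to put in the certificate; if a name is missing here, the CA will not add it for you. Keep the generated key file at mode 0600 - make_csr writes it unencrypted so that the web server can load it without a passphrase.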
Friday, 10 March 2017
Setting up and using gpg (GnuPG) with CentOS 7
PGP was first released by Phil Zimmermann in 1991 and later became a commercial product; the message format it used was subsequently standardised by the IETF as OpenPGP (RFC 4880), which anyone is free to implement.
These days GPG (GnuPG) - a free implementation of the OpenPGP standard - is extremely popular and is widely available across most operating systems.
For this tutorial I will focus on CentOS 7 - however most of the process is exactly the same on other Linux distributions.
GPG makes use of PKI - so can...
Windows Task Manager, RAM and the Windows Metafile
I have sometimes noticed slight discrepancies between the available RAM presented in Windows Task Manager and the sum of private and shared bytes processes use - although on one particular server this discrepancy was a whopping 4GB!
Doubting the accuracy of what the Windows Task Manager was reporting I checked a few other tools, including Process Hacker - which provides me with a more granular look at the system's RAM consumption, private, shared memory etc. However the figures still did not add up - so I ended up coming across a tool called RAMMap...
Wednesday, 8 March 2017
Kicking local / remote users out of a linux system
Get a list of the current sessions - tty (console logins) and pts (remote logins, e.g. over SSH) - with:
who -a
LOGIN tty1 2017-02-23 13:14 2432 id=tty1
system boot 2017-02-23 13:13
run-level 5 2017-02-23 13:14
youruser ? :0 2017-02-23 13:14 ? 2733 (console)
youruser + pts/0 ...
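As an added example (not part of the original post), the following shell functions pick out a user's sessions from who output and kill the processes on each terminal with pkill. Parsing is kept separate from killing so the selection can be checked with a dry run before anything is signalled. The sample who -a lines and usernames are constructed; pkill's -u and -t options are the standard procps ones.

```shell
#!/bin/sh
# Added example: find a user's terminals in who output and kick them off.

# Read who output on stdin; print the terminal (tty1, pts/0, ...) of each
# session belonging to user $1. Handles both plain `who` (terminal in column 2)
# and `who -a` / `who -T` (column 2 is the mesg status +/-/?, terminal in 3).
# Display-only logins (":0") and who -a's LOGIN / run-level rows are skipped.
user_sessions() {
    awk -v u="$1" '
        $1 == u {
            t = ""
            if ($2 ~ /^(pts\/|tty)/) t = $2
            else if ($3 ~ /^(pts\/|tty)/) t = $3
            if (t != "") print t
        }'
}

# Kill everything the user runs on each of their terminals. Prints each pkill
# command; with "-n" as $2 it only prints (dry run). who output on stdin.
kick_user() {   # $1 user, $2 optional -n
    user_sessions "$1" | while read -r term; do
        echo "pkill -KILL -u $1 -t $term"
        [ "${2:-}" = -n ] || pkill -KILL -u "$1" -t "$term"
    done
}

# Usage:
#   who -a | kick_user youruser -n    # show what would be killed
#   who -a | kick_user youruser       # do it
```

pkill -t only reaches processes whose controlling terminal is that pts, so a screen or tmux session or a nohup'd job survives; pkill -KILL -u youruser takes everything the user owns. Terminating sessions is also no substitute for revoking access: lock the account (passwd -l) or remove the key, otherwise the user can simply log back in.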
Manually performing DNSSEC validation with dig
Let's first obtain the DNSKEY records for the root zone '.' directly from a root server:
dig DNSKEY @i.root-servers.net. . | grep -Ev '^($|;)' > root.keys
. 172800 IN DNSKEY 256 3 8 AwEAAYvgWbYkpeGgdPKaKTJU3Us4YSTRgy7+dzvfArIhi2tKoZ/WR1Df w883SOU6Uw7tpVRkLarN0oIMK/xbOBD1DcXnyfElBwKsz4sVVWmfyr/x +igD/UjrcJ5zEBUrUmVtHyjar7ccaVc1/3ntkhZjI1hcungAlOhPhHlk MeX+5Azx6GdX//An5OgrdyH3o/JmOPMDX1mt806JI/hf0EwAp1pBwo5e 8SrSuR1tD3sgNjr6IzCdrKSgqi92z49zcdis3EaY199WFW60DCS7ydu+ +T5Xa+GyOw1quagwf/JUC/mEpeBQYWrnpkBbpDB3sy4+P2i8iCvavehb RyVm9U0MlIc=
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF...
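As an added example (not part of the original post), the following shell functions compute the key tag of a DNSKEY record (RFC 4034 Appendix B) from its presentation-format line. An RRSIG names the signing key only by owner, algorithm and key tag, so this is how you tell which of the two DNSKEY records above signed a given RRset when validating by hand; dig +multiline prints the same value as "key id". It needs base64(1) and od(1); the tiny DNSKEY used in the check is constructed and not a real key.

```shell
#!/bin/sh
# Added example: RFC 4034 key tag computation for DNSKEY records
# (algorithms other than 1, which is RSA/MD5 and long obsolete).

# $1 flags, $2 protocol, $3 algorithm, $4 base64 public key -> key tag
dnskey_keytag() {
    flags=$1; proto=$2; alg=$3; pubkey=$4
    # Wire-format RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm,
    # then the raw public key bytes. Render it as one decimal byte per word.
    rdata="$((flags / 256)) $((flags % 256)) $proto $alg $(
        printf '%s' "$pubkey" | base64 -d | od -An -v -tu1)"
    ac=0; i=0
    for b in $rdata; do
        # Even offsets are the high byte of a 16-bit word, odd ones the low byte.
        if [ $((i % 2)) -eq 0 ]; then ac=$((ac + b * 256)); else ac=$((ac + b)); fi
        i=$((i + 1))
    done
    ac=$((ac + ac / 65536))   # fold the carry out of the top 16 bits back in
    echo $((ac % 65536))
}

# Accept a full presentation-format line such as
#   . 172800 IN DNSKEY 257 3 8 AwEAAagAIKl...
# (dig may split the base64 into space-separated chunks; they are joined
# here) and print its key tag. Fails on a line that is not a DNSKEY.
keytag_of_dnskey_line() {
    set -- $1
    while [ $# -gt 0 ] && [ "$1" != DNSKEY ]; do shift; done
    [ $# -gt 4 ] || return 1
    shift
    flags=$1; proto=$2; alg=$3; shift 3
    key=$(printf '%s' "$*" | tr -d ' ')
    dnskey_keytag "$flags" "$proto" "$alg" "$key"
}

# Usage: feed each DNSKEY line saved above and compare with the RRSIG's key tag.
#   while read -r l; do keytag_of_dnskey_line "$l"; done < root.keys
```

Run the while loop in the usage comment over root.keys and compare the output with the key tag field of the RRSIG covering the DNSKEY RRset: the root's DNSKEY set is signed by the KSK (flags 257), and the tag you compute for it must also match the tag in the trust anchor you configured, otherwise you are validating against the wrong key.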
DNSSEC: A quick introduction
DNS is a pretty old protocol - although used extensively even today. However, its major let down (from a security perspective) is that the receiver has no means of verifying that a response genuinely came from the zone's authoritative servers and was not altered in transit - this makes it possible to manipulate answers with techniques such as DNS cache poisoning.
DNSSEC was introduced to overcome this problem - it provides a way of validating responses from a nameserver using public key signatures and a chain of trust anchored at the root zone. Note that DNSSEC provides authenticity and integrity only: queries and responses are still sent in plain text, so it does nothing for confidentiality.
DNSSEC introduces a few new record types (plus a few more not mentioned here):
RRSIG: This provides...
Wednesday, 1 March 2017
Setting up logging / syslog on the Cisco 2960X
Fortunately logging can be set up very easily on IOS devices - a syslog server can be configured as follows:
conf t
logging 1.2.3.4
and also configure the in-memory logging buffer, for example:
logging buffered 64000 debug
The above keeps messages of every severity (up to debugging) in the buffer; which severities are forwarded to the syslog server is governed separately by 'logging trap', which defaults to informational.
We can also filter out noisy messages on the console - ensuring only important messages interrupt us:
logging console warnings
The log levels are as follows:
<0-7> Logging severity level
alerts ...
Cisco Switch Setup Checklist (Best Practice, Hardening etc.)
This is a short list of initial management / setup tasks that can be used as a base template:
Setting up AAA
Setting up remote access (SSH)
Setting up SNMP
Setting up logging / syslog
Automatic configuration backups
Setting up NTP
If (like me) you prefer to disable DNS lookups - you can find the IP addresses of stratum 1 and 2 providers here.
(Ideally the stratum 1 server should take precedence - hence the 'prefer' keyword below)
ntp server 81.168.77.149 prefer
ntp server 194.164.127.6
ntp server 194.164.127.4
Hardening / Disabling Unnecessary Services
no...