
ServerFlux – Securing the Internet

Server Administration, Internet Security and Tutorials

Basic Cisco IOS CLI Commands

This post (if only for my own benefit) is a brief list of commands to get people started with some basic administration tasks on Cisco's IOS CLI, which ships with a great many of their switches.

The “enable” command takes you into privileged (administrative) mode; to do this, enter the following at the prompt:

enable

We can view switch information for diagnostic purposes:

show mac-address-table # Shows mac address table
show interfaces # Shows interfaces information
show running-config # Shows the configuration currently active in memory (the saved copy is the startup-config)

We wish to enter the configuration mode, so we simply enter the following (where “terminal” represents where we are configuring from):

configure terminal

We can now configure a port as follows (port 1 will be used in the following example):

interface fastethernet0/1
duplex auto # Set automatic duplex configuration (present by default)
shutdown # Shutdown the port
speed auto # Set automatic speed configuration (present by default)

Changing / Setting the router / switch hostname:

enable
configure terminal
hostname MYHOSTNAME
exit # Back to privileged mode
write # Save the running configuration to the switch

Setting passwords for specific user levels / modes:

enable
configure terminal
enable password yourpasswordhere # Set password for privileged (enable) mode (stored in cleartext in the config)
exit # Back to privileged mode
write # Save the running configuration to the switch

Port-Security
Port security cannot be enabled on a trunk port, so we first change the port to an access port and then configure it as follows:

interface fastethernet0/1
switchport mode access # Change to access mode
switchport port-security # Enables port security (with the defaults only, nothing else is configured yet!)
switchport port-security mac-address aabb.ccdd.eeff # Sets the MAC address accepted on this port (IOS uses the dotted xxxx.xxxx.xxxx format)
switchport port-security maximum 1 # Lets you define how many secure MAC addresses there can be (the default is one)
switchport port-security violation shutdown # Default action: on a violation the port is err-disabled and a log message is sent; the port must be reopened manually
or
switchport port-security violation restrict # Drops violating frames and sends a log message, but does not shut the port down
or
switchport port-security violation protect # Simply drops violating frames, sends nothing to the log

If you do not know the MAC address to set in port-security you can use sticky learning; instead of predefining a MAC address, use:

switchport port-security mac-address sticky

The first source mac address learned on the port will be the secure mac-address.

We can review the changes made by doing the following (show commands run from privileged mode, not from configuration mode):

enable
show port-security interface fastethernet0/1
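The show command above is what you read on the switch to find out whether a port has tripped. The shell helper below is an added example, not part of the original post: it classifies a captured copy of that output so the check can be run over many ports from a log collector or jump host. The sample output is constructed to follow the layout IOS prints (labels padded to a colon); the "ssh admin@switch" usage in the comment is an assumption about how you collect the output.

```shell
# Added example (not from the original post): classify the output of
# "show port-security interface <if>" so err-disabled ports and counted
# violations can be spotted without reading every line by hand.

port_security_field() {
  # Print the value of one "Label : value" row of show output read on stdin.
  # $1 = label exactly as IOS prints it, e.g. "Port Status"
  sed -n "s/^$1[[:space:]]*:[[:space:]]*//p" | head -n 1
}

port_security_check() {
  # Read show output on stdin; print OK, VIOLATIONS(<n>) or ERRDISABLED.
  # Always returns 0 so it can be used inside $(...) under set -e.
  out=$(cat)
  status=$(printf '%s\n' "$out" | port_security_field "Port Status")
  count=$(printf '%s\n' "$out" | port_security_field "Security Violation Count")
  count=${count:-0}
  if [ "$status" = "Secure-shutdown" ]; then
    # Port tripped with "violation shutdown": needs shutdown / no shutdown to recover
    echo "ERRDISABLED"
  elif [ "$count" -gt 0 ]; then
    # "violation restrict": the port is still up but frames were dropped and counted
    echo "VIOLATIONS($count)"
  else
    echo "OK"
  fi
}

# Constructed sample: fastethernet0/1 behaving normally.
sample_port_ok() {
  cat <<'EOF'
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aabb.ccdd.eeff:1
Security Violation Count   : 0
EOF
}

# Constructed sample: the same port after a second MAC address showed up on it.
sample_port_tripped() {
  sample_port_ok | sed -e 's/Secure-up/Secure-shutdown/' \
                       -e 's/Violation Count   : 0/Violation Count   : 1/'
}

# Usage on a live capture (assumed):  ssh admin@switch 'show port-security interface fa0/1' | port_security_check
sample_port_ok | port_security_check         # OK
sample_port_tripped | port_security_check    # ERRDISABLED
```

A port reported as ERRDISABLED is the one to look at first: with "violation shutdown" nothing passes until an administrator clears it, so the entry doubles as an alert that an unexpected device was plugged in.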

To disable trunking on a port:

enable
configure terminal
interface FastEthernet0/10
no switchport mode trunk
no switchport trunk encapsulation
no switchport trunk allowed vlan
no switchport trunk native vlan
switchport mode access
exit

To enable / disable STP (Spanning Tree Protocol) on a specific VLAN:

enable
configure terminal
span vlan 10
exit

or to disable

enable
configure terminal
no span vlan 10
exit

Get a brief list of ports / info:


And finally to save any changes made use:
write memory

Switch Security

Setting a password for the console:
You can review the current switch configuration by doing:

enable
show running-config

We can now set the password:

configure terminal
line con 0
password yourpasswordhere
login # Require the password on the console line
exit # Exit line configuration mode
exit # Exit global configuration mode
write # Write changes to switch

Setup TELNET / SSH Access Password (VTY):

enable
configure terminal
line vty 0 4 # Configure the first five virtual terminal (telnet / SSH) lines
password yourpasswordhere # Set password
login # Require the password on these lines
exit # Exit line configuration mode
exit # Exit global configuration mode
write # Write configuration
 

How to setup a Linux based PXE server to distribute Windows 7

We will first install the TFTP server. TFTP is a minimal file transfer protocol with no authentication at all, so anything placed in its directory is readable by any host that can reach it:

apt-get install tftpd-hpa

We now need to check the configuration for the TFTP server: make sure that the RUN_DAEMON directive is set to “yes” in /etc/default/tftpd-hpa. You will also find the server directory specified in this file (the --secure option chroots the daemon into it):

TFTP_OPTIONS="--secure"
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS="0.0.0.0:69"
RUN_DAEMON="yes"

We will also need syslinux (boot loader) in order to boot up the ISO’s we are going to use with the PXE server so we do:

wget --no-check-certificate https://www.kernel.org/pub/linux/utils/boot/syslinux/syslinux-4.05.zip
unzip syslinux-4.05.zip
cd syslinux-4.05

We will now copy two required files to the TFTP root directory:

cp core/pxelinux.0 /srv/tftp
cp memdisk/memdisk /srv/tftp

We will now create the configuration files for syslinux as follows:

mkdir /srv/tftp/pxelinux.cfg
nano /srv/tftp/pxelinux.cfg/default

and add the following to the default file:

DEFAULT win7
PROMPT 60

LABEL win7
LINUX /memdisk
APPEND iso
INITRD /win7.iso

Now the PXE server has been set up, it is time to set up DHCP so it can tell workstations where your PXE server is; I have used Active Directory for this example:

Go to > Administrative Tools > DHCP > Scope XX.XX.XX.XX > Scope Options
and then create the following records (replace where needed):

006 DNS Servers XX.XX.XX.XX
013 Image Size 0x28
066 Boot Server host Name XX.XX.XX.XX
067 Bootfile name: Pxelinux.0

Now simply restart one of your client workstations within the scope of your DHCP server, hit F12 on startup to network boot, and you should have the Windows 7 installation up and running!
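The defaults file and the pxelinux menu in this procedure are small enough to get wrong silently: a dropped --secure, RUN_DAEMON left off, or a file missing from the TFTP root. The script below is an added example, not part of the original post; it checks a tftpd-hpa defaults file and writes the post's pxelinux menu into a given root, reporting any boot file the menu refers to that is not there. Paths are parameters so it can be tried against a temporary directory, and the sample defaults file it writes is a constructed copy of the one above.

```shell
# Added example (not from the original post): sanity-check an
# /etc/default/tftpd-hpa style file and write the pxelinux menu from the
# post into a TFTP root. Paths are arguments so it can run against a temp dir.

tftpd_value() {
  # Print the value of KEY="value" (key $1) from file $2 without sourcing it.
  sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$2" | tail -n 1
}

tftpd_defaults_check() {
  # $1 = defaults file. Prints findings; returns 0 only if it is safe to start.
  f=$1; rc=0
  opts=$(tftpd_value TFTP_OPTIONS "$f")
  dir=$(tftpd_value TFTP_DIRECTORY "$f")
  run=$(tftpd_value RUN_DAEMON "$f")
  addr=$(tftpd_value TFTP_ADDRESS "$f")
  case " $opts " in
    *" --secure "*) ;;   # daemon chroots into TFTP_DIRECTORY
    *) echo "TFTP_OPTIONS lacks --secure: clients could request paths outside $dir"; rc=1 ;;
  esac
  [ -n "$dir" ] || { echo "TFTP_DIRECTORY is not set"; rc=1; }
  [ "$run" = "yes" ] || { echo "RUN_DAEMON is '$run', the daemon will not start"; rc=1; }
  case "$addr" in
    0.0.0.0:*) echo "note: $addr listens on every interface; TFTP has no authentication, so firewall it to the PXE subnet" ;;
  esac
  return $rc
}

write_pxelinux_default() {
  # $1 = TFTP root. Writes pxelinux.cfg/default exactly as in the post and
  # reports any boot file the menu refers to that is not yet in the root.
  root=$1
  mkdir -p "$root/pxelinux.cfg"
  cat > "$root/pxelinux.cfg/default" <<'EOF'
DEFAULT win7
PROMPT 60

LABEL win7
LINUX /memdisk
APPEND iso
INITRD /win7.iso
EOF
  for f in pxelinux.0 memdisk win7.iso; do
    [ -e "$root/$f" ] || echo "missing $root/$f"
  done
}

sample_tftpd_defaults() {
  # Constructed copy of the post's defaults file, written to $1.
  cat > "$1" <<'EOF'
TFTP_OPTIONS="--secure"
TFTP_USERNAME="tftp"
TFTP_DIRECTORY="/srv/tftp"
TFTP_ADDRESS="0.0.0.0:69"
RUN_DAEMON="yes"
EOF
}

# Quick self-demo against a scratch directory
demo=$(mktemp -d)
sample_tftpd_defaults "$demo/tftpd-hpa"
tftpd_defaults_check "$demo/tftpd-hpa" || true
write_pxelinux_default "$demo/tftp"
rm -rf "$demo"
```

Run it as `tftpd_defaults_check /etc/default/tftpd-hpa` before restarting the daemon, and `write_pxelinux_default /srv/tftp` after copying pxelinux.0, memdisk and the ISO; the "missing" lines tell you what the PXE client would fail to fetch.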

 

ESXI 5: Setting up SSH Public Key Authentication

This tutorial describes the process of connecting via SSH to your ESXi 5.0 host using public key authentication. I have tried to explain as much as possible, since there are no (or at least I couldn't find any) decent tutorials on the internet covering this subject on ESXi 5.0.

Firstly we will create our private and public key pair on the client (the host we are connecting to ESXi from):

ssh-keygen -t rsa

The keys by default are stored as follows:

~/.ssh/id_rsa
~/.ssh/id_rsa.pub

We set the permissions:

chmod 600 ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa.pub

We will now copy the public key to the ESXi host:

scp ~/.ssh/id_rsa.pub root@remotehost:/root

And then on the ESXi host we do:

cat /root/id_rsa.pub > /etc/ssh/keys-root/authorized_keys
chmod 600 /etc/ssh/keys-root/authorized_keys

The above is very important; other tutorials do not explain this at all. There is a directive in /etc/ssh/sshd_config, “AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys”, which specifies where a user's “authorized_keys” file is looked up on the ESXi host (not ~/.ssh/authorized_keys as on a typical Linux host). In this tutorial we connect to the ESXi host as the user root, so %u becomes root and the path is “keys-root”.

Important! Make sure that the ~/.ssh folder on both hosts is chmod 700, e.g.:

chmod 700 ~/.ssh

In order to disable password logins to the SSH server you should edit:

vi /etc/ssh/sshd_config

and change the following directives:

PermitRootLogin yes
ChallengeResponseAuthentication no # This entry might not be present! Don't add it if it isn't present.
PasswordAuthentication no

and finally restart SSH service:

/etc/init.d/SSH restart

You can now connect to ESXi 5 using SSH public key authentication by running the following:

ssh -i ~/.ssh/id_rsa root@esxi-host

If you run into any problems, just use the -v switch for SSH, e.g.:

ssh -v -i ~/.ssh/id_rsa root@esxi-host
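Before closing the session you changed sshd_config from, it is worth confirming that password logins are really off and that the key files have the permissions the post insists on. The helper below is an added example and not part of the original post; it reads an sshd_config the way sshd does (first matching directive wins, keywords are case-insensitive, "Match" blocks are conditional) and checks a file's mode bits with ls so it does not depend on a particular stat flavour. The sample config it writes is constructed.

```shell
# Added example (not from the original post): verify an sshd_config really
# disables password logins, and check that key files are private to their owner.

sshd_effective() {
  # Print the effective value of directive $1 in file $2. sshd honours the
  # FIRST occurrence of a keyword, keywords are case-insensitive, and settings
  # under a "Match" block are conditional, so parsing stops there.
  awk -v key="$1" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "match"      { exit }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$2"
}

sshd_key_only_check() {
  # $1 = sshd_config. Returns 0 when only public-key logins are possible.
  f=$1; rc=0
  pa=$(sshd_effective PasswordAuthentication "$f");          pa=${pa:-yes}   # sshd default
  cr=$(sshd_effective ChallengeResponseAuthentication "$f"); cr=${cr:-yes}   # sshd default
  pk=$(sshd_effective PubkeyAuthentication "$f");            pk=${pk:-yes}   # sshd default
  [ "$pa" = "no" ] || { echo "PasswordAuthentication is $pa"; rc=1; }
  [ "$cr" = "no" ] || { echo "ChallengeResponseAuthentication is $cr (password prompts still reachable via keyboard-interactive)"; rc=1; }
  [ "$pk" = "yes" ] || { echo "PubkeyAuthentication is $pk: key login would fail, do not restart sshd"; rc=1; }
  return $rc
}

private_to_owner() {
  # 0 if $1 has no group/other permission bits (what chmod 600 / 700 give you)
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

sample_sshd_config() {
  # Constructed sshd_config with the post's three settings plus a Match block.
  cat > "$1" <<'EOF'
# constructed sample
Port 22
PermitRootLogin yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Self-demo against a constructed file
demo=$(mktemp -d)
sample_sshd_config "$demo/sshd_config"
sshd_key_only_check "$demo/sshd_config" && echo "only key logins possible"
rm -rf "$demo"
```

On the ESXi host run `sshd_key_only_check /etc/ssh/sshd_config` after editing and `private_to_owner /etc/ssh/keys-root/authorized_keys` after the chmod; on the client the same check applies to ~/.ssh and ~/.ssh/id_rsa.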
 

How to use GNUPG / GPG on Debian Squeeze

We will first install the GnuPG package (which is commonly already included with Debian distros) from apt:

apt-get install gnupg

We now require a key pair so that we can encrypt and decrypt files; we generate one as follows:

gpg --gen-key
Select Option: 1
Key Size: 2048
Key is valid for: 0

You should then confirm your identity details and enter a pass-phrase.

To list your public keys use:

gpg --list-keys

And to list your secret (private) keys use:

gpg --list-secret-keys

Encrypting files with the keys:

To encrypt a file simply use the following:

gpg --output yourfile.gpg --encrypt --recipient  "Joe Bloggs" yourfile.ext

To decrypt a file simply use:

gpg --output yourfile.ext --decrypt yourfile.gpg

If your key is stolen?

If our private key were stolen we would want to revoke the key so that it can no longer be trusted; this is achieved by generating a revocation certificate as follows:

gpg --output revoke.asc --gen-revoke <keyid>

* Where keyid is the “key ID” of your public key (e.g. get it via gpg --list-keys). Generate this certificate while you still have the private key and keep it somewhere safe: it cannot be produced without the key, so it is of no use if you only try once the key is already lost.

 

Using Named Pipes (FIFO’s) in Linux

What is a named pipe?

A named pipe (or FIFO) is simply a way of piping data between applications, as the name suggests “in a pipe”. A named pipe in a Windows environment differs from the Linux variant (FIFO): the Windows kind is oriented around client/server communication, while a FIFO on a Linux system is created on the file system, where any application (subject to its permissions) can open it like a file. For example:

Create the pipe:

mkfifo my_pipe

Attach a reader that compresses whatever is written into it (this command blocks until another process opens the pipe for writing):

gzip -9 -c < my_pipe > archive_out.gz

Close the pipe:

rm my_pipe
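The three commands above leave out the writer, and the reason the gzip command appears to hang: opening a FIFO for reading blocks until something opens it for writing, and vice versa. The function below is an added example, not part of the original post, that runs the same pattern end to end in a scratch directory, with the reader in the background and the pipe created with mode 600 so other local users cannot write into it. The data sent through the pipe is constructed.

```shell
# Added example (not from the original post): the mkfifo / gzip pattern from
# this post with the writer side included, run in a scratch directory.

fifo_gzip_roundtrip() {
  # $1 = scratch dir. Compresses data through a FIFO and prints it back.
  dir=$1
  mkdir -p "$dir"
  # Create the pipe. -m 600 keeps other local users from injecting data into
  # (or draining) the pipe: a FIFO is a file-system object with file permissions.
  mkfifo -m 600 "$dir/my_pipe"
  # Reader, in the background: blocks here until the writer opens the pipe.
  gzip -9 -c < "$dir/my_pipe" > "$dir/archive_out.gz" &
  reader=$!
  # Writer: the uncompressed data never lands on disk.
  printf 'line one\nline two\n' > "$dir/my_pipe"
  wait "$reader"                  # gzip gets EOF once the writer closes its end
  rm "$dir/my_pipe"               # "close" the pipe as in the post
  gzip -dc "$dir/archive_out.gz"  # prints the original two lines
}

fifo_is_pipe() { [ -p "$1" ]; }   # distinguishes a FIFO from a regular file

# Self-demo against a temporary directory
demo=$(mktemp -d)
fifo_gzip_roundtrip "$demo"
rm -rf "$demo"
```

Start the reader first whenever you script this; if the writer runs first with nothing reading, it blocks just as silently.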
 

How to install vSphere CLI 4.0 on Debian Squeeze

Firstly download the CLI from the following website:

http://www.vmware.com/download/download.do?downloadGroup=VCLI50U1

And then untar it to a temp dir e.g.:

cd /tmp
tar zxvf VMware-vSphere-CLI-4.0.0-161974.x86_64.tar.gz

We will make sure we have all of the prerequisites:

apt-get install libclass-methodmaker-perl libssl-dev perl-doc liburi-perl libxml-libxml-perl libcrypt-ssleay-perl ia32-libs 

And then install vSphere CLI:

cd VMware-vSphere-CLI-4.0.0-161974
perl vmware-install.pl

And finally to use the CLI type the following at prompt:

vmware-cmd

or use the following for help:

vmware-cmd --help
 

How to add a script / program to run on startup in Debian

In this example we will be starting rsync in daemon mode on system boot; for this we first need to create an init script:

nano /etc/init.d/rsyncd

Below is an example init script:

#! /bin/sh
# /etc/init.d/rsyncd
#

# Carry out specific functions when asked to by the system
case "$1" in
  start)
    echo "Starting rsyncd..."
    # Start the daemon; it reads /etc/rsyncd.conf unless --config=FILE is given
    rsync --daemon
    echo "Done!"
    ;;
  stop)
    echo "Stopping rsyncd..."
    # Note: this also kills any client rsync processes running on the host
    killall rsync
    echo "Done!"
    ;;
  *)
    echo "Usage: /etc/init.d/rsyncd {start|stop}"
    exit 1
    ;;
esac

exit 0

We will now setup the permissions for the script:

chmod 755 /etc/init.d/rsyncd

And to make the script run at boot time:

update-rc.d rsyncd defaults

and to remove from boot up use:

update-rc.d -f  rsyncd remove

If (like myself) you created the init script on a Windows system, the line endings differ from Linux and you will get an error such as:

/bin/sh^M: Bad interpreter: No such file or directory

You can resolve this by using the “fromdos” utility:

apt-get install tofrodos
fromdos /path/to/your/file.ext

This utility converts the input file's line endings to Linux style line endings.

 

How to setup rsync on Debian Squeeze

We will firstly use apt to install the rsync package:

apt-get install rsync

We will proceed by creating a configuration file for rsync (which isn't created by default!):

nano /etc/rsync.conf

The configuration file should be as follows (replace or add the appropriate IP(s) / blocks in the “hosts allow” variable, and replace the “path” variable with the location you want rsync to have access to):

max connections = 2
log file = /var/log/rsync.log
timeout = 300
[cache]
comment = Cache of Mongrels
path = /backups
read only = no
list = yes
uid = nobody
gid = nogroup
#auth users = mongrel
list = yes
hosts allow = 127.0.0.0/8 192.168.0.0/24
secrets file = /etc/rsync.secrets

Create our rsync users (example of /etc/rsync.secrets):

username:password
user:password
administrator:123

Now lets create our rsync user:

useradd rsync -s /usr/sbin/nologin

Set permissions for the secrets file:

chown rsync:rsync /etc/rsync.secrets
chmod 400 /etc/rsync.secrets

We can now run the rsync daemon with the following command line:

rsync --daemon --config=/etc/rsync.conf # rsync reads /etc/rsyncd.conf by default, so the path used above must be passed explicitly
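One thing to notice in the configuration above is that "auth users" is commented out: with no "auth users", rsync never consults "secrets file", and a module with "read only = no" is writable by any host in "hosts allow" without a password. The script below is an added example, not part of the original post, that audits an rsyncd.conf-style file for exactly that pattern (plus modules with no "hosts allow" at all). The sample config it writes is a constructed copy of the one in this post.

```shell
# Added example (not from the original post): a static check of an
# rsyncd.conf-style file for modules whose secrets file is never consulted.

rsyncd_audit() {
  # $1 = config file. Prints one finding per line; returns 1 if any found.
  awk '
    BEGIN { bad = 0 }
    function has(k) { return (k in kv) || (k in gl) }          # module or global
    function get(k) { return (k in kv) ? kv[k] : ((k in gl) ? gl[k] : "") }
    function flush(   k, ro) {
      if (mod == "") return
      ro = tolower(get("read only"))
      if (!has("auth users") && (ro == "no" || ro == "false"))
        { print "[" mod "] writable without auth users"; bad = 1 }
      if (!has("auth users") && has("secrets file"))
        { print "[" mod "] secrets file set but no auth users, so it is ignored"; bad = 1 }
      if (!has("hosts allow"))
        { print "[" mod "] no hosts allow, module is reachable from any address"; bad = 1 }
      for (k in kv) delete kv[k]
    }
    /^[[:space:]]*#/ || NF == 0 { next }
    /^[[:space:]]*\[.*\][[:space:]]*$/ {
      flush(); mod = $0
      sub(/^[[:space:]]*\[/, "", mod); sub(/\][[:space:]]*$/, "", mod)
      next
    }
    /=/ {
      key = $0; sub(/[[:space:]]*=.*/, "", key); sub(/^[[:space:]]+/, "", key)
      val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
      if (mod == "") gl[key] = val; else kv[key] = val   # globals are module defaults
    }
    END { flush(); exit bad }
  ' "$1"
}

sample_rsyncd_conf() {
  # Constructed copy of the post's config, written to $1.
  cat > "$1" <<'EOF'
max connections = 2
log file = /var/log/rsync.log
timeout = 300
[cache]
comment = Cache of Mongrels
path = /backups
read only = no
list = yes
uid = nobody
gid = nogroup
#auth users = mongrel
hosts allow = 127.0.0.0/8 192.168.0.0/24
secrets file = /etc/rsync.secrets
EOF
}

# Self-demo: the post's config as written, then with auth users enabled
demo=$(mktemp -d)
sample_rsyncd_conf "$demo/rsync.conf"
rsyncd_audit "$demo/rsync.conf" || echo "(findings above)"
sed 's/^#auth users/auth users/' "$demo/rsync.conf" > "$demo/fixed.conf"
rsyncd_audit "$demo/fixed.conf" && echo "fixed.conf: no findings"
rm -rf "$demo"
```

Run `rsyncd_audit /etc/rsync.conf` after editing; uncommenting the "auth users" line is what actually turns the secrets file on.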
 

Driver for SR9600 (USB 2.0 10/100M Ethernet Adapter) Win 7 Vista XP

Since this driver has not been circulated well, I thought I would save people the time looking for drivers for the SR9600 USB NIC, you can find the drivers below:

Windows 7 / Vista / XP / 98 SR9600 Driver

The device is commonly marketed under the following name: USB 2.0 Ethernet 10/100 Network LAN RJ45 Adapter

The device ID (found in Device Manager) is as follows: Device ID: USB\VID_0FE6&PID_9700

 

Configuring NTP on Windows Server 2008 R2

In order to configure a Windows Server (2003/2008) with NTP please see below:

Open up an elevated command prompt and enter the following (where XX.XX.XX.XX is the hostname / IP of the NTP server)

w32tm /config /manualpeerlist:XX.XX.XX.XX,0x8 /syncfromflags:MANUAL

Now go to the services applet:

Start > Run > services.msc

Locate the “Windows Time” service and make sure that its “Startup Type” is set to Automatic (it is set to “Manual” by default!), then stop the service and start it again. The time should then be synced with the NTP server. If in doubt, try this utility to verify it has happened properly:

NTP Debug Tool

You can also query the status of the Windows Time service as follows (it will also tell you the last sync time, if available):

w32tm /query /status

If you screwed up?

The following will wipe any Time Service configuration, so you can start again from scratch:

net stop w32time
w32tm /unregister
w32tm /register