Monthly Archives: April 2013

Updating Nessus to the newly released 5.20 on Kali Linux

23 Tuesday Apr 2013

Posted by Slice2 in Linux, Nessus, Security


Tags

Linux, Security

Nessus just released version 5.20, so here is a quick follow-up to my recent post on installing Nessus.

Details:  http://www.tenable.com/products/nessus/new-in-nessus-52

Downloads:   http://www.tenable.com/products/nessus/nessus-download-agreement

> dpkg -i Nessus-5.2.0-debian6_amd64.deb
(Reading database … 241907 files and directories currently installed.)
Preparing to replace nessus 5.0.3 (using Nessus-5.2.0-debian6_amd64.deb) …
$Shutting down Nessus : .
Unpacking replacement nessus …
Setting up nessus (5.2.0) …
Fetching the newest plugins from nessus.org…
Fetching the newest updates from nessus.org…
Done. The Nessus server will start processing these plugins within a minute
nessusd (Nessus) 5.2.0 [build N24017] for Linux
Copyright (C) 1998 – 2013 Tenable Network Security, Inc

Processing the Nessus plugins…
[##################################################]

All plugins loaded

- You can start nessusd by typing /etc/init.d/nessusd start
- Then go to https://localhost:8834/ to configure your scanner

> /etc/init.d/nessusd start
$Starting Nessus : .

The Official vSphere 5.1 Hardening Guide has been released

22 Monday Apr 2013

Posted by Slice2 in Security, VMware


Tags

Security, VMware

The official release of the vSphere 5.1 Hardening Guide offers guidance on securely deploying VMware vSphere 5.1.

http://communities.vmware.com/docs/DOC-22981

Installing Nessus on Kali Linux

18 Thursday Apr 2013

Posted by Slice2 in Linux, Nessus, Security


Tags

Linux, Security

1) The first step is to patch your Kali Linux system.
> su - root
> apt-get update
> apt-get upgrade

2) For some crazy reason Nessus is not part of the default Kali tool set. There must be some drama between these guys. The Kali apt-get repositories don't have Nessus, so you must download the .deb package from Tenable.

Choose the Debian 6 x64 package here:
http://www.tenable.com/products/nessus/select-your-operating-system

Register to get a key for the home feed here:
http://www.tenable.com/products/nessus/nessus-homefeed

3) Install nessus.
> su - root
> cd /to/path/of/nessus/download
> dpkg -i Nessus*.deb
> rm Nessus*.deb

4) Register nessus. Obtain the key from the email sent by Tenable when you registered. It will be used to register your home feed and authorize your instance to download plug-ins.
> cd /opt/nessus/bin/
> ./nessus-fetch --register "1234-ABCD-5678-EFGH-9101"
Note: there are two dashes ("--") in front of register.
> cd /opt/nessus/etc/nessus
> cp nessusd.conf.imported nessusd.conf

5) Start nessus.

> /etc/init.d/nessusd start

6) Nessus takes about 10 minutes to initialize the first time. Launch a browser and enter https://localhost:8834 to see if it's ready. When ready, the wizard will start. Create a user, enter the word offline for the registration (since you already did this above) and then log in.

Securing NetApp Data ONTAP with the NetApp Powershell Toolkit

10 Wednesday Apr 2013

Posted by Slice2 in NetApp, Security


Tags

NetApp, Security

The NetApp Data ONTAP Powershell Toolkit has come a long way. The latest release has many improvements including the new simplified installer. It couldn’t be easier to deploy and use.

See this PDF to get started: Installing NetApp Data ONTAP Powershell Toolkit v2.3

The commands below are the NetApp Powershell cmdlet versions of the ONTAP commands referenced in a previous post: http://slice2.com/2013/04/01/hardening-netapp-dataontap-8-1x/

Edit the text below to fit your environment and save it as a .ps1 script. When done, simply execute it inside a Powershell session, or just run the commands one at a time to get familiar with them.

1) Log in to the controller.
If you want to use your controller name in the command, edit the example line below. Otherwise, the Connect-NaController cmdlet will prompt you for a username and password and then for the controller name you want to log in to.
Example: Connect-NaController -Name <your filer hostname or IP> -Credential (Get-Credential) -https

Connect-NaController -Credential (Get-Credential) -https

2) Set up SSH with strong keys.

Set-NaOption -OptionName ssh1.enable -OptionValue off
Set-NaOption -OptionName ssh2.enable -OptionValue off
Initialize-NaSecureAdminSsh -Ssh1HostKeySize 2048 -Ssh1ServerKeySize 1920 -Ssh2HostKeySize 2048 -Force -Confirm

3) Set options.

Set-NaOption -OptionName ssh.idle.timeout -OptionValue 600 -Confirm
Set-NaOption -OptionName ssh1.enable -OptionValue off -Confirm
Set-NaOption -OptionName telnet.distinct.enable -OptionValue on -Confirm
Set-NaOption -OptionName rsh.access -OptionValue "none" -Confirm
Set-NaOption -OptionName rsh.enable -OptionValue off -Confirm
Set-NaOption -OptionName telnet.access -OptionValue "none" -Confirm
Set-NaOption -OptionName telnet.enable -OptionValue off -Confirm
Set-NaOption -OptionName webdav.enable -OptionValue off -Confirm
Set-NaOption -OptionName autologout.console.enable -OptionValue on -Confirm
Set-NaOption -OptionName autologout.console.timeout -OptionValue 60 -Confirm
Set-NaOption -OptionName autologout.telnet.enable -OptionValue on -Confirm
Set-NaOption -OptionName autologout.telnet.timeout -OptionValue 5 -Confirm
Set-NaOption -OptionName security.passwd.rules.enable -OptionValue on -Confirm
Set-NaOption -OptionName security.passwd.rules.everyone -OptionValue on -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum -OptionValue 8 -Confirm
Set-NaOption -OptionName security.passwd.rules.maximum -OptionValue 16 -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum.alphabetic -OptionValue 2 -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum.digit -OptionValue 2 -Confirm
Set-NaOption -OptionName security.passwd.rules.minimum.symbol -OptionValue 2 -Confirm
Set-NaOption -OptionName security.passwd.rules.history -OptionValue 6 -Confirm
Set-NaOption -OptionName security.passwd.lockout.numtries -OptionValue 6 -Confirm
Set-NaOption -OptionName security.passwd.firstlogin.enable -OptionValue off -Confirm
Set-NaOption -OptionName sp.autologout.enable -OptionValue on -Confirm
Set-NaOption -OptionName sp.autologout.timeout -OptionValue 60 -Confirm
Set-NaOption -OptionName sp.ssh.access -OptionValue * -Confirm
Set-NaOption -OptionName ndmpd.enable -OptionValue off -Confirm
Set-NaOption -OptionName interface.blocked.cifs -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.ftpd -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.iscsi -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.nfs -OptionValue e0M -Confirm
Set-NaOption -OptionName interface.blocked.snapmirror -OptionValue e0M -Confirm
Set-NaOption -OptionName ip.fastpath.enable -OptionValue off -Confirm
Set-NaOption -OptionName ip.icmp_ignore_redirect.enable -OptionValue on -Confirm
Set-NaOption -OptionName ip.match_any_ifaddr -OptionValue off -Confirm
Set-NaOption -OptionName ip.ping_throttle.alarm_interval -OptionValue 15 -Confirm
Set-NaOption -OptionName ip.ping_throttle.drop_level -OptionValue 100 -Confirm
Set-NaOption -OptionName tftpd.enable -OptionValue off -Confirm
Set-NaOption -OptionName ssl.enable -OptionValue on -Confirm
Set-NaOption -OptionName ssl.v2.enable -OptionValue off -Confirm
Set-NaOption -OptionName ssl.v3.enable -OptionValue on -Confirm
Set-NaOption -OptionName tls.enable -OptionValue on -Confirm
Set-NaOption -OptionName httpd.admin.enable -OptionValue off -Confirm
Set-NaOption -OptionName httpd.admin.ssl.enable -OptionValue on -Confirm
Set-NaOption -OptionName httpd.timeout -OptionValue 600 -Confirm
Set-NaOption -OptionName nfs.tcp.enable -OptionValue on -Confirm

4) Set up SNMPv3 parameters.
You still have to set up OnCommand (DFM). This just takes care of the controller.
See http://slice2.com/2013/03/20/how-to-enable-snmpv3-in-ontap-7-3-38-x-and-dfmoncommand-core-4-05-x

Set-NaRole -Role snmpv3role -AddCapabilities login-snmp -Confirm
Set-NaGroup -Group snmpv3group -AddRoles snmpv3role -Confirm
Set-NaUser -User snmpv3user -AddGroups snmpv3group -Confirm

5) You need to add your OnCommand/DFM server name below. Use an FQDN or IP address. Also edit the read-only (ro) community string to your setting if it is not public, and set the Location and Contact.

Set-NaOption -OptionName snmp.enable -OptionValue on -Confirm
Add-NaSnmpTrapHost -Host 10.10.10.26 -Confirm
Remove-NaSnmpCommunity -Community public
Set-NaSnmpLocation -Location "Roswell NM"
Set-NaSnmpContact -Contact "The Borg"

6) Set up syslog. Edit these parameters to point to your syslog server. Note that there must be a tab, not spaces, between the selector and the syslog IP address; a space there will not work.

Write-NaFile -Path /vol/vol0/etc/syslog.conf -AppendLine "*.*`t@10.10.10.100"  # `t expands to the required tab

Hardening NetApp DataONTAP 8.1x

01 Monday Apr 2013

Posted by Slice2 in NetApp, Security


Tags

NetApp, Security

This configuration can be implemented on ONTAP 8.1.1 and 8.1.2. Some options are not available on 7.3x or 8.0x, but that shouldn't prevent you from hardening as many options as possible. If an option is not available on your version, skip it and move to the next one. I'll cover securing the controllers, OnCommand Unified Manager and 7.3.x FilerView with certificates in another post.

Secure shell should already be enabled on your controller. If the system has been around a while or the deployment engineer accepted defaults, chances are you have weak keys. Note that this process also generates keys for SSHv1, which is insecure and no longer used (it will be disabled later in this HOWTO). Also, the host and server key sizes must differ by at least 128 bits, which explains the size difference in the steps that follow. As the root user, run:

1) SSH has to be disabled before you configure it.
> secureadmin disable all

2) If it has been setup before, use the -f switch.
> secureadmin setup -f ssh

SSH Setup
———
Determining if SSH Setup has already been done before…yes
You have chosen to re-run SSH Setup. The old host keys will be
backed up to the following files:
/etc/sshd/ssh_host_key.201303310835
/etc/sshd/ssh_host_rsa_key.201303310835
/etc/sshd/ssh_host_dsa_key.201303310835
Do you want to proceed? [no] y

SSH server supports both ssh1.x and ssh2.0 protocols.

SSH server needs two RSA keys to support ssh1.x protocol. The host key is
generated and saved to file /etc/sshd/ssh_host_key during setup. The server
key is re-generated every hour when SSH server is running.

SSH server needs a RSA host key and a DSA host key to support ssh2.0 protocol.
The host keys are generated and saved to /etc/sshd/ssh_host_rsa_key and
/etc/sshd/ssh_host_dsa_key files respectively during setup.

SSH Setup will now ask you for the sizes of the host and server keys.
For ssh1.0 protocol, key sizes must be between 384 and 2048 bits.
For ssh2.0 protocol, key sizes must be between 768 and 2048 bits.
The size of the host and server keys must differ by at least 128 bits.

Please enter the size of host key for ssh1.x protocol [768] :2048
Please enter the size of server key for ssh1.x protocol [512] :1920
Please enter the size of host keys for ssh2.0 protocol [768] :2048

You have specified these parameters:
host key size = 2048 bits
server key size = 1920 bits
host key size for ssh2.0 protocol = 2048 bits
Is this correct? [yes] yes

Setup will now generate the host keys. It will take a minute.
After Setup is finished the SSH server will start automatically.

Sun Mar 31 08:35:48 EST [sim812:secureadmin.ssh.setup.passed:info]: SSH setup is done and ssh2 is enabled. Host keys are stored in /etc/sshd/ssh_host_key, /etc/sshd/ssh_host_rsa_key, and /etc/sshd/ssh_host_dsa_key.

3) If using PuTTY or xterm, log out and log back in to accept the new, stronger keys.

4) Set the ssh.idle.timeout (set in seconds)
> options ssh.idle.timeout 600

4) Disable SSHv1 and never use it unless you absolutely have no other choice.
> options ssh1.enable off

5) Enable the ability to separate SSH and ONTAP console sessions.
> options telnet.distinct.enable on

6) Disable RSH and never use it.
> options rsh.access “none”
> options rsh.enable off

7) Disable telnet and never use it.
> options telnet.access “none”
> options telnet.enable off

8) Disable webdav.
> options webdav.enable off

9) Configure Autologout.
> options autologout.console.enable on
> options autologout.console.timeout 60
> options autologout.telnet.enable on
> options autologout.telnet.timeout 5 (The SSH timeout is controlled by the telnet timeout setting)

10) Set the default user account settings. You may want to tune these to your environment. Note that Windows users can't use the max password size of 16.
> options security.passwd.rules.enable on
> options security.passwd.rules.everyone on
> options security.passwd.rules.minimum 8
> options security.passwd.rules.maximum 16
> options security.passwd.rules.minimum.alphabetic 2
> options security.passwd.rules.minimum.digit 2
> options security.passwd.rules.minimum.symbol 2
> options security.passwd.rules.history 6
> options security.passwd.lockout.numtries 6
> options security.passwd.firstlogin.enable off  (This setting locks out root so don’t turn it on!)
Note: root and the service processor's naroot user share the same password, so root's password cannot exceed 16 characters.

11) Configure options for the service processor.
> options sp.autologout.enable on
> options sp.autologout.timeout 60 (set in minutes. This can be shortened, but uninterrupted SP access is critical during upgrades or troubleshooting)
> options sp.ssh.access * (this should be set to a specific IP/CIDR range rather than * to be more secure. If you must access your controllers from many networks, leave it at *.)

12) Disable NDMP until needed. NDMP is very useful in certain sysadmin situations, but it doesn't need to be left on unless you dump to VTLs or tape libraries.
> options ndmpd.enable off

13) Disable specific protocols on the management interface. It's a good idea to block protocols on interfaces that will never carry that traffic type. These options let you properly isolate traffic, which complements VLAN separation.

> options interface.blocked.cifs e0M
> options interface.blocked.ftpd e0M
> options interface.blocked.iscsi e0M
> options interface.blocked.nfs e0M
> options interface.blocked.snapmirror e0M
To reopen the interface for a protocol, set the option to an empty string, e.g. options interface.blocked.nfs ""

14) NetApp recommended IP options:
> options ip.fastpath.enable off
> options ip.icmp_ignore_redirect.enable on
> options ip.match_any_ifaddr off
> options ip.ping_throttle.alarm_interval 15
> options ip.ping_throttle.drop_level 100

15) Disable TFTP.
> options tftpd.enable off

16) Enable SSL on the controller.
> options ssl.enable on
> options ssl.v2.enable off
> options ssl.v3.enable on
> options tls.enable on

Enable SSL for System Manager:
> options httpd.admin.enable off
> options httpd.admin.ssl.enable on
> options httpd.timeout 600  (timeout time in seconds, 600 = 10 minutes)

16) Enable SNMPv3 for secure communication between OnCommand(DFM) and the controller. See my other post for the simple steps here:

http://slice2.com/2013/03/20/how-to-enable-snmpv3-in-ontap-7-3-38-x-and-dfmoncommand-core-4-05-x/

17) Create a banner for SSH and SP console login. Using a text editor, create a login banner. Copy the text to your Windows/Unix clipboard so you can paste it in the following steps.
> options ssh2.banner.enable on
> wrfile /etc/motd and paste your banner text into the terminal. Press CTRL+C to save the file (ignore the warning).
> wrfile /etc/issue and paste the text above into the terminal. Press CTRL+C to save the file (ignore the warning).

18) Create administrative users. Don't log in as root. Create user accounts in the Administrators group so you have an audit trail. Also note that the parameters for min/max password age (-m -M) fit common best practices.

> useradmin user add john.doe -g Administrators -m 1 -M 90

a) For OnCommand Unified Manager, consider an account such as:
> useradmin user add OnCommandAdmin -g Administrators -m 1 -M 365

b) For NetApp Virtual Storage Console (VSC), consider an account such as:
> useradmin user add VSCadmin -g Administrators -m 1 -M 365

c) When setting user password expiry, you occasionally get locked out. To determine a user's status, check the "Status" section of the following command:
> useradmin user list john.doe

If Status is expired, the only way to enable the user account is to change the password. Log in as root or an admin user and enter:
> passwd
Login: john.doe
New password:
Retype new password:

19) Configure NFS Parameters. Since most of us have VMware ESXi clusters in our environment, we must use NFSv3. ESXi does not support NFSv4 so the enhanced security is not available. Enable NFS over TCP rather than UDP for ESXi hosts.
> options nfs.tcp.enable on

20) Identify your admin host on the controller. This is a hidden option that is not shown by the options command unless it is defined: if you enter options admin.hosts and it is not configured, no output is returned. This should be set to a dedicated host, possibly your OnCommand Unified Manager server, which should also host System Manager, Performance Adviser, ConfigAdviser, the VASA plugin, the ONTAP Powershell Toolkit and other NetApp management tools.
> options admin.hosts <your server name>
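The option lists in step 3 of the Powershell post and in steps 4 through 20 above are a baseline, and a controller drifts from it over time. The script below is an added example (not from the post or from NetApp) that parses a captured dump of the 7-Mode options command and reports every option that deviates from a subset of that baseline, including options missing from the dump and the permissive sp.ssh.access * value the post calls out. The sample dump is constructed, not captured from a real controller.

```python
"""Audit a 7-Mode Data ONTAP 'options' dump against the hardening baseline
from this post. Added example; not code from the post or from NetApp."""
import re

# Option -> expected value, taken from the steps above (a subset; extend it).
BASELINE = {
    "ssh1.enable": "off",
    "ssh.idle.timeout": "600",
    "telnet.enable": "off",
    "webdav.enable": "off",
    "autologout.console.enable": "on",
    "autologout.telnet.timeout": "5",
    "security.passwd.rules.enable": "on",
    "security.passwd.firstlogin.enable": "off",
    "ndmpd.enable": "off",
    "ssl.v2.enable": "off",
    "tls.enable": "on",
    "httpd.admin.enable": "off",
}

# 'options' prints one option per line: name, whitespace, value, and
# sometimes a trailing note such as "(value might be overwritten in takeover)".
OPTION_RE = re.compile(r"^\s*(?P<name>[\w.]+)\s+(?P<value>\S*)")


def parse_options(text):
    """Return {option: value} from 'options' output; unset options map to ''."""
    found = {}
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            found[m.group("name")] = m.group("value").strip('"')
    return found


def audit(text, baseline=BASELINE):
    """Return (option, expected, actual) for every deviation from the baseline.
    actual is None when the option is absent from the dump (e.g. an ONTAP release
    that lacks it). sp.ssh.access is flagged when it is '*', since the post
    accepts that value but recommends a specific IP/CIDR range instead."""
    current = parse_options(text)
    findings = []
    for opt, want in sorted(baseline.items()):
        have = current.get(opt)
        if have != want:
            findings.append((opt, want, have))
    if current.get("sp.ssh.access") == "*":
        findings.append(("sp.ssh.access", "<specific IP/CIDR>", "*"))
    return findings


# Constructed sample dump, not captured from a real controller.
SAMPLE = """\
autologout.console.enable    on
httpd.admin.enable           on
ndmpd.enable                 off
security.passwd.firstlogin.enable off
security.passwd.rules.enable on
sp.ssh.access                *
ssh.idle.timeout             0          (value might be overwritten in takeover)
ssh1.enable                  on
ssl.v2.enable                off
telnet.enable                off
tls.enable                   on
webdav.enable                off
"""

if __name__ == "__main__":
    for opt, want, have in audit(SAMPLE):
        print(f"{opt}: expected {want!r}, found {have!r}")
```

Feed it the output of options captured over SSH (or via the Powershell toolkit) and re-run it after maintenance windows to catch settings that were reset.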

21) Configure Syslog to send to a remote syslog server like Splunk, Kiwi, WhatsUp, etc.
> rdfile /etc/syslog.conf.sample
Copy the text below, paste it into notepad.exe and add your syslog server hostname or IP address. Note: use the Tab key, not the space bar, to separate the selector (*.info, *.err;kern.*, local7.*) from <your syslog IP/hostname>.

# Log messages of priority info or higher to the console and to /etc/messages
*.info                                  /dev/console
*.info                                  /etc/messages
*.*                @<your syslog server>

# Edit and uncomment following line to log all messages of priority
# err or higher and all kernel messages to a remote host, e.g. adminhost
# *.err;kern.*                          @adminhost
*.*                @<your syslog server>

# Edit and uncomment following line to log all messages of priority
# err or higher and all kernel messages to the local7 facility of the
# syslogd on a remote host, e.g. adminhost.
# *.err;kern.*                          local7.*@adminhost
local7.*            @<your syslog server>

a) After you have made the changes to the file above, perform the following:
> wrfile /etc/syslog.conf

b) Paste the text from notepad into the blank console, press Enter to add a line at the bottom of the input and press CTRL+C to end the session. Ignore the error that appears.

c) The Syslog service should restart in 15 seconds. If it does not, send a test message:
> logger Hello World

d) If you don't see "kern.syslogd.restarted:info]: syslogd: Restarted" on the console within 20-30 seconds of saving the file, manually restart the syslog service.
> priv set advanced
*> syslog reset_syslog
*> priv set admin
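Both the Powershell post (step 6) and step 21 above stress that the selector and the action in syslog.conf must be separated by a tab, and the file is pasted blind into wrfile, so a check before pasting is worthwhile. The script below is an added example (not from the post) that validates a syslog.conf in the format of the ONTAP sample file: it rejects space-separated lines, unedited <your syslog server> placeholders, and malformed selectors or actions. The sample config is constructed.

```python
"""Check a 7-Mode /etc/syslog.conf before writing it with wrfile.
Added example, not code from the post. It enforces the post's rule that the
selector and the action must be separated by a tab, not spaces, and catches
a '<your syslog server>' placeholder that was never replaced."""
import re

# Selector: facility.level, several joined by ';' (e.g. *.err;kern.*).
SELECTOR_RE = re.compile(r"^[\w*]+\.[\w*]+(;[\w*]+\.[\w*]+)*$")
# Actions used by the ONTAP sample file: a local file, a remote host, or a
# remote host's facility (local7.*@adminhost).
ACTION_RE = re.compile(r"^(/\S+|@\S+|[\w*]+\.[\w*]+@\S+)$")


def check_syslog_conf(text):
    """Return (line_number, problem) for each line syslogd would not accept."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue  # blank lines and comments are fine
        if "\t" not in line:
            problems.append((n, "selector and action must be separated by a tab, not spaces"))
            continue
        selector, action = line.split("\t", 1)
        selector, action = selector.strip(), action.strip()
        if not SELECTOR_RE.match(selector):
            problems.append((n, f"bad selector {selector!r}"))
        if "<" in action:
            problems.append((n, f"placeholder not replaced: {action!r}"))
        elif not ACTION_RE.match(action):
            problems.append((n, f"bad action {action!r}"))
    return problems


# Constructed sample: two lines are wrong on purpose (4: spaces, 5: placeholder).
SAMPLE_CONF = (
    "# Log messages of priority info or higher to the console and to /etc/messages\n"
    "*.info\t/dev/console\n"
    "*.info\t/etc/messages\n"
    "*.*    @10.10.10.100\n"
    "*.err;kern.*\t@<your syslog server>\n"
    "local7.*\t@10.10.10.100\n"
)

if __name__ == "__main__":
    for n, problem in check_syslog_conf(SAMPLE_CONF):
        print(f"line {n}: {problem}")
```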
