Category Archives: Security

Apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server

18 Saturday Jul 2015

Posted by in Security, Windows

Leave a comment

Tags

,

This post demonstrates how to apply a Windows 2012 R2 Domain GPO to a standalone Windows 2012 R2 server that is not in the domain. For this example, I’ll use the Internet Explorer 11 (IE11) lock downs I applied using a domain GPO.

This process also worked when I applied the 2012 R2 IE policy to a standalone Windows 7 Enterprise workstation.

1) Launch Group Policy Management on the Domain Controller. Browse to the policy you want to apply to the standalone servers (in my case IE11), right-click it and select Backup. Save it to a location of your choice and give it a description, such as IE11 GPO.

2) Download and install Microsoft SCM 3.0 (not on your domain controller). I just built a VM since SCM is only needed temporarily. I was only able to get it fully installed without errors on Windows 2008 R2. It supposedly supports Vista through 2012. I opted to install the bundled SQL Express since all I want is the LocalGPO executable. No need to point to a SQL server. You can uninstall the whole thing when done. The only reason to install the full package is so you can get a copy of the LocalGPO folder. Download it from:

Security Compliance Manager (SCM) Info:
https://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx

Download page:
https://www.microsoft.com/en-us/download/details.aspx?id=16776

a) When done downloading, double-click the Security_Compliance_Manager_Setup.exe > click Run > deselect Always check for SCM baseline updates (you don’t care about them right now) and click Next > accept the license and click Next > Next > Next > accept the SQL Express license and click Next > Install > Finish. The app will auto-load the baselines. Just let it finish.

b) When done installing, browse to C:\Program Files (x86)\Microsoft Security Compliance Manager. Copy the LocalGPO folder to a location of your choice. You will need to install the executable in this folder on each standalone server that will receive the Domain GPO.

5) Login as a local admin on the server to receive the GPO. Install LocalGPO on your standalone server. When done, browse to the C:\Program Files (x86)\LocalGPO folder, right-click LocalGPO.wsf, select Properties, select the Security tab and give your admin user full control of the file.

6) Create a folder on this server called c:\gpos. Copy your IE11 GPO backup folder into the c:\gpos folder.

7) Edit the LocalGPO.wsf file to recognize 2012 R2 (Windows 2012 R2 is version 6.3). Open C:\Program Files (x86)\LocalGPO\LocalGPO.wsf in notepad (right-click > Edit). Search for 6.2. On the first instance of 6.2, change it to 6.3.

From this: If(Left(strOpVer,3) = “6.2”) and (strProductType <> “1”) then

To this: If(Left(strOpVer,3) = 6.3) and (strProductType <> “1”) then

8) The Windows Firewall must be running temporarily before you run this tool. Even though you may have disabled the firewall and use a third-party product like McAfee Firewall, etc., turn on the native Windows firewall in the services.msc applet now.

9) Click start (lower left corner), and then Search icon in the upper right. Enter LocalGPO. Right-click LocalGPO Command line and select Run as Administrator. Before you run the next command, close all Windows except the cmd prompt.

Enter this command:

> cscript localgpo.wsf /path:”C:\gpos\{A81C84F4-F8F5-4E8A-B077-9EA1471B3886}”

– note: your IE11 GPO backup folder name inside c:\gpos will be different. Just add your folder name in the command above.

You should see Applied valid Machine POL and Applied valid User POL. No valid audit or INF is OK.

10) Clean up after yourself. Uninstall LocalGPO if you don’t plan to use it again. Delete the gpo backup in c:\gpos.

You can run > gpupdate /force or reboot the server to apply the policy completely.

11 Verify that it applied the policy. Launch IE11 and verify your settings are locked down. Note that on a fresh system, you  may have to launch IE and then immediately close it. Launch it again and the lock downs will be set. Sometimes it takes two startups for the settings to apply. Not sure why. If you had the Windows firewall turned off, open services.msc and disable it.

Enable legacy SSL and Java SSL support in your browser for those old, crusty websites

08 Monday Jun 2015

Posted by in Security

Leave a comment

Tags

,

This is a quick post to show you how to enable legacy SSL and Java SSL support in your browser for those old, crusty websites and applications you have in your organization. Note that this should not be done on Internet facing systems. Only offline or systems that are not routed to the Internet should implement these changes.

1) Launch Firefox. Type about:config in the location bar.
2) In the search bar that comes up, enter: security.tls.version.min. Double-click on the entry that appears and change the value to 0.
3) Do the same for security.tls.version.fallback-limit.
4) Try to connect to your site. It should now work for you.

Enable SSL in Java (it has been disabled for a few rev’s now)
1) Open Windows explorer and browse to either (or both if you have x32/x64 bit Java installed):

C:\Program Files (x86)\Java\jre1.8.0_45\lib\security
C:\Program Files\Java\jre1.8.0_45\lib\security

2) Double-click the file named java.security. You will be prompted to select a program to open the file. Choose select a program from a list of installed programs and click OK. Choose either Wordpad or notepad.

3) Scroll down to the bottom of the file. You should see:
jdk.tls.disabledAlgorithms=SSLv3

4) Change this by back-spacing over SSLv3 and save the file so it looks like:
jdk.tls.disabledAlgorithms=

You should now be able to access legacy sites with Java SSL support.

HOWTO Secure iSCSI Luns Between FreeBSD 10.1 and NetApp Storage with Mutual CHAP

01 Sunday Feb 2015

Posted by in FreeBSD, iSCSI, Security

Leave a comment

Tags

, ,

This post demonstrates how to enable bidirectional or mutual CHAP on iSCSI luns between FreeBSD 10.1 and NetApp storage. The aggregate, lun and disk sizes are small in this HOWTO to keep it simple.  Special thanks to FreeBSD developer Edward Napierala for his help with testing -CURRENT updates and syntax issues.

1) On the NetApp filer, create the volume that will hold the iscsi luns. This command assumes you have aggregate aggr1 already created. If not, use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g

2) On the NetApp filer, create a lun in the volume. Type solaris is used to be compatible with UFS.
netapp> lun create -s 5g -t solaris /vol/MCHAPVOL/FBSD10_iSCSI_MCHAP_0

3) Obtain the NetApp target nodename.
netapp> iscsi nodename
iSCSI target nodename: iqn.1992-08.com.netapp:sn.4055372815

4) On the FreeBSD server, create an iSCSI session to the NetApp. Unfortunately, there is no way of obtaining the FreeBSD server iqn in advance. Hopefully this
function will be in the next release.
server> iscsictl -A -p 10.10.10.141 -t iqn.1992-08.com.netapp:sn.4055372815

5) Now that a basic session is established, obtain your server’s iqn.
server> iscsictl -Lv | grep “Initiator name”
Initiator name:   iqn.1994-09.org.freebsd:fbsd101

6) On the NetApp filer, create an iGroup and add the FreeBSD iscsi nodename or iqn from step 5 above. The iGroup type is Solaris because its the most similar to FreeBSD. BSD is not an iGroup option.
netapp> igroup create -i -t solaris ISCSI_MCHAP_FBSD10
netapp> igroup add ISCSI_MCHAP_FBSD10 iqn.1994-09.org.freebsd:fbsd101
netapp> igroup show

ISCSI_MCHAP_FBSD10 (iSCSI) (ostype: solaris):
iqn.1994-09.org.freebsd:fbsd101 (not logged in)

7) Map the lun to the iGroup and give it lun ID 0. Important note: as of FreeBSD 10.1, there is a lun enumeration limit that requires you to start your lun ID with 0. You cannot start with 1. This is fixed in the current baseline and will appear in 10.2.
netapp> lun map /vol/MCHAPVOL/FBSD10_iSCSI_MCHAP_0 ISCSI_MCHAP_FBSD10 0

8) Set the CHAP secret on the NetApp controller.
netapp> iscsi security add -i iqn.1994-09.org.freebsd:fbsd101 -s chap -p FREEBSD -n iqn.1994-09.org.freebsd:fbsd101 -o NETAPP -m iqn.1992-08.com.netapp:sn.4055372815

netapp> iscsi security show
init: iqn.1994-09.org.freebsd:fbsd101 auth: CHAP Local Inbound password: **** Inbound username: iqn.1994-09.org.freebsd:fbsd101 Outbound password: ****  Outbound username: iqn.1992-08.com.netapp:sn.4055372815

9) Configure iSCSI on the server.
a) Start iSCSI when booted:
server> echo iscsid_enable=”YES” >> /etc/rc.conf

b) This tells it to connect to all targets when booted.
server> echo iscsictl_enable=”YES” >> /etc/rc.conf

c) Create the iscsi.conf file. Explanation for the example below:

Example:
t0                       = Represents the target ID. Start with 0.
TargetAddress   = 10.10.10.141 (your NetApp controller)
TargetName      = iqn.1992-08.com.netapp:sn.4055372815 (your NetApp iqn)
AuthMethod      = CHAP (the authentication type)
chapIName       = iqn.1994-09.org.freebsd:fbsd101 (your FreeBSD server iqn)
chapSecret      = FREEBSD (your server’s chap secret)
tgtChapName    = iqn.1992-08.com.netapp:sn.4055372815 (your Netapp iqn)
tgtChapSecret    = NETAPP (your NetApp chap secret)

Actual:
server> vi /etc/iscsi.conf

t0 {
TargetAddress   = 10.10.10.141
TargetName      = iqn.1992-08.com.netapp:sn.4055372815
AuthMethod      = CHAP
chapIName       = iqn.1994-09.org.freebsd:fbsd101
chapSecret      = FREEBSD
tgtChapName    = iqn.1992-08.com.netapp:sn.4055372815
tgtChapSecret    = NETAPP
}

wq!

d) Change permissions on the file.
> chmod 500 /etc/iscsi.conf

e) Start the iSCSI server on the server.
server> service iscsid start
Starting iscsid.

f) Reboot to test boot and session parameters. The session should connect and your lun will be visible.
server> reboot

Note: if you can’t reboot, run the following:
server> iscsictl -An t0

10) Verify your new lun.
server>  cat /var/log/messages | grep da1
Feb  1 10:38:12 fbsd101 kernel: da1 at iscsi1 bus 0 scbus3 target 0 lun 0
Feb  1 10:38:12 fbsd101 kernel: da1: <NETAPP LUN 811a> Fixed Direct Access SCSI-4 device
Feb  1 10:38:12 fbsd101 kernel: da1: Serial Number BQVJ3]DxwBcF
Feb  1 10:38:12 fbsd101 kernel: da1: 150.000MB/s transfers
Feb  1 10:38:12 fbsd101 kernel: da1: Command Queueing enabled
Feb  1 10:38:12 fbsd101 kernel: da1: 5120MB (10485760 512 byte sectors: 255H 63S/T 652C)

server> camcontrol reportluns /dev/da1
1 LUN found
0

server> camcontrol devlist -v | grep NETAPP
<NETAPP LUN 811a> at scbus3 target 0 lun 0 (da1,pass2)

server> camcontrol inquiry /dev/da1
pass2: <NETAPP LUN 811a> Fixed Direct Access SCSI-4 device
pass2: Serial Number BQVJ3]DxwBcF
pass2: 150.000MB/s transfers, Command Queueing Enabled

11) Obtain session details on the server.
server> iscsictl -Lv
Session ID:       1
Initiator name:   iqn.1994-09.org.freebsd:fbsd101
Initiator portal:
Initiator alias:
Target name:      iqn.1992-08.com.netapp:sn.4055372815
Target portal:    10.10.10.141
Target alias:
User:             iqn.1994-09.org.freebsd:fbsd101
Secret:           FREEBSD
Mutual user:      iqn.1992-08.com.netapp:sn.4055372815
Mutual secret:    NETAPP
Session type:     Normal
Session state:    Connected
Failure reason:
Header digest:    None
Data digest:      None
DataSegmentLen:   65536
ImmediateData:    Yes
iSER (RDMA):      No
Device nodes:     da1

a) Verify the iSCSI session on the filer:
netapp> iscsi session show
Session 1
Initiator Information
Initiator Name: iqn.1994-09.org.freebsd:fbsd101
ISID: 80:33:9b:8b:a9:6d

12) From the server, format the new lun (new disk). Since you know the device ID from step 10 above (/dev/da1), perform the following steps.

a) Create the partition.
server> gpart create -s gpt da1
da1 created

b) Display the partition.
server> gpart show da1
=>      40  10485680  da1  GPT  (5.0G)
40  10485680  – free –  (5.0G)

c) Add a slice.
server> gpart add -t freebsd da1
da1s1 added

d) Format the slice.
server> newfs -L ntaplun -b 4096 /dev/da1s1
/dev/da1s1: 5120.0MB (10485680 sectors) block size 4096, fragment size 4096
using 107 cylinder groups of 48.12MB, 12320 blks, 6160 inodes.
super-block backups (for fsck_ffs -b #) at:
144, 98704, 197264, 295824, 394384, 492944, 591504, 690064, 788624, 887184, 985744, 1084304, 1182864,
1281424, 1379984, 1478544, 1577104, 1675664, 1774224, 1872784, 1971344, 2069904, 2168464, 2267024,
2365584, 2464144, 2562704, 2661264, 2759824, 2858384, 2956944, 3055504, 3154064, 3252624, 3351184,
3449744, 3548304, 3646864, 3745424, 3843984, 3942544, 4041104, 4139664, 4238224, 4336784, 4435344,
4533904, 4632464, 4731024, 4829584, 4928144, 5026704, 5125264, 5223824, 5322384, 5420944, 5519504,
5618064, 5716624, 5815184, 5913744, 6012304, 6110864, 6209424, 6307984, 6406544, 6505104, 6603664,
6702224, 6800784, 6899344, 6997904, 7096464, 7195024, 7293584, 7392144, 7490704, 7589264, 7687824,
7786384, 7884944, 7983504, 8082064, 8180624, 8279184, 8377744, 8476304, 8574864, 8673424, 8771984,
8870544, 8969104, 9067664, 9166224, 9264784, 9363344, 9461904, 9560464, 9659024, 9757584, 9856144,
9954704, 10053264, 10151824, 10250384, 10348944, 10447504

13)  Create the mount point and manually mount the directory.
server> mkdir /newiscsilun
server> mount /dev/da1s1 /newiscsilun
server> df -h | grep newiscsilun
/dev/da1s1    4.8G    8.0K    4.5G     0%    /newiscsilun

14) Add the new mount point to /etc/fstab.
server>  echo “/dev/da1s1 /newiscsilun ufs rw 1 1” >> /etc/fstab

15) Test that it survives a reboot by rebooting the server now.
server> reboot

a) After the reboot, login and check the lun mount point.
server> df -h | grep newiscsilun
/dev/da1s1    4.8G    8.0K    4.5G     0%    /newiscsilun

16) On the NetApp storage you can verify the lun and the server’s session.
netapp> lun show -v /vol/MCHAPVOL/FBSD10_iSCSI_MCHAP_0
lun show -v /vol/MCHAPVOL/FBSD10_iSCSI_MCHAP_0
/vol/MCHAPVOL/FBSD10_iSCSI_MCHAP_0      5g (5368709120)    (r/w, online, mapped)
Serial#: BQVJ3]DxwBcF
Share: none
Space Reservation: enabled
Multiprotocol Type: solaris
Maps: ISCSI_MCHAP_FBSD10=0
Occupied Size:    3.8m (4022272)
Creation Time: Sun Feb  1 10:10:17 EST 2015
Cluster Shared Volume Information: 0x0

a) On the NetApp controller, get stats with the command below.
netapp>  iscsi session show -v
Session 2
Initiator Information
Initiator Name: iqn.1994-09.org.freebsd:fbsd101
ISID: 80:0d:2c:82:e2:2a

Session Parameters
SessionType=Normal
TargetPortalGroupTag=1000
MaxConnections=1
ErrorRecoveryLevel=0
AuthMethod=CHAP
HeaderDigest=None
DataDigest=None
ImmediateData=Yes
InitialR2T=Yes
FirstBurstLength=65536
MaxBurstLength=65536
Initiator MaxRecvDataSegmentLength=65536
Target MaxRecvDataSegmentLength=65536
DefaultTime2Wait=0
DefaultTime2Retain=0
MaxOutstandingR2T=1
DataPDUInOrder=Yes
DataSequenceInOrder=Yes
Command Window Size: 64

Connection Information
Connection 0
Remote Endpoint: 10.10.10.61:46881
Local Endpoint: 10.10.10.141:3260
Local Interface: e0a
TCP recv window size: 131400

Command Information
No commands active

HOWTO Secure iSCSI Luns Between Ubuntu Server 14.10 and NetApp Storage with Mutual CHAP

29 Monday Dec 2014

Posted by in iSCSI, Linux, Security

Leave a comment

Tags

, ,

This post demonstrates how to enable two-way or mutual CHAP on iSCSI luns between Ubuntu Server 14.10 and NetApp storage. The aggregate, lun and disk sizes are small in this HOWTO to keep it simple. Note that Ubuntu follows the no root model so you must use sudo on privileged command. I will not show every “enter password” prompt in the doc. When you see it, just enter your password.

1) Install open-iscsi on your server.
> sudo apt-get install open-iscsi
> sudo reboot (don’t argue with me, just do it!)

2) Display your server’s new iscsi initiator or iqn nodename.
> sudo cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1993-08.org.debian:01:ce45f9ecc9b

3) On the NetApp filer, create the volume that will hold the iscsi luns. This command assumes you have aggregrate aggr1 already created. If not use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g

4) On the NetApp filer, create the lun in the volume.
netapp> lun create -s 5g -t linux /vol/MCHAPVOL/UB1410_iSCSI_MCHAP_01

5) On the NetApp filer, create an igroup and add the Linux iscsi nodename or iqn from step 2 above to it.
netapp> igroup create -i -t linux ISCSI_MCHAP_UB1410
netapp> igroup add ISCSI_MCHAP_UB1410 iqn.1993-08.org.debian:01:ce45f9ecc9b
netapp> igroup show

ISCSI_MCHAP_UB1410 (iSCSI) (ostype: linux):
iqn.1993-08.org.debian:01:ce45f9ecc9b (not logged in)

6) Map the lun to the iscsi-group and give it lun ID 01.
netapp> lun map /vol/MCHAPVOL/UB1410_iSCSI_MCHAP_01 ISCSI_MCHAP_UB1410 01

7) Obtain the NetApp target nodename.
netapp> iscsi nodename
iSCSI target nodename: iqn.1992-08.com.netapp:sn.4055372815

8) Set the CHAP secret on the NetApp controller.
netapp> iscsi security add -i iqn.1993-08.org.debian:01:ce45f9ecc9b -s chap -p MCHAPUB1410 -n iqn.1993-08.org.debian:01:ce45f9ecc9b -o NETAPPMCHAP -m iqn.1992-08.com.netapp:sn.4055372815

netapp> iscsi security show
init: iqn.1993-08.org.debian:01:ce45f9ecc9b auth: CHAP Local Inbound password: **** Inbound username: iqn.1993-08.org.debian:01:ce45f9ecc9b Outbound
password: **** Outbound username: iqn.1992-08.com.netapp:sn.4055372815

9) On the server, edit your /etc/iscsi/iscsi.conf file and set the parameters below. You can just copy this into the file under iscsid.startup = /usr/sbin/iscsid but make sure you comment out node.startup = manual just below it. Since you want it to start automatically comment out node.leading_login = No.

> sudo vi /etc/iscsi/iscsid.conf:
node.startup = automatic
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1993-08.org.debian:01:ce45f9ecc9b
node.session.auth.password = MCHAPUB1410
node.session.auth.username_in = iqn.1992-08.com.netapp:sn.4055372815
node.session.auth.password_in = NETAPPMCHAP
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.1993-08.org.debian:01:ce45f9ecc9b
discovery.sendtargets.auth.password = MCHAPUB1410
discovery.sendtargets.auth.username_in = iqn.1992-08.com.netapp:sn.4055372815
discovery.sendtargets.auth.password_in = NETAPPMCHAP
> wq!

10) On the server, discover your iSCSI target (your NetApp storage system).
> sudo iscsiadm -m discovery -t st -p 10.10.10.141
10.10.10.141:3260,1000 iqn.1992-08.com.netapp:sn.4055372815

> sudo iscsiadm -m node  (this should display the same as above)
10.10.10.141:3260,1000 iqn.1992-08.com.netapp:sn.4055372815

11) On the server, manually login to the iSCSI target (your storage array). Note there are two “- -” dashed in front of targetname and login.
> sudo iscsiadm -m node –-targetname “iqn.1992-08.com.netapp:sn.4055372815” -–login

Logging in to [iface: default, target: iqn.1992-08.com.netapp:sn.4055372815, portal: 10.10.10.141,3260] (multiple)
Login to [iface: default, target: iqn.1992-08.com.netapp:sn.4055372815, portal: 10.10.10.141,3260] successful.

On the NetApp storage console you should see the iSCSI sessions:
[iscsi.notice:notice]: ISCSI:
New session from initiator iqn.1993-08.org.debian:01:ce45f9ecc9b at IP addr 10.10.10.128

Verify the iSCSI session on the filer:
netapp> iscsi session show
Session 1
Initiator Information
Initiator Name: iqn.1993-08.org.debian:01:ce45f9ecc9b
ISID: 00:02:3d:01:00:00
Initiator Alias: ub1410

12) Stop and start the iscsi service on the server.
> sudo service open-iscsi stop
Pause for 10 seconds and then run the next command.
> sudo service open-iscsi start

13) From the server, check your session.
> sudo iscsiadm -m session -P 1

14) From the server, check the NetApp iSCSI details. Note that mode, targetname and portal have two “- -” dashes in front of them.
> sudo iscsiadm –mode node –targetname “iqn.1992-08.com.netapp:sn.4055372815” –portal 10.10.10.141:3260

15) From the server, find and format the new lun (new disk). The command below will find the device. In this case its sdb.
> dmesg | grep “unknown partition table”
[ 1930.949065]  sdb: unknown partition table
[ 2167.186068]  sdb: unknown partition table

> sudo fdisk /dev/sdb  (note: commands are in bold red below)

Welcome to fdisk (util-linux 2.25.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0xe4775fd7.

Command (m for help): w

The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.

> sudo fdisk /dev/sdb

Command (m for help): n
Partition type
p   primary (0 primary, 0 extended, 4 free)
e   extended (container for logical partitions)
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-10485759, default 2048): press enter
Last sector, +sectors or +size{K,M,G,T,P} (2048-10485759, default 10485759): press enter

Created a new partition 1 of type ‘Linux’ and of size 5 GiB.

Command (m for help): p
Disk /dev/sdb: 5 GiB, 5368709120 bytes, 10485760 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 65536 bytes
Disklabel type: dos
Disk identifier: 0xc68508a4

Device     Boot Start      End  Sectors Size Id Type
/dev/sdb1        2048 10485759 10483712   5G 83 Linux

Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.

16) On the server, create the Linux file system on the new partition.
> sudo mkfs -t ext4 /dev/sdb1
mke2fs 1.42.10 (18-May-2014)
Discarding device blocks: done
Creating filesystem with 1310464 4k blocks and 327680 inodes
Filesystem UUID: d125b8ff-a690-4cbb-925d-645764d41172
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

17) Verify the partition.
> sudo blkid /dev/sdb1
/dev/sdb1: UUID=”d125b8ff-a690-4cbb-925d-645764d41172″ TYPE=”ext4″ PARTUUID=”c68508a4-01″

18) Create the mount point and manually mount the directory.
> sudo mkdir /newiscsilun
> sudo mount /dev/sdb1 /newiscsilun
> df -h | grep newiscsilun
/dev/sdb1  4.8G   10M  4.6G   1% /newiscsilun

19) Add the new mount point to /etc/fstab.
> sudo vi /etc/fstab
/dev/sdb1 /newiscsilun ext4 _netdev 0 0
> wq!

Note: the _netdev option is important so that it doesn’t try mounting the target before the network is available.

20) Test that it survives a reboot by rebooting the server now. With the _netdev set, iscsi starts and your CHAP logins should take place before it attempts to mount. After the reboot, login and verify that it is mounted.

> df -h | grep newiscsilun
/dev/sdb1  4.8G   10M  4.6G   1% /newiscsilun

21) On the server you can check session stats.
> sudo iscsiadm -m session -s

22) As root, change permissions on /etc/iscsi/iscsid.conf. I’m not sure why they haven’t fixed this clear text CHAP password in a file issue so just make sure only root can read/write the file.
> sudo chmod 600 /etc/iscsi/iscsid.conf

23) On the NetApp storage you can verify the lun and the server’s session.
netapp> lun show -v /vol/MCHAPVOL/UB1410_iSCSI_MCHAP_01
/vol/MCHAPVOL/UB1410_iSCSI_MCHAP_01      5g (5368709120)    (r/w, online, mapped)
Serial#: BQVJ3]DxwBcB
Share: none
Space Reservation: enabled
Multiprotocol Type: linux
Maps: ISCSI_MCHAP_UB1410=1
Occupied Size:  132.8m (139202560)
Creation Time: Mon Dec 29 13:33:18 EST 2014
Cluster Shared Volume Information: 0x0

You can also get stats with the command below.
netapp>  iscsi session show -v

HOWTO Secure iSCSI Luns Between Oracle Enterprise Linux 7 and NetApp Storage with Mutual CHAP

01 Monday Sep 2014

Posted by in iSCSI, Linux, Oracle, Security

Leave a comment

Tags

, , ,

This post demonstrates how to enable Bidirectional or Mutual CHAP on iSCSI luns between Oracle Enterprise Linux 7 and NetApp storage. The aggregate, lun and disk sizes are small in this HOWTO to keep it simple.

1) If not already installed, install the iSCSI initiator on your server.
> yum install iscsi-initiator*

2) Display your server’s new iSCSI initiator or iqn nodename.
> cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1988-12.com.oracle:77ff4f784c55

3) On the NetApp filer, create the volume that will hold the iscsi luns. This command assumes you have aggregate aggr1 already created.  If not, use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g

4) Create the lun in the volume.
netapp> lun create -s 5g -t linux /vol/MCHAPVOL/OEL7_iSCSI_MCHAP_01

5) Create an igroup and add the Linux iscsi nodename or iqn from step 2 above to the new igroup.
netapp> igroup create -i -t linux ISCSI_MCHAP_OEL7
netapp> igroup add ISCSI_MCHAP_OEL7 iqn.1988-12.com.oracle:77ff4f784c55
netapp> igroup set ISCSI_MCHAP_OEL7 report_scsi_name yes
netapp> igroup show ISCSI_MCHAP_OEL7

ISCSI_MCHAP_OEL7 (iSCSI) (ostype: linux):
iqn.1988-12.com.oracle:77ff4f784c55 (not logged in)

6) Map the lun to the igroup and give it lun ID 01.
netapp> lun map /vol/MCHAPVOL/OEL7_iSCSI_MCHAP_01 ISCSI_MCHAP_OEL7 01

7) Obtain the NetApp target nodename.
netapp> iscsi nodename
iSCSI target nodename: iqn.1992-08.com.netapp:sn.4055372815

8) Set the CHAP secret on the NetApp controller.
netapp> iscsi security add -i iqn.1988-12.com.oracle:77ff4f784c55 -s chap -p OEL7 -n iqn.1988-12.com.oracle:77ff4f784c55 -o NETAPPMCHAP -m iqn.1992-08.com.netapp:sn.4055372815

netapp> iscsi security show
Default sec is None
init: iqn.1986-03.com.sun:01:e00000000000.52bcad1c auth: CHAP Local Inbound password: **** Inbound username: iqn.1986-03.com.sun:01:e000000000bound password: **** Outbound username: iqn.1992-08.com.netapp:sn.4055372815
init: iqn.1988-12.com.oracle:77ff4f784c55 auth: CHAP Local Inbound password: **** Inbound username: iqn.1988-12.com.oracle:77ff4f784c55 Outbou** Outbound username: iqn.1992-08.com.netapp:sn.4055372815

9) On the server, edit your /etc/iscsi/iscsi.conf file and set the parameters below.
> vi /etc/iscsi/iscsid.conf
node.startup = automatic
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1988-12.com.oracle:77ff4f784c55
node.session.auth.password = OEL7
node.session.auth.username_in = iqn.1992-08.com.netapp:sn.4055372815
node.session.auth.password_in = NETAPPMCHAP
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.1988-12.com.oracle:77ff4f784c55
discovery.sendtargets.auth.password = OEL7
discovery.sendtargets.auth.username_in = iqn.1992-08.com.netapp:sn.4055372815
discovery.sendtargets.auth.password_in = NETAPPMCHAP
> wq!

10) On the server, restart the service and discover your iSCSI target (your storage system).
> service iscsi restart
Redirecting to /bin/systemctl restart  iscsi.service

a) Verify the target.
> iscsiadm -m discovery -t st -p 10.10.10.141
10.10.10.141:3260,1000 iqn.1992-08.com.netapp:sn.4055372815

> iscsiadm -m node  (this should display the same as above)
10.10.10.141:3260,1000 iqn.1992-08.com.netapp:sn.4055372815

11) On the server, manually login to the iSCSI target (your storage array). Note there are two dashes “- -” in front of targetname and login.
> iscsiadm -m node –targetname “iqn.1992-08.com.netapp:sn.4055372815” –login
Logging in to [iface: default, target: iqn.1992-08.com.netapp:sn.4055372815, portal: 10.10.10.141,3260] (multiple)
Login to [iface: default, target: iqn.1992-08.com.netapp:sn.4055372815, portal: 10.10.10.141,3260] successful.

a) On the NetApp storage console you should see the iSCSI session:
[netapp:iscsi.notice:notice]: ISCSI: New session from initiator iqn.1988-12.com.oracle:77ff4f784c55 at IP addr 10.10.10.201

b) Verify the iSCSI session on the filer:
netapp> iscsi session show
Session 4
Initiator Information
Initiator Name: iqn.1988-12.com.oracle:77ff4f784c55
ISID: 00:02:3d:06:00:00
Initiator Alias: localhost.localdomain

12) From the server , check your session.
> iscsiadm -m session -P 1
Target: iqn.1992-08.com.netapp:sn.4055372815 (non-flash)
Current Portal: 10.10.10.141:3260,1000
Persistent Portal: 10.10.10.141:3260,1000
**********
Interface:
**********
Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.1988-12.com.oracle:77ff4f784c55
Iface IPaddress: 10.10.10.201
Iface HWaddress: <empty>
Iface Netdev: <empty>
SID: 6
iSCSI Connection State: LOGGED IN
iSCSI Session State: LOGGED_IN
Internal iscsid Session State: NO CHANGE

13) From the server, check the NetApp iSCSI details. Note there are two dashes “- -” in front of mode, targetname and portal.
> iscsiadm –mode node –targetname “iqn.1992-08.com.netapp:sn.4055372815″ –portal 10.10.10.141:3260
# BEGIN RECORD 6.2.0.873-21
node.name = iqn.1992-08.com.netapp:sn.4055372815
node.tpgt = 1000
node.startup = automatic
node.leading_login = No
iface.hwaddress = <empty>
iface.ipaddress = <empty>
iface.iscsi_ifacename = default
iface.net_ifacename = <empty>
iface.transport_name = tcp
iface.initiatorname = <empty>
iface.state = <empty>
iface.vlan_id = 0
iface.vlan_priority = 0
iface.vlan_state = <empty>
iface.iface_num = 0
iface.mtu = 0
iface.port = 0
iface.bootproto = <empty>
iface.subnet_mask = <empty>
iface.gateway = <empty>
iface.dhcp_alt_client_id_state = <empty>
iface.dhcp_alt_client_id = <empty>
iface.dhcp_dns = <empty>
iface.dhcp_learn_iqn = <empty>
iface.dhcp_req_vendor_id_state = <empty>
iface.dhcp_vendor_id_state = <empty>
iface.dhcp_vendor_id = <empty>
iface.dhcp_slp_da = <empty>
iface.fragmentation = <empty>
iface.gratuitous_arp = <empty>
iface.incoming_forwarding = <empty>
iface.tos_state = <empty>
iface.tos = 0
iface.ttl = 0
iface.delayed_ack = <empty>
iface.tcp_nagle = <empty>
iface.tcp_wsf_state = <empty>
iface.tcp_wsf = 0
iface.tcp_timer_scale = 0
iface.tcp_timestamp = <empty>
iface.redirect = <empty>
iface.def_task_mgmt_timeout = 0
iface.header_digest = <empty>
iface.data_digest = <empty>
iface.immediate_data = <empty>
iface.initial_r2t = <empty>
iface.data_seq_inorder = <empty>
iface.data_pdu_inorder = <empty>
iface.erl = 0
iface.max_receive_data_len = 0
iface.first_burst_len = 0
iface.max_outstanding_r2t = 0
iface.max_burst_len = 0
iface.chap_auth = <empty>
iface.bidi_chap = <empty>
iface.strict_login_compliance = <empty>
iface.discovery_auth = <empty>
iface.discovery_logout = <empty>
node.discovery_address = 10.10.10.141
node.discovery_port = 3260
node.discovery_type = send_targets
node.session.initial_cmdsn = 0
node.session.initial_login_retry_max = 8
node.session.xmit_thread_priority = -20
node.session.cmds_max = 128
node.session.queue_depth = 32
node.session.nr_sessions = 1
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1988-12.com.oracle:77ff4f784c55
node.session.auth.password = ********
node.session.auth.username_in = iqn.1992-08.com.netapp:sn.4055372815
node.session.auth.password_in = ********
node.session.timeo.replacement_timeout = 120
node.session.err_timeo.abort_timeout = 15
node.session.err_timeo.lu_reset_timeout = 30
node.session.err_timeo.tgt_reset_timeout = 30
node.session.err_timeo.host_reset_timeout = 60
node.session.iscsi.FastAbort = Yes
node.session.iscsi.InitialR2T = No
node.session.iscsi.ImmediateData = Yes
node.session.iscsi.FirstBurstLength = 262144
node.session.iscsi.MaxBurstLength = 16776192
node.session.iscsi.DefaultTime2Retain = 0
node.session.iscsi.DefaultTime2Wait = 2
node.session.iscsi.MaxConnections = 1
node.session.iscsi.MaxOutstandingR2T = 1
node.session.iscsi.ERL = 0
node.conn[0].address = 10.10.10.141
node.conn[0].port = 3260
node.conn[0].startup = manual
node.conn[0].tcp.window_size = 524288
node.conn[0].tcp.type_of_service = 0
node.conn[0].timeo.logout_timeout = 15
node.conn[0].timeo.login_timeout = 15
node.conn[0].timeo.auth_timeout = 45
node.conn[0].timeo.noop_out_interval = 5
node.conn[0].timeo.noop_out_timeout = 5
node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.IFMarker = No
node.conn[0].iscsi.OFMarker = No
# END RECORD

14) From the server, find and format the new lun (new disk). Your fdisk commands are in bold red below.
> cat /var/log/messages | grep “unknown partition table”
localhost kernel: sdb: unknown partition table

> fdisk /dev/sdb

Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x195fbc72.

The device presents a logical sector size that is smaller than
the physical sector size. Aligning to a physical sector (or optimal
I/O) size boundary is recommended, or performance may be impacted.

Command (m for help): w

> fdisk /dev/sdb
Command (m for help): n
Partition type:
p   primary (0 primary, 0 extended, 4 free)
e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-10485759, default 2048): <press enter>
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-10485759, default 10485759): <press enter>
Using default value 10485759
Partition 1 of type Linux and of size 5 GiB is set

Command (m for help): p
Disk /dev/sdb: 5368 MB, 5368709120 bytes, 10485760 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 65536 bytes
Disk label type: dos
Disk identifier: 0xa1c2729d

Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048    10485759     5241856   83  Linux

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

15) On the server, create the Linux file system on the new partition.
> mkfs -t ext4 /dev/sdb1
mke2fs 1.42.9 (28-Dec-2013)
Discarding device blocks: done
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=16 blocks
327680 inodes, 1310464 blocks
65523 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

16) Verify the partition.
> blkid /dev/sdb1
/dev/sdb1: UUID=”eb7fa074-50d8-47d1-83aa-7b69568020e4″ TYPE=”ext4″

17) Create the mount point and manually mount the directory.
> mkdir /newiscsilun
> mount /dev/sdb1 /newiscsilun
> df -h | grep newiscsilun
/dev/sdb1  4.8G   20M  4.6G   1% /newiscsilun

18) Add the new mount point to /etc/fstab.
> vi /etc/fstab
/dev/sdb1 /newiscsilun ext4 _netdev 0 0
> wq!

Note: the _netdev option is important so that it doesn’t try mounting the target before the network is available.

19) Test that it survives a reboot by rebooting the server. With the _netdev set, iscsi starts and your CHAP logins should take place before it attempts to mount. After the reboot, login and verify its mounted.

> df -h | grep newiscsilun
/dev/sdb1  4.8G   20M  4.6G   1% /newiscsilun

20) On the server you can check session stats.
> iscsiadm -m session -s
Stats for session [sid: 6, target: iqn.1992-08.com.netapp:sn.4055372815, portal: 10.10.10.141,3260]
iSCSI SNMP:
txdata_octets: 137976652
rxdata_octets: 3841684
noptx_pdus: 0
scsicmd_pdus: 1127
tmfcmd_pdus: 0
login_pdus: 0
text_pdus: 0
dataout_pdus: 1827
logout_pdus: 0
snack_pdus: 0
noprx_pdus: 0
scsirsp_pdus: 1127
tmfrsp_pdus: 0
textrsp_pdus: 0
datain_pdus: 793
logoutrsp_pdus: 0
r2t_pdus: 1827
async_pdus: 0
rjt_pdus: 0
digest_err: 0
timeout_err: 0
iSCSI Extended:
tx_sendpage_failures: 0
rx_discontiguous_hdr: 0
eh_abort_cnt: 0

21) As root, change permissions on /etc/iscsi/iscsid.conf. I’m not sure why they haven’t fixed this clear text CHAP password in a file issue so just make sure only root can read/write the file.
> chmod 600 /etc/iscsi/iscsid.conf

22) On the NetApp storage you can verify the Lun and the server’s session.
netapp>  lun show -v /vol/MCHAPVOL/OEL7_iSCSI_MCHAP_01
/vol/MCHAPVOL/OEL7_iSCSI_MCHAP_01      5g (5368709120)    (r/w, online, mapped)
Serial#: BQVJ3]DxwBc-
Share: none
Space Reservation: enabled
Multiprotocol Type: linux
Maps: ISCSI_MCHAP_OEL7=1
Occupied Size:  134.0m (140546048)
Creation Time: Sat Aug 30 12:14:47 EST 2014
Cluster Shared Volume Information: 0x0

netapp> iscsi session show -v
Session 6
Initiator Information
Initiator Name: iqn.1988-12.com.oracle:77ff4f784c55
ISID: 00:02:3d:01:00:00
Initiator Alias: localhost.localdomain

Session Parameters
SessionType=Normal
TargetPortalGroupTag=1000
MaxConnections=1
ErrorRecoveryLevel=0
AuthMethod=CHAP
HeaderDigest=None
DataDigest=None
ImmediateData=Yes
InitialR2T=No
FirstBurstLength=65536
MaxBurstLength=65536
Initiator MaxRecvDataSegmentLength=65536
Target MaxRecvDataSegmentLength=65536
DefaultTime2Wait=2
DefaultTime2Retain=0
MaxOutstandingR2T=1
DataPDUInOrder=Yes
DataSequenceInOrder=Yes
Command Window Size: 64

Connection Information
Connection 0
Remote Endpoint: 10.10.10.201:41613
Local Endpoint: 10.10.10.141:3260
Local Interface: e0a
TCP recv window size: 131400

Command Information
No commands active

No commands active

HOWTO to reset the root password on Solaris with a UFS filesystem

20 Tuesday May 2014

Posted by in Security, Solaris

Leave a comment

Tags

,

1) Issue a Stop A or halt the system.

2) Insert Solaris 10 DVD. At the OK prompt enter:

ok# boot -s

3) Determine the boot disk partition and mount it.

> mount /dev/dsk/c0t3d0s0 /a (or whatever your mount point is)

> cd /a/etc

> TERM=vt100

> export TERM

> vi /etc/shadow and remove root’s encrypted password string so its colon to colon (::)

> cd /

> umount /a

> init s

4) Login as root with no password and set the new password.

> passwd root

HOWTO Find Unsigned Executables on Windows

03 Monday Mar 2014

Posted by in Security, Windows

Leave a comment

Tags

,

From the Sigcheck website, “Sigcheck is a command-line utility that shows file version number, time stamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.” It runs on XP/2003 and higher versions of Windows.

Download sigcheck and unzip to a location of your choice. Run the commands below to get a feel for the output. When the command prompt returns, open the file in Excel, Calc or your favorite spreadsheet program. The Verified column will show “signed” or “unsigned.”

Sigcheck page:
http://technet.microsoft.com/en-us/sysinternals/bb897441

Sigcheck download:
http://download.sysinternals.com/files/Sigcheck.zip

Full Sysinternals Suite download:
http://download.sysinternals.com/files/SysinternalsSuite.zip

1) The following command scans executables only, shows extended version information, recurses sub-directories in c:\windows\system32 and writes the output to a file called sigcheck-Win7.csv.
> sigcheck -e -a -s -c c:\windows\system32 > sigcheck-Win7.csv

2) To run a check through VirusTotal, add the -v option. Note that when using the Virustotal option it may take 20 minutes or more to complete.
> sigcheck -e -a -s -v -c c:\windows\system32 > sigcheck-Win7-virustotal.csv

HOWTO Secure iSCSI Luns Between Red Hat Enterprise Linux 7 (Beta) and NetApp Storage with Mutual CHAP

01 Saturday Feb 2014

Posted by in iSCSI, Linux, NetApp, Security

Leave a comment

Tags

, , ,

This post demonstrates how to enable Bidirectional or Mutual CHAP on iSCSI luns between Red Hat Enterprise Linux 7 (Beta) and NetApp storage. The aggregate, lun and disk sizes are small in this HOWTO to keep it simple.

1) If not already installed, install the iSCSI initiator on your system.
> yum install iscsi-initiator*

2) Display your server’s new iscsi initiator or iqn nodename.
> cat /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.1994-05.com.redhat:ece5618996a9

3) On the NetApp filer, create the volume that will hold the iscsi luns. This command assumes you have aggregate aggr1 already created.  If not use an aggregate that has enough room for your volume.
netapp> vol create MCHAPVOL aggr1 10g

4) Create the lun in the volume.
netapp> lun create -s 5g -t linux /vol/MCHAPVOL/RHEL7_iSCSI_MCHAP_01

5) Create an igroup and add the Linux iscsi nodename or iqn from step 2 above to the new igroup.
netapp> igroup create -i -t linux ISCSI_MCHAP_RHEL7
netapp> igroup add ISCSI_MCHAP_RHEL7 iqn.1994-05.com.redhat:ece5618996a9
netapp> igroup show ISCSI_MCHAP_RHEL7

ISCSI_MCHAP_RHEL7 (iSCSI) (ostype: linux):
iqn.1994-05.com.redhat:ece5618996a9 (not logged in)

6) Map the lun to the igroup and give it lun ID 01.
netapp> lun map /vol/MCHAPVOL/RHEL7_iSCSI_MCHAP_01 ISCSI_MCHAP_RHEL7 01

7) Obtain the NetApp target nodename.
netapp> iscsi nodename
iqn.1992-08.com.netapp:sn.84167939

8) Set the CHAP secret on the NetApp controller.
netapp> iscsi security add -i iqn.1994-05.com.redhat:ece5618996a9 -s chap -p RHEL7 -n iqn.1994-05.com.redhat:ece5618996a9 -o NETAPPMCHAP -m iqn.1992-08.com.netapp:sn.84167939

netapp> iscsi security show
init: iqn.1994-05.com.redhat:ece5618996a9 auth: CHAP Inbound password: **** Inbound username: iqn.1994-05.com.redhat:ece5618996a9 Outbound password: **** Outbound username: iqn.1992-08.com.netapp:sn.84167939

9) On the server, edit your /etc/iscsi/iscsi.conf file and set the parameters below.
> vi /etc/iscsi/iscsid.conf
node.startup = automatic
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.1994-05.com.redhat:ece5618996a9
node.session.auth.password = RHEL7
node.session.auth.username_in = iqn.1992-08.com.netapp:sn.84167939
node.session.auth.password_in = NETAPPMCHAP
discovery.sendtargets.auth.authmethod = CHAP
discovery.sendtargets.auth.username = iqn.1994-05.com.redhat:ece5618996a9
discovery.sendtargets.auth.password = RHEL7
discovery.sendtargets.auth.username_in = iqn.1992-08.com.netapp:sn.84167939
discovery.sendtargets.auth.password_in = NETAPPMCHAP
> wq!

10) On the server, restart the service and discover your iSCSI target (your storage system).
> service iscsi restart
Redirecting to /bin/systemctl restart  iscsi.service

a) Verify the target.
> iscsiadm -m discovery -t st -p 10.10.10.11
10.10.10.11:3260,1000 iqn.1992-08.com.netapp:sn.84167939

> iscsiadm -m node  (this should display the same as above)
10.10.10.11:3260,1000 iqn.1992-08.com.netapp:sn.84167939

11) On the server, manually login to the iSCSI target (your storage array). Note there are two dashes “- -” in front of targetname and login.
> iscsiadm -m node –targetname “iqn.1992-08.com.netapp:sn.84167939” –login
Logging in to [iface: default, target: iqn.1992-08.com.netapp:sn.84167939, portal: 10.10.10.11,3260] (multiple)
Login to [iface: default, target: iqn.1992-08.com.netapp:sn.84167939, portal: 10.10.10.11,3260] successful.

a) On the NetApp storage console you should see the iSCSI session:
[iscsi.notice:notice]: ISCSI: New session from initiator iqn.1994-05.com.redhat:ece5618996a9 at IP addr 10.10.10.186

b) Verify the iSCSI session on the filer:
netapp> iscsi session show
Session 88
Initiator Information
Initiator Name: iqn.1994-05.com.redhat:ece5618996a9
ISID: 00:02:3d:01:00:00
Initiator Alias: rhel7

12) From the server , check your session.
> iscsiadm -m session -P 1
Target: iqn.1992-08.com.netapp:sn.84167939
Current Portal: 10.10.10.11:3260,1000
Persistent Portal: 10.10.10.11:3260,1000
**********
Interface:
**********
Iface Name: default
Iface Transport: tcp
Iface Initiatorname: iqn.1994-05.com.redhat:ece5618996a9
Iface IPaddress: 10.10.10.186
Iface HWaddress: <empty>
Iface Netdev: <empty>
SID: 1
iSCSI Connection State: LOGGED IN
iSCSI Session State: LOGGED_IN
Internal iscsid Session State: NO CHANGE

13) From the server, check the NetApp iSCSI details. Note there are two dashes “- -” in front of mode, targetname and portal.
> iscsiadm –mode node –targetname “iqn.1992-08.com.netapp:sn.84167939” –portal 10.10.10.11:3260

14) From the server, find and format the new lun (new disk). Your fdisk commands are in bold red below.
> cat /var/log/messages | grep “unknown partition table”
rhel7 kernel: [   24.102281]  sdb: unknown partition table

> fdisk /dev/sdb

Welcome to fdisk (util-linux 2.23.2).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table
Building a new DOS disklabel with disk identifier 0x2c025f67.

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.

> fdisk /dev/sdb
Command (m for help): n
Partition type:
p   primary (0 primary, 0 extended, 4 free)
e   extended
Select (default p): p
Partition number (1-4, default 1): 1
First sector (2048-10485759, default 2048): <press enter>
Using default value 2048
Last sector, +sectors or +size{K,M,G} (2048-10485759, default 10485759): <press enter>
Using default value 10485759
Partition 1 of type Linux and of size 5 GiB is set

Command (m for help): p
Disk /dev/sdb: 5368 MB, 5368709120 bytes, 10485760 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xeb560917

Device Boot  Start  End       Blocks   Id  System
/dev/sdb1    2048   10485759  5241856  83  Linux

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

15) On the server, create the Linux file system on the new partition.
> mkfs -t ext4 /dev/sdb1
mke2fs 1.42.8 (20-Jun-2013)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
Stride=0 blocks, Stripe width=0 blocks
327680 inodes, 1310464 blocks
65523 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1342177280
40 block groups
32768 blocks per group, 32768 fragments per group
8192 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done
Writing inode tables: done
Creating journal (32768 blocks): done
Writing superblocks and filesystem accounting information: done

16) Verify the partition.
> blkid /dev/sdb1
/dev/sdb1: UUID=”540997d7-ee07-42b3-a4af-612af6812d18″ TYPE=”ext4″

17) Create the mount point and manually mount the directory.
> mkdir /newiscsilun
> mount /dev/sdb1 /newiscsilun
> df -h | grep newiscsilun
Filesystem Size  Used Avail Use% Mounted on
/dev/sdb1  4.8G  10M  4.6G   1% /newiscsilun

18) Add the new mount point to /etc/fstab.
> vi /etc/fstab
/dev/sdb1 /newiscsilun ext4 _netdev 0 0
> wq!

Note: the _netdev option is important so that it doesn’t try mounting the target before the network is available.

19) Test that it survives a reboot by rebooting the server. With the _netdev set, iscsi starts and your CHAP logins should take place before it attempts to mount. After the reboot, login and verify its mounted.

> df -h | grep newiscsilun
Filesystem Size  Used Avail Use% Mounted on
/dev/sdb1  5.0G  139M  4.6G   3% /newiscsilun

20) On the server you can check session stats.
> iscsiadm -m session -s
Stats for session [sid: 1, target: iqn.1992-08.com.netapp:sn.84167939, portal: 10.10.10.11,3260]
iSCSI SNMP:
txdata_octets: 17096
rxdata_octets: 748232
noptx_pdus: 0
scsicmd_pdus: 213
tmfcmd_pdus: 0
login_pdus: 0
text_pdus: 0
dataout_pdus: 0
logout_pdus: 0
snack_pdus: 0
noprx_pdus: 0
scsirsp_pdus: 213
tmfrsp_pdus: 0
textrsp_pdus: 0
datain_pdus: 204
logoutrsp_pdus: 0
r2t_pdus: 0
async_pdus: 0
rjt_pdus: 0
digest_err: 0
timeout_err: 0
iSCSI Extended:
tx_sendpage_failures: 0
rx_discontiguous_hdr: 0
eh_abort_cnt: 0

21) As root, change permissions on /etc/iscsi/iscsid.conf. I’m not sure why they haven’t fixed this clear text CHAP password in a file issue so just make sure only root can read/write the file.
> chmod 600 /etc/iscsi/iscsid.conf

22) On the NetApp storage you can verify the Lun and the server’s session.
> lun show -v /vol/MCHAPVOL/RHEL7_iSCSI_MCHAP_01
/vol/MCHAPVOL/RHEL7_iSCSI_MCHAP_01      5g (5368709120)    (r/w, online, mapped)
Serial#: hoagPJvrDTup
Share: none
Space Reservation: enabled (not honored by containing Aggregate)
Multiprotocol Type: linux
Maps: ISCSI_MCHAP_RHEL7=1

> iscsi session show -v
Session 90
Initiator Information
Initiator Name: iqn.1994-05.com.redhat:ece5618996a9
ISID: 00:02:3d:01:00:00
Initiator Alias: rhel7

Session Parameters
SessionType=Normal
TargetPortalGroupTag=1000
MaxConnections=1
ErrorRecoveryLevel=0
AuthMethod=CHAP
HeaderDigest=None
DataDigest=None
ImmediateData=Yes
InitialR2T=No
FirstBurstLength=65536
MaxBurstLength=65536
Initiator MaxRecvDataSegmentLength=65536
Target MaxRecvDataSegmentLength=65536
DefaultTime2Wait=2
DefaultTime2Retain=0
MaxOutstandingR2T=1
DataPDUInOrder=Yes
DataSequenceInOrder=Yes
Command Window Size: 32

Connection Information
Connection 0
Remote Endpoint: 10.10.10.186:59575
Local Endpoint: 10.10.10.11:3260
Local Interface: e0a
TCP recv window size: 131400

Command Information
No commands active

HOWTO verify the SSL Cipher Suite and Plug-ins supported by your browser and validate your website certificate

15 Wednesday Jan 2014

Posted by in Security

Leave a comment

Tags

If you ever wondered what your browser tells the world in terms of your supported SSL/TLS cipher suites, key sizes and plug-in versions, try the first four URLs below in each web browser that you use. If you have a website, the bottom three check your site certificate.

For your Browsers:

Qualys Vulnerable Plug-in Browser Check
https://browsercheck.qualys.com/?scan_type=js

Mozilla Vulnerable Plug-in Check for Firefox, Opera, and Chrome. I believe the Qualys checker above is a little better but it doesn’t hurt to run both Qualys and Mozilla’s just in case one misses something. Also, the Qualys check doesn’t always capture the latest micro point release from Firefox.
http://www.mozilla.org/en-US/plugincheck/

SSL Cipher Suite Details of your Browser
https://cc.dcsec.uni-hannover.de/

SSL/TLS Details of your Browser and POODLE Test
https://www.ssllabs.com/ssltest/viewMyClient.html

For your Website:

Check your Site Certificate or CSR
https://ssltools.websecurity.symantec.com/checker/

Qualys SSl Labs Site checker
https://www.ssllabs.com/ssltest/index.html

SSL Site Configuration Checker
https://sslcheck.globalsign.com/en_US